Management control method, apparatus, and system for virtual machine

US9698988B2 · US · B2

Patent metadata
Publication number: US-9698988-B2
Application number: US-201514720245-A
Country: US
Kind code: B2
Filing date: May 22, 2015
Priority date: Nov 22, 2012
Publication date: Jul 4, 2017
Grant date: Jul 4, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A security control platform receives a virtual machine starting request message that is from user equipment and forwarded by a management platform, where the virtual machine starting request message includes an identifier of a virtual machine that needs to be enabled and user information; invokes a third-party trusted platform to determine that the virtual machine starting request message is initiated by the user equipment according to an instruction of an authorized user; and performs authentication on the user information, and based on successful authentication, invokes the third-party trusted platform to decapsulate the virtual machine that needs to be enabled. It is ensured that other user equipment (including the management platform) cannot obtain a key of the third-party trusted platform, which enhances security of management control on the virtual machine, and thereby enhances security of a cloud computing platform.

First claim

Opening claim text (preview).

What is claimed is:

1. A management control method for a virtual machine, comprising: receiving, by a security control platform, a virtual machine starting request message that is from user equipment and forwarded by a management platform, wherein the virtual machine starting request message comprises an identifier of a virtual machine that needs to be enabled and user information; invoking a third-party trusted platform to determine that the virtual machine starting request message is initiated by the user equipment according to an instruction of an authorized user; performing authentication on the user information; and invoking, based on successful authentication, the third-party trusted platform to decapsulate the virtual machine that needs to be enabled, and, wherein invoking the third-party trusted platform to determine that the virtual machine starting request message is initiated by the user equipment according to the instruction of the authorized user comprises: invoking, by the security control platform, the third-party trusted platform to generate data encrypted using a key of the third-party trusted platform; sending the encrypted data to the user equipment using the management platform so that the user equipment decrypts the encrypted data using a private key provided by the third-party trusted platform for the authorized user, and returns decrypted data to the security control platform; and determining that the virtual machine starting request message is initiated by the user equipment according to the instruction of the authorized user when the decrypted data is the same as the data before the encryption.

2. The method according to claim 1, wherein after invoking the third-party trusted platform to decapsulate the virtual machine that needs to be enabled, the method further comprises: invoking, by the security control platform, the third-party trusted platform to perform an integrity check on the virtual machine; restricting enabling of the virtual machine when an integrity check value is inconsistent with an integrity check value of the virtual machine that is stored on the security control platform; and enabling the virtual machine when the integrity check value is consistent with the integrity check value of the virtual machine that is stored on the security control platform.

3. The method according to claim 1, wherein after invoking the third-party trusted platform to decapsulate the virtual machine that needs to be enabled, the method further comprises: detecting, by the security control platform using a virtual machine monitor, that a new application program is installed in the virtual machine; determining that the new application program is installed by the user equipment according to an instruction of the authorized user; invoking the third-party trusted platform to perform an integrity check on the virtual machine; and updating an integrity check value of the virtual machine that is stored on the security control platform.

4. The method according to claim 1, wherein after invoking the third-party trusted platform to decapsulate the virtual machine that needs to be enabled, the method further comprises: receiving, by the security control platform, a virtual machine integrity check request message sent by the management platform, wherein the virtual machine integrity check request message is sent by the user equipment to the management platform, and wherein the virtual machine integrity check request message comprises an identifier of the virtual machine that requires an integrity check; invoking the third-party trusted platform to perform an integrity check on the virtual machine; comparing an integrity check value with an integrity check value of the virtual machine that is stored on the security control platform; and sending an integrity check value comparison result to the management platform so that the management platform sends the integrity check value comparison result to the user equipment.

5. The method according to claim 1, wherein after invoking the third-party trusted platform to decapsulate the virtual machine that needs to be enabled, the method further comprises: detecting, by the security control platform using a virtual machine monitor, an access request of one or more other virtual machines for virtual storage data in the virtual machine; obtaining an identifier of the one or more other virtual machines that initiate the access request and an identifier of an application program; invoking the third-party trusted platform to decrypt the virtual storage data in the virtual machine when an access control policy table entry of the virtual machine comprises the identifier of the one or more other virtual machines and the identifier of the application program that are obtained; and sending decrypted virtual storage data to the one or more other virtual machines that initiate the access request.

6. The method according to claim 1, wherein the virtual machine starting request message further comprises an encapsulation key for the virtual machine that needs to be enabled, wherein after performing authentication on the user information, based on successful authentication, the method comprises decapsulating, by the security control platform, the virtual machine corresponding to the identifier of the virtual machine using the encapsulation key for the virtual machine that needs to be enabled, and wherein the encapsulation key is part of the virtual machine starting request message.

7. The method according to claim 1, wherein the security control platform comprises a trusted service domain (TSD), and wherein the third-party trusted platform comprises a trusted platform module (TPM) and a trusted cryptography module (TCM).

8. A security control platform, comprising: a processor, wherein the processor is configured to perform the following steps when running: receiving a virtual machine starting request message that is from user equipment and forwarded by a management platform, wherein the virtual machine starting request message comprises an identifier of a virtual machine that needs to be enabled and user information; invoking a third-party trusted platform to determine that the virtual machine starting request message is initiated by the user equipment according to an instruction of an authorized user; and invoking the third-party trusted platform to decapsulate the virtual machine that needs to be enabled after the user information is successfully authenticated, and, wherein invoking the third-party trusted platform to determine that the virtual machine starting request message is initiated by the user equipment according to the instruction of the authorized user comprises: invoking, by the security control platform, the third-party trusted platform to generate data encrypted using a key of the third-party trusted platform; sending the encrypted data to the user equipment using the management platform so that the user equipment decrypts the encrypted data using a private key provided by the third-party trusted platform for the authorized user, and returns decrypted data to the security control platform; and determining that the virtual machine starting request message is initiated by the user equipment according to the instruction of the authorized user when the decrypted data is the same as the data before the encryption.

9. The security control platform according to claim 8, wherein the processor is further configured to perform the following steps: invoking the third-party trusted platform to perform an integrity check on the virtual machine; and restricting enabling of the virtual machine when an integrity check value is inconsistent with an integrity check value o
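The start-authorization flow of claim 1 and the integrity gate of claim 2, simulated end to end as an added example; this is not code from the patent or from any Huawei product. The four parties are modelled as plain Python objects. Assumptions: the trusted platform's key is a toy textbook RSA pair (two Mersenne primes, no padding) standing in for TPM key operations, VM encapsulation is a SHA-256 keystream XOR standing in for TPM sealing, and the names TrustedPlatform, UserEquipment, SecurityControlPlatform and run_scenario are constructed. The example goes one step beyond the claim text by making the encrypted data a fresh random value per request, so that a response the management platform relayed for an earlier start does not authorize a later one.

```python
import hashlib
import secrets

# Toy RSA key of the third-party trusted platform (constructed assumption:
# Mersenne primes, e = 65537, no padding). D is the private key the trusted
# platform provides to the authorized user; the management platform and the
# security control platform never hold it.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def keystream(secret: bytes, length: int) -> bytes:
    # Toy sealing keystream (SHA-256 in counter mode), stand-in for TPM sealing.
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TrustedPlatform:
    """Holds the platform key material; only encrypt, seal and measure are exposed."""
    def __init__(self):
        self._seal_secret = secrets.token_bytes(32)

    def encrypt_challenge(self):
        # Fresh random data per request (assumption), encrypted with the platform key.
        plain = secrets.randbelow(N - 2) + 2
        return plain, pow(plain, E, N)

    def encapsulate(self, image: bytes) -> bytes:
        return xor(image, keystream(self._seal_secret, len(image)))

    def decapsulate(self, sealed: bytes) -> bytes:
        return xor(sealed, keystream(self._seal_secret, len(sealed)))

    @staticmethod
    def integrity_value(image: bytes) -> str:
        return hashlib.sha256(image).hexdigest()


class UserEquipment:
    def __init__(self, private_key: int):
        self._d = private_key

    def decrypt(self, cipher: int) -> int:
        return pow(cipher, self._d, N)


class SecurityControlPlatform:
    def __init__(self, tpm, users, sealed_vms, stored_integrity):
        self.tpm = tpm
        self.users = users                        # user id -> sha256(credential)
        self.sealed_vms = sealed_vms              # vm id -> encapsulated image
        self.stored_integrity = stored_integrity  # vm id -> expected integrity value
        self.pending = {}                         # request id -> (plaintext, vm id, user info)

    def handle_start_request(self, request_id, vm_id, user_info):
        # Claim 1: ask the trusted platform for encrypted data, keep the plaintext
        # here, and hand only the ciphertext to the management platform for relay.
        plain, cipher = self.tpm.encrypt_challenge()
        self.pending[request_id] = (plain, vm_id, user_info)
        return cipher

    def handle_challenge_response(self, request_id, decrypted):
        plain, vm_id, (user_id, credential) = self.pending.pop(request_id)
        if decrypted != plain:  # not initiated by the authorized user
            return "rejected: challenge mismatch"
        if self.users.get(user_id) != hashlib.sha256(credential).hexdigest():
            return "rejected: bad user information"
        image = self.tpm.decapsulate(self.sealed_vms[vm_id])
        # Claim 2: restrict enabling when the measured value differs from the stored one.
        if self.tpm.integrity_value(image) != self.stored_integrity[vm_id]:
            return "restricted: integrity mismatch"
        return "enabled"


def run_scenario(credential=b"correct-secret", tamper_vm=False, replay=False):
    """Constructed end-to-end run; returns the security control platform's decision."""
    tpm = TrustedPlatform()
    image = b"vm-image:web-frontend" * 4  # constructed stand-in for a VM image
    sealed = tpm.encapsulate(image)
    scp = SecurityControlPlatform(
        tpm,
        users={"alice": hashlib.sha256(b"correct-secret").hexdigest()},
        sealed_vms={"vm-1": sealed},
        stored_integrity={"vm-1": tpm.integrity_value(image)},
    )
    if tamper_vm:  # one bit of the sealed image changed at rest
        scp.sealed_vms["vm-1"] = sealed[:-1] + bytes([sealed[-1] ^ 0x01])
    ue = UserEquipment(D)
    cipher = scp.handle_start_request("req-1", "vm-1", ("alice", credential))
    response = ue.decrypt(cipher)  # travels back through the management platform
    if replay:
        scp.handle_challenge_response("req-1", response)  # first start completes
        scp.handle_start_request("req-2", "vm-1", ("alice", credential))
        return scp.handle_challenge_response("req-2", response)  # stale response reused
    return scp.handle_challenge_response("req-1", response)


if __name__ == "__main__":
    for kwargs in ({}, {"credential": b"wrong"}, {"tamper_vm": True}, {"replay": True}):
        print(kwargs, "->", run_scenario(**kwargs))
```

The management platform only ever sees the ciphertext on the way out and the recovered plaintext on the way back; without D it cannot produce the plaintext itself, and because the plaintext is fresh per request, reusing one it has seen fails the comparison. The integrity gate runs after decapsulation and before the VM is reported as enabled, which is the ordering claim 2 specifies.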

Assignees

Inventors

Classifications

  • G06F21/31 (primary)

    User authentication · CPC title

  • Electricity · mapped topic

  • Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy · CPC title

  • Hypervisors; Virtual machine monitors · CPC title

  • Configuration setting · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9698988B2 cover?
A security control platform receives a virtual machine starting request message that is from user equipment and forwarded by a management platform, where the virtual machine starting request message includes an identifier of a virtual machine that needs to be enabled and user information; invokes a third-party trusted platform to determine that the virtual machine starting request message is in…
Who is the assignee on this patent?
Huawei Tech Co Ltd
What technology area does this patent fall under?
Primary CPC classification G06F21/31. Mapped technology areas include Physics.
When was this patent published?
Publication date Jul 4, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).