基于TEE的可信存储系统设计与实现

在对当前主流可信存储系统的分析和研究的基础上,设计并实现了符合GP标准,同时满足多种安全存储特性的可信存储系统(TSS). TSS不仅能对数据进行授权加密、保证数据的完整性和一致性,同时还提供了很多其他安全存储特性(如持久存储对象的原子操作).为了改善大数据读写性能,提出了一种在REE的内核空间中动态申请连续内存并通过通信管道将该连续物理内存映射到TEE中的方法.这种方法可以有效地减少TEE和REE之间的切换次数、内存申请次数及内存的拷贝负载.实验数据显示,与其他相关可信存储系统相比,TSS有8%到10%的性能提升.

Design and Implement of TEE-Based Trusted Storage System

Based on the analysis of currently mainstream trusted storage system(TSS), we design and implement a trusted execution environment(TEE)-based TSS, which conforms to Global Platform(GP)standard. Our TSS provides not only authorized encryption,the integrity and consistency of data, but also many security storage operation properties such as atomicity operations of persistent object. In order to improve the read/write performance of big data, a new method is proposed for dynamically allocating continuous memory in REE’s kernel memory space and mapping the address to the TEE through communication pipe. This method can reduce switching times, allocating memory times and copy memory overloads between two worlds. The experiments show that our system has an 8% to 10% performance improvement compared with related trusted storage systems.