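As society's demand for data privacy protection grows, privacy-preserving computation, and confidential computing in particular, has become a focus of the technology field. This book concentrates on confidential computing, especially the core concepts, implementation principles, and practical application cases of confidential virtualization. It is divided into four parts: Basic Concepts, Architecture and Implementation, Practical Cases, and Future Outlook. The Basic Concepts part introduces the data security and privacy protection requirements of cloud computing, and discusses the basic concepts and technical evolution of privacy-preserving computation, confidential computing in particular. The Architecture and Implementation part focuses on confidential virtualization: it analyzes the background from which it emerged and its typical technical implementations, and uses Intel's TDX technology as the example for an in-depth look at its microarchitecture, instruction set, and system software implementation. The Practical Cases part dissects concrete cases to examine how confidential computing is applied in cloud business scenarios and what benefits it brings, covering artificial intelligence, large models, databases, and other fields. The Future Outlook part looks ahead to the directions and opportunities for confidential computing from the perspectives of technology, ecosystem, and standards.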
Table of Contents
Chapter 1 Data Security and Privacy Protection
1.1 Opportunities Brought by Digital Development
1.1.1 The Value of Digitalization
1.1.2 Domestic Digital Development Strategy
1.1.3 Digital Development Strategies of Countries Worldwide
1.2 Challenges Facing Data Security
1.2.1 The Importance of Data Privacy Protection
1.2.2 The Impact of Data Security
1.2.3 Security Across the Data Lifecycle
1.3 Privacy Protection Technologies
1.3.1 Basic Concepts of Privacy Protection Technologies
1.3.2 Basic Classification of Privacy Protection Technologies
1.3.3 Comparison of the Technologies
Chapter 2 Confidential Computing in Cloud Computing
2.1 Cloud Computing and Data Security Requirements
2.1.1 Data Security in Cloud Deployments
2.1.2 Protection Across the Full Data Lifecycle
2.2 Evolution of Confidential Computing Technology
2.2.1 Definition of Confidential Computing
2.2.2 Development History and Current State
Part 2 Architecture and Implementation
Chapter 3 Confidential Computing Technology
3.1 The Emergence of Trusted Execution Environment Technology
3.2 Protection Domains and Attack Models
3.3 Overview of Confidential Computing and Trusted Execution Environment Technologies
3.3.1 ARM Architecture
3.3.2 x86 Architecture
3.3.3 RISC-V Architecture
3.3.4 Feature Differences
3.4 Confidential Virtualization
Chapter 4 Confidential Virtualization Architecture and Implementation
4.1 Microarchitecture
4.1.1 Threat Model
4.1.2 Architecture Design
4.1.3 TCB Composition
4.1.4 Memory Protection Mechanisms
4.2 Instruction Set
4.2.1 Instruction Set
4.2.2 Metadata Management
4.2.3 Memory Management
4.2.4 Processor Virtualization
4.2.5 Service Trust Domains
4.2.6 Measurement and Attestation
4.3 Virtualization Software
4.3.1 Virtualization Principles
4.3.2 Virtual Machine Software Implementation
4.3.3 Virtual Machine Monitor Implementation
4.4 I/O Device Virtualization
4.4.1 Traditional I/O Devices
4.4.2 TEE-I/O Devices
4.4.3 TEE-I/O Security Model
4.4.4 TEE-I/O Device Attestation
Chapter 5 Exploring Advanced Features
5.1 Remote Attestation
5.1.1 Generating Trust Domain Measurement Information
5.1.2 Generating Trust Domain Quotes
5.1.3 Measurement Reports and Their Generation
5.1.4 Trust Domain Quote Data Structure
5.1.5 Trust Domain Quote Verification
5.2 Live Migration
5.2.1 Live Migration Flow
5.2.2 State and Data Migration
5.3 Nested Virtualization
5.4 Online TCB Upgrade
5.5 Memory Integrity
Chapter 6 Software Forms of Confidential Virtualization
6.1 Confidential Virtual Machines
6.1.1 Principles of Virtualization Technology
6.1.2 Concepts and Development of Confidential Virtual Machine Technology
6.1.3 Security Mechanisms
6.1.4 I/O Data Protection
6.2 Confidential Containers
6.2.1 Container Runtime Security
6.2.2 Confidential Container Architecture
6.2.3 Main Features
6.3 Secure Operating Systems
6.3.1 Operating System Security
6.3.2 Asterinas (星绽) Operating System Kernel
6.3.3 Building a Secure Operating System on Confidential Computing
6.4 The TDX System Software Stack
6.4.1 Basic Components
6.4.2 Linux Distribution Support
Part 3 Practical Cases
Chapter 7 Federated Learning
7.1 Introduction to Federated Learning
7.2 Combining Confidential Computing with Federated Learning
7.3 A Horizontal Federated Learning Scheme
Chapter 8 Trusted Large Models
8.1 Building Secure and Trusted Large Models
8.1.1 Data Security Risks of Large Models
8.1.2 How Confidential Computing Helps Build Trusted Large Models
8.2 Application Scenarios for Trusted Large Models
8.3 Case Studies of Encrypted-State Computing Platforms for Large Models
8.3.1 TrustFlow
8.3.2 Ant Confidential Computing (蚂蚁密算) Large Model Service
Chapter 9 Cloud Databases
9.1 Cloud Databases and Data Security
9.2 Fully Encrypted Databases
9.3 Typical Cases
9.3.1 Yaochi (瑶池) Fully Encrypted Database
9.3.2 EdgelessDB
9.3.3 Gauss (高斯) Encrypted Database
Chapter 10 Blockchain
10.1 Blockchain Technology
10.2 Challenges for Blockchain Applications
10.3 Typical Cases
10.3.1 Azure Confidential Ledger
10.3.2 Ant Privacy-Preserving Contract Chain
10.3.3 Confidential Computing in Privacy-Focused Public Chains
Chapter 11 Heterogeneous Computing
11.1 Heterogeneous Computing and Its Security Challenges
11.1.1 Heterogeneous Computing
11.1.2 Analysis of Advantages
11.1.3 Security Challenges
11.2 Heterogeneous Confidential Computing
11.2.1 Development History
11.2.2 Commercial Confidential Computing GPUs
11.3 Application Cases
11.3.1 Remote Attestation in Heterogeneous Computing
11.3.2 Building Confidential AI Training
Chapter 12 Remote Attestation Services
12.1 MAA
12.1.1 MAA Overview
12.1.2 MAA Application Cases
12.2 ITA
12.2.1 ITA Architecture
12.2.2 ITA Application Cases
Part 4 Future Outlook
Chapter 13 Continued Improvement of Security Protection
13.1 Improving Side-Channel Defenses
13.2 Strengthening Trustworthiness
13.2.1 Main Limitations
13.2.2 Development Directions
13.2.3 Applications of Zero-Knowledge Proofs
13.3 Coordinated Protection for Heterogeneous Computing
Chapter 14 Coordinated Development of the Ecosystem
14.1 Regulatory and Supervisory Framework
14.1.1 Privacy Protection Legislation
14.1.2 Building a Framework for Cross-Border Data Flows
14.2 Convergence of Multiple Technologies
14.2.1 Convergence with Privacy-Preserving Computation
14.2.2 Software Supply Chain Security
14.3 Standardization Ecosystem
References
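Basic information | |
---|---|
Publisher | Publishing House of Electronics Industry (电子工业出版社) |
ISBN | 9787121511066 |
Barcode | 9787121511066 |
Editor | 宋川 (author) |
Translator | -- |
Publication date | 2025-08-01 00:00:00.0 |
Format | Other |
Binding | Paperback |
Pages | 252 |
Word count | 353 |
Edition | 1 |
Printing | 1 |
Paper | Standard offset paper |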