CN111125791A - Memory data encryption method and device, CPU chip and server - Google Patents

Info

Publication number: CN111125791A
Authority: CN (China)
Application number: CN201911277424.1A
Other languages: Chinese (zh)
Other versions: CN111125791B (en)
Inventors: 冯浩, 应志伟
Assignee: Haiguang Information Technology Co Ltd
Legal status: Granted (Active)

Classifications

    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45583 Memory management, e.g. access or allocation
    • G06F2009/45587 Isolation or security of virtual machine instances

Abstract

The embodiment of the invention discloses a memory data encryption method and device, a CPU chip and a server, relates to the technical field of computers, and can effectively improve the migration performance of memory data. The method comprises the following steps: querying a predetermined flag bit of a target address, and determining according to the predetermined flag bit whether an address scrambling mode is turned on; if the address scrambling mode is turned on, encrypting, in the address scrambling mode, the target data to be written into the memory physical address corresponding to the target address; and if the address scrambling mode is not turned on, encrypting that target data in a non-address scrambling mode. The invention is suitable for the encryption of memory data.

Description

Memory data encryption method and device, CPU chip and server
Technical Field
The invention relates to the technical field of computers, in particular to a memory data encryption method and device, a CPU chip and a server.
Background
In order to improve the security of data encryption, address scrambling is introduced into memory encryption technology, so that even when the same plaintext data is encrypted with the same key, the ciphertexts still differ because the storage addresses differ.
However, because the ciphertext data then depends on its storage address, introducing the address scrambling function improves data security but also degrades the migration performance of the memory data.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for encrypting memory data, a CPU chip, and a server, which can effectively improve the migration performance of the memory data.
In a first aspect, an embodiment of the present invention provides a method for encrypting memory data, including: querying a predetermined flag bit of a memory physical address; determining, according to the predetermined flag bit, whether an address scrambling mode is turned on for data to be written into the memory; if it is determined that the address scrambling mode is turned on for the data to be written into the memory, encrypting the data to be written into the memory in the address scrambling mode; and if it is determined that the address scrambling mode is not turned on for the data to be written into the memory, encrypting the data to be written into the memory in a non-address scrambling mode.
Optionally, the querying the predetermined flag bit of the memory physical address includes: querying a predetermined flag bit of a physical address of a memory of the virtual machine; or querying a predetermined flag bit of a physical address of the host memory.
Optionally, the querying a predetermined flag bit of a physical address of a memory of the virtual machine includes: determining an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode; and if the operating mode is the virtual machine mode, querying a predetermined flag bit of a physical address of the memory of the virtual machine.
Optionally, the querying a predetermined flag bit of a physical address of a host memory includes: determining an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode; and if the operating mode is the host mode, querying a predetermined flag bit of a physical address of the host memory.
Optionally, before querying the predetermined flag bit of the physical address of the memory of the virtual machine, the method further includes: configuring the predetermined flag bit of the memory physical address of the virtual machine by the virtual machine running on the processor core.
Optionally, before querying the predetermined flag bit of the physical address of the host memory, the method further includes: configuring the predetermined flag bit of the host memory physical address by a host running on the processor core.
In a second aspect, an embodiment of the present invention further provides an apparatus for encrypting memory data, including: a query module, configured to query a predetermined flag bit of a memory physical address; a determining module, configured to determine, according to the predetermined flag bit, whether an address scrambling mode is turned on for the data to be written into the memory; and an encryption module, configured to encrypt the data to be written into the memory in the address scrambling mode if it is determined that the address scrambling mode is turned on for the data to be written into the memory, and to encrypt the data to be written into the memory in a non-address scrambling mode if it is determined that the address scrambling mode is not turned on for the data to be written into the memory.
Optionally, the query module includes: a first query unit, configured to query a predetermined flag bit of a physical address of a memory of the virtual machine; or a second query unit, configured to query a predetermined flag bit of a physical address of the host memory.
Optionally, the first query unit is specifically configured to: determine an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode; and if the operating mode is the virtual machine mode, query a predetermined flag bit of a physical address of the memory of the virtual machine.
Optionally, the second query unit is specifically configured to: determine an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode; and if the operating mode is the host mode, query a predetermined flag bit of a physical address of the host memory.
Optionally, the apparatus further includes a first configuration module, configured to configure, by a virtual machine running on the processor core, the predetermined flag bit of the physical address of the memory of the virtual machine before that predetermined flag bit is queried.
Optionally, the apparatus further includes a second configuration module, configured to configure, by a host running on the processor core, the predetermined flag bit of the host memory physical address before that predetermined flag bit is queried.
In a third aspect, an embodiment of the present invention further provides a CPU chip, including: at least one processor core, a scrambling switch module and an encryption module; the processor core is configured to send a memory physical address to the scrambling switch module; the scrambling switch module is configured to: query a predetermined flag bit of the memory physical address, and determine, according to the predetermined flag bit, whether an address scrambling mode is turned on for data to be written into the memory; the encryption module is configured to: if it is determined that the address scrambling mode is turned on for the data to be written into the memory, encrypt the data to be written into the memory in the address scrambling mode; and if it is determined that the address scrambling mode is not turned on for the data to be written into the memory, encrypt the data to be written into the memory in a non-address scrambling mode.
Optionally, the scrambling switch module is specifically configured to: query a predetermined flag bit of a physical address of a memory of the virtual machine; or query a predetermined flag bit of a physical address of the host memory.
Optionally, the scrambling switch module is specifically configured to: determine an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode; and if the operating mode is the virtual machine mode, query a predetermined flag bit of a physical address of the memory of the virtual machine.
Optionally, the scrambling switch module is specifically configured to: determine an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode; and if the operating mode is the host mode, query a predetermined flag bit of a physical address of the host memory.
Optionally, the processor core is further configured to configure, by the virtual machine running on the processor core, the predetermined flag bit of the memory physical address of the virtual machine before sending the memory physical address.
Optionally, the processor core is further configured to configure, by a host running on the processor core, the predetermined flag bit of the host memory physical address before sending the memory physical address.
In a fourth aspect, an embodiment of the present invention further provides a server, including: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in a space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is configured to supply power to each circuit or device of the server; the memory is configured to store executable program code; and the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute any one of the encryption methods provided by the embodiments of the present invention.
The memory data encryption method, encryption device, CPU chip and server provided by the embodiments of the present invention can query the predetermined flag bit of the memory physical address and determine, according to the predetermined flag bit, whether the address scrambling mode is turned on for the data to be written into the memory, thereby determining whether the data to be written into the memory is encrypted in the address scrambling mode. Therefore, when the data is not encrypted with address scrambling, it can be migrated quickly and conveniently, and the migration performance of the memory data is effectively improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art are briefly described below. It is obvious that the drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flowchart of a method for encrypting memory data according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a predetermined flag bit in the memory data encryption method according to an embodiment of the present invention;
Fig. 3 is another schematic structural diagram of a predetermined flag bit in the memory data encryption method according to an embodiment of the present invention;
Fig. 4 is a further schematic structural diagram of a predetermined flag bit in the memory data encryption method according to an embodiment of the present invention;
Fig. 5 is a detailed flowchart of a memory data encryption method according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of the host in which the virtual machine V1 is located in the memory data encryption method shown in Fig. 5;
Fig. 7 is a detailed flowchart of a memory data encryption method according to another embodiment of the present invention;
Fig. 8 is a schematic structural diagram of the host in the memory data encryption method shown in Fig. 7;
Fig. 9 is a schematic structural diagram of an encryption apparatus for memory data according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a CPU chip according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a server according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in Fig. 1, an embodiment of the present invention provides a method for encrypting memory data, including:
S11. Querying the predetermined flag bit of the memory physical address.
Optionally, the memory physical address may include a plurality of address bits, such as 32 bits, 64 bits, etc., which may be the same as the number of address bits supported by the processor core. In one embodiment of the present invention, the physical address of the memory can use the address bits to indicate at least two aspects of information, namely, storage location indication information of data to be written into the memory and indication information of an address scrambling switch. Optionally, in an embodiment of the present invention, a redundant bit in the physical address of the memory may be used as a predetermined flag bit, and a value of the predetermined flag bit indicates whether to turn on the address scrambling mode.
Optionally, in the embodiment of the present invention, the specific position of the predetermined flag bit in the memory physical address is not limited, and may be, for example, the highest bit, the second highest bit, a middle bit, the lowest bit, and the like. When the predetermined flag bit is the highest bit or the lowest bit of the memory physical address, the remaining address bits can be used directly as the storage location indication information of the data; when the predetermined flag bit is a middle bit of the memory physical address, the address bits on both sides of the middle bit can be spliced together, and the spliced address information is used as the storage location indication information of the data. The storage location indication information may indicate the storage location of the data in the memory either directly or indirectly.
S12. Determining, according to the predetermined flag bit, whether an address scrambling mode is turned on for the data to be written into the memory.
In this step, whether the address scrambling mode is enabled for the data to be written into the memory may be determined from the specific value of the predetermined flag bit. For example, when the predetermined flag bit has a first value, the address scrambling mode is turned off, and when the predetermined flag bit has a second value, the address scrambling mode is turned on. The first value may be, for example, 0, and the second value may be, for example, 1.
S13. If the address scrambling mode is turned on for the data to be written into the memory, encrypting the data to be written into the memory in the address scrambling mode; and if it is determined that the address scrambling mode is not turned on for the data to be written into the memory, encrypting the data to be written into the memory in a non-address scrambling mode.
In this step, if the address scrambling mode is turned on, the data to be written into the memory is encrypted in the address scrambling mode. That is, the address information is used as a scrambling item that is mixed with the data to be written into the memory or with the original encryption key, so that even if the plaintext data is the same, writing it to different memory physical addresses yields different ciphertexts, which greatly enhances data security.
Optionally, if the address scrambling mode is not turned on, the data to be written into the memory is encrypted in the non-address scrambling mode. That is, if the address scrambling mode is turned off, the target data written to the memory is not scrambled with the address information. The encryption algorithm is then the same for all data in the memory: if the plaintext data is the same, the ciphertext obtained by storing that plaintext at any position in the memory is the same. Therefore, because the address scrambling information is absent, the data in the memory can be decrypted uniformly at any place and at any time, which effectively improves the migration performance of the data.
The memory data encryption method provided by the embodiment of the present invention can query the predetermined flag bit of the memory physical address and determine, according to the predetermined flag bit, whether the address scrambling mode is turned on for the data to be written into the memory, thereby determining whether the data to be written into the memory is encrypted in the address scrambling mode. Therefore, when the data is not encrypted with address scrambling, it can be migrated quickly and conveniently, and the migration performance of the memory data is effectively improved.
In an embodiment of the present invention, the querying the predetermined flag bit of the memory physical address in step S11 may include: querying a predetermined flag bit of a physical address of a memory of the virtual machine; or querying a predetermined flag bit of a physical address of the host memory.
The physical address of the memory of the virtual machine can be configured by the operating system of the virtual machine, and the physical address of the memory of the host can be configured by the host. Which of the two is queried in step S11, the predetermined flag bit of the virtual machine memory physical address or the predetermined flag bit of the host memory physical address, may be determined by the operating mode of the processor core. If the processor core operates in the host mode, the memory physical address refers to a host physical address, that is, a real physical memory address, and therefore the predetermined flag bit of the host memory physical address may be queried in step S11; if the processor core operates in the virtual machine mode, the memory physical address refers to a virtual machine memory physical address, and therefore the predetermined flag bit of the virtual machine physical address may be queried in step S11.
Optionally, in an embodiment of the present invention, querying the predetermined flag bit of the physical address of the memory of the virtual machine may include: determining an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode; and if the operating mode is the virtual machine mode, querying a predetermined flag bit of a physical address of the memory of the virtual machine.
Further, before querying the predetermined flag bit of the physical address of the memory of the virtual machine, the memory data encryption method provided in the embodiment of the present invention may further include: configuring the predetermined flag bit of the memory physical address of the virtual machine by the virtual machine running on the processor core.
Optionally, as shown in fig. 2, in an embodiment of the present invention, the processor core operates in a virtual machine mode, and when data needs to be written into the memory, the virtual machine operating system may configure a predetermined flag bit T in a virtual machine physical address corresponding to the data to be 0 or 1, so as to indicate whether to turn on an address scrambling mode for the data by using the predetermined flag bit. For example, when the predetermined flag bit is configured to 0, it indicates that the address scramble mode is turned off, and when the predetermined flag bit is configured to 1, it indicates that the address scramble mode is turned on. Of course, in another embodiment of the present invention, it may be also possible that when the predetermined flag bit is configured to be 1, the address scrambling mode is turned off, and when the predetermined flag bit is configured to be 0, the address scrambling mode is turned on. Therefore, whether the address scrambling encryption is carried out on the memory data in the virtual machine operation mode can be flexibly controlled.
Further, when the processor core operates in the virtual machine mode, the predetermined flag bit of the target address may be configured according to actual needs, for example, the predetermined flag bit may be configured according to whether the virtual machine needs to be migrated. When the virtual machine needs to be migrated, the virtual machine running on the processor core can configure a predetermined flag bit of a physical address of a memory of the virtual machine to a first value; when the virtual machine does not need to be migrated, the virtual machine running on the processor core can configure the predetermined flag bit of the physical address of the memory of the virtual machine to be a second value; wherein the first value is different from the second value.
For example, in one embodiment of the present invention, if the virtual machine A1 is about to perform virtual machine migration, then when the virtual machine A1 needs to write data1 to the memory, the virtual machine A1 may configure the predetermined flag bit in the virtual machine memory physical address corresponding to data1 to a first value, which may be, for example, 1 or 0, so as to indicate that the address scrambling mode is to be turned off for data1. Therefore, data1 can be transmitted directly to the receiving end in the non-address scrambling encryption mode during the subsequent virtual machine migration, and because the encryption of data1 does not involve address information, the receiving end can correctly decrypt data1 using only the corresponding decryption key, thereby avoiding the extra encryption and decryption operations that address scrambling encryption would require and effectively improving the migration performance of the virtual machine.
Optionally, in another embodiment of the present invention, if data2 encrypted in the address scrambling mode is already stored in the memory when the virtual machine A2 needs to be migrated, the virtual machine A2 may read and decrypt the encrypted data2 from the memory, turn off the address scrambling mode by configuring the predetermined flag bit in the virtual machine physical address corresponding to data2, and then rewrite data2 into the memory in the non-address scrambling mode. Optionally, the rewritten data2 may overwrite the original data2, or may be stored at another address in the memory, which is not limited in the embodiment of the present invention. Because the virtual machine A2 runs on the processor core, its data reading, writing and decryption are far faster than a data decryption operation performed by external software during the virtual machine migration, and therefore the migration performance of the virtual machine can be effectively improved.
Optionally, in an embodiment of the present invention, querying the predetermined flag bit of the physical address of the host memory may include: determining an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode; and if the operating mode is the host mode, querying a predetermined flag bit of a physical address of the host memory.
Further, before querying the predetermined flag bit of the physical address in the host memory, the method may further include: configuring, by a host running on a processor core, the predetermined flag bit of a host memory physical address.
For example, as shown in fig. 3, in an embodiment of the present invention, when the processor core operates in the host mode, and data needs to be written into the memory, the host operating system may configure a predetermined flag bit T in a physical address of the host memory corresponding to the data to be 0 or 1, so as to indicate whether the address scrambling mode is turned on for the data by the predetermined flag bit. For example, when the predetermined flag bit is configured to 0, it indicates that the address scramble mode is turned off, and when the predetermined flag bit is configured to 1, it indicates that the address scramble mode is turned on. Of course, in another embodiment of the present invention, it may be also possible that when the predetermined flag bit is configured to be 1, the address scrambling mode is turned off, and when the predetermined flag bit is configured to be 0, the address scrambling mode is turned on. The embodiments of the present invention are not limited thereto. Therefore, whether the address scrambling encryption is carried out on the memory data in the host operation mode can be flexibly controlled.
It should be noted that, in the above embodiments, whether to turn on the address scrambling mode is determined by a predetermined flag bit in the virtual machine memory physical address or in the host machine memory physical address, but the embodiments of the present invention are not limited thereto. In other embodiments of the present invention, other indication bits, such as an encryption indication bit, may also be set in the virtual machine memory physical address or the host machine memory physical address to indicate whether to encrypt the data written to the address. For example, as shown in fig. 4, in an embodiment of the present invention, the highest bit of the virtual machine memory physical address is set as the encryption indicating bit C, and the second highest bit of the virtual machine memory physical address is set as the address scrambling indicating bit T. When C is 1 and T is 1, the data is subjected to address scrambling encryption, when C is 1 and T is 0, the data is subjected to encryption without address scrambling, and when C is 0, the data is not encrypted regardless of the value of T.
The following describes in detail an encryption method for memory data according to an embodiment of the present invention with reference to specific embodiments.
Processor core running in virtual machine mode
Fig. 5 is a flowchart of a memory data encryption method in an embodiment of the present invention, and as shown in fig. 5, the memory data encryption method provided in the embodiment of the present invention may include:
s201, the virtual machine V1 learns to migrate the data in the virtual machine V1 to the virtual machine V2, wherein the hardware structure of the host where the virtual machine V1 is located can be as shown in FIG. 6.
S202, the virtual machine V1 generates a write memory operation command so as to write the target data2 in the host memory physical address corresponding to the virtual machine memory physical address addr 2.
S203, the virtual machine V1 configures a predetermined flag bit T, for example, the second highest bit in the virtual machine physical address addr2, for example, configures the second highest bit T as 0, so as to close the address scrambling mode.
S204, the processor core1 where the virtual machine V1 is located sends the virtual machine internal physical address addr2, the host machine memory physical address addr3 corresponding to the virtual machine memory physical address addr2 and the running mode of the processor core to the scrambling switch module.
S205, the scrambling switch module determines that the current processor core operates in a virtual machine mode according to the operation mode of the processor core, and identifies that the predetermined flag bit T in the virtual machine physical address addr2 is 0.
S206, the scrambling switch module closes the address scrambling mode according to the value of the preset zone bit T;
s207, sending the plaintext data to an encryption module by a processor core corel where the virtual machine V1 is located;
s208, the encryption module encrypts the target data2 by using a non-address scrambling mode to generate ciphertext data 3.
S209, when the virtual machine V1 is migrated, the ciphertext data3 is transmitted to the virtual machine V2.
Processor operating in host mode
Fig. 7 is a detailed flowchart of a memory data encryption method in an embodiment of the present invention, and as shown in fig. 7, the memory data encryption method provided in the embodiment of the present invention may include:
S301, the host generates a memory write operation command so as to write the target data5 into the host memory physical address addr5, wherein the hardware structure of the host can be as shown in FIG. 8.
S302, the host configures a predetermined flag bit T, for example the second highest bit, in the host memory physical address addr5; for example, it configures the second highest bit T as 0 so as to turn off the address scrambling mode.
S303, the processor core core2 where the host is located sends the host memory physical address addr5 and the operating mode of the processor core to the scrambling switch module.
S304, the scrambling switch module determines from the operating mode that the processor core is currently operating in the host mode, and identifies that the predetermined flag bit T in the host memory physical address addr5 is 0.
S305, the scrambling switch module turns off the address scrambling mode according to the value of the predetermined flag bit T;
S306, the processor core core2 where the host is located sends the plaintext data5 to the encryption module;
S307, the encryption module encrypts the target data5 in the non-address scrambling mode to generate ciphertext data6.
Correspondingly, as shown in fig. 9, an embodiment of the present invention further provides an encryption apparatus for memory data, comprising: a query module 41, configured to query a predetermined flag bit of a memory physical address; a determining module 42, configured to determine, according to the predetermined flag bit, whether an address scrambling mode is enabled for data to be written into the memory; and an encryption module 43, configured to encrypt the data to be written into the memory by adopting the address scrambling mode if it is determined that the address scrambling mode is enabled for that data, and to encrypt the data to be written into the memory by adopting a non-address scrambling mode if it is determined that the address scrambling mode is not enabled for that data.
The encryption method for memory data provided by the embodiment of the present invention queries the predetermined flag bit of the memory physical address and determines, according to that flag bit, whether the address scrambling mode is enabled for the data to be written into the memory, and thereby whether the data is encrypted by adopting the address scrambling mode. Therefore, when the data is not encrypted by address scrambling, its ciphertext does not depend on the physical address at which it was written, so the data can be transferred quickly and conveniently, and the transfer performance of the memory data is effectively improved.
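The decision logic of figs. 3 to 8 (the C and T bits, the mode-dependent choice of which address carries them, and the two write flows S201-S209 and S301-S307) together with the migration rationale above, as an added worked example that is not part of the patent and not code from Haiguang: a C model of the scrambling switch module and the encryption module. The 48-bit address width, the placement of C and T in the two highest bits of both the virtual machine and the host physical address, the use of the flag-stripped host physical address as the cipher tweak, the toy Feistel cipher and the function names (`scramble_switch`, `mem_encrypt`, `mem_decrypt`, `migrate_ok`) are assumptions made here for illustration; the patent specifies none of them. `migrate_ok` copies the ciphertext produced at one host physical address to a different one, as a migration like S209 would, and decrypts it there.

```c
#include <stdint.h>
#include <stdbool.h>

/*
 * Added example modelling the patent's scrambling switch and encryption
 * modules.  Address width, flag-bit layout, tweak choice and the toy cipher
 * are assumptions for illustration, not the patent's design.
 */

typedef enum { MODE_HOST = 0, MODE_VM = 1 } core_mode_t;
typedef enum { ENC_NONE = 0, ENC_PLAIN = 1, ENC_SCRAMBLED = 2 } enc_mode_t;

#define PA_BITS 48ULL                        /* assumed physical address width */
#define C_BIT   (1ULL << (PA_BITS - 1))      /* encryption indication bit C (fig. 4) */
#define T_BIT   (1ULL << (PA_BITS - 2))      /* address scrambling indication bit T */
#define PA_MASK (T_BIT - 1)                  /* address with the indication bits stripped */

/* Scrambling switch module: in VM mode the flags are read from the VM memory
 * physical address, in host mode from the host memory physical address. */
enc_mode_t scramble_switch(core_mode_t mode, uint64_t vm_pa, uint64_t host_pa)
{
    uint64_t flagged = (mode == MODE_VM) ? vm_pa : host_pa;
    if ((flagged & C_BIT) == 0)
        return ENC_NONE;                     /* C = 0: no encryption regardless of T */
    return (flagged & T_BIT) ? ENC_SCRAMBLED : ENC_PLAIN;
}

/* splitmix64 finaliser, used as the round function of a toy 64-bit Feistel
 * cipher.  Stand-in for a real block cipher; it has no security value. */
static uint64_t mix64(uint64_t x)
{
    x += 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

#define ROUNDS 8

static uint32_t round_fn(uint32_t half, uint64_t rk)
{
    return (uint32_t)mix64(((uint64_t)half << 32) ^ rk);
}

/* Round keys from the memory key and a tweak.  With address scrambling the
 * tweak is the flag-stripped host physical address, so a block's ciphertext
 * depends on where it sits; without it the tweak is zero and the same
 * plaintext block encrypts identically at every address. */
static void round_keys(uint64_t key, uint64_t tweak, uint64_t rk[ROUNDS])
{
    for (int i = 0; i < ROUNDS; i++)
        rk[i] = mix64(key ^ mix64(tweak) ^ (uint64_t)i);
}

static uint64_t feistel(uint64_t block, const uint64_t rk[ROUNDS], bool decrypt)
{
    uint32_t l = (uint32_t)(block >> 32), r = (uint32_t)block;
    for (int i = 0; i < ROUNDS; i++) {
        int k = decrypt ? ROUNDS - 1 - i : i;   /* reverse key order to invert */
        if (!decrypt) { uint32_t t = r; r = l ^ round_fn(r, rk[k]); l = t; }
        else          { uint32_t t = l; l = r ^ round_fn(l, rk[k]); r = t; }
    }
    return ((uint64_t)l << 32) | r;
}

/* Encryption module: one 64-bit block written to host physical address host_pa. */
uint64_t mem_encrypt(uint64_t key, enc_mode_t mode, uint64_t host_pa, uint64_t data)
{
    if (mode == ENC_NONE) return data;
    uint64_t rk[ROUNDS];
    round_keys(key, mode == ENC_SCRAMBLED ? (host_pa & PA_MASK) : 0, rk);
    return feistel(data, rk, false);
}

uint64_t mem_decrypt(uint64_t key, enc_mode_t mode, uint64_t host_pa, uint64_t data)
{
    if (mode == ENC_NONE) return data;
    uint64_t rk[ROUNDS];
    round_keys(key, mode == ENC_SCRAMBLED ? (host_pa & PA_MASK) : 0, rk);
    return feistel(data, rk, true);
}

/* Migration check: ciphertext produced at src_pa is copied verbatim to dst_pa
 * and decrypted there.  True if the plaintext is recovered without re-encryption. */
bool migrate_ok(uint64_t key, enc_mode_t mode, uint64_t src_pa, uint64_t dst_pa, uint64_t data)
{
    uint64_t ct = mem_encrypt(key, mode, src_pa, data);
    return mem_decrypt(key, mode, dst_pa, ct) == data;
}

int main(void)
{
    /* Constructed values replaying S202-S209: addr2 carries C = 1, T = 0. */
    const uint64_t key      = 0x0123456789ABCDEFULL;
    const uint64_t addr2    = C_BIT | 0x0000000040001000ULL;  /* VM memory PA */
    const uint64_t addr3    = 0x00000001A0001000ULL;          /* host PA backing addr2 on V1's host */
    const uint64_t addr3dst = 0x00000002C0003000ULL;          /* host PA chosen for it on V2's host */
    enc_mode_t m = scramble_switch(MODE_VM, addr2, addr3);    /* ENC_PLAIN */
    return migrate_ok(key, m, addr3, addr3dst, 0xDEADBEEFCAFEF00DULL) ? 0 : 1;
}
```

Setting T in addr2 to 1 before the switch decision makes the same `migrate_ok` call fail, which is the cost the patent avoids for data that is about to move: address-scrambled ciphertext is bound to its host physical address and must be decrypted and re-encrypted at the destination. A real memory encryption engine would use a block cipher tweaked by the physical address in the scrambled mode; the toy cipher here only reproduces that dependence.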
Optionally, the query module 41 may include: a first query unit, configured to query a predetermined flag bit of a virtual machine memory physical address; or, a second query unit, configured to query a predetermined flag bit of a host memory physical address.
Optionally, the first query unit may be specifically configured to: determine an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode; and if the operating mode is the virtual machine mode, query the predetermined flag bit of the virtual machine memory physical address.
Optionally, the second query unit may be specifically configured to: determine an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode; and if the operating mode is the host mode, query the predetermined flag bit of the host memory physical address.
Optionally, the encryption apparatus may further include a first configuration module, configured to configure, by a virtual machine running on the processor core, a predetermined flag bit of the virtual machine memory physical address before querying the predetermined flag bit of the virtual machine memory physical address.
Optionally, the encryption apparatus may further include a second configuration module, configured to configure the predetermined flag bit of the host memory physical address by a host running on the processor core before querying the predetermined flag bit of the host memory physical address.
In a third aspect, as shown in fig. 10, an embodiment of the present invention further provides a CPU chip 5, including: at least one processor core 51, a scrambling switch module 52 and an encryption module 53.
The processor core 51 may be configured to send a memory physical address to the scrambling switch module.
The scrambling switch module 52 may be configured to: query a predetermined flag bit of the memory physical address; and determine, according to the predetermined flag bit, whether an address scrambling mode is enabled for the data to be written into the memory.
The encryption module 53 may be configured to: if it is determined that the address scrambling mode is enabled for the data to be written into the memory, encrypt the data to be written into the memory by adopting the address scrambling mode; and if it is determined that the address scrambling mode is not enabled for the data to be written into the memory, encrypt the data to be written into the memory by adopting a non-address scrambling mode.
Optionally, the scrambling switch module 52 may be specifically configured to: query a predetermined flag bit of a virtual machine memory physical address; or query a predetermined flag bit of a host memory physical address.
Optionally, the scrambling switch module 52 may be specifically configured to: determine an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode; and if the operating mode is the virtual machine mode, query the predetermined flag bit of the virtual machine memory physical address.
Optionally, the scrambling switch module 52 may be specifically configured to: determine an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode; and if the operating mode is the host mode, query the predetermined flag bit of the host memory physical address.
Optionally, the processor core 51 is further configured to configure the predetermined flag bit of the memory physical address of the virtual machine by the virtual machine running on the processor core before sending the memory physical address.
Optionally, the processor core 51 is further configured to configure the predetermined flag bit of the host memory physical address by a host running on the processor core 51 before sending the memory physical address.
Optionally, a memory controller may be further included in the CPU chip, and the scrambling switch module 52 and the encryption module 53 may be located in the memory controller or located outside the memory controller.
Accordingly, as shown in fig. 11, a server provided in an embodiment of the present invention may include: a housing 61, a processor 62, a memory 63, a circuit board 64 and a power supply circuit 65, wherein the circuit board 64 is arranged inside the space enclosed by the housing 61, and the processor 62 and the memory 63 are arranged on the circuit board 64; the power supply circuit 65 is configured to supply power to each circuit or device of the server; the memory 63 is configured to store executable program code; and the processor 62 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 63, so as to perform any one of the memory data encryption methods provided in the foregoing embodiments.
It is noted that, herein, relational terms such as first and second, and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. An element defined by the phrase "comprising a ..." does not, without further limitation, exclude the existence of additional identical elements in the process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (19)

1. A method for encrypting memory data, characterized by comprising the following steps:
querying a predetermined flag bit of a memory physical address;
determining, according to the predetermined flag bit, whether an address scrambling mode is enabled for data to be written into the memory;
if it is determined that the address scrambling mode is enabled for the data to be written into the memory, encrypting the data to be written into the memory by adopting the address scrambling mode;
and if it is determined that the address scrambling mode is not enabled for the data to be written into the memory, encrypting the data to be written into the memory by adopting a non-address scrambling mode.
2. The encryption method according to claim 1, wherein said querying the predetermined flag bit of the memory physical address comprises:
querying a predetermined flag bit of a virtual machine memory physical address; or,
querying a predetermined flag bit of a host memory physical address.
3. The encryption method according to claim 2, wherein said querying the predetermined flag bit of the virtual machine memory physical address comprises:
determining an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode;
and if the operating mode is the virtual machine mode, querying the predetermined flag bit of the virtual machine memory physical address.
4. The encryption method according to claim 2 or 3, wherein before querying the predetermined flag bit of the virtual machine memory physical address, the method further comprises:
configuring the predetermined flag bit of the virtual machine memory physical address by the virtual machine running on the processor core.
5. The encryption method according to claim 2, wherein said querying the predetermined flag bit of the host memory physical address comprises:
determining an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode;
and if the operating mode is the host mode, querying the predetermined flag bit of the host memory physical address.
6. The encryption method according to claim 2 or 5, wherein before querying the predetermined flag bit of the host memory physical address, the method further comprises:
configuring the predetermined flag bit of the host memory physical address by the host running on the processor core.
7. An apparatus for encrypting memory data, comprising:
a query module, configured to query a predetermined flag bit of a memory physical address;
a determining module, configured to determine, according to the predetermined flag bit, whether an address scrambling mode is enabled for data to be written into the memory;
an encryption module, configured to encrypt the data to be written into the memory by adopting the address scrambling mode if it is determined that the address scrambling mode is enabled for the data to be written into the memory; and to encrypt the data to be written into the memory by adopting a non-address scrambling mode if it is determined that the address scrambling mode is not enabled for the data to be written into the memory.
8. The encryption apparatus according to claim 7, wherein the query module comprises:
a first query unit, configured to query a predetermined flag bit of a virtual machine memory physical address; or,
a second query unit, configured to query a predetermined flag bit of a host memory physical address.
9. The encryption apparatus according to claim 8, wherein the first query unit is specifically configured to:
determine an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode;
and if the operating mode is the virtual machine mode, query the predetermined flag bit of the virtual machine memory physical address.
10. The encryption apparatus according to claim 8 or 9, further comprising a first configuration module, configured to configure the predetermined flag bit of the virtual machine memory physical address by the virtual machine running on the processor core before the predetermined flag bit of the virtual machine memory physical address is queried.
11. The encryption apparatus according to claim 8, wherein the second query unit is specifically configured to:
determine an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode;
and if the operating mode is the host mode, query the predetermined flag bit of the host memory physical address.
12. The encryption apparatus according to claim 8 or 11, further comprising a second configuration module, configured to configure the predetermined flag bit of the host memory physical address by the host running on the processor core before the predetermined flag bit of the host memory physical address is queried.
13. A CPU chip, comprising: at least one processor core, a scrambling switch module and an encryption module;
the processor core is configured to send a memory physical address to the scrambling switch module;
the scrambling switch module is configured to: query a predetermined flag bit of the memory physical address, and determine, according to the predetermined flag bit, whether an address scrambling mode is enabled for data to be written into the memory;
the encryption module is configured to: if it is determined that the address scrambling mode is enabled for the data to be written into the memory, encrypt the data to be written into the memory by adopting the address scrambling mode; and if it is determined that the address scrambling mode is not enabled for the data to be written into the memory, encrypt the data to be written into the memory by adopting a non-address scrambling mode.
14. The CPU chip according to claim 13, wherein the scrambling switch module is specifically configured to: query a predetermined flag bit of a virtual machine memory physical address; or query a predetermined flag bit of a host memory physical address.
15. The CPU chip according to claim 14, wherein the scrambling switch module is specifically configured to:
determine an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode;
and if the operating mode is the virtual machine mode, query the predetermined flag bit of the virtual machine memory physical address.
16. The CPU chip according to claim 14 or 15, wherein the processor core is further configured to configure the predetermined flag bit of the virtual machine memory physical address by a virtual machine running on the processor core before sending the memory physical address.
17. The CPU chip according to claim 14, wherein the scrambling switch module is specifically configured to:
determine an operating mode of a processor core, wherein the operating mode comprises a host mode or a virtual machine mode;
and if the operating mode is the host mode, query the predetermined flag bit of the host memory physical address.
18. The CPU chip according to claim 14 or 17, wherein the processor core is further configured to configure the predetermined flag bit of the host memory physical address by a host running on the processor core before sending the memory physical address.
19. A server, comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside a space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is configured to supply power to each circuit or device of the server; the memory is configured to store executable program code; and the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the method of any one of claims 1-6.
CN201911277424.1A 2019-12-11 2019-12-11 Memory data encryption method and device, CPU chip and server Active CN111125791B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911277424.1A CN111125791B (en) 2019-12-11 2019-12-11 Memory data encryption method and device, CPU chip and server

Publications (2)

Publication Number Publication Date
CN111125791A true CN111125791A (en) 2020-05-08
CN111125791B CN111125791B (en) 2023-08-29

Family

ID=70498516

Country Status (1)

Country Link
CN (1) CN111125791B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112099901A (en) * 2020-08-17 2020-12-18 海光信息技术有限公司 Method and device for configuring virtual machine memory data encryption mode and CPU chip
CN112099901B (en) * 2020-08-17 2022-10-11 海光信息技术股份有限公司 Method and device for configuring virtual machine memory data encryption mode and CPU chip

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH06133314A (en) * 1992-09-03 1994-05-13 Matsushita Electric Ind Co Ltd Video signal secreting processor
CN103154963A (en) * 2010-10-05 2013-06-12 惠普发展公司,有限责任合伙企业 Scrambling an address and encrypting write data for storing in a storage device
CN108073353A (en) * 2016-11-15 2018-05-25 华为技术有限公司 A kind of method and device of data processing
CN110309678A (en) * 2019-06-28 2019-10-08 兆讯恒达微电子技术(北京)有限公司 A kind of scrambled method of memory

Also Published As

Publication number Publication date
CN111125791B (en) 2023-08-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 300 000 Tianjin Binhai New Area Tianjin Huayuan Industrial Zone No. 18 Haitai West Road North 2-204 industrial incubation-3-8
Applicant after: Haiguang Information Technology Co.,Ltd.
Address before: 300 000 Tianjin Binhai New Area Tianjin Huayuan Industrial Zone No. 18 Haitai West Road North 2-204 industrial incubation-3-8
Applicant before: HAIGUANG INFORMATION TECHNOLOGY Co.,Ltd.
GR01 Patent grant