KR102560696B1 - Storage device performing access authority control and Operating method thereof - Google Patents

Abstract

A storage device that performs access authority control and an operating method thereof are disclosed. A storage device according to one aspect of the technical concept of the present disclosure includes a plurality of cell blocks, and the plurality of cell blocks are classified into a plurality of namespaces and in response to a setting command from a host. At least one first information is extracted by storing security information related to access rights to namespaces, decoding a data access request provided from the host, and comparing the security information with the extracted at least one first information. and a controller that stops processing of the data access request, wherein the security information stored in the controller includes virtual machine information representing first to Nth virtual machines created in the host, and the first to Nth virtual machines. It is characterized in that it includes mapping information between unique information uniquely set for virtual machines.

Description

Storage device performing access authority control and operating method thereof

The technical idea of the present disclosure relates to a storage device, and more particularly, to a storage device that performs access authority control in response to a data access request from a host and an operation method thereof.

An example of a storage device based on a flash memory device is a solid state drive (SSD). Interfaces used in storage systems such as SSDs include Serial ATA (SATA), Peripheral Component Interconnect Express (PCIe), Serial Attached SCSI (SAS), Compute Express Link (CXL), and Non-Volatile Memory Express (NVMe). An interface based on the PCIe bus such as is being proposed.

Meanwhile, the storage device may be shared by a plurality of hosts, and each host may drive a plurality of virtual machines (VMs), and the plurality of virtual machines may share the storage device. As an example, a storage medium of a storage device may include a plurality of NameSpaces, and different virtual machines may have access rights to different NameSpaces. At this time, since the storage device does not adopt a security policy capable of blocking malicious access attempts that do not have normal access rights, the security of user data may be degraded.

An object to be solved by the technical idea of the present invention is to provide a storage device capable of blocking malicious access attempts that do not have normal access rights by employing a security policy in the storage device and an operation method thereof.

In order to achieve the above object, a storage device according to an aspect of the technical idea of the present disclosure includes a plurality of cell blocks, and the plurality of cell blocks are classified into a plurality of namespaces and are transmitted from a storage device and a host. Stores security information related to access rights to the plurality of namespaces in response to a setting command of, extracts at least one first information by decoding a data access request provided from the host, and extracts the security information and the extraction and a controller for stopping the processing of the data access request by comparing at least one piece of first information obtained by the host, wherein the security information stored in the controller includes virtual machine information indicating first through Nth virtual machines generated in the host. and mapping information between unique information uniquely set for the first to Nth virtual machines.

Meanwhile, a method of operating a storage device according to an aspect of the technical idea of the present disclosure includes receiving a setting command from a host, and in response to the setting command, each of first to Nth virtual machines created in the host. Storing security information including virtual machine information for each virtual machine, a memory address indicating a location of an input/output queue in a host memory allocated to each virtual machine, and a namespace ID indicating a namespace associated with the virtual machine; and and selectively stopping processing of the read request by comparing information extracted by decoding the read request with the security information when a read request is received from the read request.

Meanwhile, a host according to an aspect of the technical idea of the present disclosure includes first to Nth virtual machines generating a read request for accessing a plurality of namespaces through independent paths according to virtualization technology, and the first to Nth virtual machines, and the first to Nth virtual machines. Management of creation of a host memory including a plurality of I/O queues allocated to the Nth virtual machines and the first through Nth virtual machines, and allocation of the I/O queues of the host memory to the first through Nth virtual machines. and a virtual machine manager for performing a setting command, virtual machine information for each of the first through Nth virtual machines, a memory address indicating a location of the input/output queue allocated to each virtual machine, and It is characterized in that security information including a namespace ID indicating an associated namespace is transmitted to the storage device.

According to the storage device and its operating method of the technical idea of the present invention, security information for a plurality of virtual machines can be set in the storage device, and malicious access is attempted by hijacking a specific virtual machine by using the security information. There is an effect of strengthening user data security by stopping the processing of access requests.

In addition, according to the storage device and its operating method of the technical concept of the present invention, determination of access rights to namespaces by a very large number of virtual machines created on the host can be performed on the storage device side, so that the host's work The load can be reduced and the performance of the data processing system can be improved.

1 is a block diagram illustrating a data processing system according to an exemplary embodiment of the present invention.
2 is a block diagram illustrating a data processing system to which virtualization technology is applied according to an exemplary embodiment of the present disclosure.
3 is a block diagram illustrating an implementation example of a controller according to an exemplary embodiment of the present disclosure.
Fig. 4 is a block diagram illustrating a concrete implementation of a data processing system according to an exemplary embodiment of the present disclosure.
5 is a block diagram illustrating an example of using secure information according to an exemplary embodiment of the present disclosure.
6 and 7 are flowcharts illustrating an operating method of a data processing system according to exemplary embodiments of the present disclosure.
8 and 9 are block diagrams illustrating a process of setting and using secure data according to an exemplary embodiment of the present disclosure.
10 is a block diagram illustrating a data processing system according to another embodiment of the present disclosure.
11 is a perspective view illustrating an implementation example of a cell block included in a nonvolatile memory.
12 is a block diagram illustrating a case in which an SSD is applied to a storage device in a data processing system according to embodiments of the present disclosure.
13 is a block diagram illustrating a data center including a storage device according to an exemplary embodiment of the present disclosure.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram illustrating a data processing system according to an exemplary embodiment of the present invention.

Referring to FIG. 1 , a data processing system 10 may include a host 100 and a storage device 200 . The storage device 200 may include a controller 210 and a nonvolatile memory 220 . The host 100 may provide a data write or read request to the storage device 200 . Also, in response to a data erase request from the host 100 , the storage device 200 may perform an erase operation on data in an area indicated by the host 100 .

In an exemplary embodiment, the storage device 200 is a concept including a memory device and a controller controlling the memory device, and may be defined in various terms other than the storage device. For example, the storage device 200 may be referred to as a memory system or a storage system, and the controller 210 may be referred to as a storage controller or memory controller.

The storage device 200 may include storage media for storing data according to a request from the host 100 . As an example, the storage device 200 may include one or more solid state drives (SSDs). When the storage device 200 includes an SSD, the nonvolatile memory 220 may include a plurality of flash memory chips (eg, NAND memory chips) that non-volatilely store data. Hereinafter, in describing embodiments of the present disclosure, it is assumed that the storage device 200 includes one or more flash memory chips.

As another example, the storage device 200 may include other various types of memories. For example, the storage device 200 may include nonvolatile memory, and the nonvolatile memory may include magnetic RAM (MRAM), spin-transfer torque MRAM (spin-transfer torque MRAM), conductive bridging RAM (CBRAM), and FeRAM ( Ferroelectric RAM), PRAM (Phase RAM), Resistive RAM, Nanotube RAM, Polymer RAM (PoRAM), Nano Floating Gate Memory (NFGM), Holographic Memory Various types of memories such as holographic memory, molecular electronics memory, or insulator resistance change memory may be applied.

The host 100 may communicate with the storage device 200 through various interfaces. For example, the host 100 is a USB (Universal Serial Bus), MMC (MultiMediaCard), PCIe (Peripheral Component Interconnect express), ATA (AT Attachment), SATA (Serial AT Attachment), PATA (Parallel AT Attachment), SCSI (Small AT Attachment) Storage devices through various interfaces such as Computer System Interface (SAS), Serial Attached SCSI (SAS), Enhanced Small Disk Interface (ESDI), Integrated Drive Electronics (IDE), Compute Express Link (CXL), and Non-Volatile Memory Express (NVMe). (200) can be communicated with. According to exemplary embodiments of the present disclosure, in the data processing system 10, it is assumed that the host 100 and the storage device 200 perform an NVMe-based interface through a PCIe bus.

According to an exemplary embodiment of the present disclosure, the host 100 may include a processor 110 and a host memory 120 . The processor 110 may control memory operations such as data writing and reading of the storage device 200 by executing software stored in the host memory 120 . In an exemplary embodiment, host 100 may encode or decode packets that meet standards defined in the NVMe interface. The host 100 may store a packet corresponding to the write request or read request in the host memory 120, and a completion response from the storage device 200 in response to the write request or read request may be stored in the host memory 120. It can be. In the following embodiments, a write request and a read request of the host 100 to the storage device 200 may each correspond to an access request (Req), and a packet provided by the host 100 may be used as a request or command. may be referred to.

In an exemplary embodiment, the controller 210 may include an access authority controller 211, and the nonvolatile memory 220 may include a plurality of NameSpaces (NS). Each of the flash memory chips included in the nonvolatile memory 220 may include a memory cell array, and the memory cell array may include one or more cell blocks. In FIG. 1 , a case in which the nonvolatile memory 220 includes first to K th namespaces NS 1 to NS K is exemplified. A plurality of cell blocks included in the nonvolatile memory 220 may be classified into first to Kth namespaces NS 1 to NS K, and one or more cell blocks may be classified into first to Kth namespaces NS 1 to NS K) can be assigned to each.

In an exemplary embodiment, the host 100 may create multiple virtual machines (VMs) based on the control of the processor 110 . For example, the host 100 may manage namespaces using virtualization technology, and multiple virtual machines may access one storage device together. As an example, the host memory 120 may include a virtual machine management module (not shown) enabling access to the storage device 200 based on virtualization technology, and the processor 110 may operate the virtual machine management module. Multiple virtual machines (VMs) can be created by executing. A plurality of virtual machines (VMs) may share resources such as processor, memory, firmware, and software in the host 100, but from the viewpoint of the storage device 200, the plurality of virtual machines (VMs) Each can be perceived as accessing data through separate hardware.

The first to Kth namespaces NS 1 to NS K may be associated with or allocated to multiple virtual machines (VMs). The storage device 200 may associate the first to K th namespaces NS 1 to NS K with a plurality of virtual machines (VMs) under the control of the host 100, and for example, each As a virtual machine (VM) is associated with at least one namespace, it can access data of the associated namespace. Each virtual machine (VM) may be associated with one or more namespaces, or at least two virtual machines (VMs) may share a namespace.

The host 100 may create a large number of virtual machines (VMs), and a process of authorizing access to namespaces by the virtual machines (VMs) may be performed by the host 100 . For example, when the first to Kth namespaces NS 1 to NS K are created, the host 100 provides ID information of the first to Kth namespaces NS 1 to NS K (hereinafter, the name space ID ), and provide virtual machines (VMs) with a namespace ID associated with each virtual machine. In addition, each of the plurality of virtual machines (VMs) may generate an access request (Req) including a namespace ID for accessing data of the allocated namespace and transmit the request to the storage device 200 .

However, when a virtual machine (VM) is hijacked by a malicious user and an attempt is made to access a specific namespace of the storage device 200 through the hijacked virtual machine (VM), the storage device 200 is destroyed by the host 100. ), decodes the access request (Req), reads data from a specific namespace indicated by the access request (Req), and provides it to the host 100. In this case, in the data processing system 10 where security is important, data security may be weakened as data is provided to malicious users who do not have normal access rights.

According to an exemplary embodiment of the present disclosure, in response to a setting command (CMD_S) from the host 100, security information (not shown) used to determine access authority may be set or stored in the access authority controller 211. can The access authority controller 211 compares the information extracted from the access request (Req) from the host 100 with the security information stored in the access authority controller 211, so that the access request (Req) is sent to a user with normal authority. (or, it may be determined whether the request is made by a virtual machine (VM)). When it is determined that the access request (Req) is a request by a virtual machine (VM) having normal authority, the controller 210 performs a control operation so that the access request (Req) from the host 100 is normally processed. can do. On the other hand, when it is determined that the access request (Req) is not a request by a virtual machine (VM) having normal authority, the access authority controller 211 processes the access request (Req) from the host 100. By aborting, it is possible to block data from being read or written from the nonvolatile memory 220 by malicious access.

In an exemplary embodiment, security information set in the access authority controller 211 may include information related to each of a plurality of virtual machines (VMs) created in the host 100 . As an example, the security information may include a plurality of entries corresponding to a plurality of virtual machines (VMs), each entry having virtual machine information representing a certain virtual machine and uniquely assigned to the virtual machine. It may include mapping information between at least one piece of unique information.

As an example, the host 100 may allocate a storage space at a specific location in the host memory 120 to each virtual machine (VM) as an I/O queue, and the unique information may be assigned to the I/O queue in the host memory 120. It may include a memory address indicating the location of the queue. As an example, the input/output queue may include a storage space included in a predetermined address range, and the memory address may include information related to the address range. In addition, the host 100 may allocate at least one namespace to each virtual machine (VM), and the unique information is a namespace ID indicating a namespace allocated to each virtual machine (VM). ) may be included. That is, each entry of security information may include virtual machine information of one virtual machine, a memory address mapped thereto, and a namespace ID.

According to an exemplary embodiment of the present disclosure, the controller 210 decodes the access request (Req) from the host 100, and extracts at least one piece of information to be compared with the security information from the access request (Req). can The access authority controller 211 can determine the virtual machine information that generated the access request (Req) by decoding the access request (Req), the memory address representing the position of the input/output queue in relation to data access, and the access request It is possible to extract the namespace ID that The access authority controller 211 may determine a memory address and a namespace ID mapped to the determined virtual machine information from security information. In addition, the access authority controller 211 compares whether the memory address and namespace ID extracted from the access request (Req) and the memory address and namespace ID included in the security information match, so that the access request (Req) It can be determined whether the access is by a virtual machine (VM) having normal authority. For example, it may be determined whether the memory address extracted from the access request (Req) falls within the range of memory addresses included in the security information, and also the namespace ID extracted from the access request (Req) and the name space included in the security information. Whether the IDs are identical may be determined.

The controller 210 may enhance user data security by stopping processing of the access request (Req) based on the determination result of the access authority controller 211 . For example, a malicious user who does not have normal access rights hijacks a specific virtual machine (eg, the second virtual machine) and deletes the I/O queue of the host memory 120 allocated to another virtual machine (eg, the first virtual machine). When trying to access the namespace associated with the first virtual machine through this, at least one of the memory address and the namespace ID extracted from the access request (Req) is mapped to virtual machine information representing the first virtual machine included in the security information. may be different from at least one of the specified memory address and namespace ID, and accordingly, processing of an access request (Req) from a virtual machine (VM) without normal authority may be stopped. Also, if the malicious user does not know at least one of the memory address of the I/O queue allocated to the first virtual machine or the namespace ID associated with the first virtual machine, comparison using security information in the storage device 200 Processing of an access request (Req) from a virtual machine (VM) without normal authority may be stopped through a procedure.

In an exemplary implementation, in the access authority controller 211, a circuit for storing security information and a circuit for determining an access authority may be implemented as one circuit block. Alternatively, in the access authority controller 211, a storage circuit for storing security information and a circuit for determining access authority may be implemented as separate circuit blocks. In addition, the storage circuit for storing security information may be implemented as a volatile memory or a non-volatile memory. As an example, as the storage circuit is implemented as a volatile memory, the host 100 when the data processing system 10 is initially driven An operation of setting security information for the storage device 200 may be controlled.

2 is a block diagram illustrating a data processing system to which virtualization technology is applied according to an exemplary embodiment of the present disclosure.

Referring to FIG. 2 , the data processing system 300 may include a host 310 and a storage device 320, and the storage device 320 may include a controller 321 and a nonvolatile memory 322. there is. The host 310 may include a virtual machine manager 311 and first to Nth virtual machines 312_1 to 312_N as a plurality of virtual machines. The virtual machine manager 311 may be implemented through hardware, software, or a combination thereof, and as an example, functions of the virtual machine manager 311 may be implemented by a processor executing software. The virtual machine manager 311 may also be referred to as a hypervisor, and may be configured to create and execute first to Nth virtual machines 312_1 to 312_N.

The host 310 may request creation and deletion of namespaces associated with each of the first to Nth virtual machines 312_1 to 312_N. For example, the storage device 320 may create first to Kth namespaces NS 1 to NS K as a plurality of namespaces under the control of the host 310 . According to the above-described embodiment, a plurality of cell blocks included in the nonvolatile memory 322 may be classified into first to K th namespaces NS 1 to NS K, and the first to N th virtual machines may be used. Each of (312_1 to 312_N) is associated with at least one namespace, and may generate an access request for accessing the associated namespace. For example, when generating an access request, each of the first to Nth virtual machines 312_1 to 312_N may include a namespace ID indicating a namespace having an access right in the access request.

The controller 321 may include a namespace management module 321_1 and an access authority controller 321_2, and the namespace management module 321_1 responds to a request from the host 310 to first to Kth namespaces. It is possible to manage an operation of creating or deleting s (NS 1 to NS K). In addition, the namespace management module 321_1 may control an access operation for the first to Kth namespaces NS 1 to NS K in response to a request from the host 310. The management module 321_1 may proceed or stop processing of an access request from the host 310 based on the control of the access authority controller 321_2 . However, the embodiments of the present disclosure are not limited thereto, and the controller 321 includes additional elements for controlling read/write operations for the first to Kth namespaces NS 1 to NS K. It may be possible, and the processing of the access request or the suspension of the processing of the access request may be performed by controlling the above-mentioned additional components according to the determination of the access authority.

Meanwhile, the access authority controller 321_2 may include a security information storage circuit, and the security information storage circuit stores security information including a plurality of entries in response to a setting command from the host 310 according to the above-described embodiment. can be saved As an example, according to the above-described embodiment, a plurality of entries may correspond to virtual machines created in the host 310, and each entry may include virtual machine information (VM Info) for the virtual machine (VM) and , a memory address (RA) representing the location of an input/output queue allocated to a virtual machine (VM) as an example of unique information, and mapping information between a namespace ID (NSID). The access authority controller 321_2 may receive an access request (eg, read request (Req_R)) from the host, extract one or more pieces of information through a decoding operation on the read request (Req_R), and Based on the comparison of the security information stored in the security information storage circuit, it may be determined whether to abort the processing of the read request Req_R.

Taking the operation of the first virtual machine (VM 1) as an example, the first virtual machine (VM 1) accesses a namespace (eg, the first namespace) having normal privileges, the first virtual machine (VM 1) A read request (Req_R) including a memory address (RA) indicating an input/output queue allocated to , and a namespace ID (NSID) indicating the first namespace (NS 1 ) may be generated. For example, in the process of generating a packet based on the NVMe interface, virtual machine information indicating the first virtual machine (VM 1 ) may be added to the read request (Req_R).

The read request Req_R from the first virtual machine VM 1 is provided to the storage device 320 , and the controller 321 decodes the read request Req_R to represent the first virtual machine VM 1 . Information, a memory address (RA) and a name space ID (NSID) included in the read request (Req_R) may be extracted. When the first virtual machine (VM 1) has normal access rights to the first namespace (NS 1), a virtual machine indicating the first virtual machine (VM 1) included in the security information of the access authority controller 321_2 The memory address (RA) and the namespace ID (NSID) mapped to the information may be matched with the information extracted from the read request (Req_R), and accordingly, the read request (Req_R) may be normally processed.

On the other hand, when the second virtual machine (VM 2), which does not have normal access rights to the first namespace (NS 1), transmits a read request (Req_R) attempting to access the first namespace (NS 1). , information extracted by decoding the read request (Req_R) may not match information included in the security information. For example, a memory address (RA) and a namespace ID (NSID) mapped to virtual machine information representing the second virtual machine (VM 2) provided in the security information of the access authority controller 321_2 are determined by the host 310. It may include information allocated corresponding to the second virtual machine (VM 2) during the setting process, and accordingly, at least one of the memory address (RA) and the namespace ID (NSID) included in the security information is a read request (Req_R). ) may be different from the extracted memory address (RA) and namespace ID (NSID), and accordingly, processing of the read request (Req_R) by a malicious user may be stopped.

3 is a block diagram illustrating an implementation example of a controller according to an exemplary embodiment of the present disclosure.

Referring to FIG. 3, the controller 400 includes a host interface circuit 410, a memory interface circuit 420, a processor 430, an access authority control module 440, a working memory (450), and ECC (Error Correction Code) circuit 460. In an exemplary embodiment, various types of software executable by the processor 430 may be loaded into the operation memory 450. As an example, the nonvolatile memory controlled by the controller 400 includes a flash memory device. Accordingly, a Flash Translation Layer (FTL) may be loaded into the working memory 450 . Also, in an exemplary implementation, as the namespace management function according to an embodiment of the present disclosure is implemented in software, the namespace management module may be loaded into the working memory 450 . The working memory 450 may be implemented in various forms, such as random access memory (RAM), read only memory (ROM), electronically erasable programmable read only memory (EEPROM), flash memory, or other memory technology.

The processor 430 may control overall operations of the storage device by executing various software stored in the operation memory 450 . The host interface circuit 410 performs communication with the host according to a predetermined interface, and as an example, the controller 400 is connected to the host through a PCIe (Peripheral Component Interconnect express) bus and communicates with the host according to the NVMe interface. can In addition, the memory interface circuit 420 provides an interface with a plurality of storage media included in the nonvolatile memory (NVM), and as an example, the memory interface circuit 420 is independent of the storage media through a plurality of channels. In-person communication can be performed. In addition, the ECC circuit 460 may perform an operation for detecting and correcting errors in data stored in the storage device. As an example, the ECC circuit 460 may generate ECC parity from write data, read data and ECC parity corresponding thereto. Error detection and correction operations can be performed using

According to an exemplary embodiment of the present disclosure, the access right control module 440 may include hardware components, software components, or a combination thereof, and the access right control module 440 may include software components. When including components, software provided in the access authority control module 440 may be loaded into the operation memory 450 . In response to the data access request from the host, the access authority control module 440 may determine whether the access request is from a virtual machine having normal authority. As an example, security information is stored in the access right control module 440 based on the setting command of the host according to the above-described embodiments, and the access right control module 440 decodes the access request from the host and responds to the request. Various types of included information are extracted, and processing of an access request from the host can be executed or stopped by comparing the extracted information with security information.

Fig. 4 is a block diagram illustrating a concrete implementation of a data processing system according to an exemplary embodiment of the present disclosure.

Referring to FIG. 4 , the data processing system 500 may include a host 510 and a storage device 520, the host 510 may include a virtual machine manager 511, and a virtual machine manager ( Based on the control of 511 , multiple virtual machines may be created in the host 510 . In FIG. 4 , a case in which the first and second virtual machines 512 and 513 are created is exemplified.

Meanwhile, the virtual machine manager 511 may allocate an input/output queue (IOQ) to a virtual machine according to a request of the virtual machine. For example, the host 510 may include a host memory 514, and although the input/output queue (IOQ) and the host memory 514 are shown separately in FIG. 4, the input/output queue (IOQ) is stored in the host memory 514. It may correspond to the included storage space. In an exemplary embodiment, the first and second I/O queues IOQ 0 and IOQ 1 are assigned to the first virtual machine 512, and the third and fourth I/O queues IOQ 2 and IOQ 3 are assigned to the second virtual machine 512. may be assigned to machine 513. In addition, address (eg, memory address) information representing the location of an input/output queue (IOQ) assigned to each virtual machine may be provided to the first and second virtual machines 512 and 513 . In addition, each of the input/output queues (IOQ) includes a submission queue (SQ) for storing packets to be transmitted to the storage device 520 and a completion queue for storing packets transmitted from the storage device 520. CQ) may be included.

Meanwhile, the storage device 520 may include a controller, and a single root input/output virtualization (SR-IOV) function is provided between the host 510 and the storage device 520 according to the NVMe interface. Accordingly, the storage device 520 may generate first and second virtual functions 521 and 522 corresponding to the first and second virtual machines 512 and 513 . The first and second virtual functions 521 and 522 may be implemented in the controller of the storage device 520 in response to a request from the host 510, and independently receive a data access request from the host 510. can be dealt with In addition, as each of the first and second virtual functions 521 and 522 processes a request from a corresponding virtual machine, a storage device is provided through an independent path between the first and second virtual machines 512 and 513. Data access to 520 may be performed.

Taking a read request from the host 510 as an example, each of the first and second virtual functions 521 and 522 determines whether the read request from the host 510 is a read request from a virtual machine having normal authority. can The access authority controller according to the above-described embodiments may be implemented in each of the first and second virtual functions 521 and 522, and may include, for example, a security manager and a security information storage circuit. For example, as shown in FIG. 4, the first virtual function 521 may include a first security manager 521_1 and a first security information storage circuit 521_2, and the second virtual function 522 may include a first security manager 521_1 and a first security information storage circuit 521_2. 2 may include a security manager 522_1 and a second security information storage circuit 522_2. In addition, the nonvolatile memory may include a plurality of name spaces, and FIG. 4 illustrates a case in which first and second name spaces 523 and 524 are created.

An example of a malicious access to the first namespace 523 of the second virtual machine 513 that does not have normal access rights to the first namespace 523 will be described as follows.

When the second virtual machine 513 generates a read request for malicious access to the first namespace 523, the read request is performed by adding information indicating a path to the first virtual function 521 to the read request. A request may be provided to the first virtual function 521 , and a memory address allocated to the first virtual machine 512 and a namespace ID indicating the first namespace 523 may be included in the read request. Also, in a packet encoding process according to an interface with the storage device 520 , virtual machine information representing the second virtual machine 513 generating the read request may be added to the read request.

The first virtual function 521 decodes the received read request and compares the information extracted by the decoding result with the security information stored in the first security information storage circuit 521_2 to stop the processing of the read request. . For example, when the embodiments of the present disclosure are not applied, the first virtual function 521 reads data from the first name space 523 indicated by the read request from the second virtual machine 513, and reads the data. A packet including the processed data may be stored in an input/output queue assigned to the first virtual machine 512 in the host memory 514 . However, according to an exemplary embodiment of the present disclosure, the memory address and namespace ID mapped to the virtual machine information indicating the second virtual machine 513 extracted from the read request are read from the first security information storage circuit 521_2. and the read security information may not match the memory address and namespace ID extracted from the read request, and thus processing of the read request from the second virtual machine 513 not having normal access rights can be stopped

5 is a block diagram illustrating an example of using secure information according to an exemplary embodiment of the present disclosure.

Taking the operation of the first virtual function (VF 1) as an example, the security manager 521_1 may include a request decoder 521_11, a comparator 521_12, and a stop controller 521_13, and the first security information storage circuit 521_2 ) may store security information including a number of entries. The security information may include security information corresponding to each of a plurality of virtual machines that can access the storage device 520, and as an example, virtual machine information (VM Info) representing each of a plurality of virtual machines and Mapped information may include a memory address (RAM ADDR) and a namespace ID (NSID).

In one embodiment, after security information is set in the storage device 520 according to a command from the host 510, one or more virtual machines may be additionally created in the host 510, and accordingly, the storage device 520 Security information can be updated within. For example, security information may be set for each of a plurality of virtual functions created in the storage device 520, and when a virtual machine is added or deleted from the host 510, the security information set for the plurality of virtual functions. can be updated together.

The request decoder 521_11 may perform a decoding operation on the read request Req_R provided to the first virtual function VF 1 and extract at least one piece of information from the read request Req_R. Virtual machine information indicating the virtual machine that generated the request (Req_R), a memory address indicating the location of the input/output queue, and a namespace ID of an access target may be extracted. In an exemplary embodiment, virtual machine information may be added to a packet in a packet generation process according to an NVMe interface, and a memory address and a namespace ID may be generated by a virtual machine requesting data access and included in the packet.

The comparator 521_12 may perform a comparison operation by matching the information extracted from the request decoder 521_11 with the security information stored in the first security information storage circuit 521_2, and provide the execution result to the stop controller 521_13. there is. The stop controller 521_13 may output a stop signal Info_A indicating whether to stop processing the read request Req_R based on the received comparison result, and the first virtual function VF 1 may output a stop signal ( By stopping the processing of the read request (Req_R) in response to Info_A), it is possible to block access to the namespace from a virtual machine that does not have normal authority.

6 and 7 are flowcharts illustrating an operating method of a data processing system according to exemplary embodiments of the present disclosure. Some of the configurations shown in FIGS. 6 and 7 may be operations performed by a host, and others may be operations performed by a storage device.

Referring to FIG. 6 , a host and a storage device may configure a data processing system, and multiple virtual machines may be created in the host. For example, a virtual machine manager in the host may create a first virtual machine (S11), and the virtual machine manager may perform various management for the first virtual machine to access the storage device. For example, the virtual machine manager may allocate a first input/output queue (IOQ) to the first virtual machine and may allocate one or more first name spaces associated with the first virtual machine (S12). Also, the virtual machine manager may provide a first memory address indicating a location of a first input/output queue (IOQ) allocated to the first virtual machine in the host memory and a first namespace ID to the first virtual machine.

In addition, according to an exemplary embodiment of the present disclosure, the host may provide security information related to the first virtual machine to the storage device. For example, according to a request of the host, a storage device corresponding to the first virtual machine A first virtual function may be created. Security information for a plurality of virtual machines may be stored in the first virtual function, and, for example, security information generated in relation to the first virtual machine may be set in a storage circuit of the first virtual function (S13). The security information may include various types of information, for example, virtual machine information indicating the first virtual machine according to the above-described embodiments, and unique information related to the first virtual machine mapped thereto, such as a first memory address and a first name. Can contain space ID.

Thereafter, the host may create an additional virtual machine, and may create a second virtual machine as an example (S14). Also, based on the control of the virtual machine manager, a second input/output queue (IOQ) at a location different from that of the first virtual machine may be allocated to the second virtual machine, and a second name space may be assigned to the second virtual machine. It can be assigned (S15). Also, the virtual machine manager may provide a second memory address indicating a location of a second input/output queue (IOQ) allocated to the second virtual machine in the host memory and a second namespace ID to the second virtual machine.

Meanwhile, in each of a plurality of virtual functions provided in the storage device, security information for a plurality of virtual machines created in the host may be set, and accordingly, the host transmits security information generated in relation to the second virtual machine. It is provided to the first virtual function, and accordingly, security information related to the second virtual machine may be updated in the storage circuit of the first virtual function (S16).

7 illustrates an example of stopping processing of a read request from a host based on security information at the storage device side. As an example, a first virtual function created in the storage device may receive a read request from the host (S21 ). When the first virtual function is created in correspondence with the first virtual machine of the host, the first virtual machine may be determined to have normal access rights to the namespace in the storage device to which the first virtual function accesses. It may be determined that a virtual machine (eg, a second virtual machine) different from the first virtual machine does not have normal access rights to a namespace in the storage device accessed by the first virtual function.

The security manager in the first virtual function may extract various types of information through decoding processing of the read request according to the above-described embodiments, and check virtual machine information representing the virtual machine that has transmitted the read request from the extracted information. It can (S22). Also, security information set in the first virtual function may include security information corresponding to a plurality of virtual machines, and security information corresponding to the virtual machine information extracted from the read request may be read from a security information storage circuit. Yes (S23).

It can be determined whether the memory address (RA_E) included in the extracted information and the memory address (RAM ADDR) corresponding to the security information match, and also corresponds to the namespace ID (NS_E) and the security information included in the extracted information. A comparison operation may be performed to determine whether the namespace IDs (NSIDs) matching each other may be performed (S24), and processing of the read request may proceed or be stopped according to the comparison result. For example, when at least one of the memory address (RA_E) and the namespace ID (NS_E) extracted from the read request is different from the memory address (RAM ADDR) and the namespace ID (NSID) corresponding to security information, the read request is not processed. While stopped (S26), if the memory address (RA_E) and namespace ID (NS_E) extracted from the read request are identical to the memory address (RAM ADDR) and namespace ID (NSID) corresponding to security information, the read request The processing of is in progress, and a completion response may be transmitted to the host (S25).

8 and 9 are block diagrams illustrating a process of setting and using secure data according to an exemplary embodiment of the present disclosure.

Referring to FIG. 8 , a data processing system 600 may include a host 610 and a storage device 620, and the host 610 includes a virtual machine manager 611 and one or more virtual machines VM1 to VM4. ) and host memory 613. Also, the storage device 620 may include a controller 621 , and an access authority controller according to an exemplary embodiment of the present disclosure may be provided in the controller 621 . In addition, the access authority controller may include a security manager and a security information storage circuit 622 according to the above-described embodiments. Although not shown in FIG. 9 , a plurality of virtual functions may be implemented in the controller 621 , and a security information storage circuit 622 may be included in each virtual function. Also, the storage device 620 may include a plurality of name spaces in which data is written and read based on the control of the controller 621 .

Taking the first virtual machine 612 as an example, the first virtual machine 612 may request the virtual machine manager 611 to create an input/output queue (IOQ). The virtual machine manager 611 may allocate an input/output queue (IOQ) to be used for communication with the storage device 620 or a memory address (RA) representing the input/output queue (IOQ) within the host memory 613 in response to the request. there is.

The host 610 may provide information related to namespaces allocated to a plurality of virtual machines and an input/output queue to the storage device 620, and as an example, a first command indicating that an input/output queue (IOQ) has been created It may be provided as a storage device 620 . In an exemplary embodiment, the host 610 may include an Admin Submission Queue 614 , and the first command may be transmitted through the Admin Submission Queue 614 . The storage device 620 may store information related to a plurality of virtual machines in response to the first command, for example, information on each generated input/output queue (IOQ) and a memory address indicating the location of the input/output queue (IOQ). (RAM ADDR), and information (name space ID) representing a namespace to communicate data through an input/output queue (IOQ) may be stored in the secure information storage circuit 622 .

Thereafter, the host 610 may associate a namespace with each of a plurality of virtual machines, and provide the configuration command in the above-described embodiment as a second command to the storage device 620 according to the association result of the namespace. can do. The setting command may include information indicating an input/output queue (IOQ) assigned to each of the plurality of virtual machines.

As shown in FIG. 8 , the storage device 620 may store security information in the security information storage circuit 622 in response to a setting command from the host 610, and as an example, first virtual machine information (VM). 1) may be mapped to memory addresses A and B representing the first and second input/output queues IOQ0 and IOQ1, and may also be mapped to namespace IDs representing the first and second namespaces NS1 and NS2. there is. Similarly, the second virtual machine information VM 2 is mapped to memory addresses C and D representing the third and fourth input/output queues IOQ2 and IOQ3, and also the second to fifth name spaces NS2 to IOQ3. NS5) may be mapped to a namespace ID representing In an exemplary embodiment, data access to the third and fourth namespaces NS3 and NS4 may be performed through the third input/output queue IOQ2 and to the second and fifth namespaces NS2 and NS5. Data access to may be performed through the fourth input/output queue IOQ3.

9 illustrates a matching operation for secure information according to an exemplary embodiment of the present disclosure. Referring to FIG. 9 , the first virtual machine 612 may store a packet according to the NVMe interface as a read request in the first input/output queue IOQ0, and the storage device 620 may store a packet according to the NVMe interface in the first input/output queue IOQ0. A request for fetching information of the mission queue may be transmitted to the host 610 . Also, a read request stored in a submission queue in the first input/output queue IOQ0 may be transmitted to the storage device 620 .

The storage device 620 may extract various types of information included in the read request by decoding the read request, and may extract virtual machine information (VN Info) that generated the read request and a memory address (or sub Together with mission queue information (SQID)), a namespace ID (NSID) indicating a namespace of an access target can be extracted. The security information in the controller 621 may include a plurality of entries, and information mapped to the virtual machine information (VN Info) is stored from the entry corresponding to the virtual machine information (VN Info) extracted from the read request. The extracted information can be compared. For example, whether the information (SQID) of the submission queue belongs to or matches the memory address (RAM ADDR) included in the security information can be checked, and the name space ID (NSID) extracted from the read request is the security information. It may be determined whether it is the same as the namespace ID (NSID) included in .

10 is a block diagram illustrating a data processing system according to another embodiment of the present disclosure. 10 illustrates a case in which the embodiment of the present disclosure is applied to a PCIe physical function (PF) as single root input/output virtualization (SR-IOV) technology is not applied to the storage device.

Referring to FIG. 10 , a data processing system 700 may include a plurality of virtual machines 710_1 to 710_N included in a host, and the plurality of virtual machines 710_1 to 710_N are storage devices through a PCIe bus. (eg, SSD 720). The SSD 720 may include a first physical function 721 and a second physical function 722 as one or more physical functions, and may also include a plurality of name spaces 723_1 to 723_K.

The host may assign different IDs to the first and second physical functions 721 and 722 to distinguish access through the first physical function 721 and the second physical function 722, and the host According to the ID added to the access request from , the access request may be provided to the first physical function 721 or the second physical function 722 through the PCIe bus. Each of the first physical function 721 and the second physical function 722 may include an access authority controller (or security manager) according to an exemplary embodiment of the present disclosure, and the first physical function 721 and the second physical function 721 may include Security information for the plurality of virtual machines 710_1 to 710_N according to exemplary embodiments of the present disclosure may be stored in each of the two physical functions 722 .

The plurality of virtual machines 710_1 to 710_N may access one or more namespaces through a first physical function 721 or a second physical function 722, and to determine an access right, the first physical function ( In each of 721) and the second physical function 722, a matching operation using security information according to the above-described embodiments may be performed. Depending on the matching result using the security information, processing of the access request by the virtual machine may proceed or may be stopped.

11 is a perspective view illustrating an implementation example of a cell block included in a nonvolatile memory.

Referring to FIG. 11 , a cell block BLKa that can be allocated to the name space of the present disclosure may have a 3D structure. As an example, the cell block BLKa is formed in a direction perpendicular to the substrate SUB, the substrate SUB has a first conductivity type (eg, p-type), and a second conductivity type is formed on the substrate SUB. A common source line CSL extending along the horizontal direction HD2 and doped with impurities of the second conductivity type (eg, n-type) is provided. On a region of the substrate SUB between two adjacent common source lines CSL, a plurality of insulating films IL extending along the second horizontal direction HD2 are sequentially provided along the vertical direction VD, The plurality of insulating layers IL are spaced apart by a specific distance along the vertical direction VD. For example, the plurality of insulating layers IL may include an insulating material such as silicon oxide.

On the area of the substrate SUB between two adjacent common source lines CSL, the plurality of insulating layers IL are sequentially disposed along the first horizontal direction HD1 and pass through the plurality of insulating layers IL along the vertical direction VD. A plurality of pillars (P) are provided. For example, the plurality of pillars P penetrate the plurality of insulating layers IL and contact the substrate SUB. Specifically, a surface layer (S) of each pillar (P) may include a first type silicon material and may function as a channel region. Meanwhile, the inner layer I of each pillar P may include an insulating material such as silicon oxide or an air gap.

In a region between two adjacent common source lines CSL, a charge storage layer CS is provided along the insulating layers IL, the pillars P, and the exposed surface of the substrate SUB. The charge storage layer CS may include a gate insulating layer (or referred to as 'tunneling insulating layer'), a charge trap layer, and a blocking insulating layer. For example, the charge storage layer CS may have an oxide-nitride-oxide (ONO) structure. In addition, in a region between two adjacent common source lines CSL, on the exposed surface of the charge storage layer CS, gate electrodes such as select lines GSL and SSL and word lines WL0 to WL7 (GE) is provided.

Drains or drain contacts DR are respectively provided on the plurality of pillars P. For example, the drains or drain contacts DR may include a silicon material doped with impurities of the second conductivity type. Bit lines BL1 to BL3 extending in the first horizontal direction HD1 and spaced apart from each other by a specific distance along the second horizontal direction HD2 are provided on the drains DR.

12 is a block diagram illustrating a case in which an SSD is applied to a storage device in a data processing system according to embodiments of the present disclosure.

Referring to FIG. 12 , a data processing system 800 may include a host 810 and an SSD 820 . The SSD 820 exchanges signals with the host 810 through a signal connector and receives power through a power connector. The SSD 820 may include an SSD controller 821, an auxiliary power supply 822, and nonvolatile memory devices 823_1 to 823_n. The nonvolatile memory devices 823_1 to 823_n may be vertically stacked NAND flash memory devices. In this case, the SSD 820 may be implemented using the embodiments described above with reference to FIGS. 1 to 11 . That is, the SSD controller 821 may include an access authority controller 821_1, and the access authority controller 821_1 may include security information stored in response to a setting command from the host. In addition, the access authority controller 821_1 performs an access authority determination operation using security information whenever an access request is received from a plurality of virtual machines created in the host 810, and processes the access request according to the determination result. will be able to stop

13 is a block diagram illustrating a data center 900 including a storage device according to an exemplary embodiment of the present disclosure. In some embodiments, the storage device described above with reference to the drawings may be included in an application server and/or a storage server of the data center 900 .

Referring to FIG. 13 , a data center 900 may collect various data and provide services, and may be referred to as a data storage center. For example, the data center 900 may be a system for operating a search engine and a database, or may be a computing system used by companies such as banks or government agencies. As shown in FIG. 13 , the data center 900 may include application servers 50_1 to 50_n and storage servers 60_1 to 60_m. The number n of application servers 50_1 to 50_n and the number m of storage servers 60_1 to 60_m may be variously selected according to embodiments, and the number n of application servers 50_1 to 50_n and the number of storage servers The number m of (60_1 to 60_m) may be different.

The application servers 50_1 to 50_n include at least one of processors 51_1 to 51_n, memory 52_1 to 52_n, switches 53_1 to 53_n, network interface controllers (NICs) 54_1 to 54_n, and storage devices 55_1 to 55_n. may contain one. The processors 52_1 to 51_n may control overall operations of the application servers 50_1 to 50_n, and may access the memories 52_1 to 52_n to provide instructions and/or data loaded into the memories 52_1 to 52_n. can run The memories 52_1 to 52_n are, as non-limiting examples, DDR SDRAM (Double Data Rate Synchronous DRAM), HBM (High Bandwidth Memory), HMC (Hybrid Memory Cube), DIMM (Dual In-line Memory Module), Optane DIMM, or NVMDIMM (Non-Volatile DIMM) may be included.

Depending on embodiments, the number of processors and memories included in the application servers 50_1 to 50_n may be variously selected. In some embodiments, the processors 51_1 to 51_n and the memories 52_1 to 52_n may provide a processor-memory pair. In some embodiments, the number of processors 51_1 to 51_n and memories 52_1 to 52_n may be different. The processors 51_1 to 51_n may include single-core processors or multi-core processors. In some embodiments, as shown by dotted lines in FIG. 13 , the storage devices 55_1 to 55_n may be omitted from the application servers 50_1 to 50_n. The number of storage devices 55_1 to 55_n included in the application servers 50_1 to 50_n may be variously selected according to embodiments. Processors 51_1 to 51_n, memories 52_1 to 52_n, switches 53_1 to 53_n, NICs 54_1 to 54_n, and/or storage devices 55_1 to 55_n communicate with each other through the links described above with reference to the drawings. can do.

The storage servers 60_1 to 60_m may include at least one of processors 61_1 to 61_m, memories 62_1 to 62_m, switches 63_1 to 63_m, NICs 64_1 to 64_n, and storage devices 65_1 to 65_m. there is. The processors 61_1 to 61_m and the memories 62_1 to 62_m may operate similarly to the processors 51_1 to 51_n and the memories 52_1 to 52_n of the application servers 50_1 to 50_n described above.

Storage devices 55_1 to 55_n and storage devices 65_1 to 65_m provided in the data center 900 may include storage devices according to embodiments of the present disclosure, and accordingly, the storage devices 55_1 to 55_n and the storage devices 55_1 to 55_n The devices 65_1 to 65_m may be provided with an access authority controller or security manager in the above-described embodiments for determining data access authority. In addition, security information may be stored in storage devices 55_1 to 55_n and storage devices 65_1 to 65_m, and when a virtualization function is applied to the data center 900, storage devices 55_1 to 55_n and storage devices 65_1 ~ 65_m) will be able to stop processing access requests from virtual machines that do not have normal access rights.

The application servers 50_1 to 50_n and the storage servers 60_1 to 60_m may communicate with each other through the network 70 . In some embodiments, network 70 may be implemented using Fiber Channel (FC) or Ethernet, or the like. FC may be a medium used for relatively high-speed data transmission, and an optical switch providing high performance/high availability may be used. According to the access method of the network 70, the storage servers 60_1 to 60_m may be provided as file storage, block storage, or object storage.

In some embodiments, network 70 may be a storage-only network, such as a storage area network (SAN). For example, the SAN may use an FC network and may be an FC-SAN implemented according to FC Protocol (FCP). Alternatively, the SAN may be an IP-SAN using a TCP/IP network and implemented according to the iSCSI (SCSI over TCP/IP or Internet SCSI) protocol. In some embodiments, network 70 may be a general network such as a TCP/IP network. For example, the network 70 may be implemented according to protocols such as FC over Ethernet (FCoE), Network Attached Storage (NAS), and NVMe over Fabrics (NVMe-oF).

Hereinafter, the application server 50_1 and the storage server 60_1 are mainly described, but the description of the application server 50_1 can also be applied to other application servers (eg, 50_n), and the description of the storage server 60_1 It is noted that it can also be applied to other storage servers (eg, 60_m).

The application server 50_1 may store data requested by a user or client to be stored in one of the storage servers 60_1 to 60_m through the network 70 . In addition, the application server 50_1 may acquire data requested to be read by a user or client from one of the storage servers 60_1 to 60_m through the network 70 . For example, the application server 50_1 may be implemented as a web server or a database management system (DBMS).

The application server 50_1 may access the memory 52_n and/or the storage device 55_n included in another application server 50_n through the network 70, and/or the storage server through the network 70. The memories 62_1 to 62_m and/or the storage devices 65_1 to 65_m included in the fields 60_1 to 60_m may be accessed. Accordingly, the application server 50_1 may perform various operations on data stored in the application servers 50_1 to 50_n and/or the storage servers 60_1 to 60_m. For example, the application server 50_1 may execute a command for moving or copying data between the application servers 50_1 to 50_n and/or the storage servers 60_1 to 60_m. At this time, the data is transferred from the storage devices 65_1 to 65_m of the storage servers 60_1 to 60_m through the memories 62_1 to 62_m of the storage servers 60_1 to 60_m or directly to the application servers 50_1 to 50_n. ) can be moved to the memories 52_1 to 52_n. In some embodiments, data traveling through network 70 may be encrypted data for security or privacy.

In the storage server 60_1, the interface IF may provide a physical connection between the processor 61_1 and the controller CTRL and a physical connection between the NIC 64_1 and the controller CTRL. For example, the interface IF may be implemented in a Direct Attached Storage (DAS) method that directly connects the storage device 65_1 with a dedicated cable. Also, for example, interfaces (IF) include Advanced Technology Attachment (ATA), Serial ATA (SATA), external SATA (e-SATA), Small Computer Small Interface (SCSI), Serial Attached SCSI (SAS), and Peripheral SATA (PCI). Component Interconnection), PCIe (PCI express), NVMe (NVM express), IEEE 1394, USB (universal serial bus), SD (secure digital) card, MMC (multi-media card), eMMC (embedded multi-media card), It can be implemented in various interface methods such as UFS (Universal Flash Storage), eUFS (embedded Universal Flash Storage), CF (compact flash) card interface, CXL (Compute eXpress Link), and the like.

In the storage server 60_1, the switch 63_1 selectively connects the processor 61_1 and the storage device 65_1 or selectively connects the NIC 64_1 and the storage device 65_1 under the control of the processor 61_1. can be connected.

In some embodiments, NIC 64_1 may include a network interface card, network adapter, or the like. The NIC 54_1 may be connected to the network 70 through a wired interface, a wireless interface, a Bluetooth interface, an optical interface, or the like. The NIC 54_1 may include an internal memory, a DSP, a host bus interface, and the like, and may be connected to the processor 61_1 and/or the switch 63_1 through the host bus interface. In some embodiments, the NIC 64_1 may be integrated with at least one of the processor 61_1, the switch 63_1, and the storage device 65_1.

In the application servers 50_1 to 50_n or the storage servers 60_1 to 60_m, the processors 51_1 to 51_m and 61_1 to 61_n are connected to the storage devices 55_1 to 55_n and 65_1 to 65_m or memories 52_1 to 52_n and 62_1 to 62_m. ) to program or read data. In this case, the data may be error-corrected data through an Error Correction Code (ECC) engine. The data is data subjected to data bus inversion (DBI) or data masking (DM) processing, and may include Cyclic Redundancy Code (CRC) information. The data may be encrypted data for security or privacy.

In response to read commands received from the processors 51_1 to 51_m and 61_1 to 61_n, the storage devices 55_1 to 55_n and 65_1 to 65_m transmit control signals and command/address signals to nonvolatile memory devices (eg, NAND flash memory devices, NVM). Accordingly, when data is read from the non-volatile memory device NVM, the read enable signal may be input as a data output control signal and output data to the DQ bus. A data strobe signal may be generated using the read enable signal. The command and address signals may be latched according to a rising edge or a falling edge of the write enable signal.

The controller CTRL may control the overall operation of the storage device 65_1. In one embodiment, the controller CTRL may include static random access memory (SRAM). The controller CTRL may write data into the nonvolatile memory device NVM in response to a write command, or may read data from the nonvolatile memory device NVM in response to a read command. For example, a write command and/or a read command may be applied to a host, for example, a processor 61_1 in a storage server 60_1, a processor 61_m in another storage server 60_m, or a processor 51_1 to 50_n in an application server 50_1 to 50_n. 51_n) may be generated based on a request provided. The buffer BUF may temporarily store (buffer) data to be written in the non-volatile memory device NVM or data read from the non-volatile memory device NVM. In some embodiments, the buffer BUF may include DRAM. Also, the buffer BUF may store meta data, and the meta data may refer to user data or data generated by the controller CTRL to manage the non-volatile memory device NVM. The storage device 65_1 may include a Secure Element (SE) for security or privacy.

As above, exemplary embodiments have been disclosed in the drawings and specifications. Although the embodiments have been described using specific terms in this specification, they are only used for the purpose of explaining the technical idea of the present disclosure, and are not used to limit the scope of the present disclosure described in the claims. . Therefore, those of ordinary skill in the art will understand that various modifications and equivalent other embodiments are possible therefrom. Therefore, the true technical scope of protection of the present disclosure should be determined by the technical spirit of the appended claims.

Claims (20)

A storage device communicating with a host,
a nonvolatile memory including a plurality of cell blocks, wherein the plurality of cell blocks are classified into a plurality of NameSpaces; and
In response to a configuration command from the host, security information related to access rights to the plurality of namespaces is stored, and at least one first information is extracted by decoding a data access request provided from the host, and the security information And a controller for stopping processing of the data access request by comparing the extracted at least one piece of first information,
The security information stored in the controller is a mapping between virtual machine information representing the first to Nth virtual machines generated in the host and unique information uniquely set for the first to Nth virtual machines. A storage device characterized by including information (where N is an integer greater than or equal to 2). According to claim 1,
The security information includes N entries corresponding to the first to Nth virtual machines;
Each entry includes virtual machine information representing one virtual machine, a memory address representing the location of an input/output queue allocated to the virtual machine as unique information mapped to the virtual machine information, and a namespace associated with the virtual machine. A storage device characterized in that it includes a namespace ID indicating. According to claim 2,
The memory address may include information representing a location of the input/output queue in a host memory provided in the host. According to claim 2,
When an additional virtual machine is created in the host, security information for the additional virtual machine is updated in the controller. According to claim 1,
The controller includes first to Nth virtual functions corresponding to the first to Nth virtual machines;
Each of the first to Nth virtual functions includes a security information storage circuit for storing the security information, and a security manager for determining the access authority of the virtual machine that has provided the data access request by using the stored security information. A storage device characterized in that for. According to claim 5,
The storage device of claim 1 , wherein the first to Nth virtual functions provide access to the nonvolatile memory of the first to Nth virtual machines through independent paths according to a virtualization technology. According to claim 5,
The first virtual function receives a read request from the first virtual machine as the data access request, decodes the read request, and extracts first information included in the read request;
Characterized in that the read request from the first virtual machine is processed according to a result of comparing the first information with unique information mapped to first virtual machine information representing the first virtual machine in the security information. storage device. According to claim 5,
The first virtual function receives a read request from the second virtual machine as the data access request, decodes the read request, and extracts first information included in the read request;
Stopping processing of the read request from the second virtual machine according to a result of comparing the first information with unique information mapped to second virtual machine information representing the second virtual machine in the security information. characterized storage device. According to claim 1,
The storage device includes a plurality of flash memory chips, each flash memory chip includes a plurality of cell blocks,
At least one cell block is allocated to each of the plurality of name spaces. A method of operating a storage device communicating with a host, wherein the storage device includes a plurality of NameSpaces each including at least one cell block,
receiving a configuration command from the host;
In response to the setting command, virtual machine information for each of the first to Nth virtual machines created in the host, a memory address indicating a location of an I/O queue in a host memory allocated to each virtual machine, the virtual machine storing security information including a namespace ID representing a namespace associated with (where N is an integer greater than or equal to 2); and
and selectively stopping processing of the read request by comparing information extracted by decoding the read request with the security information when a read request is received from the host. method. According to claim 10,
The security information includes N entries corresponding to the first to Nth virtual machines;
Each entry includes virtual machine information representing one virtual machine, the memory address mapped to the virtual machine information, and the namespace ID. According to claim 11,
The memory address and the namespace ID of an entry corresponding to virtual machine information extracted from the read request among the N entries are compared with information extracted from the read request. According to claim 10,
As a (N+1)th virtual machine is further created in the host, updating virtual machine information for the (N+1)th virtual machine, the memory address mapped thereto, and the namespace ID to the security information. A method of operating a storage device, further comprising the steps of: According to claim 10,
generating first to Nth virtual functions corresponding to the first to Nth virtual machines in response to a request from the host;
and wherein security information for the first to Nth virtual machines is stored in each of the first to Nth virtual functions. According to claim 14,
Selectively stopping the processing of the read request,
decoding, by the first virtual function, a read request provided from the first virtual machine and extracting a memory address and a namespace ID from the read request; and
Comprising a step of processing the read request from the first virtual machine by comparing the memory address and the namespace ID mapped to virtual machine information for the first virtual machine among the security information with the extracted information A method of operating a storage device, characterized in that. According to claim 14,
Selectively stopping the processing of the read request,
decoding, by the first virtual function, a read request provided from the second virtual machine, and extracting a memory address and a namespace ID from the read request; and
stopping processing of the read request from the second virtual machine by comparing the memory address and the namespace ID mapped to virtual machine information for the second virtual machine among the security information with the extracted information; A method of operating a storage device comprising: According to claim 10,
the security information is stored in a volatile memory in the storage device;
The receiving of the setting command is performed when the storage device is initially driven. In a host accessing multiple namespaces provided on a storage device,
first to Nth virtual machines generating a read request for accessing the plurality of namespaces through independent paths according to virtualization technology (where N is an integer of 2 or more);
a host memory including a plurality of input/output queues allocated to the first through Nth virtual machines; and
a virtual machine manager managing creation of the first to Nth virtual machines and allocation of input/output queues of the host memory to the first to Nth virtual machines;
Along with a setting command, virtual machine information for each of the first to Nth virtual machines, a memory address indicating the location of the input/output queue allocated to each virtual machine, and a namespace ID indicating a namespace associated with the virtual machine. A host characterized in that for transmitting security information including a to the storage device. According to claim 18,
The security information includes N entries corresponding to the first to Nth virtual machines;
Each entry includes virtual machine information representing one virtual machine, the memory address mapped to the virtual machine information, and the namespace ID. According to claim 18,
The first virtual machine is associated with a first namespace of the storage device,
When the second virtual machine transmits a read request including the memory address corresponding to the first virtual machine or a namespace ID indicating the first namespace to the storage device, a read from the second virtual machine A host characterized in that reception of a completion response in response to a request is blocked.

Images