CN102270153A - Method and device for sharing encrypted card in virtual environment - Google Patents
Method and device for sharing encrypted card in virtual environment Download PDFInfo
- Publication number
- CN102270153A CN102270153A CN2011102309590A CN201110230959A CN102270153A CN 102270153 A CN102270153 A CN 102270153A CN 2011102309590 A CN2011102309590 A CN 2011102309590A CN 201110230959 A CN201110230959 A CN 201110230959A CN 102270153 A CN102270153 A CN 102270153A
- Authority
- CN
- China
- Prior art keywords
- encrypted card
- request
- queue
- card
- resource file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a method for sharing an encrypted card in virtual environment. The method comprises the following steps of: mapping a hardware encrypted card as an independent encrypted card resource file; and establishing a treatment line for each resource file and dispatching treatment requests. By the method and the device for sharing the encrypted card in virtual environment, a plurality of different encrypted card resources can be allocated to various virtual machines for use but the virtual machines still use the same encrypted card in physical aspect by mapping the same encrypted card as a plurality of different resource files, so that the service efficiency of the encrypted card is greatly improved.
Description
Technical field
The present invention relates to hardware and share, specifically, relate to a kind of method and apparatus of under virtual machine environment, encrypted card being shared.
Background technology
Along with the developing rapidly of cloud application model, cloud security becomes the problem that users pay close attention to the most in recent years.At present, encrypted card is widely used in information security field, is used for the authenticated identity and ensures secure user data, so use encrypted card to guarantee that the safety of cloud environment becomes first-selection.Generally use Intel Virtualization Technology in cloud environment, and current Intel Virtualization Technology causes virtual machine that encrypted card is monopolized character, if promptly virtual machine A has used encrypted card, other virtual machines just can't use this encrypted card, discharge the encrypted card resource up to A.
Under linux system, the driver of normal encrypted card can be mapped as encrypted card the resource file with unique resource identification number, and all application programs number are used this resource file by this resource identification, and use the encrypted physical card by driver.Intel Virtualization Technology uses VMM (Virtual Machine Monitor, virtual machine monitor) that hardware is dispatched, so as Fig. 1.Current Intel Virtualization Technology VMM allocative decision is: be that other virtual machines just can't be applied for this hardware resource after a virtual machine had distributed the encrypted card hardware resource.
This use pattern to encrypted card has been wasted the encrypted card resource greatly, so we need find a kind of encrypted card that makes to be shared using method by multi-dummy machine, improves the service efficiency of encrypted card.
Summary of the invention
In order to address the above problem, the present invention proposes the shared method of encrypted card under a kind of virtual environment, promptly change the single-mode that existing encrypted card driver is mapped as a block encryption card resource file, but same block encryption card is mapped as a plurality of different resource files, angle from VMM is exactly that a plurality of encrypted physical cards exist like this, VMM just can use to a plurality of different encrypted card resources allocations each virtual machine, but each virtual machine on physical layer, use be still same block encryption card.
The method that encrypted card is shared under a kind of virtual environment,
A hardware encryption card is mapped to independently encrypted card resource file;
For each resource file is set up processing queue and scheduling processing request.
Preferably, described processing queue comprises input queue and output queue;
Described input queue is deposited is solicit operation order and data to encrypted card;
What described output queue was deposited is the response results of returning after the encrypted card response request.
Preferably, the quantity of described encrypted card resource file is at least one.
Preferably, described scheduling is handled request and is adopted the First Come First Served algorithm.
Preferably, request is after encrypted card is handled, and this request can be deleted in input queue, after request is finished result turned back to output queue.
The device that encrypted card is shared under a kind of virtual environment comprises,
The mapping resources module is used for a hardware encryption card is mapped to independently encrypted card resource file;
Queue management module is used to each resource file to set up processing queue and request is handled in scheduling.
Preferably, described processing queue comprises input queue and output queue;
Described input queue is deposited is solicit operation order and data to encrypted card;
What described output queue was deposited is the response results of returning after the encrypted card response request.
Preferably, the quantity of described encrypted card resource file is at least one.
Preferably, described scheduling is handled request and is adopted the First Come First Served algorithm.
Preferably, request is after encrypted card is handled, and this request can be deleted in input queue, after request is finished result turned back to output queue.
The present invention is by being mapped as a plurality of different resource files with same block encryption card, just can use to each virtual machine a plurality of different encrypted card resources allocations, be still same block encryption card but each virtual machine uses on physical layer, improved the service efficiency of encrypted card greatly.
Description of drawings
Fig. 1 is that virtual machine is monopolized the encrypted card synoptic diagram.
Fig. 2 is that multi-dummy machine is shared the encrypted card synoptic diagram.
Fig. 3 is that multi-dummy machine is shared the encrypted card communication scheme.
Embodiment
The present invention will be described below in conjunction with the drawings and specific embodiments.
In order to realize that multi-dummy machine is shared encrypted card under the virtual environment, need drive adding mapping resources module and queue processing module on the basis at existing common encrypted card.
The main effect of mapping resources module becomes a plurality of independently encrypted card resource files with an encrypted card hardware exactly, an encrypted physical card is mapped as three independently resource files as shown in Figure 3, but the final visit of each resource file is an encrypted physical card.So need in driving, the request to the different resource file manage.Introduced queue management module in order to solve top problem.
The main effect of queue management module is to set up two processing queue for each resource file, and one is input queue, IP1 as shown in Figure 3, IP2 and IP3; One is output queue, OP1 as shown in Figure 3, OP2 and OP3.Input queue is deposited is solicit operation order and data to encrypted card, output queue is deposited be the encrypted card response request after, the response results of returning.Another vital role of queue management module is to assign request.Queue management module is assigned request, i.e. frist come,frist serve in proper order according to the time order and function of asking in the individual queue.In case a request is chosen tubulation reason module, will give encrypted card and handle, this request meeting is deleted from input queue; In case the encrypted card of request is finished dealing with, the result that queue management module can be returned encrypted card is put into output queue, equally according to frist come,frist serve, returns to corresponding resource file, finally returns to the corresponding virtual machine.
Claims (10)
1. the method that encrypted card is shared under the virtual environment is characterized in that:
A hardware encryption card is mapped to independently encrypted card resource file;
For each resource file is set up processing queue and scheduling processing request.
2. the method for claim 1, it is characterized in that: described processing queue comprises input queue and output queue;
Described input queue is deposited is solicit operation order and data to encrypted card;
What described output queue was deposited is the response results of returning after the encrypted card response request.
3. the method for claim 1, it is characterized in that: the quantity of described encrypted card resource file is at least one.
4. the method for claim 1 is characterized in that: described scheduling processing request employing First Come First Served algorithm.
5. method as claimed in claim 2 is characterized in that: request is after encrypted card is handled, and this request can be deleted in input queue, after request is finished result is turned back to output queue.
6. the device that encrypted card is shared under the virtual environment is characterized in that: comprises,
The mapping resources module is used for a hardware encryption card is mapped to independently encrypted card resource file;
Queue management module is used to each resource file to set up processing queue and request is handled in scheduling.
7. device as claimed in claim 6 is characterized in that: described processing queue comprises input queue and output queue;
Described input queue is deposited is solicit operation order and data to encrypted card;
What described output queue was deposited is the response results of returning after the encrypted card response request.
8. device as claimed in claim 6 is characterized in that: the quantity of described encrypted card resource file is at least one.
9. device as claimed in claim 6 is characterized in that: described scheduling is handled request and is adopted the First Come First Served algorithm.
10. device as claimed in claim 7 is characterized in that: request is after encrypted card is handled, and this request can be deleted in input queue, after request is finished result is turned back to output queue.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011102309590A CN102270153A (en) | 2011-08-12 | 2011-08-12 | Method and device for sharing encrypted card in virtual environment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011102309590A CN102270153A (en) | 2011-08-12 | 2011-08-12 | Method and device for sharing encrypted card in virtual environment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102270153A true CN102270153A (en) | 2011-12-07 |
Family
ID=45052464
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2011102309590A Pending CN102270153A (en) | 2011-08-12 | 2011-08-12 | Method and device for sharing encrypted card in virtual environment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102270153A (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103873245A (en) * | 2012-12-14 | 2014-06-18 | 华为技术有限公司 | Virtual machine system data encryption method and apparatus |
| CN104951712A (en) * | 2014-03-24 | 2015-09-30 | 国家计算机网络与信息安全管理中心 | Data safety protection method in Xen virtualization environment |
| CN104954452A (en) * | 2015-06-02 | 2015-09-30 | 华中科技大学 | Dynamic cipher card resource control method in virtualization environment |
| CN104951688A (en) * | 2014-03-24 | 2015-09-30 | 国家计算机网络与信息安全管理中心 | Special data encryption method and encryption card suitable for Xen virtualized environment |
| CN106874065A (en) * | 2017-01-18 | 2017-06-20 | 北京三未信安科技发展有限公司 | A kind of system for supporting hardware virtualization |
| CN109639424A (en) * | 2018-12-25 | 2019-04-16 | 山东超越数控电子股份有限公司 | A kind of virtual machine image encryption method and device based on different keys |
| CN111291332A (en) * | 2020-02-24 | 2020-06-16 | 山东超越数控电子股份有限公司 | Method and system for sharing and using encryption card in virtualization environment |
| CN113285983A (en) * | 2021-04-26 | 2021-08-20 | 北京科东电力控制系统有限责任公司 | Virtual experiment system supporting multiple virtualized security devices to share single encryption card |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070106992A1 (en) * | 2005-11-09 | 2007-05-10 | Hitachi, Ltd. | Computerized system and method for resource allocation |
| CN101262352A (en) * | 2008-03-04 | 2008-09-10 | 浙江大学 | Uniform data accelerated processing method in integrated secure management |
| US20100023939A1 (en) * | 2008-07-28 | 2010-01-28 | Fujitsu Limited | Virtual-machine generating apparatus, virtual-machine generating method, and virtual-machine generation program |
| CN101976200A (en) * | 2010-10-15 | 2011-02-16 | 浙江大学 | Virtual machine system for input/output equipment virtualization outside virtual machine monitor |
| CN102023888A (en) * | 2010-11-04 | 2011-04-20 | 北京曙光天演信息技术有限公司 | Virtual device based on multiple encryption cards |
-
2011
- 2011-08-12 CN CN2011102309590A patent/CN102270153A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070106992A1 (en) * | 2005-11-09 | 2007-05-10 | Hitachi, Ltd. | Computerized system and method for resource allocation |
| CN101262352A (en) * | 2008-03-04 | 2008-09-10 | 浙江大学 | Uniform data accelerated processing method in integrated secure management |
| US20100023939A1 (en) * | 2008-07-28 | 2010-01-28 | Fujitsu Limited | Virtual-machine generating apparatus, virtual-machine generating method, and virtual-machine generation program |
| CN101976200A (en) * | 2010-10-15 | 2011-02-16 | 浙江大学 | Virtual machine system for input/output equipment virtualization outside virtual machine monitor |
| CN102023888A (en) * | 2010-11-04 | 2011-04-20 | 北京曙光天演信息技术有限公司 | Virtual device based on multiple encryption cards |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2014089968A1 (en) * | 2012-12-14 | 2014-06-19 | 华为技术有限公司 | Virtual machine system data encryption method and device |
| CN103873245A (en) * | 2012-12-14 | 2014-06-18 | 华为技术有限公司 | Virtual machine system data encryption method and apparatus |
| CN104951688B (en) * | 2014-03-24 | 2019-04-12 | 国家计算机网络与信息安全管理中心 | Suitable for the exclusive data encryption method and encrypted card under Xen virtualized environment |
| CN104951712A (en) * | 2014-03-24 | 2015-09-30 | 国家计算机网络与信息安全管理中心 | Data safety protection method in Xen virtualization environment |
| CN104951688A (en) * | 2014-03-24 | 2015-09-30 | 国家计算机网络与信息安全管理中心 | Special data encryption method and encryption card suitable for Xen virtualized environment |
| CN104951712B (en) * | 2014-03-24 | 2019-07-26 | 国家计算机网络与信息安全管理中心 | A kind of data security protection method under Xen virtualized environment |
| CN104954452A (en) * | 2015-06-02 | 2015-09-30 | 华中科技大学 | Dynamic cipher card resource control method in virtualization environment |
| CN104954452B (en) * | 2015-06-02 | 2018-12-28 | 华中科技大学 | Cipher card resource dynamic control method under a kind of virtualized environment |
| CN106874065A (en) * | 2017-01-18 | 2017-06-20 | 北京三未信安科技发展有限公司 | A kind of system for supporting hardware virtualization |
| CN109639424A (en) * | 2018-12-25 | 2019-04-16 | 山东超越数控电子股份有限公司 | A kind of virtual machine image encryption method and device based on different keys |
| CN109639424B (en) * | 2018-12-25 | 2022-06-17 | 超越科技股份有限公司 | Virtual machine image encryption method and device based on different keys |
| CN111291332A (en) * | 2020-02-24 | 2020-06-16 | 山东超越数控电子股份有限公司 | Method and system for sharing and using encryption card in virtualization environment |
| CN111291332B (en) * | 2020-02-24 | 2023-11-03 | 超越科技股份有限公司 | Method and system for sharing encryption card under virtualized environment |
| CN113285983A (en) * | 2021-04-26 | 2021-08-20 | 北京科东电力控制系统有限责任公司 | Virtual experiment system supporting multiple virtualized security devices to share single encryption card |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102270153A (en) | Method and device for sharing encrypted card in virtual environment | |
| CN108228316B (en) | Method and device for virtualizing password device | |
| CN103139159B (en) | Secure communication between virtual machine in cloud computing framework | |
| US10102018B2 (en) | Introspective application reporting to facilitate virtual machine movement between cloud hosts | |
| CN102214117B (en) | Virtual machine management method, system and server | |
| US9141785B2 (en) | Techniques for providing tenant based storage security and service level assurance in cloud storage environment | |
| CN109857542B (en) | Calculation resource adjusting method, system and device | |
| US20150207678A1 (en) | Method and Apparatus for Managing Physical Network Interface Card, and Physical Host | |
| US9858110B2 (en) | Virtual credential adapter for use with virtual machines | |
| US11307802B2 (en) | NVMe queue management multi-tier storage systems | |
| CN104951688B (en) | Suitable for the exclusive data encryption method and encrypted card under Xen virtualized environment | |
| CN105069383A (en) | Virtual desktop USB (Universal Serial Bus) storage peripheral management and control method and system | |
| US20170093742A1 (en) | Managing a shared pool of configurable computing resources having an arrangement of a set of dynamically-assigned resources | |
| US20210157655A1 (en) | Container load balancing and availability | |
| CN109726005A (en) | For managing method, server system and the computer program product of resource | |
| CN104951712A (en) | Data safety protection method in Xen virtualization environment | |
| CN113821308B (en) | System on chip, virtual machine task processing method and device and storage medium | |
| CN105306576A (en) | Scheduling method and system for password arithmetic units | |
| CN103207965A (en) | Method and device for License authentication in virtual environment | |
| US11861406B2 (en) | Dynamic microservices allocation mechanism | |
| CN104598298A (en) | Virtual machine dispatching algorithm based on task load and current work property of virtual machine | |
| US20200151012A1 (en) | Adjustment of the number of central processing units to meet performance requirements of an i/o resource | |
| CN102801636A (en) | Method for limiting bandwidth of cloud hosting network of cloud computing platform | |
| US11416306B1 (en) | Placement to optimize heterogeneous physical host utilization | |
| US20150348177A1 (en) | Managing lease transactions in distributed systems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20111207 |