CN105550014A - Flexible and efficient cross-permission-level and cross-domain calling method - Google Patents
- Publication number: CN105550014A (CN201510901658.4A)
- Authority: CN (China)
- Prior art keywords: domain, call, calling, called, processor
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F9/45558: Hypervisor-specific management and integration aspects
- G06F21/51: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
- G06F9/547: Remote procedure calls [RPC]; Web services
- G06F2209/544: Remote
- G06F2221/033: Test or assess software
Abstract
The invention provides a flexible and efficient cross-permission-level and cross-domain calling method. It improves call performance by reducing privilege-level and address-space switches when a call crosses privilege levels and address spaces, and ensures the flexibility and security of calls by separating authentication and authorization. The cross-domain call mechanism of a traditional computer processor has only a limited number of call paths, and calls between different domains can be completed only by reusing those paths several times, which causes a large number of additional switches across privilege levels and address spaces. The method effectively avoids this unnecessary switching, improves system performance while ensuring security, and accelerates the use of critical services with high performance demands in scenarios such as servers and embedded devices built on a virtualization platform or a high-performance operating system, bringing considerable social and economic benefits.
Description
Technical field
The present invention relates to the field of computer system software and architecture, and specifically to a flexible and efficient method for calls across privilege levels and domains. It mainly proposes a flexible cross-domain call method that improves system performance while ensuring security.
Background
The revolutionary development of computer system technology, virtualization technology in particular, has added more vertical layers to the system software stack; there are now four protection levels: the virtual machine monitor, virtual machine management tools, the operating system and user-mode programs. Multi-tenant applications in cloud computing scenarios in turn introduce multiple protection domains (such as virtual machines) along the horizontal dimension of a single computer. In addition, the growing popularity of scenarios such as nested virtualization further increases the complexity of the software stack both horizontally and vertically.
The ever more complex software stack brings both opportunities and challenges. On the one hand, developers can more freely use the different layers of the software stack to implement diverse functions, including security enhancement, functional decoupling and improved manageability. On the other hand, the increase in software layers and protection domains also leads to more complex cross-domain call and control mechanisms. For example, a cross-virtual-machine call (calling code in another virtual machine from one virtual machine) usually requires frequent switching between virtual machines and between virtual machines and the virtual machine monitor. Here, a domain is a computing environment made up of state such as the processor privilege level, the processor operating mode and the program address space; the address space and the mode are determined by the page table and the processor execution mode (such as ring level, root or non-root mode) respectively.
These complex cross-domain call and control mechanisms cause much unnecessary system complexity and performance overhead, because existing cross-domain call mechanisms are not flexible enough. As shown in Fig. 1, current hardware mechanisms mostly support only system calls (syscall) from user-mode programs to kernel-mode programs and calls from a virtual machine to the virtual machine monitor (called hypercall, also called vmcall). A cross-domain call therefore has to go back and forth through the virtual machine monitor repeatedly, so that the identity of the caller can be checked and it can be decided, from the specifics of the request, whether to authorize execution of the call.
Furthermore, a cross-domain call not only crosses privilege levels (e.g. from Ring3 to Ring0) but may also cross different address spaces. This not only makes cross-domain calls more complex and inefficient; the domain switches also lower the hit rates of caches, the TLB and similar structures, reducing overall performance. As shown in Fig. 2, when one virtual machine needs to call a service in another virtual machine, the ideal call needs only 2 domain switches; in reality, the call takes as many as 9 domain switches and incurs considerable performance loss along the way. Systems that make cross-virtual-machine calls all need a large number of round trips through the virtual machine monitor or the operating system kernel, which makes them complex to implement and slow, and greatly limits their usability.
Summary of the invention
In view of the defects in the prior art, the object of the present invention is to provide a flexible and efficient method for calls across privilege levels and domains. The flexible, efficient and secure cross-domain call mechanism it provides solves the low performance and high complexity of current inter-domain switching.
According to the flexible and efficient method for calls across privilege levels and domains provided by the present invention, authentication and authorization are separated;
Separating authentication and authorization means: when a domain call occurs, authentication is completed by passing the calling domain's information to the called domain, and the called domain decides whether to authorize execution of the domain call.
Preferably, the method comprises a call preparation phase step;
Within a domain call process, the call preparation phase step is performed only once;
The call preparation phase step comprises the following steps:
Step A1: the caller and the callee each invoke lower-level software through a system call or a virtual machine call instruction, and each registers its own domain in the domain table;
Step A2: with the assistance of lower-level software, the caller and the callee set up a memory region shared between the two domains; this memory region holds the memory copied during cross-domain calls. The two domains are the domain in which the caller resides and the domain in which the callee resides;
Step A3: the caller and the callee each obtain, through lower-level software, the domain ID of the other party's domain; that is, the caller obtains the domain ID of the callee's domain through lower-level software, and the callee obtains the domain ID of the caller's domain through lower-level software.
Preferably, the method also comprises a step in which the software caller performs the call;
The step in which the software caller performs the call comprises the following steps:
Step B1: the caller provides the domain ID of the domain of the callee to be called, then executes the domain call instruction;
Execution of the domain call instruction comprises the following steps:
Step I1: the calling domain provides the domain ID that uniquely identifies the called domain as a token, where the domain ID denotes the ID of a domain table entry and is written WID;
Step I2: the processor first checks, based on the caller's own WID, whether this WID exists in the domain table; if it does not, the called domain has not been created and an error is returned; if it does, execution continues at step I3;
Step I3: the processor looks up the domain table entry of the called domain in the domain table cache according to the WID provided by the calling domain; if it is found, execution continues at step I4; if it is not found, execution continues at step I4';
Step I4': the processor raises an exception, looks up the corresponding entry in the in-memory domain table and fills it into the domain table cache, then goes back to step I3 and continues; if the processor does not find the corresponding entry in the in-memory domain table either, the domain call is considered to have failed, and the processor raises an exception in the calling domain and hands it to the calling domain's software to handle;
Step I4: after the processor finds the domain table entry of the called domain, the current state of the calling domain is saved; the processor then loads the information in the called domain's entry, saves the calling domain's own WID in a register for the called domain to use for further authorization, and jumps into the called domain to execute. The jump address is determined by the PC value in the information of the called domain's entry, where the PC value indicates the entry address for calls into the domain that the entry represents; if this PC value is not 0, execution jumps to the address the PC value points to; if this PC value is 0, the jump address is specified by the calling domain;
Here, a domain table holds the domain information, and each domain is uniquely identified by an unforgeable token. A domain becomes callable only after it has been registered in the domain table; at registration, the processor adds an entry to the domain table, and each entry represents a domain and is uniquely identified by a domain ID serving as its token.
Preferably, the method also comprises a step in which the processor hardware performs the call switch;
The step in which the processor hardware performs the call switch comprises the following steps:
Step C1: the processor executes the domain call instruction;
Step C1 specifically comprises the following steps:
Step C1.1: save the state of the domain in which the current caller resides;
Step C1.2: using the domain ID of the callee's domain provided by the caller, look up the corresponding entry in the domain table;
Step C1.3: change the state of the processor's actual registers to the values in the entry found;
Step C1.4: the processor sets the value of a register to the domain ID of the calling domain.
Preferably, the method also comprises a step in which the software callee performs authorization;
The step in which the software callee performs authorization comprises the following steps:
Step D1: the processor starts executing the instructions at the entry point of the called domain, which perform a permission check on the caller based on the calling domain ID obtained.
Preferably, the identity of the calling domain and the identity of the called domain are both identified by unforgeable tokens generated or managed by hardware; when a call executes, the processor hardware provides the calling domain's token to the called domain to achieve authentication, and the calling domain's call to a given called domain is completed through software authorization.
Preferably, the detailed process of the software authorization is: when a cross-domain call executes, the called domain learns, from the unforgeable token provided by hardware, which calling domain the cross-domain call originates from, and authorizes accordingly.
Preferably, the domain table can be accessed only by domain management software code running at a privilege level higher than that of the domains registered in the domain table.
Preferably, the authentication is completed by hardware, and the information of the called domain is provided by hardware; the call refers to a switch of the processor's control flow.
Preferably, data flows are passed between the domains of the call through shared memory;
When a domain call occurs, the processor stores the current state of the calling domain in a safe place, and then loads the state of the called domain from a safe place;
The safe place refers to:
- a block of memory addresses that is accessible only when the processor is in a set privilege level or mode; or
- a register inside the processor.
Compared with the prior art, the present invention has the following beneficial effects:
The present invention proposes a flexible and efficient domain call method that allows any two domains to call each other directly, preserves the cache locality of the calling processor, achieves lower latency and does not interrupt other virtual machines or applications, and so greatly improves cross-domain call performance. Moreover, because authentication and authorization are separated and domain calls are configured autonomously by software, the method is highly flexible while ensuring security.
Brief description of the drawings
Other features, objects and advantages of the present invention will become more apparent on reading the detailed description of non-limiting embodiments given with reference to the following drawings:
Fig. 1 shows the existing direct cross-domain calls and the direct cross-domain calls achieved by the present invention.
Fig. 2 shows the ideal and the actual call paths for a cross-virtual-machine call.
Fig. 3 is a logical diagram of the processor and memory.
Embodiments
The present invention is described in detail below with reference to specific embodiments. The following embodiments will help those skilled in the art to further understand the present invention, but do not limit it in any form. It should be pointed out that those skilled in the art can make a number of changes and improvements without departing from the concept of the invention. These all fall within the scope of protection of the present invention.
The flexible and efficient method for calls across privilege levels and domains proposed by the present invention improves call performance for calls across privilege levels and address spaces by reducing privilege-level and address-space switches, and ensures the flexibility and security of calls by separating authentication and authorization.
The cross-domain call mechanism of a traditional computer processor has only a limited number of call paths; calls between different domains can be completed only by reusing the existing call paths several times, which causes many additional switches across privilege levels and address spaces. The method proposed by the present invention effectively reduces this unnecessary switching, improves system performance while ensuring security, and promotes the use of critical services with high performance demands in scenarios such as servers and embedded devices built on virtualization platforms or high-performance operating systems, thereby bringing considerable social and economic benefits.
The method needs to perform the call preparation phase step only once; each later cross-domain call then performs the step in which the software caller performs the call, the step in which the processor hardware performs the call switch, and the step in which the software callee performs authorization. The call preparation phase step is set up and executed once to establish the environment parameters for calls, and subsequent cross-domain calls reuse the result of this phase.
The flexible and efficient cross-domain call mechanism provided by the present invention is described in detail below through a concrete example implementation.
The flexible and efficient method for calls across privilege levels and domains provided by the present invention separates authentication and authorization, and comprises a call preparation phase step, a step in which the software caller performs the call, a step in which the processor hardware performs the call switch, and a step in which the software callee performs authorization. Separating authentication and authorization means: when a domain call occurs, authentication is completed by passing the calling domain's information to the called domain, and the called domain decides whether to authorize execution of the domain call.
Within a domain call process, the call preparation phase step is performed only once;
The call preparation phase step comprises the following steps:
Step A1: the caller and the callee each invoke lower-level software through a system call or a virtual machine call instruction, and each registers its own domain in the domain table. Here, a domain is an execution space and the caller is a specific piece of code within an execution space; that is, the caller executes in the calling domain;
Step A2: with the assistance of lower-level software, the caller and the callee set up a memory region shared between the two domains; this memory region holds the memory copied during cross-domain calls. The two domains are the domain in which the caller resides and the domain in which the callee resides;
Step A3: the caller and the callee each obtain, through lower-level software, the domain ID of the other party's domain; that is, the caller obtains the domain ID of the callee's domain through lower-level software, and the callee obtains the domain ID of the caller's domain through lower-level software.
The step in which the software caller performs the call comprises the following steps:
Step B1: the caller provides the domain ID of the domain of the callee to be called, then executes the domain call instruction; the domain call instruction may be an existing processor instruction;
Execution of the domain call instruction comprises the following steps:
Step I1: the calling domain provides the domain ID that uniquely identifies the called domain as a token, where the domain ID denotes the ID of a domain table entry and is written WID;
Step I2: the processor first checks, based on the caller's own WID, whether this WID exists in the domain table; if it does not, the called domain has not been created and an error is returned; if it does, execution continues at step I3;
Step I3: the processor looks up the domain table entry of the called domain in the domain table cache according to the WID provided by the calling domain; if it is found, execution continues at step I4; if it is not found, execution continues at step I4';
Step I4': the processor raises an exception, looks up the corresponding entry in the in-memory domain table and fills it into the domain table cache, then goes back to step I3 and continues; if the processor does not find the corresponding entry in the in-memory domain table either, the domain call is considered to have failed, and the processor raises an exception in the calling domain and hands it to the calling domain's software to handle;
Step I4: after the processor finds the domain table entry of the called domain, the current state of the calling domain is saved; the processor then loads the information in the called domain's entry, saves the calling domain's own WID in a register for the called domain to use for further authorization, and jumps into the called domain to execute. The jump address is determined by the PC value in the information of the called domain's entry, where the PC value indicates the entry address for calls into the domain that the entry represents; if this PC value is not 0, execution jumps to the address the PC value points to; if this PC value is 0, the jump address is specified by the calling domain;
Here, a domain table holds the domain information, and each domain is uniquely identified by an unforgeable token. A domain becomes callable only after it has been registered in the domain table; at registration, the processor adds an entry to the domain table, and each entry represents a domain and is uniquely identified by a domain ID serving as its token.
The step in which the processor hardware performs the call switch comprises the following steps:
Step C1: the processor executes the domain call instruction;
Step C1 specifically comprises the following steps:
Step C1.1: save the state of the domain in which the current caller resides;
Step C1.2: using the domain ID of the callee's domain provided by the caller, look up the corresponding entry in the domain table;
Step C1.3: change the state of the processor's actual registers to the values in the entry found;
Step C1.4: the processor sets the value of a register to the domain ID of the calling domain.
The step in which the software callee performs authorization comprises the following steps:
Step D1: the processor starts executing the instructions at the entry point of the called domain, which perform a permission check on the caller based on the calling domain ID obtained.
Preferably, the identity of the calling domain and the identity of the called domain are both identified by unforgeable tokens generated or managed by hardware; when a call executes, the processor hardware provides the calling domain's token to the called domain to achieve authentication, and the calling domain's call to a given called domain is completed through software authorization.
Preferably, the detailed process of the software authorization is: when a cross-domain call executes, the called domain learns, from the unforgeable token provided by hardware, which calling domain the cross-domain call originates from, and authorizes accordingly.
Preferably, the domain table can be accessed only by domain management software code running at a privilege level higher than that of the domains registered in the domain table.
Preferably, the authentication is completed by hardware, and the information of the called domain is provided by hardware; the call refers to a switch of the processor's control flow.
Preferably, data flows are passed between the domains of the call through shared memory;
When a domain call occurs, the processor stores the current state of the calling domain in a safe place, and then loads the state of the called domain from a safe place;
The safe place refers to:
- a block of memory addresses that is accessible only when the processor is in a set privilege level or mode, where the set privilege level or mode may be a set higher privilege level of the processor, for example root mode (RootMode) in virtualization; or
- a register inside the processor.
Steps B1, C1 and D1 are the main steps of a domain call and can be performed repeatedly.
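The call path of steps B1, I1 to I4', C1 and D1 modelled in C, as an added example that is not code from the patent. The struct layout, table and cache sizes, return codes, function names and the callee's allow-list policy are assumptions, and `world_call` here is a software model of the domain call instruction's described behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 8   /* in-memory domain table capacity (assumed) */
#define CACHE_SIZE 2   /* domain table cache capacity (assumed) */
enum { WC_OK = 0, WC_NO_SUCH_DOMAIN = -1, WC_DENIED = -2 };  /* assumed codes */

/* One domain table entry: the state the processor loads on a switch. */
typedef struct {
    uint32_t wid;         /* token; 0 marks an unused slot in this model */
    uint64_t pc;          /* fixed entry address, 0 = calling domain chooses */
    uint64_t page_table;  /* address-space root */
    int      privilege;   /* privilege level / execution mode */
} domain_entry;

typedef struct {
    domain_entry table[TABLE_SIZE];  /* written only by domain management software */
    domain_entry cache[CACHE_SIZE];  /* WID -> entry cache inside the processor */
    unsigned     victim, misses;
    domain_entry cur;                /* live state of the running domain */
    domain_entry saved;              /* "safe place" holding the caller's state */
    uint32_t     caller_wid_reg;     /* written by hardware only (step C1.4) */
} cpu;

/* Step A1: management software registers a domain and returns its WID. */
uint32_t domain_register(cpu *c, uint64_t pc, uint64_t pt, int priv) {
    for (uint32_t i = 0; i < TABLE_SIZE; i++)
        if (c->table[i].wid == 0) {
            c->table[i] = (domain_entry){ i + 1, pc, pt, priv };
            return i + 1;
        }
    return 0;  /* table full */
}

/* Steps I3 and I4': cache lookup, then fill from the in-memory table on a miss. */
static const domain_entry *lookup(cpu *c, uint32_t wid) {
    if (wid == 0) return NULL;
    for (int i = 0; i < CACHE_SIZE; i++)
        if (c->cache[i].wid == wid) return &c->cache[i];
    c->misses++;
    for (int i = 0; i < TABLE_SIZE; i++)
        if (c->table[i].wid == wid) {
            domain_entry *slot = &c->cache[c->victim++ % CACHE_SIZE];
            *slot = c->table[i];
            return slot;
        }
    return NULL;  /* not in memory either: the domain call fails */
}

/* Steps I2-I4 and C1.1-C1.4: the hardware side of a domain call. */
int world_call(cpu *c, uint32_t target_wid, uint64_t requested_pc) {
    const domain_entry *e = lookup(c, target_wid);
    if (!e) return WC_NO_SUCH_DOMAIN;          /* no state is switched */
    c->saved = c->cur;                         /* C1.1: save the caller's state */
    c->caller_wid_reg = c->cur.wid;            /* C1.4: from live state, not an operand */
    c->cur = *e;                               /* C1.3: load the callee's state */
    if (e->pc == 0) c->cur.pc = requested_pc;  /* PC == 0: caller names the entry */
    return WC_OK;
}

/* Step D1: software at the callee's entry point authorizes by caller WID. */
int callee_authorize(const cpu *c, const uint32_t *allowed, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == c->caller_wid_reg) return WC_OK;
    return WC_DENIED;
}

/* Constructed scenario: service S admits only client A. */
int scenario(int from_b, int bogus_target) {
    cpu c = {0};
    uint32_t a = domain_register(&c, 0, 0x1000, 3);
    uint32_t b = domain_register(&c, 0, 0x2000, 3);
    uint32_t s = domain_register(&c, 0x400000, 0x3000, 0);
    c.cur = c.table[(from_b ? b : a) - 1];      /* start in the client domain */
    int rc = world_call(&c, bogus_target ? 99 : s, 0);
    return rc != WC_OK ? rc : callee_authorize(&c, &a, 1);
}

/* Call, return through world_call, call again: the repeat call hits the cache. */
unsigned misses_for_repeat_call(void) {
    cpu c = {0};
    uint32_t a = domain_register(&c, 0, 0x1000, 3);
    uint32_t s = domain_register(&c, 0x400000, 0x3000, 0);
    c.cur = c.table[a - 1];
    world_call(&c, s, 0);        /* miss: S filled from memory */
    world_call(&c, a, 0x5000);   /* return; A's entry PC is 0, so S names it */
    world_call(&c, s, 0);        /* hit */
    return c.misses;
}

int main(void) {
    printf("A->S %d, B->S %d, bad WID %d, misses %u\n", scenario(0, 0),
           scenario(1, 0), scenario(0, 1), misses_for_repeat_call());
    return 0;
}
```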
The flexible and efficient method for calls across privilege levels and domains is described in further detail below.
The main problem with cross-domain calls at present is that they must cross many extra domains, resulting in high complexity and low performance. The present invention proposes a method in which any two domains can call each other directly, greatly reducing unnecessary domain switches. The problem with direct calls between any two domains is security; by separating authentication and authorization, the present invention ensures the flexibility and security of calls. That is, the technical solution proposed by the present invention, the flexible and efficient method for calls across privilege levels and domains, comprises the following main points:
1) any two domains can call each other directly;
2) the flexibility and security of calls are ensured by separating authentication and authorization.
Specifically, the present invention follows the system design principle of separating authentication from authorization: authentication is given to hardware to perform, while the concrete authorization is left to software to perform, or to a mechanism in which hardware performs it according to software settings, allowing a call to be realized by switching directly between two domains. This mechanism lets one domain call into another domain securely, efficiently and flexibly, directly across different protection privilege levels and different address spaces.
More specifically, a domain in the present invention is a computing environment made up mainly of the processor privilege level, the processor operating mode and the program address-space state. For example, two processes running in one operating system have different address spaces and therefore run in different domains; similarly, an operating system kernel running in kernel mode and a program running in user mode on that operating system run in different domains, because the processor is at different privilege levels when the kernel and the program run. The call entry address of the called domain can be fixed, or can be specified by the callee.
The identities of the calling domain and the called domain are identified by unforgeable tokens generated or managed by hardware; when a call executes, the processor hardware provides the calling domain's token to the called domain to achieve authentication, and whether the calling domain can call a given called domain is decided by software authorization (for example, the callee may refuse the caller's call request based on the token). The detailed process of the authorization is: when a cross-domain call executes, the called domain learns, from the unforgeable token provided by hardware, which calling domain the cross-domain call originates from, and authorizes accordingly. Authorization can be implemented in several ways: software (such as software running in the called domain) may decide when the call executes whether the call is allowed to continue; or software (such as software running in the called domain) may set rules in advance, before the call executes, and hardware then decides according to those rules, when the call executes, whether the call is allowed to continue. This design balances the flexibility and the performance of cross-domain calls: on the one hand, the method keeps the coarse-grained hardware privilege separation mechanism and lets high-privilege software (such as the operating system or the virtual machine monitor) define different access rules flexibly; on the other hand, the method has hardware provide unforgeable tokens, so that each cross-domain call need not pass through calls into other software layers, which reduces the number of cross-domain calls and thus improves performance.
The present invention uses a domain table to hold domain information and identifies each domain uniquely by an unforgeable token. A domain must be registered in the domain table before it can be called; at registration, the processor adds an entry to the domain table, and each entry represents a domain and is uniquely identified by a WID (WorldID, i.e. domain ID) serving as its token. The domain table is kept in a block of memory that is set to be accessible only to code running at a privilege level higher than the registered domains (called domain management software, e.g. the virtual machine monitor). Fig. 3 shows the necessary information contained in each entry of the domain table. The domain management software can provide upper-layer software with interfaces for creating and deleting domain table entries. When a new domain is created, the domain management software provides a unique, unforgeable WID for the domain; a WID cannot be forged because it is managed directly by hardware. At the same time, the domain management software can limit the maximum number of domain table entries a guest virtual machine may create, to prevent a guest virtual machine from mounting a denial-of-service attack by registering a large number of domains.
To speed up domain table lookups, the present invention adds a domain table cache and a reverse domain table cache to the processor: the domain table cache holds records mapping WIDs to domain table entry contents, and the reverse domain table cache holds records mapping domain table entries to WIDs. Lookup in the domain table cache is similar to the TLB lookup in current processors and is not described further here. When a processor lookup misses in the domain table cache, the processor can trigger an exception and transfer control flow to the domain management software, which is responsible for filling the corresponding entry into the domain table cache and then resuming execution. Another way to handle a domain table cache miss is for the processor hardware itself to perform the domain table lookup and the fill of the domain table cache.
After registering in the domain table, a domain can use a newly added instruction (called world_call in this invention) to perform the domain switch; after the called domain's code has executed, the processor again uses the world_call instruction to return, completing the call. When the world_call instruction (the domain call instruction) executes, the calling domain must provide the WID (World ID) of the domain to be called. The processor first checks, using the caller's own WID, whether this WID exists in the domain table; if it does not, the domain has not been created and an error is returned. The processor then looks up the called domain's information in the domain table cache according to the WID provided by the calling domain. If no corresponding entry is found in the domain table cache, the processor raises an exception, looks up the corresponding entry in the in-memory domain table, fills it into the domain table cache, and resumes execution. If the processor does not find the corresponding entry in the in-memory domain table either, the domain call fails, and the processor raises an exception in the calling domain, to be handled by calling-domain software. Once the processor has found the WID of the domain to be called and the corresponding entry information, it saves the current domain state in a safe place, which may be a region of secret memory or a dedicated set of processor registers. The processor then loads the entry information it found, saves the calling domain's WID in certain registers for the called domain to use in further authorization, and jumps into the called domain to execute. The jump address is determined by the PC value in the entry that was found: if the PC value is not 0, execution jumps to the address the PC value points to; if the PC value is 0, the jump address is the one the calling domain specifies when it executes world_call. There are two ways to authorize a domain call. In the first, after the domain call the processor is in the context of the called domain; called-domain software first judges, from the WID provided by the domain call, whether the calling domain is legitimate. If all checks pass, the call is authorized and allowed to continue; otherwise control is returned, by a process similar to the call process. In the second, before the domain call takes place, the called domain sets in advance, in hardware or in domain management software, which domains are allowed to call it. This policy information is kept in the processor or in memory in the form of a table (called the binding table), and at call time hardware consults this table to decide whether the call is legitimate. During a domain call, the calling domain and the called domain can negotiate and set up a region of shared memory for passing parameters or data; after the call, called-domain software can read parameters, commands and other information from the shared memory, perform the specific task, and then write the result of the call into the shared memory.
Preferably, the domain information contained in a domain table entry is as shown in the following table:
P | WID | H/G | Ring | EPTP | PTP | PC |
Where:
P indicates whether the domain table entry is valid;
WID is the ID of the domain table entry, i.e. the World ID;
H/G is the processor mode of the domain that the entry corresponds to. The processor modes are Host mode and Guest mode: Host mode is the processor mode in which the virtual machine monitor runs, and Guest mode is the processor mode in which a virtual machine runs;
Ring is the processor privilege level at which the domain corresponding to the entry runs;
EPTP is the root address of the extended page table of the domain corresponding to the entry;
PTP is the root address of the page table of the domain corresponding to the entry;
PC is the entry address at which the domain corresponding to the entry is called; a value of 0 means that the entry address of the domain call can be specified by calling-domain software at call time.
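The world_call sequence and the binding-table form of authorization described above, modelled in C as an added example (it is not code from the patent). The error codes, the direct-mapped cache layout, the sample table contents and the reading of the first check as "the caller must itself be registered" are assumptions; only the call direction is modelled.

```c
#include <stdint.h>
#include <stddef.h>

typedef struct {               /* one domain-table entry, fields as listed above */
    uint8_t  p, guest, ring;   /* P valid bit, H/G (1 = Guest mode), Ring */
    uint32_t wid;              /* WID, issued by domain management software */
    uint64_t eptp, ptp, pc;    /* EPTP, PTP, PC (0 = caller names the entry) */
} domain_entry;

typedef struct { uint32_t callee, caller; } binding;   /* pre-set "caller may call callee" rule */
enum { WC_OK, WC_NO_CALLER, WC_NO_CALLEE, WC_DENIED }; /* hypothetical result codes */

#define TABLE_LEN 3
#define CACHE_LEN 2
/* Constructed sample data: WID 1 is a host-mode service, WIDs 2 and 3 are guest domains. */
static domain_entry domain_table[TABLE_LEN] = {
    {1, 0, 0, 1, 0x1000, 0x2000, 0xffff0000},
    {1, 1, 0, 2, 0x3000, 0x4000, 0},
    {1, 1, 3, 3, 0x5000, 0x6000, 0x400000},
};
static const binding binding_table[] = { {1, 2}, {2, 1} };
static domain_entry cache[CACHE_LEN];      /* domain table cache (direct mapped, assumed) */
static unsigned cache_misses;

typedef struct {
    domain_entry cur;   uint64_t pc;       /* live context of the running domain */
    domain_entry saved; uint64_t saved_pc; /* stands in for the "safe place" */
    uint32_t caller_wid_reg;               /* register that carries the caller WID */
} cpu_state;

static const domain_entry *table_walk(uint32_t wid) {
    for (size_t i = 0; i < TABLE_LEN; i++)
        if (domain_table[i].p && domain_table[i].wid == wid) return &domain_table[i];
    return NULL;
}

static const domain_entry *cached_lookup(uint32_t wid) {
    domain_entry *slot = &cache[wid % CACHE_LEN];
    if (slot->p && slot->wid == wid) return slot;    /* cache hit */
    const domain_entry *e = table_walk(wid);         /* miss: refill from the in-memory table */
    cache_misses++;
    if (!e) return NULL;
    *slot = *e;
    return slot;
}

static int bound(uint32_t callee, uint32_t caller) {
    for (size_t i = 0; i < sizeof binding_table / sizeof binding_table[0]; i++)
        if (binding_table[i].callee == callee && binding_table[i].caller == caller) return 1;
    return 0;
}

int world_call(cpu_state *cpu, uint32_t target_wid, uint64_t caller_entry) {
    uint32_t self = cpu->cur.wid;   /* caller identity comes from CPU state, never from an operand */
    if (!table_walk(self)) return WC_NO_CALLER;      /* assumed reading of the first check */
    const domain_entry *callee = cached_lookup(target_wid);
    if (!callee) return WC_NO_CALLEE;                /* exception back to the calling domain */
    if (!bound(target_wid, self)) return WC_DENIED;  /* hardware consults the binding table */
    cpu->saved = cpu->cur;  cpu->saved_pc = cpu->pc; /* save the caller state first */
    cpu->cur = *callee;                              /* load Ring, EPTP, PTP, ... of the callee */
    cpu->caller_wid_reg = self;                      /* callee software can authorize further */
    cpu->pc = callee->pc ? callee->pc : caller_entry;
    return WC_OK;
}
```

A fixed non-zero PC in the entry is what prevents a caller from entering the called domain at an address of its own choosing; an entry with PC = 0 leaves that choice to the caller, so the callee's own authorization check has to cover it.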
In summary, the flexible cross-domain calling method proposed by the invention allows any two domains to call each other directly, with no intervention during the call by lower-level software such as the virtual machine monitor, and, by separating authentication from authorization, ensures both the flexibility and the security of calls.
Specific embodiments of the invention have been described above. It should be understood that the invention is not limited to the particular embodiments above; those skilled in the art may make various changes or modifications within the scope of the claims without affecting the substance of the invention. Where no conflict arises, the embodiments of this application and the features in the embodiments may be combined with one another arbitrarily.
Claims (10)
1. A flexible and efficient method for calling across privilege levels and domains, characterized in that authentication and authorization are separated;
The separation of authentication and authorization means: when a domain call occurs, authentication is completed by passing the information of the calling domain to the called domain, and the called domain decides whether to authorize execution of the domain call.
2. The flexible and efficient method for calling across privilege levels and domains according to claim 1, characterized by comprising a call preparation phase step;
Within one domain calling process, the call preparation phase step is performed only once;
The call preparation phase step comprises the following steps:
Step A1: the caller and the callee each invoke lower-level software through a system call or a virtual machine call instruction, and each register their own domain in the domain table;
Step A2: with the assistance of lower-level software, the caller and the callee establish a memory region shared between the two domains, the memory region being used to hold the memory copied in cross-domain calls; the two domains are the domain the caller resides in and the domain the callee resides in;
Step A3: the caller and the callee each obtain, through lower-level software, the domain ID of the domain the other party resides in; that is, the caller obtains through lower-level software the domain ID of the domain the callee resides in, and the callee obtains through lower-level software the domain ID of the domain the caller resides in.
3. The flexible and efficient method for calling across privilege levels and domains according to claim 1, characterized by further comprising a step in which the software caller executes the call;
The step in which the software caller executes the call comprises the following steps:
Step B1: the caller provides the domain ID of the domain the callee to be called resides in, then executes the domain call instruction;
Execution of the domain call instruction comprises the following steps:
Step I1: the calling domain provides the domain ID that uniquely identifies the called domain as its token, where the domain ID denotes the ID of the domain table entry and is written WID;
Step I2: the processor first checks, using the caller's own WID, whether this WID exists in the domain table; if it does not exist, the called domain has not been created and an error is returned; if it exists, execution continues at step I3;
Step I3: the processor looks up the domain table entry corresponding to the called domain in the domain table cache, according to the WID provided by the calling domain; if the entry is found, execution continues at step I4; if it is not found, execution continues at step I4';
Step I4': the processor raises an exception, looks up the corresponding domain table entry in the in-memory domain table and fills it into the domain table cache, then returns to step I3 and continues; if the processor does not find the corresponding entry in the in-memory domain table either, the domain call is deemed to have failed, and the processor raises an exception in the calling domain, to be handled by calling-domain software;
Step I4: after the processor finds the domain table entry corresponding to the called domain, it saves the current state of the calling domain, then loads the information in the domain table entry corresponding to the called domain, saves the calling domain's own WID in a register for the called domain to use in further authorization, and jumps into the called domain to execute; the jump address is determined by the PC value in the information of the domain table entry corresponding to the called domain, where the PC value indicates the entry address at which the domain corresponding to the entry is called; if the PC value is not 0, execution jumps to the address the PC value points to; if the PC value is 0, the jump address is specified by the calling domain;
Wherein a domain table is used to hold domain information, and each domain is uniquely identified by an unforgeable token; a domain becomes callable only once it has been registered in the domain table; on registration the processor adds an entry to the domain table, and each entry represents one domain and is uniquely identified by a domain ID serving as the token.
4. The flexible and efficient method for calling across privilege levels and domains according to claim 1, characterized by further comprising a step in which the processor hardware executes the call switch;
The step in which the processor hardware executes the call switch comprises the following steps:
Step C1: the processor executes the domain call instruction;
Wherein step C1 specifically comprises the following steps:
Step C1.1: save the state of the domain the current caller resides in;
Step C1.2: according to the domain ID, provided by the caller, of the domain the callee resides in, look up the corresponding domain table entry in the domain table;
Step C1.3: change the state of the processor's actual registers to the values in the domain table entry that was found;
Step C1.4: the processor sets the value of a register to the domain ID of the calling domain.
5. The flexible and efficient method for calling across privilege levels and domains according to claim 1, characterized by further comprising a step in which the software callee executes authorization;
The step in which the software callee executes authorization comprises the following steps:
Step D1: the processor begins executing the commands at the entry point of the called domain and, according to the calling-domain ID it has obtained, carries out the permission check on the caller.
6. The flexible and efficient method for calling across privilege levels and domains according to claim 1, characterized in that the identity of the calling domain and the identity of the called domain are both established by unforgeable tokens generated or managed by hardware; when a call executes, the processor hardware provides the calling domain's token to the called domain to accomplish authentication, and whether the calling domain may call a particular called domain is decided by software authorization.
7. The flexible and efficient method for calling across privilege levels and domains according to claim 6, characterized in that the software authorization proceeds as follows: when a cross-domain call executes, the called domain learns the source calling domain of that cross-domain call from the unforgeable token provided by hardware, and performs authorization.
8. The flexible and efficient method for calling across privilege levels and domains according to claim 3, characterized in that the domain table can be accessed only by domain management software code running at a privilege level higher than that of the domains registered in the domain table.
9. The flexible and efficient method for calling across privilege levels and domains according to claim 1, characterized in that the authentication is completed by hardware, the information being provided to the called domain by hardware; the call refers to a switch of the processor's control flow.
10. The flexible and efficient method for calling across privilege levels and domains according to claim 1, characterized in that the call passes data between domains by means of shared memory;
When a domain call occurs, the processor stores the current state of the calling domain in a safe place, and then loads the state of the called domain from the safe place;
Wherein the safe place refers to:
- a memory address that can be accessed only when the processor is in a set privilege level or mode; or
- a register inside the processor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510901658.4A CN105550014A (en) | 2015-12-08 | 2015-12-08 | Flexible and efficient cross-permission-level and cross-domain calling method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105550014A true CN105550014A (en) | 2016-05-04 |
Family
ID=55829212
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510901658.4A Pending CN105550014A (en) | 2015-12-08 | 2015-12-08 | Flexible and efficient cross-permission-level and cross-domain calling method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105550014A (en) |
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103955362A (en) * | 2014-04-03 | 2014-07-30 | 广东工业大学 | Xen-based operating system kernel monitoring method |
CN104573553A (en) * | 2014-12-30 | 2015-04-29 | 中国航天科工集团第二研究院七O六所 | Xen-oriented memory sharing security isolation method for virtual machines |
Non-Patent Citations (1)
Title |
---|
WENHAO LI ETC.: "Reducing World Switches in Virtualized Environment with Flexible Cross-world Calls", 《COMPUTER ARCHITECTURE (ISCA), 2015 ACM/IEEE 42ND ANNUAL INTERNATIONAL SYMPOSIUM ON》 * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110209959B (en) * | 2018-02-11 | 2024-01-12 | 北京京东尚科信息技术有限公司 | Information processing method and device |
US20220050908A1 (en) * | 2018-08-30 | 2022-02-17 | Micron Technology, Inc. | Domain Crossing in Executing Instructions in Computer Processors |
US11914726B2 (en) | 2018-08-30 | 2024-02-27 | Micron Technology, Inc. | Access control for processor registers based on execution domains |
CN110059453A (en) * | 2019-03-13 | 2019-07-26 | 中国科学院计算技术研究所 | A kind of container virtualization safety reinforced device and method |
CN110059453B (en) * | 2019-03-13 | 2021-02-05 | 中国科学院计算技术研究所 | Container virtualization security reinforcing device and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20160504 |