CN105550014A - Flexible and efficient cross-permission-level and cross-domain calling method - Google Patents

Publication number: CN105550014A
Application number: CN201510901658.4A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending
Prior art keywords: domain, call, calling, called, processor
Inventors: 陈海波, 夏虞斌, 利文浩, 臧斌宇, 管海兵
Current Assignee: Shanghai Jiaotong University
Original Assignee: Shanghai Jiaotong University

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/455: Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533: Hypervisors; Virtual machine monitors
    • G06F9/45558: Hypervisor-specific management and integration aspects
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46: Multiprogramming arrangements
    • G06F9/54: Interprogram communication
    • G06F9/547: Remote procedure calls [RPC]; Web services
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2209/00: Indexing scheme relating to G06F9/00
    • G06F2209/54: Indexing scheme relating to G06F9/54
    • G06F2209/544: Remote
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03: Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033: Test or assess software


Abstract

The invention provides a flexible and efficient cross-permission-level and cross-domain calling method, which reduces the switching of a permission level and an address space to improve calling performance when cross-permission-level and cross-address-space calling is carried out, and guarantees calling flexibility and safety through a way that authentication and authorization are separated. A cross-domain calling mechanism of a traditional computer processor only has limited calling paths, and the calling of different domains can be finished only by reusing the traditional calling paths for multiple times so as to cause a great quantity of additional cross-permission-level and cross-address-space switching. The method provided by the invention can effectively avoid the unnecessary switching, improves system performance while safety is guaranteed, and accelerates the application of key service with high-performance demands in scenes including servers, embedded equipment and the like on the basis of a virtualization platform or a high-performance operating system so as to bring considerable social benefits and economic benefits.

Description

Flexible and efficient cross-privilege-level and cross-domain calling method
Technical field
The present invention relates to the field of computer system software and architecture. Specifically, it relates to a flexible and efficient calling method across privilege levels and domains, and mainly proposes a flexible cross-domain calling method that improves system performance while preserving security.
Background
The rapid development of computer system technology, and of virtualization technology in particular, has added more vertical layers to the system software stack. There are currently four protection levels: the virtual machine monitor, the virtual machine management tool, the operating system and user-mode programs. Multi-tenant applications in cloud computing in turn introduce multiple protection domains (such as virtual machines) along the horizontal dimension of a single computer. In addition, the growing popularity of scenarios such as nested virtualization further increases the complexity of the software stack both horizontally and vertically.
The ever more complex software stack brings both opportunities and challenges. On the one hand, developers can more freely use the different layers of the software stack to implement diverse functions, including security hardening, functional decoupling and improved manageability. On the other hand, the growth in software layers and protection domains also leads to more complicated cross-domain calling and control mechanisms. For example, a cross-virtual-machine call (code in one virtual machine calling code in another virtual machine) usually requires frequent switching between virtual machines and between a virtual machine and the virtual machine monitor. Here a domain is a computing environment made up of state such as the processor privilege level, the processor operating mode and the program address space; the address space and the mode are determined by the page table and by the processor execution mode (such as ring level, root or non-root mode) respectively.
These complicated cross-domain calling and control mechanisms cause much unnecessary system complexity and performance overhead, because the existing cross-domain calling mechanisms are not flexible enough. As shown in Fig. 1, current hardware mostly supports only system calls (syscall) from a user-mode program to a kernel-mode program, and calls from a virtual machine to the virtual machine monitor (hypercall, also called vmcall). A cross-domain call therefore has to pass back and forth through the virtual machine monitor several times, so that the caller's identity can be checked and the decision whether to authorize the call can be made from the details of the request.
Furthermore, a cross-domain call has to cross not only privilege levels (for example from Ring3 to Ring0) but also different address spaces. This makes cross-domain calls more complicated and less efficient, and the domain switches lower the hit rates of the cache and the TLB, which reduces overall performance. As shown in Fig. 2, when one virtual machine needs to call a service in another virtual machine, the ideal call path needs only 2 domain switches; in reality the call needs up to 9 domain switches, with considerable performance loss along the way. Systems that make cross-virtual-machine calls all require a large amount of switching back and forth through the virtual machine monitor or the operating system kernel, which makes them complex to implement and slow, and greatly limits the usability of such systems.
Summary of the invention
In view of the defects of the prior art, the object of the present invention is to provide a flexible and efficient calling method across privilege levels and domains. The flexible, efficient and secure cross-domain calling mechanism it provides solves the low performance and high complexity of switching between domains today.
The flexible and efficient calling method across privilege levels and domains provided by the present invention separates authentication from authorization.
Separating authentication from authorization means: when a domain call occurs, authentication is completed by passing the calling domain's information to the called domain, and the called domain decides whether to authorize execution of the domain call.
Preferably, the method comprises a call preparation phase.
Within one domain-call procedure, the call preparation phase is executed only once.
The call preparation phase comprises the following steps:
Step A1: the caller and the callee each invoke the lower-level software through a system call or a hypercall instruction, and each registers its own domain in the domain table.
Step A2: with the assistance of the lower-level software, the caller and the callee set up a memory region shared between the two domains; this region stores the memory copies made during cross-domain calls. The two domains are the domain the caller resides in and the domain the callee resides in.
Step A3: the caller and the callee each obtain, through the lower-level software, the domain ID of the other party's domain. That is, the caller obtains the domain ID of the callee's domain through the lower-level software, and the callee obtains the domain ID of the caller's domain through the lower-level software.
Preferably, the method also comprises a call step executed by the software caller.
The call step executed by the software caller comprises the following steps:
Step B1: the caller supplies the domain ID of the domain of the callee it wants to call, then executes the domain call instruction.
Execution of the domain call instruction comprises the following steps:
Step I1: the calling domain supplies the domain ID that uniquely identifies the called domain as a token; the domain ID denotes the ID of a domain table entry and is written WID.
Step I2: the processor first checks, based on the caller's own WID, whether this WID exists in the domain table. If it does not exist, the called domain has not been created and an error is returned; if it exists, execution continues at step I3.
Step I3: the processor looks up the domain table entry of the called domain in the domain table cache, using the WID supplied by the calling domain. If the entry is found, execution continues at step I4; if it is not found, execution continues at step I4'.
Step I4': the processor treats this as an exception, looks up the corresponding entry in the in-memory domain table, fills it into the domain table cache, and then returns to step I3. If the processor does not find the corresponding entry in the in-memory domain table either, the domain call is considered to have failed; the processor raises an exception in the calling domain and hands it to the calling domain's software for handling.
Step I4: once the processor has found the domain table entry of the called domain, it saves the current state of the calling domain, loads the information in the called domain's table entry, stores the calling domain's own WID in a register so that the called domain can use it for further authorization, and jumps into the called domain. The jump address is determined by the PC value in the called domain's table entry, where the PC value indicates the entry address for calls into the domain that the entry describes. If this PC value is not 0, execution jumps to the address the PC value points to; if this PC value is 0, the jump address is specified by the calling domain.
Here, a domain table holds the information about the domains, and each domain is uniquely identified by an unforgeable token. A domain becomes callable only after it has been registered in the domain table. On registration the processor adds one entry to the domain table; each entry represents one domain and is uniquely identified by a domain ID that serves as its token.
Preferably, the method also comprises a call switching step executed by the processor hardware.
The call switching step executed by the processor hardware comprises the following steps:
Step C1: the processor executes the domain call instruction.
Step C1 specifically comprises the following steps:
Step C1.1: save the state of the domain the current caller resides in.
Step C1.2: using the domain ID of the callee's domain supplied by the caller, look up the corresponding entry in the domain table.
Step C1.3: set the state of the processor's actual registers to the values in the domain table entry found.
Step C1.4: the processor sets the value of one register to the domain ID of the calling domain.
Preferably, the method also comprises an authorization step executed by the software callee.
The authorization step executed by the software callee comprises the following step:
Step D1: the processor starts executing the instructions at the called domain's entry point, which perform a permission check on the caller based on the calling-domain ID obtained.
Preferably, the identity of the calling domain and the identity of the called domain are both identified by unforgeable tokens generated or managed by hardware. When a call executes, the processor hardware presents the calling domain's token to the called domain, which achieves authentication; whether the calling domain may call a given called domain is settled by software authorization.
Preferably, the software authorization proceeds as follows: when a cross-domain call executes, the called domain learns from the unforgeable token provided by hardware which calling domain the call comes from, and authorizes accordingly.
Preferably, the domain table can be accessed only by domain management software code running at a privilege level higher than that of the domains registered in the domain table.
Preferably, the authentication is performed by hardware, with the hardware providing the information of the called domain; the call refers to a switch of the processor's control flow.
Preferably, the call passes data between domains through shared memory.
When a domain call occurs, the processor stores the current state of the calling domain in a safe place, and then loads the state of the called domain from a safe place.
Here, a safe place means:
- a memory address that the processor can access only when it is at a set privilege level or in a set mode; or
- a register inside the processor.
Compared with the prior art, the present invention has the following beneficial effects:
The present invention proposes a flexible and efficient domain calling method that allows any two domains to call each other directly. It preserves the cache locality of the calling processor, achieves lower latency, and does not interrupt other virtual machines or applications, so it can greatly improve the performance of cross-domain calls. Moreover, because the invention separates authentication from authorization and lets software configure domain calls autonomously, it offers very good flexibility while still ensuring security.
Brief description of the drawings
Other features, objects and advantages of the present invention will become more apparent from the detailed description of non-limiting embodiments given with reference to the following drawings:
Fig. 1 shows the direct cross-domain calls that exist today and the direct cross-domain calls achieved by the present invention.
Fig. 2 shows the ideal and the actual call paths for a cross-virtual-machine call.
Fig. 3 is a logical diagram of the processor and memory.
Detailed description of embodiments
The present invention is described in detail below with reference to specific embodiments. The following embodiments will help those skilled in the art to understand the invention further, but do not limit it in any form. It should be noted that those skilled in the art can make various changes and improvements without departing from the concept of the invention; these all fall within the scope of protection of the invention.
The flexible and efficient calling method across privilege levels and domains proposed by the present invention improves call performance for calls that cross privilege levels and address spaces by reducing the number of privilege-level and address-space switches, and ensures the flexibility and security of calls by separating authentication from authorization.
The cross-domain calling mechanism of a traditional computer processor has only a limited number of call paths, and a call between different domains can be completed only by reusing the existing call paths several times, which causes many additional switches across privilege levels and address spaces. The method proposed by the present invention effectively reduces this unnecessary switching and improves system performance while ensuring security. It promotes the use of critical services with high performance demands in scenarios such as servers and embedded devices based on a virtualization platform or a high-performance operating system, and thereby brings considerable social and economic benefits.
The method requires the call preparation phase to be executed only once. Each later cross-domain call executes the call step of the software caller, the call switching step of the processor hardware and the authorization step of the software callee. The call preparation phase only needs to be set up and executed once to establish the environment parameters for calling; subsequent cross-domain calls reuse the result of this phase.
The flexible and efficient cross-domain calling mechanism provided by the present invention is described in detail below through a concrete embodiment.
The flexible and efficient calling method across privilege levels and domains provided by the present invention separates authentication from authorization, and comprises a call preparation phase, a call step executed by the software caller, a call switching step executed by the processor hardware, and an authorization step executed by the software callee. Separating authentication from authorization means: when a domain call occurs, authentication is completed by passing the calling domain's information to the called domain, and the called domain decides whether to authorize execution of the domain call.
Within one domain-call procedure, the call preparation phase is executed only once.
The call preparation phase comprises the following steps:
Step A1: the caller and the callee each invoke the lower-level software through a system call or a hypercall instruction, and each registers its own domain in the domain table. Here a domain is an execution space, and the caller is a specific piece of code in that execution space; that is, the caller executes in the calling domain.
Step A2: with the assistance of the lower-level software, the caller and the callee set up a memory region shared between the two domains; this region stores the memory copies made during cross-domain calls. The two domains are the domain the caller resides in and the domain the callee resides in.
Step A3: the caller and the callee each obtain, through the lower-level software, the domain ID of the other party's domain. That is, the caller obtains the domain ID of the callee's domain through the lower-level software, and the callee obtains the domain ID of the caller's domain through the lower-level software.
The call step executed by the software caller comprises the following steps:
Step B1: the caller supplies the domain ID of the domain of the callee it wants to call, then executes the domain call instruction. The domain call instruction may be an existing processor instruction.
Execution of the domain call instruction comprises the following steps:
Step I1: the calling domain supplies the domain ID that uniquely identifies the called domain as a token; the domain ID denotes the ID of a domain table entry and is written WID.
Step I2: the processor first checks, based on the caller's own WID, whether this WID exists in the domain table. If it does not exist, the called domain has not been created and an error is returned; if it exists, execution continues at step I3.
Step I3: the processor looks up the domain table entry of the called domain in the domain table cache, using the WID supplied by the calling domain. If the entry is found, execution continues at step I4; if it is not found, execution continues at step I4'.
Step I4': the processor treats this as an exception, looks up the corresponding entry in the in-memory domain table, fills it into the domain table cache, and then returns to step I3. If the processor does not find the corresponding entry in the in-memory domain table either, the domain call is considered to have failed; the processor raises an exception in the calling domain and hands it to the calling domain's software for handling.
Step I4: once the processor has found the domain table entry of the called domain, it saves the current state of the calling domain, loads the information in the called domain's table entry, stores the calling domain's own WID in a register so that the called domain can use it for further authorization, and jumps into the called domain. The jump address is determined by the PC value in the called domain's table entry, where the PC value indicates the entry address for calls into the domain that the entry describes. If this PC value is not 0, execution jumps to the address the PC value points to; if this PC value is 0, the jump address is specified by the calling domain.
Here, a domain table holds the information about the domains, and each domain is uniquely identified by an unforgeable token. A domain becomes callable only after it has been registered in the domain table. On registration the processor adds one entry to the domain table; each entry represents one domain and is uniquely identified by a domain ID that serves as its token.
The call switching step executed by the processor hardware comprises the following steps:
Step C1: the processor executes the domain call instruction.
Step C1 specifically comprises the following steps:
Step C1.1: save the state of the domain the current caller resides in.
Step C1.2: using the domain ID of the callee's domain supplied by the caller, look up the corresponding entry in the domain table.
Step C1.3: set the state of the processor's actual registers to the values in the domain table entry found.
Step C1.4: the processor sets the value of one register to the domain ID of the calling domain.
The authorization step executed by the software callee comprises the following step:
Step D1: the processor starts executing the instructions at the called domain's entry point, which perform a permission check on the caller based on the calling-domain ID obtained.
Preferably, the identity of the calling domain and the identity of the called domain are both identified by unforgeable tokens generated or managed by hardware. When a call executes, the processor hardware presents the calling domain's token to the called domain, which achieves authentication; whether the calling domain may call a given called domain is settled by software authorization.
Preferably, the software authorization proceeds as follows: when a cross-domain call executes, the called domain learns from the unforgeable token provided by hardware which calling domain the call comes from, and authorizes accordingly.
Preferably, the domain table can be accessed only by domain management software code running at a privilege level higher than that of the domains registered in the domain table.
Preferably, the authentication is performed by hardware, with the hardware providing the information of the called domain; the call refers to a switch of the processor's control flow.
Preferably, the call passes data between domains through shared memory.
When a domain call occurs, the processor stores the current state of the calling domain in a safe place, and then loads the state of the called domain from a safe place.
Here, a safe place means:
- a memory address that the processor can access only when it is at a set privilege level or in a set mode, where the set privilege level or mode may be a higher privilege level of the processor, for example root mode (RootMode) in virtualization; or
- a register inside the processor.
Steps B1, C1 and D1 are the main steps of a domain call and can be repeated.
The flexible and efficient calling method across privilege levels and domains is described in further detail below.
The main problem with cross-domain calls today is that they have to cross many extra domains, which makes them complex and slow. The present invention proposes a method in which any two domains can call each other directly, which considerably reduces unnecessary domain switches. The problem with direct calls between any two domains is security; the present invention ensures the flexibility and security of calls by separating authentication from authorization. The technical solution proposed by the present invention, the flexible and efficient calling method across privilege levels and domains, therefore comprises the following main points:
1) any two domains can call each other directly;
2) authentication is separated from authorization, which ensures the flexibility and security of calls.
Specifically, the present invention follows the system design principle of separating authentication from authorization. Authentication is handed to hardware, while the concrete authorization is performed by software, or by hardware according to rules that software has set. This allows a call to be implemented as a direct switch between two domains. The mechanism lets one domain call into another domain directly, across different protection privilege levels and different address spaces, in a secure, efficient and flexible way.
More specifically, a domain in the present invention is a computing environment made up mainly of the processor privilege level, the processor operating mode and the program address space state. For example, two processes running in one operating system have different address spaces and therefore run in different domains. Similarly, an operating system kernel running in kernel mode and a program running in user mode on that operating system run at different processor privilege levels, and therefore also run in different domains. The call entry address of the called domain may be fixed, or may be specified by the callee.
The identities of the calling domain and the called domain are identified by unforgeable tokens generated or managed by hardware. When a call executes, the processor hardware presents the calling domain's token to the called domain, which achieves authentication; whether the calling domain may call a given called domain is settled by software authorization (for example, the callee may refuse the caller's call request based on the token). The authorization proceeds as follows: when a cross-domain call executes, the called domain learns from the unforgeable token provided by hardware which calling domain the call comes from, and authorizes accordingly. Authorization can be implemented in several ways. Software (such as software running in the called domain) may decide at call time whether the call is allowed to continue. Alternatively, software (such as software running in the called domain) may set rules before the call executes, and at call time the hardware decides according to those rules whether the call is allowed to continue. This design balances the flexibility and the performance of cross-domain calls. On the one hand, it keeps the coarse-grained hardware privilege separation mechanism and lets high-privilege software (such as the operating system or the virtual machine monitor) define different access rules flexibly. On the other hand, it has the hardware provide an unforgeable token, so that a cross-domain call does not have to pass through calls into other software layers every time, which reduces the number of cross-domain calls and thus improves performance.
The present invention uses a domain table to hold the information about domains, and identifies each domain uniquely by an unforgeable token. A domain must be registered in the domain table before it can be called. On registration the processor adds one entry to the domain table; each entry represents one domain and is uniquely identified by a WID (World ID, i.e. domain ID) that serves as its token. The domain table is kept in a region of memory that is configured so that only code running at a privilege level higher than that of the registered domains (called domain management software, such as the virtual machine monitor) can access it. Fig. 3 shows the necessary information contained in each part of the domain table. The domain management software can provide upper-layer software with an interface for creating and deleting domain table entries. When a new domain is created, the domain management software provides a unique, unforgeable WID for it; the WID cannot be forged because it is managed directly by hardware. The domain management software can also limit the maximum number of domain table entries a guest virtual machine may create, to prevent a guest virtual machine from causing a denial-of-service attack by registering a large number of domains. To speed up domain table lookups, the present invention adds a domain table cache and a reverse domain table cache to the processor. The domain table cache holds records mapping a WID to the contents of its domain table entry, and the reverse domain table cache holds records mapping a domain table entry to its WID. A lookup in the domain table cache is similar to a TLB lookup in current processors and is not described further here. When a lookup in the domain table cache misses, the processor can trigger an exception and transfer control flow to the domain management software, which fills the corresponding entry into the domain table cache and then resumes execution. Another way to handle a domain table cache miss is for the processor hardware itself to look up the domain table and fill the domain table cache.
After registering in the domain table, a domain can use a newly added instruction (called world_call in the present invention) to perform the domain switch; after the called domain's code has finished executing, the processor again uses world_call to return, completing the call. When world_call (the domain call instruction) executes, the calling domain must supply the WID (World ID) of the domain to be called. The processor first checks, according to the caller's own WID, whether this WID exists in the domain table; if it does not, the domain has not been created and an error is returned. The processor then uses the WID supplied by the calling domain to look up the called domain's information in the domain table cache. If no matching entry is found in the domain table cache, the processor raises an exception, the matching entry is looked up in the in-memory domain table and filled into the domain table cache, and execution resumes. If no matching entry is found in the in-memory domain table either, the domain call fails: the processor raises an exception in the calling domain and leaves it to the calling domain's software to handle. Once the processor has found the WID of the domain to be called and the corresponding entry information, it saves the current domain state in a safe place, which can be a region of secret memory or a separate set of processor registers. The processor then loads the entry information it found, stores the calling domain's WID in certain registers so that the called domain can perform further authorization, and jumps into the called domain to execute. The jump address is determined by the PC value in the entry found: if the PC value is not 0, execution jumps to the address the PC value points to; if the PC value is 0, the calling domain must specify the jump address when executing world_call. A domain call can be authorized in two ways. In the first, once the domain call has placed the processor in the called domain's context, the called domain's software first judges, from the WID provided by the domain call, whether the calling domain is legitimate; if all checks pass, the call is authorized and continues, otherwise control is returned, the return process being similar to the call process. In the second, before the domain call the called domain sets in advance, in hardware or in the domain management software, which domains are allowed to call it; this policy information is stored in the processor or in memory in the form of a table (called a binding table), and at call time the hardware looks up this table to decide whether the call is legitimate. During a domain call, the calling domain and the called domain can agree in advance on a region of shared memory for passing parameters or data; after the call, the called domain's software can obtain parameters, commands and similar information from the shared memory, perform the specific task, and then write the result of the call into the shared memory.
Preferably, a domain table entry contains the domain information shown in the following layout:
P | WID | H/G | Ring | EPTP | PTP | PC
Where:
P indicates whether this domain table entry is valid;
WID is the ID of the domain table entry, i.e. the World ID;
H/G is the processor mode of the domain corresponding to the entry; the processor modes are Host mode and Guest mode, where Host mode is the processor mode in which the virtual machine monitor runs and Guest mode is the processor mode in which virtual machines run;
Ring is the processor privilege level at which the domain corresponding to the entry runs;
EPTP is the root address of the extended page table of the domain corresponding to the entry;
PTP is the root address of the page table of the domain corresponding to the entry;
PC is the entry address at which the domain corresponding to the entry is called; a value of 0 means the entry address of the domain call can be specified by the calling domain's software at call time.
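The following C model is an added illustration, not code from the patent: it simulates the world_call flow described above using the domain table entry fields just listed, including the PC == 0 entry rule and both authorization modes (callee software check and hardware-checked binding table). The function names, error codes, MAX_DOMAINS quota and binding-table layout are assumptions, and the domain table cache is omitted.

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_DOMAINS 8   /* assumed quota on domain table entries */
enum { WC_OK = 0, WC_ERR_CALLER = -1, WC_ERR_CALLEE = -2, WC_ERR_DENIED = -3 };

/* One domain table entry, fields as listed above. */
typedef struct {
    int      p;          /* P: entry is valid */
    uint32_t wid;        /* WID: token assigned at registration */
    int      host;       /* H/G: 1 = Host mode, 0 = Guest mode */
    int      ring;       /* Ring: privilege level */
    uint64_t eptp, ptp;  /* EPTP / PTP: page-table roots */
    uint64_t pc;         /* PC: fixed entry address, 0 = caller specifies */
} domain_entry;

/* Modelled processor state; saved/saved_pc stand in for the "safe place". */
typedef struct {
    domain_entry cur;        /* context currently loaded */
    uint64_t     pc;         /* current program counter */
    uint32_t     caller_wid; /* register written by hardware on world_call */
    domain_entry saved;      /* caller context saved by hardware */
    uint64_t     saved_pc;
} cpu_state;

static domain_entry domain_table[MAX_DOMAINS];            /* manager-only memory */
static uint8_t binding[MAX_DOMAINS + 1][MAX_DOMAINS + 1]; /* [callee][caller] */

/* Domain management software: register a domain, return its WID (0 = quota hit). */
uint32_t domain_register(int host, int ring, uint64_t eptp, uint64_t ptp, uint64_t pc) {
    for (uint32_t i = 0; i < MAX_DOMAINS; i++) {
        if (!domain_table[i].p) {
            domain_table[i] = (domain_entry){1, i + 1, host, ring, eptp, ptp, pc};
            return i + 1;
        }
    }
    return 0;
}

static const domain_entry *lookup(uint32_t wid) {
    if (wid == 0 || wid > MAX_DOMAINS || !domain_table[wid - 1].p) return NULL;
    return &domain_table[wid - 1];
}

/* Callee pre-authorizes a caller in the binding table (hardware-checked mode). */
void binding_allow(uint32_t callee, uint32_t caller) {
    if (callee <= MAX_DOMAINS && caller <= MAX_DOMAINS) binding[callee][caller] = 1;
}

/* Model of world_call; use_binding selects the hardware-enforced policy. */
int world_call(cpu_state *cpu, uint32_t target, uint64_t caller_pc, int use_binding) {
    if (!lookup(cpu->cur.wid)) return WC_ERR_CALLER;  /* caller not registered */
    const domain_entry *e = lookup(target);
    if (!e) return WC_ERR_CALLEE;                     /* no such domain */
    if (use_binding && !binding[target][cpu->cur.wid]) return WC_ERR_DENIED;
    cpu->saved = cpu->cur;                            /* save caller state */
    cpu->saved_pc = cpu->pc;
    cpu->caller_wid = cpu->cur.wid;                   /* authentication: set by hardware */
    cpu->cur = *e;                                    /* load callee context */
    cpu->pc = e->pc ? e->pc : caller_pc;              /* PC == 0: caller picks entry */
    return WC_OK;
}

/* Software authorization run at the callee's entry point. */
int callee_authorize(const cpu_state *cpu, const uint32_t *allowed, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == cpu->caller_wid) return 1;
    return 0;
}
```

The caller never writes `caller_wid` itself; only `world_call` does, which is what lets the callee trust it as the basis for its authorization decision.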
In summary, the flexible cross-domain call method proposed by the present invention allows any two domains to call each other directly, without intervention by lower-level software such as a virtual machine monitor during the call, and by separating authentication from authorization it ensures both the flexibility and the security of calls.
Specific embodiments of the invention have been described above. It should be understood that the invention is not limited to these particular embodiments; those skilled in the art can make various changes or modifications within the scope of the claims without affecting the substance of the invention. Where no conflict arises, the embodiments of this application and the features in the embodiments can be combined with one another arbitrarily.

Claims (10)

1. A flexible and efficient cross-permission-level and cross-domain calling method, characterized in that authentication and authorization are separated;
The separation of authentication and authorization means that, when a domain call occurs, authentication is completed by passing the calling domain's information to the called domain, and the called domain decides whether to authorize execution of the domain call.
2. The flexible and efficient cross-permission-level and cross-domain calling method according to claim 1, characterized in that it comprises a call preparation stage step;
In one domain call process, the call preparation stage step is performed only once;
The call preparation stage step comprises the following steps:
Step A1: the caller and the callee each invoke lower-level software through a system call or a virtual machine call instruction, and each registers its own domain in the domain table;
Step A2: with the assistance of the lower-level software, the caller and the callee set up a memory region shared between the two domains, the memory region being used to hold the memory copies made in cross-domain calls; the two domains are the domain in which the caller resides and the domain in which the callee resides;
Step A3: the caller and the callee each obtain, through the lower-level software, the domain ID of the domain in which the other resides; that is, the caller obtains through the lower-level software the domain ID of the domain in which the callee resides, and the callee obtains through the lower-level software the domain ID of the domain in which the caller resides.
3. The flexible and efficient cross-permission-level and cross-domain calling method according to claim 1, characterized in that it further comprises a step in which the software caller executes the call;
The step in which the software caller executes the call comprises the following steps:
Step B1: the caller supplies the domain ID of the domain in which the callee to be called resides, and then executes the domain call instruction;
Execution of the domain call instruction comprises the following steps:
Step I1: the calling domain supplies the domain ID that uniquely identifies the called domain as its token, where the domain ID is the ID of the domain table entry, denoted WID;
Step I2: the processor first checks, according to the caller's own WID, whether this WID exists in the domain table; if it does not exist, the called domain has not been created and an error is returned; if it exists, execution continues with step I3;
Step I3: the processor uses the WID supplied by the calling domain to look up the domain table entry corresponding to the called domain in the domain table cache; if it is found, execution continues with step I4; if it is not found, execution continues with step I4';
Step I4': the processor raises an exception, looks up the corresponding entry in the in-memory domain table and fills it into the domain table cache, then returns to step I3 to continue; if the processor does not find the corresponding entry in the in-memory domain table either, the domain call is deemed to have failed, and the processor raises an exception in the calling domain and leaves it to the calling domain's software to handle;
Step I4: after the processor finds the domain table entry corresponding to the called domain, it saves the current state of the calling domain, then loads the information in the entry corresponding to the called domain, stores the calling domain's own WID in a register so that the called domain can perform further authorization, and jumps into the called domain to execute; the jump address is determined by the PC value in the information of the entry corresponding to the called domain, where the PC value indicates the entry address at which the domain corresponding to the entry is called; if the PC value is not 0, execution jumps to the address the PC value points to; if the PC value is 0, the jump address is specified by the calling domain;
Wherein a domain table is used to store domain information, and each domain is uniquely identified by an unforgeable token; a domain can be called only after it has been registered in the domain table; on registration the processor adds an entry to the domain table, each entry representing one domain and being uniquely identified by a domain ID serving as its token.
4. The flexible and efficient cross-permission-level and cross-domain calling method according to claim 1, characterized in that it further comprises a step in which the processor hardware performs the call switch;
The step in which the processor hardware performs the call switch comprises the following steps:
Step C1: the processor executes the domain call instruction;
Wherein step C1 specifically comprises the following steps:
Step C1.1: save the state of the domain in which the current caller resides;
Step C1.2: using the domain ID, supplied by the caller, of the domain in which the callee resides, look up the corresponding entry in the domain table;
Step C1.3: change the state of the processor's actual registers to the values of the entry found;
Step C1.4: the processor sets the value of a register to the domain ID of the calling domain.
5. The flexible and efficient cross-permission-level and cross-domain calling method according to claim 1, characterized in that it further comprises a step in which the software callee performs authorization;
The step in which the software callee performs authorization comprises the following step:
Step D1: the processor begins executing the instructions at the called domain's entry point and, according to the calling domain ID obtained, performs a permission check on the caller.
6. The flexible and efficient cross-permission-level and cross-domain calling method according to claim 1, characterized in that the identity of the calling domain and the identity of the called domain are both established by unforgeable tokens generated or managed by hardware; when a call executes, the processor hardware supplies the calling domain's token to the called domain to accomplish authentication, and whether the calling domain may call a particular called domain is decided by software authorization.
7. The flexible and efficient cross-permission-level and cross-domain calling method according to claim 6, characterized in that the software authorization proceeds as follows: when a cross-domain call executes, the called domain learns the source calling domain of this cross-domain call from the unforgeable token provided by hardware, and authorizes it.
8. The flexible and efficient cross-permission-level and cross-domain calling method according to claim 3, characterized in that the domain table can be accessed only by domain management software code running at a privilege level higher than the domains registered in the domain table.
9. The flexible and efficient cross-permission-level and cross-domain calling method according to claim 1, characterized in that the authentication is completed by hardware, the information of the called domain being provided by hardware; the call refers to a switch of the processor's control flow.
10. The flexible and efficient cross-permission-level and cross-domain calling method according to claim 1, characterized in that the call passes data between domains by means of shared memory;
When a domain call occurs, the processor stores the current state of the calling domain in a safe place, and then loads the state of the called domain from the safe place;
Wherein the safe place is:
- a region of memory addresses accessible only when the processor is at a set privilege level or in a set mode; or
- a register inside the processor.
CN201510901658.4A 2015-12-08 2015-12-08 Flexible and efficient cross-permission-level and cross-domain calling method Pending CN105550014A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510901658.4A CN105550014A (en) 2015-12-08 2015-12-08 Flexible and efficient cross-permission-level and cross-domain calling method

Publications (1)

Publication Number Publication Date
CN105550014A true CN105550014A (en) 2016-05-04

Family

ID=55829212

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510901658.4A Pending CN105550014A (en) 2015-12-08 2015-12-08 Flexible and efficient cross-permission-level and cross-domain calling method

Country Status (1)

Country Link
CN (1) CN105550014A (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103955362A (en) * 2014-04-03 2014-07-30 广东工业大学 Xen-based operating system kernel monitoring method
CN104573553A (en) * 2014-12-30 2015-04-29 中国航天科工集团第二研究院七O六所 Xen-oriented memory sharing security isolation method for virtual machines

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WENHAO LI ETC.: "Reducing World Switches in Virtualized Environment with Flexible Cross-world Calls", 《COMPUTER ARCHITECTURE (ISCA), 2015 ACM/IEEE 42ND ANNUAL INTERNATIONAL SYMPOSIUM ON》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110209959B (en) * 2018-02-11 2024-01-12 北京京东尚科信息技术有限公司 Information processing method and device
US20220050908A1 (en) * 2018-08-30 2022-02-17 Micron Technology, Inc. Domain Crossing in Executing Instructions in Computer Processors
US11914726B2 (en) 2018-08-30 2024-02-27 Micron Technology, Inc. Access control for processor registers based on execution domains
CN110059453A (en) * 2019-03-13 2019-07-26 中国科学院计算技术研究所 A kind of container virtualization safety reinforced device and method
CN110059453B (en) * 2019-03-13 2021-02-05 中国科学院计算技术研究所 Container virtualization security reinforcing device and method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160504
