CN108509613A - A method of promoting encrypted file system performance using NVM - Google Patents

A method of promoting encrypted file system performance using NVM Download PDF

Info

Publication number
CN108509613A
CN108509613A CN201810296629.3A CN201810296629A CN108509613A CN 108509613 A CN108509613 A CN 108509613A CN 201810296629 A CN201810296629 A CN 201810296629A CN 108509613 A CN108509613 A CN 108509613A
Authority
CN
China
Prior art keywords
nvm
data
write
ciphertext
file system
Prior art date
Application number
CN201810296629.3A
Other languages
Chinese (zh)
Inventor
肖春华
潘妍樾
成林峰
李鹏达
Original Assignee
重庆大学
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 重庆大学 filed Critical 重庆大学
Priority to CN201810296629.3A priority Critical patent/CN108509613A/en
Publication of CN108509613A publication Critical patent/CN108509613A/en

Links

Abstract

The invention discloses a kind of methods promoting encrypted file system performance using NVM, Dynamic Programming is carried out according to the data block characteristics of file write request, the suitable soft calculation of selection or hard method of calculating execute cryptographic operation, then it by ciphertext write-in NVM cachings, is finally concentrated by background thread and the ciphertext data in NVM is write back into disk layer in a manner of asynchronous IO.Wherein NVM memory headrooms are distributed and are managed by the NVM memory management schemes;According to the storage location of the NVM memory management schemes quick search requested data, read-out ciphertext will be selected suitable soft calculation or hard method of calculating to execute decryption oprerations, will finally be returned to upper layer application in plain text by the dynamic programming method.Time delay is caused to compare with needing repeatedly calling hardware engine when traditional eCryptfs enciphering/decipherings data and grade pending datas being needed to write back disk, the pattern context handover overhead of hardware can effectively be reduced and due to the unmatched time delay of IO speed, the application of hardware cryptographic engine is improved, the overall performance of encrypted file system is also improved.

Description

A method of promoting encrypted file system performance using NVM

Technical field

The present invention relates to field of information security technology more particularly to a kind of promoting encrypted file system performance using NVM Method.

Background technology

In recent years, how to protect sensitive data not to be leaked and have become hot issue of people's attention.Invader in addition to Physical storage device directly is stolen, file data can also be usurped by network attack;Moreover, because shared demand, quick Sense data can be accessed by more people, and this also increases the possibilities of leakage.Data or file are encrypted and have become a kind of public affairs The method for relatively successfully protecting data recognized, ensures that content is encrypted be stored among physical equipment, improves file data Storage security.

ECryptfs is a kind of stack encrypted file system (Stackable as enterprise-level encrypted file system Cryptographic File System), this encrypted file system can regard the conversion layer of an encryption/decryption as, and simultaneously A true global function file system, must framework on other generic file system, to its underlying file system The file of system is encrypted.Stack encrypted file system does not have corresponding magnetic disk, does not realize data in physical medium yet The function of upper access.

File system application program reaches VFS, VFS is given to the write request of encryption file through system call layer The processing of eCryptfs file system components after being disposed, then is given to lower layer's physical file system write-in bottom disk;Read request Flow is then on the contrary, file system application program is issued to VFS, VFS calls bottom to the read request of encryption file from upper layer application File system reads the ciphertext data in disk, is transmitted to eCryptfs decryption, returns again to after decryption and read to upper layer request The application program taken.

It is divided into currently based on the file enciphering/deciphering system design of eCryptfs:User application layer, Virtual File System (VFS) layer, eCryptfs layers, file system layer, hardware accelerator layer and disk layer.As shown in Figure 1, for write operation, use Write request is presented a paper to the VFS layers of kernel spacing in family, and data to be written block passes to VFS simultaneously, and VFS passes through interface Call eCryptfs encrypted data chunks, eCryptfs that the CryptoAPI of kernel, CryptoAPI is called to pass through hardware drive program The hardware accelerator for starting lower layer accelerates the data block of encryption write-in, and after the completion of encryption, eCryptfs transmits ciphertext block data To next layer of file system, disk layer is written in ciphertext data by file system, waits for return after the completion of write operation;For reading Operation, user present a paper read requests to the Virtual File System of kernel spacing, and Virtual File System issues read requests To after eCryptfs, eCryptfs reads ciphertext data from the file system of lower layer, then calls the CryptoAPI of kernel, CryptoAPI starts the data block that the hardware accelerator of lower layer accelerates decryption to read by hardware drive program, after the completion of decryption, Clear data after decryption is returned to the application program that upper layer request reads file by eCryptfs by Virtual File System.

The eCryptfs layers of read/write file request that response upper-level virtual file system is submitted upwards, pass downwardly through and file System interaction, the enciphering/deciphering for calling CryptoAPI to complete data are asked, and enciphering/deciphering request is submitted to hardware by CryptoAPI Accelerator carries out corresponding enciphering/deciphering operation, completes digital independent or write-in.The size of eCryptfs processing data is generally Page, i.e. 4KB are carried out when then calling Accelerator every time by the eCryptfs CryptoAPI called as unit of Page Enciphering/deciphering operates, and can all have context handover overhead (Context per 4KB data using hardware accelerator enciphering/deciphering Switch), expense includes:

A) it after kernel submits the enciphering/deciphering of a Page to ask, waits for the enciphering/deciphering of hardware accelerator to operate and completes Afterwards, the enciphering/deciphering process operation of another Page of kernel dispatching, generates a Context Switch;

B) hardware accelerator executes enciphering/deciphering request, and execution generates primary interruption after completing, interrupt processing will produce one Secondary Context Switch.

After eCryptfs layers are completed cryptographic operation, in order to guarantee data security, disk is arrived in storage, can wait until all data (Direct IO) could be returned to after writing back to disk, then each write operation also needs to wait for disk after completing cryptographic operation IO completions could return, and carry out next operation.There are following defects for traditional technical solution:

A) eCryptfs layers of read-write operation is handed down to since needs repeatedly call Accelerator to complete decimal in upper layer It is operated according to the enciphering/deciphering of block (Page) so that produce a large amount of Context Switch during enciphering/deciphering, cannot play The advantage of hardware accelerator causes the utilization rate of hardware accelerator to decline;

B) it after the encryption for completing data, needs to return again to after waiting pending datas to write back disk, increases the time delay of write operation, use File system performance seen in family is poor.

Invention content

In view of this, the present invention provides a kind of method improving file system enciphering/deciphering performance using NVM, solve In eCryptfs ciphering process due to repeatedly calling hardware accelerator caused by a large amount of context handover overhead and because waiting for number The problem of time delay being caused according to disk is write back.

The present invention provides following schemes:

A method of promoting encrypted file system write performance using NVM, it is characterised in that:According to file write request Data block characteristics carry out Dynamic Programming, and the suitable soft calculation of selection or hard method of calculating execute cryptographic operation, then ciphertext are written NVM is cached, and is finally concentrated by background thread the ciphertext data in NVM writing back to disk layer in a manner of asynchronous IO.Wherein NVM Memory headroom is distributed and is managed by the NVM memory management schemes.

A method of promoting encrypted file system reading performance using NVM, it is characterised in that:According to the NVM memories pipe The storage location of the tactful quick search requested data of reason, read-out ciphertext will be by the dynamic programming methods, and it is suitable to select Soft calculation or hard method of calculating execute decryption oprerations, will finally return to upper layer application in plain text.

Further, the Dynamic Programming includes following operation:

A) each write request sent out to topmost paper system application pre-processes, and is determined by being continuously written into request The pattern of file access;

B) data recombination is carried out to the be-encrypted data block of sequence read-write mode, it is big that setting hardware accelerator handles data block Small upper limit ThAnd lower limit Tl, the data block after recombination meet as possible hardware accelerator bound requirement;

C) eCryptfs configuration files are changed so that the data block length that eCryptfs can handle maximum enciphering/deciphering is Th

D) use data structure perdurable data be written when offset and length, ensure digital independent when to be written when Identical size is read, and realizes correct decryption;

E) different size of to be added/block of unencrypted data is dispatched, the data block length after recombination is between TlAnd ThBetween using hard Part accelerator enciphering/deciphering is encrypted if being unsatisfactory for bound and requiring without using hardware accelerator.

Further, the NVM memory management schemes include following operation:

A) spaces chained list management NVM of fixed page size (for example, 4KB) are used;

B) when ciphertext data write-in NVM, free page is matched in linked list head part, and ciphertext data write back to disk freeing of page Afterwards, the recycling page realizes quick distribution/recycling of the NVM pages to chained list tail portion;

C) it is that the file opened establishes radix tree, the offset of file is keyword, and leaf node is directed toward each NVM pages;

D) after read requests issue, whether it already is resident in NVM first with the data of the quick Location Request of radix tree, If, by the quick returned datas of NVM, otherwise continuing the location data in disk if.

Further, the asynchronous IO includes following operation:

A) eCryptfs configuration files are changed, data base and IO stacks are separated, ciphertext data write direct NVM;

B) after all NVM is written in ciphertext data, system returns immediately;

C) eCryptfs initializes asynchronous IO queues, will be submitted to the queue in the ciphertext data set that NVM is written;

D) system creation background thread, background thread write back to the data in asynchronous IO queues in disk.

It can be seen that the present invention provides a kind of method promoting encrypted file system performance using NVM.By using dynamic The enciphering/deciphering operation that planning request upper-layer user's program application issues, to the data block that is encrypted at eCryptf layers into line number According to recombination, the context switch latency for reducing and hardware accelerator being called to generate is realized, the hardware resource of encrypted file system is improved Utilization rate;The present invention realizes the quickly distribution NVM pages and quick search positioning number by using NVM memory management schemes According to block;By using asynchronous I/O mechanism, solve the problems, such as that IO speed mismatches caused I/O latency length;Final realize carries The encryption performance of eCryptfs encrypted file systems is risen, and then improves the overall performance of encrypted file system.

Description of the drawings

File enciphering/deciphering system framework figures of the Fig. 1 based on eCryptfs

Fig. 2 is Dynamic Programming streams of the EXT4 of the embodiment of the present invention to the upper layer File System file read-write requests applied Journey

Fig. 3 is schematic diagram of the present invention to request sequence data recombination

Fig. 4 is the structure of NVM Memory Managements

Fig. 5 is the function call flow that asynchronous IO is realized when upper layer of the present invention sends out write request

Specific implementation method

It is clearer to make those skilled in the art understand the object, technical solutions and advantages of the present invention, below will Embodiment of the present invention is further described in conjunction with the accompanying drawings and embodiments, which is not constituted to the embodiment of the present invention It limits.

Embodiment:

The present invention provides a kind of methods promoting encrypted file system readwrite performance using NVM.This method has general Property, it can build on different file system, while also supporting the software cryptography library of current main-stream.

Below on EXT4 file system, to be using AES encryption algorithm and QAT hardware accelerator encrypted file datas Example is described in further detail the enciphering/deciphering performance that file system is improved using NVM of the present invention.

Hereinafter, by taking the write operation and read operation of EXT4 encrypted file systems as an example, how analysis NVM, which promotes EXT4, adds The readwrite performance of close file system.

First, Dynamic Programming is carried out to the write request that upper layer application issues.As shown in Fig. 2, upper layer application is under VFS layers The write request of hair is pre-processed, and according to request identification access module is continuously written into, it is sequential write mould to tell the request Formula or random WriteMode, the data block of random write are directly issued to request scheduling program and are handled, when recognizing under upper layer When the sequence write request of hair, according to the data block length threshold value of setting, data are recombinated, all data after recombination Block length is both less than upper limit Th;Data block after recombination is issued to the processing of request scheduling program, and request scheduling program receives upper layer The different size of data block issued is less than lower limit T according to data block lengthlThe AES-NI that consigns to be encrypted, data block Length is between TlWith ThBetween consign to the encrypted principles of QAT, classification encryption is carried out to data block.Below to data recombination Process is described in detail:

Such as Fig. 3, the I/O Request sequence of publication is (1,1) R1, R2 (2,1), R3 (3,1), R4 (4,1), R5 (5,1), R6 (6, 1), (10,1) R7, R8 (15,1), R9 (20,11), the data of the digital representation write-in in bracket there are in NVM position and should The size of data block.Wherein R1-R6 is sequence WriteMode, and R7-R9 is random WriteMode;In this example, encrypted data chunk The upper limit is arranged to 4 data blocks, therefore the polymerizable encryption unit EU1 of R1-R4;And R7-R9 is due to being random WriteMode, Data aggregate is cannot be used for, therefore the request R5-R6 of sequence WriteMode can only polymerize as another encryption unit EU2;R7 and R8 Due to that cannot polymerize, the two encryption units of EU3 and EU4 are respectively enterd;11 data blocks are written in R9 altogether, are split into three Contain 4 data blocks in encryption unit EU5, EU6 and EU7, EU5 and EU6, contains 3 data blocks in EU7.

As shown in figure 4, after Dynamic Programming write request and recombination data, it is following that write operation will continue to triggering Behavior:

A) NVM distributes free page p from idle chained list;

B) page p is written in ciphertext, and p is inserted into the NVM cachings of inode;

C) it after the content in p is asynchronously write back disk in background thread, discharges p and is placed back into NVM free time chained lists Chained list tail portion.

Wherein NVM distribution free page is realized by NVM management strategies, by using fixed page size (for example, 4KB) The pointer for being directed toward next page is stored in current page by chained list to manage NVM memory headrooms, and to realize, quickly distribution is empty The not busy page and freeing of page.

Wherein the specific implementation that underlying file systems are write back in ciphertext data set is included by the asynchronous IO of background thread:

As shown in figure 5, upper layer application by function call VFS layers of write () _ vfs_write () function is each to obtain The write functions file- of a file system>f_op->Write (), by calling in eCryptfs in file system Ecryptfs_new_write () function realizes the cryptographic operation of file;Meanwhile ecryptfs_init_async_ctx () letter Number can initialize an ecryptfs_async_ctx structure, utilize ctx->Ecryptfs_async_wq=create_ Singlethread_workqueue () function initializes an asynchronous IO queue;In ecryptfs_new_write () function Ecryptfs_submit_async_io () realize submit data to asynchronous IO queues in, ecryptfs_async_io_ Routine () function enters the normal procedure of asynchronous IO, and ecryptfs_write_lower () is realized will be under the write-in of ciphertext data The operation of layer file system, is finally reached background thread by the asynchronous purpose for writing back to disk of ciphertext data.

Secondly, the encryption file read request for quickly returning to upper layer and issuing, method are realized using NVM memory management schemes It is to establish the index that radix tree caches as NVM for the file of each opening, the keyword of node is set as the offset of this document, Whether each leaf node is directed toward the page of NVM, can be with the page that quick search is asked in NVM, if quick by NVM Ground returns to the data of request, if not existing, reading ciphertext data return to upper layer application immediately in disk;It is correct in order to realize Decryption, the ciphertext data of request after Dynamic Programming, with write-in when data block size it is identical;Finally by request scheduling journey Sequence is less than lower limit T according to data block lengthlThe AES-NI that consigns to be encrypted, data block length is between TlWith ThBetween friendship The encrypted principles of QAT are paid, suitable algorithm is selected to carry out classification decryption to data block, the plaintext after decryption returns to upper layer and asks Ask the application of data.

The present invention has significant performance boost under four kinds of different read-write modes:

A) 23.76 times of sequence read operation improving performance;

B) random 6.17 times of read operation improving performance;

C) 18.55 times of sequence write operation improving performance;

D) 4.87 times of random writing operations improving performance.

Based on described above, the present invention is asked by using Dynamic Programming, realizes reduction and hardware accelerator is called to generate Context switch latency, improve the hardware resource utilization of encrypted file system;The present invention is by using NVM memory management plans Slightly, quickly the distribution NVM pages and quick search location data block are realized;By using asynchronous I/O mechanism, solves IO speed The problem of I/O latency length caused by degree mismatches;It is final to realize the encryption performance for promoting eCryptfs encrypted file systems, And then improve the overall performance of encrypted file system.

Embodiment described above is not intended to limit the invention, all any modifications within the principle of the present invention, made, Equivalent replacement, improvement etc., should be included in the scope of protection of the invention.

Claims (5)

1. a kind of method promoting encrypted file system write performance using NVM, which is characterized in that according to the number of file write request Dynamic Programming is carried out according to block feature, the suitable soft calculation of selection or hard method of calculating execute cryptographic operation, NVM then are written in ciphertext Caching is finally concentrated by background thread the ciphertext data in NVM writing back to disk layer in a manner of asynchronous IO.In wherein NVM Space is deposited to be distributed and managed by the NVM memory management schemes.
2. a kind of method promoting encrypted file system reading performance using NVM, which is characterized in that according to the NVM memory managements The storage location of tactful quick search requested data, read-out ciphertext will be by the dynamic programming methods, and it is suitable to select Soft calculation or hard method of calculating execute decryption oprerations, will finally return to upper layer application in plain text.
3. a kind of method for implementing the Dynamic Programming described in claim 1,2, characterized in that including following operation:
A) each write request sent out to topmost paper system application pre-processes, and file is determined by being continuously written into request The pattern of access;
B) data recombination is carried out to the be-encrypted data block of sequence read-write mode, setting hardware accelerator is handled on data block size Limit ThAnd lower limit Tl, the data block after recombination meet as possible hardware accelerator bound requirement;
C) eCryptfs configuration files are changed so that the data block length that eCryptfs can handle maximum enciphering/deciphering is Th
D) use data structure perdurable data be written when offset and length, ensure digital independent when to be written when it is identical Size read, realize correct decryption;
E) different size of to be added/block of unencrypted data is dispatched, the data block length after recombination is between TlAnd ThBetween added using hardware Fast device enciphering/deciphering is encrypted if being unsatisfactory for bound and requiring without using hardware accelerator.
4. a kind of method for implementing the NVM memory management schemes described in claim 1,2, characterized in that including following operation:
A) spaces chained list management NVM of fixed page size (for example, 4KB) are used;
B) when ciphertext data write-in NVM, free page is matched in linked list head part, after ciphertext data write back to disk freeing of page, returns The page is received to chained list tail portion, realizes quick distribution/recycling of the NVM pages;
C) it is that the file opened establishes radix tree, the offset of file is keyword, and leaf node is directed toward each NVM pages;
D) after read requests issue, whether it already is resident in NVM first with the data of the quick Location Request of radix tree, if Then by the quick returned datas of NVM, otherwise continue the location data in disk.
5. a kind of method for implementing asynchronous IO described in claim 1, characterized in that including following operation:
A) eCryptfs configuration files are changed, data base and IO stacks are separated, ciphertext data write direct NVM;
B) after all NVM is written in ciphertext data, system returns immediately;
C) eCryptfs initializes asynchronous IO queues, will be submitted to the queue in the ciphertext data set that NVM is written;
D) system creation background thread, background thread write back to the data in asynchronous IO queues in disk.
CN201810296629.3A 2018-04-03 2018-04-03 A method of promoting encrypted file system performance using NVM CN108509613A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810296629.3A CN108509613A (en) 2018-04-03 2018-04-03 A method of promoting encrypted file system performance using NVM

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810296629.3A CN108509613A (en) 2018-04-03 2018-04-03 A method of promoting encrypted file system performance using NVM

Publications (1)

Publication Number Publication Date
CN108509613A true CN108509613A (en) 2018-09-07

Family

ID=63380322

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810296629.3A CN108509613A (en) 2018-04-03 2018-04-03 A method of promoting encrypted file system performance using NVM

Country Status (1)

Country Link
CN (1) CN108509613A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1960372A (en) * 2006-11-09 2007-05-09 华中科技大学 Encrypting read / write method in use for NAS storage system
CN101803327A (en) * 2007-07-27 2010-08-11 国际商业机器公司 Transparent aware data transformation at file system level
CN102722449A (en) * 2012-05-24 2012-10-10 中国科学院计算技术研究所 Key-Value local storage method and system based on solid state disk (SSD)
CN103412794A (en) * 2013-08-08 2013-11-27 南京邮电大学 Dynamic dispatching distribution method for stream computing
CN106201349A (en) * 2015-12-31 2016-12-07 华为技术有限公司 A kind of method and apparatus processing read/write requests in physical host

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1960372A (en) * 2006-11-09 2007-05-09 华中科技大学 Encrypting read / write method in use for NAS storage system
CN101803327A (en) * 2007-07-27 2010-08-11 国际商业机器公司 Transparent aware data transformation at file system level
CN102722449A (en) * 2012-05-24 2012-10-10 中国科学院计算技术研究所 Key-Value local storage method and system based on solid state disk (SSD)
CN103412794A (en) * 2013-08-08 2013-11-27 南京邮电大学 Dynamic dispatching distribution method for stream computing
CN106201349A (en) * 2015-12-31 2016-12-07 华为技术有限公司 A kind of method and apparatus processing read/write requests in physical host

Similar Documents

Publication Publication Date Title
KR101880075B1 (en) Deduplication-based data security
Xu et al. Performance analysis of NVMe SSDs and their implication on real world databases
US9141558B2 (en) Secure memory control parameters in table look aside buffer data fields and support memory array
CN102156665B (en) Differential serving method for virtual system competition resources
CN104636181B (en) For migrating the method and system of virtual machine
US8325372B2 (en) Parallel printing system
Xie et al. Three-dimensional integrated circuit design
KR20160022248A (en) Data access apparatus and operating method thereof
Patterson et al. Informed prefetching and caching
US20190138221A1 (en) Method and Apparatus for SSD Storage Access
CN101819541B (en) Managing terminal
CN1517885B (en) Method and system for updating central cache by atomicity
CN103842976B (en) There is protected mode with the I/O Memory Management Unit preventing I/O device from carrying out memory access
CN100555247C (en) Justice at multinuclear/multiline procedure processor high speed buffer memory is shared
US6378071B1 (en) File access system for efficiently accessing a file having encrypted data within a storage device
US5548724A (en) File server system and file access control method of the same
US6612486B2 (en) Smart card managing system
KR100543887B1 (en) Piplined memory controller
US8001390B2 (en) Methods and apparatus for secure programming and storage of data using a multiprocessor in a trusted mode
US7757232B2 (en) Method and apparatus for implementing work request lists
CN105378642A (en) System and method for high performance and low cost flash translation layer
CA1266531A (en) Method to control i/o accesses in a multi-tasking virtual memory virtual machine type data processing system
US7293173B2 (en) Methods and systems for protecting information in paging operating systems
CN102708067B (en) Combining memory pages having identical content
KR20120092930A (en) Distributed memory cluster control apparatus and method using map reduce

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination