CN109710373B - Method and device for realizing memory and external memory exchange function and security processor

Publication number
CN109710373B
CN109710373B CN201811401809.XA CN201811401809A CN109710373B CN 109710373 B CN109710373 B CN 109710373B CN 201811401809 A CN201811401809 A CN 201811401809A CN 109710373 B CN109710373 B CN 109710373B
Authority
CN
China
Legal status
Active
Application number
CN201811401809.XA
Other languages
Chinese (zh)
Other versions
CN109710373A (en)
Inventor
刘子行
应志伟
杜朝晖
Current Assignee
Haiguang Information Technology Co Ltd
Original Assignee
Haiguang Information Technology Co Ltd
Abstract

The invention provides a method and a device for implementing the swap function between memory and external memory, and a security processor, which can improve memory utilization and enhance the ability of Linux to handle sudden large-scale memory requests. The method comprises: when a page swap-out is performed on a first memory page of the memory, executing processing that includes: parsing a first plaintext from first content stored in ciphertext form in the first memory page, encrypting the first plaintext to obtain a first ciphertext, and storing the first ciphertext in an external memory as second content; and when a page swap-in is performed for the second content in the external memory, executing processing that includes: decrypting the second content to obtain a second plaintext, allocating a second memory page of the memory to the second content, obfuscating the second plaintext with the address of the second memory page to obtain an obfuscated result, encrypting the obfuscated result to obtain a second ciphertext, and storing the second ciphertext in the second memory page.

Description

Method and device for realizing memory and external memory exchange function and security processor
Technical Field
The invention relates to the technical field of virtualization, in particular to a method and a device for realizing the exchange function of a memory and an external memory and a security processor.
Background
Linux is an operating system, and is also the operating system used by the hypervisor that hosts virtual machines in virtualization technology. The exchange function between Linux memory and external memory, also called swap, means that when the memory available to Linux is insufficient, part of the memory that has not been used for a long time is stored in the external memory so that this part of the memory can be released. When the memory content stored in the external memory needs to be used, Linux allocates a new page and copies the content back from the external memory.
The inventors found in their research that, in virtualization technology, the ciphertext produced by physical-memory encryption depends on the physical memory address. When such a ciphertext is swapped out to the external memory and later swapped in, it is decrypted using the newly allocated physical memory address, which differs from the physical memory address at which the ciphertext was originally stored. Decryption therefore fails, that is, the swap function cannot be realized in the virtualization technology. When memory across the whole Linux system is under pressure, memory contents that have not been used for a long time still occupy memory space, which inevitably reduces memory utilization and weakens the ability of Linux to handle sudden large-scale memory requests.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for implementing a swap function, and a secure processor, so as to improve the utilization efficiency of a memory and enhance the capability of Linux to process a large-scale sudden memory request.
In a first aspect, an embodiment of the present invention provides a method for implementing a swap function, where the method includes:
when a page swap-out is performed on a first memory page of the memory, executing processing that includes: parsing a first plaintext from first content stored in ciphertext form in the first memory page, encrypting the first plaintext to obtain a first ciphertext, and storing the first ciphertext in the external memory as second content; and
when a page swap-in is performed for the second content in the external memory, executing processing that includes: decrypting the second content to obtain a second plaintext, allocating a second memory page of the memory to the second content, obfuscating the second plaintext with the address of the second memory page to obtain an obfuscated result, encrypting the obfuscated result to obtain a second ciphertext, and storing the second ciphertext in the second memory page.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation manner of the first aspect, where the parsing a first plaintext from a first content of the first memory page stored in a ciphertext form includes:
judging whether the first content is a ciphertext;
if the first content is a ciphertext, parsing a first plaintext from the first content;
wherein the decrypting the second content to obtain a second plaintext includes:
judging whether the second content is a ciphertext, and if the second content is a ciphertext, decrypting the second content to obtain a second plaintext.
With reference to the first possible implementation manner of the first aspect, an embodiment of the present invention provides a second possible implementation manner of the first aspect, where the determining whether the first content is a ciphertext includes:
acquiring the value of the n1 th bit of a page table entry corresponding to the first memory page in the nested page table;
if the value of the n1 th bit of the page table entry corresponding to the first memory page is judged to be a first numerical value, determining that the first content is a ciphertext, otherwise, determining that the first content is not the ciphertext;
wherein, after the storing the first ciphertext in the external memory as the second content, comprising:
setting the value of the n2 th bit of the page table entry corresponding to the first memory page as a second numerical value, wherein n1 and n2 are integers, n1 is greater than or equal to 52 and is less than or equal to 62, and n2 is greater than or equal to 52 and is less than or equal to 62.
With reference to the second possible implementation manner of the first aspect, an embodiment of the present invention provides a third possible implementation manner of the first aspect, where the determining whether the second content is a ciphertext includes:
obtaining a value of an n2 bit of a page table entry corresponding to the first memory page, judging whether the value of the n2 bit of the page table entry corresponding to the first memory page is the second numerical value, if the value of the n2 bit of the page table entry corresponding to the first memory page is the second numerical value, determining that the second content is a ciphertext, otherwise, determining that the second content is not the ciphertext;
after the storing the second ciphertext in the second memory page, the method further includes:
setting the value of the n1 th bit of the page table entry corresponding to the second memory page in the nested page table to be the first numerical value.
With reference to the first possible implementation manner of the first aspect, an embodiment of the present invention provides a fourth possible implementation manner of the first aspect, where if the first content is a ciphertext, parsing a first plaintext from the first content further includes:
storing the first content in the external memory if the first content is not a ciphertext;
wherein, if the second content is a ciphertext, decrypting the second content to obtain a second plaintext, further comprising:
if the second content is not a ciphertext, allocating a third memory page of the memory to the second content, storing the second content in the third memory page, and setting a value of an n1 bit of a page table entry corresponding to the third memory page in the nested page table to be a third numerical value.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation manner of the first aspect, where the parsing a first plaintext from a first content of the first memory page, where the first content is stored in a ciphertext form, and encrypting the first plaintext to obtain a first ciphertext includes:
analyzing a first plaintext from the first content by using a first encryption key, and encrypting the first plaintext by using a second encryption key to obtain a first ciphertext;
wherein the decrypting the second content to obtain a second plaintext includes:
decrypting the second content by using the second encryption key to obtain a second plaintext;
the encrypting the obfuscated result to obtain a second ciphertext includes:
encrypting the obfuscated result by using the first encryption key to obtain a second ciphertext.
With reference to the second possible implementation manner of the first aspect, an embodiment of the present invention provides a sixth possible implementation manner of the first aspect, where before parsing a first plaintext from a first content of the first memory page, which is stored in a ciphertext form, the method further includes:
after the first memory page is allocated, judging whether the first memory page needs to be encrypted;
if the first memory page needs to be encrypted, setting the value of the n1 th bit of the page table entry corresponding to the first memory page in the nested page table as the first numerical value, otherwise, setting the value of the n1 th bit of the page table entry corresponding to the first memory page in the nested page table as a third numerical value;
wherein, after the allocating the second memory page of the memory to the second content, the method further comprises:
judging whether the second memory page needs to be encrypted or not;
if the second memory page needs to be encrypted, setting the value of the n1 th bit of the page table entry corresponding to the second memory page in the nested page table as the first numerical value, otherwise, setting the value of the n1 th bit of the page table entry corresponding to the second memory page in the nested page table as the third numerical value.
In a second aspect, an embodiment of the present invention further provides a device for implementing a swap function, where the device includes:
a swap-out unit, configured to execute, when performing page swap-out for a first memory page of the memory, processing that includes: analyzing a first plaintext from first content stored in a ciphertext form of the first memory page, encrypting the first plaintext to obtain a first ciphertext, and storing the first ciphertext in the external memory as second content; and
a swap-in unit configured to, when page swap-in is performed for the second content in the external memory, execute processing including: decrypting the second content to obtain a second plaintext, allocating a second memory page of the memory to the second content, obfuscating the second plaintext and the address of the second memory page to obtain an obfuscated result, encrypting the obfuscated result to obtain a second ciphertext, and storing the second ciphertext in the second memory page.
With reference to the second aspect, an embodiment of the present invention provides a first possible implementation manner of the second aspect, where the swap-out unit includes:
a judging subunit, configured to judge whether the first content is a ciphertext;
a parsing subunit, configured to parse a first plaintext from the first content if the judging subunit determines that the first content is a ciphertext;
wherein the swap-in unit comprises:
a decryption subunit, configured to judge whether the second content is a ciphertext, and if the second content is a ciphertext, decrypt the second content to obtain a second plaintext.
With reference to the first possible implementation manner of the second aspect, an embodiment of the present invention provides a second possible implementation manner of the second aspect, where the determining subunit is specifically configured to:
acquiring the value of the n1 th bit of a page table entry corresponding to the first memory page in the nested page table;
if the value of the n1 th bit of the page table entry corresponding to the first memory page is judged to be a first numerical value, determining that the first content is a ciphertext, otherwise, determining that the first content is not the ciphertext;
wherein the swap-out unit is further configured to:
after the first ciphertext is stored in the external storage as second content, setting the value of the n2 th bit of the page table entry corresponding to the first memory page as a second numerical value, wherein n1 and n2 are integers, and 52 ≦ n1 ≦ 62, and 52 ≦ n2 ≦ 62.
With reference to the second possible implementation manner of the second aspect, an embodiment of the present invention provides a third possible implementation manner of the second aspect, where the decryption subunit is specifically configured to:
obtaining a value of an n2 bit of a page table entry corresponding to the first memory page, judging whether the value of the n2 bit of the page table entry corresponding to the first memory page is the second numerical value, if the value of the n2 bit of the page table entry corresponding to the first memory page is the second numerical value, determining that the second content is a ciphertext, otherwise, determining that the second content is not the ciphertext;
wherein the swap-in unit is further configured to:
after the second ciphertext is stored in the second memory page, setting the value of the n1 th bit of the page table entry corresponding to the second memory page in the nested page table to be the first numerical value.
With reference to the first possible implementation manner of the second aspect, an embodiment of the present invention provides a fourth possible implementation manner of the second aspect, where the parsing subunit is further configured to:
storing the first content in the external memory if the first content is not a ciphertext;
wherein the decryption subunit is further configured to:
if the second content is not a ciphertext, allocating a third memory page of the memory to the second content, storing the second content in the third memory page, and setting a value of an n1 bit of a page table entry corresponding to the third memory page in the nested page table to be a third numerical value.
With reference to the second aspect, an embodiment of the present invention provides a fifth possible implementation manner of the second aspect, where the swap-out unit is specifically configured to:
analyzing a first plaintext from the first content by using a first encryption key, and encrypting the first plaintext by using a second encryption key to obtain a first ciphertext;
wherein, the swap-in unit is specifically configured to:
decrypting the second content by using the second encryption key to obtain a second plaintext, and encrypting the obfuscated result by using the first encryption key to obtain a second ciphertext.
With reference to the second possible implementation manner of the second aspect, an embodiment of the present invention provides a sixth possible implementation manner of the second aspect, where the apparatus further includes:
a first judging unit, configured to judge, before the swap-out unit operates and after the first memory page is allocated, whether the first memory page needs to be encrypted;
a first setting unit, configured to set the value of the n1 th bit of the page table entry corresponding to the first memory page in the nested page table as the first numerical value if the first judging unit determines that the first memory page needs to be encrypted, and otherwise set the value of the n1 th bit of the page table entry corresponding to the first memory page in the nested page table as a third numerical value;
a second judging unit, configured to judge whether a second memory page needs to be encrypted after the swap-in unit allocates the second memory page;
a second setting unit, configured to set the value of the n1 th bit of the page table entry corresponding to the second memory page in the nested page table as the first numerical value if the second judging unit determines that the second memory page needs to be encrypted, and otherwise set the value of the n1 th bit of the page table entry corresponding to the second memory page in the nested page table as the third numerical value.
In a third aspect, an embodiment of the present invention further provides a secure processor, including:
a receiving unit and a processing unit; wherein,
the receiving unit is used for receiving a first command and a second command sent by an operating system;
the processing unit is configured to, when the receiving unit receives the first command, execute the processing performed at page swap-out for the first memory page of the memory according to the first aspect and the various possible embodiments of the first aspect, or, when the receiving unit receives the second command, execute the processing performed at page swap-in for the second content in the external memory according to the first aspect and the various possible embodiments of the first aspect.
According to the method and the device for realizing the swap function and the security processor provided by the embodiments of the invention, the first ciphertext swapped out to the external memory during page swap-out is generated by directly encrypting the first plaintext parsed from the first content and is independent of the address of the first memory page, so that when page swap-in is performed for the first ciphertext, the first ciphertext is directly decrypted to obtain the corresponding plaintext.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 shows a flowchart of a method for implementing a swap function according to an embodiment of the present invention;
Fig. 2 shows a flowchart of another method for implementing a swap function according to an embodiment of the present invention;
Fig. 3 shows a partial flowchart of another method for implementing a swap function according to an embodiment of the present invention;
Fig. 4 shows a partial flowchart of another method for implementing a swap function according to an embodiment of the present invention;
Fig. 5 shows a schematic structural diagram of an apparatus for implementing a swap function according to an embodiment of the present invention;
Fig. 6 shows a schematic structural diagram of another apparatus for implementing a swap function according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of another apparatus for implementing a swap function according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram illustrating a secure processor according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
In view of the fact that the prior art cannot implement a swap function in a virtualization technology, embodiments of the present invention provide a method and an apparatus for implementing a swap function, and a secure processor, and are described below with reference to embodiments.
First, it should be noted that the embodiment of the present invention is applied to a scenario that needs to implement a swap function in a virtualization technology.
Example 1
Referring to fig. 1, the invention discloses a method for implementing swap function, comprising:
S10, when a page swap-out is performed for a first memory page of the memory, executing processing that includes: parsing a first plaintext from first content stored in ciphertext form in the first memory page, encrypting the first plaintext to obtain a first ciphertext, and storing the first ciphertext in the external memory as second content; and
In this embodiment, it can be understood that the first content swapped out in step S10 is a ciphertext and is related to the physical address of the first memory page. When the first content is swapped out, the first plaintext needs to be parsed from the first content; after the first plaintext is parsed, in order to prevent it from being stolen, the first plaintext needs to be encrypted, and the first ciphertext obtained by this encryption is stored in the external memory. After the first ciphertext is stored in the external memory, the first memory page is released.
S11, when a page swap-in is performed for the second content in the external memory, executing processing that includes: decrypting the second content to obtain a second plaintext, allocating a second memory page of the memory to the second content, obfuscating the second plaintext with the address of the second memory page to obtain an obfuscated result, encrypting the obfuscated result to obtain a second ciphertext, and storing the second ciphertext in the second memory page.
In this embodiment, it can be understood that the second content for which page swap-in is performed in step S11 is a ciphertext and is not related to the physical address of a memory page. When the second content is swapped in, it needs to be decrypted to obtain a second plaintext; a second memory page is then allocated for the second plaintext, and the second plaintext is encrypted according to the physical-memory encryption mode of the virtualization technology to obtain a second ciphertext. Because what is stored in the second memory page is a ciphertext, it can be prevented from being stolen.
In the method for implementing the swap function provided by the embodiment of the invention, the first ciphertext swapped out to the external memory during page swap-out is generated by directly encrypting the first plaintext parsed from the first content and is independent of the address of the first memory page, so that when page swap-in is performed for the first ciphertext, the first ciphertext is directly decrypted to obtain the corresponding plaintext.
Example 2
Fig. 2 is a flowchart illustrating another method for implementing a swap function according to an embodiment of the present invention, where, referring to fig. 2, on the basis of embodiment 1, the parsing a first plaintext from a first content of the first memory page stored in a ciphertext form may include:
S20, judging whether the first content is a ciphertext;
S21, if the first content is a ciphertext, parsing a first plaintext from the first content;
the decrypting the second content to obtain a second plaintext may include:
S23, judging whether the second content is a ciphertext, and if the second content is a ciphertext, decrypting the second content to obtain a second plaintext.
The steps S22 and S24 in fig. 2 correspond to those in embodiment 1, and are not described here again.
In this embodiment, it can be understood that, when performing swap-out and swap-in of a memory page, it is required to first determine whether the contents swapped out and swapped in of the memory page are ciphertexts, and when the contents swapped out and swapped in of the memory page are ciphertexts, the process is performed according to the corresponding process in embodiment 2.
Example 3
On the basis of embodiment 2, the determining whether the first content is a ciphertext may include:
acquiring the value of the n1 th bit of the Page Table Entry (PTE) corresponding to the first memory page in the Nested Page Table (NPT);
if the value of the n1 th bit of the page table entry corresponding to the first memory page is judged to be a first numerical value, determining that the first content is a ciphertext, otherwise, determining that the first content is not the ciphertext;
wherein, after the storing the first ciphertext in the external memory as the second content, comprising:
setting the value of the n2 th bit of the PTE corresponding to the first memory page as a second numerical value, wherein n1 and n2 are integers, n1 is greater than or equal to 52 and is less than or equal to 62, and n2 is greater than or equal to 52 and is less than or equal to 62.
In this embodiment, whether the first content is a ciphertext may be determined from the value of the n1 th bit of the PTE, in the NPT, corresponding to the first memory page in which the first content is stored. The n1 th bit is a bit (for example, the 62nd bit) between the 52nd bit and the 62nd bit of the PTE, and is used to identify whether the corresponding first content is a ciphertext. Specifically, the first numerical value may be set in advance to represent a ciphertext. To determine whether the first content is a ciphertext, it is only necessary to obtain the value of the n1 th bit corresponding to the first content and check whether it is the first numerical value. When the value of the n1 th bit is the first numerical value, the first content is a ciphertext; otherwise, the first content is not a ciphertext. The first numerical value may be set as desired (e.g., set to 1), and will not be described further herein.
The n2 th bit of the PTE is a bit (for example, the 61st bit) between the 52nd bit and the 62nd bit of the PTE. It and the n1 th bit each occupy one bit. The n2 th bit is used to identify whether the content swapped out from the first memory page to the external memory is encrypted; when it takes the second numerical value, the content is encrypted. The second numerical value may be set as desired (e.g., set to 1), and will not be described further herein.
In this embodiment, whether the corresponding first content is a ciphertext is determined from the value of the n1 th bit of the PTE, so that the efficiency of the determination can be ensured.
Example 4
On the basis of embodiment 3, the determining whether the second content is a ciphertext may include:
obtaining a value of an n2 bit of a page table entry corresponding to the first memory page, judging whether the value of the n2 bit of the page table entry corresponding to the first memory page is the second numerical value, if the value of the n2 bit of the page table entry corresponding to the first memory page is the second numerical value, determining that the second content is a ciphertext, otherwise, determining that the second content is not the ciphertext;
after the storing the second ciphertext in the second memory page, the method may further include:
setting the value of the n1 th bit of the PTE corresponding to the second memory page in the NPT as the first numerical value.
In this embodiment, the value of the n2 th bit of the page table entry corresponding to the first memory page is used to identify whether the content of the first memory page swapped out to the external memory is encrypted. The content of the first memory page swapped out to the external memory is the second content, so whether the second content is a ciphertext may be determined from the value of the n2 th bit of the page table entry corresponding to the first memory page. When the value of the n2 th bit of the page table entry corresponding to the first memory page is the second numerical value, the second content is a ciphertext. After the second content is swapped into the second memory page, the value of the n1 th bit of the PTE corresponding to the second memory page in the NPT needs to be set to the first numerical value, so that when the second memory page is later swapped out, whether its content is encrypted can be determined quickly, which improves the page swap-out efficiency of the second memory page.
Example 5
On the basis of embodiment 2, if the first content is a ciphertext, parsing a first plaintext from the first content may further include:
storing the first content in the external memory if the first content is not a ciphertext;
wherein, if the second content is a ciphertext, decrypting the second content to obtain a second plaintext, which may further include:
if the second content is not a ciphertext, allocating a third memory page of the memory for the second content, storing the second content in the third memory page, and setting the value of the n1 th bit of the PTE corresponding to the third memory page in the NPT to be a third numerical value.
In this embodiment, when the first content is not the ciphertext, in order to ensure that the first content can be acquired by other objects, the first content cannot be encrypted at this time, but is directly stored in the external memory. Similarly, when the second content is not the ciphertext, for the same reason, the second content needs to be directly stored in the third memory page, and cannot be encrypted.
Example 6
On the basis of embodiment 1, parsing a first plaintext from a first content of the first memory page stored in a ciphertext form, and encrypting the first plaintext to obtain a first ciphertext may include:
parsing a first plaintext from the first content by using a first encryption key, and encrypting the first plaintext by using a second encryption key to obtain a first ciphertext;
the decrypting the second content to obtain a second plaintext may include:
decrypting the second content by using the second encryption key to obtain a second plaintext;
the encrypting the obfuscated result to obtain a second ciphertext may include:
encrypting the obfuscated result by using the first encryption key to obtain a second ciphertext.
In this embodiment, it should be noted that the first encryption key is an encryption key related to the physical address of the memory, and the first plaintext can be parsed with the first encryption key from the first content, which incorporates the physical address of the first memory page. The second encryption key is an encryption key unrelated to the physical address of the memory, so the first ciphertext obtained by encrypting the first plaintext with the second encryption key does not contain the physical address of the memory. The first encryption key and the second encryption key may be chosen as needed (for example, a virtual machine encryption key as the first encryption key and a data encryption algorithm encryption key as the second encryption key), which is not described further here.
Example 7
Fig. 3 and fig. 4 show a flowchart of another method for implementing a swap function according to an embodiment of the present invention, and referring to fig. 3 and fig. 4, on the basis of embodiment 3, before parsing a first plaintext from a first content of the first memory page stored in a ciphertext form, the method may further include:
S30, after the first memory page is allocated, judging whether the first memory page needs to be encrypted;
S31, if the first memory page needs to be encrypted, setting the value of the n1-th bit of the PTE corresponding to the first memory page in the NPT to the first numerical value; otherwise, executing step S32;
S32, setting the value of the n1-th bit of the PTE corresponding to the first memory page in the NPT to a third numerical value;
after the allocating the second memory page of the memory to the second content, the method may further include:
S38, judging whether the second memory page needs to be encrypted;
S39, if the second memory page needs to be encrypted, setting the value of the n1-th bit of the PTE corresponding to the second memory page in the NPT to the first numerical value; otherwise, executing step S310;
S310, setting the value of the n1-th bit of the PTE corresponding to the second memory page in the NPT to the third numerical value.
In this embodiment, steps S33 to S37 and step S311 are the same as those in embodiment 3 and are not repeated here. It can be understood that each time a memory page is allocated, the value of the n1-th bit of the PTE corresponding to the memory page needs to be set according to whether the memory page needs to be encrypted, so that a later page swap-out can identify whether the content stored in the memory page is encrypted: when the memory page needs to be encrypted, the n1-th bit of the corresponding PTE is set to the first numerical value; otherwise it is set to the third numerical value. Whether a memory page needs to be encrypted can be determined from the 47th bit of the physical address of the memory page, which is not described further here. The third numerical value may be set as needed to a value different from the first numerical value. In addition, the n1-th bit of the PTE may be set by sending the hypervisor a message carrying the value of the n1-th bit, whereupon the hypervisor sets the bit according to the message.
Example 8
Referring to fig. 5, the present invention discloses an apparatus for implementing the exchange function between the internal memory and the external memory, including:
a swap-out unit 50, configured to, when performing page swap-out on a first memory page of the memory, perform processing that includes: parsing a first plaintext from first content of the first memory page stored in ciphertext form, encrypting the first plaintext to obtain a first ciphertext, and storing the first ciphertext in the external memory as second content; and
In this embodiment, it can be understood that the first content on which the swap-out unit 50 performs page swap-out is a ciphertext and is related to the physical address of the first memory page. When the first content is swapped out, the first plaintext needs to be parsed from the first content; once the first plaintext has been parsed, it needs to be encrypted to prevent it from being stolen, and the first ciphertext obtained by that encryption is stored in the external memory. After the first ciphertext is stored in the external memory, the first memory page is released.
a swap-in unit 51, configured to, when performing page swap-in for the second content in the external memory, execute processing including: decrypting the second content to obtain a second plaintext, allocating a second memory page of the memory to the second content, obfuscating the second plaintext and the address of the second memory page to obtain an obfuscated result, encrypting the obfuscated result to obtain a second ciphertext, and storing the second ciphertext in the second memory page.
In this embodiment, it can be understood that the second content on which the swap-in unit 51 performs page swap-in is a ciphertext and is not related to the physical address of any memory page. When the second content is swapped in, it needs to be decrypted to obtain a second plaintext; a second memory page is then allocated for the second plaintext, and the second plaintext is encrypted according to the physical-memory encryption mode of the virtualization technology to obtain a second ciphertext. Because what is stored is the second ciphertext, the content is protected against theft.
According to the device for realizing the swap function provided by the embodiment of the invention, the first ciphertext swapped out to the external memory during page swap-out is generated by directly encrypting the first plaintext parsed from the first content and is unrelated to the address of the first memory page, so that when page swap-in is performed on the first ciphertext, the first ciphertext can be decrypted directly to obtain the corresponding plaintext.
Example 9
Fig. 6 is a flowchart illustrating another apparatus for implementing a swap function according to an embodiment of the present invention, and referring to fig. 6, the swap-out unit 50 may include:
a judging subunit 60, configured to judge whether the first content is a ciphertext;
a parsing subunit 61, configured to parse a first plaintext from the first content if the judging subunit 60 determines that the first content is a ciphertext;
the swap-in unit 51 may include:
a decryption subunit 62, configured to determine whether the second content is a ciphertext, and if the second content is the ciphertext, decrypt the second content to obtain a second plaintext.
In this embodiment, it can be understood that, when a memory page is swapped out or swapped in, it is first necessary to determine whether the content being swapped out or swapped in is a ciphertext; when it is a ciphertext, processing follows the corresponding flow in embodiment 8.
Example 10
On the basis of embodiment 9, the judging subunit may be specifically configured to:
acquiring the value of the n1-th bit of the PTE corresponding to the first memory page in the NPT;
if the value of the n1-th bit of the PTE corresponding to the first memory page is determined to be a first numerical value, determining that the first content is a ciphertext; otherwise, determining that the first content is not a ciphertext;
wherein, the swap-out unit may be further configured to:
after the first ciphertext is stored in the external memory as second content, setting the value of the n2-th bit of the PTE corresponding to the first memory page to a second numerical value, wherein n1 and n2 are integers, 52 ≤ n1 ≤ 62, and 52 ≤ n2 ≤ 62.
In this embodiment, whether the first content is a ciphertext may be determined from the value of the n1-th bit of the PTE, in the NPT, that corresponds to the first memory page in which the first content is stored. The n1-th bit is one bit between the 52nd bit and the 62nd bit of the PTE (for example, the 62nd bit) and identifies whether the corresponding first content is ciphertext. Specifically, the first numerical value may be set in advance to represent ciphertext. To determine whether the first content is a ciphertext, it is only necessary to obtain the value of the n1-th bit corresponding to the first content and check whether it is the first numerical value: if it is, the first content is a ciphertext; otherwise it is not. The first numerical value may be set as desired (for example, to 1), which is not described further here.
The n2-th bit of the PTE is likewise one bit between the 52nd bit and the 62nd bit of the PTE (for example, the 61st bit); it and the n1-th bit each occupy one bit. The n2-th bit identifies whether the content swapped out from the first memory page to the external memory is encrypted: when it takes the second numerical value, the content is encrypted. The second numerical value may be set as desired (for example, to 1), which is not described further here.
In this embodiment, whether the corresponding first content is a ciphertext is determined from the value of the n1-th bit of the PTE, which keeps the determination efficient.
Example 11
On the basis of embodiment 10, the decryption subunit may be specifically configured to:
obtaining the value of the n2-th bit of the page table entry corresponding to the first memory page and judging whether that value is the second numerical value; if it is the second numerical value, determining that the second content is a ciphertext; otherwise, determining that the second content is not a ciphertext;
wherein, the swap-in unit may be further configured to:
after the second ciphertext is stored in the second memory page, setting the value of the n1-th bit of the PTE corresponding to the second memory page in the NPT to the first numerical value.
In this embodiment, the value of the n2-th bit of the page table entry corresponding to the first memory page identifies whether the content of the first memory page swapped out to the external memory is encrypted. That swapped-out content is the second content, so whether the second content is a ciphertext can be determined from the value of the n2-th bit of the page table entry corresponding to the first memory page: when that value is the second numerical value, the second content is a ciphertext. After the second content is swapped into the second memory page, the value of the n1-th bit of the PTE corresponding to the second memory page in the NPT needs to be set to the first numerical value, so that when the second memory page is later swapped out, whether its content is encrypted can be determined quickly, which improves the swap-out efficiency of the second memory page.
Example 12
On the basis of embodiment 9, the parsing subunit may further be configured to:
storing the first content in the external memory if the first content is not a ciphertext;
wherein, the decryption subunit is further configured to:
if the second content is not a ciphertext, allocating a third memory page of the memory for the second content, storing the second content in the third memory page, and setting the value of the n1-th bit of the PTE (page table entry) corresponding to the third memory page in the NPT (nested page table) to a third numerical value.
In this embodiment, when the first content is not the ciphertext, in order to ensure that the first content can be acquired by other objects, the first content cannot be encrypted at this time, but is directly stored in the external memory. Similarly, when the second content is not the ciphertext, for the same reason, the second content needs to be directly stored in the third memory page, and cannot be encrypted.
Example 13
On the basis of embodiment 8, the swap-out unit may be specifically configured to:
parsing a first plaintext from the first content by using a first encryption key, and encrypting the first plaintext by using a second encryption key to obtain a first ciphertext;
the swap-in unit may be specifically configured to:
decrypting the second content by using the second encryption key to obtain a second plaintext, and encrypting the obfuscated result by using the first encryption key to obtain a second ciphertext.
In this embodiment, it should be noted that the first encryption key is an encryption key related to the physical address of the memory, and the first plaintext can be parsed with the first encryption key from the first content, which incorporates the physical address of the first memory page. The second encryption key is an encryption key unrelated to the physical address of the memory, so the first ciphertext obtained by encrypting the first plaintext with the second encryption key does not contain the physical address of the memory. The first encryption key and the second encryption key may be chosen as needed (for example, a virtual machine encryption key as the first encryption key and a data encryption algorithm encryption key as the second encryption key), which is not described further here.
Example 14
Fig. 7 is a flowchart illustrating another apparatus for implementing a swap function according to an embodiment of the present invention, and referring to fig. 7, on the basis of embodiment 10, the apparatus may further include:
a first determining unit 70, configured to determine whether the first memory page needs to be encrypted after the first memory page is allocated before the swap-out unit 50 works;
a first setting unit 71, configured to set the value of the n1-th bit of the PTE corresponding to the first memory page in the NPT to the first numerical value if the first determining unit 70 determines that the first memory page needs to be encrypted, and otherwise to set the value of the n1-th bit of the PTE corresponding to the first memory page in the NPT to a third numerical value;
a second determining unit 72, configured to determine whether a second memory page needs to be encrypted after the swap-in unit 51 allocates the second memory page;
a second setting unit 73, configured to set the value of the n1-th bit of the PTE corresponding to the second memory page in the NPT to the first numerical value if the second determining unit 72 determines that the second memory page needs to be encrypted, and otherwise to set the value of the n1-th bit of the PTE corresponding to the second memory page in the NPT to the third numerical value.
In this embodiment, it can be understood that each time a memory page is allocated, the value of the n1-th bit of the PTE corresponding to the memory page needs to be set according to whether the memory page needs to be encrypted, so that a later page swap-out can identify whether the content stored in the memory page is encrypted: when the memory page needs to be encrypted, the n1-th bit of the corresponding PTE is set to the first numerical value; otherwise it is set to the third numerical value. Whether a memory page needs to be encrypted can be determined from the 47th bit of the physical address of the memory page, which is not described further here. The third numerical value may be set as needed to a value different from the first numerical value. In addition, the n1-th bit of the PTE may be set by sending the hypervisor a message carrying the value of the n1-th bit, whereupon the hypervisor sets the bit according to the message.
Example 15
Referring to fig. 8, the present invention discloses a secure processor, comprising:
a receiving unit 80 and a processing unit 81; wherein,
the receiving unit 80 is configured to receive a first command and a second command sent by an operating system;
the processing unit 81 is configured to execute, when the receiving unit 80 receives the first command, the processing performed for page swap-out of the first memory page of the memory according to embodiments 1 to 7, or to execute, when the receiving unit 80 receives the second command, the processing performed for page swap-in of the second content in the external memory according to embodiments 1 to 7.
It is to be understood that the operating system may be an X86 system, the first command may include an instruction corresponding to the processing performed when performing page swap-out on the first memory page of the memory in embodiments 1 to 7, and the second command may include an instruction corresponding to the processing performed when performing page swap-in on the second content in the external memory in embodiments 1 to 7. The operating system judges whether the swap function needs to be invoked and, according to the result, sends either the first command or the second command to the security processor, which executes the corresponding page swap-out or page swap-in flow. For example, when memory is in short supply, the operating system chooses to swap out to the external memory a physical memory M that has not been used for a long time and sends the corresponding first command to the security processor; the security processor executes that command and swaps the content of the physical memory M out to the external memory, releasing the storage space of the physical memory M. As another example, when the content N in the external memory needs to be used, the corresponding second command is sent to the security processor, and the security processor performs page swap-in on the content N according to that command.
The security processor provided in the embodiments of the present invention, by receiving the first command and the second command sent by the operating system, and executing the page swap-out and page swap-in processes of embodiments 1 to 7 according to the first command and the second command, can implement page swap-in after page swap-out in the virtualization technology, that is, can implement swap function in the virtualization technology, thereby improving the utilization efficiency of the memory and enhancing the capability of Linux to process a sudden large-scale memory request.
Based on the above analysis, it can be known that the method and apparatus for implementing the swap function between the internal memory and the external memory, and the security processor provided in the embodiments of the present invention, can successfully implement page swap-in by removing the physical address of the internal memory page when the page is swapped out, i.e., can implement swap function in the virtualization technology.
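The swap-out and swap-in flow of embodiments 8 to 14, as an added Python model that is not part of the patent text: it shows that a ciphertext bound to one page address does not decrypt at another, while re-wrapping under the address-independent second key lets the content return to a different page. The SHA-256 keystream standing in for the unspecified ciphers, the slot number used as a nonce, the third numerical value of 0, the choice of bits 62 and 61 (the text's own examples), and all class and function names are assumptions of this sketch.

```python
import hashlib

N1, N2 = 62, 61      # example bit positions from the text (52 <= n <= 62)
FIRST_VALUE = 1      # n1: content of the page in memory is ciphertext
SECOND_VALUE = 1     # n2: content swapped out to external memory is ciphertext
THIRD_VALUE = 0      # n1: content is not ciphertext (assumed value)
ENC_ADDR_BIT = 47    # physical-address bit that marks a page as needing encryption


def keystream_xor(key, tweak, data):
    """Toy stand-in cipher (SHA-256 counter mode); the same call decrypts."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + tweak + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def memory_cipher(key1, addr, data):
    """Models 'obfuscate with the page address, then encrypt with the first
    key' as a single address-tweaked step."""
    return keystream_xor(key1, b"mem" + addr.to_bytes(8, "big"), data)


def swap_cipher(key2, slot, data):
    """Address-independent form kept in external memory (slot as nonce)."""
    return keystream_xor(key2, b"swap" + slot.to_bytes(8, "big"), data)


def get_bit(value, n):
    return (value >> n) & 1


def set_bit(value, n, bit):
    return (value & ~(1 << n)) | (bit << n)


class SecureProcessorModel:
    def __init__(self, key1, key2):
        self.key1, self.key2 = key1, key2
        self.memory = {}    # physical address -> page content
        self.npt = {}       # physical address -> PTE value
        self.external = {}  # swap slot -> content

    def allocate(self, addr, plaintext):
        # Embodiment 14: bit n1 is set when the page is allocated.
        if get_bit(addr, ENC_ADDR_BIT):
            self.memory[addr] = memory_cipher(self.key1, addr, plaintext)
            self.npt[addr] = set_bit(0, N1, FIRST_VALUE)
        else:
            self.memory[addr] = plaintext
            self.npt[addr] = set_bit(0, N1, THIRD_VALUE)

    def swap_out(self, addr, slot):
        content = self.memory.pop(addr)  # the memory page is released
        if get_bit(self.npt[addr], N1) == FIRST_VALUE:
            plain = memory_cipher(self.key1, addr, content)  # parse first plaintext
            self.external[slot] = swap_cipher(self.key2, slot, plain)
            self.npt[addr] = set_bit(self.npt[addr], N2, SECOND_VALUE)
        else:
            self.external[slot] = content  # not a ciphertext: stored as is

    def swap_in(self, old_addr, slot, new_addr):
        content = self.external.pop(slot)
        if get_bit(self.npt[old_addr], N2) == SECOND_VALUE:
            plain = swap_cipher(self.key2, slot, content)
            self.memory[new_addr] = memory_cipher(self.key1, new_addr, plain)
            self.npt[new_addr] = set_bit(0, N1, FIRST_VALUE)
        else:
            self.memory[new_addr] = content
            self.npt[new_addr] = set_bit(0, N1, THIRD_VALUE)

    def guest_read(self, addr):
        """Content as seen through the decrypting memory path."""
        content = self.memory[addr]
        if get_bit(self.npt[addr], N1) == FIRST_VALUE:
            return memory_cipher(self.key1, addr, content)
        return content


def run_demo():
    sp = SecureProcessorModel(key1=b"K1" * 16, key2=b"K2" * 16)  # constructed keys
    secret = b"constructed guest secret".ljust(64, b".")         # constructed page data
    page_a, page_b = (1 << 47) | 0x1000, (1 << 47) | 0x9000
    sp.allocate(page_a, secret)
    in_memory = sp.memory[page_a]
    # Copying the address-bound ciphertext to page_b and reading it there fails.
    naive_move = memory_cipher(sp.key1, page_b, in_memory)
    sp.swap_out(page_a, slot=7)
    on_disk = sp.external[7]
    sp.swap_in(page_a, 7, page_b)
    return {"secret": secret, "in_memory": in_memory, "naive_move": naive_move,
            "on_disk": on_disk, "round_trip": sp.guest_read(page_b),
            "n2_old": get_bit(sp.npt[page_a], N2),
            "n1_new": get_bit(sp.npt[page_b], N1)}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```
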
The computer program product for implementing the method for exchanging the internal memory and the external memory according to the embodiment of the present invention includes a computer-readable storage medium storing a program code, where instructions included in the program code may be used to execute the method described in the foregoing method embodiment, and specific implementation may refer to the method embodiment, which is not described herein again.
The device for realizing the exchange function of the memory and the external memory provided by the embodiment of the invention may be specific hardware on a piece of equipment, or software or firmware installed on the equipment, and the like. The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the method embodiments; for brevity, where the device embodiments do not mention something, reference may be made to the corresponding content in the method embodiments. It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the foregoing systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments provided by the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus once an item is defined in one figure, it need not be further defined and explained in subsequent figures, and moreover, the terms "first", "second", "third", etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that the above embodiments are only specific embodiments of the present invention, used to illustrate its technical solutions rather than to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that anyone skilled in the art may, within the technical scope disclosed by the present invention, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the present invention and are intended to be covered by its protection scope. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (15)

1. A method for realizing the exchange function between a memory and an external memory is characterized by comprising the following steps:
when page swap-out is performed on a first memory page of the memory, executing the following processing: parsing a first plaintext from first content of the first memory page stored in ciphertext form, encrypting the first plaintext to obtain a first ciphertext, and storing the first ciphertext in the external memory as second content; and
when page swap-in is performed for the second content in the external memory, performing a process comprising: decrypting the second content to obtain a second plaintext, allocating a second memory page of the memory to the second content, obfuscating the second plaintext and the address of the second memory page to obtain an obfuscated result, encrypting the obfuscated result to obtain a second ciphertext, and storing the second ciphertext in the second memory page.
2. The method of claim 1, wherein parsing a first plaintext from a first content of the first memory page stored in a ciphertext form comprises:
judging whether the first content is a ciphertext;
if the first content is a ciphertext, parsing a first plaintext from the first content;
wherein the decrypting the second content to obtain a second plaintext includes:
and judging whether the second content is a ciphertext, and if the second content is the ciphertext, decrypting the second content to obtain a second plaintext.
3. The method of claim 2, wherein the determining whether the first content is ciphertext comprises:
acquiring the value of the n1-th bit of a page table entry corresponding to the first memory page in the nested page table;
if the value of the n1-th bit of the page table entry corresponding to the first memory page is determined to be a first numerical value, determining that the first content is a ciphertext; otherwise, determining that the first content is not a ciphertext;
wherein, after the storing the first ciphertext in the external memory as the second content, comprising:
setting the value of the n2-th bit of the page table entry corresponding to the first memory page to a second numerical value, wherein n1 and n2 are integers, n1 is greater than or equal to 52 and less than or equal to 62, and n2 is greater than or equal to 52 and less than or equal to 62.
4. The method of claim 3, wherein the determining whether the second content is ciphertext comprises:
obtaining the value of the n2-th bit of the page table entry corresponding to the first memory page and judging whether that value is the second numerical value; if it is the second numerical value, determining that the second content is a ciphertext; otherwise, determining that the second content is not a ciphertext;
after the storing the second ciphertext in the second memory page, the method further includes:
setting the value of the n1-th bit of the page table entry corresponding to the second memory page in the nested page table to the first numerical value.
5. The method of claim 2, wherein parsing a first plaintext from the first content if the first content is a ciphertext, further comprises:
storing the first content in the external memory if the first content is not a ciphertext;
wherein, if the second content is a ciphertext, decrypting the second content to obtain a second plaintext, further comprising:
if the second content is not a ciphertext, allocating a third memory page of the memory to the second content, storing the second content in the third memory page, and setting the value of the n1-th bit of a page table entry corresponding to the third memory page in the nested page table to a third numerical value.
6. The method of claim 1, wherein parsing a first plaintext from a first content of the first memory page stored in a form of ciphertext, and encrypting the first plaintext to obtain a first ciphertext comprises:
parsing a first plaintext from the first content by using a first encryption key, and encrypting the first plaintext by using a second encryption key to obtain a first ciphertext;
wherein the decrypting the second content to obtain a second plaintext includes:
decrypting the second content by using the second encryption key to obtain a second plaintext;
the encrypting the obfuscated result to obtain a second ciphertext includes:
encrypting the obfuscated result by using the first encryption key to obtain a second ciphertext.
7. The method of claim 3, further comprising, prior to parsing the first plaintext from the first content of the first memory page stored in ciphertext form:
after the first memory page is allocated, judging whether the first memory page needs to be encrypted;
if the first memory page needs to be encrypted, setting the value of the n1-th bit of the page table entry corresponding to the first memory page in the nested page table to the first numerical value; otherwise, setting the value of the n1-th bit of the page table entry corresponding to the first memory page in the nested page table to a third numerical value;
wherein, after the allocating the second memory page of the memory to the second content, the method further comprises:
judging whether the second memory page needs to be encrypted or not;
if the second memory page needs to be encrypted, setting the value of the n1-th bit of the page table entry corresponding to the second memory page in the nested page table to the first numerical value; otherwise, setting the value of the n1-th bit of the page table entry corresponding to the second memory page in the nested page table to the third numerical value.
8. An apparatus for implementing a memory and external memory swap function, comprising:
a swap-out unit, configured to execute, when performing page swap-out for a first memory page of the memory, processing that includes: parsing a first plaintext from first content of the first memory page stored in ciphertext form, encrypting the first plaintext to obtain a first ciphertext, and storing the first ciphertext in the external memory as second content; and
a swap-in unit configured to, when page swap-in is performed for the second content in the external memory, execute processing including: decrypting the second content to obtain a second plaintext, allocating a second memory page of the memory to the second content, obfuscating the second plaintext and the address of the second memory page to obtain an obfuscated result, encrypting the obfuscated result to obtain a second ciphertext, and storing the second ciphertext in the second memory page.
9. The apparatus of claim 8, wherein the swap-out unit comprises:
a judging subunit, configured to judge whether the first content is a ciphertext; and
a parsing subunit, configured to parse a first plaintext from the first content if the judging subunit determines that the first content is a ciphertext;
wherein the swap-in unit comprises:
a decryption subunit, configured to judge whether the second content is a ciphertext and, if the second content is a ciphertext, decrypt the second content to obtain a second plaintext.
10. The apparatus according to claim 9, wherein the judging subunit is specifically configured to:
acquire the value of the n1-th bit of the page table entry corresponding to the first memory page in the nested page table;
if the value of the n1-th bit of the page table entry corresponding to the first memory page is a first numerical value, determine that the first content is a ciphertext, otherwise, determine that the first content is not a ciphertext;
wherein the swap-out unit is further configured to:
after the first ciphertext is stored in the external memory as second content, set the value of the n2-th bit of the page table entry corresponding to the first memory page to a second numerical value, wherein n1 and n2 are integers, 52 ≦ n1 ≦ 62, and 52 ≦ n2 ≦ 62.
11. The apparatus according to claim 10, wherein the decryption subunit is specifically configured to:
obtain the value of the n2-th bit of the page table entry corresponding to the first memory page and judge whether it is the second numerical value; if it is the second numerical value, determine that the second content is a ciphertext, otherwise, determine that the second content is not a ciphertext;
wherein the swap-in unit is further configured to:
after the second ciphertext is stored in the second memory page, set the value of the n1-th bit of the page table entry corresponding to the second memory page in the nested page table to the first numerical value.
12. The apparatus of claim 9, wherein the parsing subunit is further configured to:
store the first content in the external memory if the first content is not a ciphertext;
wherein the decryption subunit is further configured to:
if the second content is not a ciphertext, allocate a third memory page of the memory to the second content, store the second content in the third memory page, and set the value of the n1-th bit of the page table entry corresponding to the third memory page in the nested page table to a third numerical value.
13. The apparatus according to claim 8, wherein the swap-out unit is specifically configured to:
parse a first plaintext from the first content by using a first encryption key, and encrypt the first plaintext by using a second encryption key to obtain a first ciphertext;
wherein the swap-in unit is specifically configured to:
decrypt the second content by using the second encryption key to obtain a second plaintext, and encrypt the obfuscated result by using the first encryption key to obtain a second ciphertext.
14. The apparatus of claim 10, further comprising:
a first judging unit, configured to judge, after the first memory page is allocated and before the swap-out unit operates, whether the first memory page needs to be encrypted;
a first setting unit, configured to set the value of the n1-th bit of the page table entry corresponding to the first memory page in the nested page table to the first numerical value if the first judging unit determines that the first memory page needs to be encrypted, and to set that value to a third numerical value if the first judging unit determines that the first memory page does not need to be encrypted;
a second judging unit, configured to judge whether the second memory page needs to be encrypted after the swap-in unit allocates the second memory page;
a second setting unit, configured to set the value of the n1-th bit of the page table entry corresponding to the second memory page in the nested page table to the first numerical value if the second judging unit determines that the second memory page needs to be encrypted, and to set that value to the third numerical value if the second judging unit determines that the second memory page does not need to be encrypted.
15. A secure processor, comprising:
a receiving unit and a processing unit; wherein,
the receiving unit is used for receiving a first command and a second command sent by an operating system;
the processing unit is configured to execute, when the receiving unit receives the first command, the processing performed on page swap-out for the first memory page of the memory according to claims 1 to 7, or to execute, when the receiving unit receives the second command, the processing performed on page swap-in for the second content in the external memory according to claims 1 to 7.
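The swap-out and swap-in flow of claims 8 to 13, modelled as an added C example that is not code from the patent. The bit positions N1 = 52 and N2 = 53, the 64-byte page, the keys, the page addresses and the XOR keystream standing in for the real cipher and address obfuscation are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>
/* Assumed for the demo: 64-byte pages; PTE bit N1 = page holds ciphertext,
   PTE bit N2 = swapped-out copy is ciphertext (the claims allow bits 52..62). */
enum { PAGE = 64, N1 = 52, N2 = 53 };
typedef struct { uint64_t pte, addr; uint8_t data[PAGE]; } page_t;
/* Stand-in keystream (splitmix64 finalizer), NOT a real cipher. */
static uint64_t mix(uint64_t x) {
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}
/* XOR with a keystream bound to key and tweak; applying it twice undoes it. */
static void xcrypt(uint8_t *buf, uint64_t key, uint64_t tweak) {
    for (int i = 0; i < PAGE; i++) buf[i] ^= (uint8_t)mix(key + mix(tweak + i + 1));
}
/* Swap-out: recover plaintext with K1 + old address, re-encrypt with K2. */
void swap_out(page_t *p, uint8_t *ext, uint64_t k1, uint64_t k2) {
    memcpy(ext, p->data, PAGE);
    if ((p->pte >> N1) & 1) {           /* first content is ciphertext */
        xcrypt(ext, k1, p->addr);       /* first plaintext */
        xcrypt(ext, k2, 0);             /* first ciphertext, address-independent */
        p->pte |= 1ULL << N2;           /* record: external copy is ciphertext */
    }
}
/* Swap-in: decrypt with K2, bind to the new page address, encrypt with K1. */
void swap_in(const page_t *old, const uint8_t *ext, page_t *np, uint64_t k1, uint64_t k2) {
    memcpy(np->data, ext, PAGE);
    np->pte &= ~(1ULL << N1);           /* default (third value): plaintext page */
    if ((old->pte >> N2) & 1) {         /* second content is ciphertext */
        xcrypt(np->data, k2, 0);        /* second plaintext */
        xcrypt(np->data, k1, np->addr); /* obfuscate with new address and encrypt */
        np->pte |= 1ULL << N1;          /* first value: page holds ciphertext */
    }
}
/* Returns 1 when a page swapped out at 0x1000 is readable after swap-in at 0x7000. */
int roundtrip(int encrypted) {
    const uint64_t k1 = 0x1111, k2 = 0x2222;            /* constructed keys */
    page_t a = { 0, 0x1000, {0} }, b = { 0, 0x7000, {0} };
    uint8_t plain[PAGE] = "constructed secret page", ext[PAGE];
    memcpy(a.data, plain, PAGE);
    if (encrypted) { xcrypt(a.data, k1, a.addr); a.pte |= 1ULL << N1; }
    swap_out(&a, ext, k1, k2);
    swap_in(&a, ext, &b, k1, k2);
    int hidden = memcmp(ext, plain, PAGE) != 0;         /* external copy is not plaintext */
    int moved = memcmp(a.data, b.data, PAGE) != 0;      /* ciphertext depends on the address */
    if ((b.pte >> N1) & 1) xcrypt(b.data, k1, b.addr);  /* model a read through the engine */
    return hidden == encrypted && moved == encrypted && memcmp(b.data, plain, PAGE) == 0;
}
```

Because the in-memory ciphertext is bound to the page address, the swap path cannot copy it verbatim to a new page; it must re-bind the plaintext to the second page's address, which is what `swap_in` does.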
CN201811401809.XA 2018-11-22 2018-11-22 Method and device for realizing memory and external memory exchange function and security processor Active CN109710373B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811401809.XA CN109710373B (en) 2018-11-22 2018-11-22 Method and device for realizing memory and external memory exchange function and security processor

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811401809.XA CN109710373B (en) 2018-11-22 2018-11-22 Method and device for realizing memory and external memory exchange function and security processor

Publications (2)

Publication Number Publication Date
CN109710373A CN109710373A (en) 2019-05-03
CN109710373B true CN109710373B (en) 2021-02-12

Family

ID=66254423

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811401809.XA Active CN109710373B (en) 2018-11-22 2018-11-22 Method and device for realizing memory and external memory exchange function and security processor

Country Status (1)

Country Link
CN (1) CN109710373B (en)

Also Published As

Publication number Publication date
CN109710373A (en) 2019-05-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 300450 Tianjin Binhai New Area Huayuan Industrial Zone Haitai West Road 18 North 2-204 Industrial Incubation-3-8

Applicant after: Haiguang Information Technology Co.,Ltd.

Address before: 300450 Tianjin Binhai New Area Huayuan Industrial Zone Haitai West Road 18 North 2-204 Industrial Incubation-3-8

Applicant before: HAIGUANG INFORMATION TECHNOLOGY Co.,Ltd.

GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20190503

Assignee: CHENGDU HAIGUANG INTEGRATED CIRCUIT DESIGN Co.,Ltd.|CHENGDU HAIGUANG MICROELECTRONICS TECHNOLOGY Co.,Ltd.

Assignor: Haiguang Information Technology Co.,Ltd.

Contract record no.: X2022980016699

Denomination of invention: Method and device for realizing memory and external memory exchange function, security processor

Granted publication date: 20210212

License type: Common License

Record date: 20220927