CN109766164A - A kind of access control method, EMS memory management process and relevant apparatus - Google Patents
A kind of access control method, EMS memory management process and relevant apparatus Download PDFInfo
- Publication number
- CN109766164A CN109766164A CN201811400760.6A CN201811400760A CN109766164A CN 109766164 A CN109766164 A CN 109766164A CN 201811400760 A CN201811400760 A CN 201811400760A CN 109766164 A CN109766164 A CN 109766164A
- Authority
- CN
- China
- Prior art keywords
- memory
- address
- directed toward
- secure
- page
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The embodiment of the present invention provides a kind of access control method, EMS memory management process, device and relevant device, the detection of security doctrine is carried out while traversing the corresponding address of access request described in nested page table lookup, it can be avoided in search procedure, page table on the common memory page is directed toward the page in secure memory, prevent the page table in secure memory is from by random access, improve the safety of the nested page table of safety in secure memory, so that virtual machine manager can not grasp the service condition for the secure memory that virtual machine uses, improve the safety of secure memory.
Description
Technical field
The present embodiments relate to virtual machine technique fields, and in particular to a kind of access control method, EMS memory management process
And relevant apparatus.
Background technique
By virtualization technology (Virtualization), physical host can virtually dissolve more virtual machine (Virtual
Machine, VM), to maximumlly utilize the hardware resource of physical host;In the every virtual machine virtually dissolved can be assigned
It deposits in (space), the memory of every virtual machine distribution is mainly used for task consumption and supports virtualization.
The memory management of virtual machine is mainly carried out by virtual machine manager at present, this obtains virtual machine manager pair
Certain manipulation ability of memory will carry out certain threat to the safety belt of virtual-machine data;Therefore how to optimize the interior of virtual machine
Management is deposited, the problem of to promote the safety of virtual-machine data, become those skilled in the art's urgent need to resolve.
Summary of the invention
In view of this, the embodiment of the present invention provides a kind of access control method, EMS memory management process and relevant apparatus, promoted
The safety of virtual-machine data.
To solve the above problems, the embodiment of the present invention provides the following technical solutions:
In a first aspect, the embodiment of the present invention provides a kind of access control method, comprising:
Receive the access request to memory;
The corresponding address of access request described in nested page table lookup is traversed, detects whether searched address points relationship is disobeyed
Anti- security doctrine;The security doctrine includes at least: forbidding address points relationship to be directed toward secure memory by common memory, wherein pacifying
Memory is highly-safe in common memory entirely;
When the address points relationship searched violates security doctrine, refuse the access request.
Second aspect, the access control method according to first aspect, the address points relationship include:
The address points relationship of memory pages where the nesting page tables entries, and, the address in the nesting page table
Points relationship.
The third aspect, the access control method according to second aspect, the searched address points relationship of the detection
Whether security doctrine is violated, comprising:
Whether the memory pages for judging that the corresponding page directory of accessed memory pages is directed toward are secure memory;
If the corresponding page directory of the memory pages accessed is directed toward secure memory, and the memory pages accessed are common
Memory, it is determined that the address points relationship searched violates security doctrine;
If the corresponding page directory of the memory pages accessed is directed toward secure memory, and the memory pages accessed are safety
Memory, it is determined that the address points relationship searched does not violate security doctrine.
Fourth aspect, the access control method according to the third aspect, the accessed memory pages of the judgement are corresponding
Page directory be directed toward memory pages whether be secure memory, comprising:
Judge whether the corresponding page address of the page directory is located in the address range of secure memory;
If the corresponding page address of the page directory is located in the address range of secure memory, accessed memory is determined
The memory pages that the corresponding page directory of the page is directed toward are secure memory.
5th aspect, the access control method according to fourth aspect, the accessed memory pages of the judgement are corresponding
Page directory be directed toward memory pages whether be secure memory, comprising:
Whether the memory pages for judging that the page directory is directed toward are configured with access authority;
If the memory pages that the page directory is directed toward are configured with access authority, the page that the page directory is directed toward is determined
Face is located at secure memory.
6th aspect, according to access control method described in first aspect or second aspect, the security doctrine further include:
Address points relationship is allowed to be directed toward secure memory or common memory by secure memory.
7th aspect, the embodiment of the present invention provide a kind of EMS memory management process, comprising:
To the memory configurations security mechanism of preset address range, wherein configured with saving as secure memory in security mechanism,
Secure memory it is highly-safe in common memory;
Configure the security doctrine of the address points relationship of the memory pages of the memory;The security doctrine includes at least:
Address points relationship is forbidden to be directed toward secure memory by common memory.
Eighth aspect, according to EMS memory management process described in the 7th aspect, the address points relationship includes:
The address points relationship of memory pages where the nesting page tables entries, and, the address in the nesting page table
Points relationship.
9th aspect, according to EMS memory management process described in the 7th aspect or eighth aspect, the security doctrine further include:
Address points relationship is allowed to be directed toward secure memory or common memory by secure memory.
Tenth aspect, the embodiment of the present invention provide a kind of Memory Controller Hub, comprising:
Address translator, for responding the access request to memory;It is corresponding to traverse access request described in nested page table lookup
Address, detect whether searched address points relationship violates security doctrine;The security doctrine includes at least: forbidding address
Points relationship is directed toward secure memory by common memory, and wherein secure memory is highly-safe in common memory;When the ground searched
When location points relationship violates security doctrine, refuse the access request.
Tenth on the one hand, according to Memory Controller Hub described in the tenth aspect, further includes:
Memory configurations logic, for the memory configurations security mechanism to preset address range, wherein be configured with security mechanism
In save as secure memory;
Security configuration logic, the security doctrine of the address points relationship of the memory pages for configuring the memory.
12nd aspect, according to Memory Controller Hub described in the tenth one side, the address translator is searched in detection
Address points relationship when whether violating security doctrine, comprising:
Whether the memory pages for judging that the corresponding page directory of accessed memory pages is directed toward are secure memory;
If the corresponding page directory of the memory pages accessed is directed toward secure memory, and the memory pages accessed are common
Memory, it is determined that the address points relationship searched violates security doctrine;
If the corresponding page directory of the memory pages accessed is directed toward secure memory, and the memory pages accessed are safety
Memory, it is determined that the address points relationship searched does not violate security doctrine.
13rd aspect, according to Memory Controller Hub described in the 12nd aspect, the address translator is accessed in judgement
The memory pages that are directed toward of the corresponding page directory of memory pages when whether being secure memory, comprising:
Judge whether the corresponding page address of the page directory is located in the address range of secure memory;
If the corresponding page address of the page directory is located in the address range of secure memory, accessed memory is determined
The memory pages that the corresponding page directory of the page is directed toward are secure memory.
Fourteenth aspect, according to Memory Controller Hub described in the 12nd aspect, the memory configurations logic is to preset address
The security mechanism of the memory configurations of range is access authority.
15th aspect, the Memory Controller Hub according to fourteenth aspect, the address translator are accessed in judgement
The memory pages that are directed toward of the corresponding page directory of memory pages whether be secure memory, comprising:
Whether the memory pages for judging that the page directory is directed toward are configured with access authority;
If the memory pages that the page directory is directed toward are configured with access authority, the page that the page directory is directed toward is determined
Face is secure memory.
16th aspect, the embodiment of the present invention provide a kind of computer system, comprising:
Safe processor, the secure memory distribution application for being issued according to virtual machine manager are virtual machine distribution safety
Memory;
Memory Controller Hub, for realizing memory access control method described in first aspect to the 6th aspect either side.
17th aspect, according to computer system described in the 16th aspect, the safe processor is also used to, creation with
The corresponding page table of the secure memory, the page table include nested page table.
In access control method provided in an embodiment of the present invention, traversing, access request described in nested page table lookup is corresponding
The detection that security doctrine is carried out while address, can be avoided in search procedure, and the page table on the common memory page is directed toward safety
The page in memory, prevent the page table in secure memory is from improving the peace in secure memory by random access
The safety of full nesting page table so that virtual machine manager can not grasp the secure memory that virtual machine uses use feelings
Condition improves the safety of secure memory.Therefore the Memory Management of virtual machine provided in an embodiment of the present invention has higher
Safety.
Detailed description of the invention
In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, to embodiment or will show below
There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this
The embodiment of application for those of ordinary skill in the art without creative efforts, can also basis
The attached drawing of offer obtains other attached drawings.
Fig. 1 is the system architecture schematic diagram of virtualized environment;
Fig. 2 is the another system configuration diagram of virtualized environment;
Fig. 3 be a kind of memory pages virtual address to physical address multi-level page-table exemplary construction schematic diagram;
Fig. 4 is the mapping relations schematic diagram of memory pages in page table;
The schematic diagram of secure memory and common memory is divided in Fig. 5 memory;
Fig. 6 is a kind of optional method flow chart that secure virtual machine distributes secure memory;
Fig. 7 is a kind of memory access control method flow chart;
Fig. 8 is the optional method flow chart of step S21;
Fig. 9 is another optional method flow chart of step S21;
Figure 10 is a kind of page table points relationship schematic diagram;
The position Figure 11 another kind page table points relationship schematic diagram;
Figure 12 is a kind of optional flow chart of EMS memory management process;
Figure 13 is a kind of structure chart of Memory Controller Hub;
Figure 14 is a kind of structure chart of computer system.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete
Site preparation description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.It is based on
Embodiment in the present invention, it is obtained by those of ordinary skill in the art without making creative efforts every other
Embodiment shall fall within the protection scope of the present invention.
As a kind of optional example, Fig. 1 shows the system architecture schematic diagram of virtualized environment, as shown in Figure 1, virtualization
The system architecture of environment may include: CPU (Central Processing Unit, central processing unit) core 1, Memory control
Device 2, memory 3;
Wherein, core cpu 1 can configure virtual machine manager 11 by software form, and be virtualized by virtualization technology
More virtual machines 12 out, the more virtual machines 12 can carry out memory management by virtual machine manager 11;
Memory Controller Hub 2 is control memory 3, and makes the hardware of memory 3 and the swapping data of CPU1;Typically counting
In calculation machine system, Memory Controller Hub 2 is responsible for processing memory access request, and for memory access request, Memory Controller Hub 2 is detectable
Whether caching records the corresponding address of memory access request, if so, the corresponding data in the address are read from caching, otherwise, time
It goes through the page table lookup of the memory address and reads the corresponding data in the address.
System architecture shown in FIG. 1, which can be, realizes that traditional virtual technology is not to void based on traditional virtual technology
The memory of quasi- machine carries out safeguard protection, therefore the safety of virtual-machine data has threat, in order to promote the peace of virtual-machine data
Quan Xing, the safety virtualization technology for being different from traditional virtual technology are come into being;
Safety virtualization technology is the virtualization technology that safeguard protection can be carried out to the memory of virtual machine, such as can be to virtual
The memory of machine encrypt etc. the virtualization technology of safeguard protection, and certainly, safety virtualization technology can also be for example to virtual machine
Memory carries out the virtualization technology for the protection such as being isolated;
It is exemplary, by safety virtualization technology, the memory of some or all virtual machines can be encrypted, and different
The memory that virtual machine uses is encrypted by different keys, and virtual machine manager can not also access key, to prevent physics master
Machine, virtual machine manager to the data access of virtual machine and are distorted, and the Information Security of virtual machine is promoted;
As a kind of optional example, it is based on safety virtualization technology, Fig. 2 shows the another system frameworks of virtualized environment
Schematic diagram, referring to figs. 1 and 2, system shown in Figure 2 framework can also include: safe place compared to system shown in Figure 1 framework
Manage device 4;
Safe processor 4 is the processor of the security related operations of the responsible processing and virtual machine that are specially arranged, for example, peace
Full processor 4 can carry out the operation such as memory encryption and decryption (for example, being encrypted by safe processor to virtual machine primary data);?
In the embodiment of the present invention, the configurable API (Application communicated with safe processor 4 of virtual machine manager 11
Programming Interface, application programming interface) interface, realize virtual machine manager 11 and safe processor 4
Data interaction;
In embodiments of the present invention, Memory Controller Hub 2 can configure crypto engine 21, and crypto engine 21 can store key;
The key that safe processor 4 can be stored by crypto engine 21 is that the memory of some or all virtual machines is added
It is close, and the memory that different virtual machine uses is encrypted by different keys;Optionally, in order to which preferably pre- anti-replay is attacked
It hits, different encryption parameters (i.e. key) can be used in different physical address in the memory of virtual machine;It is attacked it should be noted that resetting
It hits (Replay Attacks) and is also known as replay attack, replay attack, refer to that attacker sends what a destination host had received
Packet, to achieve the purpose that fraud system, mainly destroys the correctness of certification under authentication scene.
Optionally, in system shown in Figure 2 framework, core cpu 1, Memory Controller Hub 2, safe processor 4 can be integrated in SOC
In (System on Chip, system on chip);Obviously, SOC is only a kind of optional form of Computer Architecture, and the present invention is real
The Computer Architecture of other forms can also be supported by applying example, for example, the Computer Architecture that processor and south bridge are coupled,
Set up the Computer Architecture etc. of south bridge and north bridge separately, at this point, core cpu 1, Memory Controller Hub 2, memory 3 and safe processor
4 can accordingly dispose, herein not reinflated explanation.
In general, (traditional virtual technology or safety virtualization technology are not limited to) in virtualization technology, memory
The lookup of location is mainly realized by page table.When creating virtual machine 12, corresponding memory can be distributed for virtual machine 12.In virtual machine
When 12 program operation, virtual machine 12 needs to find for program operation and the memory pages of the memory 3 of distribution, that is, finds memory
The corresponding physical address of the page, by establishing the page table of the mapping relations comprising virtual machine virtual address to host-physical address,
Realize the lookup to memory pages physical address.
For convenience of storage, the management that multi-level page-table carries out memory can be used.Wherein, in final stage page table it is in store virtually
Location is to the mapping of physical address, referred to as page table entry;In other page tables in addition to final stage page table, the in store virtual address of higher level's page table
To the mapping of junior's page table, referred to as page directory.
The structure of multi-level page-table can refer to Fig. 3, and the virtual addresses of memory pages a kind of be shown to physical address
Multi-level page-table exemplary construction schematic diagram.
As can be seen from Figure, the address of the memory pages is described by 32 bit address, and CR3 is to control showing for register
Example passes through the page of level page table for recording level page table place page address (i.e. the initial address that CR3 may point to multi-level page-table)
Find level page table in address;
Given virtual address takes its 20~31 to find the entry pointed by it in level page table as offset, counts
According to including the page address where second level page table;
12~19 of virtual address are taken as offset, the entry pointed by it, data packet are found in second level page table
12~31 of the corresponding physical address containing virtual address;
By 0~12 of virtual address 0~12 as physical address, complete physical address is obtained.
Virtual address shown in Fig. 3 to physical address mapping relations, either virtual machine virtual address is to virtual machine
The mapping relations of physical address, be also possible to host virtual address to host-physical address mapping relations.
Fig. 4 shows the mapping relations schematic diagram of memory pages in page table, and Fig. 4 is shown in virtualization technology, from virtual
The virtual address of machine to host physical address mapping process example;As can be seen that this process has used virtual machine virtual
To the mapping page table of virtual machine physical address, which is known as virtual machine mapping page table and virtual machine physical address for address
To the mapping page table of host-physical address, which is nested page table.In another example, it is different from shown in Fig. 4,
Nested page table also may be implemented directly by virtual machine physical address map to host-physical address, without carrying out virtual machine physics
Association of the address to host virtual address.
The embodiment of the present invention can be when carrying out virtual machine initialization, and completion virtual machine mapping page table is preliminary with nested page table
Building;
When the operation of the program of virtual machine, VME operating system can be found by page tables entries (such as control register)
Virtual machine maps the memory address of page table level page table, to find virtual machine mapping page table according to the storage logic of multi-level page-table
Multi-level page-table, realize based on virtual machine mapping page table realize virtual machine virtual page table to virtual machine physical address lookup;
It, can be according to nested page table lookup host-physical address, it may be assumed that entered by page table by the virtual machine physical address found
The level page table of nested page table is found in mouthful, and according to the storage logic of multi-level page-table, find in memory 3 in sequence complete
Host-physical address, and then find corresponding memory pages.
In a kind of optional example, Fig. 1 and system shown in Figure 2 framework can realize the interior of virtual machine by virtual machine manager
Management is deposited, this makes virtual machine manager can control nested page table, the physical memory service condition of virtual machine is grasped, to malice
Virtual machine manager provide unnecessary information leakage (service condition of the memory physical address of such as virtual machine), may
There can be the risks such as potential side-channel attack, potential threat is brought to the safety of virtual-machine data.
Based on this, the present inventor considers to improve safety virtualization technology, under safety virtualization technology, by safety
Processor completes the operation such as memory management of virtual machine, and (safe processor can also be responsible for the behaviour such as creation, deactivated, destruction virtual machine
Make), while Added Management is carried out to virtual machine by safe processor by virtual machine manager;Under safety virtualization technology,
Can also by hardware carry out memory isolation with the protection of nested page table so that virtual machine manager can not grasp the interior of virtual machine
Distribution situation is deposited, eliminates and provides the possibility of information leakage to the virtual machine manager of malice, reduce potential side channel and attack
Hit possibility.
As a kind of optional realization of disclosure of the embodiment of the present invention, the embodiment of the present invention can divide peace in memory 3
Full memory (space) and common memory (space), in general, secure memory is highly-safe in common memory, for example, in safety
Safety protecting mechanism can be used by depositing;
Exemplary, Fig. 5 shows the schematic diagram for dividing secure memory and common memory in memory;As a kind of optional reality
Existing, the embodiment of the present invention can mark off several region of memory in memory, and (part that several region of memory can be memory is empty
Between, it is also possible to whole spaces of memory), by recording the relevant information of several region of memory divided, by what is divided
Several region of memory are protected labeled as secure memory (as passed through hardware tab secure memory) using safety protecting mechanism
Shield (encryption can be used in such as secure memory, and the mechanism such as isolation are protected, the most typically, the memory protected by safe processor
It may be considered a kind of example of secure memory);Unlabelled region of memory can be described as common memory, common memory one in memory
As do not protected using safety protecting mechanism.
As a kind of optional example, the size of secure memory can be greater than common memory, and certainly, the embodiment of the present invention can also prop up
The size for holding secure memory is smaller than common memory;It should be noted that example shown in Fig. 5 is by the partial memory region of memory
Labeled as secure memory, the embodiment of the present invention can also be supported the full memory zone marker of memory to be secure memory.
Optionally, it can be described as secure virtual machine using the virtual machine of safety protecting mechanism, such as using the virtual of secure memory
Machine can be described as secure virtual machine, and the virtual machine that safety protecting mechanism is not used can be described as General Virtual Machine, such as use common memory
Virtual machine can be described as General Virtual Machine, in general, the safety of secure virtual machine can be higher than General Virtual Machine.
Secure memory, common memory, secure virtual machine and General Virtual Machine are applicable to traditional virtual skill shown in FIG. 1
The system architecture of art is equally applicable to the system architecture of safety virtualization technology shown in Fig. 2.The void of description of the embodiment of the present invention
The Memory Management of quasi- machine is suitable for the case where existing simultaneously secure memory and common memory, and the system architecture being applicable in can be with
It is secure virtual machine and the simultaneous framework of General Virtual Machine.
Optionally, in embodiments of the present invention, safe processor can manage whole secure memories, and virtual machine manager can
With to safe processor application secure memory.During initializing secure virtual machine, safe processor can be according to virtual machine
The distribution request of manager is that secure virtual machine distributes secure memory, so that secure virtual machine has the access right to secure memory
Limit.As a kind of optional realization, Fig. 6 shows a kind of optional method process that secure memory is distributed for secure virtual machine, the party
Method process can be executed by safe processor, can specifically be executed during creating secure virtual machine by safe processor;Reference
Fig. 6, this method process may include:
Step S10: the secure memory distribution application that Virtual Machine Manager machine is issued to safe processor is received.
Optionally, secure memory distribution application may include: required secure memory size.
Step S11: applying according to the distribution, distributes secure memory for secure virtual machine, and in creation and the safety
Deposit corresponding page table.
The distribution application that safe processor is issued according to the Virtual Machine Manager machine distributes secure memory for virtual machine, and
Page table corresponding with the secure memory is created, the page table includes the nested page for mapping the secure memory physical address
Table.Also, virtual machine control block is created in the secure memory for distributing to the secure virtual machine, and distributes one section of continuous memory
Nested page table is directed toward to virtual machine control block, and by the page tables entries of virtual machine control block (such as control register).
During distributing secure memory for secure virtual machine, safe processor can also distribute for the secure virtual machine
Common memory, and the mapping relations of the corresponding part common memory physical address are stored in page table (comprising nested page simultaneously simultaneously
Table).In an example of the invention, the nested page table for being used to map the secure memory physical address is at least stored in safety
In memory;It (simultaneously include the nesting of mapping secure memory physical address by complete nested page table in another optional example
The nested page table of page table and mapping common memory physical address) it is stored in the secure memory for distributing to the secure virtual machine.At this
In invention, it is at least stored into the nested page table for being used to map secure memory physical address of secure memory, the referred to as nested page of safety
Table.
Since virtual machine manager is unable to the secure memory of access safety virtual machine, so that virtual machine manager can not be real
Now to the random access of safety nesting page table, so as to achieve the purpose that protect secure virtual machine;
Also, after secure memory distribution, the nested page table for mapping the secure memory physical address can still be stored in safety
In memory, so that either virtual machine or virtual machine manager, if to access the data in secure memory, as desired by
Page table entry in secure memory parses its linear address (virtual address i.e. in virtualization system framework), can just obtain
The physical address of secure memory.
In an optional example, for the nested page table in secure memory, the present invention also provides a kind of visits of memory
It asks control method, by the way that the security doctrine of access safety memory and common memory is arranged, realizes to memory access control, optimization
The memory management of virtual machine;
Optionally, Fig. 7 shows memory access control method provided in an embodiment of the present invention, and this method process can be by memory
Controller executes, exemplary, can specifically be executed by the page walk of Memory Controller Hub, page walk can be Memory Controller Hub
In address translator, the embodiment of the present invention can on the basis of the address translation feature of page walk, increase the embodiment of the present invention
The internal storage access control function of offer realizes the security control of internal storage access to optimize the memory management of virtual machine;
Referring to Fig. 7, this method process may include:
Step S20: the access request to memory is received.
Step S21: traversing the corresponding address of access request described in nested page table lookup, detects searched address and is directed toward pass
Whether system violates security doctrine, and the security doctrine includes at least: address points relationship being forbidden to be directed toward in safety by common memory
It deposits, wherein secure memory is highly-safe in common memory.
If so, step S22 is executed, if it is not, executing step S23.
Step S22: refuse the access request.
During the nested page table lookup access request of traversal corresponding address, if the address points relationship searched
It is directed toward and violates security doctrine, then the embodiment of the present invention is rejected by access request.
Optionally, the embodiment of the present invention can also report an error when the testing result of step S21, which is, is, such as output is hard
Part abnormity prompt.
Step S23: the access request is executed.
It is understood that either virtual machine or virtual machine manager, if necessary to access in secure memory
Data are required to parse the linear address of secure memory by the page table entry in secure memory, can just find in safety
The physical address deposited;When receiving the access request to memory, the embodiment of the present invention (can include secure memory to memory pages
The memory pages of memory pages and common memory) physical address any address for being searched, and being searched be directed toward need it is full
When sufficient security doctrine, just think that access request is legal, allows to execute access request;
Optionally, in embodiments of the present invention, page table can be directed toward secure memory, can also be directed toward common memory, but this
The security doctrine of inventive embodiments limitation includes following at least one aspect:
The page directory being stored in secure memory can be directed toward common memory;Wherein, the in store virtual address of higher level's page table
To the mapping of junior's page table, referred to as page directory;Specifically, higher level's secure memory page table can be directed toward junior's common memory page table,
Optionally, the page table of common memory can be described as common memory page table, and the page table of secure memory can be described as secure memory page table;
The page directory being stored in secure memory can be directed toward secure memory;Specifically, allowing address points relationship by pacifying
Full memory is directed toward secure memory;
The page directory for being stored in common memory cannot be directed toward secure memory, otherwise report an error;Specifically, forbidding being located at general
Logical memory page table is directed toward secure memory page table;
Address points relationship is allowed to be directed toward secure memory or common memory by secure memory.
It should be noted that in addition to the address points relationship in nested page table needs to meet security doctrine, the page of virtual machine
Memory pages and its memory pages being directed toward where table entry also need to meet the security doctrine.That is,
In step S21, the address points relationship includes: the address points relationship of the memory pages where the nested page tables entries,
With, it is described nesting page table in address points relationship.
Since the page tables entries of secure virtual machine are located in secure memory, the page tables entries of General Virtual Machine are located in common
In depositing, to where virtual machine page tables entries memory pages and its address be directed toward and detect, avoid the page of General Virtual Machine
Table entry is directed toward the page table in secure memory.
In secure virtual machine and the simultaneous system architecture of General Virtual Machine, received access request in step S20
It can be the access of the memory distributed secure virtual machine, be also possible to the access of the memory distributed General Virtual Machine.Therefore,
In secure virtual machine and the simultaneous system architecture of General Virtual Machine, common nested page table page nested with safety is existed simultaneously
Table, and whether common nested page table, or the nested page table of safety, may all be directed toward secure memory, it is also possible to be directed toward in common
It deposits.
When virtual machine program operation when, Memory Controller Hub can according to the virtual machine physical address that virtual machine system is found,
Pass through nested page table lookup host-physical address.That is: the level-one by finding nested page table in the page tables entries of Memory Controller Hub
Page table, and according to the storage logic of multi-level page-table, find complete host-physical address in memory in sequence, and then find
Corresponding memory pages.
In embodiments of the present invention, step S21 is while the lookup to the corresponding address of access request, Memory Controller Hub
It can also detect whether searched address points relationship violates security doctrine.Specifically, referring to Fig. 8, show step S21 can
Choosing method flow chart, comprising:
Step S211: whether the accessed memory pages of judgement are secure memory, if it is not, step S212 is executed, if so, holding
Row step S213.
Step S212: whether the page that the page directory in the accessed memory pages of judgement is directed toward is secure memory, if it is not,
Step S213 is executed, if so, executing step S22.
Step S213: the next stage page table that the page directory in access memory pages is directed toward.
Wherein, the memory pages accessed are the memory pages in accessed state when traversing nested page table.Namely
It says, is traversing the corresponding address of access request described in nested page table lookup, which memory pages is accessed, i.e., the page is carried out
The detection of security doctrine, thus the real-time detection in address procedures, the direction for avoiding the occurrence of violation security doctrine causes illegally to visit
It asks.
If the memory pages accessed are secure memory, page directory in the memory pages is to secure memory and common
The direction of memory does not violate security doctrine, therefore, executes step S213, accesses what the page directory in the memory pages was directed toward
Next stage page table executes step S212 if the memory pages accessed are common memory.
If the page that the page directory in the memory pages accessed is directed toward is secure memory, it is determined that the address searched
Points relationship violates security doctrine, if the page that the page directory in the memory pages accessed is directed toward is common memory, really
Fixed searched address points relationship does not violate security doctrine.
It include the address for the next stage page that will be accessed in the page directory of memory pages, to realize to next stage page
The access in face.In a preferred example, the memory pages for judging that the corresponding page directory of accessed memory pages is directed toward are
No is secure memory, can be by judging whether the page address for including in the page directory is located at the address range of secure memory
Inside judged, if the corresponding page address of the page directory is located in the address range of secure memory, it is determined that accessed
The memory pages that are directed toward of the corresponding page directory of memory pages be secure memory.
In another preferred example, in the memory pages for judging that the corresponding page directory of accessed memory pages is directed toward
It, can also be by judging whether the memory pages that the page directory is directed toward are configured with access authority progress when whether being secure memory
Judgement determines the memory pages that the page directory is directed toward if the memory pages that the page directory is directed toward are configured with access authority
Positioned at secure memory.
In step S211, when judging whether accessed memory pages are secure memory, preset condition can be passed through
Judge whether memory pages are secure memory, in an optional example, judges whether accessed memory pages are configured with
Preset access authority, if it is, the memory pages are secure memory, if it is not, then the memory pages are in common
It deposits.Alternatively, judging whether the physical address of accessed memory pages is located at secure memory in another optional example
In address range, if it is, the page is secure memory, if it is not, then the memory pages are common memory.
In another optional example, the step S212 and the step S211 be can be interchanged.It is shown referring to Fig. 9
Another optional method flow chart of step S21 first carries out step S212, judges that the page directory in accessed memory pages is directed toward
The page whether be secure memory, if not, the page that is directed toward of the page directory in the memory pages accessed is common memory, then
It determines that searched address points relationship does not violate security doctrine, step S213 is executed, under accessing pointed by the page directory
First level pages.If so, the corresponding page directory of the memory pages accessed is directed toward secure memory, S211 is thened follow the steps, into one
Step judges whether accessed memory pages are secure memory, if so, the memory pages accessed are secure memory, it is determined that
The address points relationship searched does not violate security doctrine, thens follow the steps S213, accesses next pointed by the page directory
The grade page, if it is not, then the memory pages accessed are common memory, then it is former that the address points relationship searched violates safety
Then, step S22 is executed, the access request is refused.
The nested page table of the safety of secure virtual machine, it may be possible to be entirely located in secure memory, it is also possible to be only for mapping peace
The page table of full memory physical address is located at secure memory, for both of these case, to the lookup of the corresponding address of access request with
The detection for the address points relationship searched is specific as follows:
When safety nesting page table is entirely located in secure memory, traverses safety nesting page table, there is no be located in common
Less there is the case where page directory being located in the page table of common memory is directed toward secure memory in the page table deposited, therefore to being searched
The detection of address points relationship do not violate security doctrine, and then the corresponding physical address of the access request can be found.
Then, step S23 is executed, the secondary access is executed.
In safety nesting page table, the page table of mapping secure memory physical address is only used for when being located at secure memory, is traversed
The nested page table of the safety carries out the lookup of corresponding address, meanwhile, detect searched address points relationship.With the page table in Figure 10
For, the page for being decorated with oblique line is common memory, remaining page is secure memory.As can be seen that being located in safety in the first order
It deposits page table 101 on the page and is directed toward the page table 102 and 103 for being located at and being located on the secure memory page on the second level, on the second level
Page table 102 on the secure memory page is directed toward the third level and is located at the page table 104 on the common memory page, and, the second level
On be located at the secure memory page on page table 103 be directed toward the third level be located at the page table 105 on the common memory page, be all not separated
The address points relationship of anti-security doctrine obtains corresponding physical address so as to execute the traversal lookup to nested page table.
And it is located at the direction of page table 201 on the secure memory page by taking Figure 11 as an example, in the first order and is located on the second level
Page table 202 and 203 on the secure memory page, the page table 202 being located on the secure memory page on the second level are directed toward the third level
Page table 204 on the common memory page, and, the page table 203 being located on the secure memory page on the second level is directed toward the
Three-level is located at the page table 205 on the common memory page, identical as Figure 10, is all the address points relationship for not violating security doctrine.
But the third level is located at the page table 205 on the common memory page and is directed toward the page table 206 that the fourth stage is located on the secure memory page,
It is then to violate the address points relationship of security doctrine, thus the subsequent traversal to nested page table can not be carried out and searched, it is even more impossible to
Obtain corresponding physical address.
As can be seen that carrying out the detection of security doctrine while searching by above-mentioned access control method, can be avoided
In search procedure, the page table on the common memory page is directed toward the page in secure memory, so that the page table in secure memory
The safety of the nested page table of safety in secure memory cannot be improved by random access.
In an optional example, for the management of the nested page table in secure memory, the present invention also provides one kind
EMS memory management process, the security doctrine of the address points relationship by configuring memory pages are realized to memory access control, excellent
Change the memory management of virtual machine.This method can be executed by Memory Controller Hub, can specifically be patrolled by the memory configurations in Memory Controller Hub
It collects with security configuration logic and executes;Referring to Fig.1 2, it is a kind of optional process of EMS memory management process, this method process can wrap
It includes:
Step S30: to the memory configurations security mechanism of preset address range, wherein configured with being saved as in security mechanism
Secure memory, secure memory it is highly-safe in common memory;
Step S31: the security doctrine of the address points relationship of the memory pages of the memory is configured;The security doctrine is extremely
It less include: that address points relationship is forbidden to be directed toward secure memory by common memory.
Step S30 can be executed by memory configurations logic, for marking off secure memory and common memory, and in safety
Deposit configuration security mechanism.Wherein, the security mechanism can be encrypted for the data in internally depositing, alternatively, being memory configurations
Access authority controls the access to secure memory to realize the isolation to secure memory.
Step S31 can be executed by security configuration logic, configure the address points relationship of the memory pages of the memory
Security doctrine.Wherein, the security doctrine configured for the address points relationship of memory pages, page table can be directed toward secure memory,
It can be directed toward common memory, but the security doctrine of limitation of the embodiment of the present invention includes following at least one aspect:
The page directory being stored in secure memory can be directed toward common memory;Wherein, the in store virtual address of higher level's page table
To the mapping of junior's page table, referred to as page directory;Specifically, higher level's secure memory page table can be directed toward junior's common memory page table,
Optionally, the page table of common memory can be described as common memory page table, and the page table of secure memory can be described as secure memory page table;
The page directory being stored in secure memory can be directed toward secure memory;Specifically, allowing address points relationship by pacifying
Full memory is directed toward secure memory;
The page directory for being stored in common memory cannot be directed toward secure memory, otherwise report an error;Specifically, forbidding being located at general
Logical memory page table is directed toward secure memory page table;
Address points relationship is allowed to be directed toward secure memory or common memory by secure memory.
It should be noted that the security doctrine in this example is preferably referring to the security doctrine in access control method of the present invention
It is configured, so that Memory Controller Hub of the invention realizes corresponding access control according to the security doctrine.
Wherein, the address points relationship includes: that pass is directed toward in the address of the memory pages where the nested page tables entries
System, and, the address points relationship in the nesting page table.That is, in addition to the address points relationship in nested page table needs
Meeting security doctrine, the address points relationship positioned at the memory pages where nested page tables entries is also required to meet security doctrine,
To comprehensively protect to the nested page table in secure memory, and then ensure the peace for the data being stored in secure memory
Entirely.
In an optional example, it to be peace by memory configurations logic that the present invention also provides a kind of Memory Controller Hub
Full memory configurations security mechanism, the security doctrine of the address points relationship of memory pages is configured by security configuration logic, is passed through
Address translator is realized to memory access control, to optimize the memory management of virtual machine.Referring to Fig.1 3, it is a kind of memory control
The structure chart of device processed, the Memory Controller Hub 2 may include:
Address translator 22, for responding the access request to memory;Traverse access request pair described in nested page table lookup
The address answered, detects whether searched address points relationship violates security doctrine;The security doctrine includes at least: forbidding ground
Location points relationship is directed toward secure memory by common memory, and wherein secure memory is highly-safe in common memory;When what is searched
When address points relationship violates security doctrine, refuse the access request;
Memory configurations logic 23, for the memory configurations security mechanism to preset address range, wherein be configured with safe machine
Secure memory is saved as in system;
Security configuration logic 24, the security doctrine of the address points relationship of the memory pages for configuring the memory.
Wherein, the security doctrine configured for the address points relationship of memory pages, page table can be directed toward secure memory, can also
To be directed toward common memory, but the security doctrine of limitation of the embodiment of the present invention includes following at least one aspect:
The page directory being stored in secure memory can be directed toward common memory;Wherein, the in store virtual address of higher level's page table
To the mapping of junior's page table, referred to as page directory;Specifically, higher level's secure memory page table can be directed toward junior's common memory page table,
Optionally, the page table of common memory can be described as common memory page table, and the page table of secure memory can be described as secure memory page table;
The page directory being stored in secure memory can be directed toward secure memory;Specifically, allowing address points relationship by pacifying
Full memory is directed toward secure memory;
The page directory for being stored in common memory cannot be directed toward secure memory, otherwise report an error;Specifically, forbidding being located at general
Logical memory page table is directed toward secure memory page table;
Address points relationship is allowed to be directed toward secure memory or common memory by secure memory.
It should be noted that in addition to the address points relationship in nested page table needs to meet security doctrine, the page of virtual machine
Memory pages and its memory pages being directed toward where table entry also need to meet the security doctrine.That is, institute
The address points relationship that address points relationship includes: the memory pages where the nested page tables entries is stated, and, the nesting page
Address points relationship in table.
Since the page tables entries of secure virtual machine are located in secure memory, the page tables entries of General Virtual Machine are located in common
In depositing, to where virtual machine page tables entries memory pages and its address be directed toward and detect, avoid the page of General Virtual Machine
Table entry is directed toward the page table in secure memory.
In an optional example, the address translator is detecting whether searched address points relationship violates peace
When full principle, comprising: whether the memory pages that the corresponding page directory of the accessed memory pages of judgement is directed toward are secure memory;Such as
The corresponding page directory of the memory pages that fruit is accessed is directed toward secure memory, and the memory pages accessed are common memory, then really
Fixed searched address points relationship violates security doctrine;If the corresponding page directory of the memory pages accessed is directed toward in safety
The memory pages deposited, and accessed are secure memory, it is determined that the address points relationship searched does not violate security doctrine.
Wherein, the address translator is in the memory pages for judging that the corresponding page directory of accessed memory pages is directed toward
It is no be secure memory when, comprising: judge whether the corresponding page address of the page directory is located in the address range of secure memory;
If the corresponding page address of the page directory is located in the address range of secure memory, determine that accessed memory pages are corresponding
Page directory be directed toward memory pages be secure memory.
In embodiments of the present invention, memory configurations logic is access to the security mechanism of the memory configurations of preset address range
Permission.That is, improving the safety of memory to avoid the unauthorized access to memory for memory configurations access authority.In this reality
It applies in example, configured with saving as secure memory in access authority.
For secure memory configured with access authority, the address translator is judging that accessed memory pages are corresponding
The memory pages that are directed toward of page directory whether be secure memory, comprising: whether the memory pages for judging that the page directory is directed toward match
It is equipped with access authority;If the memory pages that the page directory is directed toward are configured with access authority, determine what the page directory was directed toward
Memory pages are secure memory.
Memory Controller Hub in the present embodiment can be avoided and look by carrying out the detection of security doctrine while searching
During looking for, the page table on the common memory page is directed toward the page in secure memory, so that the page table in secure memory is not
The safety of the nested page table of safety in secure memory can be improved by random access, and then ensure and be stored in safety
The safety of data in memory.
In another optional example, the present invention also provides a kind of computer systems, are carried out by safe processor
The distribution of secure memory realizes memory access control method provided by the invention by Memory Controller Hub, by configuring page
The security doctrine of the address points relationship in face is realized to memory access control, to optimize the memory management of virtual machine.Reference
Figure 14, is a kind of structure chart of computer system, which may include:
Safe processor 4, the secure memory distribution application for being issued according to virtual machine manager are virtual machine distribution peace
Full memory;
Memory Controller Hub 2, for realizing memory access control method provided in an embodiment of the present invention.
Wherein, in embodiments of the present invention, the safe processor 4 is also used to, and is created corresponding with the secure memory
Page table, the page table include nested page table.
The distribution application that safe processor is issued according to the Virtual Machine Manager machine distributes secure memory for virtual machine, and
Page table corresponding with the secure memory is created, the page table includes the nested page for mapping the secure memory physical address
Table.Also, virtual machine control block is created in the secure memory for distributing to the secure virtual machine, virtual machine control block is to virtual
The message structure that the state of the virtual processor of machine is described, and one section of continuous memory is distributed to virtual machine control block, and
Nested page table is directed toward by the page tables entries (such as nCR3) of virtual machine control block.
During distributing secure memory for secure virtual machine, safe processor can also distribute for the secure virtual machine
Common memory, and the mapping relations of the corresponding part common memory physical address are stored in page table (comprising nested page simultaneously simultaneously
Table).
Since virtual machine manager is unable to the secure memory of access safety virtual machine, so that virtual machine manager can not be real
Now to the random access of safety nesting page table, so as to achieve the purpose that protect secure virtual machine;
Also, after secure memory distribution, the nested page table for mapping the secure memory physical address can still be stored in safety
In memory, so that either virtual machine or virtual machine manager, if to access the data in secure memory, as desired by
Page table entry in secure memory parses its linear address (virtual address i.e. in virtualization system framework), can just obtain
The physical address of secure memory.
And the access control method of the internal counter foil row of Memory Controller Hub, the detection of security doctrine is carried out while searching,
It can be avoided in search procedure, the page table on the common memory page is directed toward the page in secure memory, so that being in secure memory
In page table the safety of the nested page table of safety in secure memory cannot be improved by random access, and then improve
The safety of secure memory.
Described above is multiple example schemes provided in an embodiment of the present invention, each optional side of each example scheme introduction
Formula can be combined with each other in the absence of conflict, cross reference, thus extend a variety of possible example schemes, these
It is considered disclosure of the embodiment of the present invention, disclosed embodiment scheme.
Although the embodiment of the present invention discloses as above, present invention is not limited to this.Anyone skilled in the art, not
It is detached from the spirit and scope of the present invention, can make various changes or modifications, therefore protection scope of the present invention should be with right
It is required that subject to limited range.
Claims (17)
1. a kind of access control method characterized by comprising
Receive the access request to memory;
The corresponding address of access request described in nested page table lookup is traversed, detects whether searched address points relationship violates peace
Full principle;The security doctrine includes at least: forbidding address points relationship to be directed toward secure memory by common memory, wherein in safety
That deposits is highly-safe in common memory;
When the address points relationship searched violates security doctrine, refuse the access request.
2. access control method according to claim 1, which is characterized in that the address points relationship includes:
The address points relationship of memory pages where the nesting page tables entries, and, the address in the nesting page table is directed toward
Relationship.
3. access control method according to claim 2, which is characterized in that the searched address points relationship of the detection
Whether security doctrine is violated, comprising:
Whether the memory pages for judging that the corresponding page directory of accessed memory pages is directed toward are secure memory;
If the corresponding page directory of the memory pages accessed is directed toward secure memory, and the memory pages accessed are in common
It deposits, it is determined that the address points relationship searched violates security doctrine;
If the corresponding page directory of the memory pages accessed is directed toward secure memory, and the memory pages accessed are in safety
It deposits, it is determined that the address points relationship searched does not violate security doctrine.
4. access control method according to claim 3, which is characterized in that the accessed memory pages of the judgement are corresponding
Page directory be directed toward memory pages whether be secure memory, comprising:
Judge whether the corresponding page address of the page directory is located in the address range of secure memory;
If the corresponding page address of the page directory is located in the address range of secure memory, accessed memory pages are determined
The memory pages that corresponding page directory is directed toward are secure memory.
5. access control method according to claim 4, which is characterized in that the accessed memory pages of the judgement are corresponding
Page directory be directed toward memory pages whether be secure memory, comprising:
Whether the memory pages for judging that the page directory is directed toward are configured with access authority;
If the memory pages that the page directory is directed toward are configured with access authority, the memory pages position that the page directory is directed toward is determined
In secure memory.
6. access control method according to claim 1 or 2, which is characterized in that the security doctrine further include:
Address points relationship is allowed to be directed toward secure memory or common memory by secure memory.
7. a kind of EMS memory management process characterized by comprising
To the memory configurations security mechanism of preset address range, wherein configured with secure memory is saved as in security mechanism, safely
Memory it is highly-safe in common memory;
Configure the security doctrine of the address points relationship of the memory pages of the memory;The security doctrine includes at least: forbidding
Address points relationship is directed toward secure memory by common memory.
8. EMS memory management process according to claim 7, which is characterized in that the address points relationship includes:
The address points relationship of memory pages where the nesting page tables entries, and, the address in the nesting page table is directed toward
Relationship.
9. EMS memory management process according to claim 7 or 8, which is characterized in that the security doctrine further include:
Address points relationship is allowed to be directed toward secure memory or common memory by secure memory.
10. a kind of Memory Controller Hub characterized by comprising
Address translator, for responding the access request to memory;Traverse access request described in nested page table lookup correspondingly
Location, detects whether searched address points relationship violates security doctrine;The security doctrine includes at least: address being forbidden to be directed toward
Relationship is directed toward secure memory by common memory, and wherein secure memory is highly-safe in common memory;When the address searched refers to
When violating security doctrine to relationship, refuse the access request.
11. Memory Controller Hub according to claim 10, which is characterized in that further include:
Memory configurations logic, for the memory configurations security mechanism to preset address range, wherein configured in security mechanism
Save as secure memory;
Security configuration logic, the security doctrine of the address points relationship of the memory pages for configuring the memory.
12. Memory Controller Hub according to claim 11, which is characterized in that the address translator is searched in detection
When whether address points relationship violates security doctrine, comprising:
Whether the memory pages for judging that the corresponding page directory of accessed memory pages is directed toward are secure memory;
If the corresponding page directory of the memory pages accessed is directed toward secure memory, and the memory pages accessed are in common
It deposits, it is determined that the address points relationship searched violates security doctrine;
If the corresponding page directory of the memory pages accessed is directed toward secure memory, and the memory pages accessed are in safety
It deposits, it is determined that the address points relationship searched does not violate security doctrine.
13. Memory Controller Hub according to claim 12, which is characterized in that the address translator is accessed in judgement
When whether the memory pages that the corresponding page directory of memory pages is directed toward are secure memory, comprising:
Judge whether the corresponding page address of the page directory is located in the address range of secure memory;
If the corresponding page address of the page directory is located in the address range of secure memory, accessed memory pages are determined
The memory pages that corresponding page directory is directed toward are secure memory.
14. Memory Controller Hub according to claim 12, which is characterized in that the memory configurations logic is to preset address model
The security mechanism for the memory configurations enclosed is access authority.
15. Memory Controller Hub according to claim 14, which is characterized in that the address translator is accessed in judgement
Whether the memory pages that the corresponding page directory of memory pages is directed toward are secure memory, comprising:
Whether the memory pages for judging that the page directory is directed toward are configured with access authority;
If the memory pages that the page directory is directed toward are configured with access authority, the memory pages for determining that the page directory is directed toward are
Secure memory.
16. a kind of computer system characterized by comprising
Safe processor, the secure memory distribution application for being issued according to virtual machine manager is that virtual machine distributes in safety
It deposits;
Memory Controller Hub, for realizing memory access control method described in any one of claims 1-6.
17. computer system according to claim 16, which is characterized in that the safe processor is also used to, creation with
The corresponding page table of the secure memory, the page table include nested page table.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811400760.6A CN109766164B (en) | 2018-11-22 | 2018-11-22 | Access control method, memory management method and related device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811400760.6A CN109766164B (en) | 2018-11-22 | 2018-11-22 | Access control method, memory management method and related device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109766164A true CN109766164A (en) | 2019-05-17 |
| CN109766164B CN109766164B (en) | 2021-06-18 |
Family
ID=66449627
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811400760.6A Active CN109766164B (en) | 2018-11-22 | 2018-11-22 | Access control method, memory management method and related device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109766164B (en) |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110196819A (en) * | 2019-06-03 | 2019-09-03 | 海光信息技术有限公司 | Memory pool access method and hardware |
| CN110348204A (en) * | 2019-06-17 | 2019-10-18 | 海光信息技术有限公司 | A kind of code protection system, authentication method, device, chip and electronic equipment |
| CN110955904A (en) * | 2019-11-22 | 2020-04-03 | 海光信息技术有限公司 | Data encryption method, data decryption method, processor and computer equipment |
| CN111949376A (en) * | 2020-08-24 | 2020-11-17 | 海光信息技术有限公司 | Virtual machine system and method for virtual machine system |
| CN111966468A (en) * | 2020-08-28 | 2020-11-20 | 海光信息技术有限公司 | Method, system, secure processor and storage medium for pass-through device |
| CN111984374A (en) * | 2020-08-20 | 2020-11-24 | 海光信息技术有限公司 | Method for managing secure memory, system, apparatus and storage medium therefor |
| CN112099903A (en) * | 2020-08-18 | 2020-12-18 | 海光信息技术股份有限公司 | Memory management method and device of virtual machine, CPU chip and server |
| CN112241310A (en) * | 2020-10-21 | 2021-01-19 | 海光信息技术股份有限公司 | Page table management method, information acquisition method, processor, chip, device, and medium |
| CN112256598A (en) * | 2020-10-27 | 2021-01-22 | 上海壁仞智能科技有限公司 | Memory allocation method and device and memory addressing method and device |
| CN113868673A (en) * | 2021-12-06 | 2021-12-31 | 荣耀终端有限公司 | Vulnerability detection method and device |
| CN117421118A (en) * | 2023-10-27 | 2024-01-19 | 海光信息技术股份有限公司 | Secure memory allocation, release and related configuration methods and devices |
| WO2024017311A1 (en) * | 2022-07-22 | 2024-01-25 | 地平线征程(杭州)人工智能科技有限公司 | Access control method and apparatus, computer readable storage medium, and electronic device |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106502926A (en) * | 2016-09-26 | 2017-03-15 | 华为技术有限公司 | A kind of internal memory monitoring method, internal storage access controller and SoC systems |
| US20170249261A1 (en) * | 2016-02-29 | 2017-08-31 | Intel Corporation | System for address mapping and translation protection |
| CN107220189A (en) * | 2017-03-14 | 2017-09-29 | 晨星半导体股份有限公司 | Memory headroom is managed and memory access control method and device |
| CN107368354A (en) * | 2017-08-03 | 2017-11-21 | 致象尔微电子科技(上海)有限公司 | A kind of secure virtual machine partition method |
| US20180136867A1 (en) * | 2016-11-15 | 2018-05-17 | Red Hat Israel, Ltd. | Address based host page table selection |
-
2018
- 2018-11-22 CN CN201811400760.6A patent/CN109766164B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170249261A1 (en) * | 2016-02-29 | 2017-08-31 | Intel Corporation | System for address mapping and translation protection |
| CN106502926A (en) * | 2016-09-26 | 2017-03-15 | 华为技术有限公司 | A kind of internal memory monitoring method, internal storage access controller and SoC systems |
| US20180136867A1 (en) * | 2016-11-15 | 2018-05-17 | Red Hat Israel, Ltd. | Address based host page table selection |
| CN107220189A (en) * | 2017-03-14 | 2017-09-29 | 晨星半导体股份有限公司 | Memory headroom is managed and memory access control method and device |
| CN107368354A (en) * | 2017-08-03 | 2017-11-21 | 致象尔微电子科技(上海)有限公司 | A kind of secure virtual machine partition method |
Cited By (20)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110196819B (en) * | 2019-06-03 | 2021-08-24 | 海光信息技术股份有限公司 | Memory access method and hardware |
| CN110196819A (en) * | 2019-06-03 | 2019-09-03 | 海光信息技术有限公司 | Memory pool access method and hardware |
| CN110348204A (en) * | 2019-06-17 | 2019-10-18 | 海光信息技术有限公司 | A kind of code protection system, authentication method, device, chip and electronic equipment |
| CN110955904A (en) * | 2019-11-22 | 2020-04-03 | 海光信息技术有限公司 | Data encryption method, data decryption method, processor and computer equipment |
| CN112099903A (en) * | 2020-08-18 | 2020-12-18 | 海光信息技术股份有限公司 | Memory management method and device of virtual machine, CPU chip and server |
| CN112099903B (en) * | 2020-08-18 | 2023-01-31 | 海光信息技术股份有限公司 | Memory management method and device of virtual machine, CPU chip and server |
| CN111984374A (en) * | 2020-08-20 | 2020-11-24 | 海光信息技术有限公司 | Method for managing secure memory, system, apparatus and storage medium therefor |
| CN111984374B (en) * | 2020-08-20 | 2021-07-23 | 海光信息技术股份有限公司 | Method for managing secure memory, system, apparatus and storage medium therefor |
| CN111949376B (en) * | 2020-08-24 | 2021-12-17 | 海光信息技术股份有限公司 | Virtual machine system and method for virtual machine system |
| CN111949376A (en) * | 2020-08-24 | 2020-11-17 | 海光信息技术有限公司 | Virtual machine system and method for virtual machine system |
| CN111966468A (en) * | 2020-08-28 | 2020-11-20 | 海光信息技术有限公司 | Method, system, secure processor and storage medium for pass-through device |
| CN111966468B (en) * | 2020-08-28 | 2021-10-26 | 海光信息技术股份有限公司 | Method, system, secure processor and storage medium for pass-through device |
| CN112241310B (en) * | 2020-10-21 | 2023-01-31 | 海光信息技术股份有限公司 | Page table management method, information acquisition method, processor, chip, device and medium |
| CN112241310A (en) * | 2020-10-21 | 2021-01-19 | 海光信息技术股份有限公司 | Page table management method, information acquisition method, processor, chip, device, and medium |
| CN112256598B (en) * | 2020-10-27 | 2022-10-28 | 上海壁仞智能科技有限公司 | Memory allocation method and device and memory addressing method and device |
| CN112256598A (en) * | 2020-10-27 | 2021-01-22 | 上海壁仞智能科技有限公司 | Memory allocation method and device and memory addressing method and device |
| CN113868673A (en) * | 2021-12-06 | 2021-12-31 | 荣耀终端有限公司 | Vulnerability detection method and device |
| CN113868673B (en) * | 2021-12-06 | 2022-04-19 | 荣耀终端有限公司 | Vulnerability detection method and device |
| WO2024017311A1 (en) * | 2022-07-22 | 2024-01-25 | 地平线征程(杭州)人工智能科技有限公司 | Access control method and apparatus, computer readable storage medium, and electronic device |
| CN117421118A (en) * | 2023-10-27 | 2024-01-19 | 海光信息技术股份有限公司 | Secure memory allocation, release and related configuration methods and devices |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109766164B (en) | 2021-06-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109766164A (en) | A kind of access control method, EMS memory management process and relevant apparatus | |
| US10572689B2 (en) | Method and apparatus for secure execution using a secure memory partition | |
| CN109901911B (en) | Information setting method, control method, device and related equipment | |
| Ren et al. | Design space exploration and optimization of path oblivious ram in secure processors | |
| CN103907101B (en) | System and method for kernel ROOTKIT protection in a hypervisor environment | |
| CN109766165A (en) | A kind of memory access control method, device, Memory Controller Hub and computer system | |
| CN110348204B (en) | Code protection system, authentication method, authentication device, chip and electronic equipment | |
| CN107690629A (en) | Address conversion | |
| US11775177B2 (en) | Integrity tree for memory integrity checking | |
| JP7431225B2 (en) | trusted intermediary realm | |
| JP7431224B2 (en) | Parameter signatures for realm security configuration parameters | |
| CN109739613A (en) | Maintaining method, access control method and the relevant apparatus of nested page table | |
| CN107526974A (en) | A kind of information password protection device and method | |
| KR102365263B1 (en) | Efficient Encryption Method and Apparatus for Hardware-based Secure GPU Memory | |
| Heo et al. | Hardware-assisted trusted memory disaggregation for secure far memory | |
| Heo et al. | Supporting Trusted Virtual Machines with Hardware-Based Secure Remote Memory | |
| KR20230164733A (en) | Apparatus and method for handling hidden transactions | |
| CN116860666A (en) | GPU memory protection method and device, chip and electronic equipment | |
| Lr | tlB |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: 300384 industrial incubation-3-8, North 2-204, No. 18, Haitai West Road, Tianjin Huayuan Industrial Zone, Binhai New Area, Tianjin Applicant after: Haiguang Information Technology Co., Ltd Address before: 300384 industrial incubation-3-8, North 2-204, No. 18, Haitai West Road, Tianjin Huayuan Industrial Zone, Binhai New Area, Tianjin Applicant before: HAIGUANG INFORMATION TECHNOLOGY Co.,Ltd. |
|
| CB02 | Change of applicant information | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |