CN109901911A - A kind of information setting method, control method, device and relevant device - Google Patents

Publication number: CN109901911A
Authority: CN (China)
Prior art keywords: virtual machine, information, secure, security code, control block
Legal status: Granted, Active
Application number: CN201910060502.6A
Other languages: Chinese (zh)
Other versions: CN109901911B (en)
Inventors: 杜朝晖, 应志伟
Current Assignee: Haiguang Information Technology Co Ltd
Original Assignee: Haiguang Information Technology Co Ltd
Application filed by Haiguang Information Technology Co Ltd
Publication of CN109901911A
Application granted; publication of CN109901911B

Abstract

An embodiment of the present invention provides an information setting method, a control method, a device and a relevant device. The information setting method includes: defining a security code control information structure for a secure virtual machine, where the security code control information structure describes the overall initial state of the secure virtual machine; and where the virtual machine control block of the secure virtual machine reserves an address field for saving the start address of the security code control information structure of the secure virtual machine. By defining a security code control information structure for the secure virtual machine, the embodiment of the present invention can guarantee the integrity of the initial state of the secure virtual machine.

Description

A kind of information setting method, control method, device and relevant device
Technical field
Embodiments of the present invention relate to the field of virtual machine technology, and in particular to an information setting method, a control method, a device and a relevant device.
Background
Through virtualization technology (Virtualization), a host can virtualize multiple virtual machines (Virtual Machine, VM) so as to make maximum use of the host's hardware resources. Each virtual machine created this way can be allocated memory (space); the memory allocated to a virtual machine is called virtual machine memory, and it is mainly used for task consumption and for supporting virtualization.
In virtualization technology, the virtual machine control block is the information structure that describes the state of a virtual processor of a virtual machine. However, a virtual machine control block can only describe the state of a single virtual processor; it lacks a description of the virtual machine as a whole, and therefore cannot guarantee the integrity of the initial state of the virtual machine.
Summary of the invention
In view of this, embodiments of the present invention provide an information setting method, a control method, a device and a relevant device, so as to guarantee the integrity of the initial state of a virtual machine.
To achieve the above object, embodiments of the present invention provide the following technical solutions:
An information setting method, comprising:
defining a security code control information structure for a secure virtual machine, where the security code control information structure describes the overall initial state of the secure virtual machine;
wherein the virtual machine control block of the secure virtual machine reserves an address field for saving the start address of the security code control information structure of the secure virtual machine.
An embodiment of the present invention also provides a control method, comprising:
when target information in the virtual machine control block of a secure virtual machine needs to be modified, obtaining the security code control information structure defined for the secure virtual machine; wherein the security code control information structure describes the overall initial state of the secure virtual machine and defines the modification attribute of the information in the virtual machine control block of the secure virtual machine, the modification attribute being either modifiable or non-modifiable; and the virtual machine control block of the secure virtual machine and the security code control information structure are stored in secure memory;
determining the modification attribute of the target information according to the security code control information structure;
if the modification attribute of the target information is modifiable, allowing the target information to be modified;
if the modification attribute of the target information is non-modifiable, refusing to modify the target information.
An embodiment of the present invention also provides an information setting device, comprising:
a definition module, configured to define a security code control information structure for a secure virtual machine, where the security code control information structure describes the overall initial state of the secure virtual machine;
wherein the virtual machine control block of the secure virtual machine reserves an address field for saving the start address of the security code control information structure of the secure virtual machine.
An embodiment of the present invention also provides a control device, comprising:
a security code control information structure obtaining module, configured to obtain the security code control information structure defined for a secure virtual machine when target information in the virtual machine control block of the secure virtual machine needs to be modified; wherein the security code control information structure describes the overall initial state of the secure virtual machine and defines the modification attribute of the information in the virtual machine control block of the secure virtual machine, the modification attribute being either modifiable or non-modifiable; and the virtual machine control block of the secure virtual machine and the security code control information structure are stored in secure memory;
a modification attribute determining module, configured to determine the modification attribute of the target information according to the security code control information structure;
a modification allowing module, configured to allow the target information to be modified if the modification attribute of the target information is modifiable;
a modification refusing module, configured to refuse to modify the target information if the modification attribute of the target information is non-modifiable.
An embodiment of the present invention also provides a CPU core, including the control device described above.
An embodiment of the present invention also provides a chip, including a secure processor and the CPU core described above.
An embodiment of the present invention also provides an electronic device, including the chip described above.
In the embodiment of the present invention, the secure processor or the host virtual machine can define a security code control information structure for the secure virtual machine. The security code control information structure can describe the overall initial state of the secure virtual machine, and thereby better guarantee the integrity of the initial state of the secure virtual machine.
On the other hand, in the control method provided by the embodiment of the present invention, a security code control information structure can be defined for the secure virtual machine. The security code control information structure describes the overall initial state of the secure virtual machine and defines the modification attribute of the information in the virtual machine control block of the secure virtual machine, and both the security code control information structure and the virtual machine control block of the secure virtual machine are stored in secure memory. Thus, when target information in the virtual machine control block of the secure virtual machine needs to be modified, the embodiment of the present invention can obtain the modification attribute of the target information as defined in the security code control information structure. When the modification attribute is modifiable, the target information is regarded as modifiable information in the virtual machine control block, and modifying it is allowed; when the modification attribute is non-modifiable, the target information is regarded as non-modifiable information in the virtual machine control block, and modifying it is refused. This controls modification of the information in the virtual machine control block of the secure virtual machine, prevents that information from being maliciously tampered with, and improves the security of virtual machine data.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application; those of ordinary skill in the art can obtain other drawings from the drawings provided without creative effort.
Fig. 1 is a schematic diagram of the system architecture of a virtualized environment;
Fig. 2 is a schematic diagram of another system architecture of a virtualized environment;
Fig. 3 is a schematic diagram of the micro-architecture of secure virtualization technology;
Fig. 4 is a schematic diagram of physical memory that includes secure memory and ordinary memory;
Fig. 5 is a flowchart of the control method provided by an embodiment of the present invention;
Fig. 6 is a flowchart of a method for determining the virtual processor to which a virtual machine control block belongs;
Fig. 7 is a schematic diagram of determining the virtual processor to which a virtual machine control block belongs;
Fig. 8 is a schematic diagram of an architecture with SMCR provided by an embodiment of the present invention;
Fig. 9 is a block diagram of the control device provided by an embodiment of the present invention;
Fig. 10 is another block diagram of the control device provided by an embodiment of the present invention;
Fig. 11 is yet another block diagram of the control device provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
As an optional example, Fig. 1 shows a schematic diagram of the system architecture of a virtualized environment. As shown in Fig. 1, the system architecture of the virtualized environment may include: a CPU (Central Processing Unit) core 1, a memory controller 2 and a memory 3;
The CPU core can be configured, in software form, with a virtual machine manager 11, and can virtualize multiple virtual machines 12 through virtualization technology. Memory management for these virtual machines can be performed by the virtual machine manager 11; for example, the virtual machine manager 11 manages the virtual machine memory of the virtual machines 12;
The memory controller 2 is the hardware that controls the memory 3 and enables data exchange between the memory 3 and the CPU core. Part or all of the memory 3 can be used as virtual machine memory, from which memory space is allocated to virtual machines. In a typical computer system, the memory controller 2 is responsible for handling memory access requests. For a memory access request, the memory controller 2 can check whether the cache records the address corresponding to the request; if so, it reads the data corresponding to that address from the cache; otherwise, it walks the page table in memory to find the address and reads the data corresponding to it.
The system architecture shown in Fig. 1 may be implemented on the basis of traditional virtualization technology. Traditional virtualization technology does not apply security protection to virtual machine memory, so the security of virtual machine data in virtual machine memory is under threat. To improve the security of virtual machine data in virtual machine memory, secure virtualization technology, which differs from traditional virtualization technology, came into being;
Secure virtualization technology is virtualization technology that can apply security protection to virtual machine memory, for example by encrypting virtual machine memory; it can also, for example, protect virtual machine memory by isolation;
In one exemplary secure virtualization technology, the virtual machine memory of some or all virtual machines can be encrypted, with the memory of different virtual machines encrypted by different keys. The virtual machine manager cannot access the keys either, which prevents the physical host and the virtual machine manager from accessing and tampering with the virtual machine data in virtual machine memory and improves the security of virtual machine data;
As an optional example based on secure virtualization technology, Fig. 2 shows a schematic diagram of another system architecture of a virtualized environment. Referring to Fig. 1 and Fig. 2, compared with the system architecture shown in Fig. 1, the system architecture shown in Fig. 2 may further include: a secure processor 4;
The secure processor 4 is a specially provided processor responsible for handling security-related operations for virtual machines; for example, the secure processor 4 can perform operations such as encrypting and decrypting virtual machine memory. In the embodiment of the present invention, the virtual machine manager 11 can be configured with an API interface for communicating with the secure processor 4, through which the virtual machine manager 11 and the secure processor 4 exchange data;
In the embodiment of the present invention, the memory controller 2 can be configured with an encryption engine 21, and the encryption engine 21 can store keys;
Through the keys stored in the encryption engine 21, the secure processor 4 can encrypt some or all virtual machine memory, with different virtual machine memory encrypted by different keys. Optionally, to better prevent replay attacks, different physical addresses in virtual machine memory can use different encryption parameters. It should be noted that in a replay attack (Replay Attack), the attacker sends a packet that the destination host has already received in order to deceive the system; it is mainly used in authentication scenarios to undermine the correctness of authentication.
By way of example, Fig. 3 shows a schematic diagram of the micro-architecture of secure virtualization technology. As shown in Fig. 3, the secure processor is the processor in the SoC (System on Chip) that handles the encryption and decryption of virtual machine memory and the starting of virtual machines. The secure processor 4 can interact with the CPU core 1 through an API interface, and the secure processor 4 and the memory controller 2 interact over a bus and run programs;
The components inside the SoC are the CPU core 1, the secure processor 4 and the memory controller 2. The memory 3 (for example, dynamic random access memory, DRAM) is located outside the SoC. Optionally, data outside the SoC can be encrypted ciphertext, while data inside the SoC is plaintext;
The multiple VEKs (Virtualization Encrypted Key, virtual machine encryption key) in Fig. 3 are used for different virtual machines, so that each virtual machine (or the host) can have its own independent key. This guarantees that neither the different virtual machines nor the host can read the correct data of other virtual machines or of the host.
Optionally, in the system architectures shown in Fig. 2 and Fig. 3, the CPU core, the memory controller and the secure processor can be integrated on an SoC (System on Chip). Obviously, an SoC is only one optional form of computer architecture; the embodiment of the present invention can also support other forms of computer architecture, for example an architecture in which the processor is coupled with a south bridge, or an architecture with separate south and north bridges. In those cases the CPU core, the memory controller, the memory and the secure processor can be deployed accordingly, which is not elaborated here.
By having different virtual machines use different keys, secure virtualization technology ensures that different virtual machines and the host cannot correctly interpret each other's memory data, which meets the requirement of protecting the confidentiality of memory data. However, the host still has the permission to modify the memory data of a virtual machine without being detected, so protection of memory data integrity is lacking;
Based on this, in the embodiment of the present invention the memory 3 may include secure memory (space) and ordinary memory (space). In general, the security of secure memory is higher than that of ordinary memory; for example, secure memory can use a security protection mechanism;
By way of example, Fig. 4 shows a schematic diagram of physical memory that may include secure memory and ordinary memory. As an optional implementation, the embodiment of the present invention can mark several memory regions in the memory (the several memory regions can be part of the memory space or all of it) as secure memory. For example, the address ranges of the memory regions of secure memory are recorded in physical registers, so that secure memory is marked in hardware, and the secure memory is protected by a security protection mechanism (secure memory can be protected by mechanisms such as encryption and isolation). The non-secure memory in the memory can be called ordinary memory; ordinary memory is generally not protected by a security protection mechanism, and the security of secure memory can be higher than that of ordinary memory;
As an optional example, the size of secure memory can be larger than that of ordinary memory; of course, the embodiment of the present invention can also support secure memory that is smaller than ordinary memory. It should be noted that in the example shown in Fig. 4 secure memory is a partial region of the memory; the embodiment of the present invention can also support secure memory that covers the whole memory;
Optionally, a virtual machine that uses a security protection mechanism can be called a secure virtual machine; for example, a virtual machine that uses secure memory can be called a secure virtual machine. A virtual machine that does not use a security protection mechanism can be called an ordinary virtual machine; for example, a virtual machine that uses ordinary memory can be called an ordinary virtual machine. In general, the security of a secure virtual machine can be higher than that of an ordinary virtual machine.
Optionally, if the management of virtual machine memory is transferred from the virtual machine manager to the secure processor, the security of virtual machine memory can be improved, but the secure processor will become a performance bottleneck (the performance of a secure processor is generally weaker than that of a general-purpose processor). Therefore, to balance security and performance when managing virtual machine memory, the embodiment of the present invention can design a special virtual machine to manage the memory used by other virtual machines. This special virtual machine can be called the host virtual machine, and the virtual machines other than the host virtual machine can be called subordinate virtual machines. Optionally, the code of the host virtual machine can be set in advance in software form, and the secure processor is responsible for configuring the host virtual machine; while configuring the host virtual machine, it grants the host virtual machine memory management permission over the subordinate virtual machines, so that the memory management work for the subordinate virtual machines is carried out by the host virtual machine.
After exclusive secure memory has been isolated for a secure virtual machine, access to the secure memory of the secure virtual machine can be enforced by the memory controller. Access permissions are configured for the secure memory of the secure virtual machine (the configuration can be performed by the secure processor or the host virtual machine), so that an access request for the secure memory of the secure virtual machine (which can be issued by the host or by a virtual machine) is allowed to execute only when it satisfies the configured access permissions of the secure memory.
In secure virtualization technology, the virtual machine control block can describe the state of a virtual processor of a virtual machine, but a virtual machine control block can only describe the state (for example, the initial state) of a single virtual processor and lacks a description of the virtual machine as a whole. Meanwhile, virtual machine initialization only protects the data of each memory page of the virtual machine and does not protect the address information of the data itself, so a malicious virtual machine manager can arbitrarily swap the placement of the initial data in virtual machine memory when the virtual machine starts;
Based on this, the inventors propose an improvement to secure virtualization technology: in addition to using a virtual machine control block to describe the state of a single virtual processor, the secure processor or the host virtual machine can also define a security code control information structure (SCCS) for the secure virtual machine. The security code control information structure of a secure virtual machine describes the overall initial state of the secure virtual machine, including but not limited to: the layout of the virtual address space of the secure virtual machine, the address distribution of all data in the initial state of the secure virtual machine, the number of virtual processors used by the secure virtual machine, and the initial state of each virtual processor. Through the security code control information structure, the embodiment of the present invention can better guarantee the integrity of the initial state of the secure virtual machine.
It should be noted that the virtual machine control block referred to in the embodiment of the present invention is not specific to a particular virtualization technology but applies to all possible virtualization technologies. Different virtualization technologies may name the virtual machine control block differently; for example, it may also be called a virtual machine control structure.
As an optional implementation, in addition to using the security code control information structure to describe the overall initial state of the secure virtual machine, the embodiment of the present invention can also use the security code control information structure to define the modification attribute of the information in the virtual machine control block of the secure virtual machine (the modification attribute is either modifiable or non-modifiable). When the host modifies information in the virtual machine control block of the secure virtual machine, the modification attribute defined for that information in the security code control information structure can be checked, so that the host can modify the information in the virtual machine control block only when its modification attribute is modifiable. This prevents the host from maliciously modifying the information in the virtual machine control block.
Optionally, Fig. 5 shows an optional flow of the control method provided by the embodiment of the present invention. The method can be executed by the CPU core in the form of micro-instructions, or by the secure processor. Referring to Fig. 5, the flow may include:
Step S10: obtain an information modification request for the virtual machine control block of the secure virtual machine, the information modification request including: the target information of the virtual machine control block of the secure virtual machine that is requested to be modified.
Optionally, the host (for example, the virtual machine manager) can request to modify information in the virtual machine control block of the secure virtual machine.
When target information in the virtual machine control block of the secure virtual machine needs to be modified, the embodiment of the present invention can optionally execute step S10.
Step S11: obtain the security code control information structure defined for the secure virtual machine, where the security code control information structure describes the overall initial state of the secure virtual machine and defines the modification attribute of the information in the virtual machine control block of the secure virtual machine.
Optionally, the embodiment of the present invention can define a security code control information structure for the secure virtual machine, and both the virtual machine control block and the security code control information structure of the secure virtual machine can be stored in the secure memory of the secure virtual machine. The security code control information structure can thus define the overall initial state of the secure virtual machine and the modification attribute of the information in the virtual machine control block of the secure virtual machine; the modification attribute may be: modifiable or non-modifiable.
Optionally, the virtual machine control block of the secure virtual machine can have multiple fields, and the embodiment of the present invention can define, in the security code control information structure, the modification attribute of each field of the virtual machine control block of the secure virtual machine.
Step S12: determine the modification attribute of the target information according to the security code control information structure.
After obtaining the security code control information structure, the embodiment of the present invention can read the modification attribute of the target information from the security code control information structure.
Step S13: if the modification attribute of the target information is modifiable, allow the target information to be modified.
Step S14: if the modification attribute of the target information is non-modifiable, refuse to modify the target information.
In the control method provided by the embodiment of the present invention, a security code control information structure can be defined for the secure virtual machine. The security code control information structure describes the overall initial state of the secure virtual machine and defines the modification attribute of the information in the virtual machine control block of the secure virtual machine, and both the security code control information structure and the virtual machine control block of the secure virtual machine are stored in secure memory. Thus, when target information in the virtual machine control block of the secure virtual machine needs to be modified, the embodiment of the present invention can obtain the modification attribute of the target information as defined in the security code control information structure. When the modification attribute is modifiable, the target information is regarded as modifiable information in the virtual machine control block, and modifying it is allowed; when the modification attribute is non-modifiable, the target information is regarded as non-modifiable information in the virtual machine control block, and modifying it is refused. This controls modification of the information in the virtual machine control block of the secure virtual machine, prevents that information from being maliciously tampered with, and improves the security of virtual machine data.
Optionally, the above flow for modifying target information in the virtual machine control block of the secure virtual machine can be executed by the CPU core or by the secure processor. For example, the CPU core can execute the flow through a special instruction. As another example, the host can modify information in the virtual machine control block through the secure processor, in which case the secure processor can query the security code control information structure to determine whether the information in the virtual machine control block may be modified.
Optionally, the virtual machine control block of the secure virtual machine may include: control area (Control Area) information and state save area (State Save Area) information. The control area information may include multiple pieces of control information of the virtual machine control block of the secure virtual machine, and the state save area information may include multiple pieces of state information of the virtual machine control block of the secure virtual machine;
In the security code control information structure of the secure virtual machine, the embodiment of the present invention can define a modification attribute for each piece of control information in the control area information and for each piece of state information in the state save area information, thereby defining the modification attribute of the information in the virtual machine control block of the secure virtual machine.
Optionally, the modification attribute can be a marker that is set, and the marker can be represented by a bit value: a marker whose bit has the first value indicates the modifiable attribute, and a marker whose bit has the second value indicates the non-modifiable attribute. The first value and the second value can be logical opposites; for example, the first value can be 1 and the second value can be 0.
In one optional setting, the embodiment of the present invention can make the state information in the state save area information non-modifiable, for example by representing the modification attribute of the state information in the state save area information with the bit value 0. The control information in the control area information can be set to modifiable or non-modifiable: according to actual needs, it can be defined which control information in the control area has its modification attribute represented by the bit value 1 and which has it represented by the bit value 0.
As an optional implementation of the disclosure of the embodiment of the present invention, the security code control information structure of the secure virtual machine can be defined in software by the secure processor or the host virtual machine and stored in the secure memory of the secure virtual machine. Preferably, each virtual machine control block of the secure virtual machine can reserve an address field (located in secure memory) that saves the start address of the security code control information structure, so that the virtual machine control block of the secure virtual machine points to the security code control information structure of the secure virtual machine.
Optionally, a virtual machine control block generally corresponds to a physical page in memory and can be divided into multiple fields; for example, a field can be several bytes or a single bit. The embodiment of the present invention can use an unused Reserve (reserved) field in the virtual machine control block of the secure virtual machine as the address field; for example, 8 aligned consecutive bytes can be selected arbitrarily from a Reserve field as the address field, to save the start address of the security code control information structure of the secure virtual machine.
Further, the address fields (start addresses) in the virtual machine control blocks of the same secure virtual machine can be initialized to the same value (for example, by the secure processor or the host virtual machine). By using the security code control information structure to describe the overall initial state of the secure virtual machine, the embodiment of the present invention can provide a secure virtual machine environment and prevent a hacker who controls the virtual machine management code from stealing the contents of the secure virtual machine. If no security code control information structure uniformly describes the overall initial state of the secure virtual machine, the hardware has difficulty identifying whether different virtual processors originate from the same secure virtual machine. In that case, if an attacker creates a virtual processor and then uses it to access the resources of another virtual processor, the hardware cannot identify whether the two virtual processors belong to the same secure virtual machine, cannot judge whether the access is illegal, and therefore cannot prevent this unauthorized access.
By providing the security code control information structure, the embodiment of the present invention gives the virtual processors of different secure virtual machines different security code control information structures, so that unauthorized access between virtual processors that do not belong to the same secure virtual machine can be refused, protecting the information security of the secure virtual machine.
As an optional implementation, the hardware (such as a CPU core) can detect whether the SCCSs pointed to by different virtual machine control blocks are the same, to determine and verify whether those virtual machine control blocks belong to different virtual processors of the same secure virtual machine. That is, when the SCCSs pointed to by different virtual machine control blocks are the same, the embodiment of the present invention considers those virtual machine control blocks to belong to different virtual processors of the same secure virtual machine; one virtual machine control block of a secure virtual machine can correspond to one virtual processor of that secure virtual machine.
Optionally, Fig. 6 shows a method flow for determining the virtual processor to which a virtual machine control block belongs. The method shown in Fig. 6 can be executed by the CPU core in the form of microinstructions. Referring to Fig. 6, the method flow may include:
Step S20: determine at least two virtual machine control blocks.
The at least two virtual machine control blocks may belong to the same secure virtual machine or to different secure virtual machines.
Step S21: determine the virtual machine control blocks that point to the same SCCS.
A virtual machine control block may contain an address field indicating the start address of the SCCS it points to. The embodiment of the present invention can determine the SCCS that a virtual machine control block points to from its address field: if the address fields of virtual machine control blocks are the same, the SCCSs they point to are the same, so the virtual machine control blocks that point to the same SCCS can be determined.
Step S22: determine that the virtual machine control blocks pointing to the same SCCS belong to one secure virtual machine, and that each of those virtual machine control blocks belongs to one virtual processor of that secure virtual machine.
As an example, as shown in Fig. 7, the address field of virtual machine control block 1 points to SCCS1, the address field of virtual machine control block 2 points to SCCS1, and the address field of virtual machine control block 3 points to SCCS2. It can then be determined that virtual machine control block 1 and virtual machine control block 2 point to the same SCCS and belong to different virtual processors of the same secure virtual machine; for example, virtual machine control block 1 belongs to virtual processor 11 of secure virtual machine 1, and virtual machine control block 2 belongs to virtual processor 12 of secure virtual machine 1. Because the SCCS pointed to by virtual machine control block 3 differs from the one pointed to by virtual machine control block 1 and virtual machine control block 2, virtual machine control block 3 belongs to a different secure virtual machine from virtual machine control block 1 and virtual machine control block 2; for example, virtual machine control block 3 belongs to virtual processor 21 of secure virtual machine 2.
Optionally, the embodiment of the present invention can refuse access between virtual processors that do not belong to the same secure virtual machine, to further protect the data security of the secure virtual machine, and allow access between virtual processors that belong to the same secure virtual machine.
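The following C sketch is an added example, not code from the patent: it walks steps S20 to S22 over the three virtual machine control blocks of the Fig. 7 example and then applies the allow/refuse decision between virtual processors. The offset of the address field (0x3F8), the SCCS addresses, the treatment of an all-zero address field as "no SCCS", and all identifiers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VMCB_SIZE       4096u  /* assumed: one physical page */
#define SCCS_PTR_OFFSET 0x3F8u /* assumed: 8 aligned bytes taken from a reserved field */

typedef struct { uint8_t bytes[VMCB_SIZE]; } vmcb_t;

/* Save the start address of the SCCS in the address field of the block. */
void vmcb_set_sccs(vmcb_t *v, uint64_t sccs_addr)
{
    memcpy(v->bytes + SCCS_PTR_OFFSET, &sccs_addr, sizeof sccs_addr);
}

uint64_t vmcb_get_sccs(const vmcb_t *v)
{
    uint64_t addr;
    memcpy(&addr, v->bytes + SCCS_PTR_OFFSET, sizeof addr);
    return addr;
}

/* Two control blocks belong to the same secure virtual machine when their
 * address fields hold the same SCCS start address. Assumption of this
 * example: an address field of 0 means "no SCCS", so two blocks without
 * an SCCS are never treated as one secure virtual machine. */
int same_secure_vm(const vmcb_t *a, const vmcb_t *b)
{
    uint64_t sa = vmcb_get_sccs(a);
    uint64_t sb = vmcb_get_sccs(b);
    return sa != 0 && sa == sb;
}

/* Access between the virtual processors of two control blocks is allowed
 * only inside one secure virtual machine and refused otherwise. */
int vcpu_access_allowed(const vmcb_t *src, const vmcb_t *dst)
{
    return same_secure_vm(src, dst);
}

/* Steps S20-S22: given n control blocks, put the blocks that point to the
 * same SCCS into the same group. group[i] receives the group index of
 * block i, or -1 if block i has no SCCS. Returns the number of groups,
 * i.e. the number of distinct secure virtual machines seen. */
size_t group_by_sccs(const vmcb_t blocks[], size_t n, int group[])
{
    size_t groups = 0;
    for (size_t i = 0; i < n; i++) {
        group[i] = -1;
        if (vmcb_get_sccs(&blocks[i]) == 0)
            continue;
        for (size_t j = 0; j < i; j++) {
            if (group[j] >= 0 && same_secure_vm(&blocks[i], &blocks[j])) {
                group[i] = group[j];
                break;
            }
        }
        if (group[i] < 0)
            group[i] = (int)groups++;
    }
    return groups;
}

int main(void)
{
    static vmcb_t blocks[3];               /* constructed control blocks 1..3 */
    const uint64_t sccs1 = 0x100000ULL;    /* constructed SCCS start addresses */
    const uint64_t sccs2 = 0x200000ULL;
    int group[3];

    vmcb_set_sccs(&blocks[0], sccs1);
    vmcb_set_sccs(&blocks[1], sccs1);
    vmcb_set_sccs(&blocks[2], sccs2);

    size_t vms = group_by_sccs(blocks, 3, group);
    printf("secure virtual machines: %zu\n", vms);
    for (size_t i = 0; i < 3; i++)
        printf("control block %zu -> group %d\n", i + 1, group[i]);
    printf("block 1 -> block 2 access: %s\n",
           vcpu_access_allowed(&blocks[0], &blocks[1]) ? "allow" : "refuse");
    printf("block 1 -> block 3 access: %s\n",
           vcpu_access_allowed(&blocks[0], &blocks[2]) ? "allow" : "refuse");
    return 0;
}
```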
The embodiment of the present invention can restrict the virtual machine control block and the SCCS of the secure virtual machine to secure memory, so that the virtual machine manager cannot modify the control information and state information about the secure virtual machine in the virtual machine control block. As an alternative implementation, the embodiment of the present invention can also allow part of the information in the virtual machine control block to be modified by the host; for example, the SCCS can define which information in the virtual machine control block the host is allowed to modify.
Optionally, Table 1 below gives an example of the fields of the SCCS and their descriptions, for reference.
Table 1
Optionally, the embodiment of the present invention can further isolate a secure memory control region (Secure Memory Control Region, SMCR) within the secure memory of the secure virtual machine and store the virtual machine control block of the secure virtual machine in it, so that neither a virtual machine nor the host (such as the virtual machine manager) can access the SMCR; the SMCR is accessed by the secure processor or the host virtual machine.
Optionally, for the case where the memory includes ordinary memory and secure memory and dedicated secure memory is isolated for the secure virtual machine, Fig. 8 shows a schematic of an architecture with an SMCR. As shown in Fig. 8, the virtual machine control block of the secure virtual machine is not maintained by the virtual machine manager of the host; instead, an SMCR is further isolated within the secure memory of the secure virtual machine, the SMCR stores the virtual machine control block of the secure virtual machine, and the secure processor or the host virtual machine manages the virtual machine control block and the page table of the secure virtual machine.
Meanwhile, the page table of the secure virtual machine is stored in the secure memory of the secure virtual machine, and a control register of the virtual machine control block stored in the SMCR points to the page table of the secure virtual machine. The secure page table can manage the mapping of the physical addresses of the secure memory, implementing the mapping from the virtual machine physical addresses of the secure virtual machine to host physical addresses.
In the embodiment of the present invention, the page table of the secure virtual machine can be protected by secure memory (for example, the page table can be the page table mapping virtual machine physical addresses to host physical addresses); that is, the secure memory should store at least the page table of the secure virtual machine and can of course also store the data of the secure virtual machine. In the embodiment of the present invention, a page table protected by secure memory can be called a secure page table.
It should be noted that the page table referred to in the embodiment of the present invention can be, for example, the page table mapping virtual machine physical addresses to host physical addresses; it is not specific to any one virtualization technology but is applicable to all possible virtualization technologies. In one possible virtualization technology, the page table referred to in the embodiment of the present invention can be a nested page table, and correspondingly a page table protected by secure memory can be called a secure nested page table.
Memory is usually managed in units of memory pages, using multi-level page tables. The last-level page table stores mappings from virtual addresses to physical addresses, called page table entries; in the page tables other than the last level, an upper-level page table stores mappings from virtual addresses to lower-level page tables, called page directories.
It can be seen that, in the embodiment of the present invention, the virtual machine control block of the secure virtual machine is located in the secure memory control region and the start address of the page table of the secure virtual machine is located in secure memory. For an ordinary virtual machine, the virtual machine control block is not located in secure memory (and therefore not in the SMCR either), and the start address of its page table is not located in secure memory.
As an optional implementation, on the basis that the address range of a secure memory region is indicated by physical registers, the embodiment of the present invention can set specific physical registers with a special flag bit to indicate the address range of the secure memory control region. For example, the address range of the secure memory control region can be indicated by a pair of specific physical registers with the special flag bit, where one of them indicates the start address of the secure memory control region and the other indicates its size.
It can be seen that the embodiment of the present invention can allocate to the secure virtual machine secure memory protected by a security protection mechanism, and the secure memory may include multiple secure memory regions. A secure memory control region can be isolated from at least one of the multiple secure memory regions to store the virtual machine control block of the secure virtual machine. The part of the multiple secure memory regions that is not the secure memory control region can be used to store at least the page table and the security code control information structure of the secure virtual machine, and the virtual machine control block stored in the secure memory control region can point to the page table of the secure virtual machine stored outside the secure memory control region.
As an optional implementation, the address range of a secure memory region can be indicated by physical registers, and the specific physical registers that indicate the address range of the secure memory control region have a special flag bit.
When the address fields (start addresses) in the virtual machine control blocks of the same secure virtual machine are initialized to the same value (for example, by the secure processor or the host virtual machine), the virtual machine control blocks of the secure virtual machine are, in the embodiment of the present invention, stored in the SMCR, and no device other than the secure processor (or the host virtual machine) can access the SMCR. Therefore, by setting the management code of the secure processor or the host virtual machine not to modify the data of the address field during the life cycle of the secure virtual machine, it can be guaranteed that the address fields in the virtual machine control blocks of the same secure virtual machine, once initialized to the same value, do not change during the whole life cycle of the secure virtual machine. Thus, however the virtual machine control blocks of the same secure virtual machine are adjusted, they point to the same security code control information structure.
The above describes multiple embodiment schemes provided by the embodiment of the present invention. The optional modes introduced by each embodiment scheme can, where they do not conflict, be combined and cross-referenced with one another to extend into many possible embodiment schemes, all of which are considered to be embodiment schemes disclosed by the embodiment of the present invention.
The information setting device provided by the embodiment of the present invention is introduced below. The information setting device described below may be regarded as the functional device that the secure processor or the host virtual machine needs in order to define the security code control information structure. The content of the information setting device described below and the description above can be referred to in correspondence with each other.
The information setting device provided by the embodiment of the present invention may include:
A definition module (not shown), configured to define a security code control information structure for a secure virtual machine, where the security code control information structure describes the overall initial state of the secure virtual machine;
Wherein the virtual machine control block of the secure virtual machine reserves an address field for saving the start address of the security code control information structure of the secure virtual machine.
Optionally, virtual machine control blocks that point to the same security code control information structure belong to one secure virtual machine, and each virtual machine control block that points to the same security code control information structure belongs to one virtual processor of that secure virtual machine.
Optionally, the security code control information structure also defines the modification attributes of the information in the virtual machine control block of the secure virtual machine, and the modification attributes include modifiable and non-modifiable.
The control device provided by the embodiment of the present invention is introduced below. The control device described below may be regarded as the functional device that the CPU core needs in order to implement the control method provided by the embodiment of the present invention. The content of the control device described below and the description above can be referred to in correspondence with each other.
Fig. 9 is a block diagram of the control device provided by the embodiment of the present invention. Referring to Fig. 9, the control device may include:
A security code control information structure obtaining module 100, configured to obtain the security code control information structure defined for a secure virtual machine when target information of the virtual machine control block of the secure virtual machine needs to be modified; where the security code control information structure describes the overall initial state of the secure virtual machine and defines the modification attributes of the information in the virtual machine control block of the secure virtual machine, the modification attributes including modifiable and non-modifiable; and the virtual machine control block of the secure virtual machine and the security code control information structure are stored in secure memory;
A modification attribute determining module 110, configured to determine the modification attribute of the target information according to the security code control information structure;
A modification allowing module 120, configured to allow the target information to be modified if the modification attribute of the target information is modifiable;
A modification refusing module 130, configured to refuse to modify the target information if the modification attribute of the target information is non-modifiable.
Optionally, the security code control information structure can define the modification attribute of each field of information in the virtual machine control block of the secure virtual machine.
Optionally, the virtual machine control block may include control area information and state save area information; the control area information includes multiple items of control information of the virtual machine control block, and the state save area information includes multiple items of state information of the virtual machine control block;
Accordingly, the security code control information structure can define the modification attribute defined for each item of control information of the control area information and the modification attribute defined for each item of state information of the state save area information.
Optionally, the modification attributes of the control information of the control area information may include modifiable and non-modifiable; the modification attribute of the state save area information can be non-modifiable.
Optionally, the modifiable attribute can be represented by a flag with the first value and the non-modifiable attribute by a flag with the second value, the first value and the second value being logical opposites.
Optionally, the flag can be represented by a bit value.
Optionally, Fig. 10 shows another block diagram of the control device provided by the embodiment of the present invention. With reference to Fig. 9 and Fig. 10, the control device can also include:
A detection module 140, configured to detect whether the security code control information structures pointed to by at least two virtual machine control blocks are the same; where the virtual machine control block of a secure virtual machine reserves an address field for saving the start address of the security code control information structure of the secure virtual machine, and the address fields in the virtual machine control blocks of the same secure virtual machine are initialized to the same value, so that the different virtual machine control blocks of the same secure virtual machine point to the same security code control information structure;
A determining module 150, configured to determine that the virtual processors corresponding to the at least two virtual machine control blocks belong to the same secure virtual machine if the security code control information structures pointed to by the at least two virtual machine control blocks are the same.
Optionally, Fig. 11 shows a further block diagram of the control device provided by the embodiment of the present invention. With reference to Fig. 10 and Fig. 11, the control device can also include:
An access allowing module 160, configured to allow access between the virtual processors corresponding to the at least two virtual machine control blocks if the security code control information structures pointed to by the at least two virtual machine control blocks are the same;
An access refusing module 170, configured to refuse access between the virtual processors corresponding to the at least two virtual machine control blocks if the security code control information structures pointed to by the at least two virtual machine control blocks are different.
Optionally, the embodiment of the present invention also provides a CPU core that includes the control device described above.
Optionally, the embodiment of the present invention also provides a chip, for example an SoC chip, which may include a secure processor and the CPU core described above.
Optionally, the embodiment of the present invention also provides an electronic device, which may include the chip described above. The electronic device can be a terminal device or a server device.
Although the embodiments of the present invention are disclosed as above, the present invention is not limited to them. Anyone skilled in the art can make various changes and modifications without departing from the spirit and scope of the present invention, so the protection scope of the present invention shall be the scope defined by the claims.

Claims (17)

1. An information setting method, characterized by comprising:
defining a security code control information structure for a secure virtual machine, the security code control information structure describing the overall initial state of the secure virtual machine;
wherein the virtual machine control block of the secure virtual machine reserves an address field for saving the start address of the security code control information structure of the secure virtual machine.
2. The information setting method according to claim 1, characterized in that virtual machine control blocks that point to the same security code control information structure belong to one secure virtual machine, and each virtual machine control block that points to the same security code control information structure belongs to one virtual processor of that secure virtual machine.
3. The information setting method according to claim 1, characterized in that the security code control information structure also defines the modification attributes of the information in the virtual machine control block of the secure virtual machine, the modification attributes including modifiable and non-modifiable.
4. A control method, characterized in that it is based on the security code control information structure defined by the information setting method according to any one of claims 1-3, the control method comprising:
when target information of the virtual machine control block of a secure virtual machine needs to be modified, obtaining the security code control information structure defined for the secure virtual machine; wherein the security code control information structure describes the overall initial state of the secure virtual machine and defines the modification attributes of the information in the virtual machine control block of the secure virtual machine, the modification attributes including modifiable and non-modifiable; and the virtual machine control block of the secure virtual machine and the security code control information structure are stored in secure memory;
determining the modification attribute of the target information according to the security code control information structure;
if the modification attribute of the target information is modifiable, allowing the target information to be modified;
if the modification attribute of the target information is non-modifiable, refusing to modify the target information.
5. The control method according to claim 4, characterized in that the security code control information structure defining the modification attributes of the information in the virtual machine control block of the secure virtual machine comprises:
the security code control information structure defining the modification attribute of each field of information in the virtual machine control block of the secure virtual machine.
6. The control method according to claim 5, characterized in that the virtual machine control block includes control area information and state save area information; the control area information includes multiple items of control information of the virtual machine control block, and the state save area information includes multiple items of state information of the virtual machine control block;
the security code control information structure defining the modification attribute of each field of information in the virtual machine control block of the secure virtual machine comprises:
the security code control information structure defining the modification attribute defined for each item of control information of the control area information, and the modification attribute defined for each item of state information of the state save area information.
7. The control method according to claim 6, characterized in that the modification attributes of the control information of the control area information include modifiable and non-modifiable; the modification attribute of the state information of the state save area information is non-modifiable.
8. The control method according to claim 4, characterized in that the modifiable attribute is represented by a flag with the first value and the non-modifiable attribute is represented by a flag with the second value, the first value and the second value being logical opposites.
9. The control method according to claim 8, characterized in that the flag is represented by a bit value.
10. The control method according to claim 4, characterized by further comprising:
detecting whether the security code control information structures pointed to by at least two virtual machine control blocks are the same; wherein the virtual machine control block of the secure virtual machine reserves an address field for saving the start address of the security code control information structure of the secure virtual machine, and the address fields in the virtual machine control blocks of the same secure virtual machine are initialized to the same value, so that the different virtual machine control blocks of the same secure virtual machine point to the same security code control information structure;
if the security code control information structures pointed to by the at least two virtual machine control blocks are the same, determining that the virtual processors corresponding to the at least two virtual machine control blocks belong to the same secure virtual machine.
11. The control method according to claim 10, characterized by further comprising:
if the security code control information structures pointed to by the at least two virtual machine control blocks are the same, allowing access between the virtual processors corresponding to the at least two virtual machine control blocks;
if the security code control information structures pointed to by the at least two virtual machine control blocks are different, refusing access between the virtual processors corresponding to the at least two virtual machine control blocks.
12. The control method according to claim 4 or 10, characterized in that a secure memory control region is further isolated from the secure memory to store the virtual machine control block of the secure virtual machine; the part of the secure memory that is not the secure memory control region stores at least the page table of the secure virtual machine and the security code control information structure; and the virtual machine control block of the secure virtual machine points to the page table of the secure virtual machine.
13. An information setting device, characterized by comprising:
a definition module, configured to define a security code control information structure for a secure virtual machine, the security code control information structure describing the overall initial state of the secure virtual machine;
wherein the virtual machine control block of the secure virtual machine reserves an address field for saving the start address of the security code control information structure of the secure virtual machine.
14. A control device, characterized by comprising:
a security code control information structure obtaining module, configured to obtain the security code control information structure defined for a secure virtual machine when target information of the virtual machine control block of the secure virtual machine needs to be modified; wherein the security code control information structure describes the overall initial state of the secure virtual machine and defines the modification attributes of the information in the virtual machine control block of the secure virtual machine, the modification attributes including modifiable and non-modifiable; and the virtual machine control block of the secure virtual machine and the security code control information structure are stored in secure memory;
a modification attribute determining module, configured to determine the modification attribute of the target information according to the security code control information structure;
a modification allowing module, configured to allow the target information to be modified if the modification attribute of the target information is modifiable;
a modification refusing module, configured to refuse to modify the target information if the modification attribute of the target information is non-modifiable.
15. A CPU core, characterized by comprising the control device according to claim 14.
16. A chip, characterized by comprising a secure processor and the CPU core according to claim 15.
17. An electronic device, characterized by comprising the chip according to claim 16.
CN201910060502.6A 2018-11-22 2019-01-22 Information setting method, control method, device and related equipment Active CN109901911B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2018114018390 2018-11-22
CN201811401839 2018-11-22

Publications (2)

Publication Number Publication Date
CN109901911A true CN109901911A (en) 2019-06-18
CN109901911B CN109901911B (en) 2023-07-07

Family

ID=66861836

Family Applications (3)

Application Number Title Priority Date Filing Date
CN201910060494.5A Active CN109858265B (en) 2018-11-22 2019-01-22 Encryption method, device and related equipment
CN201910059800.3A Active CN109828827B (en) 2018-11-22 2019-01-22 Detection method, detection device and related equipment
CN201910060502.6A Active CN109901911B (en) 2018-11-22 2019-01-22 Information setting method, control method, device and related equipment

Family Applications Before (2)

Application Number Title Priority Date Filing Date
CN201910060494.5A Active CN109858265B (en) 2018-11-22 2019-01-22 Encryption method, device and related equipment
CN201910059800.3A Active CN109828827B (en) 2018-11-22 2019-01-22 Detection method, detection device and related equipment

Country Status (1)

Country Link
CN (3) CN109858265B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110348204B (en) * 2019-06-17 2023-05-16 海光信息技术股份有限公司 Code protection system, authentication method, authentication device, chip and electronic equipment
CN110380854A (en) * 2019-08-12 2019-10-25 南京芯驰半导体科技有限公司 For root key generation, partition method and the root key module of multiple systems
CN111045605B (en) * 2019-12-12 2023-10-20 海光信息技术股份有限公司 Technical scheme for improving system security by utilizing processor cache and security processor
CN111143900B (en) * 2019-12-24 2023-09-26 海光信息技术(苏州)有限公司 Data processing and access control method, system, device, equipment and storage medium
US11604671B2 (en) 2020-03-19 2023-03-14 Red Hat, Inc. Secure virtual machine and peripheral device communication
CN111984374B (en) * 2020-08-20 2021-07-23 海光信息技术股份有限公司 Method for managing secure memory, system, apparatus and storage medium therefor
CN111949376B (en) * 2020-08-24 2021-12-17 海光信息技术股份有限公司 Virtual machine system and method for virtual machine system
CN111949995B (en) * 2020-08-25 2021-07-16 海光信息技术股份有限公司 Host CPU architecture system and method for safely managing hardware resources
CN112363797B (en) * 2020-10-19 2022-04-05 海光信息技术股份有限公司 Virtual machine safe operation method, electronic equipment and storage medium
CN112363800B (en) * 2020-11-10 2023-03-07 海光信息技术股份有限公司 Network card memory access method, security processor, network card and electronic equipment
CN112363801B (en) * 2020-11-10 2022-10-21 海光信息技术股份有限公司 Virtual machine migration method, processing method, system, device, chip and medium
CN112433817B (en) * 2020-11-27 2022-11-25 海光信息技术股份有限公司 Information configuration method, direct storage access method and related device
CN112748984B (en) * 2020-12-28 2022-12-06 海光信息技术股份有限公司 Virtual machine data processing method, virtual machine data control method, processor, chip, device and medium
CN112540833B (en) * 2020-12-28 2022-11-11 海光信息技术股份有限公司 Process running method and device, processor, storage medium and electronic equipment
CN113342735B (en) * 2021-06-28 2024-04-16 海光信息技术股份有限公司 Processor chip and electronic equipment
CN113485785B (en) * 2021-06-28 2023-10-27 海光信息技术股份有限公司 Virtual trusted platform module realization method, secure processor and storage medium
CN114564724A (en) * 2021-12-30 2022-05-31 海光信息技术股份有限公司 Method and device for protecting memory integrity of virtual machine, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150143533A1 (en) * 2013-11-21 2015-05-21 Nxp B.V. Method of generating a structure and corresponding structure
CN106293873A (en) * 2016-07-29 2017-01-04 北京北信源软件股份有限公司 One accurately obtains the method for critical data position in virtual machine control block (VMCS)
CN106970823A (en) * 2017-02-24 2017-07-21 上海交通大学 Efficient secure virtual machine guard method and system based on nested virtualization
CN107341115A (en) * 2017-06-30 2017-11-10 联想(北京)有限公司 Virtual machine memory access method, system and electronic equipment
CN107368354A (en) * 2017-08-03 2017-11-21 致象尔微电子科技(上海)有限公司 A kind of secure virtual machine partition method
CN107562515A (en) * 2017-08-04 2018-01-09 致象尔微电子科技(上海)有限公司 A kind of method of the managing internal memory in virtualization technology

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050204357A1 (en) * 2004-03-15 2005-09-15 Ajay Garg Mechanism to protect extensible firmware interface runtime services utilizing virtualization technology
EP1811387A4 (en) * 2004-08-25 2016-04-13 Nec Corp Information communication device, and program execution environment control method
CN101719825A (en) * 2009-04-30 2010-06-02 中兴通讯股份有限公司 Method and system for realizing safe bifurcation call session in IP multimedia subsystem
CN102752301A (en) * 2012-07-04 2012-10-24 深圳市京华科讯科技有限公司 Data transmission system and data transmission method applied to virtualized environment
JP6324127B2 (en) * 2014-03-14 2018-05-16 三菱電機株式会社 Information processing apparatus, information processing method, and program
FR3020160B1 (en) * 2014-04-16 2017-08-11 Commissariat Energie Atomique SYSTEM FOR EXECUTING A CODE WITH BLIND HYPERVISION MECHANISM
US9454497B2 (en) * 2014-08-15 2016-09-27 Intel Corporation Technologies for secure inter-virtual-machine shared memory communication
CN104572488B (en) * 2015-02-13 2017-11-17 西安酷派软件科技有限公司 EMS memory management process, memory management device and terminal
CN106295267B (en) * 2015-06-09 2019-04-19 阿里巴巴集团控股有限公司 It is a kind of access electronic equipment physical memory in private data method and apparatus
CN106445628A (en) * 2015-08-11 2017-02-22 华为技术有限公司 Virtualization method, apparatus and system
CN105718794B (en) * 2016-01-27 2018-06-05 华为技术有限公司 The method and system of safeguard protection are carried out to virtual machine based on VTPM
CN107038128B (en) * 2016-02-03 2020-07-28 华为技术有限公司 Virtualization of execution environment, and access method and device of virtual execution environment
US10536274B2 (en) * 2016-03-31 2020-01-14 Intel Corporation Cryptographic protection for trusted operating systems
US10303899B2 (en) * 2016-08-11 2019-05-28 Intel Corporation Secure public cloud with protected guest-verified host control
CN107450962B (en) * 2017-07-03 2020-04-24 北京东土科技股份有限公司 Exception handling method, device and system in virtualized operation environment
CN108599930B (en) * 2018-04-02 2021-05-14 湖南国科微电子股份有限公司 Firmware encryption and decryption system and method
CN108804203B (en) * 2018-06-15 2019-06-21 四川大学 VTPM private information guard method based on label

Also Published As

Publication number Publication date
CN109828827B (en) 2023-10-27
CN109858265A (en) 2019-06-07
CN109901911B (en) 2023-07-07
CN109828827A (en) 2019-05-31
CN109858265B (en) 2022-01-28

Similar Documents

Publication Publication Date Title
CN109901911A (en) A kind of information setting method, control method, device and relevant device
CN109800050B (en) Memory management method, device, related equipment and system of virtual machine
CN109766164B (en) Access control method, memory management method and related device
US9898624B2 (en) Multi-core processor based key protection method and system
CN103026347B (en) Virtual machine memory in multicore architecture divides
CN109766165A (en) A kind of memory access control method, device, Memory Controller Hub and computer system
CN108055133B (en) Key security signature method based on block chain technology
US8464069B2 (en) Secure data access methods and apparatus
US20040093505A1 (en) Open generic tamper resistant CPU and application system thereof
CN110348204B (en) Code protection system, authentication method, authentication device, chip and electronic equipment
CN107092495A (en) Platform firmware armouring technology
US20080263256A1 (en) Logic Device with Write Protected Memory Management Unit Registers
CN109739613B (en) Maintenance method and access control method of nested page table and related device
US10360370B2 (en) Authenticated access to manageability hardware components
CN103136124B (en) A kind of intelligent card hardware firewall system and its implementation
CN106716435B (en) Interface between a device and a secure processing environment
CN112639789A (en) Integrity tree for memory integrity checking
US11748493B2 (en) Secure asset management system
CN103309819B (en) Embedded system and internal memory method for managing security therein
CN107563226A (en) A kind of Memory Controller, processor module and key updating method
CN116126463A (en) Memory access method, configuration method, computer system and related devices
CN115994389A (en) Hardware memory encryption system based on RISC-V architecture and application thereof
JP6079151B2 (en) System setting information updating apparatus, system setting information updating system, system setting information updating method, and system setting information updating program
US20240080193A1 (en) Counter integrity tree
You et al. KVSEV: A Secure In-Memory Key-Value Store with Secure Encrypted Virtualization

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 300384 industrial incubation-3-8, North 2-204, No. 18, Haitai West Road, Tianjin Huayuan Industrial Zone, Binhai New Area, Tianjin

Applicant after: Haiguang Information Technology Co.,Ltd.

Address before: 300384 industrial incubation-3-8, North 2-204, No. 18, Haitai West Road, Tianjin Huayuan Industrial Zone, Binhai New Area, Tianjin

Applicant before: HAIGUANG INFORMATION TECHNOLOGY Co.,Ltd.

GR01 Patent grant