CN110007849B - Memory controller and method for access control of memory module - Google Patents

Memory controller and method for access control of memory module Download PDF

Info

Publication number
CN110007849B
CN110007849B CN201810321501.8A CN201810321501A CN110007849B CN 110007849 B CN110007849 B CN 110007849B CN 201810321501 A CN201810321501 A CN 201810321501A CN 110007849 B CN110007849 B CN 110007849B
Authority
CN
China
Prior art keywords
data
command
buffer
access command
memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810321501.8A
Other languages
Chinese (zh)
Other versions
CN110007849A (en
Inventor
山岗
杨崇和
李毅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Montage Technology Shanghai Co Ltd
Original Assignee
Montage Technology Shanghai Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Montage Technology Shanghai Co Ltd filed Critical Montage Technology Shanghai Co Ltd
Priority to US15/952,246 priority Critical patent/US10983711B2/en
Priority to US16/239,549 priority patent/US10936212B2/en
Publication of CN110007849A publication Critical patent/CN110007849A/en
Application granted granted Critical
Publication of CN110007849B publication Critical patent/CN110007849B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/14Handling requests for interconnection or transfer
    • G06F13/16Handling requests for interconnection or transfer for access to memory bus
    • G06F13/1668Details of memory controller
    • G06F13/1673Details of memory controller using buffers
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0602Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/062Securing storage systems
    • G06F3/0622Securing storage systems in relation to access
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0628Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0655Vertical data movement, i.e. input-output transfer; data movement between one or more hosts and one or more storage devices
    • G06F3/0658Controller construction arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0668Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/067Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]

Abstract

A memory controller and a method for access control to a memory module are disclosed. A memory controller is coupled between the memory module and a host controller to control access of the host controller to the memory module, the memory controller comprising: a central buffer coupled to the host controller for receiving data access commands from the host controller and coupled to the memory module for providing encrypted data access commands to the memory module; the central buffer comprises an access command processing module, a data access command processing module and a data processing module, wherein the access command processing module is used for carrying out encryption processing on the data access command by using a preset command encryption algorithm to generate an encrypted data access command; a data channel coupled between the memory module and the host controller, the memory module and the host controller interacting data via the data channel under control of the encrypted data access commands.

Description

Memory controller and method for access control of memory module
Technical Field
The present application relates to the field of memory technologies, and more particularly, to a memory controller and a method for performing access control on a memory module.
Background
The rapid development of internet technology enables network devices such as computers and mobile terminals to communicate with each other. Through these interconnected network devices, people can obtain information very conveniently. However, data and information security issues are increasingly highlighted while facilitating information retrieval. Networked devices are vulnerable to attack by unauthorized external devices for casual or malicious reasons, resulting in the destruction, leakage, or alteration of internal data.
Accordingly, there is a need to improve existing computers or other electronic devices to improve their data security.
Disclosure of Invention
An object of the present application is to provide a memory controller and a method for access control of a memory module to improve data security thereof.
According to one aspect of the present application, there is provided a memory controller coupled between a memory module and a host controller to control access of the host controller to the memory module, the memory controller including: a central buffer coupled to the host controller for receiving data access commands from the host controller and coupled to the memory module for providing encrypted data access commands to the memory module; wherein the central buffer comprises an access command processing module having a predetermined command encryption algorithm, the access command processing module being configured to encrypt the data access command with the predetermined command encryption algorithm to generate the encrypted data access command; and wherein the memory module and the host controller are coupled to each other by a data channel, the memory module and the host controller interacting data via the data channel under control of the encrypted data access command.
In some embodiments, the data access command and the encrypted data access command include respective access addresses, the encryption process being such that an access address included in the encrypted data access command is different from an access address included in the data access command.
In some embodiments, the central buffer receives an algorithm configuration command to configure the predetermined command encryption algorithm in the access command processing module, wherein the interface of the central buffer for receiving the algorithm configuration command is an interface for receiving a data access command or a system management bus interface.
In some embodiments, the predetermined command encryption algorithm in the access command processing module is set at startup of the memory controller.
In some embodiments, the access command processing module further has a predetermined command decryption algorithm, the data access command received by the memory controller is a pre-encrypted data access command, and the memory controller is further configured to decrypt the pre-encrypted data access command with the predetermined command decryption algorithm, so as to further encrypt the decrypted data access command with the predetermined command encryption algorithm.
In some embodiments, the memory controller further comprises: a data buffer coupled in the data channel and coupled to the central buffer to receive the encrypted data access command from the central buffer, whereby the host controller and the memory module interact data via the data channel including the data buffer under control of the encrypted data access command.
In some embodiments, the data buffer comprises a data processing module having at least one of a predetermined data encryption algorithm and a predetermined data decryption algorithm; the data processing module is used for receiving data from the main controller or the storage module, carrying out encryption processing on the data by the preset data encryption algorithm, and sending the encrypted data to the main controller or the storage module; or the data processing module is used for receiving the encrypted data from the main controller or the storage module, decrypting the encrypted data by the predetermined data decryption algorithm, and sending the decrypted data to the main controller or the storage module.
In some embodiments, the data processing module has a predetermined data encryption algorithm and a predetermined data decryption algorithm; the data processing module is used for receiving the pre-encrypted data from the main controller, decrypting the pre-encrypted data by the preset data decryption algorithm, further encrypting the decrypted data by the preset data encryption algorithm, and sending the encrypted data to the storage module.
In some embodiments, the central buffer and the data buffer are coupled to each other via a data buffer control bus, and the data processing module receives an algorithm configuration command via the data buffer control bus, wherein the algorithm configuration command is used to configure at least one of the predetermined data encryption algorithm and the predetermined data decryption algorithm.
In some embodiments, the predetermined data encryption algorithm and the predetermined data decryption algorithm in the data processing module are set at startup of the memory controller.
In some embodiments, the memory module and the memory controller conform to a JEDEC double rate synchronous dynamic random access memory standard, the central buffer being integrated in a register clock driver.
According to another aspect of the present application, there is also provided a memory controller coupled between a memory module and a host controller to control access of the host controller to the memory module, the memory controller including: a central buffer coupled to the host controller for receiving data access commands from the host controller and coupled to the memory modules for providing data access commands to the memory modules; a data buffer coupled to the central buffer for receiving the data access commands from the central buffer and coupled between the host controller and the memory modules for interacting data between the host controller and the memory modules under control of the data access commands; and wherein the data buffer comprises a data processing module having at least one of a predetermined data encryption algorithm and a predetermined data decryption algorithm; the data processing module is used for receiving data from the main controller or the storage module, carrying out encryption processing on the data by the preset data encryption algorithm, and sending the encrypted data to the main controller or the storage module; or the data processing module is used for receiving the encrypted data from the main controller or the storage module, decrypting the encrypted data by the predetermined data decryption algorithm, and sending the decrypted data to the main controller or the storage module.
In yet another aspect of the present application, there is also provided a method for access control of a memory module coupled to a host controller through a memory controller and coupled to the host controller through a data channel, the memory controller including a central buffer having an access command processing module, wherein the access command processing module has a predetermined command encryption algorithm for encryption processing of data access commands; the method comprises the following steps: receiving, by the central buffer, a data access command; encrypting, by the central buffer, the data access command to generate the encrypted data access command; providing, by the central buffer, the encrypted data access command to the storage module; and interacting data between the host controller and the memory module via the data channel according to the encrypted data access command.
In yet another aspect of the present application, there is also provided a method for access control of a memory module coupled to a host controller through a memory controller, the memory controller including a central buffer and a data buffer having a data processing module, wherein the data processing module has at least one of a predetermined data encryption algorithm and a predetermined data decryption algorithm; the method comprises the following steps: receiving, by the central buffer, a data access command; according to the data access command, the central buffer controls the data buffer to receive data from the main controller or the storage module, the data processing module carries out encryption processing on the data by the predetermined data encryption algorithm and sends the encrypted data to the main controller or the storage module; or according to the data access command, the central buffer controls the data buffer to receive encrypted data from the main controller or the storage module, the data processing module decrypts the encrypted data by the predetermined data decryption algorithm, and sends the decrypted data to the main controller or the storage module.
The foregoing is a summary of the application that may be simplified, generalized, and details omitted, and thus it should be understood by those skilled in the art that this section is illustrative only and is not intended to limit the scope of the application in any way. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
Drawings
The above-described and other features of the present disclosure will become more fully apparent from the following description and appended claims, taken in conjunction with the accompanying drawings. It is appreciated that these drawings depict only several embodiments of the disclosure and are therefore not to be considered limiting of its scope. The present disclosure will be described more clearly and in detail by using the accompanying drawings.
FIG. 1 illustrates a memory system 100 according to one embodiment of the present application;
FIG. 2 illustrates an exemplary structure of a center buffer 200 according to one embodiment of the present application;
FIG. 3 illustrates an exemplary structure of a data buffer 300 according to one embodiment of the present application;
FIG. 4 illustrates a memory system 400 according to one embodiment of the present application;
FIG. 5 illustrates a method 500 for access control to a memory module according to one embodiment of the present application;
FIG. 6 illustrates a method 600 for access control to a memory module according to one embodiment of the present application.
Detailed Description
In the following detailed description, reference is made to the accompanying drawings, which form a part hereof. In the drawings, like reference numerals generally refer to like parts throughout the various views unless the context dictates otherwise. The illustrative embodiments described in the detailed description, drawings, and claims are not intended to be limiting. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter of the present application. It will be understood that aspects of the present disclosure, as generally described in the present disclosure and illustrated in the figures herein, may be arranged, substituted, combined, and designed in a wide variety of different configurations, all of which form part of the present disclosure.
FIG. 1 illustrates a memory system 100 according to one embodiment of the present application.
As shown in fig. 1, the memory system 100 includes a memory module 102, which is configured as a memory module in the present embodiment, for storing data. In some embodiments, the memory modules 102 may be memory modules compliant with the JEDEC double-rate Synchronous Dynamic Random Access Memory (SDRAM) standards, including, for example, JEDEC DDR, DDR2, DDR3, DDR4, and other double-rate memory standards. In addition, the memory module 102 may also be an internal memory conforming to other standards or protocols, such as an SDRAM or RAMBUS internal memory. In some embodiments, the storage module 102 may include volatile memory (e.g., random access memory), non-volatile memory (flash memory), or a combination of both. It should be noted that the memory module 102 described herein may be one memory granule, and may also include two or more memory granules.
As shown in FIG. 1, the memory system 100 also includes a memory controller 104 having a center buffer 106 and a data buffer (DB _ P) 108. In particular, the central buffer 106 is coupled between the host controller 110 and the memory modules 102, which may receive data access commands including access addresses and access types from the host controller 110. For example, the data access command may be a command to access (e.g., read or write) a data storage address (i.e., access address) in the memory module 102. A data buffer 108 is coupled between the memory module 102 and the host controller 110 for exchanging data between the memory module 102 and the host controller 110 under the control of the central buffer 106. For DDR3 or DDR4 standard memory systems, the central buffer may be integrated in a Registered Clock Driver (RCD). Accordingly, the central buffer is coupled to the main controller 110 via a Command/Address (C/A) bus to receive data access commands. For memory systems that conform to the DDR4 standard, the C/A bus (i.e., the DCA bus shown in FIG. 1) may include pins A0-A17, pins BG0-BG1, and/or pins BA0-BA 1. The pins BG0-BG1 are used to determine which Bank Group (Memory Bank Group) in the Memory module 102 is processed, for example, written to or read from; pins BA0-BA1 are used to determine which Bank (Memory Bank) in Memory module 102 is processed; while pins a0-a17 are used to address and determine which memory cell in a bank is being processed. In addition, the inputs of the three pins, A16(RAS _ n), A15(CAS _ n), and A14(WE _ n), may be used to determine data access commands that are input, such as read commands, write commands, and other predefined control commands.
Unlike the existing center buffer, an access command processing module (CA _ P)112, which may be configured as a module having data processing and arithmetic capabilities, is provided in the center buffer 106. In some embodiments, the access command processing module 112 may be implemented by software, hardware, firmware, or a combination thereof. For example, the access command processing module 112 may be an application specific integrated circuit or a field programmable logic array chip. The access command processing module 112 may process the data access command received from the master controller 110 to generate a modified data access command.
Further, the access command processing module 112 may provide the modified data access command to the memory module 102 and the data buffer 108 so that both may continue to perform data access operations according to the modified data access command. In some embodiments, the access command processing module 112 may generate one or more access addresses from the access addresses included in the data access command, which may be provided to the memory module 102 for addressing use in the access. For example, the QCA bus may be configured between the memory modules 102 and the central buffer 106 for signal and command interaction therebetween. Meanwhile, the access command processing module 112 also generates a corresponding access type according to the access type of the data access command, so that the data buffer 108 can control data interaction between the accessed memory unit in the memory module 102 and the main controller 110 according to the generated access type.
The access command processing module 112 may generate the modified data access command in various desired ways. In some embodiments, the access command processing module may encode the access address in the data access command such that the modified data access command includes the encoded access address. In other embodiments, the access command processing module may process the access address in the data access command with a predetermined address processing algorithm to generate a set of access addresses based on the access address. Each access address in the set of newly generated access addresses may correspond to a modified data access command. Alternatively, these modified data access commands may have the same access type as the original data access commands. For example, the data access command received from the master controller 110 may be a data access command to read one access address in the memory module 102, and the newly generated modified data access command may be a data access command to read a plurality of access addresses associated with the access address.
In some embodiments, the access command processing module 112 may have a predetermined command encryption algorithm and/or a predetermined command decryption algorithm. The access command processing module 112 may encrypt an access address included in the received data access command by using a command encryption algorithm, so that the encrypted access address is different from the access address before encryption (in a clear text manner). The encrypted access address may be included in the modified data access command, i.e. as an encrypted data access command. In this way, the encrypted data access commands may, in turn, be provided to the memory module 102 and the data buffer 108 to control the data buffer 108 to exchange data between the memory module 102 and the host controller 110. It will be appreciated that the encrypted data access commands provided to the memory module 102 and the data buffer 108 as described herein may be complete commands or portions of complete access commands. For example, a data access command may generally include an access address and an access type. For the memory module 102 to address, it need only obtain the encrypted access address included in the encrypted data access command from the central buffer 106. For example, a memory location in the memory module 102 corresponding to the encrypted access address may be addressed for data access. Similarly, for the data buffer 108, it needs to obtain information of the access type (e.g., read or write) from the central buffer 106. Thus, the memory module 102 and the data buffer 108 complete data access under the control of the encrypted data access commands provided by the central buffer 106. It should be noted that the difference between the encrypted access address and the access address before encryption does not mean that the two are necessarily different, but means that the two are different in a statistical sense (in most cases). In some cases, depending on the encryption rules of the command encryption algorithm, there is a certain probability that the encrypted access address is the same as the unencrypted access address (e.g., for 50 access addresses, one before and after encryption is the same).
It should be noted that the process of encrypting or decrypting data and/or addresses is substantially similar to the process of scrambling or descrambling, and thus the encryption referred to in this application includes scrambling, and the decryption includes descrambling.
For example, data accesses by the host controller 110 to the memory module 102 may include, for example, read operations and write operations. When a write operation is performed, the main controller 110 sends an unencrypted write operation command to the central buffer 106. Wherein the unencrypted write operation command points to a first address in the memory module 102. Accordingly, the central buffer 106 encrypts the write operation command with a predetermined command encryption algorithm, thereby generating an encrypted write operation command. Wherein the encrypted write operation command points to a second address in the memory module 102. Based on the second address, data received from the master controller 110 is written into the memory module 102 via the data buffer 108. On the other hand, when a read operation is performed, the main controller 110 sends an unencrypted read operation command to the center buffer 106, the read operation command being used to read data corresponding to the first address, for example. Accordingly, the central buffer 106 performs an encryption process on the read operation command in a predetermined command encryption algorithm, thereby generating an encrypted read operation command. Since the same command encryption algorithm is used for encrypting the read operation command and the write operation command, the encrypted read operation command also points to the second address in the memory module 102. Thus, data written to the second address at the time of the write operation can be correctly read out.
It can be seen that during the encrypted access described above, access between the memory controller 104 and the memory module 102 is encrypted. Without knowing the information of the predetermined command encryption algorithm, the main controller 110 cannot know which address in the memory module 102 stores the desired data. Therefore, an illegal program running on the main controller 110, or other illegal programs, cannot access data in a desired memory module 102 by transmitting the address of the designated memory module, which greatly improves the security of data access.
In some embodiments, the data access command received from the master controller 110 may be a pre-encrypted data access command. For example, the main controller 110 may encrypt the data access command using a predetermined command encryption algorithm a and generate a pre-encrypted data access command. Accordingly, the central buffer 106, upon receiving the pre-encrypted data access command, decrypts the pre-encrypted data access command with the corresponding command decryption algorithm a', thereby obtaining an unencrypted data access command. Then, the central buffer 106 further encrypts the unencrypted data access command with the command encryption algorithm B therein, so as to obtain a secondarily encrypted data access command. Based on the twice encrypted data access command, data received from the master controller 110 may be written to the memory module 102. It can be seen that this approach also cryptographically processes command communications between the host controller 110 and the memory controller 104, which further improves the security of the storage system.
The access command processing module 112 has a predetermined command encryption algorithm and/or command decryption algorithm. These algorithms may be configured by configuration information stored in a register table. As previously described, the host controller 110 may send data access commands to the central buffer 106 via a Command/Address (C/A) bus. In some embodiments, the master controller 110 may send an algorithm configuration command to the central buffer 106 over the same bus, which may be used to configure a command encryption algorithm or decryption algorithm in the access command processing module 112. As such, the access command processing module 112 may be loaded with the command encryption algorithm and/or the command decryption algorithm, or the command encryption algorithm and/or the command decryption algorithm already in the access command processing module 112 may be modified or configured. For example, the algorithm configuration command may be transmitted using some signal lines of a command/address bus for transmitting a Mode Register Set (MRS). In other embodiments, the main controller 110 may send the algorithm configuration commands to the central buffer 106 on a different interface/bus. For example, the algorithm configuration command may be sent to the central buffer 106 through a System Management Bus (SMBus) interface. Since these dedicated interfaces are often inaccessible to illegal programs, the use of these interfaces to send algorithm configuration commands helps to increase the security of the system.
In some embodiments, the loading or modification of the command encryption algorithm and/or command decryption algorithm may be dynamic, i.e., when the memory controller 104 is started (powered up), these algorithms are loaded into the access command processing module 112; the data and configuration of these algorithms will be cleared when the memory controller 104 is powered down, or when the central buffer 106 is reset.
In the embodiment shown in fig. 1, in addition to the access command processing module 112 provided at the center buffer 106, a data processing module (D _ P)114 is provided in the data buffer 108. The data processing module 114 may receive data from the host controller 110 and/or the memory module 102 to which it is coupled, process the received data in a predetermined data processing algorithm, and then transmit the processed data to the host controller 110 and/or the memory module 102. In some embodiments, when the main controller 110 instructs to read data from the memory module 102, the data buffer 108 may buffer the data received from the memory module 102 and the data is processed by the data processing module 114. Thus, the data obtained by the main controller 110 is processed data. In other embodiments, when the main controller 110 instructs to write data to the memory module 102, the data buffer 108 may also buffer data received from the main controller 110 and the data is processed by the data processing module 114 and then written to the memory module 102. Thus, the data stored in the storage module 102 is processed data.
In some embodiments, the data processing module 114 may receive data from the memory module 102 and process the data, thereby sending the processed data to the memory module 102. In other words, thanks to the data processing module 114 in the data buffer 108, data can be processed directly in the memory controller 104 without being transferred to the main controller 110 for processing, which greatly reduces data interaction between the main controller 110 and the memory module 102 and can effectively improve data processing efficiency.
Similar to the access command processing module 112, the data processing module 114 may have a predetermined data encryption algorithm and/or a predetermined data decryption algorithm. The data encryption algorithm may encrypt data, and the data decryption algorithm may decrypt encrypted data. Depending on the source and destination of the data, complex encryption/decryption processes may be implemented using the data processing module 114, thereby increasing the security of the entire memory module.
In some embodiments, the data processing module 114 may have a matching data encryption algorithm and data decryption algorithm. In a write operation, the data buffer 108 may receive data from the main controller 110 and the data is encrypted by the data processing module 114 in a data encryption algorithm and the encrypted data is written to the memory module 102. Accordingly, in performing a read operation, the data buffer 108 may read encrypted data from the memory module 102, perform a decryption process on the encrypted data in a data decryption algorithm, and transmit the decrypted data to the main controller 110. It can be seen that since the data stored in the storage module 102 is encrypted data, it is difficult for an illegal program to decrypt the data to obtain correct data content even if the data is obtained, which improves the security of the storage system.
In other embodiments, the data processing module 114 may have only a data encryption algorithm for encrypting data read from the memory module 102 so that the data buffer 108 may send the encrypted data to the main controller 110. Accordingly, the main controller 110 may have a matching data decryption algorithm, thereby performing a decryption process on the encrypted data. In other words, the read operation of the memory module 102 by the main controller 110 is encrypted, and only a legitimate program (having or capable of invoking a matching data decryption algorithm) can decrypt the read data and obtain the correct data content.
In other embodiments, the data processing module 114 may have multiple data encryption algorithms and data decryption algorithms. For example, the data sent by the master controller 110 to the memory controller 104 may be pre-encrypted data (using a data encryption algorithm C). When a write operation is performed, the data buffer 108 receives the pre-encrypted data from the main controller 110 and the pre-encrypted data is decrypted by the data processing module 114 with a matching data decryption algorithm C' resulting in decrypted data. Meanwhile, the data processing module 114 has another data encryption algorithm D and a data decryption algorithm D'. Further, the data processing module 114 may perform a further encryption process on the decrypted data with the data encryption algorithm D to obtain re-encrypted data, so that the data buffer 108 may write the re-encrypted data into the storage module 102. Accordingly, when a read operation is performed, the data buffer 108 receives encrypted data from the memory module 102 and performs a decryption process on the encrypted data by the data decryption algorithm D', thereby obtaining decrypted data. The data buffer 108 may then send the decrypted data to the main controller 110.
In still other embodiments, the data processing module 114 may also perform rewrite operations on the data. In this case, the data processing module 114 may perform decryption processing on the encrypted data stored in the storage module 102 with a predetermined data decryption algorithm, and then modify the decrypted data with a predetermined data processing algorithm. The data processing module 114 may then re-encrypt the modified data with a predetermined data encryption algorithm and write the encrypted data back to the storage module 102.
In some embodiments, the data buffer 108 may include a plurality of data buffer unit groups 108i, and each data buffer unit group 108i corresponds to one data processing sub-module 114 i. In addition to each data processing submodule 114i being coupled in a link of the data buffer unit group 108i in which it is located, the different data processing submodules 114i are coupled to each other through a bidirectional interface BOP (e.g., BOP01, BOP12 … BOP67, and BOP70 in fig. 1) so that data can be exchanged between the plurality of data buffer unit groups 108 i. Data interaction between different data buffer unit groups 108i can satisfy the requirements of various data operation operations. In some embodiments, the BOP interface may be a two-wire, bi-directional bus structure comprising a clock and 1-bit bi-directional data lines, with bi-directional data interaction via a agreed-upon protocol. In other embodiments, the interface may be a three-wire bus structure including a clock, a transmit direction indicator signal, and 1-bit bidirectional data lines. The bandwidth of the BOP interface may be increased by increasing the number of bidirectional data lines.
The data processing module 114 may be responsive to operational commands provided by the central buffer 106. For example, the operation command may be transmitted through a data buffer control Bus (BCOM) between the center buffer 106 and the data buffer 108. In some memory systems conforming to the DDR4 standard, such as the M88DDR4DB02 and M88DDR4RCD02 chips provided by the incorporated by reference (shanghai) co.
In some embodiments, the data processing module 114 may receive an algorithm configuration command over the data buffer control bus, wherein the algorithm configuration command is to configure at least one of a predetermined data encryption algorithm and a predetermined data decryption algorithm.
In some embodiments, the loading or modification of the data encryption algorithm and/or the data decryption algorithm may be dynamic, i.e., when the memory controller 104 is started (powered up), the algorithms are loaded into the access command processing module 112; and when the memory controller 104 is powered down, or when the data buffer 108 is reset, the data and configuration of these algorithms will be cleared.
In the embodiment shown in fig. 1, both the access command processing module 112 and the data processing module 114 are included, so that after the access command processing module 112 encrypts the data access command, the data processing module 114 can encrypt/decrypt the data according to the encrypted data access command, and further interact the encrypted/decrypted data between the storage module 102 and the main controller 110. In some embodiments, the processing of data access commands or encrypted data access commands by the central buffer 106 may determine the encryption and/or decryption operations that the data processing module 114 is to specifically perform. Accordingly, the central buffer 106 may provide the data processing module 114 with an encryption or decryption algorithm or indication to be specifically performed, and the data processing module 114 may process the data according to the obtained related information.
It will be appreciated that in actual practice, the memory controller may include only one of the access command processing module 112 and the data processing module 114. For example, the memory controller may include only the access command processing module 112 to generate encrypted data access commands, which may instruct the data buffer 108 not to modify data but only to perform conventional read, write, etc. operations. For another example, the memory controller may also only include the data processing module 114 to encrypt or decrypt the buffered data, and the specific type of data operation may be determined by the data access command provided by the central buffer 106 through the BCOM bus.
FIG. 2 illustrates an exemplary configuration of a center buffer 200 according to one embodiment of the present application.
As shown in fig. 2, the central buffer 200 includes two signal paths coupled between a receiving side (D side) and an output side (Q side), respectively a buffer 202 and an access command processing module 204. For the path of the buffer 202, after receiving a data access command (CMD & ADDR) including an access address and an access type, the buffer 202 does not perform additional processing on the data access command, but merely buffers the command and then outputs it from the output side. And for the access command processing module 204, it includes a calculation unit 206 and a control unit 208. When receiving a data access command sent by a main control module (not shown), the host determines whether address processing and corresponding operation command generation are required according to a preset trigger condition, that is, whether the data access command needs to be modified. When the trigger condition is satisfied, the access command processing module 204 performs encryption processing using the calculation unit 206, and generates an encrypted data access command. Thereafter, the control unit 208 switches the output of the central buffer 200 from the buffer 202 to the output of the access command processing module 204 through a Multiplexer (MUX), and sends a corresponding control signal to each data processing module (not shown in the figure) of the data buffer through the BCOM bus, so as to instruct the data processing modules to perform corresponding data processing operations.
In some embodiments, the buffer 202 and the access command processing module 204 may be configured by configuration information stored in a register table, which may be modified by the SMBus interface.
FIG. 3 illustrates an exemplary structure of a data buffer 300 according to one embodiment of the present application
As shown in FIG. 3, the data buffer 300 includes two data paths coupled between the host controller side and the memory module side, respectively via a bi-directional buffer 302 and via a data processing module 304. For the path of bi-directional buffer 302, it does not process the received data, but merely buffers the data. And for the data processing module 304 it comprises a calculation unit 306 and a control unit 308. Wherein the computing unit 306 also interacts data with the data processing modules of the adjacent data buffers through the BOP interface. Therefore, the computing unit 306 can perform corresponding encryption and/or decryption processing on the data according to the control command received by the control unit 308 from the BCOM bus. When the operation requires data of other data buffers, the data processing module 304 may perform data interaction with an adjacent data buffer through a BOP interface, where the BOP _ L interface is used for data interaction with the data buffer on the left side, and the BOP _ R interface is used for data interaction with the data buffer on the right side.
In some embodiments, the bi-directional buffer 302 and the data processing module 304 may be configured by configuration information stored in a register table.
It should be noted that the circuit structures of the center buffer and the data buffer shown in fig. 2 and 3 are merely exemplary, and in practical applications, the circuit structures may be modified as needed.
In the Memory system 100 shown in FIG. 1, data interaction between the Memory module 102 and the host controller 110 is performed via a data buffer 108, such as a low-Load Dual-Inline Memory module (LRDIMM). In other words, the data buffer 108 is implemented as part of the data path between the memory module 102 and the host controller 110. In some alternative embodiments, the data path between the memory module 102 and the host controller 110 may not include the data buffer 108.
FIG. 4 illustrates a memory system 400 according to one embodiment of the present application. As shown in FIG. 4, in the memory system 400, a memory module 402 and a host controller 410 are coupled to each other via a data channel 405 to exchange data therebetween. Unlike the memory system 100 of FIG. 1, there are no data buffers coupled between the data channels 405. In some embodiments, memory system 400 may employ, for example, a Registered dual inline memory module/module (RDIMM, Registered DIMM).
In addition, the memory system 400 also includes a central buffer 406 that is coupled to the main controller 410 via a command/address bus DCA and to the memory modules 402 via a buffered command/address bus QCA. Similar to the central buffer 106 shown in FIG. 1, the central buffer 406 may include an access command processing module having a predetermined command encryption algorithm. Central buffer 406 may receive data access commands from host controller 410 and encrypt the data access commands to generate encrypted data access commands. The central buffer 406 may then send the encrypted data access command to the memory module 402 via the buffered command/address bus QCA. Thus, in response to the encrypted data access command, the central buffer 406 directly controls the addressing of the memory module 402 so that the memory module 402 can write data to or read data from the host controller 410. In some embodiments, the algorithm configuration command may be sent to the central buffer 406 through a system management bus (SMBus).
For more functions and characteristics of the center buffer 406, reference may be made to the description of the center buffer 106 in the embodiment shown in fig. 1, and further description is omitted here.
The memory controller of the embodiments of the present application may be applied to a memory, and such a memory system may also be used in a different computer system.
FIG. 5 illustrates a method 500 for access control to a memory module according to one embodiment of the present application. The method 500 may be performed by a memory controller, such as that shown in FIG. 1, or by a memory controller, such as that shown in FIG. 4.
As shown in fig. 5, the method 500 includes:
step 502, receiving a data access command by a central buffer;
step 504, encrypting the data access command by the central buffer to generate an encrypted data access command;
step 506, providing the encrypted data access command to the storage module by the central buffer; and
at step 508, data is exchanged between the host controller and the memory module according to the encrypted data access command via the data channel.
In some embodiments, a data buffer is coupled in the data channel.
In some embodiments, the data access command and the encrypted data access command include respective access addresses, the encryption process being such that an access address included in the encrypted data access command is different from an access address included in the data access command.
In some embodiments, the predetermined command encryption algorithm in the access command processing module is set at startup of the memory controller.
In some embodiments, the access command processing module further has a predetermined command decryption algorithm, the data access command received by the central buffer is a pre-encrypted data access command, the method further comprising:
decrypting, by the central buffer, the pre-encrypted data access command with the predetermined command decryption algorithm prior to the step of encrypting, by the central buffer, the data access command to generate the encrypted data access command.
FIG. 6 illustrates a method 600 for access control to a memory module according to one embodiment of the present application. The method 600 may be performed by, for example, a memory controller as shown in FIG. 1.
As shown in fig. 6, in step 602, a data access command is received by a central buffer; and
in step 604, according to the data access command, the central buffer controls the data buffer to receive data from the main controller or the storage module, the data processing module encrypts the data by using a predetermined data encryption algorithm, and sends the encrypted data to the main controller or the storage module; or
And according to the data access command, the central buffer controls the data buffer to receive the encrypted data from the main controller or the storage module, the processing module decrypts the encrypted data by using a preset data decryption algorithm, and the decrypted data is sent to the main controller or the storage module.
In some embodiments, prior to the step of sending the decrypted data to the host controller or the storage module, the method further comprises:
the decrypted data is subjected to encryption processing with the predetermined data encryption algorithm, and then the encrypted data is transmitted to the main controller or the storage module.
In some embodiments, the predetermined data encryption algorithm and the predetermined data decryption algorithm in the data processing module are set at startup of the memory controller.
For further details of embodiments of the method of the present application, reference may be made to the description relating to embodiments of the apparatus of the present application.
It should be noted that although in the above detailed description several steps of the method for access control of a memory module and several modules or sub-modules of a memory controller are mentioned, this division is only exemplary and not mandatory. Indeed, according to embodiments of the application, the features and functions of two or more modules described above may be embodied in one module. Conversely, the features and functions of one module described above may be further divided into embodiments by a plurality of modules.
Other variations to the disclosed embodiments can be understood and effected by those skilled in the art from a study of the specification, the disclosure, the drawings, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the words "a" or "an" do not exclude a plurality. In the practical application of the present application, one element may perform the functions of several technical features recited in the claims. Any reference signs in the claims shall not be construed as limiting the scope.

Claims (19)

1. A memory controller coupled between a memory module and a host controller to control access of the host controller to the memory module, the memory controller comprising:
a central buffer having a receive side coupled to a command/address bus to receive data access commands from the host controller, and an output side on an opposite side of the receive side and coupled to the memory modules, the central buffer comprising:
a buffer coupled between the receive side and the output side to buffer data access commands;
an access command processing module coupled in parallel with the buffer between the receiving side and the output side, the access command processing module having a predetermined command encryption algorithm and configured to receive a data access command transmitted through the command/address bus and to perform an encryption process on the data access command with the predetermined command encryption algorithm to generate the encrypted data access command and transmit the encrypted data access command to the output side; wherein the access command and the encrypted data access command include respective access addresses, the encryption processing being such that an access address included in the encrypted data access command is different from an access address included in the data access command; and
a multiplexer coupled to an output side of the central buffer to switchably output the data access command buffered by the buffer or the encrypted data access command generated by the access command processing module to the memory module;
wherein the storage module and the host controller are coupled to each other through a data channel, and the storage module and the host controller interact data through the data channel under the control of the encrypted data access command.
2. The memory controller according to claim 1, wherein the central buffer receives an algorithm configuration command to configure the predetermined command encryption algorithm in the access command processing module, wherein an interface of the central buffer for receiving the algorithm configuration command is an interface for receiving a data access command or a system management bus interface.
3. The memory controller according to claim 1, wherein the predetermined command encryption algorithm in the access command processing module is set at startup of the memory controller.
4. The memory controller of claim 1, wherein the access command processing module further has a predetermined command decryption algorithm, the data access command received by the memory controller is a pre-encrypted data access command, and the memory controller is further configured to decrypt the pre-encrypted data access command with the predetermined command decryption algorithm, so as to further encrypt the decrypted data access command with the predetermined command encryption algorithm.
5. The memory controller of claim 1, further comprising:
a data buffer coupled in the data channel and coupled to the central buffer to receive the encrypted data access command from the central buffer, whereby the host controller and the memory module interact data via the data channel including the data buffer under control of the encrypted data access command.
6. The memory controller of claim 5, wherein the data buffer comprises a data processing module having at least one of a predetermined data encryption algorithm and a predetermined data decryption algorithm;
the data processing module is used for receiving data from the main controller or the storage module, carrying out encryption processing on the data by the preset data encryption algorithm, and sending the encrypted data to the main controller or the storage module; or
The data processing module is used for receiving the encrypted data from the main controller or the storage module, decrypting the encrypted data by the predetermined data decryption algorithm, and sending the decrypted data to the main controller or the storage module.
7. The memory controller of claim 6, wherein the data processing module has a predetermined data encryption algorithm and a predetermined data decryption algorithm;
the data processing module is used for receiving the pre-encrypted data from the main controller, decrypting the pre-encrypted data by the preset data decryption algorithm, further encrypting the decrypted data by the preset data encryption algorithm, and sending the encrypted data to the storage module.
8. The memory controller of claim 6, wherein the central buffer and the data buffer are coupled to each other via a data buffer control bus, and wherein the data processing module receives an algorithm configuration command via the data buffer control bus, wherein the algorithm configuration command is used to configure at least one of the predetermined data encryption algorithm and the predetermined data decryption algorithm.
9. The memory controller according to claim 6, wherein the predetermined data encryption algorithm and the predetermined data decryption algorithm in the data processing module are set at startup of the memory controller.
10. The memory controller of claim 1, wherein the memory module and the memory controller conform to JEDEC double rate synchronous dynamic random access memory standards, the central buffer being integrated in a register clock driver.
11. A memory comprising the memory controller of any one of claims 1 to 10 and a memory module.
12. A computer system comprising the memory of claim 11.
13. A method for access control of a memory module, the memory module coupled to a host controller through a memory controller and coupled to the host controller through a data channel, the memory controller including a central buffer having a receive side coupled to a command/address bus and an output side coupled to the memory module, the central buffer comprising:
a buffer coupled between the receive side and the output side to buffer data access commands;
an access command processing module coupled in parallel with the buffer between the receiving side and the output side, the access command processing module having a predetermined command encryption algorithm for encrypting data access commands; and
a multiplexer coupled to an output side of the center buffer;
the method comprises the following steps:
receiving a data access command via a receiving side of the central buffer;
receiving, by the access command processing module, the data access command transmitted through the command/address bus;
encrypting, by the central buffer, the data access command to generate the encrypted data access command, the encrypting being such that an access address included in the encrypted data access command is different from an access address included in the data access command;
providing the encrypted data access command to the memory module via an output side of the central buffer;
switchably outputting the data access command buffered by the buffer or the encrypted data access command generated by the access command processing module to the memory module via the multiplexer;
exchanging data between the host controller and the memory module according to the encrypted data access command via the data channel.
14. The method of claim 13, wherein a data buffer is coupled in the data channel.
15. The method according to claim 13, wherein the predetermined command encryption algorithm in the access command processing module is set at startup of the memory controller.
16. The method of claim 13, wherein the access command processing module further has a predetermined command decryption algorithm, wherein the data access commands received by the central buffer are pre-encrypted data access commands, and wherein the method further comprises:
decrypting, by the central buffer, the pre-encrypted data access command with the predetermined command decryption algorithm prior to the step of encrypting, by the central buffer, the data access command to generate the encrypted data access command.
17. A method for access control of a memory module, the memory module coupled to a host controller through a memory controller, the memory controller including a central buffer and a data buffer, the central buffer having a receive side coupled to a command/address bus and an output side coupled to the memory module, the central buffer comprising:
a buffer coupled between the receive side and the output side to buffer data access commands;
an access command processing module coupled between the receiving side and the output side in parallel with the buffer, the access command processing module having a predetermined command encryption algorithm; and
a multiplexer coupled to an output side of the center buffer;
wherein the data buffer has a data processing module having at least one of a predetermined data encryption algorithm and a predetermined data decryption algorithm;
the method comprises the following steps:
receiving a data access command via a receiving side of the central buffer;
receiving, by the access command processing module, the data access command transmitted through the command/address bus; encrypting, by the central buffer, the data access command with the predetermined command encryption algorithm to generate an encrypted data access command, wherein the encryption by the central buffer causes an access address included in the encrypted data access command to be different from an access address included in the data access command;
switchably outputting the data access command buffered by the buffer or the encrypted data access command generated by the access command processing module to the memory module via the multiplexer; and
according to the encrypted data access command, the central buffer controls the data buffer to receive data from the main controller or the storage module, the data processing module encrypts the data by the preset data encryption algorithm and sends the encrypted data to the main controller or the storage module; or
According to the encrypted data access command, the central buffer controls the data buffer to receive encrypted data from the main controller or the storage module, the data processing module decrypts the encrypted data by the predetermined data decryption algorithm, and sends the decrypted data to the main controller or the storage module.
18. The method of claim 17, wherein the step of sending the decrypted data to the host controller or the storage module comprises:
the decrypted data is subjected to encryption processing with the predetermined data encryption algorithm, and then the encrypted data is transmitted to the main controller or the storage module.
19. The method of claim 17, wherein the predetermined data encryption algorithm and the predetermined data decryption algorithm in the data processing module are set at startup of the memory controller.
CN201810321501.8A 2018-01-04 2018-04-11 Memory controller and method for access control of memory module Active CN110007849B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US15/952,246 US10983711B2 (en) 2018-01-04 2018-04-13 Memory controller, method for performing access control to memory module
US16/239,549 US10936212B2 (en) 2018-01-04 2019-01-04 Memory controller, method for performing access control to memory module

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201810008762 2018-01-04
CN2018100087624 2018-01-04
CN2018100645885 2018-01-23
CN201810064588 2018-01-23

Publications (2)

Publication Number Publication Date
CN110007849A CN110007849A (en) 2019-07-12
CN110007849B true CN110007849B (en) 2021-03-12

Family

ID=67164770

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201810321501.8A Active CN110007849B (en) 2018-01-04 2018-04-11 Memory controller and method for access control of memory module
CN201810929033.2A Active CN110008148B (en) 2018-01-04 2018-08-15 Memory controller and method for access control of memory module

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN201810929033.2A Active CN110008148B (en) 2018-01-04 2018-08-15 Memory controller and method for access control of memory module

Country Status (1)

Country Link
CN (2) CN110007849B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110007849B (en) * 2018-01-04 2021-03-12 澜起科技股份有限公司 Memory controller and method for access control of memory module
US10936212B2 (en) 2018-01-04 2021-03-02 Montage Technology Co., Ltd. Memory controller, method for performing access control to memory module
US10983711B2 (en) 2018-01-04 2021-04-20 Montage Technology Co., Ltd. Memory controller, method for performing access control to memory module

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1536311A1 (en) * 2003-11-28 2005-06-01 Bull S.A. Modular cryptographic system with high flow rate
CN103154963A (en) * 2010-10-05 2013-06-12 惠普发展公司,有限责任合伙企业 Scrambling an address and encrypting write data for storing in a storage device
CN105868125A (en) * 2015-01-23 2016-08-17 澜起科技(上海)有限公司 Buffer memory as well as apparatus and method used for controlling internal memory data access
CN110008148A (en) * 2018-01-04 2019-07-12 澜起科技股份有限公司 Memory Controller and for accessing the method for control to memory module

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101869059B1 (en) * 2012-02-28 2018-06-20 삼성전자주식회사 Storage device and memory controller thereof

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1536311A1 (en) * 2003-11-28 2005-06-01 Bull S.A. Modular cryptographic system with high flow rate
CN103154963A (en) * 2010-10-05 2013-06-12 惠普发展公司,有限责任合伙企业 Scrambling an address and encrypting write data for storing in a storage device
CN105868125A (en) * 2015-01-23 2016-08-17 澜起科技(上海)有限公司 Buffer memory as well as apparatus and method used for controlling internal memory data access
CN110008148A (en) * 2018-01-04 2019-07-12 澜起科技股份有限公司 Memory Controller and for accessing the method for control to memory module

Also Published As

Publication number Publication date
CN110007849A (en) 2019-07-12
CN110008148B (en) 2021-03-12
CN110008148A (en) 2019-07-12

Similar Documents

Publication Publication Date Title
US9489540B2 (en) Memory controller with encryption and decryption engine
US9483664B2 (en) Address dependent data encryption
US10097349B2 (en) Systems and methods for protecting symmetric encryption keys
US9537656B2 (en) Systems and methods for managing cryptographic keys in a secure microcontroller
US10936212B2 (en) Memory controller, method for performing access control to memory module
CN110008147B (en) Memory controller and method for accessing memory module
CN110007849B (en) Memory controller and method for access control of memory module
US9152576B2 (en) Mode-based secure microcontroller
US10983711B2 (en) Memory controller, method for performing access control to memory module
EP4109270A1 (en) Memory bus integrity and data encryption (ide)
CN112887077B (en) SSD main control chip random cache confidentiality method and circuit
US20210067323A1 (en) Method and Apparatus for Ensuring Integrity of Keys in a Secure Enterprise Key Manager Solution
US11886624B2 (en) Crypto device, integrated circuit and computing device having the same, and writing method thereof
US11636046B1 (en) Latency free data encryption and decryption between processor and memory
US11288406B1 (en) Fast XOR interface with processor and memory
US11226768B2 (en) Memory controller and method for accessing memory module
US10929029B2 (en) Memory controller and method for accessing memory modules and processing sub-modules
KR102660388B1 (en) Memory module, oprtation method of memory module, memory system and operation method of memory system
CN113448891B (en) Memory controller and method for monitoring access to memory modules
US20200218671A1 (en) Semiconductor device, semiconductor system, and system
US11550929B2 (en) Memory system
KR20200129595A (en) Memory module, oprtation method of memory module, memory system and operation method of memory system
US20160202314A1 (en) Test circuit and method of semiconductor device
US20210406410A1 (en) Method and device to ensure a secure memory access

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant