CN111090869A - Data encryption method, processor and computer equipment - Google Patents
Data encryption method, processor and computer equipment Download PDFInfo
- Publication number
- CN111090869A CN111090869A CN201911300244.0A CN201911300244A CN111090869A CN 111090869 A CN111090869 A CN 111090869A CN 201911300244 A CN201911300244 A CN 201911300244A CN 111090869 A CN111090869 A CN 111090869A
- Authority
- CN
- China
- Prior art keywords
- data
- memory
- encrypted
- address
- processor
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Storage Device Security (AREA)
Abstract
The application relates to a data encryption method, a processor and computer equipment, and belongs to the technical field of computers. The method comprises the following steps: the security processor acquires physical memory information to be encrypted; the safety processor generates an indication command based on the physical memory information, wherein the indication command carries a data length, a source address for reading data from the memory and a destination address for writing the data into the memory, and the data length is used for reading corresponding data; and the safety processor sends the instruction command to the password coprocessor to enable the password coprocessor to execute the instruction command so as to encrypt the data to be encrypted, which is read from the memory space pointed by the source address and corresponds to the data length, and write the encrypted data into the memory space pointed by the destination address. The DMA hardware module of the password coprocessor executes the instruction command to replace the existing pure software method, so that the encryption speed of the memory of the virtual machine is improved, and the whole starting time of the virtual machine is effectively reduced.
Description
Technical Field
The application belongs to the technical field of computers, and relates to a data encryption method, a processor and computer equipment.
Background
In a current hardware platform supporting a secure virtualization technology, memory data of a virtual machine is encrypted by a virtual machine encryption key. In the whole life cycle of the virtual machine operation, the encryption and decryption processes of the physical memory for storing the virtual machine data are all completed by the memory controller. However, in the starting stage of the virtual machine, the virtual machine monitor needs to perform encryption processing once on the physical memory storing the virtual machine data in advance by means of a Security Processor (PSP) to ensure that the memory data read from the memory during the starting process of the virtual machine can be correctly decrypted by the memory controller.
Disclosure of Invention
In view of this, an object of the present application is to provide a data encryption method, a processor, and a computer device, so as to overcome the defects of slow speed and low operating efficiency of the existing processing method for copying memory data by using a software program in a secure processor.
The embodiment of the application is realized as follows:
in a first aspect, an embodiment of the present application provides a data encryption method, where the method includes: the security processor acquires physical memory information to be encrypted; the safety processor generates an indication command based on the physical memory information, wherein the indication command carries a data length, a source address for reading data from a memory and a destination address for writing data into the memory, and the data length is used for reading corresponding data; and the safety processor sends the indication command to a password coprocessor to enable the password coprocessor to execute the indication command so as to encrypt data to be encrypted, which is read from a memory space pointed by the source address and corresponds to the data length, and then write the encrypted data into the memory space pointed by the destination address. In the embodiment of the application, the indication command is packaged to the password coprocessor by the security processor, and then the DMA (direct memory access) hardware module of the password coprocessor is used for executing the indication command to replace the existing pure software method, so that the encryption speed of the memory of the virtual machine based on the security virtual machine technology is improved, and the whole starting time of the virtual machine is effectively reduced.
With reference to a possible implementation manner of the embodiment of the first aspect, the generating, by the security processor, an indication command based on the physical memory information, where the generating the indication command includes: the security processor acquires a physical address and the data length in the physical memory information; the security processor marks a source address for reading data from the memory space pointed by the physical address as unencrypted, and marks a destination address for writing data into the memory space as encrypted; and the safety processor encapsulates the data length, the source address and the destination address to generate the indication command. In the embodiment of the application, the memory controller is controlled to encrypt the written-back data by configuring the encryption flag bit, the encryption function of the memory controller is fully utilized to encrypt the data, and the encryption speed of the memory of the virtual machine can be improved to the maximum extent.
With reference to a possible implementation manner of the embodiment of the first aspect, the generating, by the secure processor, an indication command based on the physical memory information includes: the security processor acquires a physical address and the data length in the physical memory information; the security processor obtains a source address used for reading data from the memory space pointed by the physical address and a destination address used for writing data into the memory space based on the physical address; and the safety processor encapsulates the data length, the source address and the destination address to generate the indication command. In the embodiment of the application, the encryption function of the password coprocessor is used for encrypting the write-back data, so that the security processor does not need to configure the encryption mark bit when generating the indication command, and the time for configuring the encryption mark bit can be saved.
With reference to a possible implementation manner of the embodiment of the first aspect, before the secure processor encapsulates the data length, the source address, and the destination address, and generates the indication command, the method further includes: the safety processor judges whether the width of a physical address bus of the safety processor is smaller than that of a physical address bus of the memory; when yes, the secure processor maps the physical address bus width of the source address from the physical address bus width of the memory to the own physical address bus width, and maps the physical address bus width of the destination address from the physical address bus width of the memory to the own physical address bus width. In the embodiment of the application, before the indication command is generated by encapsulating the required information, whether the physical address bus width of the memory is lower than that of the memory is judged, if so, the address mapping processing needs to be performed on the source address and the destination address, the physical address bus widths of the source address and the destination address are mapped to the physical address bus width of the memory from the physical address bus width of the memory, then the safety processor encapsulates the data length, the mapped source address and the mapped destination address to generate the indication command, so that the memory controller can successfully finish the memory access, and the success rate of the memory controller accessing the memory is ensured.
With reference to one possible implementation manner of the embodiment of the first aspect, the sending, by the secure processor, the indication command to the cryptographic coprocessor includes: and the safety processor sends the indication command to the password coprocessor through the middleware. In the embodiment of the application, a data channel is not directly established between the security processor and the password coprocessor, but asynchronous communication is realized through middleware, so that the requirement on equipment is reduced, and the receiving equipment and the sending equipment do not need to use the same clock.
In a second aspect, an embodiment of the present application further provides a data encryption method, where the method includes: the password coprocessor receives an indication command sent by a security processor, wherein the indication command comprises: the method comprises the following steps of (1) writing data into a memory according to the data length, a source address for reading the data from the memory and a destination address with an encrypted mark bit for writing the data into the memory; the cipher coprocessor sends a read instruction to a memory controller so that the memory controller reads data to be encrypted corresponding to the data length from a memory space pointed by the source address based on the read instruction, wherein the read instruction carries the data length and the source address; when the password coprocessor receives the data to be encrypted returned by the memory controller, the password coprocessor sends a write instruction to the memory controller, so that the memory controller encrypts the data to be encrypted and writes the encrypted data into a memory space pointed by the destination address based on the write instruction, wherein the write instruction carries the data to be encrypted and the destination address. In the embodiment of the application, the indication command is packaged to the password coprocessor through the security processor, and then the DMA hardware module of the password coprocessor executes the indication command to replace the existing pure software method, so that the encryption speed of the memory of the virtual machine based on the security virtual machine technology is improved, the whole starting time of the virtual machine is effectively reduced, meanwhile, the encryption function of the memory controller is fully utilized to realize the encryption of data, and the encryption speed of the memory of the virtual machine can be improved to the maximum extent.
In a third aspect, an embodiment of the present application further provides a data encryption method, where the method includes: the password coprocessor receives an indication command sent by a security processor, wherein the indication command comprises: the data length is used for reading a source address of data from a memory and writing a destination address of the data into the memory; the cipher coprocessor sends a read instruction to a memory controller so that the memory controller reads data to be encrypted corresponding to the data length from a memory space pointed by the source address based on the read instruction, wherein the read instruction carries the data length and the source address; the password coprocessor encrypts the data to be encrypted and sends a write instruction to the memory controller, so that the memory controller writes the encrypted data into a memory space pointed by the destination address based on the write instruction, wherein the write instruction carries the encrypted data to be written and the destination address. In the embodiment of the application, the indication command is packaged to the password coprocessor through the security processor, and then the DMA hardware module of the password coprocessor executes the indication command to replace the existing pure software method, so that the encryption speed of the memory of the virtual machine based on the security virtual machine technology is improved, the whole starting time of the virtual machine is effectively reduced, and meanwhile, the write-back data is encrypted by the encryption function of the password coprocessor, so that the encryption mark bit does not need to be configured, and the time for configuring the encryption mark bit can be saved.
With reference to a possible implementation manner of the third aspect, when the destination address carries identification information for characterizing an identity of a virtual machine, the cryptographic coprocessor encrypts the data to be encrypted, including: and the password coprocessor selects a key corresponding to the identification information to encrypt the data to be encrypted. In the embodiment of the application, different keys are distributed to different virtual machines, so that when the data of the virtual machines are encrypted, the keys corresponding to the identification information are selected to encrypt the data to be encrypted, and the security of the data can be further improved.
In a fourth aspect, an embodiment of the present application further provides a processor, including: a security processor and a cryptographic coprocessor; the security processor is used for acquiring physical memory information to be encrypted; the password coprocessor is used for generating an indication command based on the physical memory information and sending the indication command to the password coprocessor; the indication command carries a data length, a source address for reading data from a memory, and a destination address for writing data into the memory, wherein the data length is used for reading corresponding data; and the password coprocessor is used for receiving the indication command and executing the indication command so as to encrypt the data to be encrypted read from the memory space pointed by the source address and corresponding to the data length and write the encrypted data into the memory space pointed by the destination address.
With reference to a possible implementation manner of the embodiment of the fourth aspect, the destination address carries an encryption flag bit, and the security processor is configured to: acquiring a physical address and the data length in the physical memory information; marking a source address for reading data from the memory space pointed by the physical address as unencrypted, and marking a destination address for writing data into the memory space as encrypted; packaging the data length, the source address and the destination address to generate the indication command; accordingly, the processor further comprises a memory controller; the password coprocessor is used for sending a read instruction to the memory controller, wherein the read instruction carries the data length and the source address; the memory controller is used for reading data to be encrypted corresponding to the data length from a memory space pointed by the source address based on the reading instruction, and sending the data to be encrypted to the password coprocessor; the password coprocessor is further configured to send a write instruction to the memory controller, where the write instruction carries the data to be encrypted and the destination address; and the memory controller is further used for encrypting the data to be encrypted and writing the encrypted data into the memory space pointed by the destination address based on the write instruction.
With reference to a possible implementation manner of the fourth aspect, the destination address carries identification information for representing an identity of a virtual machine, and the memory controller is configured to select a key corresponding to the identification information to encrypt the data to be encrypted.
In combination with one possible implementation manner of the embodiment of the fourth aspect, the secure processor is configured to: acquiring a physical address and the data length in the physical memory information; based on the physical address, obtaining a source address for reading data from a memory space pointed by the physical address and a destination address for writing data into the memory space; packaging the data length, the source address and the destination address to generate the indication command; accordingly, the processor further comprises a memory controller; the password coprocessor is used for sending a read instruction to the memory controller, wherein the read instruction carries the data length and the source address; the memory controller is used for reading data to be encrypted corresponding to the data length from a memory space pointed by the source address based on the reading instruction, and sending the data to be encrypted to the password coprocessor; the password coprocessor is further used for encrypting the data to be encrypted and sending a write instruction to the memory controller, wherein the write instruction carries the encrypted data and the destination address; and the memory controller is further configured to write the encrypted data into a memory space to which the destination address points based on the write instruction.
With reference to a possible implementation manner of the embodiment of the fourth aspect, the secure processor is further configured to determine whether a physical address bus width of the secure processor is lower than a physical address bus width of the memory before encapsulating the data length, the source address, and the destination address and generating the indication command; and if so, mapping the physical address bus width of the source address from the physical address bus width of the memory to the physical address bus width of the destination address, and mapping the physical address bus width of the destination address from the physical address bus width of the memory to the physical address bus width of the destination address.
With reference to a possible implementation manner of the fourth aspect, the destination address carries identification information for representing an identity of a virtual machine, and the password coprocessor is configured to select a key corresponding to the identification information to encrypt the data to be encrypted. With reference to one possible implementation manner of the embodiment of the fourth aspect, the processor further includes a processor core, where a virtual machine monitor is deployed on the processor core; and the virtual machine monitor is used for sending an interaction request to the security processor, wherein the interaction request carries the physical memory information.
In a fifth aspect, an embodiment of the present application further provides a computer device, including: the memory and the processor provided in the fourth aspect embodiment and/or in combination with any possible implementation manner of the fourth aspect embodiment, where the processor is electrically connected to the memory.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts. The foregoing and other objects, features and advantages of the application will be apparent from the accompanying drawings. Like reference numerals refer to like parts throughout the drawings. The drawings are not intended to be to scale as practical, emphasis instead being placed upon illustrating the subject matter of the present application.
Fig. 1 shows a schematic diagram of interaction between a processor and a memory according to an embodiment of the present disclosure.
Fig. 2 shows a flow chart of a data encryption method provided in an example of the present application.
Fig. 3 is a schematic diagram illustrating a flow chart of a secure processor interacting with a cryptographic coprocessor according to an embodiment of the present application.
Fig. 4 is a schematic flow chart illustrating interaction between a secure processor and a cryptographic coprocessor according to an embodiment of the present application.
Fig. 5 shows a schematic structural diagram of a computer device provided in an example of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, relational terms such as "first," "second," and the like may be used solely in the description herein to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Further, the term "and/or" in the present application is only one kind of association relationship describing the associated object, and means that three kinds of relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone.
Fig. 1 is a schematic diagram of interaction between a processor and a memory according to an embodiment of the present disclosure. The processor includes: a Processor core (kernel), a Security Processor (PSP), a Cryptographic Coprocessor (CC), and a Memory Controller (UMC). Each processor core is connected with a security processor and a memory controller, and the security processor is also connected with a password coprocessor and the memory controller. The crypto coprocessor and the security processor can be two independent integrated chips, and in one embodiment, the crypto coprocessor can be integrated in the security processor to reduce the volume of the circuit as much as possible.
The Processor may be a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), an Accelerated Processing Unit (Accelerated Processing Unit), or other types of processors, such as a Network Processor (NP) and an application Processor, and of course, in some products, the application Processor is the CPU.
In the embodiment of the application, the number of the processor cores in the processor is at least one, so that the computing capability is improved, the stability of a system is improved, and the like, and even if a certain processor core is damaged, the stable operation can be ensured. A Virtual Machine (VM) and a Virtual Machine Monitor (VMM) are disposed on at least one of the processor cores. In hardware virtualization technology, a VMM is used to isolate the virtual system from the host hardware. The VMM may also be referred to as a virtual machine manager and may run directly on the system hardware or on the host operating system. The VMM performs the mapping from virtual resources to physical resources and performs computations using local physical resources. When the virtual system accesses the system resource, the VMM takes over the request and returns the processing result to the virtual machine system, thus realizing the virtualization of a plurality of hardware devices and ensuring the effective isolation of the virtual system.
The Memory may be a Double Data Rate (DDR) Memory, or other memories, such as a Random Access Memory (RAM), a Dynamic Random Access Memory (DRAM), or the like.
In the starting stage of the virtual machine, the virtual machine monitor needs to encrypt the physical memory for storing the virtual machine data once in advance by virtue of the security processor, and the process needs the security processor to copy the unencrypted virtual machine memory data to the local by calling a software program and then write the data back to the virtual machine memory. Because the processing mode realized by software can only be processed according to a specific word length, if the data volume is larger, the processing speed completely depends on the instruction execution speed, and the instruction running speed of the safety processor is far lower than that of the central processing unit, the processing mode for copying the memory data by adopting a software program has the defects of low speed, low running efficiency and long time consumption of the whole process. It should be noted that the defects existing in the above solutions are the results obtained after the inventor has practiced and studied carefully, and therefore, the discovery process of the above problems and the solutions proposed by the following embodiments of the present application to the above problems should be the contribution of the inventor to the present application in the process of the present application.
In view of this, the present application provides a method for increasing an encryption speed by using a DMA (Direct memory access) hardware module of a password coprocessor, so as to solve the defects that when a current virtual machine monitor based on a secure virtualization technology performs encryption processing on a physical memory storing virtual machine data in advance by using a secure processor, a processing mode in which the secure processor uses a software program to copy the memory data is slow in speed and low in operation efficiency. The process of using the DMA hardware module of the cryptographic coprocessor to increase the encryption speed will be described with reference to the schematic diagram shown in fig. 1.
In the initial stage of starting the virtual machine, the virtual machine monitor prepares the physical memory storing the data of the virtual machine, and then carries the prepared physical memory information in the interaction request to send to the security processor for processing and waiting. The physical memory is used for storing virtual machine data of a virtual machine to be started and operated. As an implementation manner, different virtual machines may correspond to different physical memories, so that virtual machine data of different virtual machines are stored in different memories, so as to ensure that the stored virtual machine data do not interfere with each other.
And after receiving the interactive request of the virtual machine monitor, the security processor acquires the physical memory information to be encrypted from the interactive request and acquires an idle command queue corresponding to the password coprocessor. And the safety processor generates an indication command based on the physical memory information, adds the indication command into the idle command queue, and submits the idle command queue to the password coprocessor for processing. Wherein the physical memory information includes: the method comprises the following steps of obtaining a physical address of a memory and a length of data to be encrypted, wherein the length of the data to be encrypted is required to be read, and correspondingly, the indication command comprises: the data length is used for reading a source address of data from the specified memory and writing a destination address of the data into the specified memory. In addition, the secure processor sends the instruction command to the password coprocessor through a middleware (queue or stack), and also can send the instruction command to the password coprocessor based on a direct connection mode, at the moment, a data channel is directly established between the secure processor and the password coprocessor, and synchronous communication is adopted.
As one embodiment, the encryption and decryption functions of the memory controller may be utilized to implement the encryption of the virtual machine data. Since the encryption and decryption processes are performed by the memory controller in this embodiment, after acquiring the physical address and the data length in the physical memory information, the security processor needs to set the encryption flag bit based on the physical address, mark the source address for reading data from the memory space pointed by the physical address as unencrypted, mark the destination address for writing data into the memory as encrypted, and encapsulate the data length, the source address (physical address without the encryption flag bit) and the destination address (physical address with the encryption flag bit) to generate the indication command. In this embodiment, the instruction command includes: the data length, the source address without the encryption flag bit for reading data from the specified memory space, and the destination address with the encryption flag bit for writing data into the specified memory space. In this embodiment, 1 bit in the destination address is used to represent the encryption flag bit to control the memory controller to encrypt the written-back data. For example, if the bit is 1, it indicates that the data to be written back needs to be encrypted, and if the bit is 0, it indicates that the data to be written back does not need to be encrypted. Of course, the other way around, if the bit is 0, it means that the data to be written back needs to be encrypted, and if the bit is 1, it means that the data to be written back does not need to be encrypted. Other values or identifiers may be used to represent the encryption flag bits.
As one embodiment, the encryption of the virtual machine data may be implemented without utilizing the encryption and decryption functions of the memory controller. In such an embodiment, encryption of the virtual machine data may be implemented using the encryption and decryption functions of the cryptographic co-process. Since the encryption and decryption processes are performed by the cryptographic coprocessor, the encryption flag bit may not be set in this embodiment. After acquiring the physical address and the data length in the physical memory information, the security processor directly encapsulates the data length, a source address for reading data from the memory space pointed by the physical address and a destination address for writing data into the memory, and generates an instruction command. In this embodiment, the instruction command includes: the data length is used for reading a source address of data from a specified memory and writing a destination address of the data into the specified memory.
It should be noted that, in the present application, the source address is relative to the read data, and the destination address is relative to the write data. In one embodiment, the source address and the destination address are the same physical address and both point to the same memory space.
It is contemplated that the physical address bus width of the secure processor may sometimes be lower than the physical address bus width of the system memory. Therefore, optionally, before encapsulating the data length, the source address and the destination address and generating the instruction command, the security processor may further determine whether the physical address bus width of the security processor is lower than that of the system memory; if so, the security processor needs to perform address mapping processing on the source address and the destination address, map the physical address bus width of the source address from the physical address bus width of the system memory to the physical address bus width of the security processor, map the physical address bus width of the destination address from the physical address bus width of the system memory to the physical address bus width of the security processor, and then encapsulate the data length, the mapped source address and the mapped destination address to generate an indication command; if not, the safety processor does not need to map the address of the source address and the destination address, and directly encapsulates the data length, the source address and the destination address to generate the indication command.
When the destination address carries the encryption flag bit, in the embodiment, after receiving the indication command sent by the security processor, the password coprocessor analyzes the indication command to obtain the length of the data carried in the indication command, a source address without the encryption flag bit for reading the data from the specified memory, and a destination address with the encryption flag bit for writing the data into the specified memory; the method comprises the steps that a password coprocessor sends a read instruction to a memory controller, so that the memory controller reads data to be encrypted corresponding to the data length from a memory space pointed by a source address based on the read instruction, and sends the data to be encrypted to the password coprocessor, wherein the read instruction carries the data length and the source address; when the password coprocessor receives data to be encrypted returned by the memory controller, the password coprocessor sends a write instruction to the memory controller, so that the memory controller encrypts the data to be encrypted and writes the encrypted data into a memory space pointed by a destination address based on the write instruction, wherein the write instruction carries the data to be encrypted and the destination address. In the embodiment, the password coprocessor copies the data of the virtual machine memory to be encrypted to the local based on a DMA mode, then writes the data back to the virtual machine memory, and encrypts the written-back data by the memory controller in the process of writing back. Since the memory controller completes the encryption process of the memory data, the memory controller needs to be configured with the encryption flag bit of the system memory physical address to control the memory controller to encrypt the written-back data.
When the destination address does not carry the encryption flag bit, in the embodiment, after receiving the indication command sent by the security processor, the password coprocessor analyzes the indication command to obtain the length of the data carried in the indication command, a source address for reading the data from the specified memory and a destination address for writing the data into the specified memory; the method comprises the steps that a password coprocessor sends a read instruction to a memory controller, so that the memory controller reads data to be encrypted corresponding to the data length from a memory space pointed by a source address based on the read instruction, and sends the data to be encrypted to the password coprocessor, wherein the read instruction carries the data length and the source address; when receiving data to be encrypted returned by a memory controller, a password coprocessor encrypts the data and then sends a write instruction to the memory controller so that the memory controller writes the encrypted data into a memory space pointed by a destination address based on the write instruction, wherein the write instruction carries the encrypted data to be encrypted and the destination address. In this embodiment, the crypto coprocessor copies the virtual machine memory data to be encrypted to the local based on a DMA (direct memory access) mode (hardware), then encrypts the data, and then writes back the encrypted data to the virtual machine memory. Because the encryption process of the memory data is completed by the password coprocessor, the memory controller can be controlled to encrypt the written-back data without configuring an encryption flag bit of a system memory physical address.
When data is encrypted, different virtual machines can correspond to different encryption and decryption keys, so that the security of the data is guaranteed to the maximum extent. Therefore, as an embodiment, the physical address in the physical memory information sent by the virtual machine monitor to the secure processor also carries identification information for characterizing the virtual machine identity, such as an index value (ASID), and correspondingly, the destination address in the indication command sent by the secure processor also carries the identification information, so that when the memory controller or the cryptographic coprocessor encrypts data, the data is encrypted based on a key corresponding to the identification information (such as the index value) carried in the destination address. For convenience of understanding, taking the example that the password coprocessor encrypts the data to be encrypted, if the destination address carries identification information for representing the identity of the virtual machine, the password coprocessor selects a key corresponding to the identification information to encrypt the data to be encrypted; and if the destination address does not carry identification information for representing the identity of the virtual machine, the password coprocessor selects a default key to encrypt the data to be encrypted. In this embodiment, 1 bit in the destination address is used to represent the identity tag of the virtual machine, so that when encrypting, the data is encrypted based on the key corresponding to the identification information of the bit.
And after receiving the processing result returned by the password coprocessor, the security processor returns the processing result to the virtual machine monitor and waits for the next interaction request. And then, the virtual machine monitor acquires the return result and then processes the memory data to complete the memory encryption process of the virtual machine.
Because the processing mode of copying the memory data is realized by adopting the software program, the data can be processed only according to a specific word length, if the data volume is larger, the processing speed completely depends on the instruction execution speed, and the instruction operation speed of the safety processor is far lower than that of the central processing unit, the speed of copying the data from the memory by adopting the software mode in the safety processor is low, the execution efficiency is low, and the time consumption of the whole process is long. According to the method and the device, the indication command is packaged to the password coprocessor through the security processor, the DMA hardware module of the password coprocessor is further utilized to improve the encryption speed of the memory of the virtual machine based on the security virtual machine technology, the hardware module is utilized to execute the indication command to replace an existing pure software method, and the whole time for starting the virtual machine is effectively shortened. By adopting the scheme, the memory encryption speed of the virtual machine based on the safe virtualization technology is greatly increased, about 6400% is increased compared with that before optimization, the starting time of the virtual machine is shortened, and the market competitiveness of a server CPU based on the safe virtualization technology is enhanced.
As shown in fig. 2, the present embodiment further provides a data encryption method applied to the above-mentioned processor, and the steps included in the method will be described with reference to fig. 2.
Step S101: the security processor obtains physical memory information to be encrypted.
At the initial stage of starting the virtual machine, the virtual machine monitor prepares a physical memory storing virtual machine data, and then sends the prepared physical memory information to the security processor, and after receiving an interaction request of the virtual machine monitor, the security processor acquires physical memory information to be encrypted from the interaction request. Wherein the physical memory information includes: the method comprises the steps of storing physical addresses and obtaining the length of data to be encrypted, wherein the data are required to be read.
Step S102: the secure processor sends an indication command to the cryptographic coprocessor.
And the safety processor generates an indication command based on the physical memory information. In one embodiment, the process of the secure processor generating the indication command based on the physical memory information may be: the security processor acquires a physical address and the data length in the physical memory information; the security processor configures an encryption mark bit based on the physical address, marks a source address for reading data from a memory space pointed by the physical address as unencrypted, and marks a destination address for writing data into the memory as encrypted; and the safety processor encapsulates the data length, the source address and the destination address to generate the indication command. In this embodiment, the instruction command includes: the data length, the source address without the encrypted flag bit for reading data from the memory space, and the destination address with the encrypted flag bit for writing data into the memory space.
In another embodiment, the process of the secure processor generating the indication command based on the physical memory information may be: the security processor acquires a physical address and the data length in the physical memory information; the security processor obtains a source address used for reading data from a memory space pointed by the physical address and a destination address used for writing the data into the memory based on the physical address; and the safety processor encapsulates the data length, the source address and the destination address to generate the indication command. In this embodiment, the instruction command includes: a data length, a source address for reading data from the memory space and a destination address for writing data into the memory space.
It is considered that the physical address bus width of the secure processor may sometimes be lower than the physical address bus width of the memory. Therefore, in an embodiment, before the secure processor encapsulates the data length, the source address and the destination address and generates the indication command, it may be determined whether the physical address bus width of the secure processor is lower than that of the memory; if so, the security processor needs to perform address mapping processing on the source address and the destination address, map the physical address bus width of the source address and the destination address from the physical address bus width of the memory to the physical address bus width of the security processor, and then encapsulate the data length, the mapped source address and the mapped destination address to generate an indication command; if not, the safety processor does not need to map the address of the source address and the destination address, and directly encapsulates the data length, the source address and the destination address to generate the indication command.
Step S103: and the password coprocessor executes the instruction command so as to encrypt the data to be encrypted, which is read from the memory space pointed by the source address and corresponds to the data length, and then write the encrypted data into the memory space pointed by the destination address.
Under one embodiment, the instruction command includes: the data length, the source address without the encrypted flag bit for reading data from memory, and the destination address with the encrypted flag bit for writing data to memory. At this time, the cipher coprocessor sends a read instruction to a memory controller, so that the memory controller reads data to be encrypted corresponding to the data length from a memory space pointed by the source address based on the read instruction, wherein the read instruction carries the data length and the source address; when the password coprocessor receives the data to be encrypted returned by the memory controller, the password coprocessor sends a write instruction to the memory controller, so that the memory controller encrypts the data to be encrypted and writes the encrypted data into a memory space pointed by the destination address based on the write instruction, wherein the write instruction carries the data to be encrypted and the destination address.
Under another embodiment, the instruction command includes: the data length is used for reading a source address of data from the memory and writing a destination address of the data into the memory. At this time, the cipher coprocessor sends a read instruction to a memory controller, so that the memory controller reads data to be encrypted corresponding to the data length from a memory space pointed by the source address based on the read instruction, wherein the read instruction carries the data length and the source address; the password coprocessor encrypts the data to be encrypted and sends a write instruction to the memory controller based on the destination address, so that the memory controller writes the encrypted data into a memory space pointed by the destination address based on the write instruction, wherein the write instruction carries the encrypted data to be written and the destination address.
When data is encrypted, different virtual machines may correspond to different encryption and decryption keys. Therefore, as an embodiment, the physical Address in the physical memory information sent by the virtual machine monitor to the secure processor also carries identification information for representing the virtual machine identity, such as an index value (ASID), and correspondingly, the destination Address in the indication command sent by the secure processor also carries the identification information, and when the memory controller or the cryptographic coprocessor encrypts data, the memory controller or the cryptographic coprocessor encrypts the data based on a key corresponding to the identification information (such as the index value) carried in the destination Address. For convenience of understanding, taking the example that the password coprocessor encrypts the data to be encrypted, if the destination address carries identification information for representing the identity of the virtual machine, the password coprocessor selects a key corresponding to the identification information to encrypt the data to be encrypted; and if the destination address does not carry identification information for representing the identity of the virtual machine, the password coprocessor selects a default key to encrypt the data to be encrypted.
To facilitate understanding of the above-described interaction diagrams, reference may be made to the diagrams shown in fig. 3 and 4. Fig. 3 is an interaction diagram illustrating that data is encrypted by using the encryption and decryption functions of the memory controller, and fig. 4 is an interaction diagram illustrating that data is encrypted by using the encryption and decryption functions of the cryptographic coprocessor.
The data encryption method provided by the embodiment of the present application has the same implementation principle and technical effect as the foregoing device embodiment, and for the sake of brief description, reference may be made to the corresponding contents in the foregoing device embodiment for the part of the method embodiment that is not mentioned.
An embodiment of the present application further provides a computer device, as shown in fig. 5. The computer device includes: the memory is electrically connected with the processor and the memory. The processor has been described in detail above, and the interaction process between the two is also described in detail, so that the details are not repeated here.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (15)
1. A method for data encryption, the method comprising:
the security processor acquires physical memory information to be encrypted;
the safety processor generates an indication command based on the physical memory information, wherein the indication command carries a data length, a source address for reading data from a memory and a destination address for writing data into the memory, and the data length is used for reading corresponding data;
and the safety processor sends the indication command to a password coprocessor to enable the password coprocessor to execute the indication command so as to encrypt data to be encrypted, which is read from a memory space pointed by the source address and corresponds to the data length, and then write the encrypted data into the memory space pointed by the destination address.
2. The method of claim 1, wherein the secure processor generating an indication command based on the physical memory information comprises:
the security processor acquires a physical address and the data length in the physical memory information;
the security processor marks a source address for reading data from the memory space pointed by the physical address as unencrypted, and marks a destination address for writing data into the memory space as encrypted;
and the safety processor encapsulates the data length, the source address and the destination address to generate the indication command.
3. The method of claim 1, wherein the secure processor generating an indication command based on the physical memory information comprises:
the security processor acquires a physical address and the data length in the physical memory information;
the security processor obtains a source address used for reading data from the memory space pointed by the physical address and a destination address used for writing data into the memory space based on the physical address;
and the safety processor encapsulates the data length, the source address and the destination address to generate the indication command.
4. The method according to claim 2 or 3, wherein before the secure processor encapsulates the data length, the source address, and the destination address, and generates the indication command, the method further comprises:
the safety processor judges whether the width of a physical address bus of the safety processor is smaller than that of a physical address bus of the memory;
when yes, the secure processor maps the physical address bus width of the source address from the physical address bus width of the memory to the own physical address bus width, and maps the physical address bus width of the destination address from the physical address bus width of the memory to the own physical address bus width.
5. The method of claim 1, wherein the secure processor sending the indication command to a cryptographic coprocessor comprises:
and the safety processor sends the indication command to the password coprocessor through the middleware.
6. A method for data encryption, the method comprising:
the password coprocessor receives an indication command sent by a security processor, wherein the indication command comprises: the method comprises the following steps of (1) writing data into a memory according to the data length, a source address for reading the data from the memory and a destination address with an encrypted mark bit for writing the data into the memory;
the cipher coprocessor sends a read instruction to a memory controller so that the memory controller reads data to be encrypted corresponding to the data length from a memory space pointed by the source address based on the read instruction, wherein the read instruction carries the data length and the source address;
when the password coprocessor receives the data to be encrypted returned by the memory controller, the password coprocessor sends a write instruction to the memory controller, so that the memory controller encrypts the data to be encrypted and writes the encrypted data into a memory space pointed by the destination address based on the write instruction, wherein the write instruction carries the data to be encrypted and the destination address.
7. A method for data encryption, the method comprising:
the password coprocessor receives an indication command sent by a security processor, wherein the indication command comprises: the data length is used for reading a source address of data from a memory and writing a destination address of the data into the memory;
the cipher coprocessor sends a read instruction to a memory controller so that the memory controller reads data to be encrypted corresponding to the data length from a memory space pointed by the source address based on the read instruction, wherein the read instruction carries the data length and the source address;
the password coprocessor encrypts the data to be encrypted and sends a write instruction to the memory controller, so that the memory controller writes the encrypted data into a memory space to which the destination address points based on the write instruction, wherein the write instruction carries the encrypted data and the destination address.
8. The method according to claim 7, wherein when the destination address carries identification information for characterizing the identity of the virtual machine, the cryptographic coprocessor encrypts the data to be encrypted, including:
and the password coprocessor selects a key corresponding to the identification information to encrypt the data to be encrypted.
9. A processor, comprising:
the security processor is used for acquiring physical memory information to be encrypted; the password coprocessor is used for generating an indication command based on the physical memory information and sending the indication command to the password coprocessor; the indication command carries a data length, a source address for reading data from a memory, and a destination address for writing data into the memory, wherein the data length is used for reading corresponding data;
and the password coprocessor is used for receiving the indication command and executing the indication command so as to encrypt the data to be encrypted read from the memory space pointed by the source address and corresponding to the data length and write the encrypted data into the memory space pointed by the destination address.
10. The processor of claim 9, wherein the destination address carries an encryption flag bit, and wherein the security processor is configured to: acquiring a physical address and the data length in the physical memory information; marking a source address for reading data from the memory space pointed by the physical address as unencrypted, and marking a destination address for writing data into the memory space as encrypted; packaging the data length, the source address and the destination address to generate the indication command;
accordingly, the processor further comprises a memory controller;
the password coprocessor is used for sending a read instruction to the memory controller, wherein the read instruction carries the data length and the source address;
the memory controller is used for reading data to be encrypted corresponding to the data length from a memory space pointed by the source address based on the reading instruction, and sending the data to be encrypted to the password coprocessor;
the password coprocessor is further configured to send a write instruction to the memory controller, where the write instruction carries the data to be encrypted and the destination address;
and the memory controller is further used for encrypting the data to be encrypted and writing the encrypted data into the memory space pointed by the destination address based on the write instruction.
11. The processor according to claim 10, wherein the destination address carries identification information for characterizing an identity of a virtual machine, and the memory controller is configured to select a key corresponding to the identification information to encrypt the data to be encrypted.
12. The processor of claim 9, wherein the secure processor is configured to: acquiring a physical address and the data length in the physical memory information; based on the physical address, obtaining a source address for reading data from a memory space pointed by the physical address and a destination address for writing data into the memory space; packaging the data length, the source address and the destination address to generate the indication command;
accordingly, the processor further comprises a memory controller;
the password coprocessor is used for sending a read instruction to the memory controller, wherein the read instruction carries the data length and the source address;
the memory controller is used for reading data to be encrypted corresponding to the data length from a memory space pointed by the source address based on the reading instruction, and sending the data to be encrypted to the password coprocessor;
the password coprocessor is further used for encrypting the data to be encrypted and sending a write instruction to the memory controller, wherein the write instruction carries the encrypted data and the destination address;
and the memory controller is further configured to write the encrypted data into a memory space to which the destination address points based on the write instruction.
13. The processor according to claim 10 or 12, wherein the secure processor is further configured to determine whether a physical address bus width of the secure processor is lower than a physical address bus width of the memory before encapsulating the data length, the source address, and the destination address and generating the indication command; and if so, mapping the physical address bus width of the source address from the physical address bus width of the memory to the physical address bus width of the destination address, and mapping the physical address bus width of the destination address from the physical address bus width of the memory to the physical address bus width of the destination address.
14. The processor according to claim 12, wherein the destination address carries identification information for characterizing an identity of a virtual machine, and the cryptographic coprocessor is configured to select a key corresponding to the identification information to encrypt the data to be encrypted.
15. A computer device, comprising: a memory and a processor according to any of claims 9 to 14, the processor and the memory being electrically connected.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911300244.0A CN111090869B (en) | 2019-12-16 | 2019-12-16 | Data encryption method, processor and computer equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911300244.0A CN111090869B (en) | 2019-12-16 | 2019-12-16 | Data encryption method, processor and computer equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111090869A true CN111090869A (en) | 2020-05-01 |
| CN111090869B CN111090869B (en) | 2022-04-05 |
Family
ID=70396473
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911300244.0A Active CN111090869B (en) | 2019-12-16 | 2019-12-16 | Data encryption method, processor and computer equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111090869B (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112052069A (en) * | 2020-08-25 | 2020-12-08 | 海光信息技术有限公司 | Method, device and related equipment for writing and reading virtual machine identifier |
| CN112231239A (en) * | 2020-10-19 | 2021-01-15 | 海光信息技术股份有限公司 | Page exchange method and device, CPU, trusted hardware and computer equipment |
| CN112257092A (en) * | 2020-11-05 | 2021-01-22 | 海光信息技术股份有限公司 | Data transmission control method, key management method, configuration method and related device |
| CN112416526A (en) * | 2020-11-27 | 2021-02-26 | 海光信息技术股份有限公司 | Direct storage access method, device and related equipment |
| CN112433817A (en) * | 2020-11-27 | 2021-03-02 | 海光信息技术股份有限公司 | Information configuration method, direct storage access method and related device |
| CN112560086A (en) * | 2020-12-11 | 2021-03-26 | 海光信息技术股份有限公司 | Configuration method and device for password coprocessor, CPU and electronic equipment |
| CN114238185A (en) * | 2021-12-20 | 2022-03-25 | 海光信息技术股份有限公司 | Direct storage access and command data transmission method, device and related equipment |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2007208696A (en) * | 2006-02-02 | 2007-08-16 | Seiko Epson Corp | Encryption processing circuit and printer |
| CN107092835A (en) * | 2017-04-21 | 2017-08-25 | 杭州华澜微电子股份有限公司 | The computer data enciphering device and method of a kind of virtual memory disk |
| CN107229415A (en) * | 2016-03-24 | 2017-10-03 | 华为技术有限公司 | A kind of data write method, data read method and relevant device, system |
| CN109670345A (en) * | 2018-12-21 | 2019-04-23 | 成都海光集成电路设计有限公司 | Guard method, accelerator module and the SOC chip of memory pages swapping in and out |
-
2019
- 2019-12-16 CN CN201911300244.0A patent/CN111090869B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2007208696A (en) * | 2006-02-02 | 2007-08-16 | Seiko Epson Corp | Encryption processing circuit and printer |
| CN107229415A (en) * | 2016-03-24 | 2017-10-03 | 华为技术有限公司 | A kind of data write method, data read method and relevant device, system |
| CN107092835A (en) * | 2017-04-21 | 2017-08-25 | 杭州华澜微电子股份有限公司 | The computer data enciphering device and method of a kind of virtual memory disk |
| CN109670345A (en) * | 2018-12-21 | 2019-04-23 | 成都海光集成电路设计有限公司 | Guard method, accelerator module and the SOC chip of memory pages swapping in and out |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112052069A (en) * | 2020-08-25 | 2020-12-08 | 海光信息技术有限公司 | Method, device and related equipment for writing and reading virtual machine identifier |
| CN112052069B (en) * | 2020-08-25 | 2024-03-12 | 海光信息技术股份有限公司 | Method, device and related equipment for writing and reading virtual machine identification |
| CN112231239A (en) * | 2020-10-19 | 2021-01-15 | 海光信息技术股份有限公司 | Page exchange method and device, CPU, trusted hardware and computer equipment |
| CN112231239B (en) * | 2020-10-19 | 2022-05-17 | 海光信息技术股份有限公司 | Page exchange method and device, CPU, trusted hardware and computer equipment |
| CN112257092A (en) * | 2020-11-05 | 2021-01-22 | 海光信息技术股份有限公司 | Data transmission control method, key management method, configuration method and related device |
| CN112257092B (en) * | 2020-11-05 | 2023-10-27 | 海光信息技术股份有限公司 | Data transmission control method, key management method, configuration method and related devices |
| CN112416526A (en) * | 2020-11-27 | 2021-02-26 | 海光信息技术股份有限公司 | Direct storage access method, device and related equipment |
| CN112433817A (en) * | 2020-11-27 | 2021-03-02 | 海光信息技术股份有限公司 | Information configuration method, direct storage access method and related device |
| CN112433817B (en) * | 2020-11-27 | 2022-11-25 | 海光信息技术股份有限公司 | Information configuration method, direct storage access method and related device |
| CN112416526B (en) * | 2020-11-27 | 2023-02-17 | 海光信息技术股份有限公司 | Direct storage access method, device and related equipment |
| CN112560086A (en) * | 2020-12-11 | 2021-03-26 | 海光信息技术股份有限公司 | Configuration method and device for password coprocessor, CPU and electronic equipment |
| CN114238185A (en) * | 2021-12-20 | 2022-03-25 | 海光信息技术股份有限公司 | Direct storage access and command data transmission method, device and related equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111090869B (en) | 2022-04-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111090869B (en) | Data encryption method, processor and computer equipment | |
| JP4940460B2 (en) | Processing system, method and device | |
| US10536274B2 (en) | Cryptographic protection for trusted operating systems | |
| US10338949B2 (en) | Virtual trusted platform module function implementation method and management device | |
| CN112433817B (en) | Information configuration method, direct storage access method and related device | |
| US10938559B2 (en) | Security key identifier remapping | |
| CN111967065B (en) | Data protection method, processor and electronic equipment | |
| CN106716435B (en) | Interface between a device and a secure processing environment | |
| CN111949372B (en) | Virtual machine migration method, general processor and electronic equipment | |
| EP3913513A1 (en) | Secure debug of fpga design | |
| CN111124599B (en) | Virtual machine memory data migration method and device, electronic equipment and storage medium | |
| CN111158853A (en) | Virtual machine memory data migration method, CPU chip and server | |
| WO2024098594A1 (en) | Code protection system and method, virtual system architecture, chip and electronic device | |
| CN116126463A (en) | Memory access method, configuration method, computer system and related devices | |
| CN116450281A (en) | Access processing method, virtual machine identifier configuration method, chip and computer equipment | |
| CN111290830B (en) | Virtual machine migration method, processor and electronic equipment | |
| CN112241308B (en) | Virtual machine identifier processing method and device and related equipment | |
| CN113342735A (en) | Processor chip and electronic equipment | |
| TW201433937A (en) | Secure input method and system thereof | |
| CN110990120B (en) | Inter-partition communication method and device for virtual machine monitor, storage medium and terminal | |
| CN113485790B (en) | Restarting method, migration method and related equipment of virtual machine | |
| CN117349870B (en) | Transparent encryption and decryption computing system, method, equipment and medium based on heterogeneous computing | |
| US20240054071A1 (en) | Hardware mechanism to extend mktme protections to sgx data outside epc | |
| US20230267214A1 (en) | Virtual trusted platform module implementation method and related apparatus | |
| US20240134804A1 (en) | Data transfer encryption mechanism |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information | ||
| CB02 | Change of applicant information |
Address after: 300450 Tianjin Binhai New Area Huayuan Industrial Zone Haitai West Road 18 North 2-204 Industrial Incubation-3-8 Applicant after: Haiguang Information Technology Co., Ltd Address before: 1809-1810, block B, blue talent port, No.1, Intelligent Island Road, high tech Zone, Qingdao, Shandong Province Applicant before: HAIGUANG INFORMATION TECHNOLOGY Co.,Ltd. |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant |