CN111125791B - Memory data encryption method and device, CPU chip and server - Google Patents


Info

Publication number: CN111125791B
Application number: CN201911277424.1A
Authority: CN (China)
Other versions: CN111125791A
Other languages: Chinese (zh)
Inventors: 冯浩, 应志伟
Assignee: Haiguang Information Technology Co Ltd
Legal status: Active
Prior art keywords: memory, address, mode, flag bit, physical address


Classifications

    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45583 Memory management, e.g. access or allocation
    • G06F2009/45587 Isolation or security of virtual machine instances

Abstract

The embodiment of the invention discloses a memory data encryption method, a memory data encryption device, a CPU chip and a server, relates to the technical field of computers, and can effectively improve memory data migration performance. The method comprises the following steps: querying a predetermined flag bit of a target address, and determining whether to start an address scrambling mode according to the predetermined flag bit; if the address scrambling mode is started, encrypting the target data to be written into the memory physical address corresponding to the target address by adopting the address scrambling mode; and if the address scrambling mode is not started, encrypting the target data to be written into the memory physical address corresponding to the target address by adopting the non-address scrambling mode. The method is suitable for encrypting memory data.

Description

Memory data encryption method and device, CPU chip and server
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for encrypting memory data, a CPU chip, and a server.
Background
In order to improve the security of data encryption, address scrambling is introduced into memory encryption technology, so that the same plaintext data encrypted with the same key still yields different ciphertext at different storage addresses.
However, because the ciphertext then depends on its storage address, address scrambling improves data security at the cost of degrading the migration performance of the memory data.
Disclosure of Invention
In view of the above, the embodiments of the present invention provide a method and apparatus for encrypting memory data, a CPU chip, and a server, which can effectively improve migration performance of memory data.
In a first aspect, an embodiment of the present invention provides a method for encrypting memory data, including: inquiring a preset flag bit of a memory physical address; determining whether an address scrambling mode is started for data to be written into the memory according to the preset flag bit; if the address scrambling mode is determined to be started for the data to be written into the memory, encrypting the data to be written into the memory by adopting the address scrambling mode; if the data to be written into the memory is determined not to start the address scrambling mode, the data to be written into the memory is encrypted by adopting the non-address scrambling mode.
Optionally, the querying the predetermined flag bit of the memory physical address includes: inquiring a preset flag bit of a physical address of a memory of the virtual machine; or, inquiring a preset flag bit of the physical address of the host memory.
Optionally, the querying the predetermined flag bit of the physical address of the virtual machine memory includes: determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode; and if the operation mode is a virtual machine mode, inquiring a preset flag bit of a physical address of a memory of the virtual machine.
Optionally, the querying the predetermined flag bit of the host memory physical address includes: determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode; if the operation mode is the host mode, inquiring a preset flag bit of a physical address of a host memory.
Optionally, before querying a predetermined flag bit of the virtual machine memory physical address, the method further includes: and configuring the preset flag bit of the memory physical address of the virtual machine through the virtual machine running on the processor core.
Optionally, before querying a predetermined flag bit of the host memory physical address, the method further includes: the predetermined flag bit of the host memory physical address is configured by a host running on the processor core.
In a second aspect, an embodiment of the present invention further provides an encryption device for memory data, including: the query module is used for querying a preset flag bit of the memory physical address; the determining module is used for determining whether an address scrambling mode is started for the data to be written into the memory according to the preset flag bit; the encryption module is used for carrying out encryption processing on the data to be written into the memory by adopting the address scrambling mode if the address scrambling mode is determined to be started for the data to be written into the memory; if the data to be written into the memory is determined not to start the address scrambling mode, the data to be written into the memory is encrypted by adopting the non-address scrambling mode.
Optionally, the query module includes: the first query unit is used for querying a preset flag bit of the memory physical address of the virtual machine; or the second query unit is used for querying the preset flag bit of the physical address of the host memory.
Optionally, the first query unit is specifically configured to: determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode; and if the operation mode is a virtual machine mode, inquiring a preset flag bit of a physical address of a memory of the virtual machine.
Optionally, the second query unit is specifically configured to: determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode; if the operation mode is the host mode, inquiring a preset flag bit of a physical address of a host memory.
Optionally, the apparatus further includes a first configuration module configured to configure, by a virtual machine running on the processor core, a predetermined flag bit of a virtual machine memory physical address before querying the predetermined flag bit of the virtual machine memory physical address.
Optionally, the apparatus further includes a second configuration module configured to configure, by a host running on the processor core, a predetermined flag bit of a host memory physical address before querying the predetermined flag bit of the host memory physical address.
In a third aspect, an embodiment of the present invention further provides a CPU chip, including: at least one processor core, a scrambling switch module, and an encryption module; the processor core is used for sending the memory physical address to the scrambling switch module; the scrambling switch module is used for: inquiring a preset flag bit of a memory physical address; determining whether an address scrambling mode is started for data to be written into the memory according to the preset flag bit; the encryption module is used for: if the address scrambling mode is determined to be started for the data to be written into the memory, encrypting the data to be written into the memory by adopting the address scrambling mode; if the data to be written into the memory is determined not to start the address scrambling mode, the data to be written into the memory is encrypted by adopting the non-address scrambling mode.
Optionally, the scrambling switch module is specifically configured to: inquiring a preset flag bit of a physical address of a memory of the virtual machine; or, inquiring a preset flag bit of the physical address of the host memory.
Optionally, the scrambling switch module is specifically configured to: determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode; and if the operation mode is a virtual machine mode, inquiring a preset flag bit of a physical address of a memory of the virtual machine.
Optionally, the scrambling switch module is specifically configured to: determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode; if the operation mode is the host mode, inquiring a preset flag bit of a physical address of a host memory.
Optionally, the processor core is further configured to configure, by a virtual machine running on the processor core, the predetermined flag bit of the virtual machine memory physical address before sending the memory physical address.
Optionally, the processor core is further configured to configure, by a host running on the processor core, the predetermined flag bit of the host memory physical address before sending the memory physical address.
In a fourth aspect, an embodiment of the present invention further provides a server, including: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in a space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is used for supplying power to each circuit or device of the server; the memory is used for storing executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform any one of the encryption methods provided by the embodiments of the present invention.
The encryption method, the encryption device, the CPU chip and the encryption server for the memory data can query the preset flag bit of the physical address of the memory, determine whether the address scrambling mode is started for the data to be written into the memory according to the preset flag bit, and further determine whether the address scrambling mode is adopted for encryption processing for the data to be written into the memory. Therefore, when the data is encrypted without address scrambling, the data can be quickly and conveniently migrated, and the migration performance of the memory data is effectively improved.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a method for encrypting memory data according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a predetermined flag bit in an encryption method of memory data according to an embodiment of the present invention;
fig. 3 is a schematic diagram of another structure of a predetermined flag bit in the encryption method of memory data according to the embodiment of the present invention;
fig. 4 is a schematic diagram of another structure of a predetermined flag bit in the encryption method of memory data according to the embodiment of the present invention;
FIG. 5 is a detailed flowchart of a method for encrypting memory data according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a host in which the virtual machine V1 is located in the encryption method of memory data shown in fig. 5;
FIG. 7 is a detailed flowchart of another embodiment of a method for encrypting memory data;
FIG. 8 is a schematic diagram of a host in the encryption method of the memory data shown in FIG. 7;
fig. 9 is a schematic structural diagram of an encryption device for memory data according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of a CPU chip according to an embodiment of the present invention;
fig. 11 is a schematic structural diagram of a server according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, an embodiment of the present invention provides a method for encrypting memory data, including:
S11, inquiring a preset flag bit of the memory physical address.
Alternatively, the memory physical address may include a plurality of address bits, e.g., 32 bits, 64 bits, etc., which may be the same number as the address bits supported by the processor core. In one embodiment of the present invention, the memory physical address may use the address bits to indicate at least two aspects of information, namely, storage location indication information of data to be written to the memory and indication information of the address scrambling switch. Alternatively, in one embodiment of the present invention, the redundancy bits in the physical address of the memory may be used as a predetermined flag bit, and by the value of the predetermined flag bit, whether to turn on the address scrambling mode is indicated.
Alternatively, in the embodiment of the present invention, the specific position of the predetermined flag bit in the memory physical address is not limited, and may be, for example, the highest order, the next highest order, the middle order, the lowest order, and the like. When the preset flag bit is the highest bit or the lowest bit of the memory physical address, the rest address bits can be directly used as the storage position indication information of the data, when the preset flag bit is the middle bit of the memory physical address, the address information in the address bits at two sides of the middle bit can be spliced, and the spliced address information is used as the storage position indication information of the data. Alternatively, the storage location indication information may directly or indirectly indicate the storage location of the data in the memory.
S12, determining whether an address scrambling mode is started for the data to be written into the memory according to the preset flag bit.
In this step, it may be determined whether to turn on the address scrambling mode for the data to be written into the memory according to the specific value of the predetermined flag bit. For example, the address scrambling mode is turned off when the predetermined flag bit is a first value, and the address scrambling mode is turned on when the predetermined flag bit is a second value. The first value may be, for example, 0 and the second value may be, for example, 1.
S13, if an address scrambling mode is started for the data to be written into the memory, encrypting the data to be written into the memory by adopting the address scrambling mode; if the data to be written into the memory is determined not to start the address scrambling mode, the data to be written into the memory is encrypted by adopting the non-address scrambling mode.
In this step, if the address scrambling mode is turned on, the data to be written into the memory is encrypted using the address scrambling mode. That is, if the address scrambling mode is turned on, the address information may be used as a scrambling item that is mixed into the data to be written into the memory or into the original encryption key, so that even when the plaintext data is identical, writing it to different memory physical addresses yields different ciphertext, thereby greatly enhancing data security.
Optionally, if the address scrambling mode is not turned on, the data to be written into the memory is encrypted by using a non-address scrambling mode. That is, if the address scrambling mode is turned off, the target data written into the memory is not scrambled using the address information. The encryption algorithm corresponding to all data in the memory is the same, i.e. if the plaintext data is the same, the ciphertext obtained by storing in any position in the memory is the same. Therefore, the address scrambling information is removed, and the data in the memory can be uniformly decrypted at any place and any time, so that the migration performance of the data is effectively improved.
The encryption method for the memory data provided by the embodiment of the invention can inquire the preset flag bit of the physical address of the memory, and determine whether to start an address scrambling mode for the data to be written into the memory according to the preset flag bit, thereby determining whether to encrypt the data to be written into the memory by adopting the address scrambling mode. Therefore, when the data is encrypted without address scrambling, the data can be quickly and conveniently migrated, and the migration performance of the memory data is effectively improved.
In one embodiment of the present invention, the querying the predetermined flag bit of the memory physical address in step S11 may include: inquiring a preset flag bit of a physical address of a memory of the virtual machine; or, inquiring a preset flag bit of the physical address of the host memory.
The virtual machine memory physical address may be configured by an operating system of the virtual machine, and the host memory physical address may be configured by the host. In step S11, whether the predetermined flag bit of the physical address of the virtual machine memory is queried or the predetermined flag bit of the physical address of the host memory is queried may be determined by the operation mode of the processor core. If the processor core is operating in the host mode, the memory physical address may specifically refer to the host physical address, that is, the real memory physical address, so that in step S11, a predetermined flag bit of the host memory physical address may be queried; if the processor core is operating in the virtual machine mode, the memory physical address may specifically refer to the virtual machine memory physical address, so in step S11, a predetermined flag bit of the virtual machine physical address may be queried.
Optionally, in an embodiment of the present invention, querying a predetermined flag bit of a memory physical address of a virtual machine may include: determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode; and if the operation mode is a virtual machine mode, inquiring a preset flag bit of a physical address of a memory of the virtual machine.
Further, before querying the predetermined flag bit of the virtual machine memory physical address, the encryption method of the memory data provided by the embodiment of the invention may further include: and configuring the preset flag bit of the memory physical address of the virtual machine through the virtual machine running on the processor core.
Optionally, as shown in fig. 2, in an embodiment of the present invention, when the processor core works in the virtual machine mode and data needs to be written into the memory, the virtual machine operating system may configure a predetermined flag bit T in a virtual machine physical address corresponding to the data to be 0 or 1, so as to indicate whether to start the address scrambling mode for the data through the predetermined flag bit. For example, when the predetermined flag bit is configured to 0, the off address scrambling mode is indicated, and when the predetermined flag bit is configured to 1, the on address scrambling mode is indicated. Of course, in another embodiment of the present invention, the predetermined flag bit may be configured to be 1, and the address scrambling mode may be indicated to be turned off, and the predetermined flag bit may be configured to be 0, and the address scrambling mode may be indicated to be turned on. Therefore, whether the address scrambling encryption is performed on the memory data in the running mode of the virtual machine can be flexibly controlled.
Further, when the processor core operates in the virtual machine mode, a predetermined flag bit of the target address may be configured according to actual needs, for example, the predetermined flag bit may be configured according to whether the virtual machine needs to be migrated. When the virtual machine needs to be migrated, the virtual machine running on the processor core can configure a preset flag bit of a memory physical address of the virtual machine to be a first value; when the virtual machine does not need to be migrated, the virtual machine running on the processor core can configure a preset flag bit of a memory physical address of the virtual machine to be a second value; wherein the first value is different from the second value.
For example, in one embodiment of the present invention, if the virtual machine A1 is about to perform virtual machine migration, then when the virtual machine A1 needs to write data1 into the memory, the virtual machine A1 may configure the predetermined flag bit in the virtual machine memory physical address corresponding to data1 to a first value, which may be, for example, 1 or 0, so as to indicate that the address scrambling mode is turned off for data1. In this way, data1 can be transmitted directly to the receiving end in the subsequent virtual machine migration in its non-address-scrambled encrypted form, and because the encryption of data1 does not involve address information, the receiving end can decrypt it correctly using only the corresponding decryption key; the extra encryption and decryption operations that address scrambling encryption would require are thereby avoided, and the migration performance of the virtual machine is effectively improved.
Optionally, in another embodiment of the present invention, if data2 encrypted using the address scrambling mode is already stored in the memory when the virtual machine A2 needs to perform migration, the virtual machine A2 may read and decrypt the encrypted data2 from the memory, turn off the address scrambling mode by configuring the predetermined flag bit in the virtual machine physical address corresponding to data2, and then rewrite data2 into the memory using the non-address scrambling mode. Alternatively, the rewritten data2 may overwrite the original data2, or may be stored at another address in the memory; the embodiment of the present invention is not limited in this regard. Because the virtual machine A2 runs on the processor core, its read, decrypt and rewrite operations are far faster than having external software decrypt the data at migration time, so the migration performance of the virtual machine can be effectively improved.
Alternatively, in one embodiment of the present invention, querying the predetermined flag bit of the host memory physical address may include: determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode; if the operation mode is the host mode, inquiring a preset flag bit of a physical address of a host memory.
Further, before querying the predetermined flag bit of the host memory physical address, the method may further include: the predetermined flag bit of the host memory physical address is configured by a host running on the processor core.
For example, as shown in fig. 3, in one embodiment of the present invention, when the processor core is operating in the host mode and data needs to be written into the memory, the host operating system may configure a predetermined flag bit T in the host memory physical address corresponding to the data to be 0 or 1, so as to indicate whether to turn on the address scrambling mode for the data through the predetermined flag bit. For example, when the predetermined flag bit is configured to 0, the off address scrambling mode is indicated, and when the predetermined flag bit is configured to 1, the on address scrambling mode is indicated. Of course, in another embodiment of the present invention, the predetermined flag bit may be configured to be 1, and the address scrambling mode may be indicated to be turned off, and the predetermined flag bit may be configured to be 0, and the address scrambling mode may be indicated to be turned on. The embodiments of the present invention are not limited in this regard. Therefore, whether the address scrambling encryption is performed on the memory data in the host operation mode can be flexibly controlled.
It should be noted that, in the above embodiment, whether to turn on the address scrambling mode is determined by a predetermined flag bit in the virtual machine memory physical address or the host memory physical address, but the embodiment of the invention is not limited thereto. In other embodiments of the present invention, other indicator bits, such as an encryption indicator bit, may be set in the virtual machine memory physical address or in the host memory physical address to indicate whether the data written to the address is encrypted. For example, as shown in fig. 4, in one embodiment of the present invention, the highest order bit of the virtual machine memory physical address is set as the encryption indicator bit C, and the next highest order bit of the virtual machine memory physical address is set as the address scrambling indicator bit T. When C=1 and T=1, address scrambling encryption is performed on the data; when C=1 and T=0, encryption without address scrambling is performed on the data; and when C=0, no encryption is performed on the data regardless of the value of T.
The encryption method of the memory data provided by the embodiment of the invention is described in detail below through a specific embodiment.
Processor cores operate in virtual machine mode
Fig. 5 is a flowchart of a memory data encryption method according to an embodiment of the present invention, where, as shown in fig. 5, the memory data encryption method provided by the embodiment of the present invention may include:
S201, the virtual machine V1 learns that data in the virtual machine V1 is about to be migrated to the virtual machine V2, where the hardware structure of the host on which the virtual machine V1 is located may be as shown in FIG. 6.
S202, the virtual machine V1 generates a memory write operation instruction so as to write the target data2 to the host memory physical address corresponding to the virtual machine memory physical address addr2.
S203, the virtual machine V1 configures a predetermined flag bit T, for example, a next-highest bit, in the virtual machine physical address addr2, for example, configures the next-highest bit T to be 0, so as to turn off the address scrambling mode.
S204, the processor core1 on which the virtual machine V1 is located sends the virtual machine memory physical address addr2, the host memory physical address addr3 corresponding to the virtual machine memory physical address addr2, and the running mode of the processor core to the scrambling switch module.
S205, a scrambling switch module determines that the current processor core operates in a virtual machine mode according to the operation mode of the processor core, and recognizes that a preset flag bit T in a virtual machine physical address addr2 is 0.
S206, the scrambling switch module turns off the address scrambling mode according to the value of the preset flag bit T;
S207, the processor core on which the virtual machine V1 is located sends the plaintext data to the encryption module;
S208, the encryption module encrypts the target data2 by using a non-address scrambling mode to generate ciphertext data3.
S209, when the virtual machine V1 migrates, the ciphertext data3 is transmitted to the virtual machine V2.
Processor core operating in host mode
Fig. 7 is a detailed flowchart of a memory data encryption method according to an embodiment of the present invention. As shown in Fig. 7, the method may include:
S301, the host generates a memory write instruction to write the target data data5 to the host memory physical address addr5; the hardware structure of the host may be as shown in Fig. 8.
S302, the host configures a predetermined flag bit T, for example the next-highest bit, of the host memory physical address addr5; for example, it sets the next-highest bit T to 0 in order to turn off the address scrambling mode.
S303, the processor core core2 on which the host runs sends the host memory physical address addr5 and the operating mode of the processor core to the scrambling switch module.
S304, the scrambling switch module determines from the operating mode that the processor core is currently in host mode, and reads that the predetermined flag bit T of the host memory physical address addr5 is 0.
S305, the scrambling switch module turns off the address scrambling mode according to the value of the predetermined flag bit T.
S306, the processor core core2 on which the host runs sends the plaintext data data5 to the encryption module.
S307, the encryption module encrypts the target data data5 in the non-address-scrambling mode, producing the ciphertext data6.
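The two flows above (S201 to S209 and S301 to S307) differ only in which address the scrambling switch module reads the flag bit from. The following added Python model is not the patent's or Haiguang's code; it assumes a 48-bit physical address of which the modelled DRAM decodes only 40 bits, so that the next-highest bit T is a redundant address bit as claim 1 requires, and it represents the two processor core operating modes as an enum. It shows the switch consulting the virtual machine memory physical address in virtual machine mode and the host memory physical address in host mode, and stripping the flag bit before the address is sent on to memory:

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Modelled address layout (assumption, not from the patent): 48-bit physical
# addresses of which the DRAM decodes only the low IMPLEMENTED_BITS, so the
# next-highest bit T is redundant for addressing and can carry the switch.
ADDR_BITS = 48
IMPLEMENTED_BITS = 40
T_BIT = 1 << (ADDR_BITS - 2)


class CoreMode(Enum):
    HOST = "host"
    VIRTUAL_MACHINE = "virtual_machine"


@dataclass(frozen=True)
class SwitchDecision:
    queried_address: int   # address whose predetermined flag bit T was consulted
    flag_t: int            # value read from that flag bit
    scrambling_on: bool    # mode handed to the encryption module
    dram_address: int      # host address with the indicator bits stripped


def flag_bit_is_redundant() -> bool:
    """Layout sanity check: T must lie above every implemented address bit,
    otherwise setting it would alias a different memory location."""
    return T_BIT >= (1 << IMPLEMENTED_BITS)


def scrambling_switch(mode: CoreMode, host_phys_addr: int,
                      vm_phys_addr: Optional[int] = None) -> SwitchDecision:
    """Scrambling switch module: pick the address that belongs to the current
    operating mode, read its flag bit T, and decide the encryption mode."""
    if mode is CoreMode.VIRTUAL_MACHINE:
        if vm_phys_addr is None:
            raise ValueError("virtual machine mode requires the VM memory physical address")
        queried = vm_phys_addr          # S205: flag bit read from the VM address
    elif mode is CoreMode.HOST:
        queried = host_phys_addr        # S304: flag bit read from the host address
    else:
        raise ValueError("unknown processor core operating mode")
    flag_t = 1 if queried & T_BIT else 0
    return SwitchDecision(
        queried_address=queried,
        flag_t=flag_t,
        scrambling_on=bool(flag_t),
        dram_address=host_phys_addr & ((1 << IMPLEMENTED_BITS) - 1),
    )


def vm_write_path(addr2: int, addr3: int) -> SwitchDecision:
    """Steps S203 to S206: V1 clears T in addr2, core1 forwards addr2, addr3
    and its mode, and the switch decides from addr2 alone."""
    addr2 &= ~T_BIT                     # S203: the VM configures T=0 in its own address
    return scrambling_switch(CoreMode.VIRTUAL_MACHINE, addr3, addr2)


def host_write_path(addr5: int) -> SwitchDecision:
    """Steps S302 to S305: the host clears T in addr5 and the switch decides from it."""
    addr5 &= ~T_BIT                     # S302: the host configures T=0
    return scrambling_switch(CoreMode.HOST, addr5)


if __name__ == "__main__":
    # Constructed addresses for the walk-through; the values carry no meaning.
    print(vm_write_path(addr2=0x2000 | T_BIT, addr3=0x9000 | T_BIT))
    print(host_write_path(addr5=0x5000 | T_BIT))
```

In the virtual machine walk-through the host address addr3 still carries T=1, yet scrambling ends up off because, in virtual machine mode, the switch reads the bit from addr2 as step S205 describes; the DRAM address is the host address with the indicator bits masked away, which is what makes the flag bit "redundant" for addressing.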
Correspondingly, as shown in fig. 9, an embodiment of the present invention further provides an encryption device for memory data, including: a query module 41, configured to query a predetermined flag bit of a memory physical address; a determining module 42, configured to determine whether to start an address scrambling mode for the data to be written into the memory according to the predetermined flag bit; an encryption module 43, configured to, if it is determined that an address scrambling mode is turned on for the data to be written into the memory, encrypt the data to be written into the memory using the address scrambling mode; if the data to be written into the memory is determined not to start the address scrambling mode, the data to be written into the memory is encrypted by adopting the non-address scrambling mode.
The encryption method for memory data provided by the embodiment of the invention queries the predetermined flag bit of the memory physical address and determines from it whether to turn on the address scrambling mode for the data to be written to the memory, and thus whether that data is encrypted using address scrambling. When data is encrypted without address scrambling, it can be migrated quickly and conveniently, which effectively improves the migration performance of memory data.
Alternatively, the query module 41 may include: the first query unit is used for querying a preset flag bit of the memory physical address of the virtual machine; or the second query unit is used for querying the preset flag bit of the physical address of the host memory.
Optionally, the first query unit may specifically be configured to: determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode; and if the operation mode is a virtual machine mode, inquiring a preset flag bit of a physical address of a memory of the virtual machine.
Optionally, the second query unit may specifically be configured to: determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode; if the operation mode is the host mode, inquiring a preset flag bit of a physical address of a host memory.
Optionally, the encryption device may further include a first configuration module, configured to configure, by the virtual machine running on the processor core, a predetermined flag bit of a memory physical address of the virtual machine before querying the predetermined flag bit of the memory physical address of the virtual machine.
Optionally, the encryption device may further include a second configuration module configured to configure, by the host running on the processor core, a predetermined flag bit of the host memory physical address before querying the predetermined flag bit of the host memory physical address.
In a third aspect, as shown in fig. 10, an embodiment of the present invention further provides a CPU chip 5 including: at least one processor core 51, a scrambling switch module 52 and an encryption module 53.
The processor core 51 may be configured to send a memory physical address to the scrambling switch module.
The scramble switch module 52 may be used to: inquiring a preset flag bit of a memory physical address; and determining whether an address scrambling mode is started for the data to be written into the memory according to the preset flag bit.
An encryption module 53, which may be used to: if the address scrambling mode is determined to be started for the data to be written into the memory, encrypting the data to be written into the memory by adopting the address scrambling mode; if the data to be written into the memory is determined not to start the address scrambling mode, the data to be written into the memory is encrypted by adopting the non-address scrambling mode.
Optionally, the scrambling switch module 52 may be specifically configured to: inquiring a preset flag bit of a physical address of a memory of the virtual machine; or, inquiring a preset flag bit of the physical address of the host memory.
Optionally, the scrambling switch module 52 may be specifically configured to: determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode; and if the operation mode is a virtual machine mode, inquiring a preset flag bit of a physical address of a memory of the virtual machine.
Optionally, the scrambling switch module 52 may be specifically configured to: determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode; if the operation mode is the host mode, inquiring a preset flag bit of a physical address of a host memory.
Optionally, the processor core 51 is further configured to configure the predetermined flag bit of the virtual machine memory physical address by a virtual machine running on the processor core before sending the memory physical address.
Optionally, the processor core 51 is further configured to configure the predetermined flag bit of the host memory physical address by a host running on the processor core 51 before sending the memory physical address.
Optionally, a memory controller may be further included in the CPU chip, and the scrambling switch module 52 and the encryption module 53 may be located in the memory controller or located outside the memory controller.
Accordingly, as shown in fig. 11, the server provided by the embodiment of the present invention may include: the processor 62 and the memory 63 are arranged on the circuit board 64, wherein the circuit board 64 is arranged in a space surrounded by the shell 61; a power supply circuit 65 for supplying power to the respective circuits or devices of the above-described electronic apparatus; the memory 63 is for storing executable program code; the processor 62 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 63, for executing any one of the memory encryption methods provided in the foregoing embodiments.
It is noted that relational terms such as first and second are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises that element.
In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments.
In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
For convenience of description, the above apparatus is described as being functionally divided into various units/modules, respectively. Of course, the functions of the various elements/modules may be implemented in the same piece or pieces of software and/or hardware when implementing the present invention.
Those skilled in the art will appreciate that implementing all or part of the above-described methods according to the embodiments may be accomplished by way of a computer program stored on a computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (19)

1. An encryption method for memory data, comprising:
inquiring a preset flag bit of a memory physical address; the memory physical address comprises a plurality of address bits, each address bit is used for indicating storage position indication information and address scrambling switch indication information of data to be written into a memory, and the predetermined flag bit is a redundant bit in the plurality of address bits;
determining whether an address scrambling mode is started for data to be written into the memory according to the preset flag bit;
if the address scrambling mode is determined to be started for the data to be written into the memory, encrypting the data to be written into the memory by adopting the address scrambling mode;
if the data to be written into the memory is determined not to start the address scrambling mode, the data to be written into the memory is encrypted by adopting the non-address scrambling mode.
2. The encryption method according to claim 1, wherein the querying the predetermined flag bit of the memory physical address includes:
querying a predetermined flag bit of the virtual machine memory physical address; or,
and inquiring a preset flag bit of the physical address of the host memory.
3. The encryption method according to claim 2, wherein the querying the predetermined flag bit of the physical address of the virtual machine memory comprises:
determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode;
and if the operation mode is a virtual machine mode, inquiring a preset flag bit of a physical address of a memory of the virtual machine.
4. The encryption method according to claim 2 or 3, wherein before querying the predetermined flag bit of the virtual machine memory physical address, the method further comprises:
and configuring the preset flag bit of the memory physical address of the virtual machine through the virtual machine running on the processor core.
5. The encryption method according to claim 2, wherein the querying the predetermined flag bit of the host memory physical address comprises:
determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode;
if the operation mode is the host mode, inquiring a preset flag bit of a physical address of a host memory.
6. The encryption method according to claim 2 or 5, wherein before the predetermined flag bit of the host memory physical address is queried, the method further comprises:
the predetermined flag bit of the host memory physical address is configured by a host running on the processor core.
7. An encryption device for memory data, comprising:
the query module is used for querying a predetermined flag bit of the memory physical address; the memory physical address comprises a plurality of address bits, each address bit is used for indicating storage position indication information and address scrambling switch indication information of data to be written into a memory, and the predetermined flag bit is a redundant bit in the plurality of address bits;
the determining module is used for determining whether an address scrambling mode is started for the data to be written into the memory according to the preset flag bit;
the encryption module is used for carrying out encryption processing on the data to be written into the memory by adopting the address scrambling mode if the address scrambling mode is determined to be started on the data to be written into the memory; if the data to be written into the memory is determined not to start the address scrambling mode, the data to be written into the memory is encrypted by adopting the non-address scrambling mode.
8. The encryption device of claim 7, wherein the query module comprises:
the first query unit is used for querying a predetermined flag bit of the virtual machine memory physical address; or,
and the second inquiry unit is used for inquiring the preset flag bit of the physical address of the host memory.
9. The encryption device according to claim 8, wherein the first querying unit is specifically configured to:
determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode;
and if the operation mode is a virtual machine mode, inquiring a preset flag bit of a physical address of a memory of the virtual machine.
10. The encryption device of claim 8 or 9, further comprising a first configuration module configured to configure a predetermined flag bit of a virtual machine memory physical address by a virtual machine running on a processor core prior to querying the predetermined flag bit of the virtual machine memory physical address.
11. The encryption device according to claim 8, wherein the second querying unit is specifically configured to:
determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode;
if the operation mode is the host mode, inquiring a preset flag bit of a physical address of a host memory.
12. The encryption device of claim 8 or 11, further comprising a second configuration module configured to configure a predetermined flag bit of a host memory physical address by a host running on the processor core prior to querying the predetermined flag bit of the host memory physical address.
13. A CPU chip, comprising: at least one processor core, a scrambling switch module, and an encryption module;
the processor core is used for sending the memory physical address to the scrambling switch module;
the scrambling switch module is used for: inquiring a preset flag bit of a physical address of a memory, and determining whether an address scrambling mode is started for data to be written into the memory according to the preset flag bit; the memory physical address comprises a plurality of address bits, each address bit is used for indicating storage position indication information and address scrambling switch indication information of data to be written into a memory, and the predetermined flag bit is a redundant bit in the plurality of address bits;
the encryption module is used for: if the address scrambling mode is determined to be started for the data to be written into the memory, encrypting the data to be written into the memory by adopting the address scrambling mode; if the data to be written into the memory is determined not to start the address scrambling mode, the data to be written into the memory is encrypted by adopting the non-address scrambling mode.
14. The CPU chip of claim 13, wherein the scrambling switch module is specifically configured to: inquiring a preset flag bit of a physical address of a memory of the virtual machine; or, inquiring a preset flag bit of the physical address of the host memory.
15. The CPU chip of claim 14, wherein the scrambling switch module is specifically configured to:
determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode;
and if the operation mode is a virtual machine mode, inquiring a preset flag bit of a physical address of a memory of the virtual machine.
16. The CPU chip of claim 14 or 15, wherein the processor core is further configured to configure the predetermined flag bit of a virtual machine memory physical address by a virtual machine running on the processor core before sending the memory physical address.
17. The CPU chip of claim 14, wherein the scrambling switch module is specifically configured to:
determining an operation mode of a processor core, wherein the operation mode comprises a host mode or a virtual machine mode;
if the operation mode is the host mode, inquiring a preset flag bit of a physical address of a host memory.
18. The CPU chip of claim 14 or 17, wherein the processor core is further configured to configure the predetermined flag bit of a host memory physical address by a host running on the processor core prior to transmitting the memory physical address.
19. A server, comprising: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space surrounded by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory for performing the method of any of the preceding claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911277424.1A CN111125791B (en) 2019-12-11 2019-12-11 Memory data encryption method and device, CPU chip and server

Publications (2)

Publication Number Publication Date
CN111125791A CN111125791A (en) 2020-05-08
CN111125791B true CN111125791B (en) 2023-08-29

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112099901B (en) * 2020-08-17 2022-10-11 Haiguang Information Technology Co., Ltd. Method and device for configuring virtual machine memory data encryption mode and CPU chip

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH06133314A (en) * 1992-09-03 1994-05-13 Matsushita Electric Ind Co Ltd Video signal secreting processor
CN103154963A (en) * 2010-10-05 2013-06-12 Hewlett-Packard Development Company, L.P. Scrambling an address and encrypting write data for storing in a storage device
CN108073353A (en) * 2016-11-15 2018-05-25 Huawei Technologies Co., Ltd. Data processing method and device
CN110309678A (en) * 2019-06-28 2019-10-08 Zhaoxun Hengda Microelectronics Technology (Beijing) Co., Ltd. Memory scrambling method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 300 000 Tianjin Binhai New Area Tianjin Huayuan Industrial Zone No. 18 Haitai West Road North 2-204 industrial incubation-3-8

Applicant after: Haiguang Information Technology Co.,Ltd.

Address before: 300 000 Tianjin Binhai New Area Tianjin Huayuan Industrial Zone No. 18 Haitai West Road North 2-204 industrial incubation-3-8

Applicant before: HAIGUANG INFORMATION TECHNOLOGY Co.,Ltd.

GR01 Patent grant