CN111125794B - Access control method, system and storage device controller - Google Patents


Info

Publication number
CN111125794B
Authority
CN
China
Prior art keywords
storage device
data
message authentication
storage
authentication data
Legal status
Active
Application number
CN201911412224.2A
Other languages
Chinese (zh)
Other versions
CN111125794A (en)
Inventor
姜莹
王海洋
Current Assignee
Haiguang Yunxin Integrated Circuit Design Shanghai Co ltd
Original Assignee
Haiguang Yunxin Integrated Circuit Design Shanghai Co ltd
Application filed by Haiguang Yunxin Integrated Circuit Design Shanghai Co ltd
Priority to CN201911412224.2A
Publication of CN111125794A
Application granted
Publication of CN111125794B
Legal status: Active
Anticipated expiration


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

A memory access control method, system and storage device controller. One memory access control method includes: based on a received write data request, acquiring the valid data block to be written and the storage address of that block; generating corresponding message authentication data for the valid data block to be written, generating a storage address for that message authentication data in a first storage device, and caching the message authentication data together with its storage address in the first storage device into a second storage device; writing the valid data block into the first storage device at the storage address of the valid data block; and, in response to a preset trigger condition, blocking access requests for a preset period and, within that period, writing the message authentication data cached in the second storage device into the first storage device at the storage addresses held in the second storage device. The scheme allows data integrity checks on the valid data in a storage device at low storage cost.

Description

Access control method, system and storage device controller
Technical Field
Embodiments of the present disclosure relate to the field of computer technology, and in particular to a memory access control method, a memory access control system and a storage device controller.
Background
In a computer system, even when the data in a storage device is encrypted, an attacker may in some cases still compromise that data through a malicious program. For example, the memory used by a virtual machine is provided by the host; although the data in that memory is encrypted, a malicious program on the host can still modify the encrypted data, for instance by a ciphertext collision attack or similar means.
At present, however, there is no effective protection mechanism for data stored in a storage device against this problem.
Disclosure of Invention
In view of this, embodiments of the present disclosure provide a memory access control method, system and storage device controller that can check the integrity of valid data in a storage device at low storage cost.
An embodiment of this specification provides a memory access control method including the following steps:
based on a received write data request, acquiring the valid data block to be written and the storage address of that valid data block;
generating corresponding message authentication data for the valid data block to be written, generating a storage address for the message authentication data in a first storage device, and caching the message authentication data and its storage address in the first storage device into a second storage device;
writing the valid data block into the first storage device at the storage address of the valid data block;
in response to a preset trigger condition, blocking access requests for a preset period and, within that period, writing the message authentication data cached in the second storage device into the first storage device at the storage address held in the second storage device;
wherein the message authentication data is used to perform a data integrity check on the corresponding valid data block when it is subsequently read out of the first storage device.
Optionally, the preset trigger condition includes at least one of the following:
the free storage space of the second storage device is below a preset capacity threshold;
the bandwidth of the first storage device is idle.
Optionally, generating the corresponding message authentication data for the valid data block to be written includes: generating the message authentication data for the valid data block according to a preset first generation method.
Optionally, generating the storage address of the message authentication data in the first storage device includes: generating that storage address from the storage address of the valid data block according to a preset second generation method, based on a preset address division rule of the first storage device.
Optionally, the preset address division rule of the first storage device is: the address range of the first storage device is divided, in a preset storage space proportion, into a first address segment corresponding to a valid data storage area and a second address segment corresponding to a message authentication data storage area.
Optionally, generating the storage address of the message authentication data in the first storage device from the storage address of the valid data block according to the preset second generation method, based on the preset address division rule, includes:
generating an offset address of the message authentication data within the second address segment according to a preset linear mapping, using the preset storage space proportion between the first address segment (valid data storage area) and the second address segment (message authentication data storage area), the address of the valid data block and the acquired base address of the message authentication data storage area; and obtaining the storage address of the message authentication data in the first storage device from that base address and the offset address.
Optionally, before generating the message authentication data for the valid data block to be written and its storage address in the first storage device, the method further includes: determining that the data integrity protection identifier carried in the write data request is in a valid state.
Optionally, the first storage device is a memory and the second storage device is a random access memory arranged in the memory controller.
An embodiment of this specification also provides a memory access control method including the following steps:
based on a received read data request, acquiring the storage address of the valid data block to be read;
calculating, from the storage address of the valid data block to be read, the storage address in the first storage device of the message authentication data corresponding to that block;
determining, from the storage address of the message authentication data in the first storage device, whether the message authentication data is held in a second storage device;
reading the corresponding valid data block from the first storage device at its storage address; if the message authentication data is determined not to be held in the second storage device, fetching it from the first storage device as first message authentication data; if it is determined to be held in the second storage device, fetching it from the second storage device as first message authentication data;
generating corresponding message authentication data from the valid data block that was read, as second message authentication data;
comparing the first message authentication data with the second message authentication data; if they match, determining that the data integrity check of the valid data block passes, otherwise determining that it fails;
when the integrity check of the data block passes, returning the valid data block corresponding to the read data request;
wherein the second storage device caches the message authentication data together with its storage address in the first storage device, and the cached message authentication data is written into the first storage device at the storage address held in the second storage device when a preset trigger condition is met.
Optionally, the preset trigger condition includes at least one of the following:
the free storage space of the second storage device is below a preset capacity threshold;
the bandwidth of the first storage device is idle.
Optionally, the address range of the first storage device is divided, in a preset storage space proportion, into a first address segment corresponding to a valid data storage area and a second address segment corresponding to a message authentication data storage area.
Optionally, before calculating the storage address of the message authentication data corresponding to the valid data block to be read, the method further includes: determining that the data integrity protection identifier carried in the read data request is in a valid state.
Optionally, the access control method further includes: when the integrity check of the data block fails, sending an interrupt request to a preset security processing device so that it performs a preset data protection operation on the read data request.
Optionally, the first storage device is a memory and the second storage device is a random access memory arranged in the memory controller.
Optionally, determining whether the message authentication data is held in the second storage device includes: using a read hit determiner provided in the memory controller to determine, from the storage address of the message authentication data in the memory, whether the message authentication data is held in the random access memory.
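The write method, the linear address mapping and the read method described above, as an added worked example that is not part of the patent or of the assignee's code. Everything the patent leaves open is an assumption here: 64-byte valid data blocks and 8-byte tags (so the first and second address segments are split 8:1), truncated HMAC-SHA256 as the "first generation method", a 4-entry tag cache standing in for the controller RAM, a flush triggered only by cache occupancy (the bandwidth-idle trigger is not modelled), and the security-processor interrupt modelled as an exception plus a recorded address. Binding the block's address into the tag is also an added design choice, not something the patent states.

```python
"""Toy model of the patented write / flush / read flow (constructed example, not the patent's code).

Assumptions not fixed by the patent: 64-byte valid data blocks, 8-byte tags (so the data and tag
regions are split 8:1), truncated HMAC-SHA256 as the "first generation method", the tag bound to
the block's address, a 4-entry tag cache, and a flush triggered only by cache occupancy."""
import hashlib
import hmac

BLOCK_SIZE = 64                     # bytes per valid data block (assumption)
TAG_SIZE = 8                        # bytes of message authentication data per block (assumption)
RATIO = BLOCK_SIZE // TAG_SIZE      # storage space proportion data:tag, 8:1 here


class IntegrityError(Exception):
    """Stands in for the interrupt the controller raises to the security processing device."""


class MemoryController:
    def __init__(self, mem_size, cache_entries, key):
        # First storage device: one flat address range split by the fixed proportion.
        self.mem = bytearray(mem_size)
        self.data_base = 0
        self.data_size = mem_size * RATIO // (RATIO + 1)   # first address segment
        self.tag_base = self.data_size                      # second address segment starts here
        # Second storage device: small RAM inside the controller, keyed by tag address.
        self.cache = {}
        self.cache_entries = cache_entries
        self.key = key                                      # stays inside the controller, never in mem
        self.flushes = 0            # number of "access blocked" write-back windows
        self.interrupts = []        # addresses reported to the security processing device

    def tag_address(self, data_addr):
        # Second generation method: linear map from the data segment into the tag segment.
        offset = (data_addr - self.data_base) // BLOCK_SIZE * TAG_SIZE
        return self.tag_base + offset

    def make_tag(self, data_addr, block):
        # First generation method. Binding the address is an added design choice: without it a
        # host could swap two (block, tag) pairs and both would still verify.
        msg = data_addr.to_bytes(8, "little") + block
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_SIZE]

    def write(self, data_addr, block, protect=True):
        """Write request; `protect` models the data integrity protection identifier."""
        assert len(block) == BLOCK_SIZE and data_addr % BLOCK_SIZE == 0
        if protect:
            self.cache[self.tag_address(data_addr)] = self.make_tag(data_addr, block)
        self.mem[data_addr:data_addr + BLOCK_SIZE] = block
        if len(self.cache) >= self.cache_entries:   # trigger: free cache space below threshold
            self.flush()

    def flush(self):
        # Preset period in which other access requests are blocked; drain cache to the tag region.
        self.flushes += 1
        for tag_addr, tag in self.cache.items():
            self.mem[tag_addr:tag_addr + TAG_SIZE] = tag
        self.cache.clear()

    def read(self, data_addr, protect=True):
        """Read request: verify the block against the cached or stored tag before returning it."""
        block = bytes(self.mem[data_addr:data_addr + BLOCK_SIZE])
        if not protect:
            return block                                    # ordinary read, no check
        tag_addr = self.tag_address(data_addr)
        if tag_addr in self.cache:                          # read hit determiner
            first = self.cache[tag_addr]
        else:
            first = bytes(self.mem[tag_addr:tag_addr + TAG_SIZE])
        second = self.make_tag(data_addr, block)
        if not hmac.compare_digest(first, second):
            self.interrupts.append(data_addr)
            raise IntegrityError(f"integrity check failed for block at 0x{data_addr:x}")
        return block


def demo():
    """Six protected writes through a 4-entry cache, then a host-side tamper on one block."""
    ctl = MemoryController(mem_size=9 * 4096, cache_entries=4, key=b"controller-secret-key")
    blocks = {i * BLOCK_SIZE: bytes([0x10 + i]) * BLOCK_SIZE for i in range(6)}
    for addr, blk in blocks.items():
        ctl.write(addr, blk)
    still_cached = sum(ctl.tag_address(a) in ctl.cache for a in blocks)
    reads_ok = all(ctl.read(a) == b for a, b in blocks.items())
    ctl.mem[2 * BLOCK_SIZE] ^= 0x01        # host flips one ciphertext bit behind the controller
    try:
        ctl.read(2 * BLOCK_SIZE)
        detected = False
    except IntegrityError:
        detected = True
    return ctl.flushes, still_cached, reads_ok, detected, list(ctl.interrupts)


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible that the claims only imply. First, a protected read of a block that has never been written with protection fails, because the tag region is still zero; a real controller needs an initialisation pass or a valid bit per tag. Second, the tag region lives in the same host-accessible memory as the data, so the scheme's security rests entirely on the key never leaving the controller; a tag the host can recompute is no protection at all.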
An embodiment of this specification also provides a memory access control system including:
a first storage device for storing valid data blocks and the message authentication data corresponding to them;
a second storage device for caching the message authentication data corresponding to a valid data block together with its storage address in the first storage device;
a storage device controller for controlling access to the valid data blocks in the first storage device, the control including: based on a received write data request, acquiring the valid data block to be written and its storage address; generating corresponding message authentication data for the valid data block to be written, generating a storage address for that message authentication data in the first storage device, and storing the message authentication data and its storage address in the first storage device into the second storage device; writing the valid data block into the first storage device at its storage address; and, in response to a preset trigger condition, blocking access requests for a preset period and, within that period, writing the message authentication data held in the second storage device into the first storage device at the storage address held in the second storage device;
wherein the message authentication data is used to perform a data integrity check on the corresponding valid data block when it is subsequently read out of the first storage device.
Optionally, the address range of the first storage device is divided, in a preset storage space proportion, into a first address segment corresponding to a valid data storage area and a second address segment corresponding to a message authentication data storage area.
Optionally, the storage device controller is adapted to generate an offset address of the message authentication data within the second address segment according to a preset linear mapping, using the preset storage space proportion between the first address segment (valid data storage area) and the second address segment (message authentication data storage area), the address of the valid data block and the acquired base address of the message authentication data storage area, and to obtain the storage address of the message authentication data in the first storage device from that base address and the offset address.
Optionally, the first storage device is a memory, and the second storage device is a random access memory arranged in the storage device controller.
An embodiment of this specification also provides another access control system including:
a first storage device for storing valid data blocks and the message authentication data corresponding to them;
a second storage device for caching the message authentication data corresponding to a valid data block together with its storage address in the first storage device, the cached message authentication data being written into the first storage device at that storage address when a preset trigger condition is met;
a storage device controller for controlling access to the valid data blocks in the first storage device, the control including: based on a received read data request, acquiring the storage address of the valid data block to be read; calculating, from that address, the storage address in the first storage device of the message authentication data corresponding to the block; determining, from the storage address of the message authentication data in the first storage device, whether the message authentication data is held in the second storage device; reading the corresponding valid data block from the first storage device at its storage address; fetching the message authentication data from the first storage device as first message authentication data when it is determined not to be held in the second storage device, or from the second storage device as first message authentication data when it is; generating corresponding message authentication data from the valid data block that was read, as second message authentication data; comparing the first message authentication data with the second message authentication data and determining that the data integrity check of the valid data block passes when they match, or fails otherwise; and returning the valid data block corresponding to the read data request when the integrity check of the data block passes.
Optionally, the address range of the first storage device is divided, in a preset storage space proportion, into a first address segment corresponding to a valid data storage area and a second address segment corresponding to a message authentication data storage area.
Optionally, the access control system further includes a security processing device;
the storage device controller is further adapted to send an interrupt request to the preset security processing device when the integrity check of the data block fails, so that the security processing device performs a preset data protection operation on the read data request;
the security processing device is adapted to perform the preset data protection operation on the read data request in response to the interrupt request.
Optionally, the first storage device is a memory, and the second storage device is a random access memory arranged in the storage device controller.
An embodiment of the present disclosure further provides a storage device controller, coupled to a first storage device and a second storage device and adapted to control data read and write operations, the storage device controller including:
a first data acquisition unit adapted to acquire, from a received write data request, the valid data block to be written and its storage address;
a first check data generation unit adapted to generate corresponding message authentication data for the valid data block to be written and to generate a storage address for that message authentication data in the first storage device;
a first access control unit adapted to write the valid data block into the first storage device at its storage address;
a first check data processing unit adapted to store the message authentication data and its storage address in the first storage device into the second storage device and, in response to a preset trigger condition, to block access requests for a preset period and, within that period, write the message authentication data held in the second storage device into the first storage device at the storage address held in the second storage device.
Optionally, the first check data generation unit is adapted to generate the storage address of the message authentication data in the first storage device from the storage address of the valid data block according to a preset second generation method, based on a preset address division rule of the first storage device.
Optionally, the address range of the first storage device is divided, in a preset storage space proportion, into a first address segment corresponding to a valid data storage area and a second address segment corresponding to a message authentication data storage area.
Optionally, the storage device controller further includes a first data integrity protection identifier identification unit adapted to determine whether the data integrity protection identifier carried in a received write data request is in a valid state and, when it is, to trigger the first check data generation unit to process the write data request.
Optionally, the first storage device is a memory, the second storage device is contained in the storage device controller, and the second storage device is a random access memory.
An embodiment of the present disclosure also provides another storage device controller, coupled to a first storage device and a second storage device and adapted to control data read and write operations, the storage device controller including:
a second data acquisition unit adapted to acquire, from a received read data request, the storage address of the valid data block to be read;
a second check data acquisition unit adapted to calculate, from the storage address of the valid data block to be read, the storage address in the first storage device of the corresponding message authentication data; to determine from that address whether the message authentication data is held in the second storage device; and to fetch the message authentication data from the first storage device as first message authentication data when it is not held in the second storage device, or from the second storage device as first message authentication data when it is;
a second access control unit adapted to read the corresponding valid data block from the first storage device at its storage address;
a second check data generation unit adapted to generate corresponding message authentication data from the valid data block that was read, as second message authentication data;
a data integrity check unit adapted to compare the first message authentication data with the second message authentication data and to determine that the data integrity check of the valid data block passes when they match, or fails otherwise;
a data return unit adapted to return the valid data block corresponding to the read data request when the data integrity check unit determines that the integrity check passes;
wherein the second storage device caches the message authentication data together with its storage address in the first storage device, and the cached message authentication data is written into the first storage device at that storage address when a preset trigger condition is met.
Optionally, the address range of the first storage device is divided, in a preset storage space proportion, into a first address segment corresponding to a valid data storage area and a second address segment corresponding to a message authentication data storage area.
Optionally, the storage device controller further includes an interrupt unit adapted to send an interrupt request to a preset security processing device when the data integrity check unit determines that the integrity check of the data block fails, so that the security processing device performs a preset data protection operation on the read data request in response to the interrupt request.
Optionally, the storage device controller further includes a second data integrity protection identifier identification unit adapted to determine whether the data integrity protection identifier carried in a received read data request is in a valid state and, when it is, to trigger the second check data acquisition unit to process the read data request.
Optionally, the first storage device is a memory, the second storage device is contained in the storage device controller, and the second storage device is a random access memory.
Optionally, the second check data acquisition unit includes a read hit determiner adapted to determine, from the storage address of the message authentication data in the first storage device, whether the message authentication data is held in the random access memory.
By adopting the access control scheme in the embodiment of the specification, on one hand, for a data writing request, corresponding message authentication data and a storage address of the message authentication data in a first storage device can be generated for an effective data block to be written, the message authentication data and the storage address of the message authentication data in the first storage device are cached to a second storage device, and the effective data block is written into the first storage device based on the storage address of the effective data block, so that the effective data block is written into the first storage device. For writing a valid data block into a first storage device through the above-described data writing process, in a subsequent reading process from the first storage device, data integrity verification can be performed by the message authentication data stored by the first storage device or a second storage device, so that the valid data block can be prevented from being tampered with during storage in the first storage device. And the message authentication data is cached through the second storage device, the access request is prevented within a preset time period in response to a preset trigger condition, and the message authentication data cached in the second storage device is written into the first storage device within the preset time period according to the storage address stored by the second storage device, so that the data integrity of the effective data in the first storage device is protected, only one second storage device with smaller storage space is required to be expanded, and the data integrity verification of the effective data in the first storage device can be realized with smaller storage cost. 
In addition, in response to a preset trigger condition, the access request is prevented within a preset time period, and the message authentication data cached in the second storage device is written into the first storage device according to the storage address stored in the second storage device within the preset time period, so that the operation of inserting the message authentication data after the writing operation of each effective data block is not needed, the pipeline is prevented from being damaged, and the bandwidth overhead of the message authentication data storage is reduced.
By adopting the access control scheme in the embodiment of the present disclosure, on the other hand, for a read data request, a storage address of message authentication data corresponding to a valid data block to be read in a first storage device may be calculated based on the storage address of the valid data block, then, by determining whether the message authentication data is stored in the first storage device or a second storage device, and acquiring the message authentication data from the first storage device or the second storage device, as first message authentication data, comparing the first message authentication data with second message authentication data generated based on the read valid data block, so as to determine whether the data integrity check of the valid data block passes, and when it is determined that the integrity check of the data block passes, returning the valid data block corresponding to the read data request, so as to implement reading of the valid data block from the first storage device. According to the data reading process, the data integrity of the valid data block is checked through the message authentication data stored in the first storage device or the second storage device, so that whether the valid data block is tampered during the storage period of the first storage device can be found, and the integrity check of the valid data block during the storage period of the first storage device can be realized. 
In addition, the second storage device is adopted to cache the message authentication data, and when the preset trigger condition is met, the message authentication data can be written into the first storage device, so that in order to realize the data integrity protection of the effective data in the first storage device, only one second storage device with smaller storage space is required to be expanded, and the data integrity verification of the effective data in the first storage device can be realized with smaller storage cost. In addition, the message authentication data corresponding to the valid data blocks cached in the second storage device is written into the first storage device only in response to a preset trigger condition, so that the operation of inserting the message authentication data after the writing operation of each valid data block is not needed, the pipeline is prevented from being damaged, and the bandwidth overhead of the message authentication data storage is reduced.
Further, when the bandwidth of the first storage device is idle, access requests are temporarily blocked for a preset time period, and within that period the message authentication data cached in the second storage device is written into the first storage device according to the storage addresses held in the second storage device, so that the bandwidth resource of the first storage device is fully utilized.
Further, the address range of the first storage device is partitioned, according to a preset storage space ratio, into a first address segment corresponding to the valid data storage area and a second address segment corresponding to the message authentication data storage area. The valid data corresponding to a write data request can therefore be stored contiguously; the message authentication data is transparent to the device issuing the write data request, and the valid data addresses seen by that device are contiguous, which avoids fragmented storage of the valid data and makes it convenient for that device to manage the addresses of the first storage device. In addition, because the device issuing the write data request cannot perceive the existence of the message authentication data, a maliciously hijacked host can be prevented from acquiring the valid data in the first storage device, further improving the security of the valid data stored in the first storage device.
Further, based on whether the data integrity protection identifier included in the write data request or the read data request is in a valid state: when the identifier in a write data request is valid, message authentication data corresponding to the valid data block to be written is generated; when the identifier in a read data request is valid, the data integrity verification operation is performed; and when the identifier in a write data request or a read data request is invalid, ordinary read access or write access to the first storage device is performed. Different security requirements of users for their data can thus be met, and waste of processing resources is avoided.
Further, when it is determined that the data integrity check of the data block fails, an interrupt request is sent to a preset security processing device, so that the security processing device performs a preset data protection processing operation on the read data request, thereby preventing the data in the first storage device from being tampered with and realizing integrity protection of the valid data in the first storage device.
Furthermore, on the one hand, a random access memory arranged in the memory controller buffers the message authentication data, so that no message authentication data write needs to be inserted after each write operation; blocking of the bandwidth used to receive memory access requests is avoided, the pipeline keeps executing normally, and the message authentication data is written into the memory when the memory bandwidth is idle, making effective use of the memory write bandwidth. On the other hand, when a valid data block is read, message authentication data still held in the random access memory of the memory controller is used for the data integrity check, so the message authentication data need not be read from the memory and memory read bandwidth is saved. In summary, caching the message authentication data in a random access memory arranged in the memory controller makes effective use of the memory bandwidth, improves the security of the stored data, and takes the processing performance of the system into account.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present description, the drawings that are required to be used in the embodiments of the present description or the description of the prior art will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present description, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a memory access control system according to an embodiment of the present disclosure;
FIG. 2 is a flow chart of a memory access control method according to an embodiment of the present disclosure;
FIG. 3 is a flowchart of another access control method according to an embodiment of the present disclosure;
FIG. 4 is a schematic structural diagram of a memory access control system in a specific application scenario according to an embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of a memory access control system in another specific application scenario in the embodiment of the present disclosure;
FIG. 6 is a schematic diagram of a storage device controller according to an embodiment of the present disclosure;
FIG. 7 is a schematic diagram of another storage device controller according to an embodiment of the present disclosure;
FIG. 8 shows a schematic diagram of memory area division in the first memory device in the embodiment of the present disclosure.
Detailed Description
As described in the background art, after virtual machine data is written into the memory, there is a risk of being tampered with.
To prevent tampering with the data in the storage device, the inventors have found that a data integrity protection mechanism may be added for the data in the storage device. Integrity protection of the memory data of a virtual machine is taken as an example for illustration. For the virtual machine to perform integrity verification on the memory data, as one implementation, information that allows the written data to be integrity-verified may be added to the data written into the memory; for convenience of description, such information is referred to herein as message authentication data. If the message authentication data is written into a second storage device other than the memory, then when the data written in the memory is read out, the corresponding message authentication data is read from the second storage device to verify whether the written data was tampered with during its storage in the memory.
The inventors find that as memory data is continuously written, a large amount of message authentication data is generated correspondingly and occupies a large amount of storage space, so the storage cost of the message authentication data is high. For this reason, the inventors considered writing the message authentication data into the memory together with the written data. However, as the inventors found during further research and practice, memory requests from the host are usually in units of one Cache Line or half a Cache Line, typically 64 bits for one Cache Line and 32 bits for half a Cache Line, so the data blocks for which message authentication data is generated on a memory write are required to be as small as possible, e.g. in units of 64 bits. This is mainly a consideration for reading data from the memory.
However, if the valid data block used to generate the message authentication data is small, a problem arises: each time a valid data block is written, the corresponding message authentication data must additionally be written. If a write of the message authentication data is inserted after every written valid data block, the bandwidth with which the memory controller receives host requests is blocked, the pipeline is disrupted, and a large memory bandwidth overhead results.
In view of the above problems, the embodiments of the present disclosure provide a corresponding access control scheme, which generates corresponding message authentication data based on a write data request, caches the corresponding message authentication data by using a storage device, writes the message authentication data into the storage device written by the write data request when a preset trigger condition is satisfied, and performs data integrity verification by using the stored message authentication data when the written data in the storage device is read out. The data integrity verification scheme of the embodiment of the specification can reduce the storage cost of the message authentication data.
In order that those skilled in the art will better understand the technical concepts, embodiments and advantages of the examples of the present specification, a detailed description will be given below by way of specific examples.
Firstly, the embodiment of the present disclosure provides a corresponding access control system, referring to the schematic structural diagram of the access control system shown in fig. 1, the access control system 10 may include a first storage device 11, a second storage device 12, and a storage device controller 13, where the storage device controller 13 may perform access control on the first storage device 11, and may perform data interaction with the first storage device 11 based on a read data request or a write data request.
For convenience of description, the data that a read data request asks to read, or that a write data request asks to write, is hereinafter referred to as valid data, and the operation unit of valid data corresponding to a read or write operation is hereinafter referred to as a valid data block. A valid data block may be a Cache Line or a Cache Block, or half a Cache Line or half a Cache Block; since the Cache Line or Cache Block is generally the minimum unit of data interaction in the storage device, choosing one or half a Cache Line or Cache Block as the valid data block unit improves memory efficiency. It will be appreciated that the specific size of the valid data block may be set according to specific needs, and the embodiment of the present disclosure does not limit it.
In the present embodiment, the first storage means 11 is adapted to store the valid data.
In order to protect the integrity of the valid data in the first storage device 11, corresponding message authentication data may be generated while the valid data is written into the first storage device 11 and stored in the first storage device 11 or the second storage device 12. When the valid data is subsequently read from the first storage device 11, the message authentication data is used for a data integrity check, so that tampering with the valid data while stored in the first storage device 11 can be identified and integrity verification of the valid data stored in the first storage device is implemented.
The storage device controller 13 may buffer the generated message authentication data and the address of the message authentication data to the second storage device 12. After that, when the preset trigger condition is met, the storage device controller 13 may temporarily block the access request, and write the message authentication data cached in the second storage device 12 into the first storage device 11 according to the storage address stored in the second storage device 12.
With this embodiment, the message authentication data is cached in the second storage device; in response to the preset trigger condition, access requests are blocked for a preset time period, within which the message authentication data cached in the second storage device is written into the first storage device according to the storage addresses held in the second storage device. Data integrity protection of the valid data in the first storage device is thereby realized, only one second storage device with a relatively small storage space needs to be added, and data integrity verification of the valid data in the first storage device is achieved at a relatively small storage cost.
In addition, by adopting the writing process of the effective data, the operation of inserting the message authentication data after the writing operation of each effective data block is not needed, so that the damage to a pipeline can be avoided, and the bandwidth overhead of the message authentication data storage can be reduced.
In order to enable those skilled in the art to better understand and implement the access control scheme in the embodiments of the present specification, the following details are provided for the access control operations from the data writing process and the data reading process according to specific embodiments.
Referring first to the flow chart of the memory control method shown in fig. 2, in a specific implementation, the memory control method may be executed by a memory device controller or other memory control device. When there is a write data request to the first storage device, as shown in FIG. 2, the following steps may be performed:
S21, based on the received write data request, acquiring a valid data block to be written and a storage address of the valid data block.
For example, a storage device controller may receive a write data request over a bus and then, based on the received write data request, obtain a 64 byte valid data block to be written to a first storage device and a storage address of the 64 byte valid data block at the first storage device.
In implementations, a CPU or CPU core or other processor (e.g., secure processor), host, etc. may issue a write data request to a storage device controller.
As an example of an implementation scenario, when a host generates a write data request, the write data request, an effective data block to be written, and a storage address of the effective data block may be transmitted to a storage device controller through a bus. The valid data block to be written, the storage address of the valid data block and the write data request command can be transmitted to the storage device controller through one bus or can be synchronously transmitted to the storage device controller through different buses. For example, the write data request may be transmitted via a write data bus, the valid data block to be written may be transmitted via a data bus, and the memory address of the valid data block may be transmitted via an address bus.
The specific size of the valid data block to be written may be set by the host, the CPU or the policy of the corresponding processor. In a specific example of the present disclosure, the first storage device is a memory, and a Cache Line or a Cache Block may be selected as the valid data block; since the Cache Line or Cache Block is the minimum unit of data interaction in the storage device, selecting it as the data block unit improves memory access efficiency.
In a specific implementation, the complete data block may not be received at one time, i.e. a complete valid data block to be written may be obtained based on a plurality of write data requests.
It will be appreciated that the size of the valid data block and the corresponding CPU policy may be set according to specific needs, which is not limited in the embodiment of the present disclosure.
S22, generating corresponding message authentication data for the valid data block to be written, and generating a storage address of the message authentication data in the first storage device.
In a specific implementation, a preset first generation method may be used to generate corresponding message authentication data. In this specification, the encoding form and specific number of bits of the message authentication data are not limited, and the specific generation algorithm adopted by the first generation method is not limited.
In some embodiments of the present description, a message authentication code (Message Authentication Code, MAC) may be employed as message authentication data.
As some specific examples, the first generation method may use at least one of the HMAC-MD5 signature algorithm, the HMAC-SHA1 signature algorithm, etc., or may use other mature data generation algorithms, a dedicated algorithm or an improved algorithm, which this specification does not limit.
A hash-based message authentication code (Hash-based Message Authentication Code, HMAC) operation takes a key and a message as inputs and uses a hash algorithm to generate a message digest as output.
The HMAC-MD5 signature algorithm is a keyed-hash algorithm constructed from the MD5 (message digest algorithm 5) hash function and used as a hash-based message authentication code (HMAC): it mixes a key with the message data, hashes the mixed result with the hash function, mixes the resulting hash value with the key, and then applies the hash function again; the output hash value has a length of 128 bits.
The HMAC-SHA1 signature algorithm may be used to generate a signature digest for a piece of message data.
In some embodiments of the present disclosure, the valid data block to be written may be used as message data, and the final operation result may be used as a MAC value.
In a specific implementation, the specific generation algorithm of the message authentication data can be implemented in a hardware, software or a combination of hardware and software mode. The implementation manner of the specific generation algorithm of the message authentication data is not limited in the embodiment of the present specification.
For the storage address of the message authentication data in the first storage device, in a specific implementation, it may be generated by a preset second generation method, based on a preset address division rule of the first storage device and on the storage address of the valid data block.
For example, the address of the valid data block to be written may be directly mapped according to a preset mapping relationship to obtain the address of the message authentication data. Alternatively, the address of the data block to be written may be transformed according to a preset nonlinear transformation to obtain the address of the message authentication data. It will be appreciated that several generation methods may be combined to generate the address of the message authentication data; for example, the preset direct mapping and the nonlinear transformation may be combined.
S23, the storage address of the message authentication data in the first storage device is cached to the second storage device.
In a specific implementation, a random access memory (Random Access Memory, RAM) may be used as the second storage device, and the message authentication data and the storage address of the message authentication data in the first storage device may be temporarily stored. For example, a static random access memory (Static Random Access Memory, SRAM) may be employed as the second storage means.
In an embodiment of the present disclosure, the memory is used as the first storage device, and valid data may be written into the memory. For example, for a received write data request, the memory controller generates message authentication data of a valid data block corresponding to the write data request, and caches the message authentication data in the second storage device. In an implementation, the second storage device may be disposed in the memory controller or may be disposed outside the memory controller. For example, a RAM may be specifically provided in the memory controller to buffer the MAC and the address of the MAC in the memory.
S24, writing the valid data block into a first storage device based on the storage address of the valid data block.
In a specific implementation, if the storage address of the valid data block included in the data writing request is a virtual address, the physical address of the valid data block in the first storage device may be obtained by searching a page table stored in advance, and the valid data block is written into a storage area corresponding to the physical address in the first storage device. The specific form of the storage address of the valid data block is not limited in the embodiment of the present specification.
S25, responding to a preset triggering condition, preventing access requests within a preset time period, and writing the message authentication data cached in the second storage device into the first storage device within the preset time period according to the storage address stored in the second storage device.
Wherein the message authentication data, whether stored in the first storage device or the second storage device, is adapted to perform a data integrity check on a corresponding valid data block written to the first storage device when subsequently read from the first storage device. The specific data integrity verification process will be described in connection with the following embodiments in which access control is performed based on read data requests.
In a specific implementation, the triggering condition may be set according to specific needs.
In some embodiments of the present disclosure, the preset trigger condition may be: the free storage space of the second storage device is smaller than a preset storage capacity threshold. Once the free storage space of the second storage device falls below the preset storage capacity threshold, the message authentication data held in the second storage device can be transferred to the first storage device according to the addresses of the corresponding message authentication data held in the second storage device. For example, when the second storage device is full and has no free storage space, the message authentication data held in it may be stored into the first storage device; or a certain margin may be set, and when the free storage space of the second storage device is smaller than a preset storage capacity threshold, for example smaller than 256 bytes, the message authentication data held in the second storage device may be stored into the first storage device.
In other embodiments of the present disclosure, the preset triggering condition may be: the bandwidth of the first storage device is in an idle state, so that the message authentication data stored in the second storage device can be stored into the first storage device upon detecting that the bandwidth of the first storage device is in an idle state. For example, when a write data bus with a first storage device is detected to be free, message authentication data stored in the second storage device may be stored into the first storage device through the write data bus.
In a specific implementation, the preset trigger condition may also be: the free storage space of the second storage device is smaller than a preset storage capacity threshold value and the bandwidth of the first storage device is in a free state. Accordingly, the message authentication data stored in the second storage means may be stored in the first storage means when this trigger condition is satisfied.
It will be appreciated that other trigger conditions may be selected according to the specific application environment, and the embodiments of the present disclosure do not limit the trigger conditions used.
When the preset trigger condition is met and the message authentication data in the second storage device is stored into the first storage device, the access requests on the corresponding transmission channel may be blocked temporarily, so as to avoid blocking the bandwidth of the transmission channel used to receive access requests. For example, if the storage device controller receives access requests through a bus, the access requests on the bus may first be blocked temporarily, and the blocking period may be set according to the time needed to write the message authentication data cached in the second storage device into the first storage device; for example, the blocking period may be set to one write operation period, such as one clock cycle.
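To make steps S21 to S25, together with the read-side integrity check and the interrupt to the security processing device described earlier, concrete, the following is an added example in Python; it is not code from the patent or its assignee, but a constructed software model of the storage device controller. HMAC-MD5 (one of the first generation methods named for S22) produces the message authentication data, a Python dict stands in for each storage device, and the base address of the MAC area, the SRAM capacity, the flush threshold, the key and the sample blocks are all assumptions made for this example.

```python
"""Constructed model of the write and read paths of the storage device controller.
Added example, not the patent's implementation; all constants below are assumptions."""
import hmac
import hashlib

BLOCK_SIZE = 64        # one valid data block: a 64-byte cache line, as in the page's example
MAC_SIZE = 16          # HMAC-MD5 output is 128 bits
BASE_ADDR = 0x10000    # assumed base address of the message authentication data area (base_addr)
SRAM_ENTRIES = 4       # assumed capacity of the second storage device, in (address, MAC) entries
FREE_THRESHOLD = 1     # assumed: flush once free entries drop below this (i.e. when full)


class IntegrityCheckFailed(Exception):
    """Stored MAC (first message authentication data) != MAC recomputed from the block read."""


class StorageController:
    def __init__(self, key):
        self.key = key
        self.memory = {}            # first storage device: address -> bytes
        self.sram = {}              # second storage device: MAC address -> MAC
        self.bus_idle = False       # set by the platform when first-storage-device bandwidth is idle
        self.blocked_cycles = 0     # how often incoming access requests were held for a flush
        self.interrupts = []        # block addresses reported to the security processing device

    def compute_mac(self, block):
        # S22, first generation method: HMAC-MD5 keyed over the valid data block
        return hmac.new(self.key, block, hashlib.md5).digest()

    @staticmethod
    def mac_address(addr):
        # S22, second generation method: linear mapping base_addr + (a/m) * n
        return BASE_ADDR + (addr // BLOCK_SIZE) * MAC_SIZE

    def trigger(self):
        # S25 trigger: free space below the threshold, or the first storage device's bus is idle
        free = SRAM_ENTRIES - len(self.sram)
        return free < FREE_THRESHOLD or (self.bus_idle and len(self.sram) > 0)

    def flush(self):
        """Hold access requests for one write period and move cached MACs to the first storage device."""
        if not self.sram:
            return
        self.blocked_cycles += 1
        for mac_addr, mac in self.sram.items():
            self.memory[mac_addr] = mac     # written to the address cached alongside the MAC
        self.sram.clear()

    def write(self, addr, block, protect=True):
        # S21: one aligned valid data block and its storage address; `protect` models the
        # data integrity protection identifier carried by the request
        if len(block) != BLOCK_SIZE or addr % BLOCK_SIZE != 0:
            raise ValueError("write must be one aligned valid data block")
        if protect:
            # S22/S23: generate the MAC and its address, cache both in the second storage device
            self.sram[self.mac_address(addr)] = self.compute_mac(block)
        self.memory[addr] = block           # S24
        if self.trigger():                  # S25
            self.flush()

    def read(self, addr, protect=True):
        block = self.memory[addr]
        if not protect:
            return block                    # identifier invalid: ordinary read access
        mac_addr = self.mac_address(addr)
        # The second storage device is consulted first, saving a read from the first one.
        if mac_addr in self.sram:
            first_mac = self.sram[mac_addr]
        else:
            first_mac = self.memory.get(mac_addr)
        second_mac = self.compute_mac(block)
        if first_mac is None or not hmac.compare_digest(first_mac, second_mac):
            self.interrupts.append(addr)    # interrupt request to the security processing device
            raise IntegrityCheckFailed(f"valid data block at {addr:#x} failed its integrity check")
        return block


def demo():
    """Walk through the scenario and return the observations as a dict."""
    ctrl = StorageController(b"constructed-demo-key")
    blocks = [bytes([i + 1]) * BLOCK_SIZE for i in range(5)]      # constructed sample data
    for i in range(3):
        ctrl.write(i * BLOCK_SIZE, blocks[i])
    result = {"cached_before_flush": len(ctrl.sram)}              # 3 MACs still in the SRAM
    result["read_from_sram_ok"] = ctrl.read(0) == blocks[0]       # MAC served from second storage
    ctrl.write(3 * BLOCK_SIZE, blocks[3])                         # fills the SRAM -> flush
    result["cached_after_flush"] = len(ctrl.sram)                 # 0
    result["macs_in_memory"] = sum(1 for a in ctrl.memory if a >= BASE_ADDR)
    result["blocked_cycles"] = ctrl.blocked_cycles                # one write period blocked
    result["read_from_memory_ok"] = ctrl.read(BLOCK_SIZE) == blocks[1]
    ctrl.write(4 * BLOCK_SIZE, blocks[4], protect=False)          # identifier invalid: no MAC
    result["unprotected_ok"] = ctrl.read(4 * BLOCK_SIZE, protect=False) == blocks[4]
    ctrl.memory[2 * BLOCK_SIZE] = b"\xff" * BLOCK_SIZE            # simulate tampering in storage
    try:
        ctrl.read(2 * BLOCK_SIZE)
        result["tamper_detected"] = False
    except IntegrityCheckFailed:
        result["tamper_detected"] = True
    result["interrupts"] = list(ctrl.interrupts)
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three behaviours the text relies on: a read issued before the flush takes its MAC from the second storage device, a read issued after the flush takes it from the first storage device, and a block altered in the first storage device fails the comparison and is reported to the security processing device. The flush happens exactly once, when the fourth entry fills the SRAM, and the write with the integrity protection identifier invalid generates no MAC at all.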
With the above embodiment, for a write data request, corresponding message authentication data and its storage address in the first storage device are generated for the valid data block to be written, and the message authentication data and that storage address are cached together in the second storage device; the valid data block is written into the first storage device based on its own storage address; and in response to the preset trigger condition, memory access requests are blocked for a preset duration, during which the message authentication data cached in the second storage device is written into the first storage device according to the storage addresses held in the second storage device. Writing of the valid data block into the first storage device is thereby implemented.
For a valid data block written into the first storage device by the above data writing process, data integrity verification can be performed during a subsequent read from the first storage device using the message authentication data stored in the first storage device or the second storage device, so that the valid data block can be prevented from being tampered with while stored in the first storage device. Moreover, because the message authentication data is cached in the second storage device, access requests are blocked for a preset time period in response to the preset trigger condition, and the cached message authentication data is written into the first storage device within that period according to the storage addresses held in the second storage device, the data integrity of the valid data in the first storage device is protected while only one second storage device with a relatively small storage space needs to be added, and data integrity verification of the valid data in the first storage device is achieved at a relatively small storage cost.
In addition, the message authentication data corresponding to the valid data blocks are cached to the second storage device, the access request is temporarily blocked within a preset time period in response to a preset trigger condition, and the message authentication data cached in the second storage device is written into the first storage device within the preset time period, so that the operation of inserting the message authentication data after the writing operation of each valid data block is not needed, the pipeline is prevented from being damaged, and the bandwidth overhead of the message authentication data storage is reduced.
The inventors have found in specific practice that storing message authentication data together with valid data in the first storage means may break the continuity of storage management. For example, a host (e.g., a CPU or CPU core) may see that valid data stored in memory is discontinuous for writing data to memory or reading data from memory, or for memory management.
So that the device (such as a host) issuing the write data request cannot perceive the existence of the message authentication data, i.e. so that the message authentication data is transparent to that device, the valid data storage area and the message authentication data storage area in the first storage device may be partitioned into segments in a proportional relationship.
Specifically, the address range of the first storage device is partitioned, according to a preset storage space ratio, into a first address segment corresponding to the valid data storage area and a second address segment corresponding to the message authentication data storage area. Correspondingly, based on that preset ratio between the first address segment and the second address segment, and on the address of the valid data block and the acquired base address of the message authentication data storage area, an offset address of the message authentication data within the second address segment can be generated according to a preset linear mapping, and the storage address of the message authentication data in the first storage device is then obtained from the base address of the message authentication data storage area and that offset address.
Referring to the storage area division diagram of a first storage device shown in FIG. 8, the first storage device 80 includes a valid data storage area 81 and a message authentication data storage area 82. The ratio of the address segments of the valid data storage area 81 and the message authentication data storage area 82 may be set according to the ratio of the bit sizes of a valid data block and its corresponding message authentication data. For example, if the size of a valid data block is m and the size of its corresponding MAC is n, then the first address segment of the valid data storage area and the second address segment of the corresponding MACs may be divided in the ratio m:n. As shown in FIG. 8, the space size of the valid data storage area 81 is m and the space size of the message authentication data storage area 82 is n.
In particular implementations, a base address register base_addr may be provided to store the base address of the message authentication data in the first storage device; the base address held in base_addr lies at the boundary of the message authentication data storage area 82. The correspondence between the addresses of the valid data storage area 81 and the message authentication data storage area 82 may be a linear mapping: as shown in FIG. 8, valid data blocks A, B, C in the valid data storage area 81 correspond in sequence, through the linear mapping, to message authentication data a, b, c. Therefore, using the spatial ratio between the valid data storage area 81 and the message authentication data storage area 82 and the direct mapping between the addresses of valid data blocks in area 81 and their corresponding message authentication data in area 82, the relative address of the message authentication data can be obtained from the address a of a valid data block: a/m gives the index of the valid data block, counted from 0 in the valid data storage area 81 of the first storage device 80, and multiplying that index by n gives the offset of the corresponding message authentication data. That is, the address of the corresponding message authentication data is base_addr + (a/m)·n.
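As an added example of the FIG. 8 partitioning (not code from the patent), the Python functions below split an address range in the ratio m:n, compute base_addr + (a/m)·n for a block address, and check the properties the text relies on: the host sees one contiguous valid data range, every valid data block gets its own distinct MAC slot, and no MAC slot overlaps the valid data area. The total size of 80 KiB, m = 64 (one 64-byte block) and n = 16 (a 128-bit MAC) are constructed values; `partition` and `check_layout` are helpers written for this example.

```python
"""Constructed model of the storage area division of FIG. 8; added example, not the patent's code."""


def partition(total_size, m, n):
    """Split the first storage device's address range [0, total_size) into a valid data storage
    area and a message authentication data storage area in the ratio m:n.
    Returns (data_area_size, base_addr); base_addr is the value the base_addr register would hold."""
    pairs = total_size // (m + n)       # number of (valid data block, MAC) pairs that fit
    data_area_size = pairs * m
    base_addr = data_area_size          # the MAC area starts at the boundary of the data area
    return data_area_size, base_addr


def mac_address(a, m, n, base_addr):
    """Storage address of the MAC belonging to the valid data block at address a:
    base_addr + (a/m) * n, where a/m is the block index counted from 0."""
    if a % m != 0:
        raise ValueError("a must be the start address of a valid data block")
    return base_addr + (a // m) * n


def check_layout(total_size, m, n):
    """Check the transparency and non-overlap properties of the m:n layout."""
    data_area_size, base_addr = partition(total_size, m, n)
    slots = [mac_address(a, m, n, base_addr) for a in range(0, data_area_size, m)]
    return {
        "blocks": len(slots),
        # host-visible addresses form one contiguous range [0, data_area_size)
        "host_range_contiguous": data_area_size == len(slots) * m,
        # distinct blocks never share a MAC slot (A, B, C -> a, b, c in FIG. 8)
        "distinct_slots": len(set(slots)) == len(slots),
        # every MAC slot lies wholly outside the valid data area and inside the device
        "no_overlap": all(data_area_size <= s and s + n <= total_size for s in slots),
        # MAC area : data area == n : m (exact when total_size is a multiple of m + n)
        "ratio_exact": (total_size - base_addr) * m == data_area_size * n,
    }


if __name__ == "__main__":
    # constructed example: 80 KiB device, 64-byte blocks, 16-byte MACs
    print(partition(80 * 1024, 64, 16))
    print(check_layout(80 * 1024, 64, 16))
```

With these constructed values the device splits into a 64 KiB valid data area and a 16 KiB MAC area starting at base_addr = 65536; the block at address 64 maps to MAC slot 65552, and the last block (65472) to slot 81904, so the 1024 slots exactly fill the MAC area. The same functions work for half-cache-line blocks by passing m = 32.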
In specific implementations, the above embodiments may be further optimized or expanded according to specific needs.
For example, in some data processing systems or data processing devices, there are situations where the data integrity protection requirements for some data are high, while the data integrity protection requirements for other data are not sensitive. For these data processing systems or data processing devices, a data integrity protection identifier may be set in the write data request, and whether to perform data integrity protection on the data block to be written is determined by acquiring whether the data integrity identifier included in the write data request is in a valid state.
Specifically, referring to fig. 2, before step S22 in the foregoing embodiment, step S26 may be performed first, to determine whether a data integrity protection identifier (e.g., an M-bit) included in the write data request is in a valid state, and if so, step S22 may be performed; otherwise, only step S24 may be performed: the valid data block is written to the first storage device based on the storage address of the valid data block without performing step S22, step S23 and step S25.
Next, with reference to the drawings, access control operations are described in detail from reading data from the corresponding storage devices based on the read data requests.
The flow chart of the access control method shown in fig. 3 may be executed by a storage device controller or other access control device in a specific implementation. When there is a request to read data from the first storage device, the following steps may be performed:
S31, based on the received read data request, the storage address of the effective data block to be read is obtained.
For example, the storage device controller may receive a read data request via the bus, and then, based on the received read data request, obtain a storage address of the valid data block to be read in the first storage device.
In implementations, there may be a read data request from a processor or external device internal to the system-on-chip. For example, a CPU or CPU core in a system on a chip or other processor (e.g., a secure processor) may issue read data requests to a storage device controller.
As an example of an implementation scenario, when a host generates a read data request, the read data request and a memory address of a valid data block to be read may be transmitted to a storage device controller through a bus. The storage address of the valid data block to be read and the read data request command can be transmitted to the storage device controller through one bus or can be synchronously transmitted to the storage device controller through different buses. For example, the read data request may be transmitted via a read data bus, and the memory address of the valid data block to be read may be transmitted via an address bus.
The specific size of the valid data block to be read can be set correspondingly by the CPU or the policy of the corresponding processor. In a specific example of the present disclosure, the first storage device is a memory, a Cache Line (Cache Line) or a Cache block (Cache block) may be selected as an effective data block, and the Cache Line or the Cache block is selected as an effective data block unit, so that memory efficiency may be improved.
In this embodiment of the present disclosure, in the same data processing system, the size of the valid data block to be read included in the read data request may be consistent with the size of the valid data block to be written in the write data request.
It will be appreciated that the size of the valid data block and the corresponding CPU policy may be set according to specific needs, which is not limited in the embodiment of the present disclosure.
S32, based on the storage address of the effective data block to be read, reading the corresponding effective data block from the first storage device.
In a specific implementation, if the storage address of the valid data block to be read corresponding to the read data request is a virtual address, the physical address of the valid data block in the first storage device may be obtained by searching a page table stored in advance, and the valid data block is read in a storage area corresponding to the physical address in the first storage device. The specific form of the storage address of the valid data block is not limited in the embodiment of the present specification.
S33, based on the storage address of the effective data block to be read, calculating the storage address of the message authentication data corresponding to the effective data block in the first storage device.
As described in the foregoing embodiment, the first address segment of the corresponding effective data storage area and the second address segment of the corresponding message authentication data storage area in the address segments of the first storage device are stored in a partitioned manner according to a preset storage space proportion relationship. Accordingly, the mapping relationship between the storage address of the valid data block and the storage address of the corresponding message authentication data can be calculated based on the preset storage space partition relationship between the valid data storage area and the message authentication data storage area in the first storage device.
For example, referring to fig. 8, the proportional relationship between the address segments of the effective data memory area 81 and the message authentication data memory area 82 may be set to m:n based on the size relationship, in bits, between the effective data block and the corresponding message authentication data. Accordingly, after obtaining the base address stored in the BASE address register base_addr, the storage address of the corresponding message authentication data in the first storage device may be obtained from the address a of the valid data block to be read as base_addr + (a/m) × n, as described in the previous embodiment.
S34, based on the storage address of the message authentication data in the first storage device, determining whether the message authentication data is stored in a second storage device, and continuing to execute step S35 after step S32 when the message authentication data is determined not to be stored in the second storage device; otherwise, step S36 is performed after step S32.
The second storage device is adapted to cache the message authentication data and a storage address of the message authentication data in the first storage device, and the message authentication data cached in the second storage device is adapted to be stored into the first storage device according to the storage address stored in the second storage device when a preset trigger condition is met.
The implementation of specific triggering conditions can be described with reference to the previous embodiments, and will not be described in detail here.
In a specific implementation, whether the message authentication data is stored in the second storage device may be determined in a manner that depends on the positional relationship between the second storage device and the storage device controller. When the second storage device is provided in the storage device controller, a read hit determiner may be employed to quickly determine whether the message authentication data is stored in the second storage device: if the read hit determiner finds, in the second storage device, the storage address in the first storage device of the message authentication data, it is determined that the message authentication data is stored in the second storage device; otherwise, it is determined that the message authentication data is not stored in the second storage device.
As a specific example, the first storage device is a memory, and the RAM is used as the second storage device, where the RAM is disposed in the memory controller, and the read hit determiner disposed in the memory controller may be used to determine whether the message authentication data is stored in the random access memory based on a storage address of the message authentication data in the memory.
S35, acquiring the message authentication data from the first storage device as first message authentication data.
Based on the storage address of the message authentication data corresponding to the valid data block calculated in step S32 in the first storage device, the message authentication data may be acquired from the corresponding storage area in the first storage device, so as to be distinguished from the message authentication data regenerated based on the read valid data block, which is referred to as "first message authentication data".
S36, acquiring the message authentication data from the second storage device as first message authentication data.
In a specific implementation, if the second storage device is set in the storage device controller, the message authentication data hit by the read hit determiner can be obtained through the storage address of the message authentication data hit by the read hit determiner in the first storage device; if the second storage device is not set in the storage device controller, the message authentication data can also be acquired from the second storage device through the acquired storage address of the message authentication data in the first storage device.
S37, based on the read effective data block, generating corresponding message authentication data as second message authentication data.
In a specific implementation, based on the read valid data block, corresponding message authentication data may be generated according to a preset first generation method, and the corresponding message authentication data may be used as second message authentication data.
As a specific example, the first generation method may use at least one of HMAC-MD5 signature algorithm, HMAC-SHA1 signature algorithm, etc., or may use other mature data generation algorithms, or a dedicated algorithm, an improved algorithm, which is not limited in this specification. Specific generation algorithms and implementation examples can refer to an embodiment of generating corresponding message authentication data based on valid data blocks to be written in a data writing process, which is not described herein.
In order to distinguish it from the message authentication data obtained directly from the first storage device or the second storage device, the message authentication data generated based on the valid data block obtained by reading is referred to as "second message authentication data". It is understood that the "first message authentication data" and the "second message authentication data" in the embodiment of the present disclosure are only used to distinguish message authentication data from different sources, and imply no difference in size, sequence, priority, importance, or the like.
S38, comparing the first message authentication data with the second message authentication data, and determining that the data integrity check of the valid data block passes when determining that the first message authentication data is consistent with the second message authentication data; otherwise, determining that the integrity check of the valid data block fails.
Upon determining that the integrity check of the data block passes, step S39 may be performed.
S39, returning a valid data block corresponding to the read data request.
It should be understood that the access control method in the embodiment of the present disclosure is not limited to the above execution sequence, for example, step S34 may be executed in parallel with step S33, step S35, and step S36, as long as the storage device controller can read the valid data block and the corresponding message authentication data.
With the access control scheme in the above embodiment, for a read data request, the storage address of the message authentication data corresponding to the valid data block in the first storage device may be calculated based on the storage address of the valid data block to be read, after that, by determining whether the message authentication data is stored in the first storage device or the second storage device, and obtaining the message authentication data from the first storage device or the second storage device, the message authentication data is used as first message authentication data, and compared with second message authentication data generated based on the read valid data block, so as to determine whether the data integrity check of the valid data block passes, and when it is determined that the integrity check of the data block passes, the valid data block corresponding to the read data request is returned, so as to realize the reading of the valid data block from the first storage device.
According to the data reading process, the data integrity of the valid data block is checked through the message authentication data stored in the first storage device or the second storage device, so that whether the valid data block is tampered during the storage period of the first storage device can be found, and the integrity check of the valid data block during the storage period of the first storage device can be realized. And the message authentication data is cached through the second storage device, the access request is prevented within a preset time period in response to a preset trigger condition, and the message authentication data cached in the second storage device is written into the first storage device within the preset time period according to the storage address stored by the second storage device, so that the data integrity of the effective data in the first storage device is protected, only one second storage device with smaller storage space is required to be expanded, and the data integrity verification of the effective data in the first storage device can be realized with smaller storage cost.
In addition, since the message authentication data buffered in the second storage device is stored in the first storage device according to the storage address stored in the second storage device only when the preset trigger condition is satisfied, an operation of inserting the message authentication data after the writing operation of each valid data block is not required, so that the damage to a pipeline can be avoided, and the bandwidth overhead of the message authentication data storage can be reduced.
In specific implementations, the above embodiments may be further optimized or expanded according to specific needs.
For example, in some data processing systems or data processing devices, there are situations where the data integrity protection requirements for some data are high, while the data integrity protection requirements for other data are not sensitive. For the data processing systems or the data processing devices, a data integrity protection identifier can be set in the read data request, and whether to perform data integrity check on the valid data block to be read is determined by acquiring whether the data integrity identifier contained in the read data request is in a valid state.
Specifically, referring to fig. 3, step S3A may be performed before step S32 in the foregoing embodiment: judging whether a data integrity protection identifier (such as M bits) contained in the read data request is in a valid state, and if so, executing step S32; otherwise, step S3B may be performed: and reading the corresponding effective data block from the first storage device based on the storage address of the effective data block to be read, and returning the effective data block to the equipment corresponding to the read data request.
With continued reference to fig. 3, as an optional step, in a specific implementation, when it is determined in step S38 that the integrity check of the data block fails, step S3C may also be performed: and sending an interrupt request to a preset safety processing device, so that the safety processing device performs preset data protection processing operation on the read data request.
In some embodiments, the processor that sends the request may be used as the secure processing device to perform a preset processing operation on the read data request based on the interrupt request. For example, the processor sending the request may terminate running the software corresponding to the read data request, or output an alarm alert to alert the user that the data block to be read is incomplete, and may have been tampered with.
In other implementations, a special security processor or other on-chip security unit may be provided in the system on a chip as the security processing device, and the interrupt request may be sent to the preset security processing device, such as a security processor (Platform Security Processor, PSP), so that the security processing device may send a control instruction to the processor that sends the read data request, and control the processor that sends the data request to terminate running software corresponding to the read data request, or terminate the data access operation. Or, the preset security processing device may output an alarm alert based on the interrupt request, so as to remind the user that the data block to be read may be tampered, so that the user may adopt a corresponding security protection operation or a data recovery operation based on the alert.
The system and the device for carrying out the integrity check and the corresponding protection on the data in the storage device are correspondingly described through the specific embodiment.
Referring to the schematic structure of the access control system shown in fig. 1, as described in the foregoing embodiment, the access control system 10 may include: a first storage device 11, a second storage device 12, and a storage device controller 13. In some embodiments of the present description, with the access control system 10, the storage device controller 13 may write a corresponding valid data block into the first storage device 11 based on the write data request. In order to avoid tampering of the valid data block during storage in the first storage means 11, corresponding message authentication data may first be generated during writing of the valid data block into the first storage means 11 for data integrity checking at a subsequent reading of the valid data block from the first storage means 11.
One specific implementation of the memory access control system 10 is as follows:
a first storage device 11 adapted to store a valid data block and message authentication data corresponding to the valid data block;
a second storage device 12 adapted to cache message authentication data corresponding to the valid data block and a storage address of the message authentication data in the first storage device 11;
A storage device controller 13 adapted to access and control valid data blocks in the first storage device 11, including: based on the received data writing request, acquiring an effective data block to be written and a storage address of the effective data block; generating corresponding message authentication data for the valid data block to be written, generating a storage address of the message authentication data in the first storage device 11, and storing the message authentication data and the storage address of the message authentication data in the first storage device 11 into the second storage device 12; writing the valid data block into the first storage means 11 based on the storage address of the valid data block; responding to a preset triggering condition, preventing access requests within a preset time period, and writing message authentication data stored in the second storage device 12 into the first storage device 11 within the preset time period according to a storage address stored in the second storage device 12;
wherein the message authentication data is adapted to perform a data integrity check on a corresponding valid data block written to the first storage means 11 upon subsequent read-out from the first storage means 11.
By adopting the access control system, for a data writing request, corresponding message authentication data and a storage address of the message authentication data in a first storage device can be generated for an effective data block to be written, the message authentication data and the storage address of the message authentication data in the first storage device are cached to a second storage device, the effective data block is written into the first storage device based on the storage address of the effective data block, the access request is prevented within a preset time period in response to a preset trigger condition, and the message authentication data cached in the second storage device is written into the first storage device according to the storage address stored in the second storage device within the preset time period, so that the effective data block is written into the first storage device.
In this way, in the process of reading out the valid data block from the first storage device, the data integrity check can be performed through the message authentication data stored in the first storage device or the second storage device, so that the valid data block can be prevented from being tampered during the storage period of the first storage device. And the message authentication data is cached through the second storage device, the access request is prevented within a preset time period in response to a preset trigger condition, and the message authentication data cached in the second storage device is written into the first storage device within the preset time period according to the storage address stored by the second storage device, so that the data integrity of the effective data in the first storage device is protected, only one second storage device with smaller storage space is required to be expanded, and the data integrity verification of the effective data in the first storage device can be realized with smaller storage cost.
In addition, in response to a preset trigger condition, the access request is temporarily blocked within a preset time period, and the message authentication data cached in the second storage device is written into the first storage device within the preset time period, so that the operation of inserting the message authentication data after the writing operation of each valid data block is not needed, the pipeline is prevented from being damaged, and the bandwidth overhead of the message authentication data storage is reduced.
In a specific implementation, in order to facilitate storage address management, so that the read-write device or the management device cannot sense the existence of the message authentication data, a first address segment corresponding to the effective data storage area in the address segment of the first storage device 11 and a second address segment corresponding to the message authentication data storage area may be partitioned according to a preset storage space proportion relationship. The data storage area dividing manner in the first storage device 11 may be specifically described in the foregoing embodiments and fig. 8, and will not be described herein.
In a specific implementation, the first address segment of the corresponding valid data storage area and the second address segment of the corresponding message authentication data storage area in the address segments of the first storage device 11 are related by a preset linear mapping, and the storage device controller 13 is adapted to generate, according to that linear mapping, an offset address of the message authentication data within the second address segment from the address of the valid data block and the obtained base address of the message authentication data storage area, and to obtain the storage address of the message authentication data in the first storage device from the base address of the message authentication data storage area and that offset address.
In some embodiments of the present disclosure, the first storage device is a memory; the second storage device is arranged in the storage device controller and is a RAM. Referring to the schematic structure of the access control system in a specific application scenario shown in fig. 4, the access control system 40 includes: a memory 41, a memory controller 42, and a RAM 43 provided in the memory controller 42. The following describes a process of writing data to a memory by a memory controller and storing a MAC with reference to fig. 4, and specifically may execute the following steps:
S41, the memory controller 42 receives a write data request from a host (not shown), a corresponding valid data block to be written, and a storage address of the valid data block through a bus.
S42, the memory controller 42 generates a corresponding MAC, writes the corresponding MAC into the RAM 43 for buffering, and calculates the address of the MAC in the memory, and writes the address into the RAM 43.
The memory address at which the MAC is stored may be calculated by the memory controller 42 according to the rule by which the memory address space is divided.
S43, the memory controller 42 writes the valid data block into the memory 41.
S44, when the preset trigger condition is met (for example, the RAM 43 has no free storage space or the memory bandwidth is free, etc.), the memory controller 42 temporarily stops the access request of the host end, and starts to write the MAC data in the RAM 43 into the memory 41 according to the address stored in the RAM 43.
The above is only a specific example of a specific implementation scenario of the access control system, and is not intended to limit the specific structure of the access control system; for example, the first storage device may also be an external memory, such as a hard disk, a dynamic random access memory (Dynamic Random Access Memory, DRAM), an optical disk, a USB disk, or another external storage device.
Referring to memory control system 10 shown in fig. 1, in an implementation, memory control system 10 may read a corresponding valid data block from first storage device 11 based on a read data request. In order to determine whether the valid data block has been tampered with during storage in the first storage means 11, a data integrity check may be performed when the valid data block is read out from the first storage means 11. As previously described, the memory control system 10 may include: a first storage device 11, a second storage device 12, and a storage device controller 13.
One specific implementation of the memory control system 10 for the data readout process is as follows:
a first storage device 11 adapted to store a valid data block and message authentication data corresponding to the valid data block;
the second storage device 12 is adapted to cache the message authentication data corresponding to the valid data block and the storage address of the message authentication data in the first storage device 11, and the cached message authentication data is adapted to be stored into the first storage device according to the storage address stored in the second storage device when the preset trigger condition is satisfied;
A storage device controller 13 adapted to access and control valid data blocks in the first storage device 11, including: based on the received data reading request, acquiring a storage address of a valid data block to be read; calculating the storage address of the message authentication data corresponding to the valid data block in the first storage device 11 based on the storage address of the valid data block to be read; determining whether the message authentication data is stored in the second storage means 12 based on the storage address of the message authentication data in the first storage means; reading a corresponding valid data block from the first storage device 11 based on the storage address of the valid data block to be read; and continuing to acquire the message authentication data from the first storage device 11 as first message authentication data when it is determined that the message authentication data is not stored in the second storage device 12; upon determining that the message authentication data is stored in the second storage device 12, acquiring the message authentication data from the second storage device 12 as first message authentication data; based on the read effective data block, generating corresponding message authentication data as second message authentication data; comparing the first message authentication data with the second message authentication data, and determining that the data integrity check of the valid data block passes when the first message authentication data is determined to be consistent with the second message authentication data; otherwise, determining that the integrity check of the valid data block is not passed; and returning a valid data block corresponding to the read data request when the integrity check of the data block is confirmed to pass.
In a specific implementation, a first address segment of the corresponding effective data storage area in the address segments of the first storage device 11 and a second address segment of the corresponding message authentication data storage area are stored in a partitioned manner according to a preset storage space proportion relationship.
In particular implementations, with continued reference to FIG. 1, the access control system 10 may further include: a security processing device 14;
the storage device controller 13 is further adapted to send an interrupt request to a preset secure processing device 14 when it is determined that the integrity check of the data block is not passed, so that the secure processing device 14 performs a preset data protection processing operation on the read data request;
the secure processing device 14 is adapted to perform a preset data protection processing operation on the read data request based on the interrupt request.
For example, a special security processor or other on-chip security unit may be provided in the access control system as the security processing device 14, and the interrupt request may be sent to the preset security processing device, such as a security processor (Platform Security Processor, PSP), so that the security processing device may issue a control instruction to the processor that issues the read data request, control the processor that issues the data request to terminate running software corresponding to the read data request, or terminate the data access operation. Or, the preset security processing device may output an alarm alert based on the interrupt request, so as to remind the user that the data block to be read may be tampered, so that the user may adopt a corresponding security protection operation or a data recovery operation based on the alert.
In some embodiments of the present disclosure, the first storage device 11 may be a memory; the second storage device 12 may be provided in the storage device controller 13.
In a specific implementation, the first storage device may be a ROM or a RAM, for example, may be a DRAM; the second memory means may be a RAM, for example an SRAM may be used. The specific types of first storage device and second storage device are not subject to any limitation in this specification.
Referring to the schematic structural diagram of the access control system in another specific application scenario shown in fig. 5, the access control system 50 may include: a memory 51, a memory controller 52, a RAM 53 provided in the memory controller 52, a read hit determiner 54, and a data integrity checking unit 55. The following describes a flow of the memory controller reading data from the memory and performing data integrity verification using the generated MAC with reference to fig. 5, and specifically may execute the following steps:
S51, the memory controller 52 receives, through the bus, a read data request from a host (not shown) together with the storage address of the corresponding valid data block to be read.
S52, if the memory controller 52 determines from the data integrity protection identifier in the read data request that a data integrity check is required, it calculates the storage address in the memory 51 of the MAC corresponding to the valid data block, and the read hit determiner 54 determines whether that MAC is still cached in the RAM 53.
S53, the memory controller 52 reads the valid data block from the memory 51 based on the storage address of the valid data block to be read.
S54, when the MAC is determined not to be cached in the RAM 53, the memory controller 52 continues, after reading the valid data block, to read the MAC corresponding to the valid data block from the memory 51.
S55, when the MAC is determined to be in the RAM 53 and not yet written back to the memory 51, the memory controller 52 reads the MAC corresponding to the valid data block from the RAM 53.
S56, the memory controller 52 performs the data integrity check to determine whether the valid data block read by the host was tampered with while stored in the memory 51.
Specifically, the memory controller 52 uses the data integrity checking unit 55 to generate a MAC from the valid data block read in step S53 and compares it with the MAC read in step S54 or step S55. If the two are consistent, the read valid data block passes the data integrity check and is determined not to have been tampered with while stored in the memory 51; otherwise, the read valid data block fails the data integrity check.
S57, when the memory controller 52 determines that the read valid data block passes the data integrity check, the read valid data block is returned to the host through the bus.
The foregoing is merely illustrative for facilitating understanding of a specific implementation of the access control system, and is not intended to limit the specific implementation of the access control system, so long as verification of data integrity may be implemented to determine whether data has been tampered with during storage in the first storage device. It may be understood that the memory access control system adopted in the embodiments of the present disclosure may execute the memory access control method described in any of the foregoing embodiments, and specific embodiments, principles, and corresponding effects and actions of the memory access control method may be referred to, which are not described herein.
In the embodiment of the present disclosure, the storage device controller may interact with the storage device to perform data read/write operations. For better understanding and implementation of the data integrity protection scheme in the embodiments of the present disclosure by those skilled in the art, the following description of the specific embodiments refers to a corresponding storage device controller used for access control.
Referring to the schematic structure of the storage device controller shown in fig. 6, the storage device controller 60 may interact with the first storage device 6A and the second storage device 6B, respectively, and is adapted to perform data read-write control operations, and in an implementation, the storage device controller 60 may include:
A first data acquisition unit 61 adapted to acquire an effective data block to be written and a storage address of the effective data block based on a received write data request;
a first check data generating unit 62 adapted to generate corresponding message authentication data for the valid data block to be written, and to generate a storage address of the message authentication data in the first storage device 6A;
a first access control unit 63 adapted to write the valid data block into the first storage means 6A based on the storage address of the valid data block;
a verification data processing unit 64 adapted to store the message authentication data and its storage address in the first storage device 6A to the second storage device 6B, and, in response to a preset trigger condition, to block access requests for a preset duration and, during that duration, to write the message authentication data stored in the second storage device 6B into the first storage device 6A according to the storage addresses stored in the second storage device 6B.
In a specific implementation, the first check data generating unit 62 is adapted to generate the storage address of the message authentication data in the first storage device 6A from the storage address of the valid data block according to a preset second generation method, based on a preset address division rule in the first storage device 6A.
In a specific implementation, within the address range of the first storage device 6A, a first address segment corresponding to the valid data storage area and a second address segment corresponding to the message authentication data storage area are partitioned according to a preset storage space proportion. The division of the data storage area in the first storage device 6A is described in detail in the embodiment of the access control method shown in fig. 8 and is not repeated here.
In particular implementations, the storage device controller 60 may further include a first data integrity protection identifier identifying unit 65, adapted to determine whether the data integrity protection identifier included in a received write data request is in a valid state and, when it is, to trigger the first check data generating unit 62 to execute the corresponding operation based on the write data request.
In an implementation, the first storage device 6A may be a memory, and the storage device controller 60 may include the second storage device 6B.
In some embodiments of the present disclosure, the second storage device 6B may be a RAM. In that case the storage device controller 60 is a memory controller, and this specific application of the storage device controller 60 may refer to the structure of the access control system shown in fig. 4, which is not described in detail here.
Referring to the schematic structure of the storage device controller shown in fig. 7, the storage device controller 70 may interact with the first storage device 7A and the second storage device 7B, respectively, and is adapted to perform data read-write control operations, and in an implementation, the storage device controller 70 may include:
a second data acquisition unit 71 adapted to acquire a storage address of a valid data block to be read based on the received read data request;
a second check data acquisition unit 72 adapted to calculate the storage address in the first storage device 7A of the message authentication data corresponding to the valid data block, based on the storage address of the valid data block to be read; to determine, based on that storage address, whether the message authentication data is stored in the second storage device 7B; to continue to acquire the message authentication data from the first storage device 7A as first message authentication data when it is determined that the message authentication data is not stored in the second storage device 7B; and to acquire the message authentication data from the second storage device 7B as first message authentication data when it is determined that it is stored there;
A second access control unit 73, adapted to read the corresponding valid data block from the first storage device 7A based on the storage address of the valid data block to be read;
a second check data generation unit 74 adapted to generate corresponding message authentication data as second message authentication data based on the read valid data block;
a data integrity check unit 75 adapted to compare the first message authentication data with the second message authentication data, and to determine that the data integrity check of the valid data block passes when it is determined that the first message authentication data is identical to the second message authentication data; otherwise, determining that the integrity check of the valid data block is not passed;
a data return unit 76 adapted to return a valid data block corresponding to the read data request when the data integrity check unit determines that the integrity check of the data block passes;
wherein the second storage device 7B is adapted to cache the message authentication data and the storage address of the message authentication data in the first storage device 7A, and the message authentication data cached in the second storage device 7B is adapted to be stored into the first storage device according to the storage address stored in the second storage device 7B when a preset trigger condition is satisfied.
In a specific implementation, within the address range of the first storage device 7A, a first address segment corresponding to the valid data storage area and a second address segment corresponding to the message authentication data storage area are partitioned according to a preset storage space proportion. The division of the data storage area in the first storage device is described in detail in the embodiment of the access control method shown in fig. 8 and is not repeated here.
In particular implementations, the storage device controller 70 may further include an interrupt unit 77, configured to send an interrupt request to a preset secure processing device when the data integrity checking unit 75 determines that the integrity check of the data block fails, so that the secure processing device performs a preset data protection processing operation on the read data request based on the interrupt request.
In particular implementations, the storage device controller 70 may further include a second data integrity protection identifier identifying unit 78, adapted to determine whether the data integrity protection identifier contained in a received read data request is in a valid state and, when it is, to trigger the second check data acquisition unit 72 to perform the corresponding operation based on the read data request.
In some embodiments of the present disclosure, the first storage device 7A may be a memory, and the storage device controller 70 may include the second storage device 7B.
In some embodiments of the present disclosure, the first storage device 7A may be a hard disk, an optical disk, a DRAM, etc., and the second storage device may be a RAM, for example, an SRAM.
If the second storage device 7B is a RAM built into the storage device controller 70, the second check data acquisition unit 72 may include a read hit determiner 721, adapted to determine whether the message authentication data is stored in that RAM based on the storage address of the message authentication data in the first storage device 7A.
In a specific implementation, the second check data generating unit 74, the data integrity check unit 75 and the other units may be implemented in software, in hardware, or in a combination of the two, without limitation.
The specific implementation, principle and function of the storage device controller may refer to the foregoing embodiments of the access control method and the access control system, and are not described here again.
In implementations, a storage device controller that processes read data requests may be used in combination with a storage device controller that processes write data requests, and the corresponding devices or functional units may be integrated or multiplexed. For example, the first data acquisition unit 61 and the second data acquisition unit 71 may be integrated together to form a data acquisition unit for acquiring all access requests including a read data request and a write data request. As another example, the first check data generating unit 62 and the second check data acquiring unit 72 may be multiplexed, and one check data acquiring unit may be adopted; similarly, the first data integrity protection identifier identification unit 65 and the second data integrity protection identifier identification unit 78 may be multiplexed, and one data integrity protection unit is used to identify whether all access requests include a data integrity protection identifier. As illustrated above, the above structures may be variously combined or expanded by those skilled in the art, and are not illustrated herein.
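A software model of the controller behaviour described above (the read flow of fig. 5 and the write and read units of figs. 6 and 7), added here as an example and not taken from the patent: a dictionary stands in for the SRAM MAC cache, the data-to-MAC address mapping is the linear one from the address division rule, write-back happens on both trigger conditions, and failed checks are recorded as interrupt requests. The block size, MAC size, the use of HMAC-SHA256 as the first generation method, and the binding of the block address into the MAC are all assumptions of this example.

```python
import hashlib
import hmac

# Layout of the first storage device (assumed values): 16 blocks of 64 bytes, each
# protected by an 8-byte MAC, so the valid data area and the MAC area are partitioned
# in the fixed proportion 64:8 (the "storage space proportion" of the address division rule).
BLOCK_SIZE = 64
MAC_SIZE = 8
NUM_BLOCKS = 16
DATA_AREA_SIZE = NUM_BLOCKS * BLOCK_SIZE            # first address segment: [0, 1024)
MAC_BASE = DATA_AREA_SIZE                           # base address of the MAC area
MEM_SIZE = DATA_AREA_SIZE + NUM_BLOCKS * MAC_SIZE   # 1152 bytes in total
FREE_ENTRIES_THRESHOLD = 1                          # trigger: free cache entries below this


def mac_address(data_addr):
    """Second generation method: linear mapping from a block address to its MAC address."""
    if data_addr % BLOCK_SIZE or not 0 <= data_addr < DATA_AREA_SIZE:
        raise ValueError("unaligned or out-of-range block address")
    offset = (data_addr // BLOCK_SIZE) * MAC_SIZE   # offset inside the MAC area
    return MAC_BASE + offset


class MemoryController:
    """Memory controller holding the MAC cache (the second storage device, an SRAM model)."""

    def __init__(self, key, cache_entries=4):
        self.key = key
        self.memory = bytearray(MEM_SIZE)    # first storage device (e.g. DRAM)
        self.mac_cache = {}                  # second storage device: mac_addr -> MAC
        self.cache_entries = cache_entries
        self.flush_count = 0
        self.interrupts = []                 # addresses reported to the security processor

    def _mac(self, addr, block):
        # First generation method (assumed): HMAC-SHA256 truncated to MAC_SIZE bytes.
        # Binding the address is this example's choice: a block copied from another
        # protected address then fails the check, which a MAC over the data alone misses.
        msg = addr.to_bytes(4, "little") + block
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:MAC_SIZE]

    def write(self, addr, block, protect=True):
        """Write path (fig. 6): store the block, cache its MAC, flush when the cache fills."""
        if len(block) != BLOCK_SIZE:
            raise ValueError("block must be exactly BLOCK_SIZE bytes")
        self.memory[addr:addr + BLOCK_SIZE] = block
        if not protect:                      # data integrity protection identifier not set
            return
        self.mac_cache[mac_address(addr)] = self._mac(addr, block)
        if self.cache_entries - len(self.mac_cache) < FREE_ENTRIES_THRESHOLD:
            self.flush()                     # first trigger condition: cache nearly full

    def bus_idle(self):
        """Second trigger condition: the first storage device's bandwidth is idle."""
        if self.mac_cache:
            self.flush()

    def flush(self):
        """Block new access requests for the flush duration and write cached MACs back."""
        for m_addr, mac in self.mac_cache.items():
            self.memory[m_addr:m_addr + MAC_SIZE] = mac
        self.mac_cache.clear()
        self.flush_count += 1

    def read(self, addr, protect=True):
        """Read path (figs. 5 and 7): return the block, or None when the check fails."""
        block = bytes(self.memory[addr:addr + BLOCK_SIZE])
        if not protect:
            return block
        m_addr = mac_address(addr)
        if m_addr in self.mac_cache:         # read hit determiner: MAC still in the SRAM
            first_mac = self.mac_cache[m_addr]
        else:                                # otherwise fetch it from the MAC area
            first_mac = bytes(self.memory[m_addr:m_addr + MAC_SIZE])
        second_mac = self._mac(addr, block)
        if hmac.compare_digest(first_mac, second_mac):
            return block
        self.interrupts.append(addr)         # interrupt unit -> security processing device
        return None


def demo():
    """Constructed scenario: write five blocks, verify, flush, tamper with one, detect."""
    ctrl = MemoryController(key=b"constructed-demo-key", cache_entries=4)
    blocks = {a: bytes([a // BLOCK_SIZE]) * BLOCK_SIZE
              for a in range(0, 5 * BLOCK_SIZE, BLOCK_SIZE)}
    for a, b in blocks.items():
        ctrl.write(a, b)                     # fourth write fills the cache and flushes
    ok_before = all(ctrl.read(a) == b for a, b in blocks.items())
    ctrl.bus_idle()                          # remaining cached MAC written back
    ok_after_flush = all(ctrl.read(a) == b for a, b in blocks.items())
    ctrl.memory[BLOCK_SIZE + 3] ^= 0x01      # simulate a bit flip in block 1 in DRAM
    tampered = ctrl.read(BLOCK_SIZE)
    return ctrl, ok_before, ok_after_flush, tampered


if __name__ == "__main__":
    c, ok1, ok2, t = demo()
    print(ok1, ok2, t is None, c.flush_count, c.interrupts)
```

Reads of a block whose MAC is still in the cache succeed even though the MAC area in memory is stale, which is exactly the case step S55 handles; after the flush the same reads are served from the MAC area.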
Although the embodiments of the present specification are disclosed above, the present invention is not limited thereto. Various changes and modifications may be made by one skilled in the art without departing from the spirit and scope of the invention, and the scope of the invention should be assessed accordingly to that of the appended claims.

Claims (34)

1. An access control method, characterized by comprising the following steps:
based on the received data writing request, acquiring an effective data block to be written and a storage address of the effective data block;
generating corresponding message authentication data aiming at the effective data block to be written, generating a storage address of the message authentication data in a first storage device, and caching the message authentication data and the storage address of the message authentication data in the first storage device to a second storage device;
writing the valid data block into a first storage device based on a storage address of the valid data block;
responding to a preset trigger condition by blocking access requests for a preset time period, and writing the message authentication data cached in the second storage device into the first storage device within the preset time period according to the storage address stored in the second storage device;
Wherein the message authentication data is adapted to perform a data integrity check on a corresponding valid data block written to the first storage means upon subsequent read-out from the first storage means.
2. The access control method according to claim 1, wherein the preset trigger condition includes at least one of:
the free storage space of the second storage device is smaller than a preset storage capacity threshold value;
the bandwidth of the first storage device is in an idle state.
3. The access control method according to claim 1, wherein the generating corresponding message authentication data for the valid data block to be written includes:
generating corresponding message authentication data for the valid data block to be written according to a preset first generation method.
4. The access control method according to claim 1, wherein the generating the storage address of the message authentication data in the first storage device includes:
generating the storage address of the message authentication data in the first storage device from the storage address of the valid data block according to a preset second generation method, based on a preset address division rule in the first storage device.
5. The access control method according to claim 4, wherein the preset address dividing rule in the first storage device includes:
within the address segment of the first storage device, a first address segment corresponding to the valid data storage area and a second address segment corresponding to the message authentication data storage area are partitioned according to a preset storage space proportion.
6. The access control method according to claim 5, wherein the generating the storage address of the message authentication data in the first storage device according to the second generation method based on the preset address dividing rule in the first storage device and the storage address of the valid data block, includes:
generating an offset address of the message authentication data within the second address segment according to a preset linear mapping, based on the preset storage space proportion between the first address segment corresponding to the valid data storage area and the second address segment corresponding to the message authentication data storage area in the address segment of the first storage device, and on the address of the valid data block and the acquired base address of the message authentication data storage area; and obtaining the storage address of the message authentication data in the first storage device from the base address of the message authentication data storage area and the offset address.
7. The access control method according to claim 1, characterized by further comprising, before generating the corresponding message authentication data for the valid data block to be written and generating the storage address of the message authentication data in the first storage means:
determining that the data integrity protection identifier contained in the write data request is in a valid state.
8. The access control method according to any one of claims 1 to 7, wherein the first storage device is a memory and the second storage device is a random access memory provided in a memory controller.
9. An access control method, characterized by comprising the following steps:
based on the received data reading request, acquiring a storage address of a valid data block to be read;
calculating the storage address of the message authentication data corresponding to the effective data block in the first storage device based on the storage address of the effective data block to be read;
determining whether the message authentication data is stored in a second storage device based on a storage address of the message authentication data in the first storage device;
reading a corresponding valid data block from the first storage device based on the storage address of the valid data block to be read; and continuing to acquire the message authentication data from the first storage device as first message authentication data when it is determined that the message authentication data is not stored in the second storage device; acquiring the message authentication data from the second storage device as first message authentication data when it is determined that the message authentication data is stored in the second storage device;
Based on the read effective data block, generating corresponding message authentication data as second message authentication data;
comparing the first message authentication data with the second message authentication data, and determining that the data integrity check of the valid data block passes when the first message authentication data is determined to be consistent with the second message authentication data; otherwise, determining that the integrity check of the valid data block is not passed;
when the integrity check of the data block is confirmed to pass, returning a valid data block corresponding to the read data request;
the second storage device is adapted to cache the message authentication data and a storage address of the message authentication data in the first storage device, and the message authentication data cached in the second storage device is adapted to be written into the first storage device according to the storage address stored in the second storage device when a preset trigger condition is met.
10. The access control method according to claim 9, wherein the preset trigger condition includes at least one of:
the free storage space of the second storage device is smaller than a preset storage capacity threshold value;
The bandwidth of the first storage device is in an idle state.
11. The access control method according to claim 9, wherein a first address segment of the corresponding effective data storage area in the address segment of the first storage device and a second address segment of the corresponding message authentication data storage area are stored in a partitioned manner according to a preset storage space proportion relationship.
12. The access control method according to claim 9, wherein before the calculating, based on the storage address of the valid data block to be read, the storage address of the message authentication data corresponding to the valid data block in the first storage device, further comprises:
determining that the data integrity protection identifier contained in the read data request is in a valid state.
13. The access control method according to claim 9, characterized by further comprising:
when it is determined that the integrity check of the data block fails, sending an interrupt request to a preset security processing device, so that the security processing device performs a preset data protection processing operation on the read data request.
14. The access control method according to any one of claims 9 to 13, wherein the first storage device is a memory and the second storage device is a random access memory provided in a memory controller.
15. The access control method according to claim 14, wherein the determining whether the message authentication data is stored in a second storage device based on a storage address of the message authentication data in the first storage device, comprises:
based on the memory address of the message authentication data in the memory, a read hit determiner provided in the memory controller is employed to determine whether the message authentication data is stored in the random access memory.
16. A memory access control system, comprising:
the first storage device is suitable for storing the effective data block and the message authentication data corresponding to the effective data block;
the second storage device is suitable for caching the message authentication data corresponding to the valid data block and the storage address of the message authentication data in the first storage device;
a storage device controller adapted to access and control valid data blocks in the first storage device, comprising: based on the received data writing request, acquiring an effective data block to be written and a storage address of the effective data block; generating corresponding message authentication data aiming at the effective data block to be written, generating a storage address of the message authentication data in a first storage device, and storing the message authentication data and the storage address of the message authentication data in the first storage device to a second storage device; writing the valid data block into a first storage device based on a storage address of the valid data block; responding to a preset triggering condition, preventing access requests within a preset time period, and writing message authentication data stored in the second storage device into the first storage device within the preset time period according to a storage address stored in the second storage device;
Wherein the message authentication data is adapted to perform a data integrity check on a corresponding valid data block written to the first storage means upon subsequent read-out from the first storage means.
17. The memory access control system of claim 16, wherein, within the address segment of the first storage device, a first address segment corresponding to the valid data storage area and a second address segment corresponding to the message authentication data storage area are partitioned according to a preset storage space proportion.
18. The memory access control system according to claim 16, wherein the memory device controller is adapted to generate an offset address of the message authentication data in the second address field according to a preset linear mapping relationship based on a preset memory space proportional relationship between a first address field of a corresponding valid data memory area and a second address field of a corresponding message authentication data memory area in the address field of the first memory device, and according to the address of the valid data block and the acquired base address of the message authentication data memory area, and obtain the memory address of the message authentication data in the first memory device based on the base address of the message authentication data memory area and the offset address.
19. The access control system of any one of claims 16-18, wherein the first storage device is a memory; the second storage device is arranged in the storage device controller and is a random access memory.
20. A memory access control system, comprising:
the first storage device is suitable for storing the effective data block and the message authentication data corresponding to the effective data block;
the second storage device is suitable for caching the message authentication data corresponding to the valid data block and the storage address of the message authentication data in the first storage device, and the cached message authentication data is suitable for being stored into the first storage device according to the storage address stored in the second storage device when a preset trigger condition is met;
a storage device controller adapted to access and control valid data blocks in the first storage device, comprising: based on the received data reading request, acquiring a storage address of a valid data block to be read; calculating the storage address of the message authentication data corresponding to the effective data block in the first storage device based on the storage address of the effective data block to be read; determining whether the message authentication data is stored in a second storage device based on a storage address of the message authentication data in the first storage device; reading a corresponding valid data block from the first storage device based on the storage address of the valid data block to be read; and continuing to acquire the message authentication data from the first storage device as first message authentication data when it is determined that the message authentication data is not stored in the second storage device; acquiring the message authentication data from the second storage device as first message authentication data when it is determined that the message authentication data is stored in the second storage device; based on the read effective data block, generating corresponding message authentication data as second message authentication data; comparing the first message authentication data with the second message authentication data, and determining that the data integrity check of the valid data block passes when the first message authentication data is determined to be consistent with the second message authentication data; otherwise, determining that the integrity check of the valid data block is not passed; and returning a valid data block corresponding to the read data request when the integrity check of the data block is confirmed to pass.
21. The access control system of claim 20, wherein a first address field of the corresponding valid data storage area in the address field of the first storage device and a second address field of the corresponding message authentication data storage area are stored in a partitioned manner according to a preset memory space ratio relationship.
22. The access control system of claim 20, wherein the access control system further comprises: a security processing device;
the storage device controller is further adapted to send an interrupt request to a preset secure processing device when it is determined that the integrity check of the data block fails, so that the secure processing device performs a preset data protection processing operation on the read data request;
the security processing device is adapted to perform the preset data protection processing operation on the read data request based on the interrupt request.
23. The access control system of any one of claims 20-22, wherein the first storage device is a memory; the second storage device is arranged in the storage device controller and is a random access memory.
24. A storage device controller coupled to a first storage device and a second storage device, respectively, adapted to perform data read-write control operations, the storage device controller comprising:
The first data acquisition unit is suitable for acquiring an effective data block to be written and a storage address of the effective data block based on a received data writing request;
the first check data generation unit is suitable for generating corresponding message authentication data aiming at the valid data block to be written in and generating a storage address of the message authentication data in a first storage device;
the first access control unit is suitable for writing the effective data block into the first storage device based on the storage address of the effective data block;
a verification data processing unit adapted to store the message authentication data and its storage address in the first storage device to the second storage device, and, in response to a preset trigger condition, to block access requests for a preset duration and to write the message authentication data stored in the second storage device into the first storage device according to the storage address stored in the second storage device within the preset duration.
25. The storage device controller according to claim 24, wherein the first check data generating unit is adapted to generate the storage address of the message authentication data in the first storage device according to a second predetermined generating method based on a predetermined address dividing rule in the first storage device according to the storage address of the valid data block.
26. The storage device controller of claim 25, wherein a first address segment of the corresponding valid data storage area and a second address segment of the corresponding message authentication data storage area in the address segments of the first storage device are partitioned according to a predetermined memory space ratio.
27. The storage device controller of claim 24, further comprising: the first data integrity protection identification unit is suitable for determining whether a data integrity protection identification contained in a received write data request is in a valid state, and triggering the first check data generation unit to execute corresponding operation based on the write data request when the data integrity identification is in the valid state.
28. The storage device controller of any one of claims 24-27, wherein the first storage device is a memory, the storage device controller comprises the second storage device, and the second storage device is a random access memory.
29. A storage device controller, coupled to a first storage device and a second storage device, respectively, adapted to perform data read-write control operations, the storage device controller comprising:
The second data acquisition unit is suitable for acquiring the storage address of the effective data block to be read based on the received read data request;
a second check data acquisition unit adapted to calculate a storage address of message authentication data corresponding to the valid data block in the first storage device based on the storage address of the valid data block to be read; to determine whether the message authentication data is stored in the second storage device based on the storage address of the message authentication data in the first storage device; to continue to acquire the message authentication data from the first storage device as first message authentication data when it is determined that the message authentication data is not stored in the second storage device; and to acquire the message authentication data from the second storage device as first message authentication data when it is determined that the message authentication data is stored in the second storage device;
the second access control unit is suitable for reading the corresponding effective data block from the first storage device based on the storage address of the effective data block to be read;
a second check-up data generating unit adapted to generate corresponding message authentication data as second message authentication data based on the read effective data block;
The data integrity checking unit is suitable for comparing the first message authentication data with the second message authentication data, and determining that the data integrity of the effective data block passes when the first message authentication data is determined to be consistent with the second message authentication data; otherwise, determining that the integrity check of the valid data block is not passed;
the data return unit is suitable for returning a valid data block corresponding to the read data request when the data integrity check unit determines that the integrity check of the data block passes;
the second storage device is adapted to cache the message authentication data and a storage address of the message authentication data in the first storage device, and the message authentication data cached in the second storage device is adapted to be stored into the first storage device according to the storage address stored in the second storage device when a preset trigger condition is met.
30. The storage device controller of claim 29, wherein a first address segment of the corresponding valid data storage area and a second address segment of the corresponding message authentication data storage area of the address segments of the first storage device are partitioned according to a predetermined memory space proportionality relationship.
31. The storage device controller of claim 29, further comprising:
and the interrupt unit is suitable for sending an interrupt request to a preset safety processing device when the data integrity checking unit determines that the integrity check of the data block fails, so that the safety processing device performs preset data protection processing operation on the read data request based on the interrupt request.
32. The storage device controller of claim 29, further comprising: the second data integrity protection identifier identifying unit is suitable for determining whether the data integrity protection identifier contained in the received read data request is in a valid state, and triggering the check data acquiring unit to execute corresponding operation based on the read data request when the data integrity identifier is in the valid state.
33. The storage device controller of any one of claims 29-32, wherein the first storage device is a memory, the storage device controller comprises the second storage device, and the second storage device is a random access memory.
34. The storage device controller according to claim 33, wherein the second check data acquisition unit includes: a read hit determiner adapted to determine whether the message authentication data is stored in the random access memory based on a memory address of the message authentication data in the first memory device.
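The read path of claims 29 to 34, the write-path flag of claim 27 and the fixed-ratio address partition of claims 26 and 30, modelled as an added Python example. This is not code from the patent or from Haiguang; it is a software stand-in for the controller so the claimed data flow can be exercised. Everything numeric is an assumption the claims do not fix: a 64-byte valid data block, a 16-byte truncated HMAC-SHA256 tag (hence a 4:1 space ratio), a 640-byte first storage device, a four-entry MAC cache whose preset write-back trigger is "cache full", and a boolean `protect` argument standing in for the request's data integrity protection identifier. The tampered and rolled-back memory images are constructed scenarios.

```python
"""Added example (not the patent's code): software model of the claimed memory
controller, with data/MAC regions split at a fixed ratio and a MAC cache."""
import hashlib
import hmac

BLOCK = 64           # bytes of valid data per block (assumption)
MAC_LEN = 16         # truncated HMAC-SHA256 tag per block (assumption)
RATIO = BLOCK // MAC_LEN                       # 4 data bytes : 1 MAC byte
MEM_SIZE = 640                                 # first storage device size (assumption)
DATA_REGION = MEM_SIZE * RATIO // (RATIO + 1)  # first address segment: 0..511
MAC_BASE = DATA_REGION                         # second address segment: 512..639
CACHE_ENTRIES = 4    # MAC entries the second storage device holds (assumption)


class IntegrityFault(Exception):
    """Models the interrupt request sent to the security processing device."""


class MemoryController:
    def __init__(self, key: bytes):
        self.key = key                  # held in the controller, never in DRAM
        self.mem = bytearray(MEM_SIZE)  # first storage device (DRAM)
        self.mac_cache = {}             # second storage device: mac_addr -> tag

    @staticmethod
    def mac_addr_for(data_addr: int) -> int:
        """Claims 26/30: the MAC address follows from the fixed space ratio."""
        if data_addr % BLOCK or not 0 <= data_addr < DATA_REGION:
            raise ValueError("unaligned or out-of-range block address")
        return MAC_BASE + (data_addr // BLOCK) * MAC_LEN

    def _tag(self, data_addr: int, block: bytes) -> bytes:
        # Binding the address into the MAC stops a valid block being relocated.
        msg = data_addr.to_bytes(4, "little") + block
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:MAC_LEN]

    def write(self, data_addr: int, block: bytes, protect: bool = True) -> None:
        """Write path: data to DRAM; MAC to the cache when the flag is set."""
        if len(block) != BLOCK:
            raise ValueError("block must be exactly BLOCK bytes")
        self.mem[data_addr:data_addr + BLOCK] = block
        if not protect:                 # claim 27: flag clear, no MAC generated
            return
        if len(self.mac_cache) >= CACHE_ENTRIES:
            self.flush()                # preset trigger condition: cache full
        self.mac_cache[self.mac_addr_for(data_addr)] = self._tag(data_addr, block)

    def flush(self) -> None:
        """Write cached MACs back to the MAC region at their recorded addresses."""
        for mac_addr, tag in self.mac_cache.items():
            self.mem[mac_addr:mac_addr + MAC_LEN] = tag
        self.mac_cache.clear()

    def read(self, data_addr: int, protect: bool = True) -> bytes:
        """Read path (claims 29-34): fetch stored MAC, recompute, compare."""
        block = bytes(self.mem[data_addr:data_addr + BLOCK])
        if not protect:                 # claim 32: flag clear, check bypassed
            return block
        mac_addr = self.mac_addr_for(data_addr)
        if mac_addr in self.mac_cache:  # claim 34: read hit determiner
            first_mac = self.mac_cache[mac_addr]
        else:
            first_mac = bytes(self.mem[mac_addr:mac_addr + MAC_LEN])
        second_mac = self._tag(data_addr, block)
        if not hmac.compare_digest(first_mac, second_mac):
            raise IntegrityFault(f"block at {data_addr:#x} failed MAC check")
        return block


def demo_tamper_detected() -> bool:
    """A byte flipped in DRAM behind the controller (constructed scenario)."""
    mc = MemoryController(key=b"constructed-controller-key")
    mc.write(0x40, b"A" * BLOCK)
    mc.mem[0x41] ^= 0x01
    try:
        mc.read(0x40)
    except IntegrityFault:
        return True
    return False


def demo_cache_hit_then_miss() -> tuple:
    mc = MemoryController(b"k")
    mc.write(0x00, b"B" * BLOCK)
    hit = mc.mac_addr_for(0x00) in mc.mac_cache     # MAC only in the cache so far
    mc.flush()
    miss = mc.mac_addr_for(0x00) not in mc.mac_cache  # now served from DRAM
    return hit, miss, mc.read(0x00) == b"B" * BLOCK


def demo_rollback_after_flush() -> bool:
    """Limit of a bare per-block MAC: an older (data, MAC) pair that has been
    written back can be restored and still passes the check."""
    mc = MemoryController(b"k")
    mc.write(0x80, b"old".ljust(BLOCK, b"\0")); mc.flush()
    snapshot = bytes(mc.mem)        # attacker images DRAM, data and MAC region
    mc.write(0x80, b"new".ljust(BLOCK, b"\0")); mc.flush()
    mc.mem[:] = snapshot            # attacker restores the older image
    return mc.read(0x80).startswith(b"old")
```

Two points the model makes visible. First, the MAC key must never reach the first storage device: the scheme only holds while an attacker who can rewrite DRAM cannot also recompute tags, and binding the block address into the tag additionally stops a valid block being copied to another address. Second, `demo_rollback_after_flush` shows a property of any per-block MAC that depends only on the block and its address: once a (data, MAC) pair has been written back from the cache, restoring an older pair is accepted. The claims as rendered here do not address that case; the page's Similar Documents list replay-protection designs (integrity trees, versioned counters) that exist for it.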
CN201911412224.2A 2019-12-31 2019-12-31 Access control method, system and storage device controller Active CN111125794B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911412224.2A CN111125794B (en) 2019-12-31 2019-12-31 Access control method, system and storage device controller

Publications (2)

Publication Number Publication Date
CN111125794A CN111125794A (en) 2020-05-08
CN111125794B true CN111125794B (en) 2023-09-26

Family

ID=70506458

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911412224.2A Active CN111125794B (en) 2019-12-31 2019-12-31 Access control method, system and storage device controller

Country Status (1)

Country Link
CN (1) CN111125794B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1707450A (en) * 2004-06-08 2005-12-14 侯方勇 Method and apparatus for protecting data confidentiality and integrity in memory equipment
WO2008127723A2 (en) * 2007-04-13 2008-10-23 Bartronics America, Inc. Method and system for rfid transaction integrity utilizing an eeprom
EP2339499A1 (en) * 2008-08-22 2011-06-29 International Business Machines Corporation Storage device, information processing device, and program
CN104008069A (en) * 2013-02-22 2014-08-27 中兴通讯股份有限公司 Data protection method, device and equipment
CN109582214A (en) * 2017-09-29 2019-04-05 华为技术有限公司 Data access method and computer system
CN110443070A (en) * 2019-08-12 2019-11-12 南京芯驰半导体科技有限公司 More host shared memory systems and data completeness protection method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7299379B2 (en) * 2003-06-27 2007-11-20 Intel Corporation Maintaining cache integrity by recording write addresses in a log

Also Published As

Publication number Publication date
CN111125794A (en) 2020-05-08

Similar Documents

Publication Publication Date Title
EP3274848B1 (en) Providing enhanced replay protection for a memory
EP3274850B1 (en) Protecting a memory
US11777705B2 (en) Techniques for preventing memory timing attacks
CN110945509B (en) Apparatus and method for controlling access to data in a protected memory region
JP6162652B2 (en) Memory management apparatus, program, and method
CN111143247B (en) Storage device data integrity protection method, controller thereof and system on chip
US11139959B2 (en) Stream ciphers for digital storage encryption
US11775177B2 (en) Integrity tree for memory integrity checking
CN111159781B (en) Storage device data integrity protection method, controller thereof and system on chip
EP3271828B1 (en) Cache and data organization for memory protection
KR102117838B1 (en) Methods for protecting security-related data in cache memory
CN112148521A (en) Providing improved efficiency for metadata usage
US20110173412A1 (en) Data processing device and memory protection method of same
CN115777101A (en) Memory protection using cached partial hash values
CN111125794B (en) Access control method, system and storage device controller
CN107861892B (en) Method and terminal for realizing data processing
CN115422604A (en) Data security processing method for nonvolatile memory, memory controller and system
KR102183648B1 (en) Method and apparatus for protecting kernel without nested paging
US20240220650A1 (en) Securing ats from rogue devices for confidential computing
WO2024144864A1 (en) Securing ats from rogue devices for confidential computing
JP2011053786A (en) Information processing device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 300384 industrial incubation-3-8, North 2-204, No. 18, Haitai West Road, Tianjin Huayuan Industrial Zone, Binhai New Area, Tianjin

Applicant after: Haiguang Information Technology Co.,Ltd.

Address before: 300384 industrial incubation-3-8, North 2-204, No. 18, Haitai West Road, Tianjin Huayuan Industrial Zone, Binhai New Area, Tianjin

Applicant before: HAIGUANG INFORMATION TECHNOLOGY Co.,Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20230824

Address after: Rooms 501 and 502, No. 289 Chunxiao Road, China (Shanghai) Pilot Free Trade Zone, Pudong New Area, Shanghai, 200020 (nominal floor is 6th floor)

Applicant after: Haiguang Yunxin Integrated Circuit Design (Shanghai) Co.,Ltd.

Address before: 300384 industrial incubation-3-8, North 2-204, No. 18, Haitai West Road, Tianjin Huayuan Industrial Zone, Binhai New Area, Tianjin

Applicant before: Haiguang Information Technology Co.,Ltd.

GR01 Patent grant