CN111290829B - Access control module, virtual machine monitor and access control method - Google Patents


Info

Publication number: CN111290829B
Authority: CN (China)
Prior art keywords: address, data access, access request, virtual, virtual address
Legal status: Active
Application number: CN202010041831.9A
Other languages: Chinese (zh)
Other versions: CN111290829A
Inventors: 姜莹, 王海洋
Current assignee: Haiguang Information Technology Co Ltd
Original assignee: Haiguang Information Technology Co Ltd

Application filed by Haiguang Information Technology Co Ltd
Priority to CN202010041831.9A
Publication of CN111290829A
Application granted
Publication of CN111290829B
Legal status: Active (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45579 I/O management, e.g. providing access to device drivers or storage
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science
  • Software Systems
  • Theoretical Computer Science
  • Physics & Mathematics
  • General Engineering & Computer Science
  • General Physics & Mathematics
  • Multi Processors
  • Computer And Data Communications

Abstract

An access control module, a virtual machine monitor and an access control method. The access control module comprises a first IO interface, a first memory management unit and a physical address routing unit. The first IO interface serves as the communication interface between an IO master device and a computer system; the IO master device forms an IO virtual machine by establishing an association with a first virtual machine preset in the computer system. When the first memory management unit receives a data access request from the first IO interface, it converts the virtual address of the access space contained in the request into the corresponding physical address and sends the request, now containing the physical address, to the physical address routing unit. The physical address routing unit routes the request to the corresponding access space according to the physical address it contains. With this scheme, the load on the processor of the computer system is reduced and the efficiency of data exchange between the IO master device and the computer system is improved.

Description

Access control module, virtual machine monitor and access control method
Technical Field
The embodiment of the specification relates to the technical field of computers, in particular to an access control module, a virtual machine monitor and an access control method.
Background
In existing input/output virtualization (IOV) technology, an input/output (IO) device may be connected through an IO interface of a computer system to a non-transparent bridge (NTB) and thereby act as an IO master device that accesses the computer system.
The IO master device and the computer system belong to two different operating systems with completely different address domains, so the non-transparent bridge translates between addresses of the IO master device's address domain and addresses of the computer system's address domain.
However, the address translation space of the non-transparent bridge is typically limited, so the IO master device can use only part of the computer system's resources. Resources whose addresses are not covered by the address-domain translation of the non-transparent bridge cannot be used directly by the IO master device; instead a processor in the computer system has to move the data, which increases the processor's load and reduces the efficiency of data exchange between the IO master device and the computer system.
Disclosure of Invention
In view of this, the embodiments of the present disclosure provide an access control module, a virtual machine monitor and an access control method that reduce the load on a processor in a computer system and improve the efficiency of data exchange between an IO master device and the computer system.
An embodiment of the specification provides an access control module comprising a first IO interface, a first memory management unit and a physical address routing unit, wherein:
the first IO interface serves as the communication interface between the IO master device and the computer system, and the IO master device establishes an association with a first virtual machine preset in the computer system to form an IO virtual machine;
the first memory management unit is adapted to, when receiving a data access request from the first IO interface, convert the virtual address of the access space contained in the request into the corresponding physical address and send the request, now containing the physical address, to the physical address routing unit; the virtual address is an address of the IO virtual machine address domain and the physical address is an address of the computer system address domain;
the physical address routing unit is adapted to route the data access request to the corresponding access space according to the physical address contained in the request it receives.
Optionally, the access control module further comprises a second IO interface and a virtual address routing unit, wherein:
the second IO interface serves as the communication interface between an IO slave device and the computer system;
the virtual address routing unit is adapted to, when receiving a data access request from the second IO interface, obtain the virtual address of the access space contained in the request and, on determining that the virtual address points to the IO virtual machine address domain, route the request to the first memory management unit;
the first memory management unit is further adapted to, when receiving a data access request from the virtual address routing unit, obtain the virtual address of the access space contained in the request and send the request to the IO virtual machine to which the virtual address points, so that the data access operation is performed on the access space corresponding to that virtual address in the IO virtual machine.
Optionally, the access control module further comprises a second memory management unit;
the virtual address routing unit is further adapted to send the data access request to the second memory management unit when it determines that the virtual address of the access space contained in the request points to the computer system address domain;
the second memory management unit is adapted to, when receiving a data access request from the virtual address routing unit, obtain the virtual address of the access space contained in the request, convert it into the corresponding physical address and send the request, now containing the physical address, to the physical address routing unit.
Optionally, the first memory management unit is further adapted to, before converting the virtual address of the access space contained in the data access request into the corresponding physical address, determine from that virtual address whether it points to the IO slave device address domain and, if so, send the request to the virtual address routing unit;
the virtual address routing unit is further adapted to, when receiving a data access request from the first memory management unit, route the request according to the virtual address of the access space it contains to the IO slave device to which that virtual address points, so that the data access operation is performed on the access space corresponding to the virtual address in the IO slave device.
Optionally, the IO slave device establishes an association with a second virtual machine through a preset virtual function that specifies the second virtual machine, and the second virtual machine is adapted to set the address mapping relationship in the virtual address routing unit.
Optionally, the first memory management unit is further adapted to determine whether the sender of a received data access request has the corresponding access right, and to execute the corresponding access control operation according to the result of that determination.
An embodiment of the specification also provides a virtual machine monitor comprising a first memory management unit and a physical address routing unit, wherein:
the first memory management unit is adapted to, when receiving a data access request from a first IO interface, convert the virtual address of the access space contained in the request into the corresponding physical address and send the request, now containing the physical address, to the physical address routing unit;
the physical address routing unit is adapted to route the data access request to the corresponding access space according to the physical address contained in the request it receives;
the first IO interface is the communication interface between an IO master device and a computer system, and the IO master device forms an IO virtual machine by establishing an association with a first virtual machine preset in the computer system; the virtual address is an address of the IO virtual machine address domain and the physical address is an address of the computer system address domain.
Optionally, the virtual machine monitor further comprises a virtual address routing unit adapted to, when receiving a data access request from a second IO interface, obtain the virtual address of the access space contained in the request and, on determining that the virtual address points to the IO virtual machine address domain, route the request to the first memory management unit;
the first memory management unit is further adapted to, when receiving a data access request from the virtual address routing unit, obtain the virtual address of the access space contained in the request and send the request to the IO virtual machine to which the virtual address points, so that the data access operation is performed on the access space corresponding to that virtual address in the IO virtual machine;
the second IO interface is the communication interface between an IO slave device and the computer system.
Optionally, the virtual machine monitor further comprises a second memory management unit;
the virtual address routing unit is further adapted to send the data access request to the second memory management unit when it determines that the virtual address of the access space contained in the request points to the computer system address domain;
the second memory management unit is adapted to, when receiving a data access request from the virtual address routing unit, obtain the virtual address of the access space contained in the request, convert it into the corresponding physical address and send the request, now containing the physical address, to the physical address routing unit.
Optionally, the first memory management unit is further adapted to, before converting the virtual address of the access space contained in the data access request into the corresponding physical address, determine from that virtual address whether it points to the IO slave device address domain and, if so, send the request to the virtual address routing unit;
the virtual address routing unit is further adapted to, when receiving a data access request from the first memory management unit, route the request according to the virtual address of the access space it contains to the IO slave device to which that virtual address points, so that the data access operation is performed on the access space corresponding to the virtual address in the IO slave device.
An embodiment of the specification also provides an access control method, suitable for access control of devices attached to an IO interface, comprising the following steps:
a first memory management unit receives a data access request from a first IO interface;
the first memory management unit converts the virtual address of the access space contained in the data access request into the corresponding physical address and sends the request, now containing the physical address, to a physical address routing unit;
the physical address routing unit routes the data access request to the corresponding access space according to the physical address contained in the request it receives;
the first IO interface is the communication interface between an IO master device and a computer system, and the IO master device forms an IO virtual machine by establishing an association with a first virtual machine preset in the computer system; the virtual address is an address of the IO virtual machine address domain and the physical address is an address of the computer system address domain.
Optionally, the access control method further comprises:
when receiving a data access request from a second IO interface, a virtual address routing unit obtains the virtual address of the access space contained in the request;
the virtual address routing unit sends the data access request to the first memory management unit when it determines that the virtual address points to the IO virtual machine address domain;
when receiving a data access request from the virtual address routing unit, the first memory management unit obtains the virtual address of the access space contained in the request and sends the request to the IO virtual machine to which the virtual address points, so that the data access operation is performed on the access space corresponding to that virtual address in the IO virtual machine;
the second IO interface is the communication interface between an IO slave device and the computer system.
Optionally, the access control method further comprises:
the virtual address routing unit sends the data access request to a second memory management unit when it determines that the virtual address points to the computer system address domain;
when receiving the data access request from the virtual address routing unit, the second memory management unit obtains the virtual address of the access space contained in the request, converts it into the corresponding physical address and sends the request, now containing the physical address, to the physical address routing unit.
Optionally, before the first memory management unit converts the virtual address of the access space contained in the data access request into the corresponding physical address, the method further comprises:
the first memory management unit determines from the virtual address of the access space contained in the data access request that the virtual address points to the IO slave device address domain, and sends the request to the virtual address routing unit;
when receiving a data access request from the first memory management unit, the virtual address routing unit routes the request according to the virtual address of the access space it contains to the IO slave device to which that virtual address points, so that the data access operation is performed on the access space corresponding to the virtual address in the IO slave device.
With the access control scheme provided by the embodiments of the specification, the IO master device establishes, through the first IO interface, an association with a first virtual machine preset in the computer system and thereby forms an IO virtual machine. When the first memory management unit receives a data access request from the first IO interface, it converts the virtual address of the access space contained in the request into the corresponding physical address and sends the request, now containing the physical address, to the physical address routing unit, which routes it to the corresponding access space according to that physical address. Because the IO master device is associated with the preset first virtual machine, the processor of the IO master device can act as a coprocessor of that virtual machine: the IO master device becomes one virtual machine of the computer system, the IO virtual machine, shares resources with the computer system and can use all of the computer system's resources. In addition, the IO virtual machine can actively initiate data access requests, and data exchange between the IO master device and the CPU requires no operation by a processor in the computer system, so the load on that processor is reduced and the efficiency of data exchange between the IO master device and the computer system is improved.
Further, when the virtual address routing unit receives a data access request from the second IO interface, it obtains the virtual address of the access space contained in the request and, on determining that the virtual address points to the IO virtual machine address domain, sends the request to the first memory management unit. The first memory management unit can then look up the corresponding IO virtual machine by the virtual address and perform the data access operation on the access space corresponding to that virtual address in the IO virtual machine. The IO slave device's data access request is thus delivered directly to the corresponding IO virtual machine, with no conversion between virtual and physical addresses and no participation of a processor of the computer system in the data interaction, so the load on that processor is reduced and the efficiency of data exchange between IO devices is improved.
Further, when the virtual address routing unit determines that the virtual address of the access space contained in the data access request points to the computer system address domain, it sends the request to the second memory management unit, which converts that virtual address into the corresponding physical address; the physical address routing unit then routes the request to the corresponding access space according to the physical address. Data interaction between the IO slave device and the computer system is thus realized, and the IO slave device can directly use the resources of the computer system.
Further, when the first memory management unit determines from the virtual address of the access space contained in a data access request that the virtual address points to the IO slave device address domain, it sends the request to the virtual address routing unit, which routes it to the IO slave device to which the virtual address points, so that the data access operation is performed on the access space corresponding to that virtual address in the IO slave device. The IO master device can therefore share the resources of the computer system's IO slave device, and the whole data interaction requires no data migration by a processor in the computer system, which further improves data interaction efficiency and reduces the load on that processor.
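The routing decisions summarized above, as an added Python model: a request from the first IO interface enters the first memory management unit, which either hands it untranslated to the virtual address routing unit (IO slave device address domain) or translates it and passes it to the physical address routing unit; a request from the second IO interface enters the virtual address routing unit, which delivers it to the IO virtual machine without translation or sends it through the second memory management unit. This is example code written for this page, not code from the patent or from Haiguang; the address-domain ranges, the linear base-plus-offset translation in both memory management units, the two physical access spaces and all unit and interface names are constructed assumptions.

```python
"""Routing model of the access control scheme (added example, not the patent's code).

Constructed assumptions: the three address domains, the two physical access
spaces and the linear (base + offset) translation used by both MMUs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IO_VM_DOMAIN = (0x1000_0000, 0x2000_0000)     # IO virtual machine address domain
IO_SLAVE_DOMAIN = (0x3000_0000, 0x3100_0000)  # IO slave device address domain
SYSTEM_DOMAIN = (0x4000_0000, 0x5000_0000)    # computer system address domain

FIRST_IO_INTERFACE = "first_io_interface"    # IO master device / IO virtual machine side
SECOND_IO_INTERFACE = "second_io_interface"  # IO slave device side


@dataclass
class DataAccessRequest:
    source: str                     # IO interface the request arrived on
    virtual_address: int
    physical_address: Optional[int] = None
    path: List[str] = field(default_factory=list)  # units traversed, for tracing


def in_domain(addr: int, domain: Tuple[int, int]) -> bool:
    return domain[0] <= addr < domain[1]


class MemoryManagementUnit:
    """Translates virtual addresses of one domain into physical addresses.

    Constructed simplification: the whole domain maps linearly onto phys_base.
    """

    def __init__(self, domain: Tuple[int, int], phys_base: int) -> None:
        self.domain = domain
        self.phys_base = phys_base

    def translate(self, va: int) -> int:
        if not in_domain(va, self.domain):
            raise ValueError(f"virtual address {va:#x} outside managed domain")
        return self.phys_base + (va - self.domain[0])


class PhysicalAddressRoutingUnit:
    """Routes a request carrying a physical address to the access space owning it."""

    def __init__(self, spaces: Dict[str, Tuple[int, int]]) -> None:
        self.spaces = spaces

    def route(self, req: DataAccessRequest) -> Tuple[str, int, List[str]]:
        req.path.append("physical_address_routing_unit")
        for name, domain in self.spaces.items():
            if in_domain(req.physical_address, domain):
                return name, req.physical_address, req.path
        raise ValueError(f"physical address {req.physical_address:#x} has no access space")


class AccessControlModule:
    """First IO interface -> first MMU; second IO interface -> virtual address routing unit."""

    def __init__(self) -> None:
        self.pa_router = PhysicalAddressRoutingUnit(
            {"memory": (0x0000_0000, 0x4000_0000), "mmio": (0x4000_0000, 0x5000_0000)}
        )
        # IO VM domain maps onto 0x3800_0000.., so its upper half lands in "mmio".
        self.first_mmu = MemoryManagementUnit(IO_VM_DOMAIN, phys_base=0x3800_0000)
        self.second_mmu = MemoryManagementUnit(SYSTEM_DOMAIN, phys_base=0x2000_0000)

    def handle(self, req: DataAccessRequest) -> Tuple[str, int, List[str]]:
        """Returns (target, address delivered to the target, units traversed)."""
        if req.source == FIRST_IO_INTERFACE:
            return self._from_io_virtual_machine(req)
        if req.source == SECOND_IO_INTERFACE:
            return self._from_io_slave_device(req)
        raise ValueError(f"unknown IO interface {req.source!r}")

    def _from_io_virtual_machine(self, req: DataAccessRequest):
        req.path.append("first_memory_management_unit")
        if in_domain(req.virtual_address, IO_SLAVE_DOMAIN):
            # Target is the IO slave device: forward untranslated via the VA routing unit.
            req.path.append("virtual_address_routing_unit")
            return "io_slave_device", req.virtual_address, req.path
        req.physical_address = self.first_mmu.translate(req.virtual_address)
        return self.pa_router.route(req)

    def _from_io_slave_device(self, req: DataAccessRequest):
        req.path.append("virtual_address_routing_unit")
        va = req.virtual_address
        if in_domain(va, IO_VM_DOMAIN):
            # Delivered to the IO virtual machine by the first MMU, no VA->PA translation.
            req.path.append("first_memory_management_unit")
            return "io_virtual_machine", va, req.path
        if in_domain(va, SYSTEM_DOMAIN):
            req.path.append("second_memory_management_unit")
            req.physical_address = self.second_mmu.translate(va)
            return self.pa_router.route(req)
        raise ValueError(f"virtual address {va:#x} points to no known address domain")


if __name__ == "__main__":
    acm = AccessControlModule()
    for src, va in [(FIRST_IO_INTERFACE, 0x1000_1000), (FIRST_IO_INTERFACE, 0x3000_0010),
                    (SECOND_IO_INTERFACE, 0x1000_2000), (SECOND_IO_INTERFACE, 0x4000_0100)]:
        target, addr, path = acm.handle(DataAccessRequest(src, va))
        print(f"{src}: {va:#x} -> {target} @ {addr:#x} via {' > '.join(path)}")
```

The `path` list makes the unit sequence of each request observable, which is the point of the model: only the two paths that cross an address-domain boundary pass through a memory management unit, and a request whose virtual address belongs to no configured domain is rejected rather than routed.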
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present description, the drawings required by the embodiments or by the description of the prior art are briefly introduced below. The drawings described below cover only some embodiments of the present description, and a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of the hierarchy of computer system virtualization in an embodiment of the present disclosure.
Fig. 2 is a schematic structural diagram of input/output virtualization in an embodiment of the present disclosure.
Fig. 3 is a schematic structural diagram of an access control module according to an embodiment of the present disclosure.
Fig. 4 is a schematic structural diagram of a virtual machine monitor according to an embodiment of the present disclosure.
Fig. 5 is a flowchart of an access control method in an embodiment of the present disclosure.
Fig. 6 is a flowchart of another access control method in an embodiment of the present disclosure.
Detailed Description
A virtual machine (VM) is a complete computer system, emulated in software, that runs in a fully isolated environment with the functionality of a complete hardware system.
Referring to Fig. 1, which shows the hierarchical structure of computer system virtualization according to an embodiment of the present disclosure, a computer system 10 includes computer system resources 11 and virtual machines 1 to N running on the computer system; each of virtual machines 1 to N may run its own virtual machine operating system, i.e. the virtual machine 1 operating system to the virtual machine N operating system. Virtual machines 1 to N share the underlying computer system resources 11 through a virtual machine monitor (VMM) 12, which isolates the resources of virtual machines 1 to N by monitoring their behavior, so that no conflict occurs when they access the computer system resources.
In prior-art IOV, referring to the schematic structure of input/output virtualization shown in Fig. 2, an IO device may access a computer system 20 through an IO interface: an IO master device 2A may access the computer system 20 through a first IO interface 21 of the computer system 20 and connect to a non-transparent bridge (NTB) 22, while an IO slave device 2B may communicate with an input/output memory management unit (IOMMU) 24 through a second IO interface.
Because the IO master device 2A and the computer system 20 belong to two operating systems with completely different address domains, an address from the address domain of the IO master device 2A must be converted by the non-transparent bridge 22 into the corresponding address of the address domain of the computer system 20 before data interaction with the processor 25 takes place over the bus 27 of the computer system 20 to access the corresponding storage space in the memory 26.
However, the address translation space of the non-transparent bridge 22 is limited: addresses of the IO master device 2A can be translated only to part of the addresses of the computer system 20, so the IO master device 2A can use only part of the resources of the computer system 20. Because the address conversion relationship set in the non-transparent bridge 22 is fixed, computer resources whose addresses are not covered by the conversion of the non-transparent bridge 22 cannot be used directly by the IO master device 2A; instead the processor 25 must move the data in the memory 26, which increases the load on the processor 25 and reduces the efficiency of data exchange between the IO master device 2A and the computer system 20.
In view of the foregoing, an embodiment of the present disclosure provides an access control scheme in which an IO master device establishes, through a first IO interface, an association with a first virtual machine preset in the computer system to form an IO virtual machine; when receiving a data access request from the first IO interface, the first memory management unit converts the virtual address of the access space contained in the request into the corresponding physical address and sends the request, now containing the physical address, to the physical address routing unit, which routes the request to the corresponding access space according to that physical address.
With the scheme of this embodiment, the association between the IO master device and the preset first virtual machine lets the processor of the IO master device act as a coprocessor of the first virtual machine, so the IO master device can serve as one virtual machine of the computer system, forming the IO virtual machine, share resources with the computer system and use all of the computer system's resources. In addition, the IO virtual machine can actively initiate data access requests, and data exchange between the IO master device and the CPU requires no operation by a processor in the computer system, so the load on that processor is reduced and the efficiency of data exchange between the IO master device and the computer system is improved.
To make the concept, implementation and advantages of the embodiments of the present disclosure clearer to those skilled in the art, a detailed description follows with reference to the accompanying drawings and specific application scenarios.
Referring to the schematic structural diagram of an access control module shown in Fig. 3, in an embodiment of the present disclosure the access control module 30 may include a first IO interface 301, a first memory management unit 302 and a physical address routing unit 303, wherein:
the first IO interface 301 serves as the communication interface between the IO master device 3A and the computer system 3C, and the IO master device 3A establishes an association with a first virtual machine (not shown) preset in the computer system 3C to form an IO virtual machine;
the first memory management unit 302 is adapted to, when receiving a data access request from the first IO interface 301, convert the virtual address of the access space contained in the request into the corresponding physical address and send the request, now containing the physical address, to the physical address routing unit 303, where the virtual address is an address of the IO virtual machine address domain and the physical address is an address of the address domain of the computer system 3C;
the physical address routing unit 303 is adapted to route the data access request to the corresponding access space according to the physical address contained in the request it receives.
One or more virtual machines may be run on the computer system 3C. In a specific implementation, a virtual machine that establishes an association relationship with the IO host device 3A may be selected in advance, which is referred to herein as a first virtual machine for convenience of description. The IO host device 3A may establish an association relationship with a first virtual machine preset in the computer system 3C, so as to form an IO virtual machine.
In some embodiments of the present disclosure, the association relationship between the first virtual machine and the corresponding IO host device may be established through a virtual machine monitor. For example, the binding relation between the corresponding virtual machine and the IO main device can be preset and stored to form the IO virtual machine, so that the processor of the IO main device can be used as a coprocessor of the IO virtual machine, and the resources of the processor of the IO main device can be fully utilized.
In other embodiments of the present disclosure, the association relationship between the identifier of the first virtual machine and the identifier of the preset IO host device may be established through a virtual machine operating system of the first virtual machine, for example, the association relationship between the identifier of the first virtual machine and the identifier of the preset IO host device may be set through the virtual machine operating system.
In a specific implementation, the identifier of any one or more virtual machines may be bound with the identifier of one IO master device to form an IO virtual machine or an IO virtual machine group.
Thus, the processor of the IO master device may be used as a coprocessor for the first virtual machine, and the IO master device may share the resources of the computer system with one or more virtual machines running on the computer system 3C.
It can be understood that in practical application, a corresponding number of first IO interfaces may be set according to the number of IO host devices or according to the number of virtual machines, where any one of the IO host devices may be electrically connected to any one of the first IO interfaces, so that resources of a computer system or resources of a slave device having a master-slave connection relationship with the computer system may be directly accessed. The embodiment of the present disclosure does not limit the type and the number of the first IO interfaces.
In an implementation, the first memory management unit 302 may be disposed in a virtual machine monitor and used as the MMU of the IO virtual machine to perform address translation management for accesses by the IO virtual machine. Specifically, when the IO virtual machine sends a data access request R1, the first memory management unit 302 may receive the data access request R1 through the first IO interface 301, convert the virtual address of the access space included in the data access request R1 into the corresponding physical address according to a preset address mapping relationship, and send the data access request R1 including the physical address to the physical address routing unit 303.
The virtual address may be an address of the IO virtual machine address field, and the physical address may be an address of the computer system 3C address field.
It will be appreciated that the types of the virtual address and the physical address may be selected according to actual requirements; for example, the type of the virtual address may be a guest physical address (Guest Physical Address, GPA), and the type of the physical address may be a host virtual address (Host Virtual Address, HVA) or a host physical address (Host Physical Address, HPA).
In a specific implementation, a physical address routing table may be preset in the physical address routing unit 303, and the physical address routing unit 303 queries the physical address routing table according to a physical address included in the received data access request, so as to obtain a routing path, and route the data access request to a corresponding access space in the computer system 3C, thereby using resources of the computer system.
For example, when the type of the physical address included in the data access request is HVA, the physical address routing unit 303 determines, by referring to the physical address routing table, that the access destination corresponding to the routing destination address is: a processor 31 and a memory 32. Thus, the physical address routing unit 303 sends the data access request to the processor 31, and the processor 31 may convert the HVA into the corresponding HPA through a page table walk, so that a data access operation, such as a data read operation or a data write operation, may be performed on the corresponding access space in the memory 32.
For another example, when the type of the physical address included in the data access request is HPA, the physical address routing unit 303 determines that the access target corresponding to the routing destination address is the memory 32 by referring to the physical address routing table. Thus, the physical address routing unit 303 may perform a corresponding data access operation, such as a read operation or a write operation, on the memory 32 according to the data access request.
It is to be understood that the physical address routing unit 303 may be set according to a hardware structure of the computer system, and the physical address routing unit 303 may determine different routing paths through different physical address routing tables, so that the data access request may be routed to a corresponding device in the computer system, such as a processor, a memory, a network card, a display card, and so on. The embodiment of the present specification does not limit the specific contents of the physical address routing table.
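The translation and routing flow of the first memory management unit 302 and the physical address routing unit 303 described in the paragraphs above, as an added simulation in Python. This is illustrative code written for this page, not code from the patent or its assignee: the preset GPA mapping, the physical address routing table, the address ranges and the target names "processor 31" and "memory 32" are constructed assumptions, and the rule that an HVA request is routed to the processor (for the page-table walk) and the memory while an HPA request goes directly to the memory follows the two examples in the text.

```python
"""Added simulation of the first memory management unit (preset GPA -> HVA/HPA
mapping for the IO virtual machine) and the physical address routing unit
(routing table keyed by address type and address range).

All mappings, ranges and target names below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class AddrType(Enum):
    GPA = "GPA"   # guest physical address: IO virtual machine address field
    HVA = "HVA"   # host virtual address: computer system address field
    HPA = "HPA"   # host physical address: computer system address field


@dataclass(frozen=True)
class Request:
    """A data access request: sender, address type, address and operation."""
    sender: str
    addr_type: AddrType
    addr: int
    op: str = "read"


class TranslationFault(Exception):
    """Raised when an address is outside the preset mapping or routing table."""


class FirstMMU:
    """Preset address mapping of the IO virtual machine, as a list of
    (guest_base, host_base, size, host_type) windows (constructed layout)."""

    def __init__(self, mapping):
        self.mapping = mapping

    def translate(self, req: Request) -> Request:
        """Rewrite the request's GPA into the mapped HVA or HPA."""
        if req.addr_type is not AddrType.GPA:
            raise TranslationFault(f"expected GPA, got {req.addr_type.value}")
        for guest_base, host_base, size, host_type in self.mapping:
            if guest_base <= req.addr < guest_base + size:
                return Request(req.sender, host_type,
                               host_base + (req.addr - guest_base), req.op)
        raise TranslationFault(f"GPA {req.addr:#x} is not mapped")


class PhysicalAddressRoutingUnit:
    """Physical address routing table: (addr_type, base, size, target).
    An HVA is routed to the processor and memory (the processor walks the
    page table to obtain the HPA); an HPA is routed directly to memory."""

    def __init__(self, table):
        self.table = table

    def route(self, req: Request):
        for addr_type, base, size, target in self.table:
            if req.addr_type is addr_type and base <= req.addr < base + size:
                return target
        raise TranslationFault(f"no route for {req.addr_type.value} {req.addr:#x}")


# Constructed mapping for one IO virtual machine: a GPA window backed by HPA
# and a GPA window backed by HVA.
EXAMPLE_MAPPING = [
    (0x0000_0000, 0x8000_0000, 0x1_0000, AddrType.HPA),
    (0x0001_0000, 0x7f00_0000, 0x1_0000, AddrType.HVA),
]

# Constructed physical address routing table for the computer system.
EXAMPLE_ROUTING_TABLE = [
    (AddrType.HPA, 0x8000_0000, 0x1000_0000, ("memory 32",)),
    (AddrType.HVA, 0x0, 1 << 48, ("processor 31", "memory 32")),
]


def handle_request(mmu: FirstMMU, pru: PhysicalAddressRoutingUnit, req: Request):
    """Full path of a request from the first IO interface: translate in the
    first MMU, then route on the physical address. Returns (target, request)."""
    physical = mmu.translate(req)
    return pru.route(physical), physical


if __name__ == "__main__":
    mmu = FirstMMU(EXAMPLE_MAPPING)
    pru = PhysicalAddressRoutingUnit(EXAMPLE_ROUTING_TABLE)
    for gpa in (0x1234, 0x1_0010):
        target, phys = handle_request(mmu, pru, Request("IO VM", AddrType.GPA, gpa))
        print(f"GPA {gpa:#x} -> {phys.addr_type.value} {phys.addr:#x} -> {target}")
```

The routing decision is made only on the address type and range carried in the request, which is the point of the two examples in the text: an HVA cannot be served by the memory alone, so the table sends it through the processor, while an HPA skips the processor entirely.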
By adopting this scheme, an association relationship is established between the IO master device and the preset first virtual machine, so that the processor of the IO master device can serve as a coprocessor of the first virtual machine; the IO master device can act as one virtual machine of the computer system, forming the IO virtual machine, and share resources with the computer system, so that all resources in the computer system can be used. In addition, the IO virtual machine can actively initiate a data access request, and the data exchange between the IO master device and the CPU requires no operation by a processor in the computer system, so the load of that processor can be reduced, its operations on the IO master device are reduced, and the data exchange efficiency between the IO master device and the computer system can be improved.
The IO device may also be a slave device of a computer system, and in particular implementations, with continued reference to FIG. 2, IO slave device 2B may be coupled to IO memory management unit (IO Memory Management Unit, IOMMU) 24 via second IO interface 23 to thereby access computer system 20.
Accesses by IO slave device 2B may be subject to rights management and address translation management by IOMMU 24. The IO slave device 2B may be bound to a certain virtual machine through a preset virtual function (Virtual Function, VF); the address of the access space included in a data access request sent from the IO slave device bound to the virtual machine to the computer system 20 is an address of the virtual machine address domain, so the IOMMU 24 may convert the address of the access space included in the data access request into a physical address of the computer system address domain.
The inventors found that, although many existing IO devices have processors, once such IO devices are connected to a computer system as master or slave devices, the IO devices externally connected to the computer system cannot access each other or exchange data directly: access and data exchange between IO devices can only take place after a command is initiated by the processor of the computer system, and the data must be migrated through that processor, so that the data exchange efficiency between the IO devices is low and the load of the processor of the computer system 20 is increased.
In a specific implementation, in order to improve the data exchange efficiency between the IO devices and reduce the load of the processor of the computer system, a virtual address of an access space included in the data access request may be determined, and it is determined whether the virtual address points to an IO device address field or a computer system address field, so that different operations are performed, which will be described in detail below through specific embodiments.
In a specific embodiment of the present disclosure, as shown in fig. 3, the access control module may further include: a second IO interface 304 and a virtual address routing unit 305, wherein:
the second IO interface 304 may be used as a communication interface between the IO slave device 3B and the computer system 3C;
the virtual address routing unit 305 is adapted to, when receiving a data access request from the second IO interface 304, obtain a virtual address of an access space included in the data access request, and when determining that the virtual address points to the IO virtual machine address field, route the data access request to the first memory management unit 302;
the first memory management unit 302 is further adapted to, when receiving a data access request from the virtual address routing unit 305, obtain a virtual address of an access space included in the data access request, and send the data access request to an IO virtual machine pointed by the virtual address, so as to perform a data access operation on the access space corresponding to the virtual address in the IO virtual machine.
The virtual address of the access space included in the data access request may be a GPA or a guest virtual address (Guest Virtual Address, GVA).
In a specific implementation, a virtual address routing table may be preset in the virtual address routing unit 305, and the virtual address routing unit 305 may query the virtual address routing table according to a virtual address included in the received data access request, so as to obtain a routing destination address, and send the data access request to the first memory management unit 302 when determining that the virtual address points to the IO virtual machine address domain according to the routing destination address. In addition, since the first memory management unit 302 may be connected to a corresponding IO virtual machine through a plurality of first IO interfaces, the first memory management unit 302 may send the data access request to the IO virtual machine pointed to by the virtual address according to the virtual address of the access space included in the data access request, so as to perform a data access operation on the access space corresponding to the virtual address in the IO virtual machine.
In a specific implementation, a virtual machine may use the resources of an IO slave device connected to the computer system through a preset VF. The IO slave device can establish an association relationship with the virtual machine designated by the VF through that preset VF; to distinguish the virtual machine designated by the VF from other virtual machines, it may be called the second virtual machine. The second virtual machine may set an address mapping relationship in the virtual address routing unit 305 to obtain the corresponding virtual address routing table.
Therefore, after the VF of the IO slave device is allocated to the IO virtual machine, the IO virtual machine can set a virtual address routing table in the virtual address routing unit, so that the virtual address routing table comprises the corresponding relation between the address domain of the IO virtual machine and the address domain of the IO slave device.
As can be seen from the above, when the virtual address routing unit 305 determines that the virtual address points to the address domain of the IO virtual machine, the data access request may be directly sent to the first memory management unit 302, and after determining that the IO virtual machine includes the access space, the first memory management unit 302 directly sends the data access request to the IO virtual machine through the corresponding first IO interface 301, so that access between the IO slave device 3B and the IO virtual machine may not need to perform address conversion operation, and the processor 31 does not need to participate in data interaction, thereby reducing the load of the processor and improving the data exchange efficiency between the IO master device and the IO slave device.
In addition, the IO slave device 3B and the IO virtual machine may use the same address field, so that the first memory management unit 302 may determine which IO virtual machine is the IO virtual machine that includes the access space.
In other embodiments of the present disclosure, the IO virtual machine may also access the IO slave device. As shown in fig. 3, the access control module 30 may be further optimized and extended; as a specific example, in the access control module 30:
The first memory management unit 302 is further adapted to send the data access request to the virtual address routing unit 305 when determining that the virtual address points to the IO slave device address field according to the virtual address of the access space included in the data access request before converting the virtual address of the access space included in the data access request into a corresponding physical address;
the virtual address routing unit 305 is further adapted to, when receiving a data access request from the first memory management unit 302, route the data access request to an IO slave device pointed to by the virtual address according to a virtual address of an access space included in the data access request, so as to perform a data access operation on the access space corresponding to the virtual address in the IO slave device.
The virtual address routing unit 305 may connect a corresponding number of IO slave devices through a plurality of second IO interfaces, so that the data access request may be routed to the IO slave device including the access space according to the virtual address of the access space included in the data access request. And, the virtual address of the access space included in the data access request may be GPA or GVA.
As can be seen from the foregoing, when the first memory management unit 302 determines, from the virtual address of the access space included in the data access request, that the virtual address points to the address domain of the IO slave device, it sends the data access request to the virtual address routing unit, and the virtual address routing unit routes the data access request to the IO slave device pointed to by the virtual address, so that the data access operation can be performed on the access space corresponding to the virtual address in the IO slave device. The IO master device can thus share the resources of the IO slave devices of the computer system, and the whole data interaction process requires no data migration by the processor in the computer system, which further improves the data interaction efficiency and reduces the load of the processor in the computer system.
In an implementation, as shown in fig. 3, in order to enable the IO slave device 3B to access the system resource of the computer system 3C, the access control module 30 may further include a second memory management unit 306.
Accordingly, the virtual address routing unit 305 is further adapted to route the access request to the second memory management unit 306 when it is determined that the virtual address of the access space contained in the data access request points to the computer system 3C address field;
The second memory management unit 306 is adapted to, when receiving a data access request from the virtual address routing unit 305, obtain a virtual address of an access space included in the data access request, convert the virtual address into a corresponding physical address, and send the data access request including the physical address to the physical address routing unit 303.
The second memory management unit 306 may be an IOMMU or an MMU, and the specific operation of the physical address routing unit 303 on the data access request is as described above and is not repeated here.
As can be seen from the above, the virtual address routing unit determines which address domain the virtual address of the access space included in the data access request points to, and sends only the data access requests directed to the address domain of the computer system to the second memory management unit 306, so that the workload of the second memory management unit 306 and the load of the processor 31 of the computer system 3C can be reduced, and the data exchange efficiency between the IO virtual machine and the IO slave device 3B can be improved.
In a specific implementation, in order to improve access security, the first memory management unit 302 may further determine whether the sender of the received data access request has the corresponding access right, and execute a corresponding access control operation according to the determination result. Similarly, the second memory management unit may determine whether the sender of the received data access request has the corresponding access right, and execute a corresponding access control operation according to the determination result.
The sender may be an IO virtual machine, an IO slave device, a processor of the computer system, or the like. When the sender of the received data access request does not have the access right, an alarm signal may be sent to the processor of the computer system, and the data access request is interrupted by the processor of the computer system. When the sender of the received data access request has the access right, the subsequent operations, such as address translation and forwarding of the data access request, are performed according to the sender of the data access request; the specific operation process corresponding to each sender is as described above and is not repeated here.
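The virtual address routing unit 305, the address-domain decision of the first memory management unit 302, the second memory management unit 306 and the access right check from the paragraphs above, as an added Python simulation. This is illustrative code written for this page, not code from the patent or its assignee. The routing tables, address windows, device and virtual machine names, sender identifiers and the rights assignment are constructed; it is also an assumption that the first memory management unit consults the same virtual address routing table to decide whether a virtual address points to the IO slave device address domain, and that a virtual address matching no routing entry is rejected rather than defaulted to some domain.

```python
"""Added simulation of the virtual address routing unit, the domain decision of
the first memory management unit, the second memory management unit and the
access right check with its alarm to the processor.

All tables, names, sender ids and rights below are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Domain(Enum):
    IO_VM = "IO virtual machine address domain"
    IO_SLAVE = "IO slave device address domain"
    SYSTEM = "computer system address domain"


@dataclass(frozen=True)
class Request:
    sender: str   # constructed sender ids: "io_vm:<name>" or "io_slave:<name>"
    vaddr: int    # virtual address of the access space (GPA or GVA)
    op: str = "read"


class AccessDenied(Exception):
    """Sender lacks the right for the targeted domain: an alarm is recorded
    for the processor, which interrupts the request."""


def _find(table, addr):
    """Range lookup over (base, size, payload) entries; returns
    (base, payload) for the window containing addr, else None."""
    for base, size, payload in table:
        if base <= addr < base + size:
            return base, payload
    return None


@dataclass
class AccessControlModule:
    # Virtual address routing table set by the second virtual machine:
    # (base, size, (domain, device name or None)).  Assumed shared by the
    # first MMU for its own domain decision.
    virtual_routing: list
    # Windows of the address field shared by IO VMs and IO slaves, with the
    # IO virtual machine owning each window: (base, size, vm name).
    io_vm_windows: list
    # First MMU preset GPA -> HPA mapping: (base, size, host_base).
    first_mmu_map: list
    # Second MMU (IOMMU) mapping for IO slave requests, same layout.
    second_mmu_map: list
    # Access rights: sender id -> set of domains it may access.
    rights: dict
    alarms: list = field(default_factory=list)  # alarms raised to processor

    def _check_right(self, req, domain):
        if domain not in self.rights.get(req.sender, set()):
            self.alarms.append((req.sender, req.vaddr, domain.value))
            raise AccessDenied(f"{req.sender} may not access {domain.value}")

    def _domain(self, req):
        hit = _find(self.virtual_routing, req.vaddr)
        if hit is None:
            raise KeyError(f"no routing entry for {req.vaddr:#x}")
        return hit[1]  # (domain, device)

    def _translate(self, mapping, req):
        """Virtual -> physical translation; the result is what would be
        handed to the physical address routing unit."""
        hit = _find(mapping, req.vaddr)
        if hit is None:
            raise KeyError(f"{req.vaddr:#x} is not mapped")
        base, host_base = hit
        return ("physical_routing", host_base + (req.vaddr - base))

    def from_second_io_interface(self, req):
        """Request from an IO slave device (second IO interface)."""
        domain, _device = self._domain(req)
        if domain is Domain.IO_VM:
            # No address translation: the first MMU delivers the request to
            # the IO VM whose window contains the access space.
            self._check_right(req, Domain.IO_VM)
            owner = _find(self.io_vm_windows, req.vaddr)
            if owner is None:
                raise KeyError(f"no IO virtual machine owns {req.vaddr:#x}")
            return ("io_vm", owner[1], req.vaddr)
        if domain is Domain.SYSTEM:
            # Second MMU translates, then the physical routing unit routes.
            self._check_right(req, Domain.SYSTEM)
            return self._translate(self.second_mmu_map, req)
        raise ValueError("slave-to-slave access is not routed by this module")

    def from_first_io_interface(self, req):
        """Request from an IO virtual machine (first IO interface)."""
        domain, device = self._domain(req)
        if domain is Domain.IO_SLAVE:
            # Handed to the virtual address routing unit before translation.
            self._check_right(req, Domain.IO_SLAVE)
            return ("io_slave", device, req.vaddr)
        self._check_right(req, Domain.SYSTEM)
        return self._translate(self.first_mmu_map, req)


# Constructed module configuration with two IO VMs and one IO slave device.
EXAMPLE = AccessControlModule(
    virtual_routing=[
        (0x0000_0000, 0x1_0000, (Domain.IO_VM, None)),
        (0x0001_0000, 0x1_0000, (Domain.IO_SLAVE, "nic-vf0")),
        (0x1000_0000, 0x1000_0000, (Domain.SYSTEM, None)),
    ],
    io_vm_windows=[(0x0000, 0x8000, "iovm-a"), (0x8000, 0x8000, "iovm-b")],
    first_mmu_map=[(0x1000_0000, 0x1000_0000, 0x8000_0000)],
    second_mmu_map=[(0x1000_0000, 0x1000_0000, 0x9000_0000)],
    rights={
        "io_slave:nic-vf0": {Domain.IO_VM, Domain.SYSTEM},
        "io_vm:iovm-a": {Domain.IO_SLAVE, Domain.SYSTEM},
        "io_vm:iovm-b": {Domain.SYSTEM},
    },
)
```

The right check runs before any translation, so a denied request never reaches either memory management unit's mapping or the physical routing unit, and the recorded alarm is what the processor would act on to interrupt the request.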
Embodiments of the present disclosure provide a virtual machine monitor that may manage an IO master device and a slave device that access a computer system, and for those skilled in the art to better understand and implement the virtual machine monitor in the present disclosure, the following detailed description will be made with reference to the accompanying drawings.
Referring to a schematic structural diagram of a virtual machine monitor in the embodiment of the present specification shown in fig. 4, in the embodiment of the present specification, a virtual machine monitor 40 may include a first memory management unit 41 and a physical address routing unit 42, where:
The first memory management unit 41 is adapted to, when receiving a data access request from the first IO interface 4A, convert a virtual address of an access space included in the data access request into a corresponding physical address, and send the data access request including the physical address to the physical address routing unit 42;
the physical address routing unit 42 is adapted to route the data access request to a corresponding access space according to a physical address included in the received data access request;
the first IO interface 4A is a communication interface between the IO host device 4B and the computer system 4S, where the IO host device 4B establishes an association relationship with a first virtual machine (not shown) preset in the computer system 4S to form an IO virtual machine; the virtual address is the address of the IO virtual machine address field, and the physical address is the address of the computer system 4S address field.
And, the types of the virtual address and the physical address may be selected according to actual requirements, for example, the type of the virtual address may be GPA, and the type of the physical address may be HVA or HPA.
It will be appreciated that the physical address routing unit 42 may be configured according to a hardware structure of the computer system 4S, and the physical address routing unit 42 may determine different routing paths through different physical address routing tables, so as to route the data access request to corresponding devices in the computer system 4S, such as a processor, a memory, a network card, a video card, etc., where the specific contents of the physical address routing tables are not limited in this embodiment of the present disclosure.
By adopting this virtual machine monitor, the IO virtual machine can actively initiate a data access request, and by flexibly setting the address mapping relationship in the first memory management unit 41, the virtual address of the access space in the data access request is not limited by the address translation space, so that the IO virtual machine can use all resources of the computer system 4S; the operations of the processor of the computer system 4S on the IO master device 4B are reduced, the load of that processor is reduced, and the data exchange efficiency between the IO master device 4B and the computer system 4S is improved.
In a specific implementation, in order to improve the data exchange efficiency between the IO devices, the virtual machine monitor may determine a virtual address of an access space included in the data access request, and determine whether the virtual address points to an IO device address domain or a computer system address domain, so as to perform different operations, which will be described in detail in the following through specific embodiments.
In an embodiment of the present disclosure, as shown in fig. 4, the virtual machine monitor 40 may further include a virtual address routing unit 43, where:
the virtual address routing unit 43 is adapted to, when receiving a data access request from the second IO interface 4C, obtain a virtual address of an access space included in the data access request, and when determining that the virtual address points to the IO virtual machine address field, route the data access request to the first memory management unit 41;
Correspondingly, the first memory management unit 41 is further adapted to, when receiving a data access request from the virtual address routing unit, obtain a virtual address of an access space included in the data access request, and send the data access request to an IO virtual machine pointed by the virtual address, so as to perform a data access operation on the access space corresponding to the virtual address in the IO virtual machine;
as shown in fig. 4, the second IO interface 4C is a communication interface between the IO slave device 4D and the computer system 4S. The type of the virtual address of the access space contained in the data access request may be GPA or GVA.
In implementations, the IO slave device 4D accessing the computer system may be shared by the virtual machine through the VF. The IO slave device 4D may establish an association relationship between the VF and the virtual machine specified by the VF, and in order to distinguish the virtual machine specified by the VF from other virtual machines, the virtual machine specified by the VF may be referred to as a second virtual machine. The second virtual machine may set an address mapping relationship in the virtual address routing unit 43, to obtain a corresponding virtual address routing table.
Therefore, after the VF of the IO slave device is allocated to the IO virtual machine, the IO virtual machine may set a virtual address routing table in the virtual address routing unit 43, so that the virtual address routing table includes a mapping relationship between an address domain of the IO virtual machine and an address domain of the IO slave device, and further direct access of the IO slave device to the IO virtual machine may be achieved.
As a specific example, when the virtual address routing unit 43 determines that the virtual address points to the address domain of the IO virtual machine, the data access request is sent directly to the first memory management unit 41, and after determining the IO virtual machine that includes the access space, the first memory management unit 41 sends the data access request directly to that IO virtual machine. Thus, access between the IO slave device and the IO virtual machine requires no conversion between the virtual address and a physical address, and no processor (not shown in the figure) in the computer system needs to send a corresponding instruction or perform a data migration operation, which reduces the load of the processor of the computer system.
In addition, the IO slave device 4D and the IO virtual machine may use the same address field, so that the first memory management unit 41 determines which IO virtual machine corresponds to the access space.
By adopting the virtual machine monitor, the virtual address can be determined to point to the IO virtual machine address field through the virtual address routing unit, so that the first memory management unit can inquire the corresponding IO virtual machine through the virtual address, and perform data access operation on the access space corresponding to the virtual address in the IO virtual machine, thereby directly sending the data access request of the IO slave device to the corresponding IO virtual machine without performing conversion between the virtual address and the physical address or participating in data interaction by a processor of a computer system, thereby reducing the load of the processor in the computer system and improving the data exchange efficiency between IO devices.
In other embodiments of the present disclosure, the IO virtual machine may access an IO slave device, as shown in fig. 4, where before converting a virtual address of an access space included in the data access request into a corresponding physical address, the first memory management unit 41 is further adapted to send the data access request to the virtual address routing unit 43 when determining that the virtual address points to the IO slave device address field according to the virtual address of the access space included in the data access request;
the virtual address routing unit 43 is further adapted to, when receiving a data access request from the first memory management unit 41, route the data access request to an IO slave device including an access space to which the virtual address points according to a virtual address of the access space included in the data access request, so as to perform a data access operation on the access space corresponding to the virtual address in the IO slave device.
The virtual address of the access space included in the data access request may be GPA or GVA.
According to this embodiment of the virtual machine monitor, when the first memory management unit determines, from the virtual address of the access space included in the data access request, that the virtual address points to the address domain of the IO slave device, it sends the data access request to the virtual address routing unit, and the virtual address routing unit routes the data access request to the IO slave device pointed to by the virtual address, so that the data access operation can be performed on the access space corresponding to the virtual address in the IO slave device. The IO master device can thus share the resources of the IO slave devices of the computer system, and the whole data interaction process requires no data migration by the processor in the computer system, which further improves the data interaction efficiency and reduces the load of the processor in the computer system.
In an implementation, as shown in fig. 4, in order to enable the IO slave device 4D to access other resources of the computer system, the virtual machine monitor 40 may further include a second memory management unit 44:
the virtual address routing unit 43 is further adapted to route the access request to the second memory management unit 44 upon determining that the virtual address of the access space contained in the data access request points to the computer system address field;
the second memory management unit 44 is adapted to, when receiving a data access request from the virtual address routing unit 43, obtain a virtual address of an access space included in the data access request, convert the virtual address into a corresponding physical address, and send the data access request including the physical address to the physical address routing unit 42.
The second memory management unit 44 may be an IOMMU or an MMU; the specific operation of the physical address routing unit 42 on the data access request is as described above and is not repeated here.
From the above, the virtual address routing unit determines which address domain the virtual address of the access space included in the data access request points to, and sends only the data access requests directed to the address domain of the computer system to the second memory management unit, so that the workload of the second memory management unit and the load of the processor in the computer system can be reduced, and the data exchange efficiency between the IO devices can be improved.
In a specific implementation, in order to improve access security, the first memory management unit 41 may further determine whether the sender of the received data access request has the corresponding access right, and execute a corresponding access control operation according to the determination result. Similarly, the second memory management unit 44 may also determine whether the sender of the received data access request has the corresponding access right, and perform a corresponding access control operation according to the determination result.
The sender may be an IO virtual machine, an IO slave device, a processor of the computer system, or the like. When the sender of the received data access request does not have the access right, an alarm signal may be sent to the processor of the computer system, and the data access request is interrupted by the processor of the computer system. When the sender of the received data access request has the access right, the subsequent operations, such as address translation and forwarding of the data access request, are performed according to the sender of the data access request; the specific operation process corresponding to each sender is as described above and is not repeated here.
The embodiments of the present specification also provide an access control method, and in order to enable those skilled in the art to better understand and implement the method in the present specification, the following detailed description is provided with reference to the accompanying drawings.
Referring to a flowchart of an access control method in the embodiment of the present specification shown in fig. 5, in the embodiment of the present specification, the method may include:
S51, the first memory management unit receives a data access request from the first IO interface.
The first IO interface serves as a communication interface between the IO master device and the computer system, and the IO master device establishes an association relationship with a first virtual machine preset in the computer system to form an IO virtual machine.
In a specific implementation, one or more virtual machines may run on the computer system, and a virtual machine to be associated with the IO master device may be selected from them; for convenience of description, the virtual machine associated with the IO master device is taken as the first virtual machine. Thus, when the IO master device accesses the computer system through a preset communication interface, resources may be shared with the IO master device, and the processor of the IO master device may serve as a coprocessor of the first virtual machine, so that the resources of the processor of the IO master device can be fully utilized.
In practical application, if multiple virtual machines are selected as first virtual machines, a corresponding IO interface may be allocated to each first virtual machine, and each IO interface may be externally connected to a corresponding IO master device. When an IO master device accesses the computer system through the corresponding IO interface, each first virtual machine may first determine whether the IO interface connected to the IO master device is the communication interface allocated to it; if so, the first virtual machine and the IO master device may form an IO virtual machine.
Thus, the processor of the IO host device may be used as a coprocessor of the first virtual machine, and the IO host device may share resources of the computer system with the virtual machine running on the computer system, thereby forming an IO virtual machine.
It may be understood that, in practical application, the communication interface preset between the IO host device and the computer system may be referred to as a first IO interface, and the number of first IO interfaces is determined by the number of IO virtual machines required, which is not limited in the embodiments of the present disclosure.
S52, the first memory management unit converts the virtual address of the access space contained in the data access request into a corresponding physical address, and sends the data access request containing the physical address to a physical address routing unit.
In an implementation, the first IO interface is further connected to a first memory management unit. The first memory management unit may be a memory management unit controlled by the virtual machine monitor, and it serves as the MMU of the IO virtual machine, performing address translation management for the accesses of the IO virtual machine.
The virtual address may be an address of the IO virtual machine address field, and the physical address may be an address of the computer system address field. It is understood that the types of the virtual address and the physical address may be selected according to actual requirements, for example, the type of the virtual address may be GPA, and the type of the physical address may be HVA or HPA.
S53, the physical address routing unit routes the data access request to the corresponding access space according to the physical address contained in the received data access request.
In a specific implementation, the physical address routing unit may be preset with a physical address routing table, and the physical address routing unit queries the physical address routing table according to a physical address included in the received data access request, so as to obtain a routing destination address, and route the data access request to a corresponding access space in the computer system, thereby using resources of the computer system.
It may be understood that the physical address routing may be set according to a hardware structure of the computer system, and the physical address routing unit may determine different routing paths through different physical address routing tables, so as to route the data access request to corresponding devices in the computer system, such as a processor, a memory, a network card, a display card, etc., where specific contents of the physical address routing tables are not limited in this embodiment of the present disclosure.
By adopting this scheme, an association relation is established between the IO main device and the preset first virtual machine, so that the processor of the IO main device can be used as a coprocessor of the first virtual machine; the IO main device can thus act as one virtual machine of the computer system, forming the IO virtual machine, sharing resources with the computer system and being able to use all resources in the computer system. In addition, the IO virtual machine can actively initiate data access requests, and because the address mapping relation in the memory management unit can be set flexibly, the virtual address of the access space in a data access request is not limited by the address translation space. Data exchange between the IO main device and the CPU therefore requires no operation by a processor of the computer system, so the load of the processor in the computer system is reduced and the data exchange efficiency between the IO main device and the computer system is improved.
In an implementation, as shown in fig. 5, before step S52, the access control method may further include:
S54, the first memory management unit acquires the virtual address of the access space contained in the data access request.
S55, the first memory management unit judges whether the virtual address points to the address domain of the IO slave device, if so, step S56 is executed, and otherwise, step S52 is executed.
S56, the first memory management unit sends the data access request to the virtual address routing unit.
S57, when receiving the data access request from the first memory management unit, the virtual address routing unit routes the data access request to the IO slave device pointed to by the virtual address, according to the virtual address of the access space contained in the data access request.
From the above, the first memory management unit determines that the virtual address points to the address domain of the IO slave device, so the virtual address routing unit can look up the corresponding access space by the virtual address and identify the IO slave device that contains it. The data access request of the IO virtual machine is thus sent directly to the corresponding IO slave device, without converting between virtual and physical address and without a processor of the computer system initiating a command or performing data migration; the load of the processor in the computer system can therefore be reduced, and the data exchange efficiency between the IO master device and the IO slave device improved.
In an implementation, as shown in fig. 6, there is a flowchart of another access control method, where the access control method may further include:
S61, when receiving a data access request from a second IO interface, the virtual address routing unit acquires the virtual address of the access space contained in the data access request.
S62, when the virtual address routing unit determines that the virtual address points to the IO virtual machine address field, the data access request is sent to the first memory management unit.
S63, when receiving the data access request from the virtual address routing unit, the first memory management unit acquires the virtual address of the access space contained in the data access request, and sends the data access request to the IO virtual machine containing the access space.
The second IO interface is used as a communication interface between the IO slave equipment and the computer system.
From the above, since the virtual address routing unit determines that the virtual address points to the IO virtual machine address field, the first memory management unit can look up the corresponding IO virtual machine by the virtual address and perform the data access operation on the access space that the virtual address designates within that IO virtual machine. A data access request of the IO slave device can thus be sent directly to the corresponding IO virtual machine, without conversion between virtual and physical address and without a processor of the computer system participating in the data interaction, so the load of the processor in the computer system is reduced and the data exchange efficiency between the IO devices is improved.
In an implementation, as shown in fig. 6, after step S61, the access control method may further include:
S64, the virtual address routing unit sends the data access request to the second memory management unit when determining that the virtual address points to the address field of the computer system.
S65, when receiving the data access request from the virtual address routing unit, the second memory management unit acquires the virtual address of the access space contained in the data access request, converts the virtual address into a corresponding physical address, and sends the data access request containing the physical address to the physical address routing unit.
The second memory management unit may be an IOMMU or an MMU, and the specific operations of the physical address routing unit on the data access request are as described above and are not repeated here.
From the above, the virtual address routing unit determines which address domain the virtual address of the access space included in the data access request points to, and sends only the data access requests directed to the address domain of the computer system to the second memory management unit. The amount of work of the second memory management unit and the load of the processor in the computer system are thereby reduced, and the data exchange efficiency between the IO master device and the IO slave device is also improved.
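The two request paths described above, modelled in one place: the fig. 5 path (steps S51 to S57), in which a request from the IO master enters the first memory management unit and is either handed untranslated to the virtual address routing unit or translated and routed by physical address, and the fig. 6 path (steps S61 to S65), in which a request from the IO slave enters the virtual address routing unit and is either delivered untranslated to the IO virtual machine or translated by the second memory management unit. This is an added C example, not code from the patent or from any Haiguang implementation. The address fields, the mapping tables of the two memory management units, the physical address routing table and the per-source access-rights policy (the check of claim 6) are all constructed assumptions, and the function names first_mmu_handle and vroute_handle are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed address layout. The patent fixes neither the address fields nor
 * the mapping and routing tables; every value below is an assumption. */
#define IOVM_BASE    0x00000000ULL   /* IO virtual machine address field */
#define IOSLAVE_BASE 0x10000000ULL   /* IO slave device address field    */
#define SYSTEM_BASE  0x20000000ULL   /* computer system address field    */
#define FIELD_LEN    0x10000000ULL   /* each field spans 256 MiB          */

enum domain { DOM_IOVM, DOM_IOSLAVE, DOM_SYSTEM, DOM_NONE };
enum target { TGT_MEMORY, TGT_NIC, TGT_IOSLAVE, TGT_IOVM, TGT_FAULT };
enum source { SRC_IO_MASTER, SRC_IO_SLAVE };
struct result { enum target target; uint64_t pa; };  /* where a request ends up */
struct mapping { uint64_t va_base, pa_base, len; };
struct route { uint64_t pa_base, len; enum target target; };

static bool in_range(uint64_t a, uint64_t base, uint64_t len)
{
    return a >= base && a - base < len;
}

/* Which address field does a virtual address point to (S54/S55, S61)? */
static enum domain classify(uint64_t va)
{
    if (in_range(va, IOVM_BASE, FIELD_LEN))    return DOM_IOVM;
    if (in_range(va, IOSLAVE_BASE, FIELD_LEN)) return DOM_IOSLAVE;
    if (in_range(va, SYSTEM_BASE, FIELD_LEN))  return DOM_SYSTEM;
    return DOM_NONE;
}

/* First MMU (the IO VM's MMU, programmed by the VMM): the IO VM address field
 * is backed by host memory. Second MMU (IOMMU): the system address field. */
static const struct mapping first_mmu_map[] = {
    { IOVM_BASE, 0x80000000ULL, FIELD_LEN },
};
static const struct mapping second_mmu_map[] = {
    { SYSTEM_BASE,                 0x90000000ULL, 0x01000000ULL }, /* host RAM */
    { SYSTEM_BASE + 0x01000000ULL, 0xC0000000ULL, 0x00100000ULL }, /* NIC MMIO */
};
/* Physical address routing table of the physical address routing unit. */
static const struct route phys_routes[] = {
    { 0x80000000ULL, 0x20000000ULL, TGT_MEMORY },
    { 0xC0000000ULL, 0x00100000ULL, TGT_NIC },
};
/* Access rights per sending body (claim 6): fields each source may reach. */
static const unsigned permitted[] = {
    [SRC_IO_MASTER] = (1u << DOM_IOVM) | (1u << DOM_IOSLAVE),
    [SRC_IO_SLAVE]  = (1u << DOM_IOVM) | (1u << DOM_SYSTEM),
};

static bool translate(const struct mapping *map, size_t n, uint64_t va, uint64_t *pa)
{
    for (size_t i = 0; i < n; i++)
        if (in_range(va, map[i].va_base, map[i].len)) {
            *pa = map[i].pa_base + (va - map[i].va_base);
            return true;
        }
    return false;   /* unmapped: the MMU reports a translation fault */
}

/* Physical address routing unit (S53, S65): deliver by physical range. */
static enum target route_physical(uint64_t pa)
{
    for (size_t i = 0; i < sizeof phys_routes / sizeof phys_routes[0]; i++)
        if (in_range(pa, phys_routes[i].pa_base, phys_routes[i].len))
            return phys_routes[i].target;
    return TGT_FAULT;
}

/* First MMU, request from the first IO interface (IO master): fig. 5, S51-S57. */
struct result first_mmu_handle(uint64_t va)
{
    struct result r = { TGT_FAULT, 0 };
    enum domain d = classify(va);                        /* S54 */
    if (d == DOM_NONE || !(permitted[SRC_IO_MASTER] & (1u << d))) return r;
    if (d == DOM_IOSLAVE) {                              /* S55 yes: S56/S57 */
        r.target = TGT_IOSLAVE;  /* virtual address routing unit, no translation */
        return r;
    }
    if (translate(first_mmu_map, 1, va, &r.pa))          /* S55 no: S52 */
        r.target = route_physical(r.pa);                 /* S53 */
    return r;
}

/* Virtual address routing unit, request from the second IO interface (IO slave): fig. 6, S61-S65. */
struct result vroute_handle(uint64_t va)
{
    struct result r = { TGT_FAULT, 0 };
    enum domain d = classify(va);                        /* S61 */
    if (d == DOM_NONE || !(permitted[SRC_IO_SLAVE] & (1u << d))) return r;
    if (d == DOM_IOVM) {                                 /* S62/S63 */
        r.target = TGT_IOVM;     /* via the first MMU, delivered untranslated */
        return r;
    }
    if (translate(second_mmu_map, 2, va, &r.pa))         /* S64/S65 */
        r.target = route_physical(r.pa);
    return r;
}
```

Two design points are deliberate. The rights check runs before any translation, so a request whose virtual address lies outside the fields its sender is allowed to reach is rejected without touching the mapping tables; and both untranslated paths (TGT_IOSLAVE, TGT_IOVM) leave the physical address at zero, because no physical address is ever produced for them, which is precisely the bypass the description claims. An address that is in a permitted field but has no mapping entry ends in TGT_FAULT rather than being forwarded, so a gap in the VMM's tables cannot turn into an unintended route.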
Although the embodiments of the present specification are disclosed above, the present invention is not limited thereto. Various changes and modifications may be made by one skilled in the art without departing from the spirit and scope of the embodiments of the present invention, and the scope of the invention is therefore intended to be limited only by the appended claims.

Claims (14)

1. The access control module is characterized by comprising a first IO interface, a first memory management unit and a physical address routing unit, wherein:
the first IO interface is used as a communication interface between an IO main device and a computer system, and the IO main device establishes an association relation with a first virtual machine preset in the computer system, wherein a processor of the IO main device is used as a coprocessor of the first virtual machine to form an IO virtual machine;
the first memory management unit is adapted to determine, when a first data access request from the first IO interface is received, whether a first virtual address of a first access space included in the first data access request points to an address field of an IO slave device, where the IO slave device is communicatively connected to the computer system, and if the determination is negative, convert the first virtual address of the first access space included in the first data access request into a corresponding physical address, and send the first data access request including the physical address to the physical address routing unit; the first virtual address is an address of an address field of the IO virtual machine, and the physical address is an address of an address field of a computer system;
The physical address routing unit is adapted to route the first data access request to the corresponding first access space according to the physical address contained in the received first data access request.
2. The access control module of claim 1, further comprising: the second IO interface and the virtual address routing unit, wherein:
the second IO interface is used as a communication interface between the IO slave equipment and the computer system;
the virtual address routing unit is adapted to, when receiving a second data access request from the second IO interface, obtain a second virtual address of a second access space included in the second data access request, and when determining that the second virtual address points to an address field of the IO virtual machine, route the second data access request to the first memory management unit;
the first memory management unit is further adapted to acquire the second virtual address when receiving the second data access request, and send the second data access request to the IO virtual machine pointed by the second virtual address through the first IO interface, so as to perform a data access operation on the second access space.
3. The access control module of claim 2, further comprising: a second memory management unit;
the virtual address routing unit is further adapted to send the second data access request to the second memory management unit when it is determined that the second virtual address of the second access space included in the second data access request points to the computer system address field;
the second memory management unit is adapted to acquire the second virtual address when receiving the second data access request, convert the second virtual address into a corresponding physical address, and send the second data access request including the physical address to the physical address routing unit.
4. The access control module of claim 1, further comprising a virtual address routing unit, wherein the first memory management unit is further adapted to send the first data access request to the virtual address routing unit when it is determined that a first virtual address of a first access space included in the first data access request points to an address field of an IO slave device;
the virtual address routing unit is adapted to route the first data access request to the IO slave device pointed to by the first virtual address, according to the first virtual address, when the first data access request is received.
5. The access control module according to any one of claims 2-4, wherein the IO slave device establishes, through a preset virtual function, an association relationship with a second virtual machine specified by that virtual function, and the second virtual machine is adapted to set an address mapping relationship in the virtual address routing unit.
6. The access control module according to claim 3, wherein the first memory management unit is further adapted to determine whether the transmitting body of the received data access request has a corresponding access right, and execute a corresponding access control operation according to the determination result, where the data access request includes a first data access request from the first IO interface and a second data access request from the second IO interface.
7. A virtual machine monitor comprising a first memory management unit and a physical address routing unit, wherein:
the first memory management unit is adapted to determine, when a first data access request from a first IO interface is received, whether a first virtual address of a first access space included in the first data access request points to an address field of an IO slave device, where the IO slave device is in communication connection with a computer system, and if not, convert the first virtual address of the first access space included in the first data access request into a corresponding physical address, and send the first data access request including the physical address to the physical address routing unit;
The physical address routing unit is adapted to route the first data access request to a corresponding access space according to a physical address contained in the received first data access request;
the first IO interface is a communication interface between an IO main device and a computer system, the IO main device establishes an association relation with a first virtual machine preset in the computer system, and a processor of the IO main device is used as a coprocessor of the first virtual machine to form an IO virtual machine; the first virtual address is an address of an address field of the IO virtual machine, and the physical address is an address of an address field of a computer system.
8. The virtual machine monitor of claim 7, further comprising a virtual address routing unit, wherein the virtual address routing unit is adapted to acquire a second virtual address of a second access space contained in a second data access request when receiving the second data access request from a second IO interface, and to route the second data access request to the first memory management unit when determining that the second virtual address points to an address field of the IO virtual machine;
the first memory management unit is further adapted to acquire the second virtual address when receiving the second data access request, and send the second data access request to the IO virtual machine pointed by the second virtual address through the first IO interface, so as to perform a data access operation on the second access space;
The second IO interface is a communication interface between the IO slave equipment and the computer system.
9. The virtual machine monitor of claim 8, further comprising: a second memory management unit;
the virtual address routing unit is further adapted to send the second data access request to the second memory management unit when it is determined that the second virtual address of the second access space included in the second data access request points to the computer system address field;
the second memory management unit is adapted to acquire the second virtual address when receiving the second data access request, convert the second virtual address into a corresponding physical address, and send the second data access request including the physical address to the physical address routing unit.
10. The virtual machine monitor of claim 7, further comprising a virtual address routing unit, wherein the first memory management unit is further adapted to send the first data access request to the virtual address routing unit when it is determined that a first virtual address of a first access space included in the first data access request points to an address field of an IO slave device;
The virtual address routing unit is adapted to route the first data access request to the IO slave device pointed to by the first virtual address, according to the first virtual address, when the first data access request is received.
11. An access control method, characterized in that it is suitable for performing access control on an access device of an IO interface, the method comprising:
the first memory management unit receives a first data access request from a first IO interface;
the first memory management unit judges whether a first virtual address of a first access space contained in the first data access request points to an address field of an IO slave device, the IO slave device is in communication connection with a computer system, if not, the first virtual address of the first access space contained in the first data access request is converted into a corresponding physical address, and the first data access request containing the physical address is sent to a physical address routing unit;
the physical address routing unit routes the first data access request to a corresponding access space according to a physical address contained in the received first data access request;
the first IO interface is a communication interface between an IO main device and a computer system, the IO main device establishes an association relation with a first virtual machine preset in the computer system, and a processor of the IO main device is used as a coprocessor of the first virtual machine to form an IO virtual machine; the first virtual address is an address of the IO virtual machine address field, and the physical address is an address of a computer system address field.
12. The access control method according to claim 11, further comprising:
when receiving a second data access request from a second IO interface, the virtual address routing unit acquires a second virtual address of a second access space contained in the second data access request;
the virtual address routing unit sends the second data access request to the first memory management unit when determining that the second virtual address points to the address field of the IO virtual machine;
the first memory management unit acquires the second virtual address when receiving the second data access request, and sends the second data access request to an IO virtual machine pointed by the second virtual address through the first IO interface so as to perform data access operation on the second access space;
the second IO interface is a communication interface between the IO slave equipment and the computer system.
13. The access control method according to claim 12, further comprising:
the virtual address routing unit sends the second data access request to a second memory management unit when determining that the second virtual address points to the address field of the computer system;
when the second memory management unit receives the second data access request, it acquires the second virtual address, converts the second virtual address into a corresponding physical address, and sends the second data access request containing the physical address to the physical address routing unit.
14. The access control method according to claim 11, wherein the first memory management unit sends the first data access request to the virtual address routing unit when judging that a first virtual address of a first access space included in the first data access request points to an address field of an IO slave device;
and when the virtual address routing unit receives the first data access request, it routes the first data access request to the IO slave device pointed to by the first virtual address, according to the first virtual address.
CN202010041831.9A 2020-01-15 2020-01-15 Access control module, virtual machine monitor and access control method Active CN111290829B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010041831.9A CN111290829B (en) 2020-01-15 2020-01-15 Access control module, virtual machine monitor and access control method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010041831.9A CN111290829B (en) 2020-01-15 2020-01-15 Access control module, virtual machine monitor and access control method

Publications (2)

Publication Number Publication Date
CN111290829A CN111290829A (en) 2020-06-16
CN111290829B true CN111290829B (en) 2023-05-02

Family

ID=71023143

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010041831.9A Active CN111290829B (en) 2020-01-15 2020-01-15 Access control module, virtual machine monitor and access control method

Country Status (1)

Country Link
CN (1) CN111290829B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116662224A (en) * 2022-02-17 2023-08-29 华为技术有限公司 Memory access method, memory access device, memory access storage medium and computer program product
CN115185643A (en) * 2022-07-22 2022-10-14 地平线征程(杭州)人工智能科技有限公司 Access control method and device, computer readable storage medium and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102498478A (en) * 2009-07-24 2012-06-13 超威半导体公司 Iommu using two-level address translation for i/o and computation offload devices on a peripheral interconnect
CN107209681A (en) * 2015-10-21 2017-09-26 华为技术有限公司 A kind of storage device access methods, devices and systems
CN109800050A (en) * 2018-11-22 2019-05-24 海光信息技术有限公司 A kind of EMS memory management process of virtual machine, device, relevant device and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10048881B2 (en) * 2016-07-11 2018-08-14 Intel Corporation Restricted address translation to protect against device-TLB vulnerabilities

Also Published As

Publication number Publication date
CN111290829A (en) 2020-06-16


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 300384 Tianjin Binhai New Area Tianjin Huayuan Industrial Zone No. 18 Haitai West Road North 2-204 Industrial Incubation-3-8

Applicant after: Haiguang Information Technology Co.,Ltd.

Address before: 300384 Tianjin Binhai New Area Tianjin Huayuan Industrial Zone No. 18 Haitai West Road North 2-204 Industrial Incubation-3-8

Applicant before: HAIGUANG INFORMATION TECHNOLOGY Co.,Ltd.

GR01 Patent grant