CN112417470B - Method, device, electronic equipment and storage medium for realizing GPU data security access - Google Patents
Method, device, electronic equipment and storage medium for realizing GPU data security access Download PDFInfo
- Publication number
- CN112417470B CN112417470B CN202011232357.4A CN202011232357A CN112417470B CN 112417470 B CN112417470 B CN 112417470B CN 202011232357 A CN202011232357 A CN 202011232357A CN 112417470 B CN112417470 B CN 112417470B
- Authority
- CN
- China
- Prior art keywords
- access request
- area
- request
- memory
- access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 38
- 238000004590 computer program Methods 0.000 claims description 4
- 238000010586 diagram Methods 0.000 description 15
- 238000004891 communication Methods 0.000 description 11
- 230000007246 mechanism Effects 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000009897 systematic effect Effects 0.000 description 1
- 239000013598 vector Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06T—IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
- G06T1/00—General purpose image data processing
- G06T1/20—Processor architectures; Processor configuration, e.g. pipelining
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The embodiment of the invention provides a method, a device, electronic equipment and a storage medium for realizing secure access of GPU memory data, wherein the method comprises the following steps: receiving an access request for GPU memory data; judging whether the access request is a security request or not and judging whether a memory area requested to be accessed by the access request is a protected area or not, and controlling whether the access request is executed or not according to a preset access control rule. The method, the device, the electronic equipment and the storage medium for realizing the secure access of the GPU memory data combine whether the access request contains the security identifier and the preset access control rule of the GPU memory, and can effectively protect the security of private data of a user on the GPU.
Description
Technical Field
The present invention relates to the field of memory data security, and in particular, to a method, an apparatus, an electronic device, and a storage medium for implementing secure access of GPU memory data.
Background
Currently, the technology of protecting private data of GPU (english: graphics Processing Unit, abbreviated: GPU, chinese: graphics processor) mainly focuses on how data on a remote host is transferred to a memory of a local GPU in a secure manner, or how memory private data of the local GPU is transferred to the remote host in a secure manner, as shown in fig. 1. The local host A comprises a GPU and network card equipment, wherein private data is stored in a memory of the GPU, the host A is in communication connection with the host B through a network card equipment interface of the host A, and the data of the GPU is transmitted to the remote host B in a safe link and data encryption mode.
The data protection mechanism of the GPU memory in the prior art is insufficient, because the data protection of the GPU memory is mainly concentrated in the transmission process, and does not specially perform systematic protection on the GPU memory data, and a special control module is not arranged in the GPU to protect private data.
Therefore, the private data of the GPU is not protected, and can be read by other user programs on the GPU, so that the private data of the user is leaked or stolen. As shown in FIG. 2, since the page tables and data of the user are unprotected, if the page tables of the B user are modified, the GPU program of the B user can read the private data of the A user.
In addition, if the malicious program obtains kernel mode driving authority of the operating system, the malicious program can directly read or modify data (such as an a page directory, an a page table and a user data) in the GPU memory through PCIE (english: peripheral component interconnect express, chinese: high-speed serial computer expansion bus standard) (as shown in fig. 3), and also can cause leakage or theft of private data of the user.
Disclosure of Invention
The embodiment of the invention provides a method, a device, electronic equipment and a storage medium for realizing secure access of GPU memory data, which are used for solving the problem that the data protection mechanism of the GPU memory is insufficient in the prior art.
In a first aspect, a method for implementing secure access to GPU memory data provided by an embodiment of the present invention includes:
receiving an access request for GPU memory data;
judging whether the access request is a security request or not and judging whether a memory area requested to be accessed by the access request is a protected area or not, and controlling whether the access request is executed or not according to a preset access control rule.
Optionally, the receiving the request for access to the GPU memory data includes one or more of the following combinations:
receiving an access request of PCIE to GPU memory data;
and receiving an access request of the computing unit from the GPU to the GPU memory data.
Optionally, the determining whether the access request is a security request includes:
aiming at receiving an access request from PCIE to GPU memory data, judging the access request as an unsafe access request;
and aiming at receiving an access request of a computing unit from the GPU to the GPU memory data, judging whether the access request contains a security identifier, if so, judging that the access request is a security access request or a pseudo security request, and if not, judging that the access request is an unsafe access request.
Optionally, the request for receiving the access request of the computing unit from the GPU to the GPU memory data is a computing task which is issued to the computing unit by a Kernel start security protection instruction through a Kernel, the computing task has a security identifier, and when the computing task is completed, the Kernel releases the security protection instruction of the computing task.
Optionally, the determining whether the memory area requested to be accessed by the access request is a protected area includes:
and configuring the memory area into a protected area and an unprotected area, and defining the address of the protected area of the memory area through a configuration register.
Optionally, the defining, by the configuration register, the protected area of the memory area includes one or more of the following combinations:
defining a protected area of the memory area by adopting a mode of starting physical address and length;
and defining the protected area of the memory area in a bit map mode.
Optionally, the controlling whether to execute the access request according to a preset access control rule includes:
when the access request is a security request, allowing the access request to execute the read request operation of the protected area and the unprotected area of the memory area, allowing the access request to execute the write request operation of the protected area of the memory area, and refusing the access request to execute the write request operation of the unprotected area of the memory area;
when the access request is an unsafe request, refusing the access request to execute the read request operation of the protected area of the memory area, allowing the access request to execute the read request operation of the unprotected area of the memory area, refusing the access request to execute the write request operation of the protected area of the memory area, and allowing the access request to execute the write request operation of the unprotected area of the memory area;
and when the access request is a pseudo-security request, allowing the access request to execute the read request operation of the protected area and the unprotected area of the memory area, allowing the access request to execute the write request operation of the protected area of the memory area, and refusing the access request to execute the write request operation of the unprotected area of the memory area.
Optionally, the receiving the access request to the GPU memory data further includes:
and if the access request rewrites the address of the protected area of the configuration register, executing the operation of covering the data of the memory area corresponding to the address.
In a second aspect, an embodiment of the present invention provides an apparatus for implementing secure access to GPU memory data, including:
the receiving module is used for receiving an access request for the memory data of the GPU;
and the security access control module is used for judging whether the access request is a security request or not and judging whether the memory area which is requested to be accessed by the access request is a protected area or not, and controlling whether the access request is executed or not according to a preset access control rule.
In a third aspect, an embodiment of the present invention provides a GPU chip, including a memory, a control unit, and a computing unit, and further including a security access control module for accessing the memory, where the security access control module executes the steps of the method for implementing secure access of GPU memory data described above.
In a fourth aspect, an embodiment of the present invention provides an electronic device, including a processor, a communication interface, a memory, and a bus, where the processor, the communication interface, and the memory are in communication with each other via the bus, and the processor may invoke logic commands in the memory to perform the steps of the method as provided in the first aspect.
In a fifth aspect, embodiments of the present invention provide a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method as provided by the first aspect.
According to the method, the device, the electronic equipment and the storage medium for realizing the secure access of the GPU memory data, which are provided by the embodiment of the invention, whether the access request contains the security identifier and the preset access control rule of the GPU memory are combined, so that the security of private data of a user on the GPU can be effectively protected.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of GPU data transmission protection provided in the prior art;
FIG. 2 is a schematic diagram of prior art private data access from a computing unit to a GPU;
fig. 3 is a schematic diagram of a prior art access to GPU private data from PCIE;
FIG. 4 is a flowchart of a method for implementing secure access to GPU memory data according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a configuration register defining a protected area address according to an embodiment of the present invention;
FIG. 6 is a flowchart of performing control according to a preset access control rule according to an embodiment of the present invention;
FIG. 7 is a schematic diagram illustrating memory data access from a computing unit to a GPU according to an embodiment of the present invention;
FIG. 8 is a schematic diagram illustrating memory data access from a computing unit to a GPU according to another embodiment of the present invention;
fig. 9 is a schematic diagram of accessing GPU memory data from PCIE according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of an apparatus for implementing secure access to GPU memory data according to an embodiment of the present invention;
fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms first, second and the like in the description and in the claims of the present application and in the above-described figures, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be capable of being practiced otherwise than as specifically illustrated and described. Furthermore, the terms "comprises," "comprising," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or modules is not necessarily limited to those explicitly listed but may include other steps or modules not expressly listed or inherent to such process, method, article, or apparatus, such that the division of modules by such means may occur in the present application by only one logical division, such that a plurality of modules may be combined or integrated in another system, or some feature vectors may be omitted, or not implemented, and further such that the coupling or direct coupling or communication connection between such displayed or discussed modules may be through some interfaces, such that indirect coupling or communication connection between such modules may be electrical or other similar, none of which are intended to be limiting in this application. The modules or sub-modules described as separate components may or may not be physically separate, or may be distributed in a plurality of circuit modules, and some or all of the modules may be selected according to actual needs to achieve the purposes of the present application.
Graphics Processing Units (GPUs) are an essential component of most modern computing devices for optimizing the performance of graphics and multimedia processing. GPUs are also increasingly used to speed up a variety of applications, including security, computer vision, computing finance, bioinformatics, etc., which may involve sensitive data.
Starting from the architecture of the computer, the codes and the processed data which need to be executed by the GPU are stored through the memory, and the states of the codes and the data in the memory can be monitored by monitoring the GPU instructions.
First, a method for implementing secure access to GPU memory data according to an embodiment of the present invention will be described with reference to fig. 4. A method for realizing secure access of GPU memory data comprises the following steps:
As can be also seen from fig. 2 and 3, the access request to the GPU memory data is generally from a PCIE or a computing unit inside the GPU, so the embodiment of the present invention formulates an access control rule for the GPU memory data for these two approaches.
And receiving an access request for the GPU memory data through the PCIE, wherein the access request is judged to be an unsafe access request.
And aiming at receiving the access request of the computing unit from the GPU to the GPU memory data, judging whether the access request contains a security identifier, if so, judging that the access request is a security access request or a pseudo security request, and if not, judging that the access request is an unsafe access request.
Alternatively, the security identifier may be identified by a "0,1," 0 "indicating an unsafe identifier, and" 1 "indicating a security identifier.
According to the embodiment of the invention, a two-layer protection mechanism is arranged for the GPU memory data security access mechanism, one layer is used for judging whether the access request contains a security identifier or not, and the other layer is used for judging whether the memory data to be accessed by the access request is protected data or not, so that higher-level protection is provided for the memory data of the GPU, and the user data of the GPU can be ensured not to be leaked even under the condition that the security of a CPU host side is lost.
Fig. 5 is a schematic diagram of a configuration register defining a protected area according to an embodiment of the present invention. Before determining whether the memory area requested to be accessed by the access request is a protected area, the method includes:
and configuring the memory area into a protected area and an unprotected area, and defining the address of the protected area of the memory area through a configuration register.
It should be noted that, all access requests to the GPU memory data need to be executed by a security access control module set by the system, where the security access control module may configure which regions of the memory region are protected.
Optionally, the security access control module is provided with a configuration register, and the defining the protected area of the memory area by the configuration register includes one or more of the following combinations:
(1) And defining the protected area of the memory area by adopting a mode of starting physical address and length.
Each configuration register defines a protected memory area in a manner that may be the starting physical address and length. In this definition, the security access control module may check whether the address of an access request is in the protected memory area by querying the configuration register. The number of configuration registers may be set as desired.
(2) And defining the protected area of the memory area in a bit map mode.
The configuration registers may also define the protected memory region in the form of a bit map (bitmap). For example, the physical memory of the entire GPU is divided into a plurality of pieces at a fixed granularity (e.g., 2 MB), each piece of memory is represented by a bit in a bit map, whether it is protected, a "0" indicates unprotected, and a "1" indicates protected.
It should be noted that, when the configuration register used to define the memory area is changed, the security access control module automatically covers the data in the corresponding memory area, such as clearing or writing useless data, so that the protected data in the memory area cannot be read or written.
Fig. 6 is a flowchart of performing control according to a preset access control rule according to an embodiment of the present invention, where as shown in the drawing, the preset access control rule includes the steps of:
In step 601, when the access request is an unsafe request, the access request is refused to execute the read request operation of the protected area of the memory area, the access request is allowed to execute the read request operation of the unprotected area of the memory area, the access request is refused to execute the write request operation of the protected area of the memory area, and the access request is allowed to execute the write request operation of the unprotected area of the memory area.
The secure access control module controls whether to execute the access request according to a preset access control rule according to whether the access request contains a secure identifier and whether the requested memory area is a protected area, wherein the preset access control rule is as shown in the following table 1:
TABLE 1
When the command processed in the command processor is maliciously modified, if the security identifier on the command is tampered, for example, when the security identifier is tampered from 0 to 1, the command is disguised as being secure (referred to as a "pseudo-secure" command), and according to the above-mentioned preset access control rule, the GPU program cannot write the protected memory data into the non-secure memory area, so that the user data is still under the protection of the secure memory area. The data of the protected memory area in the GPU can be copied into the unprotected memory area only by a special security encryption unit in the GPU in an encryption mode, so that even a pseudo-security command is not leaked to user data.
FIG. 7 is a schematic diagram of memory data access from a computing unit to a GPU according to an embodiment of the present invention. The embodiment of the invention can adopt a security protection design based on commands for the computing unit of the GPU.
For example, an a user Context (execution Context) starts a security protection instruction through a Kernel Launch function (Kernel Launch function) thread, and a Kernel of a GPU computing task may have a security state identifier on a command when the Kernel is allocated to a computing unit through the command. When the computing unit receives a computing task with a security state identification of "1", the computing unit will enable the security state for this computing task. The computing task in the safe state can force the computing unit to have the safe state identification when the computing task accesses the cache and the memory. Under the condition that the user data of the memory A is read and written, the safe access control module stops the calculation task in the safe state from writing the data into the unsafe memory area according to the preset access control rule, thereby stopping the data leakage and protecting the user data.
And the B user Context does not start a security protection instruction through the Kernel run thread, so that the computing unit of the GPU accesses the memory B user data in an unsafe state.
Fig. 8 is a schematic diagram of memory data access from a computing unit to a GPU according to another embodiment of the present invention, as shown in the drawing. When the user's compute kernel is sent to the GPU compute unit via a command, as shown in figure a, the command will have a security state identifier "1" ("1" is indicated as a security state). When the computing unit receives this security identification, the computing unit enables the secure state, as shown in B, i.e. the computing unit internally enables the secure state for this computing core, after which this computing core will start up in the secure state, without being able to change the secure state of the task until the exit is finished. When the secure access control module receives the access request, the access is controlled according to the preset access control rule.
It should be noted that, when the computing task is in a secure state, the computing task cannot write data into the unprotected memory area, i.e., private data of the user cannot leak from the protected memory area.
Fig. 9 is a schematic diagram of accessing GPU memory data from PCIE according to an embodiment of the present invention, as shown in the drawing. The security identifier of the access request from PCIE is unsafe, so the CPU cannot directly access the protected Memory area through PCIE MMIO (english: memory-mapped I/O, abbreviated MMIO, chinese: memory mapped I/O).
First, as shown in fig. a, the second user Context does not start a security protection instruction, and a computing kernel not in a secure state cannot access the protected security data of the memory area, i.e. cannot access the first user data.
Second, as shown in B, even if B is a secure computing core, it is impossible to rewrite the page table, i.e., map it to other user data, because the memory address of the page table itself is not mapped into the page table of the normal user.
In addition, as shown in figure C, each GPU's execution Context is bound to a specific address space identifier (e.g., A user Context is bound to A address space identifier, B user Context is bound to B address space identifier), which cannot be changed on hardware after creation until the Context run ends. According to the address space identifier, MMU (Memory Management Unit, abbreviated as MMU, chinese name: memory management unit) is used as a trusted hardware module, and its access request is provided with a security identifier, i.e. the user page directory and page table in the secure memory area can be accessed.
Finally, as shown in fig. D, the access request from PCIE is not able to access the protected memory area, so even if the operating system is cracked, the page table and the protected user data of the memory area are not able to be accessed through PCIE MMIO.
Therefore, the method for realizing the secure access of the GPU data combines the secure identification of the access request and the secure access control module of the GPU memory, and can effectively protect the security of private data of users on the GPU.
Based on any of the above embodiments, fig. 10 is a schematic structural diagram of an apparatus for implementing secure access to GPU memory data according to an embodiment of the present invention, and as shown in fig. 10, the apparatus 604 includes a receiving module 605 and a secure access control module 606. The receiving module 605 is configured to receive an access request for GPU memory data, and the secure access control module 606 is configured to determine whether the access request is a secure request and whether a memory area requested to be accessed by the access request is a protected area, and control whether to execute the access request according to a preset access control rule.
It should be noted that, all access requests to the GPU memory need to be processed by the secure access control module, which may configure which memory areas are protected.
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, as shown in fig. 11, the electronic device may include: processor 610, communication interface (Communications Interface) 620, memory 630, and communication bus 640, wherein processor 610, communication interface 620, and memory 630 communicate with each other via communication bus 640. The processor 610 may invoke logic commands in the memory 630 to perform the steps of the method described above for achieving secure access of GPU memory data.
In addition, the logic commands in the memory 630 described above may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in the form of a software product stored in a storage medium, comprising several commands for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The embodiment of the invention also provides a GPU chip, which comprises a memory, a control unit and a calculation unit, and also comprises a security access control module for accessing the memory, wherein the security access control module executes the steps of the method for realizing the security access of the GPU memory data.
Embodiments of the present invention also provide a non-transitory computer readable storage medium having stored thereon a computer program that, when executed by a processor, is implemented to perform the methods provided in the above embodiments, for example, including a method for implementing secure access to GPU memory data.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several commands for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A method for implementing secure access to GPU memory data, comprising:
receiving an access request for GPU memory data;
judging whether the access request is a security request or not, judging whether a memory area requested to be accessed by the access request is a protected area or not, and controlling whether to execute the access request according to a preset access control rule;
wherein the access request includes two kinds of: an access request from PCIE to GPU memory data and an access request from a GPU computing unit to GPU memory data;
the determining whether the access request is a security request includes:
aiming at receiving an access request from PCIE to GPU memory data, judging the access request as an unsafe access request;
before determining whether the memory area requested to be accessed by the access request is the protected area, the method includes:
configuring the memory area into a protected area and an unprotected area, and defining the address of the protected area of the memory area through a configuration register;
the controlling whether to execute the access request according to the preset access control rule comprises:
and when the access request is an unsafe request, refusing the access request to execute the read request operation of the protected area of the memory area, allowing the access request to execute the read request operation of the unprotected area of the memory area, refusing the access request to execute the write request operation of the protected area of the memory area, and allowing the access request to execute the write request operation of the unprotected area of the memory area.
2. The method of claim 1, wherein said determining whether the access request is a secure request comprises:
and aiming at receiving an access request of a computing unit from the GPU to the GPU memory data, judging whether the access request contains a security identifier, if so, judging that the access request is a security access request or a pseudo security request, and if not, judging that the access request is an unsafe access request.
3. The method according to claim 2, wherein the request for receiving the access request from the GPU to the GPU memory data by the computing unit is a computing task that is issued to the computing unit by a KernelLaunch thread through a computing kernel, the computing task has a security identifier, and the computing kernel releases the security protection instruction of the computing task after the computing task is executed.
4. The method of claim 3, wherein defining the protected area of the memory area by the configuration register comprises one or more of the following combinations:
defining a protected area of the memory area by adopting a mode of starting physical address and length;
and defining the protected area of the memory area in a bit map mode.
5. The method of claim 1, wherein controlling whether to execute the access request according to a preset access control rule comprises:
when the access request is a security request, allowing the access request to execute the read request operation of the protected area and the unprotected area of the memory area, allowing the access request to execute the write request operation of the protected area of the memory area, and refusing the access request to execute the write request operation of the unprotected area of the memory area;
and when the access request is a pseudo-security request, allowing the access request to execute the read request operation of the protected area and the unprotected area of the memory area, allowing the access request to execute the write request operation of the protected area of the memory area, and refusing the access request to execute the write request operation of the unprotected area of the memory area.
6. The method of claim 3, wherein receiving the access request to the GPU memory data further comprises:
and if the access request rewrites the address of the protected area of the configuration register, executing the operation of covering the data of the memory area corresponding to the address.
7. An apparatus for implementing secure access to GPU memory data, comprising:
the receiving module is used for receiving an access request for the memory data of the GPU;
the security access control module is used for judging whether the access request is a security request or not and judging whether a memory area which is requested to be accessed by the access request is a protected area or not, and controlling whether the access request is executed or not according to a preset access control rule;
wherein the access request includes two kinds of: an access request from PCIE to GPU memory data and an access request from a GPU computing unit to GPU memory data; the determining whether the access request is a security request includes:
aiming at receiving an access request from PCIE to GPU memory data, judging the access request as an unsafe access request;
before determining whether the memory area requested to be accessed by the access request is the protected area, the method includes:
configuring the memory area into a protected area and an unprotected area, and defining the address of the protected area of the memory area through a configuration register;
the controlling whether to execute the access request according to the preset access control rule comprises:
and when the access request is an unsafe request, refusing the access request to execute the read request operation of the protected area of the memory area, allowing the access request to execute the read request operation of the unprotected area of the memory area, refusing the access request to execute the write request operation of the protected area of the memory area, and allowing the access request to execute the write request operation of the unprotected area of the memory area.
8. A GPU chip comprising a memory, a control unit and a computing unit, and further comprising a secure access control module for accessing the memory, the secure access control module performing the steps of the method for implementing secure access of GPU memory data according to any of claims 1 to 6.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of implementing secure access of GPU memory data according to any of claims 1 to 6 when said program is executed by said processor.
10. A non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method of implementing secure access of GPU memory data as claimed in any of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011232357.4A CN112417470B (en) | 2020-11-06 | 2020-11-06 | Method, device, electronic equipment and storage medium for realizing GPU data security access |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011232357.4A CN112417470B (en) | 2020-11-06 | 2020-11-06 | Method, device, electronic equipment and storage medium for realizing GPU data security access |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112417470A CN112417470A (en) | 2021-02-26 |
| CN112417470B true CN112417470B (en) | 2023-06-27 |
Family
ID=74782032
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011232357.4A Active CN112417470B (en) | 2020-11-06 | 2020-11-06 | Method, device, electronic equipment and storage medium for realizing GPU data security access |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112417470B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113886834B (en) * | 2021-09-29 | 2022-06-21 | 南方科技大学 | ARM architecture-based GPU trusted execution method, system, equipment and storage medium |
| CN115269198A (en) * | 2022-08-10 | 2022-11-01 | 抖音视界有限公司 | Access request processing method based on server cluster and related equipment |
| CN115587348B (en) * | 2022-11-24 | 2023-04-07 | 中国人民解放军国防科技大学 | Configurable security control method, device and medium for access of PCIE (peripheral component interface express) equipment |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105229608A (en) * | 2013-03-15 | 2016-01-06 | 惠普发展公司,有限责任合伙企业 | Based on the database processing towards array of coprocessor |
| CN111338988A (en) * | 2020-02-20 | 2020-06-26 | 西安芯瞳半导体技术有限公司 | Memory access method and device, computer equipment and storage medium |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9672162B2 (en) * | 2013-08-16 | 2017-06-06 | Arm Limited | Data processing systems |
| CN106295267B (en) * | 2015-06-09 | 2019-04-19 | 阿里巴巴集团控股有限公司 | It is a kind of access electronic equipment physical memory in private data method and apparatus |
| CN109766165B (en) * | 2018-11-22 | 2022-07-08 | 海光信息技术股份有限公司 | Memory access control method and device, memory controller and computer system |
-
2020
- 2020-11-06 CN CN202011232357.4A patent/CN112417470B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105229608A (en) * | 2013-03-15 | 2016-01-06 | 惠普发展公司,有限责任合伙企业 | Based on the database processing towards array of coprocessor |
| CN111338988A (en) * | 2020-02-20 | 2020-06-26 | 西安芯瞳半导体技术有限公司 | Memory access method and device, computer equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112417470A (en) | 2021-02-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112417470B (en) | Method, device, electronic equipment and storage medium for realizing GPU data security access | |
| CN109901911B (en) | Information setting method, control method, device and related equipment | |
| EP2062145B1 (en) | Memory access security management | |
| TWI705353B (en) | Integrated circuit, method and article of manufacture for allowing secure communications | |
| CN109002706B (en) | In-process data isolation protection method and system based on user-level page table | |
| US9734092B2 (en) | Secure support for I/O in software cryptoprocessor | |
| EP1857943A1 (en) | Computer system having memory protection function | |
| CN108154032B (en) | Computer system trust root construction method with memory integrity guarantee function | |
| CN102541765A (en) | Security protection for memory content of processor main memory | |
| US20220180009A1 (en) | Peripheral component interconnect express protection controller | |
| CN112818327A (en) | TrustZone-based user-level code and data security credibility protection method and device | |
| CN112749397A (en) | System and method | |
| US7610426B1 (en) | System management mode code modifications to increase computer system security | |
| US7389427B1 (en) | Mechanism to secure computer output from software attack using isolated execution | |
| US10592663B2 (en) | Technologies for USB controller state integrity protection | |
| US7246213B2 (en) | Data address security device and method | |
| CN107402892B (en) | Semiconductor device and memory access control method thereof | |
| US10754967B1 (en) | Secure interrupt handling between security zones | |
| US10740454B2 (en) | Technologies for USB controller state integrity protection with trusted I/O | |
| CN112580023B (en) | Shadow stack management method and device, medium and equipment | |
| EP4231159A1 (en) | Method for switching execution environment and related device | |
| CN111382442B (en) | Application processor, coprocessor and data processing equipment | |
| CN111382111B (en) | Application processor, coprocessor and data processing equipment | |
| US20240119139A1 (en) | Securing critical data in a storage device of a computer system | |
| CN108932205B (en) | Method and equipment for defending RowHammer attack |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address |
Address after: 201114 room 1302, 13 / F, building 16, 2388 Chenhang Road, Minhang District, Shanghai Patentee after: Shanghai Bi Ren Technology Co.,Ltd. Country or region after: China Address before: 201114 room 1302, 13 / F, building 16, 2388 Chenhang Road, Minhang District, Shanghai Patentee before: Shanghai Bilin Intelligent Technology Co.,Ltd. Country or region before: China |