CN114116524A - Method and device for creating secure page table and accessing memory - Google Patents
Method and device for creating secure page table and accessing memory Download PDFInfo
- Publication number
- CN114116524A CN114116524A CN202010865253.0A CN202010865253A CN114116524A CN 114116524 A CN114116524 A CN 114116524A CN 202010865253 A CN202010865253 A CN 202010865253A CN 114116524 A CN114116524 A CN 114116524A
- Authority
- CN
- China
- Prior art keywords
- page table
- secure
- page
- security
- memory
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/02—Addressing or allocation; Relocation
- G06F12/0223—User address space allocation, e.g. contiguous or non contiguous base addressing
- G06F12/0292—User address space allocation, e.g. contiguous or non contiguous base addressing using tables or multilevel address translation means
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/02—Addressing or allocation; Relocation
- G06F12/0223—User address space allocation, e.g. contiguous or non contiguous base addressing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/02—Addressing or allocation; Relocation
- G06F12/08—Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
- G06F12/0802—Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
- G06F12/0877—Cache access modes
- G06F12/0882—Page mode
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/02—Addressing or allocation; Relocation
- G06F12/08—Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
- G06F12/10—Address translation
- G06F12/1009—Address translation using page tables, e.g. page table structures
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Memory System Of A Hierarchy Structure (AREA)
Abstract
The application discloses a method and a device for creating a secure page table and accessing a memory, which relate to the technical field of computers. The method for creating the secure page table is applied to a processor running a first process. The method for creating the secure page table comprises the following steps: allocating a first physical page; when the first physical page is not allocated to any one security process as a security space, an nth-level page table in a first security page table is created for the first process based on the first physical page; the first secure page table is used for converting a virtual address of a first process into a physical address by the processor when the first process accesses the memory, the first secure page table is an n-level page table, and n is a positive integer.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for creating a secure page table and accessing a memory.
Background
In the field of computers, system isolation (system isolation) is an important support technology for improving the overall reliability and expandability of a system. When the third-party application program runs on a computer adopting the system isolation technology, even if the third-party application program has defects, the third-party application program does not influence other application programs or computer systems. The enclave (enclave) scheme belongs to a hardware or software and hardware combined system isolation scheme. enclave provides a trusted execution environment that is not accessible to either privileged or non-privileged software. Therefore, when an application is located in enclave, neither privileged nor non-privileged software can affect the application.
In the enclave scheme, an important technical point is the isolation of the memory. In an enclave-based memory isolation scheme, a physical page in a memory can be generally managed by introducing an enclave bit map into the memory. As shown in fig. 1, a secure area 101 in the memory 10 stores a security bitmap (bit map), each bit of which represents a tag (tag), such as tag 111. Each tag corresponds to a physical page in the memory, and the value of each tag is used for representing the security level of the physical page corresponding to the tag. For example, when the value of tag is 0, it indicates that the physical page corresponding to the tag is not allocated to an enclave process (or referred to as a security process) for use, that is, the physical page is a non-enclave page. When the value of the tag is 1, it indicates that the physical page corresponding to the tag is allocated to be used by an enclave process, that is, the physical page is an enclave page.
When a process running on a processor needs to access a memory, the processor needs to perform security check on a physical page indicated by a physical address after converting a virtual address of the process into the physical address. Specifically, the processor reads the value of the corresponding tag of the physical page indicated by the physical address in the security bitmap to determine whether the security level of the process matches the security level of the physical page. When there is a match, e.g., the process is a secure process and the physical page is an enclave page, then the process continues to access the physical page. If the process is not the secure process, for example, the process is the non-secure process, and the physical page enclave page is not matched, the memory refuses the process to access the physical page. However, the security bitmap is stored in a security area of the memory, and therefore, each time the process accesses the memory, the process reads the security bitmap from the memory, which causes additional access overhead.
Disclosure of Invention
The application provides a method and a device for creating a secure page table and accessing a memory, which can obviously reduce the cost of accessing the memory when a processor runs a process.
In order to achieve the above purpose, the present application provides the following technical solutions:
in a first aspect, the present application provides a method of creating a secure page table, the method being applied to a processor running a first thread processor, the method comprising: allocating a first physical page; when the first physical page is not allocated to any one security process as a security space, an nth-level page table in a first security page table is created for the first process based on the first physical page. The first secure page table is used for converting a virtual address of the first process into a physical address by the processor when the first process accesses the memory, the first secure page table is an n-level page table, and n is a positive integer.
By the method, the processor can check the legality of the last stage page table of the secure page table in the process of creating the secure page table for the process to determine that the first physical page mapped by the last stage page table is not allocated to any one secure process as a secure space, and then create the nth stage page table based on the first physical page. In this way, isolation of the presence of page granularity within memory is achieved. In addition, since the processor already performs validity check on the first physical page mapped in the first secure page table of the first process in the process of creating the page table, when the processor needs to access the memory in the process of running the first process, security check on the physical address mapped by the secure page table of the first process is not needed, so that the cost of accessing the memory when the processor runs the process is obviously reduced, and the system performance is improved.
In a possible design manner, the creating an nth-level page table in a first secure page table for a first process based on a first physical page when the first physical page is not allocated to any one secure process as a secure space specifically includes: and determining that the first physical page is not allocated to any one security process as a security space through a preset module, wherein the preset module comprises running firmware or preset microcode. And based on the first physical page, creating an nth level page table in the first safe page table for the first process through the preset module.
In another possible design, the method further includes: and writing the first secure page table into a first secure area in the memory through the preset module.
Through the two possible designs, the method and the device realize the validity check of the first physical page by running firmware or microcode so as to determine that the first physical page is not allocated to any one security process as a security space. The security permission level of the running firmware and the microcode is higher than that of the kernel, and the created first secure page table is stored in the secure area of the memory, so that the security of the memory isolation scheme based on the page granularity provided by the embodiment of the application is higher.
In another possible design, the method further includes: when the first physical page is not allocated to any one security process as a security space and is used as a non-security space of the first process, setting a tag corresponding to the first physical page in a security bitmap as a first value; or, when the first physical page is not allocated to any one security process as a security space, the first process is a security process, and the first physical page is used as a security space of the first process, setting a tag corresponding to the first physical page in the security bitmap to be a second value. If any tag in the security bitmap takes the value of the first value, the physical page corresponding to the any tag is not allocated to the security process as the security space; and if the value of any tag is the second value, indicating that the physical page corresponding to any tag is allocated to the security process as the security space.
Through the possible design, after the nth-level page table is created, the tag corresponding to the first physical page is set to a corresponding value according to the security level of the first process and the security level of the memory space currently required by the first process. Thus, there is isolation at the page granularity within the implementation.
In another possible design, the security bitmap is stored in a second security area in the memory.
With this possible design, the security bitmap is stored in a secure region of the memory, and thus, the security of the page-granularity-based memory isolation scheme provided herein is higher.
In another possible design, the method further includes: and when the first physical page is allocated to any one security process as a security space, determining that the creation of the nth-level page table fails.
With this possible design, isolation of memory at page granularity is achieved.
In another possible design, before the "allocating the first physical page", the method further includes: the first n-1 level page table of the first secure page table is created.
In a second aspect, the present application provides a method for accessing a memory, the method being applied to a processor running a first process, the first process corresponding to a first secure page table, the first secure page table being stored in a first secure region of the memory, the first secure page table being an n-level page table, n being a positive integer. The method comprises the following steps: it is determined whether each of the stages of the first secure page tables is within the first secure region. And if each stage of page tables in the first secure page table is in the first secure region, determining a physical address corresponding to the virtual address of the first process based on the base address of the nth stage of page tables in the first secure page table. Based on the physical address, memory is accessed.
The method for accessing the memory provided by the present application is implemented based on the secure page table created in the first aspect. Since the processor is in the process of creating the secure page table for the process, the processor has already performed a validity check on the last stage page table of the secure page table and stores the secure page table in a secure region of the memory. Therefore, when the processor needs to access the memory in the process of running the first process, the first physical page mapped by the first secure page table can be accessed only by determining that each level of the secure page table is in the secure area of the memory, and security check is not needed to be performed on the first physical page, so that the cost of accessing the memory when the processor runs the process is obviously reduced, and the system performance is improved.
In a possible design, before determining whether each of the page tables in the first secure page table is in the first secure region, the method further includes: a first base address is obtained, the first base address being a base address of a first stage page table in a first secure page table. Based on the virtual address of the first process and the first base address, a base address of each of the last n-1 level page tables in the first secure page table is determined.
In another possible design, the "obtaining the first base address" specifically includes: if the first process is a security process, acquiring a first base address from a register corresponding to the security process; or, if the first process is an insecure process, the first base address is obtained from a register corresponding to the insecure process.
By the possible design, the safety performance of the system can be improved by using different registers to store the page table base address of the safety process and the page table base address of the non-safety process.
In another possible design, the method further includes: and if any one of the first safe page tables is not in the safe area, ending the access to the memory.
With this possible design, since the processor is creating the secure page table for the process, the processor has already performed a validity check on the last stage page table of the secure page table and stored the secure page table in a secure region of the memory. Therefore, when the processor needs to access the memory in the process of running the first process, the access to the memory can be directly finished only by determining that any level of page table in the secure page table is not in the secure area of the memory, without translating the virtual address of the first process into the physical address, and determining whether to finish the access after performing security check on the physical address.
In a third aspect, the present application provides an apparatus for creating a secure page table. The apparatus for creating a secure page table is arranged to perform any of the methods provided by the first aspect above. The present application may perform functional module division on the apparatus for creating the secure page table according to any one of the methods provided in the foregoing first aspect. For example, the functional blocks may be divided for the respective functions, or two or more functions may be integrated into one processing block. For example, the apparatus for creating the secure page table may be divided into an allocation unit and a creation unit according to functions. The above description of possible technical solutions and beneficial effects executed by each divided functional module may refer to the technical solutions provided by the first aspect or the corresponding possible designs thereof, and will not be described herein again.
In a fourth aspect, the present application provides an apparatus for accessing memory. The apparatus for accessing memory is configured to perform any one of the methods provided by the second aspect. The present application may perform the division of the functional modules on the device for accessing the memory according to any one of the methods provided by the second aspect. For example, the functional blocks may be divided for the respective functions, or two or more functions may be integrated into one processing block. For example, the device for accessing the memory may be divided into a determination unit and an access unit according to functions. The above description of possible technical solutions and beneficial effects executed by each divided functional module can refer to the technical solution provided by the second aspect or its corresponding possible design, and will not be described herein again.
In a fifth aspect, the present application provides a processor for invoking computer instructions stored on a memory to perform any of the methods provided in any of the possible implementations of the first or second aspects as described above.
In a sixth aspect, the present application provides a computer-readable storage medium, such as a computer non-transitory readable storage medium. Having stored thereon a computer program (or instructions) which, when run on a processor, causes the processor to perform any of the methods provided by any of the possible implementations of the first or second aspect described above.
In a seventh aspect, the present application provides a computer program product which, when run on a processor, causes the performance of any one of the methods provided by any one of the possible implementations of the first aspect or the second aspect.
In an eighth aspect, the present application provides a chip system, comprising: and the processor is used for calling and running the computer program stored in the memory from the memory and executing any one of the methods provided by the implementation modes in the first aspect or the second aspect.
It is understood that any one of the apparatuses, computer storage media, computer program products, or chip systems provided above can be applied to the corresponding methods provided above, and therefore, the beneficial effects achieved by the apparatuses, the computer storage media, the computer program products, or the chip systems can refer to the beneficial effects in the corresponding methods, and are not described herein again.
In the present application, the names of the above-mentioned means for creating a secure page table and means for accessing a memory do not limit the devices or functional modules themselves, and in an actual implementation, these devices or functional modules may appear by other names. Insofar as the functions of the respective devices or functional modules are similar to those of the present application, they fall within the scope of the claims of the present application and their equivalents.
These and other aspects of the present application will be more readily apparent from the following description.
Drawings
FIG. 1 is a diagram illustrating a security bitmap stored in a secure area of a memory according to the prior art;
FIG. 2 is a schematic diagram of a page table translation provided by an embodiment of the present application;
fig. 3 is a schematic structural diagram of a computer device according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a processor according to an embodiment of the present application;
FIG. 5 is a block diagram of another processor according to an embodiment of the present disclosure;
fig. 6 is a schematic diagram illustrating a start address and an end address of a region for storing a secure page table in a secure region of a memory according to an embodiment of the present application;
FIG. 7 is a diagram illustrating a secure page table region and a secure bitmap region in a secure region of a memory according to an embodiment of the present application;
fig. 8 is a schematic flowchart of a method for creating a secure page table according to an embodiment of the present application;
fig. 9 is a schematic flowchart of a method for accessing a memory according to an embodiment of the present application;
fig. 10 is a schematic diagram illustrating a method for accessing a memory according to an embodiment of the present application;
fig. 11 is a schematic diagram illustrating advantageous effects of a method for creating a secure page table and accessing a memory according to an embodiment of the present application;
fig. 12 is a schematic structural diagram of an apparatus for creating a secure page table according to an embodiment of the present application;
fig. 13 is a schematic structural diagram of an apparatus for accessing a memory according to an embodiment of the present application;
fig. 14 is a schematic structural diagram of a chip system according to an embodiment of the present disclosure;
fig. 15 is a schematic structural diagram of a computer program product according to an embodiment of the present application.
Detailed Description
For a clearer understanding of the embodiments of the present application, some terms or techniques referred to in the embodiments of the present application are described below:
1) security process
A process is an instance of a running program, such as an application (App).
The security process refers to a process with high security level authority. When the security process runs, the virtual memory and the physical memory of the security process are both isolated exclusively, so that the security of the process is ensured.
In contrast, a process with a low security level authority may be referred to as an unsecure process or as a normal process. Virtual memory and physical memory used by multiple non-secure processes may be shared.
2) Page table
A page table is a special data structure, usually placed in a page table area in the system memory, and is used to represent the correspondence between the Virtual Address (VA) of a process and the Physical Address (PA) in the memory. In this way, the processor may index the physical address with the page table corresponding to the process during the process of converting the virtual address of the process to the physical address. The virtual address may also be referred to as a logical address.
It should be noted that each process has its own page table.
In this embodiment, the page table corresponding to the process may be an n-level page table, where n is a positive integer.
For example, the page table may be a level2 page table, in which case the level2 page table includes a first level page table and a second level page table. For another example, the page table may be a 4-level page table, the 4-level page table including a first-level page table, a second-level page table, a third-level page table, and a fourth-level page table.
It should be understood that each of the page tables in a multi-level page table is essentially a physical page. The page table of each stage includes a plurality of entries (entries).
As an example, taking the page table as a 4-level page table as an example, in the 4-level page table, a plurality of entries are included in a first-level page table (i.e., level 1), and one of the plurality of entries may be used to indicate a base address of a second-level page table. The second-stage page table (i.e. level 2) includes a plurality of entries, and one of the entries may be used to indicate the base address of the third-stage page table. The third level page table (i.e. level 3) includes a plurality of entries, and one of the entries may be used to indicate the base address of the fourth level page table. The fourth level page table (i.e. level 4) includes a plurality of entries, and one of the entries may be used to indicate the base address of the physical page.
For example, taking the X86 operating system as an example, the first-level page table may be a page map level 4(page map level4, PML4), the second-level page table may be a Page Directory Pointer Table (PDPT), the third-level page table may be a Page Directory (PD), and the fourth-level page table may be a Page Table (PT).
3) Page table translation
When a processing core in a processor needs to access a memory when running a process, the processing core usually sends a virtual address of the process to a Memory Management Unit (MMU), so that the MMU converts the virtual address of the process into a physical address of the memory according to a page table corresponding to the process, which is called page table translation.
Referring to fig. 2, the process of the MMU converting the virtual address of the process into the physical address of the memory will be briefly described, taking as an example that the page table is a 4-level page table and the single page size of the physical page is 4 k.
Referring to FIG. 2, FIG. 2 illustrates a schematic diagram of an MMU address translation to a 4-level page table in an X86 operating system. As shown in fig. 2, when a processing core in a processor starts to run process 1, the processing core may write the base address of PML4 corresponding to the process into control register CR 3.
When a processing core needs to access a memory during the process 1, and a physical page of the memory to be accessed by the processing core misses in the cache (i.e., the physical page does not exist in the cache), the processing core sends the virtual address 20 of the process 1 to the MMU.
In an X86 operating system, the virtual address 20 may include 64 bits. Typically, the upper 12 bits of the 64 bits (i.e., the virtual address segment 201 shown in FIG. 2) do not set a real meaning and may be referred to as an invalid bit.
Thus, the effective address bits of the virtual address 20 include the lower 48 bits, specifically including the virtual address segment 202, the virtual address segment 203, the virtual address segment 204, the virtual address segment 205, and the virtual address segment 206 shown in FIG. 2. The virtual address field 202 represents a table entry index (PML4 entry index) of the PML4, i.e., a first-level page table entry index, the virtual address field 203 represents a table entry index (PDPT entry index) of the PDPT, i.e., a second-level page table entry index, the virtual address field 204 represents a table entry index (PD entry index) of the PD, i.e., a third-level page table entry index, the virtual address field 205 represents a table entry index (PT entry index) of the PT, i.e., a fourth-level page table entry index, and the virtual address field 206 represents a page offset (page offset).
It should be understood that the MMU is typically located within the processor as described above. In a processor including a plurality of processing cores, the processor may include a plurality of MMUs, the plurality of MMUs and the plurality of processing cores being in a one-to-one correspondence. Alternatively, in a processor that includes multiple processing cores, the processor may include 1 MMU, i.e., the multiple processing cores share the 1 MMU. The embodiment of the present application is not particularly limited to this.
Next, as shown in FIG. 2, the MMU retrieves the base address of PML4 from CR3 register 211 and reads physical page 212 representing PML4 from memory based on the base address. Then, the MMU adds the bits 39 th to 47 th in the virtual address (e.g., the virtual address field 202 shown in fig. 2) to the obtained base address of the PML4, so as to obtain an entry in the PML4 for indicating the base address of the PDPT, where the content in the entry is the base address of the PDPT.
Next, the MMU reads physical page 213 in memory that represents the PDPT from the base address of the PDPT. Then, the MMU adds the bits 30 th to 38 th in the virtual address (e.g., the virtual address segment 203 shown in fig. 2) to the base address of the PDPT, so as to obtain an entry in the PDPT indicating the base address of the PD, where the content in the entry is the base address of the PD.
Next, the MMU reads 214 the physical page representing the PD from memory based on the base address of the PD. Then, the MMU adds the bits 21 st to 29 th in the virtual address (e.g., the virtual address segment 204 shown in fig. 2) to the base address of the PD, so as to obtain an entry of the base address of the PT in the PD, where the entry is the base address of the PT.
The MMU then reads physical page 215 representing the PT from memory based on the base address of the PT. Then, the MMU adds the bits 12 th to 20 th in the virtual address (e.g., the virtual address segment 205 shown in fig. 2) to the base address of the PT to obtain an entry of the base address of the page (page) in the PT, where the page is a physical page and the contents of the entry are the base address of the physical page.
Next, the MMU shifts the base address of the physical page to the right by 12 bits to obtain the Physical Page Number (PPN) of the physical page, and then adds the bits from 0 th to 11 th (as shown in the virtual address field 206 in fig. 2) of the virtual address to the PPN to obtain the physical address corresponding to the virtual address. I.e. the MMU completes the translation of the virtual address to a physical address.
4) Running firmware
The operating firmware, which may also be referred to as secure firmware, is a set of software codes that have the highest privilege level during the operating process of the operating system.
5) Microcode
Microcode, which may also be referred to as a microinstruction (microcode), is a collection of instructions. A set of instructions that execute in succession is referred to as a microcode.
Microcode is typically written during the design phase of the processor and is stored in read-only-memory (ROM) or Programmable Logic Array (PLA). Some machines also store microcode in Static Random Access Memory (SRAM) or flash memory (flash memory). Microcode is typically not visible to, or even unmodified by, an ordinary programmer using a processor that includes the microcode.
6) Secure area
The secure area is an area in the memory, and the data information stored in the secure area only allows the software (for example, running firmware) or microcode with the highest privilege level authority to perform write operation.
Generally, when an operating system is started, a secure area is defined as a block of area in a memory by a start-up firmware of the operating system.
7) Security bitmap
The safety bitmap is obtained by distributing a section of memory from a safety region in the memory and initializing the content of the section of memory when operating firmware is executed and an operating system is initialized. The security bitmap comprises a plurality of tags (tags), the tags correspond to each physical page in the memory, and the value of the tag is used for indicating whether the physical page corresponding to the tag is allocated to the security process to be used as a security space.
When the value of the tag is the first value, it indicates that the physical page corresponding to the tag is not allocated to any process for use, or the physical page corresponding to the tag is not allocated to any security process for use as a security space, or the physical page corresponding to the tag is allocated to at least one process for use as a non-security space. It can be seen that multiple processes may share a physical page that is an insecure space. Of course, a physical page is only available to one process at a time.
When the value of the tag is a second value, it indicates that the physical page corresponding to the tag has been allocated to a security process (e.g., process 1) as a security space. In this case, the physical page is not allowed to be re-allocated for use by processes other than process 1.
It can be seen that by marking the tag corresponding to the physical page with different values, the physical page can be dynamically allocated to the process running in the processor, so as to be used as a secure space or a non-secure space. It can be seen that when a physical page is used as a secure space of a secure process, the physical page can not be used by the non-secure spaces of other processes. The other process may be a secure process or a non-secure process.
As an example, the first value and the second value described above may be represented by 1 bit, for example, the first value may be "0", and at this time, the second value is "1". Of course, the first value may be "1", and in this case, the second value is "0". Of course, the first value and the second value are considered to be represented by 2 or more bits, which is not limited in the embodiment of the present application.
It is understood that, when the running firmware initializes the contents of the memory for storing the security bitmap ("allocates a segment of memory from the secure area in the memory" as described above), the value of tag in the security bitmap is set to a first value.
In the operating process of the operating system, the value of tag in the security bitmap can be reset by operating firmware or microcode.
In the following of the embodiments of the present application, the first value and the second value are described by taking 1 bit as an example.
8) Is trapped in
Trapping generally refers to operations in a computer operating system for enabling a process running in a user mode to call a kernel program of the operating system, or to call a program of a higher authority level when the kernel program operates.
9) Other terms
In the embodiments of the present application, words such as "exemplary" or "for example" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
In the embodiments of the present application, the terms "first", "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present application, "a plurality" means two or more unless otherwise specified.
The term "at least one" in this application means one or more, and the term "plurality" in this application means two or more, for example, the plurality of second messages means two or more second messages. The terms "system" and "network" are often used interchangeably herein.
It is to be understood that the terminology used in the description of the various described examples herein is for the purpose of describing particular examples only and is not intended to be limiting. As used in the description of the various described examples and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should also be understood that, in the embodiments of the present application, the size of the serial number of each process does not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
It should be understood that determining B from a does not mean determining B from a alone, but may also be determined from a and/or other information.
It will be further understood that the terms "comprises," "comprising," "includes," and/or "including," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also understood that the term "if" may be interpreted to mean "when" ("where" or "upon") or "in response to a determination" or "in response to a detection". Similarly, the phrase "if it is determined." or "if [ a stated condition or event ] is detected" may be interpreted to mean "upon determining.. or" in response to determining. "or" upon detecting [ a stated condition or event ] or "in response to detecting [ a stated condition or event ]" depending on the context.
It should be appreciated that reference throughout this specification to "one embodiment," "an embodiment," "one possible implementation" means that a particular feature, structure, or characteristic described in connection with the embodiment or implementation is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" or "one possible implementation" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
The embodiment of the application provides a method for creating a secure page table, which can create a secure page table for a process, during the creation of the secure page table, a processor performs validity check on a physical page mapped by a last page table in the secure page table to determine whether the physical page can be used by the process, and writes the created secure page table of the process into a secure area.
Then, in the method for accessing a memory provided in this embodiment of the present application, when a processor accesses a memory in a process of running a process, by determining that a base address of each level of a page table in a secure page table of the process is within a secure area for storing the secure page table, it indicates a physical address that the processor can translate a virtual address of the process and obtain, and accesses the physical address.
Therefore, the method provided by the embodiment of the application can achieve memory isolation by taking the page as a granularity unit. Moreover, after the corresponding physical address is indexed through the page table of the process, the security check of the physical page indicated by the physical address is not required to be performed according to the security bitmap stored in the security area in the memory. In addition, the processor determines whether the base address of each level of the page table in the secure page table is in the secure region for storing the secure page table through hardware, namely, the processor does zero runtime overhead. Therefore, compared with the prior art, the method provided by the embodiment of the application greatly reduces the expenditure of accessing the memory when the processor runs the process.
The embodiment of the application also provides a device for creating the secure page table, and the device can be applied to a terminal. Specifically, the terminal may be a portable device such as a mobile phone, a tablet computer, and a wearable electronic device, may also be a computing device such as a Personal Computer (PC), a Personal Digital Assistant (PDA), a netbook, and may also be any other terminal device that can implement the embodiment of the present application, which is not limited in this application. Of course, the apparatus may also be applied to a server.
The embodiment of the application also provides a device for accessing the memory, and the device can be applied to a terminal or a server. The terminal may refer to the description of the terminal, which is not repeated herein.
Referring to fig. 3, taking the above-mentioned terminal as a computer device as an example, fig. 3 shows a schematic structural diagram of a computer device 30. As shown in fig. 3, the computer device 30 includes a processor 301, a memory 302, a communication interface 303, and a bus 304. The processor 301, the memory 302, and the communication interface 303 may be connected to each other via a bus 304. The above-mentioned device for creating a secure page table may be applied to the processor 301 in the computer device 30, and the above-mentioned device for accessing a memory may also be applied to the processor 301 in the computer device 30, which is not limited thereto.
The processor 301 is a control center of the computer device 30, and may be a Central Processing Unit (CPU), other general-purpose processor, or the like. Wherein a general purpose processor may be a microprocessor or any conventional processor or the like.
As one example, processor 301 may include one or more CPUs, such as CPU 0 and CPU1 shown in fig. 3.
Referring to fig. 4, fig. 4 shows a schematic structural diagram of a CPU provided in an embodiment of the present application. As shown in fig. 4, CPU 40 may include a processing core 41, a memory management unit 42, a page table base register 43, a secure memory interval base register 44, a secure memory interval terminal register 45, and an address comparator 46.
The processing core 41 is used for running the process of the application program. The memory management unit 42 is configured to convert a virtual address of a process into a physical address when the processing core 41 needs to access a memory during the process. Here, the number of the processing cores 41 and the memory management units 42 is not particularly limited in the embodiment of the present application.
And the page table base register 43 is used for storing the base address of the page table corresponding to the process currently running on the processing core 41. Specifically, the page table base register 43 is used to store the base address of the first level page table in the page table corresponding to the process currently running on the processing core 41.
Typically, when the processing core 41 starts running a process, the processing core 41 writes the base address of the page table corresponding to the process into the page table base register 43.
Optionally, as shown in FIG. 5, the page table base registers 43 may include a non-secure process page table base register 531 and a secure process page table base register 532.
The non-secure process page table base register 531 is used to store the base address of the page table corresponding to the non-secure process currently running on the processing core 41.
The secure process page table base register 532 is used to store the base address of the page table corresponding to the secure process currently running on the processing core 41.
In this case, as shown in fig. 5, the CPU 40 may further include a base address selection register 57. A base address select register 57 is used to indicate whether the process currently running on the processing core 41 is a secure process or a non-secure process. In this way, the memory management unit 42 may obtain the base address of the page table corresponding to the process from the corresponding register according to whether the process currently running on the processing core 41 is a secure process or a non-secure process, so that the virtual address of the process may be converted into the corresponding physical address based on the base address.
As an example, when the processing core 41 writes a "0" in the base address selection register 57, it may indicate that the process currently running by the processing core 41 is a non-secure process. When processing core 41 writes a "1" in base address select register 57, it may indicate that the process currently running by processing core 41 is a secure process. Alternatively, when processing core 41 writes a "1" in base address selection register 57, it may indicate that the process currently running by processing core 41 is a non-secure process. When processing core 41 writes a "0" in base address select register 57, it may indicate that the process currently running by processing core 41 is a secure process. The embodiments of the present application do not limit this.
As shown in fig. 4, the secure memory block base register 44 is used to indicate the base address (or called the start address) of the region for storing the secure page table in the secure region of the memory. The secure memory block end register 45 is used to indicate the end address (or called end address) of the area for storing the secure page table in the secure area on the memory.
The secure page table is a page table created for a process running on a processor in this embodiment of the present application, and may be an n-level page table, and the secure page table is typically stored in a secure area of a memory. In this way, the security of the secure page table can be guaranteed.
By way of example, referring to fig. 6, fig. 6 shows a schematic diagram of the start address and the end address of the region for storing the secure page table within the secure region of the memory. As shown in fig. 6, the memory 60 includes a secure area 61, and the secure page table area is a secure page table area 611 in the secure area 61. Therefore, the address of the start point a of the secure page table area 611 is the start address of the secure page table area 611, and the address of the end point B of the secure page table area 611 is the end address of the secure page table area 611. As can be seen from (a) in fig. 6, the secure page table area 611 is located in the middle area of the secure area 61. As can be seen from (b) in fig. 6, the secure page table area 611 is located in the left area of the secure area 61, and its start address is the same as that of the secure area 61.
As shown in fig. 4, the address comparator 46 is configured to perform a security check on a base address of each level of the page tables in the secure page table to determine whether each level of the page tables indicated by the base address of each level of the page tables is within the secure region in the process that the memory management unit 42 converts the virtual address of the process into the physical address based on the secure page table of the process running in the processing core 41.
Specifically, the address comparator 46 may determine whether the page table of each stage is within the secure region by comparing the base address of the page table of each stage (i.e., the base address of the physical page representing the page table of each stage) with the base address stored in the secure memory interval base register 44, and comparing the end address of the page table of each stage (i.e., the end address of the physical page representing the page table of each stage) with the end address stored in the secure memory interval end register 45.
The memory 302 may be, but is not limited to, a read-only memory or other type of static storage device that may store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that may store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
In one possible implementation, the memory 302 may exist independently of the processor 301. A memory 302 may be coupled to the processor 301 through a bus 304 for storing data, instructions, or program code. When the processor 301 calls and executes the instructions or program codes stored in the storage 302, the method for creating the secure page table and accessing the memory provided by the embodiment of the present application can be implemented.
In another possible implementation, the memory 302 may also be integrated with the processor 301.
It should be understood that if the memory 302 is used as a memory, the security page table and the security bitmap provided by the embodiment of the present application are both stored in the security area in the memory 302.
As an example, as shown in fig. 7, in the memory 302, a secure area 71 is included. In the secure area 71, a secure page table area 711 for storing a secure page table and a secure bitmap area 712 for storing a secure bitmap are included.
A communication interface 303, configured to connect the computer device 30 and other devices (such as a server, etc.) through a communication network, where the communication network may be an ethernet, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), or the like. The communication interface 303 may include a receiving unit for receiving data, and a transmitting unit for transmitting data.
The bus 304 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended ISA (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 3, but this does not mean only one bus or one type of bus.
It should be noted that the configuration shown in fig. 3 does not constitute a limitation of the computer device 30, and that the computer device 30 may include more or less components than those shown in fig. 3, or combine some components, or a different arrangement of components, in addition to the components shown in fig. 3.
The following describes methods for creating a secure page table and accessing a memory according to embodiments of the present application with reference to the accompanying drawings.
Example one
Referring to fig. 8, fig. 8 is a flowchart illustrating a method for creating a secure page table according to an embodiment of the present application, where the method may be applied to a processor in the computer device shown in fig. 3, and the method may include the following steps:
s101, the processor creates a first n-1 level page table of a first secure page table for a first process, wherein the first secure page table is an n-level page table.
The first process runs on the processor, and the first secure page table is used for converting a virtual address of the first process into a physical address based on the first secure page table when the processor needs to access a memory during the process of running the first process.
In a first possible scenario, the processor needs to create a secure page table for a first process when the first process is started.
Optionally, the processor may create the first n-1 level page table of the first secure page table by the kernel.
Taking the example that the processor creates a 4-level page table for the first process, the following is a brief description of the processor creating the first 3-level page table of the 4-level page table through the kernel.
The processor may first perform the creation of the first level page table by calling a first level page table creation function. For example, the first level page table creation function may be a level1_ alloc () function. Specifically, the processor may allocate a free physical page 1 via the kernel and write the base address of the physical page 1 into the page table address register. The processor then adds, by the kernel, the first level page table entry index in the virtual address of the first process and the base address of physical page 1 to determine entry 1 indicating the base address of the second level page table. Thus, the physical page 1 is the first level page table of the 4-level page table.
The processor then performs creation of the second level page table by calling a second level page table creation function. For example, the second stage page table creation function may be a level12_ alloc () function. Specifically, the processor may allocate a free physical page 2 via the kernel and write the base address of the physical page 2 to entry 1 in the first-level page table. The processor then adds, by the kernel, the second level page table entry index in the virtual address of the first process and the base address of physical page 2 to determine entry 2 indicating the base address of the third level page table. Thus, the physical page 2 is the second level page table of the 4-level page table.
Then, the processor performs creation of a third-level page table by calling a third-level page table creation pde _ alloc () function. For example, the third level page table creation function may be a level3_ alloc () function. Specifically, the processor may allocate a free physical page 3 by the kernel and write the base address of the physical page 3 to the entry 2 in the second stage page table. The processor then adds, by the kernel, the third level page table entry index in the virtual address of the first process and the base address of physical page 3 to determine entry 3 indicating the fourth level page table base address. Thus, the physical page 3 is the third level page table of the 4-level page table.
In a second possible scenario, the processor is involved in a page fault exception handling during execution of the first process. In this case, it is indicated that the first secure page table corresponding to the first process has a missing page, and therefore the processor needs to create the missing page in the first secure page table by the kernel.
In this way, the processor may perform a page fault exception handling via the kernel, and create a missing one or more page tables for the first secure page table of the first process, where the missing one or more page tables are the first n-1 page tables of the first secure page table.
For the description of creating, by the processor, the missing one or more levels of page tables for the first secure page table through the kernel, reference may be made to the description of creating, by the processor, any one level of page tables in the first n-1 levels of page tables of the first secure page table under the first possible condition, which is not described herein again.
S102, the processor allocates a first physical page for the first process, creates an nth-level page table of the first secure page table based on the first physical page, and writes the first secure page table into the first secure area.
Wherein the nth stage page table is a last stage page table in the first secure page table.
In particular, the processor may create the nth level page table by calling a fourth level page table creation function, for example, to create the fourth level page table in the 4 level secure page table. In this case, the processor may allocate a first physical page through the core, where the first physical page may be a free physical page. Then, the processor can check the validity of the first physical page through the preset module.
Specifically, when the result of the validity check indicates that the first physical page is not allocated to any one of the security processes to be used as the security space, the processor creates an nth-level page table through the preset module based on the first physical page. When the result of the validity check indicates that the first physical page has been allocated to any one of the security processes for use as a security space, the processor determines that creating the nth level page table failed.
Specifically, the following describes a process in which the processor checks the validity of the first physical page through the preset module, and creates the nth-level page table based on the result of the validity check.
In a first possible implementation, when the fourth level page table creating function indicates that the first physical page is checked for validity by the running firmware, for example, the fourth level page table creating function may be "level 14_ pt _ page ()", the processor may trap the highest privilege level authority after the first physical page is allocated by the kernel, that is, the processor may check for validity of the first physical page by running the firmware. In this case, the preset module includes the operating firmware.
Referring to fig. 8, the processor creates an nth level page table based on the first physical page by running firmware, and checks the validity of the first physical page by:
s1021, the processor reads a first tag corresponding to a first physical page in the safety bitmap through running the firmware.
Specifically, the processor may determine a first tag corresponding to the first physical page in the security bitmap by running firmware according to a base address of the first physical page.
Generally, in the security bitmap, tag is written to the second security area of the memory, usually in units of bytes, i.e. tag is written to the second security area of the memory in units of 8 bits.
Illustratively, the base address of the physical page in the memory is represented by 48 bits, and the size of the physical page divided in the memory is 4 KB. In this case, the lower 12 bits of the 48-bit bits may be used to represent a physical page. Thus, the processor may right-shift the base address of the first physical page by 12 bits by running firmware, i.e., get the PPN of the first physical page. Next, the processor may determine the location of the byte in the security bitmap that includes the first tag corresponding to the first physical page by executing the firmware to right shift the PPN of the first physical page by 3 bits. The processor may then determine the bit position of the first tag in the byte based on the value of the lower three bits of the PPN of the first physical page. For example, if the lower three bits are 100, that is, the value of the lower three bits is 4, which means that the first tag is the fifth bit in the byte, and the value of the fifth bit is the value of the first tag.
S1022, the processor determines whether the value of the first tag is the first value by executing the firmware.
When the processor determines that the value of the first tag is not the first value by executing the firmware, that is, the value of the first tag is the second value, the processor performs step S1023. When the processor determines that the value of the first tag is the first value by executing the firmware, the processor performs steps S1024-S1028.
S1023, the processor determines that the nth page table is failed to be created by running the firmware.
Since the first tag is not the first value, that is, the first tag is the second value, this indicates that the first physical page has been allocated to any one of the security processes as the security space, and thus the first physical page cannot be allocated to other processes. Thus, the processor may determine that the nth, i.e., page table creation, failed by running firmware.
S1024, based on the first physical page, the processor creates an nth-level page table by running firmware, and writes a first secure page table including the nth-level page table into a first secure region.
When the value of the first tag is a first value, the first physical page is not allocated to the security process, or the first physical page is allocated to any security process to be used as a non-security space. At this time, the processor may create an nth level page table based on the first physical page by executing firmware, and write a first secure page table including the nth level page table to the first secure region.
Specifically, the processor creates the description of the nth level page table by running the firmware, which may refer to the description above in S101 that the processor creates any level page table in the first secure page table by the kernel, and is not described herein again.
Wherein the processor determines an entry 4 indicating a base address of the first physical page by running firmware to add a base address of the nth stage page table and a fourth stage page table entry index in the virtual address of the first process. Then, the processor writes the base address of the first physical page into the entry 4 in the nth stage page table by running the firmware, thereby completing the mapping of the virtual address of the first process and the first physical page.
After the processor completes creation of the nth stage page table by running the firmware, a first secure page table including the nth stage page table is written into a first secure region.
S1025, the processor determines whether the first process is a secure process by running the firmware.
In one possible implementation, the processor may determine that the first process is a secure process or a non-secure process by running firmware based on the state of the base address select register 57 shown in FIG. 5.
For example, when the state of the base address selection register 57 indicates "0", the processor determines that the first process is an insecure process by executing the firmware, and when the state of the base address selection register 57 indicates "1", the processor determines that the first process is a secure process by executing the firmware.
In another possible implementation manner, the processor may determine, by running the firmware, whether the first process is a secure process or a non-secure process according to a process Identity (ID) of the first process.
For example, if the ID of the first process is "0", the processor determines that the first process is an insecure process by executing the firmware, and if the ID of the first process is "1", the processor determines that the first process is a secure process by executing the firmware.
When the first process is a secure process, the processor executes S1026 by running the firmware, and when the first process is an unsecure process, the processor executes S1028 by running the firmware.
S1026, the processor determines whether the virtual space pointed to by the virtual address of the first process is a secure virtual space by running the firmware.
Generally, when a processor runs a security process, a virtual space pointed to by a virtual address of the security process may be a secure virtual space or a non-secure virtual space.
If the virtual space pointed by the virtual address of the security process is the security virtual space, the first physical page which establishes a mapping relation with the virtual address through the first security page table is used as the security space of the first process. In this case, the first physical page cannot be reallocated for use by other processes.
If the virtual space pointed by the virtual address of the security process is the non-security virtual space, the first physical page which is mapped with the virtual address through the first security page table is used as the non-security space of the first process. In this case, the first physical page may also be allocated for use by other processes.
Therefore, the processor can determine whether the virtual space corresponding to the virtual address of the first process is the safe virtual space by running the firmware and according to the preset corresponding relation.
The preset corresponding relation is established by a designer when designing a program code, so that the running firmware can be known in advance.
When the virtual space pointed to by the virtual address of the first process is the secure virtual space, the first physical page cannot be reallocated to another process for use, and then the processor executes S1027 by running firmware. When the virtual space pointed to by the virtual address of the first process is an insecure virtual space, the first physical page may be allocated to another process for use, and then the processor executes S1028 by running the firmware.
S1027, the processor sets the first tag corresponding to the first physical page to be a second value by running the firmware.
Specifically, the processor sets, by running the firmware, a bit indicating a first tag corresponding to the first physical page to a second value, for example, to "1", in a security bitmap stored in a second security area of the security areas in the memory.
S1028, the processor sets a first tag corresponding to the first physical page to a first value by running the firmware.
Specifically, the processor sets a bit, which is stored in a security bitmap in a second security area of the security areas in the memory and used for indicating a first tag corresponding to the first physical page, to a first value, for example, to "0", by running the firmware.
In a second possible implementation manner, when the fourth stage page table creating function indicates that the preset microcode is called to check the validity of the first physical page, for example, the fourth stage page table creating function may be "pte _ alloc ()", and in this case, the processor may check the validity of the first physical page by calling the preset microcode after the first physical page is allocated by the core. In this case, the predetermined module includes the predetermined microcode.
In this way, the processor creates the nth level page table based on the first physical page, and checks the validity of the first physical page, which can be implemented by the instruction of the preset microcode.
Illustratively, the preset microcode may be WR _ SEC _ PT. The predetermined microcode "WR _ SEC _ PT" may include the following instructions:
a first instruction: GET TAG, PA;
the first instruction is used for instructing the processor to read a first tag corresponding to the first physical page. For the reading process of the first tag, reference may be made to the description of S1021, and details are not repeated here.
A second instruction: CMP TAG, first value;
the second instruction is for the processor to determine whether the first tag is a first value. When the first tag is not the first value, i.e., the first tag is the second value, the processor determines that the nth level page table creation failed. When the first tag is the first value, the third instruction is executed.
A third instruction: CMP EID, 0;
the third instructions are for the processor to determine whether the first process is a secure process. Here, the processor may determine whether the first process is a secure process by the ID of the first process.
If the processor determines from the third instruction that the first process is a secure process, then a fourth instruction described below is executed, and if the processor determines from the third instruction that the first process is a non-secure process, then a sixth instruction set described below is executed.
A fourth instruction: CMP VA, SECVARANGE;
the fourth instruction is for the processor to determine whether the virtual space pointed to by the virtual address of the first process is a secure virtual space, and if so, to execute a fifth instruction set described below, and if not, to execute a sixth instruction set described below.
A fifth instruction group:
instruction a 1: MAP PTE, PA;
instruction a1 is used to instruct the processor to create an nth level page table from the first physical page. The description that the processor creates the nth-level page table according to the first physical page may refer to the description of S1024 above, and is not described here again.
Instruction b 1: SAVE LEVEL1, 1E; SAVE LEVEL 2E; SAVE LEVEL 3E; …, respectively; SAVE LEVELnE;
instruction b1 is used to instruct the processor to write a first secure page table (including the level1 page table through the nth level page table) to a first secure region.
Instruction c 1: SAVE TAG, second value;
instruction c1 is to instruct the processor to set a bit in a security bitmap stored in a second secure area on the secure area of the memory to represent a first tag corresponding to the first physical page to a second value.
Sixth instruction set:
instruction a 2: MAP PTE, PA;
instruction b 2: SAVE LEVEL1, 1E; SAVE LEVEL 2E; SAVE LEVEL 3E; …, respectively; SAVE LEVELnE;
for the description of the command a2 and the command b2, reference may be made to the description of the command a1 and the command b1, which are not repeated here.
Execution of c 2: SAVE TAG, first value;
instruction c2 is to instruct the processor to set a bit in a security bitmap stored in a second secure area on the secure region of the memory to indicate a corresponding first tag of the first physical page to a first value.
It can be seen that, in a second possible implementation manner, the processor implements the processes described in the above S1021 to S1028 by executing the instruction of the preset microcode.
Therefore, by the method for creating the secure page table provided by the embodiment of the application, the first secure page table for completing the first process is created. It can be seen that, in the process of creating the first secure page table, the validity of the mapped first physical page is checked, so that the first physical page allocated to any secure process cannot be used by the first process, and the first physical page not allocated to any secure process can be allocated to the first process for use, and according to the security level of the first process, the tag value corresponding to the first physical page is updated and set, so that isolation of memories used by processes of different security levels in terms of page granularity (physical pages are granularity units) precision is achieved.
In addition, since the validity check is implemented by the processor running firmware or microcode, the security permission level of the running firmware and the microcode is higher than that of the kernel, and the created secure page table is stored in a secure area of the memory, the security of the memory isolation scheme based on page granularity provided by the embodiment of the present application is higher.
Example two
Referring to fig. 9, fig. 9 is a schematic flowchart illustrating a method for accessing a memory according to an embodiment of the present application, where the method is implemented based on a secure page table created according to an embodiment of the present application. The method may be applied to a processor in a computer device as shown in fig. 3, and may comprise the steps of:
s201, the processor acquires a first base address.
The processor runs a first process, and the first process corresponds to a first secure page table. Here, the first secure page table may be a secure page table created based on the method provided in the first embodiment, and the first secure page table is stored in a first secure area in the memory secure area. The first base address is a base address of the first secure page table, that is, a base address of a first-stage page table in the first secure page table.
For the description of the first secure page table, reference may be made to the above description of the first secure page table, which is not described herein again.
During the process of running the first process by the processing core in the processor, when a memory access is needed, the processing core sends a memory access request to the MMU in the processor, where the memory access request includes a virtual address of the first process (for example, the virtual address 104 shown in fig. 10, where the virtual address 104 includes a valid bit 1040, a first-level page table entry index 1041, a second-level page table entry index 1042, a third-level page table entry index 1043, a fourth-level page table entry index 1044, and a page offset (not shown in fig. 10)). Optionally, the memory access request further includes an ID of the first process.
It will be appreciated that when the processor starts the first process, or switches from running other processes to running the first process, the processor writes the secure page table of the first process, i.e. the base address of the first secure page table, to a page table base register, such as the page table base register 43 shown in figure 4.
In this way, the MMU of the processor may obtain the first base address of the first secure page table from the page table base register after receiving the memory access request.
Alternatively, if the page table base registers include a non-secure process page table base register (e.g. non-secure process page table base register 531 shown in fig. 5 or non-secure process page table base register 101 shown in fig. 10) and a secure process page table base register (e.g. secure process page table base register 532 shown in fig. 5 or secure process page table base register 102 shown in fig. 10), the processor writes the base of the first secure page table to the corresponding page table base register according to the security level of the first process.
As an example, referring to fig. 10, if the first process is a non-secure process, the processor may write the base address of the first secure page table to the non-secure process page table base register 101. If the first process is a secure process, the processor may write the base address of the first secure page table to the secure process page table base register 102.
Optionally, the processor also sets the state of a base address selection register (e.g. base address selection register 57 shown in fig. 5 or selection register 103 shown in fig. 10) based on the security level of the first process so that it can indicate the security level of the first process.
In this way, the MMU in the processor may determine the security level of the first process by reading the state of the base address selection register and obtain the base address of the first secure page table from the corresponding base address register.
Of course, the MMU in the processor may also determine the security level of the first process by the ID of the first process included in the received memory access request, and obtain the base address of the first secure page table from the corresponding page table base register.
By way of example, referring to fig. 10, the MMU in the processor, upon receiving a memory access request from the processing core to execute a first process, reads the state of the select register 103 to determine the security level of the first process. If the first process is a non-secure process, the MMU retrieves the base address of the first secure page table from the non-secure process page table base register 101. If the first process is a secure process, the MMU retrieves the base address of the first secure page table from the secure process page table base register 102.
S202, the MMU in the processor determines the base address of each page table in the last n-1 level page table in the first secure page table based on the virtual address of the first process and the first base address, and determines whether each page table in the first secure page table is in the first secure area.
Since the first base address is the base address of the first stage page table of the first secure page table, the MMU is only required to determine the base address of each stage of the last n-1 stage page table in the first secure page table.
The process of determining the base address of each page table in the last n-1 level page table in the first secure page table step by the MMU according to the virtual address of the first process and the first base address may refer to the description in the page table translation above, which is not described herein again.
In this embodiment, in the process of the MMU converting the virtual address of the first process into the corresponding physical address, the processor needs to further determine whether each of the secure page tables obtained or determined by the MMU is within the first secure region for storing the first secure page table. Here, the page table of each stage is essentially a physical page, and taking the first stage page table as an example, the processor needs to determine whether the physical page representing the first stage page table (i.e., the first stage page table page) is within the first secure region for storing the first secure page table. If within the first secure region, the MMU may determine a base address of the second stage page table based on the base address of the first stage page table and the virtual address of the first process. If not, the MMU exits the address translation, i.e., the processor ends the memory access requested by the first process.
The address translation process provided by the embodiment of the present application is described below with reference to fig. 10, taking the first secure page table as a 4-level page table as an example.
As shown in fig. 10, a base register 106 and an end register 107 are preset in the processor, where the description of the base register 106 may refer to the description of the base register 44 in the secure memory interval in fig. 4, and the description of the end register 107 may refer to the description of the end register 45 in the secure memory interval in fig. 4, which is not repeated herein.
It will be appreciated that the address stored in the base register 106 may be the base address of the first secure region in memory for storing all of the secure page tables, or may be the base address of the secure region in memory for storing the first secure page table. The address stored in the address register 107 may be an end address of the first secure area in the memory for storing all the secure page tables, or may be an end address of the secure area in the memory for storing the first secure page table. The embodiment of the present application is not particularly limited to this.
In the following description of the embodiment of the present application, an address stored in the base register 106 is a base address of the first secure area, and an address stored in the end register 107 may be an end address of the first secure area.
As shown in fig. 10, the processor is further provided with an address comparator 1081, an address comparator 1082, an address comparator 1083, and an address comparator 1084. The address comparator 1081 is used to determine whether the page table page pointed to by the base address of the first stage page table (i.e., the first base address retrieved by the MMU from the page table base register) is in the first safe region. Here, the description that the address comparator 1081 determines whether the page table page pointed to by the first base address is in the first security region according to the base address of the first level page table may refer to the description of the address comparator 46 above, and will not be described herein again.
The base register 106 is connected to the address comparator 1081, the address comparator 1082, the address comparator 1083, and the address comparator 1084, so that the address comparator 1081, the address comparator 1082, the address comparator 1083, and the address comparator 1084 can respectively obtain the base address of the first secure area stored in the base register 106.
The address register 107 is connected to an address comparator 1081, an address comparator 1082, an address comparator 1083, and an address comparator 1084, respectively. Thus, the address comparator 1081, the address comparator 1082, the address comparator 1083, and the address comparator 1084 can respectively acquire the end addresses of the first secure area stored in the end address register 107.
In this way, the MMU in the processor obtains the first base address and sends the first base address to the address comparator 1081. In this way, the address comparator 1081 can determine whether the page table page pointed to by the first base address is within the first secure area according to the first base address, the base address of the first secure area, and the end address of the first secure area.
If the page table page pointed to by the first base address is within the first security zone, address comparator 1081 sends the first base address to the MMU. The MMU reads the page table page indicated by the first base address (i.e., first stage page table 1051) from memory. The MMU then determines, based on the first base address and the first stage page table entry index 1041, an entry 1 in the first stage page table 1051, the entry 1 indicating a second base address of the second stage page table.
If the page table page pointed to by the first base address is not within the first secure region, the MMU ends the translation of the virtual address 104 for the first process, i.e., the processor determines to end accessing memory.
Then, the MMU in the processor sends the second base address of the second-stage page table indicated in the table entry 1 to the address comparator 1082, so that the address comparator 1082 can determine whether the page table page pointed to by the second base address is within the first secure area according to the second base address, the base address of the first secure area, and the end address of the first secure area.
If the page table page pointed to by the second base address is within the first security zone, address comparator 1082 sends the second base address to the MMU. The MMU reads the page table page indicated by the second base address (i.e., second stage page table 1052) from memory. The MMU then determines entry 2 in second stage page table 1052, based on the second base address and second stage page table entry index 1042, which entry 2 indicates the third base address of the third stage page table.
If the page table page pointed to by the second base address is not within the first secure region, the MMU ends the translation of the virtual address 104 for the first process, i.e., the processor determines to end accessing memory.
Then, the MMU in the processor sends the third base address of the third-level page table indicated in the table entry 2 to the address comparator 1083, so that the address comparator 1083 can determine whether the page table page pointed to by the third base address is within the first secure area according to the third base address, the base address of the first secure area, and the end address of the first secure area.
If the page table page pointed to by the third base address is within the first secure enclave, address comparator 1082 sends the third base address to the MMU. The MMU reads the page table page indicated by the third base address (i.e., third level page table 1053) from memory. The MMU then determines, based on the third base address and the third level page table entry index 1043, an entry 3 in the third level page table 1053, which entry 3 indicates the fourth base address of the fourth level page table.
If the page table page pointed to by the third base address is not within the first secure region, the MMU ends the translation of the virtual address 104 for the first process, i.e., the processor determines to end accessing memory.
Then, the MMU in the processor sends the fourth base address of the fourth level page table indicated in the table entry 3 to the address comparator 1084, so that the address comparator 1084 can determine whether the page table page pointed to by the fourth base address is within the first secure area according to the fourth base address, the base address of the first secure area, and the end address of the first secure area.
If the page table page pointed to by the fourth base address is within the first secure enclave, address comparator 1082 sends the fourth base address to the MMU. The MMU reads the page table page indicated by the fourth base address (i.e., the fourth stage page table 1054) from memory. The MMU then determines an entry 4 in the fourth level page table 1054 based on the fourth base address and the fourth level page table entry index 1044, where entry 4 indicates the base address of the physical page.
If the page table page pointed to by the fourth base address is not within the first secure region, the MMU ends the translation of the virtual address 104 for the first process, i.e., the processor determines to end accessing memory.
It can be seen that, in the method for accessing a memory provided in the embodiment of the present application, a processor does not need to additionally access a secure bitmap in a second secure region of the memory, but only needs to determine, through hardware, whether each level of a page table in a first secure page table is located in a first secure region, so that no overhead is incurred during operation.
S203, if each stage of page tables in the first secure page table is in the first secure region, the MMU in the processor determines a physical address corresponding to the virtual address of the first process based on the base address of the nth stage of page tables in the first secure page table, and the processor accesses the memory based on the physical address.
Specifically, if each of the stages of the page tables in the first secure page table is within the first secure region, the MMU may determine a physical address corresponding to the virtual address of the first process based on the base address of the nth stage page table in the first secure page table and the page offset in the virtual address of the first process. The processor then accesses memory based on the physical address.
As an example, in connection with fig. 10, the MMU may derive the physical address to which the virtual address 104 of the first process is mapped based on the base address of the physical page indicated by entry 4 in the fourth level page table 1054 and the page offset in the virtual address 104 of the first process. In this way, the processor can access memory based on the physical address.
Since the secure page table of the first process has been security checked at the time of creation, and the secure page table is stored in a secure region of memory. Therefore, when performing virtual address translation (or translation) of the first process based on the secure page table, the processor does not need to additionally access the secure bitmap in the memory after converting the virtual address into the physical address, so as to perform security check on the physical page indicated by the physical address as in the background art. Therefore, in the process of running the process, the processor reduces the overhead of additionally accessing the security bitmap in the memory, and improves the system performance.
By way of example, referring to fig. 11, fig. 11 illustrates an advantageous effect of the method for creating a secure page table and accessing a memory according to the embodiment of the present application.
As shown in fig. 11, for the prior art, if the total running time required for the processor to access the memory when running a certain process is t, the time for creating a page table (conventional page table) for the process therein accounts for about 0.02% of the total running time of the process. The processor takes up about 95% of the total run time of the process to execute the process. In the time for executing the process, the access time (including memory access and cache access) of the processor is about 50%, and the miss rate (cache miss, i.e. memory access is required) of the processor to access the cache is about 10%. The overhead of the processor in additional access to the security bitmap is about 20% when accessing the memory. Thus, during the process run by the processor in the prior art, the additional time overhead (Δ t1 as shown in FIG. 11) due to accessing the security bitmap is about: 95% by 50% by 10% by 20% to 1%. That is, the extra time overhead due to accessing the security bitmap during the process run by the processor is about 1% t.
When the method for creating a secure page table and accessing a memory provided in the embodiment of the present application is used, if the total running time required for accessing the memory when a processor runs a certain process is t, the time for the processor to create a page table (the secure page table in the embodiment of the present application) for the process is about 10% more than the time for creating a page table for the process in the prior art, that is, Δ t2 shown in fig. 11. However, the scheme provided by the embodiment of the application does not generate additional time overhead for accessing the security bitmap when executing the process. Therefore, with the technical solution provided in the embodiment of the present application, the overhead generated when creating the secure page table (i.e., the overhead caused by performing the validity check on the last stage page table of the secure page table) is about 0.02% × 10% × 0.002%, i.e., 0.002% × t. Therefore, the technical scheme provided by the embodiment of the application obviously reduces the expenditure of accessing the memory when the processor runs the process.
In summary, the embodiments of the present application provide a method for creating a secure page table and accessing a memory, where the method implements memory isolation through a secure bitmap, thereby implementing memory isolation on page granularity precision. And in the process of creating the secure page table for the process through the highest privilege level, the processor performs validity check on the last level page table of the secure page table, and then stores the created secure page table in a secure area of the memory. Therefore, when the processor needs to access the memory in the process of running the process, the processor only needs to determine whether each level of page tables in the secure page tables is in the secure area of the memory through hardware, and does not need to additionally access the secure bitmap in the secure area of the memory to perform security check on the physical page indicated by the physical address obtained by the MMU conversion, so that the cost of accessing the memory when the processor runs the process is obviously reduced, and the system performance is improved.
The scheme provided by the embodiment of the application is mainly introduced from the perspective of a method. To implement the above functions, it includes hardware structures and/or software modules for performing the respective functions. Those of skill in the art would readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, according to the method example, functional modules of a device for creating a secure page table and a device for accessing a memory may be divided, for example, the functional modules may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
As shown in fig. 12, fig. 12 is a schematic structural diagram illustrating an apparatus 120 for creating a secure page table according to an embodiment of the present application. The means 120 for creating a secure page table may be adapted to run with the first thread processor, and the means 120 for creating a secure page table may be adapted to perform the method for creating a secure page table described above, for example, to perform the method shown in fig. 8. The apparatus 120 for creating a secure page table may include an allocation unit 121 and a creation unit 122.
An allocating unit 121 for allocating the first physical page. A creating unit 122, configured to create an nth-level page table in the first secure page table for the first process based on the first physical page when the first physical page is not allocated to any one of the secure processes as a secure space. The processor is used for converting a virtual address of the first process into a physical address when the first process accesses the memory, the first secure page table is an n-level page table, and n is a positive integer.
As an example, in connection with fig. 8, the allocating unit 121 may be configured to perform S102, and the creating unit 122 may be configured to perform S1024.
Optionally, the apparatus 120 for creating a secure page table further includes a determining unit 123. A determining unit 123, configured to determine, by a preset module, that the first physical page is not allocated to any one of the security processes as a security space, where the preset module includes running firmware or preset microcode. The creating unit 122 is specifically configured to create, based on the first physical page, an nth-level page table in the first secure page table for the first process through the preset module.
As an example, in conjunction with fig. 8, the determining unit 123 may be configured to perform S1022, and the creating unit 122 may be configured to perform S1024.
Optionally, the means 120 for creating a secure page table further includes a writing unit 124. The writing unit 124 is configured to write the first secure page table into the first secure area in the memory through the preset module.
As an example, in connection with fig. 8, write unit 124 may be configured to perform S1024.
Optionally, the apparatus 120 for creating a secure page table further includes a setting unit 125. The setting unit 125 is configured to: when the first physical page is not allocated to any one security process as a security space and is used as a non-security space of the first process, setting a tag corresponding to the first physical page in a security bitmap as a first value; or, when the first physical page is not allocated to any one security process as a security space, the first process is a security process, and the first physical page is used as a security space of the first process, setting a tag corresponding to the first physical page in the security bitmap to be a second value. And if the value of any tag in the security bitmap is the first value, indicating that the physical page corresponding to the any tag is not allocated to the security process as the security space. And if the value of any tag is the second value, indicating that the physical page corresponding to any tag is allocated to the security process as the security space.
As an example, in conjunction with fig. 8, the setting unit 125 may be configured to perform S1027 and S1028.
Optionally, the security bitmap is stored in a second security area in the memory.
Optionally, the determining unit 123 is further configured to determine that creating the nth page table fails when the first physical page is already allocated to any one of the security processes as a security space.
As an example, in connection with fig. 8, the determination unit 123 may be configured to perform S1022 and S1023.
Optionally, the creating unit 122 is further configured to create a first n-1 level page table of the first secure page table before the allocating unit 121 allocates the first physical page.
As an example, in connection with fig. 8, the creation unit 122 may be configured to perform S101.
For the detailed description of the above alternative modes, reference may be made to the foregoing method embodiments, which are not described herein again. In addition, for any explanation and description of the beneficial effects of the apparatus 120 for creating the secure page table, reference may be made to the corresponding method embodiments, and details are not repeated.
As an example, in conjunction with fig. 3, the allocation unit 121, the creation unit 122, the determination unit 123, the writing unit 124, and the setting unit 125 in the apparatus 120 for creating a secure page table may be implemented by the processor 301 in fig. 3 executing the program code in the memory 302 in fig. 3.
As shown in fig. 13, fig. 13 is a schematic structural diagram illustrating an apparatus 130 for accessing a memory according to an embodiment of the present disclosure. The memory accessing device 130 may be adapted to run a first process, which corresponds to a first secure page table stored in a first secure region of the memory, the first secure page table being an n (n is a positive integer) level page table. The memory access device 130 may be used to execute the above-described memory access method, such as the method shown in fig. 9. The memory access device 130 may include a determining unit 131 and an accessing unit 132.
A determining unit 131, configured to determine whether each of the stages in the first secure page table is within the first secure region; and if each stage of page tables in the first secure page table is in the first secure region, determining a physical address corresponding to the virtual address of the first process based on the base address of the nth stage of page tables in the first secure page table. An accessing unit 132, configured to access the memory based on the physical address determined by the determining unit.
As an example, in connection with fig. 9, the determining unit 131 may be configured to perform S202, and the accessing unit 132 may be configured to perform S203.
Optionally, the memory access apparatus 130 further includes an obtaining unit 133. An obtaining unit 133, configured to obtain a first base address before the determining unit 131 determines whether each of the page tables in the first secure page table is in the first secure region, where the first base address is a base address of the first page table in the first secure page table. The determining unit 131 is further configured to determine a base address of each page table in the last n-1 level page table in the first secure page table based on the virtual address of the first process and the first base address acquired by the acquiring unit 133.
As an example, in conjunction with fig. 9, the obtaining unit 133 may be configured to perform S201, and the determining unit 131 may be configured to perform S202.
Optionally, the obtaining unit 133 is specifically configured to: if the first process is a security process, acquiring a first base address from a register corresponding to the security process; or, if the first process is an insecure process, the first base address is obtained from a register corresponding to the insecure process.
As an example, in conjunction with fig. 9, the obtaining unit 133 may be configured to perform S201.
Optionally, the accessing unit 132 is further configured to end the memory access if any one of the first secure page tables is not in the secure area.
For the detailed description of the above alternative modes, reference may be made to the foregoing method embodiments, which are not described herein again. In addition, for any explanation and beneficial effect description of the memory access device 130 provided above, reference may be made to the corresponding method embodiment described above, and details are not repeated.
As an example, in connection with fig. 3, the determining unit 131, the accessing unit 132 and the obtaining unit 133 in the memory accessing device 130 may be implemented by the processor 301 in fig. 3 executing the program code in the memory 302 in fig. 3.
The embodiment of the present application further provides a chip system 140, as shown in fig. 14, where the chip system 140 includes at least one processor and at least one interface circuit. By way of example, when the system-on-chip 140 includes one processor and one interface circuit, then the one processor may be the processor 141 shown in solid line block in fig. 14 (or the processor 141 shown in dashed line block), and the one interface circuit may be the interface circuit 142 shown in solid line block in fig. 14 (or the interface circuit 142 shown in dashed line block). When the system-on-chip 140 includes two processors and two interface circuits, the two processors include the processor 141 shown in solid line block in fig. 14 and the processor 141 shown in dashed line block, and the two interface circuits include the interface circuit 142 shown in solid line block in fig. 14 and the interface circuit 142 shown in dashed line block. This is not limitative.
The processor 141 and the interface circuit 142 may be interconnected by wires. For example, interface circuit 142 may be used to receive signals (e.g., instructions stored in a memory, etc.). Also for example, interface circuit 142 may be used to send signals to other devices, such as processor 141. Illustratively, interface circuit 142 may read instructions stored in a memory and send the instructions to processor 141. The instructions, when executed by processor 141, may cause the apparatus that creates the secure page table or the apparatus that accesses memory to perform the various steps in the embodiments described above. Of course, the chip system 140 may also include other discrete devices, which is not specifically limited in this embodiment.
Another embodiment of the present application further provides a computer-readable storage medium, where instructions are stored, and when the instructions are executed on a device for creating a secure page table or a device for accessing a memory, the device for creating a secure page table or the device for accessing a memory performs the steps performed by the device for creating a secure page table or the device for accessing a memory in the method flows shown in the foregoing method embodiments.
In some embodiments, the disclosed methods may be implemented as computer program instructions encoded on a computer-readable storage medium in a machine-readable format or encoded on other non-transitory media or articles of manufacture.
Fig. 15 schematically illustrates a conceptual partial view of a computer program product including a computer program for executing a computer process on a computing device provided by an embodiment of the application.
In one embodiment, the computer program product is provided using a signal bearing medium 150. The signal bearing medium 150 may include one or more program instructions that, when executed by one or more processors, may provide the functions or portions of the functions described above with respect to fig. 8 or 9. Thus, for example, one or more features described with reference to S101-S102 in FIG. 8, or with reference to S201-S203 in FIG. 9, may be undertaken by one or more instructions associated with the signal bearing medium 150. Further, the program instructions in FIG. 15 also describe example instructions.
In some examples, signal bearing medium 150 may comprise a computer readable medium 151, such as, but not limited to, a hard disk drive, a Compact Disc (CD), a Digital Video Disc (DVD), a digital tape, a memory, a read-only memory (ROM), a Random Access Memory (RAM), or the like.
In some embodiments, the signal bearing medium 150 may comprise a computer recordable medium 152 such as, but not limited to, a memory, a read/write (R/W) CD, a R/W DVD, and the like.
In some implementations, the signal bearing medium 150 may include a communication medium 153, such as, but not limited to, a digital and/or analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communications link, a wireless communication link, etc.).
The signal bearing medium 150 may be conveyed by a wireless form of communication medium 153, such as a wireless communication medium conforming to the IEEE 1502.11 standard or other transmission protocol. The one or more program instructions may be, for example, computer-executable instructions or logic-implementing instructions.
In some examples, a device that accesses memory, such as the device that creates secure page tables for fig. 8 or the device described for fig. 9, may be configured to provide various operations, functions, or actions in response to being programmed by one or more program instructions in computer-readable medium 151, computer-recordable medium 152, and/or communication medium 153.
It should be understood that the arrangements described herein are for illustrative purposes only. Thus, those skilled in the art will appreciate that other arrangements and other elements (e.g., machines, interfaces, functions, orders, and groupings of functions, etc.) can be used instead, and that some elements may be omitted altogether depending upon the desired results. In addition, many of the described elements are functional entities that may be implemented as discrete or distributed components or in conjunction with other components, in any suitable combination and location.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented using a software program, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The processes or functions according to the embodiments of the present application are generated in whole or in part when the instructions are executed on and by a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device.
The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). Computer-readable storage media can be any available media that can be accessed by a computer or can comprise one or more data storage devices, such as servers, data centers, and the like, that can be integrated with the media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.
Claims (24)
1. A method of creating a secure page table, for use in a processor having a first process running thereon, the method comprising:
allocating a first physical page;
when the first physical page is not allocated to any one security process as a security space, an nth-level page table in a first security page table is created for the first process based on the first physical page; the first secure page table is used for converting a virtual address of the first process into a physical address by the processor when the first process accesses a memory; the first secure page table is an n-level page table, the n being a positive integer.
2. The method of claim 1, wherein when the first physical page is not allocated to any one of the security processes as a security space, creating an nth-level page table in a first security page table for the first process based on the first physical page, specifically comprising:
determining, by a preset module, that the first physical page is not allocated to any one of the security processes as a security space, where the preset module includes an operating firmware or a preset microcode;
and based on the first physical page, creating an nth level page table in a first safe page table for the first process through the preset module.
3. The method of claim 2, further comprising:
and writing the first secure page table into a first secure area in the memory through the preset module.
4. The method according to any one of claims 1-3, further comprising:
when the first physical page is not allocated to any one security process as a security space and is used as a non-security space of the first process, setting a tag corresponding to the first physical page in a security bitmap as a first value; alternatively, the first and second electrodes may be,
when the first physical page is not allocated to any one security process as a security space, the first process is a security process, and the first physical page is used as the security space of the first process, setting a tag corresponding to the first physical page in a security bitmap as a second value;
for any tag in the security bitmap, if the value of the any tag is the first value, it indicates that a physical page corresponding to the any tag is not allocated to a security process as a security space; and if the value of any tag is the second value, indicating that the physical page corresponding to any tag is allocated to a security process as a security space.
5. The method of claim 4, wherein the security bitmap is stored in a second secure region in the memory.
6. The method according to any one of claims 1-5, further comprising:
and when the first physical page is allocated to any one security process as a security space, determining that the creation of the nth-level page table fails.
7. The method of any of claims 1-6, wherein prior to said allocating the first physical page, the method further comprises:
creating a first n-1 level page table of the first secure page table.
8. The method for accessing the memory is applied to a processor, wherein the processor runs a first process, and the first process corresponds to a first secure page table; the first secure page table is stored in a first secure region of the memory, the first secure page table being an n-level page table, n being a positive integer; the method comprises the following steps:
determining whether each of the stages of page tables in the first secure page table is within the first secure region;
if each level of page tables in the first secure page table is in the first secure region, determining a physical address corresponding to a virtual address of the first process based on a base address of an nth level of page tables in the first secure page table;
accessing the memory based on the physical address.
9. The method of claim 8, wherein the determining whether each of the stages of the first secure page tables is within the first secure region further comprises:
obtaining a first base address, the first base address being a base address of a first stage page table in the first secure page table;
determining a base address of each stage of a last n-1 stage page table in the first secure page table based on the virtual address of the first process and the first base address.
10. The method according to claim 9, wherein the obtaining the first base address specifically includes:
if the first process is a security process, acquiring the first base address from a register corresponding to the security process; alternatively, the first and second electrodes may be,
and if the first process is an unsafe process, acquiring the first base address from a register corresponding to the unsafe process.
11. The method according to any one of claims 8-10, further comprising:
and if any one of the first safe page tables is not in the safe area, ending the access to the memory.
12. An apparatus for creating a secure page table, applied to a processor running a first process, the apparatus comprising:
an allocation unit for allocating a first physical page;
a creating unit, configured to create an nth-level page table in a first secure page table for the first process based on the first physical page when the first physical page is not allocated to any one secure process as a secure space; the first secure page table is used for converting a virtual address of the first process into a physical address by the processor when the first process accesses a memory; the first secure page table is an n-level page table, the n being a positive integer.
13. The apparatus according to claim 12, wherein the apparatus further comprises a determining unit;
the determining unit is configured to determine, by a preset module, that the first physical page is not allocated to any one of the security processes as a security space, where the preset module includes an operating firmware or a preset microcode;
the creating unit is specifically configured to create, based on the first physical page, an nth-level page table in a first secure page table for the first process through the preset module.
14. The apparatus of claim 13, further comprising a write unit;
the writing unit is configured to write the first secure page table into a first secure area in the memory through the preset module.
15. The apparatus according to any one of claims 12-14, wherein the apparatus further comprises a setting unit; the setting unit is used for:
when the first physical page is not allocated to any one security process as a security space and is used as a non-security space of the first process, setting a tag corresponding to the first physical page in a security bitmap as a first value; alternatively, the first and second electrodes may be,
when the first physical page is not allocated to any one security process as a security space, the first process is a security process, and the first physical page is used as the security space of the first process, setting a tag corresponding to the first physical page in a security bitmap as a second value;
for any tag in the security bitmap, if the value of the any tag is the first value, it indicates that a physical page corresponding to the any tag is not allocated to a security process as a security space; and if the value of any tag is the second value, indicating that the physical page corresponding to any tag is allocated to a security process as a security space.
16. The apparatus of claim 15, wherein the security bitmap is stored in a second secure region in the memory.
17. The apparatus of any one of claims 12-16,
the determining unit is further configured to determine that creating the nth level page table fails when the first physical page is allocated to any one of the security processes as a security space.
18. The apparatus of any one of claims 12-17,
the creating unit is further configured to create a first n-1 level page table of the first secure page table before the allocating unit allocates the first physical page.
19. The device for accessing the memory is applied to a processor, wherein the processor runs a first process, and the first process corresponds to a first secure page table; the first secure page table is stored in a first secure region of the memory, the first secure page table being an n-level page table, n being a positive integer; the device comprises:
a determining unit to determine whether each of the stages of the first secure page tables is within the first secure region; and if each of the first secure page tables is within the first secure region, determining a physical address corresponding to the virtual address of the first process based on the base address of the nth page table in the first secure page table;
and the access unit is used for accessing the memory based on the physical address.
20. The apparatus of claim 19, further comprising an acquisition unit;
the obtaining unit is configured to obtain a first base address before the determining unit determines whether each of the stages of the first secure page tables is within the first secure region, where the first base address is a base address of a first stage page table in the first secure page table;
the determining unit is further configured to determine, based on the virtual address of the first process and the first base address, a base address of each of the last n-1 level page tables in the first secure page table.
21. The apparatus according to claim 20, wherein the obtaining unit is specifically configured to:
if the first process is a security process, acquiring the first base address from a register corresponding to the security process; alternatively, the first and second electrodes may be,
and if the first process is an unsafe process, acquiring the first base address from a register corresponding to the unsafe process.
22. The apparatus of any one of claims 19-21,
the access unit is further configured to end the memory access if any one of the first secure page tables is not in the secure region.
23. A processor for invoking a computer instruction stored on a memory to perform the method of any one of claims 1 to 11.
24. A computer-readable storage medium, having stored thereon a computer program which, when run on a computer, causes the computer to perform the method of any one of claims 1 to 11.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010865253.0A CN114116524A (en) | 2020-08-25 | 2020-08-25 | Method and device for creating secure page table and accessing memory |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010865253.0A CN114116524A (en) | 2020-08-25 | 2020-08-25 | Method and device for creating secure page table and accessing memory |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114116524A true CN114116524A (en) | 2022-03-01 |
Family
ID=80374033
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010865253.0A Pending CN114116524A (en) | 2020-08-25 | 2020-08-25 | Method and device for creating secure page table and accessing memory |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114116524A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115422554A (en) * | 2022-10-25 | 2022-12-02 | 支付宝(杭州)信息技术有限公司 | Request processing method, compiling method and trusted computing system |
-
2020
- 2020-08-25 CN CN202010865253.0A patent/CN114116524A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115422554A (en) * | 2022-10-25 | 2022-12-02 | 支付宝(杭州)信息技术有限公司 | Request processing method, compiling method and trusted computing system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109002706B (en) | In-process data isolation protection method and system based on user-level page table | |
| JP4219964B2 (en) | Bridge, processor unit, information processing apparatus, and access control method | |
| US20170329618A1 (en) | Modification of write-protected memory using code patching | |
| CN105247494A (en) | Instruction set specific execution isolation | |
| US9858199B1 (en) | Memory management unit for shared memory allocation | |
| US10365825B2 (en) | Invalidation of shared memory in a virtual environment | |
| CN112148418A (en) | Method, apparatus, device and medium for accessing data | |
| CN110928737B (en) | Method and device for monitoring memory access behavior of sample process | |
| US10310759B2 (en) | Use efficiency of platform memory resources through firmware managed I/O translation table paging | |
| CN114880074A (en) | Memory management method and device of virtual machine and electronic equipment | |
| CN113672237B (en) | Program compiling method and device for preventing memory boundary crossing | |
| CN113485716B (en) | Program compiling method and device for preventing memory boundary crossing | |
| CN114116524A (en) | Method and device for creating secure page table and accessing memory | |
| CN114691532A (en) | Memory access method, memory address allocation method and device | |
| US9639477B2 (en) | Memory corruption prevention system | |
| US5991895A (en) | System and method for multiprocessor partitioning to support high availability | |
| US20230281113A1 (en) | Adaptive memory metadata allocation | |
| CN109446755B (en) | Kernel hook function protection method, device, equipment and storage medium | |
| JP4478458B2 (en) | Method and apparatus for accessing an input / output device using desired security | |
| CN112115521A (en) | Data access method and device | |
| US20040193832A1 (en) | Physical mode windows | |
| CN107766259B (en) | Page table cache access method, page table cache, processor chip and storage unit | |
| CN117349197A (en) | Memory management unit and memory access method | |
| US11307999B2 (en) | Data cache segregation for spectre mitigation | |
| US11243864B2 (en) | Identifying translation errors |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |