CN114117484B - Device for improving host cache data security and cache data reading and writing method and device - Google Patents

Info

Publication number: CN114117484B
Authority: CN (China)
Prior art keywords: data, cache, host, encryption, host cache
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Application number: CN202111388870.7A
Other languages: Chinese (zh)
Other versions: CN114117484A (en
Inventor: 巴书法, 滕向阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Green Crystal Semiconductor Technology Beijing Co ltd
Original Assignee: Green Crystal Semiconductor Technology Beijing Co ltd
Application filed by Green Crystal Semiconductor Technology Beijing Co ltd
Priority to CN202111388870.7A
Publication of CN114117484A
Application granted
Publication of CN114117484B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0602 Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/062 Securing storage systems
    • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0655 Vertical data movement, i.e. input-output transfer; data movement between one or more hosts and one or more storage devices
    • G06F3/0668 Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/0671 In-line storage system
    • G06F3/0673 Single storage device
    • G06F3/0674 Disk device
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application relates to a device for improving host cache data security, comprising a transmission control unit, a verification module and an encryption and decryption module. The transmission control unit, the verification module and the encryption and decryption module are all suitable for being loaded in a storage hard disk which performs data interaction with a host cache, and are electrically connected in sequence. The transmission control unit is suitable for being in communication connection with an on-chip cache module in the storage hard disk and is configured to transmit and exchange data between the storage hard disk and the host cache; the verification module is configured to check data transmitted between the storage hard disk and the host cache; and the encryption and decryption module is configured to encrypt the data written into the host cache by the storage hard disk and decrypt the data read from the host cache to the storage hard disk. The device and method effectively prevent on-chip cache data from being analyzed and cracked after it is stored in the host cache, and greatly reduce the risk of user data leakage.

Description

Device for improving host cache data security and cache data reading and writing method and device
Technical Field
The present application relates to the field of data security technologies, and in particular, to an apparatus for improving host cache data security, and a method and an apparatus for reading and writing cache data.
Background
HMB stands for Host Memory Buffer, a host memory caching technology that lets an SSD (solid state disk) use the high-speed read/write characteristics of host memory to improve its own performance without the help of DRAM (dynamic random access memory), ultimately achieving performance equivalent to an SSD with DRAM. When an NVMe SSD that supports the HMB function is read or written, the function can be enabled automatically to improve and optimize performance. The principle of the HMB technology is that a cache area is reserved in the memory of the host for the exclusive use of the SSD. This area occupies only a small part of the PC memory, and sufficient memory remains to coordinate and complete data exchange between the CPU and the SSD.
To cache as much of the SSD's internal mapping table as possible, the SSD management unit usually stores the internal mapping table temporarily in the HMB to speed up retrieval and loading. In the general case, however, the mapping table data is stored in the host HMB cache in plaintext, which makes the mapping table information easy to analyze and crack and creates a serious risk of user data leakage.
Disclosure of Invention
In view of this, the present application provides an apparatus for improving host cache data security, which can effectively improve security of user data cache and prevent leakage of user data.
According to an aspect of the present application, there is provided an apparatus for improving host cache data security, including a transmission control unit, a verification module and an encryption and decryption module;
the transmission control unit, the verification module and the encryption and decryption module are all suitable for being loaded in a storage hard disk which performs data interaction with a host cache;
the transmission control unit, the verification module and the encryption and decryption module are electrically connected in sequence;
the transmission control unit is suitable for being in communication connection with an on-chip cache module in the storage hard disk and is configured to perform transmission exchange of data between the storage hard disk and the host cache;
the verification module is configured to check data transmitted between the storage hard disk and the host cache;
the encryption and decryption module is configured to encrypt data written into the host cache by the storage hard disk and decrypt data read from the host cache to the storage hard disk.
In one possible implementation manner, the encryption and decryption module includes a key list submodule, an encryption and decryption configuration register, a key generator and an encryption and decryption operation submodule;
the key list submodule is configured to store an initial key pre-allocated to each cache page in the storage hard disk;
the configuration register is configured to hold the start page information and feature word information for the data currently being written or read;
the key generator is configured to perform an operation on the initial key selected from the key list submodule and the configured feature word information to generate a corresponding key;
and the encryption and decryption operation submodule is configured to encrypt the currently written data or decrypt the currently read data according to the key generated by the key generator.
In one possible implementation, the verification module checks the data transferred between the storage hard disk and the host cache based on a CRC16 algorithm.
According to another aspect of the present application, there is provided a host cache data writing method for writing cache data in a storage hard disk into a host cache by using any one of the above apparatuses, including:
the checking module checks the cache data which is written into the host cache currently to generate end-to-end protection information;
the encryption and decryption module encrypts the cache data to generate a corresponding ciphertext;
and the transmission control unit acquires the ciphertext generated by the encryption and decryption module and writes the ciphertext into the host cache.
In a possible implementation manner, the encryption and decryption module encrypts the cache data and generates the corresponding ciphertext according to the management pages of the host cache and the initial encryption key corresponding to each management page.
In a possible implementation manner, to obtain the management pages of the host cache and the initial encryption key corresponding to each management page, a CPU in the storage hard disk acquires the management page information of the host cache, and the corresponding initial encryption key is obtained according to the acquired management page information.
According to another aspect of the present application, there is provided a method for reading data in a host cache to a storage hard disk by using the apparatus described in any one of the preceding paragraphs, including:
the encryption and decryption module decrypts the data read from the host cache at present to obtain a corresponding decrypted ciphertext;
the verification module verifies the decrypted ciphertext, and when the verification result is correct, the decrypted ciphertext is transmitted to the transmission control unit;
and the transmission control unit forwards the decrypted ciphertext to an on-chip cache module of the storage hard disk.
In a possible implementation manner, when the verification module verifies the decrypted ciphertext, the verification module compares a verification code in the decrypted ciphertext with a verification code generated when the data is written into the host cache.
In a possible implementation manner, when the encryption and decryption module decrypts the data currently read from the host cache, the decryption is performed based on an initial encryption key corresponding to a management page of the data in the host cache.
According to another aspect of the present application, there is also provided an apparatus for improving security of host cache data, including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to carry out the executable instructions to implement any of the methods described above.
In this application, the device for improving host cache data security is added to the storage hard disk. The transmission control unit of the device is electrically connected with the on-chip cache module in the storage hard disk, and the encryption and decryption module serves as the data interaction interface that communicates with the host cache. As a result, when the storage hard disk uses the HMB technology and data in the on-chip cache module is cached to the host cache, the verification module generates a corresponding check code for the on-chip cache data, the encryption and decryption module encrypts the on-chip cache data to obtain the corresponding ciphertext, and the ciphertext is then cached to the host cache. The on-chip cache data is thus stored in the host cache as ciphertext, which effectively prevents it from being analyzed and cracked after it is stored in the host cache and greatly reduces the risk of user data leakage.
Other features and aspects of the present application will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments, features, and aspects of the application and, together with the description, serve to explain the principles of the application.
Fig. 1 is a block diagram illustrating the structure of an apparatus for improving security of host cache data according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram illustrating the encryption and decryption module in the apparatus for improving security of host cache data according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of the connection between a host and an SSD according to an embodiment of the present application;
Fig. 4 is a flowchart illustrating a host cache data writing method according to an embodiment of the present application;
Fig. 5 is a schematic diagram illustrating the encryption and decryption keys assigned by HMB cache page number in the apparatus for improving security of host cache data according to an embodiment of the present application;
Fig. 6 is a flowchart illustrating a host cache data reading method according to an embodiment of the present application;
Fig. 7 is a block diagram of a device for improving security of host cache data according to an embodiment of the present application.
Detailed Description
Various exemplary embodiments, features and aspects of the present application will be described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers can indicate functionally identical or similar elements. While the various aspects of the embodiments are presented in drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used exclusively herein to mean "serving as an example, embodiment, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
Furthermore, in the following detailed description, numerous specific details are set forth in order to provide a better understanding of the present application. It will be understood by those skilled in the art that the present application may be practiced without some of these specific details. In some instances, methods, means, elements and circuits that are well known to those skilled in the art have not been described in detail so as not to obscure the present application.
Fig. 1 is a block diagram illustrating an apparatus for improving security of host cache data according to an embodiment of the present application. As shown in fig. 1, the apparatus for improving the security of host cache data includes: a transmission control unit 110, a verification module 120 and an encryption and decryption module 130.
Here, it should be noted that the apparatus for improving host cache data security according to the embodiment of the present application is suitable for being configured in a storage hard disk (e.g., an SSD), where it interacts with the on-chip cache and the CPU of the SSD. When the SSD stores data by using the HMB technology, data to be written into the host cache can be encrypted by the apparatus, so that the data is stored in the host cache as ciphertext, which effectively improves the security of host cache data.
Specifically, referring to fig. 1, the apparatus for improving host cache data security according to the embodiment of the present application includes a transmission control unit 110, a verification module 120, and an encryption/decryption module 130. The transmission control unit 110, the verification module 120 and the encryption and decryption module 130 are electrically connected in sequence.
The transmission control unit 110 is configured to perform transmission and exchange of data between the storage hard disk and the host cache, is suitable for communication connection with the on-chip cache module in the storage hard disk, and is mainly responsible for managing transmission and exchange of internal cache data and host-side HMB cache data, so as to ensure efficient data transmission and reduce CPU load.
The verification module 120 is configured to verify data transmitted between the storage hard disk and the host cache, and specifically includes: when data of the on-chip cache module is written into the host cache, corresponding check codes are generated for the on-chip cache data, and when the data cached by the host is read into the on-chip cache module, the read data is checked, so that an end-to-end protection function is realized.
The encryption and decryption module 130, as a data encryption unit, is adapted to be in communication connection with the host cache, and is configured to encrypt data written from the storage hard disk into the host cache and decrypt data read from the host cache into the storage hard disk.
Therefore, the device for improving host cache data security of the embodiment of the application is added to the storage hard disk, the transmission control unit 110 of the device is electrically connected with the on-chip cache module in the storage hard disk, and the encryption and decryption module 130 serves as the data interaction interface that communicates with the host cache. When the storage hard disk uses the HMB technology and data in the on-chip cache module is cached to the host cache, the verification module 120 generates a corresponding check code for the on-chip cache data, the encryption and decryption module 130 encrypts the on-chip cache data to obtain the corresponding ciphertext, and the ciphertext is then cached to the host cache. The on-chip cache data is thus stored in the host cache as ciphertext, which effectively prevents it from being analyzed and cracked after it is stored in the host cache and greatly reduces the risk of user data leakage.
Moreover, according to the device for improving host cache data security provided by the embodiment of the application, when the data cached in the host cache is read out by the storage hard disk, the data stored in a ciphertext form is decrypted through the encryption and decryption module 130, and then the plaintext data obtained after decryption is verified through the verification module 120, so that the read data is ensured to be the data originally cached in the host cache, the situation of reading wrong data is effectively prevented, and deviation or error of user data read by the SSD is avoided.
In a possible implementation manner, the transmission control unit 110 may be directly implemented by using a circuit module with a data transmission switching function, which is conventional in the art, and is not specifically limited herein.
In addition, in the apparatus for improving host cache data security provided in the embodiment of the present application, when the checking module 120 is configured to check data transmitted between the storage hard disk and the host cache, the checking may be performed based on a CRC16 algorithm, and may also be implemented by using a simple xor check code or a CRC32 algorithm.
For example, when the CRC16 algorithm is used to check data transmitted between the storage hard disk and the host cache, the check mainly consists of two parts. The first part: when the on-chip cache data of the on-chip cache module in the storage hard disk is cached to the host cache (i.e., data is written into the host cache), a CRC16 operation is performed on the on-chip cache data that is about to be written into the host cache, a corresponding check code is generated, and the check code is stored.
The second part: when the data stored in the host cache is read into the on-chip cache of the storage hard disk (i.e., data is read from the host cache), the encryption and decryption module 130 first decrypts the read data, and the verification module 120 then performs a CRC16 operation on the decrypted plaintext data to obtain a corresponding check code and compares it with the check code generated when the data was written into the host cache. When the check code generated when the data was written into the host cache is consistent with the check code generated after the data is read out from the host cache, the data currently read is accurate, has not been tampered with, and can be used normally. When the two check codes are inconsistent, this indicates that the read data may have been tampered with and deviates from the content that was written into the host cache; an error processing flow may then be entered, so that the SSD does not perform calculations on wrong data.
In addition, in the apparatus for improving host cache data security according to the embodiment of the present application, the encryption and decryption module 130 is a core part for improving data security, which may be implemented in the following manner.
That is, referring to Fig. 2, in one possible implementation, the encryption and decryption module includes a key list submodule, an encryption and decryption configuration register, a key generator, and an encryption and decryption operation submodule. The key list submodule is configured to store an initial key pre-allocated to each cache page in the storage hard disk. The configuration register is configured to hold the start page information and feature word information for the data currently being written or read. The key generator is configured to perform an operation on the initial key selected from the key list submodule and the configured feature word information to generate a corresponding key. The encryption and decryption operation submodule is configured to encrypt the currently written data or decrypt the currently read data according to the key generated by the key generator.
The initial keys stored in the key list submodule, one configured for each cache page of the storage hard disk, are kept in list form. That is, each initial key is stored in a key list in one-to-one correspondence with its cache page. In other words, the key list is the device memory space used to store the pre-allocated initial keys corresponding to the HMB memory pages.
The transmission control unit sends the page number, the page length, the key starting address and the page feature word of the current transmission to the encryption and decryption configuration register to configure the key information involved in the current encryption and decryption.
After the device starts a transfer, the key generator continuously fetches the key information and performs a scrambling operation that combines the selected key with the feature word. The update count of the HMB page can be chosen as the feature word, and this scrambling design greatly improves security: even for the same data, the generated ciphertext differs when the update count differs.
The finally generated key is sent to the encryption and decryption operation submodule, which completes the encryption or decryption. Here, it should be noted that, when the encryption and decryption operation submodule performs the encryption or decryption operation based on the finally generated key, it may be implemented by using a simple XOR algorithm.
Correspondingly, based on any one of the above devices for improving the host cache data security, the present application also provides a host cache data writing method. It should be noted that the host cache data writing method provided by the present application is implemented mainly based on any one of the aforementioned devices for improving host cache data security.
That is to say, the host cache data writing method provided by the present application mainly refers to a process of caching on-chip cache data of a storage hard disk into a host cache by using an HMB technology. The storage hard disk is provided with any one of the above devices for improving host cache data security (as shown in fig. 3).
Referring to Fig. 4, the host cache data writing method provided by the present application includes: step S100, the verification module 120 checks the cache data currently to be written into the host cache, and generates end-to-end protection information. Then, in step S200, the encryption and decryption module 130 encrypts the cache data to generate a corresponding ciphertext. Finally, in step S300, the transmission control unit 110 obtains the ciphertext generated by the encryption and decryption module 130, and writes the ciphertext into the host cache.
When encrypting the cache data to generate the corresponding ciphertext, the encryption and decryption module 130 does so according to the management pages of the host cache and the initial encryption key corresponding to each management page.
That is to say, in the host cache data writing method according to the embodiment of the present application, when performing encryption processing on the cache data to be written into the host cache, the encryption/decryption module 130 performs encryption processing based on the management page to be written into the host cache by the cache data.
That is, the specific position in the host cache to which the cache data is to be written is obtained, and the cache data is then encrypted according to the initial encryption key corresponding to that position to generate the corresponding ciphertext data.
Here, it should be noted that the specific position in the host cache to which the cache data is currently written refers to the management page of the host cache to which the cache data is currently being written. As will be understood by those skilled in the art, the host cache usually has multiple management pages, and different management pages are distinguished by different page numbers.
Referring to Fig. 5, in a possible implementation manner, each management page of the host cache is provided with a corresponding initial encryption key. For example, the management pages in the host cache include HMB page 1, HMB page 2, HMB page 3, ..., HMB page N. Correspondingly, the initial encryption key of HMB page 1 is key 1, the initial encryption key of HMB page 2 is key 2, the initial encryption key of HMB page 3 is key 3, ..., and the initial encryption key of HMB page N is key N.
Therefore, when the encryption and decryption module 130 encrypts the on-chip cache data that is currently to be written into the host cache, the on-chip cache data is directly encrypted according to the initial encryption key corresponding to the management page that is to be written into the host cache by the on-chip cache data.
The on-chip cache data is encrypted according to the initial encryption key corresponding to the management page to be written into the host cache, so that a host cache partition protection mechanism is realized, and the security and the concealment of the host cache data are further improved.
Furthermore, to obtain the management pages of the host cache and the initial encryption key corresponding to each management page, a Central Processing Unit (CPU) in the storage hard disk acquires the management page information of the host cache, and the corresponding initial encryption key is obtained according to the acquired management page information.
As shown in Fig. 4, before data is written into the host cache, the management page information of the host cache is first acquired in step S001. Here, as will be understood by those skilled in the art, the acquired management page information of the host cache refers to the HMB management page information of the host cache. Specifically, the HMB management page information includes information such as the HMB page number and the HMB page feature word corresponding to the disk logical space.
In step S002, the corresponding initial key information is obtained according to the obtained management page information cached by the host. The initial key information comprises an initial key page number and an initial key address, and as each management page in the host cache is correspondingly provided with a corresponding key, each management page and the corresponding key can be stored in the database in advance, so that after the specific management page information is acquired, the matched initial encryption key can be searched in the database according to the specific management page information.
In one possible implementation manner, each management page of the host cache and the corresponding initial encryption key may be stored in a mapping table, or may be stored in another manner.
Then, in step S003, the obtained initial encryption key information is set in the transmission control unit 110. Here, as will be understood by those skilled in the art, this means that the initial encryption key information is written into a hardware register of the transmission control unit.
Further, in step S004, the cache address information of the host cache management page into which the on-chip cache data is to be written, and the transmission length, are set. Then, in step S005, the write transmission is started, so that the transmission control unit 110 obtains the corresponding on-chip cache data from the on-chip cache module of the storage hard disk and transmits it according to the currently set transmission length.
When the transmission control unit 110 transmits the on-chip cache data according to the set transmission length, the transmission control unit 110 first transmits the on-chip cache data to the check module 120, and the check module 120 performs corresponding processing on the on-chip cache data to generate end-to-end protection information (i.e., a check code). Then, the encryption/decryption module 130 encrypts the on-chip cache data according to the generated encryption key to obtain corresponding ciphertext data. Here, as can be understood by those skilled in the art, the encryption key used when the encryption/decryption module 130 encrypts the on-chip cache data is generated by performing a scrambling operation on the initial encryption key corresponding to the selected management page and combining with the corresponding feature word information.
Finally, the encryption and decryption module 130 writes the obtained ciphertext data into the management page of the host cache according to the set cache address information. The encryption key used by the encryption/decryption module 130 to encrypt the on-chip cache data may be directly read by the CPU.
Furthermore, based on the above device for improving host cache data security, the present application also provides a host cache data reading method. The host cache data reading method of the embodiment of the application mainly comprises the process of reading the data stored in the host cache into the storage hard disk through any one of the devices for improving host cache data security described above.
It will be understood by those skilled in the art that the specific process of the host cache data reading method corresponds to the specific process of the host cache data writing method described above.
Referring to fig. 6, the method for reading host cache data according to the embodiment of the present application includes the following steps. In step S100', the encryption/decryption module 130 decrypts the data currently read from the host cache to obtain a corresponding decrypted ciphertext. In step S200', the verification module 120 verifies the decrypted ciphertext, and transmits the decrypted ciphertext to the transmission control unit 110 when the verification result is correct. In step S300', the transmission control unit 110 forwards the decrypted ciphertext to the on-chip cache module of the storage hard disk.
When the encryption/decryption module 130 decrypts the data currently read from the host cache, the cache data read in ciphertext format may be decrypted by performing the reverse operation with the initial encryption key corresponding to the host cache management page.
Meanwhile, in a possible implementation manner, the initial encryption key corresponding to the management page cached by the host may also be obtained by the CPU of the storage hard disk.
That is, referring to fig. 6, before data reading starts, the management page information of the host cache is first acquired by the CPU of the storage hard disk in step S001'. Here, it should be noted that the principle and implementation of acquiring the management page information of the host cache are the same as or similar to those used when on-chip cache data is written to the host cache. The difference is that, when data is read from the host cache, the management page information acquired is that of the management page in which the data to be read is cached.
After the management page information of the data to be read currently in the host cache is obtained, in step S002', a corresponding initial encryption key is obtained according to the obtained management page information. According to the foregoing, each management page in the host cache is correspondingly provided with a corresponding initial encryption key, and each management page and the corresponding initial encryption key can be pre-stored in the database, so that after specific management page information is acquired, a matched key is searched for from the database according to the specific management page information.
In a possible implementation manner, each management page of the host cache and the corresponding initial key may be stored in a mapping table, or may be stored in another manner, and the storage manner of each management page of the host cache and the corresponding key data is not particularly limited in this application.
After obtaining the initial key information corresponding to the management page of the cached data to be currently read in the host cache, the obtained initial key information is set to the transmission control unit 110 in step S003', the cache address information and the transmission length when the cached data is read by the host cache are set in step S004', and then step S005' is performed to start the read transmission.
After the read transmission is started, step S100' may be executed, in which the encryption and decryption module 130 reads corresponding cache data from the host cache according to the set cache address information, and decrypts the read cache data.
When the encryption/decryption module 130 decrypts the data currently read from the host cache, the decryption may be performed based on the initial encryption key corresponding to the management page of the data in the host cache.
Specifically, when the cache data is decrypted, the transmission control unit 110 may directly read the encryption key corresponding to the management page where the cache data is located, and then perform an encryption reverse operation based on the read encryption key to decrypt the read cache data, so as to obtain the plaintext data of the cache data.
After the plaintext data is obtained, the verification module 120 verifies the decrypted plaintext data in step S200'. Here, it should be noted that when the cache data is written into the host cache, a corresponding check code is generated and stored in the on-chip cache module, and the check codes of different cache data are marked with different identifiers, so that each check code can be matched to its cache data.
Thus, when the decrypted ciphertext is verified by the verification module 120, this is done by comparing the check code in the decrypted ciphertext with the check code that was generated for the data when it was written to the host cache.
Specifically, when the check module 120 checks the decrypted plaintext data, the corresponding check code may be read from the on-chip cache module according to the data identifier in the plaintext data, and the plaintext data is then checked based on the read check code.
When the check result is accurate (that is, when the check code regenerated for the plaintext data is identical to the check code read from the on-chip cache module), the currently read cache data is accurate and is the data originally written into the host cache, so that the transmission control unit 110 may directly write the plaintext data obtained by decryption into the on-chip cache module according to the set transmission length in step S300'.
When the check result is inaccurate (that is, when the check code regenerated for the plaintext data is inconsistent with the check code read from the on-chip cache module), the currently read cache data is inconsistent with the original data previously written into the host cache and a deviation has occurred. In this case, to avoid erroneous data operations caused by writing erroneous data into the on-chip cache module, the error processing flow is entered through step S400'.
Therefore, when data is written into the host cache, the host cache data writing method according to the embodiment of the present application encrypts the data to be written through the encryption and decryption module 130, so that the data is stored in the host cache in the form of a ciphertext, which effectively prevents the data from being analyzed and decrypted. In addition, the data written into a management page of the host cache is encrypted with the encryption key corresponding to that management page, so that an HMB partition protection mechanism controlled by firmware is implemented, which further improves the security and concealment of the data in the host cache.
Meanwhile, when data is written into the host cache, the corresponding check code is generated through the set check module 120, so that when the data is read from the host cache, the read data is checked by the check module 120 according to the check code when the data is written, and the end-to-end protection of the data is increased. Therefore, even if the data is tampered after being written into the host cache, the management unit in the SSD can detect the condition that the data is modified in time, so that the condition that wrong data is adopted for operation is avoided, and the fault tolerance and the safety of the system are greatly improved.
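The write flow (steps S001 to S005) and the read flow (steps S100' to S400') described above can be modelled as follows. This Python example is an added illustration and is not code from the patent or its applicant. The CRC-16 variant, the HMAC-based key derivation, the SHA-256 counter-mode cipher, the constructed per-page keys, the data identifier passed as an argument, and all names are assumptions, because the description does not specify them.

```python
import binascii
import hashlib
import hmac


class CheckCodeMismatch(Exception):
    """Read-back data does not match the check code recorded at write time."""


def crc16(data: bytes) -> int:
    # The description says "CRC16" without naming a variant; CRC-16/CCITT-FALSE is assumed.
    return binascii.crc_hqx(data, 0xFFFF)


def derive_key(initial_key: bytes, feature_word: bytes) -> bytes:
    # Assumed stand-in for the key generator's unspecified "scrambling operation".
    return hmac.new(initial_key, feature_word, hashlib.sha256).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    # Assumed stand-in cipher (SHA-256 in counter mode); the hardware cipher is not named.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class HmbGuard:
    """Models units 110/120/130: the key list and check codes never leave the SSD."""

    def __init__(self, page_count: int):
        # Key list submodule: one constructed initial key per management page.
        self.key_list = {p: hashlib.sha256(b"constructed-key-%d" % p).digest()
                         for p in range(page_count)}
        self.check_codes = {}  # on-chip cache: data identifier -> check code

    def write(self, host_cache, page, feature_word, data_id, data):
        self.check_codes[data_id] = crc16(data)              # check module 120
        key = derive_key(self.key_list[page], feature_word)  # key generator
        host_cache[page] = xor_keystream(key, data)          # only ciphertext reaches the host

    def read(self, host_cache, page, feature_word, data_id):
        key = derive_key(self.key_list[page], feature_word)
        plaintext = xor_keystream(key, host_cache[page])     # S100': decrypt
        if crc16(plaintext) != self.check_codes[data_id]:    # S200': verify
            raise CheckCodeMismatch(f"page {page}, data id {data_id}")  # S400'
        return plaintext                                     # S300': to on-chip cache


def rejected(guard, host_cache, page, feature_word, data_id) -> bool:
    try:
        guard.read(host_cache, page, feature_word, data_id)
    except CheckCodeMismatch:
        return True
    return False


def demo() -> dict:
    guard = HmbGuard(page_count=2)
    host_cache = {}                          # models untrusted host memory (HMB)
    data_a = b"on-chip cache data A  " * 8   # constructed sample data
    data_b = b"on-chip cache data B  " * 8
    guard.write(host_cache, 0, b"FW-A", 1, data_a)
    guard.write(host_cache, 1, b"FW-B", 2, data_b)
    results = {"roundtrip": guard.read(host_cache, 0, b"FW-A", 1) == data_a,
               "stored_as_ciphertext": host_cache[0] != data_a}
    saved = host_cache[0]
    # Host-side modification of one bit of page 0 is caught on read.
    host_cache[0] = bytes([saved[0] ^ 0x01]) + saved[1:]
    results["tamper_detected"] = rejected(guard, host_cache, 0, b"FW-A", 1)
    host_cache[0] = saved
    # Partition protection: page-0 ciphertext placed in page 1 decrypts under
    # page 1's key to data that fails the check.
    host_cache[1] = saved
    results["relocation_detected"] = rejected(guard, host_cache, 1, b"FW-B", 2)
    return results


if __name__ == "__main__":
    print(demo())
```

CRC16 is an error-detecting code rather than a keyed MAC, so the detection shown here depends on the check codes staying in the on-chip cache module, as the description specifies.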
It should be noted that, although the apparatus for improving the security of the host cache data and the host cache data writing and reading method as described above are described by taking fig. 1 to fig. 6 as examples, those skilled in the art will understand that the present application should not be limited thereto. In fact, the user can flexibly set the specific implementation manner of each module in the device according to personal preference and/or actual application scenarios, as long as the security of data caching can be ensured when the HMB technology is used for data caching.
Still further, according to another aspect of the present application, there is also provided an apparatus 200 for improving security of host cache data. Referring to fig. 7, the apparatus 200 for improving host cache data security according to the embodiment of the present application includes a processor 210 and a memory 220 for storing instructions executable by the processor 210. Wherein the processor 210 is configured to execute the executable instructions to implement any of the above-described methods for improving security of host cache data.
Here, it should be noted that the number of the processors 210 may be one or more. Meanwhile, in the apparatus 200 for improving security of host cache data according to the embodiment of the present application, an input device 230 and an output device 240 may be further included. The processor 210, the memory 220, the input device 230, and the output device 240 may be connected via a bus, or may be connected via other methods, which is not limited in detail herein.
The memory 220, which is a computer-readable storage medium, may be used to store software programs, computer-executable programs, and various modules, such as: the program or the module corresponding to the method for improving the security of the host cache data in the embodiment of the application. The processor 210 executes various functional applications and data processing of the apparatus 200 for improving host cache data security by running software programs or modules stored in the memory 220.
The input device 230 may be used to receive an input number or signal. Wherein the signal may be a key signal generated in connection with user settings and function control of the device/terminal/server. The output device 240 may include a display device such as a display screen.
Having described embodiments of the present application, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen in order to best explain the principles of the embodiments, the practical application, or technical improvements to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (5)

1. A device for improving host cache data security, characterized in that the device is configured in an SSD and interacts with an on-chip cache and a CPU in the SSD, so that when the SSD adopts an HMB technology for data storage, data to be written into a host cache can be encrypted through the device for improving host cache data security, the device comprising: a transmission control unit, a verification module and an encryption and decryption module;
the transmission control unit, the verification module and the encryption and decryption module are all suitable for being loaded in a storage hard disk which performs data interaction with a host cache;
the transmission control unit, the verification module and the encryption and decryption module are electrically connected in sequence;
the transmission control unit is suitable for being in communication connection with an on-chip cache module in the storage hard disk and is configured to perform transmission exchange of data between the storage hard disk and the host cache;
the checking module is configured to check data transmitted between the storage hard disk and the host cache;
the encryption and decryption module is configured to encrypt data written into the host cache by the storage hard disk and decrypt data read from the host cache to the storage hard disk;
wherein the encryption and decryption module comprises: a key list submodule, an encryption and decryption configuration register, a key generator and an encryption and decryption operation submodule;
the key list submodule is configured to store an initial key pre-allocated to each cache page in the storage hard disk;
the encryption and decryption configuration register is configured to store the initial page information and the characteristic word information when data is currently written or read;
the key generator is configured to perform operation according to the initial key selected by the key list submodule and the configured characteristic word information to generate a corresponding key;
the encryption and decryption operation submodule is configured to encrypt or decrypt the currently written data or the read data according to the key generated by the key generator;
the verification module is configured to verify data transmitted between the storage hard disk and the host cache, and includes two parts, one part is: when the on-chip cache data of an on-chip cache module in a storage hard disk is cached to a host cache, performing operation on the on-chip cache data to be written into the host cache currently through a CRC16 algorithm to generate a corresponding check code and storing the check code;
the other part is as follows: when the data stored in the host cache is read into the on-chip cache of the storage hard disk, after the read data is decrypted by the encryption and decryption module, the check module performs CRC16 operation on the decrypted plaintext data by executing a CRC16 algorithm to obtain a corresponding check code, and simultaneously, the obtained check code is compared with the check code generated when the data is written into the host cache; when the check code generated when the data is written into the host cache is consistent with the check code generated after the data is read out from the host cache, the currently read data is accurate and can be normally used without being tampered; when the check codes obtained twice are inconsistent, it is indicated that the read data may be tampered, and a deviation occurs between the read data and the specific content of the data when the data is written into the host cache.
2. A host cache data writing method, performed based on a storage hard disk SSD including the apparatus of claim 1, for writing cache data in the storage hard disk into a host cache, comprising:
the checking module checks the cache data which is written into the host cache at present to generate end-to-end protection information;
the encryption and decryption module encrypts the cache data to generate a corresponding ciphertext;
the transmission control unit acquires the ciphertext generated by the encryption and decryption module and writes the ciphertext into the host cache;
and the encryption and decryption module encrypts the cache data and generates a corresponding ciphertext according to the management pages cached by the host and the initial encryption keys corresponding to the management pages.
3. The method according to claim 2, wherein the management pages of the host cache and the initial encryption keys corresponding to the management pages are obtained by acquiring the management page information of the host cache through a CPU in the storage hard disk and obtaining the corresponding initial encryption keys according to the acquired management page information.
4. A method for reading host cache data, performed based on a storage hard disk SSD including the apparatus of claim 1, to read data in the host cache to the storage hard disk, comprising:
the encryption and decryption module decrypts the data read from the host cache at present to obtain a corresponding decrypted ciphertext;
the verification module verifies the decrypted ciphertext, and transmits the decrypted ciphertext to the transmission control unit when the verification result is correct;
the transmission control unit forwards the decrypted ciphertext to an on-chip cache module of the storage hard disk;
when the verification module verifies the decrypted ciphertext, comparing a verification code in the decrypted ciphertext with a verification code generated when the data is written into the host cache;
and when the encryption and decryption module decrypts the data read from the host cache, the decryption is performed based on the initial encryption key corresponding to the management page of the data in the host cache.
5. An apparatus for improving security of host cached data, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any one of claims 2 to 4 when executing the executable instructions.
CN202111388870.7A 2021-11-22 2021-11-22 Device for improving host cache data security and cache data reading and writing method and device Active CN114117484B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111388870.7A CN114117484B (en) 2021-11-22 2021-11-22 Device for improving host cache data security and cache data reading and writing method and device

Publications (2)

Publication Number Publication Date
CN114117484A CN114117484A (en) 2022-03-01
CN114117484B true CN114117484B (en) 2023-03-17

Family

ID=80439749

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant