CN114840862A - Computing device, physical input device, physical output device, and data transmission method - Google Patents

Computing device, physical input device, physical output device, and data transmission method Download PDF

Info

Publication number
CN114840862A
CN114840862A CN202210453363.5A CN202210453363A CN114840862A CN 114840862 A CN114840862 A CN 114840862A CN 202210453363 A CN202210453363 A CN 202210453363A CN 114840862 A CN114840862 A CN 114840862A
Authority
CN
China
Prior art keywords
virtual machine
output device
data
register
input
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210453363.5A
Other languages
Chinese (zh)
Inventor
刘亚飞
刘子行
应志伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Haiguang Information Technology Co Ltd
Original Assignee
Haiguang Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Haiguang Information Technology Co Ltd filed Critical Haiguang Information Technology Co Ltd
Priority to CN202210453363.5A priority Critical patent/CN114840862A/en
Publication of CN114840862A publication Critical patent/CN114840862A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the application discloses computing equipment, physical input equipment, physical output equipment and a data transmission method, relates to the technical field of computers, and is convenient for improving the safety of data transmission between the computing equipment and the physical input and output equipment. The computing device includes: a first processor for running a virtual machine; the memory controller is electrically connected with the first processor, and a first encryption and decryption engine is arranged in the memory controller; the memory is electrically connected with the memory controller; a second processor, configured to configure a first security key for the first encryption/decryption engine and a second security key for a second encryption/decryption engine in a target physical input/output device; wherein the first security key and the second security key are the same. The method and the device are suitable for computer security technology.

Description

Computing device, physical input device, physical output device, and data transmission method
Technical Field
The present application relates to the field of computer technologies, and in particular, to a computing device, a physical input device, a physical output device, and a data transmission method.
Background
A virtual machine refers to a complete computer system with complete hardware system functionality, which is emulated by software, running in a completely isolated environment. The work that can be done in a physical computer can be implemented in a virtual machine. When creating a virtual machine in a computer, it is necessary to use a part of the hard disk and the memory capacity of the physical computer as the hard disk and the memory capacity of the virtual machine. The computer virtualization solution is adopted to abstract physical resources of the computer into logical resources, so that one computer becomes several or even hundreds of virtual computers which are isolated from each other, and hardware resources such as a CPU (central processing unit), a memory, a disk and the like become a resource pool which can be dynamically managed, so that the utilization rate of the resources is improved, the system management is simplified, and the integration of the computer resources is realized.
However, after the input/output device is configured to the computing device, when the computing device performs data interaction with the physical input/output device, in a data transmission process, data may be stolen by a malicious virtual machine manager in the computing device, so that security of data transmission between the computing device and the input/output device cannot be ensured.
Disclosure of Invention
In view of this, embodiments of the present application provide a computing device, a physical input device, a physical output device, a data transmission method and a data transmission system, which are convenient for improving security of data transmission between the computing device and the physical input/output device.
In a first aspect, an embodiment of the present application provides a computing device, including: a first processor for running a virtual machine; the memory controller is electrically connected with the first processor, and a first encryption and decryption engine is arranged in the memory controller; the memory is electrically connected with the memory controller; a second processor, configured to configure a first security key for the first encryption/decryption engine and a second security key for a second encryption/decryption engine in a target physical input/output device; wherein the first security key and the second security key are the same;
the virtual machine acquires the encrypted data encrypted by the first encryption and decryption engine from the memory through the memory controller, and writes the encrypted data into the target physical input and output device, so that the target physical input and output device can decrypt the encrypted data through the second encryption and decryption engine; or, the virtual machine sends data to be encrypted to the memory controller, and writes the data into the specified area of the memory after being encrypted by the first encryption and decryption engine, so that the target physical input and output device reads the encrypted data from the specified area and decrypts the data by the second encryption and decryption engine; or, the virtual machine receives encrypted data sent by the target physical input/output device, and decrypts the encrypted data through the first encryption/decryption engine; and the encrypted data sent by the target physical input and output device is generated by encrypting the received external input data by the second encryption and decryption engine through the target physical input and output device.
According to an implementation manner of the embodiment of the present application, the virtual machine is further configured to: assigning a value to a first register in the target physical input output device to indicate whether data to be decrypted is stored in a first memory or the designated area; the first memory is located in the target physical input and output device and used for storing the encrypted data written by the virtual machine.
According to an implementation manner of the embodiment of the present application, the virtual machine is further configured to: assigning a value to a second register in the target physical input/output device to indicate the position of the data to be decrypted stored in the first memory or the designated area; and/or assigning a value to a third register in the target physical input/output device to indicate the size of the data to be decrypted stored in the first memory or the designated area; wherein the first memory is located in the target physical input output device.
According to an implementation manner of the embodiment of the present application, when the virtual machine writes the encrypted data into the target physical input/output device, or when the target physical input/output device reads the encrypted data from the designated area, the target physical input/output device is a display device or a printing device, so that after the target physical input/output device decrypts the encrypted data by using the second encryption/decryption engine, the decrypted data is displayed or printed out; when the target physical input and output device is a display device, the first memory is a video memory.
According to an implementation manner of the embodiment of the present application, when the virtual machine receives encrypted data sent by the target physical input/output device, the target physical input/output device is one of the following: keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
In a second aspect, an embodiment of the present application provides a physical output device, including: an output unit for outputting the received data; the input/output interface is used for being electrically connected with the input/output interface of the computing equipment and receiving encrypted data sent by a virtual machine or a virtual machine manager on the computing equipment or directly reading the encrypted data from a specified area of a memory of the computing equipment; and the encryption and decryption engine is used for decrypting the encrypted data received from the virtual machine or the virtual machine manager or the encrypted data directly read from the specified area in the memory of the computing equipment, and the decrypted data is output through the output unit.
According to an implementation manner of the embodiment of the present application, the physical output device further includes: a first memory and a first register; the first memory is used for storing encrypted data sent or written by the virtual machine or a virtual machine manager; the first register is assigned by the virtual machine or the virtual machine manager; the value of the first register is used to indicate whether data to be decrypted is stored in the first memory.
According to an implementation manner of the embodiment of the present application, the physical output device further includes: a second register and/or a third register; wherein the second register and the third register are assigned by the virtual machine or the virtual machine manager; the value of the second register is used for indicating the position of the data to be decrypted stored in the first memory; the value of the third register is used to indicate the size of the data to be decrypted stored in the first memory.
According to an implementation manner of the embodiment of the application, the physical output device is a display device or a printing device; when the physical output device is a display device, the first memory is a video memory.
In a third aspect, embodiments of the present application provide a physical input device, including: an input unit for receiving an external data input; the input/output interface is electrically connected with the input/output interface of the computing equipment and used for sending encrypted data to a virtual machine or a virtual machine manager on the computing equipment; and the encryption and decryption engine is used for encrypting the external input data received by the input unit, and the encrypted external input data is sent to the virtual machine or the virtual machine manager through the input and output interface.
According to an implementation manner of the embodiment of the application, the physical input device is one of the following: keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
In a fourth aspect, an embodiment of the present application provides a data transmission method, which is applied to a computing device, and includes: the memory controller reads data encrypted by the first encryption and decryption engine from the memory; the memory controller sends the encrypted data to the virtual machine; the virtual machine writes the encrypted data into target physical input and output equipment so that the target physical input and output equipment can receive the encrypted data and decrypt the encrypted data through a second encryption and decryption engine; or,
the virtual machine sends data to be encrypted to a memory controller, the data are encrypted by a first encryption and decryption engine and then written into a designated area of a memory, so that target physical input and output equipment can read the encrypted data from the designated area and decrypt the encrypted data by a second encryption and decryption engine; or,
the virtual machine receives encrypted data sent by target physical input and output equipment, and decrypts the encrypted data through a first encryption and decryption engine; and the encrypted data sent by the target physical input and output device is generated by encrypting the received external input data by the second encryption and decryption engine through the target physical input and output device.
According to an implementation manner of the embodiment of the present application, after the virtual machine writes the encrypted data to the target physical input output device, the method may further include: the virtual machine assigns a value to a first register in the target physical input/output equipment to indicate whether data to be decrypted is stored in a first memory; the first memory is located in the target physical input and output device and used for storing the encrypted data written by the virtual machine.
According to an implementation manner of the embodiment of the present application, after the virtual machine writes the encrypted data to the target physical input output device, the method further includes: the virtual machine assigns a value to a second register in the target physical input/output device to indicate the position of the data to be decrypted stored in the first memory; and/or the virtual machine assigns a value to a third register in the target physical input/output device to indicate the size of the data to be decrypted stored in the first memory;
wherein the first memory is located in the target physical input output device.
According to an implementation manner of the embodiment of the application, the target physical input and output device is a display device; wherein the virtual machine writes the encrypted data into a target physical input output device, comprising: and the virtual machine writes the encrypted image data into the display equipment so that the display equipment can receive the encrypted image data, and the encrypted image data is decrypted and displayed through a second encryption and decryption engine.
In a fifth aspect, an embodiment of the present application provides a data transmission method, applied to a physical input/output device, including: receiving encrypted data sent or written by a virtual machine or a virtual machine manager on computing equipment, and decrypting the encrypted data through an encryption and decryption engine in the physical input and output equipment; or, reading encrypted data from a specified area in a memory on the computing device, and decrypting the encrypted data through an encryption and decryption engine in the physical input and output device; or, after being encrypted by an encryption and decryption engine in the physical input and output device, the received external input data is sent to a virtual machine or a virtual machine manager on the computing device.
According to one implementation of the embodiment of the application, the physical input and output device comprises a first memory and a first register; wherein the method further comprises: storing the received encrypted data in the first memory; receiving an assignment operation of the virtual machine or the virtual machine manager to the first register; the value of the first register is used to indicate whether data to be decrypted is stored in the first memory.
According to an implementation manner of the embodiment of the application, the physical input and output device further comprises a second register and/or a third register; wherein the method further comprises: receiving assignment operation of the virtual machine or the virtual machine manager on the second register and/or the third register; the value of the second register is used for indicating the position of the data to be decrypted stored in the first memory; the value of the third register is used to indicate the size of the data to be decrypted stored in the first memory.
According to an implementation manner of the embodiment of the application, the physical input/output device is a display device, and the first memory is a video memory; wherein the receiving encrypted data sent or written by a virtual machine on the computing device or the virtual machine manager comprises: receiving encrypted image data sent or written by a virtual machine on the computing device or the virtual machine manager; after receiving encrypted data sent or written by a virtual machine or the virtual machine manager on the computing device, the method further comprises: and the encrypted image data received by the display equipment is decrypted by the encryption and decryption engine and then displayed.
According to an implementation manner of the embodiment of the present application, when the physical input/output device encrypts external input data through an encryption/decryption engine and sends the encrypted external input data to the virtual machine or the virtual machine manager, the physical input/output device is one of the following: keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
In a sixth aspect, embodiments of the present application provide a computing device comprising: the virtual machine management system comprises a first processor, a second processor and a virtual machine management unit, wherein the first processor is used for operating a virtual machine manager and a virtual machine, and the virtual machine manager is used for virtualizing a virtual input and output device; the memory controller is electrically connected with the first processor, and a first encryption and decryption engine is arranged in the memory controller; the memory is electrically connected with the memory controller; the second processor is used for configuring a first security key for the first encryption and decryption engine and configuring a second security key for a second encryption and decryption engine in the target physical input and output equipment; wherein the first security key and the second security key are the same;
the virtual machine acquires encrypted data encrypted by the first encryption and decryption engine from an encrypted memory of the virtual machine through the memory controller, and writes the encrypted data into the virtual input and output device, and the virtual machine manager reads the encrypted data from the virtual input and output device, and writes the encrypted data into the target physical input and output device or sends the encrypted data to the target physical input and output device, so that the target physical input and output device receives the encrypted data and decrypts the encrypted data through a second encryption and decryption engine, wherein the encrypted memory of the virtual machine is an encrypted storage area of the virtual machine in the memory; or,
the virtual machine manager receives encrypted data from the target physical input and output device and writes the encrypted data into the virtual input and output device or sends the encrypted data to the virtual input and output device, and the virtual machine reads the encrypted data from the virtual input and output device and writes the encrypted data into the memory through the memory controller; wherein the encrypted data received by the virtual machine manager is generated by the target physical input output device encrypting the received external input data through the second encryption/decryption engine.
According to an implementation manner of the embodiment of the present application, the virtual machine manager is further configured to virtualize a first virtual register for the first register in the target physical input/output device; the virtual machine is also used for assigning a value to the first virtual register; the virtual machine manager reads the value of the first virtual register and assigns the read value of the first virtual register to the first register to indicate whether data to be decrypted is stored in the first memory; wherein the first memory is located in the target physical input output device.
According to an implementation manner of the embodiment of the present application, the virtual machine manager is further configured to virtualize a second virtual register for a second register in the target physical input/output device, and/or virtualize a third virtual register for a third register in the target physical input/output device; the virtual machine is further used for assigning values to the second virtual register and/or the third virtual register;
the virtual machine manager reads the value of the second virtual register and assigns the read value of the second virtual register to the second register so as to indicate the position of the data to be decrypted stored in the first memory; and/or the virtual machine manager reads the value of the third virtual register and assigns the read value of the third virtual register to the third register so as to indicate the size of the data to be decrypted stored in the first memory.
According to an implementation manner of the embodiment of the application, the target physical input and output device is a display device or a printing device; when the target physical input and output device is a display device, the first memory is a video memory.
According to an implementation manner of the embodiment of the present application, when the virtual machine manager receives encrypted data from the target physical input/output device, the target physical input/output device is one of the following: keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
In a seventh aspect, an embodiment of the present application provides a data transmission method, applied to a computing device, including: the virtual machine manager virtualizes a virtual input and output device; the virtual machine acquires encrypted data encrypted by the first encryption and decryption engine from an encrypted memory of the virtual machine through a memory controller, and writes the encrypted data into the virtual input and output device, the virtual machine manager reads the encrypted data from the virtual input and output device, and writes the encrypted data into a target physical input and output device or sends the encrypted data to the target physical input and output device, so that the target physical input and output device receives the encrypted data and decrypts the encrypted data through a second encryption and decryption engine, wherein the encrypted memory of the virtual machine is an encrypted storage area of the virtual machine in the memory; or,
the virtual machine manager receives encrypted data from the target physical input and output device and writes the encrypted data into the virtual input and output device or sends the encrypted data to the virtual input and output device, and the virtual machine reads the encrypted data from the virtual input and output device and writes the encrypted data into a memory through the memory controller; wherein the encrypted data received by the virtual machine manager is generated by the target physical input output device encrypting the received external input data through the second encryption/decryption engine.
According to an implementation manner of the embodiment of the present application, when the virtual machine manager virtualizes a virtual input/output device, the method further includes: virtualizing a first virtual register for a first register in the target physical input/output device by the virtual machine manager; the virtual machine assigns a value to the first virtual register; the virtual machine manager reads the value of the first virtual register and assigns the read value of the first virtual register to the first register to indicate whether data to be decrypted is stored in the first memory; wherein the first memory is located in the target physical input output device.
According to an implementation manner of the embodiment of the present application, when the virtual machine manager virtualizes a virtual input/output device, the method further includes: the virtual machine manager virtualizes a second virtual register for a second register in the target physical input/output device, and/or virtualizes a third virtual register for a third register in the target physical input/output device; the virtual machine assigns values to the second virtual register and/or the third virtual register;
the virtual machine manager reads the value of the second virtual register and assigns the read value of the second virtual register to the second register so as to indicate the position of the data to be decrypted stored in the first memory; and/or the virtual machine manager reads the value of the third virtual register and assigns the read value of the third virtual register to the third register so as to indicate the size of the data to be decrypted stored in the first memory.
According to an implementation manner of the embodiment of the application, the target physical input and output device is a display device, and the encrypted data is encrypted image data; the writing or sending of the read encrypted data to the target physical input/output device by the virtual machine manager so that the target physical input/output device decrypts the encrypted data through a second encryption/decryption engine includes: and the virtual machine manager writes the read encrypted image data into the target physical input and output device or sends the encrypted image data to the target physical input and output device, so that the target physical input and output device can decrypt and display the encrypted image data through a second encryption and decryption engine.
In an eighth aspect, an embodiment of the present application provides a data transmission system, including: a computing device and a physical output device connected thereto; the computing device is provided by any one of the implementation manners, and the physical output device is provided by any one of the implementation manners; alternatively, the data transmission system includes: a computing device and a physical input device connected thereto; the computing device is provided in any one of the foregoing implementation manners, and the physical input device is provided in any one of the foregoing implementation manners.
Embodiments of the present application provide a computing device, a physical input device, a physical output device, a data transmission method, and a system, where a second processor in the computing device of this embodiment may configure a first security key for a first encryption/decryption engine in a memory controller and a second security key for a second encryption/decryption engine in a target physical input/output device, where the first security key and the second security key are the same; in this way, the virtual machine running on the computing device may obtain, by the memory controller, the encrypted data encrypted by the first encryption/decryption engine from the memory, and write the encrypted data into the target physical input/output device, so that the target physical input/output device decrypts the encrypted data by the second encryption/decryption engine; or, the virtual machine receives encrypted data sent by the target physical input/output device, and decrypts the encrypted data through the first encryption/decryption engine; that is to say, in the embodiment of the present application, data transmitted between the computing device and the target physical input/output device is transmitted in an encrypted form, so that even if the encrypted data is stolen by a malicious virtual machine manager during transmission, the malicious virtual machine manager cannot decrypt the encrypted data, thereby ensuring the security of data transmission between the computing device and the physical input/output device.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1A is a schematic structural diagram of a computing device and a target physical input/output device according to an embodiment of the present disclosure;
fig. 1B is a schematic structural diagram of a target physical input/output device according to an embodiment of the present disclosure;
fig. 2 is a schematic structural diagram of an output device according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of an input device according to an embodiment of the present application;
fig. 4 is a flowchart of a data transmission method according to an embodiment of the present application;
fig. 5A is a flowchart of another data transmission method according to an embodiment of the present application;
fig. 5B is a flowchart of another data transmission method according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of another computing device and a target physical input/output device according to an embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of another output device provided in the embodiment of the present application;
FIG. 8 is a schematic structural diagram of another input device provided in an embodiment of the present application;
fig. 9A is a flowchart of another data transmission method provided in the embodiment of the present application;
fig. 9B is a flowchart of another data transmission method provided by an embodiment of the present application;
fig. 10A is a flowchart of another data transmission method provided in the embodiment of the present application;
fig. 10B is a flowchart of another data transmission method provided in the embodiment of the present application;
fig. 11 is a schematic structural diagram of another computing device and a target physical input/output device according to an embodiment of the present application.
Detailed Description
The embodiments of the present application will be described in detail below with reference to the accompanying drawings.
It should be understood that the embodiments described are only a few embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In a first aspect, embodiments of the present application provide a computing device, which facilitates improving security of data transmission between the computing device and a physical input/output device.
Fig. 1A is a schematic structural diagram of a computing device provided in an embodiment of the present application, and as shown in fig. 1A, the computing device 1 provided in the embodiment of the present application may include: a system-on-chip 11 and a memory 12, wherein the system-on-chip 11 may include: a first processor 111, a memory controller 112, and a second processor 113; the first processor 111 is configured to run a virtual machine; and a memory controller 112 electrically connected to the first processor 111, wherein the memory controller 112 is provided with a first encryption/decryption engine. A memory 12 electrically connected to the memory controller 112; a second processor 113, configured to configure a first security key for the first encryption/decryption engine and a second security key for a second encryption/decryption engine in the target physical input/output device 200; wherein the first security key and the second security key are the same;
the virtual machine obtains the encrypted data encrypted by the first encryption and decryption engine from the memory 12 through the memory controller 112, and writes the encrypted data into the target physical input and output device 200, so that the target physical input and output device 200 receives the encrypted data and decrypts the encrypted data through the second encryption and decryption engine; or, the virtual machine sends the data to be encrypted to the memory controller 112, and writes the data to be encrypted to the specified area of the memory 12 after being encrypted by the first encryption and decryption engine, so that the target physical input and output device 200 reads the encrypted data from the specified area and decrypts the data by the second encryption and decryption engine; or, the virtual machine receives encrypted data sent by the target physical input/output device 200, and decrypts the encrypted data through the first encryption and decryption engine; the encrypted data transmitted by the target physical input/output device 200 is generated by the target physical input/output device 200 encrypting the received external input data by the second encryption/decryption engine.
Specifically, the first processor 111 may be referred to as a processor core for running a virtual machine; the first processor 111 may be a 32-bit processor, a 64-bit processor, or the like.
The memory controller 112 is electrically connected to the first processor 111 and the memory 12, so that different memory address spaces can be selected according to the address information sent by the first processor 111, and the virtual machine can write data into the selected memory space.
The second Processor 113 may be referred to as a Secure Processor or a Platform Secure Processor (PSP), and may also be referred to as a security coprocessor, or the like. A secure processor is a processor intended to help the system achieve functional security.
The memory in this embodiment may be a memory applied to a server, for example, a memory that adopts technologies such as ecc (error Checking and correcting), ChipKill, or hot plug, and has higher stability and error correction performance.
Since the second processor 113 may configure a first security key for a first encryption/decryption engine in the memory controller 112 and a second security key for a second encryption/decryption engine of the target physical input/output device 200, the first security key and the second security key are the same. In this way, the virtual machine running on the computing device may obtain, through the memory controller 112, the encrypted data encrypted by the first encryption/decryption engine from the memory 12, and write the encrypted data into the target physical input/output device 200, so that the target physical input/output device 200 decrypts the encrypted data by the second encryption/decryption engine; in one example, when writing the encrypted data into the target physical input/output device 200, the encrypted data may be implemented by using a Direct Memory Access (DMA) technology, which is an interface technology in which an external device directly exchanges data with a system Memory without using a CPU.
Alternatively, the memory controller 112 may write the encrypted data into a specific area in the virtual machine memory, specifically, the specific area is a mapping storage area of the target physical input/output device 200, and the target physical input/output device 200 may read the encrypted data from the specific area, and further decrypt the encrypted data by using a second encryption/decryption engine provided in the target physical input/output device, so as to obtain decrypted data.
Or, the virtual machine receives encrypted data sent by the target physical input/output device 200, and decrypts the encrypted data through the first encryption/decryption engine.
That is to say, in the three implementation manners of the embodiment of the present application, data transmitted between the computing device and the target physical input/output device 200 is transmitted in an encrypted form, so that even if the encrypted data is stolen by a malicious virtual machine manager during transmission, the malicious virtual machine manager cannot decrypt the encrypted data, thereby ensuring the security of data transmission between the computing device and the physical input/output device.
In one embodiment, the PSP may configure a first security key for a first encryption/decryption engine in the memory controller 112, and the virtual machine may share the first security key with the target physical input/output device 200, so that the PSP may configure a second security key, which is the same as the first security key, for a second encryption/decryption engine.
More specifically, in the process of sharing the security key between the virtual machine and the target physical input/output device 200, security authentication may be performed on the target physical input/output device 200 first, and only the target input/output device that has undergone security authentication performs the process of sharing the security key with the virtual machine, so as to prevent the security key from being stolen, and further ensure the security of the encrypted data in the subsequent transmission process.
Taking the target physical input/output device 200 as a secure display device for example, the principle description is specifically performed by the following steps:
step 1, when the safe display equipment is produced, a pair of unique public and private key pairs is preset in the safe display equipment, and the private key cannot be read out after being written into the safe display equipment and is only owned by the safe display equipment. After a legal Certificate Authority (CA) Certificate is generated by using the public key, the CA Certificate is written into the safety display equipment, each safety display equipment has a unique serial number ID, and the PSP public key is written into the safety display equipment at the same time.
Step 2, when the virtual machine is added with the safety display equipment, the virtual machine manager starts an authentication flow and sends authentication request information to the safety display equipment;
step 3, after the secure display device receives the authentication request information, generating a string of random numbers, encrypting the random numbers by using a PSP public key, then digitally signing the encrypted random numbers and the serial number ID by using a private key of the secure display device, returning the digitally signed data and a CA certificate of the secure display device to the virtual machine manager, forwarding the data and the CA certificate to the PSP by the virtual machine manager, and performing secure authentication by the PSP;
and 4, after receiving the authentication information, the PSP firstly uses the CA certificate to verify the validity of the public key of the security display equipment, and uses the public key of the security display equipment to verify the random number ciphertext and the digital signature of the serial number ID in the authentication information. After the verification is passed, the PSP decrypts the random number by using the private key of the PSP, derives a transmission key by using the random number, encrypts a first encryption key (PSP generation) of the virtual machine by using the transmission key, returns the encrypted first encryption key to the virtual machine manager, and transmits the encrypted first encryption key to the secure display equipment by using the virtual machine manager, and meanwhile, the PSP records the serial number ID of the secure display equipment.
And 5, after receiving the ciphertext of the first encryption key, the secure display device derives a transmission key from the random number in the same way, decrypts the ciphertext of the first encryption key by using the transmission key to obtain the first encryption key, and configures the first encryption key into the second encryption and decryption engine.
Through the steps, the first encryption key can be safely shared between the virtual machine and the target input and output device.
In addition, in order to prevent the virtual machine manager from replacing or adding a new secure display device, the PSP may further perform verification on the serial number ID of the secure display device by specifically adopting the following method:
in the starting process of the virtual machine, a serial number ID white list of the safe display equipment allowing to display the confidential image can be transmitted to the PSP in a safe calling mode; when the PSP authenticates the safe display equipment, the serial number ID of the current safe display equipment is checked according to the white list, and the PSP can transmit and configure an encryption key only if the safe display equipment allowed by the virtual machine (namely in the white list);
or,
another specific implementation manner is that when the PSP configures the encryption key into the secure display device, the PSP also records the serial number ID of the secure display device; the virtual machine can acquire the ID of the safe display equipment passing the safe authentication step from the PSP in a safe calling mode; the user of the virtual machine can judge whether the current safety display equipment is positioned in the white list by checking the ID of the safety display equipment and comparing the ID with the white list of the serial number ID of the safety display equipment.
The virtual machine in the embodiment of the present application may write data directly into the target physical input/output device 200, and this operation state may be referred to as that the virtual machine and the target physical input/output device 200 operate in a pass-through state. In the pass-through state, the target physical input output device 200 is a local device.
When the target physical input/output device 200 is an output device, the virtual machine may obtain, through the memory controller 112, the encrypted data encrypted by the first security key in the first encryption/decryption engine from the corresponding location in the memory 12, and write the encrypted data into the target physical input/output device 200, so that the target physical input/output device 200 decrypts the encrypted data by the second security key in the second encryption/decryption engine, thereby obtaining decrypted data to perform a subsequent data output operation.
When the target physical input/output device 200 is an input device, after receiving external data (e.g., externally input text information, audio information, etc.), the target physical input/output device 200 may first encrypt the external data with the second security key in the second encryption/decryption engine to generate encrypted data, and store the encrypted data at the target location. The virtual machine may read the encrypted information from the target location and perform a decryption operation on the encrypted data using the first security key in the first encryption/decryption engine to obtain decrypted data in a clear format for subsequent processing.
In the prior art, since the physical input/output device does not support the encryption/decryption function, when the computing device performs data transmission with the target physical input/output device 200, only data transmission in a plaintext format is performed, and once the input/output data is stolen by a malicious virtual machine manager, a large security risk is generated.
In contrast, in the two data transmission modes (input data and output data) of the application, data is transmitted in a ciphertext form no matter the virtual machine sends data to the physical output device or receives data from the physical input device, so that even if the ciphertext data is stolen by a malicious virtual machine manager, the encrypted data cannot be decrypted, and the security of the data in the transmission process is ensured.
Fig. 1B is a schematic structural diagram of a target physical input/output device according to an embodiment of the present disclosure, and as shown in fig. 1B, a first memory 204 is disposed in the target physical input/output device 200. In order to facilitate the target physical input/output device 200 to determine whether the encrypted data exists in the first storage 204, in an embodiment of the present application, the target physical input/output device 200 is further provided with a first register 201, and accordingly, the virtual machine may be further configured to: the first register 201 in the target physical input output device 200 is assigned a value to indicate whether the first memory 204 stores data to be decrypted.
In the embodiment of the present application, the first register 201 is a flag bit register, and the first register 201 is used to indicate whether there is data to be decrypted in the first memory 204. Generally, the default value of the first register 201 is 0, and when the virtual machine writes the encrypted data into the first memory 204 of the target physical input output device 200, the value of the first register 201 may be assigned to 1. Therefore, the target physical input/output device 200 can read the value of the first register 201, and can determine whether the data to be decrypted exists in the first memory 204 according to the value of the first register 201. If so, the target physical input output device 200 may perform the decryption operation using the second encryption/decryption engine, otherwise, the decryption operation need not be performed.
Similarly, in order to facilitate the physical output device to obtain the location information and/or the size information of the data to be decrypted in the first storage 204, in an embodiment of the present application, the target physical input output device 200 is further provided with a second register 202 and/or a third register 203, and accordingly, the virtual machine may further be configured to: assigning a value to the second register 202 in the target physical input output device 200 to indicate the location of the data to be decrypted stored in the first memory 204; and/or assigning a value to the third register 203 in the target physical input output device 200 to indicate the size of the data to be decrypted stored in the first memory 204.
For example, when the target physical input/output device 200 is a display device, the value in the second register 202 is used to indicate the initial display position of the display data on the display screen, i.e. the initial abscissa and initial ordinate of the initial pixel point. The value in the third register 203 is used to indicate the occupied length of the display data in the abscissa direction and the ordinate direction, i.e. how many pixels are occupied. The target physical input/output device 200 may obtain the position information and the size information of the data to be decrypted on the display screen by reading the values of the second register 202 and the third register 203, and may further decrypt the data to be decrypted and display the decrypted data at the corresponding position on the display screen. When the target physical input/output device 200 is a printing device, the virtual machine may set the second register 202 and the third register 203 in the same manner, so that the printing device can read the values of the two and can print in a designated area.
Optionally, in an embodiment of the present application, when the virtual machine writes the encrypted data into the target physical input/output device 200, the target physical input/output device 200 may be a display device or a printing device, so that after the target physical input/output device 200 decrypts the encrypted data by using the second encryption/decryption engine, the decrypted data is displayed or printed; when the target physical input/output device 200 is a display device, the first memory 204 is a video memory.
The target physical input output device 200 may be either an input device or an output device. In the embodiment of the present application, when the virtual machine writes the encrypted data into the target physical input/output device 200, the target physical input/output device 200 is an output device, and more specifically, the target physical input/output device 200 may be a printing device or a display device. After receiving the encrypted data, the target physical input/output device 200 may perform a decryption operation using the second encryption/decryption engine, and may further perform display output or print output on the decrypted data. The target physical input/output device 200 may specifically be a display device, and correspondingly, the first memory 204 is a video memory for storing image data to be decrypted, so that the embodiment of the present application may implement secure transmission of print data and display data.
Optionally, in an embodiment of the present application, when the virtual machine receives the encrypted data sent by the target physical input output device 200, the target physical input output device 200 may be one of the following: keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
In daily application, when information interaction is performed between computing equipment and the outside, encrypted data transmitted by various physical input equipment needs to be received. In the embodiment of the present application, when the target physical input/output device 200 is used as an input device, the input device may be any one of the above input devices, and the application range is wide. Therefore, the embodiment of the application can realize encrypted data transmission between various input devices and the virtual machine, and improves the security of various input data in transmission.
In a second aspect, embodiments of the present application provide a physical output device, which facilitates improving security of data transmission between a computing device and the physical output device.
As shown in fig. 2, an embodiment of the present application provides a physical output device 2, which may include: an input/output interface 21, an encryption/decryption engine 22, and an output unit 23; the input/output interface 21 is used for being electrically connected with an input/output interface of the computing device and receiving encrypted data sent by a virtual machine on the computing device; an encryption/decryption engine 22 for decrypting encrypted data received from the virtual machine; and an output unit 23, configured to output the decrypted data.
In this embodiment of the application, the physical output device may be electrically connected to the computing device through the input/output interface 21, and when the virtual machine needs to output data through the physical output device, the physical output device 2 may receive the encrypted data written by the virtual machine through the input/output interface 21, decrypt the encrypted data by using the encryption/decryption engine 22, obtain decrypted data, and then further output the decrypted data through the output unit 23. Therefore, even if the encrypted data is stolen by the malicious virtual machine manager in the transmission process, the malicious virtual machine manager cannot decrypt the encrypted data, and therefore the security of data transmission between the computing equipment and the physical output equipment is guaranteed.
In order to facilitate the physical output device to determine whether the encrypted data exists in the first memory, in an embodiment of the present application, the output device 2 may further include: a first memory and a first register; the first memory is used for storing encrypted data written by the virtual machine; the first register is assigned by the virtual machine; the value of the first register is used to indicate whether data to be decrypted is stored in the first memory.
In this embodiment, the first register is a flag register, which is used to indicate whether there is data to be decrypted in the first memory. For example, the default value of the first register is 0, when the virtual machine writes the encrypted data into the first memory of the output device 2, the value of the first register may be assigned to 1, and then the physical output device may read the value of the first register, and may determine whether the data to be decrypted exists in the first memory according to the value of the first register, and when the data to be decrypted exists, the decryption operation may be performed by using the encryption/decryption engine 22, otherwise, the decryption operation is not required to be performed.
Similarly, in order to facilitate the physical output device to obtain the location information and/or the size information of the data to be decrypted in the first memory, the physical output device 2 may further include: a second register and/or a third register; the second register and the third register are assigned by the virtual machine; the value of the second register is used for indicating the position of the data to be decrypted stored in the first memory; the value of the third register is used to indicate the size of the data to be decrypted stored in the first memory.
In the embodiment of the present application, when the physical output device 2 is a display device, the second register is used to indicate the initial display position of the display data on the display screen, that is, the abscissa and the ordinate of the initial pixel point. The third register is used for indicating the length of the display data in the abscissa direction and the ordinate direction, namely how many pixel points are occupied. The target physical input and output device can read the values of the second register and/or the third register and display the data to be decrypted to the corresponding position. When the target physical input/output device is a printing device, the virtual machine may set the second register and the third register in the same manner, so that the target physical input/output device may read the values of the second register and the third register, and may further control a specific area of the print content.
Alternatively, the physical output device 2 may be a display device or a printing device; when the physical output device 2 is a display device, the first memory is a video memory.
In the embodiment of the present application, the physical output device 2 may be a display device or a printing device to implement display output or print output. For example, the physical output device 2 may be a display device, and the first memory may be a video memory for storing image data to be decrypted. Therefore, the video memory in the display device can receive and decrypt the image data to be decrypted from the virtual machine, and further output the decrypted image data, thereby realizing the safe transmission of the image data.
In a third aspect, embodiments of the present application provide a physical input device, which facilitates improving security of data transmission between a computing device and the physical input device.
As shown in fig. 3, an embodiment of the present application provides a physical input device 3, which may include: an input unit 31, an encryption/decryption engine 32, and an input/output interface 33; wherein, the input unit 31 is used for receiving external data input; an encryption/decryption engine 32, configured to encrypt the external input data received by the input unit 31, where the encrypted external input data is sent to the virtual machine through the input/output interface; and the input/output interface 33 is used for being electrically connected with the input/output interface of the computing equipment and sending the encrypted data to the virtual machine.
The physical input device in the embodiment of the present application may directly send the encrypted data to the virtual machine, and this operating state may be referred to as that the virtual machine and the physical input device operate in a pass-through state. In the pass-through state, the physical input device is a local device.
The physical input device and the computing device are electrically connected through the input/output interface, when the physical input device sends decryption data to the computing device, the physical input device can firstly encrypt external input data acquired from the input unit 31 through the encryption/decryption engine and send the encryption data to the virtual machine through the input/output interface, so that the virtual machine can perform corresponding processing after receiving the encryption data, and even if the encryption data is stolen by a malicious virtual machine manager in the transmission process, the malicious virtual machine manager cannot decrypt the encryption data, thereby ensuring the security of data transmission between the computing device and the physical input device.
Optionally, the physical input device 3 is one of the following: keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
In daily application, when information interaction is performed between computing equipment and the outside, encrypted data transmitted by various physical input equipment needs to be received. In the embodiment of the present application, the physical input device may be any one of the above input devices, and the application range is wide. Therefore, the embodiment of the application can realize encrypted data transmission between various input devices and the virtual machine, and improves the security of various input data in transmission.
In a fourth aspect, embodiments of the present application provide a data transmission method, which facilitates improving security of data transmission between a computing device and a physical input/output device.
As shown in fig. 4, an embodiment of the present application provides a data transmission method applied to a computing device, including: s11, the memory controller reads the data encrypted by the first encryption and decryption engine from the memory; s12, the memory controller sends the encrypted data to the virtual machine; and S13, the virtual machine writes the encrypted data into a target physical input and output device, so that the target physical input and output device receives the encrypted data, and decrypts the encrypted data through a second encryption and decryption engine.
In the embodiment of the application, the memory controller may read data encrypted by the first encryption and decryption engine from the memory, so as to obtain encrypted data, and send the encrypted data to the virtual machine; furthermore, the virtual machine writes the encrypted data into the target physical input/output device, so that the target physical input/output device decrypts the encrypted data through a second encryption and decryption engine configured with the same security key, and decrypted data is obtained. In one example, DMA techniques may be employed when writing encrypted data to a target physical input output device.
In this embodiment of the present application, the virtual machine may directly write data into the target physical input/output device, and the operating state may be referred to as that the virtual machine and the target physical input/output device operate in a pass-through state. In the pass-through state, the target physical input output device is a local device.
In this embodiment of the application, reference may be made to relevant contents of the embodiments of the first aspect in the implementation processes of step S11 to step S13, which are not described herein again.
The embodiment of the present application may also provide another data transmission method, and the specific implementation manner may be: the virtual machine sends the data to be encrypted to the memory controller, the data are encrypted through the first encryption and decryption engine and then written into the designated area of the memory, so that the target physical input and output device can read the encrypted data from the designated area and decrypt the encrypted data through the second encryption and decryption engine.
Specifically, the memory controller may write the encrypted data into a designated area in the virtual machine memory, where the designated area is a mapping storage area of the target physical input/output device, and the target physical input/output device may read the encrypted data from the designated area, and further decrypt the encrypted data by using a second encryption/decryption engine provided by the memory controller, so as to obtain decrypted data.
The embodiment of the present application further provides another data transmission method, and the specific implementation manner may be: the virtual machine receives encrypted data sent by target physical input and output equipment, and decrypts the encrypted data through a first encryption and decryption engine; and the encrypted data sent by the target physical input and output device is generated by encrypting the received external input data by the second encryption and decryption engine through the target physical input and output device. Namely, the virtual machine can directly receive the encrypted external input data and decrypt the external input data by using the first encryption and decryption engine of the virtual machine, so that the external input data in a plaintext format is obtained.
Therefore, in the three data transmission methods provided by the embodiment of the application, data are transmitted between the computing device and the target physical input/output device in a ciphertext mode, so that even if the ciphertext data is stolen by the virtual machine manager, the encrypted data cannot be decrypted, and the security of the data in the transmission process is ensured.
In order to facilitate the determination of whether the encrypted data exists in the first storage by the target physical input output device, after the virtual machine writes the encrypted data into the target physical input output device, the method may further include: the virtual machine assigns a value to a first register in the target physical input/output equipment to indicate whether data to be decrypted is stored in a first memory; wherein the first memory is located in the target physical input output device.
In this embodiment of the application, when the target physical input/output device is an output device, a first register may be further disposed in the target physical input/output device, where the first register is a flag register, and the first register is used to indicate whether there is data to be decrypted in the first memory. Generally, the default value of the first register is 0, and the value of the first register may be assigned to 1 after the virtual machine writes the encrypted data into the first memory of the target physical input output device. Therefore, the target physical input and output device can read the value of the first register and judge whether the data to be decrypted exists in the first memory according to the value of the first register. If so, the target physical input output device may perform the decryption operation using the second encryption/decryption engine, otherwise, the decryption operation need not be performed.
Similarly, in order to facilitate the physical output device to obtain the location information and/or the size information of the data to be decrypted in the first storage, in an embodiment of the present application, after the virtual machine writes the encrypted data to the target physical input output device, the method may further include: the virtual machine assigns a value to a second register in the target physical input and output device to indicate the position of the data to be decrypted stored in the first memory; and/or the virtual machine assigns a value to a third register in the target physical input/output device to indicate the size of the data to be decrypted stored in the first memory; wherein the first memory is located in the target physical input output device.
In this embodiment of the present application, a second register and/or a third register may also be disposed in the target physical output device, where the second register is used to indicate a location of the data to be decrypted in the first memory, and the third register is used to indicate a size of the data to be decrypted. For example, when the target physical output device is a display device, the second register is used to indicate an initial display position of the display data on the display screen, i.e., an abscissa and an ordinate of an initial pixel point. The third register is used for indicating the length of the display data in the abscissa direction and the ordinate direction, namely how many pixel points are occupied. Therefore, after the virtual machine writes the encrypted data into the target physical input/output device, the virtual machine can assign values to the second register and the third register according to actual needs, and the target physical input/output device can read the values of the second register and/or the third register and display the data to be decrypted to corresponding positions. When the target physical input/output device is a printing device, the virtual machine may set the second register and the third register in the same manner, so that the target physical input/output device may read the values of the second register and the third register, and may further control a specific area of the print content.
Optionally, the target physical input/output device is a display device; the writing, by the virtual machine, the encrypted data to the target physical input/output device may include: and the virtual machine writes the encrypted image data into the display equipment so that the display equipment can receive the encrypted data, and the encrypted image data is decrypted and displayed through a second encryption and decryption engine.
In the embodiment of the present application, the target physical input/output device may be a display device. The virtual machine may write the encrypted image data into a display device, specifically, a memory of the display device, and the display device may receive the encrypted image data, decrypt the encrypted image data by using the second encryption and decryption engine to obtain decrypted image data, and display the decrypted image data by using a display screen.
In a fifth aspect, embodiments of the present application provide a data transmission method, which is convenient for improving security of data transmission between a computing device and a physical output device.
As shown in fig. 5A, an embodiment of the present application provides a data transmission method applied to a physical output device, including:
s21, receiving encrypted data written by the virtual machine on the computing equipment;
s22, decrypting the encrypted data through the encryption and decryption engine in the physical output device.
In this embodiment of the application, a physical output device (specifically, a memory in the physical output device) may receive encrypted data written by a virtual machine on a computing device, and further, the physical output device may decrypt the encrypted data by using an encryption/decryption engine, so as to obtain decrypted data.
When the virtual machine sends output data to the physical output equipment, the data is transmitted to the target physical output equipment in a ciphertext mode, so that even if ciphertext data is stolen by a malicious virtual machine manager, the encrypted data cannot be decrypted, and the safety of the data in the transmission process is further ensured.
In order to facilitate the physical output device to determine whether encrypted data exists in the first memory, the physical output device may include a first memory and a first register; wherein the method further comprises: storing the received encrypted data in the first memory; receiving the assignment operation of the virtual machine to the first register; the value of the first register is used to indicate whether data to be decrypted is stored in the first memory.
In this embodiment, the output device is provided with a first register and a first memory, where the first register is a flag bit register, the first memory is used to store encrypted data written from the virtual machine, and the first register is used to indicate whether there is data to be decrypted in the first memory. For example, the default value of the first register is 0, when the virtual machine writes encrypted data into the first memory of the output device, the value of the first register may be assigned to 1, and then the physical output device may read the value of the first register, and may determine whether data to be decrypted exists in the first memory according to the value of the first register, and when the data to be decrypted exists, the decryption operation may be performed by using the encryption and decryption engine, otherwise, the decryption operation is not required.
Similarly, in order to facilitate the physical output device to obtain the location information and/or the size information of the data to be decrypted in the first memory, in an embodiment of the present application, the physical output device may further include a second register and/or a third register;
wherein the method may further comprise: receiving the assignment operation of the virtual machine to the second register and/or the third register; the value of the second register is used for indicating the position of the data to be decrypted stored in the first memory; the value of the third register is used to indicate the size of the data to be decrypted stored in the first memory.
In this embodiment of the present application, a second register and/or a third register may also be disposed in the physical output device, where the second register is used to indicate a position of data to be decrypted, and the third register is used to indicate a size of the data to be decrypted. For example, when the physical output device is a display device, the second register is used to indicate the initial display position of the display data on the display screen, i.e. the abscissa and the ordinate of the initial pixel point. The third register is used for indicating the length of the display data in the abscissa direction and the ordinate direction, namely how many pixel points are occupied. The physical output device may thus read the values of the second register and/or the third register and display the data to be decrypted to the corresponding location. When the physical output device is a printing device, the virtual machine can set the second register and the third register in the same manner, so that the physical output device can read the values of the second register and the third register, and further can control the specific area of the printing content.
Optionally, the physical output device is a display device, and the first memory is a video memory; wherein the receiving encrypted data written by the virtual machine on the computing device may include: receiving encrypted image data written by a virtual machine on the computing device;
after receiving the encrypted data written by the virtual machine on the computing device, the method may further include:
and the encrypted image data received by the display equipment is decrypted by the encryption and decryption engine and then displayed.
In this embodiment, the display device may receive the encrypted image data, decrypt the encrypted image data using the encryption/decryption engine to obtain decrypted image data, and display the decrypted image data using the display screen.
In a sixth aspect, embodiments of the present application provide a data transmission method, which facilitates improving security of data transmission between a computing device and a physical input device.
As shown in fig. 5B, an embodiment of the present application provides a data transmission method applied to a physical input device, including:
s31, encrypting the received external input data through the encryption and decryption engine in the physical input device;
s32, sending to the virtual machine on the computing device.
In the embodiment of the application, the physical input device and the virtual machine work in a direct connection state, the physical input device can receive external input data, encrypt the input data through the encryption and decryption engine to obtain encrypted data, and send the encrypted data to the virtual machine on the computing device, so that encrypted transmission of the data is achieved, and the security of the input data in the transmission process is further ensured.
Optionally, when the physical input device encrypts external input data through an encryption and decryption engine and sends the encrypted external input data to the virtual machine, the physical input device is one of the following: keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
In daily application, when information interaction is performed between computing equipment and the outside, encrypted data transmitted by various physical input equipment needs to be received. In the embodiment of the present application, the physical input device may be any one of the above input devices, and the application range is wide. Therefore, the embodiment of the application can realize encrypted data transmission between various input devices and the virtual machine, and improves the security of various input data in transmission.
In a seventh aspect, embodiments of the present application provide a computing device, which facilitates improving security of data transmission between the computing device and a physical input/output device.
As shown in fig. 6, embodiments of the present application provide a computing device 4 that may include: an on-chip system 41 and a memory 42, wherein the on-chip system 41 may include: a first processor 411, a memory controller 412, and a second processor 413; the first processor 411 is configured to run a virtual machine manager and a virtual machine, where the virtual machine manager is configured to virtualize a virtual input/output device; the memory controller 412 is electrically connected to the first processor 411, and a first encryption/decryption engine is disposed in the memory controller 412. The memory 42 is electrically connected to the memory controller 412; the second processor 413 is configured to configure a first security key for the first encryption/decryption engine and a second security key for the second encryption/decryption engine in the target physical input/output device; wherein the first security key and the second security key are the same.
The virtual machine obtains the encrypted data encrypted by the first encryption and decryption engine from the encrypted memory of the virtual machine through the memory controller 412, and writes the encrypted data into the virtual input and output device, and the virtual machine manager reads the encrypted data from the virtual input and output device, and writes the encrypted data into the target physical input and output device 300 or sends the encrypted data to the target physical input and output device 300, so that the target physical input and output device 300 receives the encrypted data and decrypts the encrypted data through the second encryption and decryption engine, wherein the encrypted memory of the virtual machine is an encrypted storage area of the virtual machine in the memory 42;
or, the virtual machine manager receives the encrypted data from the target physical input/output device 300 and writes the encrypted data into the virtual input/output device or sends the encrypted data to the virtual input/output device, and the virtual machine reads the encrypted data from the virtual input/output device and writes the encrypted data into the memory 42, and decrypts the encrypted data through the first encryption and decryption engine; the encrypted data received by the virtual machine manager is generated by the target physical input/output device 300 encrypting the received external input data through the second encryption/decryption engine.
In the embodiment of the present application, the virtual machine and the physical input/output device operate in a non-pass-through state, and different from the foregoing pass-through state, in the non-pass-through state, the virtual machine needs to read encrypted data from a memory of the virtual machine, and then store the encrypted data in a virtual input/output device (specifically, a virtual memory of the virtual input/output device). The virtual machine manager then reads the encrypted data from the virtual i/o device and writes the encrypted data to the target physical i/o device 300. In the non-pass-through state, the physical input output device may be classified as a local device or as a remote device.
The first processor 411 may be referred to as a processor core, and is configured to run a virtual machine and a virtual machine manager, wherein the virtual machine manager is configured to virtualize a virtual input/output device. The first processor 111 may be a 32-bit processor, a 64-bit processor, or the like.
The memory controller 412 is electrically connected to the first processor 411 and the memory 42, so that different memory address spaces can be selected according to the address information sent by the first processor 411, and the virtual machine can write data into the selected memory space.
Further, the second Processor 413 in the computing device may be referred to as a security Processor or a Platform Security Processor (PSP), and may also be referred to as a security coprocessor, etc. A secure processor is a processor intended to help the system achieve functional security.
The memory in this embodiment may be a memory applied to a server, for example, a memory that adopts technologies such as ecc (error Checking and correcting), ChipKill, or hot plug, and has higher stability and error correction performance.
The target physical input/output device 300 is a physical input/output device that the virtual machine needs to perform data transmission.
In this embodiment, the second processor 413 may configure a first security key for a first encryption/decryption engine in the memory controller 412 and a second security key for a second encryption/decryption engine of the target physical input/output device 300, where the first security key is the same as the second security key. In this way, when the computing device performs data transmission with the target physical input/output device 300, the computing device may encrypt data by using the first security key in the virtual machine and then transmit the encrypted data to the physical input/output device, and then may decrypt the encrypted data by using the second security key in the physical input/output device; the data can be encrypted by adopting the second security key in the physical input and output equipment and then transmitted to the virtual machine, and then the encrypted data can be decrypted by adopting the first security key in the virtual machine, so that even if the encrypted data is stolen by a malicious virtual machine manager in the transmission process, the malicious virtual machine manager cannot decrypt the encrypted data, and the security of data transmission between the computing equipment and the physical input and output equipment is ensured.
In one embodiment, the security processor may configure a first security key for a first encryption/decryption engine in the memory controller 412, and the virtual machine may share the first security key with the target physical input/output device 300, so that the target physical input/output device 300 may configure the same security key for a second encryption/decryption engine. When the target physical input/output device 300 is a local output device, the virtual machine may obtain, through the memory controller 412, the encrypted data encrypted by the first security key in the first encryption/decryption engine from the corresponding location in the memory 42, and write the encrypted data into the virtual input/output device, and then the virtual machine manager reads the encrypted data from the virtual input/output device and writes the encrypted data into the target physical device, so that the target physical input/output device 300 decrypts the encrypted data by the second security key in the second encryption/decryption engine, thereby obtaining decrypted data, and performing subsequent data output operation.
When the target physical input output device 300 is a local input device, the target physical input output device 300 may, after receiving external data (e.g., externally input text information, audio information, etc.), first encrypt the external data with the second security key in the second encryption/decryption engine to generate encrypted data, and store the encrypted data at the target location. The virtual machine manager can read the encrypted data from the target position and store the encrypted data into the virtual physical input/output device, the virtual machine reads the encrypted data from the virtual input/output device and stores the encrypted data into the memory, and the first security key in the first encryption and decryption engine is used for executing decryption operation on the encrypted data, so that decrypted data in a plaintext format is obtained for subsequent processing.
The remote type physical input/output device and the local type physical input/output device have similar data transmission processes, and the difference is that, taking the remote type output device as an example for explaining the principle, after the virtual machine reads the encrypted data encrypted by the first security key in the first encryption/decryption engine from the corresponding position in the memory, the virtual machine calls the driver of the remote output device, stores the encrypted data in the virtual physical input/output device, and then the virtual machine manager reads the encrypted data from the virtual input/output device and sends the encrypted data to the agent program corresponding to the remote physical output device through the network, so that the agent program writes the encrypted data in the physical input/output device. The above is only schematically illustrated by taking the remote physical output device as an example, when the remote physical device is an input device, the data transmission manner of the remote physical device is similar to that of the remote output device, and the difference is only in the data transmission direction, and the data transmission manner of the remote input device is not described in detail herein.
In the prior art, since the physical input/output device does not support the encryption/decryption function, the computing device can only perform data transmission in a plaintext format when performing data transmission with the target physical input/output device 300, and once the input/output data is stolen by the virtual machine manager, a large security risk is generated.
In contrast, in the above two data transmission modes (input data and output data) of the present application, no matter a local input/output device or a remote input/output device, when data is transmitted between the local input/output device and the virtual machine, no matter the virtual machine sends data to the physical output device or the virtual machine receives data from the physical input device, the data needs to be transmitted in a ciphertext form, so that even if the ciphertext data is stolen by a malicious virtual machine manager, the encrypted data cannot be decrypted, thereby ensuring the security of the data in the transmission process.
In order to facilitate the target physical input/output device 300 to determine whether the encrypted data exists in the first memory, in an embodiment of the present application, the virtual machine manager is further configured to virtualize a first virtual register for the first register in the target physical input/output device 300; the virtual machine is also used for assigning a value to the first virtual register; the virtual machine manager reads the value of the first virtual register and assigns the read value of the first virtual register to the first register to indicate whether the first memory stores data to be decrypted or not; wherein the first memory is located in the target physical input output device 300.
In the embodiment of the present application, when the target physical input/output device 300 is an output device, the first memory is used to store data to be decrypted written from the virtual machine manager, and the first memory may be located in the target physical input/output device 300.
The target physical input/output device 300 may further include a first register, where the first register is a flag bit register, and the first register is used to indicate whether there is data to be decrypted in the first memory. The virtual machine manager may virtualize a corresponding first virtual register for a first register in the target physical input output device 300.
Generally, the default value of the first register is 0, which indicates that there is no data to be decrypted in the first memory. When the virtual machine manager writes the encrypted data into the first memory of the target physical input output device 300, the virtual machine manager may read a value in a first virtual register previously assigned to 1 by the virtual machine and assign the value to the first register. Then, the target physical input/output device 300 may read the value of the first register, and may determine whether the data to be decrypted exists in the first memory according to the value of the first register.
Similarly, in order to facilitate the physical output device to obtain the location information and/or the size information of the data to be decrypted in the first memory, in an embodiment of the present application, the virtual machine manager is further configured to virtualize a second virtual register for the second register in the target physical input/output device 300, and/or virtualize a third virtual register for the third register in the target physical input/output device 300;
the virtual machine is also used for assigning values to the second virtual register and/or the third virtual register;
the virtual machine manager reads the value of the second virtual register and assigns the read value of the second virtual register to the second register so as to indicate the position of the data to be decrypted stored in the first memory; and/or the presence of a gas in the gas,
and the virtual machine manager reads the value of the third virtual register and assigns the read value of the third virtual register to the third register so as to indicate the size of the data to be decrypted stored in the first memory.
In this embodiment, when the target physical input/output device 300 is an output device, a second register and/or a third register may be further disposed in the target physical input/output device 300, and when the virtual machine manager writes encrypted data into the first memory of the target physical input/output device 300, the virtual machine manager may read a value in the second virtual register and/or the third virtual register and assign the value to the second register and/or the third register, where the second virtual register and/or the third virtual register are assigned by the virtual machine in advance according to actual needs.
The second register is used for indicating the position of the data to be decrypted, and the third register is used for indicating the size of the data to be decrypted. For example, when the target physical input/output device 300 is a display device, the value in the second register is used to indicate the initial display position of the display data on the display screen, i.e., the initial abscissa and the initial ordinate of the initial pixel point. The value in the third register is used to indicate the length of the display data occupied in the abscissa direction and the ordinate direction, i.e., how many pixels are occupied. The target physical input/output device 300 may obtain the position information and the size information of the data to be decrypted by reading the values of the second register and the third register, and may further decrypt the data to be decrypted and display the decrypted data at a corresponding position on the display screen.
Optionally, in an embodiment of the present application, the target physical input/output device 300 is a display device or a printing device; when the target physical input/output device 300 is a display device, the first memory is a video memory.
In the embodiment of the present application, the target physical input output device 300 may be a display device or a printing device to implement display output or print output. For example, the physical output device may be a display device, and the first memory may be a video memory for storing image data to be decrypted. Therefore, the video memory in the display device can receive and decrypt the image data to be decrypted from the virtual machine, and then output the decrypted image data, thereby realizing the safe transmission of the image data.
Optionally, in an embodiment of the present application, when the virtual machine manager receives the encrypted data from the target physical input output device 300, the target physical input output device 300 is one of the following: keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
In daily application, when information interaction is performed between computing equipment and the outside, encrypted data transmitted by various physical input equipment needs to be received. In the embodiment of the present application, when the target physical input/output device 300 is used as an input device, the input device may be any one of the above input devices, and the application range is wide. Therefore, the embodiment of the application can realize encrypted data transmission between various input devices and the virtual machine, and improves the security of various input data in transmission.
In an eighth aspect, embodiments of the present application provide a physical output device, which can improve security of data transmission between a computing device and the physical output device.
As shown in fig. 7, an embodiment of the present application provides a physical output device, which may include: the input/output interface 51 is used for being electrically connected with an input/output interface of the computing device and receiving encrypted data sent by a virtual machine manager on the computing device; an encryption/decryption engine 52, configured to decrypt the encrypted data received from the virtual machine manager, where the decrypted data is output through the output unit; and an output unit 53, configured to output the decrypted data.
In this embodiment, the physical output device and the virtual machine operate in a non-pass-through state, and the physical output device may be a local device or a remote device.
The physical output device is electrically connected with the computing device through the input/output interface, when the virtual machine needs to output data through the physical output device, the physical output device can receive the encrypted data written by the virtual machine manager through the input/output interface 51, decrypt the encrypted data by using the encryption/decryption engine, and further output the decrypted data through the output unit 53, so that even if the encrypted data is stolen by a malicious virtual machine manager in the transmission process, the malicious virtual machine manager cannot decrypt the encrypted data, and the security of data transmission between the computing device and the physical input/output device is ensured.
When the physical output device is a local device or a remote device, the transmission path of the encrypted data may refer to the relevant description in the embodiment of the sixth aspect, and is not described herein again.
In order to facilitate the physical output device to determine whether the encrypted data exists in the first memory, in an embodiment of the present application, the physical output device may further include: a first memory and a first register; the first memory is used for storing encrypted data sent or written by the virtual machine manager; the first register is assigned by the virtual machine manager; the value of the first register is used to indicate whether data to be decrypted is stored in the first memory.
In this embodiment, the physical output device is provided with a first register and a first memory, where the first register is a flag bit register, the first memory is used to store encrypted data written from the virtual machine manager (applicable to the local physical output device) or sent from the virtual machine manager (applicable to the remote physical output device), and the first register is used to indicate whether there is data to be decrypted in the first memory. For example, the default value of the first register is 0, when the virtual machine writes the encrypted data into the first memory of the physical output device, the value of the first register may be assigned to 1, the virtual machine may assign the value of the first virtual register to 1, and then the virtual machine manager reads the value in the first virtual register and assigns the value to the first register. Furthermore, the target physical input/output device 300 may read the value of the first register, and may determine whether the data to be decrypted exists in the first memory according to the value of the first register. When the data to be decrypted exists, the decryption operation can be executed by utilizing the encryption and decryption engine, otherwise, the decryption operation does not need to be executed.
Similarly, in order to facilitate the physical output device to obtain the location information and/or the size information of the data to be decrypted in the first memory, in an embodiment of the present application, the physical output device may further include: a second register and/or a third register; the second register and the third register are assigned by the virtual machine manager; the value of the second register is used for indicating the position of the data to be decrypted stored in the first memory; the value of the third register is used to indicate the size of the data to be decrypted stored in the first memory.
In this embodiment of the application, the physical output device may further be provided with a second register and/or a third register, and when the virtual machine manager writes the encrypted data into the first memory of the physical output device, the virtual machine may assign a value to the second virtual register and/or the third virtual register according to actual needs, and then the virtual machine manager reads a value in the second virtual register and/or the third virtual register and assigns the value to the second register and/or the third register.
The second register is used for indicating the position of the data to be decrypted, and the third register is used for indicating the size of the data to be decrypted. For example, when the physical output device is a display device, the value in the second register is used to indicate the initial display position of the display data on the display screen, i.e. the initial abscissa and the initial ordinate of the initial pixel point. The value in the third register is used to indicate the length of the display data occupied in the abscissa direction and the ordinate direction, i.e., how many pixels are occupied. The physical output device can obtain the position information and the size information of the data to be decrypted by reading the values of the second register and the third register, and then can display the data to be decrypted at the corresponding position of the display screen after decrypting the data to be decrypted.
Optionally, in an embodiment of the present application, the physical output device is a display device or a printing device; when the physical output device is a display device, the first memory is a video memory.
In the embodiment of the present application, the physical output device may be a display device or a printing device, so as to implement display output or print output. For example, the physical output device may be a display device, and the first memory may be a video memory for storing image data to be decrypted. Therefore, the video memory in the display device can receive and decrypt the image data to be decrypted from the virtual machine, and further output the decrypted image data, thereby realizing the safe transmission of the image data.
In a ninth aspect, embodiments of the present application provide a physical input device, which facilitates improving security of data transmission between a computing device and the physical input device.
As shown in fig. 8, an embodiment of the present application provides a physical input device, which may include: an input unit 61 for receiving an external data input; the encryption and decryption engine 62 is configured to encrypt the external input data received by the input unit, and send the encrypted external input data to the virtual machine manager through the input/output interface; and the input/output interface 63 is used for being electrically connected with the input/output interface of the computing device and sending the encrypted data to the virtual machine manager on the computing device.
In the embodiment of the application, the physical input device and the virtual machine work in a non-direct connection state, and the physical output device is a local device or a remote device.
The physical input device is electrically connected with the computing device through the input/output interface, when the physical input device sends external input data to the computing device, the encryption/decryption engine in the physical input device can encrypt the external data received by the input unit and send the encrypted data to the virtual machine manager through the input/output interface, so that encrypted transmission of the data is realized, and the security of data transmission between the computing device and the physical input device is improved.
Optionally, in an embodiment of the present application, the physical input device is one of the following: keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
In daily application, when information interaction is performed between computing equipment and the outside, encrypted data transmitted by various physical input equipment needs to be received. In the embodiment of the present application, when the target physical input/output device 300 is used as an input device, the input device may be any one of the above input devices, and the application range is wide. Therefore, the embodiment of the application can realize encrypted data transmission between various input devices and the virtual machine, and improves the security of various input data in transmission.
In a tenth aspect, embodiments of the present application provide a data transmission method, which facilitates improving security of data transmission between a computing device and a physical input/output device.
As shown in fig. 9A, a data transmission method provided in an embodiment of the present application is applied to a computing device, and the data transmission method may include:
s41, virtualizing a virtual input and output device by the virtual machine manager;
s42, the virtual machine acquires the encrypted data encrypted by the first encryption and decryption engine from the encrypted memory of the virtual machine through the memory controller, and writes the encrypted data into the virtual input and output device;
s43, the virtual machine manager reads the encrypted data from the virtual input/output device, and writes the encrypted data into the target physical input/output device 300 or sends the encrypted data to the target physical input/output device 300, so that the target physical input/output device 300 receives the encrypted data and decrypts the encrypted data through the second encryption/decryption engine, where the encrypted memory of the virtual machine is an encrypted storage area of the virtual machine in the memory.
In the embodiment of the present application, the virtual machine and the target physical output device operate in a non-pass-through state, and the target physical input output device 300 may be a local device or a remote device. The virtual machine manager may virtualize a virtual input output device corresponding to the physical input output device.
When the target physical input/output device 300 is a local output device, the virtual machine may obtain, by the memory controller, the encrypted data encrypted by the first security key in the first encryption/decryption engine from the corresponding location in the memory, write the encrypted data into the virtual input/output device, and then the virtual machine manager reads the encrypted data from the virtual input/output device and writes the encrypted data into the target physical device, so that the target physical input/output device 300 decrypts the encrypted data by the second security key in the second encryption/decryption engine, thereby obtaining decrypted data to perform subsequent data output operations.
The remote physical input/output device is similar to the local physical input/output device in data transmission process, and the difference is that, taking the remote output device as an example, after the virtual machine reads the encrypted data encrypted by the first security key in the first encryption/decryption engine from the corresponding position in the memory, the virtual machine calls the driver of the remote output device, stores the encrypted data in the virtual physical input/output device, and then the virtual machine manager reads the encrypted data from the virtual input/output device and sends the encrypted data to the agent corresponding to the physical output device through the network, so that the agent writes the encrypted data in the physical input/output device.
In the prior art, since the physical input/output device does not support the encryption/decryption function, when the computing device performs data transmission with the target physical input/output device 300, only data transmission in a plaintext format can be performed, and once the input/output data is stolen by a malicious virtual machine manager, a large security risk is generated.
In contrast, in the embodiment of the present application, when data transmission is performed between the local output device and the virtual machine, the data transmission is performed in a ciphertext form, which may specifically be: the data are encrypted by the first security key in the virtual machine and then transmitted to the physical input and output equipment, and then the encrypted data can be decrypted by the second security key in the physical input and output equipment, so that the encrypted data cannot be decrypted even if the ciphertext data is stolen by the virtual machine manager, and the security of the data in the transmission process is ensured.
In order to facilitate the determination of whether the encrypted data exists in the first storage by the target physical input output device 300, in an embodiment of the present application, when the virtual machine manager virtualizes a virtual input output device, the method may further include: virtualizing a first virtual register for a first register in the target physical input/output device 300 by the virtual machine manager; the virtual machine assigns values to the first virtual register; the virtual machine manager reads the value of the first virtual register and assigns the read value of the first virtual register to the first register to indicate whether data to be decrypted is stored in the first memory; wherein the first memory is located in the target physical input output device 300.
In this embodiment, when the target physical input/output device 300 is an output device, the target physical input/output device 300 may further include a first register, where the first register is a flag register, and the first register is used to indicate whether there is data to be decrypted in the first memory. The virtual machine manager may virtualize a corresponding first virtual register for a first register in the target physical input output device 300.
Generally, the default value of the first register is 0, which indicates that there is no data to be decrypted in the first memory, and the value of the first register is 1, which indicates that there is data to be decrypted in the first memory. When the virtual machine manager writes the encrypted data into the first memory of the target physical input output device 300, the virtual machine manager may read a value in a first virtual register previously assigned to 1 by the virtual machine and assign the value to the first register. Therefore, the target physical input/output device 300 can read the value of the first register and determine whether the data to be decrypted exists in the first memory according to the value of the first register.
In order to facilitate the target physical input/output device 300 to obtain the location information and the size information of the encrypted data in the first storage, in an embodiment of the present application, when the virtual machine manager virtualizes a virtual input/output device, the method may further include:
virtualizing, by the virtual machine manager, a second virtual register for a second register in the target physical input/output device 300, and/or virtualizing a third virtual register for a third register in the target physical input/output device 300; the virtual machine assigns values to the second virtual register and/or the third virtual register; the virtual machine manager reads the value of the second virtual register and assigns the read value of the second virtual register to the second register so as to indicate the position of the data to be decrypted stored in the first memory; and/or the presence of a gas in the gas,
and the virtual machine manager reads the value of the third virtual register and assigns the read value of the third virtual register to the third register so as to indicate the size of the data to be decrypted stored in the first memory.
In this embodiment, when the target physical input/output device 300 is an output device, a second register and/or a third register may be further disposed in the target physical input/output device 300, and when the virtual machine manager writes encrypted data into the first memory of the target physical input/output device 300, the virtual machine manager may read a value in the second virtual register and/or the third virtual register and assign the value to the second register and/or the third register, where the second virtual register and/or the third virtual register are assigned by the virtual machine in advance according to actual needs.
The second register is used for indicating the position of the data to be decrypted, and the third register is used for indicating the size of the data to be decrypted. For example, when the target physical input/output device 300 is a display device, the value in the second register is used to indicate the initial display position of the display data on the display screen, i.e., the initial abscissa and the initial ordinate of the initial pixel point. The value in the third register is used to indicate the length of the display data occupied in the abscissa direction and the ordinate direction, i.e., how many pixels are occupied. The target physical input/output device 300 may obtain the position information and the size information of the data to be decrypted by reading the values of the second register and the third register, and may further decrypt the data to be decrypted and display the decrypted data at the corresponding position on the display screen.
Optionally, in an embodiment of the present application, the target physical input/output device 300 is a display device, and the encrypted data is encrypted image data; the writing or sending, by the virtual machine manager, the read encrypted data to the target physical input output device 300, so that the target physical input output device 300 decrypts the encrypted data through the second encryption/decryption engine may include: the virtual machine manager writes the read encrypted image data into the target physical input/output device 300 or sends the encrypted image data to the target physical input/output device 300, so that the target physical input/output device 300 decrypts the encrypted image data through the second encryption/decryption engine and displays the decrypted image data.
In the embodiment of the present application, the target physical input output device 300 may be a display device, and the encrypted data may be encrypted image data.
When the display device is a local display device, the virtual machine manager may write the read encrypted image data into the display device, specifically, a memory of the display device, and the display device may receive the encrypted image data, decrypt the encrypted image data by using the second encryption and decryption engine, obtain decrypted image data, and display the decrypted image data by using the display screen.
When the display device is a remote display device, the virtual machine may call a driver of the remote output device, store the encrypted image data in the virtual physical input/output device, and then the virtual machine manager reads the encrypted image data from the virtual input/output device and sends the encrypted image data to an agent corresponding to the physical output device through a network, so that the agent writes the encrypted image data in the physical input/output device.
In an eleventh aspect, embodiments of the present application provide a data transmission method, which facilitates improving security of data transmission between a computing device and a physical input/output device.
As shown in fig. 9B, an embodiment of the present application provides a data transmission method applied to a computing device, where the data transmission method may include:
s51, virtualizing a virtual input and output device by the virtual machine manager;
s52, the virtual machine manager receiving the encrypted data from the target physical input output device 300, and writing the encrypted data to the virtual input output device or sending the encrypted data to the virtual input output device;
s53, the virtual machine reads the encrypted data from the virtual input/output device, writes the encrypted data into a memory, and decrypts the encrypted data through a first encryption/decryption engine; wherein the encrypted data received by the virtual machine manager is generated by the target physical input output device 300 encrypting the received external input data through the second encryption/decryption engine.
In this embodiment, when the target physical input/output device 300 is a local input device, after receiving external data (e.g., externally input text information, audio information, etc.), the target physical input/output device 300 may first encrypt the external data with the second security key in the second encryption/decryption engine to generate encrypted data, and store the encrypted data at the target location. The virtual machine manager can read the encrypted data from the target position and store the encrypted data into the virtual physical input and output device, the virtual machine reads the encrypted data from the virtual input and output device and stores the encrypted data into the memory, and the first security key in the first encryption and decryption engine is used for executing decryption operation on the encrypted data, so that decrypted data in a plaintext format is obtained for subsequent processing, and even if the encrypted data is stolen by a malicious virtual machine manager in the transmission process, the malicious virtual machine manager cannot decrypt the encrypted data, so that the security of data transmission between the computing device and the physical input and output device is ensured.
In the embodiment of the eleventh aspect, the data transmission process is schematically illustrated by taking the remote physical output device as an example, when the remote physical device is an input device, the data transmission mode is similar to that of the remote output device, the difference is only in the data transmission direction, and the data transmission mode of the remote input device is not described in detail herein.
In a twelfth aspect, embodiments of the present application provide a data transmission method, which can improve security of data transmission between a computing device and a physical output device.
As shown in fig. 10A, an embodiment of the present application provides a data transmission method applied to a physical output device, including:
s61, receiving encrypted data sent or written by a virtual machine manager on the computing equipment;
s62, decrypting the encrypted data through the encryption and decryption engine in the physical output device.
In the embodiment of the application, the physical output device and the virtual machine work in a non-direct connection state, and the physical output device is a local device or a remote device.
The encrypted data written by the virtual machine manager on the computing device (suitable for the local physical output device) or sent over the network (suitable for the remote physical output device) may be received in memory in the physical output device. Furthermore, the physical output device can decrypt the encrypted data by using the encryption and decryption engine so as to obtain decrypted data, so that even if the encrypted data is stolen by a malicious virtual machine manager in the transmission process, the malicious virtual machine manager cannot decrypt the encrypted data, and the security of data transmission between the computing device and the physical output device is ensured.
The virtual machine transmits the data to the target output device in a ciphertext mode, so that even if the ciphertext data is stolen by a malicious virtual machine manager, the encrypted data cannot be decrypted, and the safety of the data in the transmission process is guaranteed.
In order to facilitate the physical output device to determine whether encrypted data exists in the first memory, in an embodiment of the present application, the physical output device includes a first memory and a first register;
wherein the method further comprises: storing the received encrypted data in the first memory; receiving the assignment operation of the virtual machine manager to the first register; the value of the first register is used to indicate whether data to be decrypted is stored in the first memory.
In this embodiment of the present application, the output device is provided with a first register and a first memory, where the first register is a flag bit register, the first memory is used to store encrypted data written from the virtual machine manager, and the first register is used to indicate whether there is data to be decrypted in the first memory.
Generally, the default value of the first register is 0, which indicates that there is no data to be decrypted in the first memory, and the value of the first register is 1, which indicates that there is data to be decrypted in the first memory. When the first memory of the physical output device receives the encrypted data written by the virtual machine manager, the virtual machine manager may read a value in a first virtual register previously assigned by the virtual machine to 1, and assign the value to the first register. Therefore, after receiving the assignment operation of the virtual machine manager on the first register, the physical output device can read the value of the first register, and can determine whether the data to be decrypted exists in the first memory according to the value of the first register. When the data to be decrypted exists, the decryption operation can be executed by utilizing the encryption and decryption engine, otherwise, the decryption operation does not need to be executed.
Similarly, in order to facilitate the physical output device to obtain the location information and/or the size information of the data to be decrypted in the first memory, in an embodiment of the present application, the physical output device further includes a second register and/or a third register; wherein the method further comprises: receiving the assignment operation of the virtual machine manager on the second register and/or the third register; the value of the second register is used for indicating the position of the data to be decrypted stored in the first memory; the value of the third register is used to indicate the size of the data to be decrypted stored in the first memory.
In this embodiment of the application, a second register and/or a third register and a first memory may also be disposed in the physical output device, where the first memory is used to store data to be decrypted received from the virtual machine manager, the second register is used to indicate a location of the data to be decrypted, and the third register is used to indicate a size of the data to be decrypted.
For example, when the physical output device is a display device, the second register is used to indicate the initial display position of the display data on the display screen, i.e. the abscissa and the ordinate of the initial pixel point. The third register is used for indicating the length of the display data in the abscissa direction and the ordinate direction, namely how many pixel points are occupied. Therefore, after receiving the assignment operation of the virtual machine manager to the second register and/or the third register, the physical output device can read the value of the second register and/or the third register and display the data to be decrypted to the corresponding position of the display screen. When the physical output device is a printing device, the virtual machine manager can set the second register and the third register in the same mode, so that the physical output device can read the numerical values of the second register and the third register after receiving the assignment operation, and further can control the specific area of the printing content.
Optionally, in an embodiment of the present application, the physical output device is a display device, and the first memory is a video memory; wherein the receiving encrypted data sent or written by the virtual machine manager on the computing device comprises: receiving encrypted image data sent or written by the virtual machine manager on the computing device; after receiving encrypted data sent or written by the virtual machine manager on the computing device, the method further comprises: and the encrypted image data received by the display equipment is decrypted by the encryption and decryption engine and then displayed.
In the embodiment of the application, the display device may receive encrypted image data sent by the virtual machine manager (applicable to a remote type display device) or written into the virtual machine manager (applicable to a local type display device), decrypt the encrypted image data by using the encryption and decryption engine to obtain decrypted image data, and display the decrypted image data by using the display screen.
In a thirteenth aspect, embodiments of the present application provide a data transmission method, which can improve security of data transmission between a computing device and a physical input device.
As shown in fig. 10B, an embodiment of the present application provides a data transmission method applied to a physical input device, including:
s71, encrypting the received external input data through an encryption and decryption engine in the physical input device;
s72, sending to the virtual machine on the computing device.
In the embodiment of the application, the physical input device can receive external input data, encrypt the input data through the encryption and decryption engine to obtain encrypted data, and send the encrypted data to the virtual machine on the computing device to complete encrypted transmission of the input data, so that even if ciphertext data is stolen by a malicious virtual machine manager, the encrypted data cannot be decrypted, and the security of the data in the transmission process is ensured.
Optionally, in an embodiment of the present application, when the physical input device encrypts external input data through an encryption/decryption engine and sends the encrypted external input data to the computing device, the physical input device is one of the following: keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
In daily application, when information interaction is performed between computing equipment and the outside, encrypted data transmitted by various physical input equipment needs to be received. In the embodiment of the present application, when the target physical input/output device 300 is used as an input device, the input device may be any one of the above input devices, and the application range is wide. Therefore, the embodiment of the application can realize encrypted data transmission between various input devices and the virtual machine, and improves the security of various input data in transmission.
In a fourteenth aspect, embodiments of the present application provide a computing device, which facilitates improving security of data transmission between the computing device and a physical input/output device.
Fig. 11 is a schematic structural diagram of a computing device and a target physical input/output device provided in an embodiment of the present application, and as shown in fig. 11, the computing device 11 provided in the embodiment of the present application is substantially the same as the computing device 1 provided in the embodiment of the first aspect, except that: the function of the designated area in the memory in the embodiment of the present application is the same as that of the first memory in the embodiment of the first aspect, where the encrypted data is obtained by encrypting, by a first encryption/decryption engine in the memory controller, data to be encrypted in advance and storing the encrypted data in the designated area. When the encrypted data is transmitted, the encrypted data can be read from the designated area and transmitted to the second encryption and decryption engine, so that the second encryption and decryption engine decrypts the encrypted data. In one example, DMA techniques may be employed to read encrypted data from a designated area.
Optionally, in an embodiment of the present application, similar to the embodiment of the first aspect, the virtual machine in the embodiment of the present application may further be configured to: a first register in the target physical input output device 400 is assigned a value to indicate whether data to be decrypted is stored in the designated area. The contents of the rest of the embodiments of the present application are the same as those described in the embodiments of the first aspect, and are not described herein again. Therefore, the target physical input/output device 200 can read the value of the first register and determine whether the data to be decrypted exists in the designated area according to the value of the first register. If so, the target physical input output device 400 may perform the decryption operation using the second encryption/decryption engine, otherwise, the decryption operation need not be performed.
Optionally, in an embodiment of the present application, similar to the embodiment of the first aspect, the virtual machine in the embodiment of the present application may further be configured to: assigning a value to a second register in the target physical input output device 400 to indicate a location of data to be decrypted stored in a designated area; and/or assigning a value to a third register in the target physical input output device 400 to indicate the size of the data to be decrypted stored in the designated area. For example, when the target physical input/output device 400 is a display device, the value in the second register is used to indicate the initial display position of the display data on the display screen, i.e., the initial abscissa and initial ordinate of the initial pixel point. The value in the third register is used to indicate the length of the display data occupied in the abscissa direction and the ordinate direction, i.e., how many pixels are occupied.
Correspondingly, an embodiment of the present application further provides a physical output device, the physical output device of this embodiment is basically the same as the physical output device shown in fig. 2, except that in this embodiment, the input/output interface 21 is configured to directly read encrypted data from a specified area of a memory of the computing device; the encryption and decryption engine 22 is used for decrypting the encrypted data directly read from the specified area in the memory of the computing equipment, and the decrypted data is output through the output unit; and an output unit 23 for outputting the received data. In this embodiment, the data transmitted between the computing device and the physical input/output device is encrypted data, which can improve the security of data transmission between the computing device and the physical input/output device.
The embodiment of the present application further provides a data transmission method, which is applied to a physical input/output device, and includes: and reading the encrypted data from a specified area in a memory on the computing device, and decrypting the encrypted data through an encryption and decryption engine in the physical input and output device. In this embodiment, the data transmitted between the computing device and the physical input/output device is encrypted data, which can improve the security of data transmission between the computing device and the physical input/output device.
In a fifteenth aspect, embodiments of the present application provide a data transmission system, which can improve security of data transmission between a computing device and a physical input/output device.
An embodiment of the present application provides a data transmission system, including: a computing device and a physical output device connected thereto; the computing device is any one of the computing devices provided by the embodiments of the present application, and the physical output device is any one of the physical output devices provided by the embodiments of the present application; alternatively, the data transmission system includes: a computing device and a physical input device connected thereto; the computing device is any one of the computing devices provided by the embodiments of the present application, and the physical input device is any one of the physical input devices provided by the embodiments of the present application.
In the embodiment of the application, even if the encrypted data is stolen by a malicious virtual machine manager in the transmission process, the malicious virtual machine manager cannot decrypt the encrypted data, so that the security of data transmission between the computing equipment and the physical input and output equipment is ensured.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations when the present application is implemented.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (30)

1. A computing device, comprising:
a first processor for running a virtual machine;
the memory controller is electrically connected with the first processor, and a first encryption and decryption engine is arranged in the memory controller;
the memory is electrically connected with the memory controller;
a second processor, configured to configure a first security key for the first encryption/decryption engine and a second security key for a second encryption/decryption engine in a target physical input/output device; wherein the first security key and the second security key are the same;
the virtual machine acquires the encrypted data encrypted by the first encryption and decryption engine from the memory through the memory controller, and writes the encrypted data into the target physical input and output device, so that the target physical input and output device can decrypt the encrypted data through the second encryption and decryption engine; or,
the virtual machine sends data to be encrypted to the memory controller, the data are encrypted through the first encryption and decryption engine and then written into the designated area of the memory, so that the target physical input and output device can read the encrypted data from the designated area and decrypt the encrypted data through the second encryption and decryption engine; or,
the virtual machine receives encrypted data sent by the target physical input and output device, and decrypts the encrypted data through the first encryption and decryption engine; and the encrypted data sent by the target physical input and output device is generated by encrypting the received external input data by the second encryption and decryption engine through the target physical input and output device.
2. The computing device of claim 1,
the virtual machine is further configured to: assigning a value to a first register in the target physical input output device to indicate whether data to be decrypted is stored in a first memory or the designated area; the first memory is located in the target physical input and output device and used for storing the encrypted data written by the virtual machine.
3. The computing device of claim 1,
the virtual machine is further configured to:
assigning a value to a second register in the target physical input/output device to indicate the position of the data to be decrypted stored in the first memory or the designated area; and/or the presence of a gas in the gas,
assigning a value to a third register in the target physical input/output device to indicate the size of the data to be decrypted stored in the first memory or the designated area;
wherein the first memory is located in the target physical input output device.
4. The computing device of claim 2,
when the virtual machine writes the encrypted data into the target physical input/output device, or when the target physical input/output device reads the encrypted data from the designated area, the target physical input/output device is a display device or a printing device, so that the target physical input/output device decrypts the encrypted data through the second encryption/decryption engine and then displays or prints the decrypted data;
when the target physical input and output device is a display device, the first memory is a video memory.
5. The computing device of claim 1,
when the virtual machine receives the encrypted data sent by the target physical input and output device, the target physical input and output device is one of the following:
keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
6. A physical output device, comprising:
an output unit for outputting the received data;
the input/output interface is used for being electrically connected with the input/output interface of the computing equipment and receiving encrypted data sent by a virtual machine or a virtual machine manager on the computing equipment or directly reading the encrypted data from a specified area of a memory of the computing equipment;
and the encryption and decryption engine is used for decrypting the encrypted data received from the virtual machine or the virtual machine manager or the encrypted data directly read from the specified area in the memory of the computing equipment, and the decrypted data is output through the output unit.
7. The physical output device of claim 6, further comprising: a first memory and a first register;
the first memory is used for storing encrypted data sent or written by the virtual machine or a virtual machine manager;
the first register is assigned by the virtual machine or the virtual machine manager; the value of the first register is used to indicate whether data to be decrypted is stored in the first memory.
8. The physical output device of claim 7, further comprising:
a second register and/or a third register; wherein the second register and the third register are assigned by the virtual machine or the virtual machine manager;
the value of the second register is used for indicating the position of the data to be decrypted stored in the first memory;
the value of the third register is used to indicate the size of the data to be decrypted stored in the first memory.
9. Physical output device according to claim 6,
the physical output equipment is display equipment or printing equipment;
when the physical output device is a display device, the first memory is a video memory.
10. A physical input device, comprising:
an input unit for receiving an external data input;
the input/output interface is electrically connected with the input/output interface of the computing equipment and used for sending encrypted data to a virtual machine or a virtual machine manager on the computing equipment;
and the encryption and decryption engine is used for encrypting the external input data received by the input unit, and the encrypted external input data is sent to the virtual machine or the virtual machine manager through the input and output interface.
11. Physical input device according to claim 10,
the physical input device is one of:
keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
12. A data transmission method applied to a computing device comprises the following steps:
the memory controller reads data encrypted by the first encryption and decryption engine from the memory; the memory controller sends the encrypted data to the virtual machine; the virtual machine writes the encrypted data into target physical input and output equipment so that the target physical input and output equipment can receive the encrypted data and decrypt the encrypted data through a second encryption and decryption engine; or,
the virtual machine sends data to be encrypted to a memory controller, the data are encrypted by a first encryption and decryption engine and then written into a designated area of a memory, so that target physical input and output equipment can read the encrypted data from the designated area and decrypt the encrypted data by a second encryption and decryption engine; or,
the virtual machine receives encrypted data sent by target physical input and output equipment, and decrypts the encrypted data through a first encryption and decryption engine; and the encrypted data sent by the target physical input and output device is generated by encrypting the received external input data by the second encryption and decryption engine through the target physical input and output device.
13. The method of claim 12,
after the virtual machine writes the encrypted data to a target physical input output device, the method further comprises:
the virtual machine assigns a value to a first register in the target physical input/output equipment to indicate whether data to be decrypted is stored in a first memory; the first memory is located in the target physical input and output device and used for storing the encrypted data written by the virtual machine.
14. The method of claim 12,
after the virtual machine writes the encrypted data to a target physical input output device, the method further comprises:
the virtual machine assigns a value to a second register in the target physical input/output device to indicate the position of the data to be decrypted stored in the first memory; and/or the presence of a gas in the gas,
the virtual machine assigns a value to a third register in the target physical input/output device to indicate the size of the data to be decrypted stored in the first memory;
wherein the first memory is located in the target physical input output device.
15. The method of claim 12,
the target physical input and output equipment is display equipment;
wherein the virtual machine writes the encrypted data into a target physical input output device, comprising:
and the virtual machine writes the encrypted image data into the display equipment so that the display equipment can receive the encrypted image data, and the encrypted image data is decrypted and displayed through a second encryption and decryption engine.
16. A data transmission method is applied to physical input and output equipment and comprises the following steps:
receiving encrypted data sent or written by a virtual machine or a virtual machine manager on computing equipment, and decrypting the encrypted data through an encryption and decryption engine in the physical input and output equipment; or,
reading encrypted data from a designated area in a memory on the computing device, and decrypting the encrypted data through an encryption and decryption engine in the physical input and output device; or,
and after the received external input data is encrypted by an encryption and decryption engine in the physical input and output device, the received external input data is sent to a virtual machine or a virtual machine manager on the computing device.
17. The method of claim 16,
the physical input and output device comprises a first memory and a first register;
wherein the method further comprises:
storing the received encrypted data in the first memory;
receiving assignment operation of the virtual machine or the virtual machine manager to the first register; the value of the first register is used to indicate whether data to be decrypted is stored in the first memory.
18. The method of claim 17,
the physical input and output device further comprises a second register and/or a third register;
wherein the method further comprises:
receiving assignment operation of the virtual machine or the virtual machine manager on the second register and/or the third register;
the value of the second register is used for indicating the position of the data to be decrypted stored in the first memory;
the value of the third register is used to indicate the size of the data to be decrypted stored in the first memory.
19. The method of claim 17, wherein the physical input/output device is a display device, and the first memory is a video memory;
wherein the receiving encrypted data sent or written by a virtual machine on the computing device or the virtual machine manager comprises: receiving encrypted image data sent or written by a virtual machine on the computing device or the virtual machine manager;
after receiving encrypted data sent or written by a virtual machine or the virtual machine manager on the computing device, the method further comprises:
and the encrypted image data received by the display equipment is decrypted by the encryption and decryption engine and then displayed.
20. The method of claim 16,
when the physical input and output device encrypts external input data through an encryption and decryption engine and sends the encrypted external input data to the virtual machine or the virtual machine manager, the physical input and output device is one of the following:
keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
21. A computing device, comprising:
the virtual machine management system comprises a first processor, a second processor and a virtual machine management unit, wherein the first processor is used for operating a virtual machine manager and a virtual machine, and the virtual machine manager is used for virtualizing a virtual input and output device;
the memory controller is electrically connected with the first processor, and a first encryption and decryption engine is arranged in the memory controller;
the memory is electrically connected with the memory controller;
a second processor, configured to configure a first security key for the first encryption/decryption engine and a second security key for a second encryption/decryption engine in a target physical input/output device; wherein the first security key and the second security key are the same;
the virtual machine acquires encrypted data encrypted by the first encryption and decryption engine from an encrypted memory of the virtual machine through the memory controller, and writes the encrypted data into the virtual input and output device, and the virtual machine manager reads the encrypted data from the virtual input and output device, and writes the encrypted data into the target physical input and output device or sends the encrypted data to the target physical input and output device, so that the target physical input and output device receives the encrypted data and decrypts the encrypted data through a second encryption and decryption engine, wherein the encrypted memory of the virtual machine is an encrypted storage area of the virtual machine in the memory;
or,
the virtual machine manager receives encrypted data from the target physical input and output device and writes the encrypted data into the virtual input and output device or sends the encrypted data to the virtual input and output device, and the virtual machine reads the encrypted data from the virtual input and output device and writes the encrypted data into the memory through the memory controller; wherein the encrypted data received by the virtual machine manager is generated by the target physical input output device encrypting the received external input data through the second encryption/decryption engine.
22. The computing device of claim 21,
the virtual machine manager is further configured to virtualize a first virtual register for a first register in the target physical input/output device;
the virtual machine is also used for assigning a value to the first virtual register;
the virtual machine manager reads the value of the first virtual register and assigns the read value of the first virtual register to the first register to indicate whether data to be decrypted is stored in the first memory; wherein the first memory is located in the target physical input output device.
23. The computing device of claim 21,
the virtual machine manager is further configured to virtualize a second virtual register for a second register in the target physical input/output device, and/or virtualize a third virtual register for a third register in the target physical input/output device;
the virtual machine is further used for assigning values to the second virtual register and/or the third virtual register;
the virtual machine manager reads the value of the second virtual register and assigns the read value of the second virtual register to the second register so as to indicate the position of the data to be decrypted stored in the first memory; and/or the presence of a gas in the gas,
and the virtual machine manager reads the value of the third virtual register and assigns the read value of the third virtual register to the third register so as to indicate the size of the data to be decrypted stored in the first memory.
24. The computing device of claim 21, wherein the target physical input output device is a display device or a printing device;
when the target physical input and output device is a display device, the first memory is a video memory.
25. The computing device of claim 21,
when the virtual machine manager receives encrypted data from the target physical input output device, the target physical input output device is one of the following:
keyboard, mouse, camera, scanner, light pen, touch panel, joystick, voice input device.
26. A data transmission method applied to a computing device comprises the following steps:
the virtual machine manager virtualizes a virtual input and output device;
the virtual machine acquires encrypted data encrypted by the first encryption and decryption engine from an encrypted memory of the virtual machine through a memory controller, and writes the encrypted data into the virtual input and output device, the virtual machine manager reads the encrypted data from the virtual input and output device, and writes the encrypted data into a target physical input and output device or sends the encrypted data to the target physical input and output device, so that the target physical input and output device receives the encrypted data and decrypts the encrypted data through a second encryption and decryption engine, wherein the encrypted memory of the virtual machine is an encrypted storage area of the virtual machine in the memory;
or,
the virtual machine manager receives encrypted data from the target physical input and output device and writes the encrypted data into the virtual input and output device or sends the encrypted data to the virtual input and output device, and the virtual machine reads the encrypted data from the virtual input and output device and writes the encrypted data into a memory through the memory controller; wherein the encrypted data received by the virtual machine manager is generated by the target physical input output device encrypting the received external input data through the second encryption and decryption engine.
27. The method of claim 26,
when the virtual machine manager virtualizes a virtual input and output device, the method further comprises:
virtualizing a first virtual register for a first register in the target physical input/output device by the virtual machine manager;
the virtual machine assigns values to the first virtual register;
the virtual machine manager reads the value of the first virtual register and assigns the read value of the first virtual register to the first register to indicate whether data to be decrypted is stored in the first memory; wherein the first memory is located in the target physical input output device.
28. The method of claim 27,
when the virtual machine manager virtualizes a virtual input and output device, the method further comprises:
the virtual machine manager virtualizes a second virtual register for a second register in the target physical input/output device, and/or virtualizes a third virtual register for a third register in the target physical input/output device;
the virtual machine assigns values to the second virtual register and/or the third virtual register;
the virtual machine manager reads the value of the second virtual register and assigns the read value of the second virtual register to the second register so as to indicate the position of the data to be decrypted stored in the first memory; and/or the presence of a gas in the gas,
and the virtual machine manager reads the value of the third virtual register and assigns the read value of the third virtual register to the third register so as to indicate the size of the data to be decrypted stored in the first memory.
29. The method of claim 26,
the target physical input and output device is a display device, and the encrypted data is encrypted image data;
the writing or sending of the read encrypted data to the target physical input/output device by the virtual machine manager so that the target physical input/output device decrypts the encrypted data through a second encryption/decryption engine includes:
and the virtual machine manager writes the read encrypted image data into the target physical input and output device or sends the encrypted image data to the target physical input and output device, so that the target physical input and output device can decrypt the encrypted image data through a second encryption and decryption engine and then display the decrypted image data.
30. A data transmission system, comprising:
a computing device and a physical output device connected thereto; wherein the computing device is the computing device of any of the preceding claims 1 to 5 or 21 to 25, the physical output device is the physical output device of any of the preceding claims 6 to 9; or,
the data transmission system includes:
a computing device and a physical input device connected thereto; wherein the computing device is the computing device of any of the preceding claims 1 to 5 or 21 to 25 and the physical input device is the physical input device of any of the preceding claims 10 to 11.
CN202210453363.5A 2022-04-27 2022-04-27 Computing device, physical input device, physical output device, and data transmission method Pending CN114840862A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210453363.5A CN114840862A (en) 2022-04-27 2022-04-27 Computing device, physical input device, physical output device, and data transmission method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210453363.5A CN114840862A (en) 2022-04-27 2022-04-27 Computing device, physical input device, physical output device, and data transmission method

Publications (1)

Publication Number Publication Date
CN114840862A true CN114840862A (en) 2022-08-02

Family

ID=82567512

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210453363.5A Pending CN114840862A (en) 2022-04-27 2022-04-27 Computing device, physical input device, physical output device, and data transmission method

Country Status (1)

Country Link
CN (1) CN114840862A (en)

Similar Documents

Publication Publication Date Title
KR102451109B1 (en) Generate key proofs that provide device anonymity
EP3047375B1 (en) Virtual machine manager facilitated selective code integrity enforcement
US9246678B2 (en) Secure cloud storage and encryption management system
EP3160103B1 (en) Method, apparatus and system for encryption/decryption in virtualization system
US10180806B2 (en) Information processing apparatus, information processing method, and recording medium
JP6055023B2 (en) Information processing apparatus, terminal apparatus, and storage method for storing data in cloud environment
US9769654B2 (en) Method of implementing a right over a content
US8996883B2 (en) Securing inputs from malware
KR101837678B1 (en) Computing apparatus based on trusted execution environment
US20150220709A1 (en) Security-enhanced device based on virtualization and the method thereof
JP2011048661A (en) Virtual server encryption system
CN102404314A (en) Remote resources single-point sign on
US10045212B2 (en) Method and apparatus for providing provably secure user input/output
CN106203141A (en) The data processing method of a kind of application and device
JP5391756B2 (en) Image forming apparatus, information management method, and program
JP6711042B2 (en) Decryption program, encryption program, decryption device, encryption device, decryption method, and encryption method
CN114244565B (en) Key distribution method, device, equipment and storage medium
CN116450281A (en) Access processing method, virtual machine identifier configuration method, chip and computer equipment
CN114840862A (en) Computing device, physical input device, physical output device, and data transmission method
CN112363800B (en) Network card memory access method, security processor, network card and electronic equipment
CN112416525B (en) Device driver initialization method, direct storage access method and related device
JP7139818B2 (en) Delivery management system and delivery management method
CN110365654B (en) Data transmission control method and device, electronic equipment and storage medium
WO2024115147A1 (en) Selecting an hsm for association to a secure guest
JP5908131B1 (en) COMMUNICATION SYSTEM, COMMUNICATION METHOD, TERMINAL DEVICE, AND TERMINAL PROGRAM

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination