CN115688089A - A PCIE protocol security extension method, system and medium - Google Patents

A PCIE protocol security extension method, system and medium Download PDF

Info

Publication number
CN115688089A
CN115688089A CN202211476721.0A CN202211476721A CN115688089A CN 115688089 A CN115688089 A CN 115688089A CN 202211476721 A CN202211476721 A CN 202211476721A CN 115688089 A CN115688089 A CN 115688089A
Authority
CN
China
Prior art keywords
target terminal
pcie
terminal device
cpu
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211476721.0A
Other languages
Chinese (zh)
Inventor
刘威
龚锐
石伟
张剑锋
王蕾
冯权友
张见
潘国腾
罗莉
荀长庆
周海亮
周理
铁俊波
王永文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National University of Defense Technology
Original Assignee
National University of Defense Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National University of Defense Technology filed Critical National University of Defense Technology
Priority to CN202211476721.0A priority Critical patent/CN115688089A/en
Publication of CN115688089A publication Critical patent/CN115688089A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method, a system and a medium for safely expanding a PCIE protocol, wherein the method for safely expanding the PCIE protocol comprises the following steps: s101, generating a PCIE message carrying security information by an access request issued by a CPU and sending the PCIE message to a target terminal device; and S102, after the target terminal equipment receives the PCIE message carrying the security information, implementing security access control of the CPU to the target terminal equipment according to the security information, wherein the security access control can adopt access permission and denial of resource granularity or equipment granularity according to requirements. The method, the system and the medium for safely expanding the PCIE protocol introduce safety information into a PCIE protocol message, so that the PCIE protocol is safely sensed, terminal equipment is brought into a trusted execution environment of a processor end in the PIO direction, and safety protection of data unloaded to an off-chip PCIE equipment end is realized.

Description

一种PCIE协议的安全扩展方法、系统及介质A PCIE protocol security extension method, system and medium

技术领域technical field

本发明属于计算机安全领域,具体涉及一种PCIE协议的安全扩展方法、系统及介质。The invention belongs to the field of computer security, and in particular relates to a PCIE protocol security extension method, system and medium.

背景技术Background technique

当前,硬件安全得到越来越多的重视。从底层硬件安全的角度进行系统安全增强,防堵安全漏洞,才能构成更加安全的信息系统。现有的国际主流CPU架构中,都定义了硬件资源隔离相关的机制。基于这些机制,可以在系统中构造一个隔离区域,该区域具有独立的计算、存储、IO资源,并且从硬件上保证该隔离区域内的数据不能被隔离区域以外的资源所访问,保证在该区域中执行的软件是不能被恶意篡改的,从而支持构造一个安全的可信执行环境。At present, hardware security is getting more and more attention. Only by enhancing system security from the perspective of underlying hardware security and preventing security loopholes can a more secure information system be formed. In the existing international mainstream CPU architecture, mechanisms related to hardware resource isolation are defined. Based on these mechanisms, an isolated area can be constructed in the system. This area has independent computing, storage, and IO resources, and it is guaranteed from the hardware that the data in the isolated area cannot be accessed by resources outside the isolated area. The software executed in it cannot be maliciously tampered with, thus supporting the construction of a secure trusted execution environment.

但是传统的硬件资源隔离机制一般围绕处理器内部进行构建。但是,随着片外加速器的算力不断提升,采用主处理芯片和片外加速芯片的异构框架在新型应用领域得到越来越多的应用。在这种异构架构下,大量的用户数据需要卸载到加速芯片上进行执行。一般来说,加速芯片通过PCIE总线与主处理器连接,在目前主流的CPU硬件资源隔离架构下,PCIE总线都没有被纳入隔离区域。因此,从CPU端的安全视角来看,卸载到加速芯片上的数据都是不安全的,是位于可信执行环境之外的,具有较大的硬件安全隐患。However, traditional hardware resource isolation mechanisms are generally built around the interior of the processor. However, as the computing power of off-chip accelerators continues to increase, heterogeneous frameworks using main processing chips and off-chip accelerator chips are being used more and more in new application fields. Under this heterogeneous architecture, a large amount of user data needs to be offloaded to the accelerator chip for execution. Generally speaking, the accelerator chip is connected to the main processor through the PCIE bus. Under the current mainstream CPU hardware resource isolation architecture, the PCIE bus is not included in the isolation area. Therefore, from the security perspective of the CPU side, the data offloaded to the accelerator chip is not safe, and it is located outside the trusted execution environment, which has a large hardware security risk.

在典型的CPU+加速器异构计算系统中,PCIE协议的RC(Root Complex,根复合体)设备位于CPU和PCIE拓扑结构之间,往上与CPU通过总线相连,往下管理各PCIE树形拓扑中的节点。PCIE节点包括交换设备(switch)、EP(终端)设备等。根复合体设备和CPU通过AXI(Advanced eXtensible Interface)总线互连,AXI总线是ARM公司研发推出的第四代片上总线协议,是一种面向高性能、高带宽、低延迟的片内总线,它利用AxPROT信号来区分请求是否是安全请求。In a typical CPU+accelerator heterogeneous computing system, the RC (Root Complex) device of the PCIE protocol is located between the CPU and the PCIE topology, connected to the CPU through the bus at the top, and manages each PCIE tree topology at the bottom of nodes. PCIE nodes include switching equipment (switch), EP (terminal) equipment, and the like. The root complex device and the CPU are interconnected through the AXI (Advanced eXtensible Interface) bus. The AXI bus is the fourth-generation on-chip bus protocol developed by ARM. It is an on-chip bus for high performance, high bandwidth, and low latency. It Use the AxPROT signal to distinguish whether the request is a security request.

图1为一种典型的主处理器外挂PCIE加速设备的系统(System on Chip,SOC)框架图。该PCIE总线系统的拓扑结构为树形拓扑结构,其主要包括根复合体(Root Complex,RC)设备、交换设备(Switch)、终端(Endpoint,EP)设备等PCIE设备。终端设备为能够支持多样性应用功能的设备,其主要包括显卡、网卡等。交换设备为PCIE交换机,可以在PCIE链路无法满足需求的情况下,实现PCIE链路的扩展。在PCIE设备中有两种数据传输方式:DMA(Direct Memory Access,直接存储器访问))和PIO(Programmed Input-Output,可编程输入输出)。其中,在DMA模式的数据传输方式下,可以实现内存与PCIE设备的数据传输,例如,终端设备向内存发送访问请求,内存向终端设备返回请求的数据;在PIO模式的数据传输方式下,可以实现处理器与终端设备的数据传输,例如,处理器向终端设备发送访问请求,终端设备向处理器返回请求的数据。目前,PCIE接口普遍应用于当前处理器和高速外设之间的通信,但PCIE协议发展至今,报文格式里始终没有数据安全的针对性设计。因此,当涉及到数据在处理器片外传输时就不可避免地出现安全漏洞。因此需要进行PCIE协议扩展,使得CPU的安全控制请求传递到外设,已成为一项亟待解决的关键技术问题。FIG. 1 is a typical framework diagram of a system (System on Chip, SOC) in which a main processor is plugged with a PCIE acceleration device. The topology of the PCIE bus system is a tree topology, which mainly includes PCIE devices such as root complex (Root Complex, RC) devices, switching devices (Switch), and terminal (Endpoint, EP) devices. A terminal device is a device capable of supporting diverse application functions, and mainly includes a graphics card, a network card, and the like. The switching device is a PCIE switch, which can realize the expansion of the PCIE link when the PCIE link cannot meet the demand. There are two data transmission methods in PCIE devices: DMA (Direct Memory Access, direct memory access)) and PIO (Programmed Input-Output, programmable input and output). Among them, in the data transmission mode of the DMA mode, the data transmission between the memory and the PCIE device can be realized. For example, the terminal device sends an access request to the memory, and the memory returns the requested data to the terminal device; in the data transmission mode of the PIO mode, you can Realize the data transmission between the processor and the terminal device, for example, the processor sends an access request to the terminal device, and the terminal device returns the requested data to the processor. At present, the PCIE interface is widely used in the communication between current processors and high-speed peripherals. However, since the development of the PCIE protocol, there has never been a targeted design for data security in the message format. Therefore, security breaches are inevitable when it comes to transferring data off-chip of the processor. Therefore, it is necessary to extend the PCIE protocol so that the security control request of the CPU is transmitted to the peripheral hardware, which has become a key technical problem to be solved urgently.

发明内容Contents of the invention

本发明要解决的技术问题:针对现有技术的上述问题,提供一种PCIE协议的安全扩展方法、系统及介质,本发明将PCIE协议报文中引入安全信息,使得PCIE协议是安全感知的,在PIO方向上将终端设备纳入处理器端的可信执行环境,使得CPU的安全控制请求传递到外设,实现对卸载到片外PCIE设备端的数据的安全防护。The technical problem to be solved in the present invention: aim at the above-mentioned problem of prior art, provide a kind of security extension method, system and medium of PCIE protocol, the present invention introduces security information in PCIE protocol message, makes PCIE protocol security perception, In the PIO direction, the terminal device is included in the trusted execution environment on the processor side, so that the security control request of the CPU is transmitted to the peripheral device, and the security protection of the data unloaded to the off-chip PCIE device side is realized.

为了解决上述技术问题,本发明采用的技术方案为:In order to solve the problems of the technologies described above, the technical solution adopted in the present invention is:

一种PCIE协议的安全扩展方法,包括:A security extension method of the PCIE protocol, comprising:

S101,将CPU下发的访问请求生成携带安全信息的PCIE报文并发送给目标终端设备;S101, generate a PCIE message carrying security information from the access request issued by the CPU and send it to the target terminal device;

S102,目标终端设备在收到携带有安全信息的PCIE报文后,根据安全信息实施CPU对目标终端设备的安全访问控制。S102. After receiving the PCIE message carrying the security information, the target terminal device implements security access control of the CPU to the target terminal device according to the security information.

可选地,步骤S102中实施CPU对目标终端设备的安全访问控制是指允许CPU访问目标终端设备的全部资源,或者只允许CPU访问目标终端设备的被设置为非安全的部分资源,且所述目标终端设备的全部资源被划分为非安全的部分资源和安全的部分资源。Optionally, implementing the security access control of the CPU to the target terminal device in step S102 refers to allowing the CPU to access all resources of the target terminal device, or only allowing the CPU to access some resources of the target terminal device that are set as non-secure, and the All resources of the target terminal device are divided into non-secure partial resources and secure partial resources.

可选地,步骤S102中PCIE报文携带的安全信息的值为第一值或第二值两个选项之一,步骤S102中实施CPU对目标终端设备的安全访问控制包括:若安全信息为第一值,则只允许CPU访问目标终端设备的非安全的部分资源;若安全信息为第二值,则允许CPU访问目标终端设备的全部资源。Optionally, the value of the security information carried by the PCIE message in step S102 is one of two options of the first value or the second value. In step S102, implementing the security access control of the CPU to the target terminal device includes: if the security information is the first value If the value is one, the CPU is only allowed to access some non-secure resources of the target terminal device; if the security information is a second value, the CPU is allowed to access all resources of the target terminal device.

可选地,步骤S102中实施CPU对目标终端设备的安全访问控制是指允许CPU访问目标终端设备,或者拒绝CPU访问目标终端设备。Optionally, implementing security access control of the CPU to the target terminal device in step S102 refers to allowing the CPU to access the target terminal device, or denying the CPU to access the target terminal device.

可选地,步骤S102中PCIE报文携带的安全信息的值为第一值或第二值两个选项之一,步骤S102中实施CPU对目标终端设备的安全访问控制包括:在安全信息为第一值时,将目标终端设备的设备信息、预设的安全终端设备信息列表进行比较以确定目标终端设备是否为安全终端设备,仅在目标终端设备为安全终端设备时允许CPU访问目标终端设备;在安全信息为第二值时直接允许CPU访问目标终端设备。Optionally, the value of the security information carried by the PCIE message in step S102 is one of two options of the first value or the second value. In step S102, implementing the security access control of the CPU to the target terminal device includes: when the security information is the first value When the value is one, compare the device information of the target terminal device with the preset security terminal device information list to determine whether the target terminal device is a security terminal device, and only allow the CPU to access the target terminal device when the target terminal device is a security terminal device; When the security information is the second value, the CPU is directly allowed to access the target terminal device.

可选地,步骤S101包括:Optionally, step S101 includes:

S201,根复合体设备通过AXI总线接收CPU下发的AXI请求;S201, the root complex device receives an AXI request sent by the CPU through the AXI bus;

S202,根复合体设备解析获取AXI请求中的AxPROT信号,根据AxPROT信号生成安全信息,并将安全信息编码到PCIE报文;S202, the root complex device parses and obtains the AxPROT signal in the AXI request, generates security information according to the AxPROT signal, and encodes the security information into a PCIE message;

S203,根复合体设备判断与目标终端设备的连接方式,若与目标终端设备直接相连,则直接将PCIE报文发送至目标终端设备,否则将PCIE报文发送给与目标终端设备相连的交换设备;S203, the root complex device judges the connection mode with the target terminal device, if it is directly connected to the target terminal device, then directly sends the PCIE message to the target terminal device, otherwise sends the PCIE message to the switching device connected to the target terminal device ;

S204,通过与目标终端设备相连的交换设备向目标终端设备转发PCIE报文并同时透传PCIE报文中编码的安全信息,最终将PCIE报文发送至目标终端设备。S204. Forward the PCIE message to the target terminal device through the switching device connected to the target terminal device and at the same time transparently transmit the security information encoded in the PCIE message, and finally send the PCIE message to the target terminal device.

可选地,步骤S202中根据AxPROT信号生成安全信息时,生成的安全信息为来自AXI请求中的AxPROT信号中表示访问为安全或不安全的标识位,若AxPROT信号中表示访问为安全或不安全的标识位表示为安全,则将该安全信息的取值为第一值,否则将该安全信息的取值为第二值,其中所述第一值用于只允许CPU访问目标终端设备的非安全的部分资源、所述第二值用于允许CPU访问目标终端设备的全部资源,或者所述第一值用于仅在目标终端设备为安全终端设备时允许CPU访问目标终端设备、所述第二值用于直接允许CPU访问目标终端设备。Optionally, when the security information is generated according to the AxPROT signal in step S202, the generated security information is from the AxPROT signal in the AXI request indicating that the access is safe or unsafe, if the AxPROT signal indicates that the access is safe or unsafe If the identification bit indicates security, then the value of the security information is the first value; otherwise, the value of the security information is the second value, wherein the first value is used to only allow the CPU to access the target terminal device's non- Some of the resources that are safe, the second value is used to allow the CPU to access all resources of the target terminal device, or the first value is used to allow the CPU to access the target terminal device only when the target terminal device is a secure terminal device, the second value is used to allow the CPU to access the target terminal device, the second value The binary value is used to directly allow the CPU to access the target end device.

可选地,步骤S202中将安全信息编码到PCIE报文具体是指将安全信息编码到PCIE报文的保留字段中以实现与标准PCIE报文协议的兼容。Optionally, encoding the security information into the PCIE message in step S202 specifically refers to encoding the security information into a reserved field of the PCIE message to achieve compatibility with the standard PCIE message protocol.

此外,本发明还提供一种PCIE协议的安全扩展系统,包括相互连接的微处理器和存储器,所述微处理器被编程或配置以执行所述PCIE协议的安全扩展方法。In addition, the present invention also provides a security extension system of the PCIE protocol, which includes a microprocessor and a memory connected to each other, and the microprocessor is programmed or configured to execute the security extension method of the PCIE protocol.

此外,本发明还提供一种计算机可读存储介质,所述计算机可读存储介质中存储有计算机程序,所述计算机程序用于被微处理器编程或配置以执行所述PCIE协议的安全扩展方法。In addition, the present invention also provides a computer-readable storage medium, and a computer program is stored in the computer-readable storage medium, and the computer program is used to be programmed or configured by a microprocessor to perform the security extension method of the PCIE protocol .

和现有技术相比,本发明主要具有下述优点:本发明PCIE协议的安全扩展方法包括:将CPU下发至目标终端设备的PCIE报文携带安全信息;目标终端设备在收到携带有安全信息的PCIE报文后,根据安全信息选择允许CPU访问目标终端设备的全部资源或被设置为非安全的部分资源,本发明将PCIE协议报文中引入安全信息,使得PCIE协议是安全感知的,在PIO方向(CPU往终端设备的读写方向)上将终端设备纳入处理器端的可信执行环境,使得CPU的安全控制请求传递到外设,实现对卸载到片外PCIE设备端的数据的安全防护。Compared with the prior art, the present invention mainly has the following advantages: the security extension method of the PCIE protocol of the present invention includes: the PCIE message sent by the CPU to the target terminal device carries security information; After the PCIE message of the information, according to the security information, select to allow the CPU to access all resources of the target terminal device or be set as non-safe partial resources. The present invention introduces security information into the PCIE protocol message, so that the PCIE protocol is security-aware. In the direction of PIO (the reading and writing direction from the CPU to the terminal device), the terminal device is included in the trusted execution environment of the processor side, so that the security control request of the CPU is transmitted to the peripheral device, and the security protection of the data unloaded to the off-chip PCIE device side is realized. .

附图说明Description of drawings

图1为现有PCIE应用系统的架构示意图。FIG. 1 is a schematic diagram of an architecture of an existing PCIE application system.

图2为本发明实施例一的方法基本流程示意图。Fig. 2 is a schematic flow diagram of the basic method of the first embodiment of the present invention.

图3为本发明实施例一中安全访问控制的具体实现流程示意图。FIG. 3 is a schematic diagram of a specific implementation flow of security access control in Embodiment 1 of the present invention.

图4为本发明实施例一中步骤S101的流程示意图。FIG. 4 is a schematic flowchart of step S101 in Embodiment 1 of the present invention.

图5为第三代标准PCIE报文协议(PCIe Gen3)的报文头的格式定义。FIG. 5 is a format definition of a packet header of the third generation standard PCIE packet protocol (PCIe Gen3).

图6为本发明实施例二中安全访问控制的具体实现流程示意图。FIG. 6 is a schematic diagram of a specific implementation flow of security access control in Embodiment 2 of the present invention.

具体实施方式Detailed ways

实施例一:Embodiment one:

如图2所示,本实施例PCIE协议的安全扩展方法包括:As shown in Figure 2, the security extension method of the PCIE protocol of the present embodiment includes:

S101,将CPU下发的访问请求生成携带安全信息的PCIE报文并发送给目标终端设备;S101, generate a PCIE message carrying security information from the access request issued by the CPU and send it to the target terminal device;

S102,目标终端设备在收到携带有安全信息的PCIE报文后,根据安全信息实施CPU对目标终端设备的安全访问控制。S102. After receiving the PCIE message carrying the security information, the target terminal device implements security access control of the CPU to the target terminal device according to the security information.

根据安全信息实施CPU对目标终端设备的安全访问控制可根据需要选择可行的安全访问控制的实现方式。例如作为一种可选的实施方式,本实施例步骤S102中实施CPU对目标终端设备的安全访问控制是指允许CPU访问目标终端设备的全部资源,或者只允许CPU访问目标终端设备的被设置为非安全的部分资源,且所述目标终端设备的全部资源被划分为非安全的部分资源和安全的部分资源,本实施例通过对目标终端设备资源的安全等级划分(非安全的部分资源和安全的部分资源),使得对目标终端设备安全控制细粒度更丰富,从而使得目标终端设备的实现更加灵活。To implement the security access control of the CPU to the target terminal device according to the security information, a feasible implementation method of security access control may be selected according to needs. For example, as an optional implementation, implementing the security access control of the CPU to the target terminal device in step S102 of this embodiment refers to allowing the CPU to access all resources of the target terminal device, or only allowing the CPU to access the target terminal device is set to Non-secure partial resources, and all resources of the target terminal device are divided into non-secure partial resources and safe partial resources, this embodiment divides the security level of target terminal device resources (non-secure partial resources and secure Part of the resources), which makes the security control of the target terminal device more fine-grained, thus making the realization of the target terminal device more flexible.

如图3所示,本实施例步骤S102中PCIE报文携带的安全信息的值为第一值或第二值两个选项之一,步骤S102中实施CPU对目标终端设备的安全访问控制包括:若安全信息为第一值,则只允许CPU访问目标终端设备的非安全的部分资源;若安全信息为第二值,则允许CPU访问目标终端设备的全部资源。其中,第一值或第二值仅用于两种安全访问控制方式的区分,可以根据需要采用所需的定义,例如作为一种可选的实施方式,本实施例中定义第一值为1,第二值为0。As shown in Figure 3, in the present embodiment step S102, the value of the security information carried by the PCIE message is one of the first value or the second value, and the security access control of the CPU to the target terminal device in the step S102 includes: If the security information is the first value, the CPU is only allowed to access some non-secure resources of the target terminal device; if the security information is the second value, the CPU is allowed to access all resources of the target terminal device. Wherein, the first value or the second value is only used to distinguish between the two security access control methods, and the required definition can be adopted as required. For example, as an optional implementation mode, the first value is defined as 1 in this embodiment , the second value is 0.

步骤S101中CPU下发的访问请求可为配置请求、IO请求和MEM请求等,本实施例方法并依赖于具体的请求类型。计算机的PCIE协议对应的拓扑结构中包括根复合体设备和目标终端设备,根复合体设备和目标终端设备之间可以直接相连,也可以通过交换设备(特指PCIE交换设备)相连。其中根复合体设备用于接收CPU下发的访问请求,毫无疑问,根复合体设备、CPU之间可以根据需要采用支持安全控制的总线。例如,根复合体设备、CPU之间常见的支持安全控制的总线为AXI总线,下文将以根复合体设备、CPU之间采用AXI总线为例,对本实施例中步骤S101的实现方式进行进一步的详细说明。The access request delivered by the CPU in step S101 may be a configuration request, an IO request, a MEM request, etc., and the method of this embodiment does not depend on the specific request type. The topology corresponding to the PCIE protocol of the computer includes the root complex device and the target terminal device. The root complex device and the target terminal device can be directly connected, or connected through a switching device (specifically referred to as a PCIE switching device). The root complex device is used to receive the access request issued by the CPU. There is no doubt that a bus supporting security control can be used between the root complex device and the CPU as required. For example, the common bus that supports security control between the root complex device and the CPU is the AXI bus. The following will take the AXI bus between the root complex device and the CPU as an example to further describe the implementation of step S101 in this embodiment. Detailed description.

如图4所示,本实施例步骤S101包括:As shown in Figure 4, step S101 of this embodiment includes:

S201,根复合体设备通过AXI总线接收CPU下发的AXI请求;S201, the root complex device receives an AXI request sent by the CPU through the AXI bus;

S202,根复合体设备解析获取AXI请求中的AxPROT信号,根据AxPROT信号生成安全信息,并将安全信息编码到PCIE报文;S202, the root complex device parses and obtains the AxPROT signal in the AXI request, generates security information according to the AxPROT signal, and encodes the security information into a PCIE message;

S203,根复合体设备判断与目标终端设备的连接方式,若与目标终端设备直接相连,则直接将PCIE报文发送至目标终端设备,否则将PCIE报文发送给与目标终端设备相连的交换设备;S203, the root complex device judges the connection mode with the target terminal device, if it is directly connected to the target terminal device, then directly sends the PCIE message to the target terminal device, otherwise sends the PCIE message to the switching device connected to the target terminal device ;

S204,通过与目标终端设备相连的交换设备向目标终端设备转发PCIE报文并同时透传PCIE报文中编码的安全信息,最终将PCIE报文发送至目标终端设备。S204. Forward the PCIE message to the target terminal device through the switching device connected to the target terminal device and at the same time transparently transmit the security information encoded in the PCIE message, and finally send the PCIE message to the target terminal device.

本实施例中,步骤S202中根据AxPROT信号生成安全信息时,生成的安全信息为来自AXI请求中的AxPROT信号中表示访问为安全或不安全的标识位(AxPROT 信号位宽均为3bit,AxPROT[0]将访问标识为非特权或特权。AxPROT[1]将访问标识为安全或不安全。AxPROT[2]指示是数据还是指令访问。但是,并非在所有情况下都是准确的,例如,事务包含指令和数据项的混合),若AxPROT信号中表示访问为安全或不安全的标识位表示为安全,则将该安全信息的取值为第一值,否则将该安全信息的取值为第二值,其中所述第一值用于只允许CPU访问目标终端设备的非安全的部分资源、所述第二值用于允许CPU访问目标终端设备的全部资源。In this embodiment, when the security information is generated according to the AxPROT signal in step S202, the generated security information is from the AxPROT signal in the AXI request indicating that the access is safe or unsafe. 0] identifies the access as non-privileged or privileged. AxPROT[1] identifies the access as secure or unsecure. AxPROT[2] indicates whether it is a data or instruction access. However, it is not accurate in all cases, for example, transaction contains a mix of instructions and data items), if the flag indicating that the access is safe or unsafe in the AxPROT signal is safe, then the value of the security information is the first value, otherwise the value of the security information is the first value Two values, wherein the first value is used to only allow the CPU to access some non-secure resources of the target terminal device, and the second value is used to allow the CPU to access all resources of the target terminal device.

作为一种可选的实施方式,本实施例中步骤S202中将安全信息编码到PCIE报文具体是指将安全信息编码到PCIE报文的保留字段中以实现与标准PCIE报文协议的兼容。图5所示为第三代标准PCIE报文协议(PCIe Gen3)的报文头的格式定义,报文头为四个字节共32位大小,其中的域包括类型Type和传输等级TC之间、传输等级TC和报文属性Attr之间、报文属性Attr和报文处理提示信息标记TH之间各设有一个1位的保留字段R。由于本实施例中定义第一值为1,第二值为0,因此可占用其中一个1位的保留字段R即可。可通过利用其中任意一个1位的保留字段R来进行协议的安全扩展,将处理器内部的安全信息AxPROT传递通过编码到PCIE报文里的保留字段R,传递给外部设备。外部的终端设备接收到这些报文后,还需要对TLP报文中的保留字段R进行译码,将保留字段R译码转换到终端设备内部的安全信息,然后即可根据安全信息实施CPU对目标终端设备的安全访问控制。As an optional implementation manner, encoding the security information into the PCIE message in step S202 in this embodiment specifically refers to encoding the security information into a reserved field of the PCIE message to achieve compatibility with the standard PCIE message protocol. Figure 5 shows the format definition of the packet header of the third-generation standard PCIE packet protocol (PCIe Gen3). The packet header is four bytes with a total size of 32 bits, and the fields include the type between the type Type and the transmission level TC. A 1-bit reserved field R is respectively set between the transmission class TC and the message attribute Attr, and between the message attribute Attr and the message processing prompt information flag TH. Since the first value is defined as 1 and the second value is 0 in this embodiment, one of the 1-bit reserved field R may be occupied. The security extension of the protocol can be carried out by using any 1-bit reserved field R among them, and the security information AxPROT inside the processor is transmitted to the external device through encoding into the reserved field R in the PCIE message. After the external terminal device receives these messages, it needs to decode the reserved field R in the TLP message, convert the decoded reserved field R into the security information inside the terminal device, and then implement the CPU to check the Secure access control for target end devices.

综上所述,本实施例将PCIE协议报文中引入安全信息,使得PCIE协议是安全感知的,在PIO方向(CPU往EP设备的读写方向)上将EP设备(终端设备)纳入处理器端的可信执行环境,实现对卸载到片外PCIE设备端的数据的安全防护。尤其地,为了实现对现有PCIE协议的兼容,本实施例中通过将标准的PCIe协议报文中引入安全信息的安全属性域段,从而使得CPU的安全控制请求传递到外设,可实现在对现有PCIE协议的兼容前体下对PCIE标准协议的安全扩展。To sum up, this embodiment introduces security information into the PCIE protocol message, so that the PCIE protocol is security-aware, and incorporates the EP device (terminal device) into the processor in the PIO direction (the reading and writing direction from the CPU to the EP device) The trusted execution environment on the end realizes the security protection of the data offloaded to the off-chip PCIE device end. In particular, in order to achieve compatibility with the existing PCIE protocol, in this embodiment, the security attribute field segment of the security information is introduced into the standard PCIe protocol message, so that the security control request of the CPU is transmitted to the peripheral device, which can be implemented in A security extension to the PCIE standard protocol under the compatible precursor of the existing PCIE protocol.

此外,本实施例还提供一种PCIE协议的安全扩展系统,包括相互连接的微处理器和存储器,该微处理器被编程或配置以执行前述PCIE协议的安全扩展方法,该PCIE协议的安全扩展系统既可以为CPU+加速器构成的异构系统,也可以不包含加速器的系统。此外,本实施例还提供一种计算机可读存储介质,该计算机可读存储介质中存储有计算机程序,该计算机程序用于被微处理器编程或配置以执行前述PCIE协议的安全扩展方法。In addition, the present embodiment also provides a security extension system of the PCIE protocol, including interconnected microprocessors and memory, the microprocessor is programmed or configured to perform the security extension method of the aforementioned PCIE protocol, the security extension of the PCIE protocol The system can be a heterogeneous system composed of CPU+accelerator, or a system without accelerator. In addition, this embodiment also provides a computer-readable storage medium, in which a computer program is stored, and the computer program is used to be programmed or configured by a microprocessor to execute the aforementioned security extension method of the PCIE protocol.

实施例二:Embodiment two:

本实施例与实施例一基本相同,其主要区别为:本实施例步骤S102中实施CPU对目标终端设备的安全访问控制是指允许CPU访问目标终端设备,或者拒绝CPU访问目标终端设备,即实现以终端设备为粒度的安全访问控制。This embodiment is basically the same as Embodiment 1, and the main difference is that in step S102 of this embodiment, implementing the security access control of the CPU to the target terminal device refers to allowing the CPU to access the target terminal device, or denying the CPU to access the target terminal device, that is, to implement Security access control at the granularity of terminal devices.

同样地,本实施例步骤S102中PCIE报文携带的安全信息的值为第一值或第二值两个选项之一,但是,与实施例一不同的是,如图6所示,本实施例步骤S102中实施CPU对目标终端设备的安全访问控制包括:在安全信息为第一值时,将目标终端设备的设备信息、预设的安全终端设备信息列表进行比较以确定目标终端设备是否为安全终端设备,仅在目标终端设备为安全终端设备时允许CPU访问目标终端设备(即如果非安全终端设备CPU访问目标终端设备,则会拒绝);在安全信息为第二值时直接允许CPU访问目标终端设备。Similarly, the value of the security information carried in the PCIE message in step S102 of this embodiment is one of the first value or the second value. However, different from Embodiment 1, as shown in FIG. 6 , this embodiment For example, in step S102, implementing the security access control of the CPU to the target terminal device includes: when the security information is the first value, comparing the device information of the target terminal device with the preset security terminal device information list to determine whether the target terminal device is Secure terminal device, allowing the CPU to access the target terminal device only when the target terminal device is a secure terminal device (that is, if the non-secure terminal device CPU accesses the target terminal device, it will be rejected); when the security information is the second value, the CPU is directly allowed to access target end device.

对应地,本实施例步骤S202中根据AxPROT信号生成安全信息时,生成的安全信息为来自AXI请求中的AxPROT信号中表示访问为安全或不安全的标识位,若AxPROT信号中表示访问为安全或不安全的标识位表示为安全,则将该安全信息的取值为第一值,否则将该安全信息的取值为第二值,与实施例一不同的是,本实施例中第一值用于仅在目标终端设备为安全终端设备时允许CPU访问目标终端设备、第二值用于直接允许CPU访问目标终端设备。同样地,第一值或第二值仅用于两种安全访问控制方式的区分,可以根据需要采用所需的定义,例如作为一种可选的实施方式,本实施例中定义第一值为1,第二值为0。Correspondingly, when the security information is generated according to the AxPROT signal in step S202 of this embodiment, the generated security information is the flag indicating whether the access is safe or unsafe from the AxPROT signal in the AXI request, if the AxPROT signal indicates that the access is safe or If the unsafe flag is indicated as safe, then the value of the security information is the first value; otherwise, the value of the security information is the second value. The difference from Embodiment 1 is that the first value in this embodiment The second value is used to allow the CPU to directly access the target terminal device only when the target terminal device is a security terminal device. Similarly, the first value or the second value is only used to distinguish between the two security access control methods, and the required definition can be adopted as required. For example, as an optional implementation mode, the first value defined in this embodiment is 1, the second value is 0.

此外,本实施例还提供一种PCIE协议的安全扩展系统,包括相互连接的微处理器和存储器,该微处理器被编程或配置以执行前述PCIE协议的安全扩展方法,该PCIE协议的安全扩展系统既可以为CPU+加速器构成的异构系统,也可以不包含加速器的系统。此外,本实施例还提供一种计算机可读存储介质,该计算机可读存储介质中存储有计算机程序,该计算机程序用于被微处理器编程或配置以执行前述PCIE协议的安全扩展方法。In addition, the present embodiment also provides a security extension system of the PCIE protocol, including interconnected microprocessors and memory, the microprocessor is programmed or configured to perform the security extension method of the aforementioned PCIE protocol, the security extension of the PCIE protocol The system can be a heterogeneous system composed of CPU+accelerator, or a system without accelerator. In addition, this embodiment also provides a computer-readable storage medium, in which a computer program is stored, and the computer program is used to be programmed or configured by a microprocessor to execute the aforementioned security extension method of the PCIE protocol.

实施例三:Embodiment three:

本实施例与实施例一基本相同,其主要区别为:本实施例步骤S202中根复合体设备解析获取AXI请求中的AxPROT信号,根据AxPROT信号生成安全信息,并将安全信息编码到PCIE报文时,安全信息并未编码在PCIE协议的报文头中,而是编码进PCIE报文的数据中。目标终端设备可通过对PCIE报文的数据解码,同样可以提取出安全信息。此外,不仅可以将安全信息编码进PCIE报文的数据,还可以根据PCIE报文的格式定义,选择其他可行的有效信息域来写入安全信息,在此不再一一列举。This embodiment is basically the same as Embodiment 1, and the main difference is: the root complex device in step S202 of this embodiment parses and obtains the AxPROT signal in the AXI request, generates security information according to the AxPROT signal, and encodes the security information into the PCIE message. , the security information is not encoded in the packet header of the PCIE protocol, but encoded into the data of the PCIE packet. The target terminal device can also extract security information by decoding the data of the PCIE message. In addition, not only can the security information be encoded into the data of the PCIE message, but also other feasible valid information fields can be selected to write the security information according to the format definition of the PCIE message, which will not be listed here.

此外,本实施例还提供一种PCIE协议的安全扩展系统,包括相互连接的微处理器和存储器,该微处理器被编程或配置以执行前述PCIE协议的安全扩展方法,该PCIE协议的安全扩展系统既可以为CPU+加速器构成的异构系统,也可以不包含加速器的系统。此外,本实施例还提供一种计算机可读存储介质,该计算机可读存储介质中存储有计算机程序,该计算机程序用于被微处理器编程或配置以执行前述PCIE协议的安全扩展方法。In addition, the present embodiment also provides a security extension system of the PCIE protocol, including interconnected microprocessors and memory, the microprocessor is programmed or configured to perform the security extension method of the aforementioned PCIE protocol, the security extension of the PCIE protocol The system can be a heterogeneous system composed of CPU+accelerator, or a system without accelerator. In addition, this embodiment also provides a computer-readable storage medium, in which a computer program is stored, and the computer program is used to be programmed or configured by a microprocessor to execute the aforementioned security extension method of the PCIE protocol.

本领域内的技术人员应明白,本申请的实施例可提供为方法、系统、或计算机程序产品。因此,本申请可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请可采用在一个或多个其中包含有计算机可用程序代码的计算机可读存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。本申请是参照根据本申请实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。Those skilled in the art should understand that the embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-readable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein. The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present application. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and combinations of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a Means for realizing the functions specified in one or more steps of the flowchart and/or one or more blocks of the block diagram. These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram. These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart flow or flows and/or block diagram block or blocks.

以上所述仅是本发明的优选实施方式,本发明的保护范围并不仅局限于上述实施例,凡属于本发明思路下的技术方案均属于本发明的保护范围。应当指出,对于本技术领域的普通技术人员来说,在不脱离本发明原理前提下的若干改进和润饰,这些改进和润饰也应视为本发明的保护范围。The above descriptions are only preferred implementations of the present invention, and the protection scope of the present invention is not limited to the above-mentioned embodiments, and all technical solutions under the idea of the present invention belong to the protection scope of the present invention. It should be pointed out that for those skilled in the art, some improvements and modifications without departing from the principles of the present invention should also be regarded as the protection scope of the present invention.

Claims (10)

1. A method for secure extension of a PCIE protocol is characterized by comprising the following steps:
s101, generating a PCIE message carrying security information by an access request issued by a CPU and sending the PCIE message to a target terminal device;
and S102, after the target terminal equipment receives the PCIE message carrying the safety information, implementing safety access control of the CPU to the target terminal equipment according to the safety information.
2. The method according to claim 1, wherein the step S102 of implementing the security access control of the CPU on the target terminal device means that the CPU is allowed to access all resources of the target terminal device, or only allowed to access a part of resources, which are set as non-secure resources, of the target terminal device, and all resources of the target terminal device are divided into a non-secure part of resources and a secure part of resources.
3. The security extension method of a PCIE protocol according to claim 2, wherein the value of the security information carried in the PCIE packet in step S102 is one of a first value and a second value, and implementing the security access control of the CPU to the target terminal device in step S102 includes: if the safety information is a first value, only allowing the CPU to access the non-safety partial resource of the target terminal equipment; and if the safety information is the second value, allowing the CPU to access all resources of the target terminal equipment.
4. The security extension method of a PCIE protocol of claim 1, wherein the implementation of the security access control of the CPU to the target terminal device in step S102 is to allow the CPU to access the target terminal device or to deny the CPU from accessing the target terminal device.
5. The security extension method of a PCIE protocol according to claim 4, wherein the value of the security information carried in the PCIE packet in step S102 is one of a first value and a second value, and implementing the security access control of the CPU to the target terminal device in step S102 includes: when the safety information is a first value, comparing the equipment information of the target terminal equipment with a preset safety terminal equipment information list to determine whether the target terminal equipment is the safety terminal equipment, and allowing the CPU to access the target terminal equipment only when the target terminal equipment is the safety terminal equipment; and directly allowing the CPU to access the target terminal equipment when the safety information is the second value.
6. The method for securely extending a PCIE protocol according to any one of claims 1 to 5, wherein the step S101 includes:
s201, a root complex device receives an AXI request issued by a CPU through an AXI bus;
s202, the root complex device analyzes and obtains an AxPROT signal in the AXI request, generates safety information according to the AxPROT signal, and codes the safety information into a PCIE message;
s203, the root complex device judges the connection mode with the target terminal device, if the root complex device is directly connected with the target terminal device, the PCIE message is directly sent to the target terminal device, otherwise, the PCIE message is sent to the switching device connected with the target terminal device;
and S204, forwarding the PCIE message to the target terminal equipment through the switching equipment connected with the target terminal equipment, and simultaneously transmitting the safety information coded in the PCIE message, and finally sending the PCIE message to the target terminal equipment.
7. The method according to claim 6, wherein when the security information is generated according to the AxPROT signal in step S202, the generated security information is an identifier bit indicating that access is safe or unsafe in the AxPROT signal from the AXI request, if the identifier bit indicating that access is safe or unsafe in the AxPROT signal indicates safe, the value of the security information is a first value, otherwise, the value of the security information is a second value, where the first value is used to allow only the CPU to access the non-safe part of the target terminal device, the second value is used to allow the CPU to access all the resources of the target terminal device, or the first value is used to allow only the CPU to access the target terminal device when the target terminal device is a safe terminal device, and the second value is used to directly allow the CPU to access the target terminal device.
8. The method according to claim 6, wherein the step S202 of encoding the security information into the PCIE message specifically means encoding the security information into a reserved field of the PCIE message to achieve compatibility with a standard PCIE message protocol.
9. A security extension system of PCIE protocol, comprising a microprocessor and a memory, which are connected to each other, wherein the microprocessor is programmed or configured to execute the security extension method of PCIE protocol according to any one of claims 1 to 8.
10. A computer-readable storage medium having a computer program stored thereon, wherein the computer program is configured or programmed by a microprocessor to perform the method for security extension of a PCIE protocol as defined in any one of claims 1 to 8.
CN202211476721.0A 2022-11-23 2022-11-23 A PCIE protocol security extension method, system and medium Pending CN115688089A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211476721.0A CN115688089A (en) 2022-11-23 2022-11-23 A PCIE protocol security extension method, system and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211476721.0A CN115688089A (en) 2022-11-23 2022-11-23 A PCIE protocol security extension method, system and medium

Publications (1)

Publication Number Publication Date
CN115688089A true CN115688089A (en) 2023-02-03

Family

ID=85056419

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211476721.0A Pending CN115688089A (en) 2022-11-23 2022-11-23 A PCIE protocol security extension method, system and medium

Country Status (1)

Country Link
CN (1) CN115688089A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116932274A (en) * 2023-09-19 2023-10-24 苏州元脑智能科技有限公司 Heterogeneous computing system and server system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116932274A (en) * 2023-09-19 2023-10-24 苏州元脑智能科技有限公司 Heterogeneous computing system and server system
CN116932274B (en) * 2023-09-19 2024-01-09 苏州元脑智能科技有限公司 Heterogeneous computing system and server system

Similar Documents

Publication Publication Date Title
CN113254381B (en) Method and apparatus for supporting multiple interconnect protocols
CN112639741B (en) Method and apparatus for controlling jointly shared memory mapped regions
US11943340B2 (en) Process-to-process secure data movement in network functions virtualization infrastructures
CN102866971B (en) Device, the system and method for transmission data
CN112534418B (en) Logical transport over a fixed PCIE physical transport network
US11836262B2 (en) Protection of communications between trusted execution environment and hardware accelerator utilizing enhanced end-to-end encryption and inter-context security
ES2369715T3 (en) UNIFIED DMA.
US9805221B2 (en) Incorporating access control functionality into a system on a chip (SoC)
US20060242332A1 (en) Distributed I/O bridging functionality
WO2021244194A1 (en) Register reading/writing method, chip, subsystem, register group, and terminal
US7779275B2 (en) Communication of information via an in-band channel using a trusted configuration space
CN112540951A (en) Special main control chip suitable for electric power system control protection device
WO2006131069A1 (en) A separate encryption/decryption equipment for plentiful data and a implementing method thereof
CN100565429C (en) The method and apparatus that is used for the character sequence control of data handling system
CN108491727B (en) Safety processor integrating general calculation, trusted calculation and password calculation
JP2017091543A (en) Multiprocessor system including memory shared by multiprocessors and method of operating the system
CN115102780B (en) Data transmission method, related device, system and computer readable storage medium
CN104021104A (en) Collaborative system based on dual-bus structure and communication method thereof
TW202121879A (en) System, apparatus and method for communicating telemetry information via virtual bus encodings
US20240220624A1 (en) Integrated chiplet-based central processing units with accelerators for system security
CN106610906A (en) Data access method and bus
WO2025002060A1 (en) Method and apparatus for pcie device to pass through to virtual machine, and related device
CN115688089A (en) A PCIE protocol security extension method, system and medium
CN113821472B (en) System single chip and control method
CN103176941B (en) Communication method between cores and agent apparatus

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination