CN115934597A - PCIe controller and key update using the same - Google Patents

Abstract

The application discloses a PCIe controller and a loopback path using the PCIe controller to perform key update. The key updating comprises the following steps: processing the key updating command and updating the key data; the updating of the key data includes: receiving a key update command; generating an outgoing DMA command according to the key updating command; decrypting the ciphertext data by using the first key to obtain plaintext data; caching plaintext data in the solid-state storage device through a loopback path; generating a receiving DMA command in response to the completion of the processing of the outgoing DMA command; encrypting the cached plaintext data by using a second key; and writing the encrypted data into the solid-state storage device.

Description

PCIe controller and key update using the same

Technical Field

The present application relates to electronic devices, and more particularly to providing an internal loopback datapath for key updates using a PCIe controller.

Background

The PCIe protocol defines an inter-device communication mechanism. NVMe protocol (see also "NVM Express review 1.2" (hereinafter NVMe protocol) chapter 3, 11/3/2014) defines a mechanism for accessing non-volatile storage. PCIe devices provide Memory Space (Memory Space). A host coupled to the PCIe device may access the memory space of the PCIe device. The PCIe specification defines a Loopback (Loopback) state. In the loopback state, the Slave device (Slave) sends data received from the Master device (Master) back to the Master device.

The PCIe protocol defines a loop where data is sent to the PCIe physical link and returned from the link. In some cases, however, only the loopback functionality need be used to establish a data path internal to the PCIe controller without sending data to the physical link or without returning data via the PCIe controller of the Slave device (Slave). There is no such method of establishing an internal data path.

Disclosure of Invention

The application aims to provide a PCIe controller supporting internal loopback, an internal loopback data path is realized by using the PCIe controller, and a data key is updated by using the internal loopback data path.

According to a first aspect of the present application, there is provided a first PCIe controller according to the first aspect of the present application, including: the device comprises a transmission layer sending module, a transmission layer receiving module, a memory access module and a memory; the transmission layer sending module comprises a first loopback control module, the transmission layer receiving module comprises a second loopback control module, and the first loopback control module is coupled to the second loopback control module; the memory access module is coupled to the transport layer transmit module and the transport layer receive module, and the memory access module is further coupled to the memory.

The first PCIe controller according to the first aspect of the present application provides the second PCIe controller according to the first aspect of the present application, further comprising a PCIe physical layer module, and the PCIe physical layer module is configured to process a PCIe physical layer protocol.

The first or second PCIe controller according to the first aspect of the present application provides the third PCIe controller according to the first aspect of the present application, further comprising a data link layer module, and the data link layer module is configured to process a PCIe data link layer protocol.

According to one of the first to third PCIe controllers of the first aspect of the present application, there is provided a fourth PCIe controller according to the first aspect of the present application, further comprising an outgoing DMA module and a receiving DMA module, the outgoing DMA module being coupled to the memory and the transport layer sending module; the receive DMA module is coupled to the memory transport layer receive module.

According to one of the first to fourth PCIe controllers of the first aspect of the present application, there is provided the fifth PCIe controller according to the first aspect of the present application, further comprising a CPU subsystem, the memory being coupled to the CPU subsystem.

According to one of the first to fifth PCIe controllers of the first aspect of the present application, there is provided a sixth PCIe controller according to the first aspect of the present application, where the transport layer sending module is configured to send the TLP.

According to one of the first to sixth PCIe controllers of the first aspect of the present application, there is provided a seventh PCIe controller according to the first aspect of the present application, and the transport layer reception module is configured to receive the TLP.

According to one of the first to seventh PCIe controllers of the first aspect of the present application, there is provided the eighth PCIe controller of the first aspect of the present application, wherein the first loopback control module sends the partial TLP to the second loopback control module.

According to an eighth PCIe controller of the first aspect of the present application, there is provided the ninth PCIe controller of the first aspect of the present application, where the first loopback control module sends the TLP with the specified identifier and/or the TLP with the specified address space being accessed to the second loopback control module.

According to one of the first to seventh PCIe controllers of the first aspect of the present application, there is provided the tenth PCIe controller of the first aspect of the present application, wherein the first loopback control module sends the partial data to the second loopback control module.

According to a tenth PCIe controller according to the first aspect of the present application, there is provided the eleventh PCIe controller according to the first aspect of the present application, wherein the first loopback control module sends the data with the specified identifier, and/or the specified address space access request, and/or the data associated with the specified address space to the second loopback control module.

According to an eighth PCIe controller or a ninth PCIe controller of the first aspect of the present application, there is provided the twelfth PCIe controller of the first aspect of the present application, wherein the second loopback control module sends the TLP received from the first loopback control module to the memory access module or the pickup DMA module.

According to a tenth or eleventh PCIe controller of the first aspect of the present application, there is provided the thirteenth PCIe controller of the first aspect of the present application, wherein the second loopback control module sends data received from the first loopback control module to the memory access module or the receive DMA module.

According to one of the first to thirteenth PCIe controllers of the first aspect of the present application, there is provided the fourteenth PCIe controller according to the first aspect of the present application, wherein the memory access module is configured to process a TLP for accessing a PCIe device memory space.

According to one of the first to fourteenth PCIe controllers of the first aspect of the present application, there is provided the fifteenth PCIe controller of the first aspect of the present application, wherein the memory access module provides the memory access result through the transport layer sending module.

According to one of the first to fifteenth PCIe controllers of the first aspect of the present application, there is provided the sixteenth PCIe controller according to the first aspect of the present application, wherein the partial memory access result sent by the memory access module to the transport layer sending module is forwarded by the first loopback control module to the transport layer receiving module.

According to one of the first to sixteenth PCIe controllers of the first aspect of the present application, there is provided the seventeenth PCIe controller according to the first aspect of the present application, wherein the transport layer receiving module receives a TLP for accessing a memory space of the PCIe device, and sends the TLP to the memory access module, and the memory access module accesses the memory according to the TLP.

According to one of the first to seventeenth PCIe controllers of the first aspect of the present application, there is provided the eighteenth PCIe controller according to the first aspect of the present application, the CPU subsystem fills the DMA command to the memory.

According to one of the first to eighteenth PCIe controllers of the first aspect of the present application, there is provided the nineteenth PCIe controller according to the first aspect of the present application, the outbound DMA module being for initiating a DMA transfer.

According to one of the first to nineteenth PCIe controllers of the first aspect of the present application, there is provided the twentieth PCIe controller according to the first aspect of the present application, wherein the outbound DMA module acquires the DMA command from the memory, and transfers specified data in the memory or a DRAM coupled to the PCIe controller to a specified address according to the DMA command.

According to one of the first to twentieth PCIe controllers of the first aspect of the present application, there is provided the twenty-first PCIe controller according to the first aspect of the present application, wherein the outbound DMA module sends the module-sent data through the transport layer.

According to one of the first to eighteenth PCIe controllers of the first aspect of the present application, there is provided a twenty-second PCIe controller according to the first aspect of the present application, the receiving DMA module is configured to receive DMA-transferred data.

A twenty-second PCIe controller according to the first aspect of the present application provides the twenty-third PCIe controller according to the first aspect of the present application, wherein the receive DMA module acquires the DMA command from the memory, acquires data from a specified address of the host or the PCIe device according to the DMA command, and writes the data to the memory or the DRAM.

According to a second aspect of the present application, there is provided a method of transmitting data according to the first aspect of the present application, comprising: the CPU subsystem generates a DMA command and provides the DMA command to the outgoing DMA module; the outgoing DMA module acquires data to be transmitted from the DRAM according to the instruction of the DMA command; the external transmission DMA module transmits the data acquired from the DRAM and the destination address of DMA transmission to a transmission layer transmission module; the transmission layer sending module sends the data and the destination address to a second loopback control module of the transmission layer receiving module through the first loopback control module; the transmission layer receiving module writes the data into the memory through the memory access module according to the received data and the destination address.

According to a second aspect of the present application, there is provided a method of transmitting data according to the second aspect of the present application, the DMA command indicating a source address and a destination address located in the DRAM.

According to a second aspect of the present application, there is provided a method of transmitting data according to the second aspect of the present application, wherein the memory access module further generates an acknowledgement message in response to writing the data to the memory, and provides the acknowledgement message to the transport layer transmission module.

According to the third method for sending data of the second aspect of the present application, there is provided the fourth method for sending data of the second aspect of the present application, where the transport layer sending module sends the acknowledgment message to the second loopback control module of the transport layer receiving module using the first loopback control module according to the destination address of the acknowledgment message.

According to a third or fourth method of transmitting data of the second aspect of the present application, there is provided a fifth method of transmitting data of the second aspect of the present application, the transport layer reception module providing an acknowledgement message to the outgoing DMA module in response to receiving the acknowledgement message.

According to one of the methods of transmitting data of the first to fifth aspects of the present application, there is provided the method of transmitting data of the sixth aspect of the present application, wherein the outgoing DMA module updates the DMA command in the memory according to the DMA command execution result.

According to one of the third to sixth methods for sending data in the second aspect of the present application, there is provided the seventh method for sending data in the second aspect of the present application, in which the transport layer sending module encapsulates the acknowledgment message into a TLP, the first loopback control module is used to send the TLP to the second loopback control module of the transport layer receiving module, and the transport layer receiving module receives the TLP from the second loopback control module and parses the TLP to identify the TLP as the acknowledgment message.

According to one of the first to seventh methods for transmitting data of the second aspect of the present application, there is provided an eighth method for transmitting data of the second aspect of the present application, where data and/or addresses are transmitted between the first loopback control module of the transport layer transmission module and the second loopback control module of the transport layer reception module according to a customized protocol.

According to a third aspect of the present application, there is provided a method of acquiring data according to the first aspect of the present application, comprising: the CPU subsystem generates a DMA command and provides the DMA command to a DMA receiving module; receiving the indication of the DMA command, and sending a data access request by the DMA module through the transmission layer sending module; the transmission layer sending module sends the data access request to a second loopback control module of the transmission layer receiving module by using the first loopback control module; the transmission layer receiving module accesses the memory through the memory access module according to the received data access request to acquire the data to be accessed; the transmission layer sending module sends the memory access result to a second loopback control module of the transmission layer receiving module by using the first loopback control module; the transmission layer receiving module receives the memory access result and provides the memory access result to the receiving DMA module; the pickup DMA module writes the memory access result to the memory or DRAM.

According to a first method of obtaining data of the third aspect of the present application, there is provided a second method of obtaining data according to the third aspect of the present application, the DMA command indicating a source address and a destination address located in the DRAM.

According to the first or second method of acquiring data of the third aspect of the present application, there is provided the third method of acquiring data according to the third aspect of the present application, the receiving DMA module further generates a DMA command execution result in response to writing of data to the memory or the DRAM; and updating the DMA command in the memory according to the DMA command execution result.

According to the first or second method of acquiring data of the third aspect of the present application, there is provided the fourth method of acquiring data according to the third aspect of the present application, the receiving DMA module further generating a DMA command execution result in response to writing the data to the DRAM; and writes the DMA command execution result to memory to indicate to the CPU subsystem that the DMA command execution is complete.

According to one of the first to fourth methods for acquiring data of the third aspect of the present application, there is provided a fifth method for acquiring data of the third aspect of the present application, in which the transport layer sending module identifies that a destination address is mapped to the transport layer receiving module according to the destination address of the received data access request.

According to one of the first to fifth methods for acquiring data of the third aspect of the present application, there is provided the sixth method for acquiring data of the third aspect of the present application, in which the transport layer sending module encapsulates the memory access result into a TLP, the TLP is sent to the second loopback control module of the transport layer receiving module by using the first loopback control module, and the transport layer receiving module receives the TLP from the second loopback control module and analyzes the TLP to identify the TLP as the memory access result.

According to one of the first to sixth methods for acquiring data of the third aspect of the present application, there is provided a seventh method for acquiring data of the third aspect of the present application, where data and/or an address are transmitted between a first loopback control module of a transport layer sending module and a second loopback control module of a transport layer receiving module according to a customized protocol.

According to one of the first to seventh methods of acquiring data of the third aspect of the present application, there is provided the eighth method of acquiring data of the third aspect of the present application, wherein the memory access module acquires the memory access result from the memory, and identifies that the memory access result should be submitted to the transport layer reception module according to the source address.

According to a fourth aspect of the present application, there is provided a first PCIe controller according to the fourth aspect of the present application, including: the device comprises a transmission layer sending module, a transmission layer receiving module, a memory access module, an outgoing DMA module, a receiving DMA module, an encryption module, a decryption module and a memory; the transmission layer sending module comprises a first loopback control module, the transmission layer receiving module comprises a second loopback control module, and the first loopback control module is coupled to the second loopback control module; the memory access module is coupled to the transmission layer sending module and the transmission layer receiving module, and is also coupled to the memory; the outgoing DMA module is coupled to the decryption module and the transmission layer sending module; the receiving DMA module is coupled to the encryption module and is also coupled to the transmission layer receiving module; the encryption module and the decryption module are each further coupled to a DRAM external to the PCIe controller.

The first PCIe controller according to the fourth aspect of the present application provides the second PCIe controller according to the fourth aspect of the present application, further comprising a PCIe physical layer module, the PCIe physical layer module is configured to process a PCIe physical layer protocol.

The first or second PCIe controller according to the fourth aspect of the present application provides the third PCIe controller according to the fourth aspect of the present application, further comprising a data link layer module, the data link layer module being configured to process a PCIe data link layer protocol.

According to a third PCIe controller of the fourth aspect of the present application, there is provided the fourth PCIe controller of the fourth aspect of the present application, wherein the encryption module is integrated inside the receive DMA module, and the decryption module is integrated inside the outgoing DMA block.

According to one of the first to fourth PCIe controllers of the fourth aspect of the present application, there is provided the fifth PCIe controller according to the fourth aspect of the present application, wherein the encryption module is configured to encrypt the data provided by the DMA receive module, and provide the encrypted data to the DRAM.

According to one of the first to fifth PCIe controllers of the fourth aspect of the present application, there is provided the sixth PCIe controller of the fourth aspect of the present application, wherein the decryption module is configured to decrypt the data acquired from the DRAM, and provide the decrypted data to the outgoing DMA module.

According to one of the first to sixth PCIe controllers of the fourth aspect of the present application, there is provided a seventh PCIe controller according to the fourth aspect of the present application, further comprising: and the CPU subsystem is coupled with the memory.

According to one of the first to seventh PCIe controllers of the fourth aspect of the present application, there is provided an eighth PCIe controller of the fourth aspect of the present application, and the transport layer sending module is configured to send the TLP.

According to one of the first to eighth PCIe controllers of the fourth aspect of the present application, there is provided the ninth PCIe controller of the fourth aspect of the present application, and the transport layer reception module is configured to receive the TLP.

According to one of the first to ninth PCIe controllers of the fourth aspect of the present application, there is provided the tenth PCIe controller of the fourth aspect of the present application, wherein the first loopback control module sends the partial TLP to the second loopback control module.

According to a tenth PCIe controller of the fourth aspect of the present application, there is provided the eleventh PCIe controller of the fourth aspect of the present application, wherein the first loopback control module sends the TLP with the specified identification and/or the TLP with the specified address space being accessed to the second loopback control module.

According to one of the first to eleventh PCIe controllers of the fourth aspect of the present application, there is provided the twelfth PCIe controller of the fourth aspect of the present application, wherein the first loopback control module transmits the partial data to the second loopback control module.

According to a twelfth PCIe controller according to the fourth aspect of the present application, there is provided the thirteenth PCIe controller according to the fourth aspect of the present application, the first loopback control module sends the data having the specified identification, and/or the specified address space access request, and/or the data associated with the specified address space to the second loopback control module.

According to a tenth or eleventh PCIe controller of the fourth aspect of the present application, there is provided the fourteenth PCIe controller of the fourth aspect of the present application, wherein the second loopback control module sends the TLP received from the first loopback control module to the memory access module or receives the DMA module.

According to a thirteenth or fourteenth PCIe controller of the fourth aspect of the present application, there is provided the fifteenth PCIe controller of the fourth aspect of the present application, wherein the second loopback control module sends data received from the first loopback control module to the memory access module or receives a DMA module.

According to one of the first to fifteenth PCIe controllers of the fourth aspect of the present application, there is provided the sixteenth PCIe controller of the fourth aspect of the present application, wherein the memory access module is configured to process a TLP for accessing a PCIe device memory space.

According to one of the first to sixteenth PCIe controllers of the fourth aspect of the present application, there is provided the seventeenth PCIe controller according to the fourth aspect of the present application, wherein the memory access module sends the module through the transport layer to provide the memory access result.

According to one of the first to seventeenth PCIe controllers of the fourth aspect of the present application, there is provided the eighteenth PCIe controller of the fourth aspect of the present application, wherein the partial memory access result sent by the memory access module to the transport layer sending module is forwarded by the first loopback control module to the transport layer receiving module.

According to one of the first to eighteenth PCIe controllers of the fourth aspect of the present application, there is provided the nineteenth PCIe controller of the fourth aspect of the present application, wherein the transport layer receiving module receives a TLP for accessing a memory space of the PCIe device and sends the TLP to the memory access module, and the memory access module accesses the memory according to the TLP.

According to one of the first to nineteenth PCIe controllers of the fourth aspect of the present application, there is provided the twentieth PCIe controller according to the fourth aspect of the present application, wherein the CPU subsystem fills the DMA command to the memory.

According to one of the first to twentieth PCIe controllers of the fourth aspect of the present application, there is provided the twenty-first PCIe controller according to the fourth aspect of the present application, wherein the outbound DMA module is configured to initiate a DMA transfer.

According to one of the first to twenty-first PCIe controllers of the fourth aspect of the present application, there is provided the twenty-second PCIe controller according to the fourth aspect of the present application, wherein the outbound DMA module acquires the DMA command from the memory, and transfers specified data in the memory or a DRAM coupled to the PCIe controller to a specified address according to the DMA command.

According to one of the first to twenty-second PCIe controllers of the fourth aspect of the present application, there is provided a twenty-third PCIe controller according to the fourth aspect of the present application, wherein the outbound DMA module sends the module-to-send data through the transport layer.

According to one of the first to twenty-third PCIe controllers of the fourth aspect of the present application, there is provided a twenty-fourth PCIe controller according to the fourth aspect of the present application, wherein the receiving DMA module is configured to receive data transferred in a DMA manner.

A twenty-fourth PCIe controller according to a fourth aspect of the present application provides the twenty-fifth PCIe controller according to the fourth aspect of the present application, wherein the receive DMA module acquires the DMA command from the memory, acquires data from a specified address of the host or the PCIe device according to the DMA command, and writes the data to the memory or the DRAM.

According to a fifth aspect of the present application, there is provided a method of processing a key update command according to the fifth aspect of the present application, comprising: reading out data from the logical address indicated by the key update command in response to the key update command, and buffering the read data at the first address; initiating outgoing DMA transmission, moving the data from the first address to the second address, and decrypting the read data by using the old key in the moving process; initiating receiving DMA transmission, moving the data from the second address to the third address, and encrypting the read data by using a new key in the moving process; and writing the data encrypted by the new key at the third address into the logical address.

According to a sixth aspect of the present application, there is provided a method of updating a data key according to the sixth aspect of the present application, comprising: receiving a key update command; generating an outgoing DMA command according to the key updating command; decrypting the ciphertext data by using the first key to obtain plaintext data; caching plaintext data in the solid-state storage device through a loopback path; generating a receiving DMA command in response to the completion of the processing of the outgoing DMA command; encrypting the cached plaintext data by using a second key; and writing the encrypted data into the solid-state storage device.

According to a sixth aspect of the present application, there is provided a method of updating a data key according to the second aspect of the present application, wherein the key update command indicates a new key to be used, a storage address of data of the key to be updated.

According to the first or second method for updating a data key of the sixth aspect of the present application, there is provided the third method for updating a data key of the sixth aspect of the present application, wherein the storage address is a logical address of the solid-state storage device, or a physical address provided by the solid-state storage device to a user.

According to one of the methods of updating the data key of the first to third aspects of the present application, there is provided the method of updating the data key of the fourth aspect of the present application, reading out data from the NVM chip of the solid-state storage device according to the storage address indicated by the key update command, and storing the data at the cached first address.

According to a fourth method of updating a data key of the sixth aspect of the present application, there is provided the fifth method of updating a data key of the sixth aspect of the present application, wherein the cached data at the first address is ciphertext data encrypted by the first key.

According to one of the methods of updating a data key of the sixth aspect of the present application, there is provided the method of updating a data key of the sixth aspect of the present application, which transmits ciphertext data of a cached first address to a cached second address according to an outgoing DMA command, wherein the cached second address stores plaintext data.

According to one of the first to sixth methods for updating a data key of the sixth aspect of the present application, there is provided the seventh method for updating a data key of the sixth aspect of the present application, wherein in the process of transmitting the ciphertext data of the cached first address to the cached second address according to the outgoing DMA command, the ciphertext data is decrypted by the first password to obtain plaintext data.

According to a sixth or seventh method of updating a data key of the sixth aspect of the present application, there is provided the eighth method of updating a data key of the sixth aspect of the present application, wherein the outgoing DMA module sends the plaintext data to the transport layer sending module; the transmission layer sending module sends the plaintext data to the second loopback control module through the first loopback control module according to the destination address of the DMA transmission; the transmission layer receiving module provides the plaintext data received by the second loopback control module for the cache.

According to one of the methods of updating data keys of the first to eighth aspects of the present application, there is provided the method of updating data keys of the ninth aspect of the present application, wherein the cache is a memory of the PCIe controller or a DRAM coupled to the PCIe controller.

According to one of the methods of updating a data key of the sixth aspect of the present application, there is provided the tenth method of updating a data key of the sixth aspect of the present application, wherein the plaintext data at the buffered second address is transferred to the buffered third address in accordance with the receive DMA command, and wherein the buffered third address stores the ciphertext data after the plaintext data is encrypted by the second key.

According to one of the methods of updating a data key of the sixth aspect of the present application, there is provided the eleventh method of updating a data key of the sixth aspect of the present application, wherein when plaintext data at the buffered second address is transferred to the buffered third address in accordance with a receive DMA command, the plaintext data is encrypted with the second cipher to obtain ciphertext data.

According to a tenth or eleventh method for updating a data key of the sixth aspect of the present application, there is provided the twelfth method for updating a data key of the sixth aspect of the present application, wherein the receiving DMA module requests to obtain plaintext data at the second address of the cache; the transmission layer sending module sends the plaintext data to the second loopback control module through the first loopback control module according to the destination address transmitted by the DMA; the transmission layer receiving module provides the plaintext data received by the second loopback control module to the receiving DMA module; and the receiving DMA module encrypts the plaintext data by using the second key to obtain ciphertext data and stores the ciphertext data to the cached third address.

According to one of the methods of updating data keys of the first to twelfth aspects of the present application, there is provided the method of updating a data key of the thirteenth aspect of the present application indicating that the key update command process is completed.

According to one of the first to thirteenth methods of updating a data key of the sixth aspect of the present application, there is provided the fourteenth method of updating a data key of the sixth aspect of the present application, wherein after ciphertext data encrypted by the second key is written into the third address of the cache, the completion of the key update command processing is indicated.

According to a seventh aspect of the present application, there is provided a method of processing a key update command according to the seventh aspect of the present application, including: reading out data from the logical address indicated by the key update command in response to the key update command, and buffering the read data at the first address; initiating outgoing DMA transmission, moving data from a first address to a second address, decrypting the read data by using an old key in the moving process to obtain plaintext data, and encrypting the plaintext data by using a new key to obtain ciphertext data; and writing the ciphertext data of the second address into the logic address.

According to a first method of processing a key update command of a seventh aspect of the present application, there is provided a second method of processing a key update command of a seventh aspect of the present application, in which an outgoing DMA module sends plaintext data to a transport layer sending module; the transmission layer sending module sends the plaintext data to the second loopback control module through the first loopback control module according to the destination address transmitted by the DMA; the transmission layer receiving module provides the plaintext data received by the second loopback control module to the memory access module; and the memory access module stores the ciphertext data to the second address of the cache.

According to an eighth aspect of the present application, there is provided the method of processing a key update command according to the first aspect of the present application, reading out data from a logical address indicated by the key update command in response to the key update command, and buffering the read out data at the first address; initiating receiving DMA transmission, moving data from a first address to a second address, decrypting the read data by using an old key in the moving process to obtain plaintext data, and encrypting the plaintext data by using a new key to obtain ciphertext data; and writing the ciphertext data of the second address into the logic address.

According to the first method for processing a key update command of the eighth aspect of the present application, there is provided a second method for processing a key update command of the eighth aspect of the present application, wherein the receiving DMA module requests to obtain ciphertext data of the cached first address through the transport layer sending module; the transmission layer sending module sends the request to a second loopback control module through the first loopback control module according to the source address transmitted by the DMA; the transmission layer receiving module provides the request received by the second loop back control module to the memory access module; the memory access module acquires ciphertext data from the cached first address and provides the plaintext data decrypted by the first key to the transmission layer sending module; the transmission layer sending module sends the request to a second loopback control module through a first loopback control module according to the destination address of the DMA transmission; the transmission layer receiving module provides the plaintext data received by the second loopback control module to the receiving DMA module; and the receiving DMA module encrypts the plaintext data by using the second key to obtain ciphertext data and stores the ciphertext data to the cached third address.

According to a ninth aspect of the present application, there is provided a program comprising program code which, when loaded into a storage device and executed thereon, causes the storage device to perform one of the methods according to the second, third, fifth, sixth, seventh or eighth aspects of the present application.

The technical scheme of the application has the following advantages: a loopback mechanism inside the PCIe controller is provided, and a host end of the DMA transmission can be replaced by a storage space or DRAM inside the PCIe controller, so that the DMA transmission from the memory/DRAM to the memory/DRAM is realized. And completing the key update without host intervention.

Drawings

In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the description below are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art according to these drawings.

FIG. 1 illustrates a block diagram of circuitry for a PCIe controller;

FIG. 2A illustrates a block diagram of a PCIe controller in accordance with an embodiment of the present application;

FIG. 2B illustrates a transport layer send module address mapping table according to an embodiment of the present application;

FIG. 3 is a schematic diagram of a PCIe controller "sending" data through a loopback path according to an embodiment of the present application;

FIG. 4 is a schematic diagram of a PCIe controller "receiving" data through a loopback path according to an embodiment of the application;

FIG. 5 is a flow chart of updating keys according to an embodiment of the application;

FIG. 6A illustrates a block diagram of a PCIe controller in accordance with yet another embodiment of the present application;

FIG. 6B is a flow diagram of updating a data key according to an embodiment of the present application;

FIG. 7 illustrates a block diagram of a PCIe controller in accordance with yet another embodiment of the present application;

FIG. 8A is a flow diagram of updating a data key according to yet another embodiment of the present application;

fig. 8B is a flow chart of updating a data key according to still another embodiment of the present application.

Detailed Description

The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

FIG. 1 illustrates a block diagram of circuitry for a PCIe controller. As shown in fig. 1, the host (host) is coupled to the device through a PCIe PHY module 110. The PCIe controller includes a PCIe PHY module 110, a data link layer module 120, a transport layer module 130, a memory 140, and a CPU subsystem 160. The CPU subsystem 160 includes one or more CPUs. The PCIe PHY module 110 is used to handle PCIe underlying protocols (e.g., the physical layer). Both transport layer module 130 and CPU subsystem 160 may access memory 140. The data link layer module 120 is configured to handle PCIe data link layer protocols and the transport layer module 130 is configured to handle PCIe transport layer protocols. The transport Layer module 130 also accesses the memory 140 according to a TLP (transport Layer Packet) of the memory space. And optionally, the transport layer module 130 writes the TLP into the memory 140, and the CPU subsystem 160 extracts and processes the TLP from the memory 140, and the transport layer module 130 retrieves the TLP from the memory 140 and sends the TLP to the host through the data link layer module 120. Still alternatively, the transport layer module 130 sends the TLP to the CPU subsystem 160, and the TLP is processed by the CPU subsystem 160.

Optionally, the transport layer module 130 also assists in processing access requests of the NVMe protocol, such as converting a request sent by a host to access a specific region of a memory space (memory space) of a device into a controller register access request including an access type, a memory space address, and/or data to be written, and accessing the memory 140 or forwarding to the CPU subsystem 160 for processing.

In NVMe version 1.2 protocol, PCIe registers MLBAR and MUBAR define the memory space for providing NVMe controller registers, while the lower 4KB of this address space is used for attribute/control registers.

When the doorbell register or the device vendor specific register is to be accessed, the transport layer module 130 writes an access request to or reads data from a storage location of the memory 140 corresponding to the memory space address according to the memory space address and returns the data to the host through the data link layer module 120 (and the PCIe PHY module 110).

When a controller register access request of the NVMe protocol sent by the host is to access the attribute/control registers, the transport layer module 130 generates a register access message and inserts the register access message into a message queue in memory. When one or more CPUs in the CPU subsystem 160 finds a message to be processed in the message queue of the memory 140, fetch the message, determine the attribute/control register to be accessed and the access type, process the register access message, and return the access result to the host through the transport layer module 130. In one example, the CPU subsystem 160 adds the access result to a message queue in the memory 140, and the transport layer module 130 retrieves the access result from the message queue and returns it to the host through the data link layer module 120.

In this way, a variety of controller registers in the NVMe protocol are implemented, and efficient processing is achieved for different types of controller registers, access constraints, and the like. And after the NVMe protocol is updated, the modifications introduced in the new version of the protocol to access the controller registers can be efficiently adapted by modifying the program running in the CPU subsystem 160.

FIG. 2A shows a block diagram of a PCIe controller according to an embodiment of the application. The PCIe controller according to the embodiment illustrated in fig. 2A includes a PCIe PHY module 210, a data link layer module 220, a transport layer transmit module 230, a transport layer receive module 232, a memory access module 234, an outbound DMA module 236, a receive DMA module 238, a memory 240, and a CPU subsystem 260.

The PCIe PHY module 210 is used to handle PCIe underlying protocols (e.g., physical layer). The PCIe PHY module 210 couples a host (or other PCIe devices, including an Endpoint (Endpoint), root Complex (Root Complex), and Switch) to the data link layer module 220. The data link layer module 220 is used to process PCIe data link layer protocols. The data link layer module 220 is coupled to a transport layer transmit module 230 and a transport layer receive module 232. The transport layer sending module 230 is configured to send a TLP to the host through the data link layer module 220, and the transport layer receiving module 232 is configured to receive the TLP from the data link layer module 220.

In the embodiment of the present application, the transmission layer sending module 230 further includes a loopback control module, and the transmission layer receiving module 232 also includes a loopback control module. In one example, the transport layer sending module 230 sends a partial TLP (e.g., a TLP with a specified identification and/or a TLP with access to a specified address space) to the loopback control module of the transport layer receiving module 232 instead of to the data link layer module 220 through its loopback control module. In yet another example, rather than being packaged as a TLP, the transport layer sending module 230 sends partial data (e.g., data with a specified identification, and/or a specified address space access request, and/or data associated with a specified address space) to the loopback control module of the transport layer receiving module 232 through its loopback control module to send to the data link layer module 220. Thus forming a loopback path above the data link layer, and even the transport layer, of the PCIe protocol.

The PCIe controller also includes a memory access module 234, an outbound DMA module 236, and a receive DMA module 238. The memory access module 234 is used to process TLPs that access PCIe device memory space. The memory access module 234 is coupled to the transport layer transmit module 230 and provides the memory access results to the host (or PCIe device) through the transport layer transmit module 230. Since the loopback path is provided according to the embodiment of the present application, the partial memory access result sent by the memory access module 234 to the transmission layer sending module 230 is forwarded to the transmission layer receiving module 232 through the loopback path. The memory access module 234 is also coupled to the transport layer receive module 232. A TLP from a host (or PCIe device) to access the memory space is sent by the transport layer receive module 232 to the memory access module 234, and the memory access module 234 generates memory access results from the TLP (by accessing the memory 240 or by processing by the CPU subsystem 260).

The outbound DMA module 236 is used to handle DMA transfers from the PCIe controller to the host (or PCIe device). The outbound DMA module 236 is coupled to the memory 240 and the DRAM to DMA transfer data from the memory 240 or the DRAM to the host. Optionally, the CPU subsystem 260 fills the memory 240 with DMA commands. The outbound DMA module 236 retrieves the DMA command from the memory 240 and transfers the specified data in the memory 240 or DRAM to the specified address of the host in accordance with the DMA command. The outbound DMA module 236 is coupled to the transport layer send module 230 and sends data to the host through the transport layer send module 230.

The receive DMA module 238 is used to handle DMA transfers from the host (or PCIe device) to the PCIe controller. The fetch DMA module 238 is coupled to the memory 240 and the DRAM. The CPU subsystem 260 fills the memory 240 with DMA commands. The fetch DMA module 238 retrieves DMA commands from the memory 240 and data from a specified address of the host (or PCIe device) according to the DMA commands and writes the data to the memory 240 or DRAM. The receive DMA module 238 is further coupled to the transport layer sending module 230 (not shown in fig. 2), and the receive DMA module 238 receives the data provided by the host from the transport layer receiving module 232 by sending a data access request to initiate a DMA transfer to the host by the transport layer sending module 230.

Optionally, the DRAM is a memory external to the PCIe controller chip, or the DRAM is integrated within the same chip as the PCIe controller.

The outbound DMA module 236 is also referred to as "Engress DMA" or "Scatter DMA". The pickup DMA module 238 is also referred to as "Ingress DMA" or "Gather DMA".

According to the embodiment of the application, due to the loopback path, the host end of the DMA transmission can be replaced by the memory space or DRAM inside the PCIe controller, so that the DMA transmission from the memory 240/DRAM to the memory 240/DRAM is realized. For example, the outbound DMA module 236 sends data through the transport layer module 230, the transport layer sending module 230 forwards the data provided by the outbound DMA module 236 through its loopback control module to the loopback control module of the transport layer receiving module 232, and the transport layer receiving module 232 provides data to the memory access module 234/pickup DMA module 238 to write the data to memory 240/DRAM by providing a special identification or a specified address space.

Fig. 2B illustrates a transport layer send module address mapping table according to an embodiment of the application.

As one embodiment, the transport layer sending module 230 (see fig. 2A) maintains an address mapping table as shown in fig. 2B. The portions of the address space that would otherwise both indicate the destination (host or PCIe device) are mapped to the transport layer receive module 232 via the address mapping table. In fig. 2B, the range from address 270 to address 272 is mapped to a host (or PCIe device), and the transport layer sending module 230 sends a TLP or access request for accessing address 270 to address 272 to the host (or PCIe device) through the data link layer 220. In fig. 2B, the range from the address 272 to the address 274 is mapped to the transport layer receiving module 232, and the transport layer sending module 230 sends the TLP or the access request accessing the address 272 to the address 274 to the loopback control module of the transport layer module 232 through its loopback control module.

As an example, only the address 272 is recorded, and a TLP or an access request with an access address smaller than the address 272 is sent to the host, and a TLP or an access request with an access address larger than the address 272 is sent to the transport layer receiving module 232.

FIG. 3 is a diagrammatic representation of a PCIe controller "sending" data through a loopback path in accordance with an embodiment of the present application. By way of example, the embodiment of FIG. 3 illustrates a process of "sending" DRAM data from a PCIe controller to a destination memory space located in memory 240.

To send data, the CPU subsystem 260 generates DMA commands and fills the memory 240. The outbound DMA module 236 polls the memory 240 and, in time, discovers and fetches the pending DMA command (indicated by (1)). The DMA command indicates a source address, and a destination address, located in the DRAM. By way of example, the destination address appears to the outbound DMA module 236 to be an address in the host (or remote PCIe device).

The outbound DMA module 236 retrieves the data to be transferred from the DRAM as instructed by the DMA command (indicated by (2)).

The outbound DMA module 236 sends the data retrieved from the DRAM and the destination address of the DMA transfer to the transport layer send module 230 (indicated by (3)). The transport layer transmitting module 230 recognizes that the destination address is mapped to the transport layer receiving module according to the received destination address, so that the transport layer transmitting module 230 transmits the data and the address to the loopback control module (indicated by (4)) of the transport layer receiving module 232 through the loopback path using its own loopback control module.

The transport layer receiving module 232 writes the data into the memory 240 at the location corresponding to the destination address (indicated by (5)) through the memory access module 234 according to the received destination address and data.

Thus completing the process of "sending" the data in the DRAM to the destination address located in the memory 240.

Optionally, the memory access module 234 also generates an acknowledgement message in response to writing the data to the memory 240 and provides the acknowledgement message to the transport layer transmit module 230 to provide the DMA transfer result to the initiator of the DMA transfer. The transport layer invention module 230 identifies a loopback control module to send the acknowledgment message to the transport layer receive module 232 through a loopback path according to the destination address of the acknowledgment message. The transport layer reception module 232 receives the acknowledgement message and provides the acknowledgement message to the outbound DMA module 236. The outbound DMA module 236 updates the DMA command in the memory 240 according to the DMA command execution result or writes the DMA command execution result to the memory 240 to indicate completion of the DMA command execution to the CPU subsystem 260.

Optionally, the transport layer sending module 230 encapsulates the acknowledgment message into a TLP, and the transport layer receiving module 232 receives the TLP from the loopback path and parses the TLP to identify it as the acknowledgment message. Still optionally, data and/or addresses are transmitted between the loopback control module of the transport layer sending module 230 and the loopback control module of the transport layer receiving module 232 according to a customized protocol.

In the embodiment according to fig. 3, the process of "sending" data over the loopback path does not use the pickup DMA module 238, which is identified by shading.

FIG. 4 is a diagrammatic representation of a PCIe controller "receiving" data through a loopback path in accordance with an embodiment of the present application.

By way of example, the embodiment of FIG. 4 illustrates the PCIe controller's process of retrieving data from memory 240 and storing it in a destination memory space located in DRAM. The data "receive" process is initiated by the receive DMA module 238, appearing to the DMA module 238 to "receive" data from the memory space of the remote device (e.g., host or PCIe device), and storing the received data in the DRAM, although the received data appears to have come from the remote device, the data is actually stored in the memory 240.

To receive data, the CPU subsystem 260 generates DMA commands and fills the memory 240. The pickup DMA module 238 polls the memory 240 and discovers and fetches pending DMA commands (indicated by (1)). The DMA command indicates a destination address located in the DRAM and a source address located remotely. By way of example, the source address appears to the receive DMA module 238 to be an address in a (seemingly) remote device (e.g., to appear to be a host or a remote PCIe device).

The pickup DMA module 238 issues a data access request (indicated by (2)) to the (seemingly) remote device through the transport layer issue module 230 as indicated by the DMA command.

The transport layer transmitting module 230 recognizes that the destination address is mapped to the transport layer receiving module 232 according to the received destination address, so that the transport layer transmitting module 230 transmits the data and the address to the loopback control module (indicated by (3)) of the transport layer receiving module 232 through the loopback path using its own loopback control module.

The transport layer reception module 232 accesses the memory 240 through the memory access module 234 to obtain the data to be accessed (indicated by (4)) according to the received destination address. The memory access module receives the accessed data from memory 240 (again indicated by (4)).

The memory access module 234 returns the memory access results to the (seemingly) remote device via the transport layer send module 230. The transport layer sending module 230 identifies, from the source address to which the memory access result is to be returned, a loopback control module (indicated by (5)) to send the memory access result to the transport layer receiving module 232 through a loopback path. The transport layer reception module 232 receives the memory access result and provides the memory access result to the pickup DMA module 238 (indicated by (6)). Optionally, the transmission layer sending module 230 encapsulates the memory access result into a TLP, and the transmission layer receiving module 232 receives the TLP from the loopback path and parses the TLP to identify it as the memory access result. Still optionally, data and/or addresses are transmitted between the loopback control module of the transport layer sending module 230 and the loopback control module of the transport layer receiving module 232 according to a customized protocol.

The pickup DMA module 238 writes the memory access result to DRAM (indicated by (7)). Thereby completing the process of retrieving data from memory 240 and storing it in the destination memory space located in the DRAM.

In an alternative embodiment, after the memory access module 234 retrieves the memory access results from the memory 240 (indicated by (4)), it identifies that the memory access results should be submitted to the transport layer receive module 232 based on the source address. Next, the transport layer reception module 232 supplies the memory access result to the pickup DMA module 238 (indicated by (6)). The pickup DMA module 238 writes the memory access result to DRAM (indicated by (7)). Thereby completing the process of retrieving data from memory 240 and storing it in the destination memory space located in the DRAM.

Optionally, the pickup DMA module 238 also generates DMA command execution results in response to writing data to the DRAM. The fetch DMA module 238 updates the DMA command in the memory 240 according to the DMA command execution result or writes the DMA command execution result to the memory 240 to indicate the completion of the DMA command execution to the CPU subsystem 260.

In the embodiment according to fig. 4, the process of "receiving" data through the loopback path does not use the outbound DMA module 236, which is identified by shading.

Fig. 5 is a flow chart of updating keys according to an embodiment of the application.

The solid-state storage device supports data encryption, encrypts data written by a user, and writes the encrypted data into an NVM chip of the solid-state storage device. A key for encrypting data by a user is recorded in a solid-state storage device. The solid-state storage device may record multiple sets of keys, and the user may specify which set of keys the solid-state storage device uses to encrypt/decrypt data.

In some cases, the user wishes to change the key used. The user instructs, via the host, the solid-state storage device to read data located at the specified address of the solid-state storage device with the original key (510). The data is transmitted to the host. The host then instructs the solid-state storage device to write the read data to the specified address with the new key (520). Thereby effecting a change in the key. Optionally, the host sets a new key to be used to the solid-state storage device between steps 510 and 520.

According to the local loopback function of the embodiment of the application, the key change is completed in the solid-state storage device, and the data does not need to be transmitted to the host.

FIG. 6A illustrates a block diagram of a PCIe controller in accordance with yet another embodiment of the present application.

The PCIe controller according to the embodiment shown in fig. 6A further includes an encryption module 610 and a decryption module 620 based on the PCIe controller according to the embodiment shown in fig. 2A.

The encryption module 610 is coupled to the receive DMA module 238 for encrypting data written to the DRAM by the receive DMA module 238. The decryption module 620 is coupled to the outbound DMA module 236 for decrypting data read by the outbound DMA module 236 from the DRAM. It will be appreciated that in alternative embodiments, the encryption module 610 and decryption module 620 may be integrated into the DMA module (including within the outbound DMA module 236 and the receive DMA module 238) or interposed between the DMA module and the transport layer transmit module 230/transport layer receive module 232.

According to the embodiment of fig. 6A of the present application, the solid-state storage device provides a function of updating keys inside the solid-state storage device. By way of example, the solid-state storage device supports a rekey command. The host sends a key update command to the solid-state storage device indicating a new password to be used and a storage address of data of the key to be updated. By way of example, the CPU subsystem 260 recognizes the key update command, and in response to the key update command, the CPU subsystem 260 controls the solid-state memory device to read out data encrypted with the old key from the memory address, and to cache the encrypted data in, for example, DRAM. Next, CPU subsystem 260 sends the encrypted data in DRAM, for example, to memory 240 via a local loopback path, and decrypts the data with the old key during the data transfer from DRAM to memory 240 to simulate the process of decrypting and sending the data to the host in step 510 of fig. 5. Next, CPU subsystem 260 transfers the data in memory 240 to DRAM through the local loopback path and encrypts the data with the new key. And the CPU subsystem 260 also writes the data encrypted with the new key in the DRAM to the NVM chip at the specified address of the solid-state storage device to simulate the process of writing the data encrypted with the new key to the specified address in step 520 of fig. 5.

Fig. 6B is a flow diagram of updating a data key according to an embodiment of the present application.

The solid-state storage device receives a key update command from a host (650). The key update command indicates a new key to be used, a storage address of data of the key to be updated. The storage address is, for example, a logical address of the solid-state storage device, or a physical address provided by the solid-state storage device to a user.

The CPU subsystem 260 (see also fig. 6A) recognizes and processes the key update command. The CPU subsystem 260 reads out data from the NVM chip of the solid-state memory device according to the memory address indicated by the key update command and buffers the data in, for example, DRAM. As an example, at this time, the data buffered in the DRAM is ciphertext data encrypted with an old key. Next, the CPU subsystem 260 generates a DMA command (C1) (655) according to the key update command to simulate a process of transmitting the ciphertext data to a remote device (e.g., a host), and decrypts the ciphertext data with an old key during data transmission to obtain plaintext data before encryption. The source address of the DMA command is the address of the ciphertext data in the DRAM and the destination address is the emulated remote device address. Optionally, the CPU subsystem 260 adds DMA commands to the memory 240.

The outgoing DMA module 236 obtains the DMA command from the memory 240, obtains the ciphertext data from the DRAM according to the DMA command, and the decryption module 620 decrypts the ciphertext data to obtain the plaintext data (660). The outbound DMA module 236 directs the transport layer send module 230 to send the plaintext data to the destination address of the DMA command (the emulated remote device address).

According to the destination address of the DMA command, the transport layer sending module 230 writes the plaintext data into the memory 240 via the transport layer receiving module 232 and the memory access module 234 through the loopback path (670). Optionally, the memory access module 234 may also write the plaintext data to the DRAM.

The outbound DMA module 236 indicates to the CPU subsystem that DMA command (C1) processing is complete.

Next, CPU subsystem 260 generates a further DMA command (C2) in response to completion of DMA command (C1) processing (675) to simulate retrieval of the plaintext data from the remote device to the DRAM and to encrypt the plaintext data during the data transfer with the new key indicated by the key update command. The source address of the DMA command (C2) is the emulated far end device address (the plaintext data to be mapped into memory 240 by the transport layer transmit module 230) and the destination address is the address in the DRAM. Optionally, the CPU subsystem 260 adds a DMA command (C2) to the memory 240.

The receive DMA module 238 obtains the DMA command (C2) from the memory 240 and issues a memory access request to the emulated remote device address through the transport layer issue module 230 in accordance with the DMA command (C2). The transmission layer sending module 230 will obtain the plaintext data from the memory 240 through the loopback path via the transmission layer receiving module 232 and the memory accessing module 234 according to the simulated remote device address, the transmission layer receiving module 232 sends the plaintext data to the receiving DMA module 238, and encrypts the plaintext data with the new key indicated by the key updating command via the encryption module 610, and stores the ciphertext data in the DRAM (690).

Next, the receive DMA module 238 indicates to the CPU subsystem 260 that the DMA command (C2) processing is complete. Then, the CPU subsystem 260 writes the data encrypted by the new key in the DRAM to the NVM chip of the solid-state storage device according to the storage address indicated by the key update command. The CPU subsystem 260 also indicates to the host that key update command processing is complete. Alternatively, after writing the ciphertext data encrypted with the new key to the DRAM, the CPU subsystem 260 indicates to the host that the key update command processing is complete, so as to reduce the processing delay of the key update command experienced by the user.

FIG. 7 illustrates a block diagram of a PCIe controller in accordance with yet another embodiment of the present application.

According to the PCIe controller illustrated in fig. 7, the memory access module 734 is coupled with the encryption module 710 and the decryption module 720 respectively based on the PCIe controller according to the embodiment illustrated in fig. 6A. And memory access 734 is also coupled to encryption and decryption module 750.

The encryption module 710 is coupled to the receive DMA module 238 for encrypting data written to the DRAM by the receive DMA module 238. The decryption module 720 is coupled to the outbound DMA module 236 for decrypting data read by the outbound DMA module 236 from the DRAM. It is appreciated that in alternative embodiments, the encryption module 710 and the decryption module 720 may be integrated into the DMA module (including the outbound DMA module 236 and the receive DMA module 238), or inserted between the DMA module and the transport layer transmit module 230/transport layer receive module 232.

Additionally, the encryption module 710 is coupled to the memory access module 734 for encrypting data written into the DRAM by the memory access module 734. The decryption module 720 is coupled to the memory access module 734 for decrypting data read from the DRAM by the memory access module 734. It is to be appreciated that the encryption module 710 and the decryption module 720 can be integrated on the memory access module 734.

The encryption and decryption module 750 encrypts or decrypts data from the memory access module 734 and stores the result of the encryption or decryption to the memory 240. The encryption and decryption module 750 encrypts or decrypts data from the memory 240 and provides the result of the encryption or decryption to the memory access module 734.

According to the embodiment of fig. 7 of the present application, the solid-state storage device provides a function of updating keys inside the solid-state storage device. By way of example, the solid-state storage device supports a rekey command. The host sends a key update command to the solid-state storage device indicating a new password to be used and a storage address of data of the key to be updated. By way of example, the CPU subsystem 260 recognizes the key update command, and in response to the key update command, the CPU subsystem 260 controls the solid-state storage device to read out data from the memory address, the read out data being data encrypted with the old key. The read data is buffered in, for example, DRAM. Next, CPU subsystem 260 generates, for example, an outgoing DMA command to send the encrypted data in the DRAM, for example, to memory 240 over a local loopback path, and decrypts the encrypted data with the old key and encrypts with the new key during the data transfer from the DRAM to memory 240. And the CPU subsystem 260 also writes the data encrypted with the new key in the memory 240 to the NVM chip at the specified address of the solid-state storage device.

As another example, in response to the key update command, the CPU subsystem 260 controls the solid-state storage device to read out data from a storage address, the read out data being data encrypted with an old key. The read data is buffered in, for example, the memory 240. The CPU subsystem 260 generates, for example, a receive DMA command to send the encrypted data in the memory 240 to, for example, the DRAM through the local loopback path, and decrypts the encrypted data with the old key and encrypts with the new key during the data transfer from the memory 240 to the DRAM. And the CPU subsystem 260 also writes the data encrypted with the new key in the DRAM to the NVM chip at the specified address of the solid-state storage device.

FIG. 8A is a flow diagram of updating a data key according to yet another embodiment of the present application.

The solid-state storage device receives a key update command issued by a host (800). The key update command indicates a new key to be used, a logical address of data of which the key is to be updated. CPU subsystem 260 (see also fig. 7) recognizes and processes the rekey command, reads the data from the logical address, and stores it at the cached first address (810). The first address may be located in a DRAM of the solid-state memory device.

As an example, at this time, the data buffered in the first address of the DRAM is ciphertext data encrypted with the old key. Next, CPU subsystem 260 generates an outgoing DMA command from the rekeying command (815) to simulate the process of sending the ciphertext data to a remote device (e.g., a host). The actual transmission of the data is intended for the DRAM or memory 240, and during the data transmission, the ciphertext data is decrypted with the old key to obtain the plaintext data before encryption, and the plaintext data is encrypted with the new key indicated by the key update command to obtain the new ciphertext data. The source address of the DMA command is the address of the ciphertext data in the DRAM and the destination address is the emulated remote device address. The emulated remote device address is mapped to DRAM or memory 240 (second address) by the loopback control module of the outbound DMA module 236.

The outgoing DMA module 236 obtains the DMA command from the memory 240, obtains the ciphertext data from the DRAM according to the DMA command, and the decryption module 720 decrypts the ciphertext data to obtain the plaintext data (820). The outbound DMA module 236 instructs the transport layer send module 230 to send the plaintext data to the destination address of the DMA command (emulated remote device address).

In one example, the emulated remote device is mapped to DRAM. According to the destination address of the DMA command, the transport layer sending module 230 encrypts the plaintext data through the encryption module 710 via the transport layer receiving module 232 and the memory access module 734 through the loopback path by using the new key. The encrypted data is written to the DRAM 830.

In one example, the simulated remote device is mapped to memory 240. According to the destination address of the DMA command, the transport layer sending module 230 encrypts the plaintext data through the transport layer receiving module 232 and the memory access module 734 through the encryption and decryption module 750 by using the new key through the loopback path, and writes the encrypted data into the memory 240 (830).

In response to the outgoing DMA command being processed, the CPU subsystem also writes the data stored in the second address (located in DRAM or memory 240) encrypted with the new key to the logical address of the solid-state storage device to complete the processing of the key update command (840).

Fig. 8B is a flow chart of updating a data key according to still another embodiment of the present application.

The solid-state storage device receives a key update command issued by the host (850). The key update command indicates a new key to be used, a logical address of data of which the key is to be updated. The CPU subsystem 260 (see also fig. 7) recognizes and processes the rekey command, reads the data from the logical address, and stores it at the first address of the cache (860). The first address is located in the memory 240 or DRAM of the solid-state storage device.

In one example, the first address is located in memory 240. At this time, the data buffered in the first address of the memory 240 is ciphertext data encrypted with the old key. Next, CPU subsystem 260 generates a collect DMA command (865) based on the rekey command to simulate the process of transferring ciphertext data from a remote device (e.g., a host) to the DRAM. The actual transmission of the data is intended for the DRAM, and during the data transmission, the ciphertext data is decrypted by using the old key to obtain the plaintext data before encryption, and the plaintext data is encrypted by using the new key indicated by the key updating command to obtain the new ciphertext data. The source address of the DMA command is the emulated far end device address (the address of the ciphertext data in memory 240) and the destination address is the address in DRAM (the second address). The emulated remote device address is mapped to memory 240 (first address) by the loopback control module of the receive DMA module 238.

The receive DMA module 236 obtains the DMA command from the memory 240 and issues a DMA transfer from the emulated remote device address to the destination address through the transport layer issue module in accordance with the DMA command. The transport layer sending module 230 obtains the ciphertext data from the first address of the memory 240 through the encryption and decryption module 750 via the loopback path through the transport layer receiving module 232 and the memory access module 734 according to the destination address, and decrypts the ciphertext data with the old password (870).

In another example, the first address is located in DRAM. At this time, the data buffered in the first address of the memory 240 is ciphertext data encrypted with the old key. Next, CPU subsystem 260 generates a collect DMA command (865) based on the rekey command to simulate the process of transferring ciphertext data from a remote device (e.g., a host) to the DRAM. The actual transfer of data is intended for DRAM. The source address of the DMA command is the emulated remote device address (the first address of the ciphertext data in the DRAM) and the destination address is the address in the DRAM (the second address). The emulated remote device address is mapped to DRAM (first address) by the loopback control module of the pickup DMA module 238. The receive DMA module 236 obtains the DMA command from the memory 240 and issues a DMA transfer from the emulated remote device address to the destination address through the transport layer issue module in accordance with the DMA command. The transmission layer sending module 230 obtains the ciphertext data from the first address of the DRAM through the decryption module 720 via the loopback path via the transmission layer receiving module 232 and the memory access module 734 according to the destination address, and decrypts the ciphertext data with the old password (870).

The memory access module 734 sends the decrypted plaintext data to the transport layer receiving module 232 through the loopback control module of the transport layer sending module 230. The transport layer receive module provides the clear data to the encryption module 710 through the receive DMA module 238. The encryption module 710 encrypts the plaintext data with the new key and stores the encrypted data in the DRAM (second address) (880).

In response to the outgoing DMA command being processed, the CPU subsystem also writes the data stored in the second address (located in DRAM) encrypted with the new key to the logical address of the solid-state storage device to complete processing of the key update command (890).

Embodiments of the present application also provide a program comprising program code which, when loaded into a CPU and executed therein, causes the CPU to perform one of the methods provided above in accordance with embodiments of the present application.

It will be understood that each block of the block diagrams and flowchart illustrations, and combinations of blocks in the block diagrams and flowchart illustrations, respectively, can be implemented by various means including computer program instructions. These computer program instructions may be loaded onto a general purpose computer, special purpose computer, or other programmable data control apparatus to produce a machine, such that the instructions which execute on the computer or other programmable data control apparatus create means for implementing the functions specified in the flowchart block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data control apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including computer-readable instructions for implementing the function specified in the flowchart block or blocks. The computer program instructions may also be loaded onto a computer or other programmable data control apparatus to cause a series of operational operations to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide operations for implementing the functions specified in the flowchart block or blocks.

Accordingly, blocks of the block diagrams and flowchart illustrations support combinations of means for performing the specified functions, combinations of operations for performing the specified functions and program instruction means for performing the specified functions. It will also be understood that each block of the block diagrams and flowchart illustrations, and combinations of blocks in the block diagrams and flowchart illustrations, can be implemented by special purpose hardware-based computer systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Although the present invention has been described with reference to examples, which are intended to be illustrative only and not to be limiting of the application, changes, additions and/or deletions may be made to the embodiments without departing from the scope of the application.

Many modifications and other embodiments of the applications set forth herein will come to mind to one skilled in the art to which these embodiments pertain having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Therefore, it is to be understood that the application is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims (10)

1. A method of processing a rekey command, comprising:

reading out data from the logical address indicated by the key update command in response to the key update command, and buffering the read data at the first address;

initiating outgoing DMA transmission, moving data from a first address to a second address, and decrypting the read data by using an old key in the moving process;

initiating receiving DMA transmission, moving the data from the second address to the third address, and encrypting the read data by using a new key in the moving process;

and writing the data encrypted by the new key at the third address into the logical address.

2. A method of updating a data key, comprising:

receiving a key update command;

generating an outgoing DMA command according to the key updating command;

decrypting the ciphertext data by using the first key to obtain plaintext data;

caching plaintext data in the solid-state storage device through a loopback path;

generating a receiving DMA command in response to the completion of the processing of the outgoing DMA command;

encrypting the cached plaintext data by using a second key;

and writing the encrypted data into the solid-state storage device.

3. The method of claim 2, wherein,

and reading out data from the NVM chip of the solid-state storage device according to the storage address indicated by the key updating command, and storing the data in the cached first address.

4. The method of claim 3, wherein the data stored at the first address of the cache is ciphertext data encrypted with the first key.

5. The method of claim 3 or 4, wherein,

and transmitting the ciphertext data of the cached first address to a cached second address according to the external DMA command, wherein the cached second address stores the plaintext data.

6. The method of claim 5, wherein,

and in the process of transmitting the encrypted text data of the cached first address to the cached second address according to the external DMA command, decrypting the encrypted text data by using the first password to obtain plaintext data.

7. The method of claim 5 or 6, wherein,

and transmitting the plaintext data of the second cached address to a third cached address according to the DMA receiving command, wherein the third cached address stores the ciphertext data obtained by encrypting the plaintext data by the second key.

8. A method of processing a rekey command, comprising:

reading out data from the logical address indicated by the key update command in response to the key update command, and buffering the read data at the first address;

initiating outgoing DMA transmission, moving data from a first address to a second address, decrypting the read data by using an old key in the moving process to obtain plaintext data, and encrypting the plaintext data by using a new key to obtain ciphertext data;

and writing the ciphertext data of the second address into the logic address.

9. A method of processing a rekey command, comprising:

reading out data from the logical address indicated by the key update command in response to the key update command, and buffering the read data at the first address;

initiating receiving DMA transmission, moving data from a first address to a second address, decrypting the read data by using an old key in the moving process to obtain plaintext data, and encrypting the plaintext data by using a new key to obtain ciphertext data;

and writing the ciphertext data of the second address into the logic address.

10. A PCIe controller, wherein the PCIe controller executes the method of any one of claims 1 to 9.

Images