CN116032638A - Unified paravirtualized framework oriented to heterogeneous encryption and decryption computing resources - Google Patents

Info

Publication number: CN116032638A
Authority: CN (China)
Prior art keywords: encryption, decryption, end module, paravirtualized, engine
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202310024575.6A
Other languages: Chinese (zh)
Inventors: 李健, 王鑫伟, 管海兵
Current assignee: Shanghai Jiaotong University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shanghai Jiaotong University
Application filed by Shanghai Jiaotong University; priority to CN202310024575.6A; publication of CN116032638A; legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a unified paravirtualized framework for heterogeneous encryption and decryption computing resources. It relates to the field of information security and comprises a paravirtualized back-end module, a virtual machine monitor, a driver module and a paravirtualized front-end module. The paravirtualized back-end module receives a control-plane sess session request from the virtual machine monitor and creates a session object in its local process, and receives a data-plane crypto encryption and decryption request from the paravirtualized front-end module and constructs a local crypto encryption and decryption request. The paravirtualized front-end module can be loaded directly by an application program in the virtual machine as a virtual device engine, constructs and issues sess session requests and crypto encryption and decryption requests, and adopts a front-end/back-end architecture. When facing different heterogeneous encryption and decryption resources, the invention provides high-performance, general-purpose device virtualization to application programs in the virtual machine, eliminates the need for virtualization support in the physical hardware, ensures that virtual devices and physical devices are completely decoupled, and does not limit the number of virtual devices.

Description

Unified paravirtualized framework oriented to heterogeneous encryption and decryption computing resources
Technical Field
The invention relates to the field of information security, in particular to a unified paravirtualized framework oriented to heterogeneous encryption and decryption computing resources.
Background
Since the internet began to develop vigorously, privacy and security problems have been a persistent trouble in cloud computing, and how to prevent privacy leaks from causing losses to users has always been an important topic in the fields of cloud security and network security. Privacy security problems can be broadly divided into three sub-topics: (1) the risk of eavesdropping and sniffing, i.e. a third party may intercept communication data; (2) the risk of identity forgery, i.e. a third party may impersonate someone else in a communication; (3) the risk of data tampering, i.e. a third party may maliciously modify communication data after obtaining it. Effective solutions to these problems depend heavily on the development of encryption and decryption technology. This technology can be divided into several classes of algorithms, such as symmetric encryption algorithms, asymmetric encryption algorithms and digital digest algorithms, and provides functions such as content encryption, identity authentication and data integrity verification; high-performance, high-security encryption and decryption technology can resist the various attacks of malicious users and is of great significance for solving privacy security problems. Unfortunately, with the vigorous development of 5G technology, the large-scale popularization of social networks and the increasing diversity of attack methods, encryption and decryption technology is under greater pressure and imposes a heavy cost on computing resources such as CPU resources, creating a new performance bottleneck.
With the development of hardware acceleration technology, engineers have gradually begun to use hardware such as GPUs (Graphics Processing Units), FPGAs (Field Programmable Gate Arrays) and ASICs (Application Specific Integrated Circuits) to offload the overhead that encryption and decryption requests place on computing resources such as the CPU; such hardware may be collectively referred to as heterogeneous encryption and decryption resources. In 2017, Wangzhao Cheng et al. proposed a high-performance symmetric encryption server based on GPU acceleration, which alleviates the degradation of overall system performance caused by the various security protocols that ensure end-to-end communication security; in 2019, Markku Vajaranta et al. analyzed the feasibility of offloading high-performance network applications such as IPsec (Internet Protocol Security) from software to FPGAs in a cloud computing scenario and concluded that, in future data centers, relying on hardware acceleration would greatly benefit applications such as IPsec in terms of speed and energy efficiency; in 2019, Xiaokang Hu et al. proposed QTLS, a high-performance asynchronous TLS (Transport Layer Security) offload framework based on QAT (Quick Assist), which solves the problem of long I/O blocking when TLS encryption operations are offloaded directly. It is not hard to see that accelerating encryption and decryption requests by offloading them to heterogeneous encryption and decryption resources has become the mainstream approach to optimizing encryption and decryption technology.
With the development of virtualization technology, cloud service providers enjoy the convenience it brings to fault recovery, service deployment, migration, update and maintenance, and, to improve the utilization of server resources, more and more application programs that need encryption and decryption technology run in virtual machines. The demand for heterogeneous encryption and decryption resources therefore also arises in virtualized environments. I/O pass-through technology, represented by SR-IOV (Single Root I/O Virtualization), is one possible scheme for this scenario: SR-IOV virtualizes multiple Virtual Functions (VFs) from the Physical Function (PF) of a physical hardware device; each Virtual Function manages its own required resources, has most of the functions of the physical hardware device, can be provided directly to an application program in a virtual machine as a virtual encryption/decryption device, and achieves performance close to that of using the physical hardware device directly.
Although research on offloading the computational overhead of encryption and decryption requests to heterogeneous encryption and decryption resources has achieved remarkable results in recent years, these resources are still relatively difficult to apply in a virtualized environment, so application programs running in virtual machines have difficulty benefiting from them. One class of heterogeneous encryption and decryption resources provides no support for virtualized environments at all; the other class only supports virtualization through SR-IOV and inherits that technology's lack of scalability and flexibility. Both problems can be summarized as a requirement for virtualization support based on physical hardware, which prevents virtual devices and physical devices from being completely decoupled. The former class, providing no virtualization support, is naturally unusable by applications in virtual machines. For the latter class, the number of virtual devices SR-IOV can support is limited: a 10Gb network card can support only 64 virtual functions. An insufficient number of virtual devices means the system cannot serve more tenants when physical resources are scarce, so tenant density is insufficient, and in multi-tenant scenarios context switching easily causes mutual performance interference. At the same time, SR-IOV also lacks mature live migration capabilities, limiting the scalability and flexibility offered to applications.
Therefore, those skilled in the art are dedicated to developing a unified paravirtualized framework oriented to heterogeneous encryption and decryption computing resources. When a virtual machine initiates an I/O request through a front-end driver, the request is sent, through a communication mechanism (the virtual queue) agreed between the paravirtualized front-end driver and back-end driver, to a paravirtualized back-end driver running in the virtual machine monitor for processing; the paravirtualized back-end driver can either call a real physical hardware device to execute the request or, like QEMU, simulate and execute the I/O request purely in software. In this way high-performance, general-purpose device virtualization can be provided to application programs in the virtual machine when facing different heterogeneous encryption and decryption resources, virtualization support based on physical hardware is eliminated, virtual devices and physical devices can be completely decoupled, and the number of virtual devices is not limited.
Disclosure of Invention
In view of the above drawbacks of the prior art, the technical problem to be solved by the present invention is that heterogeneous encryption and decryption resources are difficult to apply in virtualized environments.
To achieve the above purpose, the invention provides a unified paravirtualized framework for heterogeneous encryption and decryption computing resources, comprising a paravirtualized back-end module, a virtual machine monitor, a driver module and a paravirtualized front-end module. The paravirtualized back-end module receives a control-plane sess session request from the virtual machine monitor and returns a session ID after creating a session object in its local process; it receives a data-plane crypto encryption and decryption request from the paravirtualized front-end module and constructs a local crypto encryption and decryption request; and it issues the local crypto encryption and decryption request to the physical hardware device and retrieves the processed crypto encryption and decryption request.
The driver module runs in the virtual machine; after the virtual machine boots, it replaces the virtual machine operating system kernel in taking over the virtual encryption and decryption device, and exposes a uniform interface to the upper layer.
The paravirtualized front-end module can be loaded by an application program in the virtual machine, through a general interface, as the engine of the virtual encryption and decryption device, and executes an initialization flow. The paravirtualized front-end module receives encryption and decryption metadata from the application process, constructs a sess session request, and sends it to the virtual machine monitor through the control-plane queue to obtain a session object; it receives encryption and decryption data from the application process, constructs a crypto encryption and decryption request, and sends it to the paravirtualized back-end module through the data-plane queue; and it monitors the completion state of crypto encryption and decryption requests, retrieving completed requests in batches and notifying and waking the application process.
The paravirtualized front-end module provides an asynchronous processing mode for encryption and decryption requests based on the fiber mechanism provided by OpenSSL, and comprises an engine front-end module and an engine back-end module.
Further, the paravirtualized back-end module maintains a control-plane queue and a data-plane queue for each virtual encryption and decryption device to communicate with the virtual machine monitor and the paravirtualized front-end module; both queues are implemented as virtual queues. The control-plane queue carries sess session requests containing the encryption and decryption metadata used to create session objects; the data-plane queue carries crypto encryption and decryption requests containing encryption and decryption data, and is used to issue requests and monitor their completion state. The paravirtualized back-end module also maintains a unix socket file descriptor for establishing a communication link with the virtual machine monitor, and implements message transmission based on the vhost-user protocol over the socket interface.
The virtual machine monitor uses host huge-page memory to provide virtual memory for the virtual machine. This huge-page memory is managed jointly by the paravirtualized back-end module and the virtual machine monitor based on the Linux file descriptor sharing mechanism, so crypto encryption and decryption requests can be exchanged with the paravirtualized front-end module on the data-plane queue in zero-copy fashion, reducing the number of VM-Exits.
The paravirtualized back-end module builds a resource pool and allows each heterogeneous encryption and decryption resource to divide the full function of the physical hardware device into finer-grained resource groups, so that several heterogeneous encryption and decryption resources can jointly support one virtual device.
The paravirtualized back-end module implements a sequential ordering layer that maintains an additional intermediate queue to retrieve completed requests in the order in which the encryption and decryption requests were issued; this enforces FIFO behaviour across multiple heterogeneous encryption and decryption resources and prevents application programs from observing out-of-order execution.
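The sequential ordering layer described above can be illustrated with a small reorder buffer. The following C is an added example written for this page, not code from the patent or the UVCrypto framework; the slot count, the function names and the integer result payload are assumptions. Requests receive a sequence number when issued, the resources report completion in any order, and `order_retrieve` hands a request back only once every earlier request has also completed, so the caller never observes out-of-order execution.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a sequential ordering layer. Requests issued to several
 * heterogeneous resources may complete out of order; the intermediate
 * queue releases them to the caller strictly in issue (FIFO) order.
 * ORDER_SLOTS and the int result payload are constructed for illustration. */
#define ORDER_SLOTS 64u

struct order_layer {
    uint64_t next_issue;      /* sequence number assigned to the next request */
    uint64_t next_retire;     /* oldest sequence number not yet handed back */
    bool done[ORDER_SLOTS];   /* completion flag for each in-flight slot */
    int result[ORDER_SLOTS];  /* result reported by the resource, per slot */
};

void order_init(struct order_layer *ol) { memset(ol, 0, sizeof *ol); }

size_t order_in_flight(const struct order_layer *ol) {
    return (size_t)(ol->next_issue - ol->next_retire);
}

/* Issue a request: returns its sequence number, or -1 if the ring is full. */
int64_t order_issue(struct order_layer *ol) {
    if (order_in_flight(ol) >= ORDER_SLOTS) return -1;
    uint64_t seq = ol->next_issue++;
    ol->done[seq % ORDER_SLOTS] = false;
    return (int64_t)seq;
}

/* A resource reports completion of one request, in any order. Rejects
 * sequence numbers that are not in flight and duplicate completions. */
bool order_complete(struct order_layer *ol, uint64_t seq, int result) {
    if (seq < ol->next_retire || seq >= ol->next_issue) return false;
    size_t i = (size_t)(seq % ORDER_SLOTS);
    if (ol->done[i]) return false;
    ol->done[i] = true;
    ol->result[i] = result;
    return true;
}

/* Hand back completed requests in FIFO order. Stops at the first slot that
 * is still pending, so no completion overtakes an earlier request. */
size_t order_retrieve(struct order_layer *ol, uint64_t *seqs, int *results, size_t max) {
    size_t n = 0;
    while (n < max && ol->next_retire < ol->next_issue) {
        size_t i = (size_t)(ol->next_retire % ORDER_SLOTS);
        if (!ol->done[i]) break;
        seqs[n] = ol->next_retire;
        results[n] = ol->result[i];
        n++;
        ol->next_retire++;
    }
    return n;
}

/* Scenario: four requests issued, completed in the order 2, 0, 3, then 1.
 * Returns 10 * (count retrieved before 1 completes) + (count after). */
int order_demo(void) {
    struct order_layer ol;
    uint64_t seqs[ORDER_SLOTS];
    int results[ORDER_SLOTS];
    order_init(&ol);
    for (int k = 0; k < 4; k++) order_issue(&ol);
    order_complete(&ol, 2, 20);
    order_complete(&ol, 0, 0);
    order_complete(&ol, 3, 30);
    size_t first = order_retrieve(&ol, seqs, results, ORDER_SLOTS);  /* only seq 0 */
    order_complete(&ol, 1, 10);
    size_t second = order_retrieve(&ol, seqs, results, ORDER_SLOTS); /* seqs 1, 2, 3 */
    return (int)(first * 10 + second);
}

int main(void) {
    printf("ordering demo code: %d\n", order_demo());  /* 13 */
    return 0;
}
```

The ring is sized to the number of requests the back end keeps in flight; when it is full `order_issue` refuses new work rather than overwriting an unretired slot, which is the back-pressure a resource pool needs when one slow device holds up the head of the queue.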
Further, the engine front-end module is implemented as a dynamic link library. It registers with the OpenSSL engine library through the engine mechanism provided by OpenSSL and provides an initialization entry function, so that an application program in the virtual machine can load it as the engine of a virtual encryption and decryption device; it then receives the encryption and decryption metadata and data issued by the application program and uses them to construct control-plane sess session requests and data-plane crypto encryption and decryption requests.
Further, when an application process constructs a sess session request to obtain a session object, the engine back-end module cooperates with the virtual machine monitor and the paravirtualized back-end module to create the session object; the engine back-end module maintains a local session table as a cache and allows a session object in the table to be multiplexed by different encryption and decryption processes that use the same encryption and decryption metadata.
Based on the multi-process memory sharing mechanism provided by DPDK, the engine front-end module and the engine back-end module are implemented as a primary process and a secondary process respectively, so that they share the same huge-page memory topology; they can therefore create data transmission queues in shared memory and pass crypto encryption and decryption requests in zero-copy fashion.
After polling each data transmission queue, the engine back-end module first caches locally the encryption and decryption requests issued by the engine front-end module, and then issues them in a batch once a certain number of requests has accumulated.
The engine back-end module runs as a daemon process, and that single process is solely responsible for polling the completion state of all encryption and decryption requests.
A unified paravirtualized method for heterogeneous encryption and decryption computing resources, based on the unified paravirtualized framework for heterogeneous encryption and decryption computing resources according to any one of claims 1 to 4, comprises the following steps:
Step 1: start the engine back-end module when the virtual machine is initialized. The engine back-end module is implemented as a daemon in the virtual machine and is responsible, during the virtual machine's initialization stage, for initializing resources and initializing the virtual encryption and decryption device. Resource initialization includes initializing crypto encryption and decryption requests. Initializing the virtual encryption and decryption device means that the engine back-end module calls the interface provided by the driver module to create two virtual queues, the control-plane queue and the data-plane queue, communicates with the paravirtualized back-end module through VM-Exit, and shares the control-plane queue and data-plane queue with the virtual encryption and decryption device.
Step 2: the client application program loads the engine front-end module as an engine. The client application program loads the engine of the virtual encryption and decryption device by calling the interface provided by OpenSSL and executes the initialization flow the engine provides. The engine it loads is the engine front-end module implemented as a dynamic link library; the initialization flow comprises the engine front-end module actively establishing a connection with the engine back-end module, and the engine back-end module creating a data transmission queue and sharing that queue, together with crypto encryption and decryption requests, with the engine front-end module.
Step 3: the application process initializes the encryption and decryption metadata. The client application program starts several fibers through the fiber mechanism provided by OpenSSL and switches to each fiber in turn for execution; each fiber indirectly calls the engine front-end module through the interface provided by OpenSSL to initialize the encryption and decryption metadata, including keys, and the engine front-end module records the metadata at the same time.
Step 4: the application process executes encryption and decryption requests. Each fiber indirectly calls the engine front-end module through the interface provided by OpenSSL to execute an encryption and decryption request, passing it the encryption and decryption data, including the plaintext to be encrypted; the engine front-end module indirectly calls the underlying heterogeneous encryption and decryption resources to process the request and obtains the processing result.
Step 5: perform the related cleanup operations. After a single encryption and decryption request has completed, the paravirtualized front-end module cleans up resources at the request level and releases the space of the crypto encryption and decryption request allocated in the memory pool; when the engine back-end module detects that a session object in the session table can no longer be used, the paravirtualized front-end module cleans up resources at the session level and deletes the session object.
Further, step 4 further comprises:
Step 4.1: the paravirtualized front-end module obtains a session object;
Step 4.2: the paravirtualized front-end module creates a crypto encryption and decryption request. The engine front-end module creates the request from the encryption and decryption data provided by the client application program and links it by index to the session object obtained in step 4.1; the engine front-end module also adds to the request a fiber asynchronous file descriptor used to notify the application process of the request's completion state;
Step 4.3: the paravirtualized front-end module issues the crypto encryption and decryption request;
Step 4.4: the paravirtualized back-end module processes the crypto encryption and decryption request; it actively polls each data-plane queue to obtain crypto encryption and decryption requests;
Step 4.5: the paravirtualized front-end module retrieves the crypto encryption and decryption request. The engine back-end module polls the status bit of each issued crypto encryption and decryption request by calling the interface provided by the driver module, thereby detecting processed requests and retrieving them in batches;
Step 4.6: the paravirtualized front-end module notifies and wakes up the application process. For each processed encryption and decryption request, the engine back-end module obtains the fiber asynchronous file descriptor added in advance by the engine front-end module and uses it to wake the corresponding sleeping application process;
Step 4.7: the paravirtualized front-end module returns the request processing result to the application process. After the application process is woken, execution of the fiber corresponding to the crypto encryption and decryption request resumes, so the engine front-end module's processing flow for that request resumes; the engine front-end module takes the processing result added by the heterogeneous encryption and decryption resources from the crypto encryption and decryption request and returns it to the application process through the interface provided by OpenSSL.
Further, step 4.1 further comprises:
Step 4.1.1: the engine front-end module applies to the engine back-end module for a session object according to the encryption and decryption metadata provided by the client application program;
Step 4.1.2: the engine back-end module queries its local session table according to the encryption and decryption metadata provided by the engine front-end module; if the corresponding session object exists it is returned directly to the engine front-end module, otherwise a session object is created, added to the engine back-end module's session table, and then returned to the engine front-end module.
Further, creating the session object in step 4.1.2 comprises the following steps:
Step 4.1.2.1: the engine back-end module initializes a blank session object in its local process, constructs a sess session request from the encryption and decryption metadata provided by the engine front-end module, and calls the interface provided by the driver module to add it to the control-plane queue;
Step 4.1.2.2: the virtual machine traps to the host through a VM-Exit; the virtual machine monitor intervenes and communicates with the paravirtualized back-end module, which creates a session object in its local process and returns a session ID to the virtual machine monitor;
Step 4.1.2.3: the virtual machine monitor passes the received session ID to the driver module through a field of the sess session request;
Step 4.1.2.4: after receiving the session ID, the engine back-end module adds it to the session object in its local process and builds an index between the session object in the engine front-end module process and the session object in the paravirtualized back-end module process.
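The control-plane session path of steps 4.1.1 to 4.1.2.4, together with the session-table cache described earlier (a session object multiplexed by processes with the same metadata, and deleted at session-level cleanup in step 5), can be reduced to one process for illustration. The following C is an added example written for this page, not code from the patent or the UVCrypto framework: the engine back-end keeps a local session table keyed by metadata and, on a miss, builds a sess request that a simulated UVC-host answers with a session ID. The structure layouts, table size, the `algo` numbering, the ASCII demo keys and all function names are assumptions; in the real framework the host side runs in another process and is reached through ctrlq and a VM-Exit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: session lookup-or-create on the control plane, in one process.
 * Sizes, field names and ID numbering are constructed for illustration. */
#define MAX_KEY         32u
#define MAX_SESSIONS    16u
#define SESSION_ID_NONE 0u

struct crypto_meta {          /* metadata that identifies a session */
    uint32_t algo;            /* cipher identifier, constructed numbering */
    size_t   keylen;
    uint8_t  key[MAX_KEY];
};

struct sess_request {         /* control-plane message carried on ctrlq */
    struct crypto_meta meta;
    uint64_t session_id;      /* filled in by the back end on success */
};

struct session_object {       /* entry in the engine back-end's session table */
    struct crypto_meta meta;
    uint64_t session_id;      /* ID returned by UVC-host; 0 marks an empty slot */
    unsigned refcount;        /* processes currently multiplexing this session */
};

static struct session_object session_table[MAX_SESSIONS];

/* Simulated UVC-host side (step 4.1.2.2): owns the session and hands out IDs. */
static uint64_t host_next_id = 1;
static uint64_t host_create_session(struct sess_request *req) {
    if (req->meta.keylen == 0 || req->meta.keylen > MAX_KEY) return SESSION_ID_NONE;
    req->session_id = host_next_id++;
    return req->session_id;
}

static int meta_equal(const struct crypto_meta *a, const struct crypto_meta *b) {
    return a->algo == b->algo && a->keylen == b->keylen &&
           memcmp(a->key, b->key, a->keylen) == 0;
}

/* Build metadata from a constructed ASCII key (a real key would be binary). */
struct crypto_meta make_meta(uint32_t algo, const char *key) {
    struct crypto_meta m;
    memset(&m, 0, sizeof m);
    m.algo = algo;
    m.keylen = strlen(key) > MAX_KEY ? MAX_KEY : strlen(key);
    memcpy(m.key, key, m.keylen);
    return m;
}

/* Step 4.1.2: look the metadata up in the local table; create on a miss. */
uint64_t session_lookup_or_create(const struct crypto_meta *meta) {
    struct session_object *free_slot = NULL;
    if (meta->keylen == 0 || meta->keylen > MAX_KEY) return SESSION_ID_NONE;
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        struct session_object *s = &session_table[i];
        if (s->session_id == SESSION_ID_NONE) {
            if (!free_slot) free_slot = s;
        } else if (meta_equal(&s->meta, meta)) {
            s->refcount++;                       /* hit: multiplex the session */
            return s->session_id;
        }
    }
    if (!free_slot) return SESSION_ID_NONE;      /* table full */
    struct sess_request req;                     /* step 4.1.2.1: build sess request */
    req.meta = *meta;
    req.session_id = SESSION_ID_NONE;
    if (host_create_session(&req) == SESSION_ID_NONE) return SESSION_ID_NONE;
    free_slot->meta = *meta;                     /* step 4.1.2.4: record the ID */
    free_slot->session_id = req.session_id;
    free_slot->refcount = 1;
    return req.session_id;
}

unsigned session_refcount(uint64_t session_id) {
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        if (session_table[i].session_id == session_id) return session_table[i].refcount;
    return 0;
}

/* Session-level cleanup (step 5): drop one reference; delete the object at zero.
 * Returns the remaining refcount, or -1 if the ID is unknown. */
int session_release(uint64_t session_id) {
    if (session_id == SESSION_ID_NONE) return -1;
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        struct session_object *s = &session_table[i];
        if (s->session_id != session_id) continue;
        if (--s->refcount == 0) { memset(s, 0, sizeof *s); return 0; }
        return (int)s->refcount;
    }
    return -1;
}

int main(void) {
    struct crypto_meta a = make_meta(1, "0123456789abcdef");
    struct crypto_meta b = make_meta(1, "fedcba9876543210");
    printf("a -> %llu\n", (unsigned long long)session_lookup_or_create(&a));
    printf("a again -> %llu\n", (unsigned long long)session_lookup_or_create(&a));
    printf("b -> %llu\n", (unsigned long long)session_lookup_or_create(&b));
    return 0;
}
```

The table key deliberately includes the full key material and algorithm, not just a key length: two processes only share a session object when their metadata is byte-for-byte identical, and a session is only deleted when its last user has released it, which is the condition step 5 describes for session-level cleanup.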
Further, step 4.3 further comprises:
Step 4.3.1: the engine front-end module adds the crypto encryption and decryption request to the data transmission queue shared with the engine back-end module, immediately stops executing the current fiber and returns control to the application program, which then starts processing a new encryption and decryption request; when all fibers of the application process have stopped executing, the application program goes to sleep and monitors the events of the asynchronous file descriptors on each fiber;
Step 4.3.2: the engine back-end module obtains crypto encryption and decryption requests by polling each data transmission queue, buffers them, and passes them to the data-plane queue in batches.
Further, step 4.4 further comprises:
Step 4.4.1: the paravirtualized back-end module obtains the session ID from the session object indirectly indexed by the crypto encryption and decryption request, obtains the corresponding session object from its local session table, obtains the encryption and decryption data in zero-copy fashion from the content of the crypto encryption and decryption request, and constructs the local crypto encryption and decryption request;
Step 4.4.2: the paravirtualized back-end module sends local crypto encryption and decryption requests to the heterogeneous encryption and decryption resources in batches through a dispatching driver layer;
Step 4.4.3: the paravirtualized back-end module retrieves processed crypto encryption and decryption requests in batches from the corresponding heterogeneous encryption and decryption resources; these requests already contain the processing results added by the heterogeneous encryption and decryption resources, and on that basis the paravirtualized back-end module sets the status bit of each request;
Step 4.4.4: the paravirtualized back-end module continuously loops through steps 4.4.1 to 4.4.3, continuously issuing and retrieving crypto encryption and decryption requests.
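The data-plane path of steps 4.3.1 to 4.4.4 (engine back-end batching into dataq, the back end polling dataq and setting a status bit, the engine back-end polling status bits and collecting the asynchronous file descriptors to wake) can likewise be reduced to one process. The following C is an added example written for this page, not code from the patent or the UVCrypto framework: the batch size, queue depth, status values, request layout and function names are assumptions, and the "processing" done by the simulated resource is a placeholder that only records an output length and rejects a request with no session, standing in for the real cipher work.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: batching and status-bit polling on the data plane, in one
 * process. Batch size, queue depth and the placeholder processing are
 * constructed for illustration and are not the framework's own. */
#define BATCH_SIZE  4u
#define QUEUE_DEPTH 64u

enum req_status { REQ_PENDING = 0, REQ_DONE = 1 };

struct crypto_request {
    uint64_t session_id;      /* index to the session created on the control plane */
    size_t   len;             /* length of the data to process */
    int      async_fd;        /* fiber asynchronous fd used to wake the caller */
    size_t   result_len;      /* set by the resource */
    volatile int status;      /* status bit polled by the engine back-end */
};

/* dataq: a ring shared by the engine back-end (producer) and UVC-host (consumer). */
static struct crypto_request *dataq[QUEUE_DEPTH];
static size_t dq_head, dq_tail;

/* Engine back-end batch buffer (step 4.3.2) and in-flight list (step 4.5). */
static struct crypto_request *batch[BATCH_SIZE];
static size_t batch_len;
static struct crypto_request *inflight[QUEUE_DEPTH];
static size_t inflight_len;

void dataplane_reset(void) {
    dq_head = dq_tail = batch_len = inflight_len = 0;
}

/* Move the buffered batch into dataq. Returns the number of requests moved;
 * requests that do not fit stay buffered. */
size_t engine_flush(void) {
    size_t moved = 0;
    while (moved < batch_len && dq_tail - dq_head < QUEUE_DEPTH)
        dataq[dq_tail++ % QUEUE_DEPTH] = batch[moved++];
    memmove(batch, batch + moved, (batch_len - moved) * sizeof batch[0]);
    batch_len -= moved;
    return moved;
}

/* Steps 4.3.1/4.3.2: accept a request from the front end; flush when a batch is full. */
bool engine_submit(struct crypto_request *req) {
    if (batch_len >= BATCH_SIZE || inflight_len >= QUEUE_DEPTH) return false;
    req->status = REQ_PENDING;
    inflight[inflight_len++] = req;
    batch[batch_len++] = req;
    if (batch_len == BATCH_SIZE) engine_flush();
    return true;
}

/* Steps 4.4.1-4.4.3 on the simulated host: drain dataq, process, set the status bit. */
size_t host_poll_dataq(void) {
    size_t n = 0;
    while (dq_head < dq_tail) {
        struct crypto_request *req = dataq[dq_head++ % QUEUE_DEPTH];
        req->result_len = (req->session_id == 0) ? 0 : req->len; /* placeholder work */
        req->status = REQ_DONE;                                  /* status bit set last */
        n++;
    }
    return n;
}

/* Steps 4.5/4.6: poll status bits, retrieve completed requests in a batch and
 * return the fds of the processes to wake. Pending requests stay in flight. */
size_t engine_retrieve(int *fds_to_wake, size_t max) {
    size_t n = 0, kept = 0;
    for (size_t i = 0; i < inflight_len; i++) {
        struct crypto_request *req = inflight[i];
        if (req->status == REQ_DONE && n < max) fds_to_wake[n++] = req->async_fd;
        else inflight[kept++] = req;
    }
    inflight_len = kept;
    return n;
}

/* Scenario: six requests, one automatic flush of four, then an explicit flush.
 * Returns 100 * first host batch + 10 * second host batch + total fds woken. */
int dataplane_demo(void) {
    struct crypto_request reqs[6];
    int fds[QUEUE_DEPTH];
    dataplane_reset();
    for (int i = 0; i < 6; i++) {
        reqs[i].session_id = 1;
        reqs[i].len = 1024 * (size_t)(i + 1);
        reqs[i].async_fd = 100 + i;
        engine_submit(&reqs[i]);
    }
    size_t first = host_poll_dataq();                 /* 4: the full batch */
    size_t woken = engine_retrieve(fds, QUEUE_DEPTH); /* 4 */
    engine_flush();                                   /* push the remaining 2 */
    size_t second = host_poll_dataq();                /* 2 */
    woken += engine_retrieve(fds, QUEUE_DEPTH);       /* 6 in total */
    return (int)(first * 100 + second * 10 + woken);
}

int main(void) {
    printf("data-plane demo code: %d\n", dataplane_demo()); /* 426 */
    return 0;
}
```

Two details matter for correctness rather than performance: the host writes the result before it sets the status bit, so a poller that sees `REQ_DONE` never reads a half-written result, and a request that never completes stays in the in-flight list instead of being dropped, so its fiber is not left asleep without a wake-up. A real deployment would also flush a partial batch on a timer rather than only on the explicit `engine_flush()` shown here.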
Compared with the prior art, the invention has at least the following beneficial technical effects:
1. The paravirtualized front end can be loaded directly by an application program in the virtual machine as a virtual device engine, and the interface it presents to the application program is consistent with the general interface provided by OpenSSL, so application programs in the virtual machine can benefit from heterogeneous encryption and decryption resources without modifying code or adding a layer of abstraction;
2. The invention lets several heterogeneous encryption and decryption resources jointly support one virtual device, which extends the functions, performance and robustness of the virtual device and better meets the complex and diverse demands of application programs in virtual machines in cloud computing environments;
3. The invention avoids memory copies of requests on the data plane between the paravirtualized front end and back end, eliminates the VM-Exits generated on the data plane, reduces the number of VM-Exits as far as possible under heavy load, and improves the performance of the paravirtualized framework;
4. The paravirtualized front end caches encryption and decryption requests and issues them in batches, which reduces contention and the cost of context switching; in addition, since most heterogeneous encryption and decryption resources have many computing units available for concurrent use, dense batches of pending encryption and decryption requests significantly improve the utilization of the heterogeneous encryption and decryption resources; both improve the performance of the paravirtualized framework;
5. On the basis of processing encryption and decryption requests in an asynchronous mode, the invention confines the high CPU cost of polling to the single engine back-end process of the paravirtualized front-end module, avoiding the high CPU cost of creating a polling thread in every application process, and thereby improves the performance of the virtualization framework.
The conception, specific structure and technical effects of the present invention are further described below with reference to the accompanying drawings, so that the objects, features and effects of the present invention can be fully understood.
Drawings
FIG. 1 is a general architecture diagram of a preferred embodiment of the present invention;
FIG. 2 is a flow chart of processing a control plane sess session request in accordance with a preferred embodiment of the present invention;
FIG. 3 is a flow chart of processing a data plane encryption and decryption request according to a preferred embodiment of the present invention;
FIG. 4 is a diagram of an engine mechanism provided by OpenSSL in accordance with a preferred embodiment of the present invention;
FIG. 5 is a schematic diagram of a heterogeneous encryption and decryption resource pool according to a preferred embodiment of the present invention.
Detailed Description
The following description of the preferred embodiments of the present invention refers to the accompanying drawings, so as to make its technical content clearer and easier to understand. The present invention may be embodied in many different forms, and its scope is not limited to the embodiments described herein.
In the drawings, like structural elements are referred to by like reference numerals and components having similar structure or function are referred to by like reference numerals. The dimensions and thickness of each component shown in the drawings are arbitrarily shown, and the present invention is not limited to the dimensions and thickness of each component. The thickness of the components is exaggerated in some places in the drawings for clarity of illustration.
The invention resolves the difficulty of using heterogeneous encryption and decryption resources in a virtualized environment by constructing a high-performance, extensible and flexible paravirtualized framework for heterogeneous encryption and decryption resources. In this embodiment the framework is named UVCrypto; its paravirtualized front-end implementation is named UVC-engine and its paravirtualized back-end implementation is named UVC-host.
The overall architecture of the UVCrypto framework is shown in FIG. 1. From the bottom layer to the top it comprises four functional modules: the UVCrypto-host (hereinafter UVC-host), the Hypervisor (virtual machine monitor), the virtio cryptodev driver, and the UVCrypto-engine (hereinafter UVC-engine); the UVC-engine is itself split into a front end and a back end.
To build a high-performance paravirtualized framework with extensibility, transparency and flexibility, the UVCrypto framework takes vhost-user as its base: both the data plane and the control plane communication between the paravirtualized front end and back end are based on the vhost-user protocol. The UVC-host maintains a control plane queue ctrlq and a data plane queue dataq for each virtual encryption and decryption device to communicate with the QEMU hypervisor and the UVC-engine; both queues are implemented as virtual queues. The control plane queue ctrlq carries sess requests containing the encryption and decryption metadata used to create a session object, and the data plane queue dataq carries crypto requests containing the encryption and decryption data and is used to issue requests and monitor their completion state; the specific flows for processing control plane and data plane requests are shown in FIG. 2 and FIG. 3. The UVC-host also maintains a unix socket file descriptor for establishing a communication link with the QEMU hypervisor, over which vhost-user protocol messages are exchanged through the socket interface. Because this virtual-queue-based front-end/back-end communication does not depend on the physical hardware's support for virtualization, the UVCrypto framework can completely decouple virtual devices from physical devices, so the number of virtual devices is not limited and high-performance, general device virtualization can still be provided to applications in the virtual machine whatever heterogeneous encryption and decryption resources are present.
The UVC-host, the paravirtualized back end of the UVCrypto framework, provides three functions: 1. receiving a control plane sess session request from the QEMU Hypervisor and returning a session ID after the local process has created the session object; 2. receiving a data plane crypto encryption and decryption request from the UVC-engine and constructing a local crypto encryption and decryption request; 3. issuing the local crypto encryption and decryption request to the physical hardware device and retrieving it once processed.
The UVC-host is implemented as a DPDK application on the host, with the following three design aspects:
1. The UVC-host maintains a control plane queue ctrlq and a data plane queue dataq for each virtual encryption and decryption device, to process the control plane sess session request and the data plane crypto encryption and decryption request respectively. Further, the QEMU hypervisor provides virtual memory for the virtual machine from host large page memory; the UVC-host manages this large page memory together with the QEMU hypervisor through the Linux file descriptor sharing mechanism and computes the corresponding address mapping (the formulas are given only as images in the original). According to the linear mapping relation of the virtual machine memory, the UVC-host can access the encryption and decryption requests in the data plane queue dataq constructed inside the virtual machine directly through pointers in its local virtual address space, so crypto encryption and decryption requests can be exchanged with the paravirtualized front end on the data plane queue dataq in a zero-copy manner and the number of VM-Exits is reduced;
2. The UVC-host builds a resource pool and allows each heterogeneous encryption and decryption resource to divide the function of a complete physical hardware device into finer-grained resource groups, so that several heterogeneous encryption and decryption resources can jointly back one virtual device. The minimum granularity in the resource pool is the resource group, and each resource group should on its own be able to provide encryption and decryption acceleration for one virtual machine. A resource group can take many forms: a complete physical hardware device, a single VF of an SR-IOV device, a CPU capable of performing encryption and decryption computation, or any combination of the above, as shown in FIG. 5. The UVCrypto framework also overcomes the limited functionality, performance and robustness of having a single heterogeneous encryption and decryption resource process requests on its own by providing several scheduling strategies: an algorithm-matching strategy, which parses the encryption and decryption algorithm of a request and schedules it to a resource group that provides that algorithm, extending the functionality of the virtual device; a round-robin strategy, which sends the crypto requests issued by the UVC-host to different heterogeneous encryption and decryption resources in turn, improving the performance of the virtual device; and a fail-over strategy, which divides the resource groups into a primary and a secondary group and resends a request to the secondary group when issuing it to the primary group fails, enhancing the robustness of the virtual device.
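As an added illustration of the three scheduling strategies above (example code written for this page, not an implementation from the UVCrypto framework or the patent), the following C program models a resource pool whose resource groups each advertise the algorithms they accelerate, and dispatches a request by algorithm matching, round robin, or fail-over from a primary to a secondary group. The group names, the algorithm identifiers, the `fail_submit` fault flag and the `submit()` stub are constructed assumptions; a real back end would issue the request to the device through its driver instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed algorithm identifiers, kept as bit flags so one group can
 * advertise several at once. Not the identifiers used by the patent. */
enum alg { ALG_AES_CBC = 1, ALG_AES_GCM = 2, ALG_SM4_CBC = 4 };

enum strategy { SCHED_ALGO_MATCH, SCHED_ROUND_ROBIN, SCHED_FAIL_OVER };

/* One resource group: the smallest schedulable unit of the pool. */
struct resource_group {
    const char *name;
    uint32_t caps;      /* bitmask of enum alg the group accelerates */
    bool fail_submit;   /* constructed fault flag: submissions fail */
    unsigned submitted; /* requests accepted so far */
};

struct resource_pool {
    struct resource_group *groups;
    size_t ngroups;
    size_t rr_next;     /* round-robin cursor */
};

/* Stand-in for issuing one crypto request to a group. Returns false when
 * the group cannot take it (fault injected or algorithm unsupported). */
static bool submit(struct resource_group *g, uint32_t alg) {
    if (g->fail_submit || !(g->caps & alg))
        return false;
    g->submitted++;
    return true;
}

/* Algorithm matching: first group advertising alg, or -1. */
static int pick_algo_match(const struct resource_pool *p, uint32_t alg) {
    for (size_t i = 0; i < p->ngroups; i++)
        if (p->groups[i].caps & alg)
            return (int)i;
    return -1;
}

/* Round robin: rotate the cursor over the groups that support alg. */
static int pick_round_robin(struct resource_pool *p, uint32_t alg) {
    for (size_t i = 0; i < p->ngroups; i++) {
        size_t idx = (p->rr_next + i) % p->ngroups;
        if (p->groups[idx].caps & alg) {
            p->rr_next = (idx + 1) % p->ngroups;
            return (int)idx;
        }
    }
    return -1;
}

/* Dispatch one request. Returns the index of the group that accepted it,
 * or -1 if none could. Fail-over treats group 0 as the primary group and
 * group 1 as the secondary group. */
int dispatch(struct resource_pool *p, enum strategy s, uint32_t alg) {
    int idx;
    switch (s) {
    case SCHED_FAIL_OVER:
        if (p->ngroups > 0 && submit(&p->groups[0], alg)) return 0;
        if (p->ngroups > 1 && submit(&p->groups[1], alg)) return 1;
        return -1;
    case SCHED_ROUND_ROBIN:
        idx = pick_round_robin(p, alg);
        break;
    default:
        idx = pick_algo_match(p, alg);
        break;
    }
    if (idx < 0 || !submit(&p->groups[idx], alg))
        return -1;
    return idx;
}

/* Constructed pool: a whole accelerator, one of its VFs, and the CPU.
 * Each call resets the pool so the demo starts from a known state. */
static struct resource_group demo_groups[3];

struct resource_pool *demo_pool(void) {
    static struct resource_pool pool;
    static const struct resource_group initial[3] = {
        { "accel-pf",  ALG_AES_CBC | ALG_AES_GCM, false, 0 },
        { "accel-vf0", ALG_AES_CBC | ALG_AES_GCM, false, 0 },
        { "cpu-sw",    ALG_SM4_CBC,               false, 0 },
    };
    memcpy(demo_groups, initial, sizeof demo_groups);
    pool.groups = demo_groups;
    pool.ngroups = 3;
    pool.rr_next = 0;
    return &pool;
}

int main(void) {
    struct resource_pool *p = demo_pool();
    int m = dispatch(p, SCHED_ALGO_MATCH, ALG_SM4_CBC);
    int r1 = dispatch(p, SCHED_ROUND_ROBIN, ALG_AES_CBC);
    int r2 = dispatch(p, SCHED_ROUND_ROBIN, ALG_AES_CBC);
    printf("algo-match SM4 -> %s; round-robin AES-CBC -> %s, %s\n",
           p->groups[m].name, p->groups[r1].name, p->groups[r2].name);
    p->groups[0].fail_submit = true;   /* simulate the primary group failing */
    int f = dispatch(p, SCHED_FAIL_OVER, ALG_AES_GCM);
    printf("fail-over AES-GCM -> %s\n", f < 0 ? "none" : p->groups[f].name);
    return 0;
}
```

Round robin only rotates among groups that advertise the algorithm, so a request never lands on a group that cannot serve it; fail-over returns -1 when both the primary and the secondary group reject the request, which is the case the caller must surface as an error rather than silently drop.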
3. The UVC-host implements a sequential ordering layer: an additional intermediate queue is maintained so that completed requests are recovered in the order in which the encryption and decryption requests were issued, enforcing first-in-first-out (FIFO) behaviour across the several heterogeneous encryption and decryption resources so that the application never observes out-of-order execution.
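The sequential ordering layer can be modelled as a ring addressed by sequence number. The following C code is an added example, not the patent's own implementation: a request receives a sequence number when it is issued, the heterogeneous resources report completion in any order, and results are handed back only in issue order, stopping at the first request still in flight. The ring size `ORDER_RING` and the integer result payload are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the intermediate queue; an assumption for the example. */
#define ORDER_RING 64u

/* The ordering layer: a ring of slots addressed by sequence number.
 * head_seq is the oldest request not yet handed back; next_seq is the
 * number the next issued request receives. */
struct order_layer {
    uint64_t head_seq;
    uint64_t next_seq;
    bool done[ORDER_RING];
    int result[ORDER_RING];  /* constructed payload: a status code */
};

void order_init(struct order_layer *o) {
    memset(o, 0, sizeof *o);
}

/* On issue: reserve the next sequence number. Returns -1 when the
 * intermediate queue is full, which is back-pressure to the caller. */
int64_t order_issue(struct order_layer *o) {
    if (o->next_seq - o->head_seq >= ORDER_RING)
        return -1;
    uint64_t seq = o->next_seq++;
    o->done[seq % ORDER_RING] = false;
    return (int64_t)seq;
}

/* On completion by any heterogeneous resource, in any order. Rejects
 * sequence numbers that were never issued or were already released. */
bool order_complete(struct order_layer *o, uint64_t seq, int result) {
    if (seq < o->head_seq || seq >= o->next_seq)
        return false;
    o->done[seq % ORDER_RING] = true;
    o->result[seq % ORDER_RING] = result;
    return true;
}

/* Hand back results strictly in issue order. Stops at the first request
 * that is still in flight, so a slow resource never lets a later request
 * overtake an earlier one as seen by the application. */
size_t order_dequeue(struct order_layer *o, int *out, size_t max) {
    size_t n = 0;
    while (n < max && o->head_seq < o->next_seq &&
           o->done[o->head_seq % ORDER_RING]) {
        out[n++] = o->result[o->head_seq % ORDER_RING];
        o->head_seq++;
    }
    return n;
}

int main(void) {
    struct order_layer o;
    int out[8];
    order_init(&o);
    for (int i = 0; i < 4; i++)
        order_issue(&o);                 /* sequence numbers 0..3 */
    order_complete(&o, 2, 20);           /* resources finish 2, 0, 3 first */
    order_complete(&o, 0, 0);
    order_complete(&o, 3, 30);
    size_t n = order_dequeue(&o, out, 8);
    printf("released %zu result(s) while seq 1 is still pending\n", n);
    order_complete(&o, 1, 10);
    n = order_dequeue(&o, out, 8);
    printf("released %zu more: %d %d %d\n", n, out[0], out[1], out[2]);
    return 0;
}
```

The cost of the FIFO guarantee is visible in the demo: three requests are finished but only one is released until the straggler completes, so the ring must be sized for the largest completion skew between the resources, and a full ring has to stall issue rather than overwrite a slot.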
The UVC-engine, the paravirtualized front end of the UVCrypto framework, provides four functions: 1. an application in the virtual machine can load it as the engine of the virtual encryption and decryption device through a universal interface and run its initialization flow; 2. it receives encryption and decryption metadata from the application process, constructs a sess session request, and sends it to the QEMU Hypervisor through the control plane queue ctrlq to obtain a session object; 3. it receives encryption and decryption data from the application process, constructs a crypto encryption and decryption request, and sends it to the UVC-host through the data plane queue dataq; 4. it monitors the completion state of the crypto encryption and decryption requests and, once they are complete, retrieves them in batches and notifies and wakes up the application process. For high performance, the UVC-engine provides an efficient asynchronous processing mode for encryption and decryption requests based on the fiber mechanism provided by OpenSSL, and is split into a front end and a back end to reduce the CPU overhead of polling; that is, the UVC-engine is subdivided into the UVC-engine front end and the UVC-engine back end. The UVC-engine front end is implemented as a dynamically linked library that lives in the application process and can be loaded directly by the application in the virtual machine as the virtual device engine.
The UVC-engine back end is implemented as a daemon that runs independently in the background. Only one UVC-engine back end is started, and it serves multiple UVC-engine front ends: on one hand it receives the encryption and decryption requests issued by the front ends, and on the other hand it continuously polls the completion state of those requests in the background and retrieves the processed ones.
The UVC-engine back end is implemented as a daemon with the following four design aspects: 1. when an application process constructs a sess session request to obtain a session object, the UVC-engine back end cooperates with the QEMU Hypervisor and the UVC-host to create it. To reduce repeated creation of session objects, the UVC-engine back end locally maintains a session table as a cache and allows a session object in the table to be reused by different encryption and decryption processes that have the same encryption and decryption metadata; 2. based on the multi-process memory sharing mechanism provided by DPDK, the UVC-engine front end and back end are implemented as a primary process and a secondary process respectively, which share the same large-page memory topology, so a data transmission queue trans can be created in shared memory and crypto encryption and decryption requests transferred in a zero-copy manner; 3. after the UVC-engine back end polls each data transmission queue trans for the encryption and decryption requests issued by the front ends, it caches them locally and issues them in a batch once a certain number have accumulated, which reduces the number of virtio cryptodev driver interface calls, lowers the pressure on the paravirtualized front end, and raises the density of encryption and decryption requests and hence the utilization of the heterogeneous encryption and decryption resources; 4. as a daemon, the UVC-engine back end is the single process responsible for polling the completion state of all encryption and decryption requests, which avoids the high CPU overhead of creating a polling thread in every application process.
The UVC-engine front end is implemented as a dynamic link library. Based on the engine mechanism provided by OpenSSL, the paravirtualized front end of the UVCrypto framework is uniformly named UVC-engine, registered in OpenSSL's engine library, and given an initialization entry function, so that the UVC-engine front end can be loaded by an application in the virtual machine as the engine of the virtual encryption and decryption device; the UVC-engine can be selected by the "-engine" parameter of an OpenSSL command and is initialized after loading. On this basis it receives the encryption and decryption metadata and data issued by the application and constructs the control plane sess session request and the data plane encryption and decryption request, as shown in FIG. 4.
The Hypervisor is the virtual machine monitor. Taking the most common one, the QEMU Hypervisor, as an example, its main functions cover three aspects: 1. providing basic resources such as virtual memory to the virtual machine; 2. during virtual machine start-up, intercepting the PCI bus accesses of the virtual machine operating system kernel through VM-Exit and emulating a virtual encryption and decryption device conforming to the virtio standard for the virtual machine; 3. during the start-up and execution of the virtual encryption and decryption device, communicating with the paravirtualized back end UVC-host through VM-Exit on behalf of the paravirtualized front-end driver virtio cryptodev driver; it maintains a control plane queue ctrlq for each virtual encryption and decryption device in memory shared between the QEMU Hypervisor and the paravirtualized front end UVC-engine, forwards the sess request carrying the encryption and decryption metadata to the UVC-host, and returns the session ID obtained from the UVC-host to the UVC-engine, completing the coordinated creation of the session object.
The virtio cryptodev driver runs in the virtual machine as a user-mode paravirtualized front-end driver. Its main function is to take over the virtual machine's encryption and decryption device in place of the virtual machine operating system kernel after the virtual machine has started, and to expose a uniform interface to the upper layer. The interfaces the virtio cryptodev driver can provide include: initializing a virtual encryption and decryption device, starting and configuring the device, adding a sess request to the control plane queue ctrlq, adding a crypto request to the data plane queue dataq, fetching processed crypto requests, and so on.
To further clarify the design of the UVCrypto framework from a macroscopic view, a typical workflow that can arise in a real application scenario is described: client applications A and B execute encryption and decryption requests at the same time and interact with the UVCrypto framework. For ease of discussion, both client applications use symmetric encryption algorithms and their encryption and decryption metadata, such as keys, stay unchanged throughout. The example workflow can be divided into five steps, described in detail as follows:
Step 1, start the UVC-engine back end when the virtual machine is initialized. The UVC-engine back end is implemented as a daemon in the virtual machine and is mainly responsible, during the virtual machine initialization phase, for initializing resources and initializing the virtual encryption and decryption device. Specifically, resource initialization mainly involves initializing the memory pools of resources such as crypto encryption and decryption requests; in initializing the virtual encryption and decryption device, the UVC-engine back end calls the interface provided by the virtio cryptodev driver to create the two virtual queues, the control plane queue ctrlq and the data plane queue dataq, establishes communication with the UVC-host through VM-Exit, and shares the two virtual queues.
Step 2, the client application loads the UVC-engine front end as an engine. Taking client application A as an example, it loads the engine of the virtual encryption and decryption device by calling the interface provided by OpenSSL and runs the initialization flow provided by the engine. The engine loaded by the client application is the UVC-engine front end implemented as a dynamic link library; during its initialization flow the UVC-engine front end actively establishes a connection with the UVC-engine back end, the UVC-engine back end creates a data transmission queue trans, and shares the trans and resources such as the crypto encryption and decryption request memory pool with the UVC-engine front end.
Step 3, the application process initializes the encryption and decryption metadata. Taking client application A as an example, it starts several fibers through the fiber mechanism provided by OpenSSL and switches to each fiber in turn for execution; each fiber then indirectly calls the UVC-engine front end through the interface provided by OpenSSL to initialize the encryption and decryption metadata, including the key, and the UVC-engine front end records that metadata.
Step 4, the application process executes the encryption and decryption request. Each fiber indirectly calls the UVC-engine front end through the interface provided by OpenSSL to execute an encryption and decryption request, passing the encryption and decryption data, including the plaintext to be encrypted, to the UVC-engine front end, which calls the underlying heterogeneous encryption and decryption resources to process the request and obtain the result. The specific processing can be further divided into the following sub-steps:
Step 4.1, the UVC-engine obtains a session object. Obtaining a session object takes two steps:
Step 4.1.1, the UVC-engine front end applies to the UVC-engine back end for a session object according to the encryption and decryption metadata supplied by the client application;
Step 4.1.2, the UVC-engine back end looks up its local session table using the encryption and decryption metadata supplied by the UVC-engine front end; if a matching session object exists it is returned directly to the UVC-engine front end, otherwise a session object is created, added to the UVC-engine back end's session table, and returned to the UVC-engine front end.
Creating a session object takes four steps:
Step 4.1.2.1, the UVC-engine back end initializes a blank session object in the local process, constructs a session request (sess request) from the encryption and decryption metadata supplied by the UVC-engine front end, and calls the interface provided by the virtio cryptodev driver to add it to the control plane queue ctrlq;
Step 4.1.2.2, the virtual machine traps into the host through a VM-Exit, the QEMU Hypervisor intervenes and communicates with the UVC-host, and the UVC-host creates a session object in its local process and returns a session ID to the QEMU Hypervisor;
Step 4.1.2.3, the QEMU Hypervisor passes the received session ID to the virtio cryptodev driver through a sub-field of the sess session request;
Step 4.1.2.4, the UVC-engine back end receives the session ID and attaches it to the session object in its local process, thereby establishing the index between the session object in the UVC-engine back end process and the session object in the UVC-host process.
Step 4.2, the UVC-engine creates a crypto encryption and decryption request. The UVC-engine front end creates a crypto encryption and decryption request (crypto request) from the encryption and decryption data supplied by the client application and links it to the session object obtained in step 4.1, so that the request directly contains the encryption and decryption data and indirectly references the encryption and decryption metadata, and thus represents a complete encryption and decryption request. In addition, the UVC-engine front end adds to the crypto encryption and decryption request a fiber asynchronous file descriptor used to notify the application process of the request's completion state.
Step 4.3, the UVC-engine issues the crypto encryption and decryption request. Issuing the request takes two steps:
Step 4.3.1, the UVC-engine front end adds the crypto encryption and decryption request to the data transmission queue trans shared with the UVC-engine back end, immediately pauses the current fiber and returns control to the application, which can then start processing a new encryption and decryption request; when all fibers of the application process are paused, the application goes to sleep and monitors the events of the asynchronous file descriptors of the fibers;
Step 4.3.2, the UVC-engine back end obtains crypto encryption and decryption requests by polling each data transmission queue trans, buffers them, and issues them in batches to the data plane queue dataq.
Step 4.4, the UVC-host processes the crypto encryption and decryption request. The UVC-host actively polls each data plane queue dataq to obtain crypto encryption and decryption requests. For each crypto encryption and decryption request, the UVC-host performs the following three steps:
Step 4.4.1, the UVC-host obtains the session ID from the session object indirectly referenced by the crypto encryption and decryption request, fetches the corresponding session object from its local session table, obtains the encryption and decryption data in a zero-copy manner from the content of the crypto encryption and decryption request, and constructs the local crypto encryption and decryption request;
Step 4.4.2, the UVC-host issues the local crypto encryption and decryption requests in batches to the heterogeneous encryption and decryption resources through the scheduling driver layer;
Step 4.4.3, the UVC-host retrieves the processed crypto encryption and decryption requests in batches from the corresponding heterogeneous encryption and decryption resources; these requests already carry the processing results added by the heterogeneous encryption and decryption resources, and on that basis the UVC-host sets the status bit of each crypto encryption and decryption request. The UVC-host loops over this process continuously, issuing and retrieving crypto encryption and decryption requests.
Step 4.5, the UVC-engine retrieves the crypto encryption and decryption request. The UVC-engine back end polls the status bits of the issued crypto encryption and decryption requests by calling the interface provided by the virtio cryptodev driver, thereby detecting processed crypto encryption and decryption requests and retrieving them in batches.
Step 4.6, the UVC-engine notifies and wakes up the application process. For each processed crypto encryption and decryption request, the UVC-engine back end obtains the fiber asynchronous file descriptor that the UVC-engine front end added in advance and uses it to wake up the corresponding sleeping application process.
Step 4.7, the UVC-engine returns the processing result to the application process. After the application process is woken up, it resumes the fiber corresponding to the crypto encryption and decryption request, which resumes the UVC-engine front end's processing flow for that request; the UVC-engine front end takes the processing result added by the heterogeneous encryption and decryption resources from the crypto encryption and decryption request and returns it to the application process through the interface provided by OpenSSL.
Step 5, perform the related cleanup operations. The cleanup in the UVCrypto framework mainly covers two aspects: after a single encryption and decryption request has completed, the UVC-engine cleans up resources at the request level and releases the space of the encryption and decryption request allocated from the memory pool; when the UVC-engine back end observes that a session object in the session table can no longer be used, the UVC-engine cleans up resources at the session level and deletes the session object.
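The session table kept by the UVC-engine back end (design aspect 1 of the back end above, step 4.1.2 and the session-level cleanup of step 5) can be illustrated with a small C model. This is added example code, not code from the patent or the UVCrypto framework: `sess_acquire()` looks a session up by its metadata (algorithm, operation, key) and performs the simulated control-plane round trip `host_create_session()` only on a miss, while `sess_release()` drops the holder and, once nobody holds the session, clears the entry together with the cached key bytes. The field layout, `MAX_KEY`, `MAX_SESSIONS` and the in-process ID allocator are assumptions made for the example; in the framework the ID comes back from the UVC-host through ctrlq.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEY      64   /* assumption: longest key the table stores */
#define MAX_SESSIONS 16   /* assumption: table capacity */

/* Encryption/decryption metadata identifying a session (constructed fields). */
struct sess_meta {
    uint32_t algo;          /* algorithm identifier */
    uint32_t op;            /* 0 = encrypt, 1 = decrypt */
    size_t key_len;
    uint8_t key[MAX_KEY];
};

struct sess_entry {
    bool used;
    unsigned refs;          /* front ends currently holding the session */
    uint64_t session_id;    /* ID handed back by the (simulated) UVC-host */
    struct sess_meta meta;
};

struct sess_table {
    struct sess_entry e[MAX_SESSIONS];
    uint64_t next_id;       /* simulated UVC-host allocator */
    unsigned created;       /* number of control-plane round trips taken */
};

/* Builds metadata with a constant-filled key; key_len is clamped to MAX_KEY. */
struct sess_meta make_meta(uint32_t algo, uint32_t op, uint8_t fill, size_t key_len) {
    struct sess_meta m;
    memset(&m, 0, sizeof m);
    m.algo = algo;
    m.op = op;
    m.key_len = key_len > MAX_KEY ? MAX_KEY : key_len;
    memset(m.key, fill, m.key_len);
    return m;
}

static bool meta_equal(const struct sess_meta *a, const struct sess_meta *b) {
    return a->algo == b->algo && a->op == b->op && a->key_len == b->key_len &&
           memcmp(a->key, b->key, a->key_len) == 0;
}

/* Stand-in for steps 4.1.2.1 to 4.1.2.4: ctrlq -> VM-Exit -> UVC-host -> ID. */
static uint64_t host_create_session(struct sess_table *t) {
    t->created++;
    return ++t->next_id;
}

void sess_table_init(struct sess_table *t) { memset(t, 0, sizeof *t); }

/* Step 4.1.2: reuse an entry with identical metadata, otherwise create one.
 * Returns the session ID, or 0 if the key is oversized or the table is full. */
uint64_t sess_acquire(struct sess_table *t, const struct sess_meta *m) {
    struct sess_entry *slot = NULL;
    if (m->key_len > MAX_KEY)
        return 0;
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        struct sess_entry *e = &t->e[i];
        if (e->used && meta_equal(&e->meta, m)) {
            e->refs++;
            return e->session_id;
        }
        if (!e->used && slot == NULL)
            slot = e;
    }
    if (slot == NULL)
        return 0;
    slot->used = true;
    slot->refs = 1;
    slot->meta = *m;
    slot->session_id = host_create_session(t);
    return slot->session_id;
}

/* Step 5 cleanup: drop one holder; when nobody holds the session any more
 * the entry is cleared, which also wipes the cached key bytes. */
bool sess_release(struct sess_table *t, uint64_t id) {
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        struct sess_entry *e = &t->e[i];
        if (e->used && e->session_id == id) {
            if (--e->refs == 0)
                memset(e, 0, sizeof *e);
            return true;
        }
    }
    return false;
}

size_t sess_live(const struct sess_table *t) {
    size_t n = 0;
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        n += t->e[i].used;
    return n;
}

int main(void) {
    struct sess_table t;
    struct sess_meta a = make_meta(1, 0, 0x11, 16);
    struct sess_meta b = make_meta(1, 0, 0x22, 16);   /* same algo, other key */
    sess_table_init(&t);
    uint64_t s1 = sess_acquire(&t, &a);
    uint64_t s2 = sess_acquire(&t, &a);                /* hit: no round trip */
    uint64_t s3 = sess_acquire(&t, &b);                /* miss: new session */
    printf("ids %llu %llu %llu, round trips %u, live %zu\n",
           (unsigned long long)s1, (unsigned long long)s2,
           (unsigned long long)s3, t.created, sess_live(&t));
    sess_release(&t, s1);
    sess_release(&t, s1);                               /* last holder: entry wiped */
    printf("live after release: %zu\n", sess_live(&t));
    return 0;
}
```

Two processes with identical metadata share one session ID and cost one control-plane round trip, which is the saving the cache is for; a different key yields a different session even when the algorithm matches. Reference counting is the detail that makes the session-level cleanup of step 5 safe: the entry, and the key bytes it caches, are only cleared when no front end still refers to it.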
The foregoing describes in detail preferred embodiments of the present invention. It should be understood that numerous modifications and variations can be made in accordance with the concepts of the invention without requiring creative effort by one of ordinary skill in the art. Therefore, all technical solutions which can be obtained by logic analysis, reasoning or limited experiments based on the prior art by the person skilled in the art according to the inventive concept shall be within the scope of protection defined by the claims.

Claims (10)

1. The unified paravirtualized framework for heterogeneous encryption and decryption computing resources is characterized by comprising a paravirtualized back-end module, a virtual machine monitoring program, a driving module and a paravirtualized front-end module, wherein the paravirtualized back-end module receives a control plane sess session request from the virtual machine monitoring program and returns a session ID after a session object is created by a local process; the para-virtualized back-end module receives a data plane crypto encryption and decryption request from the para-virtualized front-end module and constructs a local crypto encryption and decryption request; the paravirtualized back-end module issues a local crypto encryption and decryption request to the physical hardware device and retrieves the processed crypto encryption and decryption request;
The driving module operates in the virtual machine, replaces the kernel of the virtual machine operating system to take over the encryption and decryption equipment of the virtual machine after the virtual machine is started, and exposes a uniform interface to the upper layer;
the paravirtualized front-end module can be loaded by an application program in the virtual machine through a universal interface as the engine of the virtual encryption and decryption equipment and executes an initialization flow; the paravirtualized front-end module receives encryption and decryption metadata from an application process, constructs a sess session request, and sends the sess session request to the virtual machine monitoring program through a control plane queue to acquire a session object; the paravirtualized front-end module receives encryption and decryption data from an application process, constructs a crypto encryption and decryption request, and sends the crypto encryption and decryption request to the paravirtualized back-end module through a data plane queue; the paravirtualized front-end module monitors the completion state of the crypto encryption and decryption request, and after the request is completed retrieves it in batches and notifies and wakes up the application process;
the paravirtualized front-end module provides an encryption and decryption request asynchronous processing mode based on a fiber mechanism provided by OpenSSL; the paravirtualized front-end module comprises an engine front-end module and an engine back-end module.
2. The unified paravirtualized framework for heterogeneous encryption and decryption computing resources of claim 1, wherein the paravirtualized back-end module maintains a control plane queue and a data plane queue for each virtual encryption and decryption device to enable communication with the virtual machine monitor and the paravirtualized front-end module, the control plane queue and the data plane queue both being implemented as virtual queues; the control plane queue transmits a sess session request containing encryption and decryption metadata, used for creating a session object; the data plane queue transmits a crypto encryption and decryption request containing encryption and decryption data, used for issuing the request and monitoring its completion state; the paravirtualized back-end module maintains a unix socket file descriptor for establishing a communication link with the virtual machine monitoring program, and realizes message transmission based on the vhost-user protocol through a socket interface;
The virtual machine monitoring program uses a host machine large page memory to provide virtual memory support for a virtual machine, the large page memory is managed by the paravirtualized back-end module together with the virtual machine monitoring program based on a Linux file descriptor sharing mechanism, and a crypto encryption and decryption request can be exchanged with the paravirtualized front-end module on the data plane queue in a zero copy mode, so that VM-Exit times are reduced;
the paravirtualized back-end module builds a resource pool, and allows each heterogeneous encryption and decryption resource to divide the complete physical hardware device function into resource groups with finer granularity, so that a plurality of heterogeneous encryption and decryption resources jointly support one virtual device;
the paravirtualized back-end module realizes a sequential ordering layer, maintains an additional intermediate queue to recover completed requests according to the order of encryption and decryption requests, forcibly ensures that a plurality of heterogeneous encryption and decryption resources realize FIFO requirements, and avoids out-of-order execution observed by application programs.
3. The unified paravirtualized framework for heterogeneous encryption and decryption computing resources of claim 1, wherein the engine front-end module is implemented as a dynamic link library, registers in the OpenSSL engine library based on the engine mechanism provided by OpenSSL and provides an initialization entry function, so that the engine front-end module can be loaded by an application program in a virtual machine as the engine of a virtual encryption and decryption device, and on that basis receives encryption and decryption metadata and encryption and decryption data issued by the application program to construct a control plane sess session request and a data plane crypto encryption and decryption request.
4. The unified paravirtualized framework for heterogeneous encryption and decryption computing resources of claim 1, wherein the engine back-end module cooperates with the virtual machine monitor and the paravirtualized back-end module to create a session object when an application process constructs a sess session request to obtain the session object; the engine back-end module locally maintains a session table for caching session objects and allows a session object in the table to be reused by different encryption and decryption processes with the same encryption and decryption metadata;
the multi-process memory sharing mechanism provided based on DPDK, the front end module of the engine and the back end module of the engine are respectively realized as a primary process and a secondary process, which can have the same large-page memory topology structure, and further can create a data transmission queue in the shared memory and transmit a crypto encryption and decryption request in a zero-copy mode;
the engine back-end module firstly locally caches the encryption and decryption requests issued by the engine front-end module after polling each data transmission queue, and then issues the encryption and decryption requests in batch after accumulating a certain amount of encryption and decryption requests;
and the engine back-end module is used as a daemon process, and a single process is independently responsible for polling the completion state of all encryption and decryption requests.
5. A unified paravirtualized method for heterogeneous encryption and decryption computing resources, characterized in that the method is based on the unified paravirtualized framework for heterogeneous encryption and decryption computing resources according to any one of claims 1 to 4, and comprises the following steps:
step 1, start the engine back-end module when the virtual machine is initialized; the engine back-end module is implemented as a daemon inside the virtual machine and, during the virtual machine's initialization phase, performs resource initialization and virtual encryption and decryption device initialization; resource initialization includes initializing the crypto encryption and decryption requests; virtual device initialization includes the engine back-end module calling the interface provided by the driver module to create two virtual queues, a control plane queue and a data plane queue, communicating with the paravirtualized back-end module through VM-Exit, and sharing the control plane queue and data plane queue with the virtual encryption and decryption device;
step 2, the guest application program loads the engine front-end module as an engine; the guest application program loads the engine of the virtual encryption and decryption device by calling the interface provided by OpenSSL and runs the initialization flow the engine provides; the engine loaded by the guest application program is the engine front-end module implemented as a dynamic link library, and the initialization flow includes the engine front-end module actively establishing a connection with the engine back-end module, the engine back-end module creating a data transmission queue, and sharing that data transmission queue together with the crypto encryption and decryption requests with the engine front-end module;
step 3, the application process initializes encryption and decryption metadata; the guest application program starts several fibers through the fiber mechanism provided by OpenSSL and switches to each fiber in turn for execution; each fiber indirectly calls the engine front-end module through the interface provided by OpenSSL to initialize encryption and decryption metadata including keys, and the engine front-end module records that metadata at the same time;
step 4, the application process executes encryption and decryption requests; each fiber indirectly calls the engine front-end module through the interface provided by OpenSSL to execute an encryption and decryption request, passing it the encryption and decryption data, including the plaintext to be encrypted; the engine front-end module indirectly calls the underlying heterogeneous encryption and decryption resources to process the request and obtain the processing result;
step 5, perform the related cleanup operations; after a single encryption and decryption request completes, the paravirtualized front-end module cleans up request-level resources and releases the space allocated for the crypto encryption and decryption request in the memory pool; when the engine back-end module detects that the session table contains a session object that can no longer be used, the paravirtualized front-end module cleans up session-level resources and deletes that session object.
6. The unified paravirtualized method for heterogeneous encryption and decryption computing resources of claim 5, wherein the step 4 further comprises:
step 4.1, the paravirtualized front-end module acquires a session object;
step 4.2, the paravirtualized front-end module creates a crypto encryption and decryption request; the engine front-end module creates the request from the encryption and decryption data supplied by the guest application program and indexes it to the session object obtained in step 4.1; in the request the engine front-end module also records a fiber asynchronous file descriptor used to notify the application process of the request's completion state;
step 4.3, the paravirtualized front-end module issues the crypto encryption and decryption request;
step 4.4, the paravirtualized back-end module processes the crypto encryption and decryption request; the paravirtualized back-end module actively polls each data plane queue to obtain crypto encryption and decryption requests;
step 4.5, the paravirtualized front-end module retrieves the crypto encryption and decryption request; the engine back-end module polls the status bit of each issued request by calling the interface provided by the driver module, thereby detecting processed requests and retrieving them in batches;
step 4.6, the paravirtualized front-end module notifies and wakes the application process; for each processed request the engine back-end module reads the fiber asynchronous file descriptor recorded earlier by the engine front-end module and uses it to wake the corresponding sleeping application process;
step 4.7, the paravirtualized front-end module returns the processing result to the application process; once woken, the application process resumes the fiber that corresponds to the crypto encryption and decryption request, which resumes the engine front-end module's processing flow for that request; the engine front-end module takes the processing result written into the request by the heterogeneous encryption and decryption resources and returns it to the application process through the interface provided by OpenSSL.
7. The unified paravirtualized method for heterogeneous encryption and decryption computing resources of claim 6, wherein the step 4.1 further comprises:
step 4.1.1, the engine front-end module applies to the engine back-end module for a session object, based on the encryption and decryption metadata supplied by the guest application program;
and step 4.1.2, the engine back-end module looks up its local session table by the encryption and decryption metadata supplied by the engine front-end module; if a matching session object exists it is returned directly to the engine front-end module, otherwise a session object is created, added to the engine back-end module's session table, and then returned to the engine front-end module.
8. The unified paravirtualized method for heterogeneous encryption and decryption computing resources of claim 7, wherein the creating the session object in step 4.1.2 comprises the steps of:
step 4.1.2.1, the engine back-end module initializes a blank session object in its local process, constructs a sess session request from the encryption and decryption metadata supplied by the engine front-end module, and calls the interface provided by the driver module to add it to the control plane queue;
step 4.1.2.2, the virtual machine traps to the host through a VM-Exit; the virtual machine monitor intervenes and communicates with the paravirtualized back-end module, which creates a session object in its local process and returns a session ID to the virtual machine monitor;
step 4.1.2.3, the virtual machine monitor passes the received session ID to the driver module through a subfield of the sess session request;
and step 4.1.2.4, on receiving the session ID the engine back-end module stores it in the session object of its local process, thereby establishing the index between the session object in the engine front-end module's process and the session object in the paravirtualized back-end module's process.
9. The unified paravirtualized method for heterogeneous encryption and decryption computing resources of claim 6, wherein the step 4.3 further comprises:
step 4.3.1, the engine front-end module adds the crypto encryption and decryption request to the data transmission queue it shares with the engine back-end module, immediately suspends the current fiber and hands control back to the application program, which then begins processing a new encryption and decryption request; once all fibers of the application process are suspended, the application program goes to sleep and monitors the events of the asynchronous file descriptors on each fiber;
and step 4.3.2, the engine back-end module obtains crypto encryption and decryption requests by polling each data transmission queue, buffers them, and passes them in batches to the data plane queue.
10. The unified paravirtualized method for heterogeneous encryption and decryption computing resources of claim 6, wherein the step 4.4 further comprises:
step 4.4.1, the paravirtualized back-end module obtains the session ID through the session object indexed by the crypto encryption and decryption request, obtains the corresponding session object from its local session table, obtains the encryption and decryption data in zero-copy fashion from the content of the request, and constructs a local crypto encryption and decryption request;
step 4.4.2, the paravirtualized back-end module sends local crypto encryption and decryption requests in batches to the heterogeneous encryption and decryption resources through a dispatch driver layer;
step 4.4.3, the paravirtualized back-end module retrieves processed crypto encryption and decryption requests in batches from the corresponding heterogeneous encryption and decryption resources; these requests already carry the processing result added by the heterogeneous resources, and the paravirtualized back-end module then sets the status bit of each such request;
and step 4.4.4, the paravirtualized back-end module loops through steps 4.4.1 to 4.4.3 continuously, issuing and retrieving crypto encryption and decryption requests without interruption.
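The request path that claims 4 to 10 describe, modelled in a single C process, as an added example that is not code from the patent or its authors: the session lookup-or-create of steps 4.1.1 to 4.1.2.4 (same metadata reuses a session, different metadata gets a new one with a host-assigned ID), the shared-ring submission and batching of step 4.3, and the status-bit-then-wake-up completion of steps 4.4 to 4.7. Everything outside the guest engine is a stand-in and is labelled as such in the comments: the host-side paravirtualized back-end is a session-ID counter, the heterogeneous accelerator is a keyed XOR, the DPDK hugepage ring is a static array, and each fiber's asynchronous file descriptor is a pipe. In a real OpenSSL engine the fd would be registered with ASYNC_WAIT_CTX_set_wait_fd() and the fiber parked with ASYNC_pause_job(); those calls are left out so the example builds without OpenSSL. All identifiers (crypto_meta, session_lookup_or_create, frontend_submit, backend_poll, frontend_complete) are hypothetical.

```c
#include <poll.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#define MAX_SESS   8
#define RING_SLOTS 16
#define BATCH      4       /* the back-end issues only once this many are queued */
#define KEY_LEN    16

/* Encryption and decryption metadata as the claims use it: algorithm plus key. */
typedef struct { uint32_t alg; uint8_t key[KEY_LEN]; } crypto_meta;
/* Engine back-end session table (claim 4): local object plus host-assigned ID. */
typedef struct { int in_use; crypto_meta meta; uint32_t host_sess_id; } session;
static session  g_sess[MAX_SESS];
static uint32_t g_next_host_id = 1;    /* stands in for the paravirtualized back-end */

/* The table is keyed on key material, so compare in constant time: a lookup
 * must not leak how many key bytes of another process's session matched. */
static int meta_equal(const crypto_meta *a, const crypto_meta *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < KEY_LEN; i++) diff |= a->key[i] ^ b->key[i];
    return a->alg == b->alg && diff == 0;
}

/* Steps 4.1.1 to 4.1.2.4: reuse a cached session or create one through the host; -1 when full. */
int session_lookup_or_create(const crypto_meta *m) {
    for (int i = 0; i < MAX_SESS; i++)
        if (g_sess[i].in_use && meta_equal(&g_sess[i].meta, m)) return i;
    for (int i = 0; i < MAX_SESS; i++)
        if (!g_sess[i].in_use) {
            g_sess[i].in_use = 1;
            g_sess[i].meta = *m;
            g_sess[i].host_sess_id = g_next_host_id++;   /* 4.1.2.2 to 4.1.2.4 */
            return i;
        }
    return -1;
}

/* A crypto request in the shared ring (step 4.2): session index, data,
 * status bit, and the async fd the back-end writes to on completion. */
typedef struct { int sess; uint8_t data[32]; size_t len; int done; int notify_fd; } crypto_req;
static crypto_req g_ring[RING_SLOTS], *g_batch[BATCH];
static int g_head, g_tail, g_batched;  /* front-end produces, back-end consumes */

/* Step 4.3.1: enqueue and return the fd the fiber waits on (the pipe's read end). */
int frontend_submit(int sess, const uint8_t *buf, size_t len, int *out_slot) {
    int p[2];
    if (len > 32 || g_tail - g_head >= RING_SLOTS || pipe(p) != 0) return -1;
    int slot = g_tail++ % RING_SLOTS;  /* a real ring frees slots in step 5 */
    crypto_req *r = &g_ring[slot];
    r->sess = sess; r->len = len; r->done = 0; r->notify_fd = p[1];
    memcpy(r->data, buf, len);
    *out_slot = slot;
    return p[0];
}

/* Simulated accelerator: keyed XOR, only to show the session's key is applied. */
static void accel_process(crypto_req *r) {
    uint8_t k = g_sess[r->sess].meta.key[0];
    for (size_t i = 0; i < r->len; i++) r->data[i] ^= k;
}

/* Steps 4.3.2 to 4.6: drain the ring into a batch, issue it once full (or when
 * flushing), set each status bit, then wake each fiber. Returns completions or -1. */
int backend_poll(int flush) {
    while (g_head < g_tail && g_batched < BATCH)
        g_batch[g_batched++] = &g_ring[g_head++ % RING_SLOTS];
    if (g_batched < BATCH && !flush) return 0;
    int n = g_batched;
    for (int i = 0; i < n; i++) {
        uint8_t one = 1;
        accel_process(g_batch[i]);     /* 4.4.2 and 4.4.3 on the host side */
        g_batch[i]->done = 1;          /* status bit before the wake-up */
        if (write(g_batch[i]->notify_fd, &one, 1) != 1) return -1;
        close(g_batch[i]->notify_fd);
    }
    g_batched = 0;
    return n;
}

/* Step 4.7: the application waits on the fd, the fiber resumes and copies the
 * result out of the shared ring. Returns bytes copied, or -1. */
int frontend_complete(int wait_fd, int slot, uint8_t *out, int timeout_ms) {
    struct pollfd pfd = { .fd = wait_fd, .events = POLLIN }; uint8_t b;
    if (poll(&pfd, 1, timeout_ms) <= 0 || read(wait_fd, &b, 1) != 1) return -1;
    close(wait_fd);
    crypto_req *r = &g_ring[slot];
    if (!r->done) return -1;           /* woken without the status bit set */
    memcpy(out, r->data, r->len);
    return (int)r->len;
}

int main(void) {   /* one request, flushed below the batch threshold */
    crypto_meta m = { .alg = 1, .key = { 0x5a } };
    uint8_t pt[4] = { 0, 1, 2, 3 }, out[32];
    int slot, s = session_lookup_or_create(&m), fd = frontend_submit(s, pt, 4, &slot);
    return (backend_poll(1) == 1 && frontend_complete(fd, slot, out, 100) == 4) ? 0 : 1;
}
```

The ordering inside backend_poll is the part worth copying: the status bit is set before the fd is written, so a fiber woken by the fd never reads a slot the accelerator has not finished, which is the check frontend_complete makes before copying. The constant-time meta_equal matters because claim 4 lets unrelated processes share a session purely by presenting identical metadata, so the lookup is comparing one process's key against another's.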
CN202310024575.6A 2023-01-09 2023-01-09 Unified paravirtualized framework oriented to heterogeneous encryption and decryption computing resources Pending CN116032638A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310024575.6A CN116032638A (en) 2023-01-09 2023-01-09 Unified paravirtualized framework oriented to heterogeneous encryption and decryption computing resources

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310024575.6A CN116032638A (en) 2023-01-09 2023-01-09 Unified paravirtualized framework oriented to heterogeneous encryption and decryption computing resources

Publications (1)

Publication Number Publication Date
CN116032638A true CN116032638A (en) 2023-04-28

Family

ID=86072054

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310024575.6A Pending CN116032638A (en) 2023-01-09 2023-01-09 Unified paravirtualized framework oriented to heterogeneous encryption and decryption computing resources

Country Status (1)

Country Link
CN (1) CN116032638A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116248414A (en) * 2023-05-09 2023-06-09 杭州海康威视数字技术股份有限公司 Method and device for realizing password acceleration based on virtualized hardware and electronic equipment
CN116257276A (en) * 2023-05-09 2023-06-13 珠海星云智联科技有限公司 Virtual host machine user back-end upgrading method supporting virtualized hardware acceleration
CN116248414B (en) * 2023-05-09 2023-07-25 杭州海康威视数字技术股份有限公司 Method and device for realizing password acceleration based on virtualized hardware and electronic equipment

Similar Documents

Publication Publication Date Title
CN116032638A (en) Unified paravirtualized framework oriented to heterogeneous encryption and decryption computing resources
Lu et al. Accelerating spark with RDMA for big data processing: Early experiences
CN101976200B (en) Virtual machine system for input/output equipment virtualization outside virtual machine monitor
US11296956B2 (en) Oversubscribable resource allocation
WO2019014268A1 (en) Data processing unit for stream processing
EP1257909B1 (en) Method and apparatus for improving utilization of a resource on a shared client
CN113614722A (en) Process-to-process secure data movement in a network function virtualization infrastructure
CN105335211B (en) A kind of FPGA accelerators scheduling system and method based on Xen virtual clusters
US20230185732A1 (en) Transparent encryption
CN108809975B (en) Internal and external network isolation system and method for realizing internal and external network isolation
CN106681793A (en) KVM-based accelerator virtualization data processing system and method
CN104951712A (en) Data safety protection method in Xen virtualization environment
CN109522114A (en) Radar data high-speed communication processing module of virtualization framework
CN103501295B (en) A kind of remote access method based on virtual machine (vm) migration and equipment
Zhou et al. Optimizations for high performance network virtualization
Pickartz et al. Application migration in HPC—a driver of the exascale era?
Niu et al. NetKernel: Making network stack part of the virtualized infrastructure
WO2015121750A1 (en) System and method for data communication between virtual interfaces
Wang et al. vSocket: virtual socket interface for RDMA in public clouds
Eran et al. Flexdriver: A network driver for your accelerator
CN116418522A (en) Cloud server crypto-engine system based on virtualization technology
Bai et al. Acceleration of RSA processes based on hybrid ARM-FPGA cluster
CN110647399A (en) High-performance computing system and method based on artificial intelligence network
Yazdani et al. Enhancing Edge Computing with Unikernels in 6G Networks
Gupta et al. Efficient barrier using remote memory operations on VIA-based clusters

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination