CN116225614A - Method and system for virtualizing security cryptographic module in fragments - Google Patents

Info

Publication number
CN116225614A
Authority
CN
China
Prior art keywords
password
module
virtual
request
cryptographic
Prior art date
Legal status
Pending
Application number
CN202310068698.XA
Other languages
Chinese (zh)
Inventor
邹式论
黄臻
王亚栋
邓俊
Current Assignee
Chengdu 30javee Microelectronics Co ltd
Original Assignee
Chengdu 30javee Microelectronics Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/48 Program initiating; Program switching, e.g. by interrupt
    • G06F9/4806 Task transfer initiation or dispatching
    • G06F9/4843 Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
    • G06F9/4881 Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45579 I/O management, e.g. providing access to device drivers or storage
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a method and a system for virtualizing a security cryptographic module in fragments (mediated pass-through). The method comprises the following steps: device simulation, which presents a virtual PCIE device inside the virtual machine; address translation, which converts GPA to HPA and pins the DMA buffer in host memory for direct use by the virtual machine; initialization of the virtual cryptographic module memory queues, which allocates a group of memory queues in the shared BAR space of each virtual cryptographic module and initializes the cryptographic request descriptors in them; submission of a cryptographic operation request; priority arbitration of cryptographic operation requests, which provides priority-based scheduling of cryptographic request tasks; execution of the cryptographic operation request; and completion notification of the cryptographic operation request. The invention is easy to deploy and easy to port.

Description

Method and system for virtualizing security cryptographic module in fragments
Technical Field
The invention relates to the technical field of computer I/O virtualization, in particular to a method and a system for virtualizing a security cryptographic module in fragments (mediated pass-through).
Background
The term "cryptographic module" is a computer science term approved by the national science and technology term approval committee in 2018. It is defined as a relatively independent software or hardware module that performs cryptographic functions and provides a call interface. In physical form it is usually a PCI-E plug-in card, a USB cryptographic module, or a cryptographic module integrated in a processor SoC; a software cryptographic module has no physical form. A cryptographic module provides security services to computer application systems through an application programming interface, including data encryption, digital signatures, integrity verification, identity authentication, access control and non-repudiation, and is mainly used in industries such as e-government, e-commerce and e-finance.
However, because of the way a cryptographic module is used, it generally provides an application programming interface only to the physical computer and cannot directly provide one to each virtual machine in a virtualized environment. Multiplexing limited external resources through I/O virtualization is an efficient way to let multiple virtual machines use cryptographic modules at the same time. From the processor's perspective the cryptographic module is accessed through a set of I/O resources, so device virtualization is also referred to as I/O virtualization.
At present, existing cryptographic modules that support the SR-IOV hardware I/O virtualization technology can be used in a virtual machine, but the hardware requirements are strict: the PCI-E cryptographic module must support SR-IOV, the computer platform must support an IOMMU, and only the PCI interface form is covered, so cryptographic modules with other hardware interfaces are not supported. I/O paravirtualization technologies such as the virtio framework can also emulate a cryptographic module, but with some loss of efficiency. Finally, the cryptographic module may be shared without I/O virtualization through a pure software agent: for example, each virtual machine sends its cryptographic service requests as network messages to the physical computer in which the module is installed and thereby uses it indirectly. This uses the cryptographic module inefficiently and adds software overhead and service latency.
As users make increasing use of cryptographic devices on virtualized platforms, higher demands are placed on the performance of data-center cryptographic modules in order to sustain encryption and decryption throughput and high concurrency in a server. At the same time, the cryptographic module in a server needs a more efficient, centrally managed way of using its resources, so that when limited cryptographic hardware resources must be shared by a large number of data-intensive tasks, the processing performance of all services is preserved as far as possible and the scalability of the cryptographic module equipment is realized.
VFIO-mdev is a mediated device bus driver model implemented in the Linux kernel after 2016. It extends the VFIO kernel framework with support for mdev virtual devices (the mdev bus driver). Where VFIO originally supported pass-through only of standard hardware PCI devices and platform devices, a PCI BAR space, for example, becomes a virtual device interface that can be obtained either directly from the hardware device or from the mdev device driver's definition. Thus, when the BAR space of one PCI device needs to be split as a resource, a suitable mdev device driver can pass it to different virtual machines at 4 KB (page size) granularity.
Combined with the basic principle of virtualization, it is not hard to see that secure virtualization must emulate sensitive and privileged instructions, while for device resources that affect performance but not security the device pass-through idea is preferable: the virtual machine monitor manages those performance-related resources and assigns them directly to a virtual machine, and the instructions that operate on them are not emulated. For sensitive instruction resources, instruction emulation is still used. This design lets the virtual device obtain performance close to that of a directly passed-through device, while, through device emulation and paravirtualization, the virtual machine monitor still supports managed device sharing.
Fragmented virtualization (Mediated Pass-Through) is a device virtualization mode that combines device emulation with device pass-through. Its core idea is that the device's key resources are passed directly to the guest virtual machine for operation, while the virtual machine monitor emulates the privileged device resources that the virtual machine needs to access.
Therefore, there is a need in the art for a general I/O virtualization method for different types of cryptographic modules, which shares the real cryptographic modules in the physical machine with each virtual machine so that they can be used in the virtualized environment, and in particular solves the problems of versatility and performance of the cryptographic module virtualization approaches enumerated above.
Disclosure of Invention
The invention aims to provide a method and a system for virtualizing a secure cryptographic module in fragments, which solve the problem of sharing a real cryptographic module in a physical machine with each virtual machine so that the module can be used in a virtualized environment, and in particular the problems of universality and performance of cryptographic module virtualization.
The invention is realized by the following technical scheme. A secure cryptographic module fragment virtualization method comprises the following steps:
device simulation, namely providing a virtual PCIE device inside the virtual machine;
address translation, namely converting GPA to HPA and pinning the DMA buffer in host memory for direct use by the virtual machine;
initializing the memory queues of the virtual cryptographic modules, namely allocating a group of memory queues in the shared BAR space of each virtual cryptographic module and initializing the cryptographic request descriptors in them;
submitting a cryptographic operation request;
arbitrating the priority of cryptographic operation requests, so that priority-based scheduling of cryptographic request tasks is realized;
executing the cryptographic operation request;
notifying completion of the cryptographic operation request.
Further, the device simulation is specifically: by distinguishing privilege-sensitive resources from performance-sensitive resources, device emulation is performed on the privilege-sensitive resources and device pass-through on the performance-sensitive resources, so that a complete virtual PCIE device with PCIE characteristics, performance close to a physical native platform and device-sharing capability is provided inside the virtual machine.
Further, the address translation is specifically: GPAs are translated to HPAs using "vfio_pin_pages", and the DMA buffers are pinned in host memory for use by the virtual machines.
Further, the initialization of the virtual cryptographic module memory queues specifically includes: a group of memory queues is allocated in the shared BAR space of each virtual cryptographic module and the cryptographic request descriptors in them are initialized; if several virtual machines run simultaneously, several groups of memory queue space are allocated, and each queue is given a preset weight that represents its processing priority.
Further, the cryptographic operation request submission is specifically: when a user in the virtual machine needs a cryptographic operation, the application program calls the interface in the virtual cryptographic module driver, fills in a cryptographic request descriptor in the shared BAR space, and issues the I/O instruction.
Further, the priority arbitration of cryptographic operation requests specifically includes: when a request is received, the weight of the queue in which the request descriptor is located is first obtained; this value is the number of cryptographic requests processed consecutively from that queue. When the number processed exceeds the weight, processing of requests on that queue stops and the arbiter rotates to the next queue, thereby realizing priority-based scheduling of cryptographic request tasks.
Further, the execution of the cryptographic operation request is specifically: when the priority arbitration condition is met, the cryptographic request descriptor is parsed; the descriptor contains the guest physical memory address of the request data, which is converted into the host physical memory address and handed to the driver interface of the real cryptographic module, and from there to the DMA engine of the real cryptographic module for processing.
Further, the completion notification of the cryptographic operation request specifically includes: when the hardware of the cryptographic module has finished processing and updated the data, the physical hardware first triggers an interrupt that is injected into the kernel of the physical machine; the operating system of the physical machine updates the related registers and then injects an interrupt into the virtual machine to notify the virtual cryptographic module driver in the virtual machine of the updated information, after which the computation result is returned to the application program.
The system comprises a simulation module, a translation module, an initialization module, a submission module, an arbitration module, an execution module and a notification module. The simulation module performs device simulation and provides a virtual PCIE device inside the virtual machine; the translation module performs address translation, converting GPA to HPA and pinning the DMA buffer in host memory for direct use by the virtual machine; the initialization module initializes the memory queues of the virtual cryptographic modules, allocating a group of memory queues in the shared BAR space of each virtual cryptographic module and initializing the cryptographic request descriptors in them; the submission module submits cryptographic operation requests; the arbitration module arbitrates the priority of cryptographic operation requests and realizes priority-based scheduling of cryptographic request tasks; the execution module executes cryptographic operation requests; and the notification module notifies completion of cryptographic operation requests.
The invention has the following beneficial effects. It is based on the vfio-mdev framework and, unlike the existing virtio paravirtualization scheme, which requires modifying the QEMU source code and the Linux kernel source code, it is easy to deploy and easy to port. The cryptographic request data is filled in only once, in the virtual machine; its memory address is then translated and handed to the DMA engine of the real cryptographic module, so the whole process involves no data copying and processing performance is preserved to the greatest extent. The invention also designs a queue priority arbitration mechanism, so that the cryptographic requests of each virtual machine use the real hardware cryptographic module resources in proportion to their weights, thereby controlling resource flow.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to the structures shown in these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic block diagram of the present invention;
FIG. 2 is a schematic diagram of address translation;
FIG. 3 is a schematic diagram of Loongson SE fragment virtualization.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
Some embodiments of the present invention are described in detail below with reference to the accompanying drawings. The following embodiments and features of the embodiments may be combined with each other without conflict.
Example 1:
Referring to FIG. 1, the secure cryptographic module fragment virtualization method uses a server-side virtualization driver (hereinafter the fragment virtualization driver) to create, for the guest virtual machines, a virtual cryptographic module that can be shared among multiple virtual machines. Each virtual machine accesses the virtual cryptographic module through a guest driver, using an API library in user space. The guest virtual machine sends operation requests to the virtual cryptographic module; through I/O virtualization these requests converge in the fragment virtualization driver of the physical machine, where priority arbitration orders them for processing by the real cryptographic module, and the results are returned to the guest virtual machine. The invention provides a fragment virtualization scheme for security cryptographic modules on a KVM cloud platform: virtual cryptographic modules (vCards) are provided in the physical machine for users in several virtual machines, so that the relationship between cryptographic module and users is no longer one-to-one but one-to-many. The utilization of the cryptographic module is improved, and its computing resources can be distributed to several virtual machines according to different priorities.
In general, the application designs, on the vfio-mdev framework, an interface through which each virtual machine's QEMU can interact, and a set of virtual cryptographic modules with PCIE characteristics inside all virtual machines. The server-side virtualization driver is implemented as a Linux kernel module, which simplifies the software stack (file system and so on) in the kernel space of the physical machine; without modifying the QEMU source code, performance-related resources are passed through into the virtual machine as far as possible, and sensitive resources are emulated.
Specifically, the invention is implemented as follows:
(1) Device simulation. Device simulation is the most basic functional module of the fragment virtualization driver ((2) vCard Server Driver in FIG. 1). By distinguishing privilege-sensitive resources from performance-sensitive resources, device emulation is performed on the privileged resources and device pass-through on the performance-sensitive resources, so that a complete virtual PCIE device with PCIE characteristics, performance close to a physical native platform and device-sharing capability is presented inside the virtual machine, including complete configuration space and BAR space read/write functions. All functions of a virtual cryptographic module are provided, including device creation and deletion, DMA requests, and specific register operations.
(2) Address translation. The fragment virtualization driver translates GPAs to HPAs and pins this segment of DMA buffers in host memory using "vfio_pin_pages" for use by the virtual machine (see FIG. 2). The "vfio_pin_pages" interface also ensures memory isolation between different guests. This design prevents a malicious virtual machine from using its virtual I/O queues, during translation at the virtual machine monitor layer, to fill malicious commands into physical-machine I/O queues that are mapped and allocated to other virtual machines. In addition, during address translation one virtual machine is not allowed to access the physical address space on the physical machine that actually corresponds to other virtual machines, which secures each virtual machine's memory accesses. The pinned buffers are then used for data interaction with the corresponding virtual cryptographic module driver in the guest (the BAR space of (3) vCard Client Driver in FIG. 1).
(3) Initialization of the virtual cryptographic module memory queues. A group of memory queues is allocated in the shared BAR space of each virtual cryptographic module and the cryptographic request descriptors in them are initialized. If several virtual machines run simultaneously, several groups of memory queue space are allocated, and each queue is given a preset weight that represents its processing priority.
(4) Cryptographic operation request submission. When a user in the virtual machine needs a cryptographic operation, the application program calls the interface in the virtual cryptographic module driver, fills in a cryptographic request descriptor in the shared BAR space, and issues the I/O instruction. Submitting an I/O instruction from the guest virtual machine to the virtualization monitor triggers an MMIO operation, the MMIO operation triggers a "vm-exit", and the corresponding interface in the fragment virtualization driver is called, completing one virtual cryptographic request submission.
(5) Priority arbitration of cryptographic operation requests. The fragment virtualization driver receives the request and first obtains the weight of the queue in which the request descriptor is located; the weight is the number of cryptographic requests processed consecutively from that queue. When the number processed exceeds the weight, processing of requests on that queue stops and the arbiter rotates to the next queue, realizing priority-based scheduling of cryptographic request tasks.
(6) Execution of the cryptographic operation request. When the priority arbitration condition is met, the cryptographic request descriptor is parsed; the guest physical memory address of the request data contained in the descriptor is converted into the host physical memory address and delivered to the driver interface of the real cryptographic module (the Card Driver in FIG. 1), and from there to the DMA engine of the real cryptographic module, which normally means the cryptographic module hardware.
(7) Completion notification of the cryptographic operation request. When the hardware of the cryptographic module has finished processing and updated the data, the physical hardware first triggers an interrupt that is injected into the kernel of the physical machine; the operating system of the physical machine updates the related registers and then injects an interrupt into the virtual machine to notify the virtual cryptographic module driver in the virtual machine of the updated information, after which the computation result is returned to the application program. This completes the lifecycle of a cryptographic processing request.
Referring to FIG. 3, the invention is further described by taking the Loongson security SE as an example. The Loongson security SE is currently the only CPU built-in security module in China to have obtained the second-level commercial cryptography qualification, and it conforms to the national commercial cryptography industry standard. The 3A5000 has this security module, the SE (Security Element), built in. It integrates cryptographic computing and general-purpose computing at chip level, giving the chip hardware-level cryptographic algorithm processing capability and chip-level security protection capability. This example adds a fragment virtualization function to it so that it can be shared by multiple virtual machine users.
Step 1: Write the (2) vSE Server Driver in FIG. 3 to emulate, for the virtual machine, a complete virtual PCIE device with PCIE characteristics, performance close to a physical native platform and device-sharing capability, including complete configuration space and BAR space read/write functions. Note that the SE security module is a module on the CPU's internal bus, and its driver is (1) SE Driver in FIG. 3.
Step 2: Map the BAR space of the vSE virtual module so that (3) vSE Client Driver in FIG. 3 can read from and write to the same piece of memory as (2) vSE Server Driver, enabling the subsequent data interaction between the two that supports cryptographic operation requests.
Step 3: The host loads the vfio-mdev module, starts the QEMU virtual machine and assigns priority weights; at this point the vSE virtual module (emulated by (2) vSE Server Driver in FIG. 3) is visible in the virtual machine. The virtual machine loads the (3) vSE Client Driver module in FIG. 3, initializes the vSE virtual module memory queues, and initializes the cryptographic request descriptors in them.
Step 4: A service in the virtual machine needs a cryptographic operation; the application calls the interface in (3) vSE Client Driver, fills in the cryptographic request descriptor in the shared BAR space from step 3, and issues the I/O instruction. Submitting an I/O instruction from the guest virtual machine to the virtualization monitor triggers an MMIO operation, the MMIO operation triggers a "vm-exit", and the corresponding interface in (2) vSE Server Driver is invoked, completing one virtual machine cryptographic request submission.
Step 5: (2) vSE Server Driver receives the request and first obtains the weight of the queue in which the request descriptor is located. For example, if the weight is 3, then even if 7 cryptographic request descriptors have accumulated in the queue, only 3 descriptors are taken in this round according to the priority weight, and at most 3 more are taken in the next round of task scheduling.
Step 6: Following step 5, parse the cryptographic request descriptor; it contains the guest physical memory address of the cryptographic request data. Convert this address into the host physical memory address and deliver it to the driver interface of the real cryptographic module ((1) SE Driver in FIG. 3), which passes it to the hardware SE security cryptographic module.
Step 7: After the hardware SE security cryptographic module has processed the data, the DMA engine carries the result to the physical memory address in the request descriptor. The SE hardware triggers an interrupt that is injected into the kernel of the physical machine; the operating system of the physical machine updates the related registers and then injects an interrupt into the virtual machine, notifying (3) vSE Client Driver in the virtual machine to update its information, and the computation result is returned to the application program. This completes the lifecycle of a cryptographic processing request.
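The weighted queue arbitration of Step 5 and the pinned-window address check of the address translation step, as an added example in C (not code from the patent or from the Loongson drivers). The descriptor layout, the dma_window type, the queue ring and the dma_submit_log stand-in for the real card driver's DMA entry are assumptions; the weight of 3 with 7 queued descriptors is the page's own example. Each queue is served at most `weight` descriptors per round, and a descriptor whose GPA lies outside its own guest's pinned window is rejected rather than handed to the DMA engine.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_VMS     4
#define QUEUE_DEPTH 16
/* Request descriptor in a vCard's shared BAR queue. The page only says it
 * carries the guest physical address (GPA) of the data; layout is assumed. */
struct crypto_desc { uint64_t data_gpa; uint32_t length; };

/* One guest's pinned DMA window: GPA range fixed by vfio_pin_pages -> HPA. */
struct dma_window { uint64_t gpa_base, hpa_base, size; };

/* One memory queue per virtual cryptographic module (one per guest). */
struct vcard_queue {
    unsigned int weight;          /* preset priority: descriptors per turn */
    unsigned int head, tail;      /* ring indices, never wrapped */
    struct crypto_desc ring[QUEUE_DEPTH];
    struct dma_window win;
};
struct arbiter {
    struct vcard_queue q[MAX_VMS];
    unsigned int nqueues;
    unsigned int current;         /* round-robin pointer to the next queue */
    unsigned int rejected;        /* descriptors outside their pinned window */
};

/* Stand-in for the real card driver's DMA entry: records the last HPA. */
static uint64_t g_last_hpa;
void dma_submit_log(uint64_t hpa, uint32_t len)
{
    (void)len;
    g_last_hpa = hpa;
}

unsigned int queue_len(const struct vcard_queue *q)
{
    return q->tail - q->head;
}

/* Guest side: fill one descriptor into the shared BAR queue. */
int vcard_submit(struct vcard_queue *q, uint64_t gpa, uint32_t len)
{
    if (queue_len(q) == QUEUE_DEPTH)
        return -1;                                  /* queue full */
    q->ring[q->tail % QUEUE_DEPTH] = (struct crypto_desc){ gpa, len };
    q->tail++;
    return 0;
}

/* Host side: translate GPA -> HPA only inside this guest's pinned window,
 * so a descriptor can never point the DMA engine at another VM's memory. */
int gpa_to_hpa(const struct dma_window *w, uint64_t gpa, uint32_t len,
               uint64_t *hpa)
{
    if (len == 0 || len > w->size || gpa < w->gpa_base ||
        gpa - w->gpa_base > w->size - len)          /* overflow-safe bound */
        return -1;
    *hpa = w->hpa_base + (gpa - w->gpa_base);
    return 0;
}

/* One arbitration round: each queue is served at most `weight` descriptors,
 * then the arbiter rotates on. Returns how many reached dma_submit. */
unsigned int arbiter_round(struct arbiter *a,
                           void (*dma_submit)(uint64_t, uint32_t))
{
    unsigned int dispatched = 0;
    for (unsigned int n = 0; n < a->nqueues; n++) {
        struct vcard_queue *q = &a->q[a->current];
        unsigned int served = 0;
        while (queue_len(q) > 0 && served < q->weight) {
            const struct crypto_desc *d = &q->ring[q->head % QUEUE_DEPTH];
            uint64_t hpa;
            if (gpa_to_hpa(&q->win, d->data_gpa, d->length, &hpa) == 0) {
                dma_submit(hpa, d->length);
                dispatched++;
            } else {
                a->rejected++;     /* dropped before it reaches the hardware */
            }
            q->head++;
            served++;
        }
        a->current = (a->current + 1) % a->nqueues;
    }
    return dispatched;
}
int main(void)
{
    struct arbiter a = { 0 };
    a.nqueues = 1;
    a.q[0].weight = 3;   /* the page's example: weight 3, 7 queued requests */
    a.q[0].win = (struct dma_window){ 0x10000, 0x80000000, 0x100000 };
    for (int i = 0; i < 7; i++)
        vcard_submit(&a.q[0], 0x10000 + (uint64_t)i * 4096, 256);
    for (int r = 1; r <= 3; r++) {
        unsigned int n = arbiter_round(&a, dma_submit_log);
        printf("round %d: %u dispatched, %u left\n", r, n, queue_len(&a.q[0]));
    }
    return 0;
}
```

With the page's numbers the rounds dispatch 3, 3 and 1 descriptors; a second queue with a descriptor pointing into the first guest's window sees that descriptor counted as rejected instead of reaching the DMA engine.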
The invention has at least the following technical effects:
The invention is based on the vfio-mdev framework and, unlike the existing virtio paravirtualization scheme, which requires modifying the QEMU source code and the Linux kernel source code, it is easy to deploy and easy to port. The cryptographic request data is filled in only once, in the virtual machine; its memory address is then translated and handed to the DMA engine of the real cryptographic module, so the whole process involves no data copying and processing performance is preserved to the greatest extent. The invention also designs a queue priority arbitration mechanism, so that the cryptographic requests of each virtual machine use the real hardware cryptographic module resources in proportion to their weights, thereby controlling resource flow.
It should be noted that, for simplicity of description, the foregoing embodiments are all described as a series of combinations of actions, but it should be understood by those skilled in the art that the present application is not limited by the order of actions described, as some steps may be performed in other order or simultaneously according to the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are presently preferred embodiments, and that the acts referred to are not necessarily required for the present application.
In the above embodiments, the basic principle, main features and advantages of the present invention are described. It will be appreciated by persons skilled in the art that the present invention is not limited by the foregoing embodiments, which are shown and described only to illustrate the principles of the invention, and that modifications and changes can be made by those skilled in the art without departing from the spirit and scope of the invention; such modifications therefore fall within the scope of the appended claims.

Claims (9)

1. A method for virtualizing a secure cryptographic module in slices, characterized by comprising the following steps:
device emulation, namely providing a virtual PCIE device to the interior of the virtual machine;
address translation, namely converting GPA into HPA and pinning the DMA buffer in host memory for direct use by the virtual machine;
initializing the memory queues of the virtual cryptographic modules, namely allocating a group of memory queues in the shared BAR space of each virtual cryptographic module and initializing the cryptographic request descriptors in the memory queues;
submitting a cryptographic operation request;
cryptographic operation request priority arbitration, so that priority-based task scheduling of cryptographic requests is realized;
executing the cryptographic operation request;
notifying completion of the cryptographic operation request.
2. The method for virtualizing the secure cryptographic module according to claim 1, wherein the device emulation is specifically: privilege-sensitive resources and performance-sensitive resources are distinguished; device emulation is performed for the privilege-sensitive resources and device passthrough for the performance-sensitive resources, so that a complete virtual PCIE device with PCIE characteristics, performance close to a physical native platform, and device-sharing characteristics is provided to the interior of the virtual machine.
3. The method for virtualizing the secure cryptographic module according to claim 1, wherein the address translation is specifically: GPAs are translated to HPAs using the "vfio_pin_pages" address translation, and the DMA buffers are pinned in host memory for use by the virtual machines.
4. The method for virtualizing a secure cryptographic module according to claim 1, wherein initializing the virtual cryptographic module memory queues is specifically: a group of memory queues is allocated in the shared BAR space of each virtual cryptographic module and the cryptographic request descriptors in the memory queues are initialized; if a plurality of virtual machines run simultaneously, a plurality of groups of memory queue spaces are allocated, and each queue is given a preset weight, wherein the weight represents the processing priority of the queue.
5. The method for virtualizing a secure cryptographic module according to claim 1, wherein the cryptographic operation request submission is specifically: when a user in the virtual machine needs a cryptographic operation, the application program calls the interface in the virtual cryptographic module driver, fills the cryptographic request descriptor in the shared BAR space, and starts the I/O instruction.
6. The method for virtualizing the secure cryptographic module according to claim 1, wherein the cryptographic operation request priority arbitration is specifically: when a request is received, the weight of the queue in which the request descriptor is located is first obtained; this value represents the number of cryptographic requests processed consecutively from that queue. When the number processed exceeds the weight, processing of the cryptographic requests on that queue stops and the scheduler rotates to the next queue to be processed, so that priority-based task scheduling of cryptographic requests is realized.
7. The method for virtualizing a secure cryptographic module according to claim 1, wherein executing the cryptographic operation request is specifically as follows: when the processing condition of the priority arbitration is satisfied, the cryptographic request descriptor is parsed; the descriptor contains the guest physical address of the cryptographic request data, which is converted into a host physical address, handed to the driver interface of the real cryptographic module, and then handed to the DMA engine of the real cryptographic module for processing.
8. The method for virtualizing a secure cryptographic module according to claim 1, wherein the notification of completion of the cryptographic operation request is specifically: when the data has been updated after the hardware cryptographic module finishes processing, the physical hardware first triggers an interrupt into the kernel of the physical machine; the operating system of the physical machine updates the related registers and then injects an interrupt into the virtual machine to notify the virtual cryptographic module driver in the virtual machine to update its information, after which the computation result is returned to the application program.
9. A system for virtualizing a secure cryptographic module in slices, for implementing the method according to any one of claims 1-8, characterized by comprising an emulation module, a translation module, an initialization module, a submission module, an arbitration module, an execution module and a notification module, wherein the emulation module is used for performing device emulation and providing a virtual PCIE device to the interior of a virtual machine; the translation module is used for performing address translation, converting GPA into HPA and pinning the DMA buffer in host memory for direct use by the virtual machine; the initialization module is used for initializing the memory queues of the virtual cryptographic modules, allocating a group of memory queues in the shared BAR space of each virtual cryptographic module and initializing the cryptographic request descriptors in the memory queues; the submission module is used for submitting the cryptographic operation request; the arbitration module is used for performing priority arbitration of the cryptographic operation request and realizing priority-based task scheduling of cryptographic requests; the execution module is used for executing the cryptographic operation request; and the notification module is used for notifying completion of the cryptographic operation request.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310068698.XA CN116225614A (en) 2023-02-06 2023-02-06 Method and system for virtualizing security cryptographic module in fragments

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310068698.XA CN116225614A (en) 2023-02-06 2023-02-06 Method and system for virtualizing security cryptographic module in fragments

Publications (1)

Publication Number Publication Date
CN116225614A true CN116225614A (en) 2023-06-06

Family

ID=86586669

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310068698.XA Pending CN116225614A (en) 2023-02-06 2023-02-06 Method and system for virtualizing security cryptographic module in fragments

Country Status (1)

Country Link
CN (1) CN116225614A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117453352A (en) * 2023-12-21 2024-01-26 麒麟软件有限公司 Equipment straight-through method under Xen
CN117453352B (en) * 2023-12-21 2024-04-09 麒麟软件有限公司 Equipment straight-through method under Xen

Similar Documents

Publication Publication Date Title
KR101782398B1 (en) Technologies for secure inter-virtual-machine shared memory communication
US8832352B2 (en) Hypervisor-driven protection of data from virtual machine clones
US8775715B2 (en) Protection of data from virtual machine clones via paravirtualization
Li et al. ACRN: a big little hypervisor for IoT development
EP3968160A1 (en) Inter-process communication method and apparatus, and computer device
Amiri Sani et al. I/O paravirtualization at the device file boundary
CN107924325B (en) Apparatus and method for multi-level virtualization
CN103177212B (en) A kind of computer security input system based on light weight monitor of virtual machine and method
Perez et al. Virtualization and hardware-based security
Hosseinzadeh et al. Security in container-based virtualization through vTPM
CN112817780B (en) Method and system for realizing safety and high-performance interprocess communication
CN107704308B (en) Virtual platform vTPM management system, trust chain construction method and device, and storage medium
EP3701373B1 (en) Virtualization operations for directly assigned devices
US20220083347A1 (en) Adding cycle noise to enclaved execution environment
US20200242264A1 (en) Direct access to host memory for guests
CN105556473A (en) I/O task processing method, device and system
US11954198B2 (en) Unifying hardware trusted execution environment technologies using virtual secure enclave device
Nagesh et al. A Survey on Security Aspects of Server Virtualization in Cloud Computing.
CN116225614A (en) Method and system for virtualizing security cryptographic module in fragments
Gao et al. Building a virtual machine-based network storage system for transparent computing
US20220335109A1 (en) On-demand paging support for confidential computing
Dai et al. Design and verification of a lightweight reliable virtual machine monitor for a many-core architecture
Im et al. On-demand Virtualization for Post-copy OS Migration in Bare-metal Cloud
Aguiar et al. Current techniques and future trends in embedded system's virtualization
Ma et al. A virtual machine cloning approach based on trusted computing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination