CN116303142A - Memory access control method, security controller and memory access control device


Publication number: CN116303142A
Authority: CN (China)
Prior art keywords: memory, accessed, memory address, access, access type
Legal status: Granted
Application number: CN202310280085.2A
Other languages: Chinese (zh)
Other versions: CN116303142B (en)
Inventor: Name withheld on request
Current Assignee: Moore Threads Technology Co Ltd
Original Assignee: Moore Threads Technology Co Ltd
Application filed by Moore Threads Technology Co Ltd
Priority to CN202310280085.2A
Publication of CN116303142A
Application granted
Publication of CN116303142B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1458 Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00 Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10 Providing a specific technical effect
    • G06F2212/1052 Security improvement
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application relates to a memory access control method, a security controller and a memory access control device. The method comprises: acquiring a memory access request corresponding to a target processing module in a graphics processor, the request comprising a memory address to be accessed and a first access type; and determining whether to access the memory corresponding to the memory address to be accessed according to target configuration information of a target security controller, the memory address to be accessed and the first access type. Because each processing module in the embodiments of the application has a corresponding security controller that holds pre-configured configuration information, a target processing module that needs to access the memory of the graphics processor first sends a memory access request to its corresponding security controller, and the security controller determines whether to access the memory corresponding to the memory address to be accessed according to the configuration information, the memory address to be accessed and the first access type, thereby improving the memory security of the graphics processor.

Description

Memory access control method, security controller and memory access control device
Technical Field
The present invention relates to the field of memory access control technologies, and in particular, to a memory access control method, a security controller, and a memory access control device.
Background
In the currently mainstream graphics processor (Graphics Processing Unit, GPU) memory access control scheme, a computer device can access all the memories of the GPU based on a high-speed serial computer expansion bus standard (Peripheral Component Interconnect Express, PCIE), and each module inside the GPU can also access all the memories of the GPU.
However, current memory access control methods present a memory security risk because the data in the memory used by one module inside the GPU may be read or modified by another module.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a memory access control method, a security controller, and a memory access control device that can improve the memory security of a graphics processor.
In a first aspect, the present application provides a memory access control method. The method is applied to a security controller in a graphics processor, the graphics processor comprises at least one processing module and at least one security controller respectively corresponding to the at least one processing module, and the method comprises the following steps:
acquiring a memory access request corresponding to a target processing module in the graphics processor; the memory access request comprises the memory address to be accessed and a first access type;
determining whether to access a memory corresponding to the memory address to be accessed according to target configuration information of a target security controller, the memory address to be accessed and the first access type; the target security controller is the security controller corresponding to the target processing module.
In one embodiment, the determining whether to access the memory corresponding to the memory address to be accessed according to the target configuration information of the target security controller, the memory address to be accessed and the first access type includes:
matching the memory address to be accessed and the first access type with the target configuration information respectively to obtain a matching result;
and determining whether to access the memory corresponding to the memory address to be accessed according to the matching result.
In one embodiment, the determining whether to access the memory corresponding to the memory address to be accessed according to the matching result includes:
if the matching result is that the memory address to be accessed and the first access type are matched with the target configuration information, determining to access the memory corresponding to the memory address to be accessed;
if the matching result is that the memory address to be accessed and/or the first access type is not matched with the target configuration information, determining to prohibit access to the memory corresponding to the memory address to be accessed;
if the matching result is that the first memory address to be accessed and the corresponding first access type are matched with the target configuration information, and the second memory address to be accessed and/or the corresponding first access type are not matched with the target configuration information, determining to access the memory corresponding to the first memory address to be accessed, and determining to prohibit access to the memory corresponding to the second memory address to be accessed; the memory address to be accessed includes the first memory address to be accessed and the second memory address to be accessed.
In one embodiment, the target configuration information includes a memory address range that the target processing module is allowed to access and a second access type corresponding to the memory address range; the matching the memory address to be accessed and the first access type with the target configuration information respectively to obtain a matching result, including:
if the memory address to be accessed is located in the memory address range and the second access type is consistent with the first access type, determining that the matching result is that the memory address to be accessed and the first access type are matched with the target configuration information;
if the memory address to be accessed is not located in the memory address range and/or the second access type is inconsistent with the first access type, determining that the matching result is that the memory address to be accessed and the first access type are not matched with the target configuration information;
if the first memory address to be accessed is located in the memory address range, the second access type is consistent with the first access type corresponding to the first memory address to be accessed, and the second memory address to be accessed is not located in the memory address range and/or the second access type is inconsistent with the first access type corresponding to the second memory address to be accessed, determining that the matching result is that the first memory address to be accessed and the corresponding first access type are matched with the target configuration information, and the second memory address to be accessed and/or the corresponding first access type are not matched with the target configuration information.
In one embodiment, the graphics processor further comprises a system management unit; the method further comprises the steps of:
under the condition that the access to the memory corresponding to the memory address to be accessed is forbidden, or under the condition that the access to the memory corresponding to the second memory address to be accessed is forbidden, sending notification information to the system management unit; the notification information is used to indicate that there is an abnormal access.
In one embodiment, the method further comprises:
receiving an authority updating instruction sent by the system management unit; the permission update instruction is an instruction triggered after the system management unit receives a permission update request sent by the computer equipment;
and updating the memory address and the access type of the target security controller according to the permission updating instruction.
In a second aspect, the present application further provides a security controller, where the security controller is configured to perform the above-mentioned memory access control method.
In a third aspect, the present application further provides a memory access control device, where the device is disposed in the security controller, and the device includes:
the acquisition module is used for acquiring a memory access request corresponding to the target processing module in the graphics processor; the memory access request comprises the memory address to be accessed and a first access type;
the determining module is used for determining whether to access the memory corresponding to the memory address to be accessed according to the target configuration information of the target security controller, the memory address to be accessed and the first access type; the target security controller is the security controller corresponding to the target processing module.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the memory access control method described above.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps of the memory access control method described above.
According to the memory access control method, the security controller and the memory access control device, a memory access request corresponding to the target processing module in the graphics processor is obtained, the request comprising the memory address to be accessed and the first access type, and whether to access the memory corresponding to the memory address to be accessed is determined according to the target configuration information of the target security controller, the memory address to be accessed and the first access type. Because each processing module in the embodiments of the application has a corresponding security controller that holds pre-configured configuration information, a target processing module that needs to access the memory of the graphics processor first sends a memory access request to its corresponding security controller, and the security controller determines whether to access the memory corresponding to the memory address to be accessed according to the configuration information, the memory address to be accessed and the first access type. This avoids the prior-art problem that a processing module can access all the memories of the graphics processor, and improves the memory security of the graphics processor.
Drawings
FIG. 1 is an application environment diagram of a memory access control method in one embodiment;
FIG. 2 is a flow chart of a memory access control method according to an embodiment of the present application;
FIG. 3 is a flow chart of a memory access method according to an embodiment of the present application;
FIG. 4 is a flow chart of a rights updating method according to an embodiment of the present application;
FIG. 5 is a flowchart of another memory access control method according to an embodiment of the present disclosure;
FIG. 6 is a signaling flow chart of a memory access control method according to an embodiment of the present application;
FIG. 7 is a block diagram of a memory access control device according to an embodiment of the present application;
FIG. 8 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
In the current mainstream GPU memory access control scheme, the computer device can access all the memories of the GPU based on high-speed PCIE, and each processing module in the GPU can also access all the memories of the GPU. Because the computer device and each processing module in the GPU can access all the GPU memories, the GPU memories used by the processing modules are not securely isolated, and the data in the memory used by one processing module may be read or modified by another processing module. The current memory access control method therefore lacks management of memory security and carries a memory security risk.
In order to solve the above technical problems, an embodiment of the present application provides a memory access control method, which may be applied to an application environment as shown in fig. 1. The computer device communicates with the graphics processor based on the high-speed serial computer expansion bus standard, and the graphics processor comprises a plurality of processing modules and a security controller corresponding to each processing module. For example, the plurality of processing modules include a PCIE module, a graphics processing module, an audio processing module, a video processing module, and a display processing module as shown in fig. 1, where the PCIE module corresponds to the security controller A, the graphics processing module corresponds to the security controller B, the audio processing module corresponds to the security controller C, the video processing module corresponds to the security controller D, and the display processing module corresponds to the security controller E. The graphics processor also includes a system management unit (System Manage Cell, SMC) for managing the security controllers corresponding to the respective processing modules. The computer device may send a request to a target processing module in the graphics processor; for example, the computer device sends a memory access request to the graphics processing module of the graphics processor. After receiving the memory access request, the target processing module may send it to the security controller corresponding to the target processing module. After the security controller obtains the memory access request corresponding to the target processing module in the graphics processor, it determines whether to access the memory corresponding to the memory address to be accessed according to the configuration information of the security controller, the memory address to be accessed and the first access type.
The memory access request comprises the memory address to be accessed and a first access type. The computer device may be, but is not limited to, various personal computers and notebook computers.
It should be noted that the memory of the GPU is used for storing data while each processing module runs. The software design partitions the memory so that each processing module uses a fixed memory area: as shown in fig. 1, each processing module is allocated a section of memory, where the PCIE module uses the memory A, the graphics processing module uses the memory B, the audio processing module uses the memory C, the video processing module uses the memory D, and the display processing module uses the memory E. The memory address range of the memory allocated to each processing module is a default memory address range, and at power-on the SMC configures the configuration information of the security controllers according to the default memory address range corresponding to each processing module.
Based on the application environment shown in fig. 1, the embodiment of the present application provides a memory access control method, as shown in fig. 2, fig. 2 is a flow chart of the memory access control method provided in the embodiment of the present application, where the method is applied to the security controller in fig. 1, and the method includes the following steps:
S201, acquiring a memory access request corresponding to a target processing module in a graphics processor; the memory access request includes a memory address to be accessed and a first access type.
The target processing module may be any one of the processing modules included in the graphics processor. Taking the display processing module shown in fig. 1 as the target processing module, the security controller E may obtain a memory access request corresponding to the display processing module, where the memory access request may be a request sent by the computer device to the display processing module. For example, when the computer device needs the display processing module to display the data stored in the memory E on the display, the computer device may send a memory access request to the display processing module; correspondingly, after the display processing module receives the memory access request, it sends the memory access request to the security controller E.
The first access type included in the memory access request may be a read type or a write type, where the read type means that data stored in the memory corresponding to the memory address to be accessed needs to be read, and the write type means that data needs to be written into the memory corresponding to the memory address to be accessed.
S202, determining whether to access a memory corresponding to the memory address to be accessed according to the target configuration information of the target security controller, the memory address to be accessed and the first access type.
The target security controller is the security controller corresponding to the target processing module. Taking the display processing module shown in fig. 1 as the target processing module, the security controller E is the target security controller.
Accessing the memory corresponding to the memory address to be accessed may include reading data in the memory corresponding to the memory address to be accessed, or writing data into the memory corresponding to the memory address to be accessed. The security controller reads the data in the memory corresponding to the memory address to be accessed, which means that the processing module corresponding to the security controller has the read authority of the data in the memory corresponding to the memory address to be accessed. The security controller writes data into the memory corresponding to the memory address to be accessed, which means that the processing module corresponding to the security controller has the write authority of the data in the memory corresponding to the memory address to be accessed.
Determining whether to access the memory corresponding to the memory address to be accessed according to the target configuration information of the target security controller, the memory address to be accessed and the first access type can be achieved in the following ways:
For example, the memory address to be accessed may be first matched with the memory address range configured in the target configuration information, and if the memory address to be accessed is not matched with the memory address range configured in the target configuration information, it is determined that access to the memory corresponding to the memory address to be accessed is prohibited. Here, the memory address to be accessed not matching the memory address range configured in the target configuration information means that the memory address to be accessed is not located in the memory address range configured in the target configuration information.
Or the first access type is matched with the access type configured in the target configuration information, and if the access type consistent with the first access type does not exist in the access type configured in the target configuration information, the access to the memory corresponding to the memory address to be accessed is forbidden.
Or, the memory address to be accessed may be matched with the memory address range configured in the target configuration information, if the memory address to be accessed is matched with the memory address range configured in the target configuration information, the first access type is further matched with the access type configured in the target configuration information, and if the first access type is matched with the access type configured in the target configuration information, the memory corresponding to the memory address to be accessed is determined to be accessed. The embodiments of the present application are not limited.
According to the memory access control method provided by the embodiment of the application, a memory access request corresponding to the target processing module in the graphics processor is obtained, the request comprising the memory address to be accessed and the first access type, and whether to access the memory corresponding to the memory address to be accessed is determined according to the target configuration information of the target security controller, the memory address to be accessed and the first access type. Because each processing module in the embodiments of the application has a corresponding security controller that holds pre-configured configuration information, a target processing module that needs to access the memory of the graphics processor first sends a memory access request to its corresponding security controller, and the security controller determines whether to access the memory corresponding to the memory address to be accessed according to the configuration information, the memory address to be accessed and the first access type. This avoids the prior-art problem that a processing module can access all the memories of the graphics processor, and improves the memory security of the graphics processor.
In one embodiment, as shown in fig. 3, fig. 3 is a flow chart of a memory access method according to an embodiment of the present application. The present embodiment relates to a possible implementation manner of determining whether to access a memory corresponding to the memory address to be accessed according to the target configuration information of the target security controller, the memory address to be accessed and the first access type, where on the basis of the foregoing embodiment, S202 includes:
S301, the memory address to be accessed and the first access type are respectively matched with the target configuration information, and a matching result is obtained.
In this embodiment, the memory address to be accessed and the first access type may be respectively matched with the target configuration information in the following two ways, so as to obtain a matching result.
Mode one: the memory address to be accessed is first matched with the memory address range configured in the target configuration information, and if the memory address to be accessed is matched with the memory address range configured in the target configuration information, it is further judged whether the access type corresponding to the memory address range matched with the memory address to be accessed is consistent with the first access type, thereby realizing the matching of the memory address to be accessed and the first access type with the target configuration information respectively.
If the memory address to be accessed is matched with the memory address range configured in the target configuration information, and the access type corresponding to the memory address range matched with the memory address to be accessed is consistent with the first access type, the matching result can be determined to be that the memory address to be accessed and the first access type are matched with the target configuration information.
If the memory address to be accessed matches the memory address range configured in the target configuration information, however, the access type corresponding to the memory address range matching the memory address to be accessed is not consistent with the first access type, it may be determined that the matching result is that the memory address to be accessed matches the target configuration information, but the first access type is not matched with the target configuration information.
Mode two: the first access type is matched with the access type configured in the target configuration information of the security controller, if the access type consistent with the first access type exists in the access type configured in the target configuration information, whether the memory address to be accessed is located in a memory address range corresponding to the access type consistent with the first access type is further judged, and accordingly the memory address to be accessed and the first access type are matched with the target configuration information respectively.
If the access type configured in the target configuration information has the access type consistent with the first access type, and the memory address to be accessed is located in the memory address range corresponding to the access type consistent with the first access type, the matching result can be determined to be that the memory address to be accessed and the first access type are both matched with the target configuration information.
If the access type configured in the target configuration information has an access type consistent with the first access type, however, the memory address to be accessed is not located in the memory address range corresponding to the access type consistent with the first access type, it may be determined that the matching result is that the first access type matches the target configuration information, but the memory address to be accessed is not matched with the target configuration information.
S302, determining whether to access the memory corresponding to the memory address to be accessed according to the matching result.
Optionally, S302 described above may be implemented as follows:
if the matching result is that the memory address to be accessed and the first access type are matched with the target configuration information, determining to access the memory corresponding to the memory address to be accessed;
if the matching result is that the memory address to be accessed and/or the first access type is not matched with the target configuration information, determining to prohibit access to the memory corresponding to the memory address to be accessed;
if the matching result is that the first memory address to be accessed and the corresponding first access type are matched with the target configuration information, and the second memory address to be accessed and/or the corresponding first access type are not matched with the target configuration information, determining to access the memory corresponding to the first memory address to be accessed, and determining to prohibit access to the memory corresponding to the second memory address to be accessed; the memory addresses to be accessed include the first memory address to be accessed and the second memory address to be accessed.
For example, if the matching result is obtained in the first or second mode, and the matching result is determined that the memory address to be accessed and the first access type are both matched with the target configuration information, then the memory corresponding to the memory address to be accessed is determined to be accessed.
For another example, if the matching result is obtained in the above manner, and the matching result is determined to be that the memory address to be accessed is matched with the target configuration information, but the first access type is not matched with the target configuration information, it is determined to prohibit access to the memory corresponding to the memory address to be accessed.
For another example, if the matching result is obtained in the second mode and the matching result is that the first access type is matched with the target configuration information, but the memory address to be accessed is not matched with the target configuration information, it is determined that access to the memory corresponding to the memory address to be accessed is prohibited.
According to the method provided by the embodiment, the memory address to be accessed and the first access type are respectively matched with the target configuration information to obtain the matching result, and whether the memory corresponding to the memory address to be accessed is accessed or not is determined according to the matching result.
In one embodiment, the target configuration information may include a memory address range that the target processing module is allowed to access and a second access type corresponding to the memory address range. Correspondingly, S301, matching the memory address to be accessed and the first access type respectively with the target configuration information to obtain a matching result, may be implemented in the following manner:
if the memory address to be accessed is located in the memory address range and the second access type is consistent with the first access type, determining that the matching result is that the memory address to be accessed and the first access type are matched with the target configuration information.
For example, the memory address to be accessed is first matched with the memory address range, if the memory address to be accessed is located in the memory address range, whether the second access type is consistent with the first access type is further judged, and if the second access type is consistent with the first access type, the matching result is determined to be that the memory address to be accessed and the first access type are both matched with the target configuration information.
In one embodiment, if the memory address to be accessed is not within the memory address range and/or the second access type is inconsistent with the first access type, the matching result is determined that the memory address to be accessed and the first access type are not matched with the target configuration information.
In one embodiment, if the first to-be-accessed memory address is located in the memory address range, the second access type is consistent with the first access type corresponding to the first to-be-accessed memory address, and the second to-be-accessed memory address is not located in the memory address range and/or the second access type is inconsistent with the first access type corresponding to the second to-be-accessed memory address, the matching result is determined that the first to-be-accessed memory address and the corresponding first access type are matched with the target configuration information, and the second to-be-accessed memory address and/or the corresponding first access type are not matched with the target configuration information.
When a memory access request continuously reads and writes a section of memory addresses, if some of the memory addresses meet the requirement of the target configuration information and the others do not, the memory addresses that meet the requirement are read and written normally, and reading and writing of the memory addresses that do not meet the requirement is prohibited. For example, the memory access request is used for continuously reading and writing an address range of 128M, but only the read-write permission for the first 64M is configured in the target configuration information, and the read-write permission for the last 64M is not configured; in this case only the memory of the first 64M is allowed to be read and written, and the memory of the last 64M is prohibited from being read and written. The memory address corresponding to the memory of the first 64M is the first memory address to be accessed, and the memory address corresponding to the memory of the last 64M is the second memory address to be accessed.
The method provided by the embodiment can match the memory address to be accessed and the first access type with the target configuration information respectively, so that different matching results are determined, whether the memory is accessed or not is determined according to the different matching results, and the security of memory access is further improved.
In one embodiment, the graphics processor further includes a system management unit; the method further comprises the steps of:
Under the condition that the access to the memory corresponding to the memory address to be accessed is forbidden, or under the condition that the access to the memory corresponding to the second memory address to be accessed is forbidden, sending notification information to the system management unit; the notification information is used to indicate that there is an abnormal access.
The security controller may send the notification information to the system management unit in the form of an interrupt. When the system management unit learns from the notification information that there is abnormal access to the memory of the graphics manager, it may handle the abnormal access according to the notification information.
In one embodiment, the system management unit may send a permission update instruction to the security controller, and the security controller updates the memory address and the access type of the target security controller according to the permission update instruction. Specifically, reference may be made to fig. 4, and fig. 4 is a flow chart of a rights updating method provided in an embodiment of the present application, where the method may include:
S401, receiving a permission update instruction sent by the system management unit.
S402, according to the permission updating instruction, the memory address and the access type of the target security controller are updated.
The permission update instruction may include a permission configuration instruction.
The permission configuration instruction is an instruction triggered after the system management unit receives a permission configuration request sent by the computer equipment.
Because each processing module is allocated a section of memory for its use, the memory address range of the memory allocated to each processing module is a default memory address range, and when the GPU is started, the SMC configures the target configuration information of the target security controller according to the default memory address range corresponding to each processing module.
It should be noted that, during the running process of the system on the graphics processor, the system management unit may send an authority configuration instruction to the target security controller, where the target security controller configures the memory address and the access type of the target security controller according to the authority configuration instruction.
For example, as shown in fig. 1, the processing module uses the memory E; that is, the memory address range corresponding to the memory E is the memory address range in the configuration information that the SMC configures for the security controller E at power-on, and the memory address range corresponding to the memory E is the default memory address range.
If the SMC needs to configure a new address range for the secure controller E, the SMC may send a permission configuration instruction to the secure controller a during the system operation. For example, as shown in fig. 1, a section of memory in the memory a is A1, and taking an example that the computer device needs to read data from the memory A1 through the display processing module and display the read data on the display, the computer device first takes out a section of space A1 in its own memory (i.e. memory a), and writes the data to be displayed into the memory A1; then, the computer equipment sends an authority configuration request to the SMC, wherein the authority configuration request is used for opening the read authority of the A1 address to the display processing module; and triggering an authority configuration instruction after the SMC receives the authority configuration request, and sending the authority configuration instruction to the safety controller E.
Correspondingly, the target security controller configures the memory address and the access type of the target security controller according to the permission configuration instruction.
By combining the above examples, after receiving the permission configuration instruction, the security controller E may add the address range corresponding to the A1 address and the read permission corresponding to the address range to the configuration information of the security controller E, so as to implement configuration on the memory address and the access type of the target security controller.
It should be noted that, the computer device may also change default configuration information, for example, the access type corresponding to the memory address range of the memory E in the default configuration information is a write access type, and the computer device needs to change the write access type to a read access type, and then the computer device may send a permission configuration request to the SMC, where the permission configuration request is used to change the access type in the configuration information of the security controller E. Triggering an authority configuration instruction after the SMC receives the authority configuration request, and sending the authority configuration instruction to the security controller E, wherein the security controller E modifies the access type corresponding to the memory address range of the memory E into a read access type according to the authority configuration instruction.
According to the method provided by the embodiment of the application, the configuration information of the safety controller can be flexibly configured according to actual application requirements by receiving the permission configuration instruction sent by the system management unit and configuring the memory address and the access type of the target safety controller according to the permission configuration instruction, so that the actual application requirements are met.
In one embodiment, the permission update instruction may include a permission cancellation instruction, where the permission cancellation instruction is an instruction triggered by the system management unit after receiving a permission cancellation request sent by the computer device.
The present embodiment is described with reference to the above example, if the computer device does not want the display processing module to read the data in the memory A1 again, the computer device may send a permission cancellation request to the SMC, where the permission cancellation request is used to cancel the read access type of the display processing module to the memory A1. And triggering an authority cancellation instruction after the SMC receives the authority cancellation request, and sending the authority cancellation instruction to the safety controller E, wherein the safety controller E receives the authority cancellation instruction correspondingly. Correspondingly, after receiving the permission instruction, the security controller E deletes the memory address corresponding to the memory A1 and the access type corresponding to the memory address included in the permission cancellation instruction according to the permission cancellation instruction, so as to cancel the read access type of the display processing module to the memory A1.
It should be noted that, in the running process of the system, the computer device may cancel a portion of the memory address range and the corresponding access type configured in the default configuration information according to the actual application requirement, for example, the default configuration information of the security controller B includes that the memory address range 1 and the access type corresponding to the memory address range 1 are read access types, and also includes that the memory address range 2 and the access type corresponding to the memory address range 2 are write access types. If the computer device needs to cancel the memory address range 1 and the access type corresponding to the memory address range 1, the computer device may send a permission cancellation request to the SMC, where the permission cancellation request is used to cancel the memory address range 1 and the corresponding access type in the configuration information of the security controller B. And triggering an authority configuration instruction after the SMC receives the authority cancellation request, and sending the authority cancellation instruction to the safety controller E, wherein the safety controller E deletes the memory address range 1 and the corresponding read access type according to the authority cancellation instruction.
According to the method provided by the embodiment of the application, the memory address and the access type of the security controller included in the permission cancellation instruction are deleted by receiving the permission cancellation instruction sent by the system management unit and according to the permission cancellation instruction, so that the memory address range and the access type allocated to the target processing module can be cancelled in time.
For a clearer description of the memory access control method provided in the embodiment of the present application, the method is described here with reference to fig. 5; it performs memory access control based on the default configuration information of a security controller. Fig. 5 is a flowchart of another memory access control method according to an embodiment of the present application. As shown in fig. 5, after receiving a memory access request sent by a computer device, a processing module sends the memory access request to the corresponding security controller. The security controller determines whether the memory address to be accessed included in the memory access request is located in the memory address range in its own configuration information, so as to determine whether the address check succeeds: if the memory address to be accessed is located in the memory address range in its own configuration information, it is determined that the address check succeeds; if the memory address to be accessed is not in the memory address range in its own configuration information, it is determined that the address check fails.
If the address checking is determined to fail, the security controller sends notification information to the SMC; if the address checking is successful, further judging whether the second access type corresponding to the memory address range is consistent with the first access type or not to check the access type, and if the second access type corresponding to the memory address range is consistent with the first access type, determining that the access type checking is successful; if the second access type corresponding to the memory address range is inconsistent with the first access type, determining that the access type check fails.
If the access type check is determined to fail, the security controller sends notification information to the SMC; if the access type check is successful, the security controller accesses the memory corresponding to the memory address to be accessed.
In the embodiment corresponding to fig. 5, the content of configuring the configuration information of the security controller during the system operation is not described, and for this purpose, the memory access control method provided in the embodiment of the present application is described taking the example that the computer device needs to read data from the memory A1 through the display processing module and display the read data on the display. As shown in fig. 6, fig. 6 is a signaling flow chart of a memory access control method according to an embodiment of the present application.
S601, the computer equipment stores data A to be displayed in a section of memory A1 in the memory A.
S602, the computer equipment sends an authority configuration request to the SMC, wherein the authority configuration request is used for configuring an address A1 corresponding to the memory A1 and a read access type of the address to the display processing module.
S603, the SMC sends an authority configuration instruction to the security controller E.
S604, the security controller E configures the address A1 and the read access type of the address A1 into the configuration information of the security controller E according to the authority configuration instruction.
After the security controller E configures the address A1 and the read access type of the address A1 into its own configuration information, a completion message is sent to the SMC, where the completion message is used to indicate that the authority configuration is completed.
S605, when the SMC determines that the authority configuration is completed, sending a completion confirmation message to the computer equipment.
The computer equipment receives the completion confirmation message, which indicates that the configuration information of the security controller E is configured, and the display processing module obtains the authority of reading the data in the memory A1 corresponding to the address A1.
S606, the computer equipment sends a memory access request to the display processing module.
The memory access request is used for reading and displaying data in the memory A1.
S607, the display processing module sends a memory access request to the security controller E.
S608, the security controller E performs address checking and access type checking by adopting the memory access control method provided by the embodiment.
S609, the security controller E reads the data A in the memory A1.
Because the address A1 and the read access type corresponding to the address A1 are already configured in the configuration information of the security controller, the security controller E determines that the memory access request initiated by the display processing module passes the check, and then the security controller E reads the data a in the memory A1.
S610, the display processing module receives the data A sent by the security controller E.
And after the display processing module receives the data A, displaying the data A on a display.
S611, the display processing module sends a display completion message to the computer equipment.
After the computer device receives the display completion message, if the computer device does not want the display processing module to access the address A1, the access authority of the display processing module to the address A1 can be cancelled. The cancellation of the access authority of the display processing module to the address A1 may be specifically referred to S612 to S614 described below.
S612, the computer equipment sends a permission cancellation request to the SMC.
S613, the SMC triggers an authority cancellation instruction according to the authority cancellation request and sends the authority cancellation instruction to the security controller E.
S614, the security controller E deletes the address A1 of the security controller and the read access type corresponding to the address A1 included in the permission cancellation instruction according to the permission cancellation instruction.
S615, the SMC sends a cancel completion message to the computer equipment.
After deleting the address A1 and the read access type of the address A1 in the configuration information, the security controller E sends a cancel completion message to the SMC, where the cancel completion message is used to indicate that authority cancellation is completed.
After receiving the cancellation completion message, the SMC sends the cancellation completion message to the computer device. Correspondingly, receipt of the cancellation completion message by the computer equipment indicates that the address A1 and the read access type corresponding to the address A1 have been deleted from the configuration information of the security controller E, and that the read permission of the processing module for the address A1 has been cancelled.
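The address and access type checks of S301/S302 and fig. 5 (including the 128M request with only the first 64M configured) and the configure, access and cancel sequence of S601 to S615, modelled in C as an added example that is not part of the patent text. The table layout, the bitmask encoding of access types, the function names `sc_configure`, `sc_cancel` and `sc_access`, the notification counter standing in for the interrupt to the SMC, and all addresses are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration: every name, size and address below is constructed. */
enum { ACC_READ = 1, ACC_WRITE = 2 };     /* access types as a bitmask (assumption) */
#define MAX_ENTRIES 8
#define MiB (1024ull * 1024ull)

struct range_entry {          /* one row of a controller's configuration information */
    uint64_t base, size;      /* allowed range is [base, base + size) */
    unsigned type;            /* the "second access type" granted on that range */
    bool valid;
};

struct sec_ctrl {
    struct range_entry cfg[MAX_ENTRIES];
    unsigned smc_notifications;   /* stands in for the interrupt sent to the SMC */
};

/* Permission configuration instruction: add a range and its access type. */
int sc_configure(struct sec_ctrl *sc, uint64_t base, uint64_t size, unsigned type)
{
    if (size == 0 || type == 0 || base + size < base)
        return -1;                        /* reject empty, typeless or wrapping ranges */
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (!sc->cfg[i].valid) {
            sc->cfg[i] = (struct range_entry){ base, size, type, true };
            return 0;
        }
    }
    return -1;                            /* table full: nothing is granted */
}

/* Permission cancellation instruction: delete the named range and access type. */
int sc_cancel(struct sec_ctrl *sc, uint64_t base, uint64_t size, unsigned type)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        struct range_entry *e = &sc->cfg[i];
        if (e->valid && e->base == base && e->size == size && e->type == type) {
            e->valid = false;
            return 0;
        }
    }
    return -1;
}

/* Check a contiguous request [addr, addr + len). Returns the number of bytes
 * permitted, stores the number refused in *denied, and notifies the SMC once
 * if anything was refused. */
uint64_t sc_access(struct sec_ctrl *sc, uint64_t addr, uint64_t len,
                   unsigned type, uint64_t *denied)
{
    uint64_t end = addr + len, pos = addr, allowed = 0;
    if (end < addr || type == 0)
        end = pos;                        /* wrapping or typeless request: refuse it all */
    while (pos < end) {
        uint64_t next = end;              /* end of the current allowed or denied run */
        bool ok = false;
        for (int i = 0; i < MAX_ENTRIES; i++) {
            const struct range_entry *e = &sc->cfg[i];
            if (!e->valid || (e->type & type) != type)
                continue;                 /* access type check fails for this entry */
            if (pos >= e->base && pos < e->base + e->size) {   /* address check */
                ok = true;
                next = (e->base + e->size < end) ? e->base + e->size : end;
                break;
            }
            if (e->base > pos && e->base < next)
                next = e->base;           /* a denied run stops where a grant starts */
        }
        if (ok)
            allowed += next - pos;
        pos = next;
    }
    *denied = len - allowed;
    if (*denied)
        sc->smc_notifications++;
    return allowed;
}

int main(void)
{
    struct sec_ctrl e = { 0 };
    uint64_t denied, ok, a1 = 0x80000000ull;             /* constructed address of A1 */
    sc_configure(&e, 0x10000000ull, 64 * MiB, ACC_READ | ACC_WRITE);
    ok = sc_access(&e, 0x10000000ull, 128 * MiB, ACC_READ | ACC_WRITE, &denied);
    printf("128M request: %llu MiB allowed, %llu MiB denied\n",
           (unsigned long long)(ok / MiB), (unsigned long long)(denied / MiB));
    sc_configure(&e, a1, 4096, ACC_READ);                /* S602 to S604 */
    ok = sc_access(&e, a1, 4096, ACC_READ, &denied);     /* S606 to S609 */
    printf("read A1 after configuration: %llu bytes\n", (unsigned long long)ok);
    sc_cancel(&e, a1, 4096, ACC_READ);                   /* S612 to S614 */
    ok = sc_access(&e, a1, 4096, ACC_READ, &denied);
    printf("read A1 after cancellation: %llu bytes, notifications=%u\n",
           (unsigned long long)ok, e.smc_notifications);
    return 0;
}
```

The model fails closed: a full table, a wrapping range or a request with no access type grants nothing, and any refused byte produces a notification.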
It should be understood that, although the steps in the flowcharts related to the embodiments described above are sequentially shown as indicated by arrows, these steps are not necessarily performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and these steps or stages are not necessarily performed sequentially, but may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the present application further provides a graphics processor, where the graphics processor includes a plurality of processing modules and a security controller corresponding to each processing module, where the security controller is configured to execute the memory access control method provided in the foregoing embodiment.
Optionally, the graphics processor further includes a system management unit;
the system management unit is used for receiving the authority configuration instruction sent by the system management unit; the permission configuration instruction is an instruction triggered after the system management unit receives a permission configuration request sent by the computer equipment; and the security controller is used for configuring the memory address and the access type of the security controller of the target processing module according to the permission configuration instruction.
Optionally, the system management unit is configured to receive an authority cancellation instruction sent by the system management unit; the permission cancellation instruction is an instruction triggered after the system management unit receives a permission cancellation request sent by the computer equipment; and the security controller is used for deleting the memory address and the access type of the security controller included in the permission cancellation instruction according to the permission cancellation instruction.
Based on the same inventive concept, the embodiment of the application also provides a memory access control device for implementing the above-mentioned related memory access control method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in one or more embodiments of the memory access control device provided below may refer to the limitation of the memory access control method hereinabove, and will not be repeated herein.
In one embodiment, as shown in fig. 7, fig. 7 is a block diagram of a memory access control device according to an embodiment of the present application, where the memory access control device 700 includes:
an obtaining module 701, configured to obtain a memory access request corresponding to a target processing module in a graphics processor; the memory access request comprises a memory address to be accessed and a first access type;
a determining module 702, configured to determine whether to access a memory corresponding to the memory address to be accessed according to the target configuration information, the memory address to be accessed, and the first access type of the target security controller; the target safety controller is a safety controller corresponding to the target processing module.
In one embodiment, the determination module 702 includes:
the matching unit is used for respectively matching the memory address to be accessed and the first access type with the target configuration information to obtain a matching result;
and the determining unit is used for determining whether the memory corresponding to the memory address to be accessed is accessed or not according to the matching result.
In one embodiment, the determining unit is specifically configured to determine that the memory corresponding to the memory address to be accessed is accessed if the matching result indicates that both the memory address to be accessed and the first access type are matched with the target configuration information; if the matching result is that the memory address to be accessed and/or the first access type is not matched with the target configuration information, determining to prohibit access to the memory corresponding to the memory address to be accessed; if the matching result is that the first memory address to be accessed and the corresponding first access type are matched with the target configuration information, and the second memory address to be accessed and/or the corresponding first access type are not matched with the target configuration information, determining to access the memory corresponding to the first memory address to be accessed, and determining to prohibit to access the memory corresponding to the second memory address to be accessed; the memory addresses to be accessed include a first memory address to be accessed and a second memory address to be accessed.
In one embodiment, the configuration information includes a memory address range that the target processing module is allowed to access and a second access type corresponding to the memory address range; the matching unit is specifically configured to determine that the matching result is that the memory address to be accessed and the first access type are both matched with the target configuration information if the memory address to be accessed is located in the memory address range and the second access type is consistent with the first access type; if the memory address to be accessed is not in the memory address range and/or the second access type is inconsistent with the first access type, determining that the matching result is that the memory address to be accessed is not matched with the target configuration information and the first access type is not matched with the target configuration information; if the first memory address to be accessed is located in the memory address range, the second access type is consistent with the first access type corresponding to the first memory address to be accessed, and the second memory address to be accessed is not located in the memory address range, and/or the second access type is inconsistent with the first access type corresponding to the second memory address to be accessed, determining that the matching result is that the first memory address to be accessed and the corresponding first access type are matched with the target configuration information, and the second memory address to be accessed and/or the corresponding first access type are not matched with the target configuration information.
In one embodiment, the graphics processor further includes a system management unit; the apparatus 800 further comprises:
the sending module is used for sending notification information to the system management unit under the condition that the access to the memory corresponding to the memory address to be accessed is forbidden or under the condition that the access to the memory corresponding to the second memory address to be accessed is forbidden; the notification information is used to indicate that there is an abnormal access.
In one embodiment, the apparatus 700 further comprises:
the first receiving module is used for receiving the authority updating instruction sent by the system management unit; the permission update instruction is an instruction triggered after the system management unit receives a permission update request sent by the computer equipment;
and the configuration module is used for updating the memory address and the access type of the target security controller according to the permission updating instruction.
The modules in the memory access control device may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a terminal, and the internal structure thereof may be as shown in fig. 8. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a memory access control method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 8 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a security controller is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor when executing the computer program performing the steps of:
acquiring a memory access request corresponding to a target processing module in a graphics processor; the memory access request comprises a memory address to be accessed and a first access type;
determining whether to access a memory corresponding to the memory address to be accessed according to target configuration information, the memory address to be accessed and the first access type of the target security controller; the target safety controller is a safety controller corresponding to the target processing module.
In one embodiment, the processor when executing the computer program further performs the steps of:
matching the memory address to be accessed and the first access type with the target configuration information respectively to obtain a matching result; and determining whether to access the memory corresponding to the memory address to be accessed according to the matching result.
In one embodiment, the processor when executing the computer program further performs the steps of:
if the matching result is that the memory address to be accessed and the first access type are matched with the target configuration information, determining to access the memory corresponding to the memory address to be accessed; if the matching result is that the memory address to be accessed and/or the first access type is not matched with the target configuration information, determining to prohibit access to the memory corresponding to the memory address to be accessed; if the matching result is that the first memory address to be accessed and the corresponding first access type are matched with the target configuration information, and the second memory address to be accessed and/or the corresponding first access type are not matched with the target configuration information, determining to access the memory corresponding to the first memory address to be accessed, and determining to prohibit to access the memory corresponding to the second memory address to be accessed; the memory addresses to be accessed include a first memory address to be accessed and a second memory address to be accessed.
In one embodiment, the processor when executing the computer program further performs the steps of:
if the memory address to be accessed is located in the memory address range and the second access type is consistent with the first access type, determining that the matching result is that the memory address to be accessed and the first access type are matched with the target configuration information; if the memory address to be accessed is not in the memory address range and/or the second access type is inconsistent with the first access type, determining that the matching result is that the memory address to be accessed is not matched with the target configuration information and the first access type is not matched with the target configuration information; if the first memory address to be accessed is located in the memory address range, the second access type is consistent with the first access type corresponding to the first memory address to be accessed, and the second memory address to be accessed is not located in the memory address range, and/or the second access type is inconsistent with the first access type corresponding to the second memory address to be accessed, determining that the matching result is that the first memory address to be accessed and the corresponding first access type are matched with the target configuration information, and the second memory address to be accessed and/or the corresponding first access type are not matched with the target configuration information.
In one embodiment, the processor when executing the computer program further performs the steps of:
under the condition that the access to the memory corresponding to the memory address to be accessed is forbidden, or under the condition that the access to the memory corresponding to the second memory address to be accessed is forbidden, sending notification information to the system management unit; the notification information is used to indicate that there is an abnormal access.
In one embodiment, the processor when executing the computer program further performs the steps of:
receiving a permission update instruction sent by the system management unit; the permission update instruction is an instruction triggered after the system management unit receives a permission update request sent by the computer device; and updating the memory address and the access type of the target security controller according to the permission update instruction.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring a memory access request corresponding to a target processing module in a graphics processor; the memory access request comprises a memory address to be accessed and a first access type;
determining whether to access a memory corresponding to the memory address to be accessed according to target configuration information of the target security controller, the memory address to be accessed and the first access type; the target security controller is the security controller corresponding to the target processing module.
In one embodiment, the computer program when executed by the processor further performs the steps of:
matching the memory address to be accessed and the first access type with the target configuration information respectively to obtain a matching result; and determining whether to access the memory corresponding to the memory address to be accessed according to the matching result.
In one embodiment, the processor when executing the computer program further performs the steps of:
if the matching result is that the memory address to be accessed and the first access type are matched with the target configuration information, determining to access the memory corresponding to the memory address to be accessed; if the matching result is that the memory address to be accessed and/or the first access type is not matched with the target configuration information, determining to prohibit access to the memory corresponding to the memory address to be accessed; if the matching result is that the first memory address to be accessed and the corresponding first access type are matched with the target configuration information, and the second memory address to be accessed and/or the corresponding first access type are not matched with the target configuration information, determining to access the memory corresponding to the first memory address to be accessed, and determining to prohibit to access the memory corresponding to the second memory address to be accessed; the memory addresses to be accessed include a first memory address to be accessed and a second memory address to be accessed.
In one embodiment, the computer program when executed by the processor further performs the steps of:
if the memory address to be accessed is located in the memory address range and the second access type is consistent with the first access type, determining that the matching result is that the memory address to be accessed and the first access type are matched with the target configuration information; if the memory address to be accessed is not in the memory address range and/or the second access type is inconsistent with the first access type, determining that the matching result is that the memory address to be accessed is not matched with the target configuration information and the first access type is not matched with the target configuration information; if the first memory address to be accessed is located in the memory address range, the second access type is consistent with the first access type corresponding to the first memory address to be accessed, and the second memory address to be accessed is not located in the memory address range, and/or the second access type is inconsistent with the first access type corresponding to the second memory address to be accessed, determining that the matching result is that the first memory address to be accessed and the corresponding first access type are matched with the target configuration information, and the second memory address to be accessed and/or the corresponding first access type are not matched with the target configuration information.
In one embodiment, the graphics processor further includes a system management unit; the computer program when executed by the processor also performs the steps of:
under the condition that the access to the memory corresponding to the memory address to be accessed is forbidden, or under the condition that the access to the memory corresponding to the second memory address to be accessed is forbidden, sending notification information to the system management unit; the notification information is used to indicate that there is an abnormal access.
In one embodiment, the computer program when executed by the processor further performs the steps of:
receiving a permission update instruction sent by the system management unit; the permission update instruction is an instruction triggered after the system management unit receives a permission update request sent by the computer device; and updating the memory address and the access type of the target security controller according to the permission update instruction.
In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of:
acquiring a memory access request corresponding to a target processing module in a graphics processor; the memory access request comprises a memory address to be accessed and a first access type;
determining whether to access a memory corresponding to the memory address to be accessed according to target configuration information of the target security controller, the memory address to be accessed and the first access type; the target security controller is the security controller corresponding to the target processing module.
In one embodiment, the computer program when executed by the processor further performs the steps of:
matching the memory address to be accessed and the first access type with the target configuration information respectively to obtain a matching result; and determining whether to access the memory corresponding to the memory address to be accessed according to the matching result.
In one embodiment, the processor when executing the computer program further performs the steps of:
if the matching result is that the memory address to be accessed and the first access type are matched with the target configuration information, determining to access the memory corresponding to the memory address to be accessed;
if the matching result is that the memory address to be accessed and/or the first access type is not matched with the target configuration information, determining to prohibit access to the memory corresponding to the memory address to be accessed;
if the matching result is that the first memory address to be accessed and the corresponding first access type are matched with the target configuration information, and the second memory address to be accessed and/or the corresponding first access type are not matched with the target configuration information, determining to access the memory corresponding to the first memory address to be accessed, and determining to prohibit to access the memory corresponding to the second memory address to be accessed; the memory addresses to be accessed include a first memory address to be accessed and a second memory address to be accessed.
In one embodiment, the computer program when executed by the processor further performs the steps of:
if the memory address to be accessed is located in the memory address range and the second access type is consistent with the first access type, determining that the matching result is that the memory address to be accessed and the first access type are matched with the target configuration information;
if the memory address to be accessed is not in the memory address range and/or the second access type is inconsistent with the first access type, determining that the matching result is that the memory address to be accessed is not matched with the target configuration information and the first access type is not matched with the target configuration information;
if the first memory address to be accessed is located in the memory address range, the second access type is consistent with the first access type corresponding to the first memory address to be accessed, and the second memory address to be accessed is not located in the memory address range, and/or the second access type is inconsistent with the first access type corresponding to the second memory address to be accessed, determining that the matching result is that the first memory address to be accessed and the corresponding first access type are matched with the target configuration information, and the second memory address to be accessed and/or the corresponding first access type are not matched with the target configuration information.
In one embodiment, the computer program when executed by the processor further performs the steps of:
under the condition that the access to the memory corresponding to the memory address to be accessed is forbidden, or under the condition that the access to the memory corresponding to the second memory address to be accessed is forbidden, sending notification information to the system management unit; the notification information is used to indicate that there is an abnormal access.
In one embodiment, the computer program when executed by the processor further performs the steps of:
receiving a permission update instruction sent by the system management unit; the permission update instruction is an instruction triggered after the system management unit receives a permission update request sent by the computer device; and updating the memory address and the access type of the target security controller according to the permission update instruction.
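The check described in the embodiments above (address-range and access-type matching, a separate decision for each address in a request, notification of the system management unit on denial, and permission updates), as an added C sketch that is not code from the patent. The struct and function names, the bit encoding of access types, reading "consistent" as "every requested bit is permitted", and rejecting malformed updates are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access-type bits; this encoding is an assumption of the sketch. */
enum { ACC_READ = 1u, ACC_WRITE = 2u };

/* Target configuration information of one security controller. */
struct sc_config {
    uint64_t base;     /* first permitted address */
    uint64_t limit;    /* last permitted address, inclusive (no base+size overflow) */
    uint32_t allowed;  /* the "second access type" */
};

/* One address of a memory access request with its "first access type". */
struct sc_access { uint64_t addr; uint32_t type; };

struct security_controller {
    struct sc_config cfg;
    unsigned smu_notifications;  /* stand-in for the message sent to the SMU */
};

/* Match one address and access type against the configuration. */
static bool sc_match(const struct sc_config *cfg, const struct sc_access *a)
{
    bool in_range = a->addr >= cfg->base && a->addr <= cfg->limit;
    /* "Consistent" is read here as: every requested bit is permitted. */
    bool type_ok = a->type != 0 && (a->type & ~cfg->allowed) == 0;
    return in_range && type_ok;
}

/* Decide each address independently; report every denial as abnormal access.
 * Returns a bitmask with bit i set when req[i] is granted (n <= 32). */
uint32_t sc_check_request(struct security_controller *sc,
                          const struct sc_access *req, size_t n)
{
    uint32_t granted = 0;
    for (size_t i = 0; i < n && i < 32; i++) {
        if (sc_match(&sc->cfg, &req[i]))
            granted |= (uint32_t)1 << i;
        else
            sc->smu_notifications++;
    }
    return granted;
}

/* Apply a permission update from the SMU. A malformed range is rejected and
 * the old configuration stays in force (fail closed; an added safeguard). */
bool sc_update_permissions(struct security_controller *sc, struct sc_config next)
{
    if (next.base > next.limit || (next.allowed & ~(ACC_READ | ACC_WRITE)) != 0)
        return false;
    sc->cfg = next;
    return true;
}

struct demo_result {
    uint32_t before;         /* grants under the read-only window */
    unsigned notifications;  /* denials reported to the SMU */
    bool bad_update;         /* result of a malformed update */
    uint32_t after;          /* grants after a valid read/write update */
};

/* Constructed request: three addresses from one processing module. */
struct demo_result run_demo(void)
{
    static const struct sc_access req[] = {
        { 0x80000100u, ACC_READ  },  /* in range, permitted type */
        { 0x80000200u, ACC_WRITE },  /* in range, type not permitted */
        { 0x90000000u, ACC_READ  },  /* outside the permitted range */
    };
    struct security_controller sc = { { 0x80000000u, 0x8000FFFFu, ACC_READ }, 0 };
    struct demo_result r;

    r.before = sc_check_request(&sc, req, 3);
    r.notifications = sc.smu_notifications;
    r.bad_update = sc_update_permissions(
        &sc, (struct sc_config){ 0x8000FFFFu, 0x80000000u, ACC_READ });
    r.after = sc_update_permissions(
        &sc, (struct sc_config){ 0x80000000u, 0x8000FFFFu, ACC_READ | ACC_WRITE })
        ? sc_check_request(&sc, req, 3) : 0;
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("before=0x%x notified=%u bad_update=%d after=0x%x\n",
           (unsigned)r.before, r.notifications, (int)r.bad_update, (unsigned)r.after);
    return 0;
}
```

The mixed case is the one to watch: the first address is served while the other two are blocked and reported, and the out-of-range address stays blocked even after the access type is widened.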
It should be noted that, user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the various embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (Read-Only Memory, ROM), magnetic tape, floppy disk, flash memory, optical memory, high density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric memory (Ferroelectric Random Access Memory, FRAM), phase change memory (Phase Change Memory, PCM), graphene memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can take a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like. The databases referred to in the various embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum computing-based data processing logic units, etc., without being limited thereto.
The technical features of the above embodiments may be arbitrarily combined. For brevity, not all possible combinations of these technical features are described; however, as long as a combination of technical features contains no contradiction, it should be considered within the scope of this description.
The above examples represent only a few embodiments of the present application; they are described in relative detail but are not to be construed as limiting the scope of the present application. It should be noted that those skilled in the art could make various modifications and improvements without departing from the spirit of the present application, and these would fall within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (9)

1. A memory access control method, wherein the method is applied to a secure controller in a graphics processor, the graphics processor including at least one processing module, and at least one of the secure controllers to which the at least one processing module corresponds, the method comprising:
acquiring a memory access request corresponding to a target processing module in the graphics processor; the memory access request comprises a memory address to be accessed and a first access type;
determining whether to access a memory corresponding to the memory address to be accessed according to target configuration information of a target security controller, the memory address to be accessed and the first access type; the target security controller is a security controller corresponding to the target processing module.
2. The method of claim 1, wherein the determining whether to access the memory corresponding to the memory address to be accessed according to the target configuration information of the target security controller, the memory address to be accessed, and the first access type comprises:
matching the memory address to be accessed and the first access type with the target configuration information respectively to obtain a matching result;
and determining whether to access the memory corresponding to the memory address to be accessed according to the matching result.
3. The method according to claim 2, wherein the determining whether to access the memory corresponding to the memory address to be accessed according to the matching result includes:
if the matching result is that the memory address to be accessed and the first access type are matched with the target configuration information, determining to access a memory corresponding to the memory address to be accessed;
if the matching result is that the memory address to be accessed and/or the first access type is not matched with the target configuration information, determining to prohibit access to the memory corresponding to the memory address to be accessed;
if the matching result is that the first memory address to be accessed and the corresponding first access type are matched with the target configuration information, and the second memory address to be accessed and/or the corresponding first access type are not matched with the target configuration information, determining to access the memory corresponding to the first memory address to be accessed, and determining to prohibit access to the memory corresponding to the second memory address to be accessed; the memory addresses to be accessed include the first memory address to be accessed and the second memory address to be accessed.
4. The method of claim 3, wherein the target configuration information includes a range of memory addresses that the target processing module is permitted to access and a second access type corresponding to the range of memory addresses; the matching the memory address to be accessed and the first access type with the target configuration information respectively to obtain a matching result includes:
if the memory address to be accessed is located in the memory address range and the second access type is consistent with the first access type, determining that the matching result is that the memory address to be accessed and the first access type are matched with the target configuration information;
if the memory address to be accessed is not located in the memory address range and/or the second access type is inconsistent with the first access type, determining that the matching result is that the memory address to be accessed and the first access type are not matched with the target configuration information;
if the first memory address to be accessed is located in the memory address range, the second access type is consistent with the first access type corresponding to the first memory address to be accessed, and the second memory address to be accessed is not located in the memory address range and/or the second access type is inconsistent with the first access type corresponding to the second memory address to be accessed, determining that the matching result is that the first memory address to be accessed and the corresponding first access type are matched with the target configuration information, and the second memory address to be accessed and/or the corresponding first access type are not matched with the target configuration information.
5. The method of claim 3, wherein the graphics processor further comprises a system management unit; the method further comprises the steps of:
sending notification information to the system management unit under the condition that the access to the memory corresponding to the memory address to be accessed is forbidden or under the condition that the access to the memory corresponding to the second memory address to be accessed is forbidden; the notification information is used to indicate that there is an abnormal access.
6. The method of claim 5, wherein the method further comprises:
receiving a permission update instruction sent by the system management unit; the permission update instruction is an instruction triggered after the system management unit receives a permission update request sent by the computer device;
and updating the memory address and the access type of the target security controller according to the permission update instruction.
7. A security controller for performing the memory access control method according to any one of claims 1-6.
8. A memory access control device, wherein the device is disposed in a security controller according to claim 7, the device comprising:
the acquisition module is used for acquiring a memory access request corresponding to the target processing module in the graphics processor; the memory access request comprises the memory address to be accessed and a first access type;
the determining module is used for determining whether to access the memory corresponding to the memory address to be accessed according to the target configuration information of the target security controller, the memory address to be accessed and the first access type; the target security controller is a security controller corresponding to the target processing module.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
CN202310280085.2A 2023-03-21 2023-03-21 Memory access control method, security controller and memory access control device Active CN116303142B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310280085.2A CN116303142B (en) 2023-03-21 2023-03-21 Memory access control method, security controller and memory access control device

Publications (2)

Publication Number Publication Date
CN116303142A true CN116303142A (en) 2023-06-23
CN116303142B CN116303142B (en) 2024-03-19

Family

ID=86790097

Country Status (1)

Country Link
CN (1) CN116303142B (en)

Also Published As

Publication number Publication date
CN116303142B (en) 2024-03-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant