CN116501664A - Storage device for performing access right control and method of operating the same - Google Patents
- Publication number: CN116501664A (application number CN202310093313.5A)
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- information
- storage device
- virtual
- read request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1458—Protection against unauthorised use of memory or access to memory by checking the subject access rights
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
A storage device for performing access rights control and a method of operating the same are disclosed. The storage device includes processing circuitry configured to store a plurality of security information associated with a plurality of namespaces in response to a command from the host, each of the security information including virtual machine information associated with a corresponding one of the plurality of virtual machines and unique information associated with the corresponding virtual machine, the virtual machine information including an identifier of the corresponding virtual machine and the unique information including unique information uniquely set for the corresponding virtual machine, extract at least first information by decoding a data access request received from the host device, and abort processing of the data access request based on the security information and the extracted at least first information.
Description
Cross Reference to Related Applications
This application is based on and claims priority to Korean Patent Application No. 10-2022-0011789, filed at the Korean Intellectual Property Office on January 26, 2022, and Korean Patent Application No. 10-2022-0069111, filed at the Korean Intellectual Property Office on July 6, 2022, the disclosures of each of which are incorporated herein by reference in their entirety.
Technical Field
Various example embodiments of the inventive concepts relate to storage devices, systems including storage devices, methods of operating storage devices, and/or non-transitory computer-readable medium devices storing computer-readable instructions for performing the methods of operating storage. More particularly, one or more example embodiments relate to a storage device for performing access rights control in response to a data access request from a host, a system including the storage device, a method of operating the storage device, and/or a non-transitory computer-readable medium storing computer-readable instructions for performing the method of operating the storage device.
An example of a storage device based on a flash memory device is a Solid State Drive (SSD). Interfaces used in storage systems such as SSDs include Serial Advanced Technology Attachment (SATA) interfaces, Peripheral Component Interconnect Express (PCIe) interfaces, Serial Attached SCSI (SAS) interfaces, Compute Express Link (CXL) interfaces, and the like; furthermore, PCIe bus-based interfaces such as the Non-Volatile Memory Express (NVMe) interface have also been proposed.
The storage device may be shared by multiple hosts, and further, each host may run multiple Virtual Machines (VMs), where the multiple VMs of each host may share the storage device. For example, a storage medium in a storage device may include multiple namespaces, and different VMs may have access to different namespaces. Conventionally, the storage device itself employs no security policy that can prevent malicious access attempts made without normal and/or valid access rights, which reduces the security of user data.
Disclosure of Invention
Various example embodiments of the inventive concepts provide a storage device, a system including the storage device, and/or a method of operating the storage device that are capable of preventing malicious access attempts without normal and/or valid access rights by employing security policies in the storage device.
According to at least one example embodiment of the inventive concepts, there is provided a storage device including a nonvolatile memory including a plurality of unit blocks, the plurality of unit blocks being allocated into a plurality of namespaces, each of the plurality of namespaces being associated with at least one virtual machine of a plurality of virtual machines generated by a host device, and a processing circuit configured to store a plurality of security information associated with the plurality of namespaces in response to a command from the host, each of the security information including virtual machine information associated with a corresponding one of the plurality of virtual machines and unique information associated with the corresponding virtual machine, the virtual machine information including an identifier of the corresponding virtual machine, and the unique information including unique information uniquely set for the corresponding virtual machine, extract at least first information by decoding a data access request received from the host device, and suspend processing of the data access request based on the security information and the extracted at least one first information.
According to at least one example embodiment of the inventive concepts, there is provided a method of operating a storage device, the method of operating including receiving a set command from a host device, storing a plurality of security information in response to the set command, the plurality of security information including a plurality of virtual machine information associated with each of the plurality of virtual machines, the virtual machines being generated by the host device, each of the virtual machine information including a memory address indicating a location in host memory of an input/output queue associated with the associated virtual machine and a namespace Identifier (ID) indicating a namespace associated with the virtual machine, and selectively suspending processing of a read request received from the host device based on the security information and information extracted from the read request.
According to at least one example embodiment of the inventive concepts, a host device is provided that includes a host memory including a plurality of input/output queues allocated to at least one of a plurality of virtual machines, and processing circuitry configured to manage generation of the plurality of virtual machines and allocation of the plurality of input/output queues in the host memory to the plurality of virtual machines, each of the virtual machines configured to generate a read request to access the plurality of namespaces through independent paths according to a virtualization technique, and to send a set command to a storage device, the set information including a plurality of security information associated with the plurality of virtual machines, each of the plurality of security information including virtual machine information identifying the associated virtual machine, a memory address indicating a location of the input/output queue allocated to the associated virtual machine, and a namespace Identifier (ID) indicating a namespace associated with the virtual machine.
Drawings
Various exemplary embodiments of the inventive concept will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings in which:
FIG. 1 is a block diagram illustrating a data processing system in accordance with at least one example embodiment;
FIG. 2 is a block diagram illustrating a data processing system to which virtualization techniques are applied in accordance with at least one example embodiment;
FIG. 3 is a block diagram illustrating an example of an implementation of a controller in accordance with at least one example embodiment;
FIG. 4 is a block diagram illustrating a particular example of an implementation of a data processing system in accordance with at least one example embodiment;
FIG. 5 is a block diagram illustrating an example of using security information in accordance with at least one example embodiment;
FIGS. 6 and 7 are flowcharts illustrating methods of operation of data processing systems according to some example embodiments;
FIGS. 8 and 9 are block diagrams illustrating a process of setting and using secure data in accordance with at least one example embodiment;
FIG. 10 is a block diagram illustrating a data processing system in accordance with at least one example embodiment;
FIG. 11 is a perspective view illustrating an implementation example of a cell block included in a non-volatile memory in accordance with at least one example embodiment;
FIG. 12 is a block diagram illustrating a situation in which a Solid State Drive (SSD) is applied to a storage device in a data processing system, according to some example embodiments; and
FIG. 13 is a block diagram illustrating a data center including storage devices in accordance with at least one example embodiment.
Detailed Description
Hereinafter, various exemplary embodiments of the inventive concept will be described in detail with reference to the accompanying drawings.
FIG. 1 is a block diagram illustrating a data processing system 10 in accordance with at least one example embodiment.
Referring to FIG. 1, data processing system 10 may include at least one host 100 and/or storage device 200, etc., but the example embodiments are not so limited, and for example, data processing system 10 may include a greater or lesser number of constituent components, etc. The storage device 200 may include at least one controller 210 and at least one non-volatile memory (NVM) 220, etc. The host 100 (e.g., host device, external host, external computer, host system, etc.) may provide data write and/or read requests to the storage device 200. Further, in response to a data deletion request from the host 100, the storage device 200 may perform a deletion operation on data in an area indicated by the host 100. According to some example embodiments, the host 100 may include a plurality of hosts or the like.
In at least one example embodiment, the storage device 200 includes at least one storage medium and/or at least one controller, where the controller may be implemented as processing circuitry configured to control the storage medium, and both may be referred to by terms other than those used here. For example, the storage device 200 may be referred to as a memory system, a storage system, a cloud storage system, a distributed storage system, etc., and the controller 210 may be referred to as a storage controller, a memory controller, etc. The processing circuitry may comprise hardware including logic circuitry; a hardware/software combination, such as a processor executing software and/or firmware; or a combination thereof. For example, the processing circuitry may more specifically include, but is not limited to, a Central Processing Unit (CPU), an Arithmetic Logic Unit (ALU), a digital signal processor, a microcomputer, a Field Programmable Gate Array (FPGA), a system on a chip (SoC), a programmable logic unit, a microprocessor, an Application Specific Integrated Circuit (ASIC), and the like.
The storage device 200 may include a storage medium that stores data in response to a request from the host 100. For example, storage device 200 may include one or more Solid State Drives (SSDs), but is not limited thereto. When storage device 200 includes an SSD, NVM 220 may include multiple flash memory chips (e.g., NAND memory chips, VNAND memory chips, etc.) to store data and NVM 220 may be non-volatile. Hereinafter, in the description of the example embodiment, it is assumed that the storage device 200 includes one or more flash memory chips, but the example embodiment is not limited thereto.
As another example, storage device 200 may include various other types of memory in addition to or in place of NVM. For example, the storage device 200 may include, as NVM, memory types such as Magnetic Random Access Memory (MRAM), spin-transfer torque MRAM, Conductive Bridging RAM (CBRAM), Ferroelectric RAM (FeRAM), Phase-change RAM (PRAM), resistive RAM, nanotube RAM, Polymer RAM (PoRAM), Nano Floating Gate Memory (NFGM), holographic memory, molecular electronic memory devices, and/or insulator resistance change memory, etc.
The host 100 may communicate with the storage device 200 through various interfaces. For example, host 100 may communicate with storage device 200 through interfaces such as a Universal Serial Bus (USB) interface, a MultiMedia Card (MMC) interface, a PCIe interface, an Advanced Technology Attachment (ATA) interface, a SATA interface, a Parallel ATA (PATA) interface, a SCSI interface, a SAS interface, an Enhanced Small Disk Interface (ESDI), an Integrated Drive Electronics (IDE) interface, a CXL interface, and/or an NVM Express (NVMe) interface, and the like. According to some example embodiments, it is assumed that in data processing system 10, host 100 and storage device 200 communicate over an NVMe-based interface on a PCIe bus, but example embodiments are not limited thereto.
According to at least one example embodiment, the host 100 may include, but is not limited to, at least one processor 110 and/or at least one host memory 120, etc. The processor 110 may control memory operations such as data writing and/or data reading performed on the storage device 200 by executing software stored in the host memory 120. In at least one example embodiment, the host 100 may encode and/or decode at least one data packet that meets the criteria defined in the NVMe interface. The host 100 may store at least one data packet corresponding to a write and/or read request in the host memory 120 and store a completion response from the storage device 200 in the host memory 120 in response to the memory request (e.g., write and/or read request, etc.). In some example embodiments below, each of the write request and the read request by the host 100 to the storage device 200 may correspond to an access request Req, and at least one data packet provided by the host 100 may be referred to as a request and/or command, etc. According to at least one example embodiment, the processor 110 may be implemented as processing circuitry and may include hardware including logic circuitry; a hardware/software combination, such as a processor executing software and/or firmware; or a combination thereof. For example, the processing circuitry may more specifically include, but is not limited to, a Central Processing Unit (CPU), an Arithmetic Logic Unit (ALU), a digital signal processor, a microcomputer, a Field Programmable Gate Array (FPGA), a system on a chip (SoC), a programmable logic unit, a microprocessor, an Application Specific Integrated Circuit (ASIC), and the like.
In at least one example embodiment, controller 210 (e.g., processing circuitry) may include access rights controller 211, and NVM 220 may include a plurality of Namespaces (NS), although example embodiments are not limited in this regard. Each flash memory chip included in NVM 220 may include an array of memory cells, and the array of memory cells may include one or more blocks of cells. FIG. 1 illustrates a case where NVM 220 includes multiple namespaces, e.g., first NS 1 through kth NS K. The plurality of cell blocks included in NVM 220 may be categorized (e.g., allocated and/or assigned) to the first through kth NSs, NS 1 through NS K, and one or more cell blocks may be assigned to each of the first through kth NSs, NS 1 through NS K.
In at least one example embodiment, the host 100 may generate and/or execute a plurality of Virtual Machines (VMs) under the control of the processor 110. For example, the host 100 may manage the NSs by using a virtualization technique, and a plurality of VMs may commonly access the same storage device, but example embodiments are not limited thereto. For example, host memory 120 may include a virtual machine management module (not shown) configured to enable access to storage device 200 based on virtualization technology, and processor 110 may execute the VM management module to generate a plurality of VMs. Multiple VMs may share resources in host 100, such as at least one processor, memory, firmware, and/or software, etc., but from the perspective of storage device 200, each of the multiple VMs may appear as separate virtual hardware accessing data. In other words, while there is only one physical hardware, multiple VMs may virtually access the same physical hardware as if it were multiple pieces of virtual hardware.
The first NS 1 through kth NS K may be associated with and/or assigned to a plurality of VMs. The storage device 200 may associate the first NS 1 to kth NS K with a plurality of VMs under the control of the host 100; for example, each VM may access data in an NS by being associated with at least one NS. Each VM may be associated with one or more NSs, and additionally and/or alternatively, at least two VMs may share any NS.
The host 100 may generate any number of VMs and the process of verifying access rights of one or more VMs to the NS may be performed by the host 100. For example, when generating the first to kth NS 1 to NS K, the host 100 may manage Identifier (ID) information (hereinafter, referred to as NS ID) of the first to kth NS 1 to NS K, and may provide the NS ID associated with each VM to the corresponding VM. Further, each of the plurality of VMs may generate an access request Req including an NS ID for accessing data in the allocated NS, and transmit the access request Req to the storage device 200 or the like.
However, when a VM is occupied by a malicious user, computer virus, or the like, and attempts to access a particular NS in the storage device 200 through the occupied VM, the storage device 200 may unknowingly decode malicious and/or invalid access requests Req from the host 100, read data from the particular NS indicated by the access requests Req, and provide the read data to the host 100. In such a case, data processing system 10, where security is important, may provide data to malicious users and/or computer viruses without normal and/or valid access rights, thereby weakening and/or compromising the data security of storage device 200, data processing system 10, and/or any person having information stored in storage device 200, etc.
According to at least one example embodiment, security information (not shown) for determining access rights may be set and/or stored in the access rights controller 211 in response to at least one set command cmd_s from the host 100. The access rights controller 211 may determine whether the access request Req from the host 100 is a valid request of a user (and/or VM) having normal and/or valid rights based on a comparison between information extracted from the access request Req and the security information stored in the access rights controller 211, but is not limited thereto. If the access rights controller 211 determines that the access request Req is a request of a VM having normal and/or valid rights, the controller 210 may perform a control operation to process the access request Req from the host 100 normally. Otherwise, if access rights controller 211 determines that access request Req is not a valid request of a VM having normal and/or valid rights (e.g., access request Req is a malicious request, a rogue request, etc.), access rights controller 211 may abort processing of access request Req from host 100 to reduce and/or prevent data from being read from and/or written to NVM 220 maliciously, invalidly, and/or fraudulently.
In at least one example embodiment, the security information set in the access rights controller 211 may include information associated with each of the plurality of VMs generated in the host 100. For example, the security information may include a plurality of entries corresponding to the plurality of VMs, and each entry may include mapping information between VM information indicating an identification of the corresponding VM and at least one piece of unique information uniquely assigned to the corresponding VM.
For example, the host 100 may allocate memory space at a particular, unique, and/or desired location (e.g., memory location, etc.) in the host memory 120 to an input/output queue (IOQ) of each VM, and the unique information may include a memory address indicating the location of the allocated IOQ in the host memory 120. For example, the IOQ may include memory space included within a certain and/or desired address range, and the memory address may include information related to the address range. Further, the host 100 may assign at least one NS to each VM, and the unique information may include an NS ID indicating the NS assigned to each VM. That is, each entry in the security information may include VM information of any single VM, as well as a memory address and/or NS ID mapped to the VM information, etc., but example embodiments are not limited thereto.
According to at least one example embodiment, the controller 210 may decode an access request Req from the host 100 and extract at least one piece of information from the decoded access request Req to compare with the security information. The access rights controller 211 may decode the access request Req to determine VM information identifying the VM that generated the access request Req, and extract a memory address indicating the location of the IOQ associated with the data access and/or an NS ID, etc. The access rights controller 211 may then look up the memory address and/or NS ID mapped to the determined VM information in the security information. In addition, the access rights controller 211 may determine whether the access request Req is an access by a VM having normal and/or valid rights based on the decoded request information and the security information, for example, by comparing the memory address and NS ID extracted from the access request Req with the memory address and NS ID included in the security information. For example, the access rights controller 211 may determine whether the memory address extracted from the access request Req is within the memory address range included in the security information, and further, the access rights controller 211 may determine whether the NS ID extracted from the access request Req matches the NS ID included in the security information.
The controller 210 may terminate the processing of the access request Req based on the determination result of the access rights controller 211, thereby enhancing and/or improving user data security. For example, when a malicious user (e.g., an unauthorized user, a computer virus, etc.) that does not have normal and/or valid access rights occupies a particular VM (e.g., a second VM) and attempts to access an NS associated with another VM (e.g., the first VM) through an IOQ in host memory 120 allocated to the first VM, at least one of the memory address and the NS ID extracted from the access request Req may differ from the memory address and the NS ID mapped to the VM information indicating the first VM in the security information. Thus, the controller 210 may abort processing of the access request Req from the second VM, which lacks normal and/or valid access rights. In addition, when a malicious user does not know at least one of the memory address of the IOQ allocated to the first VM and the NS ID associated with the first VM, the processing of the access request Req from the second VM having no normal and/or valid access rights may be suspended by the controller 210 by using the comparison procedure against the security information in the storage device 200.
In at least one example embodiment, in the access right controller 211, the circuit configured to store security information and the circuit configured to determine access rights may be implemented using a single circuit block. In addition, in the access right controller 211, the storage circuit configured to store security information and the circuit configured to determine the access right may be implemented by separate circuit blocks. Further, the storage circuit configured to store the security information may be implemented using a volatile memory and/or an NVM, and for example, when the storage circuit is implemented using the volatile memory, the host 100 may control an operation of setting the security information of the storage device 200 when the data processing system 10 is initially operated, but the example embodiment is not limited thereto.
FIG. 2 is a block diagram illustrating a data processing system 300 to which virtualization techniques are applied, in accordance with at least one example embodiment.
Referring to FIG. 2, a data processing system 300 may include at least one host 310 and at least one storage device 320, etc., and storage device 320 may include at least one controller 321 and at least one NVM 322, etc., although example embodiments are not limited thereto. The host 310 may include at least one VM manager 311 and a plurality of VMs, such as a first VM 312_1 through an nth VM 312_n, and the like. The VM manager 311 may be implemented by hardware or a combination of hardware and software; for example, the functions of the VM manager 311 may be implemented by a processor executing software. The VM manager 311 may be referred to as a hypervisor and is configured to generate and execute the first to nth VMs 312_1 to 312_n, but the example embodiments are not limited thereto.
The host 310 may request generation and/or deletion of an NS associated with each of the first to nth VMs 312_1 to 312_n, but is not limited thereto. For example, the storage device 320 may generate the first NS 1 to the kth NS K as a plurality of NSs based on the control and/or instruction of the host 310. According to at least one example embodiment, the plurality of cell blocks included in NVM 322 may be classified and/or allocated as the first NS 1 through kth NS K, each of the first VM 312_1 through nth VM 312_n may be associated with at least one NS, and an access request may be generated to access its associated NS. For example, when each of the first to nth VMs 312_1 to 312_n generates an access request, an NS ID indicating an NS to which it has access rights may be included in the access request.
The controller 321 may include an NS management module 321_1 and/or an access right controller 321_2, but is not limited thereto. The NS management module 321_1 may manage an operation of generating and/or deleting the first NS 1 to the kth NS K in response to at least one request from the host 310. In addition, the NS management module 321_1 may control at least one access operation to the first NS 1 to the kth NS K in response to at least one request from the host 310, and for example, the NS management module 321_1 may perform and/or suspend processing of an access request from the host 310 based on control and/or instruction of the access authority controller 321_2. However, example embodiments are not limited thereto, and the controller 321 may include an additional component configured to control read/write operations performed on the first NS 1 to the kth NS K according to and/or based on the access right determination, and/or control the additional component or the like to process the access request and/or suspend the processing of the access request, for example.
According to at least one example embodiment, the access rights controller 321_2 may include a security information storage circuit, and the security information storage circuit may store security information including a plurality of entries in response to a set command (e.g., an allocation command, etc.) from the host 310. For example, according to at least one example embodiment, a plurality of entries may correspond to VMs generated in the host 310, and each entry may include VM information VM Info and/or mapping information as an example of unique information, which is mapping information between a memory address RA indicating a location of an IOQ allocated to a VM and an NS ID NSID, with respect to and/or corresponding to the VM, but example embodiments are not limited thereto, and other unique information may be specific to each VM, for example. The access right controller 321_2 may receive an access request (e.g., a read request req_r) from the host 310, extract one or more pieces of information through a decoding operation of the read request req_r, and determine whether to suspend processing of the read request req_r based on a comparison between the extracted information and security information stored in the security information storage circuit. In other words, the access authority controller 321_2 may determine whether to suspend the read request req_r based on the extracted information and the security information stored in the security information storage circuit, or the like.
As an example of an operation in which the first VM VM1 accesses an NS (e.g., the first NS 1) to which it has normal and/or valid rights, the first VM VM1 may generate a read request req_r including a memory address RA indicating the IOQ allocated to the first VM VM1 and an NS ID NSID indicating the first NS 1. For example, VM information indicating the first VM VM1 may be added to the read request req_r during the packet generation process based on the NVMe interface, but example embodiments are not limited thereto.
The read request req_r from the first VM VM1 may be provided to the storage device 320, and the controller 321 may decode the read request req_r to extract the VM information indicating the first VM VM1 and the memory address RA and NS ID NSID included in the read request req_r. If the first VM VM1 has normal and/or valid access rights to the first NS 1, the memory address RA and NS ID NSID that the security information stored in the access right controller 321_2 maps to the VM information indicating the first VM VM1 will match the information extracted from the read request req_r, and thus the read request req_r may be processed normally (e.g., may be allowed to execute, etc.).
Otherwise, if the second VM VM2, which does not have normal and/or valid access rights to the first NS 1, transmits a read request req_r in an attempt to access the first NS 1, the information extracted by decoding the read request req_r will not match the information included in the security information. The memory address RA and NS ID NSID that the security information stored in the access right controller 321_2 maps to the VM information indicating the second VM VM2 are those allocated to the second VM VM2 when the host 310 performed the setting, so at least one of the memory address RA and the NS ID NSID included in the security information will differ from the memory address RA and/or the NS ID NSID extracted from the read request req_r. Thus, processing of a read request req_r issued by a malicious user and/or computer virus may be aborted (e.g., not performed).
Fig. 3 is a block diagram illustrating an example of an implementation of a controller 400 in accordance with at least one example embodiment.
Referring to fig. 3, the controller 400 may include a host interface (I/F) circuit 410, a memory I/F circuit 420, at least one processor 430, an access right control module 440, a working memory 450, and/or an Error Correction Code (ECC) circuit 460, etc., but example embodiments are not limited thereto. In at least one example embodiment, various types of software executable by the processor 430 may be loaded into the working memory 450; for example, when the NVM controlled by the controller 400 includes a flash memory device, a Flash Translation Layer (FTL) may be loaded into the working memory 450. In addition, in another implementation example, when the NS management function according to at least one example embodiment is implemented in software, the NS management module may be loaded into the working memory 450 for execution by the processor 430. The working memory 450 may be implemented in various forms such as RAM, Read Only Memory (ROM), Electrically Erasable Programmable ROM (EEPROM), flash memory, and/or other memory technologies.
The processor 430 may control the general operation of the storage device by executing various software stored in the working memory 450. The host I/F circuitry 410 may communicate with a host in accordance with certain and/or desired interfaces, and for example, the controller 400 may connect to the host via a PCIe bus and communicate with the host in accordance with an NVMe interface, although the example embodiments are not limited in this respect. In addition, the memory I/F circuit 420 may provide an interface with a plurality of storage media included in the NVM, and for example, the memory I/F circuit 420 may perform independent communication with the plurality of storage media through a plurality of channels, respectively. Further, the ECC circuit 460 may perform error detection and correction operations on data to be stored in the storage device and/or data already stored on the storage device, and for example, the ECC circuit 460 may generate ECC parity from write data and perform error detection and correction operations by using read data and ECC parity corresponding to the read data, but example embodiments are not limited thereto.
According to at least one example embodiment, the access rights control module 440 may include hardware components and/or software components to be executed on hardware, etc., and when the access rights control module 440 includes software components, software included in the access rights control module 440 may be loaded into the working memory 450 for execution by the processor 430, etc. The access rights control module 440 may determine whether the data access request from the host is an access request from a VM having normal and/or valid rights in response to the data access request. For example, according to some example embodiments, security information may be stored in the access rights control module 440 based on a set command from the host, the access rights control module 440 may decode an access request from the host to extract various information included in the access request, and compare the extracted information with the security information to perform and/or suspend processing of the access request from the host, and the like.
FIG. 4 is a block diagram illustrating a particular example of an implementation of a data processing system 500 in accordance with at least one example embodiment.
Referring to FIG. 4, a data processing system 500 may include at least one host 510 and/or at least one storage device 520, the host 510 may include a VM manager 511, and a plurality of VMs may be generated by the host 510 based on control and/or instructions of the VM manager 511, but example embodiments are not limited thereto. Fig. 4 illustrates a case in which the first VM 512 and the second VM 513 are generated, but example embodiments are not limited thereto.
The VM manager 511 may allocate an IOQ to a VM in response to a request (e.g., an IOQ allocation request) from the VM. For example, the host 510 may include a host memory 514, and although fig. 4 shows the IOQs separate from the host memory 514, each IOQ may correspond to a memory space included in the host memory 514, but is not limited thereto, and an IOQ may be allocated in a memory other than the host memory 514. In at least one example embodiment, a first IOQ IOQ0 and a second IOQ IOQ1 may be allocated to the first VM 512, and a third IOQ IOQ2 and a fourth IOQ IOQ3 may be allocated to the second VM 513, but example embodiments are not limited thereto. Further, address information (e.g., memory addresses) indicating the location of the IOQs assigned to each VM may be provided to the first VM 512 and the second VM 513. In addition, each IOQ may include a Submission Queue (SQ) to store packets to be transmitted to the storage device 520 and a Completion Queue (CQ) to store packets transmitted from the storage device 520.
The storage device 520 may include a controller (e.g., a memory controller, etc.), and when a single root input/output virtualization (SR-IOV) function according to the NVMe interface is provided between the host 510 and the storage device 520, the storage device 520 may generate a plurality of Virtual Functions (VFs), e.g., a first VF 521 and a second VF 522 corresponding to the first VM 512 and the second VM 513, but example embodiments are not limited thereto. The first VF 521 and the second VF 522 may be implemented in and/or generated by the controller of the storage device 520 in response to requests from the host 510, and may independently process data access requests from the host 510. Further, since each of the first VF 521 and the second VF 522 processes requests from its corresponding VM, each of the first VM 512 and the second VM 513 can perform data accesses to the storage device 520 via a separate path.
As an example of a read request from the host 510, each of the first VF521 and the second VF 522 may determine whether the read request from the host 510 is a read request from a VM having normal and/or valid permissions. An access rights controller according to some example embodiments may be implemented in each of the first VF521 and the second VF 522 and may include, for example, a security manager and/or security information storage circuitry (e.g., part of the security information storage circuitry allocated to virtual functions) or the like, although example embodiments are not limited in this regard. For example, as shown in FIG. 4, the first VF521 may include a first security manager 521_1 and a first security information storage circuit 521_2, and the second VF 522 may include a second security manager 522_1 and a second security information storage circuit 522_2, but is not limited thereto. In addition, the NVM can include a plurality of NS. Fig. 4 illustrates a case in which the first NS 523 and the second NS 524 are generated, but example embodiments are not limited thereto.
An example in which the second VM 513, which has no normal and/or valid access rights to the first NS 523, maliciously and/or invalidly attempts to access the first NS 523 is described below.
When the second VM 513 generates a read request as a malicious attempt to access the first NS 523, the read request may be routed to the first VF 521 by adding information indicating a path to the first VF 521, and the memory address allocated to the first VM 512 and the NS ID indicating the first NS 523 may be included in the read request. Further, VM information indicating the second VM 513 that actually generated the read request may be added to the read request in the packet generation process according to and/or based on the interface with the storage device 520.
The first VF 521 may decode the received read request and suspend processing of the read request based on a comparison of the VM information extracted by the decoding with the security information stored in the first security information storage circuit 521_2. In contrast, in a conventional storage device, the first VF 521 would read data from the first NS 523 indicated by the read request from the second VM 513 and store packets including the read data in the IOQ in the host memory 514 allocated to the first VM 512. According to at least one example embodiment, however, the memory address and NS ID mapped to the VM information indicating the second VM 513 (as extracted from the read request) are read from the first security information storage circuit 521_2. The read security information will not match the memory address and NS ID extracted from the read request, and thus processing of the read request from the second VM 513, which does not have normal and/or valid access rights, may be aborted. In other words, the access rights and/or security credentials of the VM requesting the memory operation are verified, and if the verification is unsuccessful, the requested memory operation may be aborted, cancelled, etc.
Fig. 5 is a block diagram illustrating an example of using security information in accordance with at least one example embodiment.
As an example of the operation of the first VF 521, the first security manager 521_1 may include a request decoder 521_11, a comparator 521_12, and/or a suspension controller 521_13, but is not limited thereto. The first security information storage circuit 521_2 may store security information including a plurality of entries. The security information may include an entry corresponding to each of the plurality of VMs that can access the storage device 520, and may include, for example, VM information VM Info indicating and/or corresponding to each of the plurality of VMs, and a memory address RAM_ADDR and an NS ID NSID, etc., as information mapped to the VM information VM Info.
In at least one example embodiment, after setting the security information in the storage device 520 in response to at least one command from the host 510, one or more VMs may be additionally generated in the host 510, and thus, the security information in the storage device 520 may be updated. For example, security information may be set for each of the VFs generated in the storage device 520, and the security information set for each of the VFs may be updated accordingly as VMs are added and/or removed in the host 510.
The request decoder 521_11 may perform a decoding operation on the read request req_r provided to the first VF 521 and may extract at least one piece of information from the read request req_r. For example, the request decoder 521_11 may extract VM information indicating the VM that generated the read request req_r, a memory address indicating the location of the IOQ, and/or the NS ID of the access destination. In at least one example embodiment, the VM information may be added to the packet in the packet generation process according to and/or based on the NVMe interface, while the memory address and NS ID may be generated at the VM requesting the data access and included in the packet.
The comparator 521_12 may perform a comparison operation by matching the information extracted by the request decoder 521_11 with the security information stored in the first security information storage circuit 521_2, and may provide the comparison result to the suspension controller 521_13. The suspension controller 521_13 may output a suspension signal info_a indicating whether to suspend processing of the read request req_r based on the received comparison result, and the first VF 521 may suspend processing of the read request req_r in response to the suspension signal info_a to reduce and/or prevent access to the NS from VMs that are not normally and/or validly authorized, but the example embodiment is not limited thereto. For example, the memory access request may be any memory operation other than a read request, including a write request, an erase request, a move request, an encrypt request, a decrypt request, and the like.
Fig. 6 and 7 are flowcharts illustrating methods of operation of data processing systems according to some example embodiments. Some of the operations shown in fig. 6 and 7 may be performed by a host, and other operations may be performed by a storage device.
Referring to FIG. 6, a data processing system may include a host and a storage device, and multiple VMs may be generated in and/or by the host. For example, in operation S11, a VM manager in the host may generate the first VM, and may perform various types and/or kinds of management so that the first VM can access the storage device. For example, in operation S12, the VM manager may assign a first IOQ and one or more associated first NSs to the first VM. Further, the VM manager may provide the first VM with the first NS ID and a first memory address indicating the location in host memory of the first IOQ assigned to the first VM.
According to at least one example embodiment, in operation S13, the host may provide security information associated with the first VM to the storage device, and for example, a first VF corresponding to the first VM may be generated in the storage device in response to a request from the host. The security information regarding the multiple VMs may be stored in a first VF, and for example, the security information generated in association with the first VM may be set in (e.g., stored in and/or copied to, etc.) the storage circuitry of the first VF. The security information may include various information, and for example, the security information may include VM information indicating the first VM, associated with the first VM, and/or corresponding to the first VM, such as a first memory address and a first NS ID as unique information associated with the first VM, the first memory address and the first NS ID being mapped to VM information associated with the first VM.
Then, in operation S14, the host may generate an additional VM, for example, generate a second VM. Further, in operation S15, a second IOQ at a location different from that of the first IOQ may be allocated to the second VM, and a second NS may be allocated to the second VM, based on control and/or instructions of the VM manager. Further, the VM manager can provide the second NS ID and a second memory address indicating a location in host memory of a second IOQ assigned to the second VM.
Security information regarding and/or corresponding to each of the plurality of VMs in and/or generated by the host may be provided in each of the plurality of VFs provided to the storage device, and thus, in operation S16, the host may provide the first VF with security information generated in association with the second VM and the security information associated with the second VM in the storage circuitry of the first VF may be updated.
Fig. 7 illustrates an example in which a storage device suspends and/or cancels processing of a read request from a host based on security information, but example embodiments are not limited thereto, and for example, other types of data access requests may be authenticated, such as write requests, delete requests, copy requests, and the like. According to at least one example embodiment, in operation S21, a first VF generated in a storage device may receive a read request from a host, but the example embodiment is not limited thereto. When a first VF is generated corresponding to a first VM of a host, the storage device may determine that the first VM has normal and/or valid access rights to a first NS in the storage device for access to the first VF, while the storage device may determine that a VM other than the first VM (e.g., a second VM) does not have normal and/or valid access rights to the first NS in the storage device.
According to some example embodiments, in operation S22, the security manager in the first VF may extract various types and/or kinds of information by decoding the read request and may check VM information indicating and/or corresponding to the requesting VM that has sent the read request from the extracted information. Further, the security information set in the first VF may include security information corresponding to each of the plurality of VMs, and the security information corresponding to the VM information extracted from the read request may be read from the security information storage circuit in operation S23.
In operation S24, a comparison operation may be performed that determines whether the memory address RA_E extracted from the read request matches the memory address RAM_ADDR in the corresponding security information, and whether the NS ID NS_E extracted from the read request matches the NS ID NSID in the corresponding security information. Processing of the read request may continue or be aborted based on the comparison result. For example, if at least one of the memory address RA_E and the NS ID NS_E extracted from the read request differs from the corresponding memory address RAM_ADDR or NS ID NSID in the security information, processing of the read request may be suspended in operation S26. Otherwise, in operation S25, if the memory address RA_E and NS ID NS_E extracted from the read request are identical to the memory address RAM_ADDR and NS ID NSID in the security information, processing of the read request may continue, and a completion response is transmitted to the host.
Fig. 8 and 9 are block diagrams illustrating a process of setting and using security data according to at least one example embodiment.
Referring to FIG. 8, a data processing system 600 may include at least one host 610 and at least one storage device 620, etc., but example embodiments are not limited thereto. The host 610 may include at least one VM manager 611, one or more VMs, e.g., first through fourth VMs, and/or at least one host memory 613. Further, the storage device 620 may include at least one controller 621 (e.g., a memory controller and/or a storage controller, etc.), and an access right controller according to at least one example embodiment may be included in the controller 621. Further, according to some example embodiments, the access right controller may include a security manager and/or a security information storage circuit 622. Although not shown in fig. 9, multiple VFs may be implemented in and/or generated by the controller 621, and a security information storage circuit 622 may be included in each VF. Further, the storage device 620 may include a plurality of NSs, and data is written to and/or read from the plurality of NSs under the control of the controller 621.
As an example of the first VM 612, the first VM 612 may request the VM manager 611 to generate an IOQ associated with the first VM 612. In response to the request, VM manager 611 may allocate an IOQ to be used for communication between first VM 612 and storage device 620 and/or a memory address RA indicating the IOQ in host memory 613.
The host 610 may provide information associated with the NSs and IOQs assigned to the first through fourth VMs to the storage device 620; e.g., the host 610 may provide a first command to the storage device 620 indicating that an IOQ has been generated. In at least one example embodiment, the host 610 may include an Admin Submission Queue (ASQ) 614 and the first command may be sent via the ASQ 614, but example embodiments are not limited thereto. The storage device 620 may store information associated with each of the first through fourth VMs in response to the first command; for example, information about each generated IOQ, a memory address RAM_ADDR indicating the location of the IOQ, and information (an NS ID) indicating the NS whose data may be exchanged through that IOQ may be stored in the security information storage circuit 622.
Then, the host 610 may associate an NS with each of the first through fourth VMs, and according to the association result, the set command of at least one example embodiment may be provided to the storage device 620 as a second command. The set command may include information indicating the IOQs allocated to each of the first through fourth VMs, but is not limited thereto.
As shown in fig. 8, the storage device 620 may store security information in the security information storage circuit 622 in response to the set command from the host 610; for example, the first VM information VM1 may be mapped to memory addresses A and B indicating the first IOQ IOQ0 and the second IOQ IOQ1, and mapped to NS IDs indicating the first NS 1 and the second NS 2. Likewise, the second VM information VM2 may be mapped to memory addresses C and D indicating the third IOQ IOQ2 and the fourth IOQ IOQ3, and mapped to NS IDs indicating the second NS 2 through the fifth NS 5. In at least one example embodiment, data access to the third NS 3 and the fourth NS 4 may be performed through the third IOQ IOQ2, and data access to the second NS 2 and the fifth NS 5 may be performed through the fourth IOQ IOQ3, but example embodiments are not limited thereto.
Fig. 9 illustrates a matching operation on the security information in accordance with at least one example embodiment. Referring to fig. 9, the first VM 612 may store at least one packet in the first IOQ IOQ0 as a read request according to the NVMe interface, and the storage device 620 may transmit a request for acquiring information about the SQ in the first IOQ IOQ0 to the host 610. The read request stored in the SQ of the first IOQ IOQ0 may then be sent to the storage device 620.
The storage device 620 may decode the read request to extract the various information included in it; for example, it may extract the NS ID NSID indicating the NS that is the access target of the read request, together with information (e.g., VM Info) about the VM (the requesting VM) that generated the read request and a memory address (and/or information such as an SQID) indicating the location of the IOQ. The security information stored in the controller 621 may include a plurality of entries, and using the entry corresponding to the VM Info of the requesting VM extracted from the read request, the information mapped to that VM Info may be compared with the information extracted from the read request. For example, the controller 621 may check, determine, verify, and/or authenticate whether the information (SQID) about the SQ belongs to and/or matches the memory address RAM_ADDR included in the security information. The controller 621 may also determine whether the NS ID NSID extracted from the read request is identical to the NS ID NSID included in the security information.
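The following is an added example, not code from the patent or from any vendor firmware, that models the decode-compare-suspend path of FIGS. 5 through 7 and the per-IOQ security table of FIGS. 8 and 9 as a small C program. The structs, function names, the IOQ addresses A through D (0x1000 and so on) and the rule that an NS is only reachable through the IOQ it was mapped to in the set command are assumptions chosen to make the example concrete; the page itself leaves the representation open. The table is populated the way the set command does it (one mapping per call, entries created as VMs appear), and the check fails closed: a VM with no entry, a request carrying another VM's IOQ address, or a request for an NS not mapped to that IOQ is suspended.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ENTRIES    8
#define MAX_IOQ_PER_VM 4
#define MAX_NS_PER_IOQ 4

/* One IOQ allocated to a VM and the NS IDs reachable through it (FIG. 8 layout) */
typedef struct {
    uint64_t ram_addr;                /* host-memory address of the IOQ */
    uint32_t nsid[MAX_NS_PER_IOQ];
    size_t   n_nsid;
} ioq_entry_t;

/* One security-information entry, keyed by VM information */
typedef struct {
    uint32_t    vm_info;
    ioq_entry_t ioq[MAX_IOQ_PER_VM];
    size_t      n_ioq;
} sec_entry_t;

typedef struct { sec_entry_t entry[MAX_ENTRIES]; size_t n_entry; } sec_table_t;

/* What the request decoder extracts from a read request: the requesting VM
 * (added during NVMe packet generation), the IOQ address and the target NS */
typedef struct { uint32_t vm_info; uint64_t ra; uint32_t nsid; } decoded_req_t;

enum { REQ_CONTINUE = 0, REQ_SUSPEND = 1 };

/* Set command from the host: map (vm_info, ram_addr) -> nsid, creating the VM
 * entry and the IOQ slot as needed, so the table can grow as VMs are added.
 * The table must start zero-initialised. Returns -1 when a limit is hit. */
static int sec_table_set(sec_table_t *t, uint32_t vm_info, uint64_t ram_addr, uint32_t nsid)
{
    sec_entry_t *e = NULL;
    for (size_t i = 0; i < t->n_entry; i++)
        if (t->entry[i].vm_info == vm_info) { e = &t->entry[i]; break; }
    if (!e) {
        if (t->n_entry == MAX_ENTRIES) return -1;
        e = &t->entry[t->n_entry++];
        e->vm_info = vm_info;
    }
    ioq_entry_t *q = NULL;
    for (size_t i = 0; i < e->n_ioq; i++)
        if (e->ioq[i].ram_addr == ram_addr) { q = &e->ioq[i]; break; }
    if (!q) {
        if (e->n_ioq == MAX_IOQ_PER_VM) return -1;
        q = &e->ioq[e->n_ioq++];
        q->ram_addr = ram_addr;
    }
    for (size_t i = 0; i < q->n_nsid; i++)
        if (q->nsid[i] == nsid) return 0;   /* already mapped */
    if (q->n_nsid == MAX_NS_PER_IOQ) return -1;
    q->nsid[q->n_nsid++] = nsid;
    return 0;
}

/* Comparator plus suspension controller (FIG. 5): look up the entry for the
 * requesting VM, then require that the IOQ address belongs to that VM and that
 * the NS is reachable through that IOQ. Anything else suspends (fails closed). */
static int access_right_check(const sec_table_t *t, const decoded_req_t *r)
{
    for (size_t i = 0; i < t->n_entry; i++) {
        const sec_entry_t *e = &t->entry[i];
        if (e->vm_info != r->vm_info) continue;
        for (size_t j = 0; j < e->n_ioq; j++) {
            if (e->ioq[j].ram_addr != r->ra) continue;
            for (size_t k = 0; k < e->ioq[j].n_nsid; k++)
                if (e->ioq[j].nsid[k] == r->nsid) return REQ_CONTINUE;
            return REQ_SUSPEND;   /* the VM's own IOQ, but NS not mapped to it */
        }
        return REQ_SUSPEND;       /* IOQ address was not allocated to this VM */
    }
    return REQ_SUSPEND;           /* no security entry for this VM */
}

enum { ADDR_A = 0x1000, ADDR_B = 0x2000, ADDR_C = 0x3000, ADDR_D = 0x4000 }; /* made-up IOQ addresses */

/* Build the FIG. 8 table (VM1: IOQ0->NS1, IOQ1->NS2; VM2: IOQ2->NS3,NS4,
 * IOQ3->NS2,NS5) and run the decode-and-check for one request against it */
static int check_fig8(uint32_t vm_info, uint64_t ra, uint32_t nsid)
{
    sec_table_t t = {0};
    sec_table_set(&t, 1, ADDR_A, 1); sec_table_set(&t, 1, ADDR_B, 2);
    sec_table_set(&t, 2, ADDR_C, 3); sec_table_set(&t, 2, ADDR_C, 4);
    sec_table_set(&t, 2, ADDR_D, 2); sec_table_set(&t, 2, ADDR_D, 5);
    decoded_req_t r = { vm_info, ra, nsid };
    return access_right_check(&t, &r);
}

int main(void)
{
    printf("VM1 via IOQ0 -> NS1: %d\n", check_fig8(1, ADDR_A, 1));     /* 0, continue */
    printf("VM2 forging IOQ0 -> NS1: %d\n", check_fig8(2, ADDR_A, 1)); /* 1, suspend */
    printf("VM2 via IOQ2 -> NS2: %d\n", check_fig8(2, ADDR_C, 2));     /* 1, NS2 only via IOQ3 */
    return 0;
}
```

The second call is the attack of FIG. 4: VM2 places VM1's IOQ address and NS 1 in the request, but the VM information stamped on the packet says VM2, so the lookup lands on VM2's entry and nothing matches. The third call shows the finer FIG. 8 rule, where a VM using its own queue is still suspended when the NS is mapped to a different one of its queues. Note that the whole scheme rests on the VM information being attached by the interface (the NVMe packet generation on the host side) rather than chosen by the guest; a guest that could set that field itself would be checked against the wrong entry, so a deployment has to ensure that field is not guest-writable.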
FIG. 10 is a block diagram illustrating a data processing system 700 in accordance with at least one example embodiment. FIG. 10 illustrates a scenario in which at least one example embodiment is applied to a PCIe Physical Function (PF) when SR-IOV technology is not applied to a storage device.
Referring to fig. 10, a data processing system 700 may include a plurality of VMs 710_1 to 710_n included in at least one host, and the plurality of VMs 710_1 to 710_n may communicate with at least one storage device (e.g., SSD 720) via a PCIe bus, but is not limited thereto. The SSD 720 may include a first PF 721 and a second PF 722 as one or more PFs, and may also include a plurality of NSs 723_1 to 723_k, but is not limited thereto.
The host may assign different IDs to the first PF 721 and the second PF 722 to identify access by the first PF 721 and the second PF 722, and the access request may be provided to the first PF 721 and/or the second PF 722 via the PCIe bus according to and/or based on the ID added to the access request from the host. According to at least one example embodiment, each of the first PF 721 and the second PF 722 may include an access rights controller (and/or security manager), and security information regarding the plurality of VMs 710_1 to 710_n according to some example embodiments may be stored in each of the first PF 721 and the second PF 722.
According to some example embodiments, the plurality of VMs 710_1 to 710_n may access one or more NSs via the first PF 721 and/or the second PF 722, and to determine access rights, each of the first PF 721 and the second PF 722 may perform a matching operation using security information. Processing of the access request by the VM may continue or be aborted based on the result of the match using the security information.
Fig. 11 is a perspective view illustrating an embodiment of a cell block BLKa included in an NVM according to at least one example embodiment.
Referring to fig. 11, a cell block BLKa, which may be allocated to an NS according to at least one example embodiment of the inventive concepts, may have a three-dimensional structure, but example embodiments are not limited thereto. For example, the cell block BLKa is formed in a vertical direction VD with respect to a substrate SUB having a first conductivity type (e.g., p-type), and common source lines CSL are disposed on the substrate SUB, each CSL extending in a second horizontal direction HD2 and doped with impurities of a second conductivity type (e.g., n-type). In the region of the substrate SUB between two adjacent common source lines CSL, a plurality of insulating layers IL extending in the second horizontal direction HD2 are sequentially provided in the vertical direction VD, and the plurality of insulating layers IL are separated from each other by a certain distance in the vertical direction VD. For example, the plurality of insulating layers IL may include an insulating material such as silicon oxide.
A plurality of pillars P sequentially arranged in a first horizontal direction HD1 and passing through the plurality of insulating layers IL in the vertical direction are disposed in the region of the substrate SUB between two adjacent common source lines CSL. For example, the plurality of pillars P may be in contact with the substrate SUB by passing through the plurality of insulating layers IL, but is not limited thereto. In addition, the surface layer S of each pillar P may include a silicon material having the first conductivity type and may serve as a channel region. The inner layer I of each pillar P may include an insulating material such as silicon oxide and/or an air gap.
In the region between two adjacent common source lines CSL, a charge storage layer CS is provided along the exposed surfaces of the insulating layer IL, the pillars P, and/or the substrate SUB. The charge storage layer CS may include a gate insulating layer (and/or a tunnel insulating layer), a charge trap layer, a blocking insulating layer, and/or the like. For example, the charge storage layer CS may have an oxide-nitride-oxide (ONO) structure, but is not limited thereto. Further, in the region between two adjacent common source lines CSL, gate electrodes GE including selection lines GSL and SSL and word lines WL0 to WL7 are provided to the exposed surface of the charge storage layer CS.
Drain and/or drain contacts DR are provided on the plurality of pillars P, respectively. For example, the drain and/or the drain contact DR may include a silicon material doped with an impurity having the second conductivity type, but is not limited thereto. Bit lines BL1 to BL3 extending in the first horizontal direction HD1 and separated from each other by a certain distance in the second horizontal direction HD2 are provided on the drain and/or the drain contact DR.
Fig. 12 is a block diagram illustrating a case in which SSD 820 is applied to a storage device in data processing system 800, according to some example embodiments.
Referring to FIG. 12, a data processing system 800 may include at least one host 810 and an SSD 820, among other things. The SSD 820 exchanges signals with the host 810 through at least one signal connector and receives power through at least one power connector. The SSD 820 may include an SSD controller 821, an auxiliary power supply 822, and a plurality of NVM devices 823 through 825, among others. The NVM devices 823 through 825 may be vertically stacked NAND flash memory devices, but are not limited thereto. Herein, the SSD 820 may be implemented using one or more of the example embodiments described above with reference to fig. 1 and 11, but is not limited thereto. That is, the SSD controller 821 may include an access right controller 821_1, and the access right controller 821_1 may hold security information stored in response to a set command from the host 810. Further, the access right controller 821_1 may perform an access right determination (e.g., verification and/or authentication) operation using the security information and the VM information extracted from the access request whenever an access request is received from one of the plurality of VMs generated in the host 810, and may suspend processing of the access request according to and/or based on the determination result.
Fig. 13 is a block diagram illustrating a data center 900 including a storage device in accordance with at least one example embodiment. In some example embodiments, the storage devices described above with reference to the figures may be included in an application server and/or a storage server, etc. in the data center 900.
Referring to fig. 13, a data center 900 may collect and/or store various data and provide services, and is referred to as a data storage center. For example, the data center 900 may be a system for operating search engines and databases and/or a computing system used in a corporate and/or government organization such as a bank, business, or the like. As shown in fig. 13, the data center 900 may include application servers 50_1 to 50_n and storage servers 60_1 to 60_m. The number n of application servers 50_1 to 50_n and the number m of storage servers 60_1 to 60_m may be selected differently according to example embodiments, and n may be different from m.
The application servers 50_1, ..., and/or 50_n may include at least one of processors 51_1, ..., and/or 51_n, memories 52_1, ..., and/or 52_n, switches 53_1, ..., and/or 53_n, Network Interface Controllers (NICs) 54_1, ..., and/or 54_n, and storage devices 55_1, ..., and/or 55_n, etc. The processors 51_1, ..., and/or 51_n may control general operations of the application servers 50_1, ..., and/or 50_n, and may access the memories 52_1, ..., and/or 52_n to execute instructions and/or data loaded into the memories 52_1, ..., and/or 52_n. As non-limiting examples, the memories 52_1, ..., and/or 52_n may include Double Data Rate Synchronous Dynamic Random Access Memory (DDR SDRAM), High Bandwidth Memory (HBM), Hybrid Memory Cubes (HMC), Dual Inline Memory Modules (DIMMs), Optane DIMMs, and/or Non-Volatile DIMMs (NVDIMMs), etc.
According to at least one example embodiment, the number of processors and the number of memories included in the application servers 50_1, ..., and/or 50_n may be selected differently. In some example embodiments, the processors 51_1, ..., and/or 51_n and the memories 52_1, ..., and/or 52_n may provide processor-memory pairs, but are not limited thereto. In some example embodiments, the number of processors 51_1, ..., and/or 51_n may be different from the number of memories 52_1, ..., and/or 52_n. The processors 51_1, ..., and/or 51_n may include single-core processors and/or multi-core processors. In some example embodiments, as shown by the dashed lines in FIG. 13, the storage devices 55_1, ..., and/or 55_n may be omitted from the application servers 50_1, ..., and/or 50_n. According to some example embodiments, the number of storage devices 55_1, ..., and/or 55_n included in the application servers 50_1, ..., and/or 50_n may be selected differently. The processors 51_1, ..., and/or 51_n, the memories 52_1, ..., and/or 52_n, the switches 53_1, ..., and/or 53_n, the NICs 54_1, ..., and/or 54_n, and/or the storage devices 55_1, ..., and/or 55_n may communicate with each other via the links described above with reference to the drawings.
The storage servers 60_1, ..., and/or 60_m may include at least one of processors 61_1, ..., and/or 61_m, memories 62_1, ..., and/or 62_m, switches 63_1, ..., and/or 63_m, NICs 64_1, ..., and/or 64_m, and/or storage devices 65_1, ..., and/or 65_m. The processors 61_1, ..., and/or 61_m and/or the memories 62_1, ..., and/or 62_m may operate similarly to the processors 51_1, ..., and/or 51_n and the memories 52_1, ..., and/or 52_n in the application servers 50_1, ..., and/or 50_n described above, but the example embodiments are not limited thereto.
The storage devices according to some example embodiments may be applied to the storage devices 55_1 to 55_n and the storage devices 65_1 to 65_m included in the data center 900, and thus an access right controller and/or a security manager configured to determine data access rights according to some example embodiments may be included in the storage devices 55_1 to 55_n and the storage devices 65_1 to 65_m. Further, security information may be stored in the storage devices 55_1 to 55_n and the storage devices 65_1 to 65_m, and when the virtualization function is applied to the data center 900, the storage devices 55_1 to 55_n and/or the storage devices 65_1 to 65_m may suspend and/or cancel processing of an access request from a VM determined to have no normal and/or valid access right.
The application servers 50_1 to 50_n and the storage servers 60_1 to 60_m may communicate with each other via the network 70. In some example embodiments, the network 70 may be implemented using Fibre Channel (FC), Ethernet, or the like. FC may be a medium for relatively high-speed data transmission, and an optical switch configured to provide high performance/high availability may be used in the FC. The storage servers 60_1 to 60_m may be provided as file storage, block storage, object storage, and/or the like according to an access scheme of the network 70.
In some example embodiments, the network 70 may be a storage-private network, such as a Storage Area Network (SAN) or the like. For example, the SAN may be an FC-SAN, which may be implemented using an FC network and according to the FC Protocol (FCP), but is not limited thereto. As another example, the SAN may be an Internet Protocol (IP)-SAN implemented using a Transmission Control Protocol (TCP)/IP network and according to SCSI over TCP/IP and/or Internet SCSI (iSCSI) protocols. In some example embodiments, the network 70 may be a general-purpose network, such as a TCP/IP network or the like. For example, the network 70 may be implemented according to the FC over Ethernet (FCoE) protocol, the Network Attached Storage (NAS) protocol, the NVMe over Fabrics (NVMe-oF) protocol, and the like.
Hereinafter, although the application server 50_1 and the storage server 60_1 are mainly described, the description of the application server 50_1 may be applied to other application servers (e.g., 50_n), and the description of the storage server 60_1 may be applied to other storage servers (e.g., 60_m), and the like.
The application server 50_1 may store data requested to be stored by a user and/or a client in one of the storage servers 60_1 to 60_m via the network 70. Further, the application server 50_1 may acquire data that the user and/or the client requests to read from one of the storage servers 60_1 to 60_m via the network 70. For example, the application server 50_1 may be implemented by a web server and/or a database management system (DBMS).
The application server 50_1 can access the memory 52_n and/or the storage device 55_n included in the other application server 50_n via the network 70, and/or the memories 62_1 to 62_m and/or the storage devices 65_1 to 65_m included in the storage servers 60_1 to 60_m via the network 70. Accordingly, the application server 50_1 may perform various operations on the data stored in the application servers 50_1 to 50_n and/or the storage servers 60_1 to 60_m. For example, the application server 50_1 may execute instructions for moving and/or copying data between the application servers 50_1 to 50_n and/or the storage servers 60_1 to 60_m. In this case, the data may be moved via the memories 62_1 to 62_m in the storage servers 60_1 to 60_m, and/or directly from the storage devices 65_1 to 65_m in the storage servers 60_1 to 60_m to the memories 52_1 to 52_n in the application servers 50_1 to 50_n. In some example embodiments, the data moved via the network 70 may be data encrypted for security and/or privacy.
In the storage server 60_1, the interface IF may provide a physical connection between the processor 61_1 and the controller CTRL, and may provide a physical connection between the NIC 64_1 and the controller CTRL, or the like. For example, the interface IF may be implemented by a Direct Attached Storage (DAS) scheme of directly connecting the storage device 65_1 using a dedicated cable, but the example embodiment is not limited thereto. In addition, for example, the interface IF may be implemented through various interface schemes such as ATA, SATA, external SATA (e-SATA), SCSI, SAS, PCI, PCIe, NVMe, Institute of Electrical and Electronics Engineers (IEEE) 1394, USB, Secure Digital (SD) card, MMC, embedded MMC (eMMC), Universal Flash Storage (UFS), embedded UFS (eUFS), Compact Flash (CF) card interface, and/or CXL, among others.
In the storage server 60_1, the switch 63_1 may selectively connect the processor 61_1 to the storage 65_1 and/or selectively connect the NIC 64_1 to the storage 65_1 under the control of the processor 61_1, but the example embodiment is not limited thereto.
In some example embodiments, NIC 64_1 may include a network interface card, a network adapter, or the like. NIC 64_1 may be connected to network 70 via a wired interface, a wireless interface, a Bluetooth interface, an optical interface, or the like. The NIC 64_1 may include an internal memory, a Digital Signal Processor (DSP), a host bus interface, and the like, and may be connected to the processor 61_1, the switch 63_1, and the like through the host bus interface. In some example embodiments, the NIC 64_1 may be integrated with at least one of the processor 61_1, the switch 63_1, the storage device 65_1, and the like.
In the application servers 50_1, ..., and/or 50_n and/or the storage servers 60_1, ..., and/or 60_m, the processors 51_1, ..., 51_n, 61_1, ..., and/or 61_m may send commands to the storage devices 55_1, ..., 55_n, 65_1, ..., and/or 65_m and/or the memories 52_1, ..., 52_n, 62_1, ..., and/or 62_m to program and/or read data. In this case, the data may be error-corrected by an ECC engine, but is not limited thereto. The data may be data processed by Data Bus Inversion (DBI) and/or data masking, and may include Cyclic Redundancy Code (CRC) information. The data may be encrypted for security and/or privacy.
In response to a read command received from the processors 51_1, ..., 51_n, 61_1, ..., and/or 61_m, etc., the storage devices 55_1, ..., 55_n, 65_1, ..., and/or 65_m may send control signals and/or command/address signals to the NVM device (e.g., a NAND flash device) NVM. Accordingly, when data is read from the NVM device NVM, a read enable signal is input as a data output control signal and causes the data to be output to a Data Queue (DQ) bus. A data strobe signal may be generated using the read enable signal. The command/address signals may be latched in response to the leading and/or trailing edges of a write enable signal.
The controller CTRL may generally control the operation of the storage device 65_1. In at least one example embodiment, the controller CTRL may include a Static Random Access Memory (SRAM). The controller CTRL may write data to the NVM device NVM in response to a write command and/or read data from the NVM device NVM in response to a read command. For example, the write command and/or the read command may be generated based on a request provided from a host, such as the processor 61_1 in the storage server 60_1, the processor 61_m in the other storage server 60_m, and/or the processors 51_1, ..., and/or 51_n in the application servers 50_1, ..., and/or 50_n. The buffer BUF may temporarily store (buffer) data to be written to the NVM device NVM and/or data read from the NVM device NVM. In some example embodiments, the buffer BUF may include DRAM, but is not limited thereto. In addition, the buffer BUF may store metadata, and the metadata may indicate user data and/or data generated by the controller CTRL for managing the NVM device NVM, etc. The storage device 65_1 may include a Secure Element (SE) for security and/or privacy, but is not limited thereto.
While various exemplary embodiments of the inventive concepts have been particularly shown and described herein, it will be understood that various changes in form and details may be made therein without departing from the spirit and scope of the appended claims.
Claims (20)
1. A storage device for communicating with a host device, the storage device comprising:
a non-volatile memory comprising a plurality of unit blocks, the plurality of unit blocks being assigned to a plurality of namespaces, each of the plurality of namespaces being associated with at least one virtual machine of a plurality of virtual machines generated by a host device; and
a processing circuit configured to:
storing, in response to a command from the host, a plurality of security information associated with the plurality of namespaces, each of the security information including virtual machine information associated with a corresponding one of the plurality of virtual machines and unique information associated with the corresponding virtual machine, the virtual machine information including an identifier of the corresponding virtual machine, and the unique information including unique information uniquely set for the corresponding virtual machine,
extracting at least one first information by decoding a data access request received from the host device, and
the processing of the data access request is aborted based on the security information and the extracted at least one first information.
2. The storage device of claim 1, wherein,
each of the virtual machine information includes a virtual machine identifier unique to the corresponding virtual machine; and
each of the unique information includes a memory address indicating a location allocated to an input/output queue of the corresponding virtual machine and a namespace Identifier (ID) indicating a namespace associated with the corresponding virtual machine.
3. The storage device of claim 2, wherein the memory address includes information indicating a location of the input/output queue in a host memory included in the host device.
4. The storage device of claim 2, wherein, in response to generating the additional virtual machine by the host device, the processing circuit is further configured to generate security information about the additional virtual machine.
5. The storage device of claim 1, wherein the processing circuit further comprises a plurality of virtual functions corresponding to a plurality of virtual machines, and
each of the plurality of virtual functions is configured to:
storing security information associated with a corresponding virtual machine, and
in response to a data access request received from a corresponding virtual machine, access rights for the corresponding virtual machine are determined based on stored security information associated with the corresponding virtual machine.
6. The storage device of claim 5, wherein the plurality of virtual functions are configured to provide access to the non-volatile memory to the virtual machine through a plurality of independent paths according to a virtualization technique.
7. The storage device of claim 5, wherein a first virtual function of the plurality of virtual functions is configured to:
receiving a read request from a first virtual machine of the plurality of virtual machines as a data access request;
extracting first information included in the read request by decoding the read request; and
a read request from the first virtual machine is processed based on the first information included in the read request matching the unique information corresponding to the first virtual machine.
8. The storage device of claim 5, wherein a first virtual function of the plurality of virtual functions is configured to:
receiving a read request from a second virtual machine of the plurality of virtual machines as a data access request;
extracting first information included in the read request by decoding the read request; and
based on the first information included in the read request and the unique information corresponding to the second virtual machine not matching, the processing of the read request from the second virtual machine is suspended.
9. The storage device of claim 1, wherein
the non-volatile memory includes a plurality of flash memory chips;
each flash memory chip includes a subset of the plurality of unit blocks; and
each of the plurality of namespaces includes at least one unit block.
10. A method of operation of a storage device for communication with a host device, the storage device comprising a plurality of namespaces, and each namespace comprising at least one unit block, the method of operation comprising:
receiving a setting command from the host device;
in response to the set command, storing a plurality of security information, the plurality of security information including a plurality of virtual machine information associated with each of the plurality of virtual machines, the virtual machines being generated by the host device, each of the virtual machine information including a memory address indicating a location in host memory of an input/output queue associated with the associated virtual machine, and a namespace Identifier (ID) indicating a namespace associated with the virtual machine; and
based on the security information and the information extracted from the read request, processing of the read request received from the host device is selectively suspended.
11. The method of operation of claim 10, wherein the virtual machine information includes an indication of the associated virtual machine, and the memory address and the namespace ID are mapped to the corresponding virtual machine information.
12. The method of operation of claim 11, further comprising:
the memory address and namespace ID corresponding to the virtual machine information extracted from the read request are compared with the additional information extracted from the read request.
13. The method of operation of claim 10, further comprising:
the plurality of security information is updated with new virtual machine information regarding a new virtual machine generated by the host device, the virtual machine information including a memory address and a namespace ID corresponding to the new virtual machine, the memory address and the namespace ID being mapped to the new virtual machine information.
14. The method of operation of claim 10, further comprising:
a plurality of virtual functions corresponding to the plurality of virtual machines are generated in response to a request from the host device,
wherein a plurality of security information about a plurality of virtual machines is stored in a corresponding virtual function.
15. The method of operation of claim 14, wherein selectively suspending processing of the read request comprises:
decoding, by a first virtual function of the plurality of virtual functions, a read request received from a first virtual machine of the plurality of virtual machines, and extracting a memory address and a namespace ID from the read request; and
a read request from the first virtual machine is processed based on the extracted information matching a memory address and a namespace ID mapped to virtual machine information corresponding to the first virtual machine.
16. The method of operation of claim 14, wherein selectively suspending processing of the read request comprises:
decoding, by a first virtual function of the plurality of virtual functions, a read request received from a second virtual machine of the plurality of virtual machines, and extracting a memory address and a namespace ID from the read request; and
based on the extracted information and the memory address and the namespace ID mapped to the virtual machine information corresponding to the second virtual machine not matching, processing of the read request from the second virtual machine is aborted.
17. The method of operation of claim 10, wherein,
the security information is stored in a volatile memory in the storage device; and
the receiving of the setting command is performed when the storage device is initially operated.
18. A host device for accessing a plurality of namespaces provided to a storage device, the host device comprising:
a host memory including a plurality of input/output queues allocated to at least one of the plurality of virtual machines; and
a processing circuit configured to:
managing generation of a plurality of virtual machines and assigning a plurality of input/output queues in host memory to the plurality of virtual machines, each of the virtual machines configured to generate read requests for accessing a plurality of namespaces through independent paths according to a virtualization technique, and
a set command is sent to the storage device, the set command including a plurality of security information associated with the plurality of virtual machines, each of the plurality of security information including virtual machine information identifying the associated virtual machine, a memory address indicating a location of an input/output queue allocated to the associated virtual machine, and a namespace Identifier (ID) indicating a namespace associated with the virtual machine.
19. The host device of claim 18, wherein each of the virtual machine information identifies a single virtual machine, and the memory address and the namespace ID are mapped to the associated virtual machine information.
20. The host device of claim 18, wherein,
a first virtual machine of the plurality of virtual machines is associated with a first namespace of the storage device; and
in response to a second virtual machine of the plurality of virtual machines sending a read request to the storage device, the read request including a memory address corresponding to the first virtual machine or a namespace ID associated with the first namespace, completion of the read request from the second virtual machine is prevented.
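The check that claims 1 to 20 describe in words, and that the description of the access right controller 821_1 refers to, can be made concrete with a small model. The following Python is an added example written for this page, not code from the patent or its applicant. It assumes a constructed request layout (a fixed-size record carrying a VM identifier, namespace ID, queue address, LBA and block count) in place of the real NVMe command format, and it models the "virtual function chosen by the hardware path" simply as the record's VM identifier field; the class and function names (`SecurityInfo`, `VirtualFunction`, `AccessRightController`, `encode_read_request`, `decode_read_request`) are the example's own.

```python
from dataclasses import dataclass
import struct

PROCESS = "PROCESS"   # request is forwarded to the NVM (claims 7, 15)
SUSPEND = "SUSPEND"   # processing is suspended (claims 8, 16, 20)


@dataclass(frozen=True)
class SecurityInfo:
    """One entry of the security information delivered by the host's setting command."""
    vm_id: int     # virtual machine identifier (claim 2)
    sq_addr: int   # host-memory address of the VM's I/O queue (claim 3)
    nsid: int      # namespace ID associated with the VM (claim 2)


# Constructed wire layout (an assumption of this example, not the NVMe command format):
#   vm_id u16 | nsid u32 | sq_addr u64 | lba u64 | nlb u16, all big-endian
READ_REQ = struct.Struct(">HIQQH")


def encode_read_request(vm_id, nsid, sq_addr, lba, nlb):
    """Build a read request in the constructed layout above."""
    return READ_REQ.pack(vm_id, nsid, sq_addr, lba, nlb)


def decode_read_request(raw):
    """Extract the 'first information' (queue address and NSID) by decoding the request."""
    if len(raw) != READ_REQ.size:
        raise ValueError("malformed read request: %d bytes" % len(raw))
    vm_id, nsid, sq_addr, lba, nlb = READ_REQ.unpack(raw)
    return {"vm_id": vm_id, "nsid": nsid, "sq_addr": sq_addr, "lba": lba, "nlb": nlb}


class VirtualFunction:
    """A virtual function holding the security information of the VM bound to it (claim 5)."""

    def __init__(self, info):
        self.info = info
        self.suspended = []   # audit trail of refused requests, for the operator

    def handle_read(self, raw):
        req = decode_read_request(raw)
        # Claims 7 and 15: process only when BOTH the queue address and the NSID match.
        if req["sq_addr"] == self.info.sq_addr and req["nsid"] == self.info.nsid:
            return PROCESS
        # Claims 8, 16 and 20: any mismatch (another VM's queue or namespace) suspends.
        self.suspended.append({
            "vm_id": self.info.vm_id,
            "bad_sq_addr": req["sq_addr"] != self.info.sq_addr,
            "bad_nsid": req["nsid"] != self.info.nsid,
        })
        return SUSPEND


class AccessRightController:
    """Storage-side controller: stores the security information and routes each
    request to the virtual function of the VM it came from (claims 1, 5, 14)."""

    def __init__(self):
        self.vfs = {}   # vm_id -> VirtualFunction

    def setting_command(self, entries):
        """Claim 10: store all security information in response to the host's setting command."""
        for info in entries:
            self.vfs[info.vm_id] = VirtualFunction(info)

    def add_virtual_machine(self, info):
        """Claims 4 and 13: extend the security information when the host creates a new VM."""
        self.vfs[info.vm_id] = VirtualFunction(info)

    def submit(self, raw):
        # In hardware the virtual function is selected by the path the request arrives on;
        # here the vm_id field of the constructed request stands in for that path.
        vf = self.vfs.get(decode_read_request(raw)["vm_id"])
        if vf is None:
            return SUSPEND   # no security information for this VM: fail closed
        return vf.handle_read(raw)


def demo():
    """Walk through claim 20: VM2 reusing VM1's queue address or namespace is refused."""
    ctrl = AccessRightController()
    ctrl.setting_command([SecurityInfo(1, 0x1000, 1), SecurityInfo(2, 0x2000, 2)])
    return [
        ctrl.submit(encode_read_request(1, 1, 0x1000, 0, 8)),   # VM1, own queue and NS
        ctrl.submit(encode_read_request(2, 1, 0x2000, 0, 8)),   # VM2 names VM1's namespace
        ctrl.submit(encode_read_request(2, 2, 0x1000, 0, 8)),   # VM2 uses VM1's queue address
        ctrl.submit(encode_read_request(3, 3, 0x3000, 0, 8)),   # VM with no security info
    ]


if __name__ == "__main__":
    print(demo())
```

Two design points carry over from the claims. First, the comparison requires both the queue address and the namespace ID to match, so a VM that knows another VM's namespace ID still fails on the queue address, and vice versa (claim 20 covers either mismatch). Second, a request from a VM for which no security information was ever set is suspended rather than processed, which matches the claim 17 arrangement where the setting command is received at initial operation before any access request is served.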
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
KR10-2022-0011789 | 2022-01-26 | |
KR1020220069111A KR102560696B1 (en) | 2022-01-26 | 2022-06-07 | Storage device performing access authority control and Operating method thereof
KR10-2022-0069111 | 2022-06-07 | |
Publications (1)
Publication Number | Publication Date
---|---
CN116501664A true CN116501664A (en) | 2023-07-28
Family
ID=87315520
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN202310093313.5A Pending CN116501664A (en) | Storage device for performing access right control and method of operating the same | 2022-01-26 | 2023-01-20
Country Status (1)
Country | Link
---|---
CN (1) | CN116501664A (en)
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |