CN116527257A - Heterogeneous computing system and resource processing method based on same - Google Patents

Info

Publication number
CN116527257A
Authority
CN
China
Prior art keywords
computing
host
heterogeneous
resource
pcie
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202310764757.7A
Other languages
Chinese (zh)
Other versions
CN116527257B (en)
Inventor
蓝晏翔
熊军
邵乐希
王嘉平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Digital Economy Academy IDEA
Original Assignee
International Digital Economy Academy IDEA
Application filed by International Digital Economy Academy IDEA
Priority to CN202310764757.7A
Publication of CN116527257A
Application granted
Publication of CN116527257B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0827 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/125 Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention provides a heterogeneous computing system and a resource processing method based on the heterogeneous computing system. The system comprises a host, a PCIe bridge connected to the host through a PCIe bus, and a heterogeneous computing device connected to the PCIe bridge. When a computing task instruction received from the host is a confidential computing task instruction, the PCIe bridge acquires a symmetric key, decrypts the encrypted resource from the host with the symmetric key to obtain a first resource to be computed, and sends it to the heterogeneous computing device connected to the PCIe bridge. The heterogeneous computing device computes on the first resource to be computed received from the PCIe bridge to obtain a first computation result. The PCIe bridge encrypts the first computation result from the heterogeneous computing device with the symmetric key and sends the encrypted first computation result to the host through the PCIe bus, and the host decrypts it with the symmetric key to obtain the first computation result, thereby improving resource security during heterogeneous confidential computing.

Description

Heterogeneous computing system and resource processing method based on same
Technical Field
The invention relates to the technical field of information security, in particular to a heterogeneous computing system and a resource processing method based on the heterogeneous computing system.
Background
With the rapid development of cloud computing and big data, computation volumes keep growing and real-time requirements keep rising, and implementing certain computations in software on a general-purpose CPU can no longer meet some computing demands. In the related art, it has been proposed to connect heterogeneous computing devices (e.g., GPU, DPU, etc.) through PCIe interfaces to provide external heterogeneous accelerated computing and meet these growing demands.
However, with the rapid development of internet technology, users have an increasing demand for secure computation on data. Currently proposed confidential computing technology is concentrated mainly on the CPU: using Intel SGX or ARM TrustZone, a "secure area" guaranteed by the CPU is partitioned off as a confidential computing resource, while the other areas, called "normal areas", serve as ordinary computing resources. Code and programs in the secure area cannot be accessed or used by other programs (not even by software with operating-system-level privileges), so the CPU can perform confidential computing and ordinary computing at the same time.
However, because current confidential computing technology is concentrated on the CPU, it can only guarantee the security of data on the CPU side. It cannot be directly extended to heterogeneous computing devices (e.g., DPU, GPU), and therefore cannot guarantee the security of data in those devices.
Some companies now offer GPUs that support confidential computing, such as the H100 GPU recently introduced by NVIDIA. However, when confidential computing on a heterogeneous computing device is required, only that GPU chip can be used, so the approach is not general, which hinders the development of heterogeneous computing and data security.
Based on this, how to provide a general technology that enables confidential computing on heterogeneous computing devices is a technical problem to be solved.
Disclosure of Invention
The main object of the invention is to provide a heterogeneous computing system and a resource processing method based on the heterogeneous computing system, in order to solve the problems in the prior art that confidential computing on heterogeneous computing devices has poor generality and that data security in heterogeneous confidential computing is low.
To achieve the above object, the present invention provides a heterogeneous computing system including: a host, a PCIe bridge, and a heterogeneous computing device connected to the PCIe bridge; the PCIe bridge is connected to and communicates with the host through a PCIe bus;
the PCIe bridge is used for receiving the calculation task instruction from the host machine, and acquiring a symmetric key when the calculation task instruction is a confidential calculation task instruction;
the PCIe bridge is further used for decrypting the encrypted resources from the host according to the symmetric key to obtain a first resource to be calculated, and sending the first resource to be calculated to heterogeneous computing equipment connected with the PCIe bridge;
the encryption resource is obtained by encrypting a first resource to be calculated by the host according to the obtained symmetric key;
the heterogeneous computing device is used for computing the first to-be-computed resource from the PCIe bridge to obtain a first computing result;
the PCIe bridge is also used for encrypting the first calculation result from the heterogeneous calculation device through the symmetric key and sending the encrypted first calculation result to the host through a PCIe bus;
the host is used for decrypting the encrypted first calculation result according to the obtained symmetric key to obtain the first calculation result.
Optionally, the PCIe bridge is specifically configured to: when the computing task instruction is a confidential computing task instruction, perform identity authentication with the host through the PCIe bus, and acquire the symmetric key after the identity authentication succeeds.
Optionally, there are a plurality of heterogeneous computing devices, each heterogeneous computing device is connected to one PCIe bridge in one-to-one correspondence, and each PCIe bridge is connected to the host through the PCIe bus.
Optionally, the host is further configured to: after the computing task instruction is generated, acquiring the current idle resource quantity of the heterogeneous computing device corresponding to each PCIe bridge connected with the host;
a heterogeneous computing device for the computing task instruction is determined based on a current amount of free resources for each of the heterogeneous computing devices and an amount of computing resources required for the computing task instruction.
Optionally, the host is further configured to: before the current idle resource quantity of the heterogeneous computing device corresponding to each PCIe bridge connected with the host is obtained, determining a task type corresponding to the computing task instruction; the task types include: confidential computing tasks, general computing tasks;
when the task type corresponding to the computing task instruction is the confidential computing task, acquiring the current idle resource amount of the confidential computing environment of the host;
when the task type corresponding to the calculation task instruction is the common calculation task, acquiring the current idle resource quantity of the common calculation environment of the host;
and when the current idle resource quantity of the confidential computing environment is smaller than the computing resource quantity of the confidential computing task or the current idle resource quantity of the common computing environment is smaller than the computing resource quantity of the common computing task, acquiring the current idle resource quantity of the heterogeneous computing device corresponding to each PCIe bridge connected with the host.
Optionally, the PCIe bridge includes: an upstream port and a downstream port;
the upstream port is connected to a PCIe interface of the host through a PCIe bus, and the downstream port is connected to a PCIe interface of the heterogeneous computing device.
Optionally, when the computing task instruction is a normal computing task instruction, the PCIe bridge is further configured to receive a second resource to be computed from the host through a PCIe bus and send the second resource to be computed to a heterogeneous computing device connected to the PCIe bridge;
the heterogeneous computing device is further configured to calculate the second resource to be calculated, obtain a second calculation result, and send the second calculation result to the PCIe bridge;
the host is configured to receive a second computation result from the PCIe bridge.
Optionally, the host machine includes: confidential computing environments and general computing environments;
wherein the confidential computing task instruction is generated for a confidential computing environment in the host based on a confidential computing task;
the general computing task instruction is generated for a general computing environment in the host based on a general computing task.
Optionally, the host is configured to: when a corresponding calculation result is obtained, generating a task ending instruction and sending the task ending instruction to the PCIe bridge;
the PCIe bridge is used for deleting all resources stored in the corresponding heterogeneous computing device based on the task ending instruction.
In order to achieve the above object, the present invention further provides a resource processing method based on a heterogeneous computing system, where the heterogeneous computing system is a heterogeneous computing system as described in any of the above, and the resource processing method includes:
the PCIe bridge receives the calculation task instruction from the host, and when the calculation task instruction is a confidential calculation task instruction, the symmetric key is obtained;
the PCIe bridge decrypts the encrypted resources from the host according to the symmetric key to obtain a first resource to be calculated and sends the first resource to the heterogeneous computing device connected with the PCIe bridge;
the encryption resource is obtained by encrypting a first resource to be calculated by the host according to the obtained symmetric key;
the PCIe bridge encrypts the first calculation result from the heterogeneous calculation device according to the symmetric key, and sends the encrypted first calculation result to the host computer through a PCIe bus, so that the host computer decrypts the encrypted first calculation result through the symmetric key to obtain the first calculation result;
the first calculation result is obtained by the heterogeneous computing device computing on the first resource to be calculated received from the PCIe bridge.
Optionally, the method further comprises: when the computing task instruction is a common computing task instruction, the PCIe bridge receives a second resource to be computed from the host machine through a PCIe bus and sends the second resource to be computed to heterogeneous computing equipment connected with the PCIe bridge; the PCIe bridge receives the second calculation result from the heterogeneous calculation device and sends the second calculation result to the host machine so that the host machine obtains the second calculation result; the second calculation result is obtained by calculating the second resource to be calculated by the heterogeneous calculation device.
According to the invention, the host is connected to the heterogeneous computing device through the PCIe bridge. During confidential computing, the PCIe bridge and the host first acquire a symmetric key, and communication between the confidential computing environment of the host and the PCIe bridge is encrypted and decrypted with that key. On the one hand, because the PCIe bridge and the host transmit data in encrypted form throughout the confidential computing task, the security of the first resource to be computed on its way from the host to the PCIe bridge is ensured, which protects the data of the first resource to be computed during the whole heterogeneous confidential computing process. On the other hand, connecting the heterogeneous computing device and the host through the PCIe bridge to realize heterogeneous confidential computing does not change the topology of the original computing system, does not require changing the communication protocol of the PCIe interface of the heterogeneous computing device, does not require modifying the heterogeneous computing resource, and does not change the original functions and capabilities of the heterogeneous computing device. The approach is applicable to different types of heterogeneous computing devices with PCIe interfaces, which improves the generality of heterogeneous confidential computing.
Drawings
FIG. 1 is a schematic diagram of a heterogeneous computing system according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a second embodiment of a heterogeneous computing system according to the present invention;
fig. 3 is a flowchart of a resource processing method based on a heterogeneous computing system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Fig. 1 is a schematic structural diagram of a heterogeneous computing system according to an embodiment of the present invention, where, as shown in fig. 1, the heterogeneous computing system at least includes: host 100, PCIe bridge 200, heterogeneous computing device 300.
The PCIe bridge 200 includes an upstream port and a downstream port. The upstream port is connected to a PCIe interface of the host 100 through a PCIe bus, so that the PCIe bridge 200 is connected to and communicates with the host 100 through the PCIe bus. The downstream port of the PCIe bridge 200 connects to the PCIe interface of the heterogeneous computing device 300, which connects the PCIe bridge 200 to the heterogeneous computing device 300. In this way, the host 100 and the heterogeneous computing device 300 communicate through the PCIe bridge 200. The PCIe bridge is a transparent bridge to which security functions (such as encryption, decryption, authentication, access control, and state management) have been added, for example a PCI-PCI bridge or a PCIe switch.
The host 100 includes a confidential computing environment and a general computing environment. The confidential computing environment is the area of the host 100 used for confidential computing, and the general computing environment is the area of the host 100 used for general computing other than confidential computing. In the embodiment of the present invention, a "secure area" guaranteed by the CPU may be partitioned from the CPU of the host 100 through Intel SGX or ARM TrustZone to serve as the confidential computing environment, while the other areas, called "normal areas", serve as the general computing environment.
The heterogeneous computing device 300 is a device with a PCIe interface, such as a GPU board, DPU board, NPU board, FPGA accelerator card, or ASIC accelerator card; the embodiments of the present invention place no specific limit on it.
In the embodiment of the present invention, the host 100 is configured to generate a calculation task instruction, and send the generated calculation task instruction to the PCIe bridge 200 through the PCIe bus. The calculation task instruction includes: confidential computational task instructions, general computational task instructions. Wherein the confidential computational task instruction is generated by the confidential computational environment in the host 100 based on the confidential computational task for instructing to perform confidential computation; the general computing task instruction is generated by the general computing environment in the host 100 based on the general computing task, and is used to instruct the general computing.
The PCIe bridge 200 is configured to receive a computing task instruction from the host 100 and determine the type of the computing task instruction, thereby implementing state management. When the computing task instruction is a confidential computing task instruction, the symmetric key is acquired, so that both the host 100 and the PCIe bridge 200 hold the symmetric key. The confidential computing environment of the host 100 is configured to encrypt the first resource to be computed corresponding to the confidential computing task instruction with the symmetric key, obtain a first encrypted resource, and send the first encrypted resource to the PCIe bridge 200 through the PCIe bus. The PCIe bridge 200 is configured to decrypt the first encrypted resource with the symmetric key, obtain the first resource to be computed, and send it to the heterogeneous computing device 300 connected to the PCIe bridge 200. The heterogeneous computing device 300 is configured to compute on the first resource to be computed, obtain a corresponding first computation result, and send it to the PCIe bridge 200 to which it is connected. The PCIe bridge 200 is configured to encrypt the first computation result with the symmetric key and send the encrypted first computation result to the confidential computing environment of the host 100 through the PCIe bus. The confidential computing environment of the host 100 decrypts the encrypted first computation result with the symmetric key, thereby obtaining the first computation result.
In the embodiment of the present invention, a PCIe bridge 200 is placed between a host 100 that has a confidential computing environment and the corresponding heterogeneous computing device 300. After the host 100 sends a confidential computing task instruction, generated by the confidential computing environment based on the confidential computing task, to the corresponding PCIe bridge 200 through the PCIe bus, a symmetric key for communication between the confidential computing environment of the host 100 and the PCIe bridge 200 is acquired first. The host 100 encrypts the first resource to be computed with the symmetric key and sends it to the PCIe bridge 200 through the PCIe bus. The PCIe bridge 200 decrypts it and sends the decrypted first resource to be computed to the heterogeneous computing device 300 connected to it. The heterogeneous computing device 300 computes on the first resource to be computed and sends the resulting first computation result to the PCIe bridge 200 connected to it. The PCIe bridge 200 encrypts the first computation result with the symmetric key and sends the encrypted first computation result to the confidential computing environment of the host 100 through the PCIe bus, and the confidential computing environment of the host 100 decrypts it with the symmetric key to obtain the first computation result, which completes the confidential computation on the heterogeneous computing device 300.
In some embodiments of the invention, when the computing task instruction is a confidential computing task instruction, the PCIe bridge may obtain the symmetric key at least by any one of:
when the computing task instruction is a confidential computing task instruction, the PCIe bridge performs key exchange with a confidential computing environment of the host machine to obtain a symmetric key;
when the computing task instruction is a confidential computing task instruction, the confidential computing environment of the host machine sends a symmetric key which is generated in advance to the PCIe bridge.
In the heterogeneous computing system provided by the invention, communication between the confidential computing environment of the host 100 and the PCIe bridge 200 is encrypted and decrypted with the symmetric key during confidential computing. On the one hand, this ensures the security of the first resource to be computed on its way from the host 100 to the PCIe bridge 200, and thus protects the data of the first resource to be computed during the whole heterogeneous confidential computing process. On the other hand, connecting the heterogeneous computing device 300 and the host 100 through the PCIe bridge 200 does not change the topology of the original computing system, does not require changing the communication protocol of the PCIe interface of the heterogeneous computing device 300, does not require any modification of the heterogeneous computing resource, and does not change the original functions and capabilities of the heterogeneous computing device 300. The approach is applicable to any heterogeneous computing device 300 with a PCIe interface, which improves the generality of heterogeneous confidential computing.
Further, the PCIe bridge 200 is specifically configured to perform identity authentication with the host 100 through the PCIe bus when the computing task instruction is a confidential computing task instruction, and acquire the symmetric key after the identity authentication is successful.
In the embodiment of the present invention, when the received computing task instruction is a confidential computing task instruction, the PCIe bridge 200 needs to perform identity authentication with the confidential computing environment of the host 100, and acquire the symmetric key after the identity authentication successfully establishes a trusted connection, so that the security of the heterogeneous computing system during confidential computing is further improved.
It can be understood that the identity authentication may be an existing public identity authentication method, and the embodiment of the invention is not specifically limited.
In some embodiments of the present invention, the PCIe bridge 200 is further configured to receive, when the computing task instruction is a normal computing task instruction, a second resource to be computed from the host 100 through the PCIe bus and send the second resource to the heterogeneous computing device 300 connected to the PCIe bridge 200. The heterogeneous computing device 300 is further configured to perform computing on a second resource to be computed, obtain a second computing result, and send the second computing result to the PCIe bridge 200, where the PCIe bridge 200 is configured to send the second computing result to the host 100 through the PCIe bus, that is, the host 100 is further configured to receive the second computing result from the PCIe bridge 200.
The heterogeneous computing system provided by the embodiment of the invention can perform not only heterogeneous confidential computing but also heterogeneous general computing. When the received computing task instruction is a general computing task instruction, the PCIe bridge 200 directly receives the second resource to be computed from the general computing environment of the host 100 and sends it to the heterogeneous computing device 300 connected to the PCIe bridge 200, and directly sends the second computation result, obtained by the heterogeneous computing device 300 computing on the second resource to be computed, to the general computing environment of the host 100, thereby realizing heterogeneous general computing.
It can be understood that the first resource to be calculated is a resource to be calculated which needs to perform confidential calculation, and the second resource to be calculated is a resource to be calculated which performs general calculation. Moreover, the first resource to be calculated or the second resource to be calculated may be data or code, which is not specifically limited in the embodiment of the present invention.
The heterogeneous computing system provided by the invention can realize heterogeneous confidential computation and heterogeneous general computation, namely, state switching can be realized between confidential computation and general computation, so that the heterogeneous computing device 300 can be used for confidential computation and general computation, thereby improving the utilization rate of the heterogeneous computing device and improving user experience.
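The confidential and general paths through the bridge described above, including key acquisition gated on identity authentication and the clean-up on task end, can be sketched as follows. This is an added example, not code from the patent: the class and function names, the pre-provisioned secret used for HMAC challenge-response authentication and session-key derivation, and the stdlib encrypt-then-MAC cipher (a stand-in for an AEAD such as AES-GCM) are all assumptions, since the patent leaves the authentication method and cipher open.

```python
import hashlib
import hmac
import os

# Stand-in authenticated cipher from the standard library (HMAC-SHA256 keystream,
# encrypt-then-MAC) so the example runs offline. Assumption: the patent names no
# cipher; a real bridge would use a vetted AEAD such as AES-GCM.
def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def unseal(key, blob):
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise ValueError("tag mismatch: ciphertext was modified on the bus")
    return _xor_stream(key, nonce, ct)

class Device:
    """Unmodified accelerator: it only ever sees what the bridge forwards."""
    def __init__(self):
        self.memory = []
    def compute(self, resource):
        self.memory.append(resource)        # plaintext lives here until task end
        return resource[::-1].upper()       # constructed stand-in workload

class Bridge:
    """Transparent bridge with the added security functions (hypothetical model)."""
    def __init__(self, device, provisioned_secret):
        self.device = device
        self._secret = provisioned_secret   # assumption: shared with the host enclave
        self._nonce = None
        self._key = None                    # None means general (pass-through) state

    def challenge(self):
        self._nonce = os.urandom(16)
        return self._nonce

    def task_instruction(self, kind, host_nonce=None, host_proof=None):
        self._key = None
        if kind == "normal":
            return
        if self._nonce is None or host_nonce is None or host_proof is None:
            raise PermissionError("confidential task without authentication")
        transcript, self._nonce = self._nonce + host_nonce, None   # challenge is one-time
        if not hmac.compare_digest(host_proof, _prf(self._secret, b"auth", transcript)):
            raise PermissionError("host identity authentication failed")
        # The symmetric key is acquired only after authentication succeeds.
        self._key = _prf(self._secret, b"session", transcript)

    def submit(self, payload):
        if self._key is None:               # general task: forward as-is
            return self.device.compute(payload)
        result = self.device.compute(unseal(self._key, payload))
        return seal(self._key, result)

    def end_task(self):
        self.device.memory.clear()          # delete resources held by the device
        self._key = None

def host_run(bridge, secret, kind, resource, bus_log):
    """Host side of one task; bus_log records what an observer on the PCIe bus sees."""
    try:
        if kind == "confidential":
            bridge_nonce, host_nonce = bridge.challenge(), os.urandom(16)
            transcript = bridge_nonce + host_nonce
            bridge.task_instruction(kind, host_nonce, _prf(secret, b"auth", transcript))
            key = _prf(secret, b"session", transcript)
            outbound = seal(key, resource)
            inbound = bridge.submit(outbound)
            bus_log.extend([outbound, inbound])
            return unseal(key, inbound)     # also fails if the bridge lacked the secret
        bridge.task_instruction("normal")
        inbound = bridge.submit(resource)
        bus_log.extend([resource, inbound])
        return inbound
    finally:
        bridge.end_task()                   # task ending instruction
```

Note what the model makes visible: the host-to-bridge bus carries only ciphertext on the confidential path, while the bridge-to-device link and the device's memory hold plaintext until the task ending instruction clears them.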
As shown in fig. 2, in the heterogeneous computing system provided by the present invention, the host 100 may correspond to a plurality of heterogeneous computing devices 300, where each heterogeneous computing device 300 is connected to one PCIe bridge 200 in a one-to-one correspondence manner, and each PCIe bridge 200 is connected to the host 100 through a PCIe bus.
In the embodiment of the present invention, setting a plurality of heterogeneous computing devices 300 for the host 100 can increase the computation amount of the heterogeneous computing system, and can also perform a plurality of heterogeneous computations at the same time, thereby further improving the user experience.
In some embodiments of the present invention, the host 100 is further configured to obtain, after generating the computing task instruction, a current amount of idle resources of the heterogeneous computing device 300 corresponding to each PCIe bridge 200 connected to the host 100; the heterogeneous computing devices 300 for the computing task instruction are determined based on the current amount of free resources of each heterogeneous computing device 300 and the amount of computing resources required for the computing task instruction.
Specifically, after generating the computing task instruction, the host 100 may first obtain, through each PCIe bridge 200 connected to it, the current idle resource amount of each heterogeneous computing device 300. It then compares the current idle resource amount of each heterogeneous computing device 300 with the amount of computing resources required by the computing task instruction, and randomly selects one heterogeneous computing device 300 from those whose current idle resource amount is greater than the required amount of computing resources to execute the computing task corresponding to the computing task instruction.
The amount of computing resources required by the computing task instruction is the amount of computing resources required by the computing task corresponding to the computing task instruction, and the computing task can be a confidential computing task or a common computing task.
Still further, when the current amount of idle resources of the heterogeneous computing device 300 is smaller than the amount of computing resources, the host 100 may divide the computing task corresponding to the computing task instruction into a plurality of sub-tasks, and allocate a corresponding heterogeneous computing device 300 to each sub-task, so as to ensure the efficiency of heterogeneous computing.
It may be understood that, when the computing task is divided into a plurality of subtasks, the division may be even with respect to the amount of computing resources, or may follow the current idle resource amount of each heterogeneous computing device; this is not specifically limited in the embodiment of the present invention.
If the host machine 100 in the heterogeneous computing system corresponds to a plurality of heterogeneous computing devices 300, after the host machine 100 generates a computing task instruction, the current free resource amount of each heterogeneous computing device 300 may be acquired through the PCIe bridge 200 to allocate the corresponding heterogeneous computing device 300 for the computing task instruction.
In some embodiments of the present invention, host 100 is further configured to: before the current idle resource amount of the heterogeneous computing device 300 corresponding to each PCIe bridge 200 connected to the host 100 is obtained, determining a task type corresponding to the computing task instruction, and when the task type corresponding to the computing task instruction is a confidential computing task, obtaining the current idle resource amount of the confidential computing environment of the host 100; when the task type corresponding to the calculation task instruction is a common calculation task, acquiring the current idle resource amount of the common calculation environment of the host 100; when the current amount of free resources of the confidential computing environment is smaller than the amount of computing resources of the confidential computing task or the current amount of free resources of the general computing environment is smaller than the amount of computing resources of the general computing task, the current amount of free resources of the heterogeneous computing device 300 corresponding to each PCIe bridge 200 connected to the host 100 is obtained.
In the embodiment of the present invention, before the current idle resource amount of the heterogeneous computing device 300 corresponding to each PCIe bridge 200 connected to the host 100 is obtained, the host 100 determines the current idle resource amount of the host, thereby determining whether heterogeneous computing is required by the heterogeneous computing device 300, and further improving the computing efficiency of the computing task.
In some embodiments of the present invention, the host 100 is further configured to generate a task end instruction and send the task end instruction to the PCIe bridge 200 when the calculation result is obtained. The PCIe bridge 200 is further configured to delete all resources stored in the heterogeneous computing device 300 based on the task end instruction.
The calculation results include a first calculation result and a second calculation result, the task end instruction is generated by the confidential calculation environment of the host 100 when the calculation result is the first calculation result, and the task end instruction is generated by the general calculation environment of the host 100 when the calculation result is the second calculation result. All of the resources described above refer to all data or code received and generated by the heterogeneous computing device 300 during confidential or general computing processes.
Specifically, after the host 100 obtains the calculation result, a corresponding task end instruction is generated and sent to the corresponding PCIe bridge 200 through the PCIe bus, and after receiving the task end instruction, the PCIe bridge 200 deletes all the stored resources.
In the present invention, after the computing task ends, all resources received or generated by the heterogeneous computing device 300 during the task are deleted, which prevents those resources from being stolen and further ensures the security of heterogeneous computing.
Based on the heterogeneous computing system, the invention also provides a resource processing method based on the heterogeneous computing system, as shown in fig. 3, the resource processing method at least comprises the following steps:
S301, the PCIe bridge receives the calculation task instruction from the host, and when the calculation task instruction is a confidential calculation task instruction, the symmetric key is obtained.
Specifically, the confidential computing environment of the host determines the PCIe bridge that performs the current confidential computing task after generating the confidential computing task. After the PCIe bridge executing the current confidential computing task is determined, the PCIe bridge and the confidential computing environment of the host machine carry out identity authentication in a pre-agreed mode, and after the identity authentication is passed, the PCIe bridge acquires the symmetric key.
S302, the PCIe bridge decrypts the encrypted resources from the host according to the symmetric key to obtain a first resource to be calculated and sends the first resource to the heterogeneous computing device connected with the PCIe bridge.
The encryption resource is obtained by encrypting the first resource to be calculated by the host machine according to the symmetric key.
In the embodiment of the invention, after the PCIe bridge acquires the symmetric key, the confidential computing environment of the host starts the confidential computing task and sends the encrypted resource to the PCIe bridge.
S303, the PCIe bridge encrypts the first calculation result from the heterogeneous calculation device according to the symmetric key, and sends the encrypted first calculation result to the host computer through the PCIe bus, so that the host computer decrypts the encrypted first calculation result through the symmetric key to obtain the first calculation result.
The first calculation result is obtained by calculating a first resource to be calculated from the PCIe bridge by the heterogeneous calculation device.
In some embodiments of the present invention, after the host obtains the first calculation result, a corresponding task end instruction is generated and sent to the PCIe bridge, and after receiving the task end instruction, the PCIe bridge deletes all resources in the heterogeneous computing device corresponding to the PCIe bridge, so as to further improve data security in the data modeling process.
In some embodiments of the present invention, the above resource processing method may further include the steps of: when the calculation task instruction is a common calculation task instruction, the PCIe bridge receives a second resource to be calculated from the host machine through the PCIe bus and sends the second resource to be calculated to heterogeneous calculation equipment connected with the PCIe bridge; the PCIe bridge receives the second calculation result from the heterogeneous calculation device and sends the second calculation result to the host machine so that the host machine obtains the second calculation result.
The second calculation result is obtained by calculating the second resource to be calculated by the heterogeneous calculation device.
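The confidential path of S301 to S303 and the task end instruction, as an added Go sketch that is not part of the patent. AES-256-GCM, the direction labels used as associated data, and the names `Bridge`, `HostTask`, `seal` and `open` are assumptions of the example (the patent specifies only a symmetric key), and `bytes.ToUpper` stands in for the device's computation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const toBridge, toHost = "host->bridge", "bridge->host" // direction labels used as AAD (assumed)

// aead builds AES-GCM; the cipher is an assumption, the page says only "symmetric key".
func aead(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

func seal(key, pt []byte, dir string) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, []byte(dir)), nil
}

func open(key, msg []byte, dir string) ([]byte, error) {
	g, err := aead(key)
	if err != nil || len(msg) < g.NonceSize() {
		return nil, fmt.Errorf("open: bad key (%v) or truncated message", err)
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], []byte(dir))
}

type Bridge struct{ key, device []byte } // device stands in for the attached device's memory

// Run is S302 and S303: decrypt for the device, encrypt its result for the host.
func (b *Bridge) Run(in []byte, compute func([]byte) []byte) ([]byte, error) {
	pt, err := open(b.key, in, toBridge) // fails closed when no key is installed
	if err != nil {
		return nil, err
	}
	b.device = pt
	return seal(b.key, compute(pt), toHost)
}

// End handles the task end instruction: overwrite, then drop, key and resources.
func (b *Bridge) End() {
	copy(b.key, make([]byte, len(b.key)))
	copy(b.device, make([]byte, len(b.device)))
	b.key, b.device = nil, nil
}

// HostTask plays the host's confidential environment for one task.
func HostTask(b *Bridge, key, resource []byte) ([]byte, error) {
	b.key = append([]byte(nil), key...) // S301; identity authentication assumed passed
	defer b.End()
	msg, err := seal(key, resource, toBridge)
	if err != nil {
		return nil, err
	}
	out, err := b.Run(msg, bytes.ToUpper) // ToUpper stands in for the device's computation
	if err != nil {
		return nil, err
	}
	return open(key, out, toHost)
}

func main() {
	out, err := HostTask(&Bridge{}, bytes.Repeat([]byte{7}, 32), []byte("constructed input"))
	fmt.Printf("%s %v\n", out, err)
}
```

The general computing path (second resource to be calculated) is a plaintext pass-through on the PCIe bus and is not modelled here.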
In the present invention, the embodiments are described in a progressive manner; identical and similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, because the method embodiments are substantially similar to the system embodiments, their description is relatively brief; for the relevant details, refer to the corresponding parts of the description of the system embodiments.
In addition, the systems and the methods provided by the embodiment of the invention are in one-to-one correspondence, so that the methods also have similar beneficial technical effects as the corresponding systems. Since the beneficial effects of the system have been described in detail above, the beneficial technical effects of the method are not described here again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Of course, those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by a computer program for instructing relevant hardware (e.g., processor, controller, etc.), the program may be stored on a computer readable storage medium, and the program may include the above described methods when executed. The computer readable storage medium may be a memory, a magnetic disk, an optical disk, etc.
It is to be understood that the invention is not limited in its application to the examples described above, but is capable of modification and variation in light of the above teachings by those skilled in the art, and that all such modifications and variations are intended to be included within the scope of the appended claims.

Claims (11)

1. A heterogeneous computing system, the heterogeneous computing system comprising: a host, a PCIe bridge, and a heterogeneous computing device connected to the PCIe bridge; the PCIe bridge is connected and communicated with the host machine through a PCIe bus;
the PCIe bridge is used for receiving the calculation task instruction from the host machine, and acquiring a symmetric key when the calculation task instruction is a confidential calculation task instruction;
the PCIe bridge is further used for decrypting the encrypted resources from the host according to the symmetric key to obtain a first resource to be calculated, and sending the first resource to be calculated to heterogeneous computing equipment connected with the PCIe bridge;
the encryption resource is obtained by encrypting a first resource to be calculated by the host according to the obtained symmetric key;
the heterogeneous computing device is used for computing the first to-be-computed resource from the PCIe bridge to obtain a first computing result;
the PCIe bridge is also used for encrypting the first calculation result from the heterogeneous calculation device through the symmetric key and sending the encrypted first calculation result to the host through a PCIe bus;
the host is used for decrypting the encrypted first calculation result according to the obtained symmetric key to obtain the first calculation result.
2. The heterogeneous computing system of claim 1, wherein the PCIe bridge is specifically configured to:
and when the computing task instruction is a confidential computing task instruction, carrying out identity authentication with the host machine through a PCIe bus, and acquiring the symmetric key after the identity authentication is successful.
3. The heterogeneous computing system of claim 1, wherein the heterogeneous computing devices are a plurality of, each of the heterogeneous computing devices being connected in a one-to-one correspondence with the PCIe bridge, each of the PCIe bridges being connected to the host via the PCIe bus.
4. A heterogeneous computing system according to claim 3, wherein the host is further to:
after the computing task instruction is generated, acquiring the current idle resource quantity of the heterogeneous computing device corresponding to each PCIe bridge connected with the host;
a heterogeneous computing device for the computing task instruction is determined based on a current amount of free resources for each of the heterogeneous computing devices and an amount of computing resources required for the computing task instruction.
5. The heterogeneous computing system of claim 4, wherein the host is further to:
before the current idle resource quantity of the heterogeneous computing device corresponding to each PCIe bridge connected with the host is obtained, determining a task type corresponding to the computing task instruction; the task types include: confidential computing tasks, general computing tasks;
when the task type corresponding to the computing task instruction is the confidential computing task, acquiring the current idle resource amount of the confidential computing environment of the host;
when the task type corresponding to the calculation task instruction is the common calculation task, acquiring the current idle resource quantity of the common calculation environment of the host;
and when the current idle resource quantity of the confidential computing environment is smaller than the computing resource quantity of the confidential computing task or the current idle resource quantity of the common computing environment is smaller than the computing resource quantity of the common computing task, acquiring the current idle resource quantity of the heterogeneous computing device corresponding to each PCIe bridge connected with the host.
6. The heterogeneous computing system of claim 1, wherein the PCIe bridge comprises: an uplink port and a downlink port;
the uplink port is connected with a PCIe interface of the host through a PCIe bus, and the downlink port is connected with a PCIe interface of the heterogeneous computing device.
7. The heterogeneous computing system of claim 1, wherein the PCIe bridge is further configured to receive a second resource to be computed from the host over a PCIe bus and send the second resource to be computed to a heterogeneous computing device connected to the PCIe bridge when the computing task instruction is a normal computing task instruction;
the heterogeneous computing device is further configured to calculate the second resource to be calculated, obtain a second calculation result, and send the second calculation result to the PCIe bridge;
the host is configured to receive a second computation result from the PCIe bridge.
8. The heterogeneous computing system of claim 7, wherein the host machine comprises: confidential computing environments and general computing environments;
wherein the confidential computing task instruction is generated for a confidential computing environment in the host based on a confidential computing task;
the general computing task instruction is generated for a general computing environment in the host based on a general computing task.
9. The heterogeneous computing system of claim 1 or 7, wherein the host is configured to: when a corresponding calculation result is obtained, generating a task ending instruction and sending the task ending instruction to the PCIe bridge;
the PCIe bridge is used for deleting all resources stored in the corresponding heterogeneous computing device based on the task ending instruction.
10. A method of resource processing based on a heterogeneous computing system, wherein the heterogeneous computing system is a heterogeneous computing system according to any one of claims 1 to 9, the method of resource processing comprising:
the PCIe bridge receives the calculation task instruction from the host, and when the calculation task instruction is a confidential calculation task instruction, a symmetric key is obtained;
the PCIe bridge decrypts the encrypted resources from the host according to the symmetric key to obtain a first resource to be calculated and sends the first resource to the heterogeneous computing device connected with the PCIe bridge;
the encryption resource is obtained by encrypting the first resource to be calculated by the host according to the obtained symmetric key;
the PCIe bridge encrypts the first calculation result from the heterogeneous calculation device through the symmetric key, and sends the encrypted first calculation result to the host computer through a PCIe bus, so that the host computer decrypts the encrypted first calculation result through the symmetric key to obtain the first calculation result;
the first calculation result is obtained by the heterogeneous computing device calculating the first to-be-calculated resource from the PCIe bridge.
11. The heterogeneous computing system-based resource processing method of claim 10, wherein the method further comprises:
when the computing task instruction is a common computing task instruction, the PCIe bridge receives a second resource to be computed from the host machine through a PCIe bus and sends the second resource to be computed to heterogeneous computing equipment connected with the PCIe bridge;
the PCIe bridge receives the second calculation result from the heterogeneous calculation device and sends the second calculation result to the host machine so that the host machine obtains the second calculation result; the second calculation result is obtained by calculating the second resource to be calculated by the heterogeneous calculation device.
CN202310764757.7A 2023-06-27 2023-06-27 Heterogeneous computing system and resource processing method based on same Active CN116527257B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310764757.7A CN116527257B (en) 2023-06-27 2023-06-27 Heterogeneous computing system and resource processing method based on same

Publications (2)

Publication Number Publication Date
CN116527257A true CN116527257A (en) 2023-08-01
CN116527257B CN116527257B (en) 2023-10-31

Family

ID=87408567

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310764757.7A Active CN116527257B (en) 2023-06-27 2023-06-27 Heterogeneous computing system and resource processing method based on same

Country Status (1)

Country Link
CN (1) CN116527257B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170139867A1 (en) * 2015-11-16 2017-05-18 Apacer Technology Inc. PCIe BRIDGE TRANSFORMATION DEVICE AND METHOD THEREOF
CN111897398A (en) * 2020-08-11 2020-11-06 曙光信息产业(北京)有限公司 Heterogeneous computing expansion device and electronic equipment
CN112035388A (en) * 2020-08-12 2020-12-04 北京数盾信息科技有限公司 High-performance encryption and decryption method based on PCI-e channel
CN112685352A (en) * 2020-12-31 2021-04-20 深圳安捷丽新技术有限公司 Bridging chip for PCIE-SATA protocol and operation method thereof
CN114600108A (en) * 2019-08-16 2022-06-07 边信联科技股份有限公司 System and method for performing trusted operation with remote authentication and information independence by heterogeneous processor through open connector
CN115237843A (en) * 2022-09-23 2022-10-25 粤港澳大湾区数字经济研究院(福田) Trusted computing system and method
CN116226940A (en) * 2022-12-08 2023-06-06 广州万协通信息技术有限公司 PCIE-based data security processing method and data security processing system

Also Published As

Publication number Publication date
CN116527257B (en) 2023-10-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20230801

Assignee: Shenzhen Qiangji Computing Technology Co.,Ltd.

Assignor: Guangdong Hong Kong Macao Dawan District Digital Economy Research Institute (Futian)

Contract record no.: X2023980045750

Denomination of invention: Heterogeneous computing systems and resource processing methods based on heterogeneous computing systems

Granted publication date: 20231031

License type: Exclusive License

Record date: 20231103