Disclosure of Invention
The invention mainly aims to provide a heterogeneous computing system and a resource processing method based on that system, and to solve two problems of prior-art heterogeneous computing devices: confidential computing on them is not generally applicable, and the data security of heterogeneous confidential computing is low.
To achieve the above object, the present invention provides a heterogeneous computing system including: a host, a PCIe bridge, and a heterogeneous computing device connected to the PCIe bridge; the PCIe bridge is connected to and communicates with the host through a PCIe bus;
the PCIe bridge is configured to receive a computing task instruction from the host and, when the computing task instruction is a confidential computing task instruction, to acquire a symmetric key;
the PCIe bridge is further configured to decrypt an encrypted resource from the host with the symmetric key to obtain a first resource to be computed, and to send the first resource to be computed to the heterogeneous computing device connected to the PCIe bridge;
the encrypted resource is obtained by the host encrypting the first resource to be computed with the symmetric key it has acquired;
the heterogeneous computing device is configured to compute the first resource to be computed received from the PCIe bridge to obtain a first computation result;
the PCIe bridge is further configured to encrypt the first computation result from the heterogeneous computing device with the symmetric key and to send the encrypted first computation result to the host through the PCIe bus;
the host is configured to decrypt the encrypted first computation result with the symmetric key it has acquired to obtain the first computation result.
Optionally, the PCIe bridge is specifically configured to: when the computing task instruction is a confidential computing task instruction, perform identity authentication with the host through the PCIe bus, and acquire the symmetric key only after the identity authentication succeeds.
Optionally, the heterogeneous computing devices are multiple, each heterogeneous computing device is connected with the PCIe bridge in a one-to-one correspondence manner, and each PCIe bridge is connected with the host through the PCIe bus.
Optionally, the host is further configured to: after the computing task instruction is generated, acquiring the current idle resource quantity of the heterogeneous computing device corresponding to each PCIe bridge connected with the host;
a heterogeneous computing device for the computing task instruction is determined based on a current amount of free resources for each of the heterogeneous computing devices and an amount of computing resources required for the computing task instruction.
Optionally, the host is further configured to: before obtaining the current idle resource amount of the heterogeneous computing device corresponding to each PCIe bridge connected to the host, determine the task type corresponding to the computing task instruction, the task types being: confidential computing task, general computing task;
when the task type corresponding to the computing task instruction is the confidential computing task, obtain the current idle resource amount of the confidential computing environment of the host;
when the task type corresponding to the computing task instruction is the general computing task, obtain the current idle resource amount of the general computing environment of the host;
and when the current idle resource amount of the confidential computing environment is smaller than the computing resource amount of the confidential computing task, or the current idle resource amount of the general computing environment is smaller than the computing resource amount of the general computing task, obtain the current idle resource amount of the heterogeneous computing device corresponding to each PCIe bridge connected to the host.
Optionally, the PCIe bridge includes: an upstream port and a downstream port;
the upstream port is connected to a PCIe interface of the host through the PCIe bus, and the downstream port is connected to a PCIe interface of the heterogeneous computing device.
Optionally, when the computing task instruction is a general computing task instruction, the PCIe bridge is further configured to receive a second resource to be computed from the host through the PCIe bus and to send the second resource to be computed to the heterogeneous computing device connected to the PCIe bridge;
the heterogeneous computing device is further configured to calculate the second resource to be calculated, obtain a second calculation result, and send the second calculation result to the PCIe bridge;
the host is configured to receive a second computation result from the PCIe bridge.
Optionally, the host machine includes: confidential computing environments and general computing environments;
wherein the confidential computing task instruction is generated for a confidential computing environment in the host based on a confidential computing task;
the general computing task instruction is generated for a general computing environment in the host based on a general computing task.
Optionally, the host is configured to: when a corresponding calculation result is obtained, generating a task ending instruction and sending the task ending instruction to the PCIe bridge;
the PCIe bridge is used for deleting all resources stored in the corresponding heterogeneous computing device based on the task ending instruction.
In order to achieve the above object, the present invention further provides a resource processing method based on a heterogeneous computing system, where the heterogeneous computing system is a heterogeneous computing system as described in any of the above, and the resource processing method includes:
the PCIe bridge receives a computing task instruction from the host and, when the computing task instruction is a confidential computing task instruction, acquires the symmetric key;
the PCIe bridge decrypts the encrypted resource from the host with the symmetric key to obtain a first resource to be computed, and sends the first resource to be computed to the heterogeneous computing device connected to the PCIe bridge;
the encrypted resource is obtained by the host encrypting the first resource to be computed with the symmetric key it has acquired;
the PCIe bridge encrypts the first computation result from the heterogeneous computing device with the symmetric key and sends the encrypted first computation result to the host through the PCIe bus, so that the host decrypts the encrypted first computation result with the symmetric key to obtain the first computation result;
the first computation result is obtained by the heterogeneous computing device computing the first resource to be computed received from the PCIe bridge.
Optionally, the method further comprises: when the computing task instruction is a general computing task instruction, the PCIe bridge receives a second resource to be computed from the host through the PCIe bus and sends the second resource to be computed to the heterogeneous computing device connected to the PCIe bridge; the PCIe bridge receives the second computation result from the heterogeneous computing device and sends the second computation result to the host, so that the host obtains the second computation result; the second computation result is obtained by the heterogeneous computing device computing the second resource to be computed.
According to the invention, the host is connected to the heterogeneous computing device through a PCIe bridge. In the confidential computing process the PCIe bridge and the host first acquire a symmetric key, and communication between the confidential computing environment of the host and the PCIe bridge is encrypted and decrypted with that key.
On the one hand, because the host and the PCIe bridge exchange data only in encrypted form throughout the confidential computing task, the first resource to be computed is protected on the segment that leaves the confidential computing environment and crosses the PCIe bus to the PCIe bridge, which secures its data for the whole heterogeneous confidential computing process; the PCIe bridge, which holds the key and decrypts the resource, and the heterogeneous computing device behind its downstream port are the trusted endpoints of that computation.
On the other hand, because the heterogeneous computing device is attached to the host through the PCIe bridge, heterogeneous confidential computing is achieved without changing the topology of the original computing system, the communication protocol of the PCIe interface of the heterogeneous computing device, the heterogeneous computing resources themselves, or the original functions and capabilities of the heterogeneous computing device, and the scheme applies to heterogeneous computing devices with different types of PCIe interfaces, which improves the generality of heterogeneous confidential computing.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clear and clear, the present invention will be further described in detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Fig. 1 is a schematic structural diagram of a heterogeneous computing system according to an embodiment of the present invention, where, as shown in fig. 1, the heterogeneous computing system at least includes: host 100, PCIe bridge 200, heterogeneous computing device 300.
The PCIe bridge 200 includes an upstream port and a downstream port. The upstream port is connected to a PCIe interface of the host 100 through the PCIe bus, so that the PCIe bridge 200 is connected to and communicates with the host 100 over that bus. The downstream port of the PCIe bridge 200 is connected to the PCIe interface of the heterogeneous computing device 300, which attaches the heterogeneous computing device 300 to the PCIe bridge 200. On this basis, the host 100 and the heterogeneous computing device 300 communicate through the PCIe bridge 200. The PCIe bridge 200 is a transparent bridge, for example a PCI-to-PCI bridge or a PCIe switch, extended with security functions such as encryption, decryption, authentication, access control and state management.
The host 100 includes a confidential computing environment and a general computing environment. The confidential computing environment is the area of the host 100 in which confidential computation is performed, and the general computing environment is the area of the host 100 used for computation other than confidential computation. In the embodiment of the present invention, a CPU-enforced "secure area" may be partitioned off in the CPU of the host 100 by means of Intel SGX or Arm TrustZone and used as the confidential computing environment, while the remaining area, the "normal area", is used as the general computing environment.
The heterogeneous computing device 300 has PCIe interfaces, such as GPU board, DPU board, NPU board, FPGA accelerator card, ASIC accelerator card, etc., which are not specifically limited in the embodiments of the present invention.
In the embodiment of the present invention, the host 100 is configured to generate a calculation task instruction, and send the generated calculation task instruction to the PCIe bridge 200 through the PCIe bus. The calculation task instruction includes: confidential computational task instructions, general computational task instructions. Wherein the confidential computational task instruction is generated by the confidential computational environment in the host 100 based on the confidential computational task for instructing to perform confidential computation; the general computing task instruction is generated by the general computing environment in the host 100 based on the general computing task, and is used to instruct the general computing.
The PCIe bridge 200 is configured to receive a computing task instruction from the host 100 and to determine the type of the computing task instruction, which is how it implements state management. When the computing task instruction is a confidential computing task instruction, the symmetric key is obtained, so that both the host 100 and the PCIe bridge 200 hold the symmetric key. The confidential computing environment of the host 100 is configured to encrypt the first resource to be computed corresponding to the confidential computing task instruction with the symmetric key, obtain a first encrypted resource, and send the first encrypted resource to the PCIe bridge 200 through the PCIe bus. The PCIe bridge 200 is configured to decrypt the first encrypted resource with the symmetric key, obtain the first resource to be computed, and send it to the heterogeneous computing device 300 connected to the PCIe bridge 200. The heterogeneous computing device 300 is configured to compute the first resource to be computed, obtain the corresponding first computation result, and send it to the PCIe bridge 200 connected to it. The PCIe bridge 200 is configured to encrypt the first computation result with the symmetric key and send the encrypted first computation result to the confidential computing environment of the host 100 through the PCIe bus. The confidential computing environment of the host 100 decrypts the encrypted first computation result with the symmetric key and thereby obtains the first computation result.
In the embodiment of the present invention, a PCIe bridge 200 is disposed between a host 100 having a confidential computing environment and the heterogeneous computing device 300 corresponding to it. After the host 100 sends the confidential computing task instruction, generated by the confidential computing environment from the confidential computing task, to the corresponding PCIe bridge 200 through the PCIe bus, a symmetric key for communication between the confidential computing environment of the host 100 and the PCIe bridge 200 is first obtained. The host 100 encrypts the first resource to be computed with the symmetric key and sends it to the PCIe bridge 200 through the PCIe bus; the PCIe bridge 200 decrypts it and sends the decrypted first resource to be computed to the heterogeneous computing device 300 connected to it; the heterogeneous computing device 300 computes the first resource to be computed and sends the resulting first computation result to the PCIe bridge 200 connected to it; the PCIe bridge 200 encrypts the first computation result with the symmetric key and sends the encrypted first computation result to the confidential computing environment of the host 100 through the PCIe bus; and the confidential computing environment of the host 100 decrypts the encrypted first computation result with the symmetric key to obtain the first computation result, which completes the confidential computation on the heterogeneous computing device 300.
In some embodiments of the invention, when the computing task instruction is a confidential computing task instruction, the PCIe bridge may obtain the symmetric key at least by any one of:
when the computing task instruction is a confidential computing task instruction, the PCIe bridge performs key exchange with a confidential computing environment of the host machine to obtain a symmetric key;
when the computing task instruction is a confidential computing task instruction, the confidential computing environment of the host machine sends a symmetric key which is generated in advance to the PCIe bridge.
In the heterogeneous computing system provided by the invention, communication between the confidential computing environment of the host 100 and the PCIe bridge 200 during confidential computing is encrypted and decrypted with the symmetric key. On the one hand, this secures the first resource to be computed on its way from the host 100 to the PCIe bridge 200, and so secures its data for the whole heterogeneous confidential computing process. On the other hand, because the heterogeneous computing device 300 is attached to the host 100 through the PCIe bridge 200, the topology of the original computing system, the communication protocol of the PCIe interface of the heterogeneous computing device 300, the heterogeneous computing resources, and the original functions and capabilities of the heterogeneous computing device 300 are all left unchanged, and the scheme applies to any heterogeneous computing device 300 with a PCIe interface, which improves the generality of heterogeneous confidential computing.
Further, the PCIe bridge 200 is specifically configured to perform identity authentication with the host 100 through the PCIe bus when the computing task instruction is a confidential computing task instruction, and acquire the symmetric key after the identity authentication is successful.
In the embodiment of the present invention, when the received computing task instruction is a confidential computing task instruction, the PCIe bridge 200 needs to perform identity authentication with the confidential computing environment of the host 100, and acquire the symmetric key after the identity authentication successfully establishes a trusted connection, so that the security of the heterogeneous computing system during confidential computing is further improved.
It can be understood that the identity authentication may use any existing, publicly known identity authentication method; the embodiment of the invention does not limit it to a particular one.
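The page leaves both the identity authentication method and the key exchange open. The following Go program is an added example, not code from the patent, of one way to combine the two so that the symmetric key is released only after a successful authentication: each side contributes an ephemeral X25519 key, proves its identity with an HMAC over both public keys under a pre-provisioned pairing secret, and derives the symmetric key from the shared secret and the handshake transcript. The pairing secret, the choice of X25519 and HMAC-SHA256, and the names NewParty, AuthTag, SessionKey and Handshake are assumptions of the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// pairingSecret stands in for the credential the host's confidential computing
// environment and the PCIe bridge share for identity authentication. The page
// leaves the method open, so a pre-provisioned secret is an assumption here.
var pairingSecret = []byte("constructed-pairing-secret-for-this-example")

// roleHost / roleBridge label the two ends of the PCIe bus in the transcript.
const (
	roleHost   byte = 0
	roleBridge byte = 1
)

// Party is one end of the handshake, holding an ephemeral X25519 key for this task.
type Party struct {
	role byte
	eph  *ecdh.PrivateKey
}

func NewParty(role byte) (*Party, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{role: role, eph: k}, nil
}

// Pub is the ephemeral public key a party puts on the PCIe bus.
func (p *Party) Pub() []byte { return p.eph.PublicKey().Bytes() }

// AuthTag is a party's identity proof: HMAC under the pairing secret over its
// role and the transcript hostPub||bridgePub. It cannot be forged without the
// secret, and because it covers both fresh public keys a captured tag cannot
// be replayed into a later handshake.
func AuthTag(role byte, hostPub, bridgePub []byte) []byte {
	m := hmac.New(sha256.New, pairingSecret)
	m.Write([]byte{role})
	m.Write(hostPub)
	m.Write(bridgePub)
	return m.Sum(nil)
}

// SessionKey verifies the peer's tag and only on success derives the symmetric
// key: HMAC-SHA256 keyed with the X25519 shared secret over a label and the
// transcript (a single extraction step standing in for a full HKDF).
func (p *Party) SessionKey(peerPub, peerTag []byte) ([]byte, error) {
	hostPub, bridgePub := p.Pub(), peerPub
	if p.role == roleBridge {
		hostPub, bridgePub = peerPub, p.Pub()
	}
	if !hmac.Equal(peerTag, AuthTag(1-p.role, hostPub, bridgePub)) {
		return nil, errors.New("identity authentication failed: no key released")
	}
	pk, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := p.eph.ECDH(pk)
	if err != nil {
		return nil, err
	}
	kdf := hmac.New(sha256.New, shared)
	kdf.Write([]byte("pcie-bridge-confidential-session-v1"))
	kdf.Write(hostPub)
	kdf.Write(bridgePub)
	return kdf.Sum(nil), nil // 32 bytes, e.g. an AES-256 key
}

// Handshake runs the exchange over the bus: public keys cross first, then each
// side's tag; both ends return the key they derived (equal on success).
func Handshake() (hostKey, bridgeKey []byte, err error) {
	host, err := NewParty(roleHost)
	if err != nil {
		return nil, nil, err
	}
	bridge, err := NewParty(roleBridge)
	if err != nil {
		return nil, nil, err
	}
	hp, bp := host.Pub(), bridge.Pub()
	if bridgeKey, err = bridge.SessionKey(hp, AuthTag(roleHost, hp, bp)); err != nil {
		return nil, nil, err
	}
	if hostKey, err = host.SessionKey(bp, AuthTag(roleBridge, hp, bp)); err != nil {
		return nil, nil, err
	}
	return hostKey, bridgeKey, nil
}
```

Two properties of this shape matter for the system described above. A party that does not hold the pairing secret cannot make the other side release a key, and a tag captured from one handshake is useless in another because it covers both fresh public keys. A fresh handshake per confidential task also gives each task its own symmetric key, which is what makes deleting it at task end meaningful.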
In some embodiments of the present invention, the PCIe bridge 200 is further configured to receive, when the computing task instruction is a normal computing task instruction, a second resource to be computed from the host 100 through the PCIe bus and send the second resource to the heterogeneous computing device 300 connected to the PCIe bridge 200. The heterogeneous computing device 300 is further configured to perform computing on a second resource to be computed, obtain a second computing result, and send the second computing result to the PCIe bridge 200, where the PCIe bridge 200 is configured to send the second computing result to the host 100 through the PCIe bus, that is, the host 100 is further configured to receive the second computing result from the PCIe bridge 200.
The heterogeneous computing system provided by the embodiment of the invention can therefore perform not only heterogeneous confidential computation but also heterogeneous general computation. When the received computing task instruction is a general computing task instruction, the PCIe bridge 200 receives the second resource to be computed from the general computing environment of the host 100 directly, that is, without the symmetric-key encryption used for confidential computing, sends it to the heterogeneous computing device 300 connected to it, and likewise sends the second computation result obtained by the heterogeneous computing device 300 from the second resource to be computed directly to the general computing environment of the host 100, thereby realizing heterogeneous general computation.
It can be understood that the first resource to be calculated is a resource to be calculated which needs to perform confidential calculation, and the second resource to be calculated is a resource to be calculated which performs general calculation. Moreover, the first resource to be calculated or the second resource to be calculated may be data or code, which is not specifically limited in the embodiment of the present invention.
The heterogeneous computing system provided by the invention can realize heterogeneous confidential computation and heterogeneous general computation, namely, state switching can be realized between confidential computation and general computation, so that the heterogeneous computing device 300 can be used for confidential computation and general computation, thereby improving the utilization rate of the heterogeneous computing device and improving user experience.
As shown in fig. 2, in the heterogeneous computing system provided by the present invention, the host 100 may correspond to a plurality of heterogeneous computing devices 300, where each heterogeneous computing device 300 is connected to one PCIe bridge 200 in a one-to-one correspondence manner, and each PCIe bridge 200 is connected to the host 100 through a PCIe bus.
In the embodiment of the present invention, setting a plurality of heterogeneous computing devices 300 for the host 100 can increase the computation amount of the heterogeneous computing system, and can also perform a plurality of heterogeneous computations at the same time, thereby further improving the user experience.
In some embodiments of the present invention, the host 100 is further configured to obtain, after generating the computing task instruction, a current amount of idle resources of the heterogeneous computing device 300 corresponding to each PCIe bridge 200 connected to the host 100; the heterogeneous computing devices 300 for the computing task instruction are determined based on the current amount of free resources of each heterogeneous computing device 300 and the amount of computing resources required for the computing task instruction.
Specifically, after generating the computing task instruction, the host 100 may first obtain, through each PCIe bridge 200 connected to it, the current idle resource amount of each heterogeneous computing device 300, then compare the current idle resource amount of each heterogeneous computing device 300 with the computing resource amount required by the computing task instruction, and randomly select one of the heterogeneous computing devices 300 whose current idle resource amount is greater than the required computing resource amount as the heterogeneous computing device 300 that executes the computing task corresponding to the computing task instruction.
The amount of computing resources required by the computing task instruction is the amount of computing resources required by the computing task corresponding to the computing task instruction, and the computing task can be a confidential computing task or a common computing task.
Still further, when the current idle resource amount of every heterogeneous computing device 300 is smaller than the required computing resource amount, the host 100 may divide the computing task corresponding to the computing task instruction into a plurality of subtasks and allocate a heterogeneous computing device 300 to each subtask, so as to preserve the efficiency of heterogeneous computing.
It may be understood that the division of the computing task into subtasks may distribute the required computing resource amount evenly, or may divide it according to the current idle resource amount of each heterogeneous computing device; the embodiment of the invention does not limit this.
If the host machine 100 in the heterogeneous computing system corresponds to a plurality of heterogeneous computing devices 300, after the host machine 100 generates a computing task instruction, the current free resource amount of each heterogeneous computing device 300 may be acquired through the PCIe bridge 200 to allocate the corresponding heterogeneous computing device 300 for the computing task instruction.
In some embodiments of the present invention, host 100 is further configured to: before the current idle resource amount of the heterogeneous computing device 300 corresponding to each PCIe bridge 200 connected to the host 100 is obtained, determining a task type corresponding to the computing task instruction, and when the task type corresponding to the computing task instruction is a confidential computing task, obtaining the current idle resource amount of the confidential computing environment of the host 100; when the task type corresponding to the calculation task instruction is a common calculation task, acquiring the current idle resource amount of the common calculation environment of the host 100; when the current amount of free resources of the confidential computing environment is smaller than the amount of computing resources of the confidential computing task or the current amount of free resources of the general computing environment is smaller than the amount of computing resources of the general computing task, the current amount of free resources of the heterogeneous computing device 300 corresponding to each PCIe bridge 200 connected to the host 100 is obtained.
In the embodiment of the present invention, before obtaining the current idle resource amount of the heterogeneous computing device 300 corresponding to each PCIe bridge 200 connected to it, the host 100 first checks its own current idle resource amount, and thereby decides whether heterogeneous computation on a heterogeneous computing device 300 is needed at all, which further improves the computing efficiency of the computing task.
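The following Go function is an added example, not part of the patent, of the allocation decision described above: the host first checks the idle resources of its own confidential or general computing environment, then queries the idle resources of the device behind each PCIe bridge, runs the task on one device that fits, and otherwise splits it across devices in proportion to their idle resources. The abstract resource units, the sorted first-fit choice in place of the page's random choice, and the names Task, Device, Assignment and Schedule are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

type TaskType int

const (
	Confidential TaskType = iota
	General
)

// Task is a computing task instruction: its type and the resources it requires.
type Task struct {
	Type TaskType
	Need int // computing resource amount required (abstract units; assumption)
}

// Device is a heterogeneous computing device reachable through its own PCIe bridge.
type Device struct {
	Bridge string
	Free   int // current idle resource amount reported through the bridge
}

// Assignment is one piece of the task and where it runs: "host" for the host's
// own confidential or general computing environment, otherwise a bridge name.
type Assignment struct {
	Where string
	Units int
}

// Schedule follows the host's decision order: check the matching host
// environment first, then the idle resources of every device behind a bridge,
// pick one device that fits, and otherwise split the task across devices in
// proportion to their idle resources (only if they can hold it in total).
func Schedule(t Task, hostFree map[TaskType]int, devices []Device) ([]Assignment, error) {
	if t.Need <= 0 {
		return nil, errors.New("task needs a positive amount of resources")
	}
	if hostFree[t.Type] >= t.Need {
		return []Assignment{{"host", t.Need}}, nil
	}
	// The page picks a fitting device at random; sorting by bridge name and
	// taking the first fit makes the outcome reproducible for the test.
	sorted := append([]Device(nil), devices...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Bridge < sorted[j].Bridge })
	total := 0
	for _, d := range sorted {
		if d.Free >= t.Need {
			return []Assignment{{d.Bridge, t.Need}}, nil
		}
		total += d.Free
	}
	if total < t.Need {
		return nil, fmt.Errorf("need %d units, only %d idle across %d devices", t.Need, total, len(sorted))
	}
	// Proportional split: floor each share, then hand the rounding remainder
	// one unit at a time to devices that still have idle resources.
	plan := make([]Assignment, 0, len(sorted))
	assigned := 0
	for _, d := range sorted {
		u := t.Need * d.Free / total
		plan = append(plan, Assignment{d.Bridge, u})
		assigned += u
	}
	for rem := t.Need - assigned; rem > 0; {
		for i := range plan {
			if rem > 0 && plan[i].Units < sorted[i].Free {
				plan[i].Units++
				rem--
			}
		}
	}
	out := plan[:0]
	for _, a := range plan {
		if a.Units > 0 {
			out = append(out, a)
		}
	}
	return out, nil
}
```

The remainder loop terminates because the total idle amount is at least the requirement, so after flooring there is always a device with spare capacity for each leftover unit; a device reporting zero idle resources never receives a subtask.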
In some embodiments of the present invention, the host 100 is further configured to generate a task end instruction when the computation result is obtained and to send it to the PCIe bridge 200. The PCIe bridge 200 is further configured to delete, based on the task end instruction, all resources stored in the heterogeneous computing device 300.
The calculation results include a first calculation result and a second calculation result, the task end instruction is generated by the confidential calculation environment of the host 100 when the calculation result is the first calculation result, and the task end instruction is generated by the general calculation environment of the host 100 when the calculation result is the second calculation result. All of the resources described above refer to all data or code received and generated by the heterogeneous computing device 300 during confidential or general computing processes.
Specifically, after the host 100 obtains the calculation result, a corresponding task end instruction is generated and sent to the corresponding PCIe bridge 200 through the PCIe bus, and after receiving the task end instruction, the PCIe bridge 200 deletes all the stored resources.
In the embodiment of the present invention, all resources received or generated by the heterogeneous computing device 300 during the computing task are deleted once the task is finished, so that they cannot be stolen afterwards, which further secures heterogeneous computing.
Based on the heterogeneous computing system, the invention also provides a resource processing method based on the heterogeneous computing system, as shown in fig. 3, the resource processing method at least comprises the following steps:
s301, the PCIe bridge receives the calculation task instruction from the host, and when the calculation task instruction is a confidential calculation task instruction, the symmetric key is obtained.
Specifically, the confidential computing environment of the host determines the PCIe bridge that performs the current confidential computing task after generating the confidential computing task. After the PCIe bridge executing the current confidential computing task is determined, the PCIe bridge and the confidential computing environment of the host machine carry out identity authentication in a pre-agreed mode, and after the identity authentication is passed, the PCIe bridge acquires the symmetric key.
And S302, the PCIe bridge decrypts the encrypted resources from the host according to the symmetric key to obtain a first resource to be calculated and sends the first resource to the heterogeneous computing device connected with the PCIe bridge.
The encryption resource is obtained by encrypting the first resource to be calculated by the host machine according to the symmetric key.
In the embodiment of the invention, after the PCIe bridge acquires the symmetric key, the confidential computing environment of the host starts the confidential computing task and sends the encrypted resource to the PCIe bridge.
S303, the PCIe bridge encrypts the first calculation result from the heterogeneous calculation device according to the symmetric key, and sends the encrypted first calculation result to the host computer through the PCIe bus, so that the host computer decrypts the encrypted first calculation result through the symmetric key to obtain the first calculation result.
The first calculation result is obtained by calculating a first resource to be calculated from the PCIe bridge by the heterogeneous calculation device.
In some embodiments of the present invention, after the host obtains the first computation result, it generates a corresponding task end instruction and sends it to the PCIe bridge; on receiving the task end instruction, the PCIe bridge deletes all resources in the heterogeneous computing device corresponding to it, so that nothing of the confidential computing task remains on the device and the data security of the confidential computing process is further improved.
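As an added example, not code from the patent, the following Go program walks steps S302 and S303 and the task end instruction with both ends of the channel in one process: the host encrypts the first resource to be computed, the PCIe bridge decrypts it and hands the plaintext to a stand-in for the heterogeneous computing device, encrypts the device's result for the host, and on task end discards the key and overwrites the plaintext buffer. AES-256-GCM as the symmetric cipher, the direction-prefixed counter nonce, the 32-byte key passed to NewChannel (in the system it is the key acquired after identity authentication), and the byte-sum workload are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

var errNoSession = errors.New("no confidential session: symmetric key not established")
// Channel is one end of the host<->bridge link under the agreed symmetric key.
// dir (0 host->bridge, 1 bridge->host) is the first nonce byte and sent/rcvd are
// per-direction counters, so a nonce is never reused under the shared key.
type Channel struct {
	aead       cipher.AEAD
	dir        byte
	sent, rcvd uint64
}

// NewChannel takes the 32-byte key both sides hold; in the system it comes from
// the key exchange after identity authentication. AES-256-GCM is an assumption.
func NewChannel(key []byte, dir byte) (*Channel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Channel{aead: aead, dir: dir}, err
}

func nonce(dir byte, n uint64) []byte {
	out := make([]byte, 12)
	out[0] = dir
	binary.BigEndian.PutUint64(out[4:], n)
	return out
}

// Seal encrypts one resource or result for the peer; Open reverses it and
// rejects any modified ciphertext. Both refuse to run without a session key.
func (c *Channel) Seal(plain []byte) ([]byte, error) {
	if c.aead == nil {
		return nil, errNoSession
	}
	n := nonce(c.dir, c.sent)
	c.sent++
	return c.aead.Seal(nil, n, plain, n), nil
}

func (c *Channel) Open(ct []byte) ([]byte, error) {
	if c.aead == nil {
		return nil, errNoSession
	}
	n := nonce(1-c.dir, c.rcvd)
	pt, err := c.aead.Open(nil, n, ct, n)
	if err == nil {
		c.rcvd++
	}
	return pt, err
}

// EndTask is the bridge's handling of the task end instruction: drop the key
// and overwrite the plaintext it handed to the heterogeneous computing device.
func (c *Channel) EndTask(deviceBuf []byte) {
	c.aead = nil
	for i := range deviceBuf {
		deviceBuf[i] = 0
	}
}

// deviceCompute stands in for the unmodified accelerator, which sees plaintext
// only; a 32-bit byte sum is a constructed workload.
func deviceCompute(resource []byte) []byte {
	var sum uint32
	for _, b := range resource {
		sum += uint32(b)
	}
	return binary.LittleEndian.AppendUint32(nil, sum)
}

// RunConfidentialTask is S302 and S303 followed by the task end instruction.
func RunConfidentialTask(host, bridge *Channel, resource []byte) (uint32, error) {
	enc, err := host.Seal(resource) // S302: host encrypts the first resource
	if err != nil {
		return 0, err
	}
	plain, err := bridge.Open(enc) // bridge decrypts, forwards plaintext downstream
	if err != nil {
		return 0, err
	}
	encRes, err := bridge.Seal(deviceCompute(plain)) // S303: bridge encrypts the result
	bridge.EndTask(plain)                             // task end: key dropped, buffer wiped
	if err != nil {
		return 0, err
	}
	out, err := host.Open(encRes) // host decrypts inside its confidential environment
	if err != nil {
		return 0, err
	}
	return binary.LittleEndian.Uint32(out), nil
}
```

Construct one Channel with dir 0 for the host and one with dir 1 for the bridge from the same key and pass both to RunConfidentialTask. The direction byte in the nonce is the check a practitioner should insist on here: with a single symmetric key shared by both ends, host and bridge would otherwise both start their counters at zero and encrypt the resource and the result under the same nonce, which is fatal for GCM.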
In some embodiments of the present invention, the above resource processing method may further include the following steps: when the computing task instruction is a general computing task instruction, the PCIe bridge receives a second resource to be computed from the host through the PCIe bus and sends the second resource to be computed to the heterogeneous computing device connected to the PCIe bridge; the PCIe bridge receives the second computation result from the heterogeneous computing device and sends the second computation result to the host, so that the host obtains the second computation result.
The second calculation result is obtained by calculating the second resource to be calculated by the heterogeneous calculation device.
In the present invention, each embodiment is described in a progressive manner, and the same and similar parts of each embodiment are mutually referred to, and each embodiment is mainly described and different from other embodiments. In particular, for the method embodiments, since they are substantially similar to the system embodiments, the description is relatively simple, with reference to the partial description of the system embodiments being relevant.
In addition, the systems and the methods provided by the embodiment of the invention are in one-to-one correspondence, so that the methods also have similar beneficial technical effects as the corresponding systems. Since the beneficial effects of the system have been described in detail above, the beneficial technical effects of the method are not described here again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Of course, those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by a computer program for instructing relevant hardware (e.g., processor, controller, etc.), the program may be stored on a computer readable storage medium, and the program may include the above described methods when executed. The computer readable storage medium may be a memory, a magnetic disk, an optical disk, etc.
It is to be understood that the invention is not limited in its application to the examples described above, but is capable of modification and variation in light of the above teachings by those skilled in the art, and that all such modifications and variations are intended to be included within the scope of the appended claims.