CN117667297A - Memory management method, device, chip, vehicle and medium in security island


Info

Publication number: CN117667297A
Authority: CN (China)
Prior art keywords: memory, domain, security, virtual machine, operating system
Legal status: Pending
Application number: CN202211049220.4A
Other languages: Chinese (zh)
Inventors: 胡征犀, 王栋宇
Current assignee: Kunlun Core Beijing Technology Co ltd
Original assignee: Kunlun Core Beijing Technology Co ltd
Application filed by: Kunlun Core Beijing Technology Co ltd
Priority to: CN202211049220.4A
Publication of: CN117667297A


Abstract

The disclosure provides a memory management method, device, chip, vehicle and medium in a security island, relates to the technical field of automatic driving, and in particular to the technical field of security islands. The specific implementation scheme is as follows: a first-level memory map and a second-level memory map are constructed, and the first-level memory map is divided into a security management space and an object space; the security management space is allocated to the security monitoring engine for exclusive access, and the security monitoring engine is authorized to access the object space; domain segments in the object space are allocated to virtual machine operating systems for isolated access; and the second-level memory map is divided into fine-grained regions respectively corresponding to the domain segments, which are allocated to the virtual machine operating systems matched with those domain segments for isolated access. The scheme can realize all functions of the traditional security island, provide a secure real-time virtualization platform, host virtual machine operating systems with different security levels, and construct a mixed-criticality system.

Description

Memory management method, device, chip, vehicle and medium in security island
Technical Field
The disclosure relates to the technical field of automatic driving, in particular to the technical field of security islands, and specifically to a memory management method, device, chip, vehicle and medium in a security island.
Background
The conventional design of the security island of an autopilot system is mainly implemented with an SoC (System on a Chip) or an external low-end MCU (Microcontroller Unit), which can only provide a relatively simple safety monitoring function. Meanwhile, in the conventional design of automotive autopilot software, software with functions such as safety monitoring, safety decision and vehicle control is implemented separately in a number of different safety processors and safety operating systems, which brings great challenges to the rapid iteration and safety of next-generation intelligent automobile software.
That is, the current security island design can only provide a simpler safety monitoring function, has limited hardware resources and difficult software iteration, and is difficult to adapt to the rapidly developing L4/L5 automatic driving requirements.
Disclosure of Invention
The disclosure provides a memory management method, a device, a chip, a vehicle and a medium in a security island.
According to an aspect of the present disclosure, there is provided a memory management method in a security island, performed by a security monitoring engine, the security island including a first-level privilege level operating environment in which the security monitoring engine is installed and a second-level privilege level operating environment in which at least one virtual machine operating system is installed, the method comprising:
constructing a first-level memory map and a second-level memory map, dividing the first-level memory map into a security management space and an object space, and dividing the object space into at least one domain segment;
allocating the security management space to the security monitoring engine for exclusive access, and authorizing the security monitoring engine to access the object space;
allocating the at least one domain segment in the object space to at least one virtual machine operating system for isolated access;
and dividing the second-level memory map into fine-grained regions respectively corresponding to the at least one domain segment, and allocating the fine-grained regions to the virtual machine operating system matched with the at least one domain segment for isolated access.
According to another aspect of the present disclosure, there is provided a memory management device in a security island, configured in a security monitoring engine, the security island including a first-level privilege level operating environment in which the security monitoring engine is installed and a second-level privilege level operating environment in which at least one virtual machine operating system is installed, the device comprising:
a memory space division module configured to construct a first-level memory map and a second-level memory map, divide the first-level memory map into a security management space and an object space, and divide the object space into at least one domain segment;
a first access right allocation module configured to allocate the security management space to the security monitoring engine for exclusive access and authorize the security monitoring engine to access the object space;
a second access right allocation module configured to allocate the at least one domain segment in the object space to at least one virtual machine operating system for isolated access;
and a fine-grained region allocation module configured to divide the second-level memory map into fine-grained regions respectively corresponding to the at least one domain segment, and allocate the fine-grained regions to the virtual machine operating system matched with the at least one domain segment for isolated access.
According to another aspect of the present disclosure, there is provided an autopilot chip including a security island for implementing a memory management method in the security island as in any one of the embodiments of the present disclosure;
wherein, in the second level privilege level operating environment of the security island, a plurality of real-time operating systems with different security levels are installed.
An autonomous vehicle comprising an autopilot chip in any one of the embodiments of the present disclosure.
According to another aspect of the present disclosure, there is provided a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform a memory management method in a security island of any of the embodiments of the present disclosure.
The technical scheme of the embodiments of the disclosure can not only realize all functions of the traditional security island, but also provide a secure real-time virtualization platform, hosting virtual machine operating systems with different security levels to construct a mixed-criticality system.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following specification.
Drawings
The drawings are for a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
FIG. 1 is a flowchart of a memory management method in a security island according to an embodiment of the present disclosure;
FIG. 2 is a flowchart of another memory management method in a security island according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of an application of an ARMv8-R chip in the automotive field according to an embodiment of the disclosure;
FIG. 4 is a schematic structural diagram of a security island of an autopilot chip provided in an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of a security island of another autopilot chip provided in an embodiment of the present disclosure;
FIG. 6 is a schematic diagram of memory protection in a memory isolation environment according to an embodiment of the disclosure;
FIG. 7 is a schematic diagram of a memory protection strategy according to an embodiment of the disclosure;
FIG. 8 is a schematic diagram of two-thread memory protection isolation provided by an embodiment of the present disclosure;
FIG. 9 is a schematic diagram of a memory management device in a security island according to an embodiment of the disclosure;
FIG. 10 is a schematic block diagram of an example autopilot chip that may be used to implement embodiments of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below in conjunction with the accompanying drawings, which include various details of the embodiments of the present disclosure to facilitate understanding, and should be considered as merely exemplary. Accordingly, one of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
In one example, fig. 1 is a flowchart of a memory management method in a security island provided in an embodiment of the present disclosure, where the embodiment may be applicable to a case of memory isolation access management of the security island, the method may be performed by a security monitoring engine, and the security monitoring engine may be configured in an autopilot chip. Two different levels of operating environments may be configured in a security island running a security monitoring engine, one being a first level privilege level operating environment in which the security monitoring engine is installed and the other being a second level privilege level operating environment in which at least one virtual machine operating system is installed. Accordingly, as shown in fig. 1, the method includes the following operations:
Step 110, a first-level memory map and a second-level memory map are constructed, the first-level memory map is divided into a security management space and an object space, and the object space is divided into at least one domain segment.
The first level memory map and the second level memory map may be two different levels of memory maps. The first level memory map may be a memory map in a first level privilege level operating environment. The second-level memory map may be a memory map in a second-level privilege level operating environment. The first-level privilege level operating environment may be an operating environment in which the security monitoring engine is installed. The second-level privilege level operating environment may be the operating environment in which the virtual machine operating system is installed. The first-level privilege level operating environment is higher in level than the second-level privilege level operating environment.
The security monitoring engine may be an engine with security monitoring and spatially isolated access functions. The security management space may be a space that is accessible only by the security monitoring engine in the first-level privilege level operating environment. The object space (also rendered as the guest space) may be a space in the first-level memory map that can be accessed by the security monitoring engine and, through the domain segments allocated to them, by the virtual machine operating systems.
In the embodiment of the disclosure, the first-level memory map and the second-level memory map may be established based on the first-level privilege level operating environment and the second-level privilege level operating environment of the security island respectively, so that the first-level memory map is divided into two spaces, namely a security management space and an object space, and the object space is further divided into at least one domain segment according to the number of virtual machine operating systems using the second-level privilege level operating environment in the security island.
Alternatively, assuming that the number of virtual machine operating systems in the security island that use the second-level privilege level operating environment is n, the object space may be partitioned into at least n domain segments.
Step 120, allocating the security management space to the security monitoring engine for exclusive access, and authorizing the security monitoring engine to access the object space.
In the embodiment of the disclosure, the security management space can be exclusively accessed through the security monitoring engine, that is, the virtual machine operating system in the security island cannot access the security management space, and the security monitoring engine is authorized to access the object space, so that the security monitoring engine has access rights to the security management space and the object space.
Step 130, allocating at least one domain segment in the object space to at least one virtual machine operating system for isolated access.
In the embodiment of the disclosure, a corresponding domain segment can be allocated to each virtual machine operating system in the object space, and an access right to a corresponding domain segment in the object space is allocated to each virtual machine operating system, so that each virtual machine operating system only accesses the corresponding domain segment in the allocated object space.
By way of example, assuming that domain segment 1 in the object space is assigned to virtual machine operating system a, domain segment 2 in the object space is assigned to virtual machine operating system b, and domain segment 3 in the object space is assigned to virtual machine operating system c, and the virtual machine operating system has isolated access to the domain segment of the object space, it is understood that virtual machine operating system a has access to domain segment 1 only, virtual machine operating system b has access to domain segment 2 only, and virtual machine operating system c has access to domain segment 3 only.
Step 140, dividing the second-level memory map into fine-grained regions respectively corresponding to the at least one domain segment, and allocating the fine-grained regions to the virtual machine operating system matched with the at least one domain segment for isolated access.
The fine-grained region may be a memory region in the second-level memory map for storing data required by the virtual machine operating system.
In the embodiment of the disclosure, the second-level memory map may be divided into fine-grained regions corresponding to each domain segment of the object space according to the number of virtual machine operating systems using the second-level privilege level operating environment in the security island. The access right of each fine-grained region is then allocated to the virtual machine operating system matched with the corresponding domain segment, so that each virtual machine operating system can only access the fine-grained region matched with its own domain segment, which realizes isolated access of the virtual machine operating systems to the fine-grained regions.
As described above, if the object space is divided into 3 domain segments (domain segment 1, domain segment 2 and domain segment 3), the second-level memory map may be divided into 3 fine-grained regions (fine-grained region A, fine-grained region B and fine-grained region C), assuming that domain segment 1 corresponds to fine-grained region A, domain segment 2 corresponds to fine-grained region B, and domain segment 3 corresponds to fine-grained region C. Further, the access right of fine-grained region A is allocated only to virtual machine operating system a matched with domain segment 1, the access right of fine-grained region B is allocated only to virtual machine operating system b matched with domain segment 2, and the access right of fine-grained region C is allocated only to virtual machine operating system c matched with domain segment 3, so that isolated access of each virtual machine operating system to its corresponding fine-grained region is realized.
According to the technical scheme, the security monitoring engine constructs a first-level memory map and a second-level memory map, divides the first-level memory map into a security management space and an object space, and divides the object space into at least one domain segment. The security management space is allocated to the security monitoring engine for exclusive access, the security monitoring engine is authorized to access the object space, at least one domain segment in the object space is allocated to at least one virtual machine operating system for isolated access, the second-level memory map is divided into fine-grained regions corresponding to the at least one domain segment respectively, and the fine-grained regions are allocated to the virtual machine operating system matched with the at least one domain segment for isolated access. In this scheme, the security island provides two operating environments of different levels for the security monitoring engine and the virtual machine operating systems respectively, and by isolating the access rights of the security monitoring engine from those of the virtual machine operating systems it can, on the basis of ensuring security, support application scenarios with different security requirements in automatic driving. This solves the problems of the prior art that the hardware resources of the security island are limited, software iteration is difficult and automatic driving requirements cannot be met; the security island can realize all functions of the traditional security island, provide a secure real-time virtualization platform, and host virtual machine operating systems with different security levels to construct a mixed-criticality system.
In an example, fig. 2 is a flowchart of another method for memory management in a security island according to an embodiment of the present disclosure, where an alternative implementation is given in this embodiment. Accordingly, as shown in fig. 2, the method includes the following operations:
Step 210, constructing a first-level memory map and a second-level memory map, dividing the first-level memory map into a security management space and an object space, and dividing the object space into at least one domain segment.
Step 220, allocating the security management space to the security monitoring engine for exclusive access, and authorizing the security monitoring engine to access the object space.
Step 230, assigning at least one domain segment in the object space to at least one virtual machine operating system for isolated access.
Step 240, dividing the second level memory map into fine-grained regions corresponding to at least one domain segment, and allocating the fine-grained regions to the virtual machine operating system matched with the at least one domain segment for isolated access.
Step 250, in response to an add instruction for a target virtual machine operating system, dividing a newly added domain segment in the object space, and allocating the newly added domain segment to the target virtual machine operating system.
The target virtual machine operating system may be a virtual machine operating system newly added to the security island. The newly added domain segment may be a domain segment allocated in the object space for the target virtual machine operating system.
In the embodiment of the disclosure, after the security monitoring engine receives the add instruction for the target virtual machine operating system, the target virtual machine operating system may be installed in the second-level privilege level operating environment, and the security monitoring engine divides the newly added domain segment in the object space so as to allocate the access right of the newly added domain segment to the target virtual machine operating system.
Step 260, dividing a newly added fine-grained region corresponding to the newly added domain segment in the second-level memory map, and allocating the newly added fine-grained region to the target virtual machine operating system.
The newly added fine-grained region may be a memory space in the second-level memory map storing data required by the target virtual machine operating system.
In the embodiment of the disclosure, after the security monitoring engine allocates the newly added domain segment to the target virtual machine operating system, a newly added fine-grained region corresponding to the newly added domain segment is further divided in the second-level memory map, and the access right of that newly added fine-grained region is allocated to the target virtual machine operating system. This realizes isolated access of the target virtual machine operating system to the newly added fine-grained region: the newly added domain segment and the newly added virtual machine operating system are brought in, the newly added virtual machine operating system has isolated access to the fine-grained region corresponding to its domain segment, other virtual machine operating systems are prevented from accessing the newly added domain segment and fine-grained region, and the security of data access is ensured.
In an optional embodiment of the disclosure, the memory management method in the security island may further include: reading a memory configuration description file in the process of executing the engine initialization of the security monitoring engine; and executing the memory management method according to the memory configuration information in the memory configuration description file.
The memory configuration description file may be a file for performing memory configuration on the security monitoring engine. The memory configuration information may be data related to memory configuration in a memory configuration description file.
In the embodiment of the disclosure, before two levels of memory mapping are constructed, the security monitoring engine may perform engine initialization first, and in the process of executing the engine initialization of the security monitoring engine, the memory configuration description file needs to be read, and then the memory configuration description file is parsed to obtain the memory configuration information in the memory configuration description file, so that the memory management method is executed according to the memory configuration information, and the configuration of the security management space, the object space and the fine-grained region access authority is realized, thereby providing an implementation mode for partition data configuration.
In an optional embodiment of the disclosure, the memory management method in the security island may further include: responding to memory switching instructions corresponding to a first virtual machine operating system and a second virtual machine operating system, and acquiring a first fine-grained region corresponding to the first virtual machine operating system and a second fine-grained region corresponding to the second virtual machine operating system in a second level memory map; switching the memory configuration information in the first fine-grained region to the memory configuration information of the second virtual machine operating system, and switching the memory configuration information in the second fine-grained region to the memory configuration information of the first virtual machine operating system; in the object space, removing the allocation relation between the first virtual machine operating system and the first domain segment, and removing the allocation relation between the second virtual machine operating system and the second domain segment; the first domain segment is reassigned to the second virtual machine operating system and the second domain segment is reassigned to the first virtual machine operating system.
The first virtual machine operating system and the second virtual machine operating system are two virtual machine operating systems in the security island whose memory-space data need to be switched with each other. The memory switching instruction may be used to switch data between different memory spaces. The first fine-grained region may be the fine-grained region allocated to the first virtual machine operating system, and the second fine-grained region the fine-grained region allocated to the second virtual machine operating system. The first domain segment may be the domain segment in the object space corresponding to the first virtual machine operating system, and the second domain segment the domain segment in the object space corresponding to the second virtual machine operating system.
In this embodiment of the present disclosure, after receiving memory switching instructions corresponding to a first virtual machine operating system and a second virtual machine operating system, a security monitoring engine may parse the memory switching instructions, obtain a first fine-grained region corresponding to the first virtual machine operating system and a second fine-grained region corresponding to the second virtual machine operating system in a second level memory map, determine, according to a memory configuration description file, memory configuration information of the first fine-grained region and memory configuration information of the second fine-grained region, and further switch the memory configuration information in the first fine-grained region to the memory configuration information of the second virtual machine operating system, and switch the memory configuration information in the second fine-grained region to the memory configuration information of the first virtual machine operating system. After the memory switching of the fine-grained regions of the first virtual machine operating system and the second virtual machine operating system is completed, the allocation relation between the first virtual machine operating system and the first domain segment in the object space and the allocation relation between the second virtual machine operating system and the second domain segment are deleted, the first domain segment is further reassigned to the second virtual machine operating system, the second domain segment is reassigned to the first virtual machine operating system, and flexible switching of memory spaces corresponding to different virtual machine operating systems is achieved.
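The two-level isolation of steps 110 to 140, the later addition of a virtual machine operating system in steps 250 and 260, and the memory switching just described, modelled together as an added C example. This is not code from the patent or from Kunlun Core: the address layout, the four-slot limit, the `island_*` function names and the verdict values are assumptions, and modelling the check as a first-level (domain segment ownership) test followed by a second-level (fine-grained region bounds and write attribute) test is the example's reading of the scheme, not a statement about the chip's hardware.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the two-level memory map (not the patent's code).
 * Layout constants and the slot limit are assumptions for the example. */
#define MAX_VMS       4
#define MGMT_BASE     0x00000000u
#define MGMT_SIZE     0x00100000u              /* security management space */
#define OBJECT_BASE   (MGMT_BASE + MGMT_SIZE)  /* object space starts after it */
#define SEGMENT_SIZE  0x00100000u              /* one domain segment per VM slot */
#define NO_VM         (-1)

enum actor   { ACTOR_ENGINE, ACTOR_VM };
enum verdict { ALLOW, DENY_LEVEL1, DENY_LEVEL2 };

/* First-level map entry: a domain segment of the object space and its owner. */
struct domain_segment { uint32_t base, size; int owner_vm; };
/* Second-level map entry: the fine-grained region carved inside that segment. */
struct fine_region    { uint32_t base, size; bool writable; int owner_vm; };

struct security_island {
    struct domain_segment seg[MAX_VMS];
    struct fine_region    region[MAX_VMS];   /* region[i] mirrors seg[i] */
};

/* Containment test for [addr, addr+len) inside [base, base+size), without overflow. */
static bool in_window(uint32_t base, uint32_t size, uint32_t addr, uint32_t len)
{
    return len > 0 && addr >= base && addr - base < size && len <= size - (addr - base);
}

/* Steps 110/120: build the first-level map.  The management space is implicit
 * (engine-only); the object space is carved into unassigned domain segments. */
void island_init(struct security_island *si)
{
    for (int i = 0; i < MAX_VMS; i++) {
        si->seg[i]    = (struct domain_segment){ OBJECT_BASE + i * SEGMENT_SIZE, SEGMENT_SIZE, NO_VM };
        si->region[i] = (struct fine_region){ 0, 0, false, NO_VM };
    }
}

/* Steps 130/140 for one VM, and steps 250/260 when a VM is added later:
 * assign a free domain segment, then carve the second-level fine-grained
 * region at its start.  Returns the slot index, or -1 on failure. */
int island_add_vm(struct security_island *si, int vm_id, uint32_t region_size, bool writable)
{
    if (vm_id == NO_VM || region_size == 0 || region_size > SEGMENT_SIZE) return -1;
    for (int i = 0; i < MAX_VMS; i++) {
        if (si->seg[i].owner_vm != NO_VM) continue;           /* slot already assigned */
        si->seg[i].owner_vm = vm_id;
        si->region[i] = (struct fine_region){ si->seg[i].base, region_size, writable, vm_id };
        return i;
    }
    return -1;                                                /* object space exhausted */
}

/* Access decision as the security monitoring engine would enforce it: the
 * engine reaches the management space and the whole object space; a VM must
 * pass the first-level check (its own domain segment) and then the
 * second-level check (fine-grained region bounds and write attribute). */
enum verdict island_check(const struct security_island *si, enum actor who, int vm_id,
                          uint32_t addr, uint32_t len, bool is_write)
{
    if (who == ACTOR_ENGINE)
        return (in_window(MGMT_BASE, MGMT_SIZE, addr, len) ||
                in_window(OBJECT_BASE, MAX_VMS * SEGMENT_SIZE, addr, len)) ? ALLOW : DENY_LEVEL1;
    if (vm_id == NO_VM) return DENY_LEVEL1;
    for (int i = 0; i < MAX_VMS; i++) {
        if (si->seg[i].owner_vm != vm_id) continue;
        if (!in_window(si->seg[i].base, si->seg[i].size, addr, len)) return DENY_LEVEL1;
        const struct fine_region *r = &si->region[i];
        if (r->owner_vm != vm_id || !in_window(r->base, r->size, addr, len)) return DENY_LEVEL2;
        return (is_write && !r->writable) ? DENY_LEVEL2 : ALLOW;
    }
    return DENY_LEVEL1;   /* VM owns no domain segment */
}

/* Optional embodiment (memory switching): hand each VM's fine-grained
 * configuration to the other, drop the old segment assignments and reassign
 * the two domain segments crosswise.  Fails if either VM owns no segment. */
bool island_swap_vms(struct security_island *si, int vm_a, int vm_b)
{
    int ia = -1, ib = -1;
    for (int i = 0; i < MAX_VMS; i++) {
        if (si->seg[i].owner_vm == vm_a) ia = i;
        if (si->seg[i].owner_vm == vm_b) ib = i;
    }
    if (vm_a == vm_b || ia < 0 || ib < 0) return false;
    si->region[ia].owner_vm = vm_b; si->region[ib].owner_vm = vm_a;   /* second level */
    si->seg[ia].owner_vm = NO_VM;   si->seg[ib].owner_vm = NO_VM;     /* remove assignments */
    si->seg[ia].owner_vm = vm_b;    si->seg[ib].owner_vm = vm_a;      /* reassign crosswise */
    return true;
}
```

The verdict distinguishes which level refused the access: `DENY_LEVEL1` means the address is outside the requesting VM's domain segment (or the VM owns none), which is the case the first-level map alone can reject; `DENY_LEVEL2` means the segment was right but the fine-grained region did not cover the range or did not allow the write. After `island_swap_vms`, the two VMs' read and write verdicts trade places, which is the observable effect the memory switching embodiment aims for.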
In an optional embodiment of the disclosure, the memory management method in the security island may further include: establishing a plurality of memory abstraction domains, wherein each memory abstraction domain can comprise a plurality of memory partitions, and each memory abstraction domain has a set domain security level; in response to installing new software in the security monitoring engine or the virtual machine operating system, acquiring a target software security level matched with the new software and at least one new software adaptation thread; matching the security level of the target software with the domain security levels of a plurality of memory abstract domains to obtain at least one matching success domain; each new software adaptation thread is respectively added into at least one matching success domain, wherein each new software adaptation thread can only access the memory partition in the matching success domain added by the new software adaptation thread.
The memory abstraction domain may be a domain formed by a set of memory partitions. The memory partition may be the smallest unit of memory contained in the memory protection unit of the security island. The memory partition is composed of the head and tail addresses of the memory, the memory size and the memory access attribute. The domain security level may be a security level set for a memory abstraction domain. Alternatively, the memory abstraction domains of the same domain security level can contain one or more identical memory partitions. The target software security level may be the security level of the security monitoring engine or the security level of installing new software in the virtual machine operating system. The new software adaptation thread may be a thread adapted to install new software in the security monitoring engine or virtual machine operating system. The match success domain may be a memory abstraction domain that matches successfully with the target software security level.
In the embodiment of the present disclosure, the memory partitions may be grouped according to threads to establish a plurality of memory abstraction domains, each including a plurality of memory partitions, and a domain security level may be set for each memory abstraction domain. When installation of new software in the security monitoring engine or the virtual machine operating system is detected, the new software is installed there, the target software security level of the new software is determined, and at least one new software adaptation thread for the new software and the domain security levels of all memory abstraction domains are obtained. The target software security level is then matched against the domain security levels of the memory abstraction domains, the domain security levels that match it are determined, at least one matching success domain is determined according to the matched domain security levels and the screening policy, and each new software adaptation thread is added to at least one matching success domain. Each new software adaptation thread can thus only access memory partitions in the matching success domains it has joined, which realizes access isolation between threads, reduces the occurrence of software threads accessing unauthorized memory domains, and reduces data access anomalies in the security island.
Optionally, the screening policy may include selecting the matching success domain among the memory abstraction domains whose domain security level matches the target software security level in a random manner, designating it in a manually specified manner, or determining it according to the occupancy of the memory partitions of those memory abstraction domains.
In an optional embodiment of the disclosure, matching the target software security level with domain security levels of a plurality of memory abstraction domains to obtain at least one matching success domain may include: matching the security level of the target software with the domain security levels of a plurality of memory abstract domains; and acquiring all memory abstract domains with the domain security level lower than or equal to the security level of the target software, and determining the memory abstract domains as the successfully matched domains.
In the embodiment of the disclosure, the target software security level can be matched with the domain security levels of the plurality of memory abstraction domains, so that all memory abstraction domains with a domain security level lower than or equal to the target software security level are determined and used as matching success domains. In this way the matching success domains are allocated to the new software adaptation threads according to the target software security level, and a new software adaptation thread is prevented from accessing memory abstraction domains whose domain security level is higher than its own target software security level.
In an optional embodiment of the disclosure, the memory management method in the security island may further include: responding to an operation scheduling instruction of a target thread in target software, and acquiring at least one target memory abstract domain added by the target thread; acquiring all target memory partitions included in at least one target memory abstract domain; all target memory partitions are set to an accessible state to the target thread and other memory partitions are set to an inaccessible state to the target thread.
The target software may be software in the security monitoring engine or in a virtual machine operating system. The target thread may be a thread that the target software needs to start in order to run. The run scheduling instruction may be an instruction that schedules a software thread to run. The target memory abstraction domain may be the matching success domain that matches the target software security level of the target software. The target memory partition may be a memory partition included in the target memory abstraction domain.
In the embodiment of the disclosure, after receiving the operation scheduling instruction of the target thread in the target software, the security monitoring engine may first obtain at least one target memory abstract domain added by the target thread, and further determine all target memory partitions included in the at least one target memory abstract domain, so as to set all target memory partitions included in all target memory abstract domains to be accessible states to the target thread, and set memory partitions in other memory abstract domains to be inaccessible states to the target thread, thereby implementing different configuration of access states of different memory partitions to the target thread, avoiding access of the target thread to non-target memory partitions, and improving the data access security level.
In an alternative embodiment of the present disclosure, after each new software adaptation thread is added to at least one matching success domain, the method may further include: planning, for each memory partition in the at least one matching success domain joined by each new software adaptation thread, the permission state of read-write operations by that thread, and generating planning information corresponding to each new software adaptation thread; and, after all target memory partitions are set to the accessible state for the target thread, the method may further include: setting the permission state of each target memory partition for read-write operations of the target thread according to the planning information corresponding to the target thread.
The planning information can be used for configuring the read-write permission of each new software adaptation thread in each memory partition.
In the embodiment of the disclosure, for each memory partition in the at least one matching success domain that each new software adaptation thread has joined, the permission state of read-write operations by that thread is planned, and planning information corresponding to each new software adaptation thread is generated. After all target memory partitions are set to the accessible state for the target thread, each target memory partition matched with the target thread is determined according to the planning information corresponding to the target thread, and the permission state of read-write operations on each target memory partition by the target thread is set. This achieves precise control of read-write operations by the target thread on the target memory partitions and prevents erroneous read-write operations.
In an optional embodiment of the disclosure, the memory management method in the security island may further include: and in response to the abnormal access of the target thread to the target memory partition in the inaccessible state, executing an abnormal processing strategy matched with the abnormal access to perform abnormal protection.
The exception handling policy may be the handling policy applied when the target thread makes an abnormal access to a memory partition in the inaccessible state. Optionally, the exception handling policy includes a backup safety policy applied at the time of a fault operation.
In the embodiment of the disclosure, if the monitor of the security monitoring engine detects that the target thread accesses a target memory partition in the inaccessible state, an abnormal access to the target memory partition is confirmed; the security monitoring engine responds to the abnormal access by determining the exception handling policy matching it and then executing that policy to achieve exception protection, thereby realizing the fault monitoring function of the security island.
In an alternative embodiment of the present disclosure, the processing chip used in the security island may be an ARMv8-R chip, which is given as an example of a chip that supports installing a two-level privileged execution environment.
ARMv8-R is the real-time V8 series product introduced by ARM. Its biggest highlight is support for real-time virtualization at EL2 (an exception level): using an ARMv8-R chip, a Hypervisor (system software that manages the isolation of virtual machines from mutual interference and their controlled communication) can be installed natively in a real-time scenario and run directly on the physical host; a two-stage MPU (Memory Protection Unit) supports isolation of safety tasks and the OS (Operating System); and context switches, i.e. thread switches, are fast and deterministic. The Hypervisor and the monitor can manage OS scheduling and CPU (Central Processing Unit) binding.
Application of the ARMv8-R chip in the automotive field can be seen in FIG. 3: the performance and safety of the system are ensured by isolating running code of different vendors and of different automotive safety levels.
According to the technical scheme, a first-level memory map and a second-level memory map are constructed through a security monitoring engine, the first-level memory map is divided into a security management space and an object space, the object space is divided into at least one domain segment, the security management space is distributed to the security monitoring engine for exclusive access, access permission of the security monitoring engine to the object space is authorized, the at least one domain segment in the object space is distributed to at least one virtual machine operating system for isolated access, the second-level memory map is divided into fine-grained regions respectively corresponding to the at least one domain segment, the fine-grained regions are distributed to the virtual machine operating system matched with the at least one domain segment for isolated access, a new added domain segment is further distributed to the object space in response to a new instruction of the target virtual machine operating system, the new added domain segment is distributed to the target virtual machine operating system, a new added fine-grained region corresponding to the new added domain segment is distributed to the second-level memory map, and the new added fine-grained region is distributed to the target virtual machine operating system. 
In the scheme, the safety island is provided with two running environments with different levels for the safety monitoring engine and the virtual machine operating system respectively, and through the isolation setting of the access rights of the safety monitoring engine and the access rights of the virtual machine operating system, on the basis of ensuring safety, the safety island can support application scenes with different safety requirements in automatic driving, solves the problems that the hardware resources of the safety island are limited, the software iteration is difficult and the automatic driving requirements cannot be met in the prior art, can realize all functions of the traditional safety island, can provide a safe real-time virtualization platform, and can host the virtual machine operating systems with different safety levels to construct a hybrid key system.
Fig. 4 is a schematic structural diagram of a security island of an autopilot chip provided in an embodiment of the present disclosure. As shown in fig. 4, the security island uses an ARMv8-R chip, and the security monitoring engine may support running multiple RTOSs (Real-Time Operating Systems). The security monitoring engine can monitor the RTOS of virtual machine 1 and the AUTOSAR OS (AUTomotive Open System ARchitecture operating system) of virtual machine 2, and can also monitor the ARMv8-R chip itself; that is, isolation between the OSs is ensured while faults of the system and of the OSs are monitored in real time through the monitor. The security monitoring engine belongs to a high exception level, while virtual machine operating system 1 and virtual machine operating system 2 belong to a low exception level.
Fig. 5 is a schematic structural diagram of another security island on an autopilot chip provided in an embodiment of the present disclosure. As shown in fig. 5, the security monitoring engine may support running a single RTOS, and acts as the monitoring layer with the highest privilege in the system, monitoring errors of the ARMv8-R chip and of the OS in real time.
Memory virtualization and isolation in the critical safety domain are not typically implemented with the MMU (Memory Management Unit) of the ARMv8-A family, because the MMU's TLB (translation lookaside buffer) adds latency to memory accesses and introduces non-determinism on cache misses and page-table walks. Thus, in such systems, an MPU is generally used to protect memory. Typical advantages of the MPU are: deterministic address translation, with a flat 1:1 mapping between physical and virtual addresses; no TLB and no table walk, which greatly shortens address translation latency while preserving determinism; and protection of memory areas through configuration of memory attributes.
In current security island designs, lower-end ARM Cortex-R/M series MCUs are mostly used; the MPU is well established in this series of MCUs, and an RTOS usually constructs different memory isolation protection areas for the OS kernel and for different applications by configuring a single-stage MPU module. ARMv8-R adds virtualization support and provides a two-stage MPU, but supporting memory virtualization and isolation for multiple VMs in software presents the following challenges: the number of regions in each MPU stage is typically limited, for example to 32; how to plan the memory map while reducing fragmentation; how to set the security authority of the memory and guarantee memory isolation between virtual machines; and how to provide deterministic static allocation.
To address these challenges in the design of the security island, two-layer memory isolation is applied to the ARMv8-R chip, with the following abstract definitions: the security management space is denoted el2_hyp_zone, the object space is denoted el2_guest_zone, and el2_hyp_zone is the memory space of the security monitoring engine. EL2 is the first-level privilege level operating environment and EL1/EL0 is the second-level privilege level operating environment.
The memory isolation process specifically comprises the following steps: based on the physical address (which equals the virtual address), a two-hierarchy memory MAP is constructed; the first-hierarchy memory MAP (el2_mem_map) is managed by the EL2 MPU2 of the CPU, and the second-hierarchy memory MAP (el1_mem_map) is managed by the EL1 MPU1 of the CPU. The first-level memory map is divided into el2_hyp_zone and el2_guest_zone. The el2_hyp_zone is used by the security monitoring engine or first-level program; it is generally configured at first initialization, is not modifiable afterwards, and must not be accessed by the Guest virtual machines (Guest VMs) of EL1. The el2_guest_zone is the memory area accessible to the Guest VMs; it is subdivided into a plurality of el2_guest_session for use by a plurality of Guest VMs, and the area used by each Guest VM is isolated, as shown in fig. 6.
The memory switching process comprises the following steps: in fig. 6, when VM1 is switched to VM2, the corresponding Region registers of the EL1 MPU1 are reprogrammed so that the memory configuration information of regions 0-3 of the EL1 MPU1 is switched to the memory configuration information of VM2, that is, the el1_mem_map is simply replaced; then the corresponding Region registers of the EL2 MPU2 are reprogrammed. For example, when EL2 switches from VM1 to VM2, the VM1 Section in the el2_settings_zone of the el2_mem_map must be set inaccessible and the VM2 Section restored to accessible.
The process of adding a new VM is as follows: the EL2 MPU2 is reprogrammed to add a GUEST space portion in the el2_guest_zone.
The isolation policy above may be implemented by describing the internal configuration information of the hardware with a DTS (Device Tree Source) description file, as commonly used in OSs such as Linux; that is, the partitioning and configuration information of the memory may be defined by the DTS description file.
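The two-level map, the VM switch and the newly added VM described above, as an added C example that is not the patent's code: a software model of el2_mem_map (el2_hyp_zone plus per-VM sections of el2_guest_zone) and el1_mem_map, in which the addresses, section sizes, region counts and per-VM region permissions are constructed for this example.

```c
/* Added example, not from the patent: a software model of the two-level
 * memory map described above. EL2 MPU2 holds el2_mem_map (el2_hyp_zone plus
 * el2_guest_zone split into per-VM sections); EL1 MPU1 holds el1_mem_map
 * (regions 0-3 of the running VM). Addresses, sizes and counts are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_VMS      4
#define EL1_REGIONS  4              /* regions 0-3 of EL1 MPU1, per VM      */
#define EL2_SECTIONS (1 + MAX_VMS)  /* section 0: el2_hyp_zone, 1..: guests */

enum attr { ATTR_NONE = 0, ATTR_RO, ATTR_RW };

/* One MPU region/section: head and tail address plus access attribute
 * (flat 1:1 mapping, so physical address == virtual address). */
struct region { uint32_t head, tail; enum attr attr; };

static struct region el2_mem_map[EL2_SECTIONS];       /* live EL2 MPU2 state   */
static struct region vm_el1_map[MAX_VMS][EL1_REGIONS]; /* each VM's el1_mem_map */
static struct region el1_mpu1[EL1_REGIONS];           /* live EL1 MPU1 state   */
static bool el2_hyp_locked;                           /* hyp zone fixed at init */
static int  vm_count, active_vm;

/* Constructed layout: hyp zone at the bottom, guest zone above it. */
#define HYP_ZONE_HEAD   0x20000000u
#define HYP_ZONE_TAIL   0x200FFFFFu
#define GUEST_ZONE_HEAD 0x20100000u
#define GUEST_SECT_SIZE 0x00100000u   /* 1 MiB per guest section */

/* First-time initialisation: program el2_hyp_zone once and lock it; later
 * reconfiguration requests are refused (see el2_set_hyp_zone). */
bool el2_init(void)
{
    memset(el2_mem_map, 0, sizeof el2_mem_map);
    memset(el1_mpu1, 0, sizeof el1_mpu1);
    el2_mem_map[0] = (struct region){HYP_ZONE_HEAD, HYP_ZONE_TAIL, ATTR_RW};
    el2_hyp_locked = true;
    vm_count = 0;
    active_vm = -1;
    return true;
}

/* el2_hyp_zone is configured at first initialisation and not modifiable later. */
bool el2_set_hyp_zone(uint32_t head, uint32_t tail)
{
    if (el2_hyp_locked) return false;
    el2_mem_map[0] = (struct region){head, tail, ATTR_RW};
    return true;
}

/* Newly added VM: reprogram EL2 MPU2 to carve one more guest section out of
 * el2_guest_zone and record the VM's own EL1 regions (constructed: four
 * equal sub-ranges, region 0 read-only). Returns the VM id, or -1 if full. */
int add_vm(void)
{
    if (vm_count >= MAX_VMS) return -1;
    int id = vm_count++;
    uint32_t head = GUEST_ZONE_HEAD + (uint32_t)id * GUEST_SECT_SIZE;
    uint32_t tail = head + GUEST_SECT_SIZE - 1;
    uint32_t part = GUEST_SECT_SIZE / EL1_REGIONS;
    el2_mem_map[1 + id] = (struct region){head, tail, ATTR_NONE}; /* not running */
    for (int r = 0; r < EL1_REGIONS; r++) {
        uint32_t h = head + (uint32_t)r * part;
        vm_el1_map[id][r] = (struct region){h, h + part - 1, r == 0 ? ATTR_RO : ATTR_RW};
    }
    return id;
}

/* Memory switching: load EL1 MPU1 regions 0-3 from the target VM's
 * el1_mem_map, then in EL2 MPU2 set the previous VM's section inaccessible
 * and restore the target VM's section to accessible. */
bool switch_vm(int to)
{
    if (to < 0 || to >= vm_count) return false;
    memcpy(el1_mpu1, vm_el1_map[to], sizeof el1_mpu1);
    if (active_vm >= 0) el2_mem_map[1 + active_vm].attr = ATTR_NONE;
    el2_mem_map[1 + to].attr = ATTR_RW;
    active_vm = to;
    return true;
}

static bool hits(const struct region *r, uint32_t addr, bool write)
{
    if (addr < r->head || addr > r->tail) return false;
    return write ? r->attr == ATTR_RW : r->attr != ATTR_NONE;
}

/* A guest access must pass both stages: stage 1 (EL1 MPU1) knows only the
 * running VM's regions; stage 2 (EL2 MPU2) never exposes el2_hyp_zone
 * (section 0 is skipped) or another VM's section to a guest. */
bool guest_access_ok(uint32_t addr, bool write)
{
    bool s1 = false, s2 = false;
    for (int r = 0; r < EL1_REGIONS; r++)  s1 = s1 || hits(&el1_mpu1[r], addr, write);
    for (int s = 1; s < EL2_SECTIONS; s++) s2 = s2 || hits(&el2_mem_map[s], addr, write);
    return s1 && s2;
}
```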
The automatic driving chip safety island executes the memory management method in the safety island based on the ARMv8-R MPU, can perform space isolation on software modules with different safety levels, can ensure that memory errors of software modules with low safety levels cannot affect software modules with high safety levels, and can protect memory spaces of software modules with the same safety levels and safe shared data among the modules.
ASIL (Automotive Safety Integrity Level) in the automotive certification standard ISO 26262 evaluates and quantifies the risk that follows a failure to achieve a safety goal. ISO 26262 defines five automotive safety integrity levels: QM (quality management), A, B, C and D, where D is the highest safety level.
Alternatively, the ASIL Domain may be a memory abstraction Domain with an automotive safety integrity level of ASIL A or above, and may be further subdivided into a plurality of different domains. The QM Domain is a memory abstraction Domain without ASIL requirements, for generic QM software modules.
The memory protection process is as follows:
1. Each OS thread is added to at least one Domain.
2. Each Domain may admit multiple threads.
3. Each Domain includes a plurality of Partitions (each corresponding to one Region of the MPU).
4. A thread of a low security level cannot join a Domain of a high security level; for example, a QM-level thread cannot join an ASIL Domain, and an ASIL A thread cannot join an ASIL D Domain.
5. A thread of a low security level may not access a Region of a high security level; for example, a QM-level thread may not access an ASIL Region.
6. When the OS performs a context switch, the Regions of the MPU are dynamically reprogrammed according to the Partitions defined in the corresponding Domain, completing the switch of the thread's memory protection areas.
Fig. 7 is a schematic diagram of a memory protection policy provided by an embodiment of the present disclosure. As shown in fig. 7, for thread 1 and thread 2 of QM application 1, QM application 1_domain_a and QM application 1_domain_b are defined, and both domains include the QM application 1 Partition. Thread 1 of QM application 1 does not have access to the operating system kernel Partition. In addition, QM application 1_domain_b and QM application 2_domain_a (of thread 1 of QM application 2) both contain the QM application Sharing Partition, so that both thread 2 of QM application 1 and thread 1 of QM application 2 can access the QM application Sharing Partition for data exchange. Thread 1 of QM application 2 may neither join the ASIL application_domain nor access the ASIL application Partition. The ASIL application 1 thread may access the ASIL application Partition in the ASIL application_domain.
In a specific example, as shown in FIG. 8, two threads may be defined, QM thread 1 and ASIL-D thread 2. QM thread 1 joins QM Domain A, which includes three Partitions (MPU Regions): Region1, Region2 and Region3. ASIL-D thread 2 joins ASIL Domain B, which includes two Partitions: Region8 and Region9. When the run scheduling instruction selects QM thread 1 as the next thread to execute, the following MPU programming is required at the context switch (corresponding to the thread's programming): 1. the memory attribute of Region1 is set to Read Only; 2. Region2 is set to Read/Write permission; 3. Region3 is set to Read/Write permission (not); 4. Region8 is set to inaccessible; 5. Region9 is set to inaccessible. After the thread's context switch is completed, Region8 and Region9 cannot be accessed by QM thread 1; even if a fault of QM thread 1 causes an erroneous access to Region8, the MPU immediately captures the exception and handles it, so that the memory of Region8 (ASIL) is protected from errors of the QM thread.
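The Domain/Partition policy, the level matching of the earlier embodiments and the FIG. 8 context switch, as an added C example that is not the patent's code: the region addresses, the region count and the exception handling policy are constructed, and the Region3 permission is assumed to be read/write.

```c
/* Added example, not from the patent: a model of the Domain/Partition
 * protection policy above and of the MPU reprogramming done at a thread
 * context switch, reproducing the FIG. 8 scenario. Addresses, the region
 * count and the exception handling policy are constructed for this example. */
#include <stdbool.h>
#include <stdint.h>

enum level { QM = 0, ASIL_A, ASIL_B, ASIL_C, ASIL_D };
enum attr  { ATTR_NONE = 0, ATTR_RO, ATTR_RW };

#define MAX_REGIONS 16   /* MPU region count (constructed; 32 is typical) */
#define MAX_DOMAINS 8
#define MAX_THREADS 8

/* A partition is one MPU Region: head and tail address plus the planned
 * read/write permission ("planning information") for threads that join it. */
struct partition { uint32_t head, tail; enum attr planned; };
struct domain    { enum level level; uint32_t partitions; }; /* bitmask */
struct thread    { enum level level; uint32_t domains;    }; /* bitmask */

static struct partition partitions[MAX_REGIONS];
static struct domain    domains[MAX_DOMAINS];
static struct thread    threads[MAX_THREADS];
static enum attr        mpu_region[MAX_REGIONS];   /* live MPU programming */
static int              faults_captured;

/* Level matching: every domain whose security level is lower than or equal
 * to the target software level is a matching success domain. */
uint32_t match_domains(enum level target)
{
    uint32_t mask = 0;
    for (int d = 0; d < MAX_DOMAINS; d++)
        if (domains[d].partitions && domains[d].level <= target) mask |= 1u << d;
    return mask;
}

/* Rule 4: a thread may join a Domain only if its level matched that Domain;
 * a QM thread cannot join an ASIL Domain, an ASIL A thread cannot join ASIL D. */
bool thread_join(int t, int d)
{
    if (!(match_domains(threads[t].level) & (1u << d))) return false;
    threads[t].domains |= 1u << d;
    return true;
}

/* Rule 6 / FIG. 8: on a context switch, program each Region from the
 * Partitions of the thread's Domains with its planned permission and set
 * every other Region inaccessible. Returns the number of accessible Regions. */
int context_switch(int t)
{
    int accessible = 0;
    for (int r = 0; r < MAX_REGIONS; r++) mpu_region[r] = ATTR_NONE;
    for (int d = 0; d < MAX_DOMAINS; d++) {
        if (!(threads[t].domains & (1u << d))) continue;
        for (int r = 0; r < MAX_REGIONS; r++)
            if (domains[d].partitions & (1u << r)) {
                mpu_region[r] = partitions[r].planned;
                accessible++;
            }
    }
    return accessible;
}

/* Access as seen by the MPU: touching a Region left inaccessible, or writing
 * a read-only one, is an abnormal access. The exception handling policy
 * modelled here (constructed) captures the fault and denies the access. */
bool mpu_access(uint32_t addr, bool write)
{
    for (int r = 0; r < MAX_REGIONS; r++) {
        if (addr < partitions[r].head || addr > partitions[r].tail) continue;
        enum attr a = mpu_region[r];
        if (a == ATTR_RW || (a == ATTR_RO && !write)) return true;
        break;
    }
    faults_captured++;
    return false;
}

int faults(void) { return faults_captured; }

/* FIG. 8 setup: QM thread 1 (index 0) and QM Domain A (index 0) with
 * Region1 (read-only), Region2 and Region3 (read/write); ASIL-D thread 2
 * (index 1) and ASIL Domain B (index 1) with Region8 and Region9.
 * Constructed layout: Region r covers 64 KiB at 0x20000000 + r * 0x10000. */
bool setup_fig8(void)
{
    for (int r = 0; r < MAX_REGIONS; r++) {
        uint32_t head = 0x20000000u + (uint32_t)r * 0x10000u;
        partitions[r] = (struct partition){head, head + 0xFFFFu, ATTR_RW};
        mpu_region[r] = ATTR_NONE;
    }
    partitions[1].planned = ATTR_RO;
    for (int d = 0; d < MAX_DOMAINS; d++) domains[d] = (struct domain){QM, 0};
    domains[0] = (struct domain){QM,     (1u << 1) | (1u << 2) | (1u << 3)};
    domains[1] = (struct domain){ASIL_D, (1u << 8) | (1u << 9)};
    threads[0] = (struct thread){QM, 0};
    threads[1] = (struct thread){ASIL_D, 0};
    faults_captured = 0;
    return true;
}
```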
Of course, it is understood that the memory protection isolation of two threads shown in FIG. 8 is by way of example only, and indeed, embodiments of the present disclosure may implement memory protection isolation between any number of threads (particularly multiple threads of different security level software).
The embodiments of the present disclosure also have the beneficial effects described in the foregoing embodiments, which are not described herein again.
The embodiment of the disclosure also provides a memory management device in a security island, which is configured in a security monitoring engine, wherein the security island comprises a first-level privilege level running environment for installing the security monitoring engine and a second-level privilege level running environment for installing at least one virtual machine operating system, and the memory management device is used for executing the memory management method in the security island.
Fig. 9 is a schematic diagram of a memory management device in a security island according to an embodiment of the disclosure, where, as shown in fig. 9, the device includes: a memory space partitioning module 310, a first access right allocation module 320, a second access right allocation module 330, and a fine-grained region allocation module 340, wherein:
the memory space division module 310 is configured to construct a first-level memory map and a second-level memory map, divide the first-level memory map into a security management space and an object space, and divide the object space into at least one domain segment;
a first access right allocation module 320, configured to allocate the security management space to the security monitoring engine for exclusive access and to grant the security monitoring engine access rights to the object space;
a second access right allocation module 330, configured to allocate the at least one domain segment in the object space to at least one virtual machine operating system for isolated access;
a fine-grained region allocation module 340, configured to divide the second-level memory map into fine-grained regions respectively corresponding to the at least one domain segment, and to allocate the fine-grained regions to the virtual machine operating system matching the at least one domain segment for isolated access.
According to the technical scheme, a first-level memory map and a second-level memory map are constructed through a security monitoring engine, the first-level memory map is divided into a security management space and an object space, the object space is divided into at least one domain segment, so that the security management space is allocated to the security monitoring engine for exclusive access, access permission of the security monitoring engine to the object space is authorized, at least one domain segment in the object space is allocated to at least one virtual machine operating system for isolated access, the second-level memory map is divided into fine-grained regions corresponding to the at least one domain segment respectively, and the fine-grained regions are allocated to the virtual machine operating system matched with the at least one domain segment for isolated access. In the scheme, the safety island is provided with two running environments with different levels for the safety monitoring engine and the virtual machine operating system respectively, and through the isolation setting of the access rights of the safety monitoring engine and the access rights of the virtual machine operating system, on the basis of ensuring safety, the safety island can support application scenes with different safety requirements in automatic driving, solves the problems that the hardware resources of the safety island are limited, the software iteration is difficult and the automatic driving requirements cannot be met in the prior art, can realize all functions of the traditional safety island, can provide a safe real-time virtualization platform, and can host the virtual machine operating systems with different safety levels to construct a hybrid key system.
Optionally, the memory management device in the security island further includes a description file reading module and a memory management method executing module, where the description file reading module is configured to read the memory configuration description file in a process of executing the engine initialization of the security monitoring engine; and the memory management method execution module is configured to execute the memory management method according to the memory configuration information in the memory configuration description file.
Optionally, the memory management device in the security island further includes a newly added domain segment allocation module and a newly added fine granularity region allocation module, where the newly added domain segment allocation module is configured to partition a newly added domain segment in the object space in response to a newly added instruction to the target virtual machine operating system, and allocate the newly added domain segment to the target virtual machine operating system; the newly added fine granularity area allocation module is configured to divide the newly added fine granularity area corresponding to the newly added domain segment in the second level memory map and allocate the newly added fine granularity area to the target virtual machine operating system.
Optionally, the memory management device in the security island further includes a fine-grained region acquisition module, a memory configuration information switching module, an allocation relation deletion module and a domain allocation module, where the fine-grained region acquisition module is configured to acquire, in response to a memory switching instruction corresponding to the first virtual machine operating system and the second virtual machine operating system, a first fine-grained region corresponding to the first virtual machine operating system and a second fine-grained region corresponding to the second virtual machine operating system in the second hierarchical memory map; the memory configuration information switching module is configured to switch the memory configuration information in the first fine-grained region into the memory configuration information of the second virtual machine operating system and switch the memory configuration information in the second fine-grained region into the memory configuration information of the first virtual machine operating system; the allocation relation deleting module is configured to remove the allocation relation between the first virtual machine operating system and the first domain segment and remove the allocation relation between the second virtual machine operating system and the second domain segment in the object space; and the domain segment allocation module is configured to reallocate the first domain segment to the second virtual machine operating system and reallocate the second domain segment to the first virtual machine operating system.
Optionally, the memory management device in the security island further includes a memory abstract domain building module, a new software matching data obtaining module, a matching success domain obtaining module and a thread joining module, where the memory abstract domain building module is configured to build a plurality of memory abstract domains, each memory abstract domain includes a plurality of memory partitions, and each memory abstract domain has a set domain security level; a new software matching data acquisition module configured to acquire a target software security level and at least one new software adaptation thread matching the new software in response to installing the new software in the security monitoring engine or the virtual machine operating system; the matching success domain acquisition module is configured to match the security level of the target software with the domain security levels of the plurality of memory abstract domains to acquire at least one matching success domain; and a thread joining module configured to join each new software adaptation thread into at least one matching success domain, wherein each new software adaptation thread has access only to memory partitions in the matching success domain to which the new software adaptation thread joins.
Optionally, the matching success domain acquisition module comprises a level matching unit and a matching success domain determining unit, wherein the level matching unit is configured to match the security level of the target software with the domain security levels of the plurality of memory abstract domains; and the successful matching domain determining unit is configured to acquire all memory abstract domains with the domain security level lower than or equal to the security level of the target software and determine the memory abstract domains as successful matching domains.
Optionally, the memory management device in the security island further includes a target thread joining module, a target memory partition obtaining module, and an access state configuration module, where the target thread joining module is configured to obtain at least one target memory abstract domain joined by the target thread in response to an operation scheduling instruction for the target thread in the target software; the target memory partition acquisition module is configured to acquire all target memory partitions included in at least one target memory abstract domain; the access state configuration module is configured to set all the target memory partitions to be in an accessible state for the target thread and set other memory partitions to be in an inaccessible state for the target thread.
Optionally, the memory management device in the security island further includes a planning information generating module and a read-write status configuration module, where the planning information generating module is configured to plan an allowed status of each memory partition in at least one matching success domain added by each new software adaptation thread for read-write operation of the new software adaptation thread, and generate planning information corresponding to each new software adaptation thread respectively; the read-write state configuration module is configured to set the permission states of each target memory partition for the read-write operation of the target thread according to the planning information corresponding to the target thread after setting all the target memory partitions to be accessible states of the target thread.
Optionally, the memory management device in the security island further includes an exception protection module configured to execute an exception handling policy matching the exception access to perform exception protection in response to an exception access of the target thread to the target memory partition in the inaccessible state.
Alternatively, the processing chip used in the security island is an ARMv8-R chip.
According to embodiments of the present disclosure, the present disclosure also provides an autopilot chip, an autopilot vehicle, and a computer readable storage medium. Wherein the autonomous vehicle may include an autopilot chip in embodiments of the present disclosure.
FIG. 10 illustrates a schematic block diagram of an example autopilot chip that may be used to implement embodiments of the present disclosure. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 10, the autopilot chip 400 includes a security island 401 that can perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 402 or a computer program loaded from a storage unit 408 into a Random Access Memory (RAM) 403. In the RAM 403, various programs and data required for the operation of the autopilot chip 400 may also be stored. The security island 401, ROM 402, and RAM 403 are connected to each other by a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
The various components in autopilot chip 400 are connected to I/O interface 405, including: an input unit 406 such as a keyboard, a mouse, etc.; an output unit 407 such as various types of displays, speakers, and the like; a storage unit 408, such as a magnetic disk, optical disk, etc.; and a communication unit 409 such as a network card, modem, wireless communication transceiver, etc. The communication unit 409 allows the autopilot chip 400 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunications networks.
Security island 401 may be a variety of general purpose and/or special purpose processing components having processing and computing capabilities. Some examples of security island 401 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The security island 401 performs the various methods and processes described above, such as the memory management method in the security island. For example, in some embodiments, the memory management method in the security island may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the autopilot chip 400 via the ROM 402 and/or the communication unit 409. When a computer program is loaded into RAM 403 and executed by security island 401, one or more steps of the memory management method in the security island described above may be performed. Alternatively, in other embodiments, security island 401 may be configured to perform the memory management method in the security island in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above can be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on Chip (SoCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that can be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special-purpose or general-purpose programmable processor, and that can receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or cloud host, which is a host product in a cloud computing service system that overcomes the high management difficulty and weak service scalability of traditional physical hosts and VPS services. The server may also be a server of a distributed system or a server that incorporates a blockchain.
Artificial intelligence is the discipline of studying the process of making a computer mimic certain mental processes and intelligent behaviors (e.g., learning, reasoning, thinking, planning, etc.) of a person, both hardware-level and software-level techniques. Artificial intelligence hardware technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing, and the like; the artificial intelligent software technology mainly comprises a computer vision technology, a voice recognition technology, a natural language processing technology, a machine learning/deep learning technology, a big data processing technology, a knowledge graph technology and the like.
Cloud computing (cloud computing) refers to a technical system that a shared physical or virtual resource pool which is elastically extensible is accessed through a network, resources can comprise servers, operating systems, networks, software, applications, storage devices and the like, and resources can be deployed and managed in an on-demand and self-service mode. Through cloud computing technology, high-efficiency and powerful data processing capability can be provided for technical application such as artificial intelligence and blockchain, and model training.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the technical solutions provided by the present disclosure are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (18)

1. A memory management method in a security island, performed by a security monitoring engine, the security island including a first privilege level operating environment in which the security monitoring engine is installed and a second privilege level operating environment in which at least one virtual machine operating system is installed, the method comprising:
constructing a first-level memory map and a second-level memory map, dividing the first-level memory map into a security management space and an object space, and dividing the object space into at least one domain segment;
allocating the security management space to the security monitoring engine for exclusive access, and authorizing the security monitoring engine to access the object space;
allocating the at least one domain segment in the object space to the at least one virtual machine operating system for isolated access;
and dividing the second-level memory map into fine-grained regions respectively corresponding to the at least one domain segment, and allocating the fine-grained regions to the virtual machine operating system matched with the at least one domain segment for isolated access.
2. The method of claim 1, further comprising:
reading a memory configuration description file during engine initialization of the security monitoring engine;
and executing the memory management method according to the memory configuration information in the memory configuration description file.
3. The method of claim 1, further comprising:
in response to an add instruction for a target virtual machine operating system, dividing a newly added domain segment in the object space and allocating the newly added domain segment to the target virtual machine operating system;
and dividing a newly added fine-grained region corresponding to the newly added domain segment in the second-level memory map, and allocating the newly added fine-grained region to the target virtual machine operating system.
4. The method of claim 1, further comprising:
in response to a memory switching instruction corresponding to a first virtual machine operating system and a second virtual machine operating system, acquiring a first fine-grained region corresponding to the first virtual machine operating system and a second fine-grained region corresponding to the second virtual machine operating system in the second-level memory map;
switching the memory configuration information in the first fine-grained region to the memory configuration information of the second virtual machine operating system, and switching the memory configuration information in the second fine-grained region to the memory configuration information of the first virtual machine operating system;
in the object space, removing the allocation relation between the first virtual machine operating system and the first domain segment, and removing the allocation relation between the second virtual machine operating system and the second domain segment;
and reallocating the first domain segment to the second virtual machine operating system and reallocating the second domain segment to the first virtual machine operating system.
5. The method of claim 1, further comprising:
establishing a plurality of memory abstraction domains, wherein each memory abstraction domain comprises a plurality of memory partitions, and each memory abstraction domain has a set domain security level;
in response to installing new software in the security monitoring engine or the virtual machine operating system, acquiring a target software security level matched with the new software and at least one new software adaptation thread;
matching the security level of the target software with the domain security levels of a plurality of memory abstract domains to obtain at least one matching success domain;
each new software adaptation thread is respectively added into at least one matching success domain, wherein each new software adaptation thread can only access the memory partition in the matching success domain added by the new software adaptation thread.
6. The method of claim 5, wherein matching the target software security level with domain security levels of a plurality of memory abstraction domains to obtain at least one matching success domain comprises:
matching the security level of the target software with the domain security levels of the plurality of memory abstraction domains;
and acquiring all memory abstraction domains whose domain security level is lower than or equal to the security level of the target software, and determining those memory abstraction domains as the matching success domains.
7. The method of claim 5, further comprising:
in response to an operation scheduling instruction for a target thread of target software, acquiring at least one target memory abstraction domain that the target thread has joined;
acquiring all target memory partitions included in the at least one target memory abstraction domain;
and setting all target memory partitions to an accessible state for the target thread and all other memory partitions to an inaccessible state for the target thread.
8. The method of claim 7, after adding each new software adaptation thread to at least one matching success domain separately, further comprising:
planning the permission state of each memory partition in at least one matching success domain added by each new software adaptation thread to the read-write operation of the new software adaptation thread, and generating planning information corresponding to each new software adaptation thread respectively;
after setting all of the target memory partitions to an accessible state to the target threads, further comprising:
setting the permitted read/write state of each target memory partition for the target thread according to the planning information corresponding to the target thread.
9. The method of claim 7, further comprising:
in response to an exceptional access by the target thread to a target memory partition in the inaccessible state, executing an exception handling policy matching the exceptional access to perform exception protection.
10. The method of any one of claims 1-9, wherein the processing chip used in the security island is an ARMv8-R chip.
11. A memory management device in a security island, the security island including a first privilege level operating environment in which a security monitoring engine is installed and a second privilege level operating environment in which at least one virtual machine operating system is installed, the device comprising:
a memory space division module configured to construct a first-level memory map and a second-level memory map, divide the first-level memory map into a security management space and an object space, and divide the object space into at least one domain segment;
a first access right allocation module configured to allocate the security management space to the security monitoring engine for exclusive access and to authorize the security monitoring engine to access the object space;
a second access right allocation module configured to allocate the at least one domain segment in the object space to the at least one virtual machine operating system for isolated access;
and a fine-grained region allocation module configured to divide the second-level memory map into fine-grained regions respectively corresponding to the at least one domain segment, and to allocate the fine-grained regions to the virtual machine operating system matched with the at least one domain segment for isolated access.
12. The apparatus of claim 11, further comprising a fine-grained region acquisition module, a memory configuration information switching module, an allocation relationship deletion module, and a domain segment allocation module, wherein,
the fine-grained region acquisition module is configured to respond to memory switching instructions corresponding to the first virtual machine operating system and the second virtual machine operating system and acquire a first fine-grained region corresponding to the first virtual machine operating system and a second fine-grained region corresponding to the second virtual machine operating system in the second level memory map;
the memory configuration information switching module is configured to switch the memory configuration information in the first fine-grained region into the memory configuration information of the second virtual machine operating system and switch the memory configuration information in the second fine-grained region into the memory configuration information of the first virtual machine operating system;
the allocation relation deleting module is configured to remove, in the object space, the allocation relation between the first virtual machine operating system and the first domain segment and the allocation relation between the second virtual machine operating system and the second domain segment;
and the domain segment allocation module is configured to reallocate the first domain segment to the second virtual machine operating system and reallocate the second domain segment to the first virtual machine operating system.
13. The apparatus of claim 11, further comprising a memory abstraction domain setup module, a new software match data acquisition module, a match success domain acquisition module, and a thread join module, wherein,
the memory abstraction domain building module is configured to build a plurality of memory abstraction domains, wherein each memory abstraction domain comprises a plurality of memory partitions, and each memory abstraction domain has a set domain security level;
a new software matching data acquisition module configured to acquire a target software security level and at least one new software adaptation thread matching the new software in response to installing the new software in the security monitoring engine or the virtual machine operating system;
the matching success domain acquisition module is configured to match the security level of the target software with the domain security levels of the plurality of memory abstract domains to acquire at least one matching success domain;
and the thread joining module is configured to add each new software adaptation thread to at least one matching success domain, wherein each new software adaptation thread can only access the memory partitions in the matching success domains it has joined.
14. The apparatus of claim 13, wherein the matching success domain acquisition module comprises a level matching unit and a matching success domain determination unit, wherein,
a level matching unit configured to match the target software security level with domain security levels of the plurality of memory abstraction domains;
and the successful matching domain determining unit is configured to acquire all memory abstract domains with the domain security level lower than or equal to the security level of the target software and determine the memory abstract domains as successful matching domains.
15. The apparatus of claim 11, further comprising an exception protection module configured to execute an exception handling policy matching the exception access to perform exception protection in response to an exception access by the target thread to the target memory partition in the inaccessible state.
16. An autopilot chip comprising a security island for implementing a memory management method in the security island of any one of claims 1-10;
wherein a plurality of real-time operating systems with different security levels are installed in the second privilege level operating environment of the security island.
17. An autonomous vehicle comprising the autopilot chip of claim 16.
18. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the memory management method in a security island according to any one of claims 1-10.
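As an added illustration that is not part of the patent text or the applicant's code, the C model below implements the two-level memory map of claims 1 to 4: a first-level map split into a security management space that only the security monitoring engine may touch and an object space carved into domain segments, each allocated to one virtual machine operating system, plus a second-level map of fine-grained regions inside each segment. An access by a virtual machine operating system passes only if both levels agree. The memory switch of claim 4 is modelled by exchanging the second-level configuration and reallocating the domain segments crosswise. All addresses, sizes and the VM numbering are hypothetical.

```c
/* Added model (not the patent's code) of the two-level memory map of claims 1-4:
   first level = security management space (engine only) + object space carved
   into domain segments, one per VM OS; second level = fine-grained regions
   inside each segment. Addresses and sizes are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_SEGMENTS 4
#define MAX_FINE 4
#define ENGINE (-1)                  /* requester id of the security monitoring engine */

enum access_result { ACCESS_OK, ACCESS_DENIED, ACCESS_UNMAPPED };

struct region { uint64_t base, size; };
struct fine_region { struct region r; int owner_vm; };         /* second-level entry */
struct domain_segment {                                          /* first-level entry */
    struct region r;
    int owner_vm;                    /* VM OS granted isolated access, -1 if none */
    struct fine_region fine[MAX_FINE];
    size_t nfine;
};
struct memory_map {
    struct region mgmt, object;      /* security management space, object space */
    struct domain_segment seg[MAX_SEGMENTS];
    size_t nseg;
};

static bool contains(const struct region *r, uint64_t a) {
    return a >= r->base && a - r->base < r->size;
}
static bool inside(const struct region *in, const struct region *out) {   /* overflow-safe */
    return in->base >= out->base && in->size <= out->size &&
           in->base - out->base <= out->size - in->size;
}

void map_init(struct memory_map *m, struct region mgmt, struct region object) {
    m->mgmt = mgmt; m->object = object; m->nseg = 0;
}

/* Carve a domain segment for VM `vm` out of the object space; -1 if it leaves
   the object space, overlaps an existing segment, or the table is full. */
int map_add_segment(struct memory_map *m, struct region r, int vm) {
    if (m->nseg == MAX_SEGMENTS || vm < 0 || r.size == 0 || !inside(&r, &m->object)) return -1;
    for (size_t i = 0; i < m->nseg; i++) {
        const struct region *s = &m->seg[i].r;
        if (r.base < s->base + s->size && s->base < r.base + r.size) return -1;  /* overlap */
    }
    m->seg[m->nseg] = (struct domain_segment){ .r = r, .owner_vm = vm, .nfine = 0 };
    return (int)m->nseg++;
}

/* Add a fine-grained region inside segment `seg`; it is configured for that segment's VM. */
bool map_add_fine(struct memory_map *m, int seg, struct region r) {
    if (seg < 0 || (size_t)seg >= m->nseg) return false;
    struct domain_segment *s = &m->seg[seg];
    if (s->nfine == MAX_FINE || r.size == 0 || !inside(&r, &s->r)) return false;
    s->fine[s->nfine++] = (struct fine_region){ .r = r, .owner_vm = s->owner_vm };
    return true;
}

/* The engine reaches both spaces. A VM OS passes only if the address is in a
   domain segment allocated to it (first level) AND in a fine-grained region
   configured for it (second level); any other object-space address is denied. */
enum access_result map_check(const struct memory_map *m, int requester, uint64_t addr) {
    if (contains(&m->mgmt, addr)) return requester == ENGINE ? ACCESS_OK : ACCESS_DENIED;
    if (!contains(&m->object, addr)) return ACCESS_UNMAPPED;
    if (requester == ENGINE) return ACCESS_OK;
    for (size_t i = 0; i < m->nseg; i++) {
        const struct domain_segment *s = &m->seg[i];
        if (!contains(&s->r, addr)) continue;
        if (s->owner_vm != requester) return ACCESS_DENIED;
        for (size_t j = 0; j < s->nfine; j++)
            if (contains(&s->fine[j].r, addr) && s->fine[j].owner_vm == requester) return ACCESS_OK;
        return ACCESS_DENIED;        /* own segment, but no second-level region covers addr */
    }
    return ACCESS_DENIED;            /* object-space gap allocated to nobody */
}

/* Memory switch of claim 4: exchange the second-level configuration of both
   fine-grained region sets, remove both first-level allocations, reallocate crosswise. */
bool map_swap(struct memory_map *m, int ia, int ib) {
    if (ia < 0 || ib < 0 || ia == ib || (size_t)ia >= m->nseg || (size_t)ib >= m->nseg) return false;
    struct domain_segment *a = &m->seg[ia], *b = &m->seg[ib];
    int vm_a = a->owner_vm, vm_b = b->owner_vm;
    if (vm_a < 0 || vm_b < 0 || vm_a == vm_b) return false;
    for (size_t j = 0; j < a->nfine; j++) a->fine[j].owner_vm = vm_b;
    for (size_t j = 0; j < b->nfine; j++) b->fine[j].owner_vm = vm_a;
    a->owner_vm = b->owner_vm = -1;  /* allocation relations removed ... */
    a->owner_vm = vm_b;              /* ... then each segment goes to the other VM */
    b->owner_vm = vm_a;
    return true;
}

/* Hypothetical layout: 1 MiB management space, 4 MiB object space, one 1 MiB
   segment per VM with a 64 KiB fine-grained region at its start. */
struct memory_map g_map;
bool demo_build(void) {
    map_init(&g_map, (struct region){0x10000000, 0x100000}, (struct region){0x20000000, 0x400000});
    int s0 = map_add_segment(&g_map, (struct region){0x20000000, 0x100000}, 0);
    int s1 = map_add_segment(&g_map, (struct region){0x20100000, 0x100000}, 1);
    return s0 == 0 && s1 == 1 &&
           map_add_fine(&g_map, s0, (struct region){0x20000000, 0x10000}) &&
           map_add_fine(&g_map, s1, (struct region){0x20100000, 0x10000});
}
```

Two checks in this model are the ones a reviewer would want from a real engine: `map_add_segment` rejects a segment that leaves the object space or overlaps another VM's segment (so no VM can be allocated a range that reaches into the management space or a neighbour), and `map_check` denies an address that is inside a VM's own domain segment but outside any fine-grained region configured for it, which is exactly the case the second-level map exists to catch.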
Application Number Priority Date Filing Date Title
CN202211049220.4A 2022-08-30 2022-08-30 Memory management method, device, chip, vehicle and medium in security island

Publication Number Publication Date
CN117667297A true 2024-03-08

Family ID 90064860

Country Status: CN, Pending

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination