CN117909998A - Method for sharing host computer hardware encryption card in cloud computer - Google Patents
Method for sharing host computer hardware encryption card in cloud computer Download PDFInfo
- Publication number
- CN117909998A CN117909998A CN202311702852.0A CN202311702852A CN117909998A CN 117909998 A CN117909998 A CN 117909998A CN 202311702852 A CN202311702852 A CN 202311702852A CN 117909998 A CN117909998 A CN 117909998A
- Authority
- CN
- China
- Prior art keywords
- password card
- virtual
- cloud computer
- card
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 25
- 230000006978 adaptation Effects 0.000 claims abstract description 14
- 230000003993 interaction Effects 0.000 claims description 9
- 230000005540 biological transmission Effects 0.000 claims description 7
- 239000011800 void material Substances 0.000 claims description 3
- 230000001133 acceleration Effects 0.000 description 3
- 230000000694 effects Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
The invention relates to the technical field of virtual machines, in particular to a method for sharing a host machine hardware encryption card in a cloud computer, which comprises the following steps: each cloud computer virtually generates a virtual password card device which is used as a bridge for communicating the cloud computer with the host computer; the virtual password card is used for driving, and is exposed to an application layer for application in the cloud computer; the back end of the virtual password card is communicated with the password card adaptation layer, and the password card adaptation layer finally forwards the task to hardware password card equipment for execution.
Description
Technical Field
The invention relates to the technical field of virtual machines, in particular to a method for sharing a host machine hardware encryption card in a cloud computer.
Background
Due to the special industry, the data security is required to be high in part of industries, and encryption and decryption of the data are required to be performed through a special hardware password card.
The encryption and decryption of data by software can occupy a large amount of CPU computing power, thereby affecting the performance of the cloud computer, and the work is handed to a special hardware password card for processing, so that the CPU computing power can be released, and the performance of the cloud computer is improved.
Because of the limitation of the natural isolation characteristic of the cloud computer, the password card hardware equipment cannot be directly perceived in the cloud computer, and the cloud computer cannot be used in any way. The method is characterized in that the equipment is directly and thoroughly transmitted into the cloud computer in a device transmission mode, so that the cloud computer can directly see the password card equipment.
Disclosure of Invention
The invention aims to provide a method for sharing and using host hardware encryption cards in a cloud computer, which realizes a virtual password card device in the cloud computer, receives encryption and decryption tasks and transmits the tasks to the password card device on the host computer to finish, gets rid of the limitation of one-to-one binding of the cloud computer and the password card, improves the utilization rate of resources, eliminates the dependence on hardware virtualization acceleration technology, and shields the difference of various password card devices of different manufacturers.
The technical scheme of the invention is as follows:
a method for sharing and using host hardware encryption card in cloud computer includes the following steps:
S1, each cloud computer virtually generates a virtual password card device which is used as a bridge for communicating the cloud computer with a host;
S2, the virtual password card is used for driving, and the virtual password card is exposed to an application layer for application in the cloud computer;
And S3, the rear end of the virtual password card is communicated with the password card adaptation layer, and the password card adaptation layer finally forwards the task to hardware password card equipment for execution.
The invention further improves the implementation mode that the virtual password card in the S1 uses the virtual PCI equipment, and the content specifically comprises two steps of data interaction and notification.
The invention is further improved in that the specific steps of the data interaction are as follows:
S11, when the virtual password card equipment is created, a sending queue and a receiving queue are created, a complete task is initiated by the driver and is processed by the virtual password card, and then the virtual password card returns the result to the driver;
S12, after the driver prepares the data to be transmitted, the data is delivered to a transmission queue, then a notification is sent to the virtual password card, the running state of the cloud computer is exited, the running state of the virtual password card is activated, the virtual password card takes the data out of the transmission queue and sends the data to the hardware password card for processing;
And S13, after the processing is completed, the virtual password card delivers the encrypted data into a receiving queue, then sends a notification to the driver, and at the moment, reenters the running state of the cloud computer, and the driver takes the data out of the receiving queue and returns the data to the application.
A further improvement of the present invention is that the notifying step is implemented by ioeventfd mechanism, ioeventfd associates eventfd a user mode program for a specific address based on eventfd mechanism, and monitors the eventfd for events, and when an event occurs, directly notifies the user mode program.
A further improvement of the present invention is that the data structure of the data interaction consists of three fields, namely a message number int32, a message length int32 and a message address void.
The invention is further improved in that when the message is an encrypted message, three fields of algorithm type int32, token and data string to be encrypted are required to be transmitted.
The invention further improves that the virtual password card driver in the S2 comprises a kernel mode driver and a user mode driver
The invention is further improved in that the kernel mode driver is a bridge for communicating the virtual password card device and the upper layer application, and the lower driver converts the request of the upper layer application into data which can be identified by the virtual password card device and sends the data to the virtual password card for execution; in contrast, the kernel mode driver exposes the interface to the user mode driver by means of ioctl.
The invention further improves that the interface exposed by the kernel mode driver is encapsulated into a user-friendly interface by the user mode driver, and the interface is used by upper-layer application.
The invention is further improved in that the cipher card adaptation layer comprises a core function and an expansion function, and for the core function, a unified interface is packaged; for the extended function, a negotiation protocol is defined, when the virtual password card device needs to use the extended function, the virtual password card device needs to inquire whether the adaptation layer is supported or not through the negotiation protocol, and if not, the virtual password card device needs to fall back to the supported function.
The invention has the following technical effects:
The method for sharing the host computer hardware encryption card in the cloud computer is provided, a virtual password card device is realized in the cloud computer, the encrypted and decrypted tasks are received and forwarded to the password card device on the host computer, the limitation of one-to-one binding of the cloud computer and the password card is eliminated, the utilization rate of resources is improved, the dependence on hardware virtualization acceleration technology is eliminated, the difference of various password card devices of different manufacturers is shielded, and therefore the method has the advantages of good operability, high flexibility and high efficiency.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the following drawings in which:
Fig. 1 is a flowchart of a method for sharing a host hardware encryption card in a cloud computer according to an embodiment of the present invention.
Detailed Description
Example 1
The embodiment provides a method for sharing and using host hardware encryption cards in a cloud computer, which is implemented by realizing a virtual password card device in the cloud computer, receives encryption and decryption tasks and transmits the tasks to the password card device on the host, so that the limitation of one-to-one binding of the cloud computer and the password card is eliminated, the utilization rate of resources is improved, the dependence on hardware virtualization acceleration technology is eliminated, and the difference of various password card devices of different manufacturers is shielded, so that the method has good operability, high flexibility and high efficiency.
Specifically, as shown in fig. 1, the method for sharing and using the host hardware encryption card in the cloud computer according to the embodiment includes the following specific steps:
S1, each cloud computer virtually generates a virtual password card device which is used as a bridge for communicating the cloud computer with a host;
S2, the virtual password card is used for driving, and the virtual password card is exposed to an application layer for application in the cloud computer;
And S3, the rear end of the virtual password card is communicated with the password card adaptation layer, and the password card adaptation layer finally forwards the task to hardware password card equipment for execution.
In this embodiment, the implementation manner of using the virtual PCI device by the virtual cryptographic card in S1 specifically includes two steps of data interaction and notification.
In this embodiment, the specific steps of data interaction are:
S11, when the virtual password card equipment is created, a sending queue and a receiving queue are created, a complete task is initiated by the driver and is processed by the virtual password card, and then the virtual password card returns the result to the driver;
S12, after the driver prepares the data to be transmitted, the data is delivered to a transmission queue, then a notification is sent to the virtual password card, the running state of the cloud computer is exited, the running state of the virtual password card is activated, the virtual password card takes the data out of the transmission queue and sends the data to the hardware password card for processing;
And S13, after the processing is completed, the virtual password card delivers the encrypted data into a receiving queue, then sends a notification to the driver, and at the moment, reenters the running state of the cloud computer, and the driver takes the data out of the receiving queue and returns the data to the application.
In this embodiment, the notification step is implemented by ioeventfd mechanism, ioeventfd associates eventfd a user mode program for a specific address based on eventfd mechanism, and monitors eventfd for events, and when an event occurs, directly notifies the user mode program.
In this embodiment, the data structure of the data interaction is composed of three fields, namely, a message number int32, a message length int32, and a message address void.
In this embodiment, when the message is an encrypted message, three fields of algorithm types int32, token and data string to be encrypted are required to be transferred.
In this embodiment, the virtual cryptographic card driver in S2 includes two parts, i.e., kernel mode driver and user mode driver
In this embodiment, the kernel mode driver is a bridge for communicating the virtual password card device and the upper layer application, and for the lower part, the driver converts the request of the upper layer application into data that can be identified by the virtual password card device and sends the data to the virtual password card for execution; in contrast, the kernel mode driver exposes the interface to the user mode driver by means of ioctl.
In this embodiment, the user state driver repackages the interface exposed by the kernel state driver into a user-friendly interface for use by the upper layer application.
In this embodiment, the cryptographic card adaptation layer includes a core function and an extension function, and for the core function, a unified interface is encapsulated; for the extended function, a negotiation protocol is defined, when the virtual password card device needs to use the extended function, the virtual password card device needs to inquire whether the adaptation layer is supported or not through the negotiation protocol, and if not, the virtual password card device needs to fall back to the supported function.
Claims (10)
1. A method for sharing and using host hardware encryption card in cloud computer is characterized in that: the method comprises the following specific steps:
S1, each cloud computer virtually generates a virtual password card device which is used as a bridge for communicating the cloud computer with a host;
S2, the virtual password card is used for driving, and the virtual password card is exposed to an application layer for application in the cloud computer;
And S3, the rear end of the virtual password card is communicated with the password card adaptation layer, and the password card adaptation layer finally forwards the task to hardware password card equipment for execution.
2. The method for sharing and using host hardware encryption cards in cloud computers according to claim 1, wherein the method comprises the following steps: the virtual password card in the S1 uses the implementation mode of the virtual PCI equipment, and the content specifically comprises two steps of data interaction and notification.
3. The method for sharing and using host hardware encryption card in cloud computer according to claim 2, wherein: the data interaction comprises the following specific steps:
S11, when the virtual password card equipment is created, a sending queue and a receiving queue are created, a complete task is initiated by the driver and is processed by the virtual password card, and then the virtual password card returns the result to the driver;
S12, after the driver prepares the data to be transmitted, the data is delivered to a transmission queue, then a notification is sent to the virtual password card, the running state of the cloud computer is exited, the running state of the virtual password card is activated, the virtual password card takes the data out of the transmission queue and sends the data to the hardware password card for processing;
And S13, after the processing is completed, the virtual password card delivers the encrypted data into a receiving queue, then sends a notification to the driver, and at the moment, reenters the running state of the cloud computer, and the driver takes the data out of the receiving queue and returns the data to the application.
4. A method for sharing a host hardware encryption card in a cloud computer according to claim 3, wherein: the notification step is implemented by ioeventfd mechanism, ioeventfd associates eventfd a user mode program for a specific address based on eventfd mechanism, and monitors for events on eventfd, and when an event occurs, directly notifies the user mode program.
5. The method for sharing and using host hardware encryption cards in cloud computers according to claim 4, wherein: the data structure of the data interaction consists of three fields, namely a message number int32, a message length int32 and a message address void.
6. The method for sharing a host hardware encryption card in a cloud computer according to claim 5, wherein: when the message is an encrypted message, three fields of algorithm types int32, token and data string to be encrypted are required to be transmitted.
7. The method for sharing a host hardware encryption card in a cloud computer according to claim 6, wherein: the virtual password card driver in the S2 comprises a kernel mode driver and a user mode driver.
8. The method for sharing and using host hardware encryption cards in cloud computers according to claim 7, wherein: the kernel mode driver is a bridge for communicating the virtual password card device and the upper layer application, and the lower driver converts the request of the upper layer application into data which can be identified by the virtual password card device and sends the data to the virtual password card for execution; in contrast, the kernel mode driver exposes the interface to the user mode driver by means of ioctl.
9. The method for sharing and using host hardware encryption cards in cloud computers according to claim 8, wherein: the user mode driver encapsulates the interface exposed by the kernel mode driver into a user-friendly interface for upper application.
10. The method for sharing a host hardware encryption card in a cloud computer according to claim 9, wherein: the password card adaptation layer comprises a core function and an expansion function, and a unified interface is packaged for the core function; for the extended function, a negotiation protocol is defined, when the virtual password card device needs to use the extended function, the virtual password card device needs to inquire whether the adaptation layer is supported or not through the negotiation protocol, and if not, the virtual password card device needs to fall back to the supported function.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311702852.0A CN117909998A (en) | 2023-12-12 | 2023-12-12 | Method for sharing host computer hardware encryption card in cloud computer |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311702852.0A CN117909998A (en) | 2023-12-12 | 2023-12-12 | Method for sharing host computer hardware encryption card in cloud computer |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117909998A true CN117909998A (en) | 2024-04-19 |
Family
ID=90691418
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311702852.0A Pending CN117909998A (en) | 2023-12-12 | 2023-12-12 | Method for sharing host computer hardware encryption card in cloud computer |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117909998A (en) |
-
2023
- 2023-12-12 CN CN202311702852.0A patent/CN117909998A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10762204B2 (en) | Managing containerized applications | |
| EP3074867B1 (en) | Managing containerized applications | |
| EP2375328A2 (en) | Methods and Systems for Providing Access to a Computing Environment | |
| EP3783518A1 (en) | Display method and device, and storage medium | |
| CN106127059B (en) | The realization of credible password module and method of servicing on a kind of ARM platform | |
| WO2015062339A1 (en) | Method and device for running remote application program | |
| JP2018511956A (en) | Technology to enhance data encryption using secure enclaves | |
| Keromytis et al. | The design of the OpenBSD cryptographic framework | |
| CN112035900B (en) | High-performance password card and communication method thereof | |
| US20070180228A1 (en) | Dynamic loading of hardware security modules | |
| KR100799305B1 (en) | High-Performance Cryptographic Device using Multiple Ciphercores and its Operation Method | |
| CN116418522A (en) | Cloud server crypto-engine system based on virtualization technology | |
| CN111585976B (en) | Communication method, communication apparatus, storage medium, and electronic device | |
| CN105472030A (en) | Remote mirror image method and system based on iSCSI | |
| CN117909998A (en) | Method for sharing host computer hardware encryption card in cloud computer | |
| CN112506674B (en) | System and method for communication between user mode TCP/IP protocol stack and local application in Linux system | |
| WO2024040846A1 (en) | Data processing method and apparatus, electronic device, and storage medium | |
| CN113810397B (en) | Protocol data processing method and device | |
| WO2022001842A1 (en) | Method, host and apparatus for processing data | |
| CN117083612A (en) | Handling unaligned transactions for inline encryption | |
| WO2021164167A1 (en) | Key access method, apparatus, system and device, and storage medium | |
| US7895344B2 (en) | Method and apparatus for remote management | |
| Keromytis et al. | Cryptography as an operating system service: A case study | |
| KR20130138929A (en) | Apparatus for providing security service and method of security service using the same | |
| CN215378951U (en) | Portable VPN device and remote access system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |