CN117909998A - Method for sharing host computer hardware encryption card in cloud computer - Google Patents
Publication number: CN117909998A (application CN202311702852.0A)
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed).
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Abstract
The invention relates to the technical field of virtual machines, and in particular to a method for sharing a host machine's hardware cryptographic card among cloud computers. The method comprises the following steps: each cloud computer is given a virtual cryptographic card device, which acts as the bridge between the cloud computer and the host; a driver is provided for the virtual cryptographic card and exposed to the application layer inside the cloud computer; the back end of the virtual cryptographic card communicates with a cryptographic card adaptation layer, which finally forwards each task to the hardware cryptographic card device for execution.
Description
Technical Field
The invention relates to the technical field of virtual machines, and in particular to a method for sharing a host machine's hardware cryptographic card among cloud computers.
Background
Some industries have particularly high requirements for data security and require encryption and decryption of data to be performed by a dedicated hardware cryptographic card.
Performing encryption and decryption in software consumes a large amount of CPU capacity and therefore degrades the performance of the cloud computer; handing this work to a dedicated hardware cryptographic card frees the CPU and improves the cloud computer's performance.
Because of the isolation inherent in a cloud computer, the cryptographic card hardware cannot be seen from inside the cloud computer and therefore cannot be used there at all. The existing approach is device passthrough: the card is passed directly into one cloud computer so that the cloud computer sees the cryptographic card device. Passthrough binds the card to that single cloud computer and depends on hardware virtualization support.
Disclosure of Invention
The invention aims to provide a method for sharing a host's hardware cryptographic card among cloud computers. A virtual cryptographic card device is implemented in each cloud computer; it receives encryption and decryption tasks and forwards them to the cryptographic card device on the host for completion. This removes the one-to-one binding between a cloud computer and a cryptographic card, raises resource utilization, removes the dependence on hardware virtualization acceleration technology, and hides the differences between cryptographic card devices from different manufacturers.
The technical scheme of the invention is as follows:
A method for sharing a host hardware cryptographic card among cloud computers includes the following steps:
S1, each cloud computer is given a virtual cryptographic card device, which acts as the bridge between the cloud computer and the host;
S2, a driver is provided for the virtual cryptographic card and exposed to the application layer inside the cloud computer;
S3, the back end of the virtual cryptographic card communicates with the cryptographic card adaptation layer, which finally forwards the task to the hardware cryptographic card device for execution.
In a further refinement, the virtual cryptographic card in S1 is implemented as a virtual PCI device, and its operation comprises two parts: data interaction and notification.
In a further refinement, the data interaction proceeds as follows:
S11, when the virtual cryptographic card device is created, a send queue and a receive queue are created; a complete task is initiated by the driver, processed by the virtual cryptographic card, and its result is returned by the virtual cryptographic card to the driver;
S12, the driver prepares the data to be sent, places it on the send queue and notifies the virtual cryptographic card; execution leaves the cloud computer (a VM exit) and enters the virtual cryptographic card, which takes the data off the send queue and sends it to the hardware cryptographic card for processing;
S13, when processing is complete, the virtual cryptographic card places the processed (encrypted or decrypted) data on the receive queue and notifies the driver; execution re-enters the cloud computer, and the driver takes the data off the receive queue and returns it to the application.
In a further refinement, the notification step is implemented with the ioeventfd mechanism. Built on eventfd, ioeventfd binds an eventfd to a specific guest I/O address on behalf of a user-mode program; a guest write to that address signals the eventfd, and the user-mode program monitoring it is woken directly.
In a further refinement, the data structure used for data interaction consists of three fields: a message number (int32), a message length (int32) and a message address (void *).
In a further refinement, when the message is an encryption request, three further fields are carried: an algorithm type (int32), a token, and the data string to be encrypted.
In a further refinement, the virtual cryptographic card driver of S2 comprises a kernel-mode driver and a user-mode driver.
In a further refinement, the kernel-mode driver is the bridge between the virtual cryptographic card device and the upper-layer application: downward, it converts requests from the upper-layer application into data the virtual cryptographic card device can understand and sends them to the virtual cryptographic card for execution; upward, it exposes its interface to the user-mode driver by means of ioctl.
In a further refinement, the user-mode driver wraps the interface exposed by the kernel-mode driver into a user-friendly interface for use by upper-layer applications.
In a further refinement, the cryptographic card adaptation layer comprises core functions and extended functions. For the core functions a unified interface is provided. For the extended functions a negotiation protocol is defined: when the virtual cryptographic card device needs an extended function, it must first ask the adaptation layer through the negotiation protocol whether that function is supported, and if it is not, the virtual cryptographic card device must fall back to a supported function.
The invention has the following technical effects:
A method for sharing a host's hardware cryptographic card among cloud computers is provided. A virtual cryptographic card device is implemented in the cloud computer; it receives encryption and decryption tasks and forwards them to the cryptographic card device on the host. This removes the one-to-one binding between a cloud computer and a cryptographic card, raises resource utilization, removes the dependence on hardware virtualization acceleration technology and hides the differences between cryptographic card devices from different manufacturers, so the method offers good operability, high flexibility and high efficiency.
Drawings
Other features, objects and advantages of the present invention will become more apparent on reading the following detailed description of non-limiting embodiments, made with reference to the drawings, in which:
Fig. 1 is a flowchart of a method for sharing a host hardware cryptographic card among cloud computers according to an embodiment of the present invention.
Detailed Description
Example 1
This embodiment provides a method for sharing a host's hardware cryptographic card among cloud computers. A virtual cryptographic card device is implemented in the cloud computer; it receives encryption and decryption tasks and forwards them to the cryptographic card device on the host. This removes the one-to-one binding between a cloud computer and a cryptographic card, raises resource utilization, removes the dependence on hardware virtualization acceleration technology and hides the differences between cryptographic card devices from different manufacturers, so the method offers good operability, high flexibility and high efficiency.
Specifically, as shown in Fig. 1, the method of this embodiment for sharing a host hardware cryptographic card among cloud computers includes the following steps:
S1, each cloud computer is given a virtual cryptographic card device, which acts as the bridge between the cloud computer and the host;
S2, a driver is provided for the virtual cryptographic card and exposed to the application layer inside the cloud computer;
S3, the back end of the virtual cryptographic card communicates with the cryptographic card adaptation layer, which finally forwards the task to the hardware cryptographic card device for execution.
In this embodiment, the virtual cryptographic card in S1 is implemented as a virtual PCI device, and its operation comprises two parts: data interaction and notification.
In this embodiment, the data interaction proceeds as follows:
S11, when the virtual cryptographic card device is created, a send queue and a receive queue are created; a complete task is initiated by the driver, processed by the virtual cryptographic card, and its result is returned by the virtual cryptographic card to the driver;
S12, the driver prepares the data to be sent, places it on the send queue and notifies the virtual cryptographic card; execution leaves the cloud computer (a VM exit) and enters the virtual cryptographic card, which takes the data off the send queue and sends it to the hardware cryptographic card for processing;
S13, when processing is complete, the virtual cryptographic card places the processed (encrypted or decrypted) data on the receive queue and notifies the driver; execution re-enters the cloud computer, and the driver takes the data off the receive queue and returns it to the application.
In this embodiment, the notification step is implemented with the ioeventfd mechanism. Built on eventfd, ioeventfd binds an eventfd to a specific guest I/O address on behalf of a user-mode program; a guest write to that address signals the eventfd, and the user-mode program monitoring it is woken directly.
In this embodiment, the data structure used for data interaction consists of three fields: a message number (int32), a message length (int32) and a message address (void *).
In this embodiment, when the message is an encryption request, three further fields are carried: an algorithm type (int32), a token, and the data string to be encrypted.
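The S11 to S13 exchange and the message layout described above, as an added example in C that is not part of the patent: a userspace model of the guest driver and the virtual cryptographic card backend sharing a send queue, a receive queue and a data region. The queue depth, the size of the shared region, the status codes, the algorithm id, the session token and the stand-in card transform are assumptions, and the "message address" is carried as an offset the backend can bounds-check rather than a raw pointer. The point a practitioner will want is on the host side: every field of the header and payload comes from the guest, so the backend validates length, bounds, token and algorithm before it reads or transforms anything. The ioeventfd kick is modelled as a counter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SHARED_SIZE   4096   /* assumed size of the region both sides can see */
#define QUEUE_DEPTH   8      /* assumed queue depth */
#define VCC_TOKEN_LEN 16
enum { VCC_MSG_ENCRYPT = 1, VCC_MSG_DONE = 2, VCC_MSG_ERROR = 3 };
enum { VCC_ALG_STANDIN = 1 };   /* assumed algorithm id understood by the stand-in card */
enum { VCC_OK = 0, VCC_EBADLEN = -1, VCC_EBOUNDS = -2, VCC_ETOKEN = -3,
       VCC_EALG = -4, VCC_EEMPTY = -5, VCC_EFULL = -6 };

/* Header: the patent's three fields. The "message address" is carried as an offset into
 * the shared region rather than a raw pointer, so the backend can bounds-check it. */
struct vcc_msg { int32_t msg_id; int32_t msg_len; uint32_t msg_off; };
/* Encryption request: algorithm type and token, followed by msg_len - 20 bytes of data. */
struct vcc_encrypt_req { int32_t alg_type; uint8_t token[VCC_TOKEN_LEN]; };
struct vcc_queue { struct vcc_msg slot[QUEUE_DEPTH]; unsigned head, tail; };
struct vcc_device {
    uint8_t shared[SHARED_SIZE];
    struct vcc_queue txq, rxq;              /* the send queue and receive queue of S11 */
    unsigned kicks;                         /* models ioeventfd notifications received */
    uint8_t session_token[VCC_TOKEN_LEN];   /* issued to the driver at open, checked per request */
};

static bool q_push(struct vcc_queue *q, const struct vcc_msg *m) {
    if (q->tail - q->head == QUEUE_DEPTH) return false;
    q->slot[q->tail++ % QUEUE_DEPTH] = *m; return true;
}
static bool q_pop(struct vcc_queue *q, struct vcc_msg *m) {
    if (q->tail == q->head) return false;
    *m = q->slot[q->head++ % QUEUE_DEPTH]; return true;
}
/* Constant-time token compare: a wrong token must not be recoverable byte by byte by timing. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    volatile uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d == 0;
}
/* Stand-in for the hardware card: a self-inverse XOR so the path runs offline. Not encryption. */
void card_transform(uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) p[i] ^= (uint8_t)(0x5A + i);
}

/* S12, guest side: write the request into shared memory, queue its header, kick the device. */
int driver_submit_encrypt(struct vcc_device *dev, uint32_t off, int32_t alg,
                          const uint8_t *token, const uint8_t *data, size_t n) {
    struct vcc_encrypt_req req = { .alg_type = alg };
    memcpy(req.token, token, VCC_TOKEN_LEN);
    if ((size_t)off + sizeof req + n > SHARED_SIZE) return VCC_EBOUNDS;
    memcpy(dev->shared + off, &req, sizeof req);
    memcpy(dev->shared + off + sizeof req, data, n);
    struct vcc_msg m = { VCC_MSG_ENCRYPT, (int32_t)(sizeof req + n), off };
    if (!q_push(&dev->txq, &m)) return VCC_EFULL;
    dev->kicks++;                           /* the register write that ioeventfd turns into a wakeup */
    return VCC_OK;
}

/* S12/S13, host side. Every header and payload field came from the guest and is untrusted:
 * check length, bounds, token and algorithm before touching the data, then queue a reply
 * (on error the status travels in msg_len with msg_id = VCC_MSG_ERROR). */
int backend_process_one(struct vcc_device *dev) {
    struct vcc_msg m;
    if (!q_pop(&dev->txq, &m)) return VCC_EEMPTY;
    int rc = VCC_OK;
    if (m.msg_id != VCC_MSG_ENCRYPT || m.msg_len < (int32_t)sizeof(struct vcc_encrypt_req))
        rc = VCC_EBADLEN;
    else if ((uint64_t)m.msg_off + (uint64_t)m.msg_len > SHARED_SIZE)
        rc = VCC_EBOUNDS;
    else {
        struct vcc_encrypt_req req;
        memcpy(&req, dev->shared + m.msg_off, sizeof req);
        if (!ct_equal(req.token, dev->session_token, VCC_TOKEN_LEN)) rc = VCC_ETOKEN;
        else if (req.alg_type != VCC_ALG_STANDIN) rc = VCC_EALG;
        else card_transform(dev->shared + m.msg_off + sizeof req, (size_t)m.msg_len - sizeof req);
    }
    struct vcc_msg reply = { rc == VCC_OK ? VCC_MSG_DONE : VCC_MSG_ERROR, rc == VCC_OK ? m.msg_len : rc, m.msg_off };
    q_push(&dev->rxq, &reply);
    return rc;
}

/* S13, guest side: take the reply off the receive queue; returns result bytes or a negative VCC_* status. */
int driver_collect(struct vcc_device *dev, uint8_t *out, size_t cap) {
    struct vcc_msg m;
    if (!q_pop(&dev->rxq, &m)) return VCC_EEMPTY;
    if (m.msg_id != VCC_MSG_DONE) return m.msg_len;
    size_t n = (size_t)m.msg_len - sizeof(struct vcc_encrypt_req);
    if (n > cap) return VCC_EBADLEN;
    memcpy(out, dev->shared + m.msg_off + sizeof(struct vcc_encrypt_req), n);
    return (int)n;
}

static const uint8_t kToken[VCC_TOKEN_LEN] = "session-token-1";   /* constructed */
void device_init(struct vcc_device *dev) {
    memset(dev, 0, sizeof *dev);
    memcpy(dev->session_token, kToken, VCC_TOKEN_LEN);
}

/* Full round trip: driver -> card -> driver; the self-inverse stand-in applied again restores the plaintext. */
bool demo_roundtrip(void) {
    struct vcc_device dev; device_init(&dev);
    const uint8_t msg[] = "hello hardware crypto card";   /* constructed plaintext */
    uint8_t out[64];
    if (driver_submit_encrypt(&dev, 0, VCC_ALG_STANDIN, kToken, msg, sizeof msg) != VCC_OK) return false;
    if (backend_process_one(&dev) != VCC_OK) return false;
    int n = driver_collect(&dev, out, sizeof out);
    if (n != (int)sizeof msg || memcmp(out, msg, (size_t)n) == 0) return false;
    card_transform(out, (size_t)n);
    return memcmp(out, msg, (size_t)n) == 0 && dev.kicks == 1;
}
```

In a real virtual PCI device the offset would be a guest physical address that the backend translates and range-checks before use, and the kick would be a write to the device's doorbell register; with ioeventfd that write is handled inside KVM, which signals the eventfd so the user-mode backend wakes without the VMM's main loop having to decode the I/O.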
In this embodiment, the virtual cryptographic card driver of S2 comprises two parts, a kernel-mode driver and a user-mode driver.
In this embodiment, the kernel-mode driver is the bridge between the virtual cryptographic card device and the upper-layer application: downward, it converts requests from the upper-layer application into data the virtual cryptographic card device can understand and sends them to the virtual cryptographic card for execution; upward, it exposes its interface to the user-mode driver by means of ioctl.
In this embodiment, the user-mode driver wraps the interface exposed by the kernel-mode driver into a user-friendly interface for use by upper-layer applications.
In this embodiment, the cryptographic card adaptation layer comprises core functions and extended functions. For the core functions a unified interface is provided. For the extended functions a negotiation protocol is defined: when the virtual cryptographic card device needs an extended function, it must first ask the adaptation layer through the negotiation protocol whether that function is supported, and if it is not, the virtual cryptographic card device must fall back to a supported function.
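The adaptation layer's unified core interface and the extended-function negotiation with fallback, as an added example in C that is not part of the patent. The feature bits, the two stand-in vendor backends and their transforms, the status codes and the session structure are assumptions; the patent does not specify the negotiation protocol, so this models it as a feature bitmap in the style of virtio feature negotiation. It goes beyond the text in two places a practitioner would check: a backend missing a core function is rejected outright, and an extended call made without negotiation is refused with an error code rather than reaching a NULL function pointer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Core functions: every card must provide them and they share one interface. */
#define FEAT_CORE_SYM   (1u << 0)
#define FEAT_CORE_ALL   (FEAT_CORE_SYM)
/* Extended functions: present on some cards only, usable only after negotiation. */
#define FEAT_EXT_BATCH  (1u << 8)   /* several buffers in one card call */
#define FEAT_EXT_AEAD   (1u << 9)   /* declared so a request for it can be refused; no backend below has it */

enum { ADAPT_OK = 0, ADAPT_EBACKEND = -1, ADAPT_ENOTSUP = -2, ADAPT_EINVAL = -3 };

struct buf { uint8_t *p; size_t n; };

/* One entry per vendor card behind the adaptation layer. Ops for missing features are NULL. */
struct card_backend {
    const char *vendor;
    uint32_t features;
    int (*sym_encrypt)(uint8_t *p, size_t n);
    int (*batch_encrypt)(struct buf *b, size_t k);
};

/* What one virtual cryptographic card negotiated with the layer. */
struct vcard_session { const struct card_backend *be; uint32_t negotiated; };

/* Two stand-in vendor drivers (assumed). The transforms only make the data flow visible;
 * a real card runs its own algorithms with its own keys. */
static int a_sym(uint8_t *p, size_t n) { for (size_t i = 0; i < n; i++) p[i] ^= 0x33; return ADAPT_OK; }
static int b_sym(uint8_t *p, size_t n) { for (size_t i = 0; i < n; i++) p[i] = (uint8_t)(p[i] + 1); return ADAPT_OK; }
static int b_batch(struct buf *b, size_t k) { for (size_t i = 0; i < k; i++) b_sym(b[i].p, b[i].n); return ADAPT_OK; }

const struct card_backend VENDOR_A = { "vendor-A (core only)", FEAT_CORE_SYM, a_sym, NULL };
const struct card_backend VENDOR_B = { "vendor-B (core + batch)", FEAT_CORE_SYM | FEAT_EXT_BATCH, b_sym, b_batch };

/* Negotiation: the virtual card asks for the extensions it wants; the layer grants only those the
 * backend actually has. A backend lacking a core function is rejected rather than half-exposed. */
int adapt_open(struct vcard_session *s, const struct card_backend *be, uint32_t wanted)
{
    if (!be || (be->features & FEAT_CORE_ALL) != FEAT_CORE_ALL || !be->sym_encrypt) return ADAPT_EBACKEND;
    s->be = be;
    s->negotiated = FEAT_CORE_ALL | (wanted & be->features);
    return ADAPT_OK;
}

/* Unified core interface: the same call whatever card sits underneath. */
int adapt_sym_encrypt(struct vcard_session *s, uint8_t *p, size_t n)
{
    if (!s->be || !p) return ADAPT_EINVAL;
    return s->be->sym_encrypt(p, n);
}

/* Extended interface: refused unless the bit was negotiated and the op exists, so a caller
 * that skipped negotiation gets an error code, never a call through a NULL pointer. */
int adapt_batch_encrypt(struct vcard_session *s, struct buf *b, size_t k)
{
    if (!s->be || !b) return ADAPT_EINVAL;
    if (!(s->negotiated & FEAT_EXT_BATCH) || !s->be->batch_encrypt) return ADAPT_ENOTSUP;
    return s->be->batch_encrypt(b, k);
}

/* Virtual card side: try the extension first and fall back to the core path when the layer
 * says ADAPT_ENOTSUP. *used_batch reports which path ran, so the fallback is never silent. */
int vcard_encrypt_many(struct vcard_session *s, struct buf *b, size_t k, bool *used_batch)
{
    int rc = adapt_batch_encrypt(s, b, k);
    *used_batch = (rc == ADAPT_OK);
    if (rc != ADAPT_ENOTSUP) return rc;
    for (size_t i = 0; i < k; i++)
        if ((rc = adapt_sym_encrypt(s, b[i].p, b[i].n)) != ADAPT_OK) return rc;
    return ADAPT_OK;
}

/* Demo: the same two constructed buffers through one card. Copies the results out and
 * returns 1 if the batch extension ran, 0 if the per-buffer fallback ran, -1 on error. */
int demo_run(const struct card_backend *be, uint8_t out0[4], uint8_t out1[2])
{
    uint8_t d0[4] = { 0x10, 0x20, 0x30, 0x40 }, d1[2] = { 0xFF, 0x00 };   /* constructed input */
    struct buf b[2] = { { d0, sizeof d0 }, { d1, sizeof d1 } };
    struct vcard_session s;
    bool used_batch = false;
    if (adapt_open(&s, be, FEAT_EXT_BATCH | FEAT_EXT_AEAD) != ADAPT_OK) return -1;
    if (vcard_encrypt_many(&s, b, 2, &used_batch) != ADAPT_OK) return -1;
    memcpy(out0, d0, 4); memcpy(out1, d1, 2);
    return used_batch ? 1 : 0;
}
```

The fallback here is semantics-preserving (batch versus one call per buffer). A fallback that changes security properties, for example from an authenticated mode to a plain one, should not be taken automatically; the negotiated bitmap is what lets the virtual card tell the two cases apart before it issues the request.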
Claims (10)
1. A method for sharing a host hardware cryptographic card among cloud computers, characterized in that the method comprises the following steps:
S1, each cloud computer is given a virtual cryptographic card device, which acts as the bridge between the cloud computer and the host;
S2, a driver is provided for the virtual cryptographic card and exposed to the application layer inside the cloud computer;
S3, the back end of the virtual cryptographic card communicates with the cryptographic card adaptation layer, which finally forwards the task to the hardware cryptographic card device for execution.
2. The method for sharing a host hardware cryptographic card among cloud computers according to claim 1, characterized in that: the virtual cryptographic card in S1 is implemented as a virtual PCI device, and its operation comprises two parts, data interaction and notification.
3. The method for sharing a host hardware cryptographic card among cloud computers according to claim 2, characterized in that the data interaction comprises the following steps:
S11, when the virtual cryptographic card device is created, a send queue and a receive queue are created; a complete task is initiated by the driver, processed by the virtual cryptographic card, and its result is returned by the virtual cryptographic card to the driver;
S12, the driver prepares the data to be sent, places it on the send queue and notifies the virtual cryptographic card; execution leaves the cloud computer and enters the virtual cryptographic card, which takes the data off the send queue and sends it to the hardware cryptographic card for processing;
S13, when processing is complete, the virtual cryptographic card places the processed data on the receive queue and notifies the driver; execution re-enters the cloud computer, and the driver takes the data off the receive queue and returns it to the application.
4. The method for sharing a host hardware cryptographic card among cloud computers according to claim 3, characterized in that: the notification step is implemented with the ioeventfd mechanism; built on eventfd, ioeventfd binds an eventfd to a specific guest I/O address on behalf of a user-mode program, which monitors the eventfd for events and is notified directly when one occurs.
5. The method for sharing a host hardware cryptographic card among cloud computers according to claim 4, characterized in that: the data structure used for data interaction consists of three fields, a message number (int32), a message length (int32) and a message address (void *).
6. The method for sharing a host hardware cryptographic card among cloud computers according to claim 5, characterized in that: when the message is an encryption request, three further fields are carried, an algorithm type (int32), a token, and the data string to be encrypted.
7. The method for sharing a host hardware cryptographic card among cloud computers according to claim 6, characterized in that: the virtual cryptographic card driver of S2 comprises a kernel-mode driver and a user-mode driver.
8. The method for sharing a host hardware cryptographic card among cloud computers according to claim 7, characterized in that: the kernel-mode driver is the bridge between the virtual cryptographic card device and the upper-layer application; downward, it converts requests from the upper-layer application into data the virtual cryptographic card device can understand and sends them to the virtual cryptographic card for execution; upward, it exposes its interface to the user-mode driver by means of ioctl.
9. The method for sharing a host hardware cryptographic card among cloud computers according to claim 8, characterized in that: the user-mode driver wraps the interface exposed by the kernel-mode driver into a user-friendly interface for upper-layer applications.
10. The method for sharing a host hardware cryptographic card among cloud computers according to claim 9, characterized in that: the cryptographic card adaptation layer comprises core functions and extended functions; for the core functions a unified interface is provided; for the extended functions a negotiation protocol is defined, and when the virtual cryptographic card device needs an extended function it first asks the adaptation layer through the negotiation protocol whether that function is supported, falling back to a supported function if it is not.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311702852.0A CN117909998A (en) | 2023-12-12 | 2023-12-12 | Method for sharing host computer hardware encryption card in cloud computer |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117909998A true CN117909998A (en) | 2024-04-19 |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118245233A | 2024-05-28 | 2024-06-25 | Shandong Sansec Information Technology Co., Ltd. (山东三未信安信息科技有限公司) | Cloud cryptographic card computing-power control system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||