CN117992368A - Near storage computing system and method for data protection - Google Patents

Info

Publication number
CN117992368A
Authority
CN
China
Prior art keywords
computing
access request
storage device
memory
function
Prior art date
Legal status
Pending
Application number
CN202311416100.8A
Other languages
Chinese (zh)
Inventor
M·K·拉马纳坦
N·S·毕孔达
S·杰因
V·马拉姆
Current Assignee
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd
Priority date
Filing date
Publication date
Priority claimed from US18/157,553 (published as US20240143517A1)
Application filed by Samsung Electronics Co Ltd
Publication of CN117992368A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

Systems and methods for data protection. In some embodiments, a computing storage device includes a controller circuit, a first computing function of a first application, a second computing function of the first application, a common memory region, and persistent storage. The controller circuit may be configured to: receive a first request from a host, the first request defining a first allocated function data memory region for the first computing function; receive a first memory access request from the first computing function for a first memory location that is in the common memory region and outside the first allocated function data memory region; and reject the first memory access request.

Description

Near storage computing system and method for data protection
Cross Reference to Related Applications
The present application claims priority to and the benefit of U.S. provisional application No. 63/421,476, entitled "COMPUTATIONAL STORAGE DEVICE IDENTIFICATION AND PROCESS PROTECTION AND ISOLATION", filed on 1 November 2022, the entire contents of which are incorporated herein by reference.
Technical Field
One or more aspects in accordance with embodiments of the present disclosure relate to computing storage, and more particularly, to systems and methods for data protection.
Background
A computing storage device may include persistent storage together with processing performed near that persistent storage, and the results of such computations may be stored back in the persistent storage. In some implementations, multiple computing storage devices are connected to a single host. A computing storage device may run multiple computing functions that access, or are able to access, a common memory area.
Aspects of the present disclosure relate to this general technical environment.
Disclosure of Invention
According to an embodiment of the present disclosure, there is provided a computing storage device including: a controller circuit; a first computing function of a first application; a second computing function of the first application; a common memory area; and persistent storage, the controller circuit being configured to: receive a first request from a host, the first request defining a first allocated function data memory region for the first computing function; receive a first memory access request from the first computing function for a first memory location that is in the common memory region and outside the first allocated function data memory region; and reject the first memory access request.
In some embodiments: the first allocated function data memory region is for read operations; and the first memory access request is a read access request.
In some embodiments, the first request further defines a second allocated function data memory region, for write operations, for the first computing function.
In some embodiments, the controller circuit is configured to: receiving a second memory access request from the first computing function for a second memory location in the common memory region and outside the first allocated functional data memory region; and approving the second memory access request.
In some embodiments: the second memory access request is a write access request and the second memory location is within the second allocated functional data memory region.
In some embodiments: the first request further defines a third allocated function data memory region, for read operations, for the second computing function; and the third allocated function data memory region overlaps the second allocated function data memory region in an overlapping portion of the third allocated function data memory region.
In some embodiments, the controller circuit is further configured to: receiving a third memory access request from the first computing function for a third memory location in the overlapping portion of the third allocated functional data memory region; and approving the third memory access request, wherein the third memory access request is a write access request.
In some embodiments, the controller circuit is further configured to: receiving a fourth memory access request from the second computing function for a fourth memory location in the overlapping portion of the third allocated functional data memory region; and approving the fourth memory access request, wherein the fourth memory access request is a read access request.
In some embodiments, the controller circuit is further configured to: receiving a fifth memory access request from the second computing function for a fifth memory location in the overlapping portion of the third allocated functional data memory region; and rejecting a fifth memory access request, wherein the fifth memory access request is a write access request.
In some embodiments, the controller circuit is configured to maintain an access rights table that includes read access rights and write access rights for the first computing function.
In some embodiments, the controller circuit is further configured to receive an identification tag from the host and confirm receipt of the identification tag.
In some embodiments, the controller circuit is further configured to: comparing a subset of the plurality of bits of the logical block address of the first request with the identification tag; and determining that the subset of the plurality of bits matches the identification tag.
In some embodiments, the controller circuit is further configured to: receiving a second request from the host; comparing a subset of the plurality of bits of the logical block address of the second request with the identification tag; determining that a subset of the plurality of bits does not match the identification tag; and returning an error code to the host.
According to an embodiment of the present disclosure, there is provided a method comprising: receiving, by the computing storage device from the host, a first request defining a first allocated function data memory region for a first computing function of a first application of the computing storage device, the first application including the first computing function and a second computing function; receiving, by a controller circuit of a computing storage device, a first memory access request from a first computing function for a first memory location that is in a common memory region of the computing storage device and outside of a first allocated functional data memory region; and rejecting the first memory access request.
In some embodiments: the first allocated function data memory region is for read operations; and the first memory access request is a read access request.
In some embodiments, the first request further defines a second allocated function data memory region, for write operations, for the first computing function.
In some embodiments, the method further comprises: receiving a second memory access request from the first computing function for a second memory location in the common memory region and outside the first allocated functional data memory region; and approving the second memory access request.
In some embodiments: the second memory access request is a write access request and the second memory location is within the second allocated functional data memory region.
In some embodiments: the first request further defines a third allocated function data memory region, for read operations, for the second computing function; and the third allocated function data memory region overlaps the second allocated function data memory region in an overlapping portion of the third allocated function data memory region.
According to an embodiment of the present disclosure, there is provided a computing storage device including: means for processing; a first computing function of a first application; a second computing function of the first application; a common memory area; and a persistent storage device, the means for processing configured to: receiving a first request from a host, the first request defining a first allocated function data memory region for a first computing function; receiving a first memory access request from a first computing function for a first memory location in a common memory region and outside of a first allocated functional data memory region; and rejecting the first memory access request.
Drawings
These and other features and advantages of the present disclosure will be appreciated and understood with reference to the specification, claims and appended drawings, wherein:
FIG. 1 is a block diagram of a computing storage device according to an embodiment of the present disclosure;
FIG. 2A is a block diagram of a host application interacting with multiple computing storage devices according to an embodiment of the present disclosure;
FIG. 2B is a bit allocation diagram according to an embodiment of the present disclosure;
FIG. 2C is an operational diagram of a computing system according to an embodiment of the present disclosure;
FIG. 3A is a diagram of a common memory region and multiple computing functions according to an embodiment of the present disclosure;
FIG. 3B is an operational diagram of a computing system according to an embodiment of the present disclosure; and
Fig. 4 is a flow chart of a method according to an embodiment of the present disclosure.
Detailed Description
The detailed description set forth below in connection with the appended drawings is intended as a description of exemplary embodiments of the systems and methods for data protection provided in accordance with the present disclosure and is not intended to represent the only forms in which the present disclosure may be constructed or utilized. The description sets forth the features of the present disclosure in connection with the illustrated embodiments. However, it is to be understood that the same or equivalent functions and structures may be accomplished by different embodiments that are also intended to be encompassed within the scope of the disclosure. Like element numbers are intended to indicate like elements or features, as shown elsewhere herein.
In computing systems where a host is connected to multiple computing storage devices, incorrect or malicious code may cause a request (e.g., a read request or a write request) to be sent to the wrong computing storage device. In some embodiments, this risk is mitigated by assigning an identifier to each computing storage device at startup, transmitting the corresponding identifier to each device, and including the identifier in the logical block address of every request subsequently sent to that device (e.g., in bits of the logical block address that are unused and reserved for future use). Each computing storage device is then configured to process a request only if the identifier carried in the request matches its own identifier.
Fig. 1 is a block diagram of a computing storage device 105. Computing storage device 105 includes a controller (or controller circuit) 110, persistent storage 115, one or more computing functions 120 (or computational storage functions), and a common memory area 125. As used herein, a "computing function" is (i) circuitry that enables computing storage device 105 to perform a computation or (ii) a combination of hardware (e.g., processing circuitry) and software or firmware in computing storage device 105. As such, a computing function may be circuitry for performing computations, or general-purpose processing circuitry combined with instructions (e.g., software or firmware), the processing circuitry being configured to read the instructions from memory and execute them to perform the computations. Computing storage device 105 may include multiple computing functions (e.g., multiple circuits for performing computations, or a single processing circuit combined with multiple instruction sets). Computing functions in a computing storage device may share a memory region, referred to as a common memory region, and an erroneous access to the common memory region may cause one computing function to interfere with the memory of another computing function. Thus, in some embodiments, a registration module stores metadata that specifies which regions of the common memory area 125 each computing function 120 is allowed to read from and which regions it is allowed to write to. Any attempt by a computing function to perform a read or write that is not permitted may then be blocked by a memory management module, which may be implemented as a firmware module running on the controller 110.
FIG. 2A illustrates a host application interacting with multiple computing storage devices 105. Due in part to the complexity of host applications that use computing storage devices 105, the risk of errors in the code of such applications can be significant. For example, such an error may cause a request involving a particular logical block address (LBA) to be sent to the wrong computing storage device 105 (in FIG. 2A, this is shown as an incorrect query, the "false LBA query", being sent to CSD3 instead of the correct query, the "expected LBA query", being sent to CSD2).
FIG. 2B is a bit allocation map of a 64-bit logical block address. The logical block address is an 8-byte value used to address the device's storage. An operating system (e.g., the host operating system) may use at most the lower 48 bits (the 48 least significant bits) of this eight-byte address; the upper (most significant) 16 bits may be unused (e.g., reserved for future use) and, in some embodiments, may be encoded for other purposes. For example, to help ensure that a host application accesses only the correct computing storage device 105, the upper portion of each logical block address may be tagged, i.e., set to a unique set of tag bits corresponding to the drive with which the logical block address is associated. The encoded logical block address may then serve as device-level authentication metadata when the request is passed to computing storage device 105. Before allowing access to the logical block address identified by the lower (least significant) 48 bits, the computing storage device 105 may verify that the tag bits of the requested logical block address match its own unique identifier and process the request only if they match. If they do not match, the computing storage device 105 may return an appropriate error code to the host.
At application start-up (or at device or host start-up), the host may initially discover all available computing storage devices 105 (e.g., using appropriate commands that will cause each device to report its presence, or as a result of each device registering with the host at start-up), and assign a unique tag to each of them. Upon restarting the application or restarting the host, the unique tag may be reassigned. A separate request may then be issued to each computing storage device 105 to let each computing storage device 105 know the unique tag assigned to it by the host. An application programming interface (application programming interface, API) (which may be referred to as a "tagging API") may be employed to generate the unique tag, and it may maintain a table of device names and corresponding unique tags.
After each computing storage device 105 has been assigned a unique tag, when an application running on the host generates any requests (e.g., read requests, write requests, or requests to perform processing in the computing storage device 105) that target logical block addresses, the application may call a tag API to obtain the unique tag corresponding to the computing storage device 105 to which the request is to be sent, and the application may include the unique tag as an argument to a function call to a driver API (or simply "driver") of the computing storage device 105. The driver API may insert a unique 16-bit tag of the destination computing storage device 105 in the upper 16 bits of the logical block address to form a modified logical block address (which may be referred to as an encoded logical block address). The request including the encoded logical block address may then be sent to the next layer of the stack of the driver API of the computing storage device 105. In some embodiments, tags may be added to calls at other points in the process. The encoded logical block address may then be verified within the computing storage device 105 against a tag associated with the computing storage device 105, and in the event of a discrepancy, the computing storage device 105 may refuse to follow the request. The driver may also check for differences at each layer of the driver stack in a similar manner.
In systems employing such encoding and verification methods, the effects of certain types of errors that might otherwise have relatively serious consequences, including, for example, data loss, may be mitigated. For example, if a programming error (or malicious content) in the driver causes a write operation to be sent to the wrong computing storage device 105, the consequences of the error may be limited to the failure of the write request (which may be reported back to the host by the affected computing storage device 105, allowing the host application to take remedial action). In the absence of the protection provided by the tagging system described herein, sending a write request to the wrong computing storage device 105 may instead cause potentially costly corruption of saved data.
Fig. 2C is a process diagram depicting the interaction of host 205 with computing storage device 105 for processing a read request. At 211, the host discovers the computing storage devices 105 and assigns each of them a unique tag, and at 212 the computing storage device 105 sends a corresponding acknowledgement to the host 205. At 213, the host 205 (e.g., an application running on the host) generates a request (e.g., a read request, a write request, or a request to perform processing in the computing storage device 105) and invokes the appropriate function of the application programming interface (API) 210, which at 214 invokes a function of the driver 220. The driver 220 then issues, at 215, the request to the computing storage device 105 (e.g., CSD x) that the driver identifies as the appropriate target for the request. At 225, computing storage device 105 determines whether the tag that is part of the logical block address matches the tag it was assigned at startup. If there is no match, computing storage device 105 sends an error code back to the host to indicate that the request has been denied; if there is a match, the computing storage device 105 decodes the logical block address (e.g., it extracts the least significant 48 bits of the 64-bit logical block address) and, at 216, retrieves the data stored at that location in persistent storage (e.g., flash memory). It may then re-encode the logical block address (e.g., re-attach the 16-bit tag to the 48-bit address) and, at 217, return an acknowledgement (including the data read from persistent storage) to the host 205.
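The tagging flow of FIG. 2B and FIG. 2C in working form, as an added example that is not code from the patent or from Samsung: a driver-side encoder that places the host-assigned 16-bit tag in the upper bits of the 64-bit logical block address, and the device-side check that refuses a request whose tag is not its own and otherwise hands back the decoded 48-bit address. The type and function names (csd_t, lba_encode, csd_check_lba, and so on), the error-code values, the reservation of tag 0 and the device capacities are assumptions made for the example.

```c
/* Added example, not code from the patent: a host-assigned 16-bit device tag
 * is carried in the upper 16 bits of a 64-bit LBA, and each computational
 * storage device (CSD) accepts a request only if the tag is its own.
 * Type and function names (csd_t, lba_encode, csd_check_lba, ...) and the
 * error-code values are assumptions for the example. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define LBA_ADDR_BITS 48
#define LBA_ADDR_MASK ((1ULL << LBA_ADDR_BITS) - 1)   /* low 48 bits: block address */

#define CSD_OK                0
#define CSD_ERR_TAG_MISMATCH (-1)   /* returned to the host: request refused */
#define CSD_ERR_RANGE        (-2)   /* decoded address beyond device capacity */
#define CSD_ERR_BAD_TAG      (-3)   /* host tried to register a reserved tag */

typedef struct {
    const char *name;
    uint16_t    tag;       /* unique tag assigned by the host at start-up */
    bool        tag_set;   /* false until the host has registered a tag */
    uint64_t    capacity;  /* addressable blocks (48-bit address space) */
} csd_t;

/* Driver side: form the encoded LBA from the destination tag and the
 * 48-bit address the application actually wants to touch. */
uint64_t lba_encode(uint16_t tag, uint64_t addr)
{
    return ((uint64_t)tag << LBA_ADDR_BITS) | (addr & LBA_ADDR_MASK);
}

uint16_t lba_tag(uint64_t lba)  { return (uint16_t)(lba >> LBA_ADDR_BITS); }
uint64_t lba_addr(uint64_t lba) { return lba & LBA_ADDR_MASK; }

/* Start-up (211/212 in FIG. 2C): the host registers a tag, the device
 * acknowledges. Tag 0 is reserved (assumption) so that a legacy, untagged
 * LBA whose upper bits are zero can never match any device. */
int csd_register_tag(csd_t *dev, uint16_t tag)
{
    if (tag == 0)
        return CSD_ERR_BAD_TAG;
    dev->tag = tag;
    dev->tag_set = true;
    return CSD_OK;
}

/* Device side (225): refuse the request unless the tag matches, then hand
 * back the decoded 48-bit address that the read or write refers to. */
int csd_check_lba(const csd_t *dev, uint64_t encoded_lba, uint64_t *addr_out)
{
    if (!dev->tag_set || lba_tag(encoded_lba) != dev->tag)
        return CSD_ERR_TAG_MISMATCH;
    uint64_t addr = lba_addr(encoded_lba);
    if (addr >= dev->capacity)
        return CSD_ERR_RANGE;
    *addr_out = addr;
    return CSD_OK;
}

/* The FIG. 2A scenario: a write meant for CSD2 is routed to CSD3 by a buggy
 * driver. Returns CSD3's verdict, which should be a refusal rather than a
 * corrupting write. */
int demo_misrouted_write(void)
{
    csd_t csd2 = { "CSD2", 0, false, 1ULL << 40 };
    csd_t csd3 = { "CSD3", 0, false, 1ULL << 40 };
    csd_register_tag(&csd2, 0x0002);
    csd_register_tag(&csd3, 0x0003);

    uint64_t lba = lba_encode(csd2.tag, 0x1000);   /* application targets CSD2 */
    uint64_t addr;
    return csd_check_lba(&csd3, lba, &addr);       /* ...but the driver picks CSD3 */
}

int main(void)
{
    int rc = demo_misrouted_write();
    printf("misrouted write on CSD3: %s (rc=%d)\n",
           rc == CSD_OK ? "ACCEPTED" : "refused", rc);
    return rc == CSD_ERR_TAG_MISMATCH ? 0 : 1;
}
```

Two points a practitioner should keep in mind. The tag is chosen by the host and travels in the clear inside the command, so the check catches a request that buggy or confused code routed to the wrong device, but it is not a secret: a driver layer that is itself compromised can set the correct tag for whichever device it targets, so this is misrouting protection rather than host authentication. Second, the scheme depends on the upper 16 bits of the logical block address being unused by the host stack; if any layer starts using those bits, they collide with the tag and every such request is refused.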
Fig. 3A shows four different computing functions (or computing storage functions) 120, labeled P1, P2, P3, and P4, respectively, interacting with a shared common memory region 125. Different portions of the common memory area 125 are respectively assigned to different computing functions 120, wherein a first portion 305 is assigned to P4, a second portion 310 is assigned to P2, a third portion 315 is assigned to P1, and a fourth portion 320 is assigned to P3. If there is no mechanism to restrict access to any one of the computing functions 120 within the common memory area 125, then any computing function 120 may perform both proper access (within the portion of the common memory area 125 allocated thereto) and improper access (not within the portion of the common memory area 125 allocated thereto). Fig. 3A shows an example of a proper access 330 (by P2 in the second portion 310 of the common memory area 125) and two improper accesses 335 (by P2 in the third portion 315 of the common memory area 125 and by P3 in the fourth portion 320 of the common memory area 125). Each portion of the common memory area 125 allocated to a respective computing function 120 may be referred to as an allocated function data memory (allocated function data memory, AFDM) area or as an allocated function data memory buffer. Improper access of one computing function 120 may interfere with the computation of another computing function 120.
An application running on host 205 may use a computing storage device by batching multiple computing-function pipelines for execution based on resource availability. A computing function 120 may have an allocated function data memory buffer associated with it in the common memory area 125; the allocated function data memory buffer may be allocated by the host application. These buffers may be used by the computing function for internal processing and storage.
In some embodiments, isolation between computing functions 120 may be provided to prevent improper access to common memory area 125. The memory page level metadata may be used as part of the system and method for providing such isolation. In such an embodiment, the host application may send the context for each compute request and its associated allocated functional data memory buffers. The access rights may also be sent as metadata with the context (a context is a payload that the host may send to the computing storage device 105 with a batch request). The batch request may be a single command that instructs the computing storage device 105 to perform certain operations on multiple data sets or to perform multiple operations on a single data set. The computing storage 105 may maintain page-specific metadata to track the read and write permissions of different computing functions 120 for different pages separately. The metadata may be maintained at different granularities.
For example, each computing storage device 105 may maintain metadata for pages in the common memory area 125, the metadata specifying: (i) Which computing function 120 has read rights to which regions of the common memory region 125 (e.g., which allocated functional data memory buffers), and (ii) which computing function 120 has write rights to which regions of the common memory region 125 (e.g., which allocated functional data memory buffers). Each computing function (or equivalently each functional slot (discussed in further detail below)) may have its own set of permissions. When an application prepares a context for a request (e.g., a request to perform a process in computing storage device 105), the host application may be aware of the access rights that will be required by computing function 120. The access rights information may then be transferred to the computing storage device 105 along with the remainder of the context for the request to the computing storage device. The access rights information for the request may be received by a registration module in computing storage device 105, and the registration module may update the rights in the metadata stored in computing storage device 105. The registration module may be firmware executed by the controller 110 of the computing storage device 105 that maintains and implements access rights that specify which computing functions 120 may access which portions of the common memory region 125 (e.g., which allocated functional data memory buffers). The registration module may implement a policy that specifies that each computing function 120 cannot access any common memory area 125 by default, such that it is allowed to access the common memory area 125 through the registration module only if the computing function 120 is explicitly authorized to access by the host-requested context.
In fig. 3B, F0, F1, F2, and F3 are computing functions that run on slots S0, S1, S2, and S3, respectively. When a running computing function 120 or kernel requests access to a region of common memory region 125, the request may be processed by registration module 350, and registration module 350 may look up metadata access bits corresponding to the function slots and the requested memory page or pages. If the access bit specifies that the requested operation should be allowed, registration module 350 may process the request; otherwise, the request may be blocked and kernel execution may be aborted. Such a process may ensure that the computing function 120 is not allowed to access memory regions that are not within its access range. In some embodiments, the protection provided may be against programming errors and against malicious code. In some embodiments, a slot may store an application that includes several computing functions; in such an embodiment, the above-described process may prevent interference between any two computing functions, whether or not they are all included in the same application.
For example, FIG. 3B shows one row of an access rights table that stores the metadata. The row gives the access rights of each of the n computing function slots S0, S1, S2, S3, ..., Sn for one page of the common memory area 125. This information may be stored in the table using two bits per computing function 120 (one bit for read rights and one bit for write rights). The illustrated row reads "R(1)/W(1)" for S0, meaning that computing function slot S0 has both read and write access to the page corresponding to that row. Similarly, the row shows that S1 has write rights but no read rights to the page, S2 has read rights but no write rights, and S3 has neither. FIG. 3B also shows examples of read and write requests by computing functions 120 and how they are handled. The computing function running in slot S0 submits a read request, which is authorized (because slot S0 has read rights to the page according to the row shown in the page access table). Based on the same row, the read request from the computing function in slot S1, the write request from the computing function in slot S2, and the read/write (R/W) request from the computing function in slot S3 are all denied. Any page of the common memory area 125 to which a first computing function 120 has write access and a second computing function 120 has read access may be used for data transfer between the two computing functions 120; for example, the first computing function 120 may store the result of a first operation in such a page, and the second computing function 120 may then use that result as input to a subsequent operation.
In operation, the host application may send a batch request with access information at 311; registration module 350 may update the page metadata at 312; registration module 350 may confirm to the higher level firmware module that the page metadata has been updated at 313; and may perform a computing function at 314.
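The page-level rights table of FIG. 3B and the registration-module check described above, together with the overlapping read/write regions of the summary (a second function's read region overlapping the first function's write region, so that the first may write and the second may only read the shared pages), as an added example that is not the patent's firmware or Samsung code: a default-deny table with two bits per slot per page, a grant routine that the registration module would call from the host's context, a check routine that a running kernel's accesses go through, and the FIG. 3B row reproduced. The names (reg_table_t, afdm_t, reg_grant, reg_check and so on), the 4 KiB page size, the 64-page region and the four slots are assumptions.

```c
/* Added example, not the patent's firmware: a page-granular access-rights
 * table for the common memory region, two bits (R, W) per computing-function
 * slot per page, filled in by a "registration module" from the host's
 * context and consulted on every access. Names (reg_table_t, afdm_t,
 * reg_grant, reg_check, ...) and the region/page sizes are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)          /* 4 KiB pages (assumed) */
#define NUM_PAGES  64                          /* 256 KiB common memory region */
#define NUM_SLOTS  4                           /* function slots S0..S3 */
#define REGION_END ((uint64_t)NUM_PAGES * PAGE_SIZE)

#define ACC_R 0x1
#define ACC_W 0x2

typedef struct {
    uint8_t bits[NUM_PAGES][NUM_SLOTS];        /* only ACC_R | ACC_W used */
} reg_table_t;

/* An allocated function data memory (AFDM) buffer: byte range in the region. */
typedef struct { uint32_t base; uint32_t len; } afdm_t;

/* Default deny: no slot may touch any page until the host's context says so. */
void reg_init(reg_table_t *t) { memset(t, 0, sizeof *t); }

/* Page span [first, end) covered by a byte range; false if empty or outside. */
static bool page_range(uint64_t base, uint64_t len, uint32_t *first, uint32_t *end)
{
    uint64_t stop = base + len;
    if (len == 0 || stop > REGION_END)
        return false;
    *first = (uint32_t)(base >> PAGE_SHIFT);
    *end   = (uint32_t)((stop + PAGE_SIZE - 1) >> PAGE_SHIFT);  /* exclusive */
    return true;
}

/* Registration (311/312): grant a slot R and/or W rights on every page its
 * AFDM buffer overlaps. Overlapping buffers of two slots are how one
 * function's output page becomes another function's input page. */
bool reg_grant(reg_table_t *t, int slot, afdm_t buf, uint8_t rights)
{
    uint32_t p, end;
    if (slot < 0 || slot >= NUM_SLOTS || (rights & ~(ACC_R | ACC_W)))
        return false;
    if (!page_range(buf.base, buf.len, &p, &end))
        return false;
    for (; p < end; p++)
        t->bits[p][slot] |= rights;
    return true;
}

/* Access check for the kernel running in `slot`: the request [addr, addr+len)
 * needs `want` on EVERY page it touches; one unprivileged page denies it all. */
bool reg_check(const reg_table_t *t, int slot, uint32_t addr, uint32_t len, uint8_t want)
{
    uint32_t p, end;
    if (slot < 0 || slot >= NUM_SLOTS || want == 0)
        return false;
    if (!page_range(addr, len, &p, &end))
        return false;
    for (; p < end; p++)
        if ((t->bits[p][slot] & want) != want)
            return false;
    return true;
}

/* The row shown in FIG. 3B for one page: S0 R/W, S1 W only, S2 R only,
 * S3 nothing. Returns how many of the four pictured requests are denied. */
int demo_fig3b_denials(void)
{
    reg_table_t t;
    reg_init(&t);
    afdm_t page3 = { 3 * PAGE_SIZE, PAGE_SIZE };
    reg_grant(&t, 0, page3, ACC_R | ACC_W);
    reg_grant(&t, 1, page3, ACC_W);
    reg_grant(&t, 2, page3, ACC_R);

    int denied = 0;
    denied += !reg_check(&t, 0, 3 * PAGE_SIZE, 64, ACC_R);          /* S0 read:  allowed */
    denied += !reg_check(&t, 1, 3 * PAGE_SIZE, 64, ACC_R);          /* S1 read:  denied  */
    denied += !reg_check(&t, 2, 3 * PAGE_SIZE, 64, ACC_W);          /* S2 write: denied  */
    denied += !reg_check(&t, 3, 3 * PAGE_SIZE, 64, ACC_R | ACC_W);  /* S3 R/W:   denied  */
    return denied;
}

int main(void)
{
    printf("requests denied in the FIG. 3B row: %d of 4\n", demo_fig3b_denials());
    return 0;
}
```

The granularity caveat matters in practice: rights are recorded per page, so an AFDM buffer that does not end on a page boundary gives its slot access to the rest of that last page, including any bytes of a neighbouring buffer that happen to share it. Either page-align the buffers on the host side or keep the metadata at a finer granularity, which the description leaves open.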
Fig. 4 is a flow chart of a method in some embodiments. The method includes, at 405, receiving, by a computing storage device from a host, a first request defining a first allocated function data memory region for a first computing function of the computing storage device; at 410, receiving, by a controller circuit of a computing storage device, a first memory access request from a first computing function for a first memory location in a common memory region of the computing storage device and outside of a first allocated functional data memory region; and rejecting the first memory access request at 415.
As used herein, a "portion" of an item means "at least some" of the item, and as such may mean less than all of the item or all of it. As such, a "portion" of a thing includes the whole thing as a special case, i.e., the whole thing is an example of a portion of the thing. As used herein, when a second number is "within Y" of a first number X, this means that the second number is at least X-Y and at most X+Y. As used herein, when a second number is "within Y%" of a first number, this means that the second number is at least (1-Y/100) times the first number and at most (1+Y/100) times the first number. As used herein, the term "or" should be interpreted as "and/or", such that, for example, "A or B" means any one of "A", "B", or "A and B".
The background provided in the background section of this disclosure is only included to set context and the contents of this section are not considered prior art. Any component or any combination of components described (e.g., in any system diagram included herein) may be used to perform one or more operations of any flowchart included herein. Furthermore, (i) these operations are example operations and may involve various additional steps not explicitly covered, and (ii) the temporal order of these operations may vary.
Each of the terms "processing circuitry" and "means for processing" is used herein to mean any combination of hardware, firmware, and software for processing data or digital signals. The processing circuit hardware may include, for example, an application-specific integrated circuit (ASIC), a general-purpose or special-purpose central processing unit (CPU), a digital signal processor (DSP), a graphics processing unit (GPU), and a programmable logic device such as a field-programmable gate array (FPGA). As used herein, each function is performed in processing circuitry either by hardware configured (i.e., hardwired) to perform the function or by more general-purpose hardware (such as a CPU) configured to execute instructions stored in a non-transitory storage medium. The processing circuitry may be fabricated on a single printed circuit board (PCB) or distributed over several interconnected PCBs. Processing circuitry may contain other processing circuitry; for example, processing circuitry may include two processing circuits, an FPGA and a CPU, interconnected on a PCB.
As used herein, when a method (e.g., an adjustment) or a first quantity (e.g., a first variable) is referred to as being "based on" a second quantity (e.g., a second variable), this means that the second quantity is an input to the method or affects the first quantity; e.g., the second quantity may be an input (e.g., the only input, or one of several inputs) to a function that calculates the first quantity, or the first quantity may be equal to the second quantity, or the first quantity may be the same as the second quantity (e.g., stored in the same one or more memory locations as the second quantity).
It will be understood that, although the terms "first," "second," "third," etc. may be used herein to describe various elements, components, regions, layers and/or sections, these elements, components, regions, layers and/or sections should not be limited by these terms. These terms are only used to distinguish one element, component, region, layer or section from another element, component, region, layer or section. Thus, a first element, component, region, layer or section discussed herein could be termed a second element, component, region, layer or section without departing from the spirit and scope of the present inventive concept.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the inventive concepts. As used herein, the terms "substantially," "about," and the like are used as terms of approximation and not as terms of degree, and are intended to account for the inherent deviations in measured or calculated values that would be recognized by those of ordinary skill in the art.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items. Expressions such as "at least one of," when preceding a list of elements, modify the entire list of elements and do not modify the individual elements of the list. Furthermore, when describing embodiments of the inventive concepts, the use of "may" refers to "one or more embodiments of the present disclosure." Furthermore, the term "exemplary" is intended to refer to an example or illustration. As used herein, the terms "use," "in use," and "used" may be considered synonymous with the terms "utilize," "in utilization," and "utilized," respectively.
It will be understood that when an element or layer is referred to as being "on," "connected to," "coupled to," or "adjacent to" another element or layer, it can be directly on, connected to, coupled to, or adjacent to the other element or layer, or one or more intervening elements or layers may be present. In contrast, when an element or layer is referred to as being "directly on," "directly connected to," "directly coupled to," or "immediately adjacent to" another element or layer, there are no intervening elements or layers present.
Some embodiments may include the features set forth in the following numbered statements.
1. A computing storage device, comprising:
A controller circuit;
A first computing function of a first application;
a second computing function of the first application;
A common memory area; and
a permanent storage device,
The controller circuit is configured to:
Receiving a first request from a host, the first request defining a first allocated function data memory region for the first computing function;
receiving a first memory access request from the first computing function for a first memory location in the common memory region and outside the first allocated functional data memory region; and
rejecting the first memory access request.
2. The computing storage device of statement 1, wherein:
the first allocated functional data memory region is for read operations; and
The first memory access request is a read access request.
3. The computing storage device of statement 1 or statement 2, wherein the first request further defines a second allocated functional data memory region for the first computing function for a write operation.
4. The computing storage device of statement 3, wherein the controller circuit is configured to:
Receiving a second memory access request from the first computing function for a second memory location in the common memory region and outside the first allocated functional data memory region; and
approving the second memory access request.
5. The computing storage device of statement 4, wherein:
The second memory access request is a write access request, and
The second memory location is within the second allocated functional data memory region.
6. The computing storage device of statement 5, wherein:
The first request further defining a third allocated function data memory region for a read operation for the second computing function; and
an overlapping portion of the third allocated functional data memory region overlaps the second allocated functional data memory region.
7. The computing storage device of statement 6, wherein the controller circuit is further configured to:
Receiving a third memory access request from the first computing function for a third memory location in the overlapping portion of the third allocated functional data memory region; and
approving the third memory access request,
Wherein the third memory access request is a write access request.
8. The computing storage device of statement 6 or statement 7, wherein the controller circuit is further configured to:
Receiving a fourth memory access request from the second computing function for a fourth memory location in the overlapping portion of the third allocated functional data memory region; and
approving the fourth memory access request,
Wherein the fourth memory access request is a read access request.
9. The computing storage device of any of statements 6-8, wherein the controller circuit is further configured to:
Receiving a fifth memory access request from the second computing function for a fifth memory location in the overlapping portion of the third allocated functional data memory region; and
rejecting the fifth memory access request,
Wherein the fifth memory access request is a write access request.
10. The computing storage device of any preceding statement, wherein the controller circuitry is configured to maintain an access rights table comprising read access rights and write access rights for the first computing function.
11. The computing storage device of any preceding statement, wherein the controller circuit is further configured to receive an identification tag from the host and confirm receipt of the identification tag.
12. The computing storage device of statement 11, wherein the controller circuit is further configured to:
comparing a subset of a plurality of bits of a logical block address of the first request with the identification tag; and
determining that the subset of the plurality of bits matches the identification tag.
13. The computing storage device of statement 11 or statement 12, wherein the controller circuit is further configured to:
Receiving a second request from the host;
comparing a subset of a plurality of bits of a logical block address of the second request with the identification tag;
determining that the subset of the plurality of bits does not match the identification tag; and
returning an error code to the host.
14. A method, comprising:
Receiving, by a computing storage device from a host, a first request defining a first allocated function data memory area for a first computing function of a first application of the computing storage device, the first application including the first computing function and a second computing function;
Receiving, by controller circuitry of the computing storage device, a first memory access request from the first computing function for a first memory location in a common memory region of the computing storage device and outside the first allocated functional data memory region; and
rejecting the first memory access request.
15. The method of statement 14, wherein:
the first allocated functional data memory region is for read operations; and
The first memory access request is a read access request.
16. The method of statement 14 or 15, wherein the first request further defines a second allocated functional data memory region for the first computing function for a write operation.
17. The method of statement 16, further comprising:
Receiving a second memory access request from the first computing function for a second memory location in the common memory region and outside the first allocated functional data memory region; and
approving the second memory access request.
18. The method of statement 17, wherein:
The second memory access request is a write access request, and
The second memory location is within the second allocated functional data memory region.
19. The method of statement 18, wherein:
The first request further defining a third allocated function data memory region for a read operation for the second computing function; and
an overlapping portion of the third allocated functional data memory region overlaps the second allocated functional data memory region.
20. A computing storage device, comprising:
means for processing;
A first computing function of a first application;
a second computing function of the first application;
A common memory area; and
a permanent storage device,
The means for processing is configured to:
Receiving a first request from a host, the first request defining a first allocated function data memory region for the first computing function;
Receiving a first memory access request from the first computing function for a first memory location in the common memory region and outside the first allocated functional data memory region; and
rejecting the first memory access request.
Although exemplary embodiments of systems and methods for data protection have been described and illustrated herein in detail, many modifications and variations will be apparent to those skilled in the art. Accordingly, it should be understood that systems and methods for data protection constructed in accordance with the principles of the present disclosure may be embodied in other ways than specifically described herein. The invention is also defined in the following claims and their equivalents.

Claims (20)

1. A computing storage device, comprising:
A controller circuit;
A first computing function of a first application;
A common memory area; and
a permanent storage device,
The controller circuit is configured to:
Receiving a first request from a host, the first request defining a first allocated function data memory region for the first computing function;
Receiving a first memory access request from the first computing function for a first memory location in the common memory region and outside the first allocated functional data memory region; and
rejecting the first memory access request.
2. The computing storage device of claim 1, wherein:
the first allocated functional data memory region is for read operations; and
The first memory access request is a read access request.
3. The computing storage device of claim 1, wherein the first request further defines a second allocated function data memory region for the first computing function for write operations.
4. The computing storage device of claim 3, wherein the controller circuit is configured to:
Receiving a second memory access request from the first computing function for a second memory location in the common memory region and outside the first allocated functional data memory region; and
approving the second memory access request.
5. The computing storage device of claim 4, wherein:
The second memory access request is a write access request, and
The second memory location is within the second allocated functional data memory region.
6. The computing storage device of claim 5, further comprising: a second computing function of the first application; and
Wherein:
The first request further defining a third allocated function data memory region for a read operation for the second computing function; and
an overlapping portion of the third allocated functional data memory region overlaps the second allocated functional data memory region.
7. The computing storage device of claim 6, wherein the controller circuit is further configured to:
Receiving a third memory access request from the first computing function for a third memory location in the overlapping portion of the third allocated functional data memory region; and
approving the third memory access request,
Wherein the third memory access request is a write access request.
8. The computing storage device of claim 6, wherein the controller circuit is further configured to:
Receiving a fourth memory access request from the second computing function for a fourth memory location in the overlapping portion of the third allocated functional data memory region; and
approving the fourth memory access request,
Wherein the fourth memory access request is a read access request.
9. The computing storage device of claim 6, wherein the controller circuit is further configured to:
Receiving a fifth memory access request from the second computing function for a fifth memory location in the overlapping portion of the third allocated functional data memory region; and
rejecting the fifth memory access request,
Wherein the fifth memory access request is a write access request.
10. The computing storage device of claim 1, wherein the controller circuit is configured to maintain an access rights table that includes read access rights and write access rights for the first computing function.
11. The computing storage device of claim 1, wherein the controller circuit is further configured to receive an identification tag from the host and confirm receipt of the identification tag.
12. The computing storage device of claim 11, wherein the controller circuit is further configured to:
comparing a subset of a plurality of bits of a logical block address of the first request with the identification tag; and
determining that the subset of the plurality of bits matches the identification tag.
13. The computing storage device of claim 11, wherein the controller circuit is further configured to:
Receiving a second request from the host;
comparing a subset of a plurality of bits of a logical block address of the second request with the identification tag;
determining that the subset of the plurality of bits does not match the identification tag; and
returning an error code to the host.
14. A method, comprising:
Receiving, by a computing storage device from a host, a first request defining a first allocated function data memory area for a first computing function of a first application of the computing storage device, the first application including the first computing function;
Receiving, by controller circuitry of the computing storage device, a first memory access request from the first computing function for a first memory location in a common memory region of the computing storage device and outside the first allocated functional data memory region; and
rejecting the first memory access request.
15. The method according to claim 14, wherein:
the first allocated functional data memory region is for read operations; and
The first memory access request is a read access request.
16. The method of claim 14, wherein the first request further defines a second allocated function data memory region for the first computing function for a write operation.
17. The method of claim 16, further comprising:
Receiving a second memory access request from the first computing function for a second memory location in the common memory region and outside the first allocated functional data memory region; and
approving the second memory access request.
18. The method according to claim 17, wherein:
The second memory access request is a write access request, and
The second memory location is within the second allocated functional data memory region.
19. The method of claim 18, wherein the first application further comprises a second computing function, and wherein:
The first request further defining a third allocated function data memory region for a read operation for the second computing function; and
an overlapping portion of the third allocated functional data memory region overlaps the second allocated functional data memory region.
20. A computing storage device, comprising:
means for processing;
A first computing function of a first application;
A common memory area; and
a permanent storage device,
The means for processing is configured to:
Receiving a first request from a host, the first request defining a first allocated function data memory region for the first computing function;
Receiving a first memory access request from the first computing function for a first memory location in the common memory region and outside the first allocated functional data memory region; and
rejecting the first memory access request.
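The statements and claims above describe the same controller-side policy twice: the host defines, per computing function, an allocated function data memory region for reads and one for writes inside the common memory region; the controller keeps an access-rights table, approves requests that fall inside the requesting function's region for that operation, rejects the rest, and additionally compares a subset of the bits of a request's logical block address against an identification tag. The following Python model is an added example, not code from the patent or from Samsung; the region size, the 32-bit LBA width, the placement of the tag in the top 8 bits of the LBA, the error code value and the sample regions are all assumptions made for illustration.

```python
"""Toy model of the access checks described in the statements and claims above.

Assumptions (not from the patent): a 64 KiB common memory region, 32-bit LBAs,
an 8-bit identification tag carried in the top 8 bits of the LBA, and the
sample regions used in demo().
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

COMMON_REGION_SIZE = 0x10000  # assumption: 64 KiB common memory region
LBA_WIDTH = 32                # assumption: 32-bit logical block addresses
TAG_BITS = 8                  # assumption: tag occupies the top 8 bits of the LBA
ERR_TAG_MISMATCH = 1          # assumption: error code returned on a tag mismatch

Range = Tuple[int, int]  # half-open [start, end) offsets within the common region


@dataclass
class AccessRights:
    """One row of the access-rights table: regions a function may read or write."""
    read: List[Range] = field(default_factory=list)
    write: List[Range] = field(default_factory=list)


class ControllerModel:
    """Models the controller circuit's access-rights table and request checks."""

    def __init__(self, identification_tag: int) -> None:
        self.rights: Dict[str, AccessRights] = {}
        # The host sends the tag once; the controller keeps it for later comparisons.
        self.tag = identification_tag & ((1 << TAG_BITS) - 1)

    def allocate(self, function: str, op: str, start: int, end: int) -> None:
        """Host request defining an allocated function data memory region.

        `op` is 'read' or 'write'; the region must lie inside the common region.
        """
        if op not in ("read", "write"):
            raise ValueError("op must be 'read' or 'write'")
        if not (0 <= start < end <= COMMON_REGION_SIZE):
            raise ValueError("region must lie inside the common memory region")
        row = self.rights.setdefault(function, AccessRights())
        getattr(row, op).append((start, end))

    def check(self, function: str, op: str, addr: int) -> bool:
        """Return True if the memory access request is approved, False if rejected.

        A function with no row in the table, or an address outside every region
        allocated to it for `op`, is rejected (the default-deny case of statement 1).
        """
        row = self.rights.get(function)
        if row is None:
            return False
        return any(start <= addr < end for start, end in getattr(row, op))

    def check_lba_tag(self, lba: int) -> int:
        """Compare the tag bits of an LBA with the stored tag; 0 if they match."""
        tag_in_lba = (lba >> (LBA_WIDTH - TAG_BITS)) & ((1 << TAG_BITS) - 1)
        return 0 if tag_in_lba == self.tag else ERR_TAG_MISMATCH


def demo() -> Dict[str, object]:
    """Walk through statements 1, 4-5, 7-9, 12 and 13 with constructed regions."""
    ctl = ControllerModel(identification_tag=0xA5)
    # Function f1: read region [0x0000, 0x1000), write region [0x4000, 0x6000).
    ctl.allocate("f1", "read", 0x0000, 0x1000)
    ctl.allocate("f1", "write", 0x4000, 0x6000)
    # Function f2: read region [0x5000, 0x7000); its overlap with f1's write
    # region, [0x5000, 0x6000), is the one-way channel from f1 to f2.
    ctl.allocate("f2", "read", 0x5000, 0x7000)
    return {
        "f1_read_outside": ctl.check("f1", "read", 0x2000),    # statement 1: rejected
        "f1_write_inside": ctl.check("f1", "write", 0x4800),   # statements 4-5: approved
        "f1_write_overlap": ctl.check("f1", "write", 0x5800),  # statement 7: approved
        "f2_read_overlap": ctl.check("f2", "read", 0x5800),    # statement 8: approved
        "f2_write_overlap": ctl.check("f2", "write", 0x5800),  # statement 9: rejected
        "lba_ok": ctl.check_lba_tag((0xA5 << 24) | 0x1234),    # statement 12: 0
        "lba_bad": ctl.check_lba_tag((0x5A << 24) | 0x1234),   # statement 13: error code
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The overlap case is the part worth studying: f1 may write into [0x5000, 0x6000) and f2 may read it, but f2 has no write region at all, so the same address that f2 reads successfully is rejected when f2 tries to write it. That is what makes the shared region a one-directional hand-off between two functions of the same application rather than a shared scratch area.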
CN202311416100.8A 2022-11-01 2023-10-30 Near storage computing system and method for data protection Pending CN117992368A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US63/421,476 2022-11-01
US18/157,553 US20240143517A1 (en) 2022-11-01 2023-01-20 Near storage computation system and methods for data protection
US18/157,553 2023-01-20

Publications (1)

Publication Number Publication Date
CN117992368A true CN117992368A (en) 2024-05-07

Family

ID=90891650


Country Status (1)

Country Link
CN (1) CN117992368A (en)


Legal Events

Date Code Title Description
PB01 Publication