JP2005167870A - Method and apparatus for processing data - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To improve a processing efficiency by performing parallel processing of a plurality of processings in an apparatus for processing data in an engine part according to a plurality of processing instructions generated from a main system. <P>SOLUTION: In the apparatus for processing the data, a data processing unit 240 includes function units 242a, 242b, and 244, 246 which operate independently according to the processing instruction. A central operation control processing unit 110 divides data to be processed into a predetermined size by a primary driver 130. A secondary driver 140 decides a transfer sequence of the divided data based on a predetermined reference, and sequentially transfers information of the divided data and processing content corresponding to the divided data according to the decided transfer sequence. An instruction controller 266 controls selectors 250, 252 to input the divided data to the respective function units 242a, 242b, 244, and 246 for processing corresponding to the divided data and to input the processed data from the function units 242a, 242b, 244, and 246 to the instruction controller 266. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a data processing method and a data processing apparatus that perform predetermined processing on processing target data transferred from a main system and transfer processed data to the main system in an engine unit configured by hardware. For example, the present invention relates to a technique for performing security processing such as encryption processing, decryption processing, or authentication processing in a communication protocol and checksum processing in a communication protocol layer.

  In recent years, in the field of computers and communication technology, there is an information concealment technology (security technology / security technology) that obtains distributed data content by encrypting data and distributing the data and decrypting the distributed data. Are known. For example, in data communication using a network, data authentication for protection against data tampering, encryption and decryption (collectively referred to as concealment or confidentiality) and data tampering to ensure data confidentiality and integrity. Technology is used, and transmission data is encrypted and transmitted, and reception data is decrypted to obtain reception contents.

  In addition, an authentication technique for performing authentication (integrity guarantee) for confirming the identity of the data in the encrypted payload part and other parts is also known in combination with this secret technique. In addition, depending on the communication protocol, checksum calculation processing is performed to confirm the identity of data including headers (Headers) that include information such as destination and what data is added to the protocol layer hierarchy. May be performed.

  Hereinafter, the authentication process for ensuring the integrity and the checksum process for checking the identity of the header and the data are collectively referred to as an identity confirmation process. Further, the secret technology (security technology) and the identity confirmation technology are collectively referred to as information security technology. Note that both security technology (encryption security technology) such as encryption, decryption, or authentication and information security technology (broad security technology) including checksum processing for confirming the identity of the header and data are data tampering. This is common in that it is a corresponding process.

  Here, in this type of information security technology, conventionally, confidential processing such as encryption processing and decryption processing, authentication processing such as creation and deletion of an authentication code, and checksum processing for confirming the identity of the header and data are performed by software. The mechanism to do in was adopted. Although the mechanism performed by this software can flexibly cope with parallel processing and continuous processing, the processing time becomes longer as the processing becomes complicated, so that a reduction in processing speed becomes a problem.

  As a technique for improving this problem, as proposed in, for example, Patent Documents 1 to 3, security processing (confidential processing and authentication processing) is performed by a hardware processing circuit, and the accelerator system is designed to increase speed. A mechanism is considered. Even if the processing is complicated, this accelerator system can prevent a reduction in processing speed and can obtain a high throughput.

Japanese Patent Laid-Open No. 10-320191 Japanese translation of PCT publication No. 2003-512649 US Published Patent Publication 2002 / 0073324A1

  Here, in the accelerator system, when parallel processing of block encryption / authentication is performed on one piece of data, the data is transferred in parallel to the encryption processing unit and the authentication processing unit for processing. In addition, when performing block cipher / authentication continuous processing on one piece of data, the data is first processed by the encryption processing unit and then transferred to the authentication processing unit.

  As a network protocol, for example, IPSec (Internet Protocol Security), SSL (Secure Sockets Layer) or TLS (Transport Layer Security) improved based on SSL (hereinafter also referred to as SSL / TLS), or TCP (Transmission Control) Protocol) and UDP (User Datagram Protocol) (hereinafter collectively referred to as TCP / UDP), IPv4 (Internet Protocol Version 4), IPv6 (Internet Protocol Version 6), and the like.

  On the other hand, there is a concept of handling a series of processes by considering them in a hierarchical structure. For example, in the network protocol, the concept of the hierarchical structure of the protocol is introduced like a basic reference model of OSI (Open Systems Interconnection) and a communication protocol model corresponding thereto. Note that a plurality of processing layers may be included in one protocol layer in the OSI basic reference model or the communication protocol model.

  In the case of executing a series of processes by sequentially performing a predetermined process independently for each processing hierarchy, for example, the flow of data at the time of communication processing is transmitted. From the upper protocol layer to the lower protocol layer, the receiving side flows from the lower protocol layer to the upper protocol layer. Further, in each protocol layer on the transmission side, data necessary for communication control is added as a header, and on the reception side, communication is performed by sequentially interpreting the header. Depending on the application, a plurality of pieces of processing target data may be processed in parallel.

  When executing a part of a series of processes represented by the processing hierarchy model using an accelerator configured with a single device, the processing target data stored in the main memory (main memory) is stored in the accelerator system. The processing is transferred from the main system side including the CPU for controlling the entire apparatus and the main memory for storing data to the accelerator system, and when the processing is completed in the accelerator system, the processed data is transferred (returned) to the main system side. ). When a plurality of processing requests are generated from the application almost at the same time, the plurality of processing requests and the corresponding processing target data are passed to the accelerator system.

  Here, if a single accelerator receives a plurality of processing requests almost at the same time, the other processing is kept waiting while processing one data. If the data size during processing is large, the waiting time for other processing also increases. As a result, there is a problem in that data that is originally intended to be transmitted without a gap is longer if the data size of other processes is large, the process takes time, and there is a gap in the data transmission / reception. .

  FIG. 19 is a diagram for explaining this problem in the prior art. In FIG. 19, although the processing requests are issued almost simultaneously, the processing requests arrive at the accelerator driver in the order of checksum calculation → decryption → encryption → authentication processing. For this reason, when the accelerator driver processes the processing requests in the order of arrival, the data processing for the processing request that arrives later cannot be executed until the data processing for the processing request that has arrived earlier is completed, and it will wait for a long time. Become.

  For example, the decryption, encryption, and authentication processes are kept waiting until the checksum calculation is completed. If decryption is performed thereafter, the encryption and authentication processes are kept waiting until the decryption process is completed. As a result, transmission fluctuations occur during communication. This is a problem in a communication system that must transmit and receive stream data in real time, for example.

  The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a technique capable of performing efficient processing with an accelerator even when a plurality of processing requests are generated almost simultaneously.

  A data processing method according to the present invention is a data processing method for transferring processing target data to an engine unit configured by hardware from a main system, performing predetermined processing, and transferring processed data to the main system, For a plurality of processes with different processing contents handled by the engine unit, first, the processing target data to be processed in each of the plurality of processes is divided into a predetermined size and divided based on a predetermined criterion regarding the processing contents. In addition, the transfer order of each divided data to the engine unit is determined. Then, according to the determined transfer order, each divided data is sequentially transferred to the engine unit, and the engine unit sequentially executes processing according to the processing content of the divided data transferred from the main system, and the processed data is transferred to the main unit. We decided to transfer it to the system. In this way, a series of processes consisting of a plurality of processes is completed.

  A data processing apparatus according to the present invention is a suitable apparatus for carrying out the data processing method according to the present invention, and processing target data to be processed in each of a plurality of processes is stored in the main system. A processing procedure control unit that divides the data into a predetermined size and determines the transfer order of the divided data to the engine unit based on a predetermined standard is provided.

  When the divided data is actually transferred to the engine unit in the transfer order determined by the processing procedure control unit, the main system side may become the master, or the engine unit becomes the master as in DMA transfer. Also good. In addition, a first-in first-out method using a descriptor queue may be used.

  The invention described in the dependent claims defines further advantageous specific examples of the data processing method and the data processing apparatus according to the present invention.

  For example, it is preferable to determine a predetermined standard or division size related to the processing contents according to the application applied by the main system. In this way, the processing characteristics can be controlled so as to suit the application.

  In addition, the engine unit has, as different processing contents, a security processing unit that performs security processing such as encryption processing, decryption processing, or authentication processing in a communication protocol, or a checksum processing unit that performs checksum processing. It is preferable to have a hardware circuit.

  Of course, in the case of performing cooperative processing between the main system and the engine unit, any system configuration in which a part of a plurality of independent processes is performed by an engine unit configured by hardware may be used. The processing content is not limited to the processing related to the communication protocol.

  The processing procedure control unit on the main system side can be realized by software using an electronic computer (computer), and a program for this purpose and a recording medium storing this program can be extracted as an invention. is there. The program may be provided by being stored in a computer-readable storage medium, or may be distributed via wired or wireless communication means.

  According to the present invention, when a plurality of processing requests are generated almost simultaneously, the processing target data to be processed in each of the plurality of processing is divided by a predetermined size, and in a transfer order according to a predetermined standard. The divided data is sequentially transferred to the engine unit to execute processing.

  For this reason, the engine unit can sequentially execute the required processing on the divided data corresponding to each processing request transferred sequentially, and substantially performs parallel processing on a plurality of processing requests. Can do. As a result, it is possible to process a plurality of processing requests almost simultaneously, waiting for the processing requests, reducing transmission fluctuations during communication, and guaranteeing the communication band.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

<Device configuration>
FIG. 1 is a block diagram showing a configuration of a computer apparatus including an embodiment of a data processing apparatus according to the present invention.

  As shown in the figure, the computer apparatus 1 includes a main system 100, an engine unit 200 that is a processing circuit portion configured by hardware, and a peripheral device 300.

  The main system 100 includes a central processing control processing unit 110 such as a CPU (Central Processing Unit) and an MPU (Micro Processing Unit) that perform operation control of the entire computer device 1 and other processing and control processing functions. A ROM (Read Only Memory) 122 that is an example of a storage unit and a memory unit 120 that is an example of a rewritable storage unit and includes a RAM (Random Access Memory) 124 that functions as a main memory.

  The main system 100 also includes an interface unit 150 that performs an interface function with various peripheral devices 300 and a communication network such as an intranet or the Internet, and a drive function that reads and writes data from the recording medium 400. A media IF unit 170 having an interface function and an internal bus 180 including an address bus and a data bus for connecting the units to each other are provided. Processing data and control data are exchanged between the hardware of the computer apparatus 1 through the internal bus 180.

  The ROM 122 has a program storage area in which a control program for the CPU of the central processing control processing unit 110 and the like for performing various processings is stored therein, and other items necessary for the central processing control processing unit 110 to perform various processings. Data storage area. Furthermore, the program storage area stores programs such as BIOS (Basic Input / Output System), OS (Operating Systems; basic software), and GUI (Graphical User Interface) processing. The central processing control processing unit 110 implements the functions of various units that perform various processes by executing programs in the ROM 122 while using the BIOS, OS, and GUI processing.

  The RAM 124 is a work area used as a work memory when the central processing control processing unit 110 executes various processes, and is a data storage area for storing data taken from outside, or an area for storing other processing target data. Is included.

  The peripheral device 300 includes a display unit 302 having a display device such as a CRT (Cathode Ray Tube) or an LCD (Liquid Crystal Display), a touch panel 304a for operating the computer apparatus 1 and operation keys (for example, pressing keys). An operation unit 304 such as a keyboard 304b or a mouse 304c having a formula button), a printer unit 306 for printing out processing results on a paper medium or the like, a scanner unit 308 for capturing images, and an external storage medium that is an example of a storage medium A hard disk device 310 is provided. The peripheral device 300 is connected to the internal bus 180 via IF (interface) units 151, 152, 154, 156, and 158 according to each.

  The recording medium 400 causes a change state of energy such as magnetism, light, electricity, and the like to the reading device provided in the hardware resource of the computer device 1 according to the description content of the program, and a corresponding signal In this format, the program description can be transmitted to the reader.

  For example, the program may be configured by a ROM 122, a hard disk device 174, an external hard disk device 310 (404), or the like that is provided to the user in a state of being pre-installed in the computer device 1 and stores a program. Alternatively, in addition to the computer device 1, a nonvolatile memory such as a flash memory such as a semiconductor memory card of various types such as an IC card or a miniature card that is distributed to provide a program to a user and that stores the program. Recording medium 402 using a flexible semiconductor memory, magnetic disk (including flexible disk (FD) 406), optical disk (including CD-ROM (Compact Disc-Read Only Memory), DVD (Digital Versatile Disc)) 408, optical It may be configured by a package medium (portable storage medium) such as a magnetic disk (including MD (Mini Disc)).

  With the above-described configuration, the computer apparatus 1 can realize the processing function performed by dedicated hardware in software based on the program code that realizes the function.

  The software incorporated in the computer apparatus 1 includes those similar to those in various conventional apparatuses such as a copy application, a printer application, a facsimile (FAX) application, or a processing program for other applications. In addition, an access control process or an authentication process for the device to process an image read by the scanner unit 308 or to transmit / receive data to / from the outside via the network IF unit 158 in response to a request for accessing a Web site. A program for is also included.

  For example, a program suitable for realizing a functional part that controls a hardware processing circuit for performing data processing according to the present invention by software using an electronic computer (computer) or a computer-readable computer storing this program New storage media can also be extracted as an invention. By adopting a mechanism that is executed by software, it is possible to enjoy the advantage that the processing procedure and the like can be easily changed without changing hardware.

  When a series of processing is executed by software, a program constituting the software is a computer (such as an embedded microcomputer) incorporated in dedicated hardware, or a CPU, MPU, logic circuit, storage device, etc. System on a chip (SOC) that implements a desired system by mounting functions on a single chip, or general-purpose personal that can execute various functions by installing various programs It is installed from the recording medium 400 into a computer or the like. Alternatively, a program constituting the software may be provided via the network IF unit 158 and a communication network such as wired or wireless.

  For example, a storage medium 400 in which a program code of software that realizes a function of performing an access control process and an authentication process for a Web server is supplied to the computer apparatus 1 and the computer (or CPU or MPU) is stored in the storage medium. Even when the program code is read out and executed, the same effect as that achieved by hardware can be achieved.

  Note that the program code itself read from the recording medium 400 may realize the functions of the access control process and the authentication process, or the OS running on the computer based on the instruction of the program code may actually perform the process. A part or all of the above may be performed. Further, the program files are not limited to be provided as a batch program file, and may be provided as individual program modules according to the hardware configuration of a system configured by a computer.

  Here, in the computer apparatus 1 according to the present embodiment, the engine is used as a processing circuit for performing a part of these functional parts by hardware, rather than performing all the processes of various control processing functions by software. Part 200 is provided. By performing the processing with hardware, the processing speed can be increased as compared with the software processing.

  Specifically, the engine unit 200 according to the present embodiment is configured to function as a crypto engine (crypto engine), and includes secret processing such as encryption processing and decryption processing, authentication processing, and checksum processing. And a control unit 260 that passes processing target data for the data processing unit 240 to the data processing unit 240 and returns the processed data to the main system 100. The data processing unit 240 and the control unit 260 have a small-capacity work memory (register) (not shown) for performing each processing. The engine unit 200 that functions as the crypto engine may be configured by a single hardware device.

  Thus, the computer apparatus 1 is configured such that the engine unit 200 is connected to the central processing control processing unit 110 having a CPU and the like, and the memory unit 120 having a ROM 122 and a RAM 124, whereby data processing according to the present invention is performed. A device 3 is configured.

  The data processing device 3 is connected to a communication network such as an intranet or the Internet via the internal bus 180 and the network IF unit 158, and transmits / receives data to / from other devices. At this time, the communication data is subjected to authentication processing using a hash function, concealment processing using a common key method or public key method, or checksum processing, for example, according to a predetermined protocol.

  In the data processing device 3, the central processing control processing unit 110 of the main system 100 is an accelerator driver 117 having a data analysis unit 113 and a processing procedure control unit 115 as functional units (configured by software) unique to the present embodiment. It has.

  The data analysis unit 113 includes a portion that performs parallel processing in the processing target data of each processing request in a plurality of processing requests handled by the data processing unit 240 such as concealment processing, authentication processing, and checksum processing. It is determined whether or not.

  The processing procedure control unit 115 includes processing procedure information indicating processing procedures of a plurality of processing requests in the data processing unit 240, and a data processing unit, on condition that the data analysis unit 113 determines that there is a part that performs parallel processing. Data storage location information indicating the storage location of the processing target data handled by 240 is stored in a predetermined storage area (data pool) of a predetermined memory in association with it.

  In addition, when the engine unit 200 waits for processing, the processing procedure control unit 115 sequentially transfers various information stored in the data pool to the engine unit 200 and activates the engine unit 200.

  The engine unit 200 configured by hardware is requested in accordance with processing procedure information and data storage location information stored in a predetermined data pool on condition that an activation instruction is received from the processing procedure control unit 115. The processing is sequentially performed, and the processed data is returned to the main system 100.

  For example, the CPU that forms the main part of the central control unit 110 sequentially displays necessary GUI screens on the display unit 302 based on a control program stored in the ROM 122 or the hard disk device 174 in advance, as well as the control program and the touch panel 304a. Based on the user input given via, a client device or a Web server (not shown) is accessed to download the content desired by the user (image to be output here), and the printer unit 306 prints it out.

  At this time, the CPU of the central processing control processing unit 110 authenticates the user by making an inquiry to the authentication server in which the user has an account, and then permits the user to use the computer device 1 and further uses the Web server. Also controls access to. As a result, the user can use the computer device 1 and access the Web server using the account.

  Next, data processing performed by the data processing device 3 according to the present invention will be described in detail.

<Configuration that realizes processing procedure control method for data processing apparatus>
2 to 4 are diagrams illustrating an example of a configuration of a system architecture for realizing a processing procedure control function for a data processing device when data processing is performed using the data processing device 3.

  When the main system 100 includes a portion that performs parallel processing in the processing target data of each processing request in a plurality of processing requests in charge of the concealment processing and authentication processing performed by the data processing device 3, the data processing device 3 Information is generated by associating processing procedure information indicating processing procedures of a plurality of processing requests with data storage location information indicating storage locations in the memory unit 120 of processing target data handled by the data processing unit.

  As a function unique to the present embodiment, when the processing request is handled in a hierarchical model and the engine unit 200 can execute a plurality of processing layers simultaneously in parallel, the main system 100 allows the engine unit 200 to efficiently perform parallel processing. A procedure for notifying the engine unit 200 of a plurality of processing requests and corresponding processing target data so as to be executed is determined, and the processing target data requested for each processing is transferred to the engine unit 200 according to this determination, and the engine unit 200 is to start.

  Here, as a mechanism for transferring the processing procedure information, the data storage location information, or the processing target data to the engine unit 200, various methods for reading out data of a required portion from the memory, as in the memory management method in the computer architecture. Can be used. In addition, when reading data, the CPU 260 functions as a memory control unit and serves as a bus master, and the control unit 260 is provided with a DMA (Direct Memory Access) controller as a memory control unit. The data transfer between the memory unit 120 and the engine unit 200 may be performed without using the central processing control processing unit 110 of the main system 100 by performing DMA transfer as a bus master. If DMA transfer is used, the CPU load can be reduced and the transfer efficiency can be increased.

  In addition, as a transfer mode in data transfer, a burst transfer mode in which a plurality of data is transferred continuously with one address designation can be saved, thereby eliminating the trouble of executing a cycle for designating addresses one by one at the time of data transfer. It is better to improve the data transfer rate. In this case, the data is stored at consecutive addresses in the RAM 124 of the memory unit 120.

  In any case, between the central processing control processing unit 110 and the engine unit 200, based on information notified to the engine unit 200, an authentication process using a hash function, a common key method or a public key method is used. A method for storing and reading data in the memory is incorporated so that the data processing unit 240 in the engine unit 200 can execute the concealment process or the checksum process performed in parallel.

  For example, in the first configuration example shown in FIG. 2, by providing the DMA controller 232 in the control unit 260, the control unit 260 becomes a bus master for the memory unit 120, and data is autonomously transmitted from the memory unit 120. The example of a structure of the form read in is shown. Here, in the first configuration example, the central processing control processing unit 110 sets processing procedure information and data storage location information in a register (a type of memory) 234 in the control unit 260. A so-called register system is used. In the processing procedure information, notification order information in a series of processing is also described.

  As shown in FIG. 2B, the register 268 includes processing procedure information and data storage location information set by the processing procedure control unit 115 of the central processing control processing unit 110 as a register (storage unit) that is a data storage area. Is stored in association with a procedure register (Descriptor Registers) 268a, a control register (Control Registers) 268b that stores a processing instruction command from the processing procedure control unit 115, and a command register that stores processing commands read in sequence from the procedure register 268a (Command Registers) 268c and data registers (Data Registers) 268d for storing processing target data (source data) fetched from the processing data storage area 125 of the RAM 124 and processed data are provided. As a form of storing and reading information, a queue structure described later is adopted.

  When the control unit 260 receives a processing start instruction from the processing procedure control unit 115 of the central processing control processing unit 110, the control unit 260 refers to the processing procedure information and the data storage location information set in the procedure register 268a. In accordance with the order, the necessary data to be processed is read from the processing data storage area 125 in the RAM 124 in the memory unit 120 and the processing is executed in order.

  In the second configuration example shown in FIG. 3, the DMA controller 232 is provided in the control unit 260, so that the control unit 260 becomes a bus master for the memory unit 120 and reads data from the memory unit 120. A configuration example is shown.

  Here, the second configuration example is characterized in the form of data storage and reading in the hardware configuration, and the memory unit 120 uses a descriptor in which processing procedure information and data storage location information are associated with each other as a queue structure. A form in which data is stored in and read from the descriptor area 127 in the RAM 124 is adopted. Since the storage order and the reading order for each processing request occurrence are associated with each other, the processing procedure information does not require description of processing order information in a series of processing.

  Upon receiving an activation instruction from the processing procedure control unit 115, the control unit 260 refers to the processing procedure information and data storage location information set in the descriptor area 127 in the memory unit 120 in a queue structure, and the memory unit 120. A necessary portion of processing target data is read from the processing data storage area 125 in the internal RAM 124 and the processing is executed in order.

  The configuration of the third example shown in FIG. 4 is an example of a configuration in which the central processing control processing unit 110 serves as a bus master for the memory unit 120 and reads processing target data from the memory unit 120 and passes it to the control unit 260. Is shown. Although the CPU load increases, the system becomes compact because no DMA controller is required. In this case as well, as shown in FIG. 4A, a register method in which each information is set in the register (storage unit) 119 in the central processing control processing unit 110, or as shown in FIG. A descriptor method in which the respective positions are set in the descriptor area 127 corresponding to the processing data storage area 125 in the RAM 124 in the memory unit 120 can be adopted. Further, a queue structure is adopted as a form of data storage and reading.

  In any case, the central processing control processing unit 110 refers to the processing content instruction (command) set in the register 119 or the descriptor area 127 and the information indicating the storage location of the processing target data. A necessary portion of data is read from the processing data storage area 125 in the RAM 124 in 120, and the processing target data is transferred to the control unit 260 together with an instruction (command) of processing contents.

  When receiving the activation instruction from the central processing control processing unit 110, the control unit 260 sequentially applies the processing target data to the processing target data (command) based on the processing target data and the processing content instruction (command) received in sequence. Execute the process.

<Descriptor>
FIG. 5 shows a storage form (command descriptor) B10 of address information of commands and processing target data to the procedure register 268a or the descriptor area 127, and processing procedure information and data storage location information as individual commands to be stored. It is the figure which showed an example. As shown in FIG. 5A, in the procedure register 268a and the descriptor area 127, for each processing request of the processing hierarchy, the command structure (Command Structure) 1,... A series of instruction structures, such as N, is stored. Depending on processing contents, processing may be executed with only one instruction structure.

  Regardless of the order of words (instruction structure), continuous addresses on the memory are used so that the burst transfer mode can be adopted so that commands for performing a series of processing can be read continuously in a single address designation. It should be the storage position.

  In order to define a command structure for data processing, within one command structure CS, encryption, decryption, or authentication method, processing contents, encryption, decryption, or authentication start and end positions Such information is written.

  As an example, FIG. 5 (B) shows a case presented using the C programming language, which is necessary for operations such as security processing as a control status command CS1 during DMA transfer. Starting address CS2 for specifying the storage address of the source data, Starting destination address CS3 for specifying the storage address of the processed data, Number of bytes to transfer CS4, and the following Information indicating a command (Ptr to next command struct) CS5 is written as a series of instructions.

  6 to 9 are diagrams illustrating the structure of the descriptor. Here, FIG. 6 shows the structure of a queue. The queue is a queue, and the queue structure is an image data structure in which data is arranged in a line for temporarily storing a plurality of data. By using the queue, a memory area for temporarily storing data can be secured, and the memory area can be automatically released by extracting the data. When retrieving data, it is possible to retrieve data based on the order in which the data is stored without using information such as an index to identify the data.

  A typical example of the queue structure is such that data is extracted in the order in which the data is stored, as shown in FIG. 6, and the data that can be extracted first is the data that was input last. Such a data structure is generally called first-in first-out (FIFO). Such a memory structure is hereinafter also referred to as a queue structure memory.

  When the queue structure memory is employed in the present embodiment, a series of processing content instructions for the processing target data in the data processing device 3 and information indicating the storage location of the processing target data are collectively incorporated in the descriptor queue. It is. Further, when the engine unit 200 can process a plurality of processing hierarchies in parallel, the processing target data of the plurality of processing hierarchies is divided by a predetermined size, and the divided individual processing target data and corresponding data Instructions for processing contents are stored in the descriptor area 127 in an order that can be notified to the engine unit 200 in a predetermined order.

  Upon receiving the activation instruction from the processing procedure control unit 115, the control unit 260 sequentially reads out the processing procedure information set in the queue structure and the data storage location information, which are instructed at that time, one by one in the engine unit 200. These processes can be performed in order.

  In order to realize the queue structure, it is sufficient that the data can be read out in the first-in first-out order regardless of the address where the data is stored. This can be realized by writing For example, as shown in FIG. 6B, the storage area of the memory may be divided and stored for each collected processing instruction, and the processing link to the downstream side may be sequentially set.

  As shown in FIG. 7, a stack structure can be adopted instead of the queue structure. Stack is a term for “mountains” such as hay and straw, and is a term used to refer to a structure in which the same kind of data is stacked. When data is handled, an area for storing data is called a stack area, and data is taken out in the reverse order of data storage. That is, contrary to the above-described FIFO, the data stored first is at the bottom, and the data is stacked one after another. When retrieving the data, the data is retrieved in order from the topmost data entered last. Such a stack structure is generally called a last-in first-out (LIFO) method. Hereinafter, such a memory structure is also referred to as a stack structure memory.

  When the stack structure memory is used, when processing is performed according to a plurality of commands in a certain processing hierarchy, the engine unit 200 does not perform processing for each individual command, but reads all commands in a certain processing hierarchy at once. It is preferable that the processing of the engine unit 200 be performed after the data is stored in the command register 268c in a stack structure. In this case, it is preferable that not only the command but also the processing target data corresponding to the command is read at a time and stored in the data register 268d of the engine unit 200 in a stack structure. By doing so, there is an advantage that the internal bus 180 can be opened quickly.

  Even when the stack structure is realized, it is only necessary to be able to read data in the last-in first-out order regardless of the address where the data is stored. By declaring the array, the operation is LIFO. It can be realized by describing the processing by.

  Here, it is preferable to adopt a queue structure or a stack structure for each of a plurality of processing requests regardless of whether or not a plurality of processing hierarchies can be processed simultaneously in parallel. Further, as a memory structure unique to the present embodiment, in the OSI or TCP / IP processing hierarchy model, a plurality of processing requests in different processing hierarchies are almost simultaneously processed regardless of whether they are the same hierarchy or different hierarchies. When the engine unit 200 responds to this, a queue structure or a stack structure is adopted for a plurality of processing requests. In any case, a queue structure is particularly preferable.

  FIG. 8 shows an example in which a descriptor B10 adopting a queue structure is configured for each processing request B00 in each processing hierarchy. Regardless of the hierarchy of the reference model, a command descriptor that associates the processing content with the data to be processed is generated for each processing request of each processing hierarchy. Then, the command descriptor queue B20 is created by sequentially storing them according to the processing hierarchy.

  FIG. 9 shows a memory structure (hereinafter also referred to as a descriptor queue) B20 when a plurality of processing requests are processed in the engine unit 200 in parallel, and the plurality of processing requests also adopt a queue structure. An example of the case is shown. In this case, the data to be processed in a plurality of processing layers to be simultaneously processed are divided by a predetermined division size, and the portions to be simultaneously processed are arranged in accordance with the processing order for each division unit. Since the amount of data is distributed equally, the number of words allocated within one division size may be different.

  For example, when the engine unit 200 performs parallel processing based on command descriptors B11, B12,... Bm of a plurality of processing layers, the command descriptors B11-1, B11-2,. ,..., Bm-1, Bm-2,..., B11-1, B12-1,..., Bm-1, B11-2, B12-2,. , Bm-2,..., And sequentially stored in the descriptor area 127, the command descriptor queue B20 may be created.

  Note that the processing hierarchy in this specification is a concept different from the OSI reference model and the TCP / IP communication protocol hierarchy. For example, as shown in FIG. 10A, when IPSec is adopted as a security protocol and TCP / IP and IPv4 are adopted as communication protocols, they are located in the same layer in the OSI reference model and the TCP / IP protocol. However, the IPSec processing request S12 and the IP header checksum processing request S14 are located in different processing layers.

  In the case where the processing of each processing layer is sequentially executed for packets that are sequentially transmitted and received, and the processing content includes what the engine unit 200 is in charge of, as shown in FIG. 10B, the encryption processing S12a In some cases, requests for the decryption process S12b, the authentication process S12c, and the checksum processes S10 and S14 are issued to the engine unit 200 almost simultaneously.

  In the case of the ESP format, the IPSec processing request may include at least one of a concealment process and an authentication process as a security process, and may be a process of both or only one of them. On the other hand, in the case of the AH format, the IPSec processing request includes at least an authentication process as a security process, and the confidential process may be performed as necessary, and the confidential process is an option.

<Configuration example of data processing device>
FIG. 11 is a block diagram showing a detailed configuration example of the data processing device 3 provided in the computer device 1 shown in FIG. Unless otherwise specified in the following description, as a form of data transfer from the main system 100 to the engine unit 200, the central processing control processing unit 110 serves as a bus master for the memory unit 120, and the memory unit It is assumed that the processing target data is read from 120 and transferred to the controller 260 (third configuration example shown in FIG. 4A).

  As shown in the figure, first, the central processing control processing unit 110 of the data processing device 3 receives a processing request from the CPU, performs data division when necessary, and transfers the data, and a primary driver 130. And a secondary driver 140 that selects which data to be processed by the engine unit 200 from among the data passed from 130 and issues a processing request to the engine unit 200.

  In the present embodiment, the memory unit 120 is connected to the internal bus 180, and based on instructions from the central processing control processing unit 110 that is also connected to the internal bus 180, hash processing, common key encryption processing, In order to execute the concealment process using the public key encryption process or the checksum process in the engine unit 200, an instruction of processing contents for the processing target data, information indicating the processing target data, and the processing target data are stored in the memory unit. The data is stored in a predetermined area in 120 RAM 124.

  Further, the engine unit 200 uses a secret processing unit (Crypto Block) 242 that performs encryption processing and decryption processing using common key encryption processing and public key encryption processing, and a one-way hash function for the data processing unit 240. The authentication processing unit (Digest Block) 244 that performs the authentication processing (integrity guarantee processing), the checksum processing unit (CheckSum Block) 246 that performs the checksum processing, and the selectors 250 and 252 are provided.

  The concealment processing unit 242 includes an encryption processing unit 242a and a decryption processing unit 242b. The encryption processing unit 242a, the decryption processing unit 242b, the authentication processing unit 244, and the checksum processing unit 246 are configured by independent individual hardware circuits. The confidential processing unit 242 and the authentication processing unit 244 constitute a security processing unit 248. Further, the authentication processing unit 244 and the checksum processing unit 246 constitute an identity confirmation processing unit 249.

  The authentication processing unit 244 uses a hash function (Hash Function) to send a message of a certain length (plain text in which character strings are arranged) to a certain length. A digest (summary; also called a hash code) composed of a fixed-length bit string compressed into a fixed-length character string (bit string) is created.

  For example, in IPSec ESP format or AH format, ICV (Integrity Check Value) is calculated in advance. ICV is an authentication value for message integrity check calculated using a keyed hash function such as HMAC-MD5-96 or HMAC-SHA-1-96, which is an example of a secret symmetric key. The original message cannot be known from the attached hash value, and the keyed hash value cannot be calculated from the message without knowing the secret symmetric key.

  Here, in the ESP format, the authentication (integrity guarantee) target range is a portion including the encryption payload from the ESP header to the ESP trailer. On the other hand, in the AH format, by adding an ICV (authentication value for integrity guarantee) in which almost the whole packet is subject to authentication (integrity guarantee), almost the entire packet including the outer IP header for transfer Is to guarantee the integrity of.

  In SSL / TLS, a message authentication code MAC (Message Authentication Code) is used as authentication data. This MAC value differs from the IPSec format authentication code ICV in terms of specifications and specific calculation methods, but basically has the same function, both of which are authentication data, and the difference between them is the application of the embodiment. In doing so, it has no effect.

  The checksum processing unit 246 verifies the identity of the target. For example, at the time of TCP / IP communication, data reliability is ensured by calculating a checksum with the header portion and the data portion as the processing target range. Further, during communication using IPv4, a header checksum included in the IP header format is calculated.

  The control unit 260 includes a bus IF unit 262 and an instruction control unit 266 that controls the overall operation of the engine unit 200. The controller 260 of the engine unit 200 serves as a bus master and performs DMA transfer, whereby data transfer is performed between the memory unit 120 and the engine unit 200 without going through the central processing control processing unit 110 of the main system 100. When the (first or second configuration example shown in FIG. 4) is employed, a DMA controller unit 264 is provided between the bus IF unit 262 and the instruction control unit 266 as indicated by a dotted line in the figure. .

  The instruction control unit 266 analyzes the processing content instruction for the processing target data, the information for instructing the processing target data, and the processing target data, and executes the request from the central processing control processing unit 110. 24, selection instructions CN2 and CN3 for any of the authentication processing unit 244 and the checksum processing unit 246 are given to the corresponding selectors 250 and 252.

  When the DMA controller unit 264 is provided, the instruction control unit 266 gives a data read instruction CN1 to the DMA controller unit 264 connected to the internal bus 180 via the bus IF unit 262. In this case, the DMA controller unit 264 performs processing content instruction (command) for the processing target data stored in the RAM 124 of the memory unit 120, information indicating the storage destination of the processing target data, and transfer of the processing target data. This is performed for the instruction control unit 266.

  The selector 250 selects one of the concealment processing unit (CryptoD Block) 242, the hash processing unit (Digest Block) 244, and the checksum processing unit (Checksum Block) 246 based on the selection instruction CN2 from the instruction control unit 266. Then, the output of the instruction control unit 266 is input.

  Each output of the concealment processing unit 242, the authentication processing unit 244, and the checksum processing unit 246 is input to the selector 252. Based on the selection instruction CN3 from the instruction control unit 266, the selector 252 selects any of the calculation results in the respective function units (modules) 242, 244, 246, and sends the selection output to the instruction control unit 266. input.

  FIG. 12 is a schematic diagram illustrating the relationship between the primary driver 130 and the secondary driver 140 of the accelerator driver 117 and the processing procedure represented by the hierarchical model. Central arithmetic control processing unit 110 (for example, CPU) performs a series of processes in one process represented by a hierarchical model. The process is divided into several layers, and processing is performed independently for each processing layer.

  For example, as illustrated, a series of processes P10 composed of P11 to P17 in the OSI model and a series of processes P20 composed of P21 to P24 in the TCP / IP model are taken as examples.

  Since the CPU of the central processing control processing unit 110 may process a plurality of processes in parallel, processing requests may be sent to the engine unit 200 from a plurality of layers of the plurality of processes.

  Various processing instructions such as security processing and checksum processing such as encryption, decryption or authentication from a certain hierarchy in a series of processes to the engine unit 200, and processing target data necessary for each processing to the engine unit 200 The transfer is performed via the accelerator driver 117.

  The engine unit 200 functioning as an accelerator can output the internal state after the calculation in addition to the processed calculation result. When other processing is specified to be performed continuously with the previous calculation, Processing is performed in conjunction with the processed data.

  Here, as described in the explanation of FIG. 11, the accelerator driver 117 receives a processing request from the CPU, performs data division if necessary, and passes the data to the secondary driver 140. It is constructed by being divided into secondary drivers 140 that select which data to be processed by the engine unit 200 out of the data passed from the primary driver 130 and issue a processing request to the engine unit 200. Here, “if necessary” includes at least the case where the processing of a plurality of processing layers is performed in parallel in the engine unit 200.

<Configuration and operation of primary driver>
FIG. 13 is a block diagram illustrating a detailed configuration example of the primary driver 130. As shown in the figure, the primary driver 130 needs to divide data based on the data analysis unit 132 corresponding to the data analysis unit 113 that analyzes the data passed from the application AP10 and the analysis result of the data analysis unit 132. The data division examination unit 134 for judging the data division, the division condition setting unit 136 for setting the data division condition for the data division examination unit 134, and the judgment result of the data division examination unit 134 indicate that the division is necessary. And a division processing unit 138 that divides the processing data on the condition that

  The data division examination unit 134, the division condition setting unit 136, the division processing unit 138, and the secondary driver 140 of the primary driver 130 constitute a processing procedure control unit 115.

  Threshold information is input from the application AP 10 to the division condition setting unit 136. The division condition setting unit 136 acquires the threshold value Th1 from the application AP10 and sets it in the data division examination unit 134. The threshold Th1 is determined by the CPU of the central processing control processing unit 110 according to the application application of the system.

  FIG. 14 is a flowchart showing an outline of processing in the primary driver 130. First, the primary driver 130 receives a processing request and processing target data as an application AP10 from the CPU of the central processing control processing unit 110 (S100). Upon receiving these, the primary driver 130 checks the size of the processing data and the protocol used by the data analysis unit 132, and determines whether or not data division is necessary or not based on the information and the threshold Th1 set by the application (S102 to S102). S110).

  For example, the primary driver 130 to which data is passed after receiving the processing request from the application AP 10 checks the size of the processing data and the protocol used by the data analysis unit 132 and divides the data by using the information and the threshold value Th1 set by the application. Is determined whether or not is necessary (S102).

  When the processing size is larger than the threshold Th1 (S102-YES), the data analysis unit 132 determines that the division is necessary and notifies the data division examination unit 134 of the determination result. In this case, the data division examination unit 134 specifies an algorithm used for processing such as encryption, decryption, authentication, checksum, and the like based on the communication protocol and the security protocol (S104). Then, the division size is determined by calculating a maximum value that is a multiple of the minimum processing unit in the used algorithm and does not exceed the threshold value Th1, and the determined division size is notified to the division processing unit 138 (S106). In response to this, the division processing unit 138 divides the data by the maximum value (S108), divides the data, and then sends the data (the processing content instruction for the processing target data and the processing target data to the secondary driver 140). The information to be instructed and the data to be processed).

  On the other hand, when the processing size is smaller than the threshold value, the data analysis unit 132 determines that the division is not necessary, and notifies the data division examination unit 134 of the determination result. In this case, the data division examination unit 134 sends the data passed from the application AP 10 (the instruction of the processing content for the processing target data, the information indicating the processing target data, and the processing target data) to the secondary driver 140 as it is. .

  By doing so, the data size passed to the engine unit 200 can be made substantially uniform with the threshold value Th1 or less.

<Configuration and operation of secondary driver>
FIG. 15 is a block diagram illustrating a detailed configuration example of the secondary driver 140. As shown in the figure, the secondary driver 140 sends which data to the engine unit 200 from among the data pool 142 as a storage unit for storing data passed from the primary driver 130 and the data accumulated in the data pool 142. A data selector 144 that determines and selects the data, and an order reference setting unit 146 that sets conditions for determining and selecting which data to send to the engine unit 200 with respect to the data selector 144.

  The order reference setting unit 146 receives control information CN10 indicating a reference for determining a transfer order from the application AP10. The order reference setting unit 146 acquires the control information CN10 from the application AP10 and sets it in the data selector 144. The control information CN10 is determined by the CPU of the central processing control processing unit 110 according to the application application of the system. Thereby, the selection method in the data selector 144 can be controlled by the application AP10.

  FIG. 16 is a flowchart showing an overview of data transfer by the secondary driver 140 and processing in the engine unit 200. First, the secondary driver 140 stores the data passed from the primary driver 130 in the data pool 142 (S200). This is to make the application AP 10 and the primary driver 130 and the engine unit 200 non-interfering with each other.

  The data selector 144 monitors whether or not data waiting for processing exists in the data pool 142, that is, whether or not the engine unit 200 is waiting for processing (S202-NO). Therefore, the data selector 144 can determine that the engine unit 200 is waiting for processing by storing the data passed from the primary driver 130 in the data pool 142.

  The data selector 144 sends the data stored in the data pool 142 to the engine unit 200 under the instruction control CN10 that defines the selection method by the application AP10 when the engine unit 200 waits for processing (S202-YES). Forward.

  Here, when the data divided by the division processing unit 138 of the primary driver 130 is accumulated in the data pool 142, the data selector 144 controls the transfer order of the divided data to the engine unit 200 by the application AP10. The process is scheduled by sequentially transferring the divided data to the engine unit 200 in accordance with this determination (S204).

  In the engine unit 200 that has received the data (the processing content instruction for the processing target data, the information for instructing the processing target data, and the processing target data) via the secondary driver 140, first, the instruction control unit 266 first selects the processing target. The processing content instruction for the data, the information indicating the processing target data, and the processing target data are analyzed, and the functional unit of the data processing unit 240 is in charge of processing. (S206). After this, the instruction control unit 266 performs the request from the central processing control processing unit 110 on the basis of the specific result for any of the concealment processing unit 242, the authentication processing unit 244, and the checksum processing unit 246. Selection instructions CN2 and CN3 are given to the corresponding selectors 250 and 252, respectively.

  Based on the selection instruction CN2 from the instruction control unit 266, the selector 250 selects any one of the concealment processing unit 242, the hash processing unit 244, and the checksum processing unit 246 and inputs the output of the instruction control unit 266. Based on the selection instruction CN3 from the instruction control unit 266, the selector 252 selects any of the calculation results in the respective function units (modules) 242, 244, 246, and sends the selection output to the instruction control unit 266. By inputting, the hardware for executing the process is set (S208).

  The function units 242, 244, and 246 that are configured by hardware in the data processing unit 240 that has received the data execute processing that they are in charge of, and send the processed data to the instruction control unit 266 via the selector 252. Pass (S210).

  In the same manner, the processes in steps S202 to S210 are repeated until all the processes for the data stored in the data pool 142 are completed.

  Here, as a reference for determining the order in which the data selector 144 transfers the data divided by the division processing unit 138 of the primary driver 130 and accumulated in the data pool 142 to the engine unit 200 under the control of the application AP10, For example, priority order, bandwidth reservation order, arrival order, or the like may be adopted.

  Even when a plurality of processing requests are generated in the engine unit 200 to perform parallel communication processing by selecting according to a communication protocol or security protocol used by the application AP 10, the divided data is processed in an appropriate order in the engine unit 200. Therefore, other processing requests are not waited while one process is being performed. Even if the data size currently being processed is large, dividing the data with a size that conforms to the communication protocol or security protocol can reduce the waiting time in a well-balanced manner and cause fluctuations in data transmission. Can be prevented.

  For example, the selection method in the order of priority by the data selector 144 is a method in which priority is given to data stored in the data pool 142 and processing is performed in the order of higher priority. In the case of the conventional method in which data division is not performed, when data having a low priority but a large processing size is being processed, the processing cannot be started even if the accelerator driver 117 receives a processing request having a high priority. .

  On the other hand, by applying this embodiment, data with a large processing size is divided by the division processing unit 138 into a predetermined size, so that the waiting time for a processing request with a high priority is shortened.

  Further, in the method of selecting the band securing order by the data selector 144, first, a subtraction counter is prepared for each processing request to the accelerator driver 117. When the secondary driver 140 passes data to the engine unit 200 as an accelerator, the counter of the corresponding processing request is returned to the initial value, and all other counters are set to “−1”. The data selector 144 sends the processing request data having the smallest counter value to the engine unit 200 among the data waiting for processing.

  By doing this, the maximum value of the data processing interval for each processing request is set, and a communication band can be secured for each processing request.

  This method of selecting the bandwidth reservation order is suitable for transmitting a plurality of data such as images and audio data that can be clearly seen to be disconnected when the communication interval is large.

  The arrival order selection method by the data selector 144 is a method of processing the divided data in the arrival order. However, when there are data from a plurality of processing requests, the processing is sequentially performed in the order of processing requests.

  This arrival order selection method is not an advanced process like the priority order or bandwidth reservation order selection method described above, but it does not require searching for data to be processed based on the priority or counter value, thus speeding up the processing. There is an advantage that can be done. Therefore, this arrival order selection method is suitable when it is desired to speed up communication in an environment where priority and bandwidth reservation are not so important.

  FIG. 17 is a diagram showing an outline of processing when the transfer order is determined in arrival order, and corresponds to FIG. 19 shown in the prior art. In FIG. 17, the data selection method in the secondary driver 140 performs processing in the order of arrival as in FIG. 19, but by dividing the data, each data is divided into units, and each function of the data processing unit 240 is processed. Since the units 242, 244, and 246 are sequentially processed, substantially all processing requests can be processed in parallel (as viewed in a macro).

  As described above, according to the method of the present embodiment, the data size processed by the engine unit 200 as an accelerator is divided, for example, with the threshold value Th1 being substantially uniform, and the divided data is based on a predetermined standard. The data is sequentially transferred to the engine unit 200 to execute the processing. Therefore, even in the case of the engine unit 200 as an accelerator having only a single hardware device, the function units 242, 244 and 246 of the data processing unit 240 corresponding to the divided data are almost uniformized. Can be executed sequentially in units of processing time. As a result, each functional unit 242, 244, 246 of the data processing unit 240 can substantially perform parallel processing. Thus, by devising the data transfer control method, for example, even in the case where real-time communication is performed using the IP protocol, fluctuations in data transmission do not occur, and this embodiment is very effective.

  In addition, the device characteristics are changed by changing the threshold Th1 setting in the data division examination unit 134 of the primary driver 130 and the transfer order selection method in the data selector 144 of the secondary driver 140 according to the application protocol usage environment. It is possible to perform optimum processing.

  For example, if the priority is determined for each process and processing is performed in order of priority, necessary processes can be preferentially processed. Further, since the processing time in the accelerator driver 117 is reduced by increasing the threshold value Th1 to reduce the number of divisions and making the processing data selection method in a simple arrival order, such a control method is important if communication speed is important. It is good to use.

  In this way, by changing the threshold Th1 corresponding to the division size for the data division examination unit 134 and the control information CN1 corresponding to the transfer order for the data selector 144 according to the application AP10, the processing characteristics (device characteristics) of the engine unit 200 are changed. In other words, an accelerator having only a single hardware device can control the processing characteristics according to the use of the system.

<Applicable protocol>
As described above, when a plurality of processing requests are generated almost simultaneously, the data is divided by a predetermined size, and the engine unit 200 is based on a criterion according to the application such as priority order, bandwidth reservation order, arrival order, for example. The basic processing technique has been described with respect to the mechanism that enables the engine unit 200 to perform efficient parallel processing by determining the order of transfer to the above. The present invention can be applied to various protocols used in a security communication system that guarantees confidentiality and integrity.

  For example, SRTP (Secure RTP), which adds a security function to the real-time data transmission protocol RTP (Real time protocol), and mutual authentication between the client and server, can be used to establish an authenticated and encrypted connection. Secure Sockets Layer (SSL) that realizes transport layer security by establishing it, and applied to TLS (Transport Layer Security) standardized by IETF (Internet Engineering Task Force) based on this SSL protocol be able to.

  Alternatively, encryption payload ESP (Encapsulating Security Payload) in IPSec (Internet Protocol Security) using block encryption algorithms such as DES / 3DES / AES as the encryption algorithm, and ICV (integrity assurance authentication) for almost the entire packet By adding (value), it can be applied to the AH format that guarantees the integrity of almost the entire packet including the outer IP header for transfer.

  Further, the present invention can be applied not only to a protocol for wired communication but also to a protocol for wireless communication. For example, a wireless device or a wireless LAN standardized by IEEE (Institute of Electrical and Electronics Engineers, Inc.) Also applied to WEP (Wired Equivalent Privacy), a protocol for protecting information transmission security, and WPA (Wi-Fi Protected Access), an encryption standard that replaces WEP established by Wi-Fi Alliance. Is possible.

  At this stage, standardization work in IEEE is not finished, but the processing described in the above embodiment can be applied to a security protocol established in IEEE802.11i.

  Whether or not processing requests such as encryption, decryption, authentication, and checksum are almost simultaneous in a plurality of processing layers is determined by the relationship between the communication protocol applied by the application and the security protocol applied thereto. Is.

  In any case, as described above, when processing requests such as encryption, decryption, authentication, checksum, etc. are almost simultaneously in a plurality of processing layers, the engine unit 200 is paralleled in response to the requests. The engine unit 200 executes efficient parallel processing by dividing the data into a predetermined size so as to be processed and sequentially transferring the divided data in a transfer order according to the application.

<Specific examples>
FIG. 18 is a diagram illustrating a specific example of a protocol to which the data processing described in the above embodiment is applied. In this example, the SSL / TLS protocol (P31) that performs security processing in the application layer P21 (session layer P13) and IPSec that performs security processing in the IP layer P33 as the Internet layer P23 are used in combination as security communication. The layer P22 shows a case where TCP / UDP (P32) is used.

  Here, data transfer is required between the main system 100 and the engine unit 200 during the security processing based on the SSL / TLS format in the application layer P21. Further, data transfer is required between the main system 100 and the engine unit 200 at the time of TCP or UDP checksum processing in the transport layer P22. Furthermore, data transfer is required between the main system 100 and the engine unit 200 during security processing based on the IPSec format in the Internet layer P23. In these processes, processing requests may be issued almost simultaneously from the application.

  In this case, as described above, the data is divided by a predetermined size, the order of transfer to the engine unit 200 is determined based on the standard according to each protocol, and the divided data is sequentially processed in the determined order. 200. By doing this, among the processes in the network protocol stack P30, IPsec encryption and decryption in the IP layer P33, creation of an authentication code, confirmation of the authentication code (A3), check of TCP / UDP (P32) By performing sum generation and checksum confirmation (A2) in parallel in the engine unit 200, it is possible to process the plurality of processing contents at high speed.

  In addition, when SSL / TLS (P31) is used as an application, the engine unit 200 also performs parallel processing of encryption, decryption, creation of an authentication code, and confirmation of the authentication code (A1). It can be processed at high speed.

  In this manner, by applying the processing described in the above embodiment to the security communication system, data transmission / reception for a plurality of objects can be performed while ensuring confidentiality and integrity.

  As mentioned above, although this invention was demonstrated using embodiment, the technical scope of this invention is not limited to the range as described in the said embodiment. Various changes or improvements can be added to the above-described embodiment without departing from the gist of the invention, and embodiments to which such changes or improvements are added are also included in the technical scope of the present invention.

  Further, the above embodiments do not limit the invention according to the claims (claims), and all combinations of features described in the embodiments are not necessarily essential to the solution means of the invention. Absent. The embodiments described above include inventions at various stages, and various inventions can be extracted by appropriately combining a plurality of disclosed constituent elements. Even if some constituent requirements are deleted from all the constituent requirements shown in the embodiment, as long as an effect is obtained, a configuration from which these some constituent requirements are deleted can be extracted as an invention.

  For example, in the above embodiment, the data processing in the network protocol in the wired system or the wireless system has been described. However, when the cooperative processing is performed between the main system and the engine unit, the processing is hierarchically defined, A system configuration in which a part of the processing is performed by an engine unit configured by hardware is sufficient, and the processing content performed by the engine unit is not limited to processing related to a communication protocol.

  In the above embodiment, the data analysis unit 113 and the processing procedure control unit 115 on the central processing control processing unit 110 side of the main system are configured by software processing, and software (central processing control processing unit 110) and hardware (engine unit) 200), the data analysis unit 113 and the processing procedure control unit 115 on the central processing control processing unit 110 side may be configured by a hardware processing circuit.

  Further, in the specific configuration example of the data processing device 3 shown in FIG. 11 described above, the central processing control processing unit 110 serves as a bus master for the memory unit 120 and reads processing target data from the memory unit 120. Although the form transferred to the control unit 260 is used, the data transfer form is not necessarily limited to this, and any of the forms shown in FIGS. 2 to 4 can be adopted, for example.

  For example, the engine unit 200 may be provided with the DMA controller unit 264 so that the engine unit 200 side controls the data transfer. In this case, for example, in accordance with the transfer order of the divided data shown in FIG. 12, the divided data and the processing content for the divided data are preferably stored in the descriptor area 127 in the descriptor queue structure.

  In the above embodiment, the data processing apparatus according to the present invention is applied to an information processing apparatus such as a personal computer. However, the present invention is not limited to this, and the technology described in the above embodiment is applied to various types of apparatuses. Can be applied. For example, the present invention can also be applied to an access point as a base station used in a wireless local area network (LAN) or a LAN card incorporated in a terminal-side device. It goes without saying that the device configuration in these cases only needs to include at least the portion of the data processing device 3 shown in FIG. Further, the engine unit 200 may be provided as a module (for example, a substrate module) of a detachable data processing device mounted on the main system 100.

It is the block diagram which showed the structure of the computer apparatus provided with one Embodiment of the data processor which concerns on this invention. It is the figure which showed the 1st structural example of the system architecture for implement | achieving the process procedure control function with respect to an engine part. It is the figure which showed the 2nd structural example of the system architecture for implement | achieving the process procedure control function with respect to an engine part. It is the figure which showed the 3rd structural example of the system architecture for implement | achieving the process procedure control function with respect to an engine part. It is a figure showing an example of command descriptor, processing procedure information, and data storage location information. It is a figure explaining the queue structure of a descriptor. It is a figure explaining the stack structure of a descriptor. It is the figure which showed an example of the descriptor queue in a process hierarchy model. It is the figure which showed an example of the command descriptor queue corresponding to the case where an engine part processes simultaneously in response to a some process request. It is a figure explaining the relationship between the hierarchy model in a communication protocol, and a process hierarchy. It is the block diagram which showed the detailed structural example of the data processor with which the computer apparatus shown in FIG. 1 was equipped. It is the schematic diagram which showed the relationship between a primary driver and a secondary driver, and the process sequence represented by the hierarchy model. It is a block diagram explaining the detailed structural example of a primary driver. It is the flowchart which showed the process outline | summary in a primary driver. It is a block diagram explaining the detailed structural example of a secondary driver. It is the flowchart which showed the outline | summary of the data transfer by a secondary driver, and the process in an engine part. It is the figure which showed the process outline | summary in the case of determining a transfer order by arrival order. It is a figure explaining the specific example of the protocol which applies the data processing demonstrated by the said embodiment. It is a figure explaining the problem of the prior art in the case where a plurality of processing requests are issued simultaneously.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Computer apparatus, 3 ... Data processing apparatus, 100 ... Main system, 110 ... Central processing control processing part, 113 ... Data analysis part, 115 ... Processing procedure control part, 117 ... Accelerator driver, 120 ... Memory part, 122 ... ROM , 124 ... RAM (main storage section), 125 ... processing data storage area, 126 ... command storage area, 127 ... descriptor area, 130 ... primary driver, 132 ... data analysis section, 134 ... data division examination section, 136 ... division conditions Setting unit, 138 ... division processing unit, 140 ... secondary driver, 142 ... data pool, 144 ... data selector, 146 ... order reference setting unit, 150 ... interface unit, 180 ... internal bus, 200 ... engine unit, 240 ... processing , 242 ... Concealment processing unit, 242a ... Encryption processing unit, 242b ... Decryption processing 244: Authentication processing unit, 246 ... Checksum processing unit, 248 ... Security processing unit, 249 ... Identity confirmation processing unit, 250, 252 ... Selector, 260 ... Control unit, 262 ... Bus IF unit, 264 ... DMA controller unit 266 ... Instruction control unit

Claims (18)

A data processing method of transferring processing target data from a main system to an engine unit configured by hardware, performing predetermined processing on the processing target data, and transferring processed data to the main system,
For a plurality of processes with different processing contents in charge of the engine unit,
Dividing the processing target data to be processed in each of the plurality of processes into a predetermined size;
Based on a predetermined standard, determine the transfer order of each divided data to the engine unit,
According to the determined transfer order, sequentially transfer the divided data to the engine unit,
In the engine unit, sequentially execute processing according to the processing content of the divided data transferred from the main system,
A data processing method characterized by transferring processed data to the main system. The data processing method according to claim 1, wherein the predetermined criterion is determined according to an application applied by the main system. The data processing method according to claim 1, wherein the predetermined criterion is any one of a priority order of processing contents, a bandwidth reservation order in communication, and a processing request arrival order. The data processing method according to claim 1, wherein the plurality of processes having different processing contents are an encryption process, a decryption process, an authentication process, or a checksum process in a communication protocol. The data processing method according to claim 4, wherein the encryption process, the decryption process, and the authentication process are in accordance with an SSL protocol, a TLS protocol, or an IPsec protocol. The data processing method according to claim 4, wherein the checksum processing is in accordance with a TCP protocol or a UDP protocol. Information on the processing content notified to the engine unit for each of the divided data and address information indicating the storage position in the main system of the processing target data corresponding to the processing content are associated with each other and sequentially stored in a predetermined manner. Store in the department,
The processing content information and the address information are sequentially read from the storage unit at a predetermined timing, and processing corresponding to the processing content is sequentially executed on the divided data. The data processing method described. The data processing method according to claim 7, wherein the information on the processing contents and the address information are stored in and read from the storage unit by a first-in first-out method. An engine unit configured by hardware and a main system are provided, the processing target data is transferred from the main system to the engine unit, and predetermined processing is performed on the processing target data. A data processing device for transfer to a system,
The main system is
For a plurality of processes having different processing contents handled by the engine unit, the processing target data to be processed in each of the plurality of processes is divided into a predetermined size, and each of the divided processes is performed based on a predetermined criterion. A data processing apparatus comprising: a processing procedure control unit that determines a transfer order of divided data to the engine unit. The processing procedure control unit
A data division examination unit that determines the predetermined size when dividing the processing target data to be processed in each of the plurality of processes;
The data processing apparatus according to claim 9, further comprising: a division processing unit that divides the processing target data at the predetermined size according to a determination result of the data division examination unit. The processing procedure control unit
Furthermore, the data division examination unit has a division condition setting unit that sets conditions for determining the predetermined size,
The data division examination unit determines the predetermined size for dividing the processing target data in accordance with the condition set by the division condition setting unit, and notifies the division processing unit of the determined predetermined size. The data processing apparatus according to claim 10. The processing procedure control unit
A data analysis unit for determining whether or not it is necessary to divide the processing target data for each of the processing target data to be processed in each of the plurality of processes;
The processing procedure control unit determines the predetermined size and notifies the division processing unit when determining that the data analysis unit needs to divide the processing target data. The data processing apparatus described in 1. The engine unit includes a data processing unit that performs predetermined data processing and a control unit that controls the data processing unit,
The data processing unit is composed of individual hardware circuits that independently perform encryption processing, decryption processing, authentication processing, or checksum processing in a communication protocol as the plurality of processes having different processing contents. The data processing device according to claim 9, further comprising: a functional unit configured as described above. A storage for sequentially storing the information on the processing content notified to the engine unit for each of the divided data and the address information indicating the storage position in the main system of the processing target data corresponding to the processing content The data processing apparatus according to claim 9, further comprising: a unit. When the engine unit receives an instruction to start processing from the processing procedure control unit of the main system, the information on the processing content and address information indicating the storage location in the main system of the processing target data corresponding to the processing content The data processing apparatus according to claim 14, wherein the processing is sequentially executed from the storage unit, and processing corresponding to the processing content is sequentially executed on the divided data. The data processing apparatus according to claim 14, further comprising a memory control unit that performs storage and reading of the processing content information and the address information in the storage unit by a first-in first-out method. The data processing apparatus according to claim 16, wherein the memory control unit is provided in the engine unit. The data processing apparatus according to claim 14, wherein the engine unit includes a memory control unit that performs reading of the processing content information and the address information from the storage unit by DMA transfer.

Images