TW201243599A - Secure and scalable solid state disk system - Google Patents

Abstract

A solid state disk system is disclosed. The system comprises a user token and at least one level secure virtual storage controller, coupled to the host system. The system includes a plurality of virtual storage devices coupled to at least one secure virtual storage controller. A system and method in accordance with the present invention could be utilized in flash based storage, disk storage systems, portable storage devices, corporate storage systems, PCs, servers, wireless storage, and multimedia storage systems.

Description

201243599. VI. Description of the Invention: 'Technical Field to Which the Invention Alonged>> The present invention relates to a memory system; more particularly, the present invention relates to a secure and scalable solid state disk system. [Prior Art] Flash-based solid state disks (SSDs) have slowly picked up and are widely accepted by general consumer users from industrial, defense, and enterprise applications. . The main driving force behind this trend is the development of advanced flash technology and the advantages of the flash components themselves. Compared with the conventional hard disk drive (HDD), the flash type solid state disk has the following advantages: 1. Low power consumption. 2. Lighter weight. 3. The heat dissipation is low. 4. No noise. 5. No mechanical components. However, while gradually replacing hard drives, solid-state disks also have some problems to be solved, such as: 1. Higher cost. 2. The density is low. 3. System performance is poor. In addition, the general solid state disk usually only manages one of the 4th, 8th, 16th, 32th or more flash memory groups, so the more difficult 201243599 design challenges in the following aspects: 1 · Management The output pins (pin-outs) of many flash device interfaces. 2. Uniform wear-leveling across many flash components. 3. The manufacturability and testability of solid state disk systems. 4. Support the new flash technology and the time gap that can benefit from it. 5. Time to market. 6. The cost savings from the new flash technology. The conventional hard disk drive has no built-in security protection. If a host system with a hard disk drive is stolen, the contents of the hard disk drive can be easily accessed and stolen. Even if the entire disk can be encrypted by a software, the conventional hard disk drive still has the following problems in practical applications: 1. The system performance sacrifice due to encryption and decryption of the software. 2. The driver must be installed separately for encryption. 3. If the password authentication function belongs to the hard drive only, there is still a risk of being attacked. If solid-state disks become mainstream by the conversion of niche products into more common user products, solid-state disks must be improved for these shortcomings, and other advantages such as safety and expandability must be added. 1 is a block diagram of a conventional secure digital (SD) flash card including a physical interface 11, a secure digital card controller 12, and a flash memory 13. The physical interface 11 is connected to a host system via an interface bus 14. A simple solid-state disk can be formed using a secure digital card, a compact flash (CF) card, and a universal serial bus (USB) drive.

4 S 201243599 in a conventional storage system, for example, U.S. Patent Application Serial No. 10/707,871, the disclosure of which is incorporated herein by reference. A storage system disclosed in No. 6,883,083, No. 6,877,044, No. 6,421,760, No. 6, 138, 176, No. 6, 134, 630, No. 6, 549, 981, and U.S. Patent No. 20030120865, during system startup or operation, The storage controller will automatically install and configure the disk drive. The aforementioned storage controller can perform basic storage identification and aggregation functionality. The main advantage of the prior art is that it can detect the insertion and removal of the disk drive during operation. However, conventional techniques fail to identify the non-synchronous characteristics between the host system and the storage system during system startup. Since the function of the storage controller is equivalent to a virtual controller, it takes time for the storage controller to identify, test, and configure the physical drive during startup of the host system. If there is no mechanism to re-synchronize the host system with the storage system, the host system will only stop and there is no way to identify and install the virtual logical storage. As a result, conventional systems can only be used as a secondary storage system rather than a primary storage system. Another disadvantage of U.S. Patent No. 6,098,119 is that the system requires that each of the via drivers be provided with a plurality of "preloading" "parameters". This shortcoming will limit the automatic installation. Most conventional systems do not provide a solution to the expandabnity or scalability of the storage. U.S. Patent Application Serial No. 10/707,871 (the disclosure of which is incorporated herein by reference in its entirety in its entirety in the entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire all all all Emphasis is placed on describing an "external" storage virtual controller coupled to a physical host (possibly a host computer or a server). These patents do not address the issue of the initiation of virtual storage described above. The architecture of these patented virtual storages can still only be used as a secondary storage. In addition, the conventional system cannot solve the problem of driver security for password authentication and hardware encryption. Among them, hardware encryption has become an indispensable main driving application in notebook computers. As shown in Fig. 2, U.S. Patent No. 7,003,623 is a relatively simple solid state disk system. The solid state disk system includes a serial advanced technology attachment (SATA) to flash memory controller 25 and a set of flash memory 13. The SATA to flash memory controller 25 includes a SATA host interface 251 and a plurality of flash device interfaces 252. The SATA host interface is used to interfacing the SATA host controller 21 of the host system 20, and the flash device interface 252 is used to connect the flash memory 13. Each flash memory 13 has approximately 15 to 23 signal pins for connection to the controller 25. SATA host interface 251 requires 4 signal pins to connect to the §αΤΑ host controller 21 ° SATA to flash memory controller 25 requires a total of at least 124 signal pins to control 8 flash memory 13 Or a total of 244 signal pins to control 16 flash memories 13. Also as shown in Fig. 2, the controller 25 must control the error correction code (ERC), uniform erasure, bad block remapping (bad bi〇ck re-mapping), allocation of idle storage space. And a number of internal-to-flash memory solid-state disk-based book keeping tasks. This shows that with the flash

S 201243599 The number of memory components increases, and the complexity of the controller will also increase. In this way, not only will the cost of the controller be affected, but the problem of manufacturability and testability is further increased on the conventional solid-state disk system. In essence, conventional techniques do not have scalable features, meaning that the same controller will not be used in two or more different types of designs. If the same controller is to be used in two or more different types of density designs, the number of pins on the controller must accommodate at least 124 pins to connect four flash memories; or 244 pins to Connect eight flash memories; or even 484 pins to connect up to sixteen flash memory chips. Therefore, conventional systems can only be used for solid-state disks for low-density applications without full extendability and expandability. Accordingly, a system and method that solves the above problems are necessary. The present invention can meet such needs. SUMMARY OF THE INVENTION The present invention discloses a solid state disk system. The system includes a user token and a first layer of secure virtual storage controller that interfaces to a host system. The system also includes a plurality of Layer 2 secure virtual storage controllers and a plurality of Layer 3 virtual storage devices. The second layer of virtual storage controllers are all compatible with the first virtual secure storage controller, and the third layer of virtual storage devices are coupled to the second layer of virtual storage controls. Device. The system and method in accordance with the present invention provide the following advantages. 1. The system and method employ a secure virtual storage controller architecture. 2. The system and method employs an expandable solid state disk system based on the secure virtual storage controller architecture. 201243599 3. The system and method is based on the block built on the popular and popular flash card/devices today to adopt the cost, density and system performance of the latest flash component technology. 4. The system and method use a virtual storage processor to integrate density and system performance. 5. The system and method can be used to expand the density and system performance by using multiple virtual storage controllers. 6. The system and method can optionally use an encoding engine in the virtual storage controller to process the encryption/decryption operations of the data exchange between the upload stream and the downstream stream on-the-fly. The exchange of data is performed between the host and the device. ^ 7. The system and method use a USB beacon as a separate password for solid state disks. 8. The system and method allows the secure-and-scalable solid state disk (SNS-SSD) to replace the hard disk drive with the user's experience of self-booting, hibernation, and general use. The system and method in accordance with the present invention is applicable to a flash memory, a disk storage system, a portable storage device, an enterprise storage system, a personal computer, a server, a wireless storage, and a multimedia storage system. [Embodiment] The present invention relates to a memory system. More particularly, the present invention relates to a secure and scalable solid state disk system. The following description is made to enable those skilled in the art to utilize the present invention while providing the application and conditions of the present invention. The following examples are merely illustrative of the embodiments of the present invention, and the techniques of the present invention are illustrated.

S 201243599 is not intended to limit the scope of the invention by κ 。. Anyone who is familiar with the technology can easily complete the change or the sum of the " ^ boastful women's volleyball is within the scope of the present invention. Figure 3 is a block diagram of a SATA-type secure and expandable solid-state tank system that is connected to a USB controller and a USB beacon. The host system 30 includes a processor (not shown), a recovery, k ~ I diagram is not continued, input / output (input / outputi / j / O), 'a USB interface f fgj soil _ circle is not painted And a SATA host controller 34. The SATA host controller 3 4 is connected to a USB beacon 35 by a USB interface, and is operated by a SATA host, q, @321, together with the secure and expandable solid state disk system 31. The system is used to provide a password after the power-on and access to the secure and expandable solid state disk system SB Ring 35 as a separate medium (哗(3)丨). a force this function can be - the software function belonging to the USB signal 35. Or better, it can be a USB symbol 35. The reason for connecting to the web browser of the web service is that it is more common and it only takes up a small part of the system resources. It can operate on different platform devices. The secure and expandable solid state disk system 31 includes a first layer of secure virtual storage controller 32, a second layer of secure virtual storage controller 33, and eight third layer storage device security digital cards.

The first layer virtual storage controller 32 includes a SATA host interface 321, an encoding engine 323, and a plurality of SATA device interfaces 322 connected in parallel. In this embodiment, the storage interface of the host side may be a serial ATA or SATA. The storage host interface may be any type of input/output interface, such as SATA, tandem small computer 、-, - first " (serial attached small computer system interface; SAS), peripheral controller control interface (PCI 201243599 express), parallel advanced technology attachment (PATA), USB, Bluetooth, ultra-wideband ( Ultra-wideband; UWB) or wireless interface. The virtual storage controller 32 will be described in more detail in the secure virtual storage controller 40 illustrated in FIG. The second layer virtual storage controller 33 includes a SATA host interface 331, an encoding engine 333, and a plurality of secure digital device interfaces 332 in parallel. The virtual storage controller 33 is not directly coupled to the flash memory, but is coupled to the third layer storage device, that is, a secure digital (SD) card 10. As long as the number of pins, cost, and system performance are reasonable, the SD card 1 can be replaced by any flash card or drive, such as: compact flash card (CF card), multimedia card (multimedia compact card; MMC card) ), USB drive or memory stick. In this embodiment, each of the secure digital cards 1 has six signal pins. A four digit security element requires a total of 24 signal pins, each of which has two flash memory elements instead of the 'eight flashes in the prior art. The total number of hidden components required is 120 signal pins. Therefore, the present invention can reduce the cost of the self-controller wafer by a large amount of cost, and has better manufacturability and testability. Even though the first layer of secure virtual storage controller 32 and the second layer of secure virtual storage controller 33 can have different types of device interfaces, the structure of the two is substantially the same. As long as the storage device interface 322 is compatible with the storage host interface 331, the first layer of secure virtual storage controller 32 can be cascaded while expanding more of the second layer of secure virtual storage controller 33. Accordingly, by this expansion, the density and performance of the system will increase exponentially. In the structure of the simplest secure and expandable solid state disk system 201243599, the host system 30 is directly coupled to one of the second layer virtual storage controllers 33. This minimally safe and expandable solid state disk system includes only a two-layer structure of the second layer storage controller 33 and the third layer storage device 10. Both the first layer of the encoding engine 323 and the second layer of the encoding engine 333 are independently enabled, disabled, and configured. In general, only the upper coding engine is needed, and the other lower coding engines will be disabled. The coding engine will be explained in more detail in Figure 13. On the host storage interface, a SATA host interface 331 can be coupled to the first layer virtual storage controller 32. In this embodiment, the storage interface can be a serial port or SATA. The virtual storage controller 33 will be described in more detail in the secure virtual storage controller 40 illustrated in FIG. As shown in FIG. 4, the secure virtual storage controller 40 includes a storage host interface 41, an interrupt processor 42, a host command and data processor 43, a central processing unit (CPU) 44, and a program. The memory 45, a random access memory (RAM) and buffer 46, a data writing processor 401, a data reading processor 402, a pass-through instruction processor 403, A state and attribute retrieval processor 404, a region instruction processor 405, an encoding engine 406, a virtual storage processor 407, and a plurality of storage device interfaces 408. The virtual storage controller of the present invention can be cascaded and expanded as long as the storage interface is compatible. If you need to increase the density, you can achieve the goal of expanding density by adding a second layer of virtual storage controller. Accordingly, more third layer storage devices can be further added to expand the density. Compared with the prior art, the safe and expandable solid 201243599 state disk system of the present invention can provide exponential storage density expansion. Compared with the solid state disk system of the prior art, the safe and expandable solid state of the present invention. The disk system can bring many benefits by using a standard (four) card (such as a secure digital card (8) as a flash memory base block. The average erase of the h flash memory is specified to be done locally. Secure digital card H). The overall flash component does not require a large average erase. 2. The manufacturable property thief-like material is all (four) W (four) layered. The device layer is easier to manage than the solid state disk system layer. 3. Because of the material and the frequency of the needle (7), the number of fresh and safe digital control 12' supports and gains the advantage of the new flash technology without any time delay. 4· The city time is shorter. As long as the Secure Digital Card 1() is licensed under Cost, Density, and System Performance, the 4 Secure and Scalable Solid State Drive System 31 will begin shipping. Thanks to the basic block structure of the Queen Digital Card, many of the costs can be saved from the new flash technology. On the virtual storage processors 32, 33, system performance is improved. Virtual Storage 〇〇 33 can be used for a collection of virtual storage densities (aggregati〇n) and system performance. Parallel transport, in theory, the line efficiency will be the same as the number of female all-digit cards and the actual system performance of each secure digital card. 7. Female fullness is provided by the hardware coding engine 323 or 333. Password authentication function Bay J belongs to a USB beacon 35 independently. Therefore, it is safe and scalable

12 S 201243599 Solid state disk system with better system performance and security. The storage host interface 41 is coupled to the upload streaming host system 30 or another upper layer secure virtual storage controller. The storage device interface 408 is coupled to the downstream streaming storage device 10 or another lower level secure virtual storage controller. Figure 5 is a block diagram of a secure and scalable solid state disk system 39 having a PATA interface in accordance with another embodiment of the present invention. The host system 50 includes a processor (not shown), a memory (not shown), an input and output (not shown), a USB interface (not shown), and a PATA host controller 54. The PATA host controller 54 is coupled to a USB beacon 35 via a USB interface and operates through a PATA host interface 381 with a secure and scalable solid state disk system having a PATA interface. The secure and expandable solid state disk system 39 having a PATA interface includes a first layer secure virtual storage controller 38, a second layer secure virtual storage controller 32, and two third layer secure virtual storage controllers 33. Eight fourth layer storage devices secure the digital card 10. As noted above, the structure of the present invention can also be expanded and cascaded in terms of density and system performance. As shown in Fig. 4, the program memory 45 can store firewall and virtual storage controller information, and the random access memory and buffer 46 can store data packets for caching operations. The data writing processor 401 is coupled to the virtual storage processor 407 via an encoding engine for performing an instant hardware encryption operation. The data can be converted, encrypted and transferred from the buffer to the virtual storage processor 407. The data reading processor 402 is coupled to the virtual storage processor 13 201243599 407 through an encoding engine, and the encoding engine is used for real-time hardware decryption operations. The data can be converted, encrypted and transferred from the virtual storage processor 407 to the buffer. The pass instruction processor 403 is used to process instructions that do not require any area processing. The pass-through command is transmitted directly to the downstream stream without being encrypted or translated. The status and attribute capture processor 404 reports a particular status and/or attribute to the upload stream host system, or a higher level virtual storage controller. If the status or attribute consumes too much time for the regional controller to report, the status and attribute retrieval processor 404 will display a busy status for the host system or the upper level virtual storage controller that uploaded the request. When the particular state or attribute collection is complete, the interrupt handler 42 and computer routine 70 will begin the job. The interrupt processor 42 generates a software reset 47 to the central processing unit 44 for warming up the secure virtual storage controller 40. Accordingly, the interrupt handler 42 interrupts the upload stream of the system and again queries the virtual memory controller 40 to report the correct status or attributes. This mechanism will synchronize the host and device at different speeds, and the device will take more time to schedule after the synchronization request is made. Each secure virtual storage controller 40 will be identifiable by pre-planning one of the specific identities in the program memory 45. Figure 6 is a flow chart for initializing a secure virtual storage controller. After booting up, the secure virtual storage controller 40 is initialized 60 for the first time. In step 61, it is determined whether the virtual storage controller is ready. If so, then in step 62, the host instruction processor is started. Otherwise, in step 63, the controller will send an identification command to the storage device directory of the downstream stream. Once the downstream streamed storage device 10 is identified, the physical storage devices 10 will be tested in step 64. Next, via step 65, the encoding engine is initialized. Virtual storage control

S 14 201243599 • The controller is set to 'Ready' in step 66. Then step 67 is executed and the interrupt handler is started. Figure 7 is a flow chart for interrupt processor execution. First, it is determined via step 71 whether there is an interrupt request for the stream under the virtual storage controller. If so, the service requested for the interruption is agreed via step 74. Otherwise, in step 72, an interrupt is generated to the upstream streaming host, or a higher level virtual storage controller to configure the secure virtual controller 40 again. Step 73 essentially generates a software reset 47 to the regional central processing unit 44 for warm booting of the secure virtual storage controller 40. This mechanism will synchronize the host and device when operating at different speeds, where the device takes more time to schedule after power-on initialization. The above description is the process of initializing the secure virtual storage controller 40. Figure 8 is a flow chart of the execution of the host instruction processor. The host command queues with the data processor 43 and buffers the instructions and data packets between the storage host interface 41 and the encoding engine 406. Via step 80, the retrieved array of instructions is handed over to the routine of the host instruction processor for processing. In step 83, if the fetched instruction queue is judged to be a data write command, a data write command processor 401 is woken up. In step 84, if the fetched instruction queue is judged to be a data read command, a data read command processor 402 is woken up. In step 82, if the fetched instruction queue is determined to be a pass instruction, a pass instruction processor 403 is woken up. In step 85, if the fetched instruction queue is determined to be a state/attribute fetch instruction, a state/attribute fetch processor 404 is woken up. Otherwise, an area command processor 405 will be woken up. The region instruction processor 405 processes the region functions of the encoding engine 406, the virtual storage processor 407 15 201243599, and the regional virtual storage controller 40. As shown in Figure 9, the regional command set 90 contains: A. User-supplied instructions 91 i. Password function command 94 1. Set password 941 2. Change password 942 3. Password authentication 943 4. Set password prompt 944 5. Get Password prompt 945 6. Get the number of attempts (946) 7. Initialization and splitting requirements 947 a. Set the encryption key 9471 b. Obtain the new encryption key 9472 储存. Store the split instruction 95 7. Obtain the virtual storage attribute 951 8. Initialize split size 952 9. Format 953 B. Area status capture 92 C. Vendor-supplied instructions 93 i. Virtual storage processor configuration 96 10. Get virtual storage controller identification (identity; ID) 961 11. Set virtual storage Mode (Bundle Disk, Redundant Array of Independent Disks or Other) 962

S 16 201243599 Η· Encoding Engine Configuration 97 12. Setting the Encoding Mode 971 13. Enabling the Encoding Engine 972 14. Obtaining the Encrypted Gold Input 973 11'1·Password Attribute Configuration 98 14. Setting the Master Password 981 15. Setting the Number of Attempts The maximum value of 982 16. Setting the management mode flag (flag) 983 17. Setting the default password 984 iv·Test mode command 99 The user-provided command 91 is used by the professional domain application, which includes the USB target 35. Password authentication function. The user-provided command 91 includes a password function command 94 and a store split command 95. The manufacturer uses the manufacturer's instructions 93 to configure the solid-% disk system. Vendor-provided instructions 93 include a virtual storage processor configuration 96, an encoding engine level instruction 97, a password attribute configuration 98, and a test mode instruction 99. The area status capture command 92 is used to return the corresponding state of the virtual storage controller. The virtual storage controller ID command 961 is used to return the specific ID stored in the program memory 45. Set virtual storage mode command 962 visual system performance requirements or power consumption, set a bunch of disks (JBOD), independent arrays of independent disks (RAID) or other Operating mode. The set encoding mode command 971 is used to set the encryption mode of the encoding engine. The enable encoding engine command 972 is used to enable the encoding engine. The Set Management Mode Flag 983 is used to enable or disable the provision of the Solid State 201243599 dish system in the field. If the flag is set to unmanaged mode, the USB beacon must be utilized to provide and initialize the solid state disk system again. If the flag is set to management mode, the user must connect back to the management server to provide and initialize the solid state disk system again. This flag can only be set by the manufacturer. The test mode command 99 can be reserved by the manufacturer to test the solid state disk system. Before being ready for use, the solid state disk system must be prepared by the manufacturer before the production process. As shown in FIG. 3, the preparation is accomplished by attaching a secure and expandable solid state disk system 31 to a host system 30 via a suitable SATA host controller 34 or a USB beacon 35. Figure 10 is a flow chart for configuring the manufacturer. First in step 101, wait for the secure virtual storage controller to be ready. When the controller is ready, the factory preset settings are loaded in step 102. In step 103, the virtual storage processor begins to be configured. Thereafter, in step 104, the encoding engine begins to be configured. In step 105, the encoding engine is enabled as needed. Figure 11 is a flow chart for configuring a virtual storage processor. As shown in Fig. 11, in step 111, the virtual storage mode is set, i.e., the virtual storage mode 962 is set using one of the regional commands. The virtual storage operating mode can be set to JBOD, RAID or others. Thus, based on the physical storage device directory 64 (see Figure 6), a virtual storage set is completed in step 112. Create a virtual storage to identify the directory. In step 113, a virtual storage device directory is created. Via step 114, an entity to logical address translation directory is created using virtual storage processor 407 (see Figure 4). Then, in step 115, the virtual storage preparation is set to the ready state. Figure 12 is a flow chart of configuring the encoding engine. In step 121, via the zones

18 S 201243599 • One of the domain instructions configures the encoding 'engine and sends an encoding mode setting command 971. Next, in step 122, an instruction 982 to attempt to set the maximum number of times is sent. In step 1220, a get encryption key command 973 is sent. Therefore, in the encoding engine 406, a random number generator RNG 134 will be utilized to generate a random number key (not shown). The hash key is encrypted and returned in step 1220 to obtain the encryption key command 973. If a master password is required in step 1221, a master password command procedure is initiated and a master password command 981 is sent in step 1222. In step 123, it is determined whether the flag is in the management mode. If so, in step 124, the encryption key is stored in the management server as needed. If not, the encrypted key is stored in the USB beacon 35 via step 125. In step 126, the master password is sent to the encoding engine via the password setting command 981. Then, the encrypted master password will be stored in the solid disk system (not shown). In step 1260, a predetermined password is set via command 984. Then, the encrypted default password will be stored in the solid state disk system (not shown). The encoding engine can be disabled or enabled. If the encoding engine is enabled, the encoding engine is set to perform a particular encryption mode in step 127. Subsequently, the encoding engine ready flag flag is set to ready in step 128. Figure 13 is a block diagram of the encoding engine. The encoding engine 406 includes a random number generator RNG 134, a hash function HASH 131, a first universal encryption engine ENG2 132, a second data encryption engine ENG3 133, a storage upload stream interface 135, and a storage downstream stream. Interface 136. For a detailed implementation of the coding engine, please refer to U.S. Patent Application Serial No. 11/643,101. The host system 30 will perform password authentication depending on the inserted USB beacon 35. Referring to Figure 14A, in step 140, host system 30 is after a cold boot. In step 19 201243599, in step 141, the USB beacon 35 is also cold-booted. And the USB beacon operation is started via step 142. Referring to FIG. 14B, in step 143, after the host system 30 is powered off. In step 144, the solid state disk system is also turned off. And due to power interruption, in step 145, the encryption key in the solid state disk system will be lost. In step 146, the solid state disk system will remain encrypted as long as the encryption key has not been replied by the password authentication function of the USB symbol 35. Referring to FIG. 14D, in step 1403, after host system 30 is dormant. In step 1404, the solid state disk system also sleeps. And due to power interruption, in step 1405, the encryption key of the solid state disk system will be lost. In step 1406, the solid state disk system will remain encrypted as long as the encryption key has not been replied via the password authentication function loaded into the USB beacon 35. Referring to Figure 14C, in step 1400 ' after host system 30 is woken up from sleep. In step 1401, the USB beacon 35 is also cold-booted, as shown in Figure 14A. Finally, in step 1402, the USB beacon operation is initiated. Figure 15 is a flow chart of USB signal activation. As shown in Figure 15, in step 151, once the USB beacon network server is powered on. In step 152, the USB beacon waits for the storage and encoding engine to be ready. Next, in step 153, the password authentication function is activated. For detailed implementation steps of the password authentication function, please refer to U.S. Patent Application Serial No. 11/643,101. In step 154, if the initial and split requests are generated via the user command 947, the encoding engine will obtain a new random number key (not shown) from the random number generator 134. Then, in step 1541, the flag will be judged whether it is the management mode. If not, then

S 20 201243599 In step 1543, the encryption key is retrieved from the USB beacon 35. Otherwise, in step 1542, the self-management server retrieves the encrypted gold input. Then, in step 1544, the encryption key is sent to the encoding engine via the set encryption key command 9471. The code engine decrypts and retrieves the key (not shown). The encoding engine (not shown) retrieves and decrypts the encrypted master password. Subsequently, a random number key is generated from the random number generator RNG 134 (not shown). The master password can be encrypted using the new key by an encoding engine (not shown). In step 1545, the function will acquire a new encryption key command 9472 via initialization one. In steps 1546 and 1547, the new encryption key is stored in the management server or USB beacon 35 as needed. In step 1548, the user requests and configures a new user password. Both the master password and the user password are regenerated by the hash function 13 i and stored in the solid state disk system (not shown). And in step 549, the solid state disk system segmentation is configured. If the request is not initialization and splitting, then in step 155, a determination is made as to whether a password authentication request is generated. If yes, in step 155, the password authentication is initiated. If not, in step 156, a determination is made as to whether a change password request has been generated. If so, in step 157, the password change function is activated. Otherwise, via step 154, return to step 155 to continue to determine if there is a new cryptographic function request. Figure 16 is a flow chart for password authentication. First, in step 161, it is determined whether the password has been authenticated. If so, in step 164, the coded engine is loaded into the encoding engine and the access is turned on. Subsequently, in (4) 165, the clock is dismounted. (d) 166 towel, the solid state disk system is installed. At step 丨67, control transfers to the solid state (four) system. If the password is not authenticated, it is judged in step i62 whether it is exceeded - the maximum value of the attempt (_imum face (6) 〇 f 21 201243599 attempts; MNOA). If the result is affirmative, then in step 163, a counter measure is initiated to resist the malicious attack. Otherwise, in step 168, the count of number of attempts (NOA) is incremented. Finally, in step 169, the process returns to step 154 of the password loop shown in FIG. Although the secure and expandable solid state disk system according to the present invention can operate on secure digital cards, multimedia cards, micro flash cards, USB devices, memory sticks, high speed cards, logical block addressing- NAND; LBA-NAND), open anti-flash memory interface (〇p nand to interface; ONFI), embedded multimedia card (embed muhimedia card; eMMC) and embedded security digital card (embed security digital Card ; eSD) any interface. One skilled in the art can readily replace the disk system with any type of memory device without departing from the spirit and scope of the invention. The above-described embodiments are merely illustrative of the embodiments of the present invention, and the technical features of the present invention are not intended to limit the protective materials of the present invention. Any changes or equivalents that can be easily made by those skilled in the art are within the scope of the invention. The scope of the invention should be determined by the scope of the claims. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a block diagram of a secure digital card of the prior art; FIG. 2 is a schematic diagram of a conventional host system and a conventional solid state disk system; m @ It is a block diagram of a three-layer SATA-based secure and expandable solid-state disk system; Figure 4 is a block diagram of a secure virtual storage controller;

22 S 201243599 Figure 5 is a block diagram of a host system with a USB beacon coupled to a four-layer PATA-based secure and expandable solid-state disk system; Figure 6 is an initialization of the secure virtual storage Figure 7 is a flow chart of the execution of the interrupt processor; Figure 8 is a flow chart executed by the host command processor; Figure 9 is a regional command processor of the secure virtual storage controller, Internal regional command table; Figure 10 is a flow chart for the execution of the manufacturer; Figure 11 is a flow chart for configuring the virtual storage processor; Figure 12 is a flow chart for configuring the coding engine; The block diagram of the encoding engine; the 14A-14D diagrams are respectively a cold boot, shutdown, hibernation, and wake-up of the host system; Figure 15 is a flowchart of the USB beacon booting; and Figure 16 It is a flow chart for password authentication. [Main component symbol description] 10 : Secure digital card 11 : Physical interface 12 : Secure digital card controller 13 : Flash memory 14 : Interface bus

131 : hash function HASH 132 : first universal encryption engine ENG2 23 201243599 133 : second data encryption engine ENG3

134: Random Number Generator RNG 135: Store Upload Streaming Interface 136: Store Downstream Streaming Interface 20: Host System 21: SATA Host Controller 22: Flash Solid State Disk System 25: SATA to Flash Memory Control 251: SATA Host Interface 252: Flash Device Interface 30: Host System 31: Secure and Scalable Solid State Disk System 32: First Layer Secure Virtual Storage Controller 33: Layer 2 Secure Virtual Storage Controller 34: SATA Host Controller 35: USB Signal 38: First Layer Secure Virtual Storage Controller 39: Secure and Scalable Solid State Disk System 321 : SATA Host Interface 322: SATA Device Interface 323: Encoding Engine 331: SATA Host Interface 332: Secure digital interface

24 S 201243599 333 : Coding Engine 381 : PATA Host Interface 382 : SATA Device Interface 383 : Encoding Engine 40 : Secure Virtual Storage Controller 41 : Storage Host Interface 42 : Interrupt Processor 43 : Host Command / Data Processor 44 : Central Processing Unit 45: Program Memory 46: Random Access Memory/Buffer 47: Reset 401: Data Write Processor 402: Data Read Processor 403: Access Instruction Processor 404: Status and Attribute Capture Processor 405 : area command processor 406: encoding engine 407: virtual storage processor 408: storage device interface 50: host system 54: PATA host controller 90: regional instruction set 25 201243599 91: user provides instruction 92: area status capture 93 : Vendor provides instruction 94: Password function instruction 95: Storage split instruction 96: Virtual storage processor configuration 97: Encoding engine configuration 98: Password attribute configuration 99: Test mode command 941: Set password 942: Change password 943: Password Authentication 944: Set password prompt 945: Get password prompt 946: Get a number of attempts 947: Initialization and split request 9471: Set encryption key 9472: Get Encryption key 951: obtaining the virtual storage attributes 952: 953 initializes the segment sizes: 961 Format: Get the controller identifies the virtual storage 962: the virtual storage setting mode

26 S 201243599 9 71 .Setting the encoding mode 972 : Enabling the encoding engine 973 : Obtaining the encryption key 981 : Setting the master password 982 : Setting the maximum number of attempts 983 : Setting the management mode flag 984 : Setting the default password 27

Claims (1)

201243599 VII. Patent application scope: 1. A solid state disk system, comprising: a user token; at least one secure virtual storage controller coupled to a host system; A plurality of virtual storage devices are coupled to the at least one secure virtual storage controller. 2. The system of claim 1, wherein the at least one virtual storage controller comprises: a first layer secure storage controller; and a plurality of second layer virtual storage controllers having an interface, the second layer The virtual storage controller is compatible with the first layer virtual storage controller. 3. The system of claim 2, wherein the number of the second layer of secure virtual storage controllers is increased by the interface to the first layer of secure virtual storage controllers. 4. The system of claim 2, wherein the first layer of secure virtual storage controller utilizes a first encoding engine to provide security. 5. The system of claim 4, wherein each of the second layer of secure virtual storage controllers utilizes a second encoding engine to provide security. 6. The system of claim 1 wherein the at least one virtual storage controller comprises an encoding engine to provide security. 7. The system of claim 5, wherein the user beacon is a medium that provides password authentication for the host system. 8. The system of claim 5, wherein the first encoding engine and each of the second encoding engines are respectively enabled, disabled, and configured. 28 S 201243599 (configured) ° 9. The system of claim 2, wherein the first layer of secure virtual storage controller comprises: a storage host interface; an interrupt processor coupled to the storage host interface; a host command and data processor; and a central processing a software resetter coupled to the central processing unit; a program memory; a controller identifier code; a random access memory (RAM) and a buffer; Into the processor; a data reading processor: a pass-through instruction processor; a state and attribute retrieval processor; an area instruction processor; an encoding engine; a virtual storage processor; and a plurality of Storage device interface. 10. The system of claim 2, wherein each of the second layer of secure virtual storage controllers comprises: a storage host interface; 29 201243599 - an interrupt processor coupled to the storage host interface; - host instructions and data a central processing unit; a software resetter coupled to the central processing unit; a program memory; a controller identifier code; a random access memory and a buffer; a processor; a data read processor: a pass instruction processor; a state and attribute capture processor; a region instruction processor; an encoding engine; a virtual storage processor; and a plurality of storage device interfaces. 11. The system of claim 9, wherein the storage host interface comprises a serial advanced technology attachment (SATA) interface and each of the storage device interfaces comprises a serial high speed hard disk interface. 12. The system of claim 9, wherein the storage host interface comprises a parallel advanced technology attachment (PATA) interface and each of the storage device interfaces comprises a tandem high speed hard disk interface. The system of claim 10, wherein the storage host interface comprises a series of hard disk interfaces, and each of the storage device interfaces comprises a secure digit (secudty 13, 201243599 digital; SD) interface. 14. The system of claim 13, wherein the secure digital interface comprises a storage device (SD) card, a multimedia card (MMC), a compact flash card (CF card); , universal serial bus (USB) device, memory stick (MS), high speed card (express card), logical block addressing-NAND (LBA-NAND), Open interface with open NAND flash interface (ΟΝΠ), embedded multimedia card (eMMC) and embed security digital card (eSD). 15. The system of claim 1 wherein the storage capacity and performance are enhanced by adding an additional secure virtual storage controller. 16. The system of claim 9, wherein the S-Hui interrupt processor and the software resetter form a mechanism to synchronize the host with the device when the host and the device operate at different speeds. 17. The system of claim 1, wherein the δ 玄 interrupt handler and the software resetter form a mechanism to synchronize the host with the master when the host and the device operate at different speeds. 18. A solid state disk system comprising: a user signal; a first layer of secure virtual storage controller coupled to a host system; a plurality of second layer virtual storage controllers having an interface The second layer of virtual storage controller is compatible with the first layer virtual storage controller; and 31 201243599 19. 20. 21. 22. 23. 24. A plurality of layers of the second layer of virtual storage devices are coupled to The second layer of virtual storage controllers above. The system of claim 18, wherein the number of the second layer of secure virtual storage controllers is increased by the interface to the first layer of secure virtual storage controller. The system of claim 18, wherein the first layer of secure virtual storage controller provides security to the first layer of secure virtual storage controllers using a first encoding engine. The system of claim 20, wherein each of the second layer of secure virtual storage controllers provides security to each of the second layer of secure virtual storage controllers using a second encoding engine. A system as claimed in claim 21, wherein a beacon is used as a medium for providing a password authentication for the host system. The system of claim 21, wherein the first encoding engine and each of the second encoding engines are separately enabled, disabled, and configured. The system of claim 18, wherein the first layer of secure virtual storage controller comprises: a storage host interface; an interrupt processor coupled to the storage host interface; a host command and data processor; a software resetter coupled to the central processing unit; a program memory; S 32 201243599 a controller identifier code; a random access memory and a buffer; a data write processor A data read processor: a pass instruction processor; a state and attribute capture processor; a region instruction processor; an encoding engine; a virtual storage processor; and a plurality of storage device interfaces. 25. The system of claim 18, wherein each of the second layer of secure virtual storage controllers comprises: a storage host interface; an interrupt handler coupled to the storage host interface; a host command and data processor a central processing unit; a software resetter coupled to the central processing unit; a program memory; a controller identifier code; a random access memory and a buffer; a data write processor A data read processor: a pass instruction processor; 201243599 - state and attribute capture processor; - area instruction processor; - coding engine; virtual storage processor; and a plurality of storage device interfaces. 26. 27. 28. 29. 30. 31. 32. The system of claim 2, wherein the storage host interface comprises a column of high-speed hard disk interface ′ and each of the storage device interfaces comprises a __column high-speed hard disk interface The system of claim 24, wherein the storage host interface includes a parallel high speed DVD interface and each of the storage device interfaces includes a serial high speed hard disk interface. The system of claim 25, wherein the storage host interface comprises a high-speed hard disk interface, and each of the storage device interfaces includes a security digital interface. The system of claim 28, wherein the secure digital interface includes a storage device card media card, a micro flash card, a universal serial bus device, a memory stick, a high speed card, a logical block address, and a Any interface between the open fiscal flash memory interface, the embedded multimedia card and the embedded secure digital card. ~ As described in claim 18, the cap is enhanced by additional security virtual storage controllers to enhance storage capacity and performance. The interrupt handler and the software resetter may form a mechanism to synchronize the host with the device as the line's device of claim 24 operates at the same speed as the device. The system of claim 25, wherein when the host and the device operate at different speeds, the interrupt handler and the software resetter can form a mechanism to synchronize the host with the device. 34 S 201243599 - 33. A regional instruction processor for a solid state disk system, comprising: a processor; and a region instruction directory, executed in the processor, the instruction directory containing instructions provided by a user, An area status capture instruction and a vendor-supplied instruction. 34. The regional instruction processor of claim 33, wherein the user-provided instruction is used by a function in a professional domain application, the user-provided instruction comprising a cryptographic function instruction and a storage split instruction, wherein the vendor provides The instructions are for the vendor to configure the solid state disk system, and the manufacturer provides instructions including a virtual storage processor instruction, programming, engine configuration instructions, password attribute configuration instructions, and a test mode instruction. 35. The regional instruction processor of claim 34, wherein the instructions provided by the vendor comprise a virtual storage processor configuration instruction, an encoding engine configuration instruction, a password attribute configuration instruction, and a test mode instruction. 36. The regional instruction processor of claim 35, wherein the virtual storage processor configuration instructions comprise a virtual storage attribute retrieval instruction and a virtual storage command mode setting instruction. 37. The regional instruction processor of claim 35, wherein the encoding engine configuration instructions include an encoding mode setting instruction, an encoding engine enable instruction, and a decode key capture instruction. 38. The regional instruction processor of claim 33, wherein the user-provided instructions include a cryptographic function instruction and a store segmentation instruction. 39. The area command processor of claim 38, wherein the password function instructions 'contain a password setting instruction, a password change instruction, a password authentication instruction, 35 201243599 a password directory setting instruction, an attempt (attempts) The number of times of instruction and the initialization of a split request instruction. 40. The regional instruction processor of claim 39, wherein the initialization split request instruction includes a decode key set instruction and a new decode key capture pointer 41. The region instruction processing as described in claim 38 The storage partitioning instruction includes a virtual storage attribute retrieval instruction, an initialization split size instruction, and a formatting instruction. 42. A method provided by a manufacturer of a solid state disk system, comprising the steps of: loading a manufacturer preset setting in a secure virtual storage controller of the solid state disk system; configuring the secure virtual storage controller; configuring the An encoding engine of one of the solid state disk systems; and enabling the encoding engine to use the solid state disk system. 43. A method for configuring a virtual storage processor of a solid state disk system, comprising the steps of: setting the virtual storage processor to a virtual storage mode; aggregating the virtual storage according to a physical storage device directory; establishing a a virtual storage device directory; according to the device directory, an entity to a logical address table is established by the virtual storage processor; and a state of one of the virtual storage processors is set to ready. 44. A method for configuring an encoding engine of a solid state disk system, comprising the steps of: S36 201243599: transmitting an encoding mode setting command; transmitting an attempt to set a maximum number of instructions; transmitting a decoding key 撷Obtaining a command and providing a random number key; when a master password is requested, sending a master password capture command; when a master password is requested, sending a master password setting command; storing the decode key; and The encoding engine provision flag is set to ready. The method of claim 44, wherein when the solid state disk system is set to a management mode, the decoding key is stored in a management server, wherein the solid state disk system is not set to In a management mode, the decoding key is stored in a universal serial bus device beacon. The method of claim 45, wherein the encoding engine is disabled. 47. A computer readable recording medium, the computer readable recording medium comprising program instructions for configuring a virtual storage processor, the program instructions comprising: setting the virtual storage processor to a virtual storage mode; The storage device directory aggregates the virtual storage; establishing a virtual storage device directory; establishing, by the virtual storage processor, an entity to a logical address table according to the device directory; and setting a state of one of the virtual storage processors to be ready. 48. A computer readable recording medium, the computer readable recording medium comprising program instructions for configuring an encoding engine of a solid state disk system, the program instruction package 37 201243599 includes: transmitting an encoding mode setting instruction; One attempt to set a maximum number of instructions; send a decode key capture command and provide a random number key; when a master password is requested, a master password capture command is sent; when a master password is required, Sending a master password setting command; storing the decoding key; and setting an encoding engine supply flag to be ready. 49. The computer-readable recording medium containing the program instructions as claimed in claim 48, wherein the decoding key is stored in a management server when the solid state disk system is set to a management mode, wherein When the solid state disk system is not set to a management mode, the decoding key is stored in a universal serial bus device beacon. A computer readable recording medium containing program instructions as described in claim 49, wherein the encoding engine can be disabled. 33 S