WO2021008105A1 - Data transmission method and device in tee system - Google Patents


Publication number
WO2021008105A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
data
offset address
bytes
tee
Prior art date
Application number
PCT/CN2020/071288
Other languages
French (fr)
Chinese (zh)
Inventor
刘琦
赵博然
闫莺
魏长征
Original Assignee
创新先进技术有限公司
Priority date
Filing date
Publication date
Application filed by 创新先进技术有限公司
Priority to US16/785,312 (US10699015B1)
Priority to US16/915,585 (US11042642B2)
Publication of WO2021008105A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/544 Buffers; Shared memory; Pipes

Definitions

  • the embodiments of this specification relate to the field of TEE technology, and more specifically, to a data transmission method and device in a TEE system.
  • A Trusted Execution Environment (TEE) is a secure and trusted zone in the processor, which can ensure the security, confidentiality and integrity of the code and data placed in it.
  • TEE provides an isolated execution environment. Code and data can run in this trusted area, and computation is not interfered with by the conventional operating system while it runs, so that the confidentiality and integrity of the code and data can be guaranteed.
  • Compared with conventional operating systems, TEE (EAL2+) provides a higher level of security; compared with SE (EAL5), it provides more functions and better performance.
  • There are many ways to implement TEE, such as Intel's SGX, AMD's SEV, ARM's TrustZone, etc.
  • Because TEE provides an isolated execution environment, the communication between the non-TEE environment and the TEE environment is generally invoked through special instructions, such as smc call (TrustZone) or ecall Ocall (SGX).
  • the embodiments of this specification aim to provide a more effective solution for data transmission in the TEE system to solve the deficiencies in the prior art.
  • the TEE system includes a TEE side and a non-TEE side.
  • the non-TEE side includes shared memory, and the shared memory includes a first address, a second address, and a plurality of consecutive third addresses, wherein the first address is used to store a write offset address, and the write offset address indicates a writable start address among the plurality of third addresses, the second address is used to store a read offset address, the read offset address indicates a readable start address among the plurality of third addresses, and the third address is used to store data from the TEE side. The method is executed by the first thread from the TEE side, including:
  • the first data is any one of the following data: logs, monitoring data, and statistical data.
  • the method further includes waiting when the number of bytes of the first data is greater than the number of writable bytes.
  • the shared memory further includes a fourth address for storing the number of discarded data
  • the method further includes, in a case where the number of bytes of the first data is greater than the number of writable bytes, discarding the first data and increasing the number of discarded data stored in the fourth address by one.
  • the number of discarded data is an atomic variable.
  • the write offset address is before the read offset address, and the number of writable bytes is equal to the read offset address minus the write offset address.
  • the write offset address is after the read offset address, and the number of writable bytes is equal to the number of third addresses minus the number of unwritable bytes, wherein the number of unwritable bytes is equal to the difference between the write offset address and the read offset address.
  • the write offset address is the same as the read offset address, and the number of writable bytes is equal to the number of all third addresses.
  • the TEE system is an SGX system
  • the predetermined function is an Ocall function
  • the TEE system includes a TEE side and a non-TEE side.
  • the non-TEE side includes a shared memory, and the shared memory includes a first address, a second address, and a plurality of consecutive third addresses, wherein the first address is used to store a write offset address, and the write offset address indicates a writable start address among the plurality of third addresses, the second address is used to store a read offset address, the read offset address indicates a readable start address among the plurality of third addresses, and the third address is used to store data from the TEE side.
  • the device is deployed in the first thread from the TEE side, including:
  • the first obtaining unit is configured to obtain first data
  • the calling unit is configured to call a predetermined function using the first data as an input parameter to switch to the non-TEE side;
  • the second obtaining unit is configured to obtain the write offset address by reading the first address
  • the third obtaining unit is configured to obtain the read offset address by reading the second address
  • the determining unit is configured to determine whether the number of bytes of the first data is less than or equal to the number of writable bytes, wherein the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte;
  • the writing unit is configured to write the first data into a third address starting from the write offset address when the number of bytes of the first data is less than or equal to the number of writable bytes;
  • the update unit is configured to update the write offset address in the first address
  • the return unit is configured to return to the TEE side.
  • the device further includes a waiting unit configured to wait when the number of bytes of the first data is greater than the number of writable bytes.
  • the shared memory further includes a fourth address for storing the number of discarded data
  • the device further includes a discarding unit configured to: when the number of bytes of the first data is greater than the number of writable bytes, discard the first data and increase the number of discarded data stored in the fourth address by one.
  • Another aspect of this specification provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed in a computer, the computer is caused to execute any of the above methods.
  • Another aspect of this specification provides a computing device including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, any one of the above methods is implemented.
  • a high-performance asynchronous data transmission system is provided for the TEE environment, such as an asynchronous log printing system, which reduces the overhead of the TEE system for printing logs and improves the running speed of the TEE system, while meeting some basic requirements of the log system.
  • FIG. 1 shows a schematic diagram of a TEE system 100 and data flow therein according to an embodiment of the present specification
  • Figure 2 shows a flow chart of a data transmission method in a TEE system according to an embodiment of this specification
  • Fig. 3 schematically shows a schematic diagram of a data structure in a shared memory according to an embodiment of the present specification
  • Figures 4 to 8 respectively show the write offset address and the read offset address in the process of transmitting data through the shared memory
  • Figure 9 shows a shared memory data structure according to another embodiment of this specification.
  • Fig. 10 shows a flow chart of a data transmission method in a TEE system according to an embodiment of this specification
  • FIG. 11 shows a data transmission device 1100 in a TEE system according to an embodiment of this specification.
  • FIG. 1 shows a schematic diagram of the TEE system 100 and the data flow therein according to an embodiment of the present specification.
  • the system 100 includes a TEE side 11 and a non-TEE side 12.
  • a dedicated buffer register 121 is preset on the non-TEE side 12 as a shared memory for buffering specific data (such as logs) transmitted from the TEE side.
  • a first thread runs on the TEE side 11, and the first thread can acquire first data (for example, log data), and stores the first data in the buffer register 121 by calling, for example, a printing function (_pringf).
  • the _pringf function can be switched to a non-TEE side thread by calling the Ocall function.
  • the first thread writes the log into the buffer register 121, after which, the first thread returns to the TEE side for subsequent steps.
  • a second thread runs on the non-TEE side 12, and the second thread reads the stored data from the buffer register 121 by periodically calling the pop function, for example in a polling manner, reading for example the second data in one read. After reading the second data, the second thread sends the second data to a specific program on the non-TEE side (for example, the log system log4cplus) for data printing.
  • Fig. 2 shows a flow chart of a data transmission method in a TEE system according to an embodiment of the specification.
  • the TEE system includes a TEE side and a non-TEE side.
  • the non-TEE side includes shared memory, and the shared memory includes a first address, a second address, and a plurality of consecutive third addresses, wherein the first address is used to store a write offset address, and the write offset address indicates a writable start address among the plurality of third addresses, the second address is used to store a read offset address, the read offset address indicates a readable start address among the plurality of third addresses, and the third address is used to store data from the TEE side. The method is executed by the first thread from the TEE side, including:
  • Step S202 obtain first data
  • Step S204 calling a predetermined function with the first data as an input parameter to switch to the non-TEE side;
  • Step S206 Obtain the write offset address by reading the first address
  • Step S208 Obtain a read offset address by reading the second address
  • Step S210 Determine whether the number of bytes of the first data is less than or equal to the number of writable bytes, where the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte;
  • Step S212 in the case that the number of bytes of the first data is less than or equal to the number of writable bytes, write the first data into a third address starting from the write offset address;
  • Step S214 updating the write offset address in the first address
  • Step S216 return to the TEE side.
  • Fig. 3 schematically shows a schematic diagram of a data structure in a shared memory according to an embodiment of the present specification.
  • the shared memory includes a first address, a second address, and a plurality of consecutive third addresses.
  • Each address in the memory can write one byte, where the first address is used to store the write offset address, and the write offset address indicates the start address that can be written in the third address; the second address is used to A read offset address is stored, and the read offset address indicates a readable start address in the third address; the third address is used to store data that is expected to be transmitted from the TEE side to the non-TEE side.
  • the start address that can be written in the third address is the first address, that is, address "1". Therefore, the write offset address stored in the first address is "1".
  • the read offset address in the second address at this time is also address "1"; the figure schematically shows the third address (i.e., address "1") to which the read offset address (indicated by R in the figure) and the write offset address (indicated by W in the figure) each correspond.
  • in the shared memory, only the plurality of third addresses are required to be consecutive addresses, and the positional relationship between the first address, the second address, and the third addresses is not particularly limited. For example, the first address and the second address may be located at both ends of the third addresses, or the first address and the second address may be located after the third addresses, and so on.
  • FIG. 3 schematically shows that the shared memory includes 10 consecutive third addresses
  • the number of third addresses included in the shared memory can be determined according to the specific number of bytes of data to be transmitted.
  • the data to be transmitted is a log on the TEE side.
  • the log usually has tens of bytes. Therefore, the shared memory can be set to include hundreds of consecutive third addresses.
  • the method is executed by the first thread running on the TEE side to write data to the third address of the shared memory.
  • the first thread is for example used to transfer data from the TEE side to the non-TEE side.
  • in the process of transmitting data from the TEE side, after data is written to the shared memory through this method, the data is transferred to the target program by another thread on the non-TEE side. The method therefore transmits data asynchronously, and is suitable for data that does not require high real-time performance, has a large transmission volume, and has high performance requirements.
  • the specific data is, for example, logs, monitoring data, statistical data, and so on.
  • step S202 first data is acquired.
  • the first data is, for example, a log generated in the TEE.
  • the TEE side stores it, for example, in a predetermined memory location on the TEE side.
  • the first thread may be preset to periodically read the log from the predetermined memory location, so that the data to be transmitted may be periodically acquired to periodically execute the method.
  • Step S204 calling a predetermined function with the first data as an input parameter to switch to the non-TEE side.
  • the TEE system is, for example, an SGX system, and the SGX system includes an enclave as a trusted execution environment (TEE).
  • the first thread can switch to the non-enclave side (that is, the non-TEE side) by calling the Ocall function.
  • the Ocall function is a data transmission method provided in the SGX system.
  • the CPU is switched to the non-enclave side.
  • the Ocall function is called with the first data as the input parameter
  • the registers on the enclave side are backed up on the enclave side, and the first data is transferred to the non-TEE side by using the first data as the input parameter, and then on the non-TEE side.
  • the enclave side restores the register information of the non-enclave side, which includes storing the first data as the input parameter in the register.
  • the subsequent steps can then be performed by calling other functions.
  • step S206 the write offset address is obtained by reading the first address.
  • step S208 the read offset address is obtained by reading the second address.
  • FIGS. 4 to 8 respectively show the write offset address and the read offset address in the process of transmitting data through the shared memory. In FIGS. 4 to 8, each box corresponds to an address, the data inside the box is the one byte of data stored in it, the number below the box is the address identifier, and "R" and "W", as described above, correspond to the read offset address and the write offset address respectively.
  • data reading has been performed from the read offset address on the non-TEE side through the method described below, and the read can only read up to the address before the write offset address, that is, the read process reads the eight bytes "ab\n\0cd\n\0" that have been written in the shared memory.
  • the write offset address stored in the first address still points to address 9
  • the read offset address stored in the second address points to the address after the second "\0", that is, it is also address 9.
  • the shared memory has been read on the non-TEE side again, specifically from the read offset address (address 9) to the address preceding the write offset address (address 2). After the read, the write offset address in the first address still points to address 3, and the read offset address in the second address also points to address 3.
  • step S210 it is judged whether the number of bytes of the first data is less than or equal to the number of writable bytes, wherein the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte.
  • the read offset address and the write offset address point to the same address, and the number of writable bytes is the total number of third addresses, that is, 10.
  • the write offset address is after the read offset address
  • the number of writable bytes is the number of the third address minus the number of unwritable bytes
  • the number of unwritable bytes is the write offset
  • the write offset address is before the read offset address.
  • the number of writable bytes is the difference between the read offset address and the write offset address.
  • step S212 in the case where the number of bytes of the first data is less than or equal to the number of writable bytes, the first data is written into a third address starting from the write offset address.
  • the number of writable bytes is 6. When the first data to be written is the 4 bytes "ef\n\0", since 4 < 6, the 4 bytes of "ef\n\0" can be written into the four addresses 5, 6, 7, and 8.
  • Figure 9 shows a shared memory data structure according to another embodiment of the specification. In this data structure, in addition to the first address, the second address, and the third address described in FIG.
  • the fourth address stores the number of discarded data. After discarding the first data as described above, the number of discarded data is increased by 1 in the fourth address. In one embodiment, the number of discarded data is an atomic variable, so that data security can be ensured when the TEE side and non-TEE side dual threads operate simultaneously.
  • step S214 the write offset address in the first address is updated.
  • the initial write offset address "1" is updated to the write offset address "5", so that the write offset address can be read at the next write or read.
  • the latest write offset address "5" can be read, so as to calculate the number of writable bytes.
  • step S216 return to the TEE side.
  • the first thread may be preset to return to the TEE side after performing step S214, so that the first thread will automatically return to the TEE side after performing step S214 to perform subsequent steps on the TEE side, for example, repeat the method again.
  • Fig. 10 shows a flow chart of a data transmission method in a TEE system according to an embodiment of the present specification.
  • the TEE system includes a TEE side and a non-TEE side.
  • the non-TEE side includes shared memory, and the shared memory includes a first address, a second address, and a plurality of consecutive third addresses, wherein the first address is used to store a write offset address, and the write offset address indicates a writable start address among the plurality of third addresses, the second address is used to store a read offset address, the read offset address indicates a readable start address among the plurality of third addresses, and the third address is used to store data from the TEE side. The method is executed by the non-TEE side, including:
  • Step S1002 obtain the write offset address by reading the first address
  • Step S1004 Obtain a read offset address by reading the second address
  • Step S1006 Read unread bytes in the write data in the third address as second data, where the unread bytes are determined based on the write offset address and the read offset address, and each address corresponds to one byte;
  • Step S1008 Update the read offset address in the second address.
  • This method may be executed by a second thread running on the non-TEE side, and the second thread may also belong to the aforementioned process for transmitting data from the TEE side to the non-TEE side.
  • step S1002 and step S1004 reference may be made to the above description of step S206 and step S208, which will not be repeated here.
  • step S1006 read unread bytes in the write data in the third address as second data, where the unread bytes are determined based on the write offset address and the read offset address, and each address corresponds to one byte.
  • the read offset address and the write offset address point to the same address, and the third address does not include unread bytes.
  • the write offset address is after the read offset address, and all unread bytes in the third address include each byte from the read offset address to the address preceding the write offset address.
  • the write offset address is 5 and the read offset address is 1, so that all unread bytes are the bytes in addresses 1 to 4.
  • the write offset address is before the read offset address.
  • the all unread bytes are the bytes other than the read bytes in the third address.
  • the read bytes include each byte from the write offset address to the address preceding the read offset address.
  • the write offset address is 3 and the read offset address is 9, so that the read bytes are the bytes in each address from address 3 to address 8, and all unread bytes are the bytes in addresses 1-2 and addresses 9-10.
  • it can be understood that in this step, it is not necessary to read all the unread bytes in the third address, but only part of the unread bytes may be read. For example, it can be preset to read only 3 bytes at a time, so that the first three bytes of all unread bytes can be read in one read, and the remaining unread byte can be left to be read at the next read.
  • step S1008 the read offset address in the second address is updated.
  • the second data is log data
  • the method further includes, after updating the read offset address in the second address, sending the second data to the log printing program on the non-TEE side to print the second data.
  • the printing includes, for example, displaying on a display or storing in a hard disk.
  • FIG. 11 shows a data transmission device 1100 in a TEE system according to an embodiment of the present specification.
  • the TEE system includes a TEE side and a non-TEE side.
  • the non-TEE side includes a shared memory, and the shared memory includes a first address, a second address, and a plurality of consecutive third addresses, wherein the first address is used to store a write offset address, and the write offset address indicates a writable start address among the plurality of third addresses, the second address is used to store a read offset address, the read offset address indicates a readable start address among the plurality of third addresses, and the third address is used to store data from the TEE side
  • the device is deployed in the first thread from the TEE side, including:
  • the first obtaining unit 1101 is configured to obtain first data
  • the calling unit 1102 is configured to call a predetermined function using the first data as an input parameter to switch to the non-TEE side;
  • the second obtaining unit 1103 is configured to obtain the write offset address by reading the first address
  • the third obtaining unit 1104 is configured to obtain the read offset address by reading the second address
  • the determining unit 1105 is configured to determine whether the number of bytes of the first data is less than or equal to the number of writable bytes, wherein the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte;
  • the writing unit 1106 is configured to write the first data into a third address starting from the write offset address when the number of bytes of the first data is less than or equal to the number of writable bytes;
  • the update unit 1107 is configured to update the write offset address in the first address
  • the returning unit 1108 is configured to return to the TEE side.
  • the device further includes a waiting unit 1109 configured to wait when the number of bytes of the first data is greater than the number of writable bytes.
  • the shared memory further includes a fourth address for storing the number of discarded data
  • the device further includes a discarding unit 1110 configured to: when the number of bytes of the first data is greater than the number of writable bytes, discard the first data and increase the number of discarded data stored in the fourth address by one.
  • Another aspect of this specification provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed in a computer, the computer is caused to execute any of the above methods.
  • Another aspect of this specification provides a computing device including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, any one of the above methods is implemented.
  • the shared memory includes the above-mentioned first to fourth addresses. The first address and the second address are each written by only one side and only read by the other side, so there is no problem of simultaneous writing.
  • a high-performance asynchronous data transmission system is provided for the TEE environment, such as an asynchronous log printing system, which reduces the overhead of the TEE system for printing logs, improves the running speed of the TEE system, and satisfies some basic requirements of the log system.
  • the steps of the method or algorithm described in the embodiments disclosed herein can be implemented by hardware, a software module executed by a processor, or a combination of the two.
  • the software module can be placed in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disks, removable disks, CD-ROMs, or any other form of storage medium known in the technical field.
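The write path (steps S206 to S214) and the read path (steps S1002 to S1008) described above, as an added C example that is not code from the patent; `ring_t`, `ring_write`, `ring_read` and the helper names are hypothetical, and offsets are 0-based, so page address k is offset k-1. Two checks are assumptions of this example rather than steps on the page: offsets read from the shared memory are range-checked, and a write must be strictly smaller than the writable count, because using every writable byte would leave the write offset equal to the read offset, which the page defines as the state with no unread bytes.

```c
/* Added example, not code from the patent. ring_t, ring_write and ring_read
 * are hypothetical names; offsets are 0-based (page address k = offset k-1). */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE 10u              /* the ten consecutive "third addresses" of FIG. 3 */

typedef struct {
    _Atomic uint32_t write_off;    /* "first address": stored only by the writer  */
    _Atomic uint32_t read_off;     /* "second address": stored only by the reader */
    _Atomic uint32_t dropped;      /* "fourth address": count of discarded data   */
    uint8_t data[RING_SIZE];       /* "third addresses", one byte per address     */
} ring_t;

/* Step S210: writable bytes from the two offsets, the page's three cases. */
static uint32_t writable_bytes(uint32_t w, uint32_t r)
{
    if (w == r) return RING_SIZE;        /* same address: everything is writable */
    if (w < r)  return r - w;            /* write offset before read offset      */
    return RING_SIZE - (w - r);          /* write offset after read offset       */
}

/* Step S1006: unread bytes are the addresses that are not writable. */
static uint32_t unread_bytes(uint32_t w, uint32_t r)
{
    return RING_SIZE - writable_bytes(w, r);
}

/* Copy len bytes into the ring at off, wrapping past the last address. */
static void copy_in(ring_t *q, uint32_t off, const uint8_t *src, uint32_t len)
{
    uint32_t first = RING_SIZE - off < len ? RING_SIZE - off : len;
    memcpy(q->data + off, src, first);
    memcpy(q->data, src + first, len - first);
}

/* Steps S206-S214. Returns 0 on success, -1 if the data was discarded,
 * -2 if an offset read from shared memory is out of range. */
static int ring_write(ring_t *q, const void *buf, uint32_t len)
{
    uint32_t w = atomic_load_explicit(&q->write_off, memory_order_relaxed);
    uint32_t r = atomic_load_explicit(&q->read_off, memory_order_acquire);

    /* Assumption of this example: the offsets sit in non-TEE memory, so they
     * are range-checked before being used as indexes. */
    if (w >= RING_SIZE || r >= RING_SIZE) return -2;

    /* Assumption of this example: strict '<' rather than the page's '<='.
     * Using every writable byte would leave w == r, the empty state. */
    if (len >= writable_bytes(w, r)) {
        atomic_fetch_add_explicit(&q->dropped, 1, memory_order_relaxed);
        return -1;
    }
    copy_in(q, w, buf, len);
    /* Publish the data before the new write offset becomes visible. */
    atomic_store_explicit(&q->write_off, (w + len) % RING_SIZE, memory_order_release);
    return 0;
}

/* Steps S1002-S1008. Reads at most max unread bytes, returns the count. */
static uint32_t ring_read(ring_t *q, void *out, uint32_t max)
{
    uint32_t w = atomic_load_explicit(&q->write_off, memory_order_acquire);
    uint32_t r = atomic_load_explicit(&q->read_off, memory_order_relaxed);
    if (w >= RING_SIZE || r >= RING_SIZE) return 0;

    uint32_t n = unread_bytes(w, r);
    if (n > max) n = max;
    uint32_t first = RING_SIZE - r < n ? RING_SIZE - r : n;
    memcpy(out, q->data + r, first);
    memcpy((uint8_t *)out + first, q->data, n - first);
    /* Release the bytes to the writer only after they have been copied out. */
    atomic_store_explicit(&q->read_off, (r + n) % RING_SIZE, memory_order_release);
    return n;
}

int main(void)
{
    ring_t q = {0};
    uint8_t out[RING_SIZE];

    ring_write(&q, "ab\n\0", 4);            /* constructed sample records */
    ring_write(&q, "cd\n\0", 4);
    printf("read %u bytes\n", (unsigned)ring_read(&q, out, sizeof out));
    ring_write(&q, "ef\n\0", 4);            /* wraps past the last address */
    printf("write offset %u, read offset %u, dropped %u\n",
           (unsigned)atomic_load(&q.write_off),
           (unsigned)atomic_load(&q.read_off),
           (unsigned)atomic_load(&q.dropped));
    return 0;
}
```

The sample sequence follows the offsets the page walks through for FIGS. 4 to 8: two 4-byte records, a read of all eight bytes, then a record that wraps from the last address back to the first.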

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)
  • Techniques For Improving Reliability Of Storages (AREA)

Abstract

The embodiments of the present invention provide a data transmission method and device in a TEE system. The method is executed by a first thread from a TEE side, and comprises: obtaining first data; calling a predetermined function by taking the first data as an input parameter so as to switch to a non-TEE side; obtaining a write offset address by reading a first address; obtaining a read offset address by reading a second address; determining whether the number of bytes of the first data is less than or equal to the number of writable bytes, wherein the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte; if the number of bytes of the first data is less than or equal to the number of writable bytes, writing the first data into a third address starting from the write offset address; updating the write offset address in the first address; and returning to the TEE side.

Description

TEE系统中的数据传输方法和装置Data transmission method and device in TEE system 技术领域Technical field
The embodiments of this specification relate to the field of TEE technology, and more specifically, to a data transmission method and device in a TEE system.
Background
A Trusted Execution Environment (TEE) is a secure, trusted zone in the processor that ensures the security, confidentiality and integrity of the code and data placed in it. A TEE provides an isolated execution environment: code and data run inside this trusted zone, and computation proceeds without interference from the conventional operating system, which guarantees the confidentiality and integrity of the code and data. Compared with a conventional operating system, a TEE (EAL2+) provides a higher level of security; compared with an SE (EAL5), it provides more functions and better performance. There are many TEE implementations, such as Intel's SGX, AMD's SEV and ARM's TrustZone. Because a TEE provides an isolated execution environment, communication between the non-TEE environment and the TEE environment generally goes through special instruction calls, such as smc call (TrustZone) or ecall and Ocall (SGX). For example, when the TEE side prints a log by calling an Ocall function, the call causes the CPU to switch from the TEE side to the non-TEE side and restore context information such as registers, after which the thread usually has to wait on the non-TEE side for the log printing to complete before returning to the TEE side, which incurs a certain performance loss.
Therefore, a more effective scheme for data transmission in a TEE system is needed.
Summary of the invention
The embodiments of this specification aim to provide a more effective scheme for data transmission in a TEE system, to address the deficiencies of the prior art.
To achieve the above objective, one aspect of this specification provides a data transmission method in a TEE system. The TEE system includes a TEE side and a non-TEE side, and the non-TEE side includes shared memory. The shared memory includes a first address, a second address, and a plurality of consecutive third addresses, wherein the first address is used to store a write offset address, the write offset address indicates the writable start address among the plurality of third addresses, the second address is used to store a read offset address, the read offset address indicates the readable start address among the plurality of third addresses, and the third addresses are used to store data from the TEE side. The method is executed by a first thread from the TEE side and includes:
obtaining first data;
calling a predetermined function with the first data as an input parameter, to switch to the non-TEE side;
obtaining the write offset address by reading the first address;
obtaining the read offset address by reading the second address;
determining whether the number of bytes of the first data is less than or equal to the number of writable bytes, wherein the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte;
in the case that the number of bytes of the first data is less than or equal to the number of writable bytes, writing the first data into the third addresses starting from the write offset address;
updating the write offset address in the first address; and
returning to the TEE side.
In one embodiment, the first data is any one of the following: logs, monitoring data, statistical data.
In one embodiment, the method further includes waiting in the case that the number of bytes of the first data is greater than the number of writable bytes.
In one embodiment, the shared memory further includes a fourth address for storing the number of discarded data, and the method further includes, in the case that the number of bytes of the first data is greater than the number of writable bytes, discarding the first data and adding one to the number of discarded data stored in the fourth address.
In one embodiment, the number of discarded data is an atomic variable.
In one embodiment, the write offset address is before the read offset address, and the number of writable bytes equals the read offset address minus the write offset address.
In one embodiment, the write offset address is after the read offset address, and the number of writable bytes equals the number of third addresses minus the number of unwritable bytes, wherein the number of unwritable bytes equals the write offset address minus the read offset address.
In one embodiment, the write offset address is the same as the read offset address, and the number of writable bytes equals the number of all third addresses.
In one embodiment, the TEE system is an SGX system, and the predetermined function is an Ocall function.
Another aspect of this specification provides a data transmission device in a TEE system. The TEE system includes a TEE side and a non-TEE side, and the non-TEE side includes shared memory. The shared memory includes a first address, a second address, and a plurality of consecutive third addresses, wherein the first address is used to store a write offset address, the write offset address indicates the writable start address among the plurality of third addresses, the second address is used to store a read offset address, the read offset address indicates the readable start address among the plurality of third addresses, and the third addresses are used to store data from the TEE side. The device is deployed in a first thread from the TEE side and includes:
a first obtaining unit, configured to obtain first data;
a calling unit, configured to call a predetermined function with the first data as an input parameter, to switch to the non-TEE side;
a second obtaining unit, configured to obtain the write offset address by reading the first address;
a third obtaining unit, configured to obtain the read offset address by reading the second address;
a determining unit, configured to determine whether the number of bytes of the first data is less than or equal to the number of writable bytes, wherein the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte;
a writing unit, configured to write the first data into the third addresses starting from the write offset address in the case that the number of bytes of the first data is less than or equal to the number of writable bytes;
an update unit, configured to update the write offset address in the first address; and
a return unit, configured to return to the TEE side.
In one embodiment, the device further includes a waiting unit, configured to wait in the case that the number of bytes of the first data is greater than the number of writable bytes.
In one embodiment, the shared memory further includes a fourth address for storing the number of discarded data, and the device further includes a discarding unit, configured to, in the case that the number of bytes of the first data is greater than the number of writable bytes, discard the first data and add one to the number of discarded data stored in the fourth address.
Another aspect of this specification provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed in a computer, it causes the computer to execute any of the above methods.
Another aspect of this specification provides a computing device including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, any of the above methods is implemented.
The data transmission scheme in a TEE system according to the embodiments of this specification provides the TEE environment with a high-performance asynchronous data transmission system, such as an asynchronous log printing system. It reduces the overhead of printing logs in the TEE system and increases the running speed of the TEE system, while meeting some basic requirements of a log system.
Description of the drawings
The embodiments of this specification can be made clearer by describing them with reference to the accompanying drawings:
FIG. 1 shows a schematic diagram of a TEE system 100 and the data flow therein according to an embodiment of this specification;
FIG. 2 shows a flowchart of a data transmission method in a TEE system according to an embodiment of this specification;
FIG. 3 schematically shows the data structure in the shared memory according to an embodiment of this specification;
FIGS. 4 to 8 respectively show the write offset address and the read offset address during the process of transmitting data through the shared memory;
FIG. 9 shows a shared memory data structure according to another embodiment of this specification;
FIG. 10 shows a flowchart of a data transmission method in a TEE system according to an embodiment of this specification;
FIG. 11 shows a data transmission device 1100 in a TEE system according to an embodiment of this specification.
Detailed description
The embodiments of this specification are described below with reference to the drawings.
FIG. 1 shows a schematic diagram of the TEE system 100 and the data flow therein according to an embodiment of this specification. As shown in the figure, the system 100 includes a TEE side 11 and a non-TEE side 12. A dedicated buffer register 121 is preset on the non-TEE side 12 as shared memory, for buffering specific data (such as logs) transmitted out of the TEE side. A first thread runs on the TEE side 11. The first thread can obtain first data (for example, log data) and store the first data in the buffer register 121 by calling, for example, a print function (_pringf). Specifically, if the TEE system is, for example, an SGX system, the _pringf function can switch to a non-TEE-side thread by calling an Ocall function. On the non-TEE side 12, the first thread writes the log into the buffer register 121, after which the first thread returns to the TEE side to carry out subsequent steps. A second thread runs on the non-TEE side 12. The second thread reads the stored data from the buffer register 121, for example by polling, that is, by periodically calling a pop function, and reads, for example, second data in one read. After reading the second data, the second thread sends it to a specific program on the non-TEE side (for example, the log system log4cplus) for printing.
In the above schematic diagram, a specific data structure is designed to keep the data safe when the first thread and the second thread access the shared memory at the same time; it is described in detail below.
FIG. 2 shows a flowchart of a data transmission method in a TEE system according to an embodiment of this specification. The TEE system includes a TEE side and a non-TEE side, and the non-TEE side includes shared memory. The shared memory includes a first address, a second address, and a plurality of consecutive third addresses, wherein the first address is used to store a write offset address, the write offset address indicates the writable start address among the plurality of third addresses, the second address is used to store a read offset address, the read offset address indicates the readable start address among the plurality of third addresses, and the third addresses are used to store data from the TEE side. The method is executed by a first thread from the TEE side and includes:
Step S202, obtaining first data;
Step S204, calling a predetermined function with the first data as an input parameter, to switch to the non-TEE side;
Step S206, obtaining the write offset address by reading the first address;
Step S208, obtaining the read offset address by reading the second address;
Step S210, determining whether the number of bytes of the first data is less than or equal to the number of writable bytes, wherein the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte;
Step S212, in the case that the number of bytes of the first data is less than or equal to the number of writable bytes, writing the first data into the third addresses starting from the write offset address;
Step S214, updating the write offset address in the first address; and
Step S216, returning to the TEE side.
FIG. 3 schematically shows the data structure in the shared memory according to an embodiment of this specification. As shown in FIG. 3, the shared memory includes a first address, a second address, and a plurality of consecutive third addresses. The figure schematically shows 10 third addresses, and these 10 consecutive third addresses may, for example, be identified as "1, 2, …, 10". Each address in the memory can hold one byte. The first address is used to store the write offset address, which indicates the writable start address among the third addresses; the second address is used to store the read offset address, which indicates the readable start address among the third addresses; the third addresses are used to store the data that is to be transmitted from the TEE side to the non-TEE side. For example, in the initial state, when no data has yet been stored into the shared memory from the TEE side, the writable start address among the third addresses is the first of them, that is, address "1", so the write offset address stored in the first address is "1". In this case, since a read can proceed at most up to the address before the write offset address, the read offset address in the second address is also address "1"; the figure schematically shows the third address (address "1") to which the read offset address (denoted R in the figure) and the write offset address (denoted W in the figure) each correspond. It can be understood that, in the shared memory, the only constraint is that the plurality of third addresses are consecutive; the positional relationship between the first address, the second address and the third addresses is not particularly limited. For example, the first address and the second address may be located at the two ends of the third addresses, or both may be located after the third addresses, and so on. In addition, although FIG. 3 schematically shows the shared memory as including 10 consecutive third addresses, in practice the number of third addresses in the shared memory can be determined according to the number of bytes of the data to be transmitted. For example, if the data to be transmitted is a log on the TEE side, and such a log usually has tens of bytes, the shared memory can be set to include hundreds of consecutive third addresses.
When the TEE side wants to transmit specific data to the non-TEE side, the first thread on the TEE side executes this method to write the data into the third addresses of the shared memory. The first thread belongs, for example, to a process used for transmitting data from the TEE side to the non-TEE side. After the data has been written into the shared memory by this method, another thread on the non-TEE side transfers it to the target program, so the method transmits data asynchronously. It is therefore suitable for data with low real-time requirements, large transmission volume, and high performance requirements. The specific data is thus, for example, logs, monitoring data, statistical data, and so on.
First, in step S202, first data is obtained.
The first data is, for example, a log generated in the TEE. After generating the log, the TEE side stores it, for example, in a predetermined memory location on the TEE side. The first thread may be preset to read logs from the predetermined memory location periodically, so that it periodically obtains the data to be transmitted and periodically executes the method.
In step S204, a predetermined function is called with the first data as an input parameter, to switch to the non-TEE side.
The TEE system is, for example, an SGX system, which includes an enclave as the trusted execution environment (TEE). In the enclave, the first thread can switch to the non-enclave side (that is, the non-TEE side) by calling an Ocall function. The Ocall function is a data transmission mechanism provided in the SGX system: after a thread on the enclave side calls the Ocall function, the CPU switches to the non-enclave side. Specifically, after the Ocall function is called with the first data as the input parameter, the enclave-side registers are backed up on the enclave side, the first data is passed to the non-TEE side as the input parameter, and the non-enclave-side register information is then restored on the non-enclave side, which includes storing the first data, as the input parameter, in a register. After the first thread has switched to the non-TEE side, it can carry out the subsequent steps by calling other functions.
In step S206, the write offset address is obtained by reading the first address. In step S208, the read offset address is obtained by reading the second address.
In addition to the case shown in FIG. 3, where the write offset address and the read offset address both indicate address "1" among the third addresses, FIGS. 4 to 8 respectively show the write offset address and the read offset address during the process of transmitting data through the shared memory. In FIGS. 4 to 8, each box corresponds to one address, the data inside a box is the one byte stored there, the number below a box is its address identifier, and "R" and "W", as above, mark the read offset address and the write offset address respectively.
In FIG. 4, the four bytes "ab\n\0" have been written sequentially into the third addresses by this method, starting from address 1, and the non-TEE side has not yet read data from the shared memory. In this case, the write offset address (W) stored in the first address points to the address after the one storing "\0", that is, address 5, and the read offset address (R) stored in the second address still points to address 1.
In FIG. 5, the four bytes "cd\n\0" have additionally been written sequentially by this method, starting from address 5, and the non-TEE side has still not read data from the shared memory. In this case, the write offset address (W) points to the address after the one storing the second "\0", that is, address 9, and the read offset address (R) still points to address 1.
In FIG. 6, the non-TEE side has read data starting from the read offset address, using the method described below. The read can proceed at most up to the address before the write offset address, that is, this read has consumed the eight bytes "ab\n\0cd\n\0" already written in the shared memory. In this case, the write offset address stored in the first address still points to address 9, and the read offset address stored in the second address points to the address after the second "\0", that is, also address 9.
In FIG. 7, the four bytes "ef\n\0" have additionally been written sequentially into the third addresses by the method shown in FIG. 2, starting from address 9. In this case, the read offset address is unchanged and is still address 9. During the write, once all 10 addresses have been filled, writing jumps from address 10 to address 1 and continues: the data before the read offset address has already been read, so every address from address 1 to the address before the read offset address (address 9 in this case), that is, address 8, is writable. After the write completes, the write offset address points to address 3.
In FIG. 8, the non-TEE side has read the shared memory again. Specifically, the read runs from the read offset address (address 9) up to the address before the write offset address (address 2). After this read, the write offset address in the first address still points to address 3, and the read offset address in the second address also points to address 3.
In step S210, it is determined whether the number of bytes of the first data is less than or equal to the number of writable bytes, wherein the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte.
Those skilled in the art can easily determine the writable addresses among the plurality of third addresses from the write offset address and the read offset address; since one address corresponds to one byte, the number of writable bytes follows.
For example, in the cases shown in FIG. 3, FIG. 6 and FIG. 8, the read offset address and the write offset address point to the same address, so the number of writable bytes is the number of all third addresses, that is, 10.
In the cases shown in FIGS. 4 and 5, the write offset address is after the read offset address, and the number of writable bytes is the number of third addresses minus the number of unwritable bytes, where the number of unwritable bytes is the write offset address minus the read offset address. For example, in FIG. 4, the write offset address is 5 and the read offset address is 1, so the number of unwritable bytes is 5-1=4 and the number of writable bytes is 10-4=6, corresponding to the six addresses from address 5 to address 10.
In the case shown in FIG. 7, the write offset address is before the read offset address, and the number of writable bytes is the read offset address minus the write offset address. For example, in FIG. 7, the write offset address is 3 and the read offset address is 9, so the number of writable bytes is 9-3=6, corresponding to the six addresses from address 3 to address 8.
In step S212, in the case that the number of bytes of the first data is less than or equal to the number of writable bytes, the first data is written into the third addresses starting from the write offset address.
For example, when the data already stored in the shared memory is as shown in FIG. 4, the number of writable bytes is 6, as described above. If the first data to be written is the 4 bytes "ef\n\0", then since 4<6, the 4 bytes "ef\n\0" can be written into the four addresses 5, 6, 7 and 8.
When the data already stored in the shared memory is as shown in FIG. 7, the number of writable bytes is 6, as described above. If the first data to be written is the 8 bytes "ghijkl\n\0", the number of bytes of the first data is greater than the number of writable bytes, so the data cannot be written into the shared memory. In this case, the writing thread either waits until the shared memory has enough writable bytes, or discards the first data and returns. FIG. 9 shows a shared memory data structure according to another embodiment of this specification. In addition to the first address, the second address and the third addresses described for FIG. 3, this data structure includes a fourth address, which stores the number of discarded data. After the first data is discarded as described above, the number of discarded data in the fourth address is increased by 1. In one embodiment, the number of discarded data is an atomic variable, so that data security is ensured when the two threads, on the TEE side and the non-TEE side, operate at the same time.
In step S214, the write offset address in the first address is updated.
For example, after "ab\n\0" is written into the third addresses in FIG. 3, the initial write offset address "1" is updated to the write offset address "5", so that the write offset address can be read at the next write or read. For example, when writing to the third addresses shown in FIG. 4, the latest write offset address "5" is read and used to calculate the number of writable bytes.
In step S216, the thread returns to the TEE side.
The first thread may be preset to return to the TEE side after completing step S214, so that it automatically returns to the TEE side after step S214 to carry out subsequent steps on the TEE side, for example repeating the method.
FIG. 10 shows a flowchart of a data transmission method in a TEE system according to an embodiment of this specification. The TEE system includes a TEE side and a non-TEE side, and the non-TEE side includes shared memory. The shared memory includes a first address, a second address, and a plurality of consecutive third addresses, wherein the first address is used to store a write offset address, the write offset address indicates the writable start address among the plurality of third addresses, the second address is used to store a read offset address, the read offset address indicates the readable start address among the plurality of third addresses, and the third addresses are used to store data from the TEE side. The method is executed by the non-TEE side and includes:
Step S1002, obtaining the write offset address by reading the first address;
Step S1004, obtaining the read offset address by reading the second address;
Step S1006, reading unread bytes of the written data in the third addresses as second data, wherein the unread bytes are determined based on the write offset address and the read offset address, and each address corresponds to one byte; and
Step S1008, updating the read offset address in the second address.
The method may be executed by a second thread running on the non-TEE side, and the second thread may likewise belong to the above-mentioned process used for transmitting data from the TEE side to the non-TEE side.
For step S1002 and step S1004, refer to the description of step S206 and step S208 above; the details are not repeated here.
In step S1006, unread bytes of the written data in the third addresses are read as second data, wherein the unread bytes are determined based on the write offset address and the read offset address, and each address corresponds to one byte.
Those skilled in the art can easily determine the unread bytes in the third addresses from the write offset address and the read offset address.
For example, in the cases shown in FIG. 3, FIG. 6 and FIG. 8, the read offset address and the write offset address point to the same address, so the third addresses contain no unread bytes.
In the cases shown in FIGS. 4 and 5, the write offset address is after the read offset address, and all the unread bytes in the third addresses are the bytes from the read offset address up to the address before the write offset address. For example, in FIG. 4, the write offset address is 5 and the read offset address is 1, so all the unread bytes are the bytes in addresses 1 to 4.
In the case shown in FIG. 7, the write offset address is before the read offset address. In this case, all the unread bytes are the bytes in the third addresses other than the already-read bytes, where the already-read bytes are the bytes from the write offset address up to the address before the read offset address. For example, in FIG. 7, the write offset address is 3 and the read offset address is 9, so the already-read bytes are the bytes in addresses 3 to 8, and all the unread bytes are the bytes in addresses 1-2 and addresses 9-10. It can be understood that this step does not necessarily read all the unread bytes in the third addresses; it may read only some of them. For example, the read may be preset to take only 3 bytes at a time, so that one read takes the first three of the unread bytes, and the remaining one unread byte is left for the next read.
在步骤S1008,更新所述第二地址中的读偏移地址。In step S1008, the read offset address in the second address is updated.
例如,在从图5所示的第三地址读取八个字节“ab\n\0cd\n\0”之后,将读偏移地址从“1”更新为“9”,从而便于下次写入或读取时对读偏移地址的读取。For example, after reading eight bytes "ab\n\0cd\n\0" from the third address shown in Figure 5, update the read offset address from "1" to "9" to facilitate the next time Reading the read offset address when writing or reading.
在一个实施例中,所述第二数据为日志数据,所述方法还包括,在更新所述第二地址中的读偏移地址之后,将所述第二数据发送给在非TEE侧的日志打印程序,以用于打印该第二数据。该打印例如包括在显示器上显示,或者存入硬盘中等。In an embodiment, the second data is log data, and the method further includes, after updating the read offset address in the second address, sending the second data to the log on the non-TEE side The printing program is used to print the second data. The printing includes, for example, displaying on a display or storing in a hard disk.
Fig. 11 shows a data transmission device 1100 in a TEE system according to an embodiment of this specification. The TEE system includes a TEE side and a non-TEE side. The non-TEE side includes a shared memory, and the shared memory includes a first address, a second address, and a plurality of consecutive third addresses, wherein the first address is used to store a write offset address, the write offset address indicates the writable start address among the plurality of third addresses, the second address is used to store a read offset address, the read offset address indicates the readable start address among the plurality of third addresses, and the third addresses are used to store data from the TEE side. The device is deployed in a first thread from the TEE side and includes:
a first obtaining unit 1101, configured to obtain first data;
a calling unit 1102, configured to call a predetermined function with the first data as an input parameter, so as to switch to the non-TEE side;
a second obtaining unit 1103, configured to obtain the write offset address by reading the first address;
a third obtaining unit 1104, configured to obtain the read offset address by reading the second address;
a determining unit 1105, configured to determine whether the number of bytes of the first data is less than or equal to the number of writable bytes, where the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte;
a writing unit 1106, configured to write the first data into the third addresses starting from the write offset address when the number of bytes of the first data is less than or equal to the number of writable bytes;
an update unit 1107, configured to update the write offset address in the first address; and
a returning unit 1108, configured to return to the TEE side.
In one embodiment, the device further includes a waiting unit 1109, configured to wait when the number of bytes of the first data is greater than the number of writable bytes.
In one embodiment, the shared memory further includes a fourth address for storing the number of discarded data, and the device further includes a discarding unit 1110, configured to discard the first data and increase the number of discarded data stored in the fourth address by one when the number of bytes of the first data is greater than the number of writable bytes.
Another aspect of this specification provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed in a computer, the computer is caused to execute any one of the above methods.
Another aspect of this specification provides a computing device including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, any one of the above methods is implemented.
In the embodiments of this specification, the shared memory is used by the TEE and the non-TEE environment at the same time, and the particular nature of the TEE makes it impossible to use locks to guarantee thread safety. This solution therefore uses a lock-free data structure and guarantees thread safety through its design. Specifically, the shared memory includes the first through fourth addresses described above. The first address and the second address are each written by only one side and only read by the other side, so there is no problem of simultaneous writes. For the case where one side reads while the other writes, the write offset address is updated only after the write has finished and the read offset address is updated only after the read has finished, so there is never a case where an offset address has been updated but the data has not yet been processed. As a result, data that has not been completely written is never read, and written data never overwrites unread data. Although the data stored in the third addresses is read and written by both sides, the read and write ranges are controlled by the write offset address and the read offset address, so they are in fact separate regions that do not interfere with each other. In addition, although the number of discarded data in the fourth address is also read and written at the same time, data safety is ensured by making it an atomic variable.
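The following C11 sketch models the lock-free layout and the read steps S1002 to S1008 described above in a single process; it is an added example, not code from the patent, and it performs no Ocall or enclave transition. Assumptions: the field names are hypothetical, offsets are 0-based (the figures count addresses from 1), and the range check on the offsets and the strict comparison that keeps one byte unused so that equal offsets always mean "no unread bytes" are choices of this example, not statements from the page.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE 10u /* number of "third addresses"; 10 matches the page's figures */

/* Shared-memory layout on the non-TEE side (field names are hypothetical). */
struct ring {
    _Atomic uint32_t write_off; /* "first address": stored only by the writer */
    _Atomic uint32_t read_off;  /* "second address": stored only by the reader */
    _Atomic uint32_t dropped;   /* "fourth address": atomic count of discarded data */
    uint8_t data[RING_SIZE];    /* "third addresses", one byte each, 0-based here */
};

/* Writable byte count exactly as claims 6-8 define it, for w and r in [0, n). */
static uint32_t writable_bytes(uint32_t w, uint32_t r, uint32_t n)
{
    if (w == r)
        return n;       /* offsets equal: no unread bytes */
    if (w < r)
        return r - w;   /* write offset before read offset */
    return n - (w - r); /* write offset after read offset */
}

/* Unread bytes are whatever is not writable (step S1006). */
static uint32_t unread_bytes(uint32_t w, uint32_t r, uint32_t n)
{
    return n - writable_bytes(w, r, n);
}

/* Writer: 0 = written, -1 = discarded and counted, -2 = offset out of range. */
static int ring_write(struct ring *rb, const void *src, uint32_t len)
{
    uint32_t w = atomic_load_explicit(&rb->write_off, memory_order_relaxed);
    uint32_t r = atomic_load_explicit(&rb->read_off, memory_order_acquire);
    if (w >= RING_SIZE || r >= RING_SIZE)
        return -2; /* offsets come from shared memory: range-check before indexing */
    /* Strict comparison keeps one byte unused (this example's choice, see lead-in). */
    if (len >= writable_bytes(w, r, RING_SIZE)) {
        atomic_fetch_add_explicit(&rb->dropped, 1, memory_order_relaxed);
        return -1;
    }
    uint32_t first = RING_SIZE - w; /* room before the end of the array */
    if (first > len)
        first = len;
    memcpy(rb->data + w, src, first);
    memcpy(rb->data, (const uint8_t *)src + first, len - first); /* wrapped part */
    /* Publish the new write offset only after the bytes are in place. */
    atomic_store_explicit(&rb->write_off, (w + len) % RING_SIZE, memory_order_release);
    return 0;
}

/* Reader: copies up to max unread bytes into dst; returns the count or -2. */
static int ring_read(struct ring *rb, void *dst, uint32_t max)
{
    uint32_t w = atomic_load_explicit(&rb->write_off, memory_order_acquire);
    uint32_t r = atomic_load_explicit(&rb->read_off, memory_order_relaxed);
    if (w >= RING_SIZE || r >= RING_SIZE)
        return -2;
    uint32_t n = unread_bytes(w, r, RING_SIZE);
    if (n > max)
        n = max; /* partial read: the rest stays for the next call */
    uint32_t first = RING_SIZE - r;
    if (first > n)
        first = n;
    memcpy(dst, rb->data + r, first);
    memcpy((uint8_t *)dst + first, rb->data, n - first);
    /* Release the space only after the bytes have been copied out (step S1008). */
    atomic_store_explicit(&rb->read_off, (r + n) % RING_SIZE, memory_order_release);
    return (int)n;
}

int main(void)
{
    static struct ring rb; /* zero-initialised: empty buffer, nothing dropped */
    uint8_t out[RING_SIZE];
    int rc = ring_write(&rb, "ab\n\0cd\n\0", 8); /* the record from the Fig. 5 example */
    int got = ring_read(&rb, out, 3);            /* read only three bytes per call */
    printf("write rc=%d, read %d bytes, read_off=%u, unread=%u\n", rc, got,
           (unsigned)atomic_load(&rb.read_off),
           (unsigned)unread_bytes(atomic_load(&rb.write_off),
                                  atomic_load(&rb.read_off), RING_SIZE));
    return 0;
}
```

The release store on each offset paired with the acquire load on the other side is what enforces "update the offset only after the copy has finished" on weakly ordered CPUs.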
Through the design of the above lock-free data structure, a high-performance asynchronous data transmission system, such as an asynchronous log printing system, is provided for the TEE environment. It reduces the overhead of printing logs in the TEE system and improves the running speed of the TEE system, while satisfying some basic requirements of a logging system.
It should be understood that descriptions such as "first" and "second" in this text are used only to distinguish similar concepts for simplicity of description and have no other limiting effect.
The embodiments in this specification are described in a progressive manner; for the same or similar parts of the embodiments, reference may be made to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiment is basically similar to the method embodiment, it is described relatively briefly, and for related details reference may be made to the corresponding description of the method embodiment.
The foregoing describes specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that in the embodiments and still achieve the desired results. In addition, the processes depicted in the drawings do not necessarily require the specific order shown, or a sequential order, to achieve the desired results. In some implementations, multitasking and parallel processing are also possible or may be advantageous.
Those of ordinary skill in the art should further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are executed in hardware or in software depends on the specific application and the design constraints of the technical solution. Those of ordinary skill in the art may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this application.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein can be implemented in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The specific embodiments described above further explain the purpose, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (20)

  1. A data transmission method in a TEE system, the TEE system including a TEE side and a non-TEE side, the non-TEE side including a shared memory, and the shared memory including a first address, a second address, and a plurality of consecutive third addresses, wherein the first address is used to store a write offset address, the write offset address indicates the writable start address among the plurality of third addresses, the second address is used to store a read offset address, the read offset address indicates the readable start address among the plurality of third addresses, and the third addresses are used to store data from the TEE side, the method being executed by a first thread from the TEE side and including:
    obtaining first data;
    calling a predetermined function with the first data as an input parameter, so as to switch to the non-TEE side;
    obtaining the write offset address by reading the first address;
    obtaining the read offset address by reading the second address;
    determining whether the number of bytes of the first data is less than or equal to the number of writable bytes, wherein the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte;
    when the number of bytes of the first data is less than or equal to the number of writable bytes, writing the first data into the third addresses starting from the write offset address;
    updating the write offset address in the first address; and
    returning to the TEE side.
  2. The method according to claim 1, wherein the first data is any one of the following: logs, monitoring data, statistical data.
  3. The method according to claim 1, further including waiting when the number of bytes of the first data is greater than the number of writable bytes.
  4. The method according to claim 1, wherein the shared memory further includes a fourth address for storing the number of discarded data, and the method further includes, when the number of bytes of the first data is greater than the number of writable bytes, discarding the first data and increasing the number of discarded data stored in the fourth address by one.
  5. The method according to claim 4, wherein the number of discarded data is an atomic variable.
  6. The method according to claim 1, wherein the write offset address is before the read offset address, and the number of writable bytes is equal to the read offset address minus the write offset address.
  7. The method according to claim 1, wherein the write offset address is after the read offset address, and the number of writable bytes is equal to the number of third addresses minus the number of unwritable bytes, wherein the number of unwritable bytes is equal to the write offset address minus the read offset address.
  8. The method according to claim 1, wherein the write offset address is the same as the read offset address, and the number of writable bytes is equal to the number of all the third addresses.
  9. The method according to claim 1, wherein the TEE system is an SGX system, and the predetermined function is an Ocall function.
  10. A data transmission device in a TEE system, the TEE system including a TEE side and a non-TEE side, the non-TEE side including a shared memory, and the shared memory including a first address, a second address, and a plurality of consecutive third addresses, wherein the first address is used to store a write offset address, the write offset address indicates the writable start address among the plurality of third addresses, the second address is used to store a read offset address, the read offset address indicates the readable start address among the plurality of third addresses, and the third addresses are used to store data from the TEE side, the device being deployed in a first thread from the TEE side and including:
    a first obtaining unit, configured to obtain first data;
    a calling unit, configured to call a predetermined function with the first data as an input parameter, so as to switch to the non-TEE side;
    a second obtaining unit, configured to obtain the write offset address by reading the first address;
    a third obtaining unit, configured to obtain the read offset address by reading the second address;
    a determining unit, configured to determine whether the number of bytes of the first data is less than or equal to the number of writable bytes, wherein the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte;
    a writing unit, configured to write the first data into the third addresses starting from the write offset address when the number of bytes of the first data is less than or equal to the number of writable bytes;
    an update unit, configured to update the write offset address in the first address; and
    a returning unit, configured to return to the TEE side.
  11. The device according to claim 10, wherein the first data is any one of the following: logs, monitoring data, statistical data.
  12. The device according to claim 10, further including a waiting unit, configured to wait when the number of bytes of the first data is greater than the number of writable bytes.
  13. The device according to claim 10, wherein the shared memory further includes a fourth address for storing the number of discarded data, and the device further includes a discarding unit, configured to discard the first data and increase the number of discarded data stored in the fourth address by one when the number of bytes of the first data is greater than the number of writable bytes.
  14. The device according to claim 13, wherein the number of discarded data is an atomic variable.
  15. The device according to claim 10, wherein the write offset address is before the read offset address, and the number of writable bytes is equal to the read offset address minus the write offset address.
  16. The device according to claim 10, wherein the write offset address is after the read offset address, and the number of writable bytes is equal to the number of third addresses minus the number of unwritable bytes, wherein the number of unwritable bytes is equal to the write offset address minus the read offset address.
  17. The device according to claim 10, wherein the write offset address is the same as the read offset address, and the number of writable bytes is equal to the number of all the third addresses.
  18. The device according to claim 10, wherein the TEE system is an SGX system, and the predetermined function is an Ocall function.
  19. A computer-readable storage medium on which a computer program is stored, wherein when the computer program is executed in a computer, the computer is caused to execute the method according to any one of claims 1-9.
  20. A computing device, including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, the method according to any one of claims 1-9 is implemented.
PCT/CN2020/071288 2019-07-16 2020-01-10 Data transmission method and device in tee system WO2021008105A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US16/785,312 US10699015B1 (en) 2020-01-10 2020-02-07 Method and apparatus for data transmission in a tee system
US16/915,585 US11042642B2 (en) 2019-07-16 2020-06-29 Method and apparatus for data transmission in a TEE system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910641063.8A CN110442463B (en) 2019-07-16 2019-07-16 Data transmission method and device in TEE system
CN201910641063.8 2019-07-16

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/785,312 Continuation US10699015B1 (en) 2019-07-16 2020-02-07 Method and apparatus for data transmission in a tee system

Publications (1)

Publication Number Publication Date
WO2021008105A1 true WO2021008105A1 (en) 2021-01-21

Family

ID=68430519

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/071288 WO2021008105A1 (en) 2019-07-16 2020-01-10 Data transmission method and device in tee system

Country Status (3)

Country Link
CN (1) CN110442463B (en)
TW (1) TWI718000B (en)
WO (1) WO2021008105A1 (en)

Also Published As

Publication number Publication date
CN110442463B (en) 2020-07-07
TWI718000B (en) 2021-02-01
CN110442463A (en) 2019-11-12
TW202105219A (en) 2021-02-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20841077

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20841077

Country of ref document: EP

Kind code of ref document: A1