WO2021057273A1 - Method and apparatus for realizing efficient contract calling on fpga - Google Patents

Method and apparatus for realizing efficient contract calling on fpga Download PDF

Info

Publication number
WO2021057273A1
WO2021057273A1 PCT/CN2020/107162 CN2020107162W WO2021057273A1 WO 2021057273 A1 WO2021057273 A1 WO 2021057273A1 CN 2020107162 W CN2020107162 W CN 2020107162W WO 2021057273 A1 WO2021057273 A1 WO 2021057273A1
Authority
WO
WIPO (PCT)
Prior art keywords
chip
fpga
cache
code program
external storage
Prior art date
Application number
PCT/CN2020/107162
Other languages
French (fr)
Chinese (zh)
Inventor
潘国振
魏长征
闫莺
Original Assignee
支付宝(杭州)信息技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 支付宝(杭州)信息技术有限公司 filed Critical 支付宝(杭州)信息技术有限公司
Publication of WO2021057273A1 publication Critical patent/WO2021057273A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00Digital computers in general; Data processing equipment in general
    • G06F15/76Architectures of general purpose stored program computers
    • G06F15/78Architectures of general purpose stored program computers comprising a single central processing unit
    • G06F15/7807System on chip, i.e. computer system on a single chip; System in package, i.e. computer system on one or more chips in a single package
    • G06F15/781On-chip cache; Off-chip memory
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information

Definitions

  • One or more embodiments of this specification relate to the field of blockchain technology, and in particular to a method and device for implementing efficient contract invocation on FPGA.
  • Blockchain technology is built on a transmission network (such as a peer-to-peer network).
  • the network nodes in the transmission network use chained data structures to verify and store data, and use distributed node consensus algorithms to generate and update data.
  • TEE Trusted Execution Environment
  • TEE can play the role of a black box in the hardware. Neither the code executed in the TEE nor the data operating system layer can be peeped, and only the pre-defined interface in the code can operate on it.
  • plaintext data is calculated in TEE instead of complex cryptographic operations in homomorphic encryption. There is no loss of efficiency in the calculation process. Therefore, the combination with TEE can achieve less performance loss. Under the premise, the security and privacy of the blockchain are greatly improved. At present, the industry is very concerned about the TEE solution.
  • TEE solutions including TPM (Trusted Platform Module) in software and Intel SGX (Software Guard Extensions) in hardware. , Software Protection Extension), ARM Trustzone (trust zone) and AMD PSP (Platform Security Processor, platform security processor).
  • one or more embodiments of this specification provide a method and device for implementing efficient contract invocation on FPGA.
  • a method for implementing efficient contract invocation on FPGA includes: FPGA structure loads the deployed circuit logic configuration file to the FPGA chip contained in itself, so that the An on-chip processor and an on-chip cache are respectively formed on the FPGA chip; wherein the FPGA structure further includes an external storage connected to the FPGA chip; the FPGA structure determines the smart contract of the transaction call received by the belonging blockchain node; The FPGA structure reads the code program of the smart contract from the on-chip cache for the on-chip processor to run, and the code program is obtained by the FPGA structure from the external storage and cached in the on-chip cache.
  • an apparatus for implementing efficient contract invocation on FPGA including: a loading unit, which enables the FPGA structure to load the deployed circuit logic configuration file to the FPGA chip contained in itself , To respectively form an on-chip processor and an on-chip cache on the FPGA chip; wherein the FPGA structure further includes an external storage connected to the FPGA chip; the determining unit enables the FPGA structure to determine the blockchain node to which it belongs The smart contract invoked by the transaction; the reading unit causes the FPGA structure to read the code program of the smart contract from the on-chip cache for the on-chip processor to run, the code program from the FPGA structure The external storage acquires and caches to the on-chip cache.
  • an electronic device including: a processor; a memory for storing executable instructions of the processor; wherein the processor runs the executable instructions In order to realize the method as described in the first aspect.
  • a computer-readable storage medium on which computer instructions are stored, and when the instructions are executed by a processor, the steps of the method described in the first aspect are implemented.
  • Fig. 1 is a flowchart of a method for implementing efficient contract invocation on FPGA provided by an exemplary embodiment.
  • Fig. 2 is a schematic structural diagram of a blockchain node provided by an exemplary embodiment.
  • Fig. 3 is a schematic diagram of forming a functional module on an FPGA chip provided by an exemplary embodiment.
  • Fig. 4 is a schematic structural diagram of an on-chip cache module provided by an exemplary embodiment.
  • Fig. 5 is a schematic diagram of implementing preloading in an on-chip cache module according to an exemplary embodiment.
  • Fig. 6 is a block diagram of a device for implementing efficient contract invocation on FPGA provided by an exemplary embodiment.
  • the steps of the corresponding method are not necessarily executed in the order shown and described in this specification.
  • the method may include more or fewer steps than described in this specification.
  • a single step described in this specification may be decomposed into multiple steps for description in other embodiments; and multiple steps described in this specification may also be combined into a single step in other embodiments. description.
  • Block chains are generally divided into three types: Public Blockchain, Private Blockchain and Consortium Blockchain.
  • the public chain is represented by Bitcoin and Ethereum. Participants who join the public chain can read the data records on the chain, participate in transactions, and compete for the accounting rights of new blocks. Moreover, each participant (ie, node) can freely join and exit the network, and perform related operations.
  • the private chain is the opposite.
  • the write permission of the network is controlled by an organization or institution, and the data read permission is regulated by the organization.
  • the private chain can be a weakly centralized system with strict restrictions and few participating nodes.
  • This type of blockchain is more suitable for internal use by specific institutions.
  • Consortium chain is a block chain between public chain and private chain, which can realize "partial decentralization".
  • Each node in the alliance chain usually has a corresponding entity or organization; participants are authorized to join the network and form a stakeholder alliance to jointly maintain the operation of the blockchain.
  • the nodes in the blockchain network may use a solution that combines the blockchain and the TEE (Trusted Execution Environment).
  • TEE Trusted Execution Environment
  • TEE is a secure extension based on CPU hardware and a trusted execution environment that is completely isolated from the outside.
  • TEE was first proposed by Global Platform to solve the security isolation of resources on mobile devices, and parallel to the operating system to provide a trusted and secure execution environment for applications.
  • ARM's Trust Zone technology is the first to realize the real commercial TEE technology. With the rapid development of the Internet, security requirements are getting higher and higher. Not only mobile devices, cloud devices, and data centers have put forward more demands on TEE.
  • TEE has also been rapidly developed and expanded.
  • the TEE now referred to is a more generalized TEE compared to the original concept.
  • server chip manufacturers Intel and AMD have successively introduced hardware-assisted TEE and enriched the concepts and features of TEE, which has been widely recognized in the industry.
  • SGX provides an enclave (also known as an enclave), which is an encrypted trusted execution area in the memory, and the CPU protects data from being stolen.
  • enclave also known as an enclave
  • the CPU protects data from being stolen.
  • a part of the area EPC Enclave Page Cache, enclave page cache or enclave page cache
  • the encryption engine MEE Memory Encryption Engine
  • the first step in using TEE is to confirm the authenticity of TEE.
  • the related technology provides a remote certification mechanism for the above-mentioned SGX technology to prove that the SGX platform on the target device and the challenger have deployed the same configuration file.
  • the TEE technology in the related technology is implemented by software or a combination of software and hardware, even if the remote attestation method can indicate to a certain extent that the configuration file deployed in the TEE has not been tampered with, the TEE itself depends on the operation The environment cannot be verified.
  • a virtual machine for executing smart contracts needs to be configured in the TEE.
  • the instructions executed by the virtual machine are not directly executed, but actually executed corresponding X86 instructions (Assuming that the target device adopts the X86 architecture), which poses a certain degree of security risk.
  • this specification proposes a hardware TEE technology based on FPGA implementation.
  • FPGA implements hardware TEE by loading circuit logic configuration files. Because the content of the circuit logic configuration file can be checked and verified in advance, and the FPGA is configured and operated completely based on the logic recorded in the circuit logic configuration file, it can be ensured that the hardware TEE implemented by the FPGA has relatively higher security.
  • the code programs of the smart contracts in related technologies are all deployed at the blockchain nodes, which makes the FPGA need to frequently obtain the code programs from the blockchain nodes, which consumes a lot of resources.
  • Fig. 1 is a flowchart of a method for implementing efficient contract invocation on FPGA provided by an exemplary embodiment. As shown in Figure 1, the method is applied to the FPGA structure and may include steps 102-106.
  • Step 102 The FPGA structure loads the deployed circuit logic configuration file to the FPGA chip contained in itself, so as to form an on-chip processor and an on-chip cache on the FPGA chip; wherein, the FPGA structure also includes a connection to the FPGA chip External storage.
  • the FPGA chip contains a number of editable hardware logic units. After these hardware logic units are configured via a circuit logic configuration file, they can be implemented as corresponding functional modules to implement corresponding logic functions. Specifically, the circuit logic configuration file can be burned to the FPGA structure based on the form of a bit stream.
  • the above-mentioned on-chip processor is formed by the deployed circuit logic configuration file, and by further deploying other related functional modules, the FPGA structure can be configured as a hardware TEE on the blockchain node. Since these functional modules are completely configured by the circuit logic configuration file, it is possible to determine the logic and other aspects of the information realized by the functional module configured by checking the circuit logic configuration file to ensure that the functional module can be configured according to the complete user’s requirements. Needs to be formed and run.
  • the above-mentioned on-chip processor is used to implement virtual machine logic.
  • the virtual machine logic may include the execution logic of the Ethereum virtual machine or the execution logic of the WASM virtual machine, etc. This specification does not limit this.
  • the circuit logic configuration file can be deployed locally to the FPGA structure.
  • the deployment operation can be implemented in an offline environment to ensure safety.
  • the user can remotely deploy the circuit logic configuration file to the FPGA structure.
  • Step 104 The FPGA structure determines the smart contract called by the transaction received by the blockchain node to which it belongs.
  • the FPGA structure can obtain the contract address of the smart contract called by the exchange by parsing the to field of the transaction, and obtain the code program of the corresponding smart contract based on the contract address. If the transaction is encrypted and submitted to the blockchain by the transaction initiator, the FPGA structure needs to decrypt the transaction to read the information in the to field. Wherein, by loading the above-mentioned deployed circuit logic configuration file, a decryption module can be formed on the FPGA chip, so that the transaction can be decrypted by the decryption module.
  • the FPGA structure can maintain a node private key, and the node public key corresponding to the node private key is disclosed. Then, on the one hand, the transaction initiator can obtain the above-mentioned node public key, on the other hand, it can generate a symmetric key by itself, and implement a digital envelope encryption operation on the plaintext transaction content based on the node’s public key and symmetric key: The key encrypts the plaintext transaction content to obtain the ciphertext transaction content, encrypts the symmetric key with the node public key to obtain the ciphertext symmetric key, and the above transaction includes the ciphertext transaction content and the ciphertext symmetric key.
  • the aforementioned decryption module can decrypt the ciphertext symmetric key contained in the exchange based on the node private key to obtain the symmetric key, and then the decryption module can decrypt the ciphertext transaction content based on the symmetric key to obtain the plaintext transaction content , So as to read the information in the to field in the plaintext transaction content, and determine the contract address of the smart contract called by the exchange.
  • Step 106 The FPGA structure reads the code program of the smart contract from the on-chip cache for the on-chip processor to run, and the code program is obtained by the FPGA structure from the external storage and cached in the On-chip cache.
  • the on-chip processor reads data from the on-chip cache relatively faster, but the storage space of the on-chip cache is usually relatively small and has poor scalability, which cannot meet the deployment requirements of a large number of code programs.
  • the on-chip processor is relatively slow to read data from external storage, but the storage space of external storage is usually relatively large and has good scalability, which can meet the deployment requirements of a large number of code programs. Therefore, by deploying the code program in external storage, and caching the code program from the external storage to the on-chip cache when in use, and reading the code program from the on-chip cache by the on-chip processor to run, it can satisfy the need to perform a large number of code programs.
  • the deployment requirements can also enable the on-chip processor to quickly read and run code programs to improve transaction execution efficiency.
  • the read speed that the external storage can achieve is relatively lower than the on-chip cache, compared to deploying the code program on the blockchain node, the on-chip processor reads the code program from the external storage much faster than Read from the blockchain node.
  • the above-mentioned on-chip buffer is located inside the FPGA chip and is formed by the storage device on the FPGA chip.
  • the external storage is located outside the FPGA chip and can be plugged into the interface of the FPGA structure.
  • the external storage may include an external DDR. Since the inside of the FPGA chip is considered to be in the security range and the outside of the FPGA chip is considered to be a security risk, when the code program is in the on-chip cache, it can be cached directly in plaintext, and when the code program is stored in external storage, it needs to pass through the FPGA chip.
  • the encryption module above encrypts the code program and realizes storage.
  • the encryption module is formed by loading the aforementioned deployed circuit logic configuration file on the FPGA chip.
  • the key used can be the business root key maintained by the FPGA structure or its derived secret. key.
  • the FPGA structure decrypts the code program through the decryption module described above on the FPGA chip, so as to cache the decrypted code program to the on-chip cache, so that the on-chip processor
  • the decrypted code program can be read directly from the on-chip cache.
  • a preprocessing module can be formed on the FPGA chip, and the FPGA structure can preprocess the obtained code program through the preprocessing module, and cache the preprocessed code program on the chip Cache to be read and run by the on-chip processor.
  • the preprocessing here refers to the processing operations that must be implemented in advance before executing the original code program (that is, the code program that has not been preprocessed).
  • the preprocessing is performed before being stored in the on-chip cache, so that the on-chip processor executes the code in the subsequent During the program, the computing resources and processing time required for temporary execution of preprocessing can be saved, which helps to speed up the execution of the code program.
  • the aforementioned preprocessing may include at least one of the following: parsing and converting each field contained in the code program into a preset data structure, and adjusting the offset of the jump instruction (jump instruction) in the code program.
  • the on-chip processor does not read and execute all the operating instructions contained in the code program at one time, but reads and executes the operating instructions contained in the code program one by one. Therefore, the on-chip processor can first try to read the required operation instructions from the on-chip cache; if the required operation instructions exist in the on-chip cache, the on-chip processor can read the corresponding operation instructions from the on-chip cache and execute them Compared with reading the operation instruction from external storage or blockchain nodes, it has relatively higher efficiency; and, when the required operation instruction does not exist in the on-chip cache, the FPGA structure can obtain the operation instruction from the external storage. Operation instructions are cached to the on-chip cache for the on-chip processor to read and execute.
  • the storage addresses corresponding to each operation instruction of the same code program are usually arranged in sequence. Therefore, in the case that the on-chip processor wishes to read a certain operation instruction, the on-chip processor will usually continue to read and execute other nearby operation instructions until the contract code to which these operation instructions belong is executed.
  • the FPGA structure can only obtain an operation instruction required by the on-chip processor from the external storage, in fact the FPGA structure can also obtain the code program segment containing the operation instruction from the external storage, that is, the code program segment also contains the on-chip
  • the on-chip processor can subsequently directly read the above-mentioned other operation instructions from the on-chip cache without temporarily reading from external storage. Help improve efficiency.
  • the FPGA structure can determine the initial storage address in the external storage of the above-mentioned operation instructions required by the on-chip processor, and obtain the preset address segment containing the initial storage address from the external storage, and ensure that the above-mentioned code program segment is located in the external storage. The preset address segment. Then, by reading the data corresponding to the preset address segment from the external storage, the above-mentioned code program segment can be obtained.
  • the aforementioned preset address segment may include the aforementioned initial storage address and an address located after the initial storage address, so that other operation instructions contained in the aforementioned code program segment are arranged after the aforementioned operation instructions; taking into account the on-chip
  • the processor executes the processing logic of each operation instruction from front to back in the process of executing the code program, as well as the storage logic in which the storage address of the operation instruction in the external storage is arranged in sequence.
  • the above scheme enables the operation instructions cached in the on-chip cache to be on-chip
  • the processor has a relatively higher probability of reading and executing, avoiding other operation instructions that are arranged before the above operation instructions and have a relatively lower probability of being read and executed by the on-chip processor to be stored in the on-chip cache, which helps to optimize the on-chip Reasonable use of cache.
  • the cache space in the on-chip cache can be divided into several cache blocks, and these cache blocks are respectively used to store corresponding data. Therefore, when the FPGA structure reads the code program segment corresponding to the preset address segment from the external storage, the length of the preset address segment used can be the cache length of a single cache block in the on-chip cache, that is, each time it is stored in the on-chip cache All data occupies a cache block to facilitate effective management of the on-chip cache space.
  • the read ratio of the code program segment in the on-chip cache of the FPGA structure reaches the preset ratio
  • other code program segments after the code program segment can be automatically pre-fetched from the external storage and cached in the on-chip cache without the need
  • the on-chip processor temporarily initiates a request, so that when the on-chip processor executes the contract code of the same smart contract, it only needs to request the FPGA structure to obtain it from the external storage and store it in the on-chip cache when reading the first operation instruction.
  • Other operation instructions can be efficiently read from the on-chip cache directly, which helps to improve the execution efficiency of smart contracts.
  • the FPGA structure can read the code segment corresponding to a cache block from the external storage every time and store it in the on-chip cache; when it is monitored that the read ratio of the code segment stored in the on-chip cache reaches 50% , FPGA structure can automatically read the subsequent code program segments from the external storage according to the corresponding storage address in the external storage of the previously read code program segment.
  • each cache block can be provided with a corresponding weight, and the value of the weight is negatively related to the probability that the data in the corresponding cache block is eliminated, that is, the more the weight is The smaller the probability of a large cache block being eliminated (the data contained in the cache block is eliminated) and the smaller the weight of the cache block, the greater the probability of being eliminated.
  • the cache block containing the first operation instruction in the smart contract can be stored in the on-chip cache for a relatively longer time, so that the on-chip processor has a greater probability and can directly Read the first operation instruction of a certain contract code from the on-chip cache, without the need for the FPGA structure to temporarily read from the external storage, and cooperate with the above-mentioned automatic loading scheme for subsequent operation instructions, so that the on-chip processor can always be from the on-chip cache Read the required operation instructions in the middle, so as to achieve higher operation instruction reading and execution efficiency.
  • Fig. 2 is a schematic structural diagram of a blockchain node provided by an exemplary embodiment.
  • an FPGA structure can be added to the blockchain node to implement hardware TEE.
  • the FPGA structure can be an FPGA board as shown in FIG. 2.
  • the FPGA board can be connected to the blockchain node through the PCIE interface to realize the data interaction between the FPGA board and the blockchain node.
  • FPGA boards can include FPGA chips, Flash chips, secret tube chips, and external DDR structures; of course, in some embodiments, in addition to FPGA chips and external DDRs, they may only include the remaining Flash chips and secret tube chips, etc. Part of the structure of, or may contain more structures, here are just examples.
  • no user-defined logic is programmed on the FPGA chip, which is equivalent to the FPGA chip in a blank state.
  • Users can burn circuit logic configuration files on the FPGA chip to form corresponding functions or logic on the FPGA chip.
  • the FPGA board does not have the capability of security protection, so it usually needs to provide an external security environment.
  • users can implement the programming of the circuit logic configuration file in an offline environment to achieve physical security isolation. Instead of implementing remote programming online.
  • the corresponding logic code can be formed through FPGA hardware language, and then the logic code can be mirrored to obtain the above-mentioned circuit logic configuration file.
  • the user can check the above-mentioned logic code. Especially, when multiple users are involved at the same time, multiple users can check the above logic code separately to ensure that the FPGA board can finally meet the needs of all users and prevent security risks, logic errors, fraud and other abnormalities. problem.
  • the user can burn the circuit logic configuration file to the FPGA board in the above-mentioned offline environment.
  • the circuit logic configuration file is transferred from the blockchain node to the FPGA board, and then deployed to the Flash chip as shown in Figure 2, so that even if the FPGA board is powered off, the Flash chip can still save the above-mentioned circuit logic. Configuration file.
  • Fig. 3 is a schematic diagram of forming a functional module on an FPGA chip provided by an exemplary embodiment.
  • the hardware logic unit contained in the FPGA chip can be configured to form corresponding functional modules on the FPGA chip, such as the formed functional modules It may include an on-chip cache module, a preprocessing module, a plaintext calculation module, a key agreement module, a decryption verification module, an encryption and decryption module, etc. as shown in FIG. 3.
  • the circuit logic configuration file can also be used to transmit the information that needs to be stored to the FPGA board.
  • the preset certificate can be stored on the FPGA chip, and the authentication root key can be stored in the secret tube chip (the authentication root key can also be Stored on the FPGA chip) and so on.
  • the FPGA board can realize remote key agreement with the user.
  • the key agreement process can use related technologies. Any algorithm or standard can be implemented, and this specification does not limit it.
  • the key agreement process can include: the user can generate a key Ka-1 at the local client, the key agreement module can generate a key Kb-1 locally, and the client can generate a key Kb-1 based on the key Ka- 1 Calculate the key agreement information Ka-2, the key agreement module can calculate the key agreement information Kb-2 based on the key Kb-1, and then the client sends the key agreement information Ka-2 to the key agreement module, The key agreement module sends the key agreement information Kb-2 to the client, so that the client can generate a secret value based on the key Ka-1 and the key agreement information Kb-2, and the key agreement module can be based on the key Kb -1 generates the same secret value as the key agreement information Ka-2, and finally the client and the key agreement module respectively derive the same
  • the key agreement information Ka-2 and key agreement information Kb-2 are transmitted between the client and the key agreement module via the blockchain node
  • the key Ka-1 is controlled by the client
  • the key Kb-1 is controlled by the key agreement module, so it can ensure that the blockchain node cannot know the final secret value and the configuration file deployment key, so as to avoid possible security risks.
  • the secret value is also used to derive the business secret deployment key; for example, the secret value can be derived as a 32-bit value, the first 16 bits can be used as the configuration file deployment key, and the last 16 bits can be used as the business secret deployment Key.
  • the user can deploy the service key to the FPGA board through the service secret deployment key.
  • the service key may include the node private key and the service root key.
  • the user can use the business secret deployment key on the client to sign, encrypt the node private key or the business root key, and send it to the FPGA board, so that after the FPGA board is decrypted and verified through the decryption verification module, Deploy the obtained node private key or service root key.
  • the FPGA board can be implemented as a TEE on the blockchain node to meet privacy requirements. For example, when a blockchain node receives a transaction, if the transaction is a plaintext transaction, the blockchain node can directly process the plaintext transaction, if the transaction is a private transaction, the blockchain node transmits the private transaction to the FPGA The board is processed.
  • the transaction content of a plaintext transaction is in plaintext form, and the contract status generated after the transaction is executed is also stored in plaintext form.
  • the transaction content of a private transaction is in the form of cipher text, which is obtained by encrypting the content of the transaction in plain text by the transaction initiator, and the contract state generated after the transaction is executed needs to be stored in the form of cipher text to ensure the protection of transaction privacy.
  • the transaction initiator can generate a symmetric key randomly or based on other methods.
  • the business public key corresponding to the above-mentioned business private key is disclosed, then the transaction initiator can perform transaction content in plaintext based on the symmetric key and the business public key.
  • the transaction initiator encrypts the plaintext transaction content with a symmetric key, and encrypts the symmetric key with the business public key.
  • the two parts obtained are included in the above-mentioned private transaction; in other words, the private transaction includes Two parts of content: the content of the transaction in plaintext encrypted with a symmetric key, and the symmetric key encrypted with the business public key.
  • the encryption and decryption module can use the business private key to decrypt the symmetric key encrypted with the business public key to obtain the symmetric key, and then the encryption and decryption module
  • the symmetric key is used to decrypt the plaintext transaction content encrypted with the symmetric key to obtain the plaintext transaction content.
  • Private transactions can be used to deploy smart contracts, then the data field of the plaintext transaction content can contain the contract code of the smart contract to be deployed; or, the privacy transaction can be used to call the smart contract, then the to field of the plaintext transaction content can contain the called The contract address of the smart contract, and the FPGA board can retrieve the corresponding contract code based on the contract address.
  • the FPGA board is equipped with an on-chip cache module and an external DDR at the same time.
  • the storage space of the external DDR is often larger or even much larger than the storage space of the on-chip cache module, and has a high degree of scalability, so that the external DDR can store more data. Therefore, when private transactions are used to deploy smart contracts, the FPGA board can deploy the contract code contained in the data field of the plaintext transaction content to the external DDR. Then, when the FPGA board subsequently receives a private transaction for invoking the smart contract, the FPGA board can find the corresponding contract code from the external DDR based on the contract address contained in the to field of the clear text transaction content to pass The plaintext calculation module executes the contract code.
  • the plaintext calculation module formed on the FPGA chip is used to implement virtual machine logic in related technologies, that is, the plaintext calculation module is equivalent to the "hardware virtual machine" on the FPGA board. Therefore, after the contract code is determined based on the foregoing plaintext transaction content, the contract code can be passed into the plaintext calculation module, so that the plaintext calculation module executes the contract code.
  • the plaintext calculation module is equivalent to the on-chip processor formed on the FPGA chip in this specification.
  • the FPGA board For private transactions used to deploy smart contracts, after the FPGA board obtains the contract code to be deployed, it can be directly stored in the external DDR, or it can be preprocessed through the preprocessing module, and then the preprocessed contract code can be stored in the external DDR. If it is not preprocessed by the preprocessing module before storing in the external DDR, the plaintext calculation module needs to temporarily perform preprocessing operations through the preprocessing module before it is used to execute the contract code, and then the plaintext calculation module performs preprocessing operations on the preprocessed Contract code for processing.
  • preprocessing of contract code can include several dimensions, and the preprocessing dimensions involved may be different for contract codes written in different languages or rules.
  • preprocessing can include the following two aspects:
  • Adjust the offset of the jump instruction may cause the offset of the jump instruction to be updated: by parsing the jump instruction in the contract code, the symbol identifier corresponding to the jump instruction is converted into address information that can be recognized by the on-chip processor, so that the length of the contract code changes ; Decode the encoded operands in the contract code, so that the length of the contract code changes.
  • the encoding method here may include LEB (Little-Endian Base) encoding or other encodings, for example.
  • the FPGA board can read the contract address from the to field of the privacy transaction, and obtain the corresponding code program from the external DDR based on the contract address for plaintext calculations Module execution.
  • the plaintext calculation module needs to read and execute each operation instruction contained in the code program from front to back:
  • the plaintext calculation module first accesses the on-chip cache module to read the first operation instruction from the on-chip cache module; if the read fails, that is, the first operation instruction of the corresponding code program is not cached in the on-chip cache module, the FPGA board needs Read the first operation instruction from the external DDR. After determining the storage address of the first operation instruction in the external DDR, the FPGA board does not only read the first operation instruction, but reads a code segment corresponding to the storage address and subsequent addresses, and stores it on the chip Cache module.
  • FIG. 4 is a schematic structural diagram of an on-chip cache module provided by an exemplary embodiment.
  • the on-chip cache module contains cache blocks such as B1, B2, B3, B4, B5, and B6, and these cache blocks are initially empty.
  • the FPGA board can read the above-mentioned code program segment from the external DDR according to the size of a single cache block.
  • the code program segment can be stored in the B1 cache block shown in FIG. 4. Therefore, in addition to the above-mentioned first operation instruction, that is, instruction 1, the B1 cache block also contains other instructions after instruction 1.
  • the plaintext calculation module can read instruction 1, that is, the above-mentioned first operation instruction, from the cache block B1 of the on-chip cache module and execute it. After completing the execution operation of instruction 1, the plaintext calculation module needs to execute subsequent operation instructions in sequence. In the previous steps, the FPGA board has read instruction 1 and several subsequent instructions together and stored them in the cache block B1, so the plaintext calculation module can directly read the subsequent instructions from the cache block B1 of the on-chip cache module. Operation instructions, without the need for the FPGA board to temporarily read from the external DDR, saves the waiting time of the plaintext calculation module, and can speed up the execution of the smart contract.
  • FIG. 5 is a schematic diagram of implementing preloading in an on-chip cache module according to an exemplary embodiment. As shown in Figure 5, if it is detected that the data previously stored in the buffer block B1 has been read by the plaintext calculation module to reach or exceed 50% (or other proportions), then the FPGA board can automatically read the operation instructions from the external DDR And stored in the on-chip cache module.
  • the FPGA board can read the corresponding end address in the external DDR according to the code segment previously stored in the buffer block B1, and read a code segment backward from the memory address after the end address, and store it in the on-chip cache In the module, such as cache block B2, for the plaintext calculation module to continue reading.
  • the plaintext calculation module can always read the operation instructions directly from the on-chip cache module without waiting for the FPGA board to temporarily read from the external DDR.
  • the storage space of the on-chip cache module is limited. Therefore, the on-chip cache module eliminates the stored infrequently used data through the elimination mechanism to improve the efficiency of the storage space. For example, a weight can be set for each cache block, so that a cache block with a relatively larger weight is relatively less likely to be eliminated, and a cache block with a relatively smaller weight is relatively easy to be eliminated.
  • a relatively larger weight can be set for the cache block containing the first operation instruction of the contract code of the smart contract, so that the cache block containing the first operation instruction is relatively less likely to be eliminated, so for some smart contracts that are often executed Contract, the plaintext calculation module can directly read its first operation instruction from the on-chip cache module, and then cooperate with the preload operation of the subsequent operation instructions in the above scheme, so that the plaintext calculation module can read the corresponding from the on-chip cache module without delay All contract codes of smart contracts have extremely high execution efficiency.
  • the user may want to update the version of the circuit logic configuration file deployed on the FPGA board.
  • the authentication root key contained in the circuit logic configuration file may be known by risky users, or the user wants to update the version on the FPGA board.
  • the deployed functional modules are upgraded, etc. This manual does not limit this.
  • the circuit logic configuration file that has been deployed in the above process can be referred to as the old version of the circuit logic configuration file, and the circuit logic configuration file that needs to be deployed is referred to as the new version of the circuit logic configuration file.
  • the user can generate a new version of the circuit logic configuration file through the process of writing code and mirroring. Further, the user can sign the new version of the circuit logic configuration file with his own private key, and then encrypt the signed new version of the circuit logic configuration file with the configuration file deployment key negotiated above to obtain the encrypted new version of the circuit Logical configuration file. In some cases, there may be multiple users at the same time, so the old version of the circuit logic configuration file needs to deploy the preset certificates corresponding to these users to the FPGA board, and these users need to use their own private keys to pair the new version of the circuit. Sign the logical configuration file.
  • the user can remotely send the encrypted new version of the circuit logic configuration file to the blockchain node through the client, and the blockchain node will further transfer it to the FPGA board.
  • the decryption verification module formed on the FPGA chip in the foregoing process is located on the transmission path between the PCIE interface and the Flash chip, so that the encrypted new version of the circuit logic configuration file must first be successfully processed by the decryption verification module before it can be
  • the Flash chip is passed in to achieve a credible update, and the Flash chip cannot be updated directly without bypassing the process of decryption and verification.
  • the decryption verification module After the decryption verification module receives the encrypted new version of the circuit logic configuration file, it first decrypts it with the configuration file deployment key deployed on the FPGA board. If the decryption is successful, the decryption verification module is further based on the preset certificate deployed on the FPGA chip , To perform signature verification on the decrypted new version of the circuit logic configuration file.
  • the decryption and signature verification module will trigger the termination of the update operation; and if the decryption is successful and the signature verification is passed, you can It is determined that the obtained new version of the circuit logic configuration file is from the aforementioned user and has not been tampered with during the transmission process.
  • the new version of the circuit logic configuration file can be further transmitted to the Flash chip to update and deploy the old version of the circuit logic configuration file in the Flash chip.
  • the above-mentioned plaintext calculation module, on-chip cache module, key agreement module, encryption and decryption module, decryption verification module, and storage in the FPGA chip can also be formed on the FPGA chip. Enter the preset certificate, and store the authentication root key to the secret management chip and other information.
  • the formed plaintext calculation module, on-chip cache module, key agreement module, encryption/decryption module, decryption and signature verification module, etc., the implemented functional logic can be changed and upgraded, and stored in the deployed preset certificate, authentication root Information such as keys may also be different from the information before the update.
  • the FPGA board can remotely negotiate with the user to obtain a new configuration file deployment key based on the updated key agreement module, authentication root key, etc., and the configuration file deployment key can be used for the next renewal Update process. Similarly, a reliable update operation for FPGA boards can be continuously implemented accordingly.
  • the FPGA board can generate certification results for the new version of the circuit logic configuration file.
  • the above-mentioned key agreement module can calculate the hash value of the new version of the circuit logic configuration file and the hash value of the configuration file deployment key negotiated based on the new version of the circuit logic configuration file through an algorithm such as sm3 or other algorithms.
  • the calculation result can be used as the above-mentioned authentication result, and the key agreement module sends the authentication result to the user.
  • the user can verify the authentication result on the client based on the maintained new version of the circuit logic configuration file and the configuration file deployment key negotiated accordingly. If the verification is successful, it indicates that the new version of the circuit logic configuration file is successful on the FPGA board. Deployed, and the user and the FPGA board successfully negotiated accordingly to obtain a consistent configuration file deployment key, thereby confirming the successful completion of the circuit logic configuration file update deployment.
  • Fig. 6 is a schematic structural diagram of an apparatus for implementing efficient contract invocation on FPGA provided by an exemplary embodiment.
  • the device may include: a loading unit 601, which causes the FPGA structure to load the deployed circuit logic configuration file to the FPGA chip contained in itself, so as to form an on-chip processor on the FPGA chip.
  • the FPGA structure also includes an external storage connected to the FPGA chip; a determining unit 602, enabling the FPGA structure to determine the smart contract of the transaction call received by the blockchain node to which it belongs; reading unit 603 , Enabling the FPGA structure to read the code program of the smart contract from the on-chip cache for the on-chip processor to run, and the code program is obtained by the FPGA structure from the external storage and cached on the chip Cache.
  • it further includes: an instruction determining unit 604 to enable the FPGA structure to determine the operation instructions that the on-chip processor needs to read from the code program; an instruction cache unit 605 to enable the FPGA structure to be on the chip If the operation instruction does not exist in the cache, the operation instruction is obtained from the external storage and cached in the on-chip cache, so as to be further provided to the on-chip processor.
  • the instruction cache unit 605 is specifically configured to: enable the FPGA structure to obtain the code program segment containing the operation instruction from the external storage, and cache it in the on-chip cache.
  • the instruction cache unit 605 is specifically configured to: enable the FPGA structure to determine the initial storage address of the operation instruction in the external storage; and enable the FPGA structure to obtain from the external storage including the The preset address segment of the initial storage address, and the code program segment is located in the preset address segment.
  • the preset address segment includes the initial storage address and an address located after the initial storage address.
  • the length of the preset address segment is the cache length of a single cache block in the on-chip cache.
  • the instruction cache unit 605 is specifically configured to: in the case where the read ratio of the code program segments in the on-chip cache of the FPGA structure reaches a preset ratio, store the preset ratio from the outside. Obtain other code program segments after the code program segment and cache them in the on-chip cache.
  • the code program is encrypted and stored in the external storage; the device further includes: a decryption unit 606, which enables the FPGA structure to decrypt the code program through a decryption module on the FPGA chip , To cache the decrypted code program to the on-chip cache; wherein, the decryption module is formed by loading the deployed circuit logic configuration file by the FPGA chip.
  • a decryption unit 606 which enables the FPGA structure to decrypt the code program through a decryption module on the FPGA chip , To cache the decrypted code program to the on-chip cache; wherein, the decryption module is formed by loading the deployed circuit logic configuration file by the FPGA chip.
  • a preprocessing unit 607 which enables the FPGA structure to preprocess the code program through the preprocessing module on the FPGA chip, so as to cache the preprocessed code program in the on-chip cache ;
  • the preprocessing module is formed by loading the deployed circuit logic configuration file by the FPGA chip.
  • the preprocessing includes at least one of the following: parsing and converting each field contained in the code program into a preset data structure; adjusting the offset of the jump instruction in the code program.
  • the on-chip cache includes several cache blocks; wherein, the cache block containing the first operation instruction in the smart contract corresponds to a relatively larger weight, so that the on-chip cache has a relatively longer duration .
  • a typical implementation device is a computer.
  • the specific form of the computer can be a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email receiving and sending device, and a game control A console, a tablet computer, a wearable device, or a combination of any of these devices.
  • the computer includes one or more processors (CPU), input/output interfaces, network interfaces, and memory.
  • processors CPU
  • input/output interfaces network interfaces
  • memory volatile and non-volatile memory
  • the memory may include non-permanent memory in a computer readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer readable media.
  • RAM random access memory
  • ROM read-only memory
  • flash RAM flash memory
  • Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology.
  • the information can be computer-readable instructions, data structures, program modules, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, Magnetic cassettes, disk storage, quantum memory, graphene-based storage media or other magnetic storage devices or any other non-transmission media can be used to store information that can be accessed by computing devices. According to the definition in this article, computer-readable media does not include transitory media, such as modulated data signals and carrier waves.
  • first, second, third, etc. may be used to describe various information in one or more embodiments of this specification, the information should not be limited to these terms. These terms are only used to distinguish the same type of information from each other.
  • first information may also be referred to as second information, and similarly, the second information may also be referred to as first information.
  • word “if” as used herein can be interpreted as "when” or “when” or "in response to determination”.

Abstract

Provided are a method and apparatus for realizing efficient contract calling on an FPGA. The method may comprise: an FPGA structure loading a deployed circuit logic configuration file onto an FPGA chip included in the FPGA structure, such that an on-chip processor and an on-chip cache are respectively formed on the FPGA chip, wherein the FPGA structure further includes an external memory connected to the FPGA chip; the FPGA structure determining an intelligent contract called by a transaction that is received by a blockchain node to which the FPGA structure belongs; and the FPGA structure reading a code program of the intelligent contract from the on-chip cache, such that the on-chip processor operates the code program, wherein the code program is acquired from the external storage by the FPGA structure and is cached in the on-chip cache.

Description

在FPGA上实现高效合约调用的方法及装置Method and device for implementing efficient contract calling on FPGA 技术领域Technical field
本说明书一个或多个实施例涉及区块链技术领域,尤其涉及一种在FPGA上实现高效合约调用的方法及装置。One or more embodiments of this specification relate to the field of blockchain technology, and in particular to a method and device for implementing efficient contract invocation on FPGA.
背景技术Background technique
区块链技术构建在传输网络(例如点对点网络)之上。传输网络中的网络节点利用链式数据结构来验证与存储数据,并采用分布式节点共识算法来生成和更新数据。Blockchain technology is built on a transmission network (such as a peer-to-peer network). The network nodes in the transmission network use chained data structures to verify and store data, and use distributed node consensus algorithms to generate and update data.
目前企业级的区块链平台技术上最大的两个挑战就是隐私和性能,往往这两个挑战很难同时解决。大多解决方案都是通过损失性能换取隐私,或者不大考虑隐私去追求性能。常见的解决隐私问题的加密技术,如同态加密(Homomorphic encryption)和零知识证明(Zero-knowledge proof)等复杂度高,通用性差,而且还可能带来严重的性能损失。At present, the two biggest challenges in enterprise-level blockchain platform technology are privacy and performance. It is often difficult to solve these two challenges at the same time. Most of the solutions are to lose performance in exchange for privacy, or do not consider privacy to pursue performance. Common encryption technologies that solve privacy problems, such as Homomorphic encryption and Zero-knowledge proof, are highly complex, have poor versatility, and may also cause serious performance losses.
可信执行环境(Trusted Execution Environment,TEE)是另一种解决隐私问题的方式。TEE可以起到硬件中的黑箱作用,在TEE中执行的代码和数据操作系统层都无法偷窥,只有代码中预先定义的接口才能对其进行操作。在效率方面,由于TEE的黑箱性质,在TEE中进行运算的是明文数据,而不是同态加密中的复杂密码学运算,计算过程效率没有损失,因此与TEE相结合可以在性能损失较小的前提下很大程度上提升区块链的安全性和隐私性。目前工业界十分关注TEE的方案,几乎所有主流的芯片和软件联盟都有自己的TEE解决方案,包括软件方面的TPM(Trusted Platform Module,可信赖平台模块)以及硬件方面的Intel SGX(Software Guard Extensions,软件保护扩展)、ARM Trustzone(信任区)和AMD PSP(Platform Security Processor,平台安全处理器)。Trusted Execution Environment (TEE) is another way to solve privacy issues. TEE can play the role of a black box in the hardware. Neither the code executed in the TEE nor the data operating system layer can be peeped, and only the pre-defined interface in the code can operate on it. In terms of efficiency, due to the black box nature of TEE, plaintext data is calculated in TEE instead of complex cryptographic operations in homomorphic encryption. There is no loss of efficiency in the calculation process. Therefore, the combination with TEE can achieve less performance loss. Under the premise, the security and privacy of the blockchain are greatly improved. At present, the industry is very concerned about the TEE solution. Almost all mainstream chip and software alliances have their own TEE solutions, including TPM (Trusted Platform Module) in software and Intel SGX (Software Guard Extensions) in hardware. , Software Protection Extension), ARM Trustzone (trust zone) and AMD PSP (Platform Security Processor, platform security processor).
发明内容Summary of the invention
有鉴于此,本说明书一个或多个实施例提供一种在FPGA上实现高效合约调用的方法及装置。In view of this, one or more embodiments of this specification provide a method and device for implementing efficient contract invocation on FPGA.
为实现上述目的,本说明书一个或多个实施例提供技术方案如下。To achieve the foregoing objectives, one or more embodiments of the present specification provide technical solutions as follows.
根据本说明书一个或多个实施例的第一方面,提出了一种在FPGA上实现高效合 约调用的方法,包括:FPGA结构向自身包含的FPGA芯片加载已部署的电路逻辑配置文件,以在所述FPGA芯片上分别形成片上处理器和片上缓存;其中,所述FPGA结构还包含与所述FPGA芯片相连的外部存储;所述FPGA结构确定所属区块链节点接收到的交易调用的智能合约;所述FPGA结构从所述片上缓存读取所述智能合约的代码程序以供所述片上处理器运行,所述代码程序由所述FPGA结构从所述外部存储获取并缓存至所述片上缓存。According to the first aspect of one or more embodiments of this specification, a method for implementing efficient contract invocation on FPGA is proposed, which includes: FPGA structure loads the deployed circuit logic configuration file to the FPGA chip contained in itself, so that the An on-chip processor and an on-chip cache are respectively formed on the FPGA chip; wherein the FPGA structure further includes an external storage connected to the FPGA chip; the FPGA structure determines the smart contract of the transaction call received by the belonging blockchain node; The FPGA structure reads the code program of the smart contract from the on-chip cache for the on-chip processor to run, and the code program is obtained by the FPGA structure from the external storage and cached in the on-chip cache.
根据本说明书一个或多个实施例的第二方面,提出了一种在FPGA上实现高效合约调用的装置,包括:加载单元,使FPGA结构向自身包含的FPGA芯片加载已部署的电路逻辑配置文件,以在所述FPGA芯片上分别形成片上处理器和片上缓存;其中,所述FPGA结构还包含与所述FPGA芯片相连的外部存储;确定单元,使所述FPGA结构确定所属区块链节点接收到的交易调用的智能合约;读取单元,使所述FPGA结构从所述片上缓存读取所述智能合约的代码程序以供所述片上处理器运行,所述代码程序由所述FPGA结构从所述外部存储获取并缓存至所述片上缓存。According to the second aspect of one or more embodiments of the present specification, an apparatus for implementing efficient contract invocation on FPGA is proposed, including: a loading unit, which enables the FPGA structure to load the deployed circuit logic configuration file to the FPGA chip contained in itself , To respectively form an on-chip processor and an on-chip cache on the FPGA chip; wherein the FPGA structure further includes an external storage connected to the FPGA chip; the determining unit enables the FPGA structure to determine the blockchain node to which it belongs The smart contract invoked by the transaction; the reading unit causes the FPGA structure to read the code program of the smart contract from the on-chip cache for the on-chip processor to run, the code program from the FPGA structure The external storage acquires and caches to the on-chip cache.
根据本说明书一个或多个实施例的第三方面,提出了一种电子设备,包括:处理器;用于存储处理器可执行指令的存储器;其中,所述处理器通过运行所述可执行指令以实现如第一方面所述的方法。According to a third aspect of one or more embodiments of this specification, an electronic device is proposed, including: a processor; a memory for storing executable instructions of the processor; wherein the processor runs the executable instructions In order to realize the method as described in the first aspect.
根据本说明书一个或多个实施例的第四方面,提出了一种计算机可读存储介质,其上存储有计算机指令,该指令被处理器执行时实现如第一方面所述方法的步骤。According to the fourth aspect of one or more embodiments of the present specification, a computer-readable storage medium is provided, on which computer instructions are stored, and when the instructions are executed by a processor, the steps of the method described in the first aspect are implemented.
附图说明Description of the drawings
图1是一示例性实施例提供的一种在FPGA上实现高效合约调用的方法的流程图。Fig. 1 is a flowchart of a method for implementing efficient contract invocation on FPGA provided by an exemplary embodiment.
图2是一示例性实施例提供的一种区块链节点的结构示意图。Fig. 2 is a schematic structural diagram of a blockchain node provided by an exemplary embodiment.
图3是一示例性实施例提供的一种在FPGA芯片上形成功能模块的示意图。Fig. 3 is a schematic diagram of forming a functional module on an FPGA chip provided by an exemplary embodiment.
图4是一示例性实施例提供的一种片上缓存模块的结构示意图。Fig. 4 is a schematic structural diagram of an on-chip cache module provided by an exemplary embodiment.
图5是一示例性实施例提供的一种在片上缓存模块中实现预加载的示意图。Fig. 5 is a schematic diagram of implementing preloading in an on-chip cache module according to an exemplary embodiment.
图6是一示例性实施例提供的一种在FPGA上实现高效合约调用的装置的框图。Fig. 6 is a block diagram of a device for implementing efficient contract invocation on FPGA provided by an exemplary embodiment.
具体实施方式detailed description
这里将详细地对示例性实施例进行说明,其示例表示在附图中。下面的描述涉及附图时,除非另有表示,不同附图中的相同数字表示相同或相似的要素。以下示例性实施例中所描述的实施方式并不代表与本说明书一个或多个实施例相一致的所有实施方式。相反,它们仅是与如所附权利要求书中所详述的、本说明书一个或多个实施例的一些方面相一致的装置和方法的例子。The exemplary embodiments will be described in detail here, and examples thereof are shown in the accompanying drawings. When the following description refers to the drawings, unless otherwise indicated, the same numbers in different drawings indicate the same or similar elements. The implementation manners described in the following exemplary embodiments do not represent all implementation manners consistent with one or more embodiments of this specification. Rather, they are merely examples of devices and methods consistent with some aspects of one or more embodiments of this specification as detailed in the appended claims.
需要说明的是:在其他实施例中并不一定按照本说明书示出和描述的顺序来执行相应方法的步骤。在一些其他实施例中,其方法所包括的步骤可以比本说明书所描述的更多或更少。此外,本说明书中所描述的单个步骤,在其他实施例中可能被分解为多个步骤进行描述;而本说明书中所描述的多个步骤,在其他实施例中也可能被合并为单个步骤进行描述。It should be noted that in other embodiments, the steps of the corresponding method are not necessarily executed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. In addition, a single step described in this specification may be decomposed into multiple steps for description in other embodiments; and multiple steps described in this specification may also be combined into a single step in other embodiments. description.
区块链一般被划分为三种类型:公有链(Public Blockchain),私有链(Private Blockchain)和联盟链(Consortium Blockchain)。此外,还有多种类型的结合,比如私有链+联盟链、联盟链+公有链等不同组合形式。其中去中心化程度最高的是公有链。公有链以比特币、以太坊为代表,加入公有链的参与者可以读取链上的数据记录、参与交易以及竞争新区块的记账权等。而且,各参与者(即节点)可自由加入以及退出网络,并进行相关操作。私有链则相反,该网络的写入权限由某个组织或者机构控制,数据读取权限受组织规定。简单来说,私有链可以为一个弱中心化系统,参与节点具有严格限制且少。这种类型的区块链更适合于特定机构内部使用。联盟链则是介于公有链以及私有链之间的区块链,可实现“部分去中心化”。联盟链中各个节点通常有与之相对应的实体机构或者组织;参与者通过授权加入网络并组成利益相关联盟,共同维护区块链运行。Block chains are generally divided into three types: Public Blockchain, Private Blockchain and Consortium Blockchain. In addition, there are many types of combinations, such as private chain + alliance chain, alliance chain + public chain and other different combinations. Among them, the most decentralized one is the public chain. The public chain is represented by Bitcoin and Ethereum. Participants who join the public chain can read the data records on the chain, participate in transactions, and compete for the accounting rights of new blocks. Moreover, each participant (ie, node) can freely join and exit the network, and perform related operations. The private chain is the opposite. The write permission of the network is controlled by an organization or institution, and the data read permission is regulated by the organization. In simple terms, the private chain can be a weakly centralized system with strict restrictions and few participating nodes. This type of blockchain is more suitable for internal use by specific institutions. Consortium chain is a block chain between public chain and private chain, which can realize "partial decentralization". Each node in the alliance chain usually has a corresponding entity or organization; participants are authorized to join the network and form a stakeholder alliance to jointly maintain the operation of the blockchain.
不论是公有链、私有链还是联盟链,区块链网络中的节点出于隐私保护的目的,均可能通过区块链与TEE(Trusted Execution Environment,可信执行环境)相结合的解决方案,在TEE内执行收到的交易。TEE是基于CPU硬件的安全扩展,且与外部完全隔离的可信执行环境。TEE最早是由Global Platform提出的概念,用于解决移动设备上资源的安全隔离,平行于操作系统为应用程序提供可信安全的执行环境。ARM的Trust Zone技术最早实现了真正商用的TEE技术。伴随着互联网的高速发展,安全的需求越来越高,不仅限于移动设备,云端设备,数据中心都对TEE提出了更多的需求。TEE的概念也得到了高速的发展和扩充。现在所说的TEE相比与最初提出的概念已经是更 加广义的TEE。例如,服务器芯片厂商Intel,AMD等都先后推出了硬件辅助的TEE并丰富了TEE的概念和特性,在工业界得到了广泛的认可。现在提起的TEE通常更多指这类硬件辅助的TEE技术。Regardless of whether it is a public chain, a private chain or a consortium chain, for the purpose of privacy protection, the nodes in the blockchain network may use a solution that combines the blockchain and the TEE (Trusted Execution Environment). Execute received transactions within TEE. TEE is a secure extension based on CPU hardware and a trusted execution environment that is completely isolated from the outside. TEE was first proposed by Global Platform to solve the security isolation of resources on mobile devices, and parallel to the operating system to provide a trusted and secure execution environment for applications. ARM's Trust Zone technology is the first to realize the real commercial TEE technology. With the rapid development of the Internet, security requirements are getting higher and higher. Not only mobile devices, cloud devices, and data centers have put forward more demands on TEE. The concept of TEE has also been rapidly developed and expanded. The TEE now referred to is a more generalized TEE compared to the original concept. For example, server chip manufacturers Intel and AMD have successively introduced hardware-assisted TEE and enriched the concepts and features of TEE, which has been widely recognized in the industry. The TEE mentioned now usually refers more to this kind of hardware-assisted TEE technology.
以Intel SGX技术为例,SGX提供了围圈(enclave,也称为飞地),即内存中一个加密的可信执行区域,由CPU保护数据不被窃取。以第一区块链节点采用支持SGX的CPU为例,利用新增的处理器指令,在内存中可以分配一部分区域EPC(Enclave Page Cache,围圈页面缓存或飞地页面缓存),通过CPU内的加密引擎MEE(Memory Encryption Engine)对其中的数据进行加密。EPC中加密的内容只有进入CPU后才会被解密成明文。因此,在SGX中,用户可以不信任操作系统、VMM(Virtual Machine Monitor,虚拟机监控器)、甚至BIOS(Basic Input Output System,基本输入输出系统),只需要信任CPU便能确保隐私数据不会泄漏。因此,围圈就相当于SGX技术下产生的TEE。Taking Intel SGX technology as an example, SGX provides an enclave (also known as an enclave), which is an encrypted trusted execution area in the memory, and the CPU protects data from being stolen. Taking the first blockchain node using a CPU that supports SGX as an example, using the newly added processor instructions, a part of the area EPC (Enclave Page Cache, enclave page cache or enclave page cache) can be allocated in the memory, and through the CPU The encryption engine MEE (Memory Encryption Engine) encrypts the data in it. The encrypted content in EPC will be decrypted into plain text only after entering the CPU. Therefore, in SGX, users can distrust the operating system, VMM (Virtual Machine Monitor), and even BIOS (Basic Input Output System). They only need to trust the CPU to ensure that private data will not leakage. Therefore, the enclosure is equivalent to the TEE produced under SGX technology.
不同于移动端,云端访问需要远程访问,终端用户对硬件平台不可见,因此使用TEE的第一步就是要确认TEE的真实可信。例如,相关技术中提供了针对上述SGX技术的远程证明机制,以用于证明目标设备上的SGX平台与挑战方部署了相同的配置文件。但是,由于相关技术中的TEE技术是以软件或软硬件结合的方式实现,使得即便通过远程证明方式可以在一定程度上表明TEE内所部署的配置文件未经篡改,但是TEE本身所依托的运行环境却无法被验证。例如,在需要实现隐私功能的区块链节点上,TEE内需要配置用于执行智能合约的虚拟机,该虚拟机所执行的指令并非直接执行,而是实际上执行了对应的若干条X86指令(假定目标设备采用X86架构),从而造成了一定程度上的安全性风险。Different from the mobile terminal, cloud access requires remote access, and the end user is invisible to the hardware platform. Therefore, the first step in using TEE is to confirm the authenticity of TEE. For example, the related technology provides a remote certification mechanism for the above-mentioned SGX technology to prove that the SGX platform on the target device and the challenger have deployed the same configuration file. However, because the TEE technology in the related technology is implemented by software or a combination of software and hardware, even if the remote attestation method can indicate to a certain extent that the configuration file deployed in the TEE has not been tampered with, the TEE itself depends on the operation The environment cannot be verified. For example, on a blockchain node that needs to implement privacy functions, a virtual machine for executing smart contracts needs to be configured in the TEE. The instructions executed by the virtual machine are not directly executed, but actually executed corresponding X86 instructions (Assuming that the target device adopts the X86 architecture), which poses a certain degree of security risk.
为此,本说明书提出了一种基于FPGA实现的硬件TEE技术,FPGA通过加载电路逻辑配置文件而实现硬件TEE。由于电路逻辑配置文件的内容可以被预先查看与检验,并且FPGA完全基于电路逻辑配置文件中记载的逻辑而配置运行,因而可以确保FPGA所实现的硬件TEE具有相对更高的安全性。但是,相关技术中智能合约的代码程序都部署于区块链节点处,使得FPGA需要频繁从区块链节点获取代码程序,导致消耗大量资源。To this end, this specification proposes a hardware TEE technology based on FPGA implementation. FPGA implements hardware TEE by loading circuit logic configuration files. Because the content of the circuit logic configuration file can be checked and verified in advance, and the FPGA is configured and operated completely based on the logic recorded in the circuit logic configuration file, it can be ensured that the hardware TEE implemented by the FPGA has relatively higher security. However, the code programs of the smart contracts in related technologies are all deployed at the blockchain nodes, which makes the FPGA need to frequently obtain the code programs from the blockchain nodes, which consumes a lot of resources.
以下结合实施例说明本说明书提供的一种在FPGA上实现高效合约调用的方法,以减少数据交互次数。The following describes a method for implementing efficient contract invocation on FPGA provided in this specification in conjunction with embodiments, so as to reduce the number of data interactions.
图1是一示例性实施例提供的一种在FPGA上实现高效合约调用的方法的流程图。 如图1所示,该方法应用于FPGA结构,可以包括步骤102~106。Fig. 1 is a flowchart of a method for implementing efficient contract invocation on FPGA provided by an exemplary embodiment. As shown in Figure 1, the method is applied to the FPGA structure and may include steps 102-106.
步骤102,FPGA结构向自身包含的FPGA芯片加载已部署的电路逻辑配置文件,以在所述FPGA芯片上分别形成片上处理器和片上缓存;其中,所述FPGA结构还包含与所述FPGA芯片相连的外部存储。Step 102: The FPGA structure loads the deployed circuit logic configuration file to the FPGA chip contained in itself, so as to form an on-chip processor and an on-chip cache on the FPGA chip; wherein, the FPGA structure also includes a connection to the FPGA chip External storage.
FPGA芯片上包含若干可编辑的硬件逻辑单元,这些硬件逻辑单元经由电路逻辑配置文件进行配置后,可以实现为相应的功能模块,以用于实现相应的逻辑功能。具体的,该电路逻辑配置文件可以基于比特流的形式被烧录至FPGA结构。例如,上述的片上处理器等即为通过已部署的电路逻辑配置文件而形成,而通过进一步部署相关的其他功能模块,可以将FPGA结构配置为区块链节点上的硬件TEE。由于这些功能模块完全由电路逻辑配置文件进行配置而形成,因而通过检查电路逻辑配置文件即可确定由此配置得到的功能模块所实现的逻辑等各方面的信息,确保功能模块能够按照完全用户的需求而形成和运行。其中,上述的片上处理器用于实现虚拟机逻辑,譬如该虚拟机逻辑可以包括以太坊虚拟机的执行逻辑或者WASM虚拟机的执行逻辑等,本说明书并不对此进行限制。The FPGA chip contains a number of editable hardware logic units. After these hardware logic units are configured via a circuit logic configuration file, they can be implemented as corresponding functional modules to implement corresponding logic functions. Specifically, the circuit logic configuration file can be burned to the FPGA structure based on the form of a bit stream. For example, the above-mentioned on-chip processor is formed by the deployed circuit logic configuration file, and by further deploying other related functional modules, the FPGA structure can be configured as a hardware TEE on the blockchain node. Since these functional modules are completely configured by the circuit logic configuration file, it is possible to determine the logic and other aspects of the information realized by the functional module configured by checking the circuit logic configuration file to ensure that the functional module can be configured according to the complete user’s requirements. Needs to be formed and run. The above-mentioned on-chip processor is used to implement virtual machine logic. For example, the virtual machine logic may include the execution logic of the Ethereum virtual machine or the execution logic of the WASM virtual machine, etc. This specification does not limit this.
用户生成电路逻辑配置文件后,如果位于FPGA结构所在地点处,则可以在本地将该电路逻辑配置文件部署至FPGA结构,譬如可以在离线环境下实施部署操作,以确保安全性。或者,在FPGA结构处于线上环境的情况下,用户可以将电路逻辑配置文件远程部署至FPGA结构。After the user generates the circuit logic configuration file, if it is located at the location of the FPGA structure, the circuit logic configuration file can be deployed locally to the FPGA structure. For example, the deployment operation can be implemented in an offline environment to ensure safety. Or, when the FPGA structure is in an online environment, the user can remotely deploy the circuit logic configuration file to the FPGA structure.
步骤104,所述FPGA结构确定所属区块链节点接收到的交易调用的智能合约。Step 104: The FPGA structure determines the smart contract called by the transaction received by the blockchain node to which it belongs.
FPGA结构通过解析交易的to字段,可以获得该交易所调用的智能合约的合约地址,并基于该合约地址获取相应智能合约的代码程序。如果该交易由交易发起方经过加密后提交至区块链,那么FPGA结构需要对该交易进行解密,以读取to字段的信息。其中,通过加载上述已部署的电路逻辑配置文件,可以在FPGA芯片上形成解密模块,从而通过该解密模块对交易进行解密。The FPGA structure can obtain the contract address of the smart contract called by the exchange by parsing the to field of the transaction, and obtain the code program of the corresponding smart contract based on the contract address. If the transaction is encrypted and submitted to the blockchain by the transaction initiator, the FPGA structure needs to decrypt the transaction to read the information in the to field. Wherein, by loading the above-mentioned deployed circuit logic configuration file, a decryption module can be formed on the FPGA chip, so that the transaction can be decrypted by the decryption module.
例如,FPGA结构可以维护有节点私钥,且该节点私钥对应的节点公钥被公开。那么,交易发起方一方面可以获得上述的节点公钥,另一方面可以自行生成一对称密钥,并基于该节点公钥和对称密钥对明文交易内容实施数字信封形式的加密操作:通过对称密钥对明文交易内容进行加密、得到密文交易内容,通过节点公钥对该对称密钥进行加密、得到密文对称密钥,而上述的交易包括密文交易内容和密文对称密钥。相应地,上 述的解密模块可以基于节点私钥对交易所含的密文对称密钥进行解密、得到对称密钥,然后解密模块可以基于对称密钥对密文交易内容进行解密、得到明文交易内容,从而在明文交易内容中读取to字段的信息,确定交易所调用的智能合约的合约地址。For example, the FPGA structure can maintain a node private key, and the node public key corresponding to the node private key is disclosed. Then, on the one hand, the transaction initiator can obtain the above-mentioned node public key, on the other hand, it can generate a symmetric key by itself, and implement a digital envelope encryption operation on the plaintext transaction content based on the node’s public key and symmetric key: The key encrypts the plaintext transaction content to obtain the ciphertext transaction content, encrypts the symmetric key with the node public key to obtain the ciphertext symmetric key, and the above transaction includes the ciphertext transaction content and the ciphertext symmetric key. Correspondingly, the aforementioned decryption module can decrypt the ciphertext symmetric key contained in the exchange based on the node private key to obtain the symmetric key, and then the decryption module can decrypt the ciphertext transaction content based on the symmetric key to obtain the plaintext transaction content , So as to read the information in the to field in the plaintext transaction content, and determine the contract address of the smart contract called by the exchange.
步骤106,所述FPGA结构从所述片上缓存读取所述智能合约的代码程序以供所述片上处理器运行,所述代码程序由所述FPGA结构从所述外部存储获取并缓存至所述片上缓存。Step 106: The FPGA structure reads the code program of the smart contract from the on-chip cache for the on-chip processor to run, and the code program is obtained by the FPGA structure from the external storage and cached in the On-chip cache.
片上处理器从片上缓存读取数据的速度相对更快,但是片上缓存的存储空间通常相对较小且扩展性差,无法满足大量代码程序的部署需求。而片上处理器从外部存储读取数据的速度相对较慢,但是外部存储的存储空间通常相对较大且扩展性好,可以满足大量代码程序的部署需求。因此,通过将代码程序部署在外部存储,而在使用时将代码程序从外部存储缓存至片上缓存,并由片上处理器从片上缓存中读取代码程序以运行,既可以满足对代码程序进行大量部署的需求,又可以使得片上处理器快速读取和运行代码程序,以提升交易执行效率。实际上,虽然外部存储所能实现的读取速度相对低于片上缓存,但相比于将代码程序部署在区块链节点而言,片上处理器从外部存储读取代码程序的速度远快于从区块链节点处进行读取。The on-chip processor reads data from the on-chip cache relatively faster, but the storage space of the on-chip cache is usually relatively small and has poor scalability, which cannot meet the deployment requirements of a large number of code programs. The on-chip processor is relatively slow to read data from external storage, but the storage space of external storage is usually relatively large and has good scalability, which can meet the deployment requirements of a large number of code programs. Therefore, by deploying the code program in external storage, and caching the code program from the external storage to the on-chip cache when in use, and reading the code program from the on-chip cache by the on-chip processor to run, it can satisfy the need to perform a large number of code programs. The deployment requirements can also enable the on-chip processor to quickly read and run code programs to improve transaction execution efficiency. In fact, although the read speed that the external storage can achieve is relatively lower than the on-chip cache, compared to deploying the code program on the blockchain node, the on-chip processor reads the code program from the external storage much faster than Read from the blockchain node.
上述的片上缓存位于FPGA芯片内部,由该FPGA芯片上的存储器件形成。外部存储位于FPGA芯片外部,可以插接至FPGA结构的接口上,譬如该外部存储可以包括外接DDR等。由于FPGA芯片内部被认为处于安全范围、FPGA芯片外部被认为存在安全风险,因而当代码程序位于片上缓存时,可以直接以明文形式进行缓存,而当代码程序存储于外部存储时,需要通过FPGA芯片上的加密模块对代码程序进行加密后实现存储,其中加密模块由FPGA芯片加载前述已部署的电路逻辑配置文件而形成,采用的密钥可以为FPGA结构所维护的业务根密钥或其衍生密钥。而在代码程序被加密后存储于外部存储的情况下,FPGA结构通过FPGA芯片上如前所述的解密模块对代码程序进行解密,以将解密后的代码程序缓存至片上缓存,使得片上处理器可以直接从片上缓存读取解密后的代码程序。The above-mentioned on-chip buffer is located inside the FPGA chip and is formed by the storage device on the FPGA chip. The external storage is located outside the FPGA chip and can be plugged into the interface of the FPGA structure. For example, the external storage may include an external DDR. Since the inside of the FPGA chip is considered to be in the security range and the outside of the FPGA chip is considered to be a security risk, when the code program is in the on-chip cache, it can be cached directly in plaintext, and when the code program is stored in external storage, it needs to pass through the FPGA chip. The encryption module above encrypts the code program and realizes storage. The encryption module is formed by loading the aforementioned deployed circuit logic configuration file on the FPGA chip. The key used can be the business root key maintained by the FPGA structure or its derived secret. key. When the code program is encrypted and stored in external storage, the FPGA structure decrypts the code program through the decryption module described above on the FPGA chip, so as to cache the decrypted code program to the on-chip cache, so that the on-chip processor The decrypted code program can be read directly from the on-chip cache.
通过加载前述已部署的电路逻辑配置文件,可以在FPGA芯片上形成预处理模块,而FPGA结构可以通过该预处理模块对获得的代码程序进行预处理,并将预处理后的代码程序缓存至片上缓存,以由片上处理器读取和运行。这里的预处理是指在执行原始的代码程序(即未经过预处理的代码程序)之前必须预先实施的处理操作,通过在存入片上缓存之前实施预处理,使得片上处理器在后续执行该代码程序时,可以省去临时执行 预处理所需消耗的运算资源和处理时间,有助于加快代码程序的执行速度。其中,上述预处理可以包括以下至少之一:将代码程序所含的各个字段解析并转换为预设数据结构,调整代码程序中的跳转指令(jump指令)的偏移量(offset)。By loading the aforementioned deployed circuit logic configuration file, a preprocessing module can be formed on the FPGA chip, and the FPGA structure can preprocess the obtained code program through the preprocessing module, and cache the preprocessed code program on the chip Cache to be read and run by the on-chip processor. The preprocessing here refers to the processing operations that must be implemented in advance before executing the original code program (that is, the code program that has not been preprocessed). The preprocessing is performed before being stored in the on-chip cache, so that the on-chip processor executes the code in the subsequent During the program, the computing resources and processing time required for temporary execution of preprocessing can be saved, which helps to speed up the execution of the code program. Wherein, the aforementioned preprocessing may include at least one of the following: parsing and converting each field contained in the code program into a preset data structure, and adjusting the offset of the jump instruction (jump instruction) in the code program.
片上处理器并非一次性读取和执行代码程序所含的所有操作指令,而是逐条读取和执行代码程序所含的操作指令。因此,片上处理器可以首先尝试从片上缓存中读取所需的操作指令;在片上缓存中存在所需的操作指令的情况下,片上处理器可以从片上缓存读取相应的操作指令并予以执行,相比于从外部存储或区块链节点读取该操作指令,具有相对更高的效率;以及,在片上缓存中不存在所需的操作指令的情况下,FPGA结构可以从外部存储获取该操作指令并缓存至片上缓存,以供片上处理器读取和执行。The on-chip processor does not read and execute all the operating instructions contained in the code program at one time, but reads and executes the operating instructions contained in the code program one by one. Therefore, the on-chip processor can first try to read the required operation instructions from the on-chip cache; if the required operation instructions exist in the on-chip cache, the on-chip processor can read the corresponding operation instructions from the on-chip cache and execute them Compared with reading the operation instruction from external storage or blockchain nodes, it has relatively higher efficiency; and, when the required operation instruction does not exist in the on-chip cache, the FPGA structure can obtain the operation instruction from the external storage. Operation instructions are cached to the on-chip cache for the on-chip processor to read and execute.
由于数据在外部存储中通常按顺序进行依次存储,譬如同一代码程序的各个操作指令对应的存储地址通常是依次排列的。因此,在片上处理器希望读取某一操作指令的情况下,该片上处理器通常会继续读取和执行附近的其他操作指令,直至这些操作指令所属的合约代码执行完毕。所以,虽然FPGA结构可以仅从外部存储获取上述片上处理器所需的一条操作指令,但是实际上FPGA结构还可以从外部存储获取包含该操作指令的代码程序段,即该代码程序段还包含片上处理器后续可能需要的其他操作指令,通过将该代码程序段缓存至片上缓存,可使片上处理器后续直接从片上缓存读取上述的其他操作指令,而无需临时从外部存储进行读取,有助于提升效率。Since data is usually stored in sequence in the external storage, for example, the storage addresses corresponding to each operation instruction of the same code program are usually arranged in sequence. Therefore, in the case that the on-chip processor wishes to read a certain operation instruction, the on-chip processor will usually continue to read and execute other nearby operation instructions until the contract code to which these operation instructions belong is executed. Therefore, although the FPGA structure can only obtain an operation instruction required by the on-chip processor from the external storage, in fact the FPGA structure can also obtain the code program segment containing the operation instruction from the external storage, that is, the code program segment also contains the on-chip For other operation instructions that the processor may need later, by caching the code program segment to the on-chip cache, the on-chip processor can subsequently directly read the above-mentioned other operation instructions from the on-chip cache without temporarily reading from external storage. Help improve efficiency.
例如,FPGA结构可以确定片上处理器所需的上述操作指令在外部存储中的起始存储地址,并从外部存储获取包含该起始存储地址的预设地址段,并确保上述的代码程序段位于该预设地址段。那么,通过从外部存储读取对应于该预设地址段的数据,即可获得上述的代码程序段。其中,上述的预设地址段可以包括上述的起始存储地址和位于该起始存储地址之后的地址,使得上述代码程序段所含的其他操作指令均排列于上述的操作指令之后;考虑到片上处理器在执行代码程序的过程中从前向后依次执行各个操作指令的处理逻辑,以及操作指令在外部存储中的存储地址依次排列的存储逻辑,上述方案可使片上缓存中缓存的操作指令被片上处理器读取和执行的概率相对更高,避免将排列在上述操作指令之前、被片上处理器读取和执行的概率相对更低的其他操作指令被存入片上缓存,有助于优化对片上缓存的合理使用。For example, the FPGA structure can determine the initial storage address in the external storage of the above-mentioned operation instructions required by the on-chip processor, and obtain the preset address segment containing the initial storage address from the external storage, and ensure that the above-mentioned code program segment is located in the external storage. The preset address segment. Then, by reading the data corresponding to the preset address segment from the external storage, the above-mentioned code program segment can be obtained. Wherein, the aforementioned preset address segment may include the aforementioned initial storage address and an address located after the initial storage address, so that other operation instructions contained in the aforementioned code program segment are arranged after the aforementioned operation instructions; taking into account the on-chip The processor executes the processing logic of each operation instruction from front to back in the process of executing the code program, as well as the storage logic in which the storage address of the operation instruction in the external storage is arranged in sequence. The above scheme enables the operation instructions cached in the on-chip cache to be on-chip The processor has a relatively higher probability of reading and executing, avoiding other operation instructions that are arranged before the above operation instructions and have a relatively lower probability of being read and executed by the on-chip processor to be stored in the on-chip cache, which helps to optimize the on-chip Reasonable use of cache.
片上缓存中的缓存空间可以被划分为若干缓存块,这些缓存块分别用于存入相应数据。因此,当FPGA结构从外部存储读取预设地址段对应的代码程序段时,所采用的预设地址段的长度可以为片上缓存中的单个缓存块的缓存长度,即每次存入片上缓存的 数据均占用一个缓存块,以便于对片上缓存的缓存空间进行有效管理。其中,FPGA结构在片上缓存内的代码程序段的已读取比例达到预设比例的情况下,可以自动从外部存储预获取代码程序段之后的其他代码程序段,并缓存至片上缓存,而无需片上处理器临时发起请求,使得片上处理器在执行同一智能合约的合约代码的过程中,至多仅需要在读取首条操作指令时需要请求FPGA结构从外部存储获取并存入片上缓存,后续均可以直接从片上缓存高效地读取其他的操作指令,有助于提升对智能合约的执行效率。例如,FPGA结构每次可以从外部存储读取一个缓存块对应的代码程序段,并存入片上缓存;在监测到片上缓存已存入的代码程序段的已读取比例达到50%的情况下,FPGA结构可以针对前一次读取的代码程序段在外部存储中对应的存储地址,自动从外部存储读取后续的代码程序段。The cache space in the on-chip cache can be divided into several cache blocks, and these cache blocks are respectively used to store corresponding data. Therefore, when the FPGA structure reads the code program segment corresponding to the preset address segment from the external storage, the length of the preset address segment used can be the cache length of a single cache block in the on-chip cache, that is, each time it is stored in the on-chip cache All data occupies a cache block to facilitate effective management of the on-chip cache space. Among them, when the read ratio of the code program segment in the on-chip cache of the FPGA structure reaches the preset ratio, other code program segments after the code program segment can be automatically pre-fetched from the external storage and cached in the on-chip cache without the need The on-chip processor temporarily initiates a request, so that when the on-chip processor executes the contract code of the same smart contract, it only needs to request the FPGA structure to obtain it from the external storage and store it in the on-chip cache when reading the first operation instruction. Other operation instructions can be efficiently read from the on-chip cache directly, which helps to improve the execution efficiency of smart contracts. For example, the FPGA structure can read the code segment corresponding to a cache block from the external storage every time and store it in the on-chip cache; when it is monitored that the read ratio of the code segment stored in the on-chip cache reaches 50% , FPGA structure can automatically read the subsequent code program segments from the external storage according to the corresponding storage address in the external storage of the previously read code program segment.
进一步的,在片上缓存中包含若干缓存块的情况下,每一缓存块可以设有相应的权重,而权重的取值大小与相应缓存块中的数据被淘汰的概率呈负相关,即权重越大的缓存块被淘汰(缓存块所含数据被淘汰)的概率越小、权重越小的缓存块被淘汰的概率越大。因此,通过将包含有智能合约中首条操作指令的缓存块设置为对应于相对更大的权重,可使其在片上缓存中的存留时长相对更长,那么片上处理器具有更大概率可以直接从片上缓存读取某一合约代码的首条操作指令,而无需FPGA结构临时从外部存储进行读取,再配合上述对后续操作指令的自动加载方案,可使片上处理器总是能够从片上缓存中读取所需的操作指令,从而实现更高的操作指令读取和执行效率。Further, in the case that the on-chip cache contains several cache blocks, each cache block can be provided with a corresponding weight, and the value of the weight is negatively related to the probability that the data in the corresponding cache block is eliminated, that is, the more the weight is The smaller the probability of a large cache block being eliminated (the data contained in the cache block is eliminated) and the smaller the weight of the cache block, the greater the probability of being eliminated. Therefore, by setting the cache block containing the first operation instruction in the smart contract to correspond to a relatively larger weight, it can be stored in the on-chip cache for a relatively longer time, so that the on-chip processor has a greater probability and can directly Read the first operation instruction of a certain contract code from the on-chip cache, without the need for the FPGA structure to temporarily read from the external storage, and cooperate with the above-mentioned automatic loading scheme for subsequent operation instructions, so that the on-chip processor can always be from the on-chip cache Read the required operation instructions in the middle, so as to achieve higher operation instruction reading and execution efficiency.
图2是一示例性实施例提供的一种区块链节点的结构示意图。基于本说明书的技术方案,可以在区块链节点上添加FPGA结构以实现硬件TEE,譬如该FPGA结构可以为如图2所示的FPGA板卡。FPGA板卡可以通过PCIE接口连接至区块链节点上,以实现FPGA板卡与区块链节点之间的数据交互。FPGA板卡可以包括FPGA芯片、Flash芯片、密管芯片和外接DDR等结构;当然,在一些实施例中除了包含FPGA芯片和外接DDR之外,可能仅包含剩余的Flash芯片和密管芯片等中的部分结构,或者可能包含更多结构,此处仅用于举例。Fig. 2 is a schematic structural diagram of a blockchain node provided by an exemplary embodiment. Based on the technical solution in this specification, an FPGA structure can be added to the blockchain node to implement hardware TEE. For example, the FPGA structure can be an FPGA board as shown in FIG. 2. The FPGA board can be connected to the blockchain node through the PCIE interface to realize the data interaction between the FPGA board and the blockchain node. FPGA boards can include FPGA chips, Flash chips, secret tube chips, and external DDR structures; of course, in some embodiments, in addition to FPGA chips and external DDRs, they may only include the remaining Flash chips and secret tube chips, etc. Part of the structure of, or may contain more structures, here are just examples.
在初始阶段,FPGA芯片上并未烧录用户定义的任何逻辑,相当于FPGA芯片处于空白状态。用户可以通过向FPGA芯片上烧录电路逻辑配置文件,以在FPGA芯片上形成相应的功能或逻辑。在首次烧录电路逻辑配置文件时,FPGA板卡不具有安全防护的能力,因而通常需要外部提供安全环境,比如用户可以在离线环境下实施对电路逻辑配置文件的烧录以实现物理安全隔离,而非在线上实施远程烧录。In the initial stage, no user-defined logic is programmed on the FPGA chip, which is equivalent to the FPGA chip in a blank state. Users can burn circuit logic configuration files on the FPGA chip to form corresponding functions or logic on the FPGA chip. When programming the circuit logic configuration file for the first time, the FPGA board does not have the capability of security protection, so it usually needs to provide an external security environment. For example, users can implement the programming of the circuit logic configuration file in an offline environment to achieve physical security isolation. Instead of implementing remote programming online.
针对用户所需实现的功能或逻辑,可以通过FPGA硬件语言形成相应的逻辑代码,并进而对该逻辑代码进行镜像化处理,即可得到上述的电路逻辑配置文件。在烧录至FPGA板卡之前,用户可以针对上述的逻辑代码进行检查。尤其是,当同时涉及到多个用户时,多个用户可以分别对上述的逻辑代码进行检查,以确保FPGA板卡最终能够满足所有用户的需求,防止出现安全性风险、逻辑错误、欺诈等异常问题。For the function or logic that the user needs to implement, the corresponding logic code can be formed through FPGA hardware language, and then the logic code can be mirrored to obtain the above-mentioned circuit logic configuration file. Before programming to the FPGA board, the user can check the above-mentioned logic code. Especially, when multiple users are involved at the same time, multiple users can check the above logic code separately to ensure that the FPGA board can finally meet the needs of all users and prevent security risks, logic errors, fraud and other abnormalities. problem.
在确定代码无误后,用户可以在上述的离线环境下,将电路逻辑配置文件烧录至FPGA板卡上。具体的,电路逻辑配置文件被从区块链节点传入FPGA板卡,进而部署至如图2所示的Flash芯片中,使得即便FPGA板卡发生掉电,Flash芯片仍然能够保存上述的电路逻辑配置文件。After confirming that the code is correct, the user can burn the circuit logic configuration file to the FPGA board in the above-mentioned offline environment. Specifically, the circuit logic configuration file is transferred from the blockchain node to the FPGA board, and then deployed to the Flash chip as shown in Figure 2, so that even if the FPGA board is powered off, the Flash chip can still save the above-mentioned circuit logic. Configuration file.
图3是一示例性实施例提供的一种在FPGA芯片上形成功能模块的示意图。通过将Flash(闪存)芯片中所部署的电路逻辑配置文件加载至FPGA芯片,可以对FPGA芯片所含的硬件逻辑单元进行配置,从而在FPGA芯片上形成相应的功能模块,譬如所形成的功能模块可以包括如图3所示的片上缓存模块、预处理模块、明文计算模块、密钥协商模块、解密验签模块、加解密模块等。同时,电路逻辑配置文件还可以用于向FPGA板卡传输需要存储的信息,比如可以将预置证书存储于FPGA芯片上、将认证根密钥存储于密管芯片中(认证根密钥也可以存储于FPGA芯片上)等。Fig. 3 is a schematic diagram of forming a functional module on an FPGA chip provided by an exemplary embodiment. By loading the circuit logic configuration file deployed in the Flash (flash memory) chip to the FPGA chip, the hardware logic unit contained in the FPGA chip can be configured to form corresponding functional modules on the FPGA chip, such as the formed functional modules It may include an on-chip cache module, a preprocessing module, a plaintext calculation module, a key agreement module, a decryption verification module, an encryption and decryption module, etc. as shown in FIG. 3. At the same time, the circuit logic configuration file can also be used to transmit the information that needs to be stored to the FPGA board. For example, the preset certificate can be stored on the FPGA chip, and the authentication root key can be stored in the secret tube chip (the authentication root key can also be Stored on the FPGA chip) and so on.
基于FPGA芯片上所形成的密钥协商模块,以及部署于FPGA板卡上的认证根密钥,使得FPGA板卡可以与用户实现远程的密钥协商,该密钥协商过程可以采用相关技术中的任意算法或标准来实现,本说明书并不对此进行限制。举例而言,密钥协商过程可以包括:用户可以在本地的客户端生成一密钥Ka-1、密钥协商模块可以在本地生成一密钥Kb-1,且客户端可以基于密钥Ka-1计算得到密钥协商信息Ka-2、密钥协商模块可以基于密钥Kb-1计算得到密钥协商信息Kb-2,然后客户端将密钥协商信息Ka-2发送至密钥协商模块、密钥协商模块将密钥协商信息Kb-2发送至客户端,使得客户端可以基于密钥Ka-1与密钥协商信息Kb-2生成一秘密值,而密钥协商模块可以基于密钥Kb-1与密钥协商信息Ka-2生成相同的秘密值,最后由客户端、密钥协商模块分别基于密钥导出函数从该相同的秘密值导出相同的配置文件部署密钥,该配置文件部署密钥可以存在FPGA芯片或密管芯片。在上述过程中,虽然密钥协商信息Ka-2、密钥协商信息Kb-2是经由区块链节点在客户端与密钥协商模块之间传输,但是由于密钥Ka-1由客户端掌握、密钥Kb-1由密钥协商模块掌握,因而可以确保区块链节点无法获知最终得到的秘密值和配置文件部署密钥,避免可能造成的安全性风险。Based on the key agreement module formed on the FPGA chip and the authentication root key deployed on the FPGA board, the FPGA board can realize remote key agreement with the user. The key agreement process can use related technologies. Any algorithm or standard can be implemented, and this specification does not limit it. For example, the key agreement process can include: the user can generate a key Ka-1 at the local client, the key agreement module can generate a key Kb-1 locally, and the client can generate a key Kb-1 based on the key Ka- 1 Calculate the key agreement information Ka-2, the key agreement module can calculate the key agreement information Kb-2 based on the key Kb-1, and then the client sends the key agreement information Ka-2 to the key agreement module, The key agreement module sends the key agreement information Kb-2 to the client, so that the client can generate a secret value based on the key Ka-1 and the key agreement information Kb-2, and the key agreement module can be based on the key Kb -1 generates the same secret value as the key agreement information Ka-2, and finally the client and the key agreement module respectively derive the same configuration file deployment key from the same secret value based on the key derivation function, and the configuration file deployment The key can be stored in the FPGA chip or the secret management chip. In the above process, although the key agreement information Ka-2 and key agreement information Kb-2 are transmitted between the client and the key agreement module via the blockchain node, the key Ka-1 is controlled by the client , The key Kb-1 is controlled by the key agreement module, so it can ensure that the blockchain node cannot know the final secret value and the configuration file deployment key, so as to avoid possible security risks.
除了配置文件部署密钥之外,秘密值还用于导出业务秘密部署密钥;例如,秘密值可以导出32位数值,可以将前16位作为配置文件部署密钥、后16位作为业务秘密部署密钥。用户可以通过业务秘密部署密钥向FPGA板卡部署业务密钥,譬如该业务密钥可以包括节点私钥和业务根密钥。例如,用户可以在客户端上采用业务秘密部署密钥对节点私钥或业务根密钥进行签名、加密并发送至FPGA板卡,使得FPGA板卡通过解密验签模块进行解密、验签后,对得到的节点私钥或业务根密钥进行部署。In addition to the configuration file deployment key, the secret value is also used to derive the business secret deployment key; for example, the secret value can be derived as a 32-bit value, the first 16 bits can be used as the configuration file deployment key, and the last 16 bits can be used as the business secret deployment Key. The user can deploy the service key to the FPGA board through the service secret deployment key. For example, the service key may include the node private key and the service root key. For example, the user can use the business secret deployment key on the client to sign, encrypt the node private key or the business root key, and send it to the FPGA board, so that after the FPGA board is decrypted and verified through the decryption verification module, Deploy the obtained node private key or service root key.
基于部署的节点密钥、业务根密钥和FPGA芯片上的加解密模块、明文计算模块,使得FPGA板卡可以实现为区块链节点上的TEE,以满足隐私需求。例如,当区块链节点收到一笔交易时,如果该交易为明文交易,区块链节点可以直接处理该明文交易,如果该交易为隐私交易,区块链节点将该隐私交易传入FPGA板卡进行处理。Based on the deployed node key, service root key, encryption and decryption module and plaintext calculation module on the FPGA chip, the FPGA board can be implemented as a TEE on the blockchain node to meet privacy requirements. For example, when a blockchain node receives a transaction, if the transaction is a plaintext transaction, the blockchain node can directly process the plaintext transaction, if the transaction is a private transaction, the blockchain node transmits the private transaction to the FPGA The board is processed.
明文交易的交易内容为明文形式,并且交易执行后所产生的合约状态等同样采用明文形式进行存储。隐私交易的交易内容为密文形式,由交易发起方对明文交易内容进行加密而得到,且交易执行后产生的合约状态等需要采用密文形式进行存储,从而确保交易隐私保护。例如,交易发起方可以随机或基于其他方式生成一对称密钥,同样上述的业务私钥对应的业务公钥被公开,那么交易发起方可以基于该对称密钥和业务公钥对明文交易内容进行数字信封加密:交易发起方通过对称密钥加密明文交易内容,并通过业务公钥对该对称密钥进行加密,得到的两部分内容均被包含于上述的隐私交易中;换言之,隐私交易中包含两部分内容:采用对称密钥加密的明文交易内容、采用业务公钥加密的对称密钥。The transaction content of a plaintext transaction is in plaintext form, and the contract status generated after the transaction is executed is also stored in plaintext form. The transaction content of a private transaction is in the form of cipher text, which is obtained by encrypting the content of the transaction in plain text by the transaction initiator, and the contract state generated after the transaction is executed needs to be stored in the form of cipher text to ensure the protection of transaction privacy. For example, the transaction initiator can generate a symmetric key randomly or based on other methods. Similarly, the business public key corresponding to the above-mentioned business private key is disclosed, then the transaction initiator can perform transaction content in plaintext based on the symmetric key and the business public key. Digital Envelope Encryption: The transaction initiator encrypts the plaintext transaction content with a symmetric key, and encrypts the symmetric key with the business public key. The two parts obtained are included in the above-mentioned private transaction; in other words, the private transaction includes Two parts of content: the content of the transaction in plaintext encrypted with a symmetric key, and the symmetric key encrypted with the business public key.
因此,FPGA板卡在收到区块链节点传入的隐私交易后,可由加解密模块通过业务私钥对采用业务公钥加密的对称密钥进行解密、得到对称密钥,然后由加解密模块通过对称密钥对采用对称密钥加密的明文交易内容进行解密、得到明文交易内容。隐私交易可以用于部署智能合约,那么明文交易内容的data字段可以包含待部署的智能合约的合约代码;或者,隐私交易可以用于调用智能合约,那么明文交易内容的to字段可以包含被调用的智能合约的合约地址,而FPGA板卡可以基于该合约地址调取相应的合约代码。Therefore, after the FPGA board receives the private transaction from the blockchain node, the encryption and decryption module can use the business private key to decrypt the symmetric key encrypted with the business public key to obtain the symmetric key, and then the encryption and decryption module The symmetric key is used to decrypt the plaintext transaction content encrypted with the symmetric key to obtain the plaintext transaction content. Private transactions can be used to deploy smart contracts, then the data field of the plaintext transaction content can contain the contract code of the smart contract to be deployed; or, the privacy transaction can be used to call the smart contract, then the to field of the plaintext transaction content can contain the called The contract address of the smart contract, and the FPGA board can retrieve the corresponding contract code based on the contract address.
如前所述,FPGA板卡上同时设有片上缓存模块和外接DDR。外接DDR的存储空间往往大于甚至远大于片上缓存模块的存储空间,并且具有高度的可扩展性,使得外接DDR可以实现更多数据的存储。因此,当隐私交易用于部署智能合约时,FPGA板卡可以将明文交易内容的data字段所含的合约代码部署至外接DDR中。那么,当FPGA板卡后续收到用于调用该智能合约的隐私交易时,FPGA板卡可以基于明文交易内容的to 字段所含的合约地址,从外接DDR中查找到相应的合约代码,以通过明文计算模块执行该合约代码。其中,FPGA芯片上形成的明文计算模块用于实现相关技术中的虚拟机逻辑,即明文计算模块相当于FPGA板卡上的“硬件虚拟机”。因此,基于上述明文交易内容确定出合约代码后,可以将该合约代码传入明文计算模块中,以由该明文计算模块执行该合约代码。该明文计算模块相当于本说明书中在FPGA芯片上形成的片上处理器。As mentioned earlier, the FPGA board is equipped with an on-chip cache module and an external DDR at the same time. The storage space of the external DDR is often larger or even much larger than the storage space of the on-chip cache module, and has a high degree of scalability, so that the external DDR can store more data. Therefore, when private transactions are used to deploy smart contracts, the FPGA board can deploy the contract code contained in the data field of the plaintext transaction content to the external DDR. Then, when the FPGA board subsequently receives a private transaction for invoking the smart contract, the FPGA board can find the corresponding contract code from the external DDR based on the contract address contained in the to field of the clear text transaction content to pass The plaintext calculation module executes the contract code. Among them, the plaintext calculation module formed on the FPGA chip is used to implement virtual machine logic in related technologies, that is, the plaintext calculation module is equivalent to the "hardware virtual machine" on the FPGA board. Therefore, after the contract code is determined based on the foregoing plaintext transaction content, the contract code can be passed into the plaintext calculation module, so that the plaintext calculation module executes the contract code. The plaintext calculation module is equivalent to the on-chip processor formed on the FPGA chip in this specification.
针对用于部署智能合约的隐私交易,FPGA板卡在获得待部署的合约代码后,可以直接存入外接DDR,或者可以通过预处理模块进行预处理,然后将预处理后的合约代码存入外接DDR。如果在存入外接DDR之前未通过预处理模块进行预处理,那么明文计算模块在用于执行该合约代码之前,需要临时通过预处理模块实施预处理操作,然后由明文计算模块对预处理后的合约代码进行处理。可见,如果将经过预处理模块实施预处理之后的合约代码存入外接DDR,则从外接DDR获得的合约代码已经过预处理,使得明文计算模块无需临时实施预处理操作而可以直接执行该合约代码,从而加快交易执行速度、降低延迟。For private transactions used to deploy smart contracts, after the FPGA board obtains the contract code to be deployed, it can be directly stored in the external DDR, or it can be preprocessed through the preprocessing module, and then the preprocessed contract code can be stored in the external DDR. If it is not preprocessed by the preprocessing module before storing in the external DDR, the plaintext calculation module needs to temporarily perform preprocessing operations through the preprocessing module before it is used to execute the contract code, and then the plaintext calculation module performs preprocessing operations on the preprocessed Contract code for processing. It can be seen that if the contract code that has been preprocessed by the preprocessing module is stored in the external DDR, the contract code obtained from the external DDR has been preprocessed, so that the plaintext calculation module can directly execute the contract code without temporarily performing preprocessing operations. , Thereby speeding up transaction execution and reducing delays.
针对合约代码的预处理可以包括若干维度,并且针对不同语言或规则所编写的合约代码,所涉及的预处理维度可能存在差异。以wasm智能合约的合约代码为例,预处理可以包括以下两个方面:The preprocessing of contract code can include several dimensions, and the preprocessing dimensions involved may be different for contract codes written in different languages or rules. Taking the contract code of the wasm smart contract as an example, preprocessing can include the following two aspects:
1)数据格式转换。对合约代码进行数据结构解析,并转换为所需的预设格式的数据结构,以便于后续执行。1) Data format conversion. Analyze the data structure of the contract code and convert it to the required data structure of the preset format for subsequent execution.
2)调整jump指令的偏移量。下述两个方面可能导致jump指令的偏移量产生更新:通过解析合约代码中的jump指令,将jump指令对应的symbol标识转换为片上处理器能够识别的地址信息,使得合约代码的长度发生变化;对合约代码中经过编码的操作数进行解码,使得合约代码的长度发生变化,这里的编码方式譬如可以包括LEB(Little-Endian Base)编码或其他编码。2) Adjust the offset of the jump instruction. The following two aspects may cause the offset of the jump instruction to be updated: by parsing the jump instruction in the contract code, the symbol identifier corresponding to the jump instruction is converted into address information that can be recognized by the on-chip processor, so that the length of the contract code changes ; Decode the encoded operands in the contract code, so that the length of the contract code changes. The encoding method here may include LEB (Little-Endian Base) encoding or other encodings, for example.
当FPGA板卡收到的隐私交易用于调用智能合约时,FPGA板卡可以从隐私交易的to字段读取合约地址,并基于该合约地址从外接DDR中获得相应的代码程序,以供明文计算模块执行。其中,明文计算模块需要从前向后依次读取和执行代码程序所含的各条操作指令:When the privacy transaction received by the FPGA board is used to call the smart contract, the FPGA board can read the contract address from the to field of the privacy transaction, and obtain the corresponding code program from the external DDR based on the contract address for plaintext calculations Module execution. Among them, the plaintext calculation module needs to read and execute each operation instruction contained in the code program from front to back:
明文计算模块首先访问片上缓存模块,以从片上缓存模块中读取首条操作指令; 如果读取失败,即片上缓存模块中并未缓存有相应代码程序的首条操作指令,则FPGA板卡需要从外接DDR中读取该首条操作指令。确定出首条操作指令在外接DDR中的存储地址后,FPGA板卡并非仅读取该首条操作指令,而是读取该存储地址及其后续地址对应的一代码程序段,并存入片上缓存模块。The plaintext calculation module first accesses the on-chip cache module to read the first operation instruction from the on-chip cache module; if the read fails, that is, the first operation instruction of the corresponding code program is not cached in the on-chip cache module, the FPGA board needs Read the first operation instruction from the external DDR. After determining the storage address of the first operation instruction in the external DDR, the FPGA board does not only read the first operation instruction, but reads a code segment corresponding to the storage address and subsequent addresses, and stores it on the chip Cache module.
例如,图4是一示例性实施例提供的一种片上缓存模块的结构示意图。如图4所示,假定片上缓存模块包含B1、B2、B3、B4、B5和B6等缓存块,这些缓存块初始时为空。FPGA板卡可以按照单个缓存块的大小从外接DDR中读取上述的代码程序段,比如该代码程序段可以被存入图4所示的B1缓存块中。因此,在B1缓存块中除了包含上述的首条操作指令即指令1之外,还包含位于该指令1之后的其他指令。For example, FIG. 4 is a schematic structural diagram of an on-chip cache module provided by an exemplary embodiment. As shown in Figure 4, it is assumed that the on-chip cache module contains cache blocks such as B1, B2, B3, B4, B5, and B6, and these cache blocks are initially empty. The FPGA board can read the above-mentioned code program segment from the external DDR according to the size of a single cache block. For example, the code program segment can be stored in the B1 cache block shown in FIG. 4. Therefore, in addition to the above-mentioned first operation instruction, that is, instruction 1, the B1 cache block also contains other instructions after instruction 1.
在将上述代码程序段存入片上缓存模块之后,明文计算模块可以从片上缓存模块的缓存块B1中读取指令1即上述的首条操作指令并执行。在完成对指令1的执行操作后,明文计算模块需要依次执行后续的操作指令。而由于FPGA板卡在前述步骤中,已经将指令1及其后续的若干指令一并读取并存入了缓存块B1,因而明文计算模块可以直接从片上缓存模块的缓存块B1读取后续的操作指令,而无需FPGA板卡临时从外接DDR读取,省去了明文计算模块的等待时间,可以加快对智能合约的执行速度。After the above code program segment is stored in the on-chip cache module, the plaintext calculation module can read instruction 1, that is, the above-mentioned first operation instruction, from the cache block B1 of the on-chip cache module and execute it. After completing the execution operation of instruction 1, the plaintext calculation module needs to execute subsequent operation instructions in sequence. In the previous steps, the FPGA board has read instruction 1 and several subsequent instructions together and stored them in the cache block B1, so the plaintext calculation module can directly read the subsequent instructions from the cache block B1 of the on-chip cache module. Operation instructions, without the need for the FPGA board to temporarily read from the external DDR, saves the waiting time of the plaintext calculation module, and can speed up the execution of the smart contract.
类似地,FPGA板卡还可以自动从外接DDR中读取后续的其他指令,而明文计算模块等待。例如,图5是一示例性实施例提供的一种在片上缓存模块中实现预加载的示意图。如图5所示,如果监测到先前存入缓存块B1中的数据已经被明文计算模块读取达到或超过50%(或者其他比例),那么FPGA板卡可以自动从外接DDR中读取操作指令并存入片上缓存模块。例如,FPGA板卡可以根据先前存入缓存块B1的代码程序段在外接DDR中对应的终止地址,并从终止地址的后一存储地址开始向后读取一代码程序段,并存入片上缓存模块中的诸如缓存块B2中,以供明文计算模块继续读取。基于上述方式,明文计算模块总是能够在片上缓存模块中直接读取操作指令,而无需等待FPGA板卡临时从外接DDR进行读取。Similarly, the FPGA board can also automatically read other subsequent instructions from the external DDR, while the plaintext calculation module waits. For example, FIG. 5 is a schematic diagram of implementing preloading in an on-chip cache module according to an exemplary embodiment. As shown in Figure 5, if it is detected that the data previously stored in the buffer block B1 has been read by the plaintext calculation module to reach or exceed 50% (or other proportions), then the FPGA board can automatically read the operation instructions from the external DDR And stored in the on-chip cache module. For example, the FPGA board can read the corresponding end address in the external DDR according to the code segment previously stored in the buffer block B1, and read a code segment backward from the memory address after the end address, and store it in the on-chip cache In the module, such as cache block B2, for the plaintext calculation module to continue reading. Based on the above method, the plaintext calculation module can always read the operation instructions directly from the on-chip cache module without waiting for the FPGA board to temporarily read from the external DDR.
片上缓存模块的存储空间有限。因而,片上缓存模块通过淘汰机制对所存储的不常用数据进行淘汰,以提升存储空间的使用效率。例如,可以为每一缓存块设定权重,使得权重相对更大的缓存块相对不容易被淘汰,权重相对更小的缓存块相对容易被淘汰。相应地,可以为包含智能合约的合约代码的首条操作指令的缓存块设置相对更大的权重,使得包含首条操作指令的缓存块相对更加不容易被淘汰,那么对于一些经常被执行的智能合约,明文计算模块可以直接从片上缓存模块中读取其首条操作指令,再配合上述方 案中对后续操作指令的预加载操作,可使明文计算模块无延迟地从片上缓存模块中读取相应智能合约的所有合约代码,具有极高的执行效率。The storage space of the on-chip cache module is limited. Therefore, the on-chip cache module eliminates the stored infrequently used data through the elimination mechanism to improve the efficiency of the storage space. For example, a weight can be set for each cache block, so that a cache block with a relatively larger weight is relatively less likely to be eliminated, and a cache block with a relatively smaller weight is relatively easy to be eliminated. Correspondingly, a relatively larger weight can be set for the cache block containing the first operation instruction of the contract code of the smart contract, so that the cache block containing the first operation instruction is relatively less likely to be eliminated, so for some smart contracts that are often executed Contract, the plaintext calculation module can directly read its first operation instruction from the on-chip cache module, and then cooperate with the preload operation of the subsequent operation instructions in the above scheme, so that the plaintext calculation module can read the corresponding from the on-chip cache module without delay All contract codes of smart contracts have extremely high execution efficiency.
基于一些原因,用户可能希望对FPGA板卡上部署的电路逻辑配置文件进行版本更新,比如该电路逻辑配置文件所含的认证根密钥可能被风险用户获知、再比如用户希望对FPGA板卡上部署的功能模块进行升级等,本说明书并不对此进行限制。为了便于区分,可以将上述过程中已部署的电路逻辑配置文件称之为旧版电路逻辑配置文件,而将需要部署的电路逻辑配置文件称之为新版电路逻辑配置文件。For some reasons, the user may want to update the version of the circuit logic configuration file deployed on the FPGA board. For example, the authentication root key contained in the circuit logic configuration file may be known by risky users, or the user wants to update the version on the FPGA board. The deployed functional modules are upgraded, etc. This manual does not limit this. In order to facilitate the distinction, the circuit logic configuration file that has been deployed in the above process can be referred to as the old version of the circuit logic configuration file, and the circuit logic configuration file that needs to be deployed is referred to as the new version of the circuit logic configuration file.
与旧版电路逻辑配置文件相类似的,用户可以通过编写代码、镜像化等过程生成新版电路逻辑配置文件。进一步的,用户可以通过自身持有的私钥对新版电路逻辑配置文件进行签名,然后通过上文协商出的配置文件部署密钥对签名后的新版电路逻辑配置文件进行加密,得到加密后新版电路逻辑配置文件。在一些情况下,可能同时存在多名用户,那么旧版电路逻辑配置文件需要将这些用户对应的预置证书均部署至FPGA板卡中,且这些用户需要分别采用自身持有的私钥对新版电路逻辑配置文件进行签名。Similar to the old version of the circuit logic configuration file, the user can generate a new version of the circuit logic configuration file through the process of writing code and mirroring. Further, the user can sign the new version of the circuit logic configuration file with his own private key, and then encrypt the signed new version of the circuit logic configuration file with the configuration file deployment key negotiated above to obtain the encrypted new version of the circuit Logical configuration file. In some cases, there may be multiple users at the same time, so the old version of the circuit logic configuration file needs to deploy the preset certificates corresponding to these users to the FPGA board, and these users need to use their own private keys to pair the new version of the circuit. Sign the logical configuration file.
用户可以通过客户端远程将加密后新版电路逻辑配置文件发送至区块链节点,并由区块链节点进一步将其传入FPGA板卡。前述过程中在FPGA芯片上形成的解密验签模块位于PCIE接口与Flash芯片之间的传输通路上,使得加密后新版电路逻辑配置文件必然需要优先经过解密验签模块的成功处理后,才能够被传入Flash芯片以实现可信更新,无法绕过解密验签的过程而直接对Flash芯片进行更新。The user can remotely send the encrypted new version of the circuit logic configuration file to the blockchain node through the client, and the blockchain node will further transfer it to the FPGA board. The decryption verification module formed on the FPGA chip in the foregoing process is located on the transmission path between the PCIE interface and the Flash chip, so that the encrypted new version of the circuit logic configuration file must first be successfully processed by the decryption verification module before it can be The Flash chip is passed in to achieve a credible update, and the Flash chip cannot be updated directly without bypassing the process of decryption and verification.
解密验签模块在收到加密后新版电路逻辑配置文件后,首先通过FPGA板卡上部署的配置文件部署密钥进行解密,如果解密成功则解密验签模块进一步基于FPGA芯片上部署的预置证书,对解密后的新版电路逻辑配置文件进行签名验证。如果解密失败或者签名验证未通过,则说明收到的文件并非来自上述用户或者遭到篡改,解密验签模块将触发终止本次的更新操作;而在解密成功且验签通过的情况下,可以确定得到的新版电路逻辑配置文件来自上述用户且传输过程中未遭到篡改,可以将该新版电路逻辑配置文件进一步传输至Flash芯片,以针对Flash芯片中的旧版电路逻辑配置文件进行更新部署。After the decryption verification module receives the encrypted new version of the circuit logic configuration file, it first decrypts it with the configuration file deployment key deployed on the FPGA board. If the decryption is successful, the decryption verification module is further based on the preset certificate deployed on the FPGA chip , To perform signature verification on the decrypted new version of the circuit logic configuration file. If the decryption fails or the signature verification fails, it means that the received file is not from the above-mentioned user or has been tampered with, and the decryption and signature verification module will trigger the termination of the update operation; and if the decryption is successful and the signature verification is passed, you can It is determined that the obtained new version of the circuit logic configuration file is from the aforementioned user and has not been tampered with during the transmission process. The new version of the circuit logic configuration file can be further transmitted to the Flash chip to update and deploy the old version of the circuit logic configuration file in the Flash chip.
新版电路逻辑配置文件被加载至FPGA芯片后,同样可以在该FPGA芯片上形成诸如上述的明文计算模块、片上缓存模块、密钥协商模块、加解密模块、解密验签模块,以及向FPGA芯片存入预置证书、向密管芯片存入认证根密钥等信息。其中,所形成的明文计算模块、片上缓存模块、密钥协商模块、加解密模块、解密验签模块等,所实现 的功能逻辑可以发生变化和升级,所存入部署的预置证书、认证根密钥等信息也可能区别于更新前的信息。那么,FPGA板卡可以基于更新后的密钥协商模块、认证根密钥等,与用户进行远程协商得到新的配置文件部署密钥,该配置文件部署密钥可以被用于下一次的可新更新过程。类似地,可以据此不断实现针对FPGA板卡的可信更新操作。After the new version of the circuit logic configuration file is loaded into the FPGA chip, the above-mentioned plaintext calculation module, on-chip cache module, key agreement module, encryption and decryption module, decryption verification module, and storage in the FPGA chip can also be formed on the FPGA chip. Enter the preset certificate, and store the authentication root key to the secret management chip and other information. Among them, the formed plaintext calculation module, on-chip cache module, key agreement module, encryption/decryption module, decryption and signature verification module, etc., the implemented functional logic can be changed and upgraded, and stored in the deployed preset certificate, authentication root Information such as keys may also be different from the information before the update. Then, the FPGA board can remotely negotiate with the user to obtain a new configuration file deployment key based on the updated key agreement module, authentication root key, etc., and the configuration file deployment key can be used for the next renewal Update process. Similarly, a reliable update operation for FPGA boards can be continuously implemented accordingly.
在完成更新部署后,FPGA板卡可以针对新版电路逻辑配置文件生成认证结果。例如,上述的密钥协商模块可以通过诸如sm3算法或其他算法对新版电路逻辑配置文件的哈希值、基于新版电路逻辑配置文件协商得到的配置文件部署密钥的哈希值进行计算,得到的计算结果可以被作为上述的认证结果,并由密钥协商模块将该认证结果发送至用户。相应地,用户可以在客户端上基于所维护的新版电路逻辑配置文件和据此协商的配置文件部署密钥对认证结果进行验证,如果验证成功则表明新版电路逻辑配置文件在FPGA板卡上成功部署,且用户与FPGA板卡之间据此成功协商得到了一致的配置文件部署密钥,从而确认成功完成了针对电路逻辑配置文件的更新部署。After completing the update deployment, the FPGA board can generate certification results for the new version of the circuit logic configuration file. For example, the above-mentioned key agreement module can calculate the hash value of the new version of the circuit logic configuration file and the hash value of the configuration file deployment key negotiated based on the new version of the circuit logic configuration file through an algorithm such as sm3 or other algorithms. The calculation result can be used as the above-mentioned authentication result, and the key agreement module sends the authentication result to the user. Correspondingly, the user can verify the authentication result on the client based on the maintained new version of the circuit logic configuration file and the configuration file deployment key negotiated accordingly. If the verification is successful, it indicates that the new version of the circuit logic configuration file is successful on the FPGA board. Deployed, and the user and the FPGA board successfully negotiated accordingly to obtain a consistent configuration file deployment key, thereby confirming the successful completion of the circuit logic configuration file update deployment.
图6是一示例性实施例提供的一种在FPGA上实现高效合约调用的装置的示意结构图。请参考图6,在软件实施方式中,该装置可以包括:加载单元601,使FPGA结构向自身包含的FPGA芯片加载已部署的电路逻辑配置文件,以在所述FPGA芯片上分别形成片上处理器和片上缓存;其中,所述FPGA结构还包含与所述FPGA芯片相连的外部存储;确定单元602,使所述FPGA结构确定所属区块链节点接收到的交易调用的智能合约;读取单元603,使所述FPGA结构从所述片上缓存读取所述智能合约的代码程序以供所述片上处理器运行,所述代码程序由所述FPGA结构从所述外部存储获取并缓存至所述片上缓存。Fig. 6 is a schematic structural diagram of an apparatus for implementing efficient contract invocation on FPGA provided by an exemplary embodiment. Please refer to FIG. 6, in a software implementation, the device may include: a loading unit 601, which causes the FPGA structure to load the deployed circuit logic configuration file to the FPGA chip contained in itself, so as to form an on-chip processor on the FPGA chip. And on-chip cache; wherein, the FPGA structure also includes an external storage connected to the FPGA chip; a determining unit 602, enabling the FPGA structure to determine the smart contract of the transaction call received by the blockchain node to which it belongs; reading unit 603 , Enabling the FPGA structure to read the code program of the smart contract from the on-chip cache for the on-chip processor to run, and the code program is obtained by the FPGA structure from the external storage and cached on the chip Cache.
可选的,还包括:指令确定单元604,使所述FPGA结构确定所述片上处理器需要从所述代码程序中读取的操作指令;指令缓存单元605,使所述FPGA结构在所述片上缓存中不存在所述操作指令的情况下,从所述外部存储获取所述操作指令并缓存至所述片上缓存,以进一步提供至所述片上处理器。Optionally, it further includes: an instruction determining unit 604 to enable the FPGA structure to determine the operation instructions that the on-chip processor needs to read from the code program; an instruction cache unit 605 to enable the FPGA structure to be on the chip If the operation instruction does not exist in the cache, the operation instruction is obtained from the external storage and cached in the on-chip cache, so as to be further provided to the on-chip processor.
可选的,所述指令缓存单元605具体用于:使所述FPGA结构从所述外部存储获取包含所述操作指令的代码程序段,并缓存至所述片上缓存。Optionally, the instruction cache unit 605 is specifically configured to: enable the FPGA structure to obtain the code program segment containing the operation instruction from the external storage, and cache it in the on-chip cache.
可选的,所述指令缓存单元605具体用于:使所述FPGA结构确定所述操作指令在所述外部存储中的起始存储地址;使所述FPGA结构从所述外部存储获取包含所述起始存储地址的预设地址段,所述代码程序段位于所述预设地址段。Optionally, the instruction cache unit 605 is specifically configured to: enable the FPGA structure to determine the initial storage address of the operation instruction in the external storage; and enable the FPGA structure to obtain from the external storage including the The preset address segment of the initial storage address, and the code program segment is located in the preset address segment.
可选的,所述预设地址段包括所述起始存储地址和位于所述起始存储地址之后的 地址。Optionally, the preset address segment includes the initial storage address and an address located after the initial storage address.
可选的,所述预设地址段的长度为所述片上缓存中的单个缓存块的缓存长度。Optionally, the length of the preset address segment is the cache length of a single cache block in the on-chip cache.
可选的,所述指令缓存单元605具体用于:使所述FPGA结构在所述片上缓存内的所述代码程序段的已读取比例达到预设比例的情况下,从所述外部存储预获取所述代码程序段之后的其他代码程序段,并缓存至所述片上缓存。Optionally, the instruction cache unit 605 is specifically configured to: in the case where the read ratio of the code program segments in the on-chip cache of the FPGA structure reaches a preset ratio, store the preset ratio from the outside. Obtain other code program segments after the code program segment and cache them in the on-chip cache.
可选的,所述代码程序被加密后存储于所述外部存储中;所述装置还包括:解密单元606,使所述FPGA结构通过所述FPGA芯片上的解密模块对所述代码程序进行解密,以将解密后的代码程序缓存至所述片上缓存;其中,所述解密模块由所述FPGA芯片加载所述已部署的电路逻辑配置文件而形成。Optionally, the code program is encrypted and stored in the external storage; the device further includes: a decryption unit 606, which enables the FPGA structure to decrypt the code program through a decryption module on the FPGA chip , To cache the decrypted code program to the on-chip cache; wherein, the decryption module is formed by loading the deployed circuit logic configuration file by the FPGA chip.
可选的,还包括:预处理单元607,使所述FPGA结构通过所述FPGA芯片上的预处理模块对所述代码程序进行预处理,以将预处理后的代码程序缓存至所述片上缓存;其中,所述预处理模块由所述FPGA芯片加载所述已部署的电路逻辑配置文件而形成。Optionally, it further includes: a preprocessing unit 607, which enables the FPGA structure to preprocess the code program through the preprocessing module on the FPGA chip, so as to cache the preprocessed code program in the on-chip cache ; Wherein, the preprocessing module is formed by loading the deployed circuit logic configuration file by the FPGA chip.
可选的,所述预处理包括以下至少之一:将代码程序所含的各个字段解析并转换为预设数据结构;调整所述代码程序中的跳转指令的偏移量。Optionally, the preprocessing includes at least one of the following: parsing and converting each field contained in the code program into a preset data structure; adjusting the offset of the jump instruction in the code program.
可选的,所述片上缓存中包含若干缓存块;其中,包含智能合约中首条操作指令的缓存块对应于相对更大的权重,以使其在所述片上缓存中的存留时长相对更长。Optionally, the on-chip cache includes several cache blocks; wherein, the cache block containing the first operation instruction in the smart contract corresponds to a relatively larger weight, so that the on-chip cache has a relatively longer duration .
上述实施例阐明的系统、装置、模块或单元,具体可以由计算机芯片或实体实现,或者由具有某种功能的产品来实现。一种典型的实现设备为计算机,计算机的具体形式可以是个人计算机、膝上型计算机、蜂窝电话、相机电话、智能电话、个人数字助理、媒体播放器、导航设备、电子邮件收发设备、游戏控制台、平板计算机、可穿戴设备或者这些设备中的任意几种设备的组合。The systems, devices, modules, or units explained in the above embodiments may be implemented by computer chips or entities, or implemented by products with certain functions. A typical implementation device is a computer. The specific form of the computer can be a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email receiving and sending device, and a game control A console, a tablet computer, a wearable device, or a combination of any of these devices.
在一个典型的配置中,计算机包括一个或多个处理器(CPU)、输入/输出接口、网络接口和内存。In a typical configuration, the computer includes one or more processors (CPU), input/output interfaces, network interfaces, and memory.
内存可能包括计算机可读介质中的非永久性存储器,随机存取存储器(RAM)和/或非易失性内存等形式,如只读存储器(ROM)或闪存(flash RAM)。内存是计算机可读介质的示例。The memory may include non-permanent memory in a computer readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer readable media.
计算机可读介质包括永久性和非永久性、可移动和非可移动媒体可以由任何方法或技术来实现信息存储。信息可以是计算机可读指令、数据结构、程序的模块或其他数据。计算机的存储介质的例子包括,但不限于相变内存(PRAM)、静态随机存取存储器(SRAM)、动态随机存取存储器(DRAM)、其他类型的随机存取存储器(RAM)、 只读存储器(ROM)、电可擦除可编程只读存储器(EEPROM)、快闪记忆体或其他内存技术、只读光盘只读存储器(CD-ROM)、数字多功能光盘(DVD)或其他光学存储、磁盒式磁带、磁盘存储、量子存储器、基于石墨烯的存储介质或其他磁性存储设备或任何其他非传输介质,可用于存储可以被计算设备访问的信息。按照本文中的界定,计算机可读介质不包括暂存电脑可读媒体(transitory media),如调制的数据信号和载波。Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology. The information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, Magnetic cassettes, disk storage, quantum memory, graphene-based storage media or other magnetic storage devices or any other non-transmission media can be used to store information that can be accessed by computing devices. According to the definition in this article, computer-readable media does not include transitory media, such as modulated data signals and carrier waves.
还需要说明的是,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、商品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、商品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、商品或者设备中还存在另外的相同要素。It should also be noted that the terms "include", "include" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or equipment including a series of elements not only includes those elements, but also includes Other elements that are not explicitly listed, or they also include elements inherent to such processes, methods, commodities, or equipment. If there are no more restrictions, the element defined by the sentence "including a..." does not exclude the existence of other identical elements in the process, method, commodity, or equipment that includes the element.
上述对本说明书特定实施例进行了描述。其它实施例在所附权利要求书的范围内。在一些情况下,在权利要求书中记载的动作或步骤可以按照不同于实施例中的顺序来执行并且仍然可以实现期望的结果。另外,在附图中描绘的过程不一定要求示出的特定顺序或者连续顺序才能实现期望的结果。在某些实施方式中,多任务处理和并行处理也是可以的或者可能是有利的。The foregoing describes specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps described in the claims may be performed in a different order than in the embodiments and still achieve desired results. In addition, the processes depicted in the drawings do not necessarily require the specific order or sequential order shown in order to achieve the desired results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
在本说明书一个或多个实施例使用的术语是仅仅出于描述特定实施例的目的,而非旨在限制本说明书一个或多个实施例。在本说明书一个或多个实施例和所附权利要求书中所使用的单数形式的“一种”、“所述”和“该”也旨在包括多数形式,除非上下文清楚地表示其他含义。还应当理解,本文中使用的术语“和/或”是指并包含一个或多个相关联的列出项目的任何或所有可能组合。The terms used in one or more embodiments of this specification are only for the purpose of describing specific embodiments, and are not intended to limit one or more embodiments of this specification. The singular forms "a", "said" and "the" used in one or more embodiments of this specification and the appended claims are also intended to include plural forms, unless the context clearly indicates other meanings. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more associated listed items.
应当理解,尽管在本说明书一个或多个实施例可能采用术语第一、第二、第三等来描述各种信息,但这些信息不应限于这些术语。这些术语仅用来将同一类型的信息彼此区分开。例如,在不脱离本说明书一个或多个实施例范围的情况下,第一信息也可以被称为第二信息,类似地,第二信息也可以被称为第一信息。取决于语境,如在此所使用的词语“如果”可以被解释成为“在……时”或“当……时”或“响应于确定”。It should be understood that, although the terms first, second, third, etc. may be used to describe various information in one or more embodiments of this specification, the information should not be limited to these terms. These terms are only used to distinguish the same type of information from each other. For example, without departing from the scope of one or more embodiments of this specification, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information. Depending on the context, the word "if" as used herein can be interpreted as "when" or "when" or "in response to determination".
以上所述仅为本说明书一个或多个实施例的较佳实施例而已,并不用以限制本说明书一个或多个实施例,凡在本说明书一个或多个实施例的精神和原则之内,所做的任何修改、等同替换、改进等,均应包含在本说明书一个或多个实施例保护的范围之内。The foregoing descriptions are only preferred embodiments of one or more embodiments of this specification, and are not intended to limit one or more embodiments of this specification. All within the spirit and principle of one or more embodiments of this specification, Any modification, equivalent replacement, improvement, etc. made should be included in the protection scope of one or more embodiments of this specification.

Claims (14)

  1. 一种在FPGA上实现高效合约调用的方法,包括:A method for implementing efficient contract calls on FPGA, including:
    FPGA结构向自身包含的FPGA芯片加载已部署的电路逻辑配置文件,以在所述FPGA芯片上分别形成片上处理器和片上缓存;其中,所述FPGA结构还包含与所述FPGA芯片相连的外部存储;The FPGA structure loads the deployed circuit logic configuration files to the FPGA chip contained therein to form an on-chip processor and an on-chip cache respectively on the FPGA chip; wherein, the FPGA structure also includes an external storage connected to the FPGA chip ;
    所述FPGA结构确定所属区块链节点接收到的交易调用的智能合约;The FPGA structure determines the smart contract called by the transaction received by the blockchain node to which it belongs;
    所述FPGA结构从所述片上缓存读取所述智能合约的代码程序以供所述片上处理器运行,所述代码程序由所述FPGA结构从所述外部存储获取并缓存至所述片上缓存。The FPGA structure reads the code program of the smart contract from the on-chip cache for the on-chip processor to run, and the code program is obtained by the FPGA structure from the external storage and cached in the on-chip cache.
  2. 根据权利要求1所述的方法,还包括:The method according to claim 1, further comprising:
    所述FPGA结构确定所述片上处理器需要从所述代码程序中读取的操作指令;The FPGA structure determines the operation instructions that the on-chip processor needs to read from the code program;
    所述FPGA结构在所述片上缓存中不存在所述操作指令的情况下,从所述外部存储获取所述操作指令并缓存至所述片上缓存,以进一步提供至所述片上处理器。When the operation instruction does not exist in the on-chip cache, the FPGA structure obtains the operation instruction from the external storage and caches the operation instruction in the on-chip cache, so as to be further provided to the on-chip processor.
  3. 根据权利要求2所述的方法,所述FPGA结构从所述外部存储获取所述操作指令并缓存至所述片上缓存,包括:The method according to claim 2, wherein the FPGA structure obtains the operation instruction from the external storage and caches it in the on-chip cache, comprising:
    所述FPGA结构从所述外部存储获取包含所述操作指令的代码程序段,并缓存至所述片上缓存。The FPGA structure obtains the code program segment containing the operation instruction from the external storage, and caches it in the on-chip cache.
  4. 根据权利要求3所述的方法,所述FPGA结构从所述外部存储获取包含所述操作指令的代码程序段,包括:The method according to claim 3, the FPGA structure obtaining the code program segment containing the operation instruction from the external storage, comprising:
    所述FPGA结构确定所述操作指令在所述外部存储中的起始存储地址;The FPGA structure determines the initial storage address of the operation instruction in the external storage;
    所述FPGA结构从所述外部存储获取包含所述起始存储地址的预设地址段,所述代码程序段位于所述预设地址段。The FPGA structure obtains a preset address segment including the initial storage address from the external storage, and the code program segment is located in the preset address segment.
  5. 根据权利要求4所述的方法,所述预设地址段包括所述起始存储地址和位于所述起始存储地址之后的地址。The method according to claim 4, wherein the preset address segment includes the initial storage address and an address located after the initial storage address.
  6. 根据权利要求4所述的方法,所述预设地址段的长度为所述片上缓存中的单个缓存块的缓存长度。The method according to claim 4, wherein the length of the preset address segment is the cache length of a single cache block in the on-chip cache.
  7. 根据权利要求3所述的方法,所述FPGA结构从所述外部存储获取所述操作指令并缓存至所述片上缓存,还包括:The method according to claim 3, wherein the FPGA structure obtains the operation instructions from the external storage and caches them in the on-chip cache, further comprising:
    所述FPGA结构在所述片上缓存内的所述代码程序段的已读取比例达到预设比例的情况下,从所述外部存储预获取所述代码程序段之后的其他代码程序段,并缓存至所述片上缓存。When the FPGA structure has a read ratio of the code program segment in the on-chip cache reaching a preset ratio, pre-fetch other code program segments after the code program segment from the external storage, and cache it To the on-chip cache.
  8. 根据权利要求1所述的方法,所述代码程序被加密后存储于所述外部存储中; 所述方法还包括:The method according to claim 1, wherein the code program is encrypted and stored in the external storage; the method further comprises:
    所述FPGA结构通过所述FPGA芯片上的解密模块对所述代码程序进行解密,以将解密后的代码程序缓存至所述片上缓存;The FPGA structure decrypts the code program through a decryption module on the FPGA chip, so as to cache the decrypted code program in the on-chip cache;
    其中,所述解密模块由所述FPGA芯片加载所述已部署的电路逻辑配置文件而形成。Wherein, the decryption module is formed by loading the deployed circuit logic configuration file by the FPGA chip.
  9. 根据权利要求1所述的方法,还包括:The method according to claim 1, further comprising:
    所述FPGA结构通过所述FPGA芯片上的预处理模块对所述代码程序进行预处理,以将预处理后的代码程序缓存至所述片上缓存;The FPGA structure preprocesses the code program through the preprocessing module on the FPGA chip, so as to cache the preprocessed code program to the on-chip cache;
    其中,所述预处理模块由所述FPGA芯片加载所述已部署的电路逻辑配置文件而形成。Wherein, the preprocessing module is formed by loading the deployed circuit logic configuration file by the FPGA chip.
  10. 根据权利要求9所述的方法,所述预处理包括以下至少之一:将代码程序所含的各个字段解析并转换为预设数据结构;调整所述代码程序中的跳转指令的偏移量。The method according to claim 9, wherein the preprocessing comprises at least one of the following: parsing and converting each field contained in the code program into a preset data structure; adjusting the offset of the jump instruction in the code program .
  11. 根据权利要求1所述的方法,所述片上缓存中包含若干缓存块;其中,包含智能合约中首条操作指令的缓存块对应于相对更大的权重,以使其在所述片上缓存中的存留时长相对更长。The method according to claim 1, wherein the on-chip cache contains a number of cache blocks; wherein the cache block containing the first operation instruction in the smart contract corresponds to a relatively larger weight, so that the The retention time is relatively longer.
  12. 一种在FPGA上实现高效合约调用的装置,包括:A device for implementing efficient contract invocation on FPGA, including:
    加载单元,使FPGA结构向自身包含的FPGA芯片加载已部署的电路逻辑配置文件,以在所述FPGA芯片上分别形成片上处理器和片上缓存;其中,所述FPGA结构还包含与所述FPGA芯片相连的外部存储;The loading unit causes the FPGA structure to load the deployed circuit logic configuration file to the FPGA chip contained therein to form an on-chip processor and an on-chip cache respectively on the FPGA chip; wherein, the FPGA structure further includes the FPGA chip Connected external storage;
    确定单元,使所述FPGA结构确定所属区块链节点接收到的交易调用的智能合约;The determining unit enables the FPGA structure to determine the smart contract called by the transaction received by the blockchain node to which it belongs;
    读取单元,使所述FPGA结构从所述片上缓存读取所述智能合约的代码程序以供所述片上处理器运行,所述代码程序由所述FPGA结构从所述外部存储获取并缓存至所述片上缓存。The reading unit causes the FPGA structure to read the code program of the smart contract from the on-chip cache for the on-chip processor to run, and the code program is obtained by the FPGA structure from the external storage and cached to The on-chip cache.
  13. 一种电子设备,包括:An electronic device including:
    处理器;processor;
    用于存储处理器可执行指令的存储器;A memory for storing processor executable instructions;
    其中,所述处理器通过运行所述可执行指令以实现如权利要求1-11中任一项所述的方法。Wherein, the processor implements the method according to any one of claims 1-11 by running the executable instruction.
  14. 一种计算机可读存储介质,其上存储有计算机指令,该指令被处理器执行时实现如权利要求1-11中任一项所述方法的步骤。A computer-readable storage medium having computer instructions stored thereon, which, when executed by a processor, implements the steps of the method according to any one of claims 1-11.
PCT/CN2020/107162 2019-09-25 2020-08-05 Method and apparatus for realizing efficient contract calling on fpga WO2021057273A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910913458.9A CN110688341B (en) 2019-09-25 2019-09-25 Method and device for realizing efficient contract calling on FPGA (field programmable Gate array)
CN201910913458.9 2019-09-25

Publications (1)

Publication Number Publication Date
WO2021057273A1 true WO2021057273A1 (en) 2021-04-01

Family

ID=69110287

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/107162 WO2021057273A1 (en) 2019-09-25 2020-08-05 Method and apparatus for realizing efficient contract calling on fpga

Country Status (2)

Country Link
CN (2) CN113157635B (en)
WO (1) WO2021057273A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113157635B (en) * 2019-09-25 2024-01-05 支付宝(杭州)信息技术有限公司 Method and device for realizing contract call on FPGA
CN113485791B (en) * 2021-07-07 2022-06-03 上海壁仞智能科技有限公司 Configuration method, access method, device, virtualization system and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105653315A (en) * 2015-12-23 2016-06-08 北京工业大学 Block chain technology-based node operation system downloading method
US20180365686A1 (en) * 2017-06-19 2018-12-20 Hitachi, Ltd. Smart contract lifecycle management
CN109831298A (en) * 2019-01-31 2019-05-31 阿里巴巴集团控股有限公司 The method of security update key and node, storage medium in block chain
CN109886682A (en) * 2019-01-31 2019-06-14 阿里巴巴集团控股有限公司 The method and node, storage medium that contract calls are realized in block chain
WO2019120315A2 (en) * 2019-03-26 2019-06-27 Alibaba Group Holding Limited Field-programmable gate array based trusted execution environment for use in a blockchain network
CN110688341A (en) * 2019-09-25 2020-01-14 支付宝(杭州)信息技术有限公司 Method and device for realizing efficient contract calling on FPGA (field programmable Gate array)

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5369707A (en) * 1993-01-27 1994-11-29 Tecsec Incorporated Secure network method and apparatus
JP4755772B2 (en) * 2001-04-20 2011-08-24 テンパール工業株式会社 Program data remote update system for terminal equipment
CN102148754B (en) * 2010-12-30 2013-12-11 杭州华三通信技术有限公司 Loading method and device for FPGA (field programmable gate array) logic editions
EP2733617A4 (en) * 2012-06-30 2014-10-08 Huawei Tech Co Ltd Data buffer device, data storage system and method
CN104346584B (en) * 2014-10-31 2017-07-14 成都朗锐芯科技发展有限公司 A kind of FPGA system encryption and method for parameter configuration
US10095891B2 (en) * 2015-06-08 2018-10-09 Nuvoton Technology Corporation Secure access to peripheral devices over a bus
CN105376061B (en) * 2015-10-10 2019-02-01 广州慧睿思通信息科技有限公司 A kind of decryption hardware platform based on FPGA
CN106227503A (en) * 2016-07-29 2016-12-14 苏州国芯科技有限公司 Safety chip COS firmware update, service end, terminal and system
CN106569858B (en) * 2016-10-31 2019-08-20 锐捷网络股份有限公司 A kind of update method and circuit board of configuration file
CN108628638B (en) * 2017-03-16 2021-02-09 华为技术有限公司 Data processing method and device
JP2019092134A (en) * 2017-11-17 2019-06-13 株式会社シーエスサービス Encryption key generation method
CN107977217B (en) * 2017-11-22 2020-10-23 西南电子技术研究所(中国电子科技集团公司第十研究所) Method for online loading XILINX-FPGA multi-version updating program
CN109525400A (en) * 2018-11-01 2019-03-26 联想(北京)有限公司 Security processing, system and electronic equipment
CN110264195B (en) * 2019-05-20 2021-03-16 创新先进技术有限公司 Receipt storage method and node combining code marking with transaction and user type
CN110266644B (en) * 2019-05-20 2021-04-06 创新先进技术有限公司 Receipt storage method and node combining code marking and transaction types
CN113240519A (en) * 2019-05-30 2021-08-10 创新先进技术有限公司 Intelligent contract management method and device based on block chain and electronic equipment

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105653315A (en) * 2015-12-23 2016-06-08 北京工业大学 Block chain technology-based node operation system downloading method
US20180365686A1 (en) * 2017-06-19 2018-12-20 Hitachi, Ltd. Smart contract lifecycle management
CN109831298A (en) * 2019-01-31 2019-05-31 阿里巴巴集团控股有限公司 The method of security update key and node, storage medium in block chain
CN109886682A (en) * 2019-01-31 2019-06-14 阿里巴巴集团控股有限公司 The method and node, storage medium that contract calls are realized in block chain
WO2019120315A2 (en) * 2019-03-26 2019-06-27 Alibaba Group Holding Limited Field-programmable gate array based trusted execution environment for use in a blockchain network
CN110688341A (en) * 2019-09-25 2020-01-14 支付宝(杭州)信息技术有限公司 Method and device for realizing efficient contract calling on FPGA (field programmable Gate array)

Also Published As

Publication number Publication date
CN110688341A (en) 2020-01-14
CN110688341B (en) 2021-01-29
CN113157635A (en) 2021-07-23
CN113157635B (en) 2024-01-05

Similar Documents

Publication Publication Date Title
WO2021103794A1 (en) Method for realizing highly efficient privacy-preserving transaction in blockchain, and device
CN110032885B (en) Method, node and storage medium for implementing privacy protection in block chain
WO2020233623A1 (en) Receipt storage method and node combining transaction type and judgment condition
CN110020549B (en) Method, node and storage medium for implementing privacy protection in block chain
WO2020233635A1 (en) Receipt storage method combining conditional restrictions of multiple types of dimensions and node
WO2020233625A1 (en) Receipt storage method combining user type and determination conditions and node
WO2020233626A1 (en) Receipt storage method and node in combination with conditional limitation of transaction and user types
WO2020233615A1 (en) Receipt storage method combining user type and event function type and node
CN111901402A (en) Method, node and storage medium for implementing privacy protection in block chain
WO2020233631A1 (en) Transaction type-based receipt storage method and node
WO2020233628A1 (en) Receipt storage method and node based on combination of event function type and judgment condition
WO2021057181A1 (en) Fpga-based key negotiation method and device
WO2020233624A1 (en) Receipt storage method and node employing transaction type in combination with event function type
WO2020233619A1 (en) Receipt storage method and node in combination with user type and transaction type
WO2021057166A1 (en) Method and apparatus for implementing external call in fpga
WO2020233630A1 (en) User type-based receipt storing method and node
WO2021057168A1 (en) Method and apparatus for realizing virtual machine operation on the basis of fpga
WO2021057182A1 (en) Trusted update method and apparatus for fpga logic
WO2020233627A1 (en) Receipt storage method and node based on multiple types of dimensions
WO2021057180A1 (en) Fpga-based privacy blockchain implementation method, and device
WO2020233632A1 (en) Receipt storage method and node based on event function type
WO2020233629A1 (en) Object-level receipt storage method and node based on code labeling
WO2020233634A1 (en) Method and node for receipt storage combining transaction and event type condition restrictions
WO2020233633A1 (en) Receipt storage method and node based on determination condition
WO2021057184A1 (en) Efficient operation method and apparatus for security intelligent contract processor based on fpga

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20869903

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20869903

Country of ref document: EP

Kind code of ref document: A1