Disclosure of Invention
In view of this, an object of the present application is to provide a data encryption method, a processor, and a computer device, so as to overcome the slow speed and low operating efficiency of the existing approach in which a security processor copies memory data by means of a software program.
The embodiments of the application are realized as follows:
In a first aspect, an embodiment of the present application provides a data encryption method, where the method includes: the security processor acquires physical memory information to be encrypted; the security processor generates an indication command based on the physical memory information, where the indication command carries a data length, a source address for reading data from a memory and a destination address for writing data into the memory, and the data length specifies how much data is to be read; and the security processor sends the indication command to a cryptographic coprocessor, so that the cryptographic coprocessor executes the indication command to encrypt the data to be encrypted, which is read from the memory space pointed to by the source address and has the data length, and then writes the encrypted data into the memory space pointed to by the destination address. In this embodiment, the security processor packages the indication command and hands it to the cryptographic coprocessor, whose DMA (direct memory access) hardware module executes it in place of the existing pure-software method, so that the encryption speed of the memory of a virtual machine based on secure virtualization technology is improved and the overall start-up time of the virtual machine is effectively reduced.
With reference to a possible implementation manner of the embodiment of the first aspect, the generating, by the security processor, of an indication command based on the physical memory information includes: the security processor acquires a physical address and the data length from the physical memory information; the security processor marks the source address for reading data from the memory space pointed to by the physical address as unencrypted, and marks the destination address for writing data into that memory space as encrypted; and the security processor encapsulates the data length, the source address and the destination address to generate the indication command. In this embodiment, the memory controller is made to encrypt the written-back data by configuring the encryption flag bit, so the encryption function of the memory controller is fully utilized and the encryption speed of the virtual machine memory can be improved to the greatest extent.
With reference to a possible implementation manner of the embodiment of the first aspect, the generating, by the security processor, of an indication command based on the physical memory information includes: the security processor acquires a physical address and the data length from the physical memory information; based on the physical address, the security processor obtains a source address for reading data from the memory space pointed to by the physical address and a destination address for writing data into that memory space; and the security processor encapsulates the data length, the source address and the destination address to generate the indication command. In this embodiment, the encryption function of the cryptographic coprocessor is used to encrypt the written-back data, so the security processor does not need to configure the encryption flag bit when generating the indication command, and the time for configuring the encryption flag bit is saved.
With reference to a possible implementation manner of the embodiment of the first aspect, before the security processor encapsulates the data length, the source address and the destination address to generate the indication command, the method further includes: the security processor judges whether its own physical address bus width is smaller than the physical address bus width of the memory; if so, the security processor maps the source address from the physical address bus width of the memory to its own physical address bus width, and maps the destination address from the physical address bus width of the memory to its own physical address bus width. In this embodiment, before the required information is encapsulated into the indication command, it is judged whether the physical address bus width of the security processor is lower than that of the memory; if so, address mapping is performed on the source address and the destination address, converting both from the physical address bus width of the memory to the physical address bus width of the security processor, and the security processor then encapsulates the data length, the mapped source address and the mapped destination address to generate the indication command, so that the memory controller can complete the memory access and the success rate of memory access by the memory controller is ensured.
With reference to a possible implementation manner of the embodiment of the first aspect, the sending, by the security processor, of the indication command to the cryptographic coprocessor includes: the security processor sends the indication command to the cryptographic coprocessor through middleware. In this embodiment, no data channel is established directly between the security processor and the cryptographic coprocessor; instead, asynchronous communication is realized through the middleware, which reduces the requirements on the devices, since the receiving device and the sending device do not need to share the same clock.
In a second aspect, an embodiment of the present application further provides a data encryption method, where the method includes: the cryptographic coprocessor receives an indication command sent by a security processor, where the indication command includes a data length, a source address for reading data from a memory, and a destination address carrying an encryption flag bit for writing data into the memory; the cryptographic coprocessor sends a read instruction to a memory controller, so that the memory controller, based on the read instruction, reads data to be encrypted of the data length from the memory space pointed to by the source address, where the read instruction carries the data length and the source address; when the cryptographic coprocessor receives the data to be encrypted returned by the memory controller, it sends a write instruction to the memory controller, so that the memory controller, based on the write instruction, encrypts the data to be encrypted and writes the encrypted data into the memory space pointed to by the destination address, where the write instruction carries the data to be encrypted and the destination address. In this embodiment, the security processor packages the indication command and hands it to the cryptographic coprocessor, whose DMA hardware module executes it in place of the existing pure-software method, so that the encryption speed of the memory of a virtual machine based on secure virtualization technology is improved and the overall start-up time of the virtual machine is effectively reduced; at the same time, the encryption function of the memory controller is fully utilized to encrypt the data, so the encryption speed of the virtual machine memory can be improved to the greatest extent.
In a third aspect, an embodiment of the present application further provides a data encryption method, where the method includes: the cryptographic coprocessor receives an indication command sent by a security processor, where the indication command includes a data length, a source address for reading data from a memory, and a destination address for writing data into the memory; the cryptographic coprocessor sends a read instruction to a memory controller, so that the memory controller, based on the read instruction, reads data to be encrypted of the data length from the memory space pointed to by the source address, where the read instruction carries the data length and the source address; the cryptographic coprocessor encrypts the data to be encrypted and sends a write instruction to the memory controller, so that the memory controller, based on the write instruction, writes the encrypted data into the memory space pointed to by the destination address, where the write instruction carries the encrypted data to be written and the destination address. In this embodiment, the security processor packages the indication command and hands it to the cryptographic coprocessor, whose DMA hardware module executes it in place of the existing pure-software method, so that the encryption speed of the memory of a virtual machine based on secure virtualization technology is improved and the overall start-up time of the virtual machine is effectively reduced; at the same time, the written-back data is encrypted by the encryption function of the cryptographic coprocessor, so the encryption flag bit does not need to be configured and the time for configuring it is saved.
With reference to a possible implementation manner of the third aspect, when the destination address carries identification information characterizing the identity of a virtual machine, the encrypting, by the cryptographic coprocessor, of the data to be encrypted includes: the cryptographic coprocessor selects the key corresponding to the identification information to encrypt the data to be encrypted. In this embodiment, different keys are assigned to different virtual machines, so that when the data of a virtual machine is encrypted, the key corresponding to its identification information is selected, and the security of the data is further improved.
In a fourth aspect, an embodiment of the present application further provides a processor, including: a security processor and a cryptographic coprocessor; the security processor is configured to acquire physical memory information to be encrypted, to generate an indication command based on the physical memory information, and to send the indication command to the cryptographic coprocessor; the indication command carries a data length, a source address for reading data from a memory, and a destination address for writing data into the memory, where the data length specifies how much data is to be read; and the cryptographic coprocessor is configured to receive the indication command and execute it, so as to encrypt the data to be encrypted, which is read from the memory space pointed to by the source address and has the data length, and write the encrypted data into the memory space pointed to by the destination address.
With reference to a possible implementation manner of the embodiment of the fourth aspect, the destination address carries an encryption flag bit, and the security processor is configured to: acquire a physical address and the data length from the physical memory information; mark the source address for reading data from the memory space pointed to by the physical address as unencrypted, and mark the destination address for writing data into that memory space as encrypted; and encapsulate the data length, the source address and the destination address to generate the indication command. Accordingly, the processor further includes a memory controller; the cryptographic coprocessor is configured to send a read instruction to the memory controller, where the read instruction carries the data length and the source address; the memory controller is configured to read, based on the read instruction, data to be encrypted of the data length from the memory space pointed to by the source address, and to send the data to be encrypted to the cryptographic coprocessor; the cryptographic coprocessor is further configured to send a write instruction to the memory controller, where the write instruction carries the data to be encrypted and the destination address; and the memory controller is further configured to encrypt the data to be encrypted and, based on the write instruction, write the encrypted data into the memory space pointed to by the destination address.
With reference to a possible implementation manner of the fourth aspect, the destination address carries identification information for representing an identity of a virtual machine, and the memory controller is configured to select a key corresponding to the identification information to encrypt the data to be encrypted.
With reference to a possible implementation manner of the embodiment of the fourth aspect, the security processor is configured to: acquire a physical address and the data length from the physical memory information; based on the physical address, obtain a source address for reading data from the memory space pointed to by the physical address and a destination address for writing data into that memory space; and encapsulate the data length, the source address and the destination address to generate the indication command. Accordingly, the processor further includes a memory controller; the cryptographic coprocessor is configured to send a read instruction to the memory controller, where the read instruction carries the data length and the source address; the memory controller is configured to read, based on the read instruction, data to be encrypted of the data length from the memory space pointed to by the source address, and to send the data to be encrypted to the cryptographic coprocessor; the cryptographic coprocessor is further configured to encrypt the data to be encrypted and send a write instruction to the memory controller, where the write instruction carries the encrypted data and the destination address; and the memory controller is further configured to write, based on the write instruction, the encrypted data into the memory space pointed to by the destination address.
With reference to a possible implementation manner of the embodiment of the fourth aspect, the security processor is further configured to determine, before encapsulating the data length, the source address and the destination address to generate the indication command, whether the physical address bus width of the security processor is lower than the physical address bus width of the memory; and if so, to map the source address from the physical address bus width of the memory to the physical address bus width of the security processor, and to map the destination address from the physical address bus width of the memory to the physical address bus width of the security processor.
With reference to a possible implementation manner of the fourth aspect, the destination address carries identification information representing the identity of a virtual machine, and the cryptographic coprocessor is configured to select the key corresponding to the identification information to encrypt the data to be encrypted.
With reference to a possible implementation manner of the embodiment of the fourth aspect, the processor further includes a processor core on which a virtual machine monitor is deployed; the virtual machine monitor is configured to send an interaction request to the security processor, where the interaction request carries the physical memory information.
In a fifth aspect, an embodiment of the present application further provides a computer device, including: the memory and the processor provided in the fourth aspect embodiment and/or in combination with any possible implementation manner of the fourth aspect embodiment, where the processor is electrically connected to the memory.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and drawings.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, relational terms such as "first," "second," and the like may be used solely in the description herein to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Further, the term "and/or" in the present application is only one kind of association relationship describing the associated object, and means that three kinds of relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone.
Fig. 1 is a schematic diagram of the interaction between a processor and a memory according to an embodiment of the present disclosure. The processor includes: a processor core, a security processor (PSP), a cryptographic coprocessor (CC), and a memory controller (UMC). Each processor core is connected to the security processor and to the memory controller, and the security processor is also connected to the cryptographic coprocessor and to the memory controller. The cryptographic coprocessor and the security processor may be two independent integrated chips; in one embodiment, the cryptographic coprocessor is integrated into the security processor to keep the circuit footprint as small as possible.
The processor may be a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), an Accelerated Processing Unit (APU), or another type of processor such as a Network Processor (NP) or an application processor; in some products the application processor is the CPU itself.
In the embodiment of the application, the number of the processor cores in the processor is at least one, so that the computing capability is improved, the stability of a system is improved, and the like, and even if a certain processor core is damaged, the stable operation can be ensured. A Virtual Machine (VM) and a Virtual Machine Monitor (VMM) are disposed on at least one of the processor cores. In hardware virtualization technology, a VMM is used to isolate the virtual system from the host hardware. The VMM may also be referred to as a virtual machine manager and may run directly on the system hardware or on the host operating system. The VMM performs the mapping from virtual resources to physical resources and performs computations using local physical resources. When the virtual system accesses the system resource, the VMM takes over the request and returns the processing result to the virtual machine system, thus realizing the virtualization of a plurality of hardware devices and ensuring the effective isolation of the virtual system.
The Memory may be a Double Data Rate (DDR) Memory, or other memories, such as a Random Access Memory (RAM), a Dynamic Random Access Memory (DRAM), or the like.
In the start-up stage of a virtual machine, the virtual machine monitor needs to have the physical memory that stores the virtual machine data encrypted once in advance by means of the security processor. This requires the security processor to copy the unencrypted virtual machine memory data to its local memory by calling a software program and then write the data back to the virtual machine memory. Because a software implementation can only process data one machine word at a time, the processing speed for a large amount of data depends entirely on the instruction execution rate, and the instruction execution rate of the security processor is far lower than that of the central processing unit; copying memory data with a software program is therefore slow, inefficient, and makes the whole process take a long time. It should be noted that the defects described above were identified through the inventor's own practice and careful study, and therefore the discovery of these problems, as well as the solutions proposed in the following embodiments, should be regarded as the inventor's contribution to the present application.
In view of this, the present application provides a method for increasing the encryption speed by using the DMA (Direct Memory Access) hardware module of the cryptographic coprocessor. It addresses the slow speed and low operating efficiency of the current approach, in which a virtual machine monitor based on secure virtualization technology has the security processor encrypt the physical memory storing virtual machine data in advance, and the security processor copies the memory data with a software program. The process of using the DMA hardware module of the cryptographic coprocessor to increase the encryption speed is described below with reference to the schematic diagram of fig. 1.
In the initial stage of starting the virtual machine, the virtual machine monitor prepares the physical memory that will store the data of the virtual machine, places the prepared physical memory information in an interaction request, sends the request to the security processor for processing, and waits. The physical memory is used to store the virtual machine data of the virtual machine to be started and run. As one implementation, different virtual machines may correspond to different physical memories, so that the virtual machine data of different virtual machines are stored in different memory regions and do not interfere with each other.
After receiving the interaction request from the virtual machine monitor, the security processor acquires the physical memory information to be encrypted from the request and obtains an idle command queue corresponding to the cryptographic coprocessor. The security processor generates an indication command based on the physical memory information, adds the indication command to the idle command queue, and submits the queue to the cryptographic coprocessor for processing. The physical memory information includes a physical address of the memory and the length of the data to be encrypted, that is, the amount of data that needs to be read; correspondingly, the indication command includes the data length, a source address for reading data from the specified memory, and a destination address for writing data into the specified memory. The security processor may send the indication command to the cryptographic coprocessor through middleware (a queue or a stack), or it may send the indication command directly, in which case a data channel is established directly between the security processor and the cryptographic coprocessor and synchronous communication is used.
As one embodiment, the encryption and decryption functions of the memory controller may be used to encrypt the virtual machine data. Since the encryption and decryption are performed by the memory controller in this embodiment, after acquiring the physical address and the data length from the physical memory information, the security processor needs to set the encryption flag bit based on the physical address: it marks the source address for reading data from the memory space pointed to by the physical address as unencrypted, marks the destination address for writing data into the memory as encrypted, and encapsulates the data length, the source address (the physical address without the encryption flag bit) and the destination address (the physical address with the encryption flag bit) to generate the indication command. In this embodiment, the indication command includes: the data length, the source address without the encryption flag bit for reading data from the specified memory space, and the destination address with the encryption flag bit for writing data into the specified memory space. One bit of the destination address serves as the encryption flag bit that controls whether the memory controller encrypts the written-back data. For example, if the bit is 1, the data to be written back needs to be encrypted, and if the bit is 0, it does not; the opposite convention, in which 0 means encrypt and 1 means do not encrypt, is equally possible, and other values or identifiers may also be used to represent the encryption flag bit.
As one embodiment, the virtual machine data may be encrypted without using the encryption and decryption functions of the memory controller; in that case the encryption and decryption functions of the cryptographic coprocessor are used instead. Since the encryption and decryption are performed by the cryptographic coprocessor, the encryption flag bit need not be set in this embodiment. After acquiring the physical address and the data length from the physical memory information, the security processor directly encapsulates the data length, a source address for reading data from the memory space pointed to by the physical address, and a destination address for writing data into the memory, and generates the indication command. In this embodiment, the indication command includes: the data length, a source address for reading data from the specified memory, and a destination address for writing data into the specified memory.
It should be noted that, in the present application, the source address is relative to the read data, and the destination address is relative to the write data. In one embodiment, the source address and the destination address are the same physical address and both point to the same memory space.
It is contemplated that the physical address bus width of the security processor may sometimes be lower than the physical address bus width of the system memory. Therefore, optionally, before encapsulating the data length, the source address and the destination address to generate the indication command, the security processor may further determine whether its physical address bus width is lower than that of the system memory. If so, the security processor performs address mapping on the source address and the destination address, converting each from the physical address bus width of the system memory to the physical address bus width of the security processor, and then encapsulates the data length, the mapped source address and the mapped destination address to generate the indication command. If not, no address mapping is needed, and the security processor directly encapsulates the data length, the source address and the destination address to generate the indication command.
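To make the two command layouts concrete, the following is an added example in C (not code from the application) that models how a security processor could assemble the indication command for either embodiment and apply the address-width mapping before encapsulation. The bit positions of the encryption flag bit and of the virtual machine identifier, the 48-bit memory bus and 40-bit security-processor bus widths, and the window-offset mapping rule are all assumptions of this example; the application specifies none of them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout of a 64-bit command address (this example's assumption, not the
 * application's): bit 63 = encryption flag bit, bits 56..62 = virtual machine identifier
 * (ASID), bits 0..47 = physical address on the memory's 48-bit address bus. */
#define ENC_FLAG_BIT    63
#define ASID_SHIFT      56
#define ASID_MASK       0x7Full
#define MEM_ADDR_WIDTH  48
#define PSP_ADDR_WIDTH  40                   /* assumed narrower bus of the security processor */
#define PSP_WINDOW_BASE 0x100000000000ull    /* assumed start of the memory window the PSP can reach */

enum enc_engine { ENC_BY_MEMORY_CONTROLLER, ENC_BY_COPROCESSOR };

struct indication_command {
    uint64_t length;   /* number of bytes to read and write back */
    uint64_t src;      /* address the coprocessor reads plaintext from (never flagged) */
    uint64_t dst;      /* address the coprocessor writes to (flag bit and ASID live here) */
};

static uint64_t low_bits(unsigned width) { return width >= 64 ? ~0ull : (1ull << width) - 1; }

/* Address mapping when the PSP bus is narrower than the memory bus. The application
 * only says that a mapping takes place; the window-offset rule below is this example's own. */
static bool map_to_psp_width(uint64_t mem_addr, uint64_t *psp_addr)
{
    uint64_t tag  = mem_addr & ~low_bits(MEM_ADDR_WIDTH);   /* flag bit and ASID, kept as-is */
    uint64_t addr = mem_addr &  low_bits(MEM_ADDR_WIDTH);
    if (PSP_ADDR_WIDTH >= MEM_ADDR_WIDTH) { *psp_addr = mem_addr; return true; }
    if (addr < PSP_WINDOW_BASE) return false;
    uint64_t off = addr - PSP_WINDOW_BASE;
    if (off > low_bits(PSP_ADDR_WIDTH)) return false;       /* outside what the PSP can address */
    *psp_addr = tag | off;
    return true;
}

/* Build the indication command from the physical memory information. With
 * ENC_BY_MEMORY_CONTROLLER the destination is marked encrypted (second aspect);
 * with ENC_BY_COPROCESSOR no flag is set and the coprocessor encrypts (third aspect). */
bool build_indication_command(uint64_t phys, uint64_t length, unsigned asid,
                              enum enc_engine engine, struct indication_command *cmd)
{
    if (length == 0 || asid > ASID_MASK) return false;
    if (phys & ~low_bits(MEM_ADDR_WIDTH)) return false;             /* must fit on the memory bus */
    if (length > low_bits(MEM_ADDR_WIDTH) - phys + 1) return false; /* region must not wrap */
    uint64_t src = phys;                                            /* read side: unencrypted */
    uint64_t dst = phys | ((uint64_t)asid << ASID_SHIFT);           /* same space, tagged with the VM */
    if (engine == ENC_BY_MEMORY_CONTROLLER) dst |= 1ull << ENC_FLAG_BIT;
    if (!map_to_psp_width(src, &src) || !map_to_psp_width(dst, &dst)) return false;
    cmd->length = length;
    cmd->src = src;
    cmd->dst = dst;
    return true;
}

int main(void)
{
    struct indication_command cmd;
    /* constructed input: 4 KiB at 2^44 + 0x1000, belonging to virtual machine 5 */
    if (build_indication_command(0x100000001000ull, 4096, 5, ENC_BY_MEMORY_CONTROLLER, &cmd))
        printf("len=%llu src=0x%llx dst=0x%llx\n", (unsigned long long)cmd.length,
               (unsigned long long)cmd.src, (unsigned long long)cmd.dst);
    return 0;
}
```

The source address is never flagged, so the memory controller returns plaintext on the read; only the destination carries the flag bit, and only in the memory-controller embodiment. A request whose region lies outside the window the narrower bus can reach is rejected before a command is built, which is the failure the mapping step exists to avoid.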
When the destination address carries the encryption flag bit, in the embodiment, after receiving the indication command sent by the security processor, the password coprocessor analyzes the indication command to obtain the length of the data carried in the indication command, a source address without the encryption flag bit for reading the data from the specified memory, and a destination address with the encryption flag bit for writing the data into the specified memory; the method comprises the steps that a password coprocessor sends a read instruction to a memory controller, so that the memory controller reads data to be encrypted corresponding to the data length from a memory space pointed by a source address based on the read instruction, and sends the data to be encrypted to the password coprocessor, wherein the read instruction carries the data length and the source address; when the password coprocessor receives data to be encrypted returned by the memory controller, the password coprocessor sends a write instruction to the memory controller, so that the memory controller encrypts the data to be encrypted and writes the encrypted data into a memory space pointed by a destination address based on the write instruction, wherein the write instruction carries the data to be encrypted and the destination address. In the embodiment, the password coprocessor copies the data of the virtual machine memory to be encrypted to the local based on a DMA mode, then writes the data back to the virtual machine memory, and encrypts the written-back data by the memory controller in the process of writing back. Since the memory controller completes the encryption process of the memory data, the memory controller needs to be configured with the encryption flag bit of the system memory physical address to control the memory controller to encrypt the written-back data.
When the destination address does not carry the encryption flag bit, in the embodiment, after receiving the indication command sent by the security processor, the password coprocessor analyzes the indication command to obtain the length of the data carried in the indication command, a source address for reading the data from the specified memory and a destination address for writing the data into the specified memory; the method comprises the steps that a password coprocessor sends a read instruction to a memory controller, so that the memory controller reads data to be encrypted corresponding to the data length from a memory space pointed by a source address based on the read instruction, and sends the data to be encrypted to the password coprocessor, wherein the read instruction carries the data length and the source address; when receiving data to be encrypted returned by a memory controller, a password coprocessor encrypts the data and then sends a write instruction to the memory controller so that the memory controller writes the encrypted data into a memory space pointed by a destination address based on the write instruction, wherein the write instruction carries the encrypted data to be encrypted and the destination address. In this embodiment, the crypto coprocessor copies the virtual machine memory data to be encrypted to the local based on a DMA (direct memory access) mode (hardware), then encrypts the data, and then writes back the encrypted data to the virtual machine memory. Because the encryption process of the memory data is completed by the password coprocessor, the memory controller can be controlled to encrypt the written-back data without configuring an encryption flag bit of a system memory physical address.
Different virtual machines may use different encryption and decryption keys, which protects the data to the greatest extent. Therefore, in one embodiment, the physical address in the physical memory information that the virtual machine monitor sends to the security processor also carries identification information characterizing the identity of the virtual machine, such as an index value (ASID), and the destination address in the indication command sent by the security processor carries the same identification information. When the memory controller or the cryptographic coprocessor encrypts the data, it uses the key corresponding to the identification information (such as the index value) carried in the destination address. Taking the case in which the cryptographic coprocessor encrypts the data as an example: if the destination address carries identification information for the virtual machine, the cryptographic coprocessor selects the key corresponding to that identification information; if it does not, the cryptographic coprocessor selects a default key. In this embodiment one bit of the destination address is reserved for the identity tag of the virtual machine, so that the data is encrypted with the key corresponding to the identification information carried in that bit.
After receiving the processing result returned by the cryptographic coprocessor, the security processor returns it to the virtual machine monitor and waits for the next interaction request. The virtual machine monitor then obtains the returned result and continues processing the memory data, completing the memory encryption of the virtual machine.
Because the existing approach copies memory data with a software program, it can only process the data in a fixed word length; for large volumes of data the processing speed is bounded entirely by instruction execution speed, and the security processor executes instructions far more slowly than the central processing unit. Copying data from memory in software on the security processor is therefore slow, inefficient, and time-consuming as a whole. In the present application, the security processor encapsulates the indication command and hands it to the cryptographic coprocessor, whose DMA hardware module executes it. Replacing the pure software method with a hardware module raises the memory encryption speed of a virtual machine based on secure virtualization technology and effectively shortens the overall virtual machine start-up time. With this scheme, the memory encryption speed of such a virtual machine increases greatly, by about 6400% compared with that before optimization, the virtual machine start-up time is shortened, and the market competitiveness of a server CPU based on secure virtualization technology is enhanced.
As shown in fig. 2, this embodiment further provides a data encryption method applied to the processor described above. The steps of the method are described below with reference to fig. 2.
Step S101: the security processor obtains physical memory information to be encrypted.
At the initial stage of starting the virtual machine, the virtual machine monitor prepares the physical memory that stores the virtual machine data and sends the information about that physical memory to the security processor. After receiving the interaction request from the virtual machine monitor, the security processor obtains the physical memory information to be encrypted from the request. The physical memory information includes the physical address at which the data is stored and the length of the data to be encrypted.
Step S102: the secure processor sends an indication command to the cryptographic coprocessor.
The security processor generates the indication command based on the physical memory information. In one embodiment this proceeds as follows: the security processor obtains the physical address and the data length from the physical memory information; it configures the encryption flag bit based on the physical address, marking the source address used to read data from the memory space pointed to by the physical address as unencrypted and the destination address used to write the data back into the memory as encrypted; and it encapsulates the data length, the source address and the destination address into the indication command. In this embodiment the indication command therefore contains the data length, a source address without the encryption flag bit for reading data from the memory space, and a destination address with the encryption flag bit for writing data into the memory space.
In another embodiment the process is as follows: the security processor obtains the physical address and the data length from the physical memory information; based on the physical address it derives a source address for reading data from the memory space pointed to by the physical address and a destination address for writing the data back into the memory; and it encapsulates the data length, the source address and the destination address into the indication command. In this embodiment the indication command contains the data length, a source address for reading data from the memory space, and a destination address for writing data into the memory space, with no encryption flag bit.
The physical address bus width of the security processor may be narrower than that of the memory. In one embodiment, therefore, before encapsulating the data length, the source address and the destination address into the indication command, the security processor determines whether its physical address bus width is narrower than that of the memory. If so, it performs address mapping on the source and destination addresses, mapping them from the memory's physical address bus width to its own, and then encapsulates the data length and the mapped source and destination addresses into the indication command. If not, no mapping is needed, and it encapsulates the data length, the source address and the destination address directly. Any encryption flag bit or identification information carried in the destination address must survive this mapping, because the memory controller and the cryptographic coprocessor read them from the destination address when deciding whether and with which key to encrypt.
Step S103: and the password coprocessor executes the instruction command so as to encrypt the data to be encrypted, which is read from the memory space pointed by the source address and corresponds to the data length, and then write the encrypted data into the memory space pointed by the destination address.
In one embodiment the indication command contains the data length, a source address without the encryption flag bit for reading data from the memory, and a destination address with the encryption flag bit for writing data into the memory. The cryptographic coprocessor then sends a read instruction carrying the data length and the source address to the memory controller, and the memory controller reads the data to be encrypted, of the given length, from the memory space pointed to by the source address. When the cryptographic coprocessor receives the returned data, it sends a write instruction carrying the data to be encrypted and the destination address to the memory controller, and the memory controller encrypts the data and writes the encrypted data into the memory space pointed to by the destination address.
In another embodiment the indication command contains the data length, a source address for reading data from the memory, and a destination address for writing data into the memory. The cryptographic coprocessor sends a read instruction carrying the data length and the source address to the memory controller, and the memory controller reads the data to be encrypted, of the given length, from the memory space pointed to by the source address. The cryptographic coprocessor encrypts the data itself and then sends a write instruction carrying the encrypted data and the destination address to the memory controller, which writes the encrypted data into the memory space pointed to by the destination address.
Different virtual machines may use different encryption and decryption keys. Therefore, in one embodiment, the physical address in the physical memory information that the virtual machine monitor sends to the security processor also carries identification information representing the identity of the virtual machine, such as an index value (ASID), and the destination address in the indication command sent by the security processor carries the same identification information. When the memory controller or the cryptographic coprocessor encrypts the data, it uses the key corresponding to the identification information (such as the index value) carried in the destination address. Taking the case in which the cryptographic coprocessor encrypts the data as an example: if the destination address carries identification information for the virtual machine, the cryptographic coprocessor selects the key corresponding to that identification information; if it does not, the cryptographic coprocessor selects a default key.
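The following C program is an added software model of the two encryption paths described above (the flagged and unflagged destination address in the device embodiment) and of steps S101 to S103; it is not the firmware or hardware of the application. The bit positions (bit 47 as the encryption flag, bits 40 to 46 as the ASID), the simulated memory, the key table, the toy keystream that stands in for the memory encryption engine's cipher, and all function names are assumptions made for illustration. The model rejects a tagged address that does not fit a narrower security processor bus instead of guessing the unspecified address mapping.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout of the 48-bit address carried in the command (illustration only):
   bit 47 = encryption flag, bits 40..46 = virtual machine identity (ASID),
   bits 0..39 = location in memory. */
#define MEM_ADDR_BITS 48
#define ENC_FLAG      (1ULL << 47)
#define ASID_SHIFT    40
#define ASID_MASK     0x7FULL
#define PHYS_MASK     ((1ULL << ASID_SHIFT) - 1)
#define MEM_SIZE      4096                   /* bytes of simulated system memory */
#define NUM_KEYS      4

struct indication_cmd {
    uint64_t length;                         /* bytes to read and write back */
    uint64_t src;                            /* read address: no flag, no ASID */
    uint64_t dst;                            /* write address: flag and ASID as tagged */
};

uint8_t g_mem[MEM_SIZE];                     /* constructed: the simulated memory */

/* Constructed per-VM keys selected by ASID; index 0 is the default key. */
const uint64_t g_keys[NUM_KEYS] = { 0x0F1E2D3C4B5A6978ULL, 0x1111222233334444ULL,
                                    0x5555666677778888ULL, 0x9999AAAABBBBCCCCULL };

/* Toy keystream over key, address and byte index. It stands in for the memory
   encryption engine's cipher and is NOT secure; XOR makes it its own inverse. */
static uint8_t toy_keystream(uint64_t key, uint64_t phys, uint64_t i)
{
    uint64_t x = (key ^ (phys + i / 8)) * 0x9E3779B97F4A7C15ULL;
    x ^= x >> 29; x *= 0xBF58476D1CE4E5B9ULL; x ^= x >> 32;
    return (uint8_t)(x >> ((i % 8) * 8));
}

void toy_crypt(uint64_t key, uint64_t phys, uint8_t *buf, uint64_t len)
{
    for (uint64_t i = 0; i < len; i++) buf[i] ^= toy_keystream(key, phys, i);
}

static int key_for(uint64_t dst, uint64_t *key)   /* -1 if the ASID has no key */
{
    uint64_t asid = (dst >> ASID_SHIFT) & ASID_MASK;
    if (asid >= NUM_KEYS) return -1;
    *key = g_keys[asid]; return 0;
}

/* Step S102 (security processor): tag the destination and encapsulate the command.
   sp_addr_bits is the security processor's bus width; a tagged address that does not
   fit a narrower bus would need the (unspecified) address mapping, so return -2. */
int build_indication_cmd(uint64_t phys, uint64_t len, unsigned asid, int mc_encrypts,
                         unsigned sp_addr_bits, struct indication_cmd *cmd)
{
    if ((phys & ~PHYS_MASK) != 0) return -1;     /* already tagged or out of range */
    uint64_t dst = phys | ((uint64_t)(asid & ASID_MASK) << ASID_SHIFT);
    if (mc_encrypts) dst |= ENC_FLAG;            /* memory controller encrypts on write */
    if (sp_addr_bits < MEM_ADDR_BITS && (dst >> sp_addr_bits) != 0) return -2;
    cmd->length = len; cmd->src = phys; cmd->dst = dst;
    return 0;
}

/* Memory controller: reads are plain; a write whose address carries the flag is
   encrypted inside the controller with the key the ASID selects. */
int mc_read(uint64_t src, uint8_t *buf, uint64_t len)
{
    if (src > MEM_SIZE || len > MEM_SIZE - src) return -1;
    memcpy(buf, g_mem + src, len);
    return 0;
}

static int mc_write(uint64_t dst, uint8_t *buf, uint64_t len)
{
    uint64_t phys = dst & PHYS_MASK, key = 0;
    if (phys > MEM_SIZE || len > MEM_SIZE - phys) return -1;
    if ((dst & ENC_FLAG) && key_for(dst, &key) != 0) return -1;
    if (dst & ENC_FLAG) toy_crypt(key, phys, buf, len);
    memcpy(g_mem + phys, buf, len);
    return 0;
}

/* Step S103 (cryptographic coprocessor): DMA the data in, encrypt it locally unless
   the write-back is flagged for the memory controller, then DMA it back. */
int exec_indication_cmd(const struct indication_cmd *cmd)
{
    uint8_t local[MEM_SIZE];
    uint64_t key = 0;
    if (cmd->length > sizeof local || mc_read(cmd->src, local, cmd->length) != 0) return -1;
    if (!(cmd->dst & ENC_FLAG)) {
        if (key_for(cmd->dst, &key) != 0) return -1;
        toy_crypt(key, cmd->dst & PHYS_MASK, local, cmd->length);
    }
    return mc_write(cmd->dst, local, cmd->length);
}

int main(void)
{
    static const uint8_t image[32] = "constructed VM boot image block";
    uint8_t out[32];
    struct indication_cmd cmd;
    memcpy(g_mem + 0x100, image, sizeof image);
    if (build_indication_cmd(0x100, sizeof image, 3, 1, MEM_ADDR_BITS, &cmd) != 0) return 1;
    if (exec_indication_cmd(&cmd) != 0) return 1;
    mc_read(0x100, out, sizeof out);
    toy_crypt(g_keys[3], 0x100, out, sizeof out);   /* decrypt with the ASID 3 key */
    printf("memory changed: %d, ASID 3 key recovers it: %d\n",
           memcmp(g_mem + 0x100, image, 32) != 0, memcmp(out, image, 32) == 0);
    return 0;
}
```

The two paths differ only in where `toy_crypt` runs: with the flag set, `exec_indication_cmd` passes the plaintext through unchanged and `mc_write` encrypts it, which is the memory-controller path; without the flag, the coprocessor encrypts before issuing the write and the controller stores the bytes as received. In both cases the key comes from the ASID field of the destination address, and a destination whose ASID has no key is refused rather than silently falling back to the default.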
Fig. 3 and fig. 4 illustrate the interactions described above: fig. 3 is an interaction diagram in which the data is encrypted by the encryption and decryption function of the memory controller, and fig. 4 is an interaction diagram in which the data is encrypted by the encryption and decryption function of the cryptographic coprocessor.
The data encryption method provided by the embodiments of the present application has the same implementation principle and technical effect as the foregoing device embodiment; for brevity, the corresponding contents of the device embodiment may be consulted for anything not mentioned in the method embodiment.
An embodiment of the present application further provides a computer device, as shown in fig. 5. The computer device includes a processor and a memory, the memory being electrically connected to the processor. The processor, and the interaction between the two, have been described in detail above and are not repeated here.
It should be noted that the embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and for the same or similar parts the embodiments may be referred to each other.
The above description covers only specific embodiments of the present application; the scope of the application is not limited to them, and any change or substitution that a person skilled in the art can readily conceive within the technical scope of the present application falls within that scope. The protection scope of the present application is therefore defined by the claims.