CN107085535A - Information processing method and electronic device - Google Patents

Publication number
CN107085535A
Authority
CN
China
Prior art keywords
virtual machine
task
identification information
memory
page table
Legal status
Granted
Application number
CN201710203551.1A
Other languages
Chinese (zh)
Other versions
CN107085535B (en)
Inventor
刘峰
杨立中
Current Assignee
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Application filed by Lenovo Beijing Ltd
Priority to CN201710203551.1A
Publication of CN107085535A
Application granted
Publication of CN107085535B
Legal status: Active (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45583 Memory management, e.g. access or allocation

Landscapes

  • Engineering & Computer Science
  • Software Systems
  • Theoretical Computer Science
  • Physics & Mathematics
  • General Engineering & Computer Science
  • General Physics & Mathematics
  • Memory System Of A Hierarchy Structure
  • Storage Device Security

Abstract

The invention discloses an information processing method and an electronic device. The method includes: obtaining a memory access request for a first task of a first virtual machine among at least one virtual machine, where the memory access request contains a virtual memory address; obtaining at least the identification information of the first virtual machine; determining the corresponding page table entry based on the memory access request of the first task, and obtaining from the page table entry at least the identification information of the target virtual machine corresponding to the virtual memory address; and judging whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine to obtain a judgment result, and determining according to the judgment result whether to allow the first task to access memory.

Description

Information processing method and electronic device
Technical field
The present invention relates to virtual machine management technology, and in particular to an information processing method applied in an electronic device and to an electronic device.
Background
At present, container virtualization is increasingly widely used, but some container virtual machines run very important tasks and therefore hold high privileges; we call such a container a high-privilege container virtual machine. If an application in such a container virtual machine knows the physical address (PA) used by another virtual machine, it may be able to access that virtual machine's address space by modifying the page table of its own process. Similarly, if an application in such a container virtual machine knows a physical address (PA) used by the host, it may be able to access the host's address space by modifying the page table of its own process, resulting in unsafe access and compromise of the host. For the same reason, if such a container virtual machine knows the mapped address of another container virtual machine's device, it can access the device contents of that container virtual machine, for example reading the messages sent and received by the other virtual machine's network card.
Summary of the invention
The main object of the present invention is to propose an information processing method and an electronic device that solve the above problem in the prior art.
To achieve the above object, the present invention provides an information processing method, applied to an electronic device, including:
Obtaining a memory access request for a first task of a first virtual machine among at least one virtual machine, where the memory access request contains a virtual memory address;
Obtaining at least the identification information of the first virtual machine;
Determining the corresponding page table entry based on the memory access request of the first task, and obtaining from the page table entry at least the identification information of the target virtual machine corresponding to the virtual memory address;
Judging whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine to obtain a judgment result, and determining according to the judgment result whether to allow the first task to access memory.
The present invention provides an electronic device, the electronic device including:
A request acquisition unit, configured to obtain a memory access request for a first task of a first virtual machine among at least one virtual machine, where the memory access request contains a virtual memory address;
An information extraction unit, configured to obtain at least the identification information of the first virtual machine, to determine the corresponding page table entry based on the memory access request of the first task, and to obtain from the page table entry at least the identification information of the target virtual machine corresponding to the virtual memory address;
A determination unit, configured to judge whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine to obtain a judgment result, and to determine according to the judgment result whether to allow the first task to access memory.
With the information processing method and electronic device provided by this embodiment, the identification information of the target virtual machine to be accessed can be obtained from the access request for the first task of the first virtual machine and then compared with the identification information of the first virtual machine to decide whether the access request is allowed to reach memory. Thanks to the added virtual machine identification field, even a high-privilege container virtual machine that knows a specific physical address cannot make a cross-boundary access by mapping it in a page table, which improves the security of the virtual machines.
Brief description of the drawings
Fig. 1 is flow diagram 1 of the information processing method in an embodiment of the present invention;
Fig. 2 is flow diagram 2 of the information processing method in an embodiment of the present invention;
Fig. 3 is flow diagram 3 of the information processing method in an embodiment of the present invention;
Fig. 4 is flow diagram 4 of the information processing method in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the processing framework of the information processing method in an embodiment of the present invention;
Fig. 6 is a schematic diagram of the processing performed by the information processing method in an embodiment of the present invention;
Fig. 7 is a schematic diagram of the structure of the electronic device in an embodiment of the present invention.
Detailed description
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Embodiment one
An embodiment of the present invention provides an information processing method which, as shown in Fig. 1, includes:
Step 101: Obtain a memory access request for a first task of a first virtual machine among at least one virtual machine, where the memory access request contains a virtual memory address;
Step 102: Obtain at least the identification information of the first virtual machine;
Step 103: Determine the corresponding page table entry based on the memory access request of the first task, and obtain from the page table entry at least the identification information of the target virtual machine corresponding to the virtual memory address;
Step 104: Judge whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine to obtain a judgment result, and determine according to the judgment result whether to allow the first task to access memory.
This embodiment applies to an electronic device capable of running at least one virtual machine.
Before the steps of this embodiment are performed, the identification information corresponding to each virtual machine needs to be saved in an extended register. The identification information corresponding to a virtual machine may be a Namespace ID (NID).
In addition, when the physical address of each task is recorded, a field for identification information is likewise added; this field records the identification information of the virtual machine to which the task stored in physical memory belongs.
The above memory access request for the first task of the first virtual machine among at least one virtual machine may be initiated by a container virtual machine. The virtual memory address contained in the memory access request may first be sent to the MMU, that is, the memory management unit, which looks up the corresponding entry based on the virtual memory address in the memory access request.
In addition, the identification information of the first virtual machine may be obtained by looking it up in the NIDR extended register; the lookup may be based on the content previously saved in that register.
Further, obtaining at least the identification information of the first virtual machine also includes:
Obtaining the page table base address corresponding to the first task of the first virtual machine;
Correspondingly, determining the corresponding page table entry based on the memory access request of the first task includes:
Determining the page table entry corresponding to the memory access request of the first task according to the page table base address corresponding to the first task of the first virtual machine and the virtual memory address in the memory access request. One way to determine the corresponding page table entry is as follows: based on the virtual memory address in the memory access request, the MMU finds the PTE corresponding to that address through the page table index; the extended physical base address is read from the PTE, and the identification information of the target virtual machine addressed by the memory access request is then extracted from the extended physical base address.
The page table base address differs for each task. One virtual machine can correspond to multiple tasks, each task has its own set of page tables, and each set of page tables corresponds to a different page table base address. However, the page table entries in the page tables of all tasks in the same virtual machine carry the same target virtual machine identification information; this identifier is what distinguishes which virtual machine a task belongs to.
Judging whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine to obtain a judgment result includes:
Judging whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine;
If the identification information of the target virtual machine is the same as the identification information of the first virtual machine, a first judgment result is obtained; otherwise, a second judgment result is obtained.
Correspondingly, determining according to the judgment result whether to allow the first task to access memory includes:
When the judgment result is the first judgment result, the target physical address is determined from the page table entry corresponding to the memory access request of the first task and is sent to the address bus in order to access physical memory; when the judgment result is the second judgment result, the first task is refused memory access.
That is, the identification information of the virtual machine that owns the memory to be accessed, as determined from the memory access request, is compared with the virtual machine identification information saved in the extended register; if they are the same the first judgment result is obtained, and if they differ the second judgment result is obtained. With the first judgment result, the specific physical address corresponding to the first task is accessed based on the memory access request; otherwise, access is denied.
Finally, determining the corresponding page table entry based on the memory access request of the first task also includes:
Judging, based on the virtual memory address in the memory access request of the first task, whether a corresponding page table entry can be found; if no corresponding page table entry is found, page fault handling is performed for the virtual memory address.
Page fault handling may consist of demand paging, that is, allocating physical memory.
It can be seen that with the above scheme, the identification information of the target virtual machine to be accessed can be obtained from the access request for the first task of the first virtual machine and then compared with the identification information of the first virtual machine to decide whether the access request is allowed to reach memory. Thanks to the added virtual machine identification field, even a high-privilege container virtual machine that knows a specific physical address cannot make a cross-boundary access by mapping it in a page table. Moreover, memory addressing requires only a single layer of identification-information checking, so processing is more efficient.
Embodiment two
An embodiment of the present invention provides an information processing method which, as shown in Fig. 1, includes:
Step 101: Obtain a memory access request for a first task of a first virtual machine among at least one virtual machine, where the memory access request contains a virtual memory address;
Step 102: Obtain at least the identification information of the first virtual machine;
Step 103: Determine the corresponding page table entry based on the memory access request of the first task, and obtain from the page table entry at least the identification information of the target virtual machine corresponding to the virtual memory address;
Step 104: Judge whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine to obtain a judgment result, and determine according to the judgment result whether to allow the first task to access memory.
This embodiment applies to an electronic device capable of running at least one virtual machine.
Before the steps of this embodiment are performed, the identification information corresponding to each virtual machine needs to be saved in an extended register. The identification information corresponding to a virtual machine may be an NID.
In addition, when the physical address of each task is recorded, a field for identification information is likewise added; this field records the identification information of the virtual machine to which the task stored in physical memory belongs.
It should also be noted that saving the identification information corresponding to each virtual machine in the extended register may, as shown in Fig. 2, include:
Reading the NID of the previous task from NIDR and saving it at the bottom of that task's stack;
Performing the original task-switch flow: saving the old task's stack, then switching to the new task's stack;
Reading the NID from the bottom of the new task's stack, that is, reading the corresponding entry from the bottom of the new task's stack and obtaining the NID from it, then loading that NID into NIDR;
Loading the CR3 register of the new task;
Loading the EIP (register state) of the new task, then starting to run the new task.
In addition, PTE creation in this embodiment includes inserting the NID into the NID field of the extended physical base address. Specifically, referring to Fig. 3, it includes:
Allocating a real physical page frame, for example during page fault handling (delayed allocation of physical memory);
Obtaining the real physical page frame by allocation from the slab system or the buddy system, and obtaining the physical address PA of the physical page frame;
Setting up the page table mapping between PA and VA (virtual address);
Taking the NID of the current task from NIDR;
Inserting the content of NIDR together with the physical page frame PA into the PTE as the extended physical base address, with the content of NIDR placed in the NID field.
The above memory access request for the first task of the first virtual machine among at least one virtual machine may be initiated by a container virtual machine. The virtual memory address contained in the memory access request may first be sent to the MMU, that is, the memory management unit, which looks up the corresponding entry based on the virtual memory address in the memory access request.
In addition, the identification information of the first virtual machine may be obtained by looking it up in the NIDR extended register; the lookup may be based on the content previously saved in that register.
Further, obtaining at least the identification information of the first virtual machine also includes:
Obtaining the page table base address corresponding to the first task of the first virtual machine;
Correspondingly, determining the corresponding page table entry based on the memory access request of the first task includes:
Determining the page table entry corresponding to the memory access request of the first task according to the page table base address corresponding to the first task of the first virtual machine and the virtual memory address in the memory access request. One way to determine the corresponding page table entry is as follows: based on the virtual memory address in the memory access request, the MMU finds the PTE corresponding to that address through the page table index; the extended physical base address is read from the PTE, and the identification information of the target virtual machine addressed by the memory access request is then extracted from the extended physical base address.
The page table base address differs for each task. One virtual machine can correspond to multiple tasks, each task has its own set of page tables, and each set of page tables corresponds to a different page table base address. However, the page table entries in the page tables of all tasks in the same virtual machine carry the same target virtual machine identification information; this identifier is what distinguishes which virtual machine a task belongs to.
Judging whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine to obtain a judgment result includes:
Judging whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine;
If the identification information of the target virtual machine is the same as the identification information of the first virtual machine, a first judgment result is obtained; otherwise, a second judgment result is obtained.
Correspondingly, determining according to the judgment result whether to allow the first task to access memory includes:
When the judgment result is the first judgment result, the target physical address is determined from the page table entry corresponding to the memory access request of the first task and is sent to the address bus in order to access physical memory;
When the judgment result is the second judgment result, the first task is refused memory access.
Specifically, referring to Fig. 4, this includes:
A user-mode task performs a memory access (that is, the memory access request for the first task of the first virtual machine) and supplies a virtual address VA in the task's address space; the MMU then obtains the process page table from the content of CR3, walks the page table, and uses the VA to look up the corresponding PTE of the task;
Determine whether a PTE can be obtained for the VA; if no PTE corresponding to the VA can be found in the page table, enter page fault handling; if the fault is then determined to be an illegal page fault, an error message is returned to the user;
If the PTE corresponding to the VA can be found in the page table, the MMU obtains the content of the NID field in the extended physical base address from the PTE and compares it with the content of the NIDR register;
Judge whether the NID and the content of NIDR are the same; if they differ, the memory access is rejected and a permission-error message is returned;
If the comparison shows they are the same, the MMU automatically strips the content of the NID field from the extended physical address and adds the offset to obtain the physical address PA;
The PA is sent to the address bus to complete the access to physical memory.
Finally, determining the corresponding page table entry based on the memory access request of the first task also includes:
Judging, based on the virtual memory address in the memory access request of the first task, whether a corresponding page table entry can be found; if no corresponding page table entry is found, page fault handling is performed for the virtual memory address.
Page fault handling may consist of demand paging, that is, allocating physical memory.
For the overall processing framework of the method provided by this embodiment, see Fig. 5. An extended register NIDR is added to the chip (for example, a CPU), and the physical base address recorded in the PTE is extended with an NID field. When a task of a container virtual machine accesses memory, the MMU uses the VA as an index into the page table to obtain the corresponding PTE. It obtains the extended physical address recorded in the PTE, which contains the physical address PA, and obtains from it the content of the NID field (which contains the identification information of the target virtual machine the task is to access). The MMU extracts the identification information of the first virtual machine from NIDR and compares it with the identification information of the target virtual machine in the NID field. If the comparison shows a difference, access is denied; if they are the same, the MMU automatically strips the NID field from the extended physical address, adds the offset to the resulting real physical base address to obtain the final physical address, and sends that physical address to the data/address bus to access physical memory.
Further, the effect of the processing in this embodiment is illustrated with reference to Fig. 6. When a memory access request is initiated for task 1 of the first virtual machine (VM1), it can only reach the memory region of VM1. The method provided by this embodiment compares the identification information of the target virtual machine contained in the memory access request initiated for task 1 with the identification information of VM1 to confirm whether the access request is correct. When the two are the same, access to the memory region of task 1 of VM1 is allowed; otherwise, if the access request of task 1 points to the memory of another virtual machine, for example VM2 as shown in Fig. 6, the access request is refused.
It can be seen that with the above scheme, the identification information of the target virtual machine to be accessed can be obtained from the access request for the first task of the first virtual machine and then compared with the identification information of the first virtual machine to decide whether the access request is allowed to reach memory. Thanks to the added virtual machine identification field, even a high-privilege container virtual machine that knows a specific physical address cannot make a cross-boundary access by mapping it in a page table. Moreover, memory addressing requires only a single layer of identification-information checking, so processing is more efficient.
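The flows of Figs. 2 to 4 (NID save/restore on task switch, NID-tagged PTE creation, and the MMU comparison against NIDR) can be modelled in a short C program. This is an added sketch, not code from the patent: the single-level page table, the PTE bit layout, the names `switch_task`, `map_page` and `translate`, and the sample addresses are assumptions, and it assumes PTEs are tagged only through `map_page`.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (the patent gives no bit positions): bit 0 = present,
 * bits 12..51 = physical frame base, bits 52..59 = NID field. */
#define PAGE_SHIFT    12
#define PAGE_MASK     ((1ULL << PAGE_SHIFT) - 1)
#define PTE_PRESENT   1ULL
#define PTE_PA_MASK   0x000FFFFFFFFFF000ULL
#define PTE_NID_SHIFT 52
#define PTE_NID_MASK  (0xFFULL << PTE_NID_SHIFT)
#define NPAGES        16   /* toy single-level page table */

enum access_result { ACCESS_OK, ACCESS_PAGE_FAULT, ACCESS_DENIED_NID };

/* pt: per-task page table (what CR3 points at);
 * saved_nid: the NID kept at the bottom of the task stack. */
struct task { uint64_t pt[NPAGES]; uint8_t saved_nid; };

/* nidr: extended register NIDR; cr3: page table base of the running task. */
struct cpu { uint8_t nidr; struct task *cr3; };

/* Fig. 2: save the outgoing task's NID, load the incoming NID and CR3. */
static void switch_task(struct cpu *c, struct task *next)
{
    if (c->cr3)
        c->cr3->saved_nid = c->nidr;
    c->nidr = next->saved_nid;
    c->cr3 = next;
}

/* Fig. 3: build a PTE whose extended physical base carries the current NIDR. */
static int map_page(struct cpu *c, uint64_t va, uint64_t pa)
{
    uint64_t idx = va >> PAGE_SHIFT;
    if (idx >= NPAGES)
        return -1;
    c->cr3->pt[idx] = (pa & PTE_PA_MASK)
                    | ((uint64_t)c->nidr << PTE_NID_SHIFT) | PTE_PRESENT;
    return 0;
}

/* Fig. 4: walk, compare the PTE's NID field with NIDR, strip it, add offset. */
static enum access_result translate(const struct cpu *c, uint64_t va,
                                    uint64_t *pa)
{
    uint64_t idx = va >> PAGE_SHIFT;
    if (idx >= NPAGES || !(c->cr3->pt[idx] & PTE_PRESENT))
        return ACCESS_PAGE_FAULT;            /* no PTE: page fault path */
    uint64_t pte = c->cr3->pt[idx];
    uint8_t nid = (uint8_t)((pte & PTE_NID_MASK) >> PTE_NID_SHIFT);
    if (nid != c->nidr)
        return ACCESS_DENIED_NID;            /* target VM differs: refuse */
    *pa = (pte & PTE_PA_MASK) | (va & PAGE_MASK);
    return ACCESS_OK;
}

enum scenario { OWN_PAGE, FOREIGN_PTE, UNMAPPED };

/* Constructed scenario: task b belongs to VM2 (NID 2), task a to VM1 (NID 1). */
static enum access_result run_scenario(enum scenario s, uint64_t *pa)
{
    struct task a = { .saved_nid = 1 }, b = { .saved_nid = 2 };
    struct cpu c = { 0 };

    switch_task(&c, &b);
    map_page(&c, 0x3000, 0x200000);   /* VM2 frame, tagged NID 2 */
    switch_task(&c, &a);
    map_page(&c, 0x1000, 0x100000);   /* VM1 frame, tagged NID 1 */

    switch (s) {
    case OWN_PAGE:
        return translate(&c, 0x1234, pa);
    case FOREIGN_PTE:
        a.pt[2] = b.pt[3];            /* entry for VM2's frame in VM1's table */
        return translate(&c, 0x2010, pa);
    default:
        return translate(&c, 0x5000, pa);
    }
}

static enum access_result scenario_result(enum scenario s)
{
    uint64_t pa = 0;
    return run_scenario(s, &pa);
}

static uint64_t scenario_pa(enum scenario s)
{
    uint64_t pa = 0;
    return run_scenario(s, &pa) == ACCESS_OK ? pa : 0;
}

int main(void)
{
    printf("own page: %d pa=0x%llx\n", scenario_result(OWN_PAGE),
           (unsigned long long)scenario_pa(OWN_PAGE));
    printf("foreign PTE: %d, unmapped: %d\n",
           scenario_result(FOREIGN_PTE), scenario_result(UNMAPPED));
    return 0;
}
```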
Embodiment three,
The embodiment of the present invention provides a kind of electronic equipment, as shown in fig. 7, comprises:
Acquisition request unit 71, is directed at least one virtual machine in the first task of the first virtual machine for getting Access request is deposited, wherein, memory virtual address is included in the memory access request;
Information extraction unit 72, the identification information at least obtaining first virtual machine;Based on the first task Memory access request determine corresponding page table entry, the corresponding mesh in the memory virtual address is at least obtained from the page table entry Mark the identification information of virtual machine;
Identifying unit 73, for judging the identification information of the target virtual machine and the identification information of first virtual machine Whether it is identical obtain judged result, determine whether that the first task carries out internal storage access according to the judged result.
The present embodiment applies the electronic equipment with least one virtual machine can be supported to run.
, it is necessary to which to preserve each virtual machine by extended register corresponding before each step of the embodiment of the present invention is performed Identification information;The corresponding identification information of the virtual machine can be NID.
In addition, when the record of physical address of different task is carried out, equally adding the word on identification information Section, the field is used for the identification information for recording the virtual machine corresponding to being preserved in physical memory for task.
It may also be noted that extended register preserves the corresponding identification information of each virtual machine, can with as shown in Fig. 2 Including:
The NID of predecessor's business is read from NIDR, and is stored in task stack bottom;
Original task switching flow, preserves former task stack, then switches new task stack;
NID is read from the bottom of stack of new task, that is, corresponding list item is read from the bottom of stack of new task, from it Middle acquisition NID, the NID is loaded into NIDR;
Load the CR3 registers of new task;
The EIP (buffer status) of new task is loaded, then bring into operation new task.
In addition, in the present embodiment PTE establishment, i.e., comprising by NID insert extension physical base address NID domains in;Specifically Referring to Fig. 3, including:
Distribute real physics page frame, such as page fault processing (delayed allocation physical memory);
Real physics page frame is obtained by slab systems or buddy system systems (buddy system) distribution, and obtained The physical address PA of physics page frame;
Mapping page table is set up for PA and VA (virtual address);
From NIDR, the NID of current task is taken out;
NIDR content and physics page frame PA are together inserted as extension physical base address in PTE, wherein NIDR's is interior Appearance is inserted in NID domains.
The above memory access request for the first task of the first virtual machine among the at least one virtual machine may be initiated by a container virtual machine. The memory virtual address contained in the memory access request may first be sent to the MMU, i.e. the memory management unit, and the MMU looks up the corresponding entry based on the memory virtual address in the memory access request.
In addition, the above acquisition request unit 71 may obtain the identification information of the first virtual machine by looking up the identification information corresponding to the first virtual machine in the NIDR extended register; the lookup may be performed on the content pre-stored in the register as described above.
Further, the obtaining at least the identification information of the first virtual machine also includes:
Obtaining the page table base address corresponding to the first task of the first virtual machine;
Accordingly, the determining the corresponding page table entry based on the memory access request of the first task includes:
According to the page table base address corresponding to the first task of the first virtual machine and the memory virtual address in the memory access request, determining the page table entry corresponding to the memory access request of the first task. The page table entry may be determined as follows: based on the memory virtual address in the memory access request, the MMU finds the PTE corresponding to that memory virtual address through the page table index; the extended physical base address is obtained from the PTE, and the identification information of the target virtual machine targeted by the memory access request is then extracted from the extended physical base address.
The page table base address differs for each task. One virtual machine may correspond to multiple tasks, each task has its own set of page tables, and each set of page tables corresponds to a different page table base address. However, the page table entries in the page tables of all tasks of the same virtual machine all carry the identification information of the same target virtual machine, and this target virtual machine identifier distinguishes which virtual machine a task belongs to.
The identifying unit is configured to judge whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine;
If the identification information of the target virtual machine is the same as the identification information of the first virtual machine, a first judgment result is obtained; otherwise, a second judgment result is obtained.
When the judgment result is the first judgment result, the target physical address is determined based on the page table entry corresponding to the memory access request of the first task, and the target physical address is sent to the address bus so that physical memory is accessed;
When the judgment result is the second judgment result, the first task is refused memory access.
Specifically, referring to Fig. 4, this includes:
A user-mode task performs a memory access (that is, the memory access request for the first task of the first virtual machine) and provides a virtual address VA in the task's address space; the MMU then obtains the process page table from the content of CR3, walks the page table, and looks up the PTE corresponding to the task by VA;
It is determined whether a PTE can be obtained from VA; if the PTE corresponding to VA cannot be found in the page table, page-fault handling is entered, and if the fault is determined to be an illegal page fault, error prompt information is fed back to the user;
If the PTE corresponding to VA can be found in the page table, the MMU obtains the content of the NID field in the extended physical base address from the PTE and compares it with the content of the NIDR register;
It is determined whether the contents of the NID field and NIDR are the same; if they differ, the memory access is rejected and a permission error prompt is returned;
If the comparison result is the same, the MMU automatically strips the content of the NID field from the extended physical address and adds the offset to obtain the physical address PA;
PA is sent to the address bus to complete the access to physical memory.
Finally, the information extraction unit is configured to determine, based on the memory virtual address in the memory access request of the first task, whether the corresponding page table entry can be found; if the corresponding page table entry is not found, page-fault handling is performed for the memory virtual address.
The page-fault handling may include demand paging and allocation of physical memory.
For the overall processing framework of the method provided by this embodiment, see Fig. 5: an extended register NIDR is added to the chip (for example, a CPU), and the physical base address recorded in the PTE is extended with an NID field. When a task of a container virtual machine performs a memory access, the MMU uses VA as an index into the page table to find the corresponding PTE. It obtains the extended physical address contained in the PA physical address recorded in the PTE, and obtains the content of the NID field from it (which contains the identification information of the target virtual machine that the task is to access). The MMU extracts the identification information of the first virtual machine from NIDR and compares the identification information of the first virtual machine in NIDR with the identification information of the target virtual machine in the NID field. If the comparison result differs, access is denied; if the comparison result is the same, the MMU automatically strips the NID field from the extended physical address, adds the offset to the resulting real physical base address to obtain the final physical address, and sends the physical address to the data/address bus to access physical memory.
Further, the effect of the processing in this embodiment is illustrated with reference to Fig. 6. When a memory access request is initiated for task 1 of the first virtual machine (VM1), only the memory region of VM1 (the first virtual machine) can be accessed. The method provided by this embodiment compares the identification information of the target virtual machine contained in the memory access request initiated for task 1 with the identification information of VM1 to confirm whether the access request is correct. When the two are the same, access to the memory region of task 1 of VM1 is allowed; otherwise, if the access request of task 1 points to the memory of another virtual machine, for example VM2's memory as shown in Fig. 6, the access request is refused.
It can be seen that, with the above scheme, the identification information of the target virtual machine to be accessed can be obtained from the access request for the first task of the first virtual machine, and the identification information of the target virtual machine is then compared with the identification information of the first virtual machine to determine whether the access request is allowed to reach memory. In this way, because of the added virtual machine identification information field, even a highly privileged container virtual machine that knows a specific physical address cannot perform cross-boundary access by mapping page tables. Moreover, memory addressing requires only a single layer of identification information check, so processing is more efficient.
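The following C sketch is an added example, not code from the patent: it models in software the NIDR load at task switch, the PTE creation of Fig. 3 and the MMU check of Fig. 4, and replays the Fig. 6 case. The bit layout (a 12-bit NID field in PTE bits 52 to 63, 4 KiB pages, a 16-entry single-level page table) and all function and type names are assumptions; the text does not specify them.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not given in the text): bit 0 = present,
 * bits 12..51 = physical frame base, bits 52..63 = NID field. */
#define PAGE_SHIFT  12
#define PAGE_MASK   ((1ULL << PAGE_SHIFT) - 1)
#define NID_SHIFT   52
#define NID_MASK    (0xFFFULL << NID_SHIFT)
#define PTE_PRESENT 1ULL
#define NPTES       16              /* toy single-level page table */

enum access_result { ACCESS_OK, ACCESS_PAGE_FAULT, ACCESS_DENIED };

struct task {
    uint16_t nid;                   /* VM id kept with the task (stack bottom in the text) */
    uint64_t pt[NPTES];             /* per-task page table; its base plays the role of CR3 */
};

struct cpu {
    uint16_t nidr;                  /* extended register NIDR */
    const uint64_t *cr3;            /* page table base of the running task */
};

/* Task switch: load the new task's NID into NIDR, then its CR3. */
static void switch_to(struct cpu *c, const struct task *t) {
    c->nidr = t->nid;
    c->cr3 = t->pt;
}

/* PTE creation (Fig. 3): frame PA plus NIDR content form the extended base. */
static uint64_t make_pte(const struct cpu *c, uint64_t frame_pa) {
    return ((uint64_t)(c->nidr & 0xFFF) << NID_SHIFT)
         | (frame_pa & ~PAGE_MASK & ~NID_MASK) | PTE_PRESENT;
}

/* Access check (Fig. 4): walk, compare NID field with NIDR, strip, add offset. */
static enum access_result translate(const struct cpu *c, uint64_t va, uint64_t *pa_out) {
    uint64_t idx = va >> PAGE_SHIFT;
    if (idx >= NPTES) return ACCESS_PAGE_FAULT;
    uint64_t pte = c->cr3[idx];
    if (!(pte & PTE_PRESENT)) return ACCESS_PAGE_FAULT;   /* no PTE for this VA */
    uint16_t nid = (uint16_t)((pte & NID_MASK) >> NID_SHIFT);
    if (nid != c->nidr) return ACCESS_DENIED;             /* entry belongs to another VM */
    *pa_out = (pte & ~NID_MASK & ~PAGE_MASK) | (va & PAGE_MASK);
    return ACCESS_OK;
}

/* Constructed Fig. 6 scenario: a task of VM1 (NID 1) translates `va`. */
enum access_result fig6_access(uint64_t va, uint64_t *pa_out) {
    struct cpu c = {0};
    struct task vm1 = { .nid = 1 }, vm2 = { .nid = 2 };

    switch_to(&c, &vm2);
    vm2.pt[3] = make_pte(&c, 0x200000);   /* VM2's frame, tagged with NID 2 */
    switch_to(&c, &vm1);
    vm1.pt[1] = make_pte(&c, 0x100000);   /* VM1's frame, tagged with NID 1 */
    vm1.pt[3] = vm2.pt[3];                /* entry carrying VM2's NID in VM1's table */
    return translate(&c, va, pa_out);
}

int main(void) {
    static const char *names[] = { "ok", "page fault", "denied" };
    uint64_t vas[] = { 0x1abc, 0x3010, 0x5000 };   /* constructed sample addresses */
    for (int i = 0; i < 3; i++) {
        uint64_t pa = 0;
        enum access_result r = fig6_access(vas[i], &pa);
        printf("VA 0x%llx -> %s", (unsigned long long)vas[i], names[r]);
        if (r == ACCESS_OK) printf(" (PA 0x%llx)", (unsigned long long)pa);
        printf("\n");
    }
    return 0;
}
```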
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be implemented by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as a removable storage device, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
Alternatively, if the above integrated unit of the present invention is implemented in the form of a software function module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the methods described in the embodiments of the present invention. The storage medium includes various media that can store program code, such as a removable storage device, ROM, RAM, a magnetic disk or an optical disc.
The foregoing is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person skilled in the art can readily conceive of within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (12)

1. An information processing method, the method comprising:
Obtaining a memory access request for a first task of a first virtual machine among at least one virtual machine, wherein the memory access request contains a memory virtual address;
Obtaining at least the identification information of the first virtual machine;
Determining a corresponding page table entry based on the memory access request of the first task, and obtaining from the page table entry at least the identification information of the target virtual machine corresponding to the memory virtual address;
Judging whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine to obtain a judgment result, and determining according to the judgment result whether to allow the first task to perform memory access.
2. The method according to claim 1, characterized in that the obtaining at least the identification information of the first virtual machine further comprises:
Obtaining the page table base address corresponding to the first task of the first virtual machine;
Accordingly, the determining a corresponding page table entry based on the memory access request of the first task comprises:
Determining the page table entry corresponding to the memory access request of the first task according to the page table base address corresponding to the first task of the first virtual machine and the memory virtual address in the memory access request.
3. The method according to claim 1, characterized in that the judging whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine to obtain a judgment result comprises:
Judging whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine;
If the identification information of the target virtual machine is the same as the identification information of the first virtual machine, obtaining a first judgment result; otherwise, obtaining a second judgment result.
4. The method according to claim 3, characterized in that the determining according to the judgment result whether to allow the first task to perform memory access comprises:
When the judgment result is the first judgment result, determining a target physical address based on the page table entry corresponding to the memory access request of the first task, and sending the target physical address to the address bus so that physical memory is accessed;
When the judgment result is the second judgment result, refusing the first task memory access.
5. The method according to claim 4, characterized in that the determining a target physical address based on the page table entry corresponding to the memory access request of the first task comprises:
Extracting a physical base address from the page table entry corresponding to the memory access request of the first task, and determining the target physical address based on the physical base address.
6. The method according to claim 1, characterized in that the determining a corresponding page table entry based on the memory access request of the first task further comprises:
Judging, based on the memory virtual address in the memory access request of the first task, whether the corresponding page table entry can be found;
If the corresponding page table entry is not found, performing page-fault handling for the memory virtual address.
7. An electronic device, characterized in that the electronic device comprises:
An acquisition request unit, configured to obtain a memory access request for a first task of a first virtual machine among at least one virtual machine, wherein the memory access request contains a memory virtual address;
An information extraction unit, configured to obtain at least the identification information of the first virtual machine, determine a corresponding page table entry based on the memory access request of the first task, and obtain from the page table entry at least the identification information of the target virtual machine corresponding to the memory virtual address;
An identifying unit, configured to judge whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine to obtain a judgment result, and to determine according to the judgment result whether to allow the first task to perform memory access.
8. The electronic device according to claim 7, characterized in that the information extraction unit is configured to obtain the page table base address corresponding to the first task of the first virtual machine, and to determine the page table entry corresponding to the memory access request of the first task according to the page table base address corresponding to the first task of the first virtual machine and the memory virtual address in the memory access request.
9. The electronic device according to claim 7, characterized in that the identifying unit is configured to judge whether the identification information of the target virtual machine is the same as the identification information of the first virtual machine; if the identification information of the target virtual machine is the same as the identification information of the first virtual machine, a first judgment result is obtained; otherwise, a second judgment result is obtained.
10. The electronic device according to claim 9, characterized in that the identifying unit is configured to, when the judgment result is the first judgment result, determine a target physical address based on the page table entry corresponding to the memory access request of the first task and send the target physical address to the address bus so that physical memory is accessed; and, when the judgment result is the second judgment result, refuse the first task memory access.
11. The electronic device according to claim 10, characterized in that the identifying unit is configured to extract a physical base address from the page table entry corresponding to the memory access request of the first task, and to determine the target physical address based on the physical base address.
12. The electronic device according to claim 7, characterized in that the information extraction unit is configured to judge, based on the memory virtual address in the memory access request of the first task, whether the corresponding page table entry can be found; if the corresponding page table entry is not found, page-fault handling is performed for the memory virtual address.
CN201710203551.1A 2017-03-30 2017-03-30 Information processing method and electronic equipment Active CN107085535B (en)
Publications (2)

Publication Number Publication Date
CN107085535A true CN107085535A (en) 2017-08-22
CN107085535B CN107085535B (en) 2020-10-27

Family

ID=59615121


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant