CN109901911B - Information setting method, control method, device and related equipment - Google Patents

Publication number
CN109901911B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910060502.6A
Other languages
Chinese (zh)
Other versions
CN109901911A (en
Inventor
杜朝晖
应志伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Haiguang Information Technology Co Ltd
Original Assignee
Haiguang Information Technology Co Ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

The embodiments of the invention provide an information setting method, a control method, a device and related equipment. The information setting method comprises: defining a secure code control information structure for a secure virtual machine, wherein the secure code control information structure describes the overall initial state of the secure virtual machine; and reserving, in the virtual machine control block of the secure virtual machine, an address field used to store the starting address of the secure code control information structure of the secure virtual machine. By defining a secure code control information structure for the secure virtual machine, the embodiments of the invention can ensure the integrity of the initial state of the secure virtual machine.

Description

Information setting method, control method, device and related equipment
Technical Field
The embodiment of the invention relates to the technical field of virtual machines, in particular to an information setting method, a control method, a device and related equipment.
Background
Through virtualization technology, a host machine can virtualize a plurality of virtual machines (VMs), so that the hardware resources of the host machine are utilized to the maximum extent; each virtual machine may be allocated memory (space), and the memory allocated to a virtual machine may be referred to as virtual machine memory, which is mainly used for task consumption and for supporting virtualization.
In the virtualization technology, the virtual machine control block is an information structure for describing the state of a virtual processor corresponding to a virtual machine, however, the virtual machine control block can only describe the state of one virtual processor independently, lacks description of the overall state of the virtual machine, and cannot guarantee the integrity of the initial state of the virtual machine.
Disclosure of Invention
In view of this, the embodiments of the present invention provide an information setting method, a control method, a device and related equipment, so as to ensure the integrity of the initial state of the virtual machine.
In order to achieve the above object, the embodiment of the present invention provides the following technical solutions:
an information setting method, comprising:
defining a secure code control information structure for a secure virtual machine, wherein the secure code control information structure describes the overall initial state of the secure virtual machine;
wherein an address field is reserved in the virtual machine control block of the secure virtual machine and is used to store the starting address of the secure code control information structure of the secure virtual machine.
The embodiment of the invention also provides a control method, comprising:
when target information of a virtual machine control block of a secure virtual machine needs to be modified, acquiring a secure code control information structure defined for the secure virtual machine; wherein the secure code control information structure describes the overall initial state of the secure virtual machine and defines modification attributes of information in the virtual machine control block of the secure virtual machine, the modification attributes including modifiable and non-modifiable; the virtual machine control block of the secure virtual machine and the secure code control information structure are stored in a secure memory;
determining the modification attribute of the target information according to the secure code control information structure;
if the modification attribute of the target information is modifiable, allowing modification of the target information;
and if the modification attribute of the target information is non-modifiable, refusing to modify the target information.
The embodiment of the invention also provides an information setting device, which comprises:
a definition module, configured to define a secure code control information structure for a secure virtual machine, wherein the secure code control information structure describes the overall initial state of the secure virtual machine;
wherein an address field is reserved in the virtual machine control block of the secure virtual machine and is used to store the starting address of the secure code control information structure of the secure virtual machine.
The embodiment of the invention also provides a control device, comprising:
a secure code control information structure acquisition module, configured to acquire a secure code control information structure defined for a secure virtual machine when target information of a virtual machine control block of the secure virtual machine needs to be modified; wherein the secure code control information structure describes the overall initial state of the secure virtual machine and defines modification attributes of information in the virtual machine control block of the secure virtual machine, the modification attributes including modifiable and non-modifiable; the virtual machine control block of the secure virtual machine and the secure code control information structure are stored in a secure memory;
a modification attribute determining module, configured to determine the modification attribute of the target information according to the secure code control information structure;
a modification permission module, configured to allow modification of the target information if the modification attribute of the target information is modifiable;
and a modification refusal module, configured to refuse to modify the target information if the modification attribute of the target information is non-modifiable.
The embodiment of the invention also provides a CPU core comprising the control device.
The embodiment of the invention also provides a chip comprising the secure processor and the CPU core.
The embodiment of the invention also provides electronic equipment comprising the chip.
In the embodiment of the invention, the secure processor or the master virtual machine can define a secure code control information structure for the secure virtual machine; the secure code control information structure can describe the overall initial state of the secure virtual machine, thereby better ensuring the integrity of the initial state of the secure virtual machine.
In addition, in the control method provided by the embodiment of the invention, a secure code control information structure can be defined for the secure virtual machine; the structure describes the overall initial state of the secure virtual machine and defines the modification attributes of the information in the virtual machine control block of the secure virtual machine, and both the secure code control information structure and the virtual machine control block are stored in a secure memory. Therefore, when target information of the virtual machine control block of the secure virtual machine needs to be modified, the embodiment of the invention can obtain the modification attribute of the target information defined in the secure code control information structure. When the modification attribute is modifiable, the target information is treated as modifiable information in the virtual machine control block and the modification is allowed; when the modification attribute is non-modifiable, the target information is treated as non-modifiable information in the virtual machine control block and the modification is refused. This provides modification control over the information in the virtual machine control block of the secure virtual machine, prevents that information from being maliciously tampered with, and improves the security of virtual machine data.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
FIG. 1 is a system architecture diagram of a virtualized environment;
FIG. 2 is another system architecture diagram of a virtualized environment;
FIG. 3 is a schematic diagram of a microarchitecture of a secure virtualization technique;
FIG. 4 is a schematic diagram of a physical memory including secure memory and normal memory;
FIG. 5 is a flowchart of a control method according to an embodiment of the present invention;
FIG. 6 is a flow chart of a method of determining a virtual processor to which a virtual machine control block belongs;
FIG. 7 is a schematic diagram of determining a virtual processor to which a virtual machine control block belongs;
FIG. 8 is a schematic diagram of an architecture with SMCR according to an embodiment of the present invention;
FIG. 9 is a block diagram of a control device according to an embodiment of the present invention;
FIG. 10 is another block diagram of a control device according to an embodiment of the present invention;
FIG. 11 is a further block diagram of a control device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As an alternative example, fig. 1 shows a system architecture schematic diagram of a virtualized environment, as shown in fig. 1, the system architecture of the virtualized environment may include: a CPU (Central Processing Unit ) core 1, a memory controller 2, a memory 3;
the CPU core may configure the virtual machine manager 11 in a software manner, and virtualize a plurality of virtual machines 12 through a virtualization technology, where the plurality of virtual machines 12 may be managed by the virtual machine manager 11, for example, the virtual machine manager 11 manages the virtual machine memory of the virtual machines 12;
the memory controller 2 is a hardware that controls the memory 3 and makes the memory 3 exchange data with the CPU core, and part or all of the memory 3 may be used as a virtual machine memory to allocate a memory space for the virtual machine; in a typical computer system, the memory controller 2 is responsible for processing a memory access request, and for the memory access request, the memory controller 2 may detect whether the cache records an address corresponding to the memory access request, if so, read the data corresponding to the address from the cache, otherwise, traverse the page table of the memory to find the address and read the data corresponding to the address.
The system architecture shown in fig. 1 may be implemented based on conventional virtualization technology, which does not protect the virtual machine memory, so the security of virtual machine data in the virtual machine memory is threatened; to improve the security of virtual machine data in the virtual machine memory, a secure virtualization technology different from the conventional virtualization technology has emerged;
the secure virtualization technology is a virtualization technology capable of performing secure protection on the virtual machine memory, for example, may perform secure protection such as encryption on the virtual machine memory, and of course, the secure virtualization technology may also perform secure protection such as isolation on the virtual machine memory;
in an example secure virtualization technology, part or all of virtual machine memories of a virtual machine can be encrypted by the secure virtualization technology, and different virtual machine memories are encrypted by different keys, so that a virtual machine manager cannot access the keys, and access and tampering of a physical host and the virtual machine manager to virtual machine data in the virtual machine memories are prevented, and the security of the virtual machine data is improved;
as an alternative example, based on the secure virtualization technology, fig. 2 shows another system architecture schematic diagram of the virtualized environment, and in conjunction with fig. 1 and fig. 2, the system architecture shown in fig. 2 may further include, compared to the system architecture shown in fig. 1: a security processor 4;
The secure processor 4 is a dedicated processor responsible for handling operations related to virtual machine security; for example, the secure processor 4 may perform operations such as encryption and decryption on the virtual machine memory. In the embodiment of the invention, the virtual machine manager 11 can be configured with an API for communicating with the secure processor 4, so that data can be exchanged between the virtual machine manager 11 and the secure processor 4;
in the embodiment of the present invention, the memory controller 2 may configure the encryption engine 21, and the encryption engine 21 may store the key;
the secure processor 4 may encrypt some or all of the virtual machine memory with a key stored by the encryption engine 21, with different virtual machine memories encrypted under different keys; optionally, to better prevent replay attacks, different physical addresses in the virtual machine memory may use different encryption parameters. A replay attack (also called a playback attack) is one in which an attacker resends a packet that the destination host has already received in order to deceive the system; it is mainly used in identity authentication scenarios, where it undermines the correctness of authentication.
For example, fig. 3 shows a micro-architecture diagram of a secure virtualization technology. As shown in fig. 3, the secure processor is a processor in an SoC (System on Chip) that handles memory encryption and decryption for virtual machines and starts virtual machines; the secure processor 4 may interact with the CPU core 1 through an API, and the secure processor 4 interacts with the memory controller 2 through a bus and runs a program;
The components inside the SoC are the CPU core 1, the secure processor 4, and the memory controller 2; the memory 3 (e.g., dynamic random access memory, DRAM) sits outside the SoC. Optionally, data outside the SoC may be encrypted ciphertext, while data inside the SoC is plaintext;
in fig. 3, multiple VEKs (Virtualization Encrypted Keys, i.e. virtual machine encryption keys) are used for different virtual machines, so that each virtual machine (or the host) has its own independent key, ensuring that virtual machines and the host cannot correctly read the data of other virtual machines or of the host.
Alternatively, in the System architecture shown in fig. 2 and 3, the CPU core, the memory controller, and the security processor may be integrated on an SOC (System on Chip); it should be apparent that SOC is only an alternative form of computer architecture, and embodiments of the present invention may support other forms of computer architecture, such as a computer architecture in which a processor and a south bridge are coupled, a computer architecture in which a south bridge and a north bridge are separately configured, etc., where a CPU core, a memory controller, a memory, and a secure processor may be deployed accordingly, which is not further described herein.
By having different virtual machines use different keys, the secure virtualization technology prevents virtual machines and the host from correctly reading each other's memory data, which meets the confidentiality requirement for memory data. However, the host still has the privilege to modify a virtual machine's memory data without being detected, so protection of the integrity of memory data is lacking;
Based on this, the memory 3 in the embodiment of the present invention may include a secure memory (space) and a normal memory (space), and in general, the security of the secure memory is higher than that of the normal memory, for example, the secure memory may adopt a secure protection mechanism;
for example, fig. 4 shows a schematic diagram of a physical memory that includes a secure memory and a normal memory. As an alternative implementation, the embodiments of the present invention may mark several memory areas in the memory (which may be part of the memory or all of it) as secure memory; for example, the address range of the secure memory area is recorded in a physical register, so that the secure memory is marked in hardware and protected by a security protection mechanism (for example, encryption, isolation and other mechanisms). Memory that is not secure memory can be called normal memory, and normal memory is generally not protected by a security protection mechanism; the security of the secure memory can be higher than that of the normal memory;
as an optional example, the size of the secure memory may be larger than the normal memory, and of course, the embodiment of the present invention may also support that the size of the secure memory may be smaller than the normal memory; it should be noted that, in the example shown in fig. 4, the secure memory is a partial memory area of the memory, and the embodiment of the present invention may also support the secure memory as an entire memory area of the memory;
Alternatively, a virtual machine using a security protection mechanism may be referred to as a secure virtual machine, for example, a virtual machine using secure memory may be referred to as a secure virtual machine, a virtual machine not using a security protection mechanism may be referred to as a general virtual machine, for example, a virtual machine using general memory may be referred to as a general virtual machine, and generally, the security of the secure virtual machine may be higher than that of the general virtual machine.
If management of the virtual machine memory were handed over from the virtual machine manager to the secure processor, the security of the virtual machine memory would improve, but the secure processor would become a performance bottleneck (a secure processor typically has weaker performance than a general-purpose processor). Therefore, to balance security and performance in virtual machine memory management, the embodiment of the invention can design a special virtual machine to manage the memory used by other virtual machines; the special virtual machine can be called a master virtual machine, and the virtual machines other than the master virtual machine can be called slave virtual machines. Optionally, the code of the master virtual machine may be provided in advance in software form; the secure processor is responsible for configuring the master virtual machine and, in the process of configuring it, grants the master virtual machine memory management authority over the slave virtual machines, so that the master virtual machine performs the memory management work for the slave virtual machines.
After dedicated secure memory has been isolated for a secure virtual machine, access rights may be configured for that secure memory (the configuration may be performed by the secure processor or the master virtual machine) and enforced by the memory controller, so that an access request to the secure memory of the secure virtual machine (which may be issued by the host or by a virtual machine) is allowed only if it satisfies the configured access rights.
In the secure virtualization technology, a virtual machine control block can describe the state of a virtual processor corresponding to a virtual machine, but a virtual machine control block can only describe the state (such as the initial state) of one virtual processor on its own and lacks a description of the overall state of the virtual machine. Moreover, when the virtual machine is initialized, only the data of each memory page of the virtual machine is protected, while the address information of the data is not, so a malicious virtual machine manager can arbitrarily rearrange where the virtual machine's initial data is placed in memory when the virtual machine is started;
based on this, the inventors of the present invention propose to improve the secure virtualization technology: in the embodiment of the invention, besides using virtual machine control blocks to describe the state of each single virtual processor independently, the secure processor or the master virtual machine can also define a secure code control information structure (SCCS) for the secure virtual machine. The secure code control information structure of the secure virtual machine describes the overall initial state of the secure virtual machine, including but not limited to: the distribution within the virtual address space of the secure virtual machine, the address distribution of all data in the initial state of the secure virtual machine, the number of virtual processors used by the secure virtual machine, and the initial state of each virtual processor. Through the secure code control information structure, the embodiment of the invention can better ensure the integrity of the initial state of the secure virtual machine.
It should be noted that, the virtual machine control block according to the embodiment of the present invention does not refer to a certain virtualization technology, but is applicable to all possible virtualization technologies; in different virtualization technologies, the naming of the virtual machine control blocks may not be uniform, and may be, for example, a virtual machine control structure.
As an optional implementation of the embodiment of the present invention, in addition to using the secure code control information structure to describe the overall initial state of the secure virtual machine, the embodiment may use the secure code control information structure to define a modification attribute (modifiable or non-modifiable) for the information in the virtual machine control block of the secure virtual machine. When the host attempts to modify information in the virtual machine control block of the secure virtual machine, the modification attribute defined in the secure code control information structure is checked, and the host may modify the information only when its modification attribute is modifiable, which prevents the host from maliciously modifying the information in the virtual machine control block.
Optionally, fig. 5 shows an optional flow of a control method provided by an embodiment of the present invention, where the method may be executed by a CPU core in the form of micro instructions, or by a secure processor, and referring to fig. 5, the flow may include:
Step S10, obtaining an information modification application to a virtual machine control block of a secure virtual machine, wherein the information modification application comprises: target information of a virtual machine control block of the secure virtual machine to which modification is applied.
Alternatively, a host (e.g., virtual machine manager) may apply to modify information in a virtual machine control block of a secure virtual machine.
The embodiment of the invention can optionally execute the step S10 when the target information of the virtual machine control block of the secure virtual machine needs to be modified.
Step S11, obtaining the secure code control information structure defined for the secure virtual machine, wherein the secure code control information structure describes the overall initial state of the secure virtual machine and defines the modification attributes of information in the virtual machine control block of the secure virtual machine.
Optionally, the embodiment of the invention may define a secure code control information structure for the secure virtual machine, and the virtual machine control block and the secure code control information structure of the secure virtual machine may be stored in the secure memory of the secure virtual machine; thus, the overall initial state of the secure virtual machine and the modification attributes of the information in the virtual machine control block of the secure virtual machine can be defined through the secure code control information structure; the modification attributes may include: modifiable and non-modifiable.
Optionally, the virtual machine control block of the secure virtual machine may have a plurality of field information, and the embodiment of the present invention may define modification attributes of each field information of the virtual machine control block of the secure virtual machine in the secure code control information structure.
Step S12, determining the modification attribute of the target information according to the secure code control information structure.
After the security code control information structure is obtained, the embodiment of the invention can obtain the modification attribute of the target information from the security code control information structure.
Step S13, if the modification attribute of the target information is modifiable, the target information is allowed to be modified.
Step S14, if the modification attribute of the target information is non-modifiable, refusing to modify the target information.
In the control method provided by the embodiment of the invention, a secure code control information structure can be defined for the secure virtual machine; the structure describes the overall initial state of the secure virtual machine and defines the modification attributes of the information in the virtual machine control block of the secure virtual machine, and both the secure code control information structure and the virtual machine control block are stored in a secure memory. Therefore, when target information of the virtual machine control block of the secure virtual machine needs to be modified, the embodiment of the invention can obtain the modification attribute of the target information defined in the secure code control information structure. When the modification attribute is modifiable, the target information is treated as modifiable information in the virtual machine control block and the modification is allowed; when the modification attribute is non-modifiable, the target information is treated as non-modifiable information in the virtual machine control block and the modification is refused. This provides modification control over the information in the virtual machine control block of the secure virtual machine, prevents that information from being maliciously tampered with, and improves the security of virtual machine data.
Optionally, the above procedure of modifying the target information of the virtual machine control block of the secure virtual machine may be executed by the CPU core or by the secure processor. For example, the CPU core may execute the procedure through a special instruction; as another example, the host may modify the information in the virtual machine control block through the secure processor, and the secure processor may determine whether that information may be modified by querying the secure code control information structure.
Optionally, the virtual machine control block of the secure virtual machine may include control area (Control Area) information and state save area (State Save Area) information; the control area information may include a plurality of pieces of control information of the virtual machine control block of the secure virtual machine, and the state save area information may include a plurality of pieces of state information of the virtual machine control block of the secure virtual machine.
In the secure code control information structure of the secure virtual machine, the embodiment of the invention can define a modification attribute for each piece of control information of the control area information and a modification attribute for each piece of state information of the state save area information, thereby defining the modification attributes of the information in the virtual machine control block of the secure virtual machine.
Optionally, the modification attribute may be flag information represented by a bit value: flag information whose bit value is a first value may represent the modifiable attribute, and flag information whose bit value is a second value may represent the non-modifiable attribute. The first value and the second value may be logically opposite; for example, the first value may be 1 and the second value may be 0.
In an optional setting, the embodiment of the invention may set the state information in the state save area information to be non-modifiable, for example by representing its modification attribute with a bit value of 0; the control information in the control area information may be set to be modifiable or non-modifiable, and which control information has its modification attribute represented by a bit value of 1 and which by a bit value of 0 may be defined according to actual requirements.
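The modification-attribute check described above can be modelled in a few lines of C. This is an added example, not code from the patent: the field names, field counts and the two-bitmap SCCS layout are assumptions, since the page does not reproduce the real structure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical field indices; the real VMCB layout is not given on this page. */
enum ctrl_field { CTRL_INTERCEPT_MASK, CTRL_TSC_OFFSET, CTRL_PAGE_TABLE_BASE, CTRL_FIELD_COUNT };
enum save_field { SAVE_RIP, SAVE_RSP, SAVE_CR3, SAVE_FIELD_COUNT };
enum vmcb_area  { AREA_CONTROL, AREA_STATE_SAVE };
enum modify_result { MODIFY_ALLOWED = 0, MODIFY_REJECTED = -1, MODIFY_INVALID = -2 };

/* Secure code control information structure (assumed layout): one flag bit
 * per VMCB field, 1 = modifiable, 0 = non-modifiable, as in the description. */
struct sccs {
    uint32_t ctrl_modifiable;   /* bit i covers control-area field i */
    uint32_t save_modifiable;   /* bit i covers state-save-area field i */
};

struct vmcb {
    uint64_t ctrl[CTRL_FIELD_COUNT];
    uint64_t save[SAVE_FIELD_COUNT];
    const struct sccs *sccs_addr;   /* reserved address field: start of the SCCS */
};

static unsigned area_field_count(enum vmcb_area area)
{
    switch (area) {
    case AREA_CONTROL:    return (unsigned)CTRL_FIELD_COUNT;
    case AREA_STATE_SAVE: return (unsigned)SAVE_FIELD_COUNT;
    }
    return 0;   /* unknown area: no valid fields */
}

/* Determine the modification attribute of one field from the SCCS. */
static bool sccs_field_modifiable(const struct sccs *s, enum vmcb_area area, unsigned field)
{
    uint32_t bits = (area == AREA_CONTROL) ? s->ctrl_modifiable : s->save_modifiable;
    return ((bits >> field) & 1u) != 0;
}

/* Control method: fetch the SCCS through the address field, look up the
 * attribute of the target field, then allow or reject the write. */
int vmcb_modify(struct vmcb *v, enum vmcb_area area, unsigned field, uint64_t value)
{
    if (v == NULL || v->sccs_addr == NULL || field >= area_field_count(area))
        return MODIFY_INVALID;              /* fail closed on malformed requests */
    if (!sccs_field_modifiable(v->sccs_addr, area, field))
        return MODIFY_REJECTED;
    if (area == AREA_CONTROL)
        v->ctrl[field] = value;
    else
        v->save[field] = value;
    return MODIFY_ALLOWED;
}

/* Constructed sample: the host may change only the TSC offset; the whole
 * state save area is non-modifiable (all bits 0), per the optional setting. */
static const struct sccs sample_sccs = {
    .ctrl_modifiable = 1u << CTRL_TSC_OFFSET,
    .save_modifiable = 0,
};
static struct vmcb sample_vmcb = {
    .ctrl = { 0xff, 0, 0x4000 },
    .save = { 0x1000, 0x8000, 0x2000 },
    .sccs_addr = &sample_sccs,
};

int main(void)
{
    printf("write TSC offset:      %d\n",
           vmcb_modify(&sample_vmcb, AREA_CONTROL, CTRL_TSC_OFFSET, 0x1234));
    printf("write page table base: %d\n",
           vmcb_modify(&sample_vmcb, AREA_CONTROL, CTRL_PAGE_TABLE_BASE, 0xdead000));
    printf("write saved RIP:       %d\n",
           vmcb_modify(&sample_vmcb, AREA_STATE_SAVE, SAVE_RIP, 0));
    return 0;
}
```

A rejected write leaves the field untouched, so a host that controls the request path cannot redirect the page table base or the saved instruction pointer of the secure virtual machine.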
As an optional implementation of the disclosure of the embodiment of the present invention, the secure code control information structure of the secure virtual machine may be defined in software by the secure processor or the host virtual machine and stored in the secure memory of the secure virtual machine; preferably, each virtual machine control block of the secure virtual machine may reserve an address field (located in the secure memory) that holds the starting address of the secure code control information structure, so that the virtual machine control block of the secure virtual machine points to the secure code control information structure of the secure virtual machine.
Optionally, the virtual machine control block generally corresponds to one physical page in memory and may be divided into a plurality of fields, each of which may be, for example, several bytes or a single bit; the embodiment of the invention can use an unused Reserve field in the virtual machine control block of the secure virtual machine as the address field, for example, any 8 aligned consecutive bytes of the Reserve field can be selected as the address field, so as to save the starting address of the secure code control information structure of the secure virtual machine.
Further, the address fields (starting addresses) in the virtual machine control blocks of the same secure virtual machine may be initialized to the same value (e.g., by the secure processor or the host virtual machine). By using the secure code control information structure to describe the overall initial state of the secure virtual machine, the embodiment of the invention can provide a secure virtual machine environment and prevent attackers who control the virtual machine management code from stealing the content of the secure virtual machine. If no secure code control information structure is set to uniformly describe the overall initial state of the secure virtual machine, it is difficult for the hardware to identify whether different virtual processors come from the same secure virtual machine. In that case, if an attacker creates one virtual processor and then uses it to access the resources of another virtual processor, the hardware cannot identify whether the two virtual processors belong to the same secure virtual machine, cannot judge whether the access is illegal, and therefore cannot prevent the illegal access.
By setting the secure code control information structure, the embodiment of the invention can give the virtual processors of different secure virtual machines different secure code control information structures, thereby rejecting illegal access between virtual processors that do not belong to the same secure virtual machine and protecting the data security of the secure virtual machine.
As an optional implementation, the hardware (such as a CPU core) may determine and verify whether different virtual machine control blocks belong to different virtual processors of the same secure virtual machine by detecting whether SCCS pointed to by the different virtual machine control blocks are the same, that is, when SCCS pointed to by the different virtual machine control blocks are the same, the embodiment of the present invention considers that the different virtual machine control blocks belong to different virtual processors of the same secure virtual machine, and one virtual machine control block of the secure virtual machine may correspond to one virtual processor of the secure virtual machine;
Optionally, Fig. 6 shows a flow of a method for determining the virtual processor to which a virtual machine control block belongs; the method shown in Fig. 6 may be executed by the CPU core in the form of microinstructions. Referring to Fig. 6, the flow may include:
Step S20: determine at least two virtual machine control blocks.
The at least two virtual machine control blocks may belong to the same secure virtual machine or may belong to different secure virtual machines.
Step S21: determine the virtual machine control blocks that point to the same SCCS.
The address field of a virtual machine control block indicates the starting address of the SCCS it points to, so the embodiment of the invention can determine the SCCS pointed to by a virtual machine control block from its address field; if the address fields of virtual machine control blocks are the same, the SCCS they point to is the same, and the virtual machine control blocks that point to the same SCCS can thus be determined.
Step S22: determine that the virtual machine control blocks that point to the same SCCS belong to one secure virtual machine, each belonging to a virtual processor of that secure virtual machine.
By way of example, as shown in FIG. 7, address fields of virtual machine control block 1 point to SCCS1, address fields of virtual machine control block 2 point to SCCS1, and address fields of virtual machine control block 3 point to SCCS2; it may be determined that the virtual machine control block 1 and the virtual machine control block 2 point to the same SCCS, that the virtual machine control block 1 and the virtual machine control block 2 belong to different virtual processors of the same secure virtual machine, e.g., that the virtual machine control block 1 belongs to the virtual processor 11 of the secure virtual machine 1, and that the virtual machine control block 2 belongs to the virtual processor 12 of the secure virtual machine 1; whereas, since the SCCS to which the virtual machine control block 3 points is different from the virtual machine control block 1 and the virtual machine control block 2, the virtual machine control block 3 and the virtual machine control block 1 and the virtual machine control block 2 belong to different secure virtual machines, for example, the virtual machine control block 3 belongs to the virtual processor 21 of the secure virtual machine 2.
Optionally, the embodiment of the invention can reject access between virtual processors that do not belong to the same secure virtual machine, thereby further protecting the data security of the secure virtual machine, while allowing access between virtual processors that belong to the same secure virtual machine.
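Steps S20 to S22 and the resulting access decision can be modelled in C as follows. This is an added example, not code from the patent: the offset of the address field inside the control block page, the sample SCCS addresses and the rule that an all-zero address field fails closed are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VMCB_PAGE_SIZE   4096u          /* one physical page per control block */
#define SCCS_ADDR_OFFSET 0x0F8u         /* hypothetical: 8 aligned bytes of a reserved field */
#define NO_SECURE_VM     ((size_t)-1)   /* label for a block with no SCCS address */

_Static_assert(SCCS_ADDR_OFFSET % 8 == 0 && SCCS_ADDR_OFFSET + 8 <= VMCB_PAGE_SIZE,
               "address field must be 8 aligned bytes inside the page");

struct vmcb_page { uint8_t raw[VMCB_PAGE_SIZE]; };

/* Initialisation done by the secure processor or host virtual machine. */
static void vmcb_set_sccs_addr(struct vmcb_page *v, uint64_t sccs_start)
{
    memcpy(v->raw + SCCS_ADDR_OFFSET, &sccs_start, sizeof sccs_start);
}

static uint64_t vmcb_sccs_addr(const struct vmcb_page *v)
{
    uint64_t addr;
    memcpy(&addr, v->raw + SCCS_ADDR_OFFSET, sizeof addr);
    return addr;
}

/* Two control blocks belong to the same secure VM only if their address
 * fields hold the same SCCS start address. A zero field is treated as
 * "no SCCS" and never matches (assumption of this example). */
bool same_secure_vm(const struct vmcb_page *a, const struct vmcb_page *b)
{
    uint64_t sa = vmcb_sccs_addr(a), sb = vmcb_sccs_addr(b);
    return sa != 0 && sa == sb;
}

/* Access between virtual processors is allowed only inside one secure VM. */
bool vcpu_access_allowed(const struct vmcb_page *src, const struct vmcb_page *dst)
{
    return same_secure_vm(src, dst);
}

/* Steps S20-S22: give every control block the id of the secure VM it belongs
 * to (ids are assigned in order of first appearance). Returns the number of
 * distinct secure VMs found. */
size_t group_by_sccs(const struct vmcb_page *vmcbs, size_t n, size_t *vm_id)
{
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        vm_id[i] = NO_SECURE_VM;
        if (vmcb_sccs_addr(&vmcbs[i]) == 0)
            continue;
        for (size_t j = 0; j < i; j++) {
            if (same_secure_vm(&vmcbs[i], &vmcbs[j])) {
                vm_id[i] = vm_id[j];
                break;
            }
        }
        if (vm_id[i] == NO_SECURE_VM)
            vm_id[i] = distinct++;
    }
    return distinct;
}

/* Constructed sample mirroring Fig. 7: control blocks 1 and 2 point to SCCS1,
 * control block 3 points to SCCS2. The addresses are made up. */
static struct vmcb_page fig7[3];
static size_t fig7_vm_id[3];
static struct vmcb_page blank_vmcb;     /* address field never initialised */

size_t fig7_run(void)
{
    vmcb_set_sccs_addr(&fig7[0], 0x100000);   /* SCCS1 */
    vmcb_set_sccs_addr(&fig7[1], 0x100000);   /* SCCS1 */
    vmcb_set_sccs_addr(&fig7[2], 0x200000);   /* SCCS2 */
    return group_by_sccs(fig7, 3, fig7_vm_id);
}

int main(void)
{
    printf("distinct secure VMs: %zu\n", fig7_run());
    printf("VMCB1 -> VMCB2 access: %s\n", vcpu_access_allowed(&fig7[0], &fig7[1]) ? "allow" : "reject");
    printf("VMCB1 -> VMCB3 access: %s\n", vcpu_access_allowed(&fig7[0], &fig7[2]) ? "allow" : "reject");
    return 0;
}
```

The comparison is only as trustworthy as the address field itself, which is why the description keeps the control blocks in memory that the virtual machine manager cannot write.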
The embodiment of the invention can restrict the virtual machine control block and the SCCS of the secure virtual machine to the secure memory, so that the virtual machine manager cannot modify the control information and state information about the secure virtual machine in the virtual machine control block; as an alternative implementation, embodiments of the present invention may also allow some of the information in the virtual machine control block to be modified by the host, e.g., the SCCS may define which information in the virtual machine control block the host is allowed to modify.
Optionally, Table 1 below shows the fields and field descriptions of an example SCCS, for reference.
[Table 1: fields and field descriptions of an example SCCS; table images not reproduced]
Optionally, the embodiment of the present invention may further isolate a secure control memory area (Secure Memory Control Region, SMCR) in the secure memory of the secure virtual machine, where the secure control memory area stores the virtual machine control block of the secure virtual machine, so that the SMCR is accessible to neither the virtual machine nor the host (e.g., the virtual machine manager), and is accessed only by the secure processor or the host virtual machine.
Optionally, in the case where the memory includes normal memory and secure memory, and exclusive secure memory is isolated for the secure virtual machine, Fig. 8 shows a schematic of an architecture with an SMCR. As shown in Fig. 8, the virtual machine control block of the secure virtual machine is not maintained by the virtual machine manager of the host; instead, an SMCR is further isolated in the secure memory of the secure virtual machine, the virtual machine control block of the secure virtual machine is stored in the SMCR, and the virtual machine control block and the page table of the secure virtual machine are managed by the secure processor or the host virtual machine.
Meanwhile, the page table of the secure virtual machine is stored in the secure memory of the secure virtual machine, and the control register of the virtual machine control block stored in the SMCR points to the page table of the secure virtual machine. The mapping of physical addresses of the secure memory can be managed through this secure page table, realizing the mapping from virtual machine physical addresses of the secure virtual machine to host physical addresses.
In the embodiment of the invention, the page table of the secure virtual machine can be protected by the secure memory (for example, the page table can be a mapping page table from a virtual machine physical address to a host physical address), that is, the secure memory should store at least the page table of the secure virtual machine, and of course, can also store the data of the secure virtual machine; the page table protected by the secure memory according to the embodiment of the present invention may be referred to as a secure page table.
It should be noted that, the page table referred to in the embodiments of the present invention may be, for example, a mapping page table from a virtual machine physical address to a host physical address, and is not specific to a certain virtualization technology, but may be adapted to all possible virtualization technologies; in one possible virtualization technique, the page table referred to by the embodiments of the present invention may be a nested page table, and accordingly, the page table protected by the secure memory may be referred to as a secure nested page table;
Memory is generally managed in units of memory pages using a multi-level page table: the last-level page table stores mappings from virtual addresses to physical addresses, called page table entries; in page tables other than the last-level one, an upper-level page table holds mappings from virtual addresses to lower-level page tables, called page directories.
It can be seen that, in the embodiment of the present invention, the virtual machine control block of the secure virtual machine is located in the secure control memory area, and the starting address of the page table of the secure virtual machine is located in the secure memory; for the normal virtual machine, the virtual machine control block of the normal virtual machine is not located in the secure memory (and therefore is not located in the SMCR), and the starting address of the page table of the normal virtual machine is not located in the secure memory.
As an alternative implementation, on the basis that the address range of the secure memory area is indicated by a physical register, the embodiment of the present invention may set a specific physical register with a specific flag bit to indicate the address range of the secure control memory area, for example, a pair of specific physical registers with specific flag bits may indicate the address range of the secure control memory area, where a specific physical register with a specific flag bit indicates the start address of the secure control memory area, and a specific physical register with another specific flag bit indicates the size of the secure control memory area.
It can be seen that, in the embodiment of the present invention, the secure virtual machine may be allocated secure memory protected by a security protection mechanism, and the secure memory may include a plurality of secure memory areas. At least one of the plurality of secure memory areas may be isolated as a secure control memory area for storing the virtual machine control blocks of the secure virtual machine; the secure memory areas other than the secure control memory area (the non-secure-control memory areas) may be used to store at least the page table and the secure code control information structure of the secure virtual machine; and the virtual machine control blocks of the secure virtual machine stored in the secure control memory area may point to the page table of the secure virtual machine stored in a non-secure-control memory area.
As an alternative implementation, the address range of a secure memory area may be indicated by physical registers, and the physical registers that indicate the address range of the secure control memory area carry a specific flag bit.
When the address fields (starting addresses) in the virtual machine control blocks of the same secure virtual machine are initialized to the same value (e.g., by the secure processor or the host virtual machine), and since in the embodiment of the present invention the virtual machine control blocks of the secure virtual machine are stored in the SMCR, which no device other than the secure processor (or the host virtual machine) can access, it suffices to set the management code of the secure processor or the host virtual machine not to modify the data of the address field during the life cycle of the secure virtual machine. This ensures that, once the address fields in the virtual machine control blocks of the same secure virtual machine have been initialized to the same value, they do not change during the whole life cycle of the secure virtual machine, so that the virtual machine control blocks of the same secure virtual machine point to the same secure code control information structure no matter how those control blocks are otherwise adjusted and changed.
The foregoing describes several embodiments of the present invention. Where no conflict arises, the alternatives presented in the various embodiments may be combined and cross-referenced with one another to extend to further possible embodiments, all of which are considered to be embodiments disclosed by the present invention.
The information setting device provided by the embodiment of the present invention is described below. The information setting device described below may be regarded as the functional modules that the secure processor or the host virtual machine needs to be provided with in order to define the secure code control information structure. The contents of the information setting device described below may be read in correspondence with the above description.
The information setting device provided by the embodiment of the invention can comprise:
a definition module (not shown) for defining a security code control information structure for a security virtual machine, the security code control information structure describing an overall initial state of the security virtual machine;
the virtual machine control block of the secure virtual machine is reserved with an address field, and is used for storing the starting address of the secure code control information structure of the secure virtual machine.
Optionally, the virtual machine control blocks that point to the same secure code control information structure belong to the same secure virtual machine, and each of those virtual machine control blocks belongs to a virtual processor of that secure virtual machine.
Optionally, the secure code control information structure further defines modification attributes of information in a virtual machine control block of the secure virtual machine, the modification attributes including modifiable and non-modifiable.
The control device provided by the embodiment of the present invention is described below, and the control device described below may be regarded as a functional device that is required to be set by the CPU core to implement the control method provided by the embodiment of the present invention. The contents of the control device described below may be referred to in correspondence with the above description.
Fig. 9 is a block diagram of a control device according to an embodiment of the present invention, and referring to fig. 9, the control device may include:
a secure code control information structure obtaining module 100, configured to obtain a secure code control information structure defined for a secure virtual machine when target information of a virtual machine control block of the secure virtual machine needs to be modified; wherein the secure code control information structure describes an overall initial state of the secure virtual machine and modification attributes of information in a virtual machine control block defining the secure virtual machine, the modification attributes including modifiable and non-modifiable; the virtual machine control block of the secure virtual machine and the secure code control information structure are stored in a secure memory;
A modification attribute determining module 110, configured to determine a modification attribute of the target information according to the security code control information structure;
a modification permission module 120, configured to allow modification of the target information if the modification attribute of the target information is modifiable;
and the reject modification module 130 is configured to reject modification of the target information if the modification attribute of the target information is non-modifiable.
Optionally, the secure code control information structure may define a modification attribute for each field of the virtual machine control block of the secure virtual machine.
Optionally, the virtual machine control block may include control area information and state save area information; the control area information comprises a plurality of pieces of control information of the virtual machine control block, and the state save area information comprises a plurality of pieces of state information of the virtual machine control block;
thus, the secure code control information structure may define a modification attribute for each piece of control information of the control area information and a modification attribute for each piece of state information of the state save area information.
Optionally, the modification attribute of the control information of the control area information may include modifiable and non-modifiable; the modification attribute of the state information of the state save area information may be non-modifiable.
Optionally, the modifiable modification attribute may be represented by a first value of the flag information and the non-modifiable modification attribute may be represented by a second value of the flag information, the first and second values being logically opposite.
Optionally, the flag information may be represented by a bit value.
Optionally, fig. 10 shows another block diagram of a control device provided by an embodiment of the present invention, and in combination with fig. 9 and fig. 10, the control device may further include:
the detection module 140 is configured to detect whether the security code control information structures pointed by the at least two virtual machine control blocks are the same; the virtual machine control block of the secure virtual machine is reserved with an address field, and the address field is used for storing a starting address of a secure code control information structure of the secure virtual machine; address fields in virtual machine control blocks of the same secure virtual machine are initialized to the same value, so that secure code control information structures pointed by different virtual machine control blocks of the same secure virtual machine are the same;
and the determining module 150 is configured to determine that the virtual processors corresponding to the at least two virtual machine control blocks belong to the same secure virtual machine if the secure code control information structures pointed by the at least two virtual machine control blocks are the same.
Optionally, fig. 11 shows a further block diagram of a control device according to an embodiment of the present invention, and in combination with fig. 10 and fig. 11, the control device may further include:
an access permission module 160, configured to allow access between virtual processors corresponding to the at least two virtual machine control blocks if the security code control information structures pointed to by the at least two virtual machine control blocks are the same;
and the access rejection module 170 is configured to reject access between virtual processors corresponding to the at least two virtual machine control blocks if the security code control information structures pointed to by the at least two virtual machine control blocks are different.
Optionally, the embodiment of the invention further provides a CPU core, which includes the control device.
Optionally, the embodiment of the present invention further provides a chip, for example, an SoC chip, which may include the secure processor and the CPU core described above.
Optionally, the embodiment of the invention further provides an electronic device, which may include the chip. The electronic device may be a terminal device or a server device.
Although the embodiments of the present invention are disclosed above, the present invention is not limited thereto. Various changes and modifications may be made by one skilled in the art without departing from the spirit and scope of the invention, and the scope of protection of the invention shall therefore be as defined by the appended claims.

Claims (16)

1. An information setting method, characterized by comprising:
defining a security code control information structure for a security virtual machine, wherein the security code control information structure describes the overall initial state of the security virtual machine, and the security virtual machine is a virtual machine adopting a security protection mechanism;
the virtual machine control block of the secure virtual machine is reserved with an address field, and is used for saving the starting address of the secure code control information structure of the secure virtual machine; the secure code control information structure also defines modification attributes of information in a virtual machine control block of the secure virtual machine, the modification attributes including modifiable and non-modifiable.
2. The information setting method according to claim 1, wherein different virtual machine control blocks that point to the same secure code control information structure belong to the same secure virtual machine, and different virtual machine control blocks that point to the same secure code control information structure belong to different virtual processors of the same secure virtual machine.
3. A control method, characterized by being based on a secure code control information structure defined by the information setting method according to any one of claims 1 to 2, the control method comprising:
When target information of a virtual machine control block of a secure virtual machine needs to be modified, acquiring a secure code control information structure defined for the secure virtual machine; the virtual machine control block of the secure virtual machine and the secure code control information structure are stored in a secure memory, wherein the secure memory is a memory adopting a secure protection mechanism;
determining modification attributes of the target information according to the security code control information structure;
if the modification attribute of the target information is modifiable, allowing modification of the target information;
and if the modification attribute of the target information is non-modifiable, refusing to modify the target information.
4. A control method according to claim 3, wherein the secure code control information structure defines modification attributes of information in a virtual machine control block of the secure virtual machine comprising:
the secure code control information structure defines modification attributes of each field information of a virtual machine control block of the secure virtual machine.
5. The control method of claim 4, wherein the virtual machine control block comprises: control zone information and state save zone information; the control area information comprises a plurality of pieces of control information of the virtual machine control block, and the state save area information comprises a plurality of pieces of state information of the virtual machine control block;
The secure code control information structure defining modification attributes of each field information of the virtual machine control block of the secure virtual machine comprises:
the secure code control information structure defines a modification attribute for each piece of control information of the control area information and a modification attribute for each piece of state information of the state save area information.
6. The control method according to claim 5, wherein the modification attribute of the control information of the control area information includes modifiable and non-modifiable; the modification attribute of the state information of the state save area information is non-modifiable.
7. A control method according to claim 3, characterized in that the modifiable modification property is represented by a first value of the marking information and the non-modifiable modification property is represented by a second value of the marking information, said first and second values being logically opposite.
8. The control method according to claim 7, characterized in that the flag information of the first value and the flag information of the second value are represented by bit values.
9. A control method according to claim 3, characterized by further comprising:
detecting whether the security code control information structures pointed by at least two virtual machine control blocks are the same; the address fields in the virtual machine control blocks of the same secure virtual machine are initialized to the same value, so that the secure code control information structures pointed by different virtual machine control blocks of the same secure virtual machine are the same;
And if the security code control information structures pointed by the at least two virtual machine control blocks are the same, determining that the virtual processors corresponding to the at least two virtual machine control blocks belong to the same security virtual machine.
10. The control method according to claim 9, characterized by further comprising:
if the security code control information structures pointed by the at least two virtual machine control blocks are the same, allowing access between virtual processors corresponding to the at least two virtual machine control blocks;
and if the security code control information structures pointed by the at least two virtual machine control blocks are different, refusing the access among the virtual processors corresponding to the at least two virtual machine control blocks.
11. The control method according to claim 3 or 9, wherein the secure memory further isolates a secure control memory area to store a virtual machine control block of the secure virtual machine; the non-secure control memory area of the secure memory stores at least a page table of the secure virtual machine and the secure code control information structure; and a virtual machine control block of the secure virtual machine points to a page table of the secure virtual machine.
12. An information setting apparatus, characterized by comprising:
a definition module, configured to define a secure code control information structure for a secure virtual machine, wherein the secure code control information structure describes the overall initial state of the secure virtual machine, and the secure virtual machine is a virtual machine adopting a security protection mechanism;
the virtual machine control block of the secure virtual machine is reserved with an address field, and is used for saving the starting address of the secure code control information structure of the secure virtual machine; the secure code control information structure also defines modification attributes of information in a virtual machine control block of the secure virtual machine, the modification attributes including modifiable and non-modifiable.
13. A control apparatus, characterized by comprising:
a secure code control information structure obtaining module, configured to obtain a secure code control information structure defined for a secure virtual machine when target information of a virtual machine control block of the secure virtual machine needs to be modified; wherein the secure code control information structure describes an overall initial state of the secure virtual machine and defines modification attributes of information in a virtual machine control block of the secure virtual machine, the modification attributes including modifiable and non-modifiable; the virtual machine control block of the secure virtual machine and the secure code control information structure are stored in a secure memory, the secure virtual machine is a virtual machine adopting a security protection mechanism, and the secure memory is a memory adopting the security protection mechanism;
The modification attribute determining module is used for determining modification attributes of the target information according to the security code control information structure;
a modification permission module, configured to allow modification of the target information if the modification attribute of the target information is modifiable;
and the refusing modification module is used for refusing to modify the target information if the modification attribute of the target information is non-modifiable.
14. A CPU core comprising the control apparatus of claim 13.
15. A chip comprising a secure processor and the CPU core of claim 14.
16. An electronic device comprising the chip of claim 15.
CN201910060502.6A 2018-11-22 2019-01-22 Information setting method, control method, device and related equipment Active CN109901911B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811401839 2018-11-22
CN2018114018390 2018-11-22

Publications (2)

Publication Number Publication Date
CN109901911A (en) 2019-06-18
CN109901911B (en) 2023-07-07

Family

ID=66861836

Family Applications (3)

Application Number Title Priority Date Filing Date
CN201910060502.6A Active CN109901911B (en) 2018-11-22 2019-01-22 Information setting method, control method, device and related equipment
CN201910060494.5A Active CN109858265B (en) 2018-11-22 2019-01-22 Encryption method, device and related equipment
CN201910059800.3A Active CN109828827B (en) 2018-11-22 2019-01-22 Detection method, detection device and related equipment

Country Status (1)

Country Link
CN (3) CN109901911B (en)

Also Published As

Publication number Publication date
CN109828827A (en) 2019-05-31
CN109828827B (en) 2023-10-27
CN109901911A (en) 2019-06-18
CN109858265A (en) 2019-06-07
CN109858265B (en) 2022-01-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 300384 industrial incubation-3-8, North 2-204, No. 18, Haitai West Road, Tianjin Huayuan Industrial Zone, Binhai New Area, Tianjin

Applicant after: Haiguang Information Technology Co.,Ltd.

Address before: 300384 industrial incubation-3-8, North 2-204, No. 18, Haitai West Road, Tianjin Huayuan Industrial Zone, Binhai New Area, Tianjin

Applicant before: HAIGUANG INFORMATION TECHNOLOGY Co.,Ltd.

GR01 Patent grant