WO2023103697A1 - Communication method in computer system, and related product - Google Patents


Publication number
WO2023103697A1
Authority
WO
WIPO (PCT)
Prior art keywords
memory space
access
shared memory
target address
access control
Application number
PCT/CN2022/130846
Inventor
朱少峰
章庆隆
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/544 Buffers; Shared memory; Pipes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5011 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals
    • G06F9/5016 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals the resource being the memory
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5027 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
    • G06F9/5038 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals considering the execution order of a plurality of tasks, e.g. taking priority or time dependency constraints into consideration
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • The embodiments of the present application relate to the field of data security, and in particular to a communication method in a computer system and related products.
  • Trusted execution environment (TEE) systems are generally deployed on computing platforms.
  • By deploying the program to be protected on the TEE system in the form of an enclave, the user can ensure the integrity of the program and the confidentiality of related data.
  • Users can deploy multiple enclaves in the TEE system, and there may be a need for communication between processes running on different enclaves.
  • When different enclaves communicate, it is usually necessary to use untrusted processes (such as applications and operating systems (OS) deployed in untrusted environments) to forward data. Take process A running on enclave A sending data to process B running on enclave B as an example: process A first sends data to an untrusted process, and then the untrusted process forwards the data to process B.
  • This process involves copying of data.
  • Because the data is forwarded by an untrusted process, this may lead to data leakage. Therefore, in order to ensure the security of the data, process A needs to encrypt the data before sending the data to the untrusted process.
  • After process B receives the data forwarded by the untrusted process, it needs to decrypt the data. That is to say, the above-mentioned communication process brings relatively large resource consumption.
  • Embodiments of the present application provide a communication method in a computer system and related products, which can create a shared memory space that supports access by multiple trusted processes running on different enclaves. In this way, the multiple trusted processes can communicate through the shared memory space without copying and without encryption, which reduces the overhead they incur during communication.
  • The embodiment of the present application provides a communication method in a computer system, where the system includes a first enclave and a second enclave. The method includes the following steps: receiving a communication request from the first process, and then creating a shared memory space according to the communication request, wherein the first process and the second process have permission to access the shared memory space, the first process is a process running in the first enclave, and the second process is a process running in the second enclave. Because the first process and the second process can access the shared memory space, they can perform read and write operations on it and thus communicate through it. Because communication through the shared memory space requires neither data copying nor data encryption, it incurs less overhead.
  • The communication request carries identifiers of multiple processes, and the multiple processes have permission to access the shared memory space, wherein the multiple processes include the first process and the second process.
  • The security of the shared memory space can be guaranteed, thereby improving the security of the communication between the first process and the second process.
  • The untrusted process does not have permission to access the shared memory space.
  • The untrusted process includes at least one of a process running in an untrusted execution environment and a process not specified in the communication request. As described in the above implementation, the communication request carries the identifiers of multiple processes; a process not specified in the communication request is therefore any process other than those multiple processes. In this way, the security of the shared memory space can also be guaranteed, thereby improving the security of communication between the first process and the second process.
  • The above communication request includes the size of the shared memory space, and the shared memory space is a section of memory space in the memory of the computer system that meets the above size requirement. In this way, the creation of the shared memory space can be made more flexible, and the memory resources in the computer system can be used more effectively.
  • The above method further includes: configuring an access control table, where the access control table is used to indicate that the first process and the second process have permission to access the shared memory space.
  • The above method further includes: receiving a write data request from the first process, where the write data request includes data to be written and a target address, and the shared memory space includes the memory space indicated by the target address. Then, it is determined according to the access control table that the first process has the right to access the memory space indicated by the target address, and the data is allowed to be written into the memory space indicated by the target address. Then, a notification message is sent to the second process, wherein the notification message includes the above-mentioned target address and is used to instruct the second process to read the above-mentioned data from the memory space indicated by the target address.
  • The above method further includes: receiving a data read request from the second process, where the data read request includes the above target address. Then, according to the access control table, it is determined that the second process has the right to access the memory space indicated by the target address, and the second process is allowed to read data from the memory space indicated by the target address.
  • The embodiment of the present application provides a security access control device, which is applied to a computer system, and the system includes a first enclave and a second enclave.
  • The device includes a communication management module and a memory management module.
  • The communication management module is used for receiving a communication request from a first process, wherein the first process is a process running in the first enclave.
  • The memory management module is used to create a shared memory space according to the above communication request, wherein the second process is a process running in the second enclave, and the first process and the second process have permission to access the above shared memory space.
  • The communication request carries identifiers of multiple processes, and the multiple processes have permission to access the shared memory space, wherein the multiple processes include the first process and the second process.
  • The untrusted process does not have permission to access the shared memory space.
  • The untrusted process includes at least one of a process running in an untrusted execution environment and a process not specified in the communication request. As described in the above implementation, the communication request carries the identifiers of multiple processes; a process not specified in the communication request is therefore any process other than those multiple processes.
  • The above-mentioned communication request includes the size of the shared memory space, and the shared memory space is a section of memory space in the memory of the computer system that meets the above-mentioned size requirement.
  • The above-mentioned device further includes an access control module, and the access control module is configured to configure an access control table, wherein the access control table is used to indicate that the first process and the second process have permission to access the shared memory space.
  • The communication management module is further configured to receive a write data request from the first process, wherein the write data request includes the data to be written and the target address, and the shared memory space includes the memory space indicated by the target address.
  • The above access control module is used to determine according to the access control table that the first process has the right to access the memory space indicated by the target address, and allow data to be written into the memory space indicated by the target address.
  • The above-mentioned communication management module is further configured to send a notification message to the second process, wherein the notification message includes the above-mentioned target address and is used to instruct the second process to read the above-mentioned data from the memory space indicated by the target address.
  • The above communication management module is further configured to receive a data read request from the second process, where the data read request includes the above target address.
  • The above access control module is configured to determine according to the access control table that the second process has the right to access the memory space indicated by the target address, and allow the second process to read data from the memory space indicated by the target address.
  • An embodiment of the present application provides a computing device, which is applied to a computer system, and the system includes a first enclave and a second enclave.
  • The device includes a processor and an access controller.
  • The processor is configured to receive a communication request from the first process, and create a shared memory space according to the above communication request, wherein the first process is a process running in the first enclave, the second process is a process running in the second enclave, and the first process and the second process have permission to access the above-mentioned shared memory space.
  • The processor is also used to configure the access control table to the access controller.
  • The access controller is used to determine according to the access control table that the first process and the second process have permission to access the shared memory space, so that the first process and the second process can communicate based on the shared memory space.
  • The communication request carries identifiers of multiple processes, and the multiple processes have permission to access the shared memory space, wherein the multiple processes include the first process and the second process.
  • The untrusted process does not have permission to access the shared memory space.
  • The untrusted process includes at least one of a process running in an untrusted execution environment and a process not specified in the communication request. As described in the above implementation, the communication request carries the identifiers of multiple processes; a process not specified in the communication request is therefore any process other than those multiple processes.
  • The above communication request includes the size of the shared memory space, and the shared memory space is a section of memory space in the memory of the computer system that meets the above size requirement.
  • The above-mentioned processor is further configured to receive a write data request from the first process, where the write data request includes data to be written and a target address, and the shared memory space includes the memory space indicated by the target address.
  • The above-mentioned access controller is used to determine according to the access control table that the first process has the right to access the memory space indicated by the target address, and allow data to be written into the memory space indicated by the target address.
  • The above-mentioned processor is further configured to send a notification message to the second process, wherein the notification message includes the above-mentioned target address and is used to instruct the second process to read the above-mentioned data from the memory space indicated by the target address.
  • The above processor is further configured to receive a data read request from the second process, where the data read request includes the above target address.
  • The above access controller is configured to determine according to the access control table that the second process has the right to access the memory space indicated by the target address, and allow the second process to read data from the memory space indicated by the target address.
  • An embodiment of the present application provides a computer-readable storage medium that stores computer instructions. When the computer instructions are executed by a computing device, the computing device executes the method described in the aforementioned first aspect or in any one of the implementations of the first aspect.
  • FIG. 1 is a schematic structural diagram of a TEE system provided by an embodiment of the present application.
  • FIG. 2 is a schematic diagram of a memory isolation mechanism provided by an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of a computing system provided by an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of a communication method provided in an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a security access control device provided by an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a computing device provided by an embodiment of the present application.
  • FIG. 7 is a schematic diagram of deployment of an access controller provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of deployment of another access controller provided by the embodiment of the present application.
  • FIG. 9 is a schematic diagram of deployment of another access controller provided by the embodiment of the present application.
  • FIG. 10 is a schematic diagram of deployment of another access controller provided by the embodiment of the present application.
  • FIG. 1 exemplarily shows a schematic structural diagram of a TEE system.
  • The TEE system 100 includes an untrusted application program 110, an untrusted operating system (OS) 120, an enclave 130, a trusted computing base (TCB) 140 and system resources 150.
  • Untrusted application program 110: an ordinary application program deployed by the user, that is, a program deployed by the user that does not need additional security protection, as distinct from the program in the enclave 130.
  • The untrusted application program 110 may specifically include a host application program (host application).
  • Untrusted OS 120: usually deployed by a service provider to provide an operating environment and related services for the untrusted application program 110.
  • The untrusted operating system may include a rich operating system (Rich OS).
  • Enclave 130: a secure and trusted execution environment running on a computing device, with independent resources (including memory resources, network resources and computing resources, etc.), which can guarantee the integrity of the programs running in it and the confidentiality of the data those programs produce while running.
  • The enclave 130 includes a program and a section of memory space, wherein the program in the enclave 130 refers to a program deployed by a user that needs to be protected, and specifically may include an application program, an application program and a trusted operating system, and a virtual machine (VM), container or sandbox, etc.
  • The memory space in the enclave 130 (hereinafter referred to as the enclave memory space) is a continuous memory space in the memory owned by the TEE system 100, and is used to store the program in the enclave 130 and the data generated by the program during operation (hereinafter referred to as running data).
  • TCB 140: the collection of all security protection mechanisms (such as the memory isolation mechanism, the digital signature mechanism and the remote attestation mechanism), which protects the integrity and confidentiality of running-state data to prevent it from being tampered with or illegally accessed by untrusted processes.
  • Untrusted processes include the untrusted application program 110, the untrusted OS 120 and other processes that can actively attack the enclave 130 or serve as a springboard for attacking the enclave 130.
  • TCB 140 includes trusted hardware 141 and TCB high-privilege software 142.
  • The trusted hardware 141 is a hardware resource deployed by a computing platform provider, and is used to provide hardware support for the creation, management (such as interrupt management) and protection (such as memory protection) of the enclave 130.
  • The trusted hardware 141 may include a central processing unit (CPU) core, a hardware root of trust (such as a security chip conforming to the trusted platform module (TPM) standard, eFuse), and other hardware features (such as the memory bus).
  • The TCB high-privilege software 142 is a software resource deployed by a computing platform provider and running on the trusted hardware 141, and is used to provide functional support for the creation, management and protection of the enclave 130.
  • TCB high-privilege software may have different names: different standards, different versions of the same standard, and different manufacturers may use different terms for "TCB high-privilege software", for example, "TCB software", "security monitor", etc.
  • System resources 150: include memory resources and peripheral resources.
  • Memory resources include internal memory that directly exchanges data with the processors in the TEE system 100 (such as the processors running the untrusted application program 110 and the untrusted OS 120, and the processors running programs in the enclave 130). Data can be read from and written to it at any time, and the speed of reading and writing is very fast.
  • The memory resource may include various types of memory, for example, read only memory (ROM) and random access memory (RAM).
  • Peripheral resources refer to hardware devices connected outside the computing device host to transmit and store data, for example, a hard disk (solid state drive, SSD) and a network card.
  • The computing platform provider deploys infrastructure, that is, computing resources (such as servers), storage resources (such as memory) and network resources (such as network cards), thereby building a computing platform. The service provider is a vendor that uses the above computing platform to provide services, for example, allowing users to deploy and run software on the computing platform, or allowing users to access applications running on the computing platform. The user refers to a user of the above services.
  • Two mutually isolated environments are formed in the TEE system 100: one is a trusted environment (also called a secure environment, i.e. secure world), and the other is an untrusted environment (also called a non-secure environment, i.e. non-secure world).
  • The untrusted application program 110, the untrusted OS 120 and a part of the system resources 150 belong to the untrusted environment; the enclave 130, the TCB 140 and a part of the system resources 150 belong to the trusted environment.
  • The TEE system 100 supports a memory isolation mechanism, which prevents processes running in an untrusted environment from accessing memory space in a trusted environment. The enclave memory space in a trusted environment can only be accessed by processes running in that enclave and cannot be accessed by processes running in other enclaves, so as to protect the programs and running data in the enclave memory space.
  • FIG. 2 exemplarily shows the memory isolation mechanism. As shown in FIG. 2, the processes running in the untrusted environment include the untrusted application program 110 and the untrusted OS 120, and the processes running in the trusted environment include the processes running in enclave A.
  • The memory space in enclave A can be accessed by processes running in enclave A, but cannot be accessed by the untrusted application program 110, the untrusted OS 120, or processes running in enclave B; the memory space in enclave B can be accessed by processes running in enclave B, but not by the untrusted application program 110, the untrusted OS 120, or processes running in enclave A.
  • The creation process of the memory space in enclave A is as follows: the program in enclave A is loaded into the TEE system 100; after that, the program in enclave A invokes the untrusted OS 120 to allocate a continuous memory space A for it and to configure the corresponding page table according to memory space A. Then, the untrusted OS 120 calls the TCB high-privilege software 142 to check the above-mentioned page table and determine whether memory space A is available. When memory space A is available, memory space A is used as the memory space in enclave A, and the address range of memory space A is recorded to establish that only processes running in enclave A can access memory space A. Thus, the creation of enclave A is completed.
  • The TCB high-privilege software 142 first determines whether the process has the right to access memory space A; if so, it allows the process to access memory space A; if not, the process is not allowed to access memory space A.
  • Enclave A includes a program for collecting sample data (such as face images) and preprocessing the collected sample data, and enclave B includes a program for obtaining the above-mentioned preprocessed sample data and performing face recognition model training based on these sample data. Therefore, a process running in enclave A needs to communicate with a process running in enclave B.
  • The existence of the memory isolation mechanism prevents the process running in enclave B from directly reading the above preprocessed sample data from the memory space in enclave A, and the process running in enclave A cannot directly write the above preprocessed sample data into the memory space in enclave B. Not only that, the above preprocessed sample data also involves privacy and security issues, that is, it is also necessary to ensure that the communication between the process running in enclave A and the process running in enclave B is secure.
  • FIG. 3 exemplarily shows a schematic structural diagram of a possible computer system provided by the embodiment of the present application.
  • the computer system 200 includes a first process 210 , a second process 220 , a memory 230 and a security access control device 240 . Each part of the computer system 200 is briefly described below.
  • the first process 210 is a process running in the first enclave
  • the second process 220 is a process running in the second enclave
  • the first enclave and the second enclave are different enclaves.
  • the first enclave includes the first program and the first memory space
  • the first program runs in the first enclave
  • the running process of the first program is the first process 210
  • the first memory space is a continuous segment on the memory 230
  • the memory space is used to store the first program and the data generated during the running of the first program
  • the second enclave includes the second program and the second memory space
  • the second program runs in the second enclave
  • the running process of the second program is
  • the second memory space is a continuous memory space on the memory 230 that does not overlap with the first memory space, and is used to store the second program and the data generated during the running of the second program.
  • the memory 230 includes the first memory space, the second memory space and the shared memory space 231 mentioned above.
  • the computer system 200 may also include processes running in an untrusted environment, for example, processes corresponding to an untrusted OS and an untrusted application program, therefore, the memory 230 may also include corresponding memory spaces, for example, an untrusted OS The memory space that the corresponding process can access, and the memory space that the process corresponding to the untrusted application can access.
  • the computer system 200 may also include other enclaves, therefore, the memory 230 may also include memory spaces in other enclaves.
  • the security access control device 240 is used to create a shared memory space 231, wherein the shared memory space 231 is a continuous memory space in the memory 230, which supports access by the first process 210 and the second process 220, in other words, the first process 210 and the second process 220 have the authority to access the shared memory space 231.
  • the above-mentioned first process 210 and the second process 220 have the authority to access the shared memory space 231 means: the first process 210 and the second process 220 Data can be read and written to the shared memory space 231 , so the first process 210 and the second process 220 can communicate based on the shared memory space 231 .
  • the shared memory space 231 can only support trusted process access, wherein the trusted process includes the first process 210 and the second process 210 Process 220.
  • the communication between the first process 210 and the second process 220 does not need to forward data through an untrusted process, and also does not need to copy data and encrypt data, thereby reducing loss in the communication process.
  • the secure access control device 240 is further configured to configure an access control table, wherein the access control table is used to indicate processes (including the first process 210 and the second process 220 ) that have permission to access the shared memory space 231 .
  • the security access control device 240 can determine based on the access control table that the first process 210 and the second process 220 can access the shared memory space 231, thereby allowing the first process 210 and the second process 220 to write data to the shared memory space 231 or read data from the shared memory space 231, so as to realize the communication between the first process 210 and the second process 220.
  • the following takes the first process 210 sending data to the second process 220 as an example to describe the communication method provided by the embodiment of the present application. The method is executed by the security access control device 240; that is, the functions of the security access control device 240 are further described below.
  • the entire communication process can be divided into two stages: the first stage is the creation stage of the shared memory space 231 (S101-S104), and the second stage is the communication stage (S105-S113).
  • the security access control device 240 receives a communication request from the first process 210 .
  • the communication request includes the size of the shared memory space 231 and the identifiers of multiple processes.
  • the multiple processes include the first process 210 and the second process 220.
  • the identifier of the first process 210 may be the ID of the first process 210, the ID of the first enclave, or the physical address of the memory space in which the first program is stored, etc.
  • the identifier of the second process 220 may be the ID of the second process 220, the ID of the second enclave, or the physical address of the memory space storing the second program, etc., which is not limited in this embodiment of the present application.
  • the first process 210 may determine its own identity, the identity of the second process 220, and the size of the data to be sent. Therefore, the first process 210 can determine the size of the shared memory space 231 according to the size of the data to be sent, so as to obtain the above communication request, and send the above communication request to the security access control device 240 .
  • the security access control device 240 creates the shared memory space 231 according to the communication request.
  • the shared memory space 231 is a section of memory space in the memory 230 that meets the above-mentioned size requirement. Specifically, after receiving the communication request, the security access control device 240 parses the communication request to obtain the size of the shared memory space 231, and then, according to that size, selects from the memory 230 a continuous section of memory space that satisfies the size requirement.
  • the security access control device 240 judges whether the above-mentioned selected memory space is available, and when the above-mentioned selected memory space is available, the above-mentioned selected memory space is used as the shared memory space 231; when the above-mentioned selected memory space is not available, the security access control device 240 repeats the above steps of selecting a memory space from the memory 230 until an available memory space is selected.
  • the security access control device 240 determines whether the selected memory space is available through the following steps: the security access control device 240 records the address range of the selected memory space, and then determines, according to the recorded address range, whether that memory space overlaps the used memory space (including the first memory space and the second memory space) in the memory 230. When the address range of the selected memory space does not overlap the address range of the used memory space, it is determined that the selected memory space is available; when the address range of the selected memory space overlaps the address range of the used memory space, it is determined that the selected memory space is not available.
  • the security access control device 240 configures an access control table.
  • the access control table is used to indicate the processes having the right to access the shared memory space 231 , including the first process 210 and the second process 220 .
  • the access control table can be configured as follows: a trusted process has the authority to access the shared memory space 231. The trusted processes here can include the processes specified by the communication request; that is, the multiple processes corresponding to the multiple process identifiers included in the communication request are trusted processes.
  • the computer system 200 may also include multiple processes with higher authority than the first process 210 and the second process 220, these processes may also be trusted processes.
  • the access control table can also be configured as follows: an untrusted process does not have the right to access the shared memory space 231, where the untrusted processes include processes running in an untrusted execution environment. For the description of the untrusted environment, see the relevant description of FIG. 1 above.
  • the access control table includes multiple identifiers and the address range of the shared memory space 231, wherein each of the multiple identifiers corresponds to a process, and the multiple identifiers include the identifier of the first process 210 and the identifier of the second process 220.
  • the access control list is used to indicate that multiple processes corresponding to multiple identifiers have permission to access the shared memory space 231 .
  • the address range of the shared memory space 231 can be represented by the base address and offset of the shared memory space 231, or the base address and the end address of the shared memory space 231, etc., which are not specifically limited here.
  • the security access control device 240 sends a first message to the first process 210 and the second process 220 respectively, to inform the first process 210 and the second process 220 that the creation of the shared memory space 231 has been completed.
  • the first message includes the address range of the shared memory space 231 .
  • the security access control device 240 obtains the identifier of the first process 210, the identifier of the second process 220, and the address range of the shared memory space 231 according to the access control table, and then obtains the first message according to the address range of the shared memory space 231, The first message is sent to the first process 210 according to the identifier of the first process 210 , and the first message is sent to the second process 220 according to the identifier of the second process 220 .
  • the security access control device 240 receives a data write request from the first process 210 .
  • the write data request includes the identifier of the first process 210, the data to be written and the target address.
  • the shared memory space 231 includes the memory space indicated by the above target address.
  • the first process 210 obtains the address range of the shared memory space 231 by parsing the first message, and then determines the target address according to the address range of the shared memory space 231, thereby obtaining the write data request, and sends the write data request to the security access control device 240.
  • the security access control device 240 determines whether the first process 210 has the right to access the memory space indicated by the target address according to the access control table. If the first process 210 does not have the right to access the memory space indicated by the target address, execute S107; if the first process 210 has the right to access the memory space indicated by the target address, execute S108-S113.
  • after receiving the write data request, the security access control device 240 obtains the identifier of the first process 210 by parsing the write data request, and then matches the identifier of the first process 210 against the multiple identifiers in the access control table. If the identifier of the first process 210 is different from all identifiers in the access control table, it is determined that the first process 210 does not have the authority to access the shared memory space 231, and the security access control device 240 performs S107; if the identifier of the first process 210 is the same as any identifier in the access control table, it is determined that the first process 210 has the right to access the shared memory space 231, and the security access control device 240 executes S108-S113.
  • the security access control device 240 further performs the following step: determine whether the target address is within the address range of the shared memory space 231. If it is not, execute S107; if it is, execute S108-S113.
  • the security access control device 240 does not allow the above data to be written into the memory space indicated by the target address.
  • the security access control device 240 may also issue an alarm message to indicate that the access to the shared memory space 231 is abnormal at this time. It should be understood that when such a memory access exception occurs, it means that an exception may have occurred in the shared memory space 231. Therefore, optionally, the security access control device 240 may also perform one or more of the following steps: (1) clear the shared memory space 231; (2) release the shared memory space 231; (3) delete the access control table. In this way, not only can the memory resources in the computer system 200 be saved, but the accuracy of the communication between the first process 210 and the second process 220 can also be guaranteed.
  • the security access control device 240 allows the above data to be written into the memory space indicated by the target address.
  • the security access control device 240 sends a second message to the second process 220 to inform the second process 220 to read data from the memory space indicated by the target address.
  • the security access control device 240 obtains the identifier of the second process 220 according to the access control table, and then sends the second message to the second process 220 according to the identifier of the second process 220 .
  • the second message includes the target address.
  • the security access control device 240 receives a data read request from the second process 220 .
  • the read data request includes the identifier of the second process 220 and the target address. Specifically, after receiving the above-mentioned second message, the second process 220 obtains the target address by parsing the second message, thereby obtaining the read data request, and sends the above-mentioned read data request to the security access control device 240 .
  • the security access control device 240 determines whether the second process 220 has the right to access the memory space indicated by the target address according to the access control table. If the second process 220 does not have the right to access the memory space indicated by the target address, execute S112; if the second process 220 has the right to access the memory space indicated by the target address, execute S113.
  • after receiving the above-mentioned read data request, the security access control device 240 obtains the identifier of the second process 220 by parsing the read data request, and then matches the identifier of the second process 220 against the identifiers of the multiple processes in the access control table. If the identifier of the second process 220 is different from all the identifiers in the access control table, it is determined that the second process 220 does not have the authority to access the shared memory space 231, and the security access control device 240 performs S112; if the identifier of the second process 220 is the same as any identifier in the access control table, it is determined that the second process 220 has the right to access the shared memory space 231, and the security access control device 240 executes S113.
  • after determining that the identifier of the second process 220 is the same as a certain identifier in the access control table, the security access control device 240 further performs the following step: judge whether the target address is within the address range of the shared memory space 231. If not, execute S112; if yes, execute S113.
  • the security access control device 240 does not allow the second process 220 to read the data written by the first process 210 from the memory space indicated by the target address.
  • the security access control device 240 may also issue an alarm message to indicate that the access to the shared memory space 231 is abnormal at this time. It should be understood that when such a memory access exception occurs, it means that an exception may have occurred in the shared memory space 231. Therefore, optionally, the security access control device 240 may also perform one or more of the following steps: (1) clear the shared memory space 231; (2) release the shared memory space 231; (3) delete the access control table. In this way, not only can the memory resources in the computer system 200 be saved, but the accuracy of the communication between the first process 210 and the second process 220 can also be guaranteed.
  • the security access control device 240 allows the second process 220 to read the data written by the first process 210 from the memory space indicated by the target address.
  • the security access control device 240 may also perform one or more of the following steps: (1) Clear the shared memory space 231; (2) Release the shared memory space 231; (3) delete the access control table. In this way, memory resources of the computer system 200 can be saved.
  • the above embodiment only describes the process of the first process 210 sending data to the second process 220. It should be understood that the process of the second process 220 sending data to the first process 210 is similar to the process described in the above embodiment; for brevity, it is not described again in this application. It should also be understood that in practical applications, the first process 210 can send data to multiple processes running in different enclaves, for example: the first process 210 wants to send data to the second process 220 and to a third process running in a third enclave. In this case, the security access control device 240 can still realize the communication between the first process 210, the second process 220 and the third process based on the idea of the above embodiment.
  • the difference from the above-mentioned embodiment is that: the communication request includes not only the identifier of the first process 210 and the identifier of the second process 220, but also the identifier of the third process; the access control table includes not only the identifier of the first process 210 and the identifier of the second process 220, but also the identifier of the third process. In this way, both the second process 220 and the third process can read the data written by the first process 210 from the shared memory space 231.
  • the communication method provided by the embodiment of the present application is described in detail above with reference to FIG. 1-FIG. 4 .
  • the secure access control apparatus 240 and the computing device capable of executing the above method will be described with reference to FIG. 5-FIG. 7 .
  • FIG. 5 shows a schematic structural diagram of a security access control device 240 provided by an embodiment of the present application.
  • the security access control device 240 includes a communication management module 241 , a memory management module 242 and an access control module 243 .
  • the communication management module 241 , the memory management module 242 and the access control module 243 work together to implement the steps performed by the security access control device 240 in the above method embodiments.
  • the communication management module 241 is used to execute the above S101, S104-S105, S109-S110;
  • the memory management module 242 is used to execute the above S102;
  • the access control module 243 is used to execute the above S103, S106-S108, S111-S113.
  • the memory management module 242 may also execute the steps of clearing the shared memory space 231 and releasing the shared memory space 231; the access control module 243 may also execute the step of deleting the access control table.
  • each module inside the security access control device 240 may be a software module, may also be a hardware module, or may be partly a software module and partly a hardware module.
  • the communication management module 241 and the memory management module 242 are software modules
  • the access control module 243 is a hardware module.
  • FIG. 6 is a schematic structural diagram of a computing device provided by an embodiment of the present application.
  • the electronic device may be the security access control device 240 mentioned above.
  • the computing device 300 includes a memory 310 , a processor 320 , an access controller 330 , a communication interface 340 and a bus 350 .
  • the memory 310 , the processor 320 , the access controller 330 , and the communication interface 340 are connected to each other through the bus 350 .
  • the memory 310 may be a read only memory (read only memory, ROM), a static storage device, a dynamic storage device, or a random access memory (random access memory, RAM), etc.
  • the memory 310 may store computer instructions, for example, computer instructions in the communication management module 241 , computer instructions in the memory management module 242 , computer instructions in the access control module 243 , and the like.
  • the computer instructions stored in the memory 310 can be executed by the processor 320 and the access controller 330. When the processor 320 and the access controller 330 execute the above computer instructions, some or all functions of the security access control device 240 can be realized.
  • the memory 310 can also store data, for example: intermediate data and result data generated by the processor 320 and the access controller 330 when executing the above computer instructions, such as the address range of the shared memory space 231, the identifier of the first process 210, the identifier of the second process 220, etc.
  • the processor 320 may be a CPU, a microprocessor (such as a system on chip (SoC)), an application specific integrated circuit (ASIC), a graphics processing unit (GPU), or one or more integrated circuits.
  • the processor 320 can also be an integrated circuit chip with signal processing capabilities.
  • part of the functions of the above-mentioned security access control device 240, that is, part or all of the functions of the communication management module 241 and the memory management module 242, can be accomplished by integrated logic circuits in hardware in the processor 320 or by instructions in software.
  • the processor 320 can also be a general-purpose processor, a digital signal processor (DSP), a field programmable gate array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components.
  • the general-purpose processor can be a microprocessor or any conventional processor, and the steps of the method disclosed in the embodiments of the present application (such as the above-mentioned S101-S105, S109-S110, etc.) can be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, register.
  • the storage medium is located in the memory 310 , and the processor 320 reads the information in the memory 310 , and combines its hardware to complete part or all of the functions of the communication management module 241 and the memory management module 242 in the security access control device 240 .
  • the processor 320 may execute some or all of the steps in the above S101-S105, S109-S110, clearing the shared memory space 231, releasing the shared memory space 231, and deleting the access control table.
  • when the processor 320 executes the above steps, some or all of the functions of the communication management module 241 and the memory management module 242 in the above-mentioned security access control device 240 may be realized.
  • the access controller 330 may include at least one register, and the at least one register includes a bitmap (bitmap) register, and the bitmap register is used for storing information of processes having access rights to the shared memory space 231 .
  • the bitmap register can store the information of the processes with access to the shared memory space 231 in the following manner: each bit of the bitmap register corresponds to a process. When the Mth bit of the bitmap register is 1, it indicates that the corresponding process has permission to access the shared memory space 231. Conversely, when the Mth bit of the bitmap register is 0, it indicates that the corresponding process does not have permission to access the shared memory space 231.
  • the width of the selected bitmap register can be determined by the number of processes running in different enclaves in the computer system 200.
  • for example, if the computer system 200 usually runs 10 processes, and these 10 processes run in 10 enclaves respectively, a bitmap register with 10 bits can be chosen.
  • the above at least one register further includes an address register for storing the address range of the shared memory space, wherein the number of address registers may be two, such as address register 1 and address register 2 shown in FIG. 6 .
  • the address register 1 is used for storing the base address of the shared memory space 231
  • the address register 2 is used for storing the offset of the shared memory space 231 .
  • the functions of the above-mentioned bitmap register, address register 1 and address register 2 are equivalent to the access control table in the above-mentioned method embodiment. The processor 320 performing the operation of configuring the access control table (that is, S103) is therefore equivalent to the processor 320 configuring the above-mentioned bitmap register, address register 1 and address register 2, so that the access control table is configured in the access controller 330.
  • the access controller 330 may perform some or all of the steps described in S106-S108 and S111-S113 above. When the access controller 330 performs the above steps, some or all of the functions of the access control module 243 in the above-mentioned security access control device 240 may be implemented.
  • the communication interface 340 implements communication between the computing device 300 and other devices or communication networks using a transceiver module such as but not limited to a transceiver.
  • Bus 350 may include pathways for communicating information between various components in computing device 300 (eg, memory 310 , processor 320 , access controller 330 , communication interface 340 ).
  • the first enclave and the second enclave in the above method embodiment are deployed on the computing device 300
  • the memory 310 also includes the above-mentioned shared memory space 231
  • the processor 320 is also used to run the above-mentioned first process 210 and the second process 220.
  • the deployment of the access controller 330 is flexible. Specifically, it can be deployed on the access path used when the processor 320 (that is, the first process 210 and the second process 220) accesses the shared memory space 231. The path may be: processor 320 → memory bus → memory bus port → memory arbiter → memory controller → shared memory space 231, wherein the memory arbiter and memory controller may be components in the memory 310.
  • a memory arbiter and a memory controller may also be integrated in the processor 320 (such as an SoC). In this case, the above-mentioned access path may be: CPU → memory bus → memory bus port → memory arbiter → memory controller → shared memory space 231. Therefore, the access controller 330 can be deployed on the memory bus, memory bus port, memory arbiter, or memory controller.
  • FIG. 7 and FIG. 8 show the situation in which the access controller 330 is deployed on the memory controller, wherein FIG. 7 shows a schematic diagram of the access controller 330 deployed on the memory controller in the memory 310, and FIG. 8 shows a schematic diagram of the access controller 330 deployed on the memory controller in the processor 320.
  • when the access controller 330 is deployed on the memory controller, if the access controller 330 determines that the first process 210 has the authority to access the shared memory space 231, the data is written directly into the memory space indicated by the target address; if the access controller 330 determines that the first process 210 does not have the permission to access the shared memory space 231, the data is discarded.
  • if the access controller 330 determines that the second process 220 has the authority to access the shared memory space 231, the data is read directly from the memory space indicated by the target address, and the read data is returned to the second process 220; if the access controller 330 determines that the second process 220 does not have the right to access the shared memory space 231, it will not read data from the shared memory space 231 indicated by the target address.
  • FIG. 9 and FIG. 10 show the situation in which the access controller 330 is deployed on the memory arbiter, wherein FIG. 9 shows a schematic diagram of the access controller 330 deployed on the memory arbiter in the memory 310, and FIG. 10 shows a schematic diagram of the access controller 330 deployed on the memory arbiter in the processor 320.
  • when the access controller 330 is deployed on the memory arbiter, if the access controller 330 determines that the first process 210 has the authority to access the shared memory space 231, the write data request sent by the first process 210 is forwarded to the memory controller, so that the first process 210 can write data into the memory space indicated by the target address; if the access controller 330 determines that the first process 210 does not have the authority to access the shared memory space 231, the write data request is not forwarded to the memory controller, and the first process 210 cannot write data into the memory space indicated by the target address.
  • if the access controller 330 determines that the second process 220 has the authority to access the shared memory space 231, the read data request sent by the second process 220 is forwarded to the memory controller, so that the second process 220 can read data from the memory space indicated by the target address; if the access controller 330 determines that the second process 220 does not have the authority to access the shared memory space 231, the read data request is not forwarded to the memory controller, and the second process 220 will not read data from the shared memory space 231 indicated by the target address.
  • the access controller 330 can also be deployed on a memory bus or a memory bus port, etc. When the access controller 330 is deployed on a memory bus or a memory bus port, the steps it performs follow the same idea as the steps it performs when deployed on the memory arbiter; for the sake of brevity, the embodiment of the present application does not describe them again.
  • the above embodiment only describes the scenario where the security access control device 240 is deployed on one computing device (such as the computing device 300).
  • the communication management module 241 and the memory management module 242 are deployed on one computing device, and the access control module 243 is deployed on another computing device, which is not limited in this embodiment of the present application.
  • all or part of the above embodiments may be implemented by software, hardware or a combination thereof.
  • when implemented by software, the embodiments may be implemented in whole or in part in the form of a computer program product, wherein the computer program product includes one or more computer instructions executed by the above-mentioned security access control device 240, and these instructions are loaded and executed on a computing device.
  • the processes or functions described in the embodiments of the present application may be implemented in whole or in part.
  • the aforementioned computing devices may be general purpose computers, special purpose computers, computer networks, or other programmable devices.
  • the above-mentioned computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, by wired (for example, coaxial cable, optical fiber, twisted pair) or wireless (for example, infrared, wireless, microwave) means to another website, computer, server, or data center.
  • the above-mentioned computer-readable storage medium stores one or more computer instructions executed by the above-mentioned security access control device 240 .
  • the computer-readable storage medium may be any available medium that can be accessed by a computing device, or a data storage device including a server, a data center, and the like integrated with one or more media.
  • the above-mentioned usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, an optical disk), or a semiconductor medium (for example, a solid state disk (solid state disk, SSD)).
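
The availability test of S102, the access check of S106 and S111, and the bitmap and address registers described for the access controller 330 can be modeled together in C. This is an added example, not code from the patent: the type and function names, the 32-bit bitmap width, the byte array standing in for memory 230, and the access-length parameter (which extends the target-address check so that an access cannot run past the end of the shared space) are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: hypothetical software model of the registers described for
 * access controller 330. Every name and constant below is an assumption. */
#define MAX_PROCS 32u                 /* width of the modeled bitmap register */

typedef struct { uint64_t base, len; } region;   /* half-open [base, base+len) */

typedef struct {
    uint32_t bitmap;   /* bit M == 1: process M may access the shared space */
    uint64_t base;     /* address register 1: base of the shared space      */
    uint64_t offset;   /* address register 2: offset (size in bytes)        */
    bool     valid;    /* false once the access control table is deleted    */
} acl_regs;

typedef enum { ACC_ALLOW, ACC_DENY_NO_TABLE, ACC_DENY_ID, ACC_DENY_ADDR } acc_result;

/* A region is well formed if it is non-empty and base+len does not wrap. */
static bool region_ok(region r) {
    return r.len != 0 && r.base <= UINT64_MAX - r.len;
}

/* S102: a candidate is available only if it overlaps no used region. */
static bool region_available(region cand, const region *used, size_t n) {
    if (!region_ok(cand)) return false;
    for (size_t i = 0; i < n; i++) {
        if (!region_ok(used[i])) return false;
        if (cand.base < used[i].base + used[i].len &&
            used[i].base < cand.base + cand.len)
            return false;
    }
    return true;
}

/* S103: fill the registers from the identifiers in the communication request. */
static bool acl_configure(acl_regs *r, region shm, const unsigned *ids, size_t n) {
    uint32_t bits = 0;
    if (!region_ok(shm)) return false;
    for (size_t i = 0; i < n; i++) {
        if (ids[i] >= MAX_PROCS) return false;    /* no bit for this process */
        bits |= UINT32_C(1) << ids[i];
    }
    r->bitmap = bits; r->base = shm.base; r->offset = shm.len; r->valid = true;
    return true;
}

/* S106 / S111: identifier match first, then the address-range check.
 * The subtraction form avoids overflow in target + len. */
static acc_result acl_check(const acl_regs *r, unsigned id, uint64_t target, uint64_t len) {
    if (!r->valid) return ACC_DENY_NO_TABLE;
    if (id >= MAX_PROCS || !((r->bitmap >> id) & 1u)) return ACC_DENY_ID;
    if (len == 0 || target < r->base || len > r->offset ||
        target - r->base > r->offset - len)
        return ACC_DENY_ADDR;
    return ACC_ALLOW;
}

/* Optional steps after a denied access: clear the space, delete the table. */
static void acl_teardown(acl_regs *r, uint8_t *mem) {
    if (r->valid) memset(mem + r->base, 0, (size_t)r->offset);
    memset(r, 0, sizeof *r);
}

/* S105-S108: data is written only after the check passes, otherwise dropped. */
static acc_result guarded_write(const acl_regs *r, uint8_t *mem, unsigned id,
                                uint64_t target, const void *data, uint64_t len) {
    acc_result res = acl_check(r, id, target, len);
    if (res == ACC_ALLOW) memcpy(mem + target, data, (size_t)len);
    return res;
}

/* S110-S113: data is returned only after the check passes. */
static acc_result guarded_read(const acl_regs *r, const uint8_t *mem, unsigned id,
                               uint64_t target, void *out, uint64_t len) {
    acc_result res = acl_check(r, id, target, len);
    if (res == ACC_ALLOW) memcpy(out, mem + target, (size_t)len);
    return res;
}

int main(void) {
    static uint8_t mem[256];                      /* constructed stand-in for memory 230 */
    const region used[] = { {0, 64}, {64, 64} };  /* first and second memory space */
    const unsigned ids[] = { 1, 2 };              /* constructed process identifiers */
    region shm = { 96, 64 };                      /* first pick overlaps the second space */
    acl_regs regs = {0};
    char buf[6] = {0};

    if (!region_available(shm, used, 2)) shm.base = 128;   /* select again */
    if (!region_available(shm, used, 2) || !acl_configure(&regs, shm, ids, 2)) return 1;
    printf("write by 1: %d\n", guarded_write(&regs, mem, 1, 128, "hello", 5));
    printf("read by 2: %d (%s)\n", guarded_read(&regs, mem, 2, 128, buf, 5), buf);
    printf("write by 3: %d\n", guarded_write(&regs, mem, 3, 128, "x", 1));
    printf("write past end: %d\n", guarded_write(&regs, mem, 1, 190, "hello", 5));
    acl_teardown(&regs, mem);
    printf("after teardown: %d\n", acl_check(&regs, 1, 128, 1));
    return 0;
}
```

The address comparison is written as `target - base > offset - len` so that a target near the top of the address space cannot wrap around and pass the range test.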


Abstract

A communication method in a computer system and a related product, capable of reducing loss caused by processes, running in different enclaves of the system, during communication. Specifically, the method above comprises the following steps: receiving a communication request from a first process (S101); and then creating a shared memory space according to the communication request (S102), wherein the first process and a second process have permissions to access the shared memory space, the first process is a process running in a first enclave, and the second process is a process running in a second enclave. The first process and the second process can access the shared memory space, so that the first process and the second process can perform read and write operations on the shared memory space, and thus can implement communication on the basis of the shared memory space. When communication is implemented on the basis of the shared memory space, data copying and data encryption are not needed in the procedure, and thus, the procedure will cause less loss.

Description

A communication method in a computer system and related products
This application claims priority to Chinese patent application No. 202111507637.6, filed with the China Patent Office on December 10, 2021 and entitled "A communication method in a computer system and related products", the entire contents of which are incorporated herein by reference.
Technical field
The embodiments of this application relate to the field of data security, and in particular to a communication method in a computer system and related products.
Background
In recent years, to improve the security of data on computing platforms, trusted execution environment (TEE) systems have generally been deployed on them. By deploying a program that needs protection on the TEE system in the form of an enclave, a user can ensure the integrity of the program and the confidentiality of its data. In practice, a user may deploy multiple enclaves in the TEE system, and processes running in different enclaves may need to communicate.
At present, when different enclaves communicate, they usually have to rely on an untrusted process (such as an application or operating system (OS) deployed in the untrusted environment) to forward the data. Take process A running in enclave A sending data to process B running in enclave B as an example: process A first sends the data to the untrusted process, which then forwards it to process B. This involves copying the data. Moreover, because the data passes through an untrusted process, it may be leaked. To keep the data secure, process A must therefore encrypt the data before sending it to the untrusted process, and process B must decrypt the data after receiving it from the untrusted process. In other words, this communication process incurs considerable resource overhead.
Therefore, how to reduce the overhead incurred when processes running in different enclaves communicate remains an urgent problem in the field of data security.
Summary
The embodiments of this application provide a communication method in a computer system and related products that can create a shared memory space accessible to multiple trusted processes running in different enclaves. Based on this shared memory space, communication among those trusted processes requires neither copying nor encryption, which reduces the overhead they incur when communicating.
In a first aspect, an embodiment of this application provides a communication method in a computer system that includes a first enclave and a second enclave. The method includes the following steps: receiving a communication request from a first process, and then creating a shared memory space according to the communication request, where the first process and a second process have permission to access the shared memory space, the first process is a process running in the first enclave, and the second process is a process running in the second enclave. Because the first process and the second process can access the shared memory space, they can perform read and write operations on it and can therefore communicate through it. Communication based on the shared memory space requires neither data copying nor data encryption, so it incurs less overhead.
In a possible implementation of the first aspect, the communication request carries the identifiers of multiple processes, and these processes have permission to access the shared memory space; the multiple processes include the first process and the second process. This ensures the security of the shared memory space and thereby improves the security of communication between the first process and the second process.
In a possible implementation of the first aspect, an untrusted process does not have permission to access the shared memory space. The untrusted process includes at least one of a process running in the untrusted execution environment and a process not specified in the communication request. As the preceding implementation shows, the communication request carries the identifiers of multiple processes, so a process not specified in the communication request is any process other than those multiple processes. This also ensures the security of the shared memory space and thereby improves the security of communication between the first process and the second process.
In a possible implementation of the first aspect, the communication request includes the size of the shared memory space, and the shared memory space is a section of the computer system's memory that meets this size requirement. This makes creation of the shared memory space more flexible and uses the memory resources of the computer system more effectively.
In a possible implementation of the first aspect, after the shared memory space is created according to the communication request, the method further includes: configuring an access control table, where the access control table indicates that the first process and the second process have permission to access the shared memory space.
In a possible implementation of the first aspect, the method further includes: receiving a write data request from the first process, where the write data request includes the data to be written and a target address, and the shared memory space includes the memory space indicated by the target address. It is then determined, according to the access control table, that the first process has permission to access the memory space indicated by the target address, after which the data is allowed to be written into that memory space. A notification message is then sent to the second process, where the notification message includes the target address, and the communication message is used to instruct the second process to read the data from the memory space indicated by the target address.
In a possible implementation of the first aspect, after the notification message is sent to the second process, the method further includes: receiving a read data request from the second process, where the read data request includes the target address. It is then determined, according to the access control table, that the second process has permission to access the memory space indicated by the target address, after which the second process is allowed to read the data from that memory space.
In the above implementations, the access control table determines which processes have permission to access the shared memory space and which do not. Only processes with that permission can perform read and write operations on the shared memory space, which ensures the security of the shared memory space and improves the security of communication between the first process and the second process.
In a second aspect, an embodiment of this application provides a security access control device applied to a computer system that includes a first enclave and a second enclave. The device includes a communication management module and a memory management module. The communication management module is configured to receive a communication request from a first process, where the first process is a process running in the first enclave. The memory management module is configured to create a shared memory space according to the communication request, where a second process is a process running in the second enclave, and the first process and the second process have permission to access the shared memory space.
In a possible implementation of the second aspect, the communication request carries the identifiers of multiple processes, and these processes have permission to access the shared memory space; the multiple processes include the first process and the second process.
In a possible implementation of the second aspect, an untrusted process does not have permission to access the shared memory space. The untrusted process includes at least one of a process running in the untrusted execution environment and a process not specified in the communication request. As the preceding implementation shows, the communication request carries the identifiers of multiple processes, so a process not specified in the communication request is any process other than those multiple processes.
In a possible implementation of the second aspect, the communication request includes the size of the shared memory space, and the shared memory space is a section of the computer system's memory that meets this size requirement.
In a possible implementation of the second aspect, the device further includes an access control module configured to configure an access control table, where the access control table indicates that the first process and the second process have permission to access the shared memory space.
In a possible implementation of the second aspect, the communication management module is further configured to receive a write data request from the first process, where the write data request includes the data to be written and a target address, and the shared memory space includes the memory space indicated by the target address. The access control module is configured to determine, according to the access control table, that the first process has permission to access the memory space indicated by the target address, and to allow the data to be written into that memory space. The communication management module is further configured to send a notification message to the second process, where the notification message includes the target address, and the communication message is used to instruct the second process to read the data from the memory space indicated by the target address.
In a possible implementation of the second aspect, the communication management module is further configured to receive a read data request from the second process, where the read data request includes the target address. The access control module is configured to determine, according to the access control table, that the second process has permission to access the memory space indicated by the target address, and to allow the second process to read the data from that memory space.
In a third aspect, an embodiment of this application provides a computing device applied to a computer system that includes a first enclave and a second enclave. The device includes a processor and an access controller. The processor is configured to receive a communication request from a first process and create a shared memory space according to the communication request, where the first process is a process running in the first enclave, a second process is a process running in the second enclave, and the first process and the second process have permission to access the shared memory space. The processor is further configured to configure an access control table into the access controller. The access controller is configured to determine, according to the access control table, that the first process and the second process have permission to access the shared memory space, so that the first process and the second process can communicate through the shared memory space.
In a possible implementation of the third aspect, the communication request carries the identifiers of multiple processes, and these processes have permission to access the shared memory space; the multiple processes include the first process and the second process.
In a possible implementation of the third aspect, an untrusted process does not have permission to access the shared memory space. The untrusted process includes at least one of a process running in the untrusted execution environment and a process not specified in the communication request. As the preceding implementation shows, the communication request carries the identifiers of multiple processes, so a process not specified in the communication request is any process other than those multiple processes.
In a possible implementation of the third aspect, the communication request includes the size of the shared memory space, and the shared memory space is a section of the computer system's memory that meets this size requirement.
In a possible implementation of the third aspect, the processor is further configured to receive a write data request from the first process, where the write data request includes the data to be written and a target address, and the shared memory space includes the memory space indicated by the target address. The access controller is configured to determine, according to the access control table, that the first process has permission to access the memory space indicated by the target address, and to allow the data to be written into that memory space. The processor is further configured to send a notification message to the second process, where the notification message includes the target address, and the communication message is used to instruct the second process to read the data from the memory space indicated by the target address.
In a possible implementation of the third aspect, the processor is further configured to receive a read data request from the second process, where the read data request includes the target address. The access controller is configured to determine, according to the access control table, that the second process has permission to access the memory space indicated by the target address, and to allow the second process to read the data from that memory space.
In a fourth aspect, an embodiment of this application provides a computer-readable storage medium that stores computer instructions. When the computer instructions are executed by a computing device, the computing device performs the method described in the first aspect or in any implementation of the first aspect.
Brief description of the drawings
FIG. 1 is a schematic structural diagram of a TEE system provided by an embodiment of this application;
FIG. 2 is a schematic diagram of a memory isolation mechanism provided by an embodiment of this application;
FIG. 3 is a schematic structural diagram of a computing system provided by an embodiment of this application;
FIG. 4 is a schematic flowchart of a communication method provided by an embodiment of this application;
FIG. 5 is a schematic structural diagram of a security access control device provided by an embodiment of this application;
FIG. 6 is a schematic structural diagram of a computing device provided by an embodiment of this application;
FIG. 7 is a schematic diagram of a deployment of an access controller provided by an embodiment of this application;
FIG. 8 is a schematic diagram of another deployment of an access controller provided by an embodiment of this application;
FIG. 9 is a schematic diagram of yet another deployment of an access controller provided by an embodiment of this application;
FIG. 10 is a schematic diagram of another deployment of an access controller provided by an embodiment of this application.
Detailed description
To make the solutions of the embodiments of this application clearer, the relevant terms are explained first, before the solutions are described in detail.
In the era of big data and artificial intelligence, people can obtain all kinds of data more conveniently and efficiently. At the same time, however, the way people access data is also recorded, learned from, and used. If privacy protection is neglected in this process, personal information may be leaked. Protecting user data is therefore crucial.
In recent years, in fields such as smart terminals, edge computing, and cloud computing, computing platforms have commonly used TEE systems to improve the security of user data. FIG. 1 shows an example structure of a TEE system. As shown in FIG. 1, TEE system 100 includes an untrusted application 110, an untrusted operating system (OS) 120, an enclave 130, a trusted computing base (TCB) 140, and system resources 150. Each part of the TEE system is briefly described below.
Untrusted application 110: an ordinary application deployed by the user. An ordinary application here is a user-deployed program that does not need additional security protection, as distinct from the program in enclave 130. Untrusted application 110 may specifically include a host application.
Untrusted OS 120: usually deployed by the service provider to provide a runtime environment and related services for untrusted application 110. The untrusted operating system may include a rich operating system (Rich OS).
Enclave 130: a secure, trusted execution environment that runs on a computing device and has its own resources (including memory, network, and computing resources). It guarantees the integrity of the program running in it and the confidentiality of the data that program generates while running. In the embodiments of this application, enclave 130 includes a program and a section of memory space. The program in enclave 130 is a user-deployed program that needs protection, and may specifically include an application, an application together with a trusted operating system, a virtual machine (VM), a container, a sandbox, and so on. Note that the trusted operating system is deployed by the user and provides a runtime environment and related services for the application in enclave 130. The memory space in enclave 130 (hereinafter, the enclave memory space) is a contiguous section of the memory owned by TEE system 100, and stores the program in enclave 130 and the data the program generates while running (hereinafter, runtime data).
TCB 140: for TEE system 100, TCB 140 is the set of all security protection mechanisms that implement data security within the system (such as the memory isolation mechanism, the digital signature mechanism, and the remote attestation mechanism). It guarantees the integrity of the program in enclave 130 and the confidentiality of the runtime data, and protects them from tampering or unauthorized access by untrusted processes. Untrusted processes include processes such as untrusted application 110 and untrusted OS 120 that can actively attack enclave 130 or serve as a springboard for attacking it.
In the embodiments of this application, TCB 140 includes trusted hardware 141 and TCB high-privilege software 142. Trusted hardware 141 is a hardware resource deployed by the computing platform provider, and provides hardware support for the creation, management (such as interrupt management), and protection (such as memory protection) of enclave 130. Trusted hardware 141 may include a central processing unit (CPU) core, a hardware root of trust (such as a security chip conforming to the trusted platform module (TPM) standard, or eFuse), and other hardware features (such as the memory bus). TCB high-privilege software 142 is a software resource deployed by the computing platform provider that runs on trusted hardware 141, and provides functional support for the creation, management, and protection of enclave 130.
Note that the term "TCB high-privilege software" may go by different names. Different standards, different versions of the same standard, and different vendors may refer to it differently, for example as "TCB software" or "security monitor".
System resources 150: include memory resources and peripheral resources. Memory resources include internal memory that exchanges data directly with the processors in TEE system 100 (such as the processors running untrusted application 110 and untrusted OS 120, and the processor running the program in enclave 130); this memory can be read and written at any time and at high speed. Memory resources may include several kinds of memory, for example read-only memory (ROM) and random access memory (RAM). Peripheral resources are hardware devices connected outside the host of the computing device and used to transmit and store data, for example a hard disk (solid state drive, SSD) or a network card.
Note also that the above introduction to TEE system 100 refers to "user", "service provider", and "computing platform provider". These concepts are distinguished as follows: a "computing platform provider" is a vendor that deploys infrastructure, that is, computing resources (such as servers), storage resources (such as memory), and network resources (such as network cards), and thereby builds a computing platform; a "service provider" is a vendor that uses that computing platform to provide services to "users", for example by allowing users to deploy and run software on the computing platform or to access applications running on it; a "user" is a consumer of those services.
As FIG. 1 shows, two mutually isolated environments are formed in TEE system 100: a trusted environment (also called the secure environment, or secure world) and an untrusted environment (also called the non-secure environment, or non-secure world). Untrusted application 110, untrusted OS 120, and part of system resources 150 belong to the untrusted environment; enclave 130, TCB 140, and part of system resources 150 belong to the trusted environment.
TEE system 100 supports a memory isolation mechanism. Under this mechanism, a process running in the untrusted environment cannot access memory space in the trusted environment, and an enclave's memory space in the trusted environment can be accessed only by processes running in that enclave, not by processes running in other enclaves. This protects the program and runtime data in the enclave memory space. FIG. 2 illustrates the memory isolation mechanism. As shown in FIG. 2, the processes running in the untrusted environment include untrusted application 110 and untrusted OS 120, the processes running in the trusted environment include the process running in enclave A and the process running in enclave B, and the memory space in the trusted environment includes the memory space in enclave A and the memory space in enclave B. Under the memory isolation mechanism, the memory space in enclave A can be accessed by the process running in enclave A, but not by untrusted application 110, untrusted OS 120, or the process running in enclave B; the memory space in enclave B can be accessed by the process running in enclave B, but not by untrusted application 110, untrusted OS 120, or the process running in enclave A.
The implementation principle of the memory isolation mechanism is described below with reference to FIG. 2, taking the memory space in enclave A as an example:
First, the memory space in enclave A is created as follows: the program in enclave A is loaded into the TEE system 100; the program in enclave A then calls the untrusted OS 120 to allocate a contiguous memory space A for it and to configure the corresponding page table according to memory space A. The untrusted OS 120 then calls the TCB high-privilege software 142 to check the page table and determine whether memory space A is available. If memory space A is available, it is used as the memory space in enclave A, and its address range is then recorded so that it can be determined that only processes running in enclave A can access memory space A. This completes the creation of enclave A.
Next, when a process in the TEE system 100 initiates an access to memory space A, the TCB high-privilege software 142 first determines whether the process has permission to access memory space A. If it does, the process is allowed to access memory space A; if it does not, the process is not allowed to access memory space A. It is easy to see that, among the untrusted application 110, the untrusted OS 120, the processes running in enclave A and the processes running in enclave B, only the processes running in enclave A can access memory space A, while the untrusted application 110, the untrusted OS 120 and the processes running in enclave B cannot. This ensures the security of the programs and runtime data in memory space A.
It should be understood that, in practical applications, multiple enclaves may be deployed in the TEE system 100, and processes running in different enclaves may need to communicate with each other. Still taking FIG. 2 as an example, assume that the TEE system 100 is used to train a face recognition model, where enclave A contains a program that collects sample data (such as face images) and preprocesses the collected sample data, and enclave B contains a program that obtains the preprocessed sample data and trains the face recognition model on it. The process running in enclave A therefore needs to communicate with the process running in enclave B. However, because of the memory isolation mechanism, the process running in enclave B cannot read the preprocessed sample data directly from the memory space in enclave A, and the process running in enclave A cannot write the preprocessed sample data directly into the memory space in enclave B. In addition, the preprocessed sample data raises privacy and security concerns, so the communication between the process running in enclave A and the process running in enclave B must also be secure.
To address the above problems, an embodiment of the present application provides a communication method that not only enables processes running in different enclaves to communicate with each other, but also ensures the security of the entire communication process. The method can be applied to a computer system, which may be the TEE system described above. FIG. 3 shows, by way of example, a schematic structural diagram of a possible computer system provided by an embodiment of the present application. As shown in FIG. 3, the computer system 200 includes a first process 210, a second process 220, a memory 230 and a security access control device 240. Each part of the computer system 200 is briefly described below.
The first process 210 is a process running in a first enclave, and the second process 220 is a process running in a second enclave; the first enclave and the second enclave are different enclaves. The first enclave includes a first program and a first memory space. The first program runs in the first enclave, and the running instance of the first program is the first process 210. The first memory space is a contiguous memory space in the memory 230 and is used to store the first program and the data generated while the first program runs. The second enclave includes a second program and a second memory space. The second program runs in the second enclave, and the running instance of the second program is the second process 220. The second memory space is a contiguous memory space in the memory 230 that does not overlap the first memory space and is used to store the second program and the data generated while the second program runs. For a detailed description of the first enclave and the second enclave, refer to the description of the enclave 130 in FIG. 1; for brevity, it is not repeated here.
The memory 230 includes the first memory space, the second memory space and the shared memory space 231 mentioned above. Optionally, the computer system 200 may also include processes running in the untrusted environment, for example the processes corresponding to an untrusted OS and an untrusted application. The memory 230 may therefore also include the corresponding memory spaces, for example the memory space that the process corresponding to the untrusted OS can access and the memory space that the process corresponding to the untrusted application can access. Moreover, in addition to the first enclave and the second enclave, the computer system 200 may include other enclaves, so the memory 230 may also include the memory spaces in those other enclaves.
The security access control device 240 is used to create the shared memory space 231. The shared memory space 231 is a contiguous memory space in the memory 230 that supports access by the first process 210 and the second process 220; in other words, the first process 210 and the second process 220 have permission to access the shared memory space 231. In the embodiments of the present application, the first process 210 and the second process 220 having permission to access the shared memory space 231 means that the first process 210 and the second process 220 can read data from and write data to the shared memory space 231, so the first process 210 and the second process 220 can communicate through the shared memory space 231. In some embodiments, to improve the security of the communication between the first process 210 and the second process 220, the shared memory space 231 may support access by trusted processes only, where the trusted processes include the first process 210 and the second process 220. In this way, the communication between the first process 210 and the second process 220 does not need to be forwarded through an untrusted process, so the data does not need to be copied or encrypted, which reduces the overhead of the communication process.
Optionally, the security access control device 240 is further used to configure an access control table, where the access control table indicates the processes that have permission to access the shared memory space 231 (including the first process 210 and the second process 220). The security access control device 240 can then determine from the access control table that the first process 210 and the second process 220 can access the shared memory space 231, and therefore allow the first process 210 and the second process 220 to write data to the shared memory space 231 or read data from the shared memory space 231, thereby enabling communication between the first process 210 and the second process 220.
The communication method provided by the embodiments of the present application is described below, taking the first process 210 sending data to the second process 220 as an example. The method is executed by the security access control device 240, so the following also further describes the functions of the security access control device 240. As shown in FIG. 4, the entire communication process can be divided into two stages: the first stage is the creation of the shared memory space 231 (S101-S104), and the second stage is the communication stage (S105-S113).
S101: The security access control device 240 receives a communication request from the first process 210.
The communication request includes the size of the shared memory space 231 and the identifiers of multiple processes 220. The multiple processes 220 include the first process 210 and the second process 220. Optionally, the identifier of the first process 210 may be the ID of the first process 210, the ID of the first enclave, the physical address of the memory space in which the first program is stored, or the like. Similarly, the identifier of the second process 220 may be the ID of the second process 220, the ID of the second enclave, the physical address of the memory space in which the second program is stored, or the like. This is not limited in the embodiments of the present application.
It should be understood that, when the first process 210 wants to send data to the second process 220, the first process 210 can determine its own identifier, the identifier of the second process 220 and the size of the data to be sent. The first process 210 can therefore determine the size of the shared memory space 231 from the size of the data to be sent, construct the communication request, and send the communication request to the security access control device 240.
S102: The security access control device 240 creates the shared memory space 231 according to the communication request.
The shared memory space 231 is a memory space in the memory 230 that meets the above size requirement. Specifically, after receiving the communication request, the security access control device 240 parses it to obtain the size of the shared memory space 231 and then, according to that size, selects from the memory 230 a contiguous memory space that meets the size requirement. The security access control device 240 then determines whether the selected memory space is available. If the selected memory space is available, it is used as the shared memory space 231; if it is not available, the security access control device 240 repeats the step of selecting a memory space from the memory 230 until an available memory space is selected.
In a possible implementation, the security access control device 240 determines whether the selected memory space is available as follows: the security access control device 240 records the address range of the selected memory space and then, based on the recorded address range, determines whether this memory space overlaps the memory space already in use in the memory 230 (including the first memory space and the second memory space). When the address range of the selected memory space does not overlap the address range of the memory space already in use, the selected memory space is determined to be available. Conversely, when the address range of the selected memory space overlaps the address range of the memory space already in use, the selected memory space is determined to be unavailable.
S103: The security access control device 240 configures the access control table.
The access control table indicates the processes that have permission to access the shared memory space 231, including the first process 210 and the second process 220.
Optionally, to ensure the security of the communication between the first process 210 and the second process 220, the access control table may be configured so that trusted processes have permission to access the shared memory space 231. The trusted processes here may include the processes specified by the communication request; that is, the multiple processes corresponding to the multiple process identifiers included in the communication request are trusted processes. In addition, the computer system 200 may include multiple processes with higher privileges than the first process 210 and the second process 220, and these processes may also be trusted processes.
Optionally, the access control table may also be configured so that untrusted processes do not have permission to access the shared memory space 231. The untrusted processes here include the processes running in the untrusted execution environment; for a description of the untrusted environment, refer to the description of FIG. 1 above.
In some embodiments, the access control table includes multiple identifiers and the address range of the shared memory space 231, where each of the multiple identifiers corresponds to one process and the multiple identifiers include the identifier of the first process 210 and the identifier of the second process 220. The access control table indicates that the multiple processes corresponding to the multiple identifiers have permission to access the shared memory space 231. The address range of the shared memory space 231 may be expressed in various ways, for example as the base address and an offset of the shared memory space 231, or as the base address and the end address of the shared memory space 231; this is not specifically limited here.
S104: The security access control device 240 sends a first message to the first process 210 and to the second process 220, to inform the first process 210 and the second process 220 that the creation of the shared memory space 231 is complete.
The first message includes the address range of the shared memory space 231. Specifically, the security access control device 240 obtains the identifier of the first process 210, the identifier of the second process 220 and the address range of the shared memory space 231 from the access control table, constructs the first message from the address range of the shared memory space 231, sends the first message to the first process 210 according to the identifier of the first process 210, and sends the first message to the second process 220 according to the identifier of the second process 220.
S105: The security access control device 240 receives a write data request from the first process 210.
The write data request includes the identifier of the first process 210, the data to be written and a target address, and the shared memory space 231 includes the memory space indicated by the target address. Specifically, after receiving the first message, the first process 210 parses it to obtain the address range of the shared memory space 231, determines the target address according to that address range, constructs the write data request, and sends the write data request to the security access control device 240.
S106: The security access control device 240 determines, according to the access control table, whether the first process 210 has permission to access the memory space indicated by the target address. If the first process 210 does not have permission to access the memory space indicated by the target address, S107 is executed; if the first process 210 has permission to access the memory space indicated by the target address, S108-S113 are executed.
Specifically, after receiving the write data request, the security access control device 240 parses it to obtain the identifier of the first process 210 and then matches the identifier of the first process 210 against the multiple identifiers in the access control table. If the identifier of the first process 210 differs from all the identifiers in the access control table, it is determined that the first process 210 does not have permission to access the shared memory space 231, and the security access control device 240 executes S107. If the identifier of the first process 210 is the same as any identifier in the access control table, it is determined that the first process 210 has permission to access the shared memory space 231, and the security access control device 240 executes S108-S113.
To further improve the security of the shared memory space 231, optionally, after determining that the identifier of the first process 210 is the same as one of the identifiers in the access control table, the security access control device 240 also performs the following step: it determines whether the target address is within the address range of the shared memory space 231. If it is not, S107 is executed; if it is, S108-S113 are executed.
S107: The security access control device 240 does not allow the data to be written into the memory space indicated by the target address.
Optionally, the security access control device 240 may also issue alarm information to indicate that an abnormal access to the shared memory space 231 has occurred. It should be understood that such a memory access exception means that the shared memory space 231 may be in an abnormal state. Therefore, optionally, the security access control device 240 may also perform one or more of the following steps: (1) clear the shared memory space 231; (2) release the shared memory space 231; (3) delete the access control table. This not only saves memory resources in the computer system 200, but also ensures the accuracy of the communication between the first process 210 and the second process 220.
S108: The security access control device 240 allows the data to be written into the memory space indicated by the target address.
S109: The security access control device 240 sends a second message to the second process 220, to inform the second process 220 to read the data from the memory space indicated by the target address.
Specifically, the security access control device 240 obtains the identifier of the second process 220 from the access control table and then sends the second message to the second process 220 according to that identifier. The second message includes the target address.
S110: The security access control device 240 receives a read data request from the second process 220.
The read data request includes the identifier of the second process 220 and the target address. Specifically, after receiving the second message, the second process 220 parses it to obtain the target address, constructs the read data request, and sends the read data request to the security access control device 240.
S111: The security access control device 240 determines, according to the access control table, whether the second process 220 has permission to access the memory space indicated by the target address. If the second process 220 does not have permission to access the memory space indicated by the target address, S112 is executed; if the second process 220 has permission to access the memory space indicated by the target address, S113 is executed.
Specifically, after receiving the read data request, the security access control device 240 parses it to obtain the identifier of the second process 220 and then matches the identifier of the second process 220 against the identifiers of the multiple processes in the access control table. If the identifier of the second process 220 differs from all the identifiers in the access control table, it is determined that the second process 220 does not have permission to access the shared memory space 231, and the security access control device 240 executes S112. If the identifier of the second process 220 is the same as any identifier in the access control table, it is determined that the second process 220 has permission to access the shared memory space 231, and the security access control device 240 executes S113.
As in S106 above, to further improve the security of the shared memory space 231, optionally, after determining that the identifier of the second process 220 is the same as one of the identifiers in the access control table, the security access control device 240 also performs the following step: it determines whether the target address is within the address range of the shared memory space 231. If it is not, S112 is executed; if it is, S113 is executed.
S112: The security access control device 240 does not allow the second process 220 to read the data written by the first process 210 from the memory space indicated by the target address.
Optionally, the security access control device 240 may also issue alarm information to indicate that an abnormal access to the shared memory space 231 has occurred. It should be understood that such a memory access exception means that the shared memory space 231 may be in an abnormal state. Therefore, optionally, the security access control device 240 may also perform one or more of the following steps: (1) clear the shared memory space 231; (2) release the shared memory space 231; (3) delete the access control table. This not only saves memory resources in the computer system 200, but also ensures the accuracy of the communication between the first process 210 and the second process 220.
S113: The security access control device 240 allows the second process 220 to read the data written by the first process 210 from the memory space indicated by the target address.
Optionally, after the second process 220 has read the data from the memory space indicated by the target address, the security access control device 240 may also perform one or more of the following steps: (1) clear the shared memory space 231; (2) release the shared memory space 231; (3) delete the access control table. This saves memory resources in the computer system 200.
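The checks in S102, S103, S106/S111 and the optional cleanup can be followed end to end in the C example below, which is added here and is not code from the application. It assumes that the memory 230 is a byte array addressed by offset, that identifiers are small integers (210 and 220 reuse the reference numerals as constructed IDs), that all function names are hypothetical, and that the range check covers the whole access length rather than only the target address the text mentions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x4000u  /* constructed: size of the simulated memory 230 */
#define PAGE     0x1000u  /* constructed: search granularity used in S102 */
#define MAX_IDS  4

typedef struct { uint64_t base, len; } range_t;
typedef struct {              /* access control table configured in S103 */
    bool     valid;
    range_t  shared;          /* address range of shared memory space 231 */
    uint32_t ids[MAX_IDS];    /* identifiers permitted to access it */
    size_t   n_ids;
} acl_t;
typedef enum { ALLOW, DENY_NO_TABLE, DENY_UNKNOWN_ID, DENY_OUT_OF_RANGE } verdict_t;

static uint8_t mem[MEM_SIZE]; /* addresses are offsets into this array */

static bool ranges_overlap(range_t a, range_t b) {
    return a.base < b.base + b.len && b.base < a.base + a.len;
}

/* S102: select a contiguous range that overlaps no range already in use. */
static bool create_shared(const range_t *used, size_t n_used, uint64_t size, range_t *out) {
    if (size == 0 || size > MEM_SIZE) return false;
    for (uint64_t base = 0; base + size <= MEM_SIZE; base += PAGE) {
        range_t cand = { base, size };
        bool is_free = true;
        for (size_t i = 0; i < n_used; i++)
            if (ranges_overlap(cand, used[i])) { is_free = false; break; }
        if (is_free) { *out = cand; return true; }
    }
    return false;             /* bounded search: report failure, do not spin */
}

/* S103: record the permitted identifiers and the shared address range. */
static bool acl_configure(acl_t *t, range_t shared, const uint32_t *ids, size_t n) {
    if (n == 0 || n > MAX_IDS) return false;
    memset(t, 0, sizeof *t);
    t->shared = shared;
    memcpy(t->ids, ids, n * sizeof *ids);
    t->n_ids = n;
    t->valid = true;
    return true;
}

/* S106 / S111: identifier match first, then the address range check.
 * The subtraction form cannot wrap, unlike target + len <= end. */
static verdict_t check_access(const acl_t *t, uint32_t id, uint64_t target, uint64_t len) {
    if (!t->valid) return DENY_NO_TABLE;
    bool known = false;
    for (size_t i = 0; i < t->n_ids; i++)
        if (t->ids[i] == id) known = true;
    if (!known) return DENY_UNKNOWN_ID;
    if (target < t->shared.base) return DENY_OUT_OF_RANGE;
    uint64_t off = target - t->shared.base;
    if (off >= t->shared.len || len > t->shared.len - off) return DENY_OUT_OF_RANGE;
    return ALLOW;
}

/* S107 / S108: the write happens only after the check allows it. */
static verdict_t sac_write(const acl_t *t, uint32_t id, uint64_t target, const void *src, uint64_t len) {
    verdict_t v = check_access(t, id, target, len);
    if (v == ALLOW) memcpy(mem + target, src, (size_t)len);
    return v;
}

/* S112 / S113: same gate on the read path. */
static verdict_t sac_read(const acl_t *t, uint32_t id, uint64_t target, void *dst, uint64_t len) {
    verdict_t v = check_access(t, id, target, len);
    if (v == ALLOW) memcpy(dst, mem + target, (size_t)len);
    return v;
}

/* Optional cleanup: clear the shared space and delete the table. */
static void teardown(acl_t *t) {
    if (t->valid) memset(mem + t->shared.base, 0, (size_t)t->shared.len);
    memset(t, 0, sizeof *t);
}

int main(void) {
    range_t used[] = { {0x0000, 0x1000}, {0x2000, 0x1000} }; /* constructed: enclave A, enclave B */
    uint32_t ids[] = { 210, 220 };
    range_t sh; acl_t t; char buf[8] = {0};
    if (!create_shared(used, 2, 0x800, &sh) || !acl_configure(&t, sh, ids, 2)) return 1;
    printf("write by 210: %d\n", sac_write(&t, 210, sh.base, "sample", 7));
    printf("read by 220:  %d (%s)\n", sac_read(&t, 220, sh.base, buf, 7), buf);
    printf("read by 999:  %d\n", sac_read(&t, 999, sh.base, buf, 7));
    teardown(&t);
    return 0;
}
```

Because the table is zeroed on cleanup, any request that arrives after teardown is denied before the identifier list is consulted.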
The above embodiment describes only the process in which the first process 210 sends data to the second process 220. It should be understood that the process in which the second process 220 sends data to the first process 210 is similar to the process described in the above embodiment and, for brevity, is not described further in this application. It should also be understood that, in practical applications, the first process 210 may send data to multiple processes running in different enclaves. For example, the first process 210 may want to send data to the second process 220 and to a third process running in a third enclave. In this case, the security access control device 240 can still implement the communication between the first process 210 and the second process 220 and the third process based on the idea of the above embodiment. In a specific implementation, the differences from the above embodiment are as follows: in addition to the identifier of the first process 210 and the identifier of the second process 220, the communication request also includes the identifier of the third process; and in addition to the identifier of the first process 210 and the identifier of the second process 220, the access control table also includes the identifier of the third process. In this way, both the second process 220 and the third process can read the data written by the first process 210 from the shared memory space 231.
In summary, by implementing the communication method provided by the embodiments of the present application, secure communication between processes running in different enclaves can be achieved, and because the communication process requires neither copying nor encrypting the data, the overhead of the entire communication process is also reduced.
The communication method provided by the embodiments of the present application has been described in detail above with reference to FIG. 1 to FIG. 4. The security access control device 240 and the computing device capable of executing the method are described next with reference to FIG. 5 to FIG. 7.
Refer to FIG. 5, which shows a schematic structural diagram of a security access control device 240 provided by an embodiment of the present application. As shown in FIG. 5, the security access control device 240 includes a communication management module 241, a memory management module 242 and an access control module 243. The communication management module 241, the memory management module 242 and the access control module 243 work together to implement the steps performed by the security access control device 240 in the above method embodiment. Specifically, the communication management module 241 is used to execute S101, S104-S105 and S109-S110; the memory management module 242 is used to execute S102; the access control module 243 is used to execute S103, S106-S108 and S111-S113. After the second process 220 has read the data written by the first process 210 from the memory space indicated by the target address, or when an abnormal access to the shared memory space 231 occurs as described in S107 or S112, optionally, the memory management module 242 may also perform the steps of clearing the shared memory space 231 and releasing the shared memory space 231, and the access control module 243 may also perform the step of deleting the access control table.
应理解,图5所示的仅仅是根据功能对上述安全访问控制装置240的一种示例性的结构划分方式,本申请实施例并不对安全访问控制装置240的结构的具体划分方式进行限定。还应理解,安全访问控制装置240内部的各个模块可以是软件模块,也可以是硬件模块,也可以部分是软件模块部分是硬件模块。例如,通信管理模块241和内存管理模块242是软件模块,访问控制模块243是硬件模块。It should be understood that what is shown in FIG. 5 is only an exemplary structural division of the security access control device 240 according to functions, and the embodiment of the present application does not limit the specific structural division of the security access control device 240 . It should also be understood that each module inside the security access control device 240 may be a software module, may also be a hardware module, or may be partly a software module and partly a hardware module. For example, the communication management module 241 and the memory management module 242 are software modules, and the access control module 243 is a hardware module.
请参见图6,图6是本申请实施例提供的一种计算设备的结构示意图。该电子设备可以是上文中的安全访问控制装置240。如图6所示,计算设备300包括存储器310、处理器320、访问控制器330、通信接口340以及总线350。其中,存储器310、处理器320、访问控制器330、通信接口340通过总线350实现彼此之间的通信连接。Please refer to FIG. 6, which is a schematic structural diagram of a computing device provided by an embodiment of the present application. The electronic device may be the security access control device 240 mentioned above. As shown in FIG. 6 , the computing device 300 includes a memory 310 , a processor 320 , an access controller 330 , a communication interface 340 and a bus 350 . Wherein, the memory 310 , the processor 320 , the access controller 330 , and the communication interface 340 are connected to each other through the bus 350 .
存储器310可以是只读存储器(read only memory,ROM)、静态存储设备、动态存储设备或者随机存取存储器(random access memory,RAM)等。存储器310可以存储计算机指令,例如,通信管理模块241中的计算机指令、内存管理模块242中的计算机指令以及访问控制模块243的计算机指令等。存储器310中存储的计算机指令可以被处理器320以及访问控制器330执行,当处理器320以及访问控制器330执行上述计算机指令时,可以实现安全访问控制装置240的部分或全部功能。存储器310还可以存储数据,例如:处理器320和访问控 制器330在执行上述计算机指令时产生的中间数据和结果数据,例如,共享内存空间231的地址范围、第一进程210的标识、第二进程220的标识等。The memory 310 may be a read only memory (read only memory, ROM), a static storage device, a dynamic storage device, or a random access memory (random access memory, RAM), etc. The memory 310 may store computer instructions, for example, computer instructions in the communication management module 241 , computer instructions in the memory management module 242 , computer instructions in the access control module 243 , and the like. The computer instructions stored in the memory 310 can be executed by the processor 320 and the access controller 330. When the processor 320 and the access controller 330 execute the above computer instructions, some or all functions of the security access control device 240 can be realized. The memory 310 can also store data, for example: intermediate data and result data generated by the processor 320 and the access controller 330 when executing the above computer instructions, for example, the address range of the shared memory space 231, the identifier of the first process 210, the second The identification of the process 220, etc.
The processor 320 may be a CPU, a microprocessor (such as a system on chip (SoC)), an application specific integrated circuit (ASIC), a graphics processing unit (GPU), or one or more integrated circuits. The processor 320 may also be an integrated circuit chip with signal processing capability. In implementation, part of the functions of the secure access control apparatus 240, namely some or all of the functions of the communication management module 241 and the memory management module 242, may be completed by integrated logic circuits of hardware in the processor 320 or by instructions in the form of software. The processor 320 may also be a general-purpose processor, a digital signal processor (DSP), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application (for example, S101-S105 and S109-S110 above) may be executed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software modules may be located in a storage medium that is mature in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or registers. The storage medium is located in the memory 310; the processor 320 reads the information in the memory 310 and, in combination with its hardware, completes some or all of the functions of the communication management module 241 and the memory management module 242 in the secure access control apparatus 240.
In some embodiments, the processor 320 may execute some or all of the following steps: S101-S105, S109-S110, clearing the shared memory space 231, releasing the shared memory space 231, and deleting the access control table. When the processor 320 executes these steps, some or all of the functions of the communication management module 241 and the memory management module 242 in the secure access control apparatus 240 can be implemented.
The access controller 330 may include at least one register. The at least one register includes a bitmap register, which is used to store information about the processes that have permission to access the shared memory space 231. In a specific implementation, assuming the bitmap register has N bits (N is an integer greater than 0), the bitmap register can store this information as follows: each bit of the bitmap register corresponds to one process. When bit M of the bitmap register is 1, the corresponding process has permission to access the shared memory space 231; conversely, when bit M of the bitmap register is 0, the corresponding process does not have permission to access the shared memory space 231. The bitmap register to be used can be chosen according to the number of processes running in different enclaves in the computer system 200. For example, if the computer system 200 usually runs 10 processes and these 10 processes run in 10 enclaves respectively, a bitmap register with 10 bits can be chosen.
Optionally, the at least one register further includes address registers for storing the address range of the shared memory space. There may be two address registers, such as address register 1 and address register 2 shown in FIG. 6. Address register 1 is used to store the base address of the shared memory space 231, and address register 2 is used to store the offset of the shared memory space 231.
It should be noted that the bitmap register, address register 1 and address register 2 play the role of the access control table in the above method embodiments. The operation of configuring the access control table performed by the processor 320 (that is, S103) is therefore equivalent to the processor 320 configuring the bitmap register, address register 1 and address register 2, thereby configuring the access control table into the access controller 330.
In some embodiments, the access controller 330 may execute some or all of the steps described in S106-S108 and S111-S113 above. When the access controller 330 executes these steps, some or all of the functions of the access control module 243 in the secure access control apparatus 240 can be implemented.
The communication interface 340 uses a transceiver module, such as but not limited to a transceiver, to implement communication between the computing device 300 and other devices or communication networks.
The bus 350 may include a path for transferring information between the components of the computing device 300 (for example, the memory 310, the processor 320, the access controller 330 and the communication interface 340).
Exemplarily, the first enclave and the second enclave of the above method embodiments are deployed on the computing device 300, the memory 310 further includes the shared memory space 231, and the processor 320 is further used to run the first process 210 and the second process 220. In this scenario the deployment of the access controller 330 is flexible: it can be deployed on the access path that the processor 320 (that is, the first process 210 and the second process 220) uses to access the shared memory space 231. This path may be: processor 320 → memory bus → memory bus port → memory arbiter → memory controller → shared memory space 231, where the memory arbiter and the memory controller may be components of the memory 310. In some embodiments, the memory arbiter and the memory controller are integrated in the processor 320 (such as an SoC), in which case the access path may be: CPU → memory bus → memory bus port → memory arbiter → memory controller → shared memory space 231. The access controller 330 can therefore be deployed on the memory bus, the memory bus port, the memory arbiter or the memory controller.
FIG. 7 and FIG. 8 show the case where the access controller 330 is deployed on the memory controller: FIG. 7 is a schematic diagram of the access controller 330 deployed on the memory controller in the memory 310, and FIG. 8 is a schematic diagram of the access controller 330 deployed on the memory controller in the processor 320. When the access controller 330 is deployed on the memory controller, if the access controller 330 determines that the first process 210 has permission to access the shared memory space 231, it writes the data directly into the memory space indicated by the target address; if the access controller 330 determines that the first process 210 does not have permission to access the shared memory space 231, it discards the data. Similarly, if the access controller 330 determines that the second process 220 has permission to access the shared memory space 231, it reads the data directly from the memory space indicated by the target address and returns the data to the second process 220; if the access controller 330 determines that the second process 220 does not have permission to access the shared memory space 231, it does not read data from the shared memory space 231 indicated by the target address.
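The register-based access control table and the memory-controller placement described above can be modelled in a few lines of C. This is an added example, not code from the patent: the structure and function names, the toy 256-byte memory, the use of a process index as the bitmap bit position, and the reading of the "offset" in address register 2 as the region length are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE    256u  /* constructed: toy physical memory */
#define BITMAP_BITS 10u   /* N = 10, as in the 10-enclave example above */

/* Hypothetical register file standing in for access controller 330. */
struct access_controller {
    uint32_t bitmap;  /* bit M == 1: process M may access the shared region */
    uint32_t base;    /* address register 1: base address */
    uint32_t offset;  /* address register 2: offset, assumed to be the length */
};

static uint8_t phys_mem[MEM_SIZE];

/* S103 analogue: the processor loads the access control table into registers. */
bool ac_configure(struct access_controller *ac, uint32_t base, uint32_t offset,
                  const uint32_t *pids, size_t n)
{
    if (offset == 0 || offset > MEM_SIZE || base > MEM_SIZE - offset)
        return false;              /* region must fit inside memory */
    uint32_t bm = 0;
    for (size_t i = 0; i < n; i++) {
        if (pids[i] >= BITMAP_BITS)
            return false;          /* no bit exists for this process */
        bm |= 1u << pids[i];
    }
    ac->bitmap = bm;
    ac->base = base;
    ac->offset = offset;
    return true;
}

/* Permit only if the bit is set AND the whole access lies in the region.
 * This model governs the shared window only; other addresses are refused. */
bool ac_permits(const struct access_controller *ac, uint32_t pid,
                uint32_t addr, uint32_t len)
{
    if (pid >= BITMAP_BITS || !(ac->bitmap & (1u << pid)))
        return false;
    if (len == 0 || len > ac->offset || addr < ac->base)
        return false;
    /* Subtraction form avoids wraparound in addr + len. */
    return addr - ac->base <= ac->offset - len;
}

/* Memory-controller placement: a permitted write is performed, else dropped. */
bool mc_write(const struct access_controller *ac, uint32_t pid,
              uint32_t addr, const void *data, uint32_t len)
{
    if (!ac_permits(ac, pid, addr, len))
        return false;              /* data discarded */
    memcpy(&phys_mem[addr], data, len);
    return true;
}

/* A refused read never touches memory, so `out` is left unchanged. */
bool mc_read(const struct access_controller *ac, uint32_t pid,
             uint32_t addr, void *out, uint32_t len)
{
    if (!ac_permits(ac, pid, addr, len))
        return false;
    memcpy(out, &phys_mem[addr], len);
    return true;
}

/* Optional cleanup: clear the shared region, then delete the table. */
void ac_teardown(struct access_controller *ac)
{
    if (ac->offset)
        memset(&phys_mem[ac->base], 0, ac->offset);
    ac->bitmap = ac->base = ac->offset = 0;
}

int main(void)
{
    struct access_controller ac;
    const uint32_t allowed[] = { 2, 7 };  /* constructed process indices */
    const uint8_t msg[] = "ping";
    uint8_t out[sizeof msg] = { 0 };

    if (!ac_configure(&ac, 64, 32, allowed, 2))
        return 1;
    printf("write by 2: %d\n", mc_write(&ac, 2, 64, msg, sizeof msg));
    printf("read by 7:  %d\n", mc_read(&ac, 7, 64, out, sizeof out));
    printf("write by 3: %d\n", mc_write(&ac, 3, 64, msg, sizeof msg));
    ac_teardown(&ac);
    printf("read after teardown: %d\n", mc_read(&ac, 7, 64, out, sizeof out));
    return 0;
}
```

The range check compares `addr - base` against `offset - len` rather than computing `addr + len`, so a request near the top of the address space cannot wrap around and pass the check.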
FIG. 9 and FIG. 10 show the case where the access controller 330 is deployed on the memory arbiter: FIG. 9 is a schematic diagram of the access controller 330 deployed on the memory arbiter in the memory 310, and FIG. 10 is a schematic diagram of the access controller 330 deployed on the memory arbiter in the processor 320. When the access controller 330 is deployed on the memory arbiter, if the access controller 330 determines that the first process 210 has permission to access the shared memory space 231, it forwards the write data request sent by the first process 210 to the memory controller, so that the first process 210 can write the data into the memory space indicated by the target address; if the access controller 330 determines that the first process 210 does not have permission to access the shared memory space 231, it does not forward the write data request to the memory controller, and the first process 210 cannot write the data into the memory space indicated by the target address. Similarly, if the access controller 330 determines that the second process 220 has permission to access the shared memory space 231, it forwards the read data request sent by the second process 220 to the memory controller, so that the second process 220 can read the data from the memory space indicated by the target address; if the access controller 330 determines that the second process 220 does not have permission to access the shared memory space 231, it does not forward the read data request to the memory controller, and the second process 220 does not read any data from the shared memory space 231 indicated by the target address.
It should be understood that the access controller 330 can also be deployed at the memory bus, the memory bus port or similar locations. When the access controller 330 is deployed at the memory bus or the memory bus port, the steps it performs follow the same idea as the steps performed when it is deployed on the memory arbiter; for brevity, the embodiments of the present application do not describe them further.
It should also be understood that the above embodiments describe only the scenario where the secure access control apparatus 240 is deployed on one computing device (such as the computing device 300). In practical applications, the modules of the secure access control apparatus 240 may also be deployed on different computing devices. For example, the communication management module 241 and the memory management module 242 are deployed on one computing device and the access control module 243 is deployed on another computing device, which is not limited in the embodiments of the present application.
The descriptions of the processes corresponding to the above drawings each have their own emphasis. For parts that are not described in detail in one process, refer to the relevant descriptions of the other processes.
The above embodiments may be implemented in whole or in part by software, hardware or a combination thereof. When implemented by software, they may be implemented in whole or in part in the form of a computer program product, where the computer program product includes one or more computer instructions executed by the secure access control apparatus 240. When these computer instructions are loaded and executed on a computing device, the processes or functions described in the embodiments of the present application can be implemented in whole or in part.
The computing device may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another. For example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wire (for example, coaxial cable, optical fiber or twisted pair) or wirelessly (for example, infrared, wireless or microwave). The computer-readable storage medium stores one or more computer instructions executed by the secure access control apparatus 240. The computer-readable storage medium may be any available medium that a computing device can access, or a data storage device such as a server or data center that integrates one or more media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, an optical disc) or a semiconductor medium (for example, a solid state disk (SSD)).

Claims (18)

  1. A communication method in a computer system, wherein the computer system includes a first enclave and a second enclave, and the method includes:
    receiving a communication request from a first process, wherein the first process is a process running in the first enclave;
    creating a shared memory space according to the communication request, wherein the first process and a second process have permission to access the shared memory space, and the second process is a process running in the second enclave.
  2. The method according to claim 1, wherein the communication request carries identifiers of multiple processes, and the multiple processes have permission to access the shared memory space, wherein the multiple processes include the first process and the second process.
  3. The method according to claim 1 or 2, wherein the communication request includes the size of the shared memory space, and the shared memory space is a section of memory space in the memory of the computer system that meets the size requirement.
  4. The method according to claim 3, wherein after the creating a shared memory space according to the communication request, the method further includes:
    configuring an access control table, wherein the access control table is used to indicate that the first process and the second process have permission to access the shared memory space.
  5. The method according to claim 4, wherein the method further includes:
    receiving a write data request from the first process, wherein the write data request includes data to be written and a target address, and the shared memory space includes the memory space indicated by the target address;
    determining, according to the access control table, that the first process has permission to access the memory space indicated by the target address, and allowing the data to be written into the memory space indicated by the target address;
    sending a notification message to the second process, wherein the notification message includes the target address, and the communication message is used to instruct the second process to read the data from the memory space indicated by the target address.
  6. The method according to claim 5, wherein after the sending a notification message to the second process, the method further includes:
    receiving a read data request from the second process, wherein the read data request includes the target address;
    determining, according to the access control table, that the second process has permission to access the memory space indicated by the target address, and allowing the second process to read the data from the memory space indicated by the target address.
  7. A secure access control apparatus, applied to a computer system, wherein the computer system includes a first enclave and a second enclave, and the apparatus includes:
    a communication management module, configured to receive a communication request from a first process, wherein the first process is a process running in the first enclave;
    a memory management module, configured to create a shared memory space according to the communication request, wherein the first process and a second process have permission to access the shared memory space, and the second process is a process running in the second enclave.
  8. The apparatus according to claim 7, wherein the communication request carries identifiers of multiple processes, and the multiple processes have permission to access the shared memory space, wherein the multiple processes include the first process and the second process.
  9. The apparatus according to claim 7 or 8, wherein the communication request includes the size of the shared memory space, and the shared memory space is a section of memory space in the memory of the computer system that meets the size requirement.
  10. The apparatus according to claim 9, wherein the apparatus further includes an access control module,
    the access control module being configured to configure an access control table, wherein the access control table is used to indicate that the first process and the second process have permission to access the shared memory space.
  11. The apparatus according to claim 10, wherein
    the communication management module is further configured to receive a write data request from the first process, wherein the write data request includes data to be written and a target address, and the shared memory space includes the memory space indicated by the target address;
    the access control module is configured to determine, according to the access control table, that the first process has permission to access the memory space indicated by the target address, and allow the data to be written into the memory space indicated by the target address;
    the communication management module is further configured to send a notification message to the second process, wherein the notification message includes the target address, and the communication message is used to instruct the second process to read the data from the memory space indicated by the target address.
  12. The apparatus according to claim 11, wherein
    the communication management module is further configured to receive a read data request from the second process, wherein the read data request includes the target address;
    the access control module is configured to determine, according to the access control table, that the second process has permission to access the memory space indicated by the target address, and allow the second process to read the data from the memory space indicated by the target address.
  13. A computing device, applied to a computer system, wherein the computer system includes a first enclave and a second enclave, and the device includes:
    a processor, configured to receive a communication request from a first process and create a shared memory space according to the communication request, wherein the first process is a process running in the first enclave, a second process is a process running in the second enclave, and the first process and the second process have permission to access the shared memory space; and to configure an access control table into an access controller;
    the access controller, configured to determine, according to the access control table, that the first process and the second process have permission to access the shared memory space, so that the first process and the second process communicate based on the shared memory space.
  14. The device according to claim 13, wherein the communication request carries identifiers of multiple processes, and the multiple processes have permission to access the shared memory space, wherein the multiple processes include the first process and the second process.
  15. The device according to claim 13 or 14, wherein the communication request includes the size of the shared memory space, and the shared memory space is a section of memory space in the memory of the computer system that meets the size requirement.
  16. The device according to claim 15, wherein
    the processor is further configured to receive a write data request from the first process, wherein the write data request includes data to be written and a target address, and the shared memory space includes the memory space indicated by the target address;
    the access controller is configured to determine, according to the access control table, that the first process has permission to access the memory space indicated by the target address, and allow the data to be written into the memory space indicated by the target address;
    the processor is further configured to send a notification message to the second process, wherein the notification message includes the target address, and the communication message is used to instruct the second process to read the data from the memory space indicated by the target address.
  17. The device according to claim 16, wherein
    the processor is further configured to receive a read data request from the second process, wherein the read data request includes the target address;
    the access controller is configured to determine, according to the access control table, that the second process has permission to access the memory space indicated by the target address, and allow the second process to read the data from the memory space indicated by the target address.
  18. A computer-readable storage medium storing computer instructions, wherein when the computer instructions are executed by a computing device, the computing device executes the method according to any one of claims 1-6.
PCT/CN2022/130846 2021-12-10 2022-11-09 Communication method in computer system, and related product WO2023103697A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111507637.6 2021-12-10
CN202111507637.6A CN116257368A (en) 2021-12-10 2021-12-10 Communication method in computer system and related product

Publications (1)

Publication Number Publication Date
WO2023103697A1 true WO2023103697A1 (en) 2023-06-15

Family

ID=86686735

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/130846 WO2023103697A1 (en) 2021-12-10 2022-11-09 Communication method in computer system, and related product

Country Status (2)

Country Link
CN (1) CN116257368A (en)
WO (1) WO2023103697A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117762658A (en) * 2024-01-03 2024-03-26 北京火山引擎科技有限公司 Inter-process data transmission method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107544918A (en) * 2017-08-17 2018-01-05 致象尔微电子科技(上海)有限公司 A kind of page sharing method
CN108733455A (en) * 2018-05-31 2018-11-02 上海交通大学 Vessel isolation based on ARM TrustZone enhances system
CN109361668A (en) * 2018-10-18 2019-02-19 国网浙江省电力有限公司 A kind of data trusted transmission method
US20190286577A1 (en) * 2018-03-13 2019-09-19 International Business Machines Corporation Shared memory inter-enclave communication
CN112817780A (en) * 2021-02-01 2021-05-18 上海交通大学 Method and system for realizing safety and high-performance interprocess communication

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107544918A (en) * 2017-08-17 2018-01-05 致象尔微电子科技(上海)有限公司 A kind of page sharing method
US20190286577A1 (en) * 2018-03-13 2019-09-19 International Business Machines Corporation Shared memory inter-enclave communication
CN108733455A (en) * 2018-05-31 2018-11-02 上海交通大学 Vessel isolation based on ARM TrustZone enhances system
CN109361668A (en) * 2018-10-18 2019-02-19 国网浙江省电力有限公司 A kind of data trusted transmission method
CN112817780A (en) * 2021-02-01 2021-05-18 上海交通大学 Method and system for realizing safety and high-performance interprocess communication

Also Published As

Publication number Publication date
CN116257368A (en) 2023-06-13

Similar Documents

Publication Publication Date Title
US20220091998A1 (en) Technologies for secure device configuration and management
CN110088742B (en) Logical repository service using encrypted configuration data
EP2385479B1 (en) Information flow tracking and protection
CN107111715B (en) Using a trusted execution environment for security of code and data
KR102255767B1 (en) Systems and methods for virtual machine auditing
CN108140094B (en) Techniques for secure trusted I/O access control
US8516272B2 (en) Secure dynamically reconfigurable logic
US8782351B2 (en) Protecting memory of a virtual guest
US20130097392A1 (en) Protecting memory of a virtual guest
TW201617957A (en) Management of authenticated variables
JP2016517241A (en) Inline encryption and decryption supported by storage devices
US11575672B2 (en) Secure accelerator device pairing for trusted accelerator-to-accelerator communication
US20190238560A1 (en) Systems and methods to provide secure storage
WO2023103697A1 (en) Communication method in computer system, and related product
TW200809573A (en) Prevention of executable code modification
JP6696352B2 (en) Programmable logic device, information processing device, processing method, and processing program
CN116881987A (en) Method and device for enabling PCIE equipment to pass through virtual machine and related equipment
US20230074455A1 (en) System and method for monitoring delivery of messages passed between processes from different operating systems
US9560028B1 (en) Systems and methods for filtering interprocess communications
US20220129593A1 (en) Limited introspection for trusted execution environments
US20220129542A1 (en) Deterministic trusted execution container through managed runtime language metadata
US10740454B2 (en) Technologies for USB controller state integrity protection with trusted I/O
EP4145318A1 (en) System and method for monitoring delivery of messages passed between processes from different operating systems
Gutstein Towards Efficient and Effective IOMMU-based Protection from DMA Attacks
US20240073013A1 (en) High performance secure io

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 22903120

Country of ref document: EP

Kind code of ref document: A1