CN111666579A - Computer device, access control method thereof, and computer-readable medium - Google Patents
Computer device, access control method thereof, and computer-readable medium Download PDFInfo
- Publication number
- CN111666579A CN111666579A CN202010558828.4A CN202010558828A CN111666579A CN 111666579 A CN111666579 A CN 111666579A CN 202010558828 A CN202010558828 A CN 202010558828A CN 111666579 A CN111666579 A CN 111666579A
- Authority
- CN
- China
- Prior art keywords
- access
- hardware
- resource
- virtual machine
- execution environment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 46
- 230000015654 memory Effects 0.000 claims abstract description 91
- 238000010586 diagram Methods 0.000 description 17
- 238000004891 communication Methods 0.000 description 7
- 238000012545 processing Methods 0.000 description 6
- 230000008569 process Effects 0.000 description 5
- 230000006870 function Effects 0.000 description 4
- 230000009471 action Effects 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 230000002093 peripheral effect Effects 0.000 description 3
- 230000003068 static effect Effects 0.000 description 3
- 238000002955 isolation Methods 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 230000003190 augmentative effect Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 230000006835 compression Effects 0.000 description 1
- 238000007906 compression Methods 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000009977 dual effect Effects 0.000 description 1
- 230000007613 environmental effect Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000000644 propagated effect Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/107—Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45583—Memory management, e.g. access or allocation
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to the field of computer systems, and discloses a method for controlling access of computer equipment, the computer equipment and a computer readable medium thereof. The access control method of the invention comprises the following steps: a hardware access controller of computer equipment acquires a direct memory access request initiated by a first execution environment of the computer equipment to a second resource of the computer equipment through the first hardware equipment of the computer equipment, wherein the first execution environment has an initial access right to the first resource on the first hardware equipment, and the second execution environment has an initial access right to the second resource; after the hardware access controller judges that the first execution environment does not have the access right to the second resource; the hardware access controller intercepts direct memory access of the first execution environment to the second resource through the first hardware device. The method can intercept the direct memory access request initiated by the execution environment to the resource of the computer equipment without the access authority, and can avoid the safety problem.
Description
Technical Field
The present invention relates to the field of computer systems, and more particularly, to a computer device, an access control method thereof, and a computer readable medium.
Background
Generally, a Central Processing Unit (CPU) controls access between hardware devices, and executes access among the CPU, a memory, and the hardware devices by running a program, thereby realizing data transfer between the hardware devices. The CPU is in communication connection with the hardware device through the bus, and allocates an address space to the resource of the hardware device based on the bus, wherein the address space is a physical address area of the hardware device on the bus, and the hardware device allocated with the physical address area can be accessed by the CPU or other hardware devices.
A hardware device that can gain control of the bus may be referred to herein as a master device, and a device that is accessed by the master device via physical address addressing, which is the issuing of an access request to a physical address, is referred to herein as a slave device. The master device may exchange data with the slave device addressed by the master device through the bus, for example, after the Execution Environment (EE) drives the master device to preempt the control right of the bus by means of DMA (Direct Memory Access), the master device accesses the slave device.
The execution environment here is an emulated computer device and has hardware executable units, volatile and non-volatile storage, which can run a hierarchy of independent software stacks. The most typical execution environment is a virtual machine, and in the case that a plurality of virtual machines access a hardware device simultaneously, if one of the virtual machines accessing the host device preempts the control right of the bus, the virtual machine can access other resources by means of physical address addressing, that is, one virtual machine can read/write resources that are not allocated to it, which is called virtual machine overflow.
For example, the system includes a first execution environment and a second execution environment, the first execution environment using a GPU. Here, the GPU accessed by the first execution environment is the master. If the first execution environment makes a DMA access to a memory region used by the second execution environment through the host GPU, the memory region being used by the second execution environment may be accessed.
Disclosure of Invention
The invention aims to provide a computer device, an access control method thereof and a computer readable medium, which can judge whether a physical address contained in direct memory access sent by an execution environment through a hardware device belongs to a physical address area with access authority of the execution environment, allow the execution environment to perform direct memory access on the physical address under the condition that the execution environment is judged to have the access authority, and avoid the safety problem.
A first aspect of the present invention provides a computer device, comprising first and second execution environments, a first hardware device, a first hardware access controller, and a bus; the first execution environment has initial access authority to a first resource on the first hardware device, and the second execution environment has initial access authority to a second resource; the first hardware access controller is respectively connected with the first hardware device and the bus, and the first hardware access controller can acquire a direct memory access request sent by the first execution environment to the second resource through the first hardware device, and intercept direct memory access of the first execution environment to the second resource through the first hardware device under the condition that the first execution environment is judged not to have access authority to the second resource.
That is, in this scheme, the first execution environment is assigned to access the first resource of the first hardware device, that is, the first execution environment has the right to access the physical address region corresponding to the first resource. The first hardware access controller is arranged between the first hardware equipment and the bus and can monitor data or instructions sent by the first hardware equipment through the bus. Under the condition that the first execution environment sends a direct memory access request to the second resource through the first hardware device, the first hardware access controller directly verifies the physical address, that is, after the first hardware access controller obtains the physical address in the direct memory access request sent by the first execution environment, the first hardware access controller judges whether the physical address belongs to a physical address area of which the first execution environment has access authority, and under the condition that the first execution environment is judged to have the access authority, the first execution environment is allowed to directly access the physical address. And under the condition that the first execution environment is judged not to have the access right, the direct memory access is prevented from passing through the first hardware access controller, namely the first hardware access controller intercepts the direct memory access.
In a possible implementation of the first aspect, the method further includes a second hardware device, and the second resource is located on the second hardware device.
That is, in this scheme, the second execution environment is assigned to access the second resource of the second hardware device, that is, the second execution environment has the right to access the physical address region corresponding to the second resource.
In a possible implementation of the first aspect, the system further includes a second hardware access controller, where the second hardware access controller is connected to the second hardware device and the bus, and is capable of acquiring a direct memory access request initiated by the second execution environment to the first resource through the second hardware device, and intercepting a direct memory access of the second execution environment to the first resource through the second hardware device when it is determined that the second execution environment does not have an access right to the first resource.
In other words, in this embodiment, the second hardware access controller is disposed between the second hardware device and the bus, and is capable of monitoring data or instructions sent by the second hardware device via the bus. In the case that the second execution environment sends the direct memory access request to the first resource through the second hardware device, the second hardware access controller directly verifies the physical address, that is, after the second hardware access controller obtains the physical address in the direct memory access request sent by the second execution environment, the second hardware access controller determines whether the physical address belongs to a physical address area where the second execution environment has an access right, and in the case that the second execution environment has the access right, the second execution environment is allowed to perform direct memory access on the physical address. And under the condition that the second execution environment is judged not to have the access right, the direct memory access is prevented from passing through the second hardware access controller, namely the second hardware access controller intercepts the direct memory access.
In a possible implementation of the first aspect, the apparatus further includes a memory, and the second resource is a resource stored in the memory.
In this embodiment, the second execution environment is not allocated to access the second hardware device after being started, that is, the second execution environment occupies a memory.
In one possible implementation of the first aspect, the first hardware access controller has a first access control table stored thereon, and the first access control table has a physical address of a resource to which the first execution environment has access rights stored thereon.
In a possible implementation of the first aspect, the first hardware access controller determines that the first execution environment has access right to the second resource when determining that the first access control table includes a physical address of the second resource; and,
and the first hardware access controller judges that the first execution environment does not have access authority to the second resource under the condition that the first access control table does not comprise the physical address of the second resource, and intercepts the direct memory access of the first execution environment to the second resource through the first hardware equipment.
In the scheme, after acquiring a physical address in a direct memory access request sent by a first execution environment, a first hardware access controller queries whether the physical address exists in a first access control table, and if so, allows the first execution environment to perform direct memory access on a second resource. If not, the first execution environment is prevented from performing direct memory access on the second resource, namely the first hardware access controller intercepts the direct memory access.
In a possible implementation of the first aspect described above, the first execution environment is a virtual machine.
In a possible implementation of the first aspect, the virtual machine monitor is further configured to set a first access control table for the first execution environment.
In one possible implementation of the first aspect described above, the first hardware access controller is a micro-control unit.
In a possible implementation of the first aspect, the first hardware device is a GPU, and the second hardware device is a VPU.
A second aspect of the present invention provides an access control method for a computer device, including:
a hardware access controller of computer equipment acquires a direct memory access request initiated by a first execution environment of the computer equipment to a second resource of the computer equipment through the first hardware equipment of the computer equipment, wherein the first execution environment has an initial access right to the first resource on the first hardware equipment, and the second execution environment has an initial access right to the second resource;
the hardware access controller judges that the first execution environment does not have access authority to the second resource;
the hardware access controller intercepts direct memory access of the first execution environment to the second resource through the first hardware device.
In one possible implementation of the above second aspect, the computer device further comprises a second hardware device, and the second resource is located on the second hardware device.
In a possible implementation of the second aspect, the computer device further includes a memory, and the second resource is a resource stored on the memory.
That is, in this scheme, the first execution environment is assigned to access the first resource of the first hardware device, that is, the first execution environment has the right to access the physical address region corresponding to the first resource. The second execution environment is assigned access to a second resource of the second hardware device, i.e. the second execution environment has access to a physical address region corresponding to the second resource. The first hardware access controller is arranged between the first hardware equipment and the bus and can monitor data or instructions sent by the first hardware equipment through the bus. Under the condition that the first execution environment does not have access authority to the second resource and the first execution environment sends direct memory access to the second resource, the first hardware access controller acquires a physical address in a direct memory access request sent by the first execution environment, judges whether the physical address belongs to a physical address area with the access authority of the first execution environment, and under the condition that the first execution environment does not have the access authority, prevents the direct memory access from passing through the first hardware access controller, namely the first hardware access controller intercepts the direct memory access.
In one possible implementation of the second aspect, the first hardware access controller is stored with a first access control table, and the first access control table is stored with a physical address of a resource to which the first execution environment has access rights, wherein the first access control table does not include the physical address of the second resource.
In one possible implementation of the second aspect described above, the first execution environment is a virtual machine.
In one possible implementation of the second aspect described above, the computer device further comprises a virtual machine monitor for setting the first access control table for the first execution environment.
In one possible implementation of the above second aspect, the first hardware access controller is a micro control unit.
In a possible implementation of the second aspect, the first hardware device is a GPU, and the second hardware device is a VPU.
A third aspect of the invention provides a machine-readable medium having stored thereon instructions which, when executed by a machine, cause the machine to perform a method as provided in the second aspect.
The scheme of the invention is different from the scheme of using a Memory Management Unit (MMU), the conversion between a virtual address and a physical address is not needed, namely the virtual address is not needed to be mapped into a corresponding physical address through the MMU, but the physical address, such as the physical address in a direct Memory access request sent to an execution environment, is directly verified.
Drawings
The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:
FIGS. 1a, 1b illustrate an architecture diagram in an access control system, according to some embodiments of the invention;
FIG. 2 illustrates a block diagram of a hardware access controller, according to some embodiments of the invention;
FIG. 3 illustrates a scenario diagram of access control, according to some embodiments of the invention;
FIG. 4 illustrates a flow diagram of a method of access control, according to some embodiments of the invention;
FIG. 5 illustrates a block diagram of a method for issuing hints information in an access control methodology, in accordance with some embodiments of the present invention;
FIG. 6 illustrates a scenario diagram of access control, according to some embodiments of the invention;
FIGS. 7a, 7b illustrate a scenario diagram of access control, according to some embodiments of the present invention;
FIG. 8 illustrates a scenario diagram of access control, according to some embodiments of the invention;
FIG. 9 illustrates a flow diagram for configuring an access control table in a hardware access controller, according to some embodiments of the invention;
FIG. 10 illustrates a block diagram of a system, according to some embodiments of the invention;
FIG. 11 illustrates a block diagram of a system on a chip (SoC), according to some embodiments of the invention.
FIG. 12 illustrates a block diagram of another system on a chip (SoC), according to some embodiments of the invention.
DETAILED DESCRIPTION OF EMBODIMENT (S) OF INVENTION
Illustrative embodiments of the invention include, but are not limited to, a method of access control for a computer device, and a computer-readable medium thereof.
It is to be appreciated that as used herein, the term module may refer to or include an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group) and/or memory that executes one or more software or firmware programs, a combinational logic circuit, and/or other suitable hardware components that provide the described functionality, or may be part of such hardware components.
In the embodiments of the present invention, the description will be given taking an example in which the execution environment is a virtual machine. It is to be understood that a virtual machine is one type of execution environment, and embodiments of the invention do not exclude other types of execution environments, such as: TrustZone (a method for access control of TrustZone, which divides software and hardware of a system into a secure area and a normal area, wherein the software or hardware in the normal area cannot access the software or hardware in the secure area), virtualizes a physical CPU into two virtual CPUs, wherein the two virtual CPUs respectively run in the secure area and the normal area in a time slice-based manner, occupy the physical CPUs in real time as required, and can be switched with each other. Here, the time slice is a period of time in which each virtual CPU can occupy the physical CPU, and each of the two virtual CPUs is configured with a respective operating system and executes a respective program.
Embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.
The invention configures a hardware access controller for a hardware device which is allocated to a virtual machine by a virtual machine monitor and can initiate DMA access, namely, the hardware device which obtains the control right of a bus through a virtual machine driver configures a hardware access controller. Meanwhile, the virtual machine monitor pre-configures an access control table for the virtual machine accessing the hardware device, where the access control table corresponds to a virtual machine identifier (e.g., hostld (virtual machine ID)) of the virtual machine, and the access control table records a physical address area accessible by the virtual machine, where the physical address area of the hardware device accessible by the virtual machine may be all or a part of the physical address area of the hardware device. When a virtual machine sends a DMA access request through hardware equipment, a hardware access controller monitors and acquires a virtual machine identifier and a physical address contained in the DMA access request, finds a corresponding access control table according to the virtual machine identifier, allows the virtual machine to access if the physical address is in a physical address area which can be accessed in the access control table corresponding to the virtual machine, and rejects the access request of the virtual machine if the physical address is not in the physical address area which can be accessed in the access control table corresponding to the virtual machine. It is understood that the access control table may record the physical address area by way of a white list or a black list. Under the condition of the white list, a physical address area contained in the access control table is an area which the virtual machine has authority to access; in the case of the blacklist, the physical address area contained in the access control table is an area that the virtual machine has no authority to access.
In an embodiment of the present invention, the number of hardware access controllers and the number of configured execution environments, i.e., the masters of the virtual machines, may be the same.
Compared with the traditional equipment based on virtual address isolation, the embodiment of the invention provides an access control method of computer equipment directly based on physical address isolation, which can be applied to the execution environment of physical address addressing. By the implementation method, the virtual machine can be detected and refused to access the resources of other virtual machines through the hardware equipment, and the safety problems of the resources, such as data tampering and data leakage, are avoided.
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the embodiment of the present invention, for example, the shared GPU is used as a master device and the memory is used as a slave device, and other hardware devices that can be used as a master device and a slave device also belong to the protection scope of the present invention.
In order to facilitate the understanding of the description of the embodiments of the present invention, some concepts related to the present invention will be described below.
And DMA access, wherein the execution environment sends out a DMA request for accessing the slave device through the accessing hardware device, namely the master device, and the execution environment realizes access operation with the slave device through a bus.
Specifically, the access control method of the computer device of the present invention is described below by taking the system 100 as an example, and the following description is given by taking the execution environment as a virtual machine as an example. According to an embodiment of the invention. Fig. 1a and 1b show a schematic structural diagram of an access control system 100. As shown in fig. 1a, the system 100 includes: virtual machine 200 (e.g., including virtual machines 200-1 through 200-3), hardware device 300 (e.g., including Graphics Processing Unit (GPU), Video Processing Unit (VPU), etc.), virtual machine monitor 400 for managing virtual machines, as shown in fig. 1b, system 100 further includes hardware access controller 500 (e.g., including hardware access controller 500-1, hardware access controller 500-2), and Central Processing Unit (CPU) 600, and bus 700.
With continued reference to fig. 1a, a Virtual Machine (VM) 200, which is an execution environment, may be a Virtual device disposed in the system. The virtual machine may be a complete computer system with complete hardware system functionality that can be emulated by software and run on the operating system of system 100. The virtual machine 200 may be installed with an Operating System (OS) and other application programs.
In embodiments of the present invention, Hardware device (Hardware, abbreviated HW)300 may be any computer Hardware device. In addition, for the hardware device 300 to which at least one virtual machine is assigned, when the hardware device 300 accesses another hardware device by the DMA method, the hardware device 300 is referred to as a master device.
It is to be understood that although only 2 hardware devices and 3 virtual machines are shown in fig. 1a and 1b, the number and types of hardware devices and virtual machines are merely exemplary, and not limiting, the system 100 may include any type and number of virtual machines and hardware devices.
A Virtual Machine Monitor (VMM) 400 is used to create and manage Virtual machines. In an embodiment of the present invention, virtual machine monitor 400 may allocate at least one virtual machine 200 to hardware device 300, that is, virtual machine monitor 400 allocates some or all of the resources of hardware device 300 to at least one virtual machine 200 for use. The virtual machine monitor may also be referred to as Hypervisor.
The hardware access controller 500 is disposed between the hardware device 300 and the bus 700, and is configured to monitor data or instructions sent by the hardware device 300 through the bus 700, and when detecting that a DMA access request is sent by a virtual machine through the accessing hardware device 300, the hardware access controller 500 verifies whether the virtual machine sending the DMA access request has an access right, and allows the access request with the access right to access a corresponding physical address through the hardware access controller 500. In the present invention, the hardware access controller 500 is configured for a hardware device, i.e., a master device, which is configured with a virtual machine and can initiate DMA access and obtain control of a bus. For example, where the System 100 is a System On Chip (SOC), the hardware access controller 500 may be an integral part of the System on Chip.
CPU600 for running virtual machine monitor 400 and virtual machine 200 in system 100.
Fig. 2 shows a schematic diagram of a hardware access controller 500. As shown in fig. 2, the hardware access controller 500 includes: an access control table module 501, a register module 502, and an access control module 503.
The access control table module 501 is configured to store an access control table corresponding to a virtual machine identifier (e.g., hostId of a virtual machine) of the virtual machine, where an access control entry including a physical address area is recorded in the access control table. In an embodiment of the present invention, the access control table module 501 may be other storage areas in the hardware access controller 900, such as a static random access memory.
The register module 502 is configured to receive an instruction from the vm monitor 400, where the instruction is used to configure an access control table in the access control table module 501, for example, the vm monitor 400 sends an add-on instruction to the register module 502, and adds an access control table corresponding to a vm identifier of a vm in the access control table module 501. It is understood that the register module 502 may also be used to obtain the status of the hardware access controller 500. For example, in the case where an error occurs when an access control table is newly added to the access control table module 501, the register module 502 may read the error information and return the error information to the virtual machine monitor 400. Here, virtual machine monitor 400 may send instructions to register module 502 via CPU600 based on the APB bus.
An access control module 503, where the access control module 503 is configured to monitor that a virtual machine sends a DMA access request through a hardware device, obtain a hostId and a physical address contained in the DMA access request, find a corresponding access control table according to the hostId, allow the virtual machine to access if the physical address is in a physical address area that can be accessed in the access control table corresponding to the virtual machine, and otherwise, reject the access request of the virtual machine.
The following describes an access control scheme according to the present invention with reference to specific scenarios. FIG. 3 illustrates a scenario in which a DMA access request issued by one virtual machine to a resource to which another virtual machine belongs is intercepted by a hardware access controller. Specifically, in the scenario shown in fig. 3, after virtual machine monitor 400 allocates virtual machine 200-1 and virtual machine 200-2 to access resource 1 of GPU300-1 and resource 2 of VPU300-2, respectively, virtual machine 200-1 and virtual machine 200-2 are configured with respective access control tables, where neither virtual machine 200-1 nor virtual machine 200-2 has the right to access the resource to which the other party belongs. That is, virtual machine 200-1 does not have access to resource 2 to which virtual machine 200-2 belongs, and virtual machine 200-2 does not have access to resource 1 of virtual machine 200-1.
As shown in fig. 3, the specific process of the virtual machine 200-1 performing DMA access to the resource 2 to which the virtual machine 200-2 belongs is as follows:
1) after virtual machine monitor 400 allocates virtual machines 200-1 and 200-2 to access GPU300-1 and VPU300-2, respectively, virtual machine monitor 400 obtains virtual machine identifications of virtual machines 200-1 and 200-2. Here, the GPUs 300-1 and 300-2 are connected to a bus 700, respectively, and a hardware access controller 500-1 and a hardware access controller 500-2 are provided between the GPUs 300-1 and 300-2 and the bus 700.
Here, each of the virtual machines 200-1 and 200-2 has a virtual machine identifier, which may be a hostld (host ID) of the virtual machine, and the hostld is a unique identifier of one virtual machine and may be represented by a binary value, and in an embodiment of the present invention, the hostld may be represented by a binary value of sixteen bits, for example: the hostId for virtual machine 200-1 may be 0000000000000001.
2) The virtual machine monitor 400 configures an access control table for the virtual machine 200-1 in the hardware access controller 500-1, configures an access control table for the virtual machine 200-2 in the hardware access controller 500-2, and records physical address areas to which the virtual machine 200-1 and the virtual machine 200-2 have authority to access in the access control tables of the virtual machine 200-1 and the virtual machine 200-2, respectively. Hardware access controller 500-1 and hardware access controller 500-2 may check whether the physical addresses contained in the DMA access requests issued by virtual machine 200-1 and virtual machine 200-2 are contained in the access control tables of virtual machine 200-1 and virtual machine 200-2 based on the physical address areas in the access control tables, and if so, allow the DMA access requests, otherwise deny the DMA access requests.
In the embodiment of the present invention, the access control table uses the virtual machine identifier (hostId) as an index, so that the access control table corresponds to the virtual machine identifier (hostId) of the virtual machine one to one, that is, one access control table is maintained for each virtual machine that can access the hardware device. The virtual machine 200-1 recorded in the access control entry of the access control table has a physical address area to which access is granted or not granted. For example, for the sake of illustration, table 1 shows an access control table of the virtual machine 200-1, in which the physical address area to which the virtual machine 200-1 has authority to access is stored. The access control table may include a plurality of access control entries, each access control entry including: physical address, length, etc. The physical address here is the physical address of the hardware device on the bus 700; the length refers to the range on the bus 700 of the system 100 from the physical address. The access control table shown in table 1 includes: physical address 0x00001000, length 0x1000, represents the physical address area (0x00001000 ~ 0x00001FFF), that is, the physical address area that virtual machine monitor 400 assigns to virtual machine 200-1 to have access right is (0x00001000 ~ 0x00001FFF) on bus 700 of system 100. It is to be understood that the contents and form of the actual access control table may be different from those shown in the following table, for illustrative purposes only.
Physical address | Length of |
0x00001000 | 0x1000 |
Table 1(hostId:0000000000000001)
The Access control table may be stored in the hardware Access controller 500-1, for example, the Access control table may be stored in the Access control table module 501 of the hardware Access controller 500-1, and further, for example, the Access control table may also be stored in a storage area of the hardware Access controller 500-1, such as a Static Random-Access Memory (SRAM) of the hardware Access controller 500-1.
In some embodiments of the present invention, multiple access control entries may be included in one access control table, for example, for ease of illustration, table 2 shows the contents and form of another access control table, including: physical address 0x00001000, length 0x1000, representing a physical address area (0x00001000 ~ 0x00001FFF), and physical address 0x00004000, length 0x2000, representing a physical address area (0x00004000 ~ 0x00005FFF), that is, the physical address areas on the bus 700 allocated to the virtual machine 200-1 to be accessible are (0x00001000 ~ 0x00001FFF) and (0x00004000 ~ 0x00005 FFF). It is to be understood that the contents and form of the actual access control table may be different from those shown in the following table, for illustrative purposes only.
Physical address | Length of |
0x00001000 | 0x1000 |
0x00004000 | 0x2000 |
Table 2(hostId:0000000000000001)
After the virtual machine monitor 400 has allocated a virtual machine and has configured an access control table, a scenario will be described in which a DMA access request issued by one virtual machine 200-1 to which a hardware device is allocated to a resource 2 to which another virtual machine 200-2 belongs is intercepted by the hardware access controller 500-1.
First, virtual machine monitor 400 allocates virtual machines 200-1 and 200-2 to access GPU300-1 and VPU300-2, respectively, and virtual machine 200-1 and virtual machine 200-2 to access resource 1 and resource 2 of GPU300-1 and VPU300-2, respectively, where resource 1 and resource 2 are data or instructions stored in the physical address areas to which GPU300-1 and VPU300-2 belong, respectively.
For example, the physical address area of resource 1 allocated to virtual machine 200-1 is (0x00002000 ~ 0x00002 FFF); the physical address area of resource 2 allocated to virtual machine 200-2 by virtual machine monitor 400 is (0x00005000 ~ 0x00005 FFF). Resource 1 here may be part of the physical address area of GPU 300-1. For illustrative purposes, Table 3 shows that resource 1 and resource 2 allocated by VM monitor 400 to VMs 200-1 through 200-2 have physical address areas on bus 700 of system 100 of (0x 00001000-0 x00002FFF) and (0x 00005000-0 x00005FFF), respectively. Here resource 1 and resource 2 may comprise data or instructions stored in physical address areas. It is to be understood that the contents and forms of the physical address regions of the actual resources 1 and 2 may be different from those shown in the following table, for illustrative purposes only.
Physical address area | |
Resource 1 | 0x00001000~0x00002FFF |
Resource 2 | 0x00005000~0x00005FFF |
TABLE 3
Secondly, when the virtual machine 200-1 sends a DMA access request to the resource 2 to which the virtual machine 200-2 belongs through the GPU300-1 which is accessing, whether the virtual machine 200-1 has the authority to access the resource 2 to which the virtual machine 200-2 belongs can be verified through the hardware access controller 500-1, and under the condition that the virtual machine 200-1 does not have the access authority, the hardware access controller 500-1 intercepts the DMA access request sent by the virtual machine 200-1.
Specifically, as shown in fig. 4, the method includes:
s41, virtual machine 200-1 sends a DMA access request to resource 2 to which virtual machine 200-2 belongs through GPU300-1 being accessed.
In the embodiment of the present invention, virtual machine 200-1 sends a DMA access request to resource 2 to which virtual machine 200-2 belongs by way of DMA access through GPU300-1, that is, virtual machine 200-1 accesses data or instructions stored in a physical address area of resource 2. The access request includes the hostId of the requesting virtual machine 200-1 and the physical address of the resource 2 requesting access, for example: 0x 00005001. Specifically, the virtual machine 200-1 sending the DMA access request to the resource 2 to which the virtual machine 200-2 belongs means that the virtual machine 200-1 can drive the GPU300-1 to preempt the control right of the bus 700, and then directly acquire the resource 2 to which the virtual machine 200-2 belongs in a DMA access manner.
S42 the hardware access controller 500-1 snoops and gets the DMA access request.
In an embodiment of the present invention, a hardware access controller 500-1 is provided between the GPU300-1 and the bus 700, which listens for data or instructions from the GPU300-1 via the bus 700. When the hardware access controller 500-1 detects the DMA access request, the hardware access controller 500-1 may obtain the hostId of the virtual machine 200-1 from the DMA access request, for example, the hostId may be 0000000000000001, and then the hardware access controller 500-1 queries the access control table corresponding to the hostId of the virtual machine 200-1 stored by the hardware access controller. After the access control table corresponding to the virtual machine 200-1 is acquired, the hardware access controller 500-1 acquires the address information of the physical address included in the access request.
S43, the hardware access controller 500-1 judges whether the virtual machine 200-1 has the access right according to the hostId and the physical address in the DMA access request.
In an embodiment of the present invention, hardware access controller 500-1 queries the access control table corresponding to the hostId of virtual machine 200-1 for an access control entry containing the physical address in the DMA access request. For example, when the physical address in the DMA access request is 0x00005001, the access control table corresponding to the hostId of the virtual machine 200-1 is searched for whether or not there is an access control entry including the physical address. For convenience of illustration, table 4 shows an access control table of the virtual machine 200-1, where the physical address area in the access control table including the virtual machine 200-1 authorized to access is 0x00001000 to 0x00001FFF, and the physical address 0x00005001 included in the DMA access request is not in the range. Thus, hardware access controller 500-1 may determine that virtual machine 200-1 does not have DMA access through GPU300-1 to access resource 2 to which virtual machine 200-2 belongs and deny the access request of virtual machine 200-1.
Physical address | Length of |
0x00001000 | 0x1000 |
TABLE 4
It is understood that the method for the virtual machine 200-2 to issue a DMA access request to the resource 1 to which the virtual machine 200-1 belongs, and the method for the hardware access controller 500-2 to monitor the DMA access request and determine whether the virtual machine 200-2 has an access right is similar to the method shown in fig. 4, and is not described herein again.
For the access request rejected by virtual machine 200-1, hardware access controller 500-1 may return to virtual machine 200-1 that virtual machine 200-1 does not have access right by way of a hint message, where the contents of the hint message may include the virtual machine identifier of virtual machine 200-1, such as hostId, and the operation performed by virtual machine 200-1, such as sending a DMA access request. As shown in fig. 5, the hardware access controller 500 may record the content of the hint information in the log of the running of the virtual machine 200-1. The operation status information recorded in the operation log may include, for example: the startup/shutdown times of virtual machines 200-1 and 200-2, the hardware devices accessed by virtual machines 200-1 and 200-2, etc., obtain hints by querying the contents of the execution log in some embodiments, hardware access controller 500-1 may also send the contents of the hints to virtual machine monitor 400.
FIG. 6 illustrates a scenario in which one virtual machine 200-1 to which a hardware device is assigned has the right to issue a DMA access request to a resource 3 to which another virtual machine 200-3 belongs. Between the GPUs 300-1 and 300-3 and the bus 700, there are provided a hardware access controller 500-1 and a hardware access controller 500-3.
First, the procedure of configuring the access control table for the virtual machine 200-1 and the virtual machine 200-2 by the virtual machine monitor 400 is the same as that described in fig. 3, and for convenience of explanation, table 5 shows a part of the contents in the access control table of the virtual machine 200-1. It is to be understood that the contents and form of the actual access control table may be different from those shown in the following table, for illustrative purposes only.
Physical address | Length of |
0x00001000 | 0x5000 |
Table 5(hostId: 0000000000000001)
Next, virtual machine monitor 400 allocates virtual machines 200-1 and 200-3 to access GPU300-1 and VPU300-3, respectively, and virtual machine 200-1 and virtual machine 200-3 to access resource 1 and resource 3 of GPU300-1 and VPU300-3, respectively, and for ease of illustration, Table 6 shows the physical address areas of resource 1 and resource 3. It is to be understood that the contents and forms of the physical address areas of the actual resources 1 and 3 may be different from those shown in the following table, for illustrative purposes only.
Physical address area | |
Resource 1 | 0x00002000~0x00002FFF |
Resource 3 | 0x00004000~0x00004FFF |
TABLE 6
Finally, when the virtual machine 200-1 issues a DMA access request to the resource 3 to which another virtual machine 200-3 belongs via the GPU300-1 being accessed, the hardware access controller 500-1 connected to the GPU300-1 verifies whether or not the virtual machine 200-1 has the right to access the resource 3 to which the virtual machine 200-3 belongs, in which the verification step is the same as that described in fig. 3, and in the case where the physical address in the DMA access request issued by the virtual machine 200-1 is 0x00004001, the access control entry in the access control table corresponding to the hostld of the virtual machine 200-1 contains the physical address. Thus, virtual machine 200-1 may access resource 3 to which virtual machine 200-3 belongs by way of DMA access through GPU 300-1.
FIGS. 7a-7b illustrate scenarios in which a DMA access request issued by one of two virtual machines 200-1 and 200-4 assigned the same hardware device to a resource to which the other virtual machine belongs is intercepted by a hardware access controller.
Virtual machine monitor 400 allocates virtual machine 200-1 and virtual machine 200-4 to access GPU300-1 simultaneously, and GPU300-1 is connected to hardware access controller 500-1. For convenience of illustration, Table 7 shows that the physical address area of resource 1 allocated to virtual machine 200-1 by virtual machine monitor 400 is (0x 00002000-0 x00002FFF), and the physical address area of resource 4 allocated to virtual machine 200-2 by virtual machine monitor 400 is (0x 00006000-0 x00006 FFF). It is to be understood that the contents and forms of the physical address areas of the actual resources 1 and 4 may be different from those shown in the following table, for illustrative purposes only. Here, resource 1 and resource 4 are data or instructions, respectively, stored in the physical address area to which GPU300-1 belongs. The hostIds for virtual machine 200-1 and virtual machine 200-4 are 0000000000000001 and 0000000000000010, respectively.
TABLE 7
Virtual machine monitor 400 configures the access control tables for virtual machine 200-1 and virtual machine 200-4 at hardware access controller 500-1, and for ease of illustration, tables 8 and 9 show the access control tables for virtual machine 200-1 and virtual machine 200-4. It is to be understood that the contents and form of the actual access control table may be different from those shown in the following table, for illustrative purposes only.
Physical address | Length of |
0x00002000 | 0x1000 |
Table 8(hostId: 0000000000000001)
Physical address | Length of |
0x00006000 | 0x1000 |
Table 9(hostId: 0000000000000010)
As shown in fig. 7a, virtual machine 200-1 sends an access request to resource 4 to which virtual machine 200-4 belongs in a DMA access manner through GPU300-1, where the access request includes the hostId of requesting virtual machine 200-1 and the physical address of resource 4 requesting access, for example: 0x 00006001. The hardware access controller 500-1 searches whether or not there is an access control entry containing the physical address based on the access control table corresponding to the hostId of the virtual machine 200-1. As shown in Table 8, the physical address area of the access control table where the virtual machine 200-1 is authorized to access is 0x 00002000-0 x00002FFF, and the physical address 0x00006001 included in the access request is not within this range. Thus, hardware access controller 500-1 may determine that virtual machine 200-1 does not have DMA access through GPU300-1 to access resource 4 to which virtual machine 200-4 belongs and deny the access request of virtual machine 200-1.
As shown in fig. 7b, virtual machine 200-4 sends an access request to resource 1 to which virtual machine 200-1 belongs in a DMA access manner through GPU300-1, where the access request includes the hostId of the requesting virtual machine 200-4 and the physical address of the resource 1 requesting access, for example: 0x 00002001. Here, the hardware access controller 500-1 looks up whether there is an access control entry containing the above physical address in the access control table corresponding to the hostId of the virtual machine 200-4 in a similar manner to that in fig. 7 a. As shown in Table 9, the physical address range of the access control table where the virtual machine 200-1 is authorized to access is 0x00006000 to 0x00006FFF, and the physical address 0x00002001 included in the access request is not in this range. Thus, hardware access controller 500-1 may determine that virtual machine 200-1 does not have DMA access through GPU300-1 to access resource 4 to which virtual machine 200-4 belongs and deny the access request of virtual machine 200-1.
FIG. 8 shows a scenario where a DMA access request issued by one virtual machine 200-1 to a resource to which another virtual machine 200-5 belongs is intercepted by a hardware access controller, where the virtual machine monitor 400 allocates the virtual machine 200-1 to access the GPU300-1, allocates the virtual machine 200-5 to access the hard disk 300-5, and a hardware access controller 500-1 is provided between the GPU300-1 and VPU300-2 and the bus 700. The hard disk 300-5 is not a hardware device capable of obtaining control of the bus, the virtual machine 200-5 cannot issue a DMA access request by driving the hard disk 300-5, and no hardware access controller is provided between the hard disk 300-5 and the bus 700.
First, the hypervisor 400 configures an access control table for the virtual machine 200-1, wherein the configuration process is the same as that described in fig. 3, and is not described herein again. For ease of illustration, table 10 shows an access control table for virtual machine 200-1. It is to be understood that the contents and form of the actual access control table may be different from those shown in the following table, for illustrative purposes only.
Physical address | Length of |
0x00003000 | 0x1000 |
Table 10(hostId: 0000000000000001)
Second, virtual machine monitor 400 allocates virtual machines 200-1 and 200-5 to access GPU300-1 and hard disk 300-5, respectively, and virtual machine 200-1 and virtual machine 200-5 to access resource 1 and resource 5 of GPU300-1 and hard disk 300-5, respectively. For ease of illustration, Table 11 shows the physical address regions of resource 1 and resource 5. It is to be understood that the contents and forms of the physical address areas of the actual resources 1 and 5 may be different from those shown in the following table, for illustrative purposes only.
Physical address area | |
Resource 1 | 0x00003000~0x00003FFF |
Resource 5 | 0x00007000~0x00007FFF |
TABLE 11
Finally, when the virtual machine 200-1 issues a DMA access request to the resource 5 to which another virtual machine 200-3 belongs via the GPU300-1 being accessed, the hardware access controller 500-1 verifies whether the virtual machine 200-1 has the right to access the resource 5 to which the virtual machine 200-3 belongs, where the verification step is the same as that described in fig. 3, and in the case where the physical address in the DMA access request issued by the virtual machine 200-1 is 0x00007001, the access control entry in the access control table corresponding to the hostId of the virtual machine 200-1 does not contain the physical address. Thus, hardware access controller 500-1 denies virtual machine 200-1 DMA access through GPU300-1 to resource 5 to which virtual machine 200-3 belongs.
In some embodiments, after virtual machine monitor 400 allocates virtual machine 200-1 access to GPU300-1, virtual machine 200-1 is also configured with an access control table in hardware access controller 500. Virtual machine monitor 400 does not assign virtual machine 200-6 access to a hardware device, and thus occupies a physical address region of the memory of system 100 after virtual machine 200-6 is started and running on system 100. When the hardware access controller 500 detects that the virtual machine 200-1 sends a DMA access request to the physical address area of the memory occupied by the virtual machine 200-6 through the GPU300-1, the hardware access controller 500 may determine whether the virtual machine 200-1 has an access right according to the hostld and the physical address of the virtual machine 200-1 in the DMA access request in the same manner as described in fig. 3, deny the virtual machine 200-1 from accessing the physical address area of the memory occupied by the virtual machine 200-6 in a case where the virtual machine 200-1 has no access right, and allow the virtual machine 200-1 to access the physical address area of the memory occupied by the virtual machine 200-6 in a case where the virtual machine 200-1 has access right.
In other embodiments, after virtual machine monitor 400 allocates virtual machine 200-1 access to GPU300-1 and configures the access control table for virtual machine 200-1 in hardware access controller 500, virtual machine 200-1 may also issue a DMA access request through GPU300-1 to a physical address region of virtual machine monitor 400 on bus 700 of system 100. Virtual machine monitor 400 is used to create and manage virtual machine 200-1, virtual machine monitor 400 has a higher privilege than virtual machine 200-1, and in order to avoid virtual machine 200-1 issuing DMA accesses to the physical address region to which virtual machine monitor 400 belongs, the physical address region to which virtual machine monitor 400 belongs may be stored in a memory region of system 100 after virtual machine monitor 400 is started. At this time, hardware access controller 500 may determine whether or not virtual machine 200-1 attempts to access the physical address region to which virtual machine monitor 400 belongs, based on the hostId and the physical address of virtual machine 200-1 in the DMA access request, in the same manner as described in FIG. 3, and in the case where it is confirmed that virtual machine 200-1 issues the DMA access request to the physical address region to which virtual machine monitor 400 belongs, access to virtual machine 200-1 is denied by hardware access controller 500.
The flow of virtual machine monitor 400 configuring access control tables for virtual machines 200-1 and 200-2, both at startup and at run time, is described below.
In one embodiment of the present invention, as shown in FIG. 9, before virtual machines 200-1 and 200-2 are started, virtual machine monitor 400 allocates hardware devices 300-1 and 300-2 to which virtual machines 200-1 and 200-2 respectively access, and adds the physical address area to which virtual machines 200-1 to 200-2 have authority to access to the access control table.
S91 virtual machine monitor 400 reads the record in the access control configuration information.
In some embodiments, the configuration information may be in the form of a configuration file, the virtual machine monitor 400 may add, by reading the configuration file, the physical address area that the virtual machines 200-1 to 200-2 have access to before the virtual machines 200-1 to 200-2 are started, to the access control table, where the configuration file may be stored in a memory included in the system 100, and after the virtual machine monitor 400 loads the configuration file from the memory, read each record in the configuration file and obtain a corresponding value in the record, where, for convenience of description, table 12 shows the content and form of one configuration file. It is to be understood that the contents and form of the actual configuration file may be different from those shown in the following table, for illustrative purposes only.
TABLE 12
S92, the virtual machine monitor 400 modifies the access control table according to the record in the access control configuration information.
After virtual machine monitor 400 reads three records in the configuration file, wherein two access control tables are created based on the hostId of virtual machines 200-1 to 200-2 and indexed by the hostId, virtual machine monitor 400 adds the three records as access control items to the access control tables corresponding to virtual machines 200-1 to 200-2. For convenience of explanation, tables 13 and 14 show access control tables corresponding to the virtual machines 200-1 to 200-2. It is to be understood that the contents and form of the actual access control table may be different from those shown in the following table, for illustrative purposes only.
Physical address | Length of |
0x00002000 | 0x1000 |
0x00003000 | 0x2000 |
Table 13 (index 0000000000000001)
Physical address | Length of |
0x00005000 | 0x1000 |
Table 14 (index 0000000000000010)
The configuration file may be configured in the system 100 by a user managing the virtual machine monitor 400 before the virtual machines 200-1 to 200-2 are started, or may be acquired by the system 100 after the virtual machines 200-1 to 200-2 are downloaded from a cloud. Wherein the hostIds contained in all records in the configuration file may correspond one-to-one to the hostIds of the virtual machines provided on the system 100. The hypervisor 400 may modify the access control table and the access control entries contained therein in different ways, such as add, update, and delete. For example, the virtual machine monitor 400 updates a different record to an access control table by comparing an access control entry contained in an existing access control table with a record contained in a configuration file when the record contained in the configuration file is different from the access control entry contained in the access control table. As another example, when hypervisor 400 deletes virtual machine 200-1, the access control table corresponding to virtual machine 200-1 may be deleted at the same time.
Here, the virtual machine monitor 400 may maintain the access control table by means of a device tree (device tree) or configuration information such as hard coding, in addition to the access control table by means of a configuration file. The hard-coded method is to directly write data corresponding to the access control table in which the virtual machine is set in the program code of the virtual machine monitor 400, and to set the access control table of the virtual machine by executing the program code when the virtual machine monitor 400 is started. The device tree method is a method in which the access control table of each virtual machine is stored as a node in a device tree having a tree structure, the device tree stores the information of the access control table of the virtual machine included in the device tree in the memory included in the system 100, and the virtual machine monitor 400 loads the information of the access control table of the virtual machine included in the device tree when the virtual machine monitor 400 is started.
In another embodiment of the present invention, after virtual machine 200-1 is started, that is, in the running state of virtual machine 200-1, virtual machine 200-1 sends a registration request for DMA access to virtual machine monitor 400, where the registration request includes the virtual machine identifier of virtual machine 200-1 that sent the registration request and the physical address area that virtual machine 200-1 requested access, virtual machine monitor 400 queries whether there is an access control table corresponding to virtual machine 200-1, that is, virtual machine monitor 400 can perform permission determination on the request, if so, virtual machine monitor 400 newly creates an access control table corresponding to virtual machine 200-1, and adds an access control item including the physical address area to the access control table corresponding to virtual machine 200-1.
Furthermore, it is to be appreciated that while the above-described embodiments illustrate aspects of access control for a computer device of the present invention in terms of system 100, aspects of the present invention are applicable to a variety of terminal devices, including but not limited to, cell phones, tablets, laptops, car navigators, desktop computers, wearable devices, head-mounted displays, mobile email devices, portable games, portable music players, reader devices, personal digital assistants, virtual reality or augmented reality devices, various servers having one or more processors embedded or coupled therein, desktop computers, supercomputers, and other electronic devices.
Referring now to FIG. 10, shown is a block diagram of a system 1000 in accordance with one embodiment of the present invention. Fig. 10 schematically illustrates an example system 1000 in accordance with various embodiments. In one embodiment, the system 1000 may include one or more processors 1004, system control logic 1008 coupled to at least one of the processors 1004, system memory 1012 coupled to the system control logic 1008, non-volatile memory (NVM)1016 coupled to the system control logic 1008, and a network interface 1020 coupled to the system control logic 1008.
In some embodiments, processor 1004 may include one or more single-core or multi-core processors. In some embodiments, the processor 1004 may include any combination of general-purpose processors and special-purpose processors (e.g., graphics processors, application processors, baseband processors, etc.). The processor 1004 may be configured to perform various consistent embodiments, such as one or more of the various embodiments shown in fig. 1-9.
In an embodiment of the invention, the processor 1004 may be configured to verify whether the access request sent by the virtual machine to the hardware device is a DMA access request.
In some embodiments, system control logic 1008 may include any suitable interface controllers to provide any suitable interface to at least one of processors 1004 and/or any suitable device or component in communication with system control logic 1008.
In some embodiments, system control logic 1008 may include one or more memory controllers to provide an interface to system memory 1012. System memory 1012 may be used to load and store data and/or instructions. Memory 1012 of system 1000 may include any suitable volatile memory, such as suitable Dynamic Random Access Memory (DRAM), in some embodiments.
NVM/memory 1016 may include one or more tangible, non-transitory computer-readable media for storing data and/or instructions. In some embodiments, the NVM/memory 1016 may include any suitable non-volatile memory such as flash memory and/or any suitable non-volatile storage device, such as at least one of a HDD (Hard Disk Drive), CD (Compact Disc) Drive, DVD (Digital Versatile Disc) Drive.
The NVM/memory 1016 may comprise a portion of a storage resource on the device on which the system 1000 is installed, or it may be accessible by, but not necessarily a part of, a device. For example, the NVM/storage 1016 may be accessed over a network via the network interface 1020.
In particular, system memory 1011 and NVM/storage 1016 may include: a temporary copy and a permanent copy of instructions 1024. The instructions 1024 may include: instructions that when executed by at least one of the processors 1004 cause the system 1000 to perform the functions as shown in fig. 1-9. In some embodiments, the instructions 1024, hardware, firmware, and/or software components thereof may additionally/alternatively be disposed in the system control logic 1008, the network interface 1020, and/or the processor 1004.
The network interface 1020 may further include any suitable hardware and/or firmware to provide a multiple-input multiple-output radio interface. For example, network interface 1020 may be a network adapter, a wireless network adapter, a telephone modem, and/or a wireless modem.
In one embodiment, at least one of the processors 1004 may be packaged together with logic for one or more controllers of system control logic 1008 to form a System In Package (SiP). In one embodiment, at least one of the processors 1004 may be integrated on the same die with logic for one or more controllers of system control logic 1008 to form a system on a chip (SoC).
The system 1000 may further comprise: input/output (I/O) devices 1032. I/O devices 1032 may include a user interface to enable a user to interact with system 1000; the design of the peripheral component interface enables peripheral components to also interact with the system 1000. In some embodiments, the system 1000 further comprises a sensor for determining at least one of environmental conditions and location information associated with the system 1000.
Fig. 11 is a block diagram of an SoC (System on Chip) 1100 suitable for ARM products according to an embodiment of the present invention. In fig. 11, like parts have the same reference numerals. In fig. 11, the SoC1100 includes: an AHB bus unit 1102 for connection between units (e.g., processor 1101, DMA, etc.) in the SoC1100, coupled to the application processor 1101, for controlling access to hardware devices connected to the SoC 1100; a read only memory unit 1103 for storing fixed and unchangeable contents; a default slave 1104; a random memory unit 1105 for storing contents that can be randomly accessed; a general I/O port unit 1106, configured to implement connection and data exchange between the processor 1001 and a hardware device and a memory; and an AHB2APB bus unit 1107 connected to the AHB bus unit 1102, configured to connect hardware devices with low bandwidth, where the hardware access controller 500 of the present invention may be disposed between the AHB2APB bus unit 1107 and the hardware device 300, and configured to detect a direct memory access initiated by the execution environment 200 through the hardware device 300, and intercept the direct memory access initiated by the execution environment 300 through the hardware device 300 when it is determined that the execution environment 300 does not have an access right. AHB2APB bus unit 1107 is coupled with single timing unit 1108, dual timing unit 1109, which are used to clock SoC 1100; an alarm timing unit 1110 for resetting the SoC1100 when a software failure occurs in the SoC1100, and a UART unit 1111(Universal Asynchronous Receiver/Transmitter) for converting data transmitted between units and hardware devices in the SoC1100 between serial communication and parallel communication.
Fig. 12 shows a block diagram of a general SoC (System on Chip) 1200, according to an embodiment of the invention. In fig. 12, like parts have the same reference numerals. In addition, the dashed box is an optional feature of more advanced socs. In fig. 12, the SoC 1200 includes: an interconnect unit 1250 coupled to the application processor 1215; a system agent unit 1270; a bus controller unit 1280; an integrated memory controller unit 1240; a set or one or more coprocessors 1220 which may include integrated graphics logic, an image processor, an audio processor, and a video processor; a Static Random Access Memory (SRAM) unit 1230; a Direct Memory Access (DMA) unit 1260. In one embodiment, coprocessor 1220 comprises a special-purpose processor, such as a network or communication processor, compression engine, GPU, a high-throughput MIC processor, embedded processor, or the like.
Embodiments of the disclosed mechanisms may be implemented in hardware, software, firmware, or a combination of these implementations. Embodiments of the invention may be implemented as computer programs or program code executing on programmable systems comprising at least one processor, a storage system (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device.
Program code may be applied to input instructions to perform the functions described in this disclosure and to generate output information. The output information may be applied to one or more output devices in a known manner. For purposes of the present invention, a processing system includes any system having a processor such as, for example, a Digital Signal Processor (DSP), a microcontroller, an Application Specific Integrated Circuit (ASIC), or a microprocessor.
The program code may be implemented in a high level procedural or object oriented programming language to facilitate processing system communications. The program code can also be implemented in assembly or machine language, if desired. Indeed, the mechanisms described in this disclosure are not limited in scope to any particular programming language. In any case, the language may be a compiled or interpreted language.
In some cases, the disclosed embodiments may be implemented in hardware, firmware, software, or any combination thereof. The disclosed embodiments may also be implemented as instructions carried by or stored on one or more transitory or non-transitory machine-readable (e.g., computer-readable) storage media, which may be read and executed by one or more processors. For example, the instructions may be distributed via a network or via other computer readable media. Thus, a machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer), including, but not limited to, floppy diskettes, optical disks, read-only memories (CD-ROMs), magneto-optical disks, read-only memories (ROMs), Random Access Memories (RAMs), erasable programmable read-only memories (EPROMs), electrically erasable programmable read-only memories (EEPROMs), magnetic or optical cards, flash memory, or a tangible machine-readable memory for transmitting information (e.g., carrier waves, infrared digital signals, etc.) using the internet in an electrical, optical, acoustical or other form of propagated signal. Thus, a machine-readable medium includes any type of machine-readable medium suitable for storing or transmitting electronic instructions or information in a form readable by a machine (e.g., a computer).
In the drawings, some features of the structures or methods may be shown in a particular arrangement and/or order. However, it is to be understood that such specific arrangement and/or ordering may not be required. Moreover, in some embodiments, the features may be arranged in a manner and/or order different from that shown in the illustrative figures. In addition, the inclusion of a structural or methodical feature in a particular figure is not meant to imply that such feature is required in all embodiments, and in some embodiments, may not be included or may be combined with other features.
It should be noted that, in each device embodiment of the present invention, each unit/module is a logical unit/module, and physically, one logical unit/module may be one physical unit/module, or may be a part of one physical unit/module, and may also be implemented by a combination of multiple physical units/modules, where the physical implementation manner of the logical unit/module itself is not the most important, and the combination of the functions implemented by the logical unit/module is the key to solve the technical problem provided by the present invention. Furthermore, in order to highlight the innovative part of the present invention, the above-mentioned device embodiments of the present invention do not introduce units/modules which are not so closely related to solve the technical problems proposed by the present invention, which does not indicate that there are no other units/modules in the above-mentioned device embodiments.
It is noted that, in the examples and descriptions of this patent, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, resource item, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, resource item, or apparatus. Without further limitation, an element defined by the phrase "comprising a" does not exclude the presence of other identical elements in the process, method, resource item or device in which the element is included.
While the invention has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention.
Claims (19)
1. A computer device comprising first and second execution environments, a first hardware device, a first hardware access controller, and a bus; wherein,
the first execution environment has initial access to a first resource on a first hardware device, and the second execution environment has initial access to a second resource;
the first hardware access controller is respectively connected with the first hardware device and the bus, and the first hardware access controller can acquire a direct memory access request initiated by the first execution environment to the second resource through the first hardware device, and intercept direct memory access of the first execution environment to the second resource through the first hardware device under the condition that the first execution environment is judged not to have access authority to the second resource.
2. The computer device of claim 1, further comprising a second hardware device, and wherein the second resource is located on the second hardware device.
3. The computer device according to claim 2, further comprising a second hardware access controller, where the second hardware access controller is connected to the second hardware device and the bus, respectively, and is capable of acquiring a direct memory access request initiated by the second execution environment to the first resource through the second hardware device, and intercepting a direct memory access of the second execution environment to the first resource through the second hardware device when it is determined that the second execution environment does not have an access right to the first resource.
4. The computer device of claim 1, further comprising a memory, wherein the second resource is a resource stored on the memory.
5. The computer device of any of claims 1-4, wherein the first hardware access controller has a first access control table stored thereon, and wherein the first access control table has a physical address of a resource to which the first execution environment has access rights stored thereon.
6. The computer device of claim 5, wherein the first hardware access controller determines that the first execution environment has access to the second resource if it is determined that the first access control table includes a physical address of the second resource; and,
and the first hardware access controller judges that the first execution environment does not have access authority to the second resource under the condition that the first access control table does not comprise the physical address of the second resource, and intercepts the direct memory access of the first execution environment to the second resource through first hardware equipment.
7. The computer device of claim 5, wherein the first execution environment is a virtual machine.
8. The computer device of claim 7, further comprising a virtual machine monitor to set the first access control table for the first execution environment.
9. The computer device of claim 5, wherein the first hardware access controller is a micro-control unit.
10. The computer device of claim 2, wherein the first hardware device is a GPU and the second hardware device is a VPU.
11. An access control method of a computer device, comprising:
the method comprises the steps that a hardware access controller of the computer equipment obtains a direct memory access request which is initiated to a second resource of the computer equipment by a first execution environment of the computer equipment through the first hardware equipment of the computer equipment, wherein the first execution environment has an initial access authority to the first resource on the first hardware equipment, and the second execution environment has an initial access authority to the second resource;
the hardware access controller judges that the first execution environment does not have access right to the second resource;
and the hardware access controller intercepts the direct memory access of the first execution environment to the second resource through the first hardware equipment.
12. The method of claim 11, wherein the computer device further comprises a second hardware device, and wherein the second resource is located on the second hardware device.
13. The method of claim 11, wherein the computer device further comprises a memory, and wherein the second resource is a resource stored on the memory.
14. The method according to any of claims 11 to 13, wherein a first access control table is stored on the first hardware access controller, and wherein the first access control table has stored thereon the physical address of the resource to which the first execution environment has access rights, wherein the first access control table does not include the physical address of the second resource.
15. The method of claim 14, wherein the first execution environment is a virtual machine.
16. The method of claim 14, wherein the computer device further comprises a virtual machine monitor for setting the first access control table for the first execution environment.
17. The method of claim 14, wherein the first hardware access controller is a micro-control unit.
18. The method of claim 14, wherein the first hardware device is a GPU and the second hardware device is a VPU.
19. A computer-readable medium having stored thereon instructions that, when executed on a computer device, cause the computer device to perform the method of access control of the computer device of any one of claims 11 to 18.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010558828.4A CN111666579B (en) | 2020-06-18 | 2020-06-18 | Computer device, access control method thereof and computer readable medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010558828.4A CN111666579B (en) | 2020-06-18 | 2020-06-18 | Computer device, access control method thereof and computer readable medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111666579A true CN111666579A (en) | 2020-09-15 |
CN111666579B CN111666579B (en) | 2024-03-08 |
Family
ID=72388475
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010558828.4A Active CN111666579B (en) | 2020-06-18 | 2020-06-18 | Computer device, access control method thereof and computer readable medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111666579B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114363074A (en) * | 2022-01-07 | 2022-04-15 | 杭州安恒信息技术股份有限公司 | Access control implementation method, device, equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040236876A1 (en) * | 2003-05-21 | 2004-11-25 | Kondratiev Vladimir L. | Apparatus and method of memory access control for bus masters |
CN103645949A (en) * | 2013-12-12 | 2014-03-19 | 浪潮电子信息产业股份有限公司 | Virtual machine dynamic migration security framework |
CN106445628A (en) * | 2015-08-11 | 2017-02-22 | 华为技术有限公司 | Virtualization method, apparatus and system |
CN107783913A (en) * | 2016-08-31 | 2018-03-09 | 华为技术有限公司 | A kind of resource access method and computer applied to computer |
CN109614204A (en) * | 2018-12-21 | 2019-04-12 | 成都海光集成电路设计有限公司 | Memory insulation blocking method, isolation check hardware, SOC chip and storage medium |
-
2020
- 2020-06-18 CN CN202010558828.4A patent/CN111666579B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040236876A1 (en) * | 2003-05-21 | 2004-11-25 | Kondratiev Vladimir L. | Apparatus and method of memory access control for bus masters |
CN103645949A (en) * | 2013-12-12 | 2014-03-19 | 浪潮电子信息产业股份有限公司 | Virtual machine dynamic migration security framework |
CN106445628A (en) * | 2015-08-11 | 2017-02-22 | 华为技术有限公司 | Virtualization method, apparatus and system |
CN107783913A (en) * | 2016-08-31 | 2018-03-09 | 华为技术有限公司 | A kind of resource access method and computer applied to computer |
CN109614204A (en) * | 2018-12-21 | 2019-04-12 | 成都海光集成电路设计有限公司 | Memory insulation blocking method, isolation check hardware, SOC chip and storage medium |
Non-Patent Citations (1)
Title |
---|
赵福发;郭炜;魏继增;: "一种基于PowerPC的安全SoC设计" * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114363074A (en) * | 2022-01-07 | 2022-04-15 | 杭州安恒信息技术股份有限公司 | Access control implementation method, device, equipment and storage medium |
CN114363074B (en) * | 2022-01-07 | 2024-04-16 | 杭州安恒信息技术股份有限公司 | Access control implementation method, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN111666579B (en) | 2024-03-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109918919B (en) | Management of authentication variables | |
US10255088B2 (en) | Modification of write-protected memory using code patching | |
US7606995B2 (en) | Allocating resources to partitions in a partitionable computer | |
CN108062242B (en) | Computing system for securely executing secure applications in rich execution environments | |
US20180285560A1 (en) | System, Apparatus And Method For Providing Locality Assertion Between A Security Processor And An Enclave | |
US20120036308A1 (en) | Supporting a secure readable memory region for pre-boot and secure mode operations | |
WO2020244369A1 (en) | Inter-process communication method and apparatus, and computer device | |
US20200409603A1 (en) | Data accessing method and apparatus, and medium | |
CN113094700A (en) | System for executing safety operation and method for executing safety operation by system | |
CN113312140B (en) | System, storage medium, and method for virtual trusted platform module | |
US20240264768A1 (en) | Request Processing Method, Apparatus, and System | |
CN115344507B (en) | Memory allocation method, device and system | |
CN114253749A (en) | Interaction method and device, electronic equipment and storage medium | |
CN116028455A (en) | Data processing method and device, storage medium and electronic equipment | |
WO2022228287A1 (en) | Memory data acquisition method and apparatus, and storage medium | |
US10936506B2 (en) | Method for tagging control information associated with a physical address, processing system and device | |
CN111666579B (en) | Computer device, access control method thereof and computer readable medium | |
US20240356886A1 (en) | Network Node Configuration Method and Apparatus, and Access Request Processing Method and Apparatus | |
KR101535792B1 (en) | Apparatus for configuring operating system and method thereof | |
US9176781B2 (en) | Virtual machine system, memory management method, memory management program, recording medium, and integrated circuit | |
CN116881987A (en) | Method and device for enabling PCIE equipment to pass through virtual machine and related equipment | |
US20190163657A1 (en) | Technologies for stable secure channel identifier mapping for static and dynamic devices | |
CN117271105A (en) | Chip, chip control method and related device | |
CN115705236B (en) | Data processing method and device, electronic equipment and storage medium | |
US20230350815A1 (en) | Trust domains for peripheral devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |