CN-114943102-B - Storage system
Abstract
One embodiment provides a storage system capable of enhancing security for access to storage. According to the embodiment, the storage system includes a nonvolatile memory and a controller. The controller validates a first access right, given to first user identification information, to a first storage area that is at least part of the nonvolatile memory, and sets a first deadline at which the first access right becomes invalid. The controller invalidates the first access right when the current time exceeds the first deadline.
Inventors
- Earth truth
Assignees
- 铠侠股份有限公司
Dates
- Publication Date
- 20260421
- Application Date
- 20210813
- Priority Date
- 20210215
Claims (10)
- 1. A storage system connectable to a host, comprising: a nonvolatile memory; and a controller including an access control section. The access control section is configured to: control access to the nonvolatile memory; manage at least one section obtained by logically dividing a storage area of the nonvolatile memory; manage a temporary authority table and first authentication information corresponding to first user identification information, the temporary authority table including information on an access right to at least one of the sections; receive from the host a first access deadline setting command issued under administrator authority, the command requesting that a first access right assigned to the first user identification information be validated and that information on the first access right be set in the temporary authority table, and including information indicating the first user identification information, a first section among the sections, and a first deadline of the access period during which the first access right to the first section is valid; set, according to the received first access deadline setting command, the first user identification information, information indicating that access to the first section is valid, and the first deadline in the temporary authority table; acquire a first current time; validate the first access right when the first current time does not exceed the first deadline set in the temporary authority table; and, when the first current time exceeds the first deadline set in the temporary authority table, invalidate the first access right, update the temporary authority table to indicate that access to the first section is invalid, and change the first authentication information corresponding to the first user identification information.
- 2. The storage system of claim 1, wherein the access control section is further configured to: receive from the host an access request, associated with the first user identification information, for access to the first section; when the first access right is valid, perform the processing for access to the first section according to the access request; and when the first access right is invalid, notify the host of an error without performing the processing for access to the first section according to the access request.
- 3. The storage system of claim 2, wherein the access control section is further configured to: receive from the host a first authentication request containing second authentication information associated with the first user identification information; when the first access right is valid, perform authentication processing of the first user identification information using the second authentication information; and when the first access right is invalid, notify the host of an error without performing authentication processing of the first user identification information using the second authentication information.
- 4. The storage system of claim 3, wherein the access control section is further configured to: when the first access right is valid and the authentication processing succeeds, perform the processing for access to the first section according to the access request; and when the first access right is valid but the authentication processing fails, notify the host of an error without performing the processing for access to the first section according to the access request.
- 5. The storage system of claim 1, wherein the access control section is further configured to: encrypt data written to the nonvolatile memory using a first encryption key and decrypt data read from the nonvolatile memory using the first encryption key; receive from the host a read request, associated with the first user identification information, for reading data from the first section; when the first access right is valid, read first data from the first section according to the read request, decrypt the read first data using the first encryption key, and transmit the decrypted first data to the host; and when the first access right is invalid, notify the host of an error without reading the first data from the first section.
- 6. The storage system of claim 5, wherein the access control section is further configured to: obtain a third encryption key by encrypting the first encryption key with a second encryption key, the second encryption key being associated with the first authentication information corresponding to the first user identification information; and, when the first access right is valid, obtain the second encryption key using the first authentication information, decrypt the third encryption key using the obtained second encryption key to obtain the first encryption key, and decrypt the read first data using the first encryption key.
- 7. The storage system of claim 6, wherein the access control section is further configured to, in response to the first access right becoming invalid, discard the third encryption key without discarding the first encryption key.
- 8. The storage system of claim 7, wherein the access control section is further configured to: obtain a fifth encryption key by encrypting the first encryption key with a fourth encryption key, the fourth encryption key being associated with second authentication information different from the first authentication information; and obtain the fourth encryption key using the second authentication information, decrypt the fifth encryption key using the obtained fourth encryption key to obtain the first encryption key, and decrypt the read first data using the first encryption key.
- 9. The storage system according to any one of claims 1 to 8, further comprising: a real-time clock; and a power storage device capable of supplying power to the real-time clock, wherein the access control section is configured to acquire the first current time from the real-time clock.
- 10. The storage system of claim 1, wherein the access control section is configured to: receive from the host a second authentication request associated with identification information of the administrator; perform authentication processing of the administrator using third authentication information included in the second authentication request; and, when the authentication processing of the administrator succeeds, set the first user identification information, the information indicating that access to the first section is valid, and the first deadline in the temporary authority table according to the first access deadline setting command.
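As an added illustration (this is example code written for this page, not code from the patent or from Kioxia), the following Python models the access control section described in claims 1 to 8 and 10: an administrator-authenticated command sets a user, a section and a deadline in a temporary authority table; each access compares the current time from an RTC callable with that deadline; on expiry the wrapped data encryption key (the "third encryption key") and the user's authentication information are discarded while the DEK itself survives, so the administrator can re-grant access under new authentication information (the "fifth encryption key" of claim 8) and the stored data is still readable. All names are hypothetical, and an HMAC-derived keystream stands in for the drive's real key-wrap and data cipher.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised wherever the claims say the controller notifies the host of an error."""


def derive_kek(auth_info: bytes, salt: bytes) -> bytes:
    # Key-encryption key "associated with" authentication information (claim 6).
    return hashlib.pbkdf2_hmac("sha256", auth_info, salt, 10_000, 32)


def _pad(key: bytes, label: bytes, n: int) -> bytes:
    # HMAC keystream; stand-in for a real cipher (AES key wrap, XTS-AES). Assumption.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(dek: bytes, kek: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(dek, _pad(kek, b"wrap", len(dek))))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()


def unwrap(blob: bytes, kek: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        raise AccessDenied("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _pad(kek, b"wrap", len(ct))))


def xcrypt(dek: bytes, lba: int, data: bytes) -> bytes:
    # Per-LBA keystream; the same call encrypts on write and decrypts on read.
    return bytes(a ^ b for a, b in zip(data, _pad(dek, lba.to_bytes(8, "big"), len(data))))


@dataclass
class Entry:
    section: int
    valid: bool
    deadline: int  # RTC time after which the right is invalidated


class AccessControl:
    def __init__(self, rtc, admin_auth: bytes):
        self.rtc = rtc                      # callable returning the RTC time (claim 9)
        self.admin_auth = admin_auth
        self.dek = secrets.token_bytes(32)  # first encryption key; never leaves the controller
        self.salt = secrets.token_bytes(16)
        self.table = {}        # temporary authority table: user_id -> Entry
        self.auth_info = {}    # user_id -> first authentication information
        self.wrapped_dek = {}  # user_id -> third encryption key (DEK wrapped under the KEK)
        self.media = {}        # section -> {lba: ciphertext}

    def set_access_deadline(self, admin_auth, user_id, section, deadline, user_auth):
        # Claims 1 and 10: the administrator authenticates, then the table row is set.
        if not hmac.compare_digest(admin_auth, self.admin_auth):
            raise AccessDenied("administrator authentication failed")
        self.table[user_id] = Entry(section, True, deadline)
        self.auth_info[user_id] = user_auth
        self.wrapped_dek[user_id] = wrap(self.dek, derive_kek(user_auth, self.salt))

    def _authenticate(self, user_id, auth_info, section) -> bytes:
        e = self.table.get(user_id)
        if e is None:
            raise AccessDenied("unknown user")
        if e.valid and self.rtc() > e.deadline:             # claim 1: time check on each use
            e.valid = False
            self.wrapped_dek.pop(user_id, None)              # claim 7: drop the wrapped key only
            self.auth_info[user_id] = secrets.token_bytes(32)  # claim 1: change the auth info
        if not e.valid:
            raise AccessDenied("access right expired")     # claims 2-3: no auth processing at all
        if not hmac.compare_digest(auth_info, self.auth_info[user_id]):
            raise AccessDenied("authentication failed")    # claim 4
        if section != e.section:
            raise AccessDenied("no right to section")
        return unwrap(self.wrapped_dek[user_id], derive_kek(auth_info, self.salt))  # claim 6

    def write(self, user_id, auth_info, section, lba, data):
        dek = self._authenticate(user_id, auth_info, section)
        self.media.setdefault(section, {})[lba] = xcrypt(dek, lba, data)

    def read(self, user_id, auth_info, section, lba) -> bytes:
        dek = self._authenticate(user_id, auth_info, section)
        return xcrypt(dek, lba, self.media[section][lba])


def demo():
    # Constructed scenario: grant until t=2000, use, expire, then re-grant with new auth info.
    rtc = {"now": 1000}
    ac = AccessControl(lambda: rtc["now"], admin_auth=b"admin-secret")
    ac.set_access_deadline(b"admin-secret", "user1", 0, deadline=2000, user_auth=b"pw1")
    ac.write("user1", b"pw1", 0, 7, b"secret payload")
    before = ac.read("user1", b"pw1", 0, 7)
    rtc["now"] = 2001
    try:
        ac.read("user1", b"pw1", 0, 7)
        after = None
    except AccessDenied as exc:
        after = str(exc)
    expired_valid = ac.table["user1"].valid
    key_gone = "user1" not in ac.wrapped_dek
    ac.set_access_deadline(b"admin-secret", "user1", 0, deadline=3000, user_auth=b"pw2")  # claim 8
    regranted = ac.read("user1", b"pw2", 0, 7)
    return before, after, expired_valid, key_gone, regranted
```

The order of checks in `_authenticate` is the security-relevant part: the deadline is evaluated before any credential comparison, so an expired user cannot even exercise the authentication path, and because the DEK is only ever held wrapped per user, the expiry erases the only copy that credential could have unlocked without touching the data on the media.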
Description
Storage system

Related application
The present application claims priority from Japanese patent application No. 2021-21773 (filed February 15, 2021). The entire content of that basic application is incorporated herein by reference.

Technical Field
Embodiments of the present invention relate to a technique for controlling a storage system including a nonvolatile memory.

Background
In recent years, storage systems including a nonvolatile memory have been widely used. One such storage system is a solid state drive (SSD) including a NAND-type flash memory. SSDs are used as the primary storage of various computing devices. To prevent data leakage, a storage system sometimes has a self-encryption function that automatically encrypts data at the time of writing. A storage system with this self-encrypting function is also called a self-encrypting drive (SED). One of the security standards that an SED should follow is the standard of the Trusted Computing Group (TCG). The TCG standard specifies, for example, data encryption and access control for each partial area of the storage.

Disclosure of Invention
One embodiment provides a storage system capable of enhancing security for access to storage. According to the embodiment, the storage system includes a nonvolatile memory and a controller. The controller validates a first access right, given to first user identification information, to a first storage area that is at least part of the nonvolatile memory, and sets a first deadline at which the first access right becomes invalid. The controller invalidates the first access right when the current time exceeds the first deadline.

Drawings
Fig. 1 is a block diagram showing a configuration example of an information processing system including the storage system of the first embodiment.
Fig. 2 is a diagram showing an example of operations for validating and invalidating an access right given to user identification information (user ID) in the storage system of the first embodiment.
Fig. 3 is a diagram showing an example of a storage area in which access rights are controlled in the storage system of the first embodiment.
Fig. 4 is a diagram showing an example of the structure of the temporary authority table used in the storage system of the first embodiment.
Fig. 5 is a diagram showing an example of the relationship between a data encryption key (DEK) for encrypting and decrypting data and authentication information in the storage system of the first embodiment.
Fig. 6 is a diagram showing an example of a read operation depending on whether the access right corresponding to a user ID is valid in the storage system of the first embodiment.
Fig. 7 is a diagram showing an example of a write operation depending on whether the access right corresponding to a user ID is valid in the storage system of the first embodiment.
Fig. 8 is a diagram showing an example of access control when one user ID is used by a plurality of users in the storage system of the first embodiment.
Fig. 9 is a flowchart showing an example of the procedure of the authority setting process executed in the storage system of the first embodiment.
Fig. 10 is a flowchart showing an example of the procedure of the authority invalidation process executed in the storage system of the first embodiment.
Fig. 11 is a flowchart showing an example of the procedure of the user authentication process executed in the storage system of the first embodiment.
Fig. 12 is a flowchart showing an example of the procedure of the read command process executed in the storage system of the first embodiment.
Fig. 13 is a flowchart showing an example of the procedure of the write command process executed in the storage system of the first embodiment.
Fig. 14 is a block diagram showing a configuration example of an information processing system including the storage system of the second embodiment.

Detailed Description
Hereinafter, embodiments will be described with reference to the drawings.

(First embodiment)
First, the configuration of an information processing system 1 according to the first embodiment will be described with reference to Fig. 1. The information processing system 1 includes a host device 2 (hereinafter referred to as host 2) and a storage system 3. The host 2 is an information processing apparatus. The host 2 may be a storage server that stores a large amount of various data in the storage system 3, or may be a personal computer. The storage system 3 is a semiconductor storage device configured to write data to a nonvolatile memory 6, such as a NAND flash memory, and to read data from the nonvolatile memory 6; it is also referred to as a storage device. The storage system 3 may be implemented as,