CN-121349598-B - Method, device, equipment and medium for secure direct connection of client PCIE equipment
Abstract
The invention discloses a method, a device, equipment and a medium for securely passing a PCIE device through to a client (guest), in the field of virtual machines. The method comprises: adding a DMA region setting for the PCIE device in the client's device tree file; adding a PCIE bus description node that references the region, and removing the node's IOMMU attribute and DMA coherency attribute; adding a memory region description to the client's Jailhouse configuration file, defining a memory address pool range within that region, and adding a mark to the address pool; when the PCIE device is added to the client in the Jailhouse driver, obtaining the pointer address of the pci_dev device information structure through the configuration file and using it to determine the IOMMU domain bound to the PCIE device; and scanning all memory regions of the client that is to use the PCIE device, identifying the memory address pool region by its mark, and establishing in the IOMMU domain the mapping between the PCIE device's virtual addresses and the physical addresses of the memory address pool.
Inventors
- ZHANG LIGUANG
- HUANG LEI
- ZHANG YANG
- TANG KUN
- CHEN YANGPING
- XU BIN
- DAN JIANQUN
Assignees
- 麒麟软件有限公司
Dates
- Publication Date
- 2026-05-05
- Application Date
- 2025-12-16
Claims (11)
- 1. A method for securely passing a PCIE device through to a client (guest), comprising: adding a DMA region setting for the PCIE device in the device tree file of the client that is to use the PCIE device; adding a PCIE bus description node to that device tree file, referencing the configured DMA region in the node, and removing the IOMMU attribute and the DMA coherency attribute of the description node; adding a DMA region description to the Jailhouse configuration file of the client, defining a memory address pool range within the DMA region, and adding a specific mark to the memory address pool; when the PCIE device is added to the client in the Jailhouse driver, obtaining the pointer address of the pci_dev device information structure through the client configuration file, and using that pointer address to determine the IOMMU domain to which the PCIE device is bound; scanning all memory regions of the client, identifying the memory address pool region by the specific mark, and establishing, in the IOMMU domain, the mapping between the PCIE device's virtual addresses and the physical addresses of the memory address pool; wherein adding the PCIE bus description node, referencing the configured DMA region and removing the IOMMU attribute and the DMA coherency attribute comprises: copying the PCIE bus description node from the host device tree file into the client device tree file, and removing the dma-parent attribute and the iommu-map attribute from the node.
- 2. The method according to claim 1, further comprising: defining the physical and virtual addresses of the ITS memory region in the client configuration file, adding an ITS memory mark to the defined ITS memory region, and removing the JAILHOUSE_MEM_ROOTSHARED configuration; and creating the mapping of the ITS addresses in the IOMMU domain through iommu_map.
- 3. The method of claim 1, wherein adding the DMA region setting for the PCIE device in the client device tree file comprises: adding a reserved-memory node under the root node of the client device tree and defining the address range of the reserved memory.
- 4. The method of claim 1, wherein adding the DMA region description to the client Jailhouse configuration file and defining the memory address pool range within the DMA region comprises: defining the physical address and the virtual address of the memory address pool; and adding the readable, writable, I/O memory and DMA-capable flags to the memory of the memory address pool.
- 5. The method of claim 1, wherein obtaining the pointer address of the pci_dev device information structure through the client configuration file when the PCIE device is added to the client in the Jailhouse driver, and determining the IOMMU domain to which the PCIE device is bound using the pointer address, comprises: determining the bus device from the BDF number in the PCIE resource description of the Jailhouse client configuration file, and finding the pointer address of the pci_dev device information structure via its slot; and using the pointer address to determine the corresponding IOMMU domain via the standard Linux interface iommu_get_domain_for_dev.
- 6. The method according to claim 2, further comprising: unbinding the PCIE device from its corresponding driver on the host and, when INTx interrupts are used, binding the PCIE device to the Jailhouse-pcb-driver.
- 7. The method of claim 5, further comprising: unbinding the PCIE device from its corresponding driver on the host and, when MSI-X interrupts are used, binding the PCIE device to the vfio-pci driver, and enabling DMA by the PCIE device through pci_set_master provided by Linux.
- 8. The method of claim 1, wherein obtaining the pointer address of the pci_dev device information structure through the client configuration file when the PCIE device is added to the client in the Jailhouse driver, and determining the IOMMU domain to which the PCIE device is bound using the pointer address, further comprises: storing the name of the host driver to which the PCIE device was bound; and correspondingly the method further comprises: when the client is shut down, rebinding the PCIE device to the host driver by writing its BDF into the sysfs virtual file system from a user-mode program invoked via call_usermodehelper.
- 9. An apparatus for securely passing a PCIE device through to a client, comprising: an adding module, configured to add a DMA region setting for the PCIE device in the device tree file of the client that is to use the PCIE device; a reference module, configured to add a PCIE bus description node to that device tree file, reference the configured DMA region in the node, and remove the IOMMU attribute and the DMA coherency attribute of the description node; a definition module, configured to add a DMA region description to the Jailhouse configuration file of the client, define the memory address pool range within the DMA region, and add a specific mark to the address pool; a determining module, configured to obtain the pointer address of the pci_dev device information structure through the client configuration file when the PCIE device is added to the client in the Jailhouse driver, and to determine the IOMMU domain to which the PCIE device is bound using the pointer address; and a scanning module, configured to scan all memory regions of the client, identify the memory address pool region by the specific mark, and establish, in the IOMMU domain, the mapping between the PCIE device's virtual addresses and the physical addresses of the memory address pool; wherein the reference module comprises a copying unit, configured to copy the PCIE bus description node from the host device tree file into the client device tree file and to remove the dma-parent attribute and the iommu-map attribute from the node.
- 10. An apparatus for securely passing a PCIE device through to a client, comprising: one or more processors; and storage means storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-8.
- 11. A storage medium containing computer-executable instructions which, when executed by a computer processor, perform the method of any one of claims 1-8.
Description
Method, device, equipment and medium for secure direct connection of client PCIE equipment
Technical Field
The present invention relates to the field of virtual machines, and in particular to a method, an apparatus, a device and a medium for securely passing a PCIE device through to a client (guest).
Background
Jailhouse is a lightweight virtualization platform commonly used in embedded systems, especially where high performance and low overhead are required. It is designed to run a host operating system (typically Linux) alongside multiple isolated virtualized guest domains (e.g., running an RTOS or bare-metal applications). In a virtualized scenario, guests typically rely on device pass-through to access a physical device. Device pass-through assigns a physical hardware device (such as a GPU, network card or FPGA) directly to a client (guest), bypassing the host operating system and hypervisor layers, so that the client obtains exclusive access to the device. Although Jailhouse supports passing PCIE devices that use INTx interrupts directly to a guest, this approach does not isolate or manage the memory access range and resource permissions of the device, so the guest may use the device to access the memory of the host or of other clients out of bounds, creating security risks such as data leakage and system tampering.
If an IOMMU (Input/Output Memory Management Unit) isolation scheme is used to improve security, the IOMMU function of the host system must be turned off and the initialization and management of the IOMMU handed over to the Jailhouse hypervisor. Disabling the host IOMMU requires modifying the host device tree, which is an invasive operation, and after Jailhouse is shut down the host's PCIE devices remain in a state where DMA translation through the IOMMU is disabled, which hinders automatic recovery. This is not only complex but also affects the security of the system.
Disclosure of Invention
Embodiments of the invention provide a method, a device, equipment and a medium for securely passing a PCIE device through to a client, to solve the technical problem in the prior art that securely passing a PCIE device through to a client with device pass-through technology requires complex system configuration.
In a first aspect, an embodiment of the present invention provides a method for securely passing a PCIE device through to a client, including: adding a DMA region setting for the PCIE device in the device tree file of the client that is to use the PCIE device; adding a PCIE bus description node to that device tree file, referencing the configured DMA region in the node, and removing the IOMMU attribute and the DMA coherency attribute of the description node; adding a DMA region description to the Jailhouse configuration file of the client, defining the range of a memory address pool within the DMA region, and adding a specific mark to the address pool; when the PCIE device is added to the client in the Jailhouse driver, obtaining the pointer address of the pci_dev device information structure through the client configuration file, and using that pointer address to determine the IOMMU domain to which the PCIE device is bound; and scanning all memory regions of the client, identifying the memory address pool region by the specific mark, and establishing, in the IOMMU domain, the mapping between the PCIE device's virtual addresses and the physical addresses of the memory address pool.
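An added user-space model (not the patent's or Jailhouse's code) of the last step above: scanning the cell's memory regions for the marked pool, recording the IOMMU mappings the driver would create, and then translating device accesses against them to show that only the pool is reachable. The JAILHOUSE_MEM_READ/WRITE/IO/DMA values and the jailhouse_memory layout are Jailhouse's real ones; JAILHOUSE_MEM_DMA_POOL (the page does not name the mark's value), the sample regions and iommu_translate are constructed stand-ins for the mark, a cell configuration and the hardware IOMMU.

```c
#include <stdint.h>
#include <stddef.h>
/* Real Jailhouse memory-region flags (jailhouse/cell-config.h). */
#define JAILHOUSE_MEM_READ  0x0001
#define JAILHOUSE_MEM_WRITE 0x0002
#define JAILHOUSE_MEM_DMA   0x0008
#define JAILHOUSE_MEM_IO    0x0010
/* Hypothetical value for the patent's "specific mark" on the address pool; the page gives none. */
#define JAILHOUSE_MEM_DMA_POOL 0x4000
#define IOMMU_FAULT UINT64_MAX

struct jailhouse_memory { uint64_t phys_start, virt_start, size, flags; }; /* Jailhouse's layout */
struct iova_map { uint64_t iova, phys, size; };  /* records what one iommu_map() call would do */
static struct iova_map maps[8];
static size_t nmaps;

/* Constructed sample cell config: 256 MiB of guest RAM plus a 16 MiB marked DMA pool. */
const struct jailhouse_memory sample_cfg[] = {
    { 0x80000000, 0x80000000, 0x10000000, JAILHOUSE_MEM_READ | JAILHOUSE_MEM_WRITE },
    { 0xa0000000, 0xa0000000, 0x01000000, JAILHOUSE_MEM_READ | JAILHOUSE_MEM_WRITE |
      JAILHOUSE_MEM_IO | JAILHOUSE_MEM_DMA | JAILHOUSE_MEM_DMA_POOL },
};
const size_t sample_n = sizeof sample_cfg / sizeof sample_cfg[0];

/* Scan every region of the cell and map only the marked pool into the device's IOMMU domain.
 * Returns the number of mappings created, or a negative code when the config is unusable. */
int map_dma_pool(const struct jailhouse_memory *regs, size_t n)
{
    const uint64_t needed = JAILHOUSE_MEM_READ | JAILHOUSE_MEM_WRITE |
                            JAILHOUSE_MEM_IO | JAILHOUSE_MEM_DMA;      /* claim 4's flags */
    nmaps = 0;
    for (size_t i = 0; i < n; i++) {
        if (!(regs[i].flags & JAILHOUSE_MEM_DMA_POOL)) continue;  /* unmarked: never mapped */
        if ((regs[i].flags & needed) != needed) return -1;        /* pool lacks RW/IO/DMA */
        if ((regs[i].phys_start | regs[i].virt_start | regs[i].size) & 0xfff) return -2; /* page-aligned */
        if (nmaps == sizeof maps / sizeof maps[0]) return -3;
        maps[nmaps++] = (struct iova_map){ regs[i].virt_start, regs[i].phys_start, regs[i].size };
    }
    return nmaps ? (int)nmaps : -4;                   /* no pool: the device gets no DMA window */
}

/* Model of the IOMMU walk: an access of len bytes at iova translates only if it lies entirely
 * inside a mapped pool; anything else (host RAM, other cells) faults instead of completing. */
uint64_t iommu_translate(uint64_t iova, uint64_t len)
{
    for (size_t i = 0; i < nmaps; i++) {
        uint64_t off = iova - maps[i].iova;
        if (iova >= maps[i].iova && len <= maps[i].size && off <= maps[i].size - len)
            return maps[i].phys + off;
    }
    return IOMMU_FAULT;
}
```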
In a second aspect, an embodiment of the present invention further provides a device for securely passing a PCIE device through to a client, including: an adding module, configured to add a DMA region setting for the PCIE device in the device tree file of the client that is to use the PCIE device; a reference module, configured to add a PCIE bus description node to that device tree file, reference the configured DMA region in the node, and remove the IOMMU attribute and the DMA coherency attribute of the description node; a definition module, configured to add a DMA region description to the Jailhouse configuration file of the client, define the range of a memory address pool within the DMA region, and add a specific mark to the address pool; a determining module, configured to obtain the pointer address of the pci_dev device information structure through the client configuration file when the PCIE device is added to the client in the Jailhouse driver, and determinin