CN-121619095-B - High-performance password service system and method operating in kernel mode
Abstract
The invention relates to a high-performance cryptographic service system and method running in kernel mode, belongs to the technical field of information encryption, and solves the problems of large performance overhead and high latency caused in the prior art by running the cryptographic service in user mode. In the method, a network module creates a plurality of listening sockets and establishes a connection socket; after an encapsulated task is sent to a thread pool module, request data is copied into the data buffer corresponding to the connection instance of the connection socket, and response data is later taken out of that buffer; a connection management module creates the connection instance of the connection socket, allocates the data buffer, and calls a protocol parsing module when the request data is complete; the thread pool module assigns a worker thread to execute the task; and the protocol parsing module calls the kernel-mode cryptographic card driver to perform the cryptographic operation and packages the result into response data written into the data buffer. The performance of the cryptographic service is thereby improved.
Inventors
- Zhang Guodong
- Fu Chaolun
- Sha Guining
- Wang Yufeng
Assignees
- 北京凝思软件股份有限公司
Dates
- Publication Date: 2026-05-12
- Application Date: 2025-12-11
Claims (10)
- 1. A high-performance cryptographic service system operating in kernel mode, the system being deployed in an operating system kernel and comprising: a network module for creating a plurality of listening sockets, for having the corresponding listening socket accept the connection and establish a connection socket when a new connection request is received, for copying, when a cryptographic service request is received and after the encapsulated task has been sent to the thread pool module, the request data into the data buffer corresponding to the connection instance of the connection socket, and for taking the response data out of the data buffer; a connection management module for creating the connection instance of the connection socket and managing its state, allocating the data buffer, and calling the protocol parsing module when the request data is detected to be complete; a thread pool module for assigning worker threads to execute the tasks in the task queue and triggering the connection management module to check the data buffer; and a protocol parsing module for parsing the request data in the data buffer, calling the kernel-mode cryptographic card driver to perform the cryptographic operation, and packaging the operation result into response data written into the data buffer.
- 2. The high-performance cryptographic service system operating in kernel mode of claim 1, wherein the network module further comprises an I/O multiplexing component comprising: an interest red-black tree that stores and indexes all interest instances, each consisting of a socket instance and the network events of interest for it; a timer red-black tree that stores and manages the timeout timers associated with all connection instances; and a ready queue that temporarily holds the socket instances whose network events of interest have fired and that are waiting to be processed by the event main loop.
- 3. The high-performance cryptographic service system running in kernel mode according to claim 2, wherein the network module calls the connection management module to generate a listening instance for each listening socket; and when a listening instance or a connection instance is generated, the I/O multiplexing component performs the following operations: packaging the listening instance or connection instance as a socket instance, setting the corresponding network events of interest, creating an interest instance and registering it in the interest red-black tree; and packaging the created interest instance together with the I/O multiplexing component callback function as a wait item, and registering the wait item in the wait queue of the corresponding listening socket or connection socket.
- 4. The high-performance cryptographic service system operating in kernel mode of claim 3, wherein the network module performs the following steps when receiving a new connection request: the operating system kernel selects the corresponding listening socket, triggers the wait item registered by the I/O multiplexing component in that socket's wait queue, and executes the I/O multiplexing component callback function contained in the wait item; the callback function recognises that a new connection request is among the network events of interest of the corresponding interest instance, adds the socket instance of that interest instance to the ready queue, and wakes up the event main loop; the event main loop takes the socket instance out of the ready queue, converts it to a listening instance, calls the accept-connection interface of the operating system kernel, and establishes a connection socket; and the connection management module is called to create a connection instance for the connection socket.
- 5. The high-performance cryptographic service system operating in kernel mode of claim 2, wherein the network module performs the following steps when receiving a cryptographic service request: the operating system kernel selects the corresponding connection socket, triggers the wait item registered by the I/O multiplexing component in its wait queue, and executes the I/O multiplexing component callback function contained in the wait item; and the event main loop takes the socket instance out of the ready queue, converts it to a connection instance, and encapsulates the task into the task queue of the thread pool module.
- 6. The system of claim 4, wherein the connection management module, when creating a connection instance for a connection socket, initialises the connection instance to the connected state, creates a corresponding timer according to the timeout of the connection instance, and registers the timer in the timer red-black tree of the I/O multiplexing component, wherein the timeout of the timer is refreshed by computing a new timeout from the current time after the network module copies the request data into the data buffer, or after the response data is taken out of the data buffer and written into the kernel send buffer.
- 7. The high-performance cryptographic service system operating in kernel mode of claim 2, wherein the network module further performs connection timeout handling through the I/O multiplexing component, comprising: before the event main loop enters its next blocking wait, obtaining the timer closest to the current time from the timer red-black tree and using that timer's timeout as the maximum blocking wait time of the event main loop; and when the event main loop wakes because that timer has expired, obtaining and removing all expired timers from the timer red-black tree, closing the associated connection sockets, removing and releasing the associated interest instances from the interest red-black tree, and notifying the connection management module to destroy the corresponding connection instances.
- 8. The high-performance cryptographic service system of claim 1, wherein the connection management module detects whether the request data in the data buffer is complete, updates the state of the connection instance to "waiting for data" if the request data is incomplete, and updates the state of the connection instance to "ready for receipt" if the request data is complete.
- 9. The system of claim 8, wherein the protocol parsing module updates the state of the connection instance to "ready to send" after writing the response data into the data buffer, and wherein the network module takes the response data out of the data buffer and writes it into the kernel send buffer when it detects that the state of the connection instance is "ready to send".
- 10. A high-performance cryptographic service method operating in kernel mode, comprising the steps of: creating a plurality of listening sockets in an operating system kernel; when a new connection request is received, having the corresponding listening socket accept the connection and establish a connection socket; when a cryptographic service request is received, encapsulating a task into a task queue; when executing the task from the task queue, copying the request data from the kernel receive buffer into the data buffer corresponding to the connection instance of the connection socket and, if the request data in the data buffer is detected to be complete, parsing the request data, calling the kernel-mode cryptographic card driver to perform the cryptographic operation, and packaging the operation result into response data written into the data buffer; and taking the response data out of the data buffer and writing it into the kernel send buffer, from which the operating system kernel sends the response data to the client through the network card.
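The connection-timer and connection-state behaviour of claims 6 to 9, as an added user-space model in C that is not the patent's own code: the 2-byte big-endian length prefix used to decide that a request is complete, the 5-second timeout, and the replacement of the timer red-black tree by a plain array scan are all assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* Connection states named in claims 6, 8 and 9, plus CLOSED for an expired timer. */
enum state { CONNECTED, WAITING_DATA, READY_FOR_RECEIPT, READY_TO_SEND, CLOSED };
#define TIMEOUT_MS 5000u   /* assumed connection timeout */
struct conn {
    enum state st;
    uint8_t buf[256];      /* data buffer allocated by the connection management module */
    size_t len;            /* bytes currently held in the data buffer */
    uint64_t deadline_ms;  /* this connection's timer, as kept in the timer red-black tree */
};
/* Claim 6: a new connection starts in the connected state with timer = now + timeout. */
void conn_init(struct conn *c, uint64_t now_ms) {
    *c = (struct conn){ .st = CONNECTED, .deadline_ms = now_ms + TIMEOUT_MS };
}
/* Claims 6 and 8: copy request bytes into the buffer, refresh the timer and check
 * completeness. Assumed framing: a 2-byte big-endian length prefix before the payload.
 * Returns 1 for a complete request, 0 while waiting, -1 if it would overflow the buffer. */
int conn_feed(struct conn *c, const uint8_t *data, size_t n, uint64_t now_ms) {
    if (c->st == CLOSED || c->len + n > sizeof c->buf) { c->st = CLOSED; return -1; }
    memcpy(c->buf + c->len, data, n);
    c->len += n;
    c->deadline_ms = now_ms + TIMEOUT_MS;
    if (c->len >= 2 && c->len >= 2u + (((size_t)c->buf[0] << 8) | c->buf[1])) {
        c->st = READY_FOR_RECEIPT;
        return 1;
    }
    c->st = WAITING_DATA;
    return 0;
}
/* Claim 7: the event main loop blocks no longer than the nearest live timer. */
uint64_t next_block_ms(const struct conn *conns, size_t n, uint64_t now_ms) {
    uint64_t nearest = UINT64_MAX;
    for (size_t i = 0; i < n; i++)
        if (conns[i].st != CLOSED && conns[i].deadline_ms < nearest) nearest = conns[i].deadline_ms;
    if (nearest == UINT64_MAX) return TIMEOUT_MS;   /* no live timers: default wait */
    return nearest <= now_ms ? 0 : nearest - now_ms;
}
/* Claim 7: on wake-up, close every connection whose timer has expired; returns the count. */
size_t expire_connections(struct conn *conns, size_t n, uint64_t now_ms) {
    size_t closed = 0;
    for (size_t i = 0; i < n; i++)
        if (conns[i].st != CLOSED && conns[i].deadline_ms <= now_ms) { conns[i].st = CLOSED; closed++; }
    return closed;
}
```

An oversized request closes the connection instead of growing the buffer, which is the check a kernel-resident parser must make before any copy.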
Description
Technical Field
The invention relates to the technical field of information encryption, and in particular to a high-performance cryptographic service system and method running in kernel mode.
Background
In recent years, with the rapid development of computer and network technology, information security in cyberspace has faced increasingly serious threats. To strengthen information protection, more and more computer systems employ dedicated cryptographic techniques to secure communications and data. Through key capabilities such as confidentiality, identity authentication, data integrity and non-repudiation, cryptographic techniques build the fundamental security barrier for digital assets and communication processes. Currently, integrating an HSM (Hardware Security Module) is the common way for mainstream systems to obtain cryptographic security capabilities. In this architecture the cryptographic service, which is the core function of the HSM, is the main carrier that provides cryptographic operation capability to the outside; it runs in a network listening mode and answers requests through a dedicated message interface. The service has to handle a large number of concurrent network accesses efficiently, achieving fast response while sustaining high throughput. In HSM deployments that rely on dedicated cryptographic computing hardware (a class of computer peripheral) to provide this capability, the hardware is typically attached to the host through a PCIe interface. The device is first controlled and scheduled at the lowest layer by a kernel-mode driver, which is then wrapped in a user-mode driver so that upper-layer applications see a unified driver interface.
Therefore, in conventional user-mode implementations of the cryptographic service, the data processing path involves multiple redundant copies across the privilege boundary, which causes significant performance overhead. The cryptographic service first calls the user-mode network interface, and the operating system kernel copies the network data from a kernel-mode buffer to a user-mode buffer; the service then performs protocol parsing and issues the cryptographic call, which goes through the user-mode driver of the cryptographic hardware. That driver usually has to copy the data from user mode back into kernel mode, where the kernel-mode driver performs the cryptographic operation; once the operation completes, the result has to be copied from kernel mode back to user mode again and returned to the service layer through the user-mode driver. Finally, the cryptographic service packages the result into a response message and calls the user-mode network interface, the kernel copies the data from user mode to kernel mode, and the network card driver sends it out. The frequent copying between kernel mode and user mode in this flow not only increases processing latency but also greatly raises CPU load, and has become the main bottleneck limiting cryptographic service performance.
Disclosure of Invention
In view of the above analysis, embodiments of the present invention aim to provide a high-performance cryptographic service system and method operating in kernel mode, so as to solve the problems of large performance overhead and high latency caused by frequent data copying between kernel mode and user mode when the cryptographic service runs in user mode.
In one aspect, an embodiment of the present invention provides a high-performance cryptographic service system operating in kernel mode, the system being deployed in an operating system kernel and comprising: a network module for creating a plurality of listening sockets, for having the corresponding listening socket accept the connection and establish a connection socket when a new connection request is received, for copying, when a cryptographic service request is received and after the encapsulated task has been sent to the thread pool module, the request data into the data buffer corresponding to the connection instance of the connection socket, and for taking the response data out of the data buffer; a connection management module for creating the connection instance of the connection socket and managing its state, allocating the data buffer, and calling the protocol parsing module when the request data is detected to be complete; a thread pool module for assigning worker threads to execute the tasks in the task queue and triggering the connection management module to check the data buffer; and a protocol parsing module for parsing the request data in the data buffer, calling the kernel-mode cryptographic card driver to