Search

CN-121996436-A - User state encryption and decryption file system unloading system, method and medium supporting in-line mode

CN121996436ACN 121996436 ACN121996436 ACN 121996436ACN-121996436-A

Abstract

The invention discloses a user mode encryption and decryption file system unloading system, a method and a medium supporting an in-line mode, and relates to the technical field of data processing and storage. The system comprises a host end, an FPGA hardware module and a TIPU end. The host end is provided with an fs-Client driving module, intercepts a file operation request and packages the file operation request into an encryption request or a direct request according to a custom protocol to be sent to the FPGA hardware module, the FPGA hardware module integrates a data packet analysis and encryption and decryption module, extracts encryption and decryption parameters aiming at the direct request and carries out in-line type real-time encryption and decryption on file data, and the TIPU end receives the processed data or the direct request through a SPDK frame and an fs-Server service module which run in a user state, manages encryption meta information and interacts with the back end storage to complete reading and writing. The invention realizes the deep fusion of encryption and decryption and IO paths, eliminates the multiple copy loss of data, releases the calculation power of a CPU of a host computer, and remarkably improves the throughput and the data security of the system.

Inventors

  • LI DAICHAO
  • WU HUAIGU
  • ZHANG NANXIN
  • ZHA MING
  • ZHANG YE

Assignees

  • 天府绛溪实验室

Dates

Publication Date
20260508
Application Date
20260410

Claims (10)

  1. 1. The utility model provides a support in-line mode's user mode encryption and decryption file system uninstallation system which characterized in that includes: The system comprises a host end, an FPGA hardware module and a TIPU end; The host side is configured with an fs-Client driving module, the fs-Client driving module is used for receiving a file operation request initiated by a user application program, classifying the file operation request, packaging the file operation request into an encryption request or a direct request according to a preset custom protocol, and sending the encryption request or the direct request to the FPGA hardware module by utilizing the direct memory access capability between the FPGA hardware module; The FPGA hardware module is respectively connected with the host end and the TIPU end through a bus interface, and is internally integrated with a data packet analysis module and an encryption and decryption module, wherein the data packet analysis module is used for identifying the type of a received data packet, namely directly transmitting the received data packet to the TIPU end if the received data packet is the direct request, analyzing and extracting encryption and decryption parameters and data in the encryption request if the received data packet is the encryption request, calling the encryption and decryption module to carry out in-line encryption and decryption processing on the data according to the encryption and decryption parameters, and transmitting the processed data to the TIPU end or the host end; The TIPU end is configured with a SPDK framework running in a user mode, an fs-Server service module and a back-end storage access module, the SPDK framework directly accesses a memory area of the FPGA hardware module through memory mapping, the fs-Server service module is used for receiving an encryption request or encrypted and decrypted data from the FPGA hardware module, managing encryption meta information of a corresponding file, and calling the back-end storage access module to interact with back-end storage execution to complete file system operation and data reading and writing.
  2. 2. The system for unloading a user-state encrypted and decrypted file system supporting an in-line mode according to claim 1, wherein when the fs-Client driver encapsulates the file operation request as the encryption request or the pass-through request, the following custom data interaction protocol is followed: The direct request is used for transmitting an operation type instruction without file data content, and the data packet format comprises a request header, an operation header and optional operation data; The encryption request is used for transmitting a read-write instruction carrying file data content, and the data packet format comprises a request header, an operation header, extension data and file data described in a hash-aggregation list SGL format, wherein the extension data comprises parameters required for executing encryption and decryption, and the parameters comprise an encryption algorithm type, a grouping mode, an initial vector and a secret key.
  3. 3. The system for unloading a user-state encryption and decryption file system supporting an in-line mode according to claim 2, wherein the FPGA hardware module is internally solidified with data packet analysis logic and encryption and decryption logic: When the data packet analysis module identifies that the data packet is the encryption request, extracting the encryption algorithm type, the grouping mode, the initial vector and the secret key from the extension data, and reading corresponding memory data according to an SGL format; And calling the encryption and decryption module, and carrying out real-time encryption and decryption calculation on the read memory data according to the extracted parameters without carrying out additional data copying between a host end and a TIPU end.
  4. 4. The user state encryption and decryption file system unloading system supporting an in-line mode according to claim 1, wherein the fs-Server service module is specifically configured to: receiving a file operation request for an encrypted file, and managing encryption meta information of the file when the file is created or opened, wherein the encryption meta information comprises an algorithm type, an initial vector, an original content size, a filling content and a block size; When encryption request data transmitted through the FPGA hardware module in an encryption mode is received, updating the filling content in the encryption meta information, and calling a writing interface of the back-end storage access module to write the encrypted data into the back-end storage.
  5. 5. The system for unloading a user-state encryption and decryption file system supporting an in-line mode according to claim 2, wherein, for a write request with file data content, the fs-Client driver module generates the request by the following alignment processing mechanism: Inquiring encryption meta information of a target file, acquiring a preset block size, and judging whether a start address and an end address of data to be written are aligned with the start address and the end address of a block corresponding to the block size; if the write requests are aligned, the write requests are directly packaged into the encryption requests and put into a sending queue; if the data to be written is not aligned, generating a read request in an encryption request format, reading original encryption data corresponding to the block through the FPGA hardware module, decrypting and returning the original encryption data, and combining the decrypted original data with the data to be written according to the offset by the fs-Client driving module so as to adjust the starting address and the ending address of the written data to an aligned state; If the adjusted initial address is still not aligned with the initial vector length, a request for acquiring the initial vector, namely a write-get-iv request, is generated, and the encrypted data with the previous initial vector length is read as the initial vector of the current encryption.
  6. 6. The system for unloading a user-state encryption and decryption file system supporting an in-line mode according to claim 2, wherein for a read request with file data content, the processing flow of the system comprises: The fs-Client driving module inquires encryption meta information of the target file, acquires a preset block size and a corresponding start address of the block, and generates a request for reading the encrypted data of the previous initial vector length if the start address of the request is not aligned with the start address of the block after being aligned downwards according to the initial vector length, and decrypts the request by the FPGA hardware module to serve as an initial vector of the read request; The fs-Client driving module packages the read operation containing the adjusted address and encryption and decryption parameters into the encryption request and sends the encryption request to the TIPU end; After the fs-Server service module obtains the encrypted data of the corresponding interval, the fs-Server service module and the encrypted and decrypted parameters are packaged according to the encryption request format and sent to the FPGA hardware module; The FPGA hardware module analyzes the encryption request and calls the encryption and decryption module to decrypt, and the decrypted plaintext data is transmitted to the fs-Client driving module.
  7. 7. A method for unloading a user mode encryption and decryption file system supporting an in-line mode, which is applied to a system as claimed in any one of claims 1 to 6, and is characterized in that the method comprises the following steps: Step S1, a host intercepts a file operation request initiated by a user application program, packages the request into a direct request containing a control instruction or a decryption request containing file data and encryption and decryption parameters according to an operation type and a preset custom protocol, and sends the direct request to an FPGA hardware module through direct memory access; Step S2, the FPGA hardware module identifies the received data packet, if the received data packet is a direct connection request, the received data packet is directly transmitted to a TIPU end, if the received data packet is an encryption request, encryption and decryption parameters are extracted, in-line encryption and decryption are carried out on file data on a bus transmission path, and then the processed data is sent to the TIPU end or the host end; and step S3, the TIPU end receives the encrypted request or the encrypted and decrypted data, updates the encrypted meta information of the file, and calls the back-end storage access module to interact with the back-end storage execution so as to finish the storage access operation of the target data.
  8. 8. The method for unloading a user-state encryption and decryption file system supporting an in-line mode according to claim 7, wherein the custom protocol in step S1 is specifically: The size of the data packet of the direct request is fixed, and the data packet consists of a request head and an operation head; The data packet of the encryption request is variable in size and consists of a request header, an operation header, extension data carrying encryption algorithm types and initial vectors and data segments in a hash-aggregation list SGL format.
  9. 9. The method for unloading a user-state encrypted file system supporting an in-line mode according to claim 7, wherein in step S1, when a non-aligned write request operation is processed, an encrypted partition is divided according to a preset partition size for target data, and the method comprises the following compensation sub-steps: The original encrypted data of the misaligned encrypted block is read from the rear end storage and decrypted to the host end through the FPGA hardware module; The host end combines the plaintext data to be written in this time and the decrypted original plaintext data in the memory according to the offset, so that the boundary of the spliced data is aligned with the boundary of the encrypted block; and packaging the spliced aligned plaintext data and the encryption parameters into an encryption request, and triggering an in-line encryption flow of the FPGA hardware module.
  10. 10. A computer readable storage medium for storing instructions that, when executed, cause the method of any one of claims 7-9 to be implemented.

Description

User state encryption and decryption file system unloading system, method and medium supporting in-line mode Technical Field The invention relates to the technical field of data processing and storage, in particular to a system, a method and a medium for unloading a user state encryption and decryption file system supporting an in-line mode, which are suitable for trusted data space and data center scenes requiring high performance, high security and separated storage and calculation. Background The statements in this section merely provide background information related to the present disclosure and may not constitute prior art. With the continuous rise of data central computing power and storage pressure, the demands of trusted data space scenarios on "host CPU offload," "separate storage computing," and "data security encryption" are becoming increasingly stringent. In order to release the host CPU resource, the existing partial offloading scheme attempts to offload the kernel operation of the user-mode file system to a data processing unit (such as a TIPU), and the data processing unit undertakes file access, protocol processing and encryption and decryption tasks so as to guarantee the security of data storage. However, the unloading scheme adopting the side-mounted encryption and decryption engine has the following key defects, so that the further improvement of the system performance is limited: 1. In the scheme, the data processing unit side needs to receive the file data first and then forward the file data to the plug-in encryption and decryption engine for encryption or decryption. In the process, multiple data copies are generated between the operating system and the encryption and decryption engine, so that system resources are additionally consumed, and the data processing efficiency is reduced; 2. And the encryption and decryption engine is separated from an input/output (IO) path by adopting bypass deployment. Data need to be transmitted back and forth between the IO link and the engine, so that data transmission delay is increased, the data is limited by communication bandwidth between the engine and the data processing unit, and transmission potential of the IO path cannot be fully exerted; 3. the encryption and decryption and IO paths are not coordinated enough, namely, in the scheme, the data processing unit receives plaintext data, the plaintext data is written into the back end for storage after being encrypted by an engine, and the synchronous completion of data transmission and encryption and decryption cannot be realized. This results in the IO link being serially executed with the encryption and decryption operations, severely affecting the overall throughput of the system. At present, the traditional scheme either depends on a host CPU to encrypt and decrypt so as to occupy a large amount of calculation power, or adopts the bypass engine to have the problems of data copying and delay, and the user file system unloading scheme of integrating an encryption and decryption module in an IO critical path to realize in-line encryption and decryption is not yet presented, so that the core requirements of low delay, high throughput and data security cannot be met. Disclosure of Invention Aiming at the problems that the existing user state file system unloading scheme adopts a bypass encryption and decryption engine to cause multiple data copy loss, performance bottleneck caused by separation of an input/output (IO) path and encryption and decryption, and the like, and the problems that low delay, high throughput, data safety and the like cannot be considered, the invention provides a user state encryption and decryption file system unloading system, a method and a medium supporting an in-line mode. On the basis of keeping the advantage that the data processing unit unloads the file system operation to release the computing power of the CPU of the host, the copy loss of data between the operating system and the bypass engine is thoroughly eliminated, and the synchronous execution of encryption and decryption operation and data transmission is realized, so that the overall throughput and the data processing efficiency of the system are greatly improved. The technical scheme of the invention is as follows: a user mode encryption and decryption file system unloading system supporting an in-line mode comprises: The system comprises a host end, an FPGA hardware module and a TIPU end; The host side is configured with an fs-Client driving module, the fs-Client driving module is used for receiving a file operation request initiated by a user application program, classifying the file operation request, packaging the file operation request into an encryption request or a direct request according to a preset custom protocol, and sending the encryption request or the direct request to the FPGA hardware module by utilizing the direct memory access capability between the FPGA hardware module; The FPGA ha