Search

CN-121996591-A - DMA access method and apparatus, electronic device, storage medium and program product

CN121996591ACN 121996591 ACN121996591 ACN 121996591ACN-121996591-A

Abstract

The invention provides a DMA access method and device, electronic equipment, a storage medium and a program product, and relates to the technical field of computers. The method comprises the steps of receiving a DMA request, matching a target security filter register according to identity information when the DMA request is an unreliable DMA request, allowing access to a preset memory by the unreliable DMA request with a target address within a preset memory range only when the DMA request is the unreliable DMA request, remapping the unreliable DMA request to an unsafe memory range aiming at the unreliable DMA request with the target address within the preset memory range, and remapping the DMA request to the unsafe memory range aiming at the unreliable DMA request with the target address within the preset memory range when the DMA request is the unreliable DMA request with the target address within the preset memory range only when the DMA request is the unreliable DMA request with the target address within the preset memory range. The invention improves the safety of memory access.

Inventors

  • WANG BAOJUN
  • WANG HUANDONG

Assignees

  • 龙芯中科技术股份有限公司

Dates

Publication Date
20260508
Application Date
20251225

Claims (15)

  1. 1. A method of DMA access, the method comprising: the method comprises the steps of receiving a DMA request, wherein the DMA request comprises the identity information of equipment and a target address to be accessed; If the DMA request is an unreliable DMA request, matching a target security filter register according to the identity information, wherein the target security filter register designates a section of preset memory in a memory, and the target security filter register stores security attributes of the preset memory, wherein the security attributes comprise security or non-security; Allowing only the access of the target address to the preset memory by the unreliable DMA request in the preset memory range, and remapping the unreliable DMA request to the unsafe memory range aiming at the unreliable DMA request of the target address not in the preset memory range; and under the condition that the security attribute is secure, only allowing access of the unreliable DMA request of which the target address is not in the preset memory range, and remapping the DMA request to the unsafe memory range aiming at the unreliable DMA request of which the target address is in the preset memory range.
  2. 2. The DMA access method according to claim 1, wherein, in case the DMA request is an untrusted DMA request, before matching a target security filter register according to the identity information, the method further comprises: And under the condition that the identity information corresponding to the DMA request is positioned outside the security mapping table, determining the DMA request as an untrusted DMA request.
  3. 3. The DMA access method according to claim 2, further comprising, before said matching the target security filter register according to the identity information: In the case that the mapping of the domain exists in the untrusted DMA request and the untrusted DMA request is mapped into an untrusted mapping domain based on an input-output virtualized address mapping table, performing address translation on the untrusted DMA request in the untrusted mapping domain; And in the case that the mapping of the domain exists in the untrusted DMA request and the untrusted DMA request is mapped into the mapping domain of the confidential virtual machine based on the input-output virtualized address mapping table, forcedly modifying the mapping result of the untrusted DMA request into a reserved domain, and performing address translation on the untrusted DMA request in the reserved domain, wherein the reserved domain comprises a mapping domain outside the mapping domain of the confidential virtual machine.
  4. 4. The DMA access method according to claim 2, wherein the determining the DMA request as an untrusted DMA request in a case where the identity information corresponding to the DMA request is located outside a security mapping table, comprises: when the identity information corresponding to the DMA request is located outside a security mapping table, mapping a domain exists in the DMA request, and the DMA request is mapped into an untrusted mapping domain based on an input-output virtualized address mapping table, performing address translation on the DMA request in the untrusted mapping domain, and determining and marking the DMA request as an untrusted DMA request; When the identity information corresponding to the DMA request is located outside a security mapping table, mapping a domain exists in the DMA request, and the DMA request is mapped into a mapping domain of a confidential virtual machine based on an input-output virtualized address mapping table, forcedly modifying a mapping result of the DMA request into a reserved domain, performing address translation on the DMA request in the reserved domain, and determining and marking the DMA request as an untrusted DMA request; And determining and marking the DMA request as an untrusted DMA request under the condition that the identity information corresponding to the DMA request is positioned outside a security mapping table and the DMA request does not have the mapping of a domain.
  5. 5. The DMA access method according to claim 2, characterized in that the method further comprises: Mapping the DMA request into a mapping domain of the confidential virtual machine bound by the sending device based on the security mapping table under the condition that the identity information corresponding to the DMA request is located in the security mapping table; And in the mapping domain of the confidential virtual machine, performing address translation on the DMA request, and accessing the memory domain of the confidential virtual machine.
  6. 6. The DMA access method of claim 5, further comprising: Setting the address of a first-level directory table of a mapping domain of the confidential virtual machine to be positioned in a memory protected by a trusted computing base and binding the address with the confidential virtual machine; The address modification rights of the first level directory table of the mapping domain of the confidential virtual machine are set to only allow modification by the trusted computing base.
  7. 7. The DMA access method of claim 5, further comprising: Setting a traversal configuration of each level of page tables in a mapping domain of the confidential virtual machine to only allow modification by a trusted computing base; The modification rights of the translation look-aside buffer in the mapping domain of the confidential virtual machine are set to allow only hardware modifications.
  8. 8. The DMA access method according to any of claims 2 to 7, characterized in that the method further comprises: dividing the devices into trusted devices and untrusted devices; Binding the trusted device with at least one confidential virtual machine; storing the corresponding relation among the trusted device, the confidential virtual machine bound with the trusted device and the mapping domain of the confidential virtual machine bound with the trusted device in the security mapping table.
  9. 9. The DMA access method of claim 8, wherein storing in the secure mapping table the correspondence of the trusted device, the confidential virtual machine to which the trusted device is bound, and the mapping domain of the confidential virtual machine to which the trusted device is bound, comprises: and storing the corresponding relation among the trusted device, the confidential virtual machine bound with the trusted device and the mapping domain of the confidential virtual machine bound with the trusted device in the security mapping table by a trusted computing base.
  10. 10. A DMA access method according to any one of claims 1 to 7, The target security filter register is configured by a trusted computing base.
  11. 11. A DMA access method according to any one of claims 1 to 7, Under the condition that the security attribute is secure, the preset memory comprises a memory domain of a confidential virtual machine; the non-secure memory range includes a memory range outside of the memory domain of the confidential virtual machine.
  12. 12. A DMA access device, the device comprising: The receiving module is used for receiving a DMA request, wherein the DMA request comprises identity information of equipment and a target address to be accessed; the system comprises a DMA request module, a matching module, a target security filter register, a memory, a storage module and a storage module, wherein the DMA request is an unreliable DMA request, and is used for matching the target security filter register according to the identity information; A DMA first access module, configured to allow only an untrusted DMA request of the target address within the preset memory range to access the preset memory, and remap the untrusted DMA request to an unsecure memory range for an untrusted DMA request of the target address not within the preset memory range, if the security attribute is unsecure; And the DMA second access module is used for only allowing the access of the unreliable DMA request of which the target address is not in the preset memory range under the condition that the security attribute is secure, and remapping the DMA request to the unsafe memory range aiming at the unreliable DMA request of which the target address is in the preset memory range.
  13. 13. An electronic device, comprising: Processor, memory and computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the DMA access method according to any of the claims 1 to 11 when the program is executed by the processor.
  14. 14. A readable storage medium, characterized in that instructions in said storage medium, when executed by a processor of an electronic device, enable the electronic device to perform the steps of the DMA access method of any of claims 1 to 11.
  15. 15. A computer program product comprising a computer program which, when executed by a processor, implements the steps of the DMA access method according to any of claims 1 to 11.

Description

DMA access method and apparatus, electronic device, storage medium and program product Technical Field The present invention relates to the field of computer technology, and in particular, to a DMA access method, a DMA access apparatus, an electronic device, a storage medium, and a computer program product. Background DMA (Direct Memory Access) technology allows any external device to directly read from or write to the physical memory of the computer system, which speeds up data transfer efficiency. However, malicious software may indirectly gain access to any memory by configuring the target address of the DMA, resulting in security issues. Disclosure of Invention In view of the foregoing, embodiments of the present invention are provided to provide a DMA access method for overcoming the foregoing problems or at least partially solving the foregoing problems, so as to improve the security of memory access. In a first aspect, the present invention provides a DMA access method, the method comprising: the method comprises the steps of receiving a DMA request, wherein the DMA request comprises the identity information of equipment and a target address to be accessed; If the DMA request is an unreliable DMA request, matching a target security filter register according to the identity information, wherein the target security filter register designates a section of preset memory in a memory, and the target security filter register stores security attributes of the preset memory, wherein the security attributes comprise security or non-security; Allowing only the access of the target address to the preset memory by the unreliable DMA request in the preset memory range, and remapping the unreliable DMA request to the unsafe memory range aiming at the unreliable DMA request of the target address not in the preset memory range; and under the condition that the security attribute is secure, only allowing access of the unreliable DMA request of which the target address is not in the preset memory range, and remapping the DMA request to the unsafe memory range aiming at the unreliable DMA request of which the target address is in the preset memory range. In a second aspect, the present invention provides a DMA access apparatus comprising: The receiving module is used for receiving a DMA request, wherein the DMA request comprises identity information of equipment and a target address to be accessed; the system comprises a DMA request module, a matching module, a target security filter register, a memory, a storage module and a storage module, wherein the DMA request is an unreliable DMA request, and is used for matching the target security filter register according to the identity information; A DMA first access module, configured to allow only an untrusted DMA request of the target address within the preset memory range to access the preset memory, and remap the untrusted DMA request to an unsecure memory range for an untrusted DMA request of the target address not within the preset memory range, if the security attribute is unsecure; And the DMA second access module is used for only allowing the access of the unreliable DMA request of which the target address is not in the preset memory range under the condition that the security attribute is secure, and remapping the DMA request to the unsafe memory range aiming at the unreliable DMA request of which the target address is in the preset memory range. In a third aspect, the invention provides an electronic device comprising a processor, a memory and a computer program stored on the memory and executable on the processor, the processor implementing the above-mentioned DMA access method when executing the program. In a fourth aspect, the present invention provides a readable storage medium, which when executed by a processor of an electronic device, enables the electronic device to perform the above-described DMA access method. In a fifth aspect, the invention provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the above described DMA access method. The invention has the following advantages: In the application, a security filter register is arranged, after receiving an unreliable DMA request, the unreliable DMA request is not directly allowed to access the physical memory of the computer system, and the target security filter register is matched according to the identity information of the sending equipment included in the unreliable DMA request. The target security filter register designates a section of preset memory in the memory, and the target security filter register stores the security attribute of the preset memory. If the security attribute of the preset memory is unsafe, the preset memory is not a memory needing to be protected, only the unreliable DMA request of the target address to be accessed in the preset memory range is allowed to access the preset memory, and if the unreliable DMA