CN-122020694-A - Page table encryption and integrity protection method and system for input/output memory management unit

CN122020694A

Abstract

The application provides a page table encryption and integrity protection method and system for an input/output memory management unit (IOMMU), in the technical fields of computer technology and data processing. The method allocates a page table page for a new secure-domain input/output address space identifier (IOASID) and generates the plaintext of a base page table entry; determines the page table protection key corresponding to that secure-domain IOASID and obtains a monotonic security version number maintained by hardware; has the security-enhanced IOMMU hardware perform encryption and integrity computation under the page table protection key, the IOASID and the monotonic security version number to obtain an encryption result and a message authentication code; and packages the encryption result, the message authentication code and the monotonic security version number into an enhanced encrypted page table entry, which it writes into system memory. The application protects the confidentiality and integrity of the IOMMU page table within a trusted execution environment and performs low-latency page table decryption and integrity verification without software participation, thereby defending against malicious attacks.

Inventors

  • PAN MINQIANG

Assignees

  • 北京微核芯科技有限公司

Dates

Publication Date
2026-05-12
Application Date
2026-04-14

Claims (13)

  1. A page table encryption and integrity protection method for an input/output memory management unit, comprising: allocating a page table page for a new secure-domain input/output address space identifier (IOASID) and generating the plaintext of a base page table entry; determining the page table protection key corresponding to the secure-domain IOASID and acquiring a monotonic security version number maintained by hardware, wherein each IOASID is bound to an independently derived page table protection key; obtaining an encryption result and a message authentication code through hardware encryption and integrity computation of a security-enhanced input/output memory management unit (IOMMU) according to the page table protection key, the IOASID and the monotonic security version number; and packaging the encryption result, the message authentication code and the monotonic security version number into an enhanced encrypted page table entry and writing the enhanced encrypted page table entry into system memory, wherein the message authentication code covers at least the encryption result, the IOASID and the monotonic security version number.
  2. The method of claim 1, wherein obtaining the encryption result and the message authentication code through security-enhanced IOMMU hardware encryption and integrity computation according to the page table protection key, the IOASID and the monotonic security version number comprises: encrypting fields of the page table entry according to the page table protection key, the IOASID and the monotonic security version number to obtain the encryption result; and computing the message authentication code over the encryption result, the IOASID, the monotonic security version number and a control field using the page table protection key.
  3. The method of claim 1 or 2, further comprising, before allocating the page table page for the new secure-domain IOASID: acquiring a root key from a hardware root of trust, anchoring the root key at the system boot stage, and acquiring a boot random number; acquiring a device identifier and performing a key derivation operation over the root key, the device identifier and the boot random number to obtain an input/output memory management unit master key (IMK); injecting the IMK into a secure key storage module over an on-chip secure bus or interconnect, the secure key storage module comprising an array of unreadable secure registers; and, for each security context, performing a key derivation operation over the context identifier of that security context and the IMK held in the secure key storage module to obtain the page table protection key, wherein the context identifier comprises a virtual machine identifier, the IOASID, or security environment information.
  4. The method of claim 3, further comprising: binding the page table protection key to the corresponding direct memory access (DMA) request context index; and, in response to detecting a security context switch event, immediately zeroizing the page table protection key in hardware and deleting it.
  5. The method of claim 1, further comprising: in response to receiving a direct memory access (DMA) request from an external device, extracting a context field, which comprises the IOASID, from the DMA request; looking up the page table protection key index by the IOASID in the context field, loading the hardware key handle of the page table protection key found into a working register over the on-chip secure interconnect, and loading the latest monotonic security version number threshold bound to the context into a version number comparator for freshness checking; reading the enhanced encrypted entry corresponding to the target page table entry through the memory interface, parsing its internal fields and extracting the page table entry contents, which comprise at least an encrypted physical address field, a message authentication code, a monotonic security version number and a control field; and, in the IOMMU address translation pipeline, performing in hardware at least one of an integrity check and a target address decryption on the page table entry contents read, performing an atomic security check in a hardware comparator, and, if the security verification passes, writing the decrypted page table entry into a secure cache.
  6. The method of claim 5, further comprising: sending the decrypted physical address field to the back-end memory subsystem and continuing to process the DMA request; and/or performing hardware-enforced zeroization of the hardware key handle and of the decryption intermediate state in the working registers once translation is complete.
  7. The method of claim 5 or 6, wherein performing in hardware at least one of an integrity check and a target address decryption on the page table entry contents read comprises: computing an integrity authentication code over the encrypted physical address field, the control field and the monotonic security version number of the page table entry contents using the loaded page table protection key; and/or decrypting the encrypted physical address field of the page table entry contents using the loaded page table protection key to obtain the decrypted physical address field.
  8. The method of claim 7, wherein performing the atomic security check in a hardware comparator comprises: confirming that the security verification passes in response to the integrity authentication code being equal to the message authentication code in the page table entry contents, the monotonic security version number in the page table entry contents satisfying the monotonically increasing constraint, and the enhanced encrypted entry having been generated under the page table protection key bound to the same IOASID as the DMA request.
  9. The method of claim 8, further comprising: determining that the security verification fails in response to the integrity authentication code differing from the message authentication code in the page table entry contents, or the monotonic security version number in the page table entry contents not satisfying the monotonically increasing constraint, or the enhanced encrypted entry having been generated under a page table protection key bound to an IOASID other than that of the DMA request; raising a non-maskable DMA security violation exception; and atomically terminating the current DMA translation pipeline so as to block the external device's access.
  10. A page table encryption and integrity protection system for an input/output memory management unit, comprising: a root of trust and key management unit, for performing hardware-secured loading, binding and management of the page table protection key at the system boot stage and at security context switch stages; a security-enhanced input/output memory management unit comprising a secure key storage module, a page table encryption/decryption module and a page table integrity check module, for secure key storage, page table encryption and decryption, page table integrity checking and secure caching of page table entry contents; and a software component unit for constructing the encrypted page table; wherein the system is further configured to implement the method of any one of claims 1 to 9.
  11. An electronic device, comprising: a processor; and a memory storing instructions executable by the processor; wherein the processor is configured to execute the instructions to implement the method of any one of claims 1 to 9.
  12. A computer readable storage medium, wherein the instructions in the computer readable storage medium, when executed by a processor of an electronic device, enable the electronic device to perform the method of any one of claims 1 to 9.
  13. A computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any one of claims 1 to 9.
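The key hierarchy of claim 3, the entry construction of claims 1 and 2, and the DMA-side verification of claims 5 to 9, modelled in software as an added example for this page (not the patent's or assignee's code). The claims fix no primitives, so everything concrete here is an assumption: HKDF-SHA256 for the derivations, HMAC-SHA256 as the PRF behind both the keystream (standing in for the hardware block cipher) and the MAC, a 64-bit tag, the 22-byte entry layout, and the page table slot index folded into the nonce so that entries sharing a version never reuse keystream and cannot be relocated between slots. ROOT_KEY, DEVICE_ID and BOOT_NONCE are constructed stand-ins for values a real root of trust would supply.

```python
"""Software model of the enhanced encrypted page table entry of claims 1-9.
Constructed for this page; not the patent's or assignee's code. Assumed, since
the claims fix no primitives: HKDF-SHA256 for the claim 3 derivations,
HMAC-SHA256 as the PRF behind the keystream (standing in for the hardware
block cipher) and the MAC, a 64-bit tag, and the page table slot index folded
into the nonce so entries that share a version never reuse keystream and
cannot be moved to another slot."""
import hashlib
import hmac
import struct

# Constructed stand-ins for the hardware root of trust inputs of claim 3.
ROOT_KEY = bytes.fromhex("11" * 32)
DEVICE_ID = b"soc-example-0001"
BOOT_NONCE = bytes.fromhex("a5" * 16)

CTRL_PRESENT, CTRL_READ, CTRL_WRITE = 0x1, 0x2, 0x4
ENTRY_FMT = ">8s8sIH"   # ciphertext(8) | mac(8) | version(4) | control field(2)
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 extract-then-expand (assumed KDF)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_imk(root_key, device_id, boot_nonce):
    """Claim 3: IOMMU master key from root key, device identifier and boot nonce."""
    return hkdf_sha256(root_key, boot_nonce, b"IOMMU-IMK|" + device_id)


def derive_ptk(imk, ioasid):
    """Claim 3: per-context page table protection key bound to one IOASID."""
    return hkdf_sha256(imk, b"\x00" * 32, b"IOMMU-PTK|" + struct.pack(">I", ioasid))


def _prf(ptk, label, ioasid, version, slot, extra=b""):
    """Keyed PRF over (label, IOASID, version, slot[, extra]); assumed construction."""
    msg = label + struct.pack(">IIQ", ioasid, version, slot) + extra
    return hmac.new(ptk, msg, hashlib.sha256).digest()


def build_entry(ptk, ioasid, version, slot, phys_addr, ctrl):
    """Claims 1-2: encrypt the physical address under (PTK, IOASID, version, slot),
    MAC the ciphertext together with IOASID, version and control field, package."""
    keystream = _prf(ptk, b"ENC", ioasid, version, slot)[:8]
    ct = bytes(a ^ b for a, b in zip(struct.pack(">Q", phys_addr), keystream))
    mac = _prf(ptk, b"MAC", ioasid, version, slot, ct + struct.pack(">H", ctrl))[:8]
    return struct.pack(ENTRY_FMT, ct, mac, version, ctrl)


class DmaSecurityViolation(Exception):
    """Claim 9: non-maskable violation; the translation pipeline is aborted."""


def translate(ptk, ioasid, version_threshold, slot, entry):
    """Claims 5-9: verify, then decrypt, one entry for a DMA request in the
    context (ioasid, ptk) whose freshness threshold is version_threshold."""
    ct, mac, version, ctrl = struct.unpack(ENTRY_FMT, entry)
    expected = _prf(ptk, b"MAC", ioasid, version, slot, ct + struct.pack(">H", ctrl))[:8]
    # An entry built under another IOASID's key also fails here: the tag is
    # recomputed with the requester's own PTK and IOASID (claim 9, third case).
    if not hmac.compare_digest(mac, expected):
        raise DmaSecurityViolation("integrity/domain check failed at slot %#x" % slot)
    if version < version_threshold:
        raise DmaSecurityViolation("stale version %d < threshold %d" % (version, version_threshold))
    keystream = _prf(ptk, b"ENC", ioasid, version, slot)[:8]
    phys_addr = struct.unpack(">Q", bytes(a ^ b for a, b in zip(ct, keystream)))[0]
    return phys_addr, ctrl


def check(ptk, ioasid, version_threshold, slot, entry):
    """Returns 'ok' or the violation reason; used by the demonstrations below."""
    try:
        translate(ptk, ioasid, version_threshold, slot, entry)
        return "ok"
    except DmaSecurityViolation as exc:
        return str(exc)


if __name__ == "__main__":
    imk = derive_imk(ROOT_KEY, DEVICE_ID, BOOT_NONCE)
    ptk7, ptk8 = derive_ptk(imk, 7), derive_ptk(imk, 8)
    entry = build_entry(ptk7, 7, 3, 0x10, 0xDEADBEEF000, CTRL_PRESENT | CTRL_READ)
    print("valid entry       :", check(ptk7, 7, 3, 0x10, entry))
    bitflip = bytearray(entry)
    bitflip[0] ^= 0x80                                  # tamper with the ciphertext
    print("ciphertext flipped:", check(ptk7, 7, 3, 0x10, bytes(bitflip)))
    escalated = entry[:-2] + struct.pack(">H", CTRL_PRESENT | CTRL_READ | CTRL_WRITE)
    print("control field set :", check(ptk7, 7, 3, 0x10, escalated))
    print("rolled back (th=4):", check(ptk7, 7, 4, 0x10, entry))
    print("other domain      :", check(ptk8, 8, 3, 0x10, entry))
    print("moved to slot 0x11:", check(ptk7, 7, 3, 0x11, entry))
```

The control field stays in plaintext but is covered by the tag, so flipping a permission bit is caught the same way as tampering with the ciphertext; the rollback case passes the tag check and is rejected only by the version comparator, which is why the hardware must advance the per-context threshold on every invalidation or the old entry remains replayable. In this model a tag mismatch subsumes claim 9's first and third cases; a design that instead stores the IOASID inside the entry must still bind the key to the requester's context rather than merely compare the stored field.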

Description

Page table encryption and integrity protection method and system for input/output memory management unit

Technical Field

The application relates to the technical fields of computer technology and data processing, and in particular to a page table encryption and integrity protection method and system for an input/output memory management unit.

Background

In the related art, the IOMMU page table is stored in system memory in plaintext, where it can easily be read back and stolen by a malicious VMM (hypervisor), a compromised driver or a software vulnerability, exposing sensitive information such as DMA target physical addresses and seriously threatening data confidentiality. The integrity of the page table contents cannot be verified at the hardware level, so an attacker can bypass the IOMMU's access control by constructing forged mapping entries or replaying an old version of the page table, illegally redirecting and tampering with TEE or virtual machine data; this leaves core data with security and integrity defects.
The IOMMU mechanism relies on an untrusted VMM or operating system to load the page table and lacks key derivation, loading and authentication capabilities tied to a hardware root of trust (RoT), so it cannot independently verify the trustworthiness of the page table's creator and origin. If the keys protecting the IOMMU page table are maintained by software (such as an ordinary kernel or TEE software), they are exposed to privilege escalation and side-channel attacks; without a hardware secure key storage module and protection mechanism, the controllability and confidentiality of the key life cycle are hard to guarantee. In virtualization and multi-tenant scenarios there is no efficient, fine-grained hardware mechanism ensuring that the page table protection keys of different security domains (such as different VMs or TEE instances) are completely isolated, so cross-domain key access and page table replay between security domains remain possible; these are root-of-trust and key management defects. Even where the page table is encrypted or signed by software, decryption and integrity checking carry a large performance cost, making it hard to meet the low-latency address translation requirements of high-speed DMA devices (such as network and storage accelerators). Existing IOMMU security mechanisms focus on address translation control and cope poorly with complex attack vectors such as DMA bypass and illegal I/O memory reads and writes, so no integral security protection covering the whole I/O subsystem path can be built; performance bottlenecks and gaps in the security framework may result.
Therefore, how to protect the confidentiality and integrity of IOMMU page tables in a trusted execution environment, perform low-latency page table decryption and integrity verification without software participation, and defend against a cooperative attack by a malicious operating system, a malicious VMM and a DMA device has become an important research direction.

Disclosure of Invention

The present application aims to solve at least one of the above technical problems in the related art to some extent. The technical scheme of the present disclosure is as follows. An embodiment of a first aspect of the present application provides a page table encryption and integrity protection method for an input/output memory management unit, including: allocating a page table page for a new secure-domain input/output address space identifier (IOASID) and generating the plaintext of a base page table entry; determining the page table protection key corresponding to the secure-domain IOASID and acquiring a monotonic security version number maintained by hardware, wherein each IOASID is bound to an independently derived page table protection key; obtaining an encryption result and a message authentication code through hardware encryption and integrity computation of a security-enhanced input/output memory management unit (IOMMU) according to the page table protection key, the IOASID and the monotonic security version number; and packaging the encryption result, the message authentication code and the monotonic security version number into an enhanced encrypted page table entry and writing the enhanced encrypted page table entry into system memory, wherein the message authentication code covers at least the encryption result, the IOASID and the monotonic security version number.
In some embodiments, obtaining the encryption result and the message authentication code from the page table protection key, the IOASID and the monotonic security version number through security-enhanced IOMMU hardware encryption and integrity computation comprises: encrypting fields of the page table entry according to the page table protection key, the IOASID and the monotonic security version number to obtain