Search

CN-122020742-A - Memory access method and related equipment

CN122020742ACN 122020742 ACN122020742 ACN 122020742ACN-122020742-A

Abstract

The embodiment of the application provides a memory access method and related equipment, wherein the method applied to a processor comprises the steps of generating a memory access request according to a virtual memory access request, judging whether a host physical address is in a preset host physical address range, setting a memory access type as a write-back type and judging whether the memory access request is in cache hit or not if the host physical address is in the preset host physical address range, sending the memory access request to a memory controller if the memory access request is in cache miss, enabling the memory controller to determine return data returned to the processor and third safety attribute information, modifying the return data, taking the modified return data as data to be written, and sending the third safety attribute information, virtual machine identification and the data to be written to a safety memory isolation management unit so that the safety memory isolation management unit can determine whether the memory access request is executed or not. The embodiment of the application can improve the protection of the encrypted memory of the secure virtual machine.

Inventors

  • LI LU

Assignees

  • 海光云芯集成电路设计(上海)有限公司

Dates

Publication Date
20260512
Application Date
20251218

Claims (17)

  1. 1. A memory access method, applied to a processor, comprising: Generating a memory access request according to a virtual memory access request, wherein the memory access request comprises a host physical address, a virtual machine identifier and first security attribute information, and the first security attribute information is used for indicating the security attribute of a main body initiating the virtual memory access request; judging whether the host physical address is in a preset host physical address range or not, wherein the preset host physical address range is used for indicating that the memory access type in the range is a write-back type; If the host physical address is in the preset host physical address range, setting the memory access type of the memory access request as a write-back type, and judging whether the memory access request is in cache hit or not; If the cache is not hit, the memory access request is sent to a memory controller, so that the memory controller reads target data corresponding to the memory access request and second security attribute information from a memory, and further determines return data returned to a processor and third security attribute information based on the first security attribute information and the second security attribute information, wherein the second security attribute information is security attribute information corresponding to the target data in the memory; and modifying the returned data, taking the modified returned data as data to be written, and sending the third security attribute information, the virtual machine identification and the data to be written to a secure memory isolation management unit so that the secure memory isolation management unit determines whether to execute the memory access request.
  2. 2. The memory access method of claim 1, wherein generating a memory access request from a virtual memory access request comprises: obtaining a virtual memory access request, wherein the virtual memory access request comprises a virtual physical address; converting the virtual physical address to a host physical address based on a nested page table; And generating a memory access request based on the host physical address, the virtual machine identifier and the first security attribute information.
  3. 3. The memory access method of claim 1, further comprising: and if the cache hits, the returned data corresponding to the memory access request and the third security attribute information are read from the cache.
  4. 4. A memory access method, applied to a secure memory isolation management unit, comprising: Receiving third security attribute information, virtual machine identification and data to be written, wherein the third security attribute information is determined by a memory controller based on the first security attribute information and the second security attribute information, and the data to be written is obtained by modifying return data returned by the memory controller by a processor; determining whether to execute a memory access request based on third security attribute information and virtual machine identification, wherein the memory access request is generated by a processor according to the virtual memory access request, the memory access request comprises a host physical address, the virtual machine identification and first security attribute information, and the first security attribute information is used for indicating security attributes of a main body initiating the virtual memory access request.
  5. 5. The memory access method of claim 4, wherein determining whether to perform the memory access request based on the third security attribute information and the virtual machine identification comprises: Judging whether the third security attribute information is a preset value or not, and judging whether the virtual machine identifier is a virtual machine identifier of a security virtual machine or not; If the third security attribute information is a preset value and the virtual machine identifier is the virtual machine identifier of the secure virtual machine, the third security attribute information, the virtual machine identifier and the data to be written are sent to the memory controller so that the memory controller can continuously execute the memory access request; If the third security attribute information is a preset value and the virtual machine identifier is not the virtual machine identifier of the secure virtual machine, ending executing the memory access request; and if the third security attribute information is not the preset value, sending the third security attribute information, the virtual machine identifier and the data to be written to the memory controller so that the memory controller can continuously execute the memory access request.
  6. 6. A memory access method, applied to a memory controller, comprising: Receiving a memory access request, and reading target data corresponding to the memory access request and second security attribute information from a memory according to the memory access request, wherein the memory access request comprises a host physical address, a virtual machine identifier and first security attribute information, and the first security attribute information is used for indicating the security attribute of a main body initiating the virtual memory access request; and determining return data returned to the processor and third security attribute information based on the first security attribute information and the second security attribute information, wherein the first security attribute information is used for indicating the security attribute of the main body initiating the virtual memory access request.
  7. 7. The memory access method of claim 6, wherein the determining return data to return to the processor based on the first security attribute information and the second security attribute information, and third security attribute information, comprises: performing a first operation on the first security attribute information and the second security attribute information, and determining return data returned to the processor based on a result of the first operation; and performing a second operation on the first security attribute information and the second security attribute information, and determining third security attribute information based on a result of the second operation.
  8. 8. The memory access method according to claim 7, wherein the first operation is performed on the first security attribute information and the second security attribute information, and return data returned to the processor is determined based on a result of the first operation, specifically: performing exclusive-or operation on the first security attribute information and the second security attribute information; if the result of the exclusive or operation is 1, returning invalid target data; if the result of the exclusive or operation is 0, the correct target data is returned.
  9. 9. The memory access method according to claim 7, wherein the performing a second operation on the first security attribute information and the second security attribute information determines third security attribute information based on a result of the second operation, specifically: performing or operation on the first security attribute information and the second security attribute information; If the result of the OR operation is 1, the third security attribute information is 1; if the result of the or operation is 0, the third security attribute information is 0.
  10. 10. The memory access method of claim 6, further comprising: And receiving third security attribute information, virtual machine identification and data to be written, and continuing to execute the memory access request.
  11. 11. The memory access method of claim 10, wherein the continuing to execute the memory access request comprises: writing the data to be written into the memory, and setting the second security attribute information as the third security attribute information.
  12. 12. A memory access device, for use with a processor, comprising: the memory access request generation unit is used for generating a memory access request according to the virtual memory access request, wherein the memory access request comprises a host physical address, a virtual machine identifier and first security attribute information, and the first security attribute information is used for indicating the security attribute of a main body initiating the virtual memory access request; the first judging unit is used for judging whether the host physical address is in a preset host physical address range or not, wherein the preset host physical address range is used for indicating that the memory access type in the range is a write-back type; the second judging unit is used for setting the memory access type of the memory access request as a write-back type when the host physical address is in a preset host physical address range, and judging whether the memory access request is in cache hit or not; The first sending unit is used for sending the memory access request to the memory controller when the cache is not hit, so that the memory controller reads target data corresponding to the memory access request and second security attribute information from a memory, and further determines return data returned to the processor and third security attribute information based on the first security attribute information and the second security attribute information, wherein the second security attribute information is security attribute information corresponding to the target data in the memory; the second sending unit is configured to modify the returned data, send the modified returned data to the secure memory isolation management unit with the third security attribute information, the virtual machine identifier, and the data to be written as data to be written, so that the secure memory isolation management unit decides whether to execute the memory access request.
  13. 13. A memory access device, for use in a secure memory isolation management unit, comprising: The memory controller comprises a first receiving unit, a second receiving unit and a first processing unit, wherein the first receiving unit is used for receiving third security attribute information, a virtual machine identifier and data to be written, the third security attribute information is determined by the memory controller based on the first security attribute information and the second security attribute information, and the data to be written is obtained by modifying return data returned by the memory controller by the processor; The determining unit is used for determining whether to execute the memory access request based on the third security attribute information and the virtual machine identifier, wherein the memory access request is generated by the processor according to the virtual memory access request, the memory access request comprises a host physical address, the virtual machine identifier and first security attribute information, and the first security attribute information is used for indicating the security attribute of a main body initiating the virtual memory access request.
  14. 14. A memory access device, for use in a memory controller, comprising: The system comprises a first receiving unit, a second receiving unit and a first receiving unit, wherein the first receiving unit is used for receiving a memory access request, reading target data corresponding to the memory access request from a memory according to the memory access request, and second security attribute information, the memory access request comprises a host physical address, a virtual machine identifier and first security attribute information, and the first security attribute information is used for indicating the security attribute of a main body initiating the virtual memory access request; and the determining unit is used for determining the return data returned to the processor and the third security attribute information based on the first security attribute information and the second security attribute information, wherein the first security attribute information is used for indicating the security attribute of the main body initiating the virtual memory access request.
  15. 15. A computer system comprising a processor configured to perform the memory access method of any one of claims 1-3, a secure memory isolation management unit configured to perform the memory access method of any one of claims 4-5, and a memory controller configured to perform the memory access method of any one of claims 6-11.
  16. 16. The computer system of claim 15, further comprising a memory controlled by the memory controller.
  17. 17. A chip comprising the computer system of claim 15 or claim 16.

Description

Memory access method and related equipment Technical Field The embodiment of the application relates to the technical field of computers, in particular to a memory access method and related equipment. Background Through the virtualization technology (Virtualization), the host can virtualize a plurality of Virtual Machines (VMs), thereby efficiently utilizing hardware resources of the host. In a virtualized environment, a virtual machine monitor (Virtual Machine Monitor, VMM) is responsible for managing and scheduling virtual machines. And the memory controller judges whether the access is initiated by the secure virtual machine or not for protecting the encrypted memory of the secure virtual machine, if the access is initiated by the secure virtual machine, the memory controller returns correct data, and if the access is not initiated by the secure virtual machine, the memory controller returns invalid data. However, protection of the encrypted memory of the secure virtual machine is still to be improved. Disclosure of Invention In view of this, the embodiments of the present application provide a memory access method and related devices to improve the protection of the encrypted memory of the secure virtual machine. In order to achieve the above purpose, the embodiment of the present application provides the following technical solutions. In a first aspect, an embodiment of the present application provides a memory access method, applied to a processor, including: Generating a memory access request according to a virtual memory access request, wherein the memory access request comprises a host physical address, a virtual machine identifier and first security attribute information, and the first security attribute information is used for indicating the security attribute of a main body initiating the virtual memory access request; judging whether the host physical address is in a preset host physical address range or not, wherein the preset host physical address range is used for indicating that the memory access type in the range is a write-back type; If the host physical address is in the preset host physical address range, setting the memory access type of the memory access request as a write-back type, and judging whether the memory access request is in cache hit or not; If the cache is not hit, the memory access request is sent to a memory controller, so that the memory controller reads target data corresponding to the memory access request and second security attribute information from a memory, and further determines return data returned to a processor and third security attribute information based on the first security attribute information and the second security attribute information, wherein the second security attribute information is security attribute information corresponding to the target data in the memory; and modifying the returned data, taking the modified returned data as data to be written, and sending the third security attribute information, the virtual machine identification and the data to be written to a secure memory isolation management unit so that the secure memory isolation management unit determines whether to execute the memory access request. Optionally, the generating a memory access request according to the virtual memory access request includes: obtaining a virtual memory access request, wherein the virtual memory access request comprises a virtual physical address; converting the virtual physical address to a host physical address based on a nested page table; And generating a memory access request based on the host physical address, the virtual machine identifier and the first security attribute information. Optionally, the method further comprises: and if the cache hits, the returned data corresponding to the memory access request and the third security attribute information are read from the cache. In a second aspect, an embodiment of the present application provides a memory access method, applied to a secure memory isolation management unit, including: Receiving third security attribute information, virtual machine identification and data to be written, wherein the third security attribute information is determined by a memory controller based on the first security attribute information and the second security attribute information, and the data to be written is obtained by modifying return data returned by the memory controller by a processor; determining whether to execute a memory access request based on third security attribute information and virtual machine identification, wherein the memory access request is generated by a processor according to the virtual memory access request, the memory access request comprises a host physical address, the virtual machine identification and first security attribute information, and the first security attribute information is used for indicating security attributes of a main body initiating the virtual memory access requ