Search

EP-4738173-A2 - STORAGE DEVICE AND COMPUTING DEVICE INCLUDING THE SAME

EP4738173A2EP 4738173 A2EP4738173 A2EP 4738173A2EP-4738173-A2

Abstract

A storage device includes a non-volatile memory, and a storage controller configured to read a non-encrypted command from a memory outside the storage device. The storage controller is also configured to transmit encrypted data to the non-volatile memory or the memory based on the non-encrypted command, and transmit a non-encrypted completion to the memory. The non-encrypted completion indicates a result of executing the non-encrypted command.

Inventors

  • LEE, HANJU

Assignees

  • Samsung Electronics Co., Ltd.

Dates

Publication Date
20260506
Application Date
20231220

Claims (15)

  1. A processor (100) including a plurality of virtual machines (120) comprising: a memory management unit, MMU, (130) configured to identify an encrypted area (210) and a non-encrypted area (220) of a memory (200) external to the processor (100); and a memory controller (140) configured to: receive original data and a write command; generate (S610) encrypted data by encrypting the original data; write (S620) the encrypted data into the memory (200); and write (S630) the write command into the memory (200) without encrypting the write command.
  2. The processor (100) of claim 1, wherein at least one of the virtual machines (120_1) is configured to transmit the original data and the write command to the memory controller (140) through the MMU (130).
  3. The processor (100) of claim 1 or claim 2, wherein the memory controller (140) is further configured to write (S620) the encrypted data into the encrypted area (210) of the memory (200).
  4. The processor (100) of any preceding claim, wherein the memory controller (140) is further configured to write (S630) the non-encrypted write command into the non-encrypted area (220) of the memory (200).
  5. The processor (100) of any preceding claim, wherein the memory controller (140) is further configured to generate (S610) the encrypted data by using a dedicated encryption key used inside the processor (100).
  6. The processor (100) of claim 5, wherein the dedicated encryption key is not transmitted to an outside of the processor (100) and is not shared with a device outside the processor (100).
  7. The processor (100) of any preceding claim, wherein the memory controller (140) is further configured to read (S680) a non-encrypted completion from the non-encrypted area (220) of the memory (200).
  8. The processor (100) of claim 7, wherein the memory controller (140) is further configured to identify a result of executing the non-encrypted write command based on the non-encrypted completion.
  9. An operating method of processor (100) including a plurality of virtual machines (120) comprising: identifying, by a memory management unit, MMU, (130), an encrypted area (210) and a non-encrypted area (220) of a memory (200); receiving, by a memory controller (140), a read command; writing (S710), by the memory controller (140), the read command into the memory (200) without encrypting the read command; reading (S760), by the memory controller (140), a non-encrypted completion from the memory (200); identifying, by the memory controller (140), a result of executing the non-encrypted read command based on the non-encrypted completion; reading (S770), by the memory controller (140), an encrypted data from the memory (200); and generating, by the memory controller (140), original data by decrypting (S780) the encrypted data.
  10. The operating method of claim 9, further comprises: transmitting, by at least one of the virtual machines (120_1), the read command to the memory controller (140) through the MMU (130).
  11. The operating method of claim 9 or claim 10, writing (S710) the read command comprises: writing (S710), by the memory controller (140), the non-encrypted read command into a non-encrypted area (220) of the memory (200).
  12. The operating method of any of claim 9 to claim 11, reading (S760) the non-encrypted completion comprises: reading (S760), by the memory controller (140), the non-encrypted completion from the non-encrypted area (220) of the memory (200).
  13. The operating method of any of claim 9 to claim 12, reading (S770) the encrypted data comprises: reading (S770), by the memory controller (140), the encrypted data from the encrypted area (210) of the memory (200).
  14. The operating method of any of claim 9 to claim 13, generating the original data comprises: generating, by the memory controller (140), the original data by using a dedicated encryption key used inside the processor (100).
  15. The operating method of claim 14, wherein the dedicated encryption key is not transmitted to an outside of the processor (100) and is not shared with a device outside the processor (100).

Description

BACKGROUND The present disclosure relates to a storage device having enhanced data security performance and a computing device including the same. The storage device is a device for storing data and may include a device storing data in a hard disk drive (HDD), a solid state drive (SSD), and a memory card, in particular, a non-volatile memory. The storage device may store various types of data under control by a processor within a computing device. In this case, the storage device may store data that should not be leaked out, such as personal information and a password of a user. When a computing device of the related art is to store data in an internal storage device, an internal processor of the computing device scrambles unencrypted original data and stores the same in a memory such as dynamic random access memory (DRAM), and the internal storage device of the computing device may store data stored in the memory as it is. With recent technological development, the computing device may encrypt data using the internal processor of the computing device and store the same in an internal memory and storage device. In this case, when the processor encrypts all pieces of data and stores in the memory and storage device, the storage device should decrypt a command written by the processor to perform an accurate operation based on the command of the processor. However, when the storage device receives a shared key used for encryption from the processor to decrypt the command, there is a risk of exposure of the key shared with the storage device. Accordingly, even when encrypted data is stored in the storage device, there is a risk of leakage of the data by a malicious user. SUMMARY Example embodiments provide a storage device capable of preventing leakage of data due to extortion of an encrypted key, and a computing device including the storage device. According to some embodiments, there is provided a storage device including a non-volatile memory, and a storage controller configured to read a non-encrypted command from a memory outside the storage device, transmit encrypted data to the non-volatile memory or the memory based on the non-encrypted command, and transmit a non-encrypted completion to the memory, the non-encrypted completion indicating a result of executing the non-encrypted command. According to an aspect of an example embodiment, there is provided a computing device including a memory, a processor configured to generate encrypted data by encrypting data, write the encrypted data into the memory, and write a non-encrypted write command into the memory, and a storage device including a non-volatile memory and a storage controller, wherein the storage controller is configured to read the non-encrypted write command from the memory, transmit the encrypted data to the non-volatile memory based on the non-encrypted write command, and transmit a non-encrypted completion to the memory, the non-encrypted completion indicating a result of executing the non-encrypted write command. According to an aspect of an example embodiment, there is provided a computing device including a memory, a processor configured to generate encrypted data by encrypting data by using a first encryption key, write the encrypted data into the memory, generate an encrypted write command by encrypting a write command by using a second encryption key, and write the encrypted write command into the memory, and a storage device including a non-volatile memory and a storage controller, wherein the storage controller is configured to read the encrypted write command from the memory, generate the write command by decrypting the encrypted write command by using the second encryption key, transmit the encrypted data to the non-volatile memory based on the write command, and transmit an encrypted completion to the memory, the encrypted completion indicating a result of executing the write command. At least some of the above and other features of the invention are set out in the claims. BRIEF DESCRIPTION OF THE DRAWINGS Embodiments will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which: FIG. 1 is a block diagram of a computing device according to an embodiment;FIG. 2 is a block diagram illustrating in more detail a processor and a memory of a computing device, according to an embodiment;FIG. 3 is a block diagram illustrating in more detail a memory and a storage device of a computing device, according to an embodiment;FIG. 4 is a flowchart illustrating an operating method of a storage device according to an embodiment;FIG. 5 is a flowchart illustrating in more detail a method, performed by a storage device, of transmitting encrypted data, according to an embodiment;FIG. 6 is a flowchart illustrating an operation of writing encrypted data into a storage device in a computing device, according to an embodiment;FIG. 7 is a flowchart illustrating an operation of reading