US-12619554-B2 - Non-intrusive rekeying for memory encryption
Abstract
Rekeying operations can be performed without significantly impacting the execution of software that relies on those keys. In one embodiment, a hardware-based solution connects to a memory controller in a way that hides the rekeying from the software, where the hardware keeps track of which memory addresses in a memory space correspond to new keys. Rekeying can be performed for memory addresses in order, such as from bottom to top addresses in a region table, and a rekeying address can be used to keep track of the rekeying process, such that addresses below the rekeying address in the table are to use the new keys and addresses above the rekeying address are to use the current or old key, with the address corresponding to the rekeying address using the prior key for reads and the new key for writes. Keys can then be updated frequently without significant downtime or software modifications.
Inventors
- Ahmad Atamli
- Barry Spinney
- Yonatan COHEN
- Hillel Chapman
Assignees
- MELLANOX TECHNOLOGIES, LTD.
Dates
- Publication Date: 2026-05-05
- Application Date: 2024-04-09
Claims (20)
- 1. A method, comprising: identifying a plurality of address spaces in computer memory for which new encryption keys are to be assigned; starting from a first address space in a memory table for the computer memory, and moving to a last address space in the memory table, assigning respective new encryption keys to the plurality of address spaces and indicating the respective new encryption keys in the memory table; and updating, during the assigning, a rekeying address indicating a current address space, of the plurality of address spaces, for which a respective new encryption key is to be assigned, wherein an operation to be performed involving a specified address space in the computer memory is to determine whether to use the respective new encryption key based, at least in part, upon a location of the specified address space in the memory table being before or after the rekeying address.
- 2. The method of claim 1, further comprising: using a respective new encryption key for the operation if the location of the specified address space is prior to the rekeying address in the memory table.
- 3. The method of claim 1, further comprising: using a current encryption key for the operation if the location of the specified address space is subsequent to the rekeying address in the memory table.
- 4. The method of claim 1, further comprising: using a respective new encryption key for the operation if the operation is a read operation, and using a current encryption key for the operation if the operation is a write operation, when the location of the specified address space is equal to the rekeying address in the memory table.
- 5. The method of claim 1, wherein the method is initiated by firmware and the updating is performed in hardware.
- 6. The method of claim 1, further comprising: re-encrypting data stored to the plurality of address spaces in response to the respective new encryption keys being assigned to the plurality of address spaces.
- 7. The method of claim 1, further comprising: selecting values for the respective new encryption keys using a random or pseudo-random selection process; and verifying a uniqueness of each of the respective new encryption keys.
- 8. A system, comprising: one or more processors; and memory including instructions that, when performed by the one or more processors, cause the system to: perform an assigning of a new encryption key to a plurality of address spaces indicated in a memory table for a computer memory, starting from a first address space and moving to a last address space indicated in the memory table, and store the new encryption key for the plurality of address spaces in the memory table; and update, during the assigning, a rekeying address indicating a current address space, of the plurality of address spaces, for which the new encryption key is being applied to data stored in the computer memory, wherein an operation to be performed involving a specified address space in the computer memory is to determine whether to use the new encryption key or a prior key for the specified address space based, at least in part, upon a location of the specified address space in the memory table being before or after the rekeying address.
- 9. The system of claim 8, wherein the instructions, when performed, further cause the system to: use the new encryption key for the operation if the location of the specified address space is prior to the rekeying address in the memory table.
- 10. The system of claim 8, wherein the instructions, when performed, further cause the system to: use a prior encryption key for the operation if the location of the specified address space is subsequent to the rekeying address in the memory table.
- 11. The system of claim 10, wherein the instructions, when performed, further cause the system to: use the new encryption key for the operation if the operation is a read operation, and use the prior encryption key for the operation if the operation is a write operation, when the location of the specified address space is equal to the rekeying address in the memory table.
- 12. The system of claim 8, wherein the assigning is initiated by firmware and the updating is performed in hardware.
- 13. The system of claim 8, wherein the instructions, when performed, further cause the system to: re-encrypt data stored to the plurality of address spaces in response to the new encryption key being assigned to the plurality of address spaces.
- 14. The system of claim 8, wherein the instructions, when performed, further cause the system to: select a value for the new encryption key using a random or pseudo-random selection process; and verify a uniqueness of the new encryption key before performing the assigning of the new encryption key to the plurality of address spaces.
- 15. A system-on-chip, comprising: a memory controller to interface with at least one memory device; a region table to store keying data for the at least one memory device; and a memory encryption controller to instruct performance of a rekeying operation for the at least one memory device, at least in part, by: assigning a new encryption key to a plurality of address spaces indicated in a memory table for a computer memory, starting from a first address space and moving to a last address space indicated in the memory table, and storing the new encryption key for the plurality of address spaces in the memory table; and updating, during the assigning, a rekeying address indicating a current address space, of the plurality of address spaces, for which the new encryption key is being assigned, wherein an operation to be performed involving a specified address space in the computer memory is to determine whether to use the new encryption key or a prior key for the specified address space based, at least in part, upon a location of the specified address space in the memory table being before or after the rekeying address.
- 16. The system-on-chip of claim 15, wherein the memory encryption controller is further to instruct performance of the rekeying operation by: using the new encryption key for the operation if the location of the specified address space is prior to the rekeying address in the memory table.
- 17. The system-on-chip of claim 15, wherein the memory encryption controller is further to instruct performance of the rekeying operation by: using a prior encryption key for the operation if the location of the specified address space is subsequent to the rekeying address in the memory table.
- 18. The system-on-chip of claim 17, wherein the memory encryption controller is further to instruct performance of the rekeying operation by: using the new encryption key for the operation if the operation is a read operation, and using the prior encryption key for the operation if the operation is a write operation, when the location of the specified address space is equal to the rekeying address in the memory table.
- 19. The system-on-chip of claim 15, wherein the memory encryption controller is further to instruct performance of the rekeying operation by: re-encrypting data stored to the plurality of address spaces in response to the new encryption key being assigned to the plurality of address spaces.
- 20. The system-on-chip of claim 15, wherein the system-on-chip is comprised in at least one of: a system for performing simulation operations; a system for performing simulation operations to test or validate autonomous machine applications; a system for rendering graphical output; a system for performing deep learning operations; a system implemented using an edge device; a system for generating or presenting virtual reality (VR) content; a system for generating or presenting augmented reality (AR) content; a system for generating or presenting mixed reality (MR) content; a system incorporating one or more Virtual Machines (VMs); a system implemented at least partially in a data center; a system for performing hardware testing using simulation; a system for synthetic data generation; a collaborative content creation platform for 3D assets; or a system implemented at least partially using cloud computing resources.
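As an added illustration, not code from the patent or its assignee, the following Python model shows the mechanism of the abstract and claims 1-3 and 7: a region table with one key per entry, firmware assigning fresh keys whose uniqueness is checked, and hardware walking the table from first to last entry while a rekeying address decides which key each access uses. The XOR cipher, the 8-byte line and key size, and the class and method names are constructed stand-ins; for the entry at the rekeying address it follows the abstract's rule (prior key for reads, new key for writes), which is exactly what the re-encryption step itself needs.

```python
import secrets

LINE = 8  # bytes per memory line; the toy keys are LINE bytes long

def toy_cipher(data: bytes, key: bytes) -> bytes:
    """XOR stand-in for the controller's real cipher (constructed for illustration)."""
    return bytes(d ^ k for d, k in zip(data, key))

class MemoryEncryptionController:
    def __init__(self, lines_per_region):
        self.cur_keys = [secrets.token_bytes(LINE) for _ in lines_per_region]
        self.new_keys = [None] * len(lines_per_region)
        self.rekey_addr = None  # index into the region table; None = no rekey in flight
        # constructed memory: zero-filled plaintext encrypted under each region's key
        self.mem = [[toy_cipher(bytes(LINE), k) for _ in range(n)]
                    for n, k in zip(lines_per_region, self.cur_keys)]

    def select_key(self, region, op):
        # Below the rekeying address: new key. Above it: current key. At it: prior
        # key for reads, new key for writes (the abstract's rule for that entry).
        if self.rekey_addr is None or region > self.rekey_addr:
            return self.cur_keys[region]
        if region < self.rekey_addr:
            return self.new_keys[region]
        return self.cur_keys[region] if op == "read" else self.new_keys[region]

    def read(self, region, line):
        return toy_cipher(self.mem[region][line], self.select_key(region, "read"))
    def write(self, region, line, plaintext):
        self.mem[region][line] = toy_cipher(plaintext, self.select_key(region, "write"))

    def begin_rekey(self):
        """Firmware side: choose fresh keys, check uniqueness (claim 7), point at entry 0."""
        for i in range(len(self.cur_keys)):
            k = secrets.token_bytes(LINE)
            while k in self.cur_keys or k in self.new_keys:
                k = secrets.token_bytes(LINE)
            self.new_keys[i] = k
        self.rekey_addr = 0

    def rekey_step(self):
        """Hardware side: re-encrypt the entry at the rekeying address and advance it.
        Returns True while entries remain, False once the table has been walked."""
        r = self.rekey_addr
        for i in range(len(self.mem[r])):
            self.write(r, i, self.read(r, i))  # prior key in, new key out
        self.rekey_addr = r + 1
        if self.rekey_addr < len(self.cur_keys):
            return True
        self.cur_keys, self.new_keys = self.new_keys, [None] * len(self.cur_keys)
        self.rekey_addr = None  # new keys are now current; rekeying address cleared
        return False
```

Software reads and writes through `read`/`write` return the same plaintext before, during and after the walk, which is the non-intrusive property; only entries the walk has passed are already unreadable under their old key.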
Description
BACKGROUND
In many situations there will be data stored in a computerized environment that is sensitive, confidential, or otherwise to be protected against unauthorized access. Oftentimes, this data will be encrypted using a security mechanism or token, such as a cryptographic key. Unfortunately, the keys themselves are susceptible to being compromised, and the risk of compromise increases over the lifetime of the key. Accordingly, various key rotation or “rekeying” processes can be performed that update, change, or rotate the keys used over time, such that if a key becomes compromised, the risk of unauthorized access to data encrypted using that key lasts only as long as that key is used for encryption of that data, or of a task or communication using that data. Unfortunately, existing approaches often result in significant downtime or unavailability of the data during a rekeying process, which is undesirable for many users and data storage systems, and impacts the availability and latency of operations performed using that data.
BRIEF DESCRIPTION OF THE DRAWINGS
Various embodiments in accordance with the present disclosure will be described with reference to the drawings, in which:
- FIG. 1 illustrates an example computing system in which rekeying can be performed, in accordance with various embodiments;
- FIGS. 2A, 2B, and 2C illustrate example region tables and a rekeying register that can be used with a rekeying process, in accordance with various embodiments;
- FIG. 3 illustrates an example process for determining the key to use for a request during a rekeying operation, in accordance with various embodiments;
- FIG. 4 illustrates an example process for performing a rekeying operation for a region, in accordance with various embodiments;
- FIG. 5 illustrates an example process for rekeying an address region using a new key, according to at least one embodiment;
- FIG. 6 illustrates an example network-based system in which aspects of at least one embodiment can be implemented;
- FIG. 7 illustrates an example data center system, according to at least one embodiment;
- FIG. 8 is a block diagram illustrating a computer system, according to at least one embodiment;
- FIG. 9 is a block diagram illustrating a computer system, according to at least one embodiment;
- FIG. 10 illustrates a computer system, according to at least one embodiment;
- FIG. 11 illustrates a computer system, according to at least one embodiment;
- FIG. 12A illustrates a computer system, according to at least one embodiment;
- FIG. 12B illustrates a computer system, according to at least one embodiment;
- FIG. 12C illustrates a computer system, according to at least one embodiment;
- FIG. 12D illustrates a computer system, according to at least one embodiment;
- FIGS. 12E and 12F illustrate a shared programming model, according to at least one embodiment;
- FIG. 13 illustrates exemplary integrated circuits and associated graphics processors, according to at least one embodiment;
- FIGS. 14A-14B illustrate exemplary integrated circuits and associated graphics processors, according to at least one embodiment;
- FIGS. 15A-15B illustrate additional exemplary graphics processor logic, according to at least one embodiment;
- FIG. 16 illustrates a computer system, according to at least one embodiment;
- FIG. 17A illustrates a parallel processor, according to at least one embodiment;
- FIG. 17B illustrates a partition unit, according to at least one embodiment;
- FIG. 17C illustrates a processing cluster, according to at least one embodiment;
- FIG. 17D illustrates a graphics multiprocessor, according to at least one embodiment;
- FIG. 18 illustrates a multi-graphics processing unit (GPU) system, according to at least one embodiment;
- FIG. 19 illustrates a graphics processor, according to at least one embodiment;
- FIG. 20 illustrates at least portions of a graphics processor, according to one or more embodiments;
- FIG. 21 illustrates at least portions of a graphics processor, according to one or more embodiments;
- FIG. 22 illustrates a parallel processing unit (“PPU”), according to at least one embodiment;
- FIG. 23 illustrates a general processing cluster (“GPC”), according to at least one embodiment;
- FIG. 24 illustrates a streaming multi-processor, according to at least one embodiment.
DETAILED DESCRIPTION
In the following description, various embodiments will be described. For purposes of explanation, specific configurations and details are set forth in order to provide a thorough understanding of the embodiments. However, it will also be apparent to one skilled in the art that the embodiments may be practiced without the specific details. Furthermore, well-known features may be omitted or simplified in order not to obscure the embodiment being described.
Approaches in accordance with various illustrative embodiments provide for the management of security, including secure tokens, in a computerized environment. In particular, rekeying operations can be performed for stored data without signi