A data transmission method and a storage system

By configuring an encrypted register group in the storage system and negotiating encryption and decryption with the host during initialization to generate a data transmission key, the security issue of data transmission between the SSD and the host is resolved, achieving both security and flexibility in data transmission.

CN114969850B · Active · Publication Date: 2026-06-26 · YANGTZE MEMORY TECH CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: YANGTZE MEMORY TECH CO LTD
Filing Date: 2022-06-13
Publication Date: 2026-06-26


Abstract

The application discloses a data transmission method and a storage system. The method comprises the following steps: configuring an encryption register group related to a communication protocol supported by the storage system; during the initialization process of the storage system, performing data encryption and decryption negotiation with a host coupled to the storage system based on the encryption register group, so that the host obtains a data transmission key; and performing data interaction with the host based on the data transmission key.

Description

Technical Field

[0001] This invention relates to the field of data transmission security technology, and in particular to a data transmission method and storage system.

Background Technology

[0002] Information security is becoming increasingly important. From national secrets to personal information, any vulnerability can lead to information leakage. Information is susceptible to eavesdropping, tampering, and forgery during storage, processing, and transmission. With the advent of the big data era, the demands on data storage are rising. Hard drives, as one of the media for data storage, have received widespread attention in the industry, especially solid-state drives (SSDs). SSDs utilize the Trusted Computing Group (TCG) Storage Opal specification to achieve encrypted data storage, making data storage relatively secure and thus gaining wider attention. However, the risk of data leakage still exists during the transfer between SSDs and the host. Therefore, how to ensure the security of data interaction between the host and SSD is a problem that professionals in this field need to solve.

Summary of the Invention

[0003] In view of this, the present invention provides a data transmission method and a storage system, which adds an encrypted register group to the communication protocol layer supported by the storage system. During the initialization process of the storage system, encryption and decryption negotiation is performed with the host to obtain the data transmission key used when interacting with the host, so as to perform data interaction with the host in encrypted form, thereby ensuring the security of transmitted data.

[0004] To achieve the above objectives, the technical solution of the present invention is implemented as follows:

[0005] In a first aspect, embodiments of the present invention provide a data transmission method applied to a storage system, the method comprising:

[0006] Configure an encrypted register set in the storage system that is associated with the communication protocols supported by the storage system;

[0007] During the initialization process of the storage system, data encryption and decryption negotiation is performed with the host coupled to the storage system based on the encrypted register group, so that the host can obtain the data transmission key;

[0008] Data interaction is performed with the host based on the data transmission key.

[0009] In a second aspect, embodiments of the present invention provide a data transmission method applied to a host coupled to a storage system, the method comprising:

[0010] Data encryption and decryption negotiation is conducted with the storage system based on the encrypted register set to obtain the data transmission key; the encrypted register set is a set of encryption and decryption related registers configured in the storage system and related to the communication protocols supported by the storage system.

[0011] Data interaction is performed with the storage system based on the data transmission key.

[0012] In a third aspect, embodiments of the present invention also provide a storage system, the storage system comprising: a memory; and a memory controller coupled to the memory and used for controlling the memory, wherein:

[0013] The memory controller is configured to: configure an encrypted register set related to the communication protocol supported by the storage system; during the initialization of the storage system, negotiate data encryption and decryption with a host coupled to the storage system based on the encrypted register set, so that the host obtains a data transmission key; and interact with the host based on the data transmission key.

[0014] This invention provides a data transmission method and a storage system. The method applied to the storage system includes: configuring an encrypted register group related to a communication protocol supported by the storage system; during the storage system initialization process, negotiating data encryption / decryption with a host coupled to the storage system based on the encrypted register group, enabling the host to obtain a data transmission key; and interacting with the host based on the data transmission key. The data transmission method and storage system provided by this invention add an encrypted register group to the communication protocol layer supported by the storage system. This allows for encryption / decryption negotiation with the host during storage system initialization to obtain a data transmission key used for data interaction with the host, ensuring encrypted data interaction and thus guaranteeing data security. Furthermore, this configuration allows for flexible setting of the encryption method and can be configured only during initialization, saving subsequent data transmission time.

Attached Figure Description

[0015] Figure 1 is a schematic diagram of data transmission in a storage system in related technologies;

[0016] Figure 2 is a schematic diagram of the problems that arise when the data transmission method of Figure 1 is adopted;

[0017] Figure 3 is a schematic diagram of a data transmission method on the storage system side provided in an embodiment of the present invention;

[0018] Figure 4 is a schematic diagram of the structure of the encryption register group provided in an embodiment of the present invention;

[0019] Figure 5 and Figure 6 are schematic diagrams comparing the initialization processes of the storage system and host before and after the improvement, provided in an embodiment of the present invention;

[0020] Figure 7 is a flowchart illustrating the data encryption / decryption negotiation process on the storage system side, provided in an embodiment of the present invention;

[0021] Figure 8 is a schematic diagram of the data encryption and transmission process after data encryption and decryption negotiation, provided in an embodiment of the present invention;

[0022] Figure 9 is a schematic diagram of the data transmission method on the host side provided in an embodiment of the present invention;

[0023] Figure 10 is a schematic diagram illustrating the data encryption / decryption negotiation process between the host and the storage system provided in an embodiment of the present invention;

[0024] Figure 11 is a schematic diagram illustrating the workflow of the storage system and the host during data writing, provided in an embodiment of the present invention;

[0025] Figure 12 is a schematic diagram illustrating the workflow of the storage system and the host during data reading, provided in an embodiment of the present invention;

[0026] Figure 13 is a schematic diagram of the structure of a storage system provided in an embodiment of the present invention;

[0027] Figure 14 is a schematic diagram of an exemplary memory card having a memory, representing some aspects of embodiments of the present invention;

[0028] Figure 15 is a schematic diagram of an exemplary solid-state drive (SSD) with memory, representing some aspects of embodiments of the present invention;

[0029] Figure 16 is a schematic diagram of the structure of a memory provided in an embodiment of the present invention;

[0030] Figure 17 is a schematic diagram of the structure of a memory array provided in an embodiment of the present invention.

Detailed Implementation

[0031] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions in the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this application, and not all of them. Based on the embodiments of this invention, all other embodiments obtained by those skilled in the art without creative effort are within the protection scope of this invention. Unless otherwise specified, the embodiments and features in the embodiments of this invention can be arbitrarily combined with each other. The flowcharts in the accompanying drawings show a logical order, but in some cases, the steps shown or described may be performed in a different order than that shown herein.

[0032] In storage devices (or storage systems), SSDs typically use TCG Storage Opal to store data in encrypted form. However, data transferred between the SSD and the coupled host is still in plaintext on the transmission bus, so it can be eavesdropped and there is a significant risk of data leakage, as shown in Figure 1 and Figure 2. Here, Host represents the host computer; within the host, Application represents the application software, or simply APP; Operation System represents the operating system, such as Linux; NVMe indicates that the host supports the NVMe communication protocol; SATA / PCIe / Fabric represents the interfaces supported by the host for communication with SSDs; plaintext represents plain text, that is, unencrypted data, meaning that data transmitted between components within the host is in plaintext. Storage Device represents a storage device or storage system, such as an SSD; within the storage device, MDIA represents the storage medium, the physical medium used to store data, which can be arranged in an array to form a memory array; Flash Translation Layer (FTL) & BE are used to translate logical addresses in the host into corresponding physical addresses in the storage device, so that the host can read data from or write data to MDIA; Enable Opal ciphertext indicates that the Trusted Computing Group storage specification is enabled, so that data is stored in MDIA as ciphertext or read from MDIA as ciphertext; in the other parts of the storage device, data is still transmitted in plaintext. With this data transmission method, data in flight between the NVMe-enabled storage device and the host is transmitted in plaintext. As shown in Figure 2, if an unauthorized user embeds a protocol monitoring device beforehand, they can listen to the data communication process without the user's knowledge and then, through the pre-embedded protocol analysis device, steal the user's important data. Currently, there is a lack of an encryption method suitable for data transmission of storage devices that support the NVMe protocol to ensure the communication security between the host and the storage device.

[0033] Based on this, as shown in Figure 3, this embodiment of the invention provides a data transmission method, which is applied to the storage system side. The method may include:

[0034] S301: Configure an encrypted register group related to the communication protocol supported by the storage system in the storage system;

[0035] S302: During the initialization of the storage system, data encryption and decryption negotiation is performed with the host coupled to the storage system based on the encryption register group, so that the host obtains the data transmission key;

[0036] S303: Perform data interaction with the host based on the data transmission key.

[0037] It should be noted that the communication protocol supported by the storage system mentioned here can be the Non-Volatile Memory Express (NVMe) protocol, or a communication protocol used by other storage systems. The following explanation uses NVMe as an example; that is, unless otherwise specified, the communication protocol mentioned below refers to the NVMe protocol.

[0038] In practical applications, configuring an encryption register set related to the communication protocols supported by the storage system involves adding a set of encryption / decryption related registers to the NVMe controller (part of the memory controller) included in the storage system, as shown in Figure 4. In Figure 4, the encryption register set can include a display encryption capability register, a reset encryption function register, a configuration encryption function register, a configuration encryption range register, and a negotiation configuration register. The functions of each register are explained in detail later and are not repeated here. It should be understood that the more registers defined in the encryption register set, the more functions it can perform, which gives the storage system flexible configuration attributes.

[0039] In this embodiment of the invention, the data encryption negotiation between the storage system and the coupled host is performed during the initialization process of the storage system's memory controller, as shown in Figure 5 and Figure 6. Figure 5 shows the original initialization process of the memory controller in the storage system; Figure 6 shows the initialization process provided by this invention, which adds data encryption negotiation between the storage system and the coupled host to the original initialization process. It should be noted that, in actual operation, this can also be regarded as the host coupled to the storage system making use of the storage system's initialization process. As shown in Figure 5, the original initialization process can include: the host waiting for the memory controller to prepare for initialization, at which point CSTS.RDY = 0; initialization of memory controller related functions; and, as the final step, waiting for the memory controller initialization to complete, at which point CSTS.RDY = 1, indicating that initialization is complete. As shown in Figure 6, in this embodiment of the invention, after the memory controller's related functions are initialized, data encryption negotiation is performed between the storage system and the coupled host, and then the system waits for the memory controller initialization to complete. With this arrangement, data encryption negotiation is performed only during memory controller initialization to obtain a data transmission key. Subsequent data transmission between the storage system and the host can then be encrypted using this key. Furthermore, for data security, the encryption strategy, the data transmission key, and, as described later, the encryption range can be flexibly changed each time the storage system is initialized.

[0040] Based on this, how is data encryption negotiation conducted between the storage system and the coupled host? Specifically, in some embodiments, the encryption register group may include at least: a configuration encryption function register and a negotiation configuration register.

[0041] It should be noted that the configuration encryption function register, as the name suggests, allows the host to configure encryption policies for the storage system. The encryption policy can refer to any encryption policy supported by the storage system. The negotiation configuration register is used to store specific data so that the host and the storage system can exchange that data. For example, the specific data could be the data transmission key (described later) or the public key (described later).

[0042] Based on the aforementioned configuration encryption function register and negotiation configuration register, in some embodiments, as shown in Figure 7, performing data encryption / decryption negotiation with the host coupled to the storage system based on the encrypted register set during the initialization process of the storage system, so that the host obtains the data transmission key, may include:

[0043] S701: Obtain the encryption policy written by the host to the configuration encryption function register; the encryption policy is configured by the host for the storage system;

[0044] S702: Obtain the public key written by the host to the negotiation configuration register; the public key is generated by the host based on the encryption strategy;

[0045] S703: Generate data transmission key;

[0046] S704: Encrypt the data transmission key using the encryption strategy and the public key to obtain the encrypted data transmission key;

[0047] S705: Write the encrypted data transmission key into the negotiation configuration register, so that the host obtains the data transmission key based on the negotiation configuration register.

[0048] It should be noted that the process described in Figure 7 above is the data encryption negotiation process between the storage system and the coupled host, as seen from the storage system side. The encryption strategy is supported by the storage system. The storage system obtains the encryption strategy configured by the host based on the configuration encryption function register; and obtains the public key written by the host based on the negotiation configuration register. That is, the encryption strategy can be an asymmetric encryption strategy, which requires two keys: a public key and a private key. The public and private keys are a pair; if data is encrypted using the public key, it can only be decrypted using the corresponding private key. If data is encrypted using the private key, it can only be decrypted using the corresponding public key. Because encryption and decryption use different keys, it is called asymmetric encryption. Various asymmetric encryption strategies can be used, such as RSA, Elgamal, knapsack algorithm, Rabin, DH, ECC (Elliptic Curve Cryptography), etc. This embodiment of the invention does not limit the algorithm used for the asymmetric encryption strategy; any algorithm supported by the storage system is acceptable.

[0049] In some embodiments, the encryption strategy includes at least: encryption method and key length, wherein the key length includes the number of bits in the public key.

[0050] It should be noted that the encryption method can be one of the aforementioned encryption algorithms. The key length can be set according to actual needs; the longer the key, the more difficult a brute-force attack becomes, meaning that a longer key gives greater security. The key length can include the number of bits in the public key and the private key.

[0051] Subsequently, the storage system generates a data transmission key. There are several ways for the storage system to generate the data transmission key. One feasible method is to generate the data transmission key by: generating a random number; and generating the data transmission key based on the random number.

[0052] The random number can be a dynamic random number, which is a completely random sequence without statistical bias. It can be generated by hardware devices configured in the storage system that generate cryptographically random numbers. Random numbers are unpredictable and unrepeatable, making them arguably the best way to generate data transmission keys because they are difficult for others to predict. It should be noted that this data transmission key can be a symmetric encryption key.

[0053] Subsequently, the storage system encrypts the data transmission key using the encryption policy configured by the host and the obtained public key to obtain an encrypted data transmission key. This encrypted data transmission key is then placed in the negotiation configuration register, enabling the host to obtain the data transmission key based on the negotiation configuration register. The host can obtain the encrypted data transmission key by reading the negotiation configuration register, and then decrypt the encrypted data transmission key using its stored private key to obtain the data transmission key.

[0054] In some embodiments, when configuring an encryption range register, the encryption strategy further includes an encryption range; correspondingly, the method further includes:

[0055] Obtain the encryption range written by the host to the configuration encryption range register; the encryption range is used to indicate the range of physical addresses to which the data to be encrypted and transmitted in the storage system belongs.

[0056] It should be noted that the encryption range mentioned here reflects the flexible configuration of data transmission security in this embodiment of the invention. That is, the encryption range limits the data that needs to be encrypted during transmission between the host and the storage system. For data transmissions that do not require encryption, a data transmission key can be omitted to save data transmission time between the host and the storage system. The encryption range can refer to the range of physical addresses of the data to be encrypted during transmission in the storage system. It should be understood that the physical addresses in the storage system and the logical addresses in the host can be mapped using an L2P table. In other words, the encryption range can also reflect the range of physical addresses of the data to be encrypted during transmission in the storage system through the logical addresses of the host. In other words, the encryption range can also be the range of logical addresses stored on the host, indicating the range of physical addresses in the storage system.

[0057] In some embodiments, the encryption register group further includes a display encryption capability register, and the method further includes:

[0058] Before obtaining the encryption policy written by the host to the configuration encryption function register, the host obtains the various encryption policies supported by the storage system based on the display encryption capability register.

[0059] It should be noted that the display encryption capability register provided here is used to inform the host of the encryption policies supported by the storage system. The host can learn about the encryption policies supported by the storage system by reading the display encryption capability register.

[0060] In some embodiments, the encryption register group further includes a reset encryption function register, and the method further includes:

[0061] The host restores the encryption policy in the storage system to factory settings through the reset encryption function register.

[0062] It should be noted that the reset encryption function register provided here is used to enable the host to restore the encryption policies and other functions currently being used by the storage system to the factory default configurable state.

[0063] After encryption / decryption negotiation, data on the transmission path between the storage system and the host can be transmitted in encrypted form, as shown in Figure 8. The symbols appearing there have already been explained in detail for Figure 1 and Figure 2, so they are not repeated here.

[0064] This invention provides a data transmission method that adds an encrypted register group to the communication protocol layer supported by the storage system. During the storage system initialization process, encryption / decryption negotiation is performed with the host to obtain the data transmission key used for data interaction with the host. This ensures encrypted data interaction with the host, thereby guaranteeing the security of transmitted data. Furthermore, this configuration allows for flexible setting of the encryption method and can be configured only during initialization, saving subsequent data transmission time.

[0065] Based on the same inventive concept, as shown in Figure 9, this embodiment of the invention also provides a data transmission method, wherein the method is applied to the host side coupled to the storage system, and the specific process includes:

[0066] S901: Based on the encryption register group, negotiate data encryption and decryption with the storage system to obtain a data transmission key; the encryption register group is a set of encryption and decryption related registers configured in the storage system and related to the communication protocol supported by the storage system;

[0067] S902: Interact with the storage system based on the data transmission key.

[0068] In some embodiments, the encryption register group includes at least: a configuration encryption function register and a negotiation configuration register.

[0069] In some embodiments, the step of negotiating data encryption / decryption with the storage system based on the encrypted register set to obtain the data transmission key includes:

[0070] The encryption policy is written into the configuration encryption function register; the encryption policy is configured by the host for the storage system.

[0071] Generate asymmetric encryption public and private keys based on the encryption strategy;

[0072] The public key is written into the negotiation configuration register, enabling the storage system to obtain the public key based on the negotiation configuration register.

[0073] The encrypted data transmission key written to the negotiation configuration register by the storage system is read; the encrypted data transmission key is obtained by the storage system encrypting the data transmission key with the public key, using the encryption policy obtained from the configuration encryption function register; the data transmission key is generated by the storage system.

[0074] The encrypted data transmission key is decrypted using the private key to obtain the data transmission key.

[0075] In some embodiments, the encryption strategy includes at least: encryption method and key length, wherein the key length includes the number of bits in the public key and the number of bits in the private key.

[0076] In some embodiments, when the encryption register group further includes a configuration encryption range register, the encryption strategy further includes an encryption range; correspondingly, the method further includes writing the encryption range into the configuration encryption range register, wherein the encryption range is used to indicate the range of physical addresses to which the data to be encrypted and transmitted in the storage system belongs.

[0077] In some embodiments, the encryption register group further includes a display encryption capability register, and the method further includes:

[0078] Before obtaining the encryption policy written by the host to the configuration encryption function register, the display encryption capability register is read to obtain the various encryption policies supported by the storage system.

[0079] In some embodiments, the encryption register group further includes a reset encryption function register, and the method further includes:

[0080] Write the reset command to the reset encryption function register to restore the encryption policy in the storage system to factory settings.

[0081] It should be noted that the data transmission method on the host side and the data transmission method on the storage system side provided in this embodiment of the invention are based on the same concept, but described on different sides. The terms appearing on the host side have been described in the foregoing description of the storage system side and have the same meaning. They can be understood based on the foregoing description and will not be repeated here.

[0082] The data transmission method provided in this invention adds an encrypted register group to the communication protocol layer supported by the storage system. During the storage system initialization process, encryption / decryption negotiation is performed with the host to obtain the data transmission key used for data interaction with the host. This ensures encrypted data interaction with the host, thereby guaranteeing the security of transmitted data. Furthermore, this configuration allows for flexible setting of the encryption method and can be configured only during initialization, saving subsequent data transmission time.

[0083] To aid understanding of the present invention, as shown in Figure 10, this embodiment of the invention also provides a flowchart illustrating a mechanism for negotiating data encryption and decryption between the host and the SSD at the NVMe protocol layer. It should be noted that the encryption register group involved in this flowchart includes: a display encryption capability register, a reset encryption function register, a configuration encryption function register, a configuration encryption range register, and a negotiation configuration register.

[0084] As shown in Figure 10, the main steps involved on the host side are as follows:

[0085] Write to the storage system's reset encryption function register to restore the storage system's encryption operation unit to factory settings;

[0086] Read the storage system's display encryption capability register to obtain the encryption policies supported by the storage system;

[0087] The encryption policy of the storage system is set by configuring the encryption function register; the encryption policy includes the encryption method and the key length.

[0088] Set the data encryption scope of the storage system;

[0089] Generate an asymmetric encryption key (public key and private key), and write the public key into the negotiation configuration register so that the storage system can obtain the public key;

[0090] Read the updated negotiation configuration register to obtain the encrypted data transmission key;

[0091] The encrypted data transmission key is decrypted using the private key, yielding the same data transmission key as the one in the storage system.

[0092] It should be noted that the steps here correspond to the steps in the aforementioned host-side data transmission method, and their specific meanings are the same as those described above, so they will not be repeated here.

[0093] As shown in Figure 10, the main steps involved on the storage system side are as follows:

[0094] Restore the encryption operation unit to factory settings according to the command written by the host to the reset encryption function register;

[0095] Reconfigure the encryption processing unit based on the encryption policy set by the host;

[0096] Use dynamic random numbers to generate the data transmission key;

[0097] Use the public key and the encryption policy configured on the host to encrypt the data transmission key;

[0098] The encrypted data transmission key is written into the negotiation configuration register so that the host can obtain the encrypted data transmission key and thus acquire the data transmission key.

[0099] It should be noted that the steps here correspond to the steps in the aforementioned data transmission method on the storage system side, and their specific meanings are the same as those described above, so they will not be repeated here.
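
The Figure 10 exchange on both sides, as an added Python example that is not code from the patent. The five registers are modeled as attributes of a hypothetical `Controller` class, and RSA-OAEP with SHA-256 stands in for the asymmetric policy, which the page leaves open; the RSA routines use only the standard library so the example runs offline, are not constant-time, and a real controller would use a vetted crypto engine.

```python
# Added example, not the patent's code. Register layout and RSA-OAEP/SHA-256 are assumptions.
import hashlib
import math
import secrets

HLEN = 32  # SHA-256 digest length
_SMALL = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def _probable_prime(n, rounds=24):  # Miller-Rabin for odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits, e=65537):  # host side: returns ((n, e), (n, d)), modulus exactly `bits` long
    def prime(b):
        while True:
            c = secrets.randbits(b) | (3 << (b - 2)) | 1  # top two bits set, odd
            if all(c % p for p in _SMALL) and _probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _mgf1(seed, length):
    blocks = (length + HLEN - 1) // HLEN
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encrypt(pub, msg):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    db = hashlib.sha256(b"").digest() + bytes(k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg  # ValueError if msg too long
    seed = secrets.token_bytes(HLEN)
    masked_db = _xor(db, _mgf1(seed, len(db)))
    em = b"\x00" + _xor(seed, _mgf1(masked_db, HLEN)) + masked_db
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def oaep_decrypt(priv, ct):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    seed = _xor(em[1:1 + HLEN], _mgf1(em[1 + HLEN:], HLEN))
    db = _xor(em[1 + HLEN:], _mgf1(seed, k - HLEN - 1))
    sep = db.find(b"\x01", HLEN)
    if em[0] or db[:HLEN] != hashlib.sha256(b"").digest() or sep < 0 or any(db[HLEN:sep]):
        raise ValueError("decryption error")
    return db[sep + 1:]


class Controller:
    """Storage side; the page's five registers are modeled as attributes (layout assumed)."""
    def __init__(self):
        self.display_capability = (("RSA-OAEP", 2048), ("RSA-OAEP", 3072))  # constructed policy list
        self.reset()

    def reset(self):  # effect of a write to the reset encryption function register
        self.config_function = self.config_range = self.negotiation = self.transport_key = None

    def negotiate(self):  # runs once, after function init and before CSTS.RDY = 1
        policy, (n, e) = self.config_function, self.negotiation          # S701, S702
        if policy not in self.display_capability or n.bit_length() != policy[1]:
            raise ValueError("policy not offered, or public key length does not match it")
        self.transport_key = secrets.token_bytes(32)                     # S703: random symmetric key
        self.negotiation = oaep_encrypt((n, e), self.transport_key)      # S704, S705


def host_negotiate(ctrl, policy=None, enc_range=(0x1000, 0x1FFF)):
    ctrl.reset()                                                   # [0085]
    policy = policy or ctrl.display_capability[0]                  # [0086] read offered policies
    ctrl.config_function, ctrl.config_range = policy, enc_range    # [0087], [0088]
    pub, priv = rsa_keygen(policy[1])                              # [0089]
    ctrl.negotiation = pub
    ctrl.negotiate()                                               # device performs S701-S705
    return oaep_decrypt(priv, ctrl.negotiation)                    # [0090], [0091]
```

Only the wrapped key and the public key ever sit in the negotiation configuration register; the private key stays on the host and the raw data transmission key stays in the controller.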

[0100] Based on the data transmission method provided in the embodiments of the present invention, as shown in Figure 11, when the host writes user data to the storage system, the workflow between the storage system and the host can be as follows:

[0101] The first step is for the host user to initiate a write operation;

[0102] The second step is to check whether the NVMe data link encryption and decryption function is enabled on the host.

[0103] The third step is for the host to check whether the encryption range is hit;

[0104] Fourth step: If so, the host uses the data transmission key to encrypt the user data;

[0105] Fifth step: The host sends encrypted user data to the transmission bus;

[0106] Step 6: The storage system receives encrypted user data from the host.

[0107] Step 7: The storage system checks whether NVMe data link encryption / decryption is enabled;

[0108] Step 8: The storage system checks whether the decryption range has been hit;

[0109] Step 9: If so, the storage system uses the data transmission key to decrypt the encrypted user data;

[0110] Step 10: The storage system writes user data to the storage medium.

[0111] As shown in Figure 12, when the host reads user data stored in the storage system, the workflow between the storage system and the host can be as follows:

[0112] The first step is for the host user to initiate a read data operation;

[0113] The second step is for the host to send a read data request to the storage system;

[0114] The third step is that the storage system receives a read data operation;

[0115] The fourth step is for the storage system to read user data from the storage medium;

[0116] Fifth, the storage system checks whether NVMe data link encryption / decryption is enabled;

[0117] Step 6: The storage system checks whether the encryption range is hit;

[0118] Step 7: If so, the storage system uses the data transmission key to encrypt the user data being read.

[0119] Step 8: The storage system writes the encrypted user data to the transmission bus;

[0120] Step 9: The host checks whether the NVMe data link encryption / decryption function is enabled;

[0121] Step 10: The host checks whether the encryption range is hit;

[0122] Step 11: If so, the host uses the data transmission key to decrypt the encrypted user data;

[0123] Step 12: The host obtains the user data.

[0124] It should be noted that, as can be seen from the data writing process shown in Figure 11 and the data reading process shown in Figure 12, before encrypting the transmitted data, both the host and storage system need to check whether NVMe data link encryption / decryption is enabled (i.e., whether NVMe data link encryption / decryption is supported). The NVMe protocol defines commands to view the NVMe controller and its supported features. Therefore, this embodiment of the invention can use these commands to check whether the host and storage system support NVMe data link encryption / decryption and its encryption range. Here, NVMe data link encryption / decryption refers to whether a data encryption / decryption negotiation process and encryption range were added during the host and storage system initialization process, as described above.

[0125] This invention also provides a storage system. As shown in Figure 13, the storage system 130 includes: a memory 1301; and a memory controller 1302 coupled to the memory and used to control the memory, wherein:
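The two checks that gate the write and read flows (link encryption enabled, encryption range hit), applied symmetrically on the sending and receiving side, as an added example that is not part of the patent text. The `Link` type, the inclusive address range, and AES-256-GCM with a prepended nonce are assumptions; the page does not name a cipher, and the key below is constructed rather than negotiated.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Link is one endpoint's view of the negotiated state (names are assumptions).
type Link struct {
	Enabled    bool   // link encryption was negotiated during initialization
	Start, End uint64 // encryption range, inclusive
	Key        []byte // data transmission key, 32 bytes here (AES-256)
}

// hit combines the two checks each side performs before touching the payload.
func (l *Link) hit(addr uint64) bool {
	return l.Enabled && addr >= l.Start && addr <= l.End
}

func (l *Link) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(l.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send is the sender's half: the host on a write, the storage system on a read.
// Data outside the range, or with link encryption off, goes on the bus as is.
func (l *Link) Send(addr uint64, data []byte) ([]byte, error) {
	if !l.hit(addr) {
		return data, nil
	}
	gcm, err := l.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, data, nil), nil // nonce || ciphertext || tag
}

// Receive is the receiver's half and repeats the same checks before decrypting.
func (l *Link) Receive(addr uint64, wire []byte) ([]byte, error) {
	if !l.hit(addr) {
		return wire, nil
	}
	gcm, err := l.aead()
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(wire) < n {
		return nil, errors.New("payload shorter than nonce")
	}
	return gcm.Open(nil, wire[:n], wire[n:], nil)
}

func main() {
	key := make([]byte, 32) // constructed key standing in for the negotiated one
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	host := &Link{Enabled: true, Start: 0x1000, End: 0x1fff, Key: key}
	ssd := &Link{Enabled: true, Start: 0x1000, End: 0x1fff, Key: key}
	data := []byte("constructed user data")
	for _, addr := range []uint64{0x1800, 0x4000} { // in range, out of range
		wire, _ := host.Send(addr, data)
		plain, err := ssd.Receive(addr, wire)
		fmt.Printf("addr %#x: encrypted on bus=%v recovered=%v err=%v\n",
			addr, !bytes.Equal(wire, data), bytes.Equal(plain, data), err)
	}
}
```

Both endpoints must evaluate the same range and enable state; the receiver decides whether to decrypt from its own copy of those settings, not from anything carried in the payload.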

[0126] The memory controller is configured to: configure an encrypted register set related to the communication protocol supported by the storage system; during the initialization of the storage system, negotiate data encryption and decryption with a host coupled to the storage system based on the encrypted register set, so that the host obtains a data transmission key; and interact with the host based on the data transmission key.

[0127] It should be noted that only the storage system structure relevant to the embodiments of the present invention is described herein. In practice, the storage system 130 may include a memory controller 1302 and one or more memories 1301. For example, in one example shown in Figure 14, the memory controller 1302 and a single memory 1301 can be integrated into a memory card 140. The memory card 140 may include a PC card (PCMCIA, Personal Computer Memory Card International Association), a CF card, a Smart Media (SM) card, a memory stick, a multimedia card (MMC, RS-MMC, MMCmicro), an SD card (SD, miniSD, microSD, SDHC), UFS, etc. The memory card 140 may also include a memory card connector 1401 that couples the memory card 140 to a host computer. In another example shown in Figure 15, the memory controller 1302 and multiple memories 1301 may be integrated into the SSD 150. The SSD 150 may also include an SSD connector 1501 that couples the SSD 150 to the host. In some implementations, the storage capacity and / or operating speed of the SSD 150 is greater than the storage capacity and / or operating speed of the memory card 140.

[0128] In some embodiments, as shown in Figure 16, a given memory 1301 includes a memory array 1301-1 comprising multiple individual memory dies stacked together and a control circuit 1301-2 coupled to the periphery of the memory array 1301-1. The memory array 1301-1 can be stacked in two or three dimensions (3D), such as a stack of two-dimensional or three-dimensional (3D) NAND dies.

[0129] It should be noted that the memory array 1301-1 in memory 1301 has multiple memory blocks, and its exemplary structure is shown in Figure 17. As shown, the memory array is divided into BLOCK1 to BLOCKT, each containing multiple memory blocks, where T is a positive integer and is generally a large number. Each memory block contains a set of NAND strings, which are accessed via bit lines BL0 to BL(M-1) and a set of common word lines WL0 to WL(N-1), where M and N are both integers greater than 1. One terminal of the NAND string is connected to the corresponding bit line via the top select gate SGD (controlled by the top select gate line SGDL), and the other terminal is connected to the source line via the bottom select gate SGS (controlled by the bottom select gate line SGSL). Each memory block is divided into multiple pages. In some embodiments, memory blocks are conventional erase units, and pages are conventional programming units. In other embodiments, other units of erasure and programming may also be used. The physical structure of the memory cells in the memory array illustrated in Figure 17 is an example and does not limit the scope of the invention.

[0130] In some embodiments, as shown in Figure 16, the memory array 1301 further includes read / write circuitry, a row decoder, and a column decoder. In some embodiments, various peripheral circuits access the memory array 1301-1 in a symmetrical manner on opposite sides of the memory array 1301-1 to reduce the density of access circuitry on each side by half. The read / write circuitry includes multiple sensing blocks SB for parallel reading or programming of pages in the memory array 1301-1. The memory array 1301-1 can be addressed via word lines through the row decoder and bit lines through the column decoder. In some embodiments, the memory array 1301-1, control circuitry 1301-2, read / write circuitry, row decoder, and column decoder can be fabricated on a chip, wherein the dashed box in Figure 16 can also represent a chip. Data is transmitted between the memory controller and the chip via signal line 1301-3.

[0131] Control circuitry 1301-2 is configured to cooperate with read / write circuitry to perform memory operations on memory array 1301-1. The control circuitry includes a state machine, an on-chip address decoder, and a power control module. The state machine is configured to provide chip-level control for memory operations; the on-chip address decoder is configured to provide an address interface between the address used by the host or memory system controller and the hardware address used by the row and column decoders. The power control module is configured to control the power and voltage supplied to the word lines and bit lines during each memory operation.

[0132] In 3D architecture semiconductor memory technology, vertical structures are stacked for memory arrays, increasing the number of layers and physical pages, thereby increasing the density of the memory system. In one embodiment, the memory system can be a discrete memory or memory component of the host. In other embodiments, the memory system can also be part of an integrated circuit, such as a system-on-a-chip (SoC). In this case, the memory system is stacked or otherwise assembled with one or more components of the host.

[0133] The host coupled to the memory may include a host processor and host RAM, wherein the host RAM may include DRAM, SDRAM, or any other suitable volatile or non-volatile memory. The storage system may be provided with one or more communication interfaces for communicating with one or more components of the host. The one or more communication interfaces may be Serial Advanced Technology Attachment (SATA) interfaces, High-Speed Peripheral Component Interconnect (PCIe) interfaces, PCI interfaces, PCI-X interfaces, Universal Serial Bus (USB) interfaces, Universal Flash Storage (UFS) interfaces, eMMC interfaces, etc.

[0134] The data transmission system consisting of the host and the memory operates as follows: The memory controller receives instructions from the host and communicates with the memory 1301. For example, the memory controller transfers data to one or more memory cells, planes, sub-blocks, blocks, or pages in the memory 1301 by executing write or erase instructions; or the memory controller transfers data to the host by executing read instructions. In hardware, the memory controller may include one or more controller units, circuits, or components configured to control access across the memory 1301 and provide a translation layer between the host and the storage system. The memory controller may also include one or more input / output (I / O) circuits, lines, or interfaces to transfer data to or from the memory 1301.

[0135] The memory controller may further include a memory management unit and an array control unit. The memory management unit may include circuit hardware or firmware, such as multiple components or integrated circuits associated with various memory management functions. To describe the technical solution of the present invention, NAND memory is used as an example for contextual description of memory operation or management functions. Those skilled in the art should understand that other forms of non-volatile memory may have similar memory operation or management functions. The management functions of NAND memory may include wear leveling, such as garbage collection or recycling, error detection or correction, block retirement, or one or more other memory management functions. The memory management unit may process host instructions into commands recognizable by the storage system, for example, parsing or formatting instructions received from the host into commands related to the operation of the memory 1301; or the memory management unit may also generate device commands for the array control unit or one or more other components of the storage system, such as commands to implement various memory management functions.

[0136] The memory management unit can be configured to include a set of management tables for maintaining various information associated with one or more components of the storage system, such as information related to the memory array coupled to the memory controller, or one or more memory cells. For example, the management tables may include information such as block age, block erase count, error history, or one or more error counts for one or more blocks of memory cells coupled to the memory controller. Error counts may include operation error counts, read bit error counts, etc. In some embodiments, bit errors are considered uncorrectable bit errors if the detected error count exceeds a certain threshold. In some embodiments, the management tables may maintain counts of correctable or uncorrectable bit errors.

[0137] The management table may also contain one or more L2P tables, which contain one or more L2P pointers that associate logical addresses with physical addresses at the memory array of the memory 1301. In some embodiments, the management table may contain unencrypted L2P tables and / or encrypted L2P tables. Unencrypted L2P tables may include L2P pointers indicating unencrypted logical addresses and unencrypted physical addresses; encrypted L2P tables may contain encrypted L2P pointers indicating encrypted physical addresses and unencrypted logical addresses. In practical applications, the management table may be displayed at the memory management unit, i.e., the management table may be stored in the RAM of the memory controller. In other embodiments, the management table may also be stored in the memory array within the memory 1301. In use, the memory management unit may read part or all of the cached management table from the RAM of the memory controller; it may also read the management table from the memory array within the memory 1301.

[0138] The array control unit may include circuitry or components configured to control the following related memory operations: writing data to one or more memory cells coupled to the memory controller, reading data from the one or more memory cells, or erasing the one or more memory cells. The array control unit may receive commands sent by the host or host commands generated internally by the memory management unit; these host commands may be related to wear leveling, error detection, or correction.

[0139] The array control unit may also include an error correction code (ECC) component, which may contain an ECC engine or other circuitry for detecting or correcting errors associated with writing or reading data from one or more memory cells in a storage system coupled to the memory controller. The memory controller is configured to effectively detect and recover from various operational or data storage-related error events, such as bit errors, operational errors, etc., while maintaining the integrity of data transferred between the host and the storage system, or maintaining the integrity of stored data, for example, by using redundant RAID storage. Failed memory resources, such as memory cells, memory arrays, pages, blocks, etc., may be removed or decommissioned to prevent future errors.

[0140] In a data transmission system consisting of a host and a storage system, the memory controller further includes an encryption / decryption unit configured to perform cryptographic operations on the data. In some embodiments, the encryption / decryption unit may be implemented in hardware, software, or a combination of both. For example, the encryption / decryption unit may contain instructions that execute at the processor or similar hardware component of the memory controller. In some embodiments, the encryption / decryption unit may include transfer hardware for performing cryptographic operations.

[0141] The memory array in the memory 1301 may include, for example, a number of memory cells arranged in one or more devices, one or more planes, one or more sub-blocks, one or more blocks, one or more pages, etc. As an example, a 48GB TLC NAND storage system may include 18,592 bytes (B) of data per page (16,384 + 2,208 bytes), 1,536 pages per block, 548 blocks per plane, and four or more planes per device. As another example, a 32GB MLC storage system (storing two bits of data per cell (i.e., four programmable states)) may include 18,592 bytes (B) of data per page (16,384 + 2,208 bytes), 1,024 pages per block, 548 blocks per plane, and four planes per device, but requires half the write time and doubles the program / erase (P / E) cycles compared to the corresponding TLC storage system. Other examples may include other numbers or arrangements. In some instances, the storage system or a portion thereof may selectively operate in SLC mode or in the desired MLC mode (e.g., TLC, QLC, etc.).

[0142] The memory array in memory 1301 includes one or more physical address locations. A physical address location is a location on the memory array in memory 1301 that is uniquely associated with a physical address. In operation, data is typically written to or read from the memory system in units of pages and erased in units of blocks. However, one or more memory operations (e.g., read, write, erase, etc.) may be performed on larger or smaller groups of memory cells as needed. Therefore, in some instances, physical address locations may include more or fewer than one page. The data transfer size of the memory system is typically referred to as a page, while the data transfer size of the host is typically referred to as a sector.

[0143] While a page of data may include several bytes of user data (e.g., a data payload comprising several data sectors) and its corresponding metadata, the page size typically refers only to the number of bytes used to store the user data. As an example, a 4KB data page may include 4KB of user data (e.g., eight sectors with a presentation sector size of 512B) and several bytes of metadata corresponding to the user data (e.g., 32B, 54B, 224B, etc.), such as integrity data (e.g., error detection or correction code data), address data (e.g., logical address data, etc.), or other metadata associated with the user data. The physical address location used to store metadata, etc., may be referred to as the hyper-supply physical address location.

[0144] Different types of memory cells or the memory 1301 may provide different page sizes, or may require different amounts of metadata associated with them. For example, different memory system types may have different bit error rates, which can result in different amounts of metadata necessary to ensure the integrity of data pages (e.g., a memory system with a higher bit error rate may require more bytes of error correction code data than a memory system with a lower bit error rate). For example, a multi-level cell (MLC) NAND flash device may have a higher bit error rate than a corresponding single-level cell (SLC) NAND flash device. Therefore, an MLC device may require more bytes of metadata for error data than a corresponding SLC device.

[0145] The above description is merely a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention.

Claims

1. A data transmission method, characterized in that,
Applied to a storage system, the method includes:
Configure an encrypted register set related to the communication protocol supported by the storage system in the storage system, the encrypted register set including at least a negotiation configuration register;
During the initialization of the storage system, the public key written by the host to the negotiation configuration register is obtained; the public key is generated by the host based on an encryption strategy.
Generate a data transmission key;
The data transmission key is encrypted using the encryption strategy and the public key to obtain the encrypted data transmission key;
The encrypted data transmission key is written into the negotiation configuration register, so that the host obtains the data transmission key based on the negotiation configuration register;
Data interaction is performed with the host based on the data transmission key;
The storage system includes: a memory; and a memory controller coupled to the memory and used to control the memory.

2. The method according to claim 1, characterized in that, The encryption register group includes at least: a configuration encryption function register.

3. The method according to claim 2, characterized in that: The encryption policy written by the host to the configuration encryption function register is obtained; the encryption policy is configured by the host for the storage system.

4. The method according to claim 3, characterized in that, The encryption strategy includes at least: encryption method and key length, wherein the key length includes the number of bits in the public key.

5. The method according to claim 4, characterized in that, When the encryption register group further includes a configuration encryption range register, the encryption strategy further includes: an encryption range; correspondingly, the method further includes: Obtain the encryption range written by the host to the configuration encryption range register; the encryption range is used to indicate the range of physical addresses to which the data to be encrypted and transmitted in the storage system belongs.

6. The method according to claim 2, characterized in that, The encryption register group further includes: a display encryption capability register, and the method further includes: Before obtaining the encryption policy written by the host to the configuration encryption function register, the host obtains the various encryption policies supported by the storage system based on the explicit encryption capability register.

7. The method according to claim 2, characterized in that, the encryption register group further includes: a reset encryption function register, and the method further includes: The host restores the encryption policy in the storage system to factory settings by means of the reset encryption function register.

8. The method according to claim 3, characterized in that, The process of generating the data transmission key includes: generating a random number; and generating the data transmission key based on the random number.

9. A data transmission method, characterized in that,
Applied to a host coupled to a storage system, the method includes:
Data encryption and decryption negotiation is performed with the storage system based on the encrypted register set to obtain a data transmission key; the encrypted register set is a set of encryption and decryption related registers configured in the storage system and related to the communication protocol supported by the storage system; the encrypted register set includes at least a negotiation configuration register;
Data interaction is performed with the storage system based on the data transmission key;
The process of negotiating data encryption and decryption based on the encrypted register set and the storage system to obtain the data transmission key includes:
Generate public and private keys for asymmetric encryption based on encryption strategies;
The public key is written into the negotiation configuration register, enabling the storage system to obtain the public key based on the negotiation configuration register.
The encrypted data transmission key written to the negotiation configuration register by the storage system is read; the encrypted data transmission key is obtained by the storage system using the encryption strategy and the public key to encrypt the data transmission key; the data transmission key is generated by the storage system.
The encrypted data transmission key is decrypted using the private key to obtain the data transmission key;
The storage system includes: a memory; and a memory controller coupled to the memory and used to control the memory.

10. The method according to claim 9, characterized in that, The encryption register group includes at least: a configuration encryption function register.

11. The method according to claim 10, characterized in that: The encryption policy is written into the configuration encryption function register; the encryption policy is configured by the host for the storage system. The encrypted data transmission key is obtained by the storage system using the encryption strategy and the public key to encrypt the data transmission key, including: the encrypted data transmission key is obtained by the storage system using the encryption strategy obtained by the configuration encryption function register and the public key to encrypt the data transmission key.

12. The method according to claim 11, characterized in that, The encryption strategy includes at least: encryption method and key length, wherein the key length includes the number of bits in the public key and the number of bits in the private key.

13. The method according to claim 12, characterized in that, when the encryption register group further includes a configuration encryption range register, the encryption strategy further includes: an encryption range; correspondingly, the method further includes: writing the encryption range into the configuration encryption range register, wherein the encryption range is used to indicate the range of physical addresses to which the data to be encrypted and transmitted in the storage system belongs.

14. The method according to claim 10, characterized in that, The encryption register group further includes: a display encryption capability register, and the method further includes: Before obtaining the encryption policy written by the host to the configuration encryption function register, the display encryption capability register is read to obtain the various encryption policies supported by the storage system.

15. The method according to claim 10, characterized in that, the encryption register group further includes: a reset encryption function register, and the method further includes: Write the reset command to the reset encryption function register to restore the encryption policy in the storage system to factory settings.

16. A storage system, characterized in that,
The storage system includes: a memory; and a memory controller coupled to the memory and used to control the memory, wherein;
The memory controller is configured to: configure an encrypted register set related to the communication protocol supported by the storage system, the encrypted register set including at least a negotiation configuration register; and during the initialization of the storage system, obtain a public key written by the host to the negotiation configuration register; the public key is generated by the host based on an encryption policy;
Generate a data transmission key;
The data transmission key is encrypted using the encryption strategy and the public key to obtain the encrypted data transmission key;
The encrypted data transmission key is written into the negotiation configuration register, so that the host obtains the data transmission key based on the negotiation configuration register;
Data interaction is performed with the host based on the data transmission key.