Computer system and virtual machine memory data integrity protection method

By introducing a security processor and memory isolation device into the computer system and using an address-leaf mapping table to manage leaf nodes, the problem of low efficiency in protecting virtual machine memory data integrity in existing technologies is solved, and effective resistance to malicious attacks and improvement of data security are achieved.

CN116226935BActive Publication Date: 2026-06-05HYGON YUNXIN INTEGRATED CIRCUIT DESIGN (SHANGHAI) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
HYGON YUNXIN INTEGRATED CIRCUIT DESIGN (SHANGHAI) CO LTD
Filing Date
2023-03-08
Publication Date
2026-06-05

Smart Images

  • Figure CN116226935B_ABST
    Figure CN116226935B_ABST
Patent Text Reader

Abstract

The embodiment of the present application discloses a computer system and a virtual machine memory data integrity protection method, relates to the technical field of computer security, and is favorable for improving the efficiency of virtual machine memory data integrity protection. The computer system comprises a processor core used for running a virtual machine; a security processor used for allocating memory space for each mapping relationship item in an address-leaf mapping table of the virtual machine as an address of a leaf node of an integrity protection tree; a memory isolation device used for determining whether a host physical address (hpa) accessed by a current virtual machine is a secure memory; and an integrity protection device used for, if the hpa accessed by the current virtual machine is the secure memory, determining a first leaf node corresponding to the hpa from the address-leaf mapping table according to the hpa. The present application is suitable for the integrity protection of virtual machine memory data.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of computer technology, and in particular to a method for protecting the integrity of memory data in computer systems and virtual machines. Background Technology

[0002] In recent years, with the widespread application of big data, data security has become an increasingly important issue. Security solutions, such as confidential computing, have begun to be widely used to address data security concerns. Data encryption, resource isolation, and remote authentication technologies serve as the cornerstone, providing high-security technical support for confidential computing. Memory-isolated virtual machines are a common confidential computing solution. They isolate the virtual machine's memory at the hardware level, prohibiting unauthorized access to that memory, while simultaneously encrypting the virtual machine's memory data to prevent plaintext leakage.

[0003] However, memory encryption and isolation do not completely solve the data security problem and cannot prevent the injection of illegal data into the memory outside the central processing unit (CPU) through malicious direct storage access or bus attacks.

[0004] Merkle trees are a common type of message integrity protection tree that uses a tree structure to protect data layer by layer. In existing integrity protection trees, the leaf nodes are usually located in relatively fixed positions in memory, making it relatively easy to identify the corresponding leaf node when writing or reading data from memory. However, when the memory of an integrity protection tree is dynamically managed, it becomes more difficult to quickly identify the corresponding leaf node when writing or reading data from memory, thus affecting the efficiency of virtual machine memory data integrity protection. Summary of the Invention

[0005] In view of this, embodiments of the present invention provide a method for protecting the integrity of computer system and virtual machine memory data, which is beneficial to improving the efficiency of virtual machine memory data integrity protection.

[0006] In a first aspect, embodiments of the present invention provide a computer system, comprising: a processor core, a security processor, a memory isolation device, and an integrity protection device; wherein, the processor core is used to run a virtual machine; the security processor is used to allocate secure memory for the virtual machine and allocate memory space for each mapping entry in the address-leaf mapping table of the virtual machine as the address of a leaf node of an integrity protection tree; the memory isolation device is used to determine whether the host physical address (hpa) accessed by the current virtual machine is secure memory; the integrity protection device is used to, if the hpa accessed by the current virtual machine is secure memory, determine a first leaf node corresponding to the hpa from the address-leaf mapping table according to the hpa; update or verify the hash value of the first leaf node; and update or verify the hash values ​​of other tree nodes other than the first leaf node along the direction of the root node of the integrity protection tree from the first leaf node.

[0007] According to a specific implementation of an embodiment of the present invention, the integrity protection device includes: a key query module for querying the memory integrity key of the current virtual machine; and a leaf node query module for determining a first leaf node from the address-leaf mapping table based on the hpa accessed by the current virtual machine.

[0008] The integrity control module is used to update or verify the hash value of the first leaf node based on the memory integrity key and the first leaf node; and to update or verify the hash values ​​of other tree nodes other than the first leaf node along the direction from the first leaf node toward the root node of the integrity protection tree.

[0009] According to a specific implementation of an embodiment of the present invention, the leaf node query module is specifically used for: determining a mapping relationship entry in the address-leaf mapping table based on the hpa currently accessed by the virtual machine; and determining the first leaf node based on the address recorded in the mapping relationship entry.

[0010] According to a specific implementation of an embodiment of the present invention, when the current virtual machine writes data to the hpa, the integrity control module is specifically configured to: increment the count value of the first leaf node by 1; calculate the latest hash value of the first leaf node based on the memory integrity key and a preset hash value calculation rule; update the hash value of the first leaf node using the latest hash value; and update the hash values ​​of other tree nodes besides the first leaf node along the direction from the first leaf node toward the root node of the integrity protection tree.

[0011] According to a specific implementation of an embodiment of the present invention, when the current virtual machine reads data from the hpa, the integrity control module is specifically used to: calculate the current hash value of the first leaf node, compare the current hash value with the hash value stored in the first leaf node, and if the two are consistent, then sequentially verify the hash values ​​of each tree node along the direction from the first leaf node toward the root node.

[0012] According to a specific implementation of an embodiment of the present invention, the security processor is further configured to traverse the tree nodes along the direction from the leaf nodes to the root node, and if the tree node does not exist, allocate secure memory for the tree node.

[0013] According to a specific implementation of an embodiment of the present invention, the security processor is further configured to, after the virtual machine is shut down, traverse the address-leaf mapping table, find each leaf node, and release the security memory occupied by the tree nodes of the virtual machine's integrity protection tree along the leaf nodes to the root node.

[0014] Secondly, embodiments of this application provide a method for protecting the integrity of virtual machine memory data, including:

[0015] Based on the first HPA (Hypertext Protection Table) for which the current virtual machine is writing data, determine the first leaf node corresponding to the first HPA from the address-leaf mapping table of the virtual machine; wherein, the address-leaf mapping table stores the address of the leaf node corresponding to the HPA that the virtual machine wants to access; update the hash value of the first leaf node; along the first leaf node, towards the root node of the integrity protection tree, update the hash values ​​of other tree nodes except the first leaf node.

[0016] According to a specific implementation of an embodiment of the present invention, determining the first leaf node corresponding to the first hpa from the address-leaf mapping table of the virtual machine based on the first hpa of the data currently written by the virtual machine includes: determining a mapping relationship entry in the address-leaf mapping table based on the first hpa of the data currently written by the virtual machine; and determining the first leaf node based on the address recorded in the mapping relationship entry.

[0017] According to a specific implementation of an embodiment of the present invention, updating the hash value of the first leaf node includes: incrementing the counter value of the first leaf node by 1; calculating the latest hash value of the first leaf node based on the memory integrity key of the virtual machine and a preset hash value calculation rule; and updating the hash value of the first leaf node using the latest hash value.

[0018] According to a specific implementation of an embodiment of the present invention, updating the hash values ​​of other tree nodes besides the first leaf node along the direction of the root node of the integrity protection tree, along the direction of the first leaf node, includes: updating the hash values ​​of other tree nodes besides the first leaf node along the direction of the root node of the integrity protection tree, based on the address of the parent node recorded in each non-root node.

[0019] According to a specific implementation of an embodiment of the present invention, after updating the hash values ​​of other tree nodes besides the first leaf node along the direction of the first leaf node toward the root node of the integrity protection tree, the method further includes: when the virtual machine reads data from the second hpa, determining the second leaf node of the integrity protection tree corresponding to the second hpa according to the second hpa and the address-leaf mapping table; verifying the hash value of the second leaf node, and after successful verification, sequentially verifying the hash values ​​of each tree node along the direction of the second leaf node toward the root node.

[0020] According to a specific implementation of an embodiment of the present invention, before determining the first leaf node corresponding to the first hpa from the address-leaf mapping table of the virtual machine based on the first hpa of the data currently written by the virtual machine, the method includes: allocating secure memory for the virtual machine; initializing the address-leaf mapping table in a designated area of ​​the secure memory; and allocating memory space for each mapping relationship item in the address-leaf mapping table as the address of the leaf node of the integrity protection tree.

[0021] According to a specific implementation of an embodiment of the present invention, after allocating memory space for each mapping item in the address-leaf mapping table as the address of the leaf node of the integrity protection tree, the method further includes: traversing the tree nodes along the direction from the leaf node to the root node, and if the tree node does not exist, allocating safe memory for the tree node.

[0022] According to a specific implementation of an embodiment of the present invention, after the virtual machine is shut down, the method further includes: traversing the address-leaf mapping table to find each leaf node; and releasing the security memory occupied by the tree nodes of the virtual machine's integrity protection tree along the leaf nodes to the root node.

[0023] This invention provides a method for protecting the integrity of computer system and virtual machine memory data. A security processor allocates secure memory to the virtual machine and manages the relationship between leaf nodes and the HPA accessed by the virtual machine through an address-leaf mapping table. When the HPA accessed by the virtual machine is secure memory, the leaf node corresponding to the HPA accessed by the virtual machine can be quickly queried through the address-leaf mapping table, so as to quickly complete the hash value update or verification of the nodes of the integrity protection tree, which helps to improve the efficiency of virtual machine memory data integrity protection. Attached Figure Description

[0024] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0025] Figure 1 This is a schematic diagram of the integrity protection tree structure in one embodiment;

[0026] Figure 2 A schematic diagram of a computer system architecture is provided for an embodiment of this application;

[0027] Figure 3 This is a schematic diagram of a secure memory storage structure in an embodiment of the present invention;

[0028] Figure 4 This is a schematic diagram of the address-leaf mapping table structure in one embodiment of this application;

[0029] Figure 5 This is a schematic diagram of the integrity protection tree structure in one embodiment of this application;

[0030] Figure 6 This is a schematic diagram of the storage structure of three adjacent tree nodes in one embodiment of this application;

[0031] Figure 7 This is a schematic diagram of the structure for protecting the integrity of virtual machine memory data by combining an address-leaf mapping table with an integrity protection tree in one embodiment of this application;

[0032] Figure 8 This is a schematic diagram of the structure of an embodiment of the integrity protection device in this application;

[0033] Figure 9a This is a schematic diagram illustrating the process of updating each tree node when the current virtual machine writes data into memory in one embodiment of this application;

[0034] Figure 9bThis is a schematic diagram illustrating the process of verifying each tree node when the current virtual machine reads data from memory in one embodiment of this application;

[0035] Figure 10 This is a schematic diagram illustrating the interaction process between the security processor and the processor core during the virtual machine's startup, operation, and destruction in one embodiment of this application.

[0036] Figure 11 This is a schematic flowchart of a virtual machine memory data integrity protection method provided in an embodiment of this application. Detailed Implementation

[0037] The embodiments of the present invention will now be described in detail with reference to the accompanying drawings. It should be understood that the described embodiments are merely some, not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative effort are within the scope of protection of the present invention.

[0038] Memory-isolated virtual machines typically add a memory isolation device within the memory controller. This device is responsible for providing access control permissions for the protected isolated memory, meaning that only the memory-isolated virtual machine to which the isolated memory belongs can access it; other entities, including the host operating system, applications, ordinary virtual machines, and virtual machine managers, cannot access the isolated memory, thus ensuring the memory data security of memory-isolated virtual machines from a hardware perspective.

[0039] The memory of a memory-isolated virtual machine is managed by a secure processor. The secure processor is a trusted device that cannot be modified by software on the x86 processor core. When a nested page fault occurs in a memory-isolated virtual machine, the secure processor allocates memory from isolated memory and writes the virtual machine identifier (vmid) to the memory isolation device of the memory controller. The memory isolation device maintains an attribute table containing the vmid and the memory allocated by the secure processor from the isolated memory. The private memory of a memory-isolated virtual machine cannot be accessed by other software on the x86 processor core, but memory-isolated virtual machines are not immune to physical attacks such as data replay.

[0040] Merkle trees are a common type of message integrity protection tree that uses a tree structure to protect data layer by layer.

[0041] In various embodiments of this application, the nodes of the integrity protection tree (also referred to as tree nodes) include root nodes and non-root nodes.

[0042] The root node is the node at the top of the integrity protection tree.

[0043] Non-root nodes can include leaf nodes and intermediate nodes. Leaf nodes are the nodes at the end of the integrity protection tree, and nodes between leaf nodes and the root node are called intermediate nodes. Intermediate nodes can be single-level or multi-level.

[0044] For a non-root node, its parent node (the adjacent node in the direction towards the root node) can be called the parent node of the non-root node, and its child node (the adjacent node in the direction towards the leaf node) can be called the child node of the non-root node. Parent node and child node are relative terms. A parent node can be the child node of its parent node; a child node can be the parent node of its child node.

[0045] Using a Merkle tree, the root node of the integrity protection tree can be stored in on-chip RAM (Random Access Memory) within the System-on-a-Chip (SoC), while non-root nodes remain in DRAM (Dynamic Random Access Memory). Non-root nodes in DRAM can be physically modified, but those in on-chip memory are immutable. The root node stored in on-chip memory allows for hash verification of data in DRAM and non-root nodes to detect data tampering.

[0046] Figure 1 This is a schematic diagram of the integrity protection tree structure in one embodiment. See below. Figure 1 The data is typically 512 bits, the length of a cache line. To defend against replay attacks, a version is added to the integrity protection tree. Each time data is written, a different version is set (usually the count value of a counter).

[0047] For each set of data, its hash value = hash(data, version, address, vm key), where data is the memory data, version is the data version information, address is the memory address, and vm key is the virtual machine key.

[0048] Figure 1In the integrity protection tree shown, the leaf nodes can be located in relatively fixed positions in memory. This makes it relatively easy to determine the corresponding leaf node when writing or reading data from memory. However, when both virtual machine data memory and integrity protection tree memory are dynamically managed, it becomes more difficult to quickly determine the corresponding leaf node when writing or reading data from memory. Therefore, this application provides a method for protecting the integrity of computer system and virtual machine memory data, facilitating the rapid determination of leaf nodes in the integrity protection tree and improving the efficiency of virtual machine memory data integrity protection.

[0049] Figure 2 A schematic diagram of a computer system architecture is provided for an embodiment of this application. See also: Figure 2 The computer system 10 provided in this application embodiment includes: a processor core 11, a security processor 12, a memory isolation device 13, and an integrity protection device 14;

[0050] Processor core 11 is used to run virtual machines;

[0051] Security processor 12 is used to allocate secure memory for the virtual machine, initialize the address-leaf map of the virtual machine in the secure memory, and allocate memory space for each mapping entry in the address-leaf map as the address of the leaf node of the integrity protection tree;

[0052] The memory isolation device 13 is used to determine whether the host physical address hpa (host physical address) accessed by the current virtual machine is safe memory;

[0053] The integrity protection device 14 is used to determine the first leaf node corresponding to the HPA from the address-leaf mapping table if the HPA currently accessed by the virtual machine is secure memory; update or verify the hash value of the first leaf node; and update or verify the hash values ​​of other tree nodes other than the first leaf node along the direction of the root node of the integrity protection tree from the first leaf node.

[0054] In this embodiment, the security processor allocates secure memory to the virtual machine and manages the relationship between leaf nodes and the HPA accessed by the virtual machine through an address-leaf mapping table. When the HPA accessed by the virtual machine is secure memory, the leaf node corresponding to the HPA accessed by the virtual machine can be quickly queried through the address-leaf mapping table, so as to quickly complete the hash value update or verification of the nodes of the integrity protection tree, which is beneficial to improving the efficiency of virtual machine memory data integrity protection.

[0055] A virtual machine is a computer system with full hardware system functionality simulated by software.

[0056] The virtual machine in the above embodiments can be called a memory-isolated virtual machine. By adding a memory isolation device to the computer system, the memory isolation device is responsible for providing access control permissions for the protected isolated memory. That is, only the memory-isolated virtual machine to which the isolated memory belongs can access it; other things, including the operating system on the processor core, applications, ordinary virtual machines, and the Virtual Machine Manager (VMM), cannot access the isolated memory, thus ensuring the memory data security of the memory-isolated virtual machine from a hardware perspective.

[0057] Furthermore, the virtual machine (i.e., a memory-isolated virtual machine) in the above embodiments can be an encrypted virtual machine. Data written by the encrypted virtual machine to secure memory is encrypted. The operating system on the processor core and other components cannot read the memory data of the encrypted virtual machine, thereby further ensuring the confidentiality of the virtual machine data.

[0058] See Figure 2 The computer system 10 in this embodiment also includes a memory controller 15, an encryption / decryption engine 16, and a memory 17. The memory controller 15 is used to read and write data from the memory 20. The encryption / decryption engine 16 is used to encrypt the data written to the memory 20 by the memory controller 15 and to decrypt the data read from the memory 20.

[0059] The processor core 11, security processor 12, memory isolation device 13, integrity protection device 14, memory controller 15, and encryption / decryption engine 16 can be integrated into a system-on-a-chip (SoC), which can contain a complete system and all embedded software. The memory isolation device 13, integrity protection device 14, and encryption / decryption engine 16 can be located in the memory controller 15.

[0060] Processor core 11 can be an x86 processor core. The memory encryption key is stored inside the SOC.

[0061] The security processor 12 refers to a dedicated processor, other than a general-purpose processor, specifically designed for managing security policies and having its own RAM 18.

[0062] In this embodiment, the security processor 12 can be used to allocate secure memory for the virtual machine.

[0063] During system startup, the user configures the required safe memory size. In subsequent startup processes, the system writes the safe memory range to the PROTECT_BASE (protected base address) register and the PROTECT_HIGH (protected high address) register. The PROTECT_BASE and PROTECT_HIGH registers store the safe memory base address and safe memory high address, respectively, indicating the address range of the safe memory.

[0064] See Figure 3 Based on the safe memory range, a suitable safe memory area is allocated from the lower end, and a PROTECT_LOW (protected low address) register is set to store the low address of the safe memory. The address range from the PROTECT_BASE register to the PROTECT_LOW register is used to store the virtual machine's address-leaf map, and the address range from the PROTECT_LOW register to the PROTECT_HIGH register is used for storing virtual machine memory and non-root node data.

[0065] The address-leaf mapping table stores the mapping relationship between the HPA accessed by the virtual machine and the leaf nodes of the integrity protection tree. Each mapping entry (also called an entry) in the address-leaf mapping table stores the virtual machine ID (vmid) and the leaf node address (leaf hpa). Each mapping entry can have its own identifier (ID) or index number. The corresponding mapping entry can be located based on the identifier (ID).

[0066] Figure 4 This is a schematic diagram of the address-leaf mapping table structure in one embodiment of this application. Figure 4 The arrows in the table point to one of the mapping entries. In one example, a mapping entry in the address-leaf mapping table is 64 bits, where the address of the leaf node occupies 48 bits and the virtual machine ID number occupies 16 bits.

[0067] Both virtual machine data memory and integrity protection tree memory adopt a unified dynamic management method. In this embodiment, the relationship between leaf nodes and data addresses is managed through an address-leaf mapping table, which facilitates the system to quickly query the leaf node corresponding to the hpa accessed by the virtual machine.

[0068] In this embodiment of the application, the integrity protection of virtual machine memory data is achieved by combining an address-leaf mapping table with an integrity protection tree.

[0069] Figure 5 This is a schematic diagram of the integrity protection tree structure in one embodiment of this application. See also: Figure 5Each non-root node (leaf / node) in the integrity protection tree stores the data's hash value, counter, and the address of its parent node, hpa.

[0070] Figure 6 This is a schematic diagram of the storage structure of three adjacent tree nodes in one embodiment of this application. Typically, memory read / write operations are performed in 512-bit units; see [reference]. Figure 6 Each tree node can be 512 bits in size, and the hash value and counter cnt of the data are both 56 bits. Each tree node can store 4 sets of hash values ​​and counter cnt.

[0071] Figure 7 This is a schematic diagram of the structure for protecting the integrity of virtual machine memory data by combining an address-leaf mapping table with an integrity protection tree in one embodiment of this application.

[0072] See Figure 7 Based on the HPA accessed by the virtual machine, the address of the leaf node corresponding to the HPA accessed by the virtual machine can be quickly determined through the address-leaf mapping table. Figure 7 The leaf hpa, node hpa, ..., root in the code enable fast traversal of the tree from leaf nodes to the root node. The root node is stored in the on-chip RAM 18 of the SOC, while other data is stored in secure memory.

[0073] Figure 8 This is a schematic diagram of the structure of an embodiment of the integrity protection device in this application. (See attached diagram.) Figure 8 In some embodiments, the integrity protection device 14 may include: a key query module 141, a leaf node query module 142, and an integrity control module 143. The key query module 141 is used to query the memory integrity key vm-key of the current virtual machine; the leaf node query module 142 is used to determine a first leaf node, denoted as leaf(hpa), from the address-leaf mapping table based on the hpa accessed by the current virtual machine; the integrity control module 143 is used to update or verify the hash value of the first leaf node based on the memory integrity key vm-key of the current virtual machine and the first leaf node; and to update or verify the hash values ​​of other tree nodes besides the first leaf node along the direction from the first leaf node toward the root node of the integrity protection tree.

[0074] In this embodiment, after the memory isolation device 13 determines that the hpa is a safe memory address of a legitimate virtual machine based on the hpa and the virtual machine identifier vmid transmitted from the internal address bus, the integrity protection device 14 queries the leaf node of the hpa in the integrity protection tree through the address-leaf mapping table of the current virtual machine.

[0075] In some embodiments, the leaf node query module 142 is specifically used to: determine a mapping relationship entry in the address-leaf mapping table based on the hpa currently accessed by the virtual machine; and determine the first leaf node based on the address recorded in the mapping relationship entry.

[0076] In some embodiments, the address-leaf mapping table may store the correspondence between the HPA accessed by the current virtual machine and the corresponding leaf node. By traversing the correspondence based on the HPA accessed by the current virtual machine, the address of the corresponding leaf node can be found.

[0077] To improve the speed of querying the address of the leaf node corresponding to the HPA accessed by the current virtual machine, in some embodiments, a mapping relationship entry in the address-leaf mapping table can be determined first based on the HPA accessed by the current virtual machine. Based on the address of the leaf node recorded in the mapping relationship entry, the leaf node corresponding to the HPA accessed by the current virtual machine can be determined.

[0078] Specifically, the ID of a mapping entry in the leaf mapping table corresponding to the address of the HPA currently accessed by the virtual machine can be determined using the following formula:

[0079] id = (hpa - PROTECT_BASE) / M, (Formula 1)

[0080] Where hpa is the safe memory address currently accessed by the virtual machine;

[0081] PROTECT_BASE is the safe memory base address;

[0082] M is the number of bytes in each mapping item; when each mapping item is 64 bits, M is 8; when each mapping item is 32 bits, M is 4.

[0083] Based on the id determined by Formula 1, the corresponding mapping entry can be found in the address-leaf mapping table. Based on the address of the leaf node recorded in the mapping entry, the leaf node corresponding to the hpa currently accessed by the virtual machine can be determined.

[0084] It should be understood that after the security processor initializes the address-leaf mapping table memory area within the security memory area, it can obtain the mapping relationship items corresponding to each HPA of the virtual machine according to Formula 1 above, and allocate corresponding security memory as the address of the leaf node for each mapping relationship item.

[0085] In some embodiments, when the current virtual machine writes data to the hpa, the integrity control module 143 is specifically configured to: increment the counter value of the first leaf node by 1; calculate the latest hash value of the first leaf node based on the memory integrity key and a preset hash value calculation rule; update the hash value of the first leaf node using the latest hash value; and update the hash values ​​of other tree nodes besides the first leaf node along the direction of the root node of the integrity protection tree from the first leaf node. Each non-root node records the address of its parent node, thereby allowing the hash values ​​of other tree nodes besides the first leaf node to be updated along the direction of the root node of the integrity protection tree from the first leaf node based on the parent node addresses recorded in each non-root node.

[0086] In some embodiments, the written data (data), the memory address (hpa) where the data was written, the identifier (vmid) of the current virtual machine, the memory integrity key (vm-key) of the current virtual machine, and the version counter (cnt) of the current data of the first leaf node can be used as parameters for hash value calculation. A predetermined algorithm is then used to calculate the hash value of the first leaf node. Specifically, the latest hash value of the first leaf node can be calculated using the following formula:

[0087] hash value = hash(data, hpa, vmid, vm-key, cnt), (Formula 2)

[0088] Where data is the data being written, hpa is the memory address where the data is written, vmid is the identifier of the current virtual machine, vm-key is the memory integrity key of the current virtual machine, and cnt is the version counter value of the current data.

[0089] After updating the hash value of the first leaf node, the hash values ​​of the corresponding nodes are updated sequentially along the path from the first leaf node to the root node, according to Formula 2. The hash calculation can be performed by an encryption / decryption engine.

[0090] When calculating the hash value of a node along the path from the leaf node to the root node using Formula 2, the `data` in Formula 2 can be the data in the child nodes of that node, specifically the 512-bit data stored in the child nodes. The above describes the hash value update process for each node in the integrity protection tree.

[0091] In some embodiments, when the current virtual machine reads data from the HPA, the integrity control module 143 is specifically configured to: calculate the current hash value of the first leaf node, compare the current hash value with the hash value stored in the first leaf node, and if they match, sequentially verify the hash values ​​of each tree node along the direction from the first leaf node toward the root node. Each non-root node records the address of its parent node, thereby allowing the hash values ​​of each tree node to be verified sequentially along the direction from the first leaf node toward the root node based on the parent node addresses recorded in each non-root node.

[0092] The current hash value of the first leaf node can be calculated using the formula (2) above. The above describes the verification process for each node of the integrity protection tree.

[0093] Figure 9a This is a schematic diagram illustrating the process of updating each tree node when the current virtual machine writes data to memory in one embodiment of this application. See also... Figure 9a After the current virtual machine writes data into memory, the integrity protection device queries the memory integrity key vm-key of the current virtual machine based on the identifier vmid of the current virtual machine, and queries the corresponding leaf node based on the address hpa of the written data. After incrementing the counter cnt of the leaf node by 1, the hash value of the leaf node is updated. Then, along the direction from the leaf node to the root node, the counter cnt of other tree nodes is incremented by 1 and the hash value of other tree nodes is updated.

[0094] Figure 9b This is a schematic diagram illustrating the process of verifying each tree node when the current virtual machine reads data from memory in one embodiment of this application. See also... Figure 9b When the current virtual machine reads data from the memory DRAM (hpa), the integrity protection device queries the current virtual machine's memory integrity key (vm-key) based on the virtual machine's identifier (vmid), and then queries the corresponding leaf node based on the data address (hpa). It retrieves the counter (cnt) and hash value (hash1) of the leaf node, calculates a new hash value (hash2) for the leaf node, and compares hash2 with hash1. If they are not equal, an exception is triggered and the virtual machine is notified. If they are equal, the process continues along the path from the leaf node to the root node, verifying the hash values ​​sequentially according to formula 2, until the root node is reached. The data is considered complete only if the root node's hash matches the calculated hash. Otherwise, an exception is triggered and the virtual machine is notified.

[0095] To enable dynamic management of the integrity protection tree memory, in some embodiments, the security processor 12 is further configured to traverse the tree nodes along the direction from the leaf nodes to the root node, and if a tree node does not exist, allocate secure memory for that tree node. Furthermore, the security processor 12 can also be configured to, after the virtual machine is shut down, traverse the address-leaf mapping table, find each leaf node, and release the secure memory occupied by the tree nodes of the virtual machine's integrity protection tree along the path from the leaf nodes to the root node.

[0096] Figure 10 This is a schematic diagram illustrating the interaction process between the security processor and the processor core during the virtual machine's startup, operation, and destruction in one embodiment of this application. See also... Figure 10 When the user powers on, the security processor configures the memory isolation device according to the user's configured security memory. Based on the size of the security memory, it configures the PROTECT_BASE register, PROTECT_LOW register, and PROTECT_HIGH register, and initializes the addr-leaf map memory (the security memory from the PROTECT_BASE register to the PROTECT_LOW register), the contents of which are all F (marked as invalid addresses).

[0097] The user starts the virtual machine, the security processor configures the memory encryption key and memory integrity key, measures the initial image, and performs encryption on the initial image, etc. The memory integrity key (vm-key) participates in the hash calculation in this embodiment to distinguish different virtual machines; that is, each virtual machine has a unique vm-key. After successful measurement verification, the virtual machine runs normally. During operation, it accesses memory, resulting in a nested page fault (NPF).

[0098] The NPF is sent to the security processor, which allocates safe memory hpa for the page fault address gpa (guest physical address) and updates the NPT (nested page table) so that the page fault address gpa is mapped to the allocated safe memory hpa.

[0099] The secure processor obtains the entries of the addr-leaf map of hpa according to Formula 1. If the entry is all F's at this time, it indicates that there are no leaf nodes. In this case, secure memory hpa_leaf is allocated as a leaf node, and hpa_leaf is updated to the entry. If the entry is valid, hpa_leaf is directly retrieved. Traverse from the leaf node of hpa_leaf to the root node. If the tree node does not exist, secure memory is allocated and the hpa of the tree node is initialized, cnt is set to 0, and the hash of the tree node is calculated. If the tree node exists, the hash and cnt of the tree node are directly updated.

[0100] When a virtual machine shuts down, the x86 processor core sends a destroy command to the security processor. The security processor releases the virtual machine's secure memory and clears the current virtual machine identifier (vmid) from the memory isolation device. It then traverses the addr-leafmap, finds the leaf nodes of the current vmid, and traverses from the leaf nodes to the root node, releasing the secure memory occupied by the tree nodes.

[0101] As can be seen from the above process, whether it is the memory of the integrity protection tree node or the memory of the virtual machine, the security processor adopts a unified security memory management mechanism, which makes it convenient and flexible to manage security memory.

[0102] Figure 11 This is a schematic flowchart of a virtual machine memory data integrity protection method provided in an embodiment of this application. (See attached diagram.) Figure 11 The virtual machine memory data integrity protection method in this embodiment includes:

[0103] S10. Based on the first hpa of the data currently written by the virtual machine, determine the first leaf node from the address-leaf mapping table of the virtual machine; wherein, the address-leaf mapping table stores the address of the leaf node corresponding to the hpa to be accessed by the virtual machine.

[0104] S12. Update the hash value and count value of the first leaf node;

[0105] S14. Along the first leaf node, towards the root node of the integrity protection tree, update the hash value and count value of the other tree nodes besides the first leaf node.

[0106] The virtual machine memory data integrity protection method of this embodiment can conveniently and quickly query the leaf node corresponding to the hpa accessed by the virtual machine from the address-leaf mapping table of the virtual machine based on the hpa of the data currently written by the virtual machine. This allows for rapid updating of the hash value of the nodes in the integrity protection tree, which is beneficial to improving the efficiency of virtual machine memory data integrity protection.

[0107] The virtual machine memory data integrity protection method of this embodiment can be applied to the above-mentioned computer system to protect the integrity of virtual machine memory data.

[0108] In some embodiments, determining the first leaf node from the address-leaf mapping table of the virtual machine based on the first hpa of the data currently written by the virtual machine (step S10) includes: determining a mapping relationship entry in the address-leaf mapping table based on the first hpa of the data currently written by the virtual machine; and determining the first leaf node of the integrity protection tree corresponding to the first hpa based on the address recorded in the mapping relationship entry.

[0109] In this embodiment, the process of determining a mapping relationship entry in the address-leaf mapping table based on the first hpa of the data currently written by the virtual machine, and determining the first leaf node of the integrity protection tree corresponding to the first hpa based on the address recorded in the mapping relationship entry, can be referred to the relevant description in the foregoing computer system embodiment, and will not be repeated here.

[0110] In some embodiments, updating the hash value and count value of the first leaf node includes: incrementing the count value of the first leaf node by 1; querying the virtual machine's memory integrity key based on the virtual machine's ID; calculating the latest hash value of the first leaf node based on the memory integrity key and a preset hash value calculation rule (the first hpa, the data written in the first hpa, the virtual machine's ID, and the count value of the first leaf node, using a preset encryption algorithm); and updating the hash value of the first leaf node using the latest hash value.

[0111] In some embodiments, after updating the hash values ​​and count values ​​of other tree nodes besides the first leaf node along the direction of the root node of the integrity protection tree, the method further includes: determining the second leaf node of the integrity protection tree corresponding to the second hpa based on the second hpa from which the virtual machine needs to read memory data and the address-leaf mapping table; verifying the hash value of the second leaf node; and after successful verification, verifying the hash values ​​of each tree node sequentially along the direction of the second leaf node towards the root node.

[0112] In some embodiments, before determining the first leaf node from the address-leaf mapping table of the virtual machine based on the first hpa of the currently written data of the virtual machine, the method includes: allocating secure memory for the virtual machine; initializing the address-leaf mapping table in a specified region of the secure memory; and allocating secure memory as the address of the leaf node for each entry in the address-leaf mapping table.

[0113] To enable dynamic management of the integrity protection tree memory, in some embodiments, after allocating secure memory as the address of the leaf node for each entry in the address-leaf mapping table, the method further includes: traversing the tree nodes along the direction from the leaf node to the root node, and if the node does not exist, allocating secure memory for the node.

[0114] Furthermore, after the virtual machine is shut down, the method further includes: traversing the address-leaf mapping table to determine each leaf node; and based on each leaf node, releasing the security memory occupied by each tree node of the virtual machine's integrity protection tree along the direction from the leaf node to the root node.

[0115] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0116] The various embodiments in this specification are described in a related manner. The same or similar parts between the various embodiments can be referred to each other. Each embodiment focuses on describing the differences from other embodiments.

[0117] In particular, the device embodiment is basically similar to the method embodiment, so the description is relatively simple. For relevant details, please refer to the description of the method embodiment.

[0118] For ease of description, the above apparatus is described by dividing it into various functional units / modules. Of course, in implementing this invention, the functions of each unit / module can be implemented in one or more software and / or hardware.

[0119] Those skilled in the art will understand that all or part of the processes in the above embodiments can be implemented by a computer program instructing related hardware. The program can be stored in a computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. The storage medium can be a magnetic disk, optical disk, read-only memory (ROM), or random access memory (RAM), etc.

[0120] The above description is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in the present invention should be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.

Claims

1. A computer system, characterized in that, include: Processor core, security processor, memory isolation device, and integrity protection device; among which, The processor core is used to run virtual machines; The security processor is used to allocate secure memory for the virtual machine and to allocate memory space for each mapping entry in the address-leaf mapping table of the virtual machine. The memory space is used to store the address-leaf mapping table, and each mapping entry in the address-leaf mapping table is used to store the correspondence between the virtual machine identifier and the address of the leaf node. The virtual machine identifier is determined based on the host physical address hpa accessed by the virtual machine. The memory isolation device is used to determine whether the host physical address hpa currently accessed by the virtual machine is safe memory; The integrity protection device is configured to, if the current virtual machine accesses a secure memory (hpa), determine the address of the first leaf node corresponding to the hpa from the address-leaf mapping table based on the hpa; update or verify the hash value of the first leaf node; and update or verify the hash values ​​of other tree nodes besides the first leaf node along the direction from the first leaf node toward the root node of the integrity protection tree.

2. The computer system according to claim 1, characterized in that, The integrity protection device includes: The key query module is used to query the memory integrity key of the current virtual machine; The leaf node query module is used to determine the address of the first leaf node from the address-leaf mapping table based on the hpa currently accessed by the virtual machine. The integrity control module is used to obtain the latest hash value or current hash value of the first leaf node based on the memory integrity key and the address of the first leaf node; update the hash value of the first leaf node based on the latest hash value or verify the hash value of the first leaf node based on the current hash value; update or verify the hash values ​​of other tree nodes besides the first leaf node along the direction of the root node of the integrity protection tree from the first leaf node; the memory integrity key is the calculation parameter of the latest hash value or the current hash value.

3. The computer system according to claim 2, characterized in that, The leaf node query module is specifically used for: Based on the hpa currently accessed by the virtual machine, determine a mapping entry in the address-leaf mapping table; The address of the first leaf node is determined based on the address recorded in the mapping relationship item.

4. The computer system according to claim 2, characterized in that, When the current virtual machine writes data to the hpa, the integrity control module is specifically used for: Increment the count value of the first leaf node by 1 to obtain the current count value; calculate the latest hash value of the first leaf node based on the memory integrity key, the current count value, the address of the first leaf node, and the preset hash value calculation rule; The hash value of the first leaf node is updated using the latest hash value; Along the first leaf node, towards the root node of the integrity protection tree, update the hash values ​​of all tree nodes except the first leaf node.

5. The computer system according to claim 2, characterized in that, When the current virtual machine reads data from the HPA, the integrity control module is specifically used for: Calculate the current hash value of the first leaf node, compare the current hash value with the hash value stored in the first leaf node, and if they match, check the hash values ​​of each tree node in turn along the direction from the first leaf node toward the root node.

6. The computer system according to claim 3, characterized in that, The security processor is further configured to, after the leaf node query module determines the address of the first leaf node based on the address recorded in the mapping relationship item, traverse the tree nodes along the direction from the leaf node to the root node, and if the tree node does not exist, allocate secure memory for the tree node.

7. The computer system according to claim 1, characterized in that, The security processor is also configured to, after the virtual machine is shut down, traverse the address-leaf mapping table, find each leaf node, and, along the leaf nodes to the root node, release the security memory occupied by the tree nodes of the virtual machine's integrity protection tree.

8. A method for protecting the integrity of virtual machine memory data, characterized in that, include: Based on the first hpa of the data currently written by the virtual machine, the address of the first leaf node corresponding to the first hpa is determined from the address-leaf mapping table of the virtual machine; wherein, each mapping entry of the address-leaf mapping table is used to store the correspondence between the virtual machine identifier and the address of the leaf node; the virtual machine identifier is determined based on the host physical address hpa accessed by the virtual machine; Update the hash value of the first leaf node; Along the first leaf node, towards the root node of the integrity protection tree, update the hash values ​​of all tree nodes except the first leaf node.

9. The virtual machine memory data integrity protection method according to claim 8, characterized in that, The step of determining the first leaf node corresponding to the first hpa from the address-leaf mapping table of the virtual machine based on the first hpa of the currently written data of the virtual machine includes: Based on the first hpa of the data currently written by the virtual machine, determine a mapping entry in the address-leaf mapping table; The first leaf node is determined based on the address recorded in the mapping relationship item.

10. The virtual machine memory data integrity protection method according to claim 8, characterized in that, Updating the hash value of the first leaf node includes: Increment the count value of the first leaf node by 1 to obtain the current count value; The latest hash value of the first leaf node is calculated based on the virtual machine's memory integrity key, the current count value, the address of the first leaf node, and a preset hash value calculation rule; the memory integrity key is the calculation parameter for the latest hash value. The hash value of the first leaf node is updated using the latest hash value.

11. The virtual machine memory data integrity protection method according to claim 8, characterized in that, The step of updating the hash values ​​of all tree nodes other than the first leaf node along the direction from the first leaf node toward the root node of the integrity protection tree includes: Based on the addresses of the parent nodes recorded in each non-root node, the hash values ​​of the other tree nodes, excluding the first leaf node, are updated along the first leaf node toward the root node of the integrity protection tree.

12. The virtual machine memory data integrity protection method according to claim 8, characterized in that, After updating the hash values ​​of all tree nodes except the first leaf node along the direction from the first leaf node toward the root node of the integrity protection tree, the method further includes: When the virtual machine reads data from the second HPA, the second leaf node of the integrity protection tree corresponding to the second HPA is determined according to the second HPA and the address-leaf mapping table; The hash value of the second leaf node is verified. If the verification is successful, the hash values ​​of each tree node are verified sequentially along the direction from the second leaf node toward the root node.

13. The virtual machine memory data integrity protection method according to claim 8, characterized in that, Before determining the first leaf node corresponding to the first hpa from the address-leaf mapping table of the virtual machine based on the first hpa of the currently written data of the virtual machine, the method includes: Allocate safe memory for the virtual machine; In a designated region of the secure memory, initialize the address-leaf mapping table; Memory space is allocated for each mapping entry in the address-leaf mapping table, and the memory space is used to store the address-leaf mapping table.

14. The virtual machine memory data integrity protection method according to claim 13, characterized in that, After allocating memory space for each mapping entry in the address-leaf mapping table, the method further includes: Traverse the tree nodes along the direction from the leaf nodes toward the root node. If a tree node does not exist, allocate safe memory for that tree node.

15. The virtual machine memory data integrity protection method according to claim 8, characterized in that, After the virtual machine is shut down, the method further includes: Traverse the address-leaf mapping table to find each leaf node; Along the leaf nodes to the root node, release the secure memory occupied by the tree nodes of the virtual machine's integrity protection tree.