Secure cross-address space bridging

By introducing memory domains and cross-PCIe domain MKEYs into network devices, combined with cross-security domain MKEYs, the problems of high processing overhead and poor scalability in cross-address space bridging are solved, achieving efficient and secure cross-address space bridging and improving system scalability and performance.

CN122173422APending Publication Date: 2026-06-09MELLANOX TECHNOLOGIES LTD(IL)

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
MELLANOX TECHNOLOGIES LTD(IL)
Filing Date
2025-12-09
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing technologies suffer from high processing overhead and poor scalability in cross-address space bridging, especially when network devices need to frequently access multiple sub-regions of memory. This requires defining a separate cross-domain key for each sub-region, resulting in excessive resource consumption and processing burden.

Method used

A cross-address space bridging mechanism is adopted, using two common keys: memory domain MKEY and cross-PCIe domain MKEY, combined with cross-security domain MKEY. Cross-security domain MKEY is defined only for specific memory sub-regions, reducing the need for separate definitions for each sub-region, and security policies are managed through a policy manager.

Benefits of technology

It achieves efficient, scalable, and secure cross-address space bridging, reducing management overhead and improving system flexibility and performance.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122173422A_ABST
    Figure CN122173422A_ABST
Patent Text Reader

Abstract

A network device includes a bus interface and one or more circuits. The bus interface communicates with a memory using a first bus domain and communicates with a user application using a second bus domain. The one or more circuits perform a first bus function to access a region of the memory using a memory domain MKEY in the first bus domain; perform a second bus function to communicate with the user application using the second bus domain and to transmit a packet for the user application over a network, wherein processing of the packet includes accessing the region of the memory via a cross-domain MKEY pointing to the memory domain MKEY in the first bus function; and defining, in response to authorization to access a sub-region in the region of the memory, a cross-security domain MKEY pointing to the cross-domain MKEY, which in turn points to the memory domain MKEY, for the sub-region.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates generally to network communications, and more particularly to cross-address space bridging in network devices. Background Technology

[0002] Network devices, such as network interface controllers (NICs), host channel adapters (HCAs), and data processing units (DPUs), are typically used to provide network services to user applications. In an example configuration, the user application runs on a suitable processor, and the network device communicates with the processor via a peripheral bus. Examples of peripheral buses include Peripheral Component Interconnect High Speed ​​(PCIe), NVLink, and Compute Fast Link (CXL). Summary of the Invention

[0003] One embodiment described herein provides a network device including one or more ports, a bus interface, and one or more circuits. The one or more ports are used for connection to a network. The bus interface is used for: (i) communicating with memory using a first bus domain of a peripheral bus; and (ii) communicating with one or more user applications using a second bus domain of the peripheral bus. The one or more circuits are used to perform a first bus function, namely, accessing a region of memory using a memory domain memory key (MKEY) defined in the first bus domain; and performing a second bus function, namely, communicating with user applications using the second bus domain and transmitting packets for user applications over the network, wherein processing of the packets includes: accessing a region of memory via a cross-bus domain MKEY pointing to a memory domain MKEY in the first bus function; and, in response to an authorized user application accessing a sub-region within the memory region, defining a corresponding cross-security domain MKEY pointing to the cross-bus domain MKEY for that sub-region, which in turn points to the memory domain MKEY.

[0004] In one embodiment, in response to authorizing one or more user applications to access one or more additional sub-regions of the memory region, one or more circuits define one or more additional cross-security domain MKEYs for the one or more additional sub-regions, the one or more additional cross-security domain MKEYs pointing to the cross-bus domain MKEY.

[0005] In the disclosed embodiments, the first bus function receives a cross-security domain MKEY from a policyr that authorizes user applications to access sub-regions within a memory region and defines a corresponding cross-security domain MKEY for the sub-region.

[0006] In one exemplary embodiment, in response to a memory access command from a user application for a specified virtual address VA, one or more circuits are configured to translate VA into a physical address PA in a sub-region according to the address mapping defined in the memory domain MKEY, and access PA in memory.

[0007] In one embodiment, a first bus function is used to communicate with a graphics processing unit (GPU), and the memory is located inside the GPU; a second bus function is used to communicate with one or more hosts, and the user application runs on said one or more hosts. In another embodiment, the network device is a data processing unit (DPU) including a CPU and one or more processor cores; a first bus function is used to communicate with the CPU, and the memory is located inside the CPU; a second bus function is used to communicate with one or more processor cores, and the user application runs on said one or more processor cores.

[0008] In one exemplary embodiment, the cross-security domain MKEY includes a first MKEY that modifies the protection domain PD of a sub-region and a second MKEY that maps the address of the sub-region.

[0009] Furthermore, according to the embodiments described herein, a method in a network device is also additionally provided. The method includes: a network device communicating with memory using a first bus domain of a peripheral bus, and communicating with one or more user applications using a second bus domain of the peripheral bus. A first bus function is executed in the network device, the first bus function accessing a region of the memory using a memory domain memory key (MKEY) defined in the first bus domain. A second bus function is executed in the network device, the second bus function communicating with the user applications using the second bus domain, and transmitting packets for the user applications over a network, wherein processing of the packets includes accessing the region of the memory via a cross-bus domain MKEY pointing to the memory domain MKEY in the first bus function. In response to authorizing a user application to access a sub-region within the region of the memory, a corresponding cross-security domain MKEY is defined for the sub-region. The cross-security domain MKEY points to the cross-bus domain MKEY, and the cross-bus domain MKEY in turn points to the memory domain MKEY.

[0010] According to the embodiments described herein, a data center is also provided, comprising one or more network devices. At least one of the network devices includes one or more ports, a bus interface, and one or more circuits. The one or more ports are used for connection to a network. The bus interface is used for: (i) communicating with memory using a first bus domain of a peripheral bus; and (ii) communicating with one or more user applications using a second bus domain of the peripheral bus. The one or more circuits are used for: performing a first bus function, namely, accessing a region of the memory using a memory domain memory key MKEY defined in the first bus domain; performing a second bus function, namely, communicating with user applications using a second bus domain and transmitting packets for user applications over the network, wherein packet processing includes: accessing a region of the memory via a cross-bus domain MKEY pointing to the memory domain MKEY in the first bus function; and, in response to an authorized user application accessing a sub-region in the region of the memory, defining a corresponding cross-security domain MKEY pointing to the cross-bus domain MKEY for the sub-region, wherein the cross-bus domain MKEY in turn points to the memory domain MKEY. Attached Figure Description

[0011] This disclosure will be more fully understood through the following detailed description of embodiments in conjunction with the accompanying drawings, in which:

[0012] Figure 1 and Figure 2 A block diagram of a computing and communication system using low-overhead secure cross-address space bridging according to embodiments described herein is illustrated schematically.

[0013] Figure 3 and Figure 4 A chain of memory keys (MKEY, memory key) for implementing cross-address space bridging according to embodiments described herein is illustrated schematically.

[0014] Figure 5 A flowchart illustrating a method for packet transmission using cross-address space bridging according to embodiments described herein is shown schematically; and

[0015] Figure 6 A block diagram of a computing system including network devices that use low-overhead secure cross-address space bridging is schematically shown according to embodiments described herein. Detailed Implementation

[0016] Overview

[0017] The embodiments described herein provide improved network devices (e.g., NICs, HCAs, or DPUs) and related methods. In the disclosed embodiments, the network device sends and receives packets to and from a network, thereby providing network communication to user applications running on a processor. In the embodiments described herein, the network device communicates over the network using a Remote Direct Memory Access (RDMA) protocol. Alternatively, any other suitable protocol may be used.

[0018] Network devices connect to the processor using one domain of the peripheral bus and to memory via a separate domain of the peripheral bus. The memory stores relevant information, such as packet data. Network devices perform two bus functions: a first bus function, communicating with memory via the first domain of the peripheral bus; and a second bus function, communicating with the processor via the second domain of the peripheral bus. These two bus functions can be implemented in hardware and / or firmware.

[0019] The embodiments described herein primarily relate to the PCIe bus by way of example. The terms “peripheral bus,” “bus,” and “PCIe bus” are used interchangeably herein, as are the terms “bus domain” and “PCIe domain,” and “bus function” and “PCIe function.” In alternative embodiments, the disclosed techniques can be used in a similar manner for any other suitable peripheral bus, such as the Compute Express Link (CXL).

[0020] The first PCIe function in a network device is responsible for accessing memory. The second PCIe function in a network device is responsible for communicating with user applications and sending and receiving packets over the network.

[0021] To send a packet, the first PCIe function needs to read packet data from memory. The packet data then needs to be passed to the second PCIe function to generate the packet. Upon receiving a packet, the second PCIe function needs to pass the packet data back to the first PCIe function for storage in memory. Because these two PCIe functions use two different address spaces to address the target data, exchanging data between the first and second PCIe functions is not straightforward.

[0022] The first PCIe function typically uses a specific memory key (MKEY) to access packet data in memory, which specifies the translation between a virtual address (VA) and its corresponding physical address (PA) in memory. On the other hand, the user application specifies the address of the data based on a different MKEY. Data exchange between the first and second PCIe functions requires bridging between different address spaces defined in two different PCIe domains. Certain aspects of cross-address space bridging are described in U.S. Patent 11,940,933, the disclosure of which is incorporated herein by reference.

[0023] In one possible approach, the network supports a mechanism that allows a PCIe function in one PCIe domain to access the address space of other PCIe functions in different PCIe domains. In this approach, the network device defines a "cross-domain MKEY" for each request from a user application to send or receive data between the network and memory. The cross-domain MKEY translates the VA (Version Object) in the address space used by the user application (and by the second PCIe function) to the corresponding VA in the address space used by the first PCIe function.

[0024] However, the above approach may not be optimal in many practical applications. For example, consider a scenario where network devices need to send and / or receive large data buffers corresponding to large quantum regions of memory. When using the above approach, the network device needs to define a separate cross-domain MKEY for each sub-region of memory (i.e., each data buffer to be sent or received). This solution incurs considerable processing overhead and memory footprint, and has poor scalability. The processing overhead is particularly high when each cross-domain MKEY must be validated against a security policy before deployment.

[0025] In the embodiments described herein, the network device provides a highly scalable and secure cross-address space mechanism that does not require a separate cross-domain MKEY for each data buffer (i.e., for each accessed memory sub-region). Instead, the network device defines two generic MKEYs that are not specific to any particular user application, buffer, or memory sub-region:

[0026] ■ "Memory Domain MKEY": An MKEY defined in the first PCIe domain and used by the first PCIe function. This MKEY translates the entire virtual address space of the first PCIe domain into the corresponding physical address in memory.

[0027] ■ "Cross-PCIe Domain MKEY" (or "Cross-Bus Domain MKEY"): An MKEY defined in the second PCIe domain and used by the second PCIe functionality. This MKEY translates the entire virtual address space of the second PCIe domain into the virtual address space of the first PCIe domain.

[0028] Applying the cross-PCIe domain MKEY to the VA in the address space of the second PCIe domain yields the corresponding VA in the address space of the first PCIe domain. Applying the memory domain MKEY to this result (i.e., the VA in the address space of the first PCIe domain) yields the corresponding PA in memory. These transformations can be performed on any subregion of memory.

[0029] To access a specific sub-region storing a particular data buffer, a network device defines a specific MKEY, called a "cross-security-domain MKEY". The cross-security-domain MKEY is defined in the second PCIe domain and points to the cross-PCIe domain MKEY (also located in the second PCIe domain). The cross-security-domain MKEY maps to the VA of the specific data buffer (memory sub-region), not the entire address space of the second PCIe domain.

[0030] As the name suggests, in some embodiments, cross-security-domain MKEYs are also used to enforce security policies. In some embodiments, the system (e.g., a host) runs a policy builder that approves or denies requests from user applications to send and receive data buffers. When the policy builder approves a request, it defines the corresponding cross-security-domain MKEY.

[0031] Therefore, when requested to send and / or receive multiple data buffers corresponding to multiple memory sub-regions, the policy builder and network device only need to set a corresponding cross-security domain MKEY for each sub-region. These multiple cross-security domain MKEYs all point to a cross-PCIe domain MKEY, which in turn points to a memory domain MKEY. Cross-security domain MKEYs typically do not perform any address translation, and are therefore relatively small and simple. Defining cross-security domain MKEYs for sub-regions is an operation with very low overhead in terms of memory and computing power. Therefore, the disclosed cross-address space bridging mechanism is efficient, scalable, and secure.

[0032] System Description

[0033] Figure 1 A block diagram of a computing and communication system 20 employing low-overhead secure cross-address space bridging according to embodiments described herein is illustrated schematically. System 20 includes a network device, in this example a NIC 24, which connects a host 28 (also referred to as a server or processor) to a network 32. System 20 also includes a graphics processing unit (GPU) 36 connected to NIC 24.

[0034] For example, system 20 can be used as a node in a data center. Such a node can contain multiple NICs, multiple hosts, and / or multiple GPUs. For clarity, this example only shows a single NIC, a single host, and a single GPU. More complex system use cases can be found below. Figure 6 .

[0035] NIC 24 includes one or more ports for connecting to network 32, and a bus interface for connecting to host 28. For clarity, the ports and bus interface are omitted from the diagram. GPU 36 includes memory 44, such as random access memory (RAM). NIC 24 is connected to GPU 36 via its bus interface.

[0036] exist Figure 1 In this embodiment, NIC 24 communicates with host 28 and GPU 36 using PCIe. NIC 24 uses one PCIe domain (referred to herein as "domain 1") to communicate with GPU 36 and a separate PCIe domain (referred to herein as "domain 2") to communicate with host 28. In alternative embodiments, any other suitable peripheral bus may be used.

[0037] Host 28 runs one or more user applications 40, in this example two applications, labeled 40A and 40B. User applications 40 use NIC 24 to send and receive packets over network 32. In some embodiments, NIC 24 uses RDMA to send and receive packets with a peer NIC. In this implementation, packet data (e.g., data to be sent in output packets and / or data received in input packets) is stored in a suitable area of ​​memory 44 of GPU 36.

[0038] To send a packet to a remote NIC, NIC 24 directly reads the corresponding memory buffer from memory 44 without the involvement of host 28, generates a packet carrying data, and sends the packet through network 32. Similarly, upon receiving a packet, NIC 24 directly writes packet data to the memory buffer in memory 44 without the involvement of host 28.

[0039] exist Figure 1In the example, memory buffers for user applications 40A and 40B are stored in three memory sub-regions 48 within the memory 44 of the GPU 36. The terms "memory buffer" and "memory sub-region" are used interchangeably herein. User application 40A handles two independent communication connections via network 32. Packet data for these two connections is stored in two corresponding memory sub-regions 48, labeled "1" and "2". User application 40B handles one communication connection via the network. Packet data for this connection is stored in memory sub-region 48, labeled "3".

[0040] NIC 24 performs two PCIe functions, typically implemented in hardware: DMA engine function 56 is associated with PCIe domain 1 and is responsible for accessing GPU memory 44. NIC function 52 is associated with PCIe domain 2 and is responsible for communicating with host 28 and sending and receiving packets over network 32. Therefore, in some embodiments, NIC 24 includes: (i) one or more ports for communicating with network 32; (ii) a bus interface for communicating with host 28 (e.g., with user application 40) and GPU 36 (e.g., with memory 44); and (iii) one or more circuits, including at least PCIe functions 52 and 56.

[0041] As described above, both packet transmission and packet reception involve transferring data between memory region 48 and network 32. Therefore, both packet transmission and packet reception require bridging between the address spaces of PCIe domain 1 and PCIe domain 2.

[0042] In some embodiments, the NIC 24 sends and receives packets by applying a chain of three types of memory keys (MKEYs). This scheme provides cross-address space bridging with a high level of scalability, high security, and low management overhead.

[0043] The first type of MKEY is called "Memory Domain MKEY" 60. Memory Domain MKEY 60 is defined in PCIe domain 1 and used by DMA engine function 56. Memory Domain MKEY 60 translates the entire virtual address space of PCIe domain 1 into corresponding physical addresses in memory 44. Memory Domain MKEY 60 is generic because it is not specific to any user application 40 or memory subregion 48.

[0044] The second type of MKEY is called a "Cross-PCIe Domain MKEY" 64 (or Cross-Bus Domain MKEY). The Cross-PCIe Domain MKEY 64 is defined in PCIe Domain 2 and used by NIC function 52. The Cross-PCIe Domain MKEY 64 translates the entire virtual address space of PCIe Domain 2 into the virtual address space of PCIe Domain 1. The Cross-PCIe Domain MKEY 64 is also generic, meaning it is not specific to any user application 40 or memory subregion 48. MKEY 64 points to MKEY 60.

[0045] The third type of MKEY is called a "cross-security-domain MKEY" 68. This type of MKEY is not generic. The difference is that a corresponding instance of the cross-security-domain MKEY 68 is defined to access a specific memory sub-region 48. Figure 1 In the example, three cross-security-domain MKEYs 68, labeled M1, M2, and M3, are defined to access three memory subregions 48 labeled "1", "2", and "3", respectively. M1 and M2 are defined for user application 40A, and M3 is defined for user application 40B. The cross-security-domain MKEYs 68 are defined in PCIe domain 2 and all point to the cross-PCIe domain MKEY 64. A given cross-security-domain MKEY 68 maps to a VA for a specific data buffer (memory subregion 48).

[0046] The given cross-security-domain MKEY 68 can be viewed as having a dual function—(i) modifying the protection domain (PD) of subregion 48, and (ii) mapping the address of the subregion. See below for reference. Figure 4 Another implementation is described, in which MKEY 68 is replaced by two MKEYs that perform these two functions respectively.

[0047] In some embodiments, system 20 also includes a policymaker 66 responsible for enforcing security policies. Policymaker 66 may, in other tasks, authorize requests from user application 40 to access sub-region 48 in memory 44. Upon authorization of the request, policymaker 66 defines a corresponding cross-security domain MKEY 68 and provides this MKEY 68 to the requesting user application. Because this MKEY 68 only maps the address of a specific sub-region 48, the user application cannot access other sub-regions 48. This mechanism allows policymaker 66 to ensure that applicable security policies are not violated. In the default example, policymaker 66 is implemented as a software module that runs (with high privileges) on host 28. Alternatively, policymaker 66 can run on any other suitable system element, such as in the firmware of NIC 24.

[0048] Figure 2A block diagram of a computing and communication system 70 employing low-overhead secure cross-address space bridging, according to another embodiment described herein, is illustrated schematically. This embodiment is related to... Figure 1 The difference in this embodiment is that the user application, NIC, and memory are all integrated into the data processing unit (DPU) 74, sometimes referred to as a "smart NIC". System 70 can also be used as a node, for example, in a data center. Such a node may contain one or more DPUs 74.

[0049] The DPU 74 includes one or more processor cores, in this case ARM core 78, which run user applications 40, in this case user applications 40A and 40B. The DPU 74 also includes one or more central processing units (CPUs), in this case x86 CPU 86, also known as the host. The CPU 86 includes memory 90, such as RAM, in which regional storage sub-regions 48 are located.

[0050] The DPU 74 also includes the NIC 82. Figure 1 Similar to NIC 24, NIC 82 includes one or more ports (not shown in the figure) for communicating with network 32, and a bus interface (also not shown in the figure) for communicating with ARM core 78 and CPU 86. NIC 82 also includes one or more circuits that at least include NIC function 52 and storage function 94.

[0051] Storage function 94 is associated with PCIe domain 1 and is responsible for accessing memory 90. NIC function 52 is associated with PCIe domain 2 and is responsible for communicating with user application 40 and communicating over network 32 (similar to...). Figure 1 NIC function 52).

[0052] In this example, ARM core 78 also runs strategyr 66. Alternatively, strategyr 66 can run in firmware such as DPU NIC82. The cross-address space bridging scheme in DPU 74 is similar to... Figure 1 The scheme is similar—using memory domain MKEY 60, cross-PCIe domain MKEY 64, and one or more cross-security domain MKEY 68.

[0053] like Figure 1 and Figure 2 As shown, the configurations of systems 20 and 70 include NICs 24 and 82, host 28, DPU 74, and other system components. This is an example configuration chosen purely for clarity of concept. In alternative embodiments, any other suitable configuration may be used.

[0054] The disclosed network devices, such as NIC 24 and DPU 74, can be implemented using suitable hardware, such as in one or more application-specific integrated circuits (ASICs) or field-programmable gate arrays (FPGAs); implemented in software, in hardware, or a combination of hardware and software elements. Memory 44 and 90 can be implemented using any suitable memory, such as random access memory (RAM). For clarity, elements not essential for understanding the disclosed technology are omitted from the figures.

[0055] Certain elements of the disclosed network device may be implemented using one or more general-purpose processors, which are programmed by software to perform the functions described herein. This software may be downloaded, for example, electronically over a network to one or more processors, or it may be provided and / or stored, alternatively or additionally, on a non-transitory tangible medium, such as magnetic memory, optical memory, or electronic memory.

[0056] Chained MKEYs for cross-address space bridging

[0057] Figure 3 A schematic diagram illustrates a chain of MKEYs used to implement cross-address space bridging according to embodiments described herein. As described above for... Figure 1 and Figure 2 The MKEY chain used to access a given memory subregion 48 includes the following:

[0058] ■ Memory domain MKEY 60 translates the virtual address space of PCIe domain 1 into the corresponding physical address in memory.

[0059] ■ Cross PCIe domain MKEY 64, point to memory domain MKEY60, and convert the virtual address space of PCIe domain 2 to the virtual address space of PCIe domain 1.

[0060] ■ Cross-security domain MKEY 68 points to cross-PCIe domain MKEY 64 and maps to the VA of memory subregion 48. MKEY 68 is defined by policyr 66 for a specific subregion 48.

[0061] Figure 4 A schematic diagram illustrates a chain of MKEYs for implementing cross-address space bridging according to an alternative embodiment described herein. In this embodiment, the cross-security domain MKEY 68 is replaced by a chain of two MKEYs—a cross-security domain MKEY 97 and a sub-region MKEY 98. MKEY 97 performs the security functions of MKEY 68 (i.e., modifies the protection domain (PD) of the sub-region). MKEY 98 performs the sub-region mapping functions of MKEY 68 (i.e., maps the addresses of the sub-regions).

[0062] Figure 3 and Figure 4 The MKEY chain shown is merely an example chain, depicted purely for conceptual clarity. In alternative embodiments, the disclosed cross-address space bridging technique can be implemented using any other suitable MKEY chain of appropriate type. In this context, the phrase "MKEY X points to MKEY Y" includes both cases where MKEY X points directly to MKEY Y and cases where MKEY X points to MKEY Y via one or more intermediate MKEYs.

[0063] Example method description

[0064] Figure 5 A flowchart illustrating a method for packet transmission using cross-address space bridging according to embodiments described herein is shown schematically. This method involves, for example, using... Figure 1 The NIC 24 transport packet. A similar procedure can be used with any suitable network device (e.g., Figure 2 The DPU 74) is used for sending and receiving packets.

[0065] The method begins with initialization phase 100, in which NIC 24 initializes memory domain MKEY 60 and cross-PCIe domain MKEY 64. At some point, in instruction phase 104, user application 40 instructs NIC 24 to send packets to network 32.

[0066] In the access request phase 104, the user application 40 requests the strategist 66 to access a sub-region 48 in the memory 44 that stores the package data.

[0067] In the authorization check phase 108, the policy maker 66 checks whether the requested access to sub-region 48 complies with the applicable security policy. If it does not comply, the method terminates in the termination phase 112.

[0068] If access is authorized, in MKEY definition phase 116, policyr 66 defines a cross-security domain MKEY 68 for subregion 48 (or an equivalent pair of (i) cross-security domain MKEY 97 and (ii) subregion MKEY 98). Cross-security domain MKEY 68 points to cross-PCIe domain MKEY 64, which in turn points to memory domain MKEY 60. In MKEY provision phase 120, policyr 66 provides cross-security domain MKEY 68 to user application 40.

[0069] In the transmission request phase 124, user application 40 requests NIC 24 to send the target packet. In the packet data retrieval phase 128, NIC 24 retrieves packet data from sub-area 48 using a chained MKEY. This phase typically involves the following operations:

[0070] ■NIC function 52 uses the cross-security domain MKEY 68 defined for the subzone (or uses the cross-security domain MKEY 97 and subzone MKEY 98) to access the cross-PCIe domain MKEY 64.

[0071] ■ Using cross-PCIe domain MKEY 64, NIC function 52 will transfer the VA of the requested data buffer from the address space of PCIe domain 2 to the address space of PCIe domain 1.

[0072] ■ Using memory domain MKEY 60, DMA engine function 56 translates the VA of the requested data buffer (in the address space of PCIe domain 1) to the PA of the data buffer in memory 44.

[0073] ■DMA Engine Function 56 retrieves packet data from the generated PA.

[0074] In packet generation and transmission operation 132, NIC function 52 generates a packet containing packet data and sends the packet to network 32.

[0075] Example System Use Cases

[0076] Figure 6 A block diagram of a computing system 1000 (e.g., a data center or high-performance computing (HPC) cluster) according to embodiments described herein is illustrated schematically. According to at least one embodiment, system 1000 includes multiple subsystems, such as multiple mutually coupled processing devices, multiple network devices, and multiple networks. The computing system 1000 is designed with multiple integrated circuits (referred to as processing devices), each of which may contain one or more CPUs and GPUs, thereby forming a powerful and flexible architecture.

[0077] Various processing devices are interconnected via NVLink or other high-speed interconnects to enable high-speed communication between subsystems, and are also connected via NICs or DPUs to ensure efficient data transmission within computing system 1000 and with one or more external networks 1030, 1036. In this example, system 1000 includes: packet switch 1048, which connects NIC / DPU 1028 to network 1030; and packet switch 1050, which connects NIC / DPU 1032 to network 1036.

[0078] NVLink coupling enables seamless data exchange and parallel processing, thereby improving overall computing performance. Processing devices connect to multiple networks via one or more Network Interface Cards (NICs) or Data Processing Units (DPUs), allowing the system to handle complex multi-network tasks with high bandwidth and low latency. This configuration is ideal for processing-intensive applications such as artificial intelligence (AI), machine learning (ML), and data-intensive computing, while ensuring robust connectivity and scalability in various networked environments. The integrated circuits of the Computing System 1000 can contain one or more CPUs and one or more GPUs.

[0079] Figure 6 An example architecture of a multi-GPU architecture is also demonstrated. As shown in the figure, computing system 1000 includes a processing device 1002 employing a multi-GPU architecture. Specifically, processing device 1002 may be a system-on-a-chip (SoC) and includes multiple subsystems such as CPU 1006, GPU 1008, and GPU 1010. CPU 1006 may be coupled to GPU 1008 via die-to-die (D2D) or chip-to-chip (C2C) interconnects 1012 (such as ground reference signal interconnects (GRS interconnects)). CPU 1006 may be coupled to GPU 1010 via D2D or C2C interconnects 1014. CPU 1006 may also be coupled to GPU 1008 and GPU 1010 via PCIe interconnects.

[0080] The CPU 1006 can be coupled to one or more NICs or DPUs, which are coupled to one or more networks. For example, as Figure 6 As shown, CPU 1006 is coupled to a first NIC / DPU 1026, which is coupled to network 1030. CPU 1006 is also coupled to a second NIC / DPU 1028, which is coupled to network 1030 via switch 1048. NIC / DPU 1026 and NIC / DPU 1028 can be coupled to network 1030 via, for example, Ethernet (ETH), NVLINK, or InfiniBand (IB) connections.

[0081] The computing system 1000 also includes a processing device 1004 employing a multi-GPU architecture. Specifically, the processing device 1004 includes multiple subsystems, including a CPU 1016, a GPU 1018, and a GPU 1020. The CPU 1016 may be coupled to the GPU 1018 via a D2D or C2C interconnect 1022. The CPU 1016 may be coupled to the GPU 1020 via a D2D or C2C interconnect 1024. The CPU 1016 may also be coupled to the GPU 1018 and GPU 1020 via a PCIe interconnect. The CPU 1016 may be coupled to one or more NICs or DPUs, which are coupled to one or more networks. For example, as... Figure 6 As shown, CPU 1016 is coupled to a first NIC / DPU 1034, which is coupled to network 1036. CPU 1016 is also coupled to a second NIC / DPU 1032, which is coupled to network 1036 via switch 1050. NIC / DPU 1032 and NIC / DPU 1034 can be coupled to network 1036 via Ethernet (ETH), NVLINK, or InfiniBand (IB) connections.

[0082] In at least one embodiment, processing device 1002 and processing device 1004 can communicate with each other via NIC / DPU 1038, for example, via PCIe interconnect. Processing device 1002 and processing device 1004 can also communicate with each other via high-bandwidth communication interconnect 1040, such as NVLink interconnect or other high-speed interconnect.

[0083] In various embodiments, any network device of system 1000, such as any of NIC / DPU 1026, 1028, 1032, 1034 and 1038, can use cross-address space bridging in accordance with the techniques described herein. Figure 6 The packet switch in the diagram could include, for example, an Nvidia Quantum-2 switch. The NIC / DPU in the diagram could include, for example, an Nvidia Bluefield DPU.

[0084] It should be understood that the embodiments described above are cited by way of example, and the present invention is not limited to the specific contents shown and described above. In contrast, the scope of the present invention includes combinations and sub-combinations of the various features described above, as well as variations and modifications not disclosed in the prior art that can be conceived by those skilled in the art after reading the foregoing specification. Documents incorporated herein by reference should be considered an integral part of this application, and if any terminology defined in these incorporated documents conflicts with the definitions expressly or implicitly made in this specification, only the definitions in this specification should be considered.

Claims

1. A network device, the network device comprising: One or more ports, said one or more ports being used to connect to a network; A bus interface, the bus interface being used to (i) communicate with memory using a first bus domain of the peripheral bus, and (ii) communicate with one or more user applications using a second bus domain of the peripheral bus; as well as One or more circuits, said one or more circuits being used for: The first bus function is executed, which uses the memory domain memory key MKEY defined in the first bus domain to access the region of the memory; The second bus function is executed, which uses the second bus domain to communicate with the user application and transmits packets for the user application over the network, wherein processing of the packets includes accessing the area of ​​the memory via a cross-bus domain memory key MKEY pointing to the memory domain memory key MKEY in the first bus function; as well as In response to an authorized user application accessing a sub-region within the region of the memory, a corresponding cross-security domain memory key MKEY is defined for the sub-region, pointing to the cross-bus domain memory key MKEY, which in turn points to the memory domain memory key MKEY.

2. The network device according to claim 1, wherein, In response to authorizing one or more user applications to access one or more additional sub-regions of the memory, the one or more circuits are configured to define one or more additional cross-security domain memory keys MKEY for the one or more additional sub-regions, the one or more additional cross-security domain memory keys MKEY pointing to the cross-bus domain memory key MKEY.

3. The network device according to claim 1, wherein, The first bus function is used to receive the cross-security domain memory key MKEY from the policyr, which authorizes requests from the user application to access a sub-region of the memory in the region, and defines a corresponding cross-security domain memory key MKEY for the sub-region.

4. The network device according to claim 1, wherein, In response to a memory access command from the user application for a specified virtual address VA, the one or more circuits are configured to convert the virtual address VA into a physical address PA in the sub-region according to the address mapping defined in the memory domain memory key MKEY, and to access the physical address PA in the memory.

5. The network device according to claim 1, in, The first bus function is used to communicate with the graphics processing unit (GPU), and the memory is located inside the GPU. as well as The second bus function is used to communicate with one or more hosts, and the user application runs on one or more hosts.

6. The network device according to claim 1, in, The network device is a data processing unit (DPU), which includes a CPU and one or more processor cores. Wherein, the first bus function is used for communication with the CPU, and the memory is located inside the CPU; and The second bus function is used to communicate with the one or more processor cores, and the user application runs on the one or more processor cores.

7. The network device according to claim 1, wherein, The cross-security domain memory key MKEY includes a first memory key MKEY that modifies the protection domain PD of the sub-region and a second memory key MKEY that maps the address of the sub-region.

8. A method in a network device, the method comprising: The network device communicates with the memory using a first bus domain of the peripheral bus and with one or more user applications using a second bus domain of the peripheral bus. The network device performs a first bus function, which uses a memory domain memory key MKEY defined in the first bus domain to access a region of the memory. A second bus function is executed in the network device. The second bus function communicates with the user application using the second bus domain and transmits packets for the user application over the network. The processing of the packets includes accessing the area of ​​the memory via a cross-bus domain memory key MKEY pointing to the memory domain memory key MKEY in the first bus function. as well as In response to an authorized user application accessing a sub-region within the region of the memory, a corresponding cross-security domain memory key MKEY is defined for the sub-region, pointing to the cross-bus domain memory key MKEY, which in turn points to the memory domain memory key MKEY.

9. The method of claim 8, comprising: In response to authorizing one or more user applications to access one or more additional sub-regions of the memory, one or more additional cross-security domain memory keys MKEY are defined for the one or more additional sub-regions, the one or more additional cross-security domain memory keys MKEY pointing to the cross-bus domain memory key MKEY.

10. The method according to claim 8, wherein, Performing the first bus function includes receiving the cross-security domain memory key MKEY from a policyr, the policyr authorizing a request from the user application to access a sub-region of the memory in the region, and defining a corresponding cross-security domain memory key MKEY for the sub-region.

11. The method of claim 8, comprising: In response to a memory access command from the user application for a specified virtual address VA, the virtual address VA is translated into a physical address PA in the sub-region according to the address mapping defined in the memory domain memory key MKEY, and the physical address PA in the memory is accessed.

12. The method according to claim 8, in, Performing the first bus function includes communicating with the graphics processing unit (GPU); The memory is located inside the graphics processing unit (GPU); Performing the second bus function includes communicating with one or more hosts; and The user application runs on one or more of the hosts.

13. The method according to claim 8, in, The network device is a data processing unit (DPU) that includes a CPU and one or more processor cores; Executing the first bus function includes communicating with the CPU; The memory is located inside the CPU; Performing the second bus function includes communicating with the one or more processor cores; and The user application runs on one or more processor cores.

14. The method according to claim 8, wherein, Defining the cross-security domain memory key MKEY includes: defining a first memory key MKEY that modifies the protection domain PD of the sub-region; and defining a second memory key MKEY that maps the address of the sub-region.

15. A data center comprising one or more network devices, at least one of the network devices comprising: One or more ports, said one or more ports being used to connect to a network; A bus interface, the bus interface being used to (i) communicate with memory using a first bus domain of the peripheral bus, and (ii) communicate with one or more user applications using a second bus domain of the peripheral bus; as well as One or more circuits are used for: The first bus function is executed, which uses the memory domain memory key MKEY defined in the first bus domain to access the region of the memory; The second bus function is executed, which uses the second bus domain to communicate with the user application and transmits packets for the user application over the network, wherein processing of the packets includes accessing the area of ​​the memory via a cross-bus domain memory key MKEY pointing to the memory domain memory key MKEY in the first bus function; as well as In response to an authorized user application accessing a sub-region within the region of the memory, a corresponding cross-security domain memory key MKEY is defined for the sub-region, pointing to the cross-bus domain memory key MKEY, which in turn points to the memory domain memory key MKEY.

16. The data center according to claim 15, wherein, In response to authorizing one or more user applications to access one or more additional sub-regions of the memory, the one or more circuits are configured to define one or more additional cross-security domain memory keys MKEY for the one or more additional sub-regions, the one or more additional cross-security domain memory keys MKEY pointing to the cross-bus domain memory key MKEY.

17. The data center according to claim 15, wherein, The first bus function is used to receive the cross-security domain memory key MKEY from the policyr, which authorizes requests from the user application to access a sub-region of the memory in the region, and defines a corresponding cross-security domain memory key MKEY for the sub-region.

18. The data center according to claim 15, wherein, In response to a memory access command from the user application for a specified virtual address VA, the one or more circuits are configured to convert the virtual address VA into a physical address PA in the sub-region according to the address mapping defined in the memory domain memory key MKEY, and access the physical address PA in the memory.

19. The data center according to claim 15, in, The first bus function is used to communicate with the graphics processing unit (GPU), and the memory is located inside the GPU. as well as The second bus function is used to communicate with one or more hosts, and the user application runs on one or more hosts.

20. The data center according to claim 15, in, The network device is a data processing unit (DPU) that includes a CPU and one or more processor cores; Wherein, the first bus function is used for communication with the CPU, and the memory is located inside the CPU; and The second bus function is used to communicate with the one or more processor cores, and the user application runs on the one or more processor cores.