Communication method and apparatus
By partitioning memory space and implementing encryption measures in a heterogeneous computing system, the security of confidential data in a multi-user environment is solved, ensuring the security of data transmission and storage, and improving resource utilization efficiency and computing performance.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HUAWEI TECH CO LTD
- Filing Date
- 2024-12-31
- Publication Date
- 2026-06-30
AI Technical Summary
In heterogeneous computing systems, confidential data is at risk of being accessed and leaked without authorization in a multi-user shared environment, especially when the CPU accesses unencrypted confidential data, which may lead to data leakage.
In heterogeneous computing systems, processor memory is divided into secure memory space and insecure memory space. Access to encrypted confidential data is only permitted. Plaintext confidential data is encrypted by the first processor, and physical isolation and encryption measures are implemented during data transmission to ensure the security of confidential data.
It effectively protects confidential data from unauthorized access, reduces the risk of data leakage, and improves resource utilization efficiency and computing performance.
Smart Images

Figure CN122310554A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of computer technology, and more particularly to communication methods and apparatus. Background Technology
[0002] Heterogeneous computing systems integrate processors with multiple instruction sets and architectures. By cleverly combining different types of processors, they can significantly improve the execution efficiency of computing tasks, thereby enhancing system performance and energy efficiency. For example, heterogeneous computing systems can flexibly integrate various processors such as central processing units (CPUs), artificial intelligence (AI) accelerators, xprocessing units (XPUs), graphics processing units (GPUs), data processing units (DPUs), baseband processors or neural network processing units (NPUs), digital signal processors (DSPs), switch chips, application processors (APs), image signal processors (ISPs), application-specific integrated circuits (ASICs), and field-programmable gate arrays (FPGAs). In real-world applications, heterogeneous computing systems have been widely applied in fields such as autonomous driving, deep learning, big data processing, and model training. These applications often require extremely high computing performance and low energy consumption, which heterogeneous computing systems can precisely meet.
[0003] Some users utilize heterogeneous computing systems to process highly confidential data; however, given that heterogeneous computing systems are typically shared by multiple users, confidential data faces potential security risks in such systems.
[0004] Taking a CPU in a heterogeneous computing system as an example, since it typically serves multiple users, confidential data processed by one user on the CPU could be accessed by other users, leading to data leakage. Therefore, in a heterogeneous computing system, the CPU does not have the same level of trust as other processors. Summary of the Invention
[0005] This application provides a communication method and apparatus for ensuring the security of confidential data in heterogeneous computing systems. To achieve the above objective, this application adopts the following technical solution:
[0006] In a first aspect, embodiments of this application provide a communication method applied to a heterogeneous computing system. The heterogeneous computing system includes a first processor and a second processor. The first processor includes a secure memory space and a non-secure memory space. The secure memory space is used to store confidential data, and the non-secure memory space is used to store non-confidential data. The confidential data is divided into encrypted confidential data and plaintext confidential data. The method includes: the first processor decrypting the first encrypted confidential data to obtain first plaintext confidential data; the first processor encrypting the second plaintext confidential data to obtain second encrypted confidential data; when the data to be read in a data read request received by the first processor is encrypted confidential data, the first processor sends the second encrypted confidential data to the second processor; when the data to be read in a data read request received by the first processor is plaintext confidential data, the first processor refuses to respond to the data read request. The first encrypted confidential data originates from the second processor, the second plaintext data is obtained by calculation, training, or inference on the first plaintext confidential data, and the data read request originates from the second processor.
[0007] In existing heterogeneous computing system architectures, different types of processors have already achieved the ability to access and process data from each other. Specifically, confidential data stored in a first processor (GPU) may be accessed by a second processor (such as a CPU). However, given that the second processor may serve multiple different users simultaneously, this introduces a potential security risk: when the second processor reads this unencrypted confidential data, this data may be intercepted by other unauthorized users, leading to the leakage of confidential data. To address this problem, this application proposes an innovative solution. In this solution, the first processor is configured to only allow the second processor to access confidential data that has been encrypted. Therefore, when the second processor attempts to read unencrypted plaintext confidential data, the first processor automatically rejects its access request. In this way, we can effectively ensure the security of confidential data in heterogeneous computing systems and reduce the risk of confidential data leakage.
[0008] In this embodiment, the memory of the first processor is divided into secure memory space and insecure memory space to accommodate different users' varying data security needs. For users with high data security requirements, the data they input into the heterogeneous computing system is considered confidential data. In this case, the first processor stores this confidential data in the secure memory space to ensure its security. For users with less stringent data security requirements, the data they input is non-confidential, and the first processor stores this data in the insecure memory space, thereby ensuring efficient and convenient data transmission.
[0009] It is evident from the fact that the second plaintext data is obtained by computation, training, or inference from the first plaintext confidential data that the method described in this application has broad application potential, especially in scenarios involving computation, training, or inference of confidential data. This method is not limited to specific fields or industries and can be widely adopted and implemented to ensure security and privacy protection when processing confidential data. By employing the method of this embodiment, necessary computational operations can be performed effectively while protecting data confidentiality, which is particularly important for situations with strict data security requirements. Furthermore, the application scenarios of this method are not limited to single computational tasks but can be extended to multiple fields such as machine learning, data analysis, and artificial intelligence, providing these fields with a new and secure data processing approach.
[0010] In one possible implementation, the capacity of the aforementioned secure space is dynamically adjusted based on the amount of confidential data within the aforementioned first processor.
[0011] In this embodiment, the first processor also has the ability to dynamically adjust the capacity of its secure memory space based on the amount of confidential data stored therein. The purpose of this mechanism is to ensure that the secure memory space is large enough to avoid situations where it cannot fully accommodate all confidential data, thereby preventing the storage of confidential data in insecure memory space, which could increase the risk of data leakage. Furthermore, by dynamically adjusting, we can also avoid the secure memory space becoming too large, which not only wastes valuable resources but also reduces the efficiency of memory space utilization. Therefore, this dynamic adjustment mechanism both ensures data security and improves resource utilization efficiency.
[0012] In one possible implementation, if the first processor fails to decrypt the first encrypted confidential data, it sends an error message to the second processor, the error message indicating that the decryption of the first encrypted confidential data has failed.
[0013] Understandably, when an attempt to decrypt encrypted confidential data fails, it usually means that the confidential data was either not encrypted correctly or that a problem occurred during the encryption process. In this situation, to ensure the security and integrity of the confidential data, the first processor should take appropriate measures. Specifically, the second processor can send an error message to the first processor, informing it that an obstacle was encountered during the decryption process. Once the first processor receives this error message, it can re-encrypt the confidential data to ensure its security and prevent leakage due to unencrypted or failed encryption. Furthermore, this error message mechanism can help identify and locate the source of the problem, whether it's a flaw in the encryption algorithm, improper key management, or interference during the transmission of confidential data.
[0014] In one possible implementation, the first processor and the second processor are processors of different types.
[0015] Understandably, given that different processors employ different instruction sets and architectures, their capabilities vary when processing different types of data. Therefore, to improve performance and efficiency, processors can adopt a division of labor strategy. Specifically, each processor can focus on processing the data types it excels at, while delegating the processing of data types it is less adept at to other types of processors. This strategy fully leverages the unique strengths of each processor, thereby improving the overall data processing efficiency of the system.
[0016] In one possible implementation, the first processor is an AI accelerator, GPU, NPU, DPU, or switch chip, and the second processor is a CPU.
[0017] In model training scenarios, it's clear that the CPU plays a crucial role, responsible for transmitting the necessary data for model training to the AI accelerator. After receiving this data, the AI accelerator performs a series of calculations, ultimately producing the results, which are then transmitted back to the CPU. In this application, we propose an innovative solution that ensures the CPU cannot access plaintext confidential data within the AI accelerator. This confidential data includes, but is not limited to, data required for model training and the calculated results. This approach effectively enhances the security of model-related confidential data, ensuring confidentiality during transmission and processing.
[0018] Furthermore, this approach also applies to preventing the CPU from reading plaintext confidential data from other processors, such as GPUs, NPUs, DPUs, or switch chips. This protection is particularly important in heterogeneous computing systems because it not only protects the data security of individual processors but also enhances the security of confidential data throughout the entire system. Through this mechanism, we can ensure that plaintext confidential data is not accessed by the CPU in a multi-processor collaborative environment, thereby significantly strengthening the confidential data protection capabilities of the entire heterogeneous computing system.
[0019] In one possible implementation, the aforementioned first plaintext confidential data includes at least one of model structure, model parameters, training data, or inference data.
[0020] It is evident that the solution proposed in this application can ensure the security of confidential data such as model structure, model parameters, training data, and inference data. Furthermore, this solution is also applicable to protecting other confidential data, such as user privacy information and trade secrets, which must also be rigorously protected during processing. This solution effectively prevents unauthorized access or leakage of plaintext confidential data, thereby building a more secure heterogeneous computing system for users and enterprises.
[0021] Secondly, embodiments of this application provide a communication method applied to a heterogeneous computing system. The heterogeneous computing system includes a first processor and a second processor. The first processor includes a secure memory space and a non-secure memory space. The secure memory space is used to store confidential data, and the non-secure memory space is used to store non-confidential data. The confidential data is divided into encrypted confidential data and plaintext confidential data. The method includes: the second processor sending first encrypted confidential data to the first processor, the first encrypted confidential data being obtained by encrypting first plaintext confidential data; the second processor sending a data read request to the first processor; and the second processor receiving second encrypted confidential data sent by the first processor, the second encrypted confidential data being obtained by encrypting second plaintext confidential data, the second plaintext data being obtained by calculating, training, or inferring from the first plaintext confidential data.
[0022] In one possible implementation, the second processor receives an error message sent by the first processor, the error message indicating that the decryption of the first encrypted confidential data has failed.
[0023] In one possible implementation, the capacity of the aforementioned secure space is dynamically adjusted based on the amount of confidential data within the aforementioned first processor.
[0024] In one possible implementation, the first processor and the second processor are processors of different types.
[0025] In one possible implementation, the first processor is an AI accelerator, GPU, NPU, DPU, or switch chip, and the second processor is a CPU.
[0026] In one possible implementation, the aforementioned first plaintext confidential data includes at least one of model structure, model parameters, training data, or inference data.
[0027] In one possible implementation, the second processor includes a secure memory space and a non-secure memory space, wherein the secure memory space of the second processor is used to store confidential data, and the non-secure memory space of the second processor is used to store non-confidential data.
[0028] In one possible implementation, the capacity of the security space of the second processor is dynamically adjusted according to the amount of confidential data within the second processor.
[0029] Thirdly, embodiments of this application provide a communication device applied to a heterogeneous computing system. The heterogeneous computing system includes a first processor and a second processor. The first processor includes a secure memory space and a non-secure memory space. The secure memory space is used to store confidential data, and the non-secure memory space is used to store non-confidential data. The capacity of the secure memory space varies with the size of the confidential data in the first processor. The device may be the first processor, or a module (such as a chip or chip system) applied to the first processor, or a logical node, logical module, or software that can implement all or part of the functions of the first processor. The device includes a transceiver unit and a processing unit.
[0030] The processing unit is used to decrypt the first encrypted confidential data to obtain the first plaintext confidential data, wherein the first encrypted confidential data comes from the second processor.
[0031] The processing unit is also used to encrypt the second plaintext confidential data to obtain second encrypted confidential data, wherein the second plaintext data is obtained by calculation, training or reasoning on the first plaintext confidential data.
[0032] The transceiver unit is used to send the second encrypted confidential data to the second processor when the data to be read in the received data read request is encrypted confidential data.
[0033] The transceiver unit is also configured to refuse to respond to the data read request if the data to be read in the received data read request is plaintext confidential data.
[0034] The aforementioned data read request originates from the aforementioned second processor.
[0035] In one possible implementation, the capacity of the aforementioned secure space is dynamically adjusted based on the amount of confidential data within the aforementioned first processor.
[0036] In one possible implementation, the first processor and the second processor are processors of different types.
[0037] In one possible implementation, the first processor is an AI accelerator, GPU, NPU, DPU, or switch chip, and the second processor is a CPU.
[0038] In one possible implementation, the aforementioned first plaintext confidential data includes at least one of model structure, model parameters, training data, or inference data.
[0039] Fourthly, embodiments of this application provide a communication device applied to a heterogeneous computing system. The heterogeneous computing system includes a first processor and a second processor. The first processor includes a secure memory space and a non-secure memory space. The secure memory space is used to store confidential data, and the non-secure memory space is used to store non-confidential data. The confidential data is divided into encrypted confidential data and plaintext confidential data. The device may be the second processor, or a module (such as a chip or chip system) applied to the second processor, or a logical node, logical module, or software capable of implementing all or part of the processor's functions. The device includes a transceiver unit and a processing unit.
[0040] The transceiver unit is used to send first encrypted confidential data to the first processor, wherein the first encrypted confidential data is obtained by encrypting the first plaintext confidential data.
[0041] The transceiver unit is also used to send data read requests to the aforementioned first processor.
[0042] The transceiver unit is also used to receive second encrypted confidential data sent by the first processor. The second encrypted confidential data is obtained by encrypting second plaintext confidential data. The second plaintext data is obtained by calculating, training, or inferring the first plaintext confidential data.
[0043] In one possible implementation, the capacity of the aforementioned secure space is dynamically adjusted based on the amount of confidential data within the aforementioned first processor.
[0044] In one possible implementation, the first processor and the second processor are processors of different types.
[0045] In one possible implementation, the first processor is an AI accelerator, GPU, NPU, DPU, or switch chip, and the second processor is a CPU.
[0046] In one possible implementation, the aforementioned first plaintext confidential data includes at least one of model structure, model parameters, training data, or inference data.
[0047] In one possible implementation, the second processor includes a secure memory space and a non-secure memory space, wherein the secure memory space of the second processor is used to store confidential data, and the non-secure memory space of the second processor is used to store non-confidential data.
[0048] In one possible implementation, the capacity of the security space of the second processor is dynamically adjusted according to the amount of confidential data within the second processor.
[0049] Fifthly, embodiments of this application also provide a heterogeneous computing system, which includes a first processor and a second processor.
[0050] A first processor is configured to execute the methods described in the first aspect above or any possible implementation thereof.
[0051] The second processor is used to execute the methods in the second aspect above or any possible implementation thereof.
[0052] or;
[0053] The first processor is a communication device as described in the third aspect above or any possible implementation thereof.
[0054] The second processor is a communication device as described in the fourth aspect above or any possible implementation thereof.
[0055] Sixthly, embodiments of this application also provide a communication system, the device comprising: at least one processor, which, when the at least one processor executes program code or instructions, implements the methods in the first aspect, the second aspect, or any possible implementation thereof described above.
[0056] Optionally, the system may also include at least one memory for storing the program code or instructions.
[0057] In a seventh aspect, embodiments of this application also provide a chip, including: an input interface, an output interface, at least one processor, and at least one memory. The at least one processor is used to execute code in the at least one memory, and when the at least one processor executes the code, the chip implements the methods in the first aspect, the second aspect, or any possible implementation thereof described above.
[0058] Alternatively, the chip described above can also be an integrated circuit.
[0059] Eighthly, embodiments of this application also provide a computer-readable storage medium for storing a computer program, the computer program including methods for implementing the first aspect, the second aspect, or any possible implementation thereof described above.
[0060] In one possible implementation, the computer-readable storage medium is a non-transitory computer-readable storage medium.
[0061] Ninthly, embodiments of this application also provide a computer program product containing instructions that, when run on a computer, cause the computer to implement the methods of the first aspect, the second aspect, or any possible implementation thereof.
[0062] The communication device, computer storage medium, computer program product, and chip provided in this embodiment are all used to execute the communication method provided above. Therefore, the beneficial effects they can achieve can be referred to the beneficial effects in the communication method provided above, and will not be repeated here. Attached Figure Description
[0063] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0064] Figure 1 This is a schematic diagram of the structure of a heterogeneous computing system provided in an embodiment of this application;
[0065] Figure 2 This is a schematic diagram of another heterogeneous computing system provided in an embodiment of this application;
[0066] Figure 3 A flowchart illustrating a communication method provided in an embodiment of this application;
[0067] Figure 4 A schematic diagram of a data processing flow provided in an embodiment of this application;
[0068] Figure 5 A schematic diagram illustrating another data processing flow provided in an embodiment of this application;
[0069] Figure 6 A schematic diagram illustrating yet another data processing flow provided in an embodiment of this application;
[0070] Figure 7 A flowchart illustrating another communication method provided in an embodiment of this application;
[0071] Figure 8A schematic diagram of a data interaction process provided in an embodiment of this application;
[0072] Figure 9 This is a schematic diagram of the computing framework of a heterogeneous computing system provided in an embodiment of this application;
[0073] Figure 10 This is a schematic diagram of the computing framework of a heterogeneous computing system provided in an embodiment of this application;
[0074] Figure 11 This is a schematic diagram of the computing framework of a heterogeneous computing system provided in an embodiment of this application;
[0075] Figure 12 A flowchart illustrating yet another communication method provided in an embodiment of this application;
[0076] Figure 13 A schematic diagram illustrating the data write request processing flow provided in this application embodiment;
[0077] Figure 14 A schematic diagram illustrating the data read request processing flow provided in this application embodiment;
[0078] Figure 15 This is a schematic diagram of the structure of a communication device provided in an embodiment of this application;
[0079] Figure 16 This is a schematic diagram of the structure of a chip provided in an embodiment of this application;
[0080] Figure 17 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation
[0081] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the protection scope of the embodiments of this application.
[0082] In this article, the term "and / or" is merely a description of the relationship between related objects, indicating that there can be three relationships. For example, A and / or B can represent three situations: A exists alone, A and B exist simultaneously, and B exists alone.
[0083] The terms "first" and "second," etc., in the specification and drawings of the embodiments of this application are used to distinguish different objects or to distinguish different treatments of the same object, rather than to describe a specific order of objects.
[0084] Furthermore, the terms "comprising" and "having," and any variations thereof, used in the description of the embodiments of this application are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not limited to the steps or units listed, but may optionally include other steps or units not listed, or may optionally include other steps or units inherent to these processes, methods, products, or devices.
[0085] It should be noted that in the description of the embodiments of this application, the words "exemplarily" or "for example" are used to indicate examples, illustrations, or explanations. Any embodiment or design scheme described as "exemplarily" or "for example" in the embodiments of this application should not be construed as being more preferred or advantageous than other embodiments or design schemes. Specifically, the use of the words "exemplarily" or "for example" is intended to present the relevant concepts in a specific manner.
[0086] In existing heterogeneous computing system architectures, different types of processors have already achieved the ability to access and process data from each other. Specifically, confidential data stored in a first processor (GPU) may be accessed by a second processor (such as a CPU). However, given that the second processor may serve multiple different users simultaneously, this introduces a potential security risk: when the second processor reads this unencrypted confidential data, this data may be intercepted by other unauthorized users, leading to the leakage of confidential data. To address this problem, embodiments of this application propose an innovative solution to ensure the security of confidential data in heterogeneous computing systems.
[0087] The technical solutions provided in this application can be applied to heterogeneous computing systems.
[0088] Figure 1 A schematic diagram of a possible, non-limiting heterogeneous computing system described above is shown. Figure 1 As shown, the heterogeneous computing system 10 includes at least one first processor 100 and at least one second processor 200.
[0089] Heterogeneous computing systems are used to execute various task requests initiated by users through their user devices. These tasks may include, but are not limited to, computational tasks, logical reasoning tasks, and machine learning model training tasks. Once a task is successfully received, the system will process it and accurately return the result to the user device upon completion.
[0090] For example, heterogeneous computing systems can handle task requests from a variety of devices, including but not limited to servers, desktop computers, laptop computers, smartphones, tablets, mice, remote controls, styluses, set-top boxes, routers, webcams, monitors, smart displays, wireless data cards, personal digital assistants (PDAs), smartwatches, smart bracelets, wireless headphones, electronic whiteboards, virtual reality (VR) devices, augmented reality (AR) devices, smart home devices (such as refrigerators, televisions, air conditioners, washing machines, rice cookers, table lamps, smart meters, etc.), smart robots, robotic arms, factory equipment, and other user terminal devices.
[0091] Heterogeneous computing systems can execute various task requests issued by users through a first processor (GPU, NPU, DPU, or switch chip) and a second processor (such as CPU).
[0092] Specifically, the second processor is responsible for task allocation, assigning tasks within the heterogeneous computing system to the first processor. The first processor, in turn, executes the tasks assigned by the second processor and returns the results to it.
[0093] Due to varying data security requirements among users, data entered into heterogeneous computing systems by users with high data security needs is considered confidential. Conversely, data entered by users with less stringent data security requirements is considered non-confidential.
[0094] In one possible implementation, heterogeneous computing systems have the ability to distinguish between confidential and non-confidential data, which can be achieved by using different data tag bits.
[0095] For example, for confidential data, we can embed a unique flag within the data itself. This flag explicitly indicates that the data is confidential. When confidential data is transmitted or stored in the system, relevant security measures can be triggered to ensure that the confidential data is properly protected. Conversely, for non-confidential data, we can choose not to add any flag, or add a different flag to explicitly indicate that the data is non-confidential. This approach helps heterogeneous computing systems distinguish between different types of data and allows for the implementation of appropriate security strategies for different levels of data, thereby managing data security more effectively.
[0096] The aforementioned confidential data can be divided into two categories: encrypted confidential data and plaintext confidential data.
[0097] Plaintext confidential data, as the name suggests, refers to confidential information that has not been encrypted. Due to the lack of encryption protection, this data is more vulnerable to unauthorized access during transmission or storage. Therefore, additional security measures must be implemented to ensure its security, such as physical isolation through secure memory spaces, as mentioned below, and encryption of plaintext confidential data.
[0098] In contrast, encrypted confidential data refers to confidential data that has been converted into ciphertext using encryption algorithms. Even if this confidential data is intercepted by an unauthorized third party, they will not be able to decipher its content without the corresponding decryption key. This type of confidential data offers higher security during transmission and storage.
[0099] like Figure 1 As shown, the memory of the first processor consists of secure memory space and insecure memory space. Dividing the first processor's memory into secure and insecure memory spaces accommodates the different data security needs of various users. For users with high data security requirements, the data they input into the heterogeneous computing system is considered confidential. In this case, the first processor stores this confidential data in the secure memory space to ensure its security. Conversely, for users with less stringent data security requirements, the data they input is non-confidential, and the first processor stores this data in the insecure memory space, thus ensuring efficient and convenient data transmission.
[0100] Specifically, the first processor also has the ability to dynamically adjust the capacity of its secure memory space based on the amount of confidential data stored within it. This mechanism is designed to ensure that the secure memory space is large enough to avoid situations where it cannot fully accommodate all confidential data, thus preventing the storage of confidential data in insecure memory space, which could increase the risk of data leakage. Furthermore, by dynamically adjusting, we can also avoid the secure memory space becoming too large, which not only wastes valuable resources but also leads to reduced memory utilization efficiency. Therefore, this dynamic adjustment mechanism both ensures data security and improves resource utilization efficiency.
[0101] For example, the first processor has a memory capacity of 1024 megabytes (MB). The first processor can allocate 256MB as secure memory space and the remaining 768MB as insecure memory space. Suppose the first processor needs to store 512MB of confidential data. Since the current secure memory space is insufficient, 256MB of the 768MB insecure memory space can be reallocated to the secure memory space. In other words, based on the actual size of the confidential data, the secure memory space capacity is dynamically adjusted from 256MB to 512MB.
[0102] In one possible implementation, the memory of the second processor can also be divided into secure memory space and insecure memory space.
[0103] In addition, the second processor may also have the ability to dynamically adjust its secure memory space based on the amount of confidential data stored.
[0104] like Figure 2 As shown in the embodiment of this application, when the first processor is responsible for executing the task assigned by the second processor, it performs encryption and decryption operations on the confidential data involved in the task. Therefore, in addition to having a computing unit for executing tasks, the first processor is also equipped with an encryption / decryption engine for encrypting and decrypting confidential data. This design ensures enhanced data security when processing confidential data, because the encryption and decryption process is completed within the first processor, reducing the security risks that may be encountered when data is transmitted between different processors. Furthermore, this design also improves processing efficiency, because encryption and decryption operations can be performed in parallel with task execution, thus not significantly impacting overall performance.
[0105] Understandable, Figure 1 and Figure 2 The structures shown do not constitute a specific limitation on heterogeneous computing systems. In other embodiments of this application, the electronic device may include more or fewer components than illustrated, or combine some components, or split some components, or have different component arrangements. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
[0106] Figure 3 This application illustrates a communication method provided by an embodiment of the present application. This method can be executed by a first processor and a second processor in the aforementioned heterogeneous computing system, such as... Figure 3 As shown, the method includes:
[0107] S301, the second processor sends the first encrypted confidential data to the first processor.
[0108] Accordingly, the first processor receives the first encrypted confidential data sent by the second processor.
[0109] Specifically, the second processor can send the first encrypted confidential data to the first processor through inter-processor communication.
[0110] Accordingly, the first processor can receive the first encrypted confidential data sent by the second processor through inter-processor communication.
[0111] The inter-processor communication methods mentioned here cover a variety of different technologies, including but not limited to the high-speed serial computer expansion bus standard (peripheral component interconnect express, PCIe); the widely used Ethernet technology; and high-speed interconnect technology (NVLink); in addition, there is infinite bandwidth technology (IB) used in the field of high-performance computing.
[0112] For example, a large model training framework running on a CPU can read first encrypted confidential data from storage devices (such as hard drives or memory) of a heterogeneous computing system and load this data into the CPU memory. The CPU memory can then send PCIe messages carrying the first encrypted confidential data to the AI accelerator.
[0113] Accordingly, the AI accelerator can receive PCIe messages sent by the CPU memory that carry first encrypted confidential data.
[0114] It should be noted that the aforementioned first encrypted confidential data refers to the first plaintext confidential data that has already been encrypted.
[0115] like Figure 4 As shown, the first plaintext confidential data is obtained by encrypting the first plaintext confidential data.
[0116] In this application embodiment, no specific restrictions are set regarding the encryption method for the first plaintext confidential data. This means that any encryption technology well-known to those skilled in the art can be freely chosen to implement encryption. For example, symmetric encryption algorithms can be used, including but not limited to the National Cryptography 4 (SM4), Advanced Encryption Standard (AES), Data Encryption Standard (DES), Triple Data Encryption Standard (TDES), Blowfish, RC2, RC4, RC5, International Data Encryption Algorithm (IDEA), and Skipjack. In addition, asymmetric encryption algorithms such as RSA, Elgamal, Knapsack Algorithm, Rabin, Diffie-Hellman Key Exchange (DH), and Elliptic Curve Cryptography (ECC) can also be used. Hash function encryption algorithms are also optional, including Message-Digest Algorithm Version 5 (MD5), Secure Hashalgorithm 1 (SHA1), SHA256, and SHA512. By applying any of the above algorithms, the first plaintext confidential data can be effectively encrypted to obtain the first encrypted confidential data.
[0117] It should be noted that the aforementioned first plaintext confidential data may include at least one of the following: model structure, model parameters, training data, or inference data.
[0118] For example, assuming the first plaintext confidential data covers the model structure, model parameters, training data, or inference data, then the first encrypted confidential data will include the encrypted model structure, the encrypted model training data, and the encrypted model parameters.
[0119] It is evident that the solution proposed in this application can ensure the security of confidential data such as model structure, model parameters, training data, and inference data. Furthermore, this solution is also applicable to protecting other confidential data, such as user privacy information and trade secrets, which must also be rigorously protected during processing. This solution effectively prevents unauthorized access or leakage of plaintext confidential data, thereby building a more secure heterogeneous computing system for users and enterprises.
[0120] For model inference scenarios, such as those of large language models (LLMs), the above-mentioned first plaintext confidential data may include the model structure, model parameters, and inference data of the LLM. Specifically, the inference data of the LLM model refers to the input sequence of the model, which is usually composed of multiple tokens. For example, the above-mentioned first plaintext confidential data can be the input sequence "Which super first-tier cities are there in China", which consists of 10 tokens, namely: 中, 国, 有, 哪, 些, 超, 一, 线, 城, 市.
[0121] It can be understood that the embodiments of this application only take the LLM model as an example to illustrate the process of model inference and do not constitute any limitation. In actual applications, other models can also be used, such as deep learning models, convolutional neural networks (CNNs), or recurrent neural networks (RNNs), etc. These models also have the ability to perform complex inference tasks and generate corresponding confidential data. For example, deep learning models are suitable for image recognition, CNNs are good at processing visual data, and RNNs perform well in processing sequence data, such as in the fields of speech recognition or natural language processing. In these models, the first plaintext confidential data may include the model structure, model parameters, and inference data. Therefore, the embodiments of this application are not limited to the LLM model but can be widely applied to various machine learning and deep learning models to ensure the security and privacy of data processing.
[0122] For model training scenarios, the above-mentioned first plaintext confidential data may cover key information at multiple levels. These information includes but is not limited to the model structure, which is an essential core element when constructing the model. In addition, model parameters are also crucial, as they determine the behavior and performance of the model when processing data. Besides the model architecture and parameters, the training data itself also belongs to the category of confidential data because these data are the basis for the model to learn and optimize, and their confidentiality is crucial for protecting intellectual property rights and avoiding data leakage.
[0123] For example, for the training scenario of the Transformer model, the first plaintext confidential data may include the model structure of the Transformer model (such as the number of encoders and decoders), model parameters (such as weight matrices, embedding vectors, and context vectors), and training data.
[0124] Specifically, in the Transformer model, the model parameters include the parameters of the self-attention mechanism network within the encoder (or decoder), the parameters of the feedforward neural network, and the parameters of the positional encoding. The self-attention mechanism network is a deep learning model that allows the model to focus more on key parts of the input data by assigning adaptive attention weights to each element within the network. The feedforward neural network, also known as a forward propagation neural network, is the foundation of neural network architecture. In this network, information flows unidirectionally, starting from the input layer, passing through one or more hidden layers, and finally reaching the output layer. Neurons in each layer are only connected to neurons in the next layer; there are no feedback or recurrent connections, hence the name feedforward. Positional encoding is the technique used in the Transformer model to represent the positional information of words in a sentence. Because the Transformer model does not rely on the sequential structure of recurrent neural networks (RNNs) or convolutional neural networks (CNNs), a method is needed to distinguish words at different positions in a sequence. Positional encoding is achieved by appending a position-related vector to each word, enabling the model to understand the sequential information of words. These positional encodings are typically added to the word embedding vectors to form the final input representation. Positional encodings can be fixed or learnable. In practical applications, positional encoding is typically generated using different frequencies of sine and cosine functions to ensure that the model can handle sequences of arbitrary length.
[0125] For Transformer models performing machine translation tasks, their training datasets typically contain a large number of source texts and their translation pairs. Models trained in this way can master the mapping relationships between different languages. During the training phase, the model deeply analyzes these bilingual texts, identifying and extracting vocabulary, phrases, and syntactic structures from the source texts, and then converting them into appropriate expressions in the target language. This training mechanism endows Transformer models with superior translation capabilities, enabling them to produce fluent and accurate translation results. By continuously optimizing model parameters and utilizing the training dataset, the model can achieve optimal translation performance. Through continuous iteration and improvement, the model's translation errors gradually decrease, and the translation quality is significantly improved. Ultimately, a fully trained model can be deployed in real-world applications, providing users with fast and accurate language conversion services.
[0126] For the Transformer model, designed to answer questions, its training dataset consists of a large number of questions and corresponding answers. This training enables the model to grasp the logical connections between questions and answers. During training, the model analyzes numerous question-answer pairs, understands the intent and context of the questions, and generates appropriate answers accordingly. This training method ensures the Transformer model's efficient performance in question-answering tasks, providing accurate and relevant answers. By optimizing the model's training dataset, the model parameters are tuned to achieve optimal question-answering performance. Through continuous iteration and optimization, the model's accuracy and relevance in answering questions are continuously improved. Ultimately, a fully trained model can be applied to practical question-answering systems, providing users with fast and accurate information retrieval services.
[0127] It is understood that the embodiments of this application only use the Transformer model as an example to illustrate the model training process. However, in practical applications, other models can also be used, such as attention models, CNN models, RNN models, and their variants, such as Long Short-Term Memory (LSTM) networks and Gated Recurrent Units (GRUs). Each model has its specific model structure and model parameter settings, and these details also need to be kept confidential to ensure the model's uniqueness and competitiveness. For example, in the CNN model training scenario, the first plaintext confidential data may include model parameters such as the configuration of convolutional layers, kernel size, and stride, as well as the image training dataset used for training. In the RNN or its variant model training scenario, the first plaintext confidential data may include model parameters such as the special model structure for sequence processing, time step, and dimension of hidden states, as well as the corresponding sequence training data. The confidentiality of this data and information is crucial for maintaining technological advantages and preventing competitors from copying the model.
[0128] In data computing scenarios, the previously mentioned first plaintext confidential data may include data that needs to be processed. For example, when floating-point operations, such as addition, are involved, the first plaintext confidential data refers to the floating-point numbers that will be added.
[0129] It is understood that the embodiments of this application only use floating-point calculation as an example to illustrate data calculation scenarios. However, in practical applications, it can be extended to other calculation scenarios, including but not limited to matrix calculation, linear algebra calculation, finite element analysis (FEA) calculation, deoxyribonucleic acid (DNA) calculation, computer-aided design (CAD) calculation, computational fluid dynamics (CFD) calculation, quantum computing, neural network calculation, image processing calculation, and signal processing calculation. These calculation scenarios play a crucial role in many fields such as science, engineering, finance, medicine, bioinformatics, and artificial intelligence. For example, in large-scale scientific simulations and engineering designs, finite element analysis (FEA) calculations can help engineers predict the performance of products in the real world, thereby optimizing the design. In the field of bioinformatics, DNA calculations can be used for gene sequence analysis and comparison, providing support for disease diagnosis and treatment. Furthermore, with the development of artificial intelligence technology, neural network calculations are increasingly widely used in image recognition, speech recognition, and natural language processing. Therefore, the technology involved in this application is not limited to floating-point calculation, and its practical application scope is very wide.
[0130] like Figure 5 As demonstrated, after the first processor receives the first encrypted confidential data sent by the second processor, it must take necessary measures to protect the confidential data in order to ensure its security. Specifically, the first processor needs to store the encrypted confidential data in a dedicated secure memory space within itself.
[0131] In one possible implementation, the second processor is capable of transmitting the first encrypted confidential data to the first processor.
[0132] Specifically, the second processor is able to write the first encrypted confidential data into the memory of the first processor.
[0133] For example, the CPU can write the first encrypted confidential data into the secure memory space of the AI accelerator.
[0134] S302, The first processor decrypts the first encrypted confidential data to obtain the first plaintext confidential data.
[0135] like Figure 4 As shown, the first plaintext confidential data is obtained by decrypting the first encrypted confidential data.
[0136] like Figure 5As demonstrated, the encryption / decryption engine of the first processor can read first encrypted confidential data from the secure memory space and decrypt it to obtain first plaintext confidential data. Subsequently, it rewrites the decrypted first plaintext confidential data back into the secure memory space to ensure the security of the first plaintext confidential data.
[0137] In one possible implementation, the first processor can use a decryption algorithm corresponding to the encryption algorithm of the first plaintext confidential data to decrypt the first encrypted confidential data, thereby recovering the first plaintext confidential data.
[0138] For example, if the first encrypted confidential data is encrypted using a symmetric encryption algorithm, then the AI accelerator can apply the corresponding symmetric decryption algorithm to decrypt the first encrypted confidential data to obtain the first plaintext confidential data.
[0139] For example, if the first encrypted confidential data is encrypted using an asymmetric encryption algorithm, the AI accelerator can use the corresponding asymmetric decryption algorithm to decrypt the first encrypted confidential data and thus obtain the first plaintext confidential data.
[0140] Additionally, if the first encrypted confidential data is encrypted using a hash function encryption algorithm, the AI accelerator will be able to use a hash function decryption algorithm to decrypt the first encrypted confidential data and recover the first plaintext confidential data.
[0141] In one possible implementation, the first processor sends an error message to the second processor if the first encrypted confidential data fails to be decrypted.
[0142] The error message indicates that the decryption of the first encrypted confidential data failed.
[0143] For example, when the first processor fails to decrypt the first plaintext confidential data, it can send an error message to the second processor through inter-process communication.
[0144] Correspondingly, the second processor can receive error messages from the first processor via processor communication, indicating that the decryption of the first encrypted confidential data failed.
[0145] For example, an AI accelerator can send a PCIe message containing error information to the CPU.
[0146] Correspondingly, the CPU can receive PCIe messages containing error information sent by the AI accelerator.
[0147] Understandably, when an attempt to decrypt encrypted confidential data fails, it usually means that the confidential data was either not encrypted correctly or that a problem occurred during the encryption process. In this situation, to ensure the security and integrity of the confidential data, the first processor should take appropriate measures. Specifically, the second processor can send an error message to the first processor, informing it that an obstacle was encountered during the decryption process. Once the first processor receives this error message, it can re-encrypt the confidential data to ensure its security and prevent leakage due to unencrypted or failed encryption. Furthermore, this error message mechanism can help identify and locate the source of the problem, whether it's a flaw in the encryption algorithm, improper key management, or interference during the transmission of confidential data.
[0148] In one possible implementation, when the second processor receives an error message, it can resend the signal containing the first encrypted confidential data.
[0149] For example, the CPU can resend a PCIe message containing the first encrypted confidential data to the AI accelerator.
[0150] Alternatively, the CPU can re-encrypt the first plaintext confidential data to generate a new first encrypted confidential data, and then send this re-encrypted first encrypted confidential data to the AI accelerator via PCIe message.
[0151] S303, The first processor encrypts the second plaintext confidential data to obtain the second encrypted confidential data.
[0152] For example, the first processor may use a symmetric encryption algorithm to encrypt the second plaintext confidential data, thereby generating the second encrypted confidential data.
[0153] For example, an AI accelerator can use the AES algorithm to encrypt a second plaintext confidential data to produce a second encrypted confidential data.
[0154] As another example, the first processor may also use an asymmetric encryption algorithm to encrypt the second plaintext confidential data, thereby obtaining the second encrypted confidential data.
[0155] For example, an AI accelerator can use the RSA algorithm to encrypt a second plaintext confidential data to obtain a second encrypted confidential data.
[0156] Furthermore, the first processor can also use a hash function encryption algorithm to encrypt the second plaintext confidential data, thereby generating the second encrypted confidential data.
[0157] For example, an AI accelerator can use the MD5 algorithm to encrypt the second plaintext confidential data to obtain the second encrypted confidential data.
[0158] It should be noted that the above-mentioned second plaintext confidential data is obtained by performing calculations, training, or inference on the above-mentioned first plaintext confidential data.
[0159] As Figure 4 shown, calculations, inference, or training can be performed based on the first plaintext confidential data to obtain the second plaintext confidential data, and the second plaintext confidential data is encrypted to obtain the second encrypted confidential data.
[0160] As Figure 5 shown, the computing unit of the first processor can read the first plaintext confidential data from its secure memory space, and then perform calculations, inference, or training based on these data to obtain the second plaintext confidential data. Then, the computing unit writes the second plaintext confidential data into the secure memory space of the first processor. After that, the encryption / decryption engine of the first processor reads the second plaintext confidential data from the secure memory space and performs encryption processing on it, finally generating the second encrypted confidential data, which is also written into the secure memory space of the first processor.
[0161] It should be clear that Figure 5 only a schematic description of a data transmission process is provided, which does not constitute any limitation. In actual applications, other data transmission processes can be completely selected. For example, after the computing unit obtains the second plaintext confidential data, it can also directly send these data to the encryption / decryption engine, which performs the encryption operation, generates the second encrypted confidential data, and writes it into the secure memory of the first processor.
[0162] For the model inference scenario, such as the LLM model inference scenario, the above-mentioned first plaintext confidential data may include the model structure, model parameters, and inference data of the LLM. Specifically, the inference data of the LLM model refers to the input sequence of the model, which usually consists of multiple tokens. For example, the above-mentioned first plaintext confidential data can be the input sequence "Which super first-tier cities are there in China", and this input sequence consists of 10 tokens, which are: 中, 国, 有, 哪, 些, 超, 一, 线, 城, 市 in sequence.
[0163] Correspondingly, the second plaintext confidential data obtained by performing inference through this first plaintext confidential data may be the inference result of the LLM. Specifically, the inference result of the LLM refers to the output sequence of the model, which usually consists of multiple tokens. For example, the above-mentioned second plaintext confidential data can be the output sequence "Shanghai, Beijing, Guangzhou, and Shenzhen", and this output sequence consists of 9 tokens, which are: 上, 海, 北, 京, 广, 州, 和, 深, 圳 in sequence.
[0164] For model training scenarios, such as Transformer model training scenarios, the aforementioned first plaintext confidential data may include the Transformer model structure, Transformer model parameters, and Transformer model training data.
[0165] Accordingly, the second plaintext confidential data obtained by reasoning from the first plaintext confidential data may include Transformer model parameters, specifically the Transformer model parameters optimized through the training process.
[0166] In data computing scenarios, the previously mentioned first plaintext confidential data may include data that needs to be processed. For example, when floating-point operations, such as addition, are involved, the first plaintext confidential data refers to the floating-point numbers that will be added.
[0167] Correspondingly, the second plaintext confidential data includes the output results of those computational operations. Taking floating-point arithmetic, such as addition, as an example, the second plaintext confidential data refers to the result of these floating-point addition operations.
[0168] Understandably, heterogeneous computing systems typically handle complex tasks, so many tasks cannot directly derive second plaintext confidential data from first plaintext confidential data. Instead, they need to first generate one or more intermediate data from the first plaintext confidential data, and then use this intermediate data to deduce the second plaintext confidential data.
[0169] Intermediate data of confidential data is also confidential data. Therefore, intermediate data generated from the first plaintext confidential data should also be placed in the secure memory space of the first processor to prevent intermediate data leakage.
[0170] like Figure 6 As shown, the computing unit of the first processor can store intermediate data in a secure memory space. Then, when it is necessary to use the intermediate data to compute the second plaintext confidential data, the intermediate data is read from the secure memory space.
[0171] Taking the inference scenario of LLM as an example, the intermediate data mentioned above may include the query vector, key vector, value vector, and attention score generated for each token in the output sequence. Among them, the attention score reflects the degree of correlation between different input tokens, while the query, key, and value vectors participate in the calculation process of the attention mechanism and jointly determine how the model weights the input information.
[0172] During the training of a Transformer model, intermediate data may include Transformer model parameters, especially those that have been optimized during training but have not yet met the output criteria. For example, if the output criteria are set to 1000 training iterations, then the intermediate data may include Transformer model parameters obtained from the 1st to the 999th training iteration.
[0173] The number of training iterations refers to the number of times a dataset is input into a model and trained iteratively within a deep learning framework. Each iteration updates the model's weights and biases, thereby continuously improving the model's performance. The determination of the number of training iterations is influenced by various factors, including the algorithm used, the size and quality of the dataset, the processing power of the hardware, the training objectives, and the required accuracy standards.
[0174] For data computation scenarios, such as floating-point addition, the intermediate data mentioned above may include the alignment result of floating-point numbers, the mantissa operation of floating-point numbers, the normalization result of floating-point numbers, the rounding result of floating-point numbers, and the overflow / underflow detection result of floating-point numbers.
[0175] In floating-point arithmetic, the alignment process involves adjusting the exponents of two floating-point numbers to the same value. This requires shifting the mantissa of the number with the smaller exponent to the right by the corresponding number of bits and increasing its exponent accordingly to ensure that the exponents of the two numbers are the same.
[0176] Mantissa operations specifically refer to addition or subtraction operations performed on the mantissa portion of a floating-point number.
[0177] The normalization step involves checking whether the calculation result conforms to the normalized format (i.e., the highest bit of the mantissa should be 1). If the result does not conform, it is necessary to restore its normalized state through a shift operation and adjust the exponent value accordingly.
[0178] Rounding refers to rounding the result of an operation to ensure that the number of significant digits in the mantissa of the resulting floating-point number reaches the preset precision standard.
[0179] Overflow / underflow detection refers to determining whether the final result exceeds the maximum or minimum value range that the system can represent. If it exceeds the range, appropriate measures must be taken, such as setting a special flag or returning a specific error message.
[0180] S304, the second processor sends a data read request to the first processor.
[0181] Accordingly, the first processor receives the data read request sent by the second processor.
[0182] The aforementioned data read request may include detailed information about the data to be read, such as data type, data volume, data source, and read permission level (e.g., whether it is confidential data). When the first processor receives such a request, it will perform verification and processing based on the information provided in the request. If the request is confirmed to be valid and meets the permission conditions, the first processor will read the data and ensure that the data is securely transmitted to the second processor.
[0183] S305. When the data to be read in the data read request received by the first processor is encrypted confidential data, the second encrypted confidential data is sent to the second processor.
[0184] Accordingly, the second processor receives the encrypted confidential data sent by the first processor.
[0185] For example, after receiving a data read request, the first processor determines whether the data to be read is encrypted confidential data. If the data to be read is encrypted confidential data, the first processor can transmit the second encrypted confidential data to the second processor through an inter-processor communication mechanism.
[0186] Accordingly, the second processor can receive the second encrypted confidential data transmitted by the first processor through an inter-processor communication mechanism.
[0187] For example, after receiving a data read request, the AI accelerator will determine whether the data to be read is encrypted confidential data. If the data to be read is encrypted confidential data, it will send a PCIe message containing a second encrypted confidential data to the CPU.
[0188] Accordingly, the CPU is able to receive PCIe messages containing second encrypted confidential data sent by the AI accelerator.
[0189] The specific implementation of determining whether the data to be read is encrypted confidential data can be any method that can be conceived by those skilled in the art, and the embodiments of this application do not specifically limit it.
[0190] For example, after encrypting confidential data, a unique identifier can be attached to it. This identifier could be a specific encryption flag indicating that the confidential data has been encrypted. Thus, when data needs to be read, it is only necessary to check whether the confidential data to be read contains this specific encryption flag to determine whether the confidential data has been encrypted.
[0191] For example, the data to be read can be decrypted. If the data is successfully decrypted, it can be determined that the confidential data is encrypted confidential data; if the decryption fails, it can be determined that the confidential data is plaintext confidential data.
[0192] In addition, a table can be created to record the encryption status of each piece of confidential data. In this way, when it is necessary to read this data, one can quickly check the table to immediately determine whether the data to be read is encrypted confidential data.
[0193] S306. If the data to be read in the data read request received by the first processor is plaintext confidential data, the data read request shall be rejected.
[0194] In one possible implementation, the first processor can also identify and mark requests to read unencrypted confidential data as abnormal read requests, then save and report these anomalies. In this way, administrators of heterogeneous computing systems can promptly learn of the occurrence of abnormal read requests and take appropriate action against the entities initiating these requests.
[0195] As mentioned above, the solutions provided in this application are applicable to various scenarios such as model inference, model training, and computation.
[0196] In the model inference scenario, once the second processor receives a model inference request, it forwards the relevant encrypted confidential data (i.e., the previously mentioned first encrypted confidential data) to the first processor. After obtaining the first encrypted confidential data, the first processor performs a decryption operation and stores the decrypted first plaintext confidential data in a secure memory space specifically designed for storing confidential data. When the first processor needs to perform model inference, it can extract the first plaintext confidential data from the secure memory space, generate second plaintext data through the inference process, and then encrypt the second plaintext data to generate second encrypted confidential data. Upon receiving a request for the model inference result, the second processor sends a data read request to the first processor to obtain the encrypted model inference result (i.e., the aforementioned second encrypted confidential data). Correspondingly, upon receiving the data read request, the first processor determines whether the data to be read in the request is encrypted confidential data. If the data to be read is encrypted confidential data, the first processor sends the second encrypted confidential data to the second processor; if the data to be read is not encrypted confidential data, it refuses to respond to the data read request. After receiving the second encrypted confidential data, the second processor can output it, thus completing the entire model inference process.
[0197] In the model training scenario, upon receiving a model training request, the second processor can forward the relevant encrypted confidential data (i.e., the previously mentioned first encrypted confidential data) to the first processor. After obtaining the first encrypted confidential data, the first processor will perform a decryption operation and store the decrypted first plaintext confidential data in a secure memory space specifically designed for storing confidential data. When the first processor needs to perform model training, it can extract the first plaintext confidential data from the secure memory space, generate second plaintext data through inference, and then encrypt the second plaintext data to generate the second encrypted confidential data. Upon receiving a request for model training results, the second processor will send a data read request to the first processor to obtain the encrypted model training results (i.e., the aforementioned second encrypted confidential data). Correspondingly, upon receiving a data read request, the first processor will determine whether the data to be read in the request is encrypted confidential data. If the data to be read is encrypted confidential data, the first processor will send the second encrypted confidential data to the second processor; if the data to be read is not encrypted confidential data, it will refuse to respond to the data read request. After receiving the second encrypted confidential data, the second processor can output it, thus completing the entire model training process.
[0198] In a computational scenario, upon receiving a computation request, the second processor forwards the relevant encrypted confidential data (i.e., the previously mentioned first encrypted confidential data) to the first processor. After obtaining the first encrypted confidential data, the first processor performs a decryption operation and stores the decrypted first plaintext confidential data in a secure memory space specifically designed for storing confidential data. When the first processor needs to perform computation, it can extract the first plaintext confidential data from the secure memory space, generate second plaintext data through a reasoning process, and then encrypt the second plaintext data to generate the second encrypted confidential data. Upon receiving a request for the computation result, the second processor sends a data read request to the first processor to obtain the encrypted computation result (i.e., the aforementioned second encrypted confidential data). Correspondingly, upon receiving the data read request, the first processor determines whether the data to be read in the request is encrypted confidential data. If the data to be read is encrypted confidential data, the first processor sends the second encrypted confidential data to the second processor; if the data to be read is not encrypted confidential data, it refuses to respond to the data read request. After receiving the second encrypted confidential data, the second processor can output it, thus completing the entire computation process.
[0199] It is evident that in the solution proposed in this application, confidential data involved in model inference, model training, and computation is always encrypted during inter-processor transmission, which significantly improves the security of confidential data during transmission. Furthermore, by setting up a secure memory space to achieve physical isolation of confidential data, the storage security of the data is further enhanced. In summary, the embodiments of this application effectively improve the overall security of confidential data in model inference, model training, and computation scenarios, particularly in terms of storage and transmission.
[0200] As can be seen from S301 to S306 above, in the solution provided by this application embodiment, the first processor is configured to only allow the second processor to access confidential data that has been encrypted. Therefore, when the second processor attempts to read unencrypted confidential data, the first processor automatically rejects its access request. In this way, we can effectively ensure the security of confidential data in heterogeneous computing systems and reduce the risk of confidential data leakage.
[0201] Figure 7 This application illustrates a communication method provided by an embodiment of the present application. This method can be executed by a user device and a heterogeneous computing system (including a first processor and a second processor), such as... Figure 7 As shown, the method includes:
[0202] S701, The user equipment sends the first encrypted confidential data to the second processor.
[0203] Accordingly, the second processor receives the first encrypted confidential data sent by the user equipment.
[0204] For example, in a model training scenario, the user equipment of the model provider can send first encrypted confidential data, which carries encrypted model structure and encrypted training data, to the CPU in a heterogeneous computing system.
[0205] Accordingly, the CPU in the heterogeneous computing system can receive first encrypted confidential data sent by the user equipment of the model provider, which carries encrypted model structure and encrypted training data.
[0206] For example, in a model fine-tuning scenario, the model provider can send a first encrypted confidential data containing the encrypted model structure, encrypted model parameters, and encrypted fine-tuning data to the CPU in a heterogeneous computing system.
[0207] Accordingly, the CPU in the heterogeneous computing system can receive first encrypted confidential data sent by the user equipment of the model provider, which carries encrypted model structure, encrypted model parameters and encrypted fine-tuning data.
[0208] In one possible implementation, the first encrypted confidential data can originate from multiple user devices.
[0209] For example, in a model training scenario, the first encrypted confidential data typically includes the encrypted model structure and parameters provided by the model provider's user device, and the encrypted training data provided by the data provider's user device. This data transmission method ensures the security of confidential information while allowing all parties to participate in the model training and optimization process without directly sharing the original data.
[0210] like Figure 8 As demonstrated, taking a user device including both the model provider's user device and the data provider's user device as an example, sending first encrypted confidential data from the user device to the second processor may include:
[0211] The user equipment of the model provider sends the encrypted model structure and encrypted model parameters to the second processor;
[0212] The user equipment of the data provider sends encrypted training data to the second processor.
[0213] S702, the second processor sends the first encrypted confidential data to the first processor.
[0214] Accordingly, the first processor receives the first encrypted confidential data sent by the second processor.
[0215] S703, the first processor decrypts the first encrypted confidential data to obtain the first plaintext confidential data.
[0216] S704, the first processor encrypts the second plaintext confidential data to obtain the second encrypted confidential data.
[0217] It is worth noting that the aforementioned second plaintext confidential data is obtained by calculating, training, or reasoning from the aforementioned first plaintext confidential data.
[0218] S705, the second processor sends a data read request to the first processor.
[0219] Accordingly, the first processor receives the data read request sent by the second processor.
[0220] S706. When the data to be read in the data read request received by the first processor is encrypted confidential data, the second encrypted confidential data is sent to the second processor.
[0221] Accordingly, the second processor receives the encrypted confidential data sent by the first processor.
[0222] S707: If the data to be read in the data read request received by the first processor is plaintext confidential data, the data read request shall be rejected.
[0223] For the specific implementation methods of S702 to S707, please refer to the detailed description of S301 to S306. The embodiments of this application will not be described in detail here.
[0224] S708, the second processor sends the second encrypted confidential data to the user equipment.
[0225] Accordingly, the user equipment receives the second encrypted confidential data sent by the second processor.
[0226] In one possible implementation, the second processor has the capability to send second encrypted confidential data to multiple user devices. For example, in a model training scenario, the second processor can send the second encrypted confidential data to the user devices of both the model provider and the data provider. This data transmission method ensures the security of confidential information while allowing all parties to participate in the model training and optimization process without directly sharing the original data.
[0227] This application also provides a computing framework for a heterogeneous computing system, such as... Figure 9 As shown, the heterogeneous node includes a CPU and an AI accelerator.
[0228] like Figure 9 As shown, the CPU runs N processes and the CPU operating system (CPUHost).
[0229] Through these processes, the CPU can communicate with user devices to obtain the necessary encrypted confidential data.
[0230] The CPU Host is the main operating system responsible for managing CPU resources. It schedules processes on the CPU, ensuring their efficient operation and handling requests from user devices. The CPU Host interacts with the AI accelerator through kernel-level drivers, enabling encrypted data transmission and processing. Furthermore, the CPU Host maintains system security, preventing unauthorized access and data leaks. In heterogeneous computing systems, the CPU Host is a crucial component connecting the CPU and AI accelerator, allowing the system to fully leverage the advantages of different hardware for more efficient computing tasks.
[0231] like Figure 9 As shown, the CPU also includes a large model training framework, an AI operator library, an AI accelerator driver, and CPU memory.
[0232] The CPU memory is used to store the first encrypted confidential data and the second encrypted confidential data mentioned above.
[0233] In one possible implementation, CPU memory consists of secure and insecure memory spaces. Dividing CPU memory into secure and insecure memory spaces accommodates the different data security needs of various users. For users with high data security requirements, the data they input into the heterogeneous computing system is considered confidential. In this case, the CPU stores this confidential data in the secure memory space to ensure its security. Conversely, for users with less stringent data security requirements, the data they input is non-confidential, and the CPU stores this data in the insecure memory space, thus ensuring efficient and convenient data transfer.
[0234] In heterogeneous computing systems, large model training frameworks running on CPUs play a crucial role. They effectively launch one or more AI computing services, each corresponding to an independent process. When executing computational tasks, these AI computing services intelligently invoke the appropriate AI operator libraries based on the different operation types involved, such as addition, subtraction, multiplication, and division. These operator libraries contain operators specifically optimized for AI accelerators, such as addition, subtraction, multiplication, and division operators that AI accelerators execute. In this way, complex AI model training tasks can be efficiently decomposed and distributed to AI accelerators for execution, thereby significantly improving computational efficiency.
[0235] During the execution of AI computing services, to ensure data security and task independence, different AI computing services (processes) are allocated to different memory regions on the AI accelerator through a memory isolation engine. These memory regions are isolated from each other, ensuring that one service cannot access data stored in the AI accelerator's memory by another service. This memory isolation mechanism not only improves system security but also enhances task execution stability, as errors or anomalies in one service will not affect the normal operation of other services. Furthermore, this isolation allows different AI computing services to run in parallel, fully utilizing hardware resources and improving overall computing performance.
[0236] like Figure 9 As shown, an AI accelerator is a highly integrated hardware device that integrates multiple key components that work together to provide powerful computing capabilities. These key components include AI accelerator memory, AI accelerator computing unit, memory management unit, process management, memory isolation engine, and encryption / decryption engine.
[0237] The AI accelerator memory is responsible for storing critical data, such as first encrypted confidential data and second encrypted confidential data, as well as first plaintext confidential data and second plaintext confidential data.
[0238] The computing units in AI accelerators are primarily dedicated to performing various computational tasks, excelling in data processing. For example, these units can utilize first plaintext confidential data and, through a series of complex algorithms and computational processes, ultimately calculate second plaintext confidential data. This process not only requires computing units to possess high computational power but also to ensure data security and privacy, preventing confidential data from being leaked during the computation process.
[0239] The Memory Management Unit (MMU) plays a crucial role, responsible for translating virtual addresses into physical addresses. For example, in modern computer systems, when the Central Processing Unit (CPU) attempts to access the memory of a specific hardware component, such as an AI accelerator, via a virtual address, the MMU efficiently translates these virtual addresses into corresponding physical addresses. This process ensures that the CPU can correctly locate and access data in physical memory, thereby making the entire system operate more efficiently and stably.
[0240] The process management module plays a crucial role, primarily responsible for the effective management and coordination of computing processes within the AI accelerator.
[0241] The encryption / decryption engine plays a crucial role in the data processing flow, primarily responsible for encrypting and decrypting the data input to and output to the AI accelerator. Specifically, the encryption / decryption engine can perform various secure transformations; for example, it can decrypt first encrypted confidential data into first plaintext confidential data, or encrypt second plaintext confidential data into second encrypted confidential data.
[0242] The memory isolation engine manages and controls the CPU's access permissions to the AI accelerator's memory, ensuring data security and processing efficiency. This engine is independently controlled by the AI accelerator itself, autonomously deciding when and how to allow the CPU to access its memory resources, thus maintaining system stability and security while ensuring performance.
[0243] Reference Figure 9 ,like Figure 10 As shown, in one possible implementation, the memory isolation engine may include a first interface and a second interface.
[0244] The first interface is responsible for authorizing address access to memory, enabling other processors (such as CPUs) to access encrypted confidential data within the AI accelerator.
[0245] The second interface is used to revoke memory access permissions for addresses, preventing other processors (such as the CPU) from accessing unencrypted confidential data within the AI accelerator.
[0246] In this embodiment, the methods for revoking address access permissions can be diverse, covering any approach conceived by those skilled in the art, and this application does not impose specific limitations. For example, the method of deleting the physical address corresponding to the AI accelerator's virtual address can be used, or the address access permission can be revoked by checking the physical address access flag. Furthermore, other technical means can be employed, such as modifying access control lists (ACLs), using a permission management module for permission revocation, or implementing control over specific address access permissions through software-level configuration. These methods can be applied individually or in combination to achieve the goal of revoking address access permissions.
[0247] Understandably, a memory isolation engine and corresponding access control interfaces can effectively prevent the CPU from accessing unencrypted confidential data in heterogeneous computing systems, allowing access only to encrypted confidential data. This mechanism ensures data security because confidential data will not be easily leaked even if the system is compromised by malware or unauthorized users. Furthermore, this approach enables fine-grained control over sensitive data, ensuring that only properly authorized processes can read or modify this data, thereby significantly enhancing the security of the entire computing environment.
[0248] Reference Figure 9 ,like Figure 11 As shown, in one possible implementation, the AI accelerator memory consists of secure and insecure memory spaces. Dividing the AI accelerator memory into secure and insecure memory spaces accommodates the different data security needs of various users. For users with high data security requirements, the data they input into the heterogeneous computing system is considered confidential. In this case, the AI accelerator stores this confidential data in the secure memory space to ensure its security. Conversely, for users with less stringent data security requirements, the data they input is non-confidential, and the AI accelerator stores this data in the insecure memory space, thus ensuring efficient and convenient data transmission.
[0249] For example, the secure memory space of the AI accelerator can store the aforementioned types of confidential data, including first encrypted confidential data, second encrypted confidential data, first plaintext confidential data, and second plaintext confidential data.
[0250] The following is combined Figures 9 to 11 The computing framework shown illustrates the communication method provided in the embodiments of this application, such as... Figure 12 As shown, the method includes:
[0251] S1201, The CPU writes the first encrypted confidential data into the AI accelerator.
[0252] For example, the CPU can send a first encrypted confidential data write request to the AI accelerator.
[0253] Accordingly, the AI accelerator receives the first encrypted confidential data write request sent by the CPU and allows the CPU to write the first encrypted confidential data.
[0254] When the CPU attempts to write first encrypted confidential data with a starting address of addr_in and a size of size_in to the AI accelerator, the AI accelerator calls a first interface to open the memory address channel corresponding to the first encrypted confidential data, allowing the CPU to write size_in of the first encrypted confidential data to the AI accelerator's memory address addr_in. After the first encrypted confidential data is written, the AI accelerator calls a second interface to close the input channel, preventing the CPU from writing data to any address in the AI accelerator's memory.
[0255] S1202, the AI accelerator decrypts the first encrypted confidential data to obtain the first plaintext confidential data.
[0256] For example, the encryption / decryption engine of the AI accelerator can decrypt the first encrypted confidential data to obtain the first plaintext confidential data.
[0257] For example, the encryption / decryption engine of an AI accelerator can read the first encrypted confidential data with the starting address addr_in and the size size_in from the memory of the AI accelerator and decrypt the first encrypted confidential data to obtain the first plaintext confidential data.
[0258] S1203, the AI accelerator encrypts the second plaintext confidential data to obtain the second encrypted confidential data.
[0259] For example, the AI accelerator can obtain second plaintext confidential data based on first plaintext confidential data, and encrypt the second plaintext confidential data to obtain second encrypted confidential data.
[0260] For example, the computing unit of the AI accelerator can process the first plaintext confidential data, calculate the result (i.e., the second plaintext confidential data), and store this data in the AI accelerator's secure memory space, with its starting address being addr_out and a size of size_out. Subsequently, the AI accelerator's encryption / decryption engine reads this second plaintext confidential data from the secure memory space, encrypts it, generates second encrypted confidential data, and finally stores the encrypted data back into the AI accelerator's memory.
[0261] For example, the computing unit of the AI accelerator can perform inference analysis on the first plaintext confidential data to obtain the inference result (i.e., the second plaintext confidential data), and store this data in the AI accelerator's secure memory space, with its starting address being addr_out and its size being size_out. Next, the AI accelerator's encryption / decryption engine reads this second plaintext confidential data from the secure memory space, encrypts it, generates second encrypted confidential data, and finally stores the encrypted data back into the AI accelerator's memory.
[0262] S1204, the CPU reads the second encrypted confidential data in the AI accelerator.
[0263] For example, the CPU can send a data read request to the AI accelerator. The AI accelerator receives the second encrypted confidential data read request from the CPU and calls a first interface to open an output channel, allowing the CPU to read second encrypted confidential data of size `size_out` from the AI accelerator's memory address `addr_out`. After the CPU reads the second encrypted confidential data, the AI accelerator calls a second interface to prevent the CPU from reading data from any memory address in the AI accelerator's memory.
[0264] Understandably, dynamically isolating memory based on the input and output size of the computation task eliminates the need to statically allocate isolated memory for each task, thus avoiding memory utilization issues.
[0265] like Figure 13 As shown, the AI accelerator can receive data write requests sent by the CPU. Upon receiving a data write request, the AI accelerator can allow the CPU to write the data to be written and call the first interface to grant the CPU write permission. After the CPU has finished writing the data, the AI accelerator can call the second interface to revoke the CPU write permission.
[0266] In one possible implementation, a data read request can be received. If the data to be read is encrypted confidential data, reading the data is permitted. If the data to be read is plaintext confidential data, reading the data is denied.
[0267] like Figure 14 As shown, the AI accelerator can receive data read requests sent by the CPU. When the data to be read is encrypted and confidential, the AI accelerator can allow the CPU to read the data and call the first interface to grant the CPU read permission. After the data to be read is read, the AI accelerator can call the second interface to revoke the CPU read permission.
[0268] For example, the AI accelerator can receive a data read request for second encrypted confidential data sent by the CPU. The AI accelerator can allow the CPU to read the second encrypted confidential data and call a first interface to grant the CPU read permission. After the second encrypted confidential data is read, the AI accelerator can call a second interface to revoke the CPU read permission.
[0269] like Figure 14 As shown, the AI accelerator can receive data read requests sent by the CPU. If the data to be read is plaintext confidential data, the AI accelerator can refuse to read the data and call the second interface to revoke the CPU's read permission.
[0270] For example, an AI accelerator can receive a data read request from the CPU for second plaintext confidential data. The AI accelerator can also refuse the CPU's request to read the second plaintext confidential data and call a second interface to revoke the CPU's read permission.
[0271] The following describes a communication device used to perform the above communication method.
[0272] It is understood that, in order to achieve the above-mentioned functions, the communication device includes hardware and / or software modules that perform the respective functions. The functions, algorithms, or steps described in conjunction with the embodiments disclosed herein can be implemented in hardware or a combination of hardware and computer software. Whether a function is implemented in hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application in conjunction with the embodiments, but such implementations should not be considered beyond the scope of the embodiments of this application.
[0273] This application embodiment can divide the communication device into functional modules according to the above method example. For example, each function can be divided into its own functional modules, or two or more functions can be integrated into one processing module. The integrated modules can be implemented in hardware. It should be noted that the module division in this embodiment is illustrative and only represents one logical functional division. In actual implementation, there may be other division methods.
[0274] When dividing each function into modules according to its corresponding function. Figure 15The diagram illustrates a possible configuration of the communication device involved in the above embodiments, applied to a heterogeneous computing system. The heterogeneous computing system includes a first processor and a second processor. The first processor includes a secure memory space and a non-secure memory space. The secure memory space is used to store confidential data, and the non-secure memory space is used to store non-confidential data. The capacity of the secure memory space varies with the size of the confidential data in the first processor. The communication device can be a processor, a module applied to the processor (e.g., a chip or chip system), or a logic node, logic module, or software that can implement all or part of the processor's functions.
[0275] like Figure 15 As shown, the communication device 1500 may include a transceiver unit 1501 and a processing unit 1502.
[0276] In the case where the communication device 1500 is a first processor, a module (e.g., a chip or chip system) applied to the first processor, or a logic node, logic module, or software that implements all or part of the functions of the first processor:
[0277] The processing unit 1502 is used to decrypt the first encrypted confidential data to obtain the first plaintext confidential data, wherein the first encrypted confidential data comes from the second processor.
[0278] The processing unit 1502 is further configured to encrypt the second plaintext confidential data to obtain second encrypted confidential data, wherein the second plaintext data is obtained by calculation, training or reasoning on the first plaintext confidential data.
[0279] The transceiver unit 1501 is used to send the second encrypted confidential data to the second processor when the data to be read in the received data read request is encrypted confidential data.
[0280] The transceiver unit 1501 is also configured to refuse to respond to the data read request if the data to be read in the received data read request is plaintext confidential data.
[0281] The aforementioned data read request originates from the aforementioned second processor.
[0282] In one possible implementation, the capacity of the aforementioned secure space is dynamically adjusted based on the amount of confidential data within the aforementioned first processor.
[0283] In one possible implementation, the first processor and the second processor are processors of different types.
[0284] In one possible implementation, the first processor is an AI accelerator, GPU, NPU, DPU, or switch chip, and the second processor is a CPU.
[0285] In one possible implementation, the aforementioned first plaintext confidential data includes at least one of model structure, model parameters, training data, or inference data.
[0286] In the case where the communication device 1500 is a second processor, a module (e.g., a chip or chip system) applied to the second processor, or a logic node, logic module, or software that implements all or part of the functions of the second processor:
[0287] The transceiver unit 1501 is used to send first encrypted confidential data to the first processor, wherein the first encrypted confidential data is obtained by encrypting the first plaintext confidential data.
[0288] The transceiver unit 1501 is also used to send a data read request to the first processor.
[0289] The transceiver unit 1501 is also used to receive second encrypted confidential data sent by the first processor. The second encrypted confidential data is obtained by encrypting second plaintext confidential data. The second plaintext data is obtained by calculating, training or reasoning on the first plaintext confidential data.
[0290] In one possible implementation, the capacity of the aforementioned secure space is dynamically adjusted based on the amount of confidential data within the aforementioned first processor.
[0291] In one possible implementation, the first processor and the second processor are processors of different types.
[0292] In one possible implementation, the first processor is an AI accelerator, GPU, NPU, DPU, or switch chip, and the second processor is a CPU.
[0293] In one possible implementation, the aforementioned first plaintext confidential data includes at least one of model structure, model parameters, training data, or inference data.
[0294] In one possible implementation, the second processor includes a secure memory space and a non-secure memory space, wherein the secure memory space of the second processor is used to store confidential data, and the non-secure memory space of the second processor is used to store non-confidential data.
[0295] In one possible implementation, the capacity of the security space of the second processor is dynamically adjusted according to the amount of confidential data within the second processor.
[0296] This application also provides a chip, which can be the chip of the above-mentioned communication device. Figure 16 A schematic diagram of a chip 1600 is shown. The chip 1600 includes one or more processors 1601 and interface circuits 1602.
[0297] Optionally, the chip 1600 may also include a bus 1603.
[0298] Processor 1601 may be an integrated circuit chip with signal processing capabilities. In implementation, each step of the above data transmission method can be completed through integrated logic circuits in the hardware of processor 1601 or through software instructions.
[0299] Optionally, the processor 1601 described above may be a general-purpose processor, a digital signal processing (DSP) processor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. It can implement or execute the methods and steps disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor or any conventional processor.
[0300] The interface circuit 1602 can be used to send or receive data, instructions or information. The processor 1601 can use the data, instructions or other information received by the interface circuit 1602 to process the data, instructions or other information, and can send the processed information out through the interface circuit 1602.
[0301] Optionally, the chip may also include memory, which may include read-only memory and random access memory, providing operation instructions and data to the processor. A portion of the memory may also include non-volatile random access memory (NVRAM).
[0302] Optionally, the memory stores executable software modules or data structures, and the processor 1601 can execute corresponding operations by calling operation instructions stored in the memory (which can be stored in the operating system).
[0303] For example, processor 1601 can execute one or more steps in S301 to S306 in the above embodiments by calling operation instructions stored in memory.
[0304] For the specific implementation of one or more steps S301 to S306 in the above embodiments, please refer to the description of S301 to S306 in the above embodiments, which will not be repeated here.
[0305] Optionally, the chip can be used in the communication device or communication device involved in the embodiments of this application. Optionally, the interface circuit 1602 can be used to output the execution result of the processor 1601. For the data transmission methods provided by one or more embodiments of the present application, please refer to the foregoing embodiments, which will not be repeated here.
[0306] It should be noted that the functions of the processor 1601 and the interface circuit 1602 can be implemented through hardware design, software design, or a combination of hardware and software; no restrictions are imposed here.
[0307] Figure 17 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. This electronic device can be used in the aforementioned heterogeneous computing system. Figure 17 As shown, the electronic device 1700 includes a processor 1701, a processor 1702, a transceiver 1703, and a communication line 1704.
[0308] The processors 1701 and 1702 are used to execute any step of the communication method provided in the embodiments of this application, and during the execution of any step of the communication method provided in the embodiments of this application, the transceiver 1703 and the communication line 1704 may be called to complete the corresponding operation.
[0309] For example, processor 1701 may be the first processor in the above embodiments, and processor 1702 may be the second processor in the above embodiments.
[0310] Furthermore, the electronic device 1700 may also include a memory 1705. The processor 1701, the memory 1705, and the transceiver 1703 can be connected via a communication line 1704.
[0311] The processor 1701 can be a CPU, AI accelerator, XPU, GPU, DPU, NPU, DSP, switch chip, AP, ISP, ASIC, FPGA, or any combination thereof. The processor 1701 can also be other devices with processing capabilities, such as circuits, devices, or software modules, without limitation.
[0312] Processor 1702 may be a CPU, AI accelerator, XPU, GPU, DPU, NPU, DSP, switch chip, AP, ISP, ASIC, FPGA, or any combination thereof. Processor 1701 may also be other devices with processing capabilities, such as circuits, devices, or software modules, without limitation.
[0313] Transceiver 1703 is used to communicate with other devices or other communication networks, such as Ethernet, radio access network (RAN), wireless local area network (WLAN), etc. Transceiver 1703 can be a module, circuit, transceiver, or any device capable of enabling communication.
[0314] The transceiver 1703 is mainly used for sending and receiving commands and information, and may include a transmitter and a receiver to send and receive commands and information, respectively; operations other than sending and receiving commands and information are implemented by the processor.
[0315] Communication line 1704 is used to transmit information between the various components included in electronic device 1700.
[0316] In one design, the processor can be viewed as a logic circuit, and the transceiver as an interface circuit.
[0317] Memory 1705 is used to store instructions. These instructions can be computer programs.
[0318] For example, processor 1701 or processor 1702 can execute one or more steps of S301 to S306 in the above embodiments by calling operation instructions stored in memory.
[0319] For the specific implementation of one or more steps S301 to S306 in the above embodiments by processor 1701 or processor 1702, please refer to the description of S301 to S306 in the above embodiments, which will not be repeated here.
[0320] The memory in this embodiment, including memory 1705, can be a non-transitory memory. This non-transitory memory can be volatile memory or non-volatile memory, or it can include both. The non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. The volatile memory can be random access memory (RAM), which serves as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous linked dynamic random access memory (SLDRAM), and direct rambus RAM (DR RAM). Memory 1705 can also be compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compressed discs, laser discs, optical discs, digital universal discs, Blu-ray discs, etc.), magnetic disk storage media, or other magnetic storage devices. It should be noted that the memory in the systems and methods described herein is intended to include, but is not limited to, these and any other suitable types of memory.
[0321] It should be noted that the memory 1705 can exist independently of the processor 1701, or it can be integrated with the processor 1701. The memory 1705 can be used to store instructions, program code, or some data, etc. The memory 1705 can be located inside or outside the electronic device 1700, without limitation. The processor 1701 is used to execute the instructions stored in the memory 1705 to implement the methods provided in the above embodiments of this application.
[0322] In one possible implementation, the processor 1701 can be designed to include one or more processor cores, which can be in a single-core or multi-core configuration. For example, in Figure 17 As shown in the document, the processor 1701 includes at least two processor cores, specifically processor core 0 and processor core 1, which work together to perform various computing tasks.
[0323] In another possible implementation, the processor 1702 can also be designed to include one or more processor cores, which can be in a single-core or multi-core configuration. For example, in Figure 17 As shown in the document, the processor 1702 also includes at least two processor cores, specifically processor core 0 and processor core 1, which work together to perform various computing tasks.
[0324] As an optional implementation, the electronic device 1700 may also include more processors, for example, in addition to Figure 17 In addition to processor 1701, electronic device 1700 may also include processor 1708.
[0325] As an optional implementation, the electronic device 1700 also includes an output device 1706 and an input device 1707. For example, the input device 1707 is a device such as a keyboard, mouse, microphone, or joystick, and the output device 1706 is a device such as a display screen or speaker.
[0326] It should be noted that the electronic device 1700 can be a chip system or... Figure 17 Devices with similar structures. The chip system can be composed of chips or include chips and other discrete components. Actions, terminology, etc., involved in the various embodiments of this application can be referenced interchangeably without limitation. The message names or parameter names in the messages used for interaction between devices in the embodiments of this application are merely examples; other names can be used in specific implementations without limitation. Furthermore, Figure 17 The structural composition shown does not constitute a limitation on the electronic device 1700, except... Figure 17 In addition to the components shown, the electronic device 1700 may include more than Figure 17 This may indicate more or fewer components, or combinations of certain components, or different component arrangements.
[0327] The processor and transceiver described in this application can be implemented on integrated circuits (ICs), analog ICs, radio frequency integrated circuits, mixed-signal ICs, application-specific integrated circuits (ASICs), printed circuit boards (PCBs), electronic devices, etc. The processor and transceiver can also be manufactured using various IC process technologies, such as complementary metal-oxide semiconductors (CMOS), n-metal-oxide-semiconductor (NMOS), positive-channel metal-oxide semiconductors (PMOS), bipolar junction transistors (BJTs), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.
[0328] This application also provides a communication system, the device including: at least one processor, which, when the at least one processor executes program code or instructions, implements the above-mentioned related method steps to implement the communication method in the above embodiments.
[0329] Optionally, the device may further include at least one memory for storing the program code or instructions.
[0330] This application also provides a computer storage medium storing computer instructions. When the computer instructions are executed on a communication system, the communication system performs the aforementioned related method steps to implement the communication method in the above embodiments.
[0331] This application also provides a computer program product that, when run on a computer, causes the computer to perform the aforementioned steps to implement the communication method described in the above embodiments.
[0332] It should be understood that in various embodiments of this application, the sequence number of each process does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of this application.
[0333] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of the embodiments of this application.
[0334] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the above method embodiments, and will not be repeated here.
[0335] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of the units described above is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between devices or units may be electrical, mechanical, or other forms.
[0336] The units described above as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0337] In addition, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.
[0338] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of this application, essentially, or the parts that contribute to the prior art, or parts of the technical solutions, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0339] The above description is merely a specific implementation of the embodiments of this application, but the protection scope of the embodiments of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in the embodiments of this application should be included within the protection scope of the embodiments of this application. Therefore, the protection scope of the embodiments of this application should be determined by the protection scope of the claims.
Claims
1. A communication method applied to a heterogeneous computing system, the heterogeneous computing system comprising a first processor and a second processor, the first processor comprising a secure memory space and a non-secure memory space, the secure memory space being used to store confidential data, the non-secure memory space being used to store non-confidential data, the confidential data being divided into encrypted confidential data and plaintext confidential data, characterized in that... include: The first processor decrypts the first encrypted confidential data to obtain the first plaintext confidential data, and the first encrypted confidential data comes from the second processor; The first processor encrypts the second plaintext confidential data to obtain the second encrypted confidential data, and the second plaintext data is obtained by calculating, training or reasoning from the first plaintext confidential data; When the data to be read in the data read request received by the first processor is encrypted confidential data, the second encrypted confidential data is sent to the second processor. If the data to be read in the data read request received by the first processor is plaintext confidential data, the data read request will be rejected. The data read request originates from the second processor.
2. The method according to claim 1, characterized in that, The capacity of the secure space is dynamically adjusted based on the amount of confidential data within the first processor.
3. The method according to claim 1 or 2, characterized in that, The first processor and the second processor are processors of different types; The first processor is an artificial intelligence AI accelerator, a graphics processing unit (GPU), a neural network processor (NPU), a data processing unit (DPU), or a switch chip, and the second processor is a central processing unit (CPU).
4. The method according to any one of claims 1 to 3, characterized in that, The first plaintext confidential data includes at least one of the following: model structure, model parameters, training data, or inference data.
5. A communication method applied to a heterogeneous computing system, the heterogeneous computing system comprising a first processor and a second processor, the first processor comprising a secure memory space and a non-secure memory space, the secure memory space being used to store confidential data, the non-secure memory space being used to store non-confidential data, the confidential data being divided into encrypted confidential data and plaintext confidential data, characterized in that... include: The second processor sends first encrypted confidential data to the first processor, the first encrypted confidential data being obtained by encrypting the first plaintext confidential data; The second processor sends a data read request to the first processor; The second processor receives second encrypted confidential data sent by the first processor. The second encrypted confidential data is obtained by encrypting second plaintext confidential data. The second plaintext data is obtained by calculating, training, or reasoning about the first plaintext confidential data.
6. The method according to claim 5, characterized in that, The capacity of the secure space is dynamically adjusted based on the amount of confidential data within the first processor.
7. The method according to claim 5 or 6, characterized in that, The first processor and the second processor are processors of different types; The first processor is an AI accelerator, GPU, NPU, DPU, or switch chip, and the second processor is a CPU.
8. The method according to any one of claims 5 to 7, characterized in that, The first plaintext confidential data includes at least one of the following: model structure, model parameters, training data, or inference data.
9. The method according to any one of claims 5 to 8, characterized in that, The second processor includes a secure memory space and a non-secure memory space. The secure memory space of the second processor is used to store confidential data, and the non-secure memory space of the second processor is used to store non-confidential data.
10. The method according to claim 9, characterized in that, The capacity of the secure space of the second processor is dynamically adjusted according to the amount of confidential data within the second processor.
11. A communication device applied to a heterogeneous computing system, the heterogeneous computing system comprising a first processor and a second processor, the first processor comprising a secure memory space and a non-secure memory space, the secure memory space being used to store confidential data, the non-secure memory space being used to store non-confidential data, the confidential data being divided into encrypted confidential data and plaintext confidential data, characterized in that... include: Transceiver unit and processing unit; The processing unit is used to decrypt the first encrypted confidential data to obtain the first plaintext confidential data, wherein the first encrypted confidential data comes from the second processor; The processing unit is further configured to encrypt the second plaintext confidential data to obtain second encrypted confidential data, wherein the second plaintext data is obtained by calculating, training or reasoning on the first plaintext confidential data; The transceiver unit is configured to send the second encrypted confidential data to the second processor when the data to be read in the received data read request is encrypted confidential data; The transceiver unit is further configured to refuse to respond to the data read request if the data to be read in the received data read request is plaintext confidential data; The data read request originates from the second processor.
12. The apparatus according to claim 11, characterized in that, The capacity of the secure space is dynamically adjusted based on the amount of confidential data within the first processor.
13. The apparatus according to claim 11 or 12, characterized in that, The first processor and the second processor are processors of different types; The first processor is an AI accelerator, GPU, NPU, DPU, or switch chip, and the second processor is a CPU.
14. The apparatus according to any one of claims 11 to 13, characterized in that, The first plaintext confidential data includes at least one of the following: model structure, model parameters, training data, or inference data.
15. A communication device applied to a heterogeneous computing system, the heterogeneous computing system comprising a first processor and a second processor, the first processor comprising a secure memory space and a non-secure memory space, the secure memory space being used to store confidential data, the non-secure memory space being used to store non-confidential data, the confidential data being divided into encrypted confidential data and plaintext confidential data, characterized in that... include: Transceiver unit and processing unit; The transceiver unit is used to send first encrypted confidential data to the first processor, wherein the first encrypted confidential data is obtained by encrypting the first plaintext confidential data. The transceiver unit is also used to send a data read request to the first processor; The transceiver unit is further configured to receive second encrypted confidential data sent by the first processor. The second encrypted confidential data is obtained by encrypting second plaintext confidential data. The second plaintext data is obtained by calculating, training, or inferring from the first plaintext confidential data.
16. The apparatus according to claim 15, characterized in that, The capacity of the secure space is dynamically adjusted based on the amount of confidential data within the first processor.
17. The apparatus according to claim 15 or 16, characterized in that, The first processor and the second processor are processors of different types; The first processor is an AI accelerator, GPU, NPU, DPU, or switch chip, and the second processor is a CPU.
18. The apparatus according to any one of claims 15 to 17, characterized in that, The first plaintext confidential data includes at least one of the following: model structure, model parameters, training data, or inference data.
19. The apparatus according to any one of claims 15 to 18, characterized in that, The second processor includes a secure memory space and a non-secure memory space. The secure memory space of the second processor is used to store confidential data, and the non-secure memory space of the second processor is used to store non-confidential data.
20. The apparatus according to claim 19, characterized in that, The capacity of the secure space of the second processor is dynamically adjusted according to the amount of confidential data within the second processor.
21. A heterogeneous computing system, characterized in that, Including the first processor and the second processor; The first processor is configured to execute the method according to any one of claims 1 to 4; The second processor is configured to execute the method described in any one of claims 5 to 10. or; The first processor is the communication device according to any one of claims 11 to 14; The second processor is the communication device according to any one of claims 15 to 20.
22. A communication system comprising at least one processor and a memory, characterized in that, The at least one processor executes a program or instructions stored in a memory to cause the communication system to implement the method of any one of claims 1 to 4 or 5 to 10.
23. A computer-readable storage medium for storing a computer program, characterized in that, When the computer program is run on a computer or processor, it causes the computer or processor to perform the method of any one of claims 1 to 4 or 5 to 10.
24. A computer program product, the computer program product comprising instructions, characterized in that, When the instructions are executed on a computer or processor, the computer or processor performs the method of any one of claims 1 to 4 or 5 to 10.