
CN119473989A - Remote memory direct access communication method, device and program product based on DPU - Google Patents


Info

Publication number
CN119473989A
Application number
CN202411362353.6A
Authority
CN (China)
Prior art keywords
symmetric key
data
queue
direct access
queue pair
Legal status
Pending
Other languages
Chinese (zh)
Inventor
于震江
黄明亮
孙旭
鄢贵海
Current Assignee
Yusur Technology Co ltd
Original Assignee
Yusur Technology Co ltd
Application filed by Yusur Technology Co ltd
Priority to CN202411362353.6A
Publication of CN119473989A

Classifications

    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 15/00 Digital computers in general; Data processing equipment in general > G06F 15/16 Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs > G06F 15/163 Interprocessor communication > G06F 15/173 Interprocessor communication using an interconnection network, e.g. matrix, shuffle, pyramid, star, snowflake > G06F 15/17306 Intercommunication techniques > G06F 15/17331 Distributed shared memory [DSM], e.g. remote direct memory access [RDMA]
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data > G06F 21/602 Providing cryptographic facilities or services
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 9/00 Arrangements for program control, e.g. control units > G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F 9/46 Multiprogramming arrangements > G06F 9/54 Interprogram communication > G06F 9/546 Message passing systems or structures, e.g. queues
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 2209/00 Indexing scheme relating to G06F9/00 > G06F 2209/54 Indexing scheme relating to G06F9/54 > G06F 2209/548 Queue

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a remote memory direct access communication method, device and program product based on a DPU, relating to the technical field of data transmission. The method comprises: determining a target queue pair, the target queue pair comprising a sending queue for sending data; obtaining a symmetric key index by querying a queue pair attribute table; when the symmetric key index is valid, retrieving, through a memory direct access engine and based on the symmetric key index, a symmetric key entry from a symmetric key table, where the symmetric key indexes corresponding to different queue pairs are the same or different and the symmetric key entries corresponding to different symmetric key indexes are different; taking the symmetric key out of the symmetric key entry through the memory direct access engine and encrypting the data to be sent with the symmetric key to obtain encrypted data; and sending the encrypted data to a second terminal through a PCIe module and the sending queue. The present invention can solve the problem that statically configured keys are difficult to adapt to various user application scenarios.

Description

Remote memory direct access communication method, device and program product based on DPU
Technical Field
The present invention relates to the field of data transmission technologies, and in particular, to a remote memory direct access communication method, device, and program product based on a DPU.
Background
Remote direct memory access (RDMA) is a networking technology that allows a computer to read and write data directly in the memory of a remote system without intervention by the operating system. The technique improves the efficiency of data transmission and reduces latency, and is particularly suitable for high-performance computing and data-intensive applications. However, while RDMA provides efficient data transfer, it also introduces a potential security risk: because RDMA allows direct memory access, data may be intercepted or tampered with by an unauthorized third party when transferred over the network. To prevent data from being tampered with or damaged in transit, and to ensure that the received data is consistent with the transmitted data, encrypted transfer is therefore required for remote memory direct access communication.
The traditional encryption method for remote memory direct access communication comprises manually setting and managing keys in the system configuration stage, with the two communicating parties encrypting using a pre-shared static key.
However, a statically configured encryption key cannot be flexibly assigned as different keys for different queue pairs. This fixed key configuration mode not only creates challenges for key management, but also may fail to adapt to dynamically changing environments or security policies, thereby limiting the flexibility and scalability of the system and making it difficult to adapt to various user application scenarios.
Disclosure of Invention
In view of the foregoing, embodiments of the present invention provide a remote memory direct access communication method, apparatus and program product based on a DPU, which obviate or mitigate one or more disadvantages in the prior art.
The invention provides a remote memory direct access communication method based on a DPU, which is applied to a first terminal provided with a data processing unit, wherein a memory direct access engine and a PCIe module are also arranged in the first terminal, and the method comprises the following steps:
determining a target queue pair from the currently available queue pairs, wherein the target queue pair comprises a sending queue for sending data and a receiving queue for receiving data;
when sending data, obtaining a symmetric key index corresponding to the target queue pair by querying a pre-stored queue pair attribute table;
when the symmetric key index is valid, retrieving, through the memory direct access engine and based on the symmetric key index, the symmetric key entry corresponding to the symmetric key index from a pre-stored symmetric key table;
taking the symmetric key out of the symmetric key entry through the memory direct access engine, and encrypting the data to be transmitted using the symmetric key to obtain encrypted data;
and sending the encrypted data to the second terminal through the PCIe module and the sending queue.
In some embodiments of the present invention, the symmetric key entry further comprises a symmetric key index bit and a symmetric key bit, wherein the symmetric key index bit comprises a control bit and a symmetric key index, and the control bit is used for indicating whether the symmetric key entry is valid or not;
The queue pair attribute table comprises a queue pair attribute bit and a symmetric key attribute bit, wherein the symmetric key attribute bit comprises an encryption identifier and a symmetric key index, and the encryption identifier is used for indicating whether the queue pair attribute table is valid or not.
In some embodiments of the present invention, the symmetric key index further includes a symmetric key type, wherein the symmetric key type includes an advanced encryption standard AES type or a national encryption algorithm SM4 type.
In some embodiments of the present invention, the data to be sent is sent to the second terminal through the PCIe module and the target queue pair in the case where the queue pair key attribute table is not valid.
In some embodiments of the present invention, before encrypting the data to be transmitted using the symmetric key to obtain the encrypted data, the method further includes:
accessing the memory address space of the first terminal through the PCIe bus, and reading, by the memory direct access engine, the data to be transmitted from a memory block of the memory address space through the PCIe bus.
In some embodiments of the invention, in the case of receiving data, the method further comprises:
receiving data through the receiving queue, and packaging the received data to obtain a data packet to be decrypted;
acquiring the symmetric key index through the queue pair attribute table;
retrieving, by the memory direct access engine, the symmetric key entry corresponding to the symmetric key index from the symmetric key table based on the symmetric key index;
taking the symmetric key out of the symmetric key entry through the memory direct access engine, and decrypting the data packet to be decrypted using the symmetric key to obtain target data;
and writing the target data into the memory block through the memory direct access engine.
In some embodiments of the present invention, before the obtaining of the symmetric key index corresponding to the target queue pair by querying the pre-stored queue pair attribute table, the method further includes exchanging the pre-established symmetric key with the second terminal during the direct access link establishment process of the remote memory.
Another aspect of the present invention provides a remote memory direct access communication device based on a DPU, including a DPU or a network card, where the DPU or the network card is used to implement the foregoing remote memory direct access communication method based on the DPU.
Another aspect of the invention provides a computer readable storage medium having stored thereon a computer program/instruction which when executed by a processor implements the steps of the aforementioned DPU-based remote memory direct access communication method.
Another aspect of the invention provides a computer program product comprising computer programs/instructions which when executed by a processor implement the steps of the aforementioned DPU-based remote memory direct access communication method.
The remote memory direct access communication method, device and program product based on the DPU determine a target queue pair among the currently available queue pairs, the target queue pair comprising a sending queue for sending data and a receiving queue for receiving data. When data is to be sent, a symmetric key index corresponding to the target queue pair is obtained by querying a pre-stored queue pair attribute table; when the symmetric key index is valid, the memory direct access engine retrieves, based on the symmetric key index, the corresponding symmetric key entry from the pre-stored symmetric key table, where the symmetric key indexes of different queue pairs may be the same or different and the symmetric key entries of different symmetric key indexes are different. The memory direct access engine takes the symmetric key out of the symmetric key entry, encrypts the data to be sent with the symmetric key to obtain encrypted data, and sends the encrypted data to the second terminal through the PCIe module and the sending queue. This solves the problem that a statically configured key is difficult to adapt to various user application scenarios: for different queue pairs the symmetric key index can be set to the same value or to different values, the symmetric keys can be configured with different values, and each symmetric key can be mapped to a different queue pair.
The method can dynamically configure and manage keys as required, which solves the problem of insufficient flexibility of static key configuration, suits different application scenarios and security requirements, meets different user requirements, and improves adaptability to various application scenarios. At the same time, setting different symmetric key indexes allows them to correspond to different symmetric keys, which reduces the risk of a symmetric key being guessed or attacked, increases the randomness and security of the system, and enhances concealment and randomness.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and drawings.
It will be appreciated by those skilled in the art that the objects and advantages that can be achieved with the present invention are not limited to the above-described specific ones, and that the above and other objects that can be achieved with the present invention will be more clearly understood from the following detailed description.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate and together with the description serve to explain the application. In the drawings:
Fig. 1 is a schematic structural diagram of encrypted communication between a first terminal and a second terminal according to an embodiment of the present invention.
Fig. 2 is a flowchart of a remote memory direct access communication method based on a DPU according to an embodiment of the present invention.
FIG. 3 is a schematic diagram of a queue pair attribute table and a symmetric key table according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following embodiments and the accompanying drawings, in order to make the objects, technical solutions and advantages of the present invention more apparent. The exemplary embodiments of the present invention and the descriptions thereof are used herein to explain the present invention, but are not intended to limit the invention.
It should be noted here that, in order to avoid obscuring the present invention due to unnecessary details, only structures and/or processing steps closely related to the solution according to the present invention are shown in the drawings, while other details not greatly related to the present invention are omitted.
It should be emphasized that the term "comprises/comprising" when used herein is taken to specify the presence of stated features, elements, steps or components, but does not preclude the presence or addition of one or more other features, elements, steps or components.
It is also noted herein that the term "coupled" may refer to not only a direct connection, but also an indirect connection in which an intermediate is present, unless otherwise specified.
Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. In the drawings, the same reference numerals represent the same or similar components, or the same or similar steps.
The following explains some names related to the present invention:
The Advanced Encryption Standard (AES) is a symmetric encryption algorithm that uses the same key for encryption and decryption. Also known as Rijndael encryption, it supports three key lengths: 128 bits, 192 bits and 256 bits. AES has the advantages of a wide application range, short latency, relative ease of concealment, high throughput, and so on.
The SM4 cryptographic algorithm is a block cipher mainly used for data encryption; its block length and key length are both 128 bits. SM4 adopts a 32-round nonlinear iterative structure, and both its encryption algorithm and its key expansion algorithm use this structure. In the encryption process a fixed S-box is used for byte substitution and other operations. SM4 is simple in design, secure and efficient, is suitable for resource-constrained environments, and can realize efficient encryption and decryption operations in hardware and software.
A Queue Pair consists of a Send Queue and a Receive Queue, which respectively serve the sending and receiving ends in the communication process.
The following describes a communication encryption method based on remote memory direct access:
The invention provides a remote memory direct access communication method based on a DPU, which is applied to a first terminal provided with a data processing unit. The data processing unit (Data Processing Unit, DPU) is a hardware accelerator for accelerating data processing, and in the process of processing remote direct memory access (Remote Direct Memory Access, RDMA) communication, the data processing unit accelerates remote direct memory access operations through hardware to improve the speed and efficiency of data transmission, and simultaneously, the remote direct memory access operations are accelerated through parallel processing and optimization algorithms to reduce delay and increase throughput.
As shown in fig. 1, a memory direct access (Direct Memory Access, DMA) engine and a PCIe (Peripheral Component Interconnect Express) module are installed in the first terminal.
The memory direct access engine comprises an address register (Address Register), a count register (Count Register), a control register (Control Register), a status register (Status Register), a data buffer (Data Buffer), DMA control logic (DMA Controller), an interrupt controller (Interrupt Controller) and the like.
PCIe modules refer to expansion cards or integrated circuits (e.g., graphics cards, memory controllers, network interface cards, etc.) installed in a first terminal for communicating and data transfer with a motherboard or other device over a PCIe bus.
The first terminal refers to a terminal that performs encrypted communication with other devices through a memory direct access engine and a PCIe module, and may be a computer (including a desktop computer and a notebook computer), a mobile phone, a tablet computer, or the like, or may be a server, and the embodiment does not limit a device type of the first terminal.
Fig. 2 is a flow chart of a communication encryption method based on remote memory direct access according to an embodiment of the invention. As shown in fig. 2, the communication encryption based on remote memory direct access at least includes the following steps S201 to S205:
In step S201, a target queue pair is determined from the currently available queue pair.
In the case that the first terminal needs to perform data transmission with other devices, it is necessary to first determine a target Queue pair, where the target Queue pair includes a Send Queue (SQ) for sending data and a Receive Queue (RQ) for receiving data.
The transmit queue is a buffer or queue for storing data to be transmitted to other devices, and when the first terminal is to transmit data, the data to be transmitted is typically first placed in the transmit queue to wait for transmission. The receive queue is a buffer or queue for storing data packets (or segments) received from the network and is first placed in the receive queue for processing when the data arrives at the first terminal.
In some embodiments of the present invention, the target queue pair may be determined by network protocol and configuration: for example, among the currently available queues, the queues usable for transmitting or receiving data may be determined according to the network protocol (such as TCP or UDP) and the network configuration (such as router or switch settings). Alternatively, the target queue pair may be determined according to queue information input by a user: the first terminal may provide an API or configuration option to the user through the operating system and an application program, receive configuration information specified by the user or an administrator, and designate and manage the transmit queue or receive queue according to the target queue information indicated by that configuration information. Alternatively, the target queue pair may be determined according to the current network state and load, for example by selecting the most suitable transmit queue or receive queue according to the current network state (such as bandwidth utilization or network congestion) to ensure timely transmission and reception of data.
In step S202, when data is transmitted, a symmetric key index corresponding to the target queue pair is obtained by querying a pre-stored queue pair attribute table.
In some embodiments of the invention, a queue pair attribute table is used to define and configure queue pairs. The queue pair attribute table comprises at least one queue pair entry, and each queue pair entry is used to configure the attributes of a queue pair and its corresponding symmetric key index. In particular, referring to FIG. 3, the queue pair attribute table includes a queue pair attribute bit and a symmetric key attribute bit. The queue pair attribute bit is used to store configuration information related to the transmit queue and the receive queue, including but not limited to queue size, queue depth, queue location, or optimization parameters.
The queue size is the buffer size of each sending queue and each receiving queue, which determines the amount of data that can be buffered; the queue depth is the maximum depth of the sending queue and the receiving queue, i.e. the number of unprocessed data packets that the sending and receiving queues can hold simultaneously; the queue location is the position of the queue in memory or other relevant physical or virtual address information; and the optimization parameters cover optimization techniques such as Fast Path or zero copy.
The symmetric key attribute bit is used to store a symmetric key index that points to the actual symmetric key and uniquely identifies a particular symmetric key. The symmetric key index may be a number, a character, or a combination of numbers and characters; this embodiment does not limit how the symmetric key index is implemented.
In some embodiments of the present invention, when data needs to be sent, the memory direct access engine first looks up the queue pair attribute table, and takes out the corresponding symmetric key index.
In step S203, when the symmetric key index is valid, the symmetric key entry corresponding to the symmetric key index is retrieved from the pre-stored symmetric key table based on the symmetric key index by the memory direct access engine.
In remote memory direct access applications, separate service processes are created for different users, and different numbers of queue pairs are allocated in the service processes. The number of queue pairs is determined by the user, so a single queue pair or multiple queue pairs may need to be used. Each queue pair is regarded as an independent resource. The same application may use the same key, or multiple keys may exist, so flexible configuration is needed to meet the requirements of the user. However, in the conventional encryption method for remote memory direct access communication, the key is generally statically configured; this limitation makes it impossible to configure keys flexibly per queue pair, and it is difficult to adapt to various user application scenarios (such as website security, email, file transfer, etc.). Meanwhile, a statically configured key cannot support the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols, the IPSec (Internet Protocol Security) protocol, and the like.
In other words, the symmetric key index may be set to the same value or to different values for different queue pairs. Meanwhile, the symmetric key entries corresponding to different symmetric key indexes are different, that is, different symmetric key indexes map to different symmetric key entries.
Each queue pair can be independently configured with a symmetric key: several queue pairs can be configured to correspond to one symmetric key entry, or one queue pair can be configured to correspond to one symmetric key entry. Keys can therefore be dynamically configured and managed as needed, which solves the problem of insufficient flexibility of static key configuration, suits different application scenarios and security requirements, meets different user requirements, and improves adaptability to various application scenarios. Meanwhile, by setting different symmetric key indexes, different queue pairs can correspond to different symmetric keys, which reduces the risk of a symmetric key being guessed or attacked, increases the randomness and security of the system, and enhances concealment and randomness.
For example, when a plurality of queue pairs are used in the same communication process, every queue pair may use the same symmetric key entry, every queue pair may use a different symmetric key entry, or some of the queue pairs may use the same symmetric key entry while the rest use different symmetric key entries.
When the queue pair key attribute table queried by the memory direct access engine is valid, the data to be sent must be encrypted, and the corresponding symmetric key is taken out via the symmetric key index stored in the retrieved queue pair key attribute table.
Specifically, in some embodiments of the present invention, the symmetric key attribute bits include an encryption flag and a symmetric key index, where the encryption flag indicates whether the queue pair key attribute table is valid. For example, the symmetric key attribute bit is 15 bits: bit 0 is the encryption flag bit, where 1 indicates that the data to be transmitted needs to be encrypted and 0 indicates that it does not; bits 1 to 3 are reserved; and bits 4 to 15 are the symmetric key index.
When the queue pair key attribute table is invalid, the data to be sent is sent to the second terminal, which is also provided with a data processing unit, through the PCIe module and the target queue pair.
As shown in fig. 1, the second terminal also has a memory direct access (Direct Memory Access, DMA) engine and PCIe (Peripheral Component Interconnect Express) module installed therein.
The memory direct access engine comprises an address register (Address Register), a count register (Count Register), a control register (Control Register), a status register (Status Register), a data buffer (Data Buffer), DMA control logic (DMA Controller), an interrupt controller (Interrupt Controller) and the like.
PCIe modules refer to expansion cards or integrated circuits (e.g., graphics cards, memory controllers, network interface cards, etc.) installed in a second terminal for communicating and data transfer with a motherboard or other device over a PCIe bus.
The second terminal refers to a terminal that performs encrypted communication with other devices through the memory direct access engine and the PCIe module, and may be a computer (including a desktop computer and a notebook computer), a mobile phone, a tablet computer, or the like, or may be a server, and the embodiment does not limit a device type of the second terminal.
In practical applications the symmetric key is usually generated at random by the requester and disabled promptly once the communication ends, so it is valid only for a short time; a statically configured key cannot be made ephemeral in this way, which leads to low security and poor extensibility. To achieve this ephemerality, in some embodiments of the present invention the first terminal generates the symmetric key at random in advance, stores the corresponding symmetric key entry in the symmetric key table and the corresponding queue pair entry in the queue pair key attribute table, and the first terminal and the second terminal then exchange the symmetric key during remote memory direct access link establishment.
Specifically, before the symmetric key index corresponding to the target queue pair is obtained by querying the pre-stored queue pair attribute table, the method further comprises exchanging the pre-established symmetric key with the second terminal during the remote memory direct access link establishment process.
During remote memory direct access link establishment, the first terminal and the second terminal each define a key area in their private data areas to store the exchanged symmetric key.
The first terminal generates a symmetric key, encrypts it with the public key of the second terminal and sends the encrypted symmetric key to the second terminal; the second terminal decrypts it with its private key to obtain the symmetric key.
In an actual implementation the first terminal and the second terminal may, for example, complete the key exchange through a privacy definition contract agreed during their interaction. The present embodiment does not limit how that privacy definition contract is implemented between the first terminal and the second terminal.
In some embodiments of the present invention, after the first terminal generates the symmetric key, the corresponding symmetric key entry is stored in the symmetric key table. The symmetric key entry comprises a symmetric key index bit and a symmetric key bit; the symmetric key index bit comprises a control bit and the symmetric key index, and the control bit indicates whether the symmetric key entry is valid.
In addition, in some embodiments of the present invention the symmetric key index also carries a symmetric key type, which is either an Advanced Encryption Standard (AES) type or a national cryptographic algorithm SM4 type. For example, the symmetric key index is 15 bits: bit 0 is the control bit (the symmetric key entry is valid when the control bit is 1 and invalid when it is 0), bits 1 to 3 represent the type of symmetric key (for example 000 for SM4 128-bit, 001 for AES 128-bit, 010 for AES 192-bit, 011 for AES 256-bit, and so on), and bits 4 to 15 represent the symmetric key index.
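The key exchange at link establishment and the layout of the symmetric key entry's index word, as an added example in Go. This is not code from the patent or from Yusur Technology: it assumes RSA-OAEP for wrapping the key under the second terminal's public key (the description only says "public key" and "private key"), AES-128 as the exchanged key type, and a uint16 for the index word, since the bit positions 0 to 15 described above span 16 bits. All function and type names (KeyEntry, packIndexWord, firstTerminalWrap, secondTerminalUnwrap, installEntry, revokeEntry) are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Key type codes carried in bits 1-3 of the index word (codes quoted from the description).
const (
	KeySM4128 uint16 = 0b000
	KeyAES128 uint16 = 0b001
	KeyAES192 uint16 = 0b010
	KeyAES256 uint16 = 0b011
)

// KeyEntry is one row of the symmetric key table: the index word and the key bits.
type KeyEntry struct {
	IndexWord uint16
	Key       []byte
}

// packIndexWord builds the symmetric key index word: bit 0 is the control (valid) bit,
// bits 1-3 the key type, bits 4-15 the 12-bit key index. The description's bit positions
// 0 to 15 span 16 bits, so a uint16 is assumed here.
func packIndexWord(valid bool, keyType, index uint16) uint16 {
	w := (index&0x0FFF)<<4 | (keyType&0x7)<<1
	if valid {
		w |= 1
	}
	return w
}

// unpackIndexWord is the inverse of packIndexWord.
func unpackIndexWord(w uint16) (valid bool, keyType, index uint16) {
	return w&1 == 1, (w >> 1) & 0x7, w >> 4
}

// newTerminalKey makes the RSA key pair a terminal holds for the exchange (2048-bit RSA
// with OAEP is an assumption of this example, not something the description specifies).
func newTerminalKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// firstTerminalWrap runs on the requester: generate a fresh random AES-128 key and wrap
// it under the second terminal's public key. Only the wrapped bytes cross the link.
func firstTerminalWrap(peerPub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 16)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, peerPub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	return key, wrapped, nil
}

// secondTerminalUnwrap runs on the peer: recover the symmetric key with its private key.
func secondTerminalUnwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// installEntry is what each side stores in its symmetric key table once the exchange
// succeeds: the key at the agreed index, with the control bit set.
func installEntry(key []byte, index uint16) KeyEntry {
	return KeyEntry{IndexWord: packIndexWord(true, KeyAES128, index), Key: key}
}

// revokeEntry clears the control bit so the short-lived key is disabled once the
// communication ends; a lookup must then treat the entry as invalid.
func revokeEntry(e KeyEntry) KeyEntry {
	e.IndexWord &^= 1
	return e
}
```

Installing the same entry on both sides is what lets the later table lookup by index succeed on either end; revoking by clearing the control bit rather than deleting the row is the cheap way to give the key the short-term validity the description asks for, because the index can stay allocated while the key is unusable.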
In step S204, the symmetric key is taken out of the symmetric key entry through the memory direct access engine, and the data to be sent is encrypted with the symmetric key to obtain encrypted data.
The data to be sent is stored in advance in the memory address space of the first terminal. As shown in fig. 1, before sending, the first terminal accesses the host memory address space through the PCIe bus, and the memory direct access engine reads the data in the first terminal's memory block over the PCIe bus as the data to be sent.
Specifically, before the data to be sent is encrypted with the symmetric key to obtain encrypted data, the method accesses the memory address space of the first terminal through the PCIe bus, and the memory direct access engine reads the data to be sent from a memory block of that memory address space over the PCIe bus.
In step S205, the encrypted data is sent to the second terminal through the PCIe module and the send queue.
In some embodiments of the present invention, as shown in fig. 1, after the second terminal receives encrypted data through its receiving queue, it first packages the received encrypted data into a data packet to be decrypted and then processes that packet: it obtains the symmetric key index from the queue pair attribute table corresponding to the receiving queue, obtains the symmetric key from that index through the memory direct access engine, decrypts the data packet with the symmetric key, and writes the decrypted target data into the memory block of the second terminal through the memory direct access engine.
In addition, when receiving data, the first terminal receives the data through the receiving queue of the target queue pair, obtains the symmetric key according to the symmetric key index, decrypts the received data to obtain decrypted data, and the memory direct access engine stores the decrypted data into a memory block of the memory address space through the PCIe bus.
Specifically, the receiving side comprises: receiving data through the receiving queue and packaging the received data into a data packet to be decrypted; obtaining the symmetric key index through the queue pair attribute table; retrieving, through the memory direct access engine and based on the symmetric key index, the symmetric key entry corresponding to that index from the symmetric key table; taking the symmetric key out of the symmetric key entry through the memory direct access engine and decrypting the data packet with it to obtain the target data; and writing the target data into the memory block through the memory direct access engine.
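The send path of steps S204 and S205 and the receive path just described, as an added example in Go that is not code from the patent or from Yusur Technology. It models the two tables the memory direct access engine consults: the queue pair attribute table (encryption identifier plus symmetric key index) and the symmetric key table (index word plus key). AES-GCM is assumed as the cipher because the description names only key types, not a mode; Engine, QPAttr, KeyEntry, Send, Recv and newDemoEngine are names chosen for this example; the key, queue pair numbers and payload are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyEntry is one row of the symmetric key table; QPAttr one row of the queue pair
// attribute table (encryption identifier plus symmetric key index); Engine is a
// simplified model (an assumption of this example) of the DPU-side state that the
// memory direct access engine consults, shared by the send and receive paths.
type (
	KeyEntry struct {
		IndexWord uint16 // bit 0 control bit, bits 1-3 key type, bits 4-15 key index
		Key       []byte
	}
	QPAttr struct {
		Encrypt  bool
		KeyIndex uint16
	}
	Engine struct {
		keyTable map[uint16]KeyEntry
		qpTable  map[uint32]QPAttr
	}
)

const keyAES128 uint16 = 0b001 // key type code quoted from the description

// aeadFor resolves a queue pair to its cipher: the attribute table yields the encryption
// identifier and key index, the key table yields the entry, and an entry whose control
// bit is clear or whose index or type does not match is refused. A nil AEAD with a nil
// error means the attribute entry is invalid and data passes in plaintext (claim 4).
func (g *Engine) aeadFor(qp uint32) (cipher.AEAD, error) {
	attr, ok := g.qpTable[qp]
	if !ok {
		return nil, errors.New("unknown queue pair")
	}
	if !attr.Encrypt {
		return nil, nil
	}
	entry, ok := g.keyTable[attr.KeyIndex]
	if !ok {
		return nil, errors.New("no symmetric key entry for index")
	}
	w := entry.IndexWord
	if w&1 == 0 || (w>>1)&0x7 != keyAES128 || w>>4 != attr.KeyIndex {
		return nil, errors.New("symmetric key entry invalid or key type not implemented here")
	}
	block, err := aes.NewCipher(entry.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // GCM is assumed; the description names no cipher mode
}

// Send is the sending-side path (steps S204-S205); the random nonce is prepended to
// the encrypted packet so the receiver can open it.
func (g *Engine) Send(qp uint32, data []byte) ([]byte, error) {
	aead, err := g.aeadFor(qp)
	if err != nil {
		return nil, err
	}
	if aead == nil {
		return data, nil
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, data, nil), nil
}

// Recv is the receiving-side path on the same queue pair; GCM's tag check makes a
// tampered packet fail to open rather than writing garbage into the memory block.
func (g *Engine) Recv(qp uint32, packet []byte) ([]byte, error) {
	aead, err := g.aeadFor(qp)
	if err != nil {
		return nil, err
	}
	if aead == nil {
		return packet, nil
	}
	n := aead.NonceSize()
	if len(packet) < n {
		return nil, errors.New("packet shorter than nonce")
	}
	return aead.Open(nil, packet[:n], packet[n:], nil)
}

// newDemoEngine fills both tables with constructed sample data: one key at index 7,
// shared by queue pairs 1 and 2, and queue pair 3 with an invalid attribute entry.
func newDemoEngine() *Engine {
	key := []byte("0123456789abcdef") // constructed 16-byte sample key, not from the page
	return &Engine{
		keyTable: map[uint16]KeyEntry{7: {IndexWord: 7<<4 | keyAES128<<1 | 1, Key: key}},
		qpTable:  map[uint32]QPAttr{1: {true, 7}, 2: {true, 7}, 3: {}},
	}
}
```

With the tables from newDemoEngine, a packet produced by Send on queue pair 1 opens on queue pair 2 as well, because both attribute entries carry index 7 (the "same index for different queue pairs" case), queue pair 3 passes data through unchanged (the invalid attribute entry case of claim 4), and clearing the control bit of entry 7 makes both Send and Recv fail rather than silently fall back to plaintext. In a real DPU the nonce would come from a counter per queue pair rather than a random draw per packet, so that nonce reuse under one key is ruled out by construction.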
In summary, the DPU-based remote memory direct access communication method provided by the invention determines a target queue pair among the currently available queue pairs, the target queue pair comprising a sending queue for sending data and a receiving queue for receiving data. When sending data, it obtains the symmetric key index corresponding to the target queue pair by querying a pre-stored queue pair attribute table; when that index is valid, the memory direct access engine retrieves the symmetric key entry corresponding to the index from the pre-stored symmetric key table, where the symmetric key indexes of different queue pairs may be the same or different and different symmetric key indexes correspond to different symmetric key entries; the memory direct access engine takes the symmetric key out of the entry and encrypts the data to be sent with it to obtain encrypted data; and the encrypted data is sent to the second terminal through the PCIe module and the sending queue. This solves the problem that a statically configured key is difficult to adapt to the various user application scenarios: different queue pairs may be given the same symmetric key index or different ones, so one symmetric key can be shared by several queue pairs, and different queue pairs can likewise be mapped to different symmetric keys through different indexes.
The method can configure and manage keys dynamically as required, which resolves the inflexibility of static key configuration, suits different application scenarios and security requirements, meets different user needs and improves adaptability to a variety of application scenarios. At the same time, setting different symmetric key indexes maps queue pairs to different symmetric keys, which reduces the risk of a symmetric key being guessed or attacked, increases the randomness and security of the system, and enhances concealment and randomness.
Correspondingly, the invention also provides a DPU-based remote direct memory access communication device comprising a DPU or a network card, where the DPU or the network card is used to implement the DPU-based remote memory direct access communication method described above.
The embodiment of the invention also provides a computer readable storage medium on which a computer program is stored; when executed by a processor, the program implements the steps of the DPU-based remote memory direct access communication method. The computer readable storage medium may be a tangible storage medium such as random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, floppy disks, a hard disk, a removable memory disk, a CD-ROM, or any other form of storage medium known in the art.
The embodiments of the present invention also provide a computer program product comprising computer programs/instructions which, when executed by a processor, implement the steps of the aforementioned DPU-based remote memory direct access communication method.
Those of ordinary skill in the art will appreciate that the various illustrative components, systems, and methods described in connection with the embodiments disclosed herein can be implemented as hardware, software, or a combination of both. Whether a particular implementation uses hardware or software depends on the specific application of the solution and its design constraints. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, a plug-in, a function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine readable medium or transmitted over transmission media or communication links by a data signal carried in a carrier wave.
It should be understood that the invention is not limited to the particular arrangements and instrumentality described above and shown in the drawings. For the sake of brevity, a detailed description of known methods is omitted here. In the above embodiments, several specific steps are described and shown as examples. The method processes of the present invention are not limited to the specific steps described and shown, but various changes, modifications and additions, or the order between steps may be made by those skilled in the art after appreciating the spirit of the present invention.
In this disclosure, features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, but various modifications and variations can be made to the embodiment of the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A remote memory direct access communication method based on DPU, characterized in that it is applied to a first terminal provided with a data processing unit, wherein the first terminal is also equipped with a memory direct access engine and a PCIe module; the method comprises the following steps: determining a target queue pair from among the currently available queue pairs, the target queue pair comprising a sending queue for sending data and a receiving queue for receiving data; in the case of sending data, obtaining the symmetric key index corresponding to the target queue pair by querying a pre-stored queue pair attribute table; when the symmetric key index is valid, retrieving, through the memory direct access engine and based on the symmetric key index, the symmetric key entry corresponding to the symmetric key index from a pre-stored symmetric key table, wherein the symmetric key indexes corresponding to different queue pairs are the same or different and the symmetric key entries corresponding to different symmetric key indexes are different; retrieving the symmetric key from the symmetric key entry through the memory direct access engine and encrypting the data to be sent with the symmetric key to obtain encrypted data; and sending the encrypted data to a second terminal through the PCIe module and the sending queue.
2. The method according to claim 1, characterized in that the symmetric key entry further comprises a symmetric key index bit and a symmetric key bit; the symmetric key index bit comprises a control bit and the symmetric key index, wherein the control bit is used to indicate whether the symmetric key entry is valid; the queue pair attribute table comprises queue pair attribute bits and symmetric key attribute bits; the symmetric key attribute bits comprise an encryption identifier and the symmetric key index; and the encryption identifier is used to indicate whether the queue pair attribute table is valid.
3. The method according to claim 2, characterized in that the symmetric key index further comprises a symmetric key type; the symmetric key type comprises an Advanced Encryption Standard AES type or a national cryptographic algorithm SM4 type.
4. The method according to claim 2, characterized in that, when the queue pair key attribute table is invalid, the data to be sent is sent to the second terminal through the PCIe module and the target queue pair.
5. The method according to claim 1, characterized in that, before encrypting the data to be sent using the symmetric key to obtain the encrypted data, the method further comprises: accessing the memory address space of the first terminal through a PCIe bus, the memory direct access engine reading the data to be sent from a memory block of the memory address space through the PCIe bus.
6. The method according to claim 5, characterized in that, in the case of receiving data, the method further comprises: receiving data through the receiving queue and packaging the received data to obtain a data packet to be decrypted; obtaining the symmetric key index through the queue pair attribute table; retrieving, through the memory direct access engine and based on the symmetric key index, the symmetric key entry corresponding to the symmetric key index from the symmetric key table; retrieving the symmetric key from the symmetric key entry through the memory direct access engine and decrypting the data packet to be decrypted with the symmetric key to obtain target data; and writing the target data into the memory block through the memory direct access engine.
7. The method according to claim 1, characterized in that, before obtaining the symmetric key index corresponding to the target queue pair by querying the pre-stored queue pair attribute table, the method further comprises: exchanging a pre-established symmetric key with the second terminal during the remote memory direct access link establishment process.
8. A DPU-based remote memory direct access communication device, comprising a DPU or a network card, characterized in that the DPU or the network card is used to implement the steps of the method according to any one of claims 1 to 7.
9. A computer-readable storage medium having a computer program/instruction stored thereon, characterized in that the computer program/instruction, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
10. A computer program product comprising a computer program/instruction, characterized in that the computer program/instruction, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
CN202411362353.6A 2024-09-27 2024-09-27 Remote memory direct access communication method, device and program product based on DPU Pending CN119473989A (en)

Publications (1)

Publication Number Publication Date
CN119473989A true CN119473989A (en) 2025-02-18

Family

ID=94566864

Country Status (1)

Country Link
CN (1) CN119473989A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination