PROTECTING STORAGE FROM UNAUTHORIZED ACCESS

摘要

Protecting contents of storage in a computer system from unauthorized access. The computer system includes one or more processing units sharing the storage. Each of the processing units has at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key, data transferred between its processor cache and the storage, when data relates to the protected section used by the hypervisor; and each processing unit respectively encrypts or decrypts, with a virtual machine key, data transferred between its processor cache and the storage, when data relates to storage areas used by a virtual machine.

主权项

1. A method of protecting contents of storage in a computer system from unauthorized access, the computer system comprising a plurality of processing units sharing the storage, the plurality of processing units each having at least one processor cache, wherein a hypervisor is executed by the computer system, the method comprising:
assigning an area of the storage to a protected section; generating, by one processing unit of the plurality of processing units, a protected section key, the protected section key being a random protected section key, and distributing the protected section key to other processing units of the plurality of processing units before starting execution of the hypervisor; encrypting or decrypting, by each processing unit respectively, with the protected section key, data transferred between its processor cache and the storage, when the data relates to the protected section used by the hypervisor, by encrypting the data on or before leaving the processor cache and decrypting the data on or after receiving the data in the processor cache; before executing a virtual machine, generating, by the hypervisor, a virtual machine key, the virtual machine key being a random virtual machine key, storing the virtual machine key in the protected section and using a processor instruction to register the virtual machine key for use by the plurality of processing units; and encrypting or decrypting, by each processing unit respectively, with the corresponding virtual machine key, data transferred between its processor cache and the storage, when the data relates to storage areas used by a virtual machine, by encrypting the data on or before leaving the processor cache and decrypting the data on or after receiving the data in the processor cache.