Title of invention: PROTECTING CONTENTS OF STORAGE
Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system comprises one or more processing units sharing the storage, the processing units each having at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key in the chip cache, data transferred between its processor cache and the protected section, and each processing unit respectively encrypts or decrypts, with a segment key, data transferred between the chip cache and the storage, when data relates to a specific segment of the storage.
Publication number: US2016292087(A1) Publication date: 2016.10.06
Application number: US201514941549 Filing date: 2015.11.14
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION Inventors: Axnix Christine;Gaertner Ute;Lang Jakob C.;Nunez Mencias Angel
Classification: G06F12/14;G06F9/44;G06F12/08;H04L29/06 Main classification: G06F12/14
Independent claim: 1. A method of protecting contents of storage in a computer system from unauthorized access, the computer system comprising a plurality of processing units sharing the storage, each processing unit having at least one processor cache and at least one chip cache, wherein a hypervisor is executed by the computer system, the method comprising: assigning an area of the storage to a protected section; generating, by one processing unit of the plurality of processing units, a protected section key, the protected section key being a random protected section key, and distributing the protected section key to other processing units of the plurality of processing units, wherein the protected section key is stored in the at least one chip cache, before starting execution of the hypervisor; encrypting or decrypting, by each processing unit respectively, with the protected section key in the at least one chip cache, data transferred between a chip cache and the storage, when the data relates to the protected section used by the hypervisor, by encrypting the data on or before leaving the chip cache and decrypting the data on or after receiving the data in the chip cache; assigning remaining areas of the storage, which are not assigned to the protected section, to segments of equal size each; generating, for each segment, a corresponding random segment key and storing it in the protected section; and encrypting or decrypting, by each processing unit respectively, with the corresponding random segment key, data transferred between the chip cache and the storage, when data relates to a specific segment, by encrypting the data on or before leaving the chip cache and decrypting the data on or after receiving the data in the chip cache.
Address: Armonk NY US