Buffer memory protection unit

摘要

Embodiments described herein include systems and methods for managing security of a storage subsystem. Certain of these embodiments involve the use of a buffer protection module configured to intelligently police requests for access to the subsystem buffer memory.

主权项

1. A storage apparatus in communication with a host computing system and configured to enforce a security policy for data stored in a buffer of the storage apparatus, the storage apparatus comprising a housing that encloses a plurality of hardware elements, the plurality of hardware elements comprising:
a buffer located within the storage apparatus, the buffer comprising addressable memory and configured to store data associated with commands received from a host computing system; at least one non-volatile memory device located within the storage apparatus; an encryption module comprising a plurality of gates, the encryption module in communication with the buffer and located between the buffer and the at least one non-volatile memory device in a hardware datapath within the storage apparatus, the encryption module configured to apply an encryption scheme to data received from the buffer so that encrypted data is stored in the at least one non-volatile memory device; a plurality of buffer clients in communication with the buffer and configured to request access to unencrypted data stored in the buffer, the plurality of buffer clients comprising a plurality of hardware processors located within the storage apparatus; and a buffer protection module within the storage apparatus and in communication with the plurality of buffer clients and the buffer and configured to manage access to the unencrypted data stored in the buffer by the plurality of buffer clients, the buffer protection module distinct from the plurality of buffer clients, the buffer protection module further configured to:
assign security criteria to portions of the buffer, each portion corresponding to at least one storage location in the buffer and at least some of the portions being assigned different security criteria;in response to a request from a buffer client from the plurality of buffer clients to access the unencrypted data stored in a particular portion of the buffer, associate a security level with the request;determine whether the security level satisfies the security criteria assigned to the particular portion of the buffer;when the security level associated with the request satisfies the security criteria assigned to the particular portion of the buffer, permit the requested access to stored unencrypted data; andwhen the security level associated with the request does not satisfy the security criteria assigned to the particular portion of the buffer, deny the requested access to stored unencrypted data,wherein a portion of the buffer having a first assigned security criteria is directly accessible by a first buffer client of the plurality of buffer clients and indirectly accessible by a second buffer client of the plurality of buffer clients, wherein indirectly accessing comprises the second buffer client requesting the first buffer client to perform a buffer operation on the portion of the buffer having the first assigned security criteria.