WO2013035235A1 - Computer system, computer system control method, computer system control program, and integrated circuit - Google Patents
Computer system, computer system control method, computer system control program, and integrated circuit
- Publication number
- WO2013035235A1 (PCT/JP2012/004625)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- access
- unit
- processor
- computer system
- execution
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
- G06F9/30003—Arrangements for executing specific machine instructions
- G06F9/3004—Arrangements for executing specific machine instructions to perform operations on memory
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/48—Program initiating; Program switching, e.g. by interrupt
- G06F9/4806—Task transfer initiation or dispatching
- G06F9/4843—Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
- G06F9/4881—Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1416—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
- G06F12/1425—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
- G06F12/1441—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block for a range
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2209/00—Indexing scheme relating to G06F9/00
- G06F2209/48—Indexing scheme relating to G06F9/48
- G06F2209/483—Multiproc
Definitions
- the present invention relates to a computer system including a plurality of processors.
- It is desired that the information to be concealed be protected from being accessed (read or written) by programs other than a specific program that can be trusted (hereinafter referred to as a “secure program”); such other programs are hereinafter referred to as “non-secure programs”.
- a predetermined access permission setting is made for access to a specific storage area (hereinafter referred to as “secure area”) that stores information to be kept secret among the storage areas of the memory.
- secure area: a specific storage area
- an access control device is provided that permits access only when the secure program is executed, and access permission is set in the access control device only during a period during which the secure program is executed.
- An object is to provide a computer system.
- A computer system according to the present invention comprises a memory having a secure storage area, and first and second processors that use the memory. As functional components realized by at least one of the first and second processors executing a program stored in the memory, the system includes a plurality of program execution units to be executed by the first and second processors, an execution control unit that performs execution control of the program execution units, and a start notification receiving unit that receives an access start notification indicating that access to the secure storage area has been started by an access-permitted type program execution unit (a program execution unit permitted to access the secure storage area) executed by the first processor. When the start notification receiving unit receives the access start notification, the execution control unit performs the execution control so that the program execution units executed by the second processor are limited to access-permitted type program execution units.
- During the period in which an access-permitted type program execution unit, which is permitted to access the secure storage area, accesses the secure storage area, the execution control unit performs execution control of a plurality of program execution units. Therefore, even if one program execution unit has no program to execute on a given processor during this period, that processor can execute a program of another program execution unit.
- In this computer system, a program execution unit including a non-secure program is not an execution target during the period in which a program execution unit including a secure program accesses the secure storage area. Even so, the likelihood that processor utilization efficiency is improved is higher than in a conventional computer system in which each processor is scheduled by the gang scheduling method.
- Brief description of the drawings:
  - Block diagram showing the main hardware configuration of the computer system 100
  - Data configuration diagram of the control register group 131
  - Schematic diagram of the module group 300
  - Data structure diagram of the secure area management table 400
  - Data structure diagram of the OSID management table 500
  - Flowchart of the access start process
  - Flowchart of the rescheduling process
  - Flowchart of the secure area setting process
  - Flowchart of the access end process
  - Flowchart of the access control process
  - Timing chart of each CPU
  - Schematic diagram of the module group 1200
  - Data configuration diagram of the modified OSID management table 1300
  - Flowchart of the first modified access start process
  - Flowchart of the first modified rescheduling process
  - Flowchart of the first modified secure area setting process
  - Flowchart of the first modified access end process
- the parallel computer system includes the above-described access control device and the access control device performs access permission setting during a period when the secure program is executed in one processor. If a non-secure program is executed in another processor during that period, there is a possibility that information to be kept secret may be accessed by the non-secure program.
- each processor is synchronized with each other in a predetermined manner so that all processors can execute the same type of program execution unit in terms of secure and non-secure at any time.
- FIG. 30 is an example of a timing chart of each processor when scheduling of each processor is performed by the gang scheduling method in a conventional parallel computer system including three processors of CPUA 3001, CPUB 3002, and CPUC 3003.
- CPUA 3001, CPUB 3002, and CPUC 3003 synchronize with each other and switch the program execution unit to be executed at each of time qa 3041, time qb 3042, time qc 3043, and time qd 3044.
- Each processor has a first program execution unit consisting of secure programs as its execution target during the period of the (N-1)th quantum 3011, a second program execution unit including non-secure programs during the period of the Nth quantum 3012, and the first program execution unit again during the period of the (N+1)th quantum 3013.
- Secure area access period 3031 and secure area access period 3032 indicate periods during which the secure program is accessing the secure storage area, and the broken-line portions indicate that the corresponding processor is in an idle state.
- When the scheduling of each processor is performed by the gang scheduling method, the non-secure program can be prevented from being executed during the periods in which the secure program accesses the secure storage area (secure area access period 3031 and secure area access period 3032 in the figure).
- It is desirable that the utilization efficiency of the processors in a computer system be improved.
- The inventor has found that a configuration based on the above-described prior art has the following problem regarding processor utilization efficiency. Specifically, in a computer system in which each processor is scheduled by the gang scheduling method, even if a processor has no program to execute in the program execution unit that is the execution target in one quantum period, that processor cannot execute a program of a program execution unit that is the execution target in another quantum period. As a result, during a quantum period in which one program execution unit is executed, some processors may be idle for at least part of the period.
- a plurality of operating systems are executed independently of each other by executing a hypervisor that controls execution of a plurality of operating systems.
- the operating system to be executed includes an operating system (hereinafter referred to as “secure operating system”) that controls execution only for the secure program.
- secure operating system: an operating system that controls execution only for the secure program.
- The hypervisor controls execution of the operating systems so that the operating system to be executed is limited to the secure operating system only during the period in which the secure program accesses the secure area, and controls the access control device so that access to the secure area by the processors is permitted only during that period.
- FIG. 1 is a block diagram showing a main hardware configuration of the computer system 100.
- the computer system 100 is a computer device as hardware, and includes an integrated circuit 110, an input device 191, an output device 192, and a hard disk device 193.
- the integrated circuit 110 includes an MPU (Multi Processor Unit) 120, an access control device 130, a memory 140, a bus 150, a first interface 160, a second interface 170, and a third interface 180.
- The MPU 120 includes a CPU (Central Processing Unit) A 121, a CPUB 122, a CPUC 123, a CPUD 124, and an interrupt controller 125.
- CPU: Central Processing Unit
- the memory 140 includes a ROM (Read Only Memory) and a RAM (Random Access Memory).
- the memory 140 is connected to the access control device 130 and includes a program for defining the operation of the CPUA 121 to CPUD 124 and data used by the CPUA 121 to CPUD 124.
- a part of the storage area of the memory 140 is defined as a secure area 141 for storing data to be kept secret.
- Examples of data to be kept secret include an encryption key for decrypting content and an address book containing personal information.
- the access control device 130 is connected to the memory 140, the bus 150, and the interrupt controller 125, has a control register group 131, and has the following three functions.
- Access prohibition function: a function that prohibits access to the secure area 141 by the CPUA 121 to CPUD 124 when a predetermined value is not set in the control register group 131.
- prohibiting access means not performing access.
- Access restriction function: a function that, when a predetermined value is set in the control register group 131, permits the CPUA 121 to CPUD 124 to access the storage area within the secure area 141 defined by the set value, and prohibits the CPUA 121 to CPUD 124 from accessing any storage area within the secure area other than the one defined by the set value.
- permitting access means performing access.
- FIG. 2 is a data configuration diagram showing an example of the data configuration of the control register group 131.
- control register group 131 includes N registers (for example, 16 registers) each including a register number 210, a start address 220, an end address 230, and an access right 240.
- the register number 210 is an area for storing an identification number for identifying the corresponding register.
- the register number 210 has a predetermined value for each corresponding register and cannot be rewritten.
- the start address 220 and the end address 230 are areas for storing a start address and an end address, respectively, for one continuous storage area included in the secure area.
- the access right 240 is an area for storing access form information indicating an access permission form to a continuous storage area specified by the corresponding start address 220 and end address 230.
- The access form information indicates that both reading and writing are permitted when the logical value is “1”, only reading is permitted when the logical value is “2”, only writing is permitted when the logical value is “3”, and neither reading nor writing is permitted when the logical value is “0”.
- The start address 220, the end address 230, and the access right 240 have the initial logical value “0” written in the initial state, and their values can be rewritten by the CPUA 121 to CPUD 124 via the bus 150.
- Exception interrupt notification function: a function that, when the access control device 130 prohibits access to the memory 140 by any of the CPUA 121 to CPUD 124, sends to the interrupt controller 125 a memory access exception interrupt request signal indicating that the access to the memory 140 was prohibited.
- the memory access exception interrupt request signal includes information for identifying the CPU that has attempted the prohibited memory access.
- The interrupt controller 125 is connected to the access control device 130, the CPUA 121, the CPUB 122, the CPUC 123, and the CPUD 124; it receives interrupt request signals from these connected devices and has a function of causing the appropriate CPU to be interrupted at an appropriate timing according to the received interrupt request signal.
- the bus 150 is connected to the access control device 130, the CPUA 121, the CPUB 122, the CPUC 123, the CPUD 124, the first interface 160, the second interface 170, and the third interface 180, and has a function of transmitting a signal between the connected devices.
- the input device 191 includes a keyboard, a mouse, and the like, is connected to the first interface 160, is controlled by the CPUA 121 to CPUD 124 that executes a program, and has a function of receiving an operation command from a user through the keyboard, a mouse, and the like.
- the output device 192 includes a display, a speaker, and the like, is connected to the second interface 170, is controlled by the CPUA 121 to CPUD 124 that executes a program, and outputs a character string, an image, a sound, and the like using the display, the speaker, etc.
- The first interface 160, the second interface 170, and the third interface 180 are each connected to the bus 150 and have the functions of mediating the exchange of signals between the bus 150 and the input device 191, between the bus 150 and the output device 192, and between the bus 150 and the hard disk device 193, respectively.
- The CPUA 121, CPUB 122, CPUC 123, and CPUD 124 are processors having the same functions. Therefore, the CPUA 121 is described below as representative of these CPUs.
- The CPUA 121 is connected to the interrupt controller 125 and the bus 150. By executing programs stored in the memory 140, it cooperates with the other CPUs to control the access control device 130, the memory 140, the input device 191, the output device 192, and the hard disk device 193, and thereby has a function of causing the computer system 100 to function as a computer device.
- By executing programs stored in the memory 140, the CPUA 121 controls the computer system 100 and has a function of causing the computer system 100 to realize an access start process, a rescheduling process, a secure area setting process, an access end process, and an access control process.
- the access start process, rescheduling process, secure area setting process, access end process, and access control process will be described in detail later with reference to flowcharts.
- the CPUA 121 has a user mode, a first privilege mode, and a second privilege mode higher than the first privilege mode as its operation modes.
- FIG. 3 is a schematic diagram schematically showing a group 300 of program modules (hereinafter simply referred to as “modules”) to be executed on the CPUA 121 to CPUD 124.
- modules: program modules
- The module group 300 to be executed on the CPUA 121 to CPUD 124 includes the processes A 311 to P 312 and the processes Q 313 to Z 314, which are executed in the user mode 310; the OSa 340 and the OSb 350, which are executed in the first privileged mode 320; and the hypervisor 360, which is executed in the second privileged mode 330.
- OS: Operating System
- The hypervisor 360 is a hypervisor module having a function of controlling the execution of the OSa 340 and the OSb 350, and includes an access flag update unit 361, an OSID management table storage unit 362, a secure area management table storage unit 363, an access control operation unit 364, a scheduler 365, an execution control unit 366, and an inter-CPU communication control unit 367.
- The OSa 340 is an operating system module having a function of controlling the execution of the processes A 311 to P 312, and includes a secure area start instruction unit 341 and a secure area end instruction unit 342. Note that the OSa 340 causes a system consisting of itself and the processes under its execution control to function as a single virtual machine.
- The OSb 350 is an operating system module having a function of controlling the execution of the processes Q 313 to Z 314, and includes a secure area start instruction unit 351 and a secure area end instruction unit 352. Note that the OSb 350 likewise causes a system consisting of itself and the processes under its execution control to function as a single virtual machine.
- The processes A 311 to P 312 are tasks generated when any of the CPUA 121 to CPUD 124 executes a specific application program that can be trusted (hereinafter referred to as a “secure application program”). It has been confirmed in advance that these processes A 311 to P 312 do not use the data stored in the secure area 141 inappropriately.
- Examples of secure application programs include a content decryption program that decrypts content using an encryption key and a mailer that uses an address book.
- process A 311 to the process P 312 may be referred to as a secure process.
- The processes Q 313 to Z 314 are tasks generated when any of the CPUA 121 to CPUD 124 executes an application program other than a specific application program that can be trusted (hereinafter referred to as a “non-secure application program”). It has not been confirmed in advance that these processes Q 313 to Z 314 do not use the data stored in the secure area 141 inappropriately.
- processes Q313 to Z314 may be referred to as non-secure processes.
- The secure area start instruction unit 341 has a function of detecting that access to the secure area 141 has been started by a process whose execution is controlled by the OS that includes this unit (here, the OSa 340), and of sending an access start signal indicating the start of access to the secure area 141 to the access flag update unit 361.
- the access start signal includes an OSID that is an identifier for identifying the OS that transmits the own signal.
- The secure area end instruction unit 342 has a function of detecting that access to the secure area 141 has been terminated by a process whose execution is controlled by the OS that includes this unit (here, the OSa 340), and of sending an access end signal indicating the end of access to the secure area 141 to the access flag update unit 361.
- the access end signal includes an OSID that is an identifier for identifying the OS that transmits the own signal.
- the secure area start instruction unit 351 and the secure area end instruction unit 352 have functions equivalent to the secure area start instruction unit 341 and the secure area end instruction unit 342, respectively. Therefore, the description is omitted here.
- the secure area management table storage unit 363 has a function of storing the secure area management table 400.
- FIG. 4 is a data configuration diagram showing an example of the data configuration of the secure area management table 400.
- the secure area management table 400 includes an OSID 410, a start address 420, an end address 430, and an access right 440 associated with each other.
- The OSID 410 is an identifier for identifying an OS: a logical value of “1” indicates that the identified OS is the OSa 340, and a logical value of “2” indicates that the identified OS is the OSb 350.
- the start address 420 and the end address 430 are a start address and an end address for one continuous storage area included in the secure area, respectively.
- the access right 440 is access form information indicating an access permission form from the OS identified by the corresponding OSID 410 for the continuous storage areas specified by the corresponding start address 420 and end address 430.
- This access form information is the same as the access form information in the access right 240. Therefore, the description is omitted.
- the secure area management table 400 is a predetermined table at the time of system development, and its contents cannot be updated.
- the OSID management table storage unit 362 has a function of storing the OSID management table 500.
- FIG. 5 is a data configuration diagram showing an example of the data configuration of the OSID management table 500.
- the OSID management table 500 includes an OSID 510, a priority 520, and an access flag 530 associated with each other.
- The OSID 510 is an identifier for identifying an OS, like the OSID 410: a logical value of “1” indicates that the identified OS is the OSa 340, and a logical value of “2” indicates that the identified OS is the OSb 350.
- the priority 520 is the execution priority of the OS identified by the corresponding OS ID 510 when the hypervisor 360 performs the execution control of the OS.
- the priority 520 takes any integer value from 0 to 99, and the larger the value, the higher the priority. Note that OS execution control by the hypervisor 360 using the priority 520 will be described later in the description of the scheduler 365.
- the access flag 530 is a flag indicating whether or not the secure area 141 is being accessed by the OS identified by the corresponding OSID 510.
- The access flag 530 indicates that the secure area 141 is being accessed when its logical value is “1”, and that the secure area 141 is not being accessed when its logical value is “0”.
- the access flag update unit 361 has the following three functions.
- Access flag 1 update function: when an access start signal is received from the secure area start instruction unit 341 or the secure area start instruction unit 351, and the OS that transmitted the access start signal is among the OSs identified by the OSID 410 of the secure area management table 400 stored in the secure area management table storage unit 363, a function of updating to the logical value “1” the access flag 530 that is associated, in the OSID management table 500 stored in the OSID management table storage unit 362, with the OSID 510 identifying the transmission-source OS.
- Access flag 0 update function: when an access end signal is received from the secure area end instruction unit 342 or the secure area end instruction unit 352, and the OS that transmitted the access end signal is among the OSs identified by the OSID 410 of the secure area management table 400 stored in the secure area management table storage unit 363, a function of updating to the logical value “0” the access flag 530 that is associated, in the OSID management table 500 stored in the OSID management table storage unit 362, with the OSID 510 identifying the transmission-source OS.
- Rescheduling request function: a function that requests the scheduler 365 to perform new scheduling based on the updated OSID management table 500 whenever an access flag 530 of the OSID management table 500 stored in the OSID management table storage unit 362 is updated.
- the scheduler 365 has the following two functions.
- Normal scheduling function: when the logical values of all the access flags 530 of the OSID management table 500 stored in the OSID management table storage unit 362 are “0”, a function for scheduling the execution of each OS on each CPU so that, for each CPU, the ratio of the execution times of the OSs to be executed equals the ratio of the priorities 520 corresponding to those OSs.
- When any access flag 530 of the OSID management table 500 has the logical value “1”: a function for scheduling the execution of each OS on each CPU so that the OSs to be executed by all the CPUs are limited to the OS identified by the OSID 510 corresponding to that access flag 530.
- the execution control unit 366 has a function of performing OS execution control for each CPU based on the execution schedule scheduled by the scheduler 365.
- the execution control unit 366 temporarily interrupts execution control for all the OSs while the scheduler 365 performs scheduling.
- the inter-CPU communication control unit 367 has a function of generating an appropriate interrupt request signal and sending it to the interrupt controller 125 when an interrupt notification from one CPU to another CPU is required, and an interrupt controller When an interrupt is made from 125, it has a function of accepting the interrupt.
- the access control operation unit 364 has the following two functions.
- Secure area setting function: when the logical value of an access flag 530 of the OSID management table 500 stored in the OSID management table storage unit 362 is updated to “1”, a function of reading, from the secure area management table 400, the start address 420, end address 430, and access right 440 corresponding to the OSID 410 having the same identifier as the OSID 510 corresponding to that access flag 530, and writing them as the start address 220, end address 230, and access right 240 of one register, among those included in the control register group 131, in which the initial values are written.
- Secure area release function: when the logical value of an access flag 530 of the OSID management table 500 stored in the OSID management table storage unit 362 is updated to “0”, a function of rewriting to the initial values the start address 220, end address 230, and access right 240 of the register, among those included in the control register group 131, in which the values of the start address 420, end address 430, and access right 440 corresponding to the OSID 410 having the same identifier as the OSID 510 corresponding to that access flag 530 are written.
- The access start process is performed mainly by the hypervisor 360. It is executed based on the access start notification, and consists of rescheduling and setting the control register group 131.
- FIG. 6 is a flowchart of the access start process.
- The access start process is started when the secure area start instruction unit 341 of the OSa 340 or the secure area start instruction unit 351 of the OSb 350 detects that a process whose execution is controlled by the OS including that unit has started to access the secure area 141, and sends an access start signal to the access flag update unit 361.
- the access flag update unit 361 receives the sent access start signal (step S600).
- The access flag update unit 361 acquires the OSID included in the received access start signal (step S610). Then, by checking whether the same identifier as the acquired OSID is included in the OSID 410 of the secure area management table 400 stored in the secure area management table storage unit 363, it checks whether an access right to one continuous storage area included in the secure area 141 is set for the OS identified by the acquired OSID (step S620).
- When the access right is set in step S620 (step S620: Yes), that is, when the same identifier as the acquired OSID is included in the OSID 410 of the secure area management table 400 stored in the secure area management table storage unit 363, the access flag update unit 361 updates to the logical value “1” the access flag 530 associated, in the OSID management table 500 stored in the OSID management table storage unit 362, with the OSID 510 having the same identifier as the acquired OSID (step S630), and requests the scheduler 365 to perform rescheduling (step S640).
- By performing the rescheduling process described later, the scheduler 365 schedules the execution of each OS on each CPU so that the OS executed by each CPU is limited to the OS identified by the OSID 510 corresponding to the access flag 530 whose logical value is “1”.
- the execution control unit 366 temporarily interrupts OS execution control for all CPUs.
- The access control operation unit 364 waits until the scheduler 365 completes scheduling for all the CPUs (step S650: No is repeated; step S650: Yes), and then, by executing the secure area setting process described later, writes the start address 420, the end address 430, and the access right 440 corresponding to the OSID acquired by the access flag update unit 361 into one of the registers included in the control register group 131 in which the initial values are written (step S660).
- the access control operation unit 364 notifies the execution control unit 366 that the register writing has been completed. Then, the execution control unit 366 resumes the OS execution control for all the CPUs that have been temporarily interrupted (step S670).
- When the access right is not set in step S620 (step S620: No), that is, when the same identifier as the acquired OSID is not included in the OSID 410 of the secure area management table 400 stored in the secure area management table storage unit 363, or when the process of step S670 is completed, the hypervisor 360 ends the access start process.
- The rescheduling process is performed by the scheduler 365. When rescheduling is requested, it refers to the OSID management table 500 stored in the OSID management table storage unit 362 and schedules each OS on each CPU.
- FIG. 7 is a flowchart of the rescheduling process.
- The rescheduling process starts when the access flag update unit 361 requests rescheduling.
- The scheduler 365 checks whether any access flag 530 in the OSID management table 500 held in the OSID management table storage unit 362 has the logical value "1" (step S700).
- If such an access flag 530 exists (step S700: Yes), the scheduler 365 schedules the OSs on every CPU so that the only OS executed on any CPU is the one identified by the OSID 510 associated with that access flag 530 (step S710).
- If no access flag 530 has the logical value "1" (step S700: No), the scheduler 365 schedules the OSs on each CPU so that the execution time of each OS is in proportion to the priority 520 associated with that OS (step S720).
- When step S710 or step S720 has completed, the scheduler 365 ends the rescheduling process.
- The secure area setting process is performed by the access control operation unit 364. It updates a register of the control register group 131 whenever an access flag 530 in the OSID management table 500 held in the OSID management table storage unit 362 is updated.
- FIG. 8 is a flowchart of the secure area setting process.
- The secure area setting process starts when an access flag 530 in the OSID management table 500 held in the OSID management table storage unit 362 is updated.
- The access control operation unit 364 refers to the secure area management table 400 held in the secure area management table storage unit 363 and reads the start address 420, end address 430 and access right 440 corresponding to the OSID 410 that has the same identifier as the OSID 510 associated with the updated access flag 530 (step S800). It then checks whether the logical value of the updated access flag 530 is "1" (step S810).
- If the logical value is "1" (step S810: Yes), the access control operation unit 364 writes those values as the start address 220, end address 230 and access right 240 of one register of the control register group 131 that still holds its initial value (step S820).
- If the logical value is "0" (step S810: No), the access control operation unit 364 locates the register of the control register group 131 into which the start address 420, end address 430 and access right 440 corresponding to the OSID 410 with the same identifier as the OSID 510 associated with the updated access flag 530 were written, and rewrites that register's start address 220, end address 230 and access right 240 to the initial logical value "0" (step S830).
- When step S820 or step S830 has completed, the access control operation unit 364 ends the secure area setting process.
- The access end process is performed mainly by the hypervisor 360. On receiving notification from the OSa 340 or the OSb 350 that access to the secure area 141 has ended, the hypervisor reschedules the OSs and sets the control register group 131 based on that notification.
- FIG. 9 is a flowchart of the access end process.
- The access end process starts when the secure area end instruction unit 342 of the OSa 340 or the secure area end instruction unit 352 of the OSb 350 detects that a process whose execution is controlled by its own OS has finished accessing the secure area 141, and sends an access end signal to the access flag update unit 361.
- The access flag update unit 361 receives the access end signal (step S900).
- The access flag update unit 361 acquires the OSID contained in the received access end signal (step S910). It then checks whether the OS identified by that OSID has an access right set for one contiguous storage area within the secure area, by checking whether the same identifier is contained in the OSID 410 column of the secure area management table 400 held in the secure area management table storage unit 363 (step S920).
- If the access right is set (step S920: Yes), that is, if the acquired OSID is contained in the OSID 410 column of the secure area management table 400 held in the secure area management table storage unit 363, the access flag update unit 361 updates the access flag 530 associated with the OSID 510 having the same identifier in the OSID management table 500 held in the OSID management table storage unit 362 to the logical value "0" (step S930), and requests the scheduler 365 to reschedule (step S940).
- When rescheduling is requested, the scheduler 365 performs the rescheduling process described above, so that the OSs on each CPU are scheduled with execution times in proportion to the priority 520 associated with each OS.
- The execution control unit 366 temporarily suspends OS execution control on all CPUs.
- The access control operation unit 364 waits until the scheduler 365 has completed scheduling for all CPUs (step S950: No is repeated until Yes), then executes the secure area setting process described above: for the register of the control register group 131 into which the start address 420, end address 430 and access right 440 corresponding to the OSID 410 with the same identifier as the OSID 510 associated with the updated access flag 530 were written, it rewrites the register's start address 220, end address 230 and access right 240 to the initial logical value "0" (step S960).
- When step S960 has completed, the access control operation unit 364 notifies the execution control unit 366 that the register write has completed, and the execution control unit 366 resumes OS execution control on all the CPUs that it had suspended (step S970).
- If no access right is set in step S920 (step S920: No), that is, if the acquired OSID is not contained in the OSID 410 column of the secure area management table 400 held in the secure area management table storage unit 363, or when step S970 has completed, the hypervisor 360 ends the access end process.
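The access start process, rescheduling process (FIG. 7), secure area setting process (FIG. 8) and access end process (FIG. 9) together form one state machine over the two tables and the control register group 131. The following C program is an added illustration of that state machine, written for this page; it is not code from the patent. The table contents, the number of control registers, the secure range 0x80100000 to 0x8010FFFF and the access right value 3 are constructed for the example. The scheduler output is reduced to "which OS may run on which CPU", since the priority ratio used outside a secure area access period does not change the security decision. Step numbers in comments refer to the flowcharts above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_CPUS 4        /* CPUA 121 .. CPUD 124 */
#define NUM_OS   2        /* OSa 340 and OSb 350 */
#define NUM_REGS 2        /* registers in the control register group 131 (assumed count) */
#define REG_INITIAL 0u    /* initial value of start address 220, end address 230, access right 240 */

struct area_entry { int osid; uint32_t start, end, right; };  /* row of secure area management table 400 */
struct osid_entry { int osid; int priority; int access_flag; }; /* row of OSID management table 500 */
struct ctrl_reg   { uint32_t start, end, right; };              /* one register of control register group 131 */

struct hypervisor {
    struct area_entry table400[NUM_OS]; size_t n400;
    struct osid_entry table500[NUM_OS];
    struct ctrl_reg   regs131[NUM_REGS];
    bool runnable[NUM_CPUS][NUM_OS];  /* scheduler output: may OS i run on CPU c? */
};

static const struct area_entry *find_area(const struct hypervisor *hv, int osid)
{
    for (size_t i = 0; i < hv->n400; i++)
        if (hv->table400[i].osid == osid) return &hv->table400[i];
    return NULL;
}

static int os_index(const struct hypervisor *hv, int osid)
{
    for (int i = 0; i < NUM_OS; i++)
        if (hv->table500[i].osid == osid) return i;
    return -1;
}

/* Rescheduling process (FIG. 7): with any access flag 530 set, only flagged OSs may run
 * on any CPU (S710); otherwise every OS may run and time is shared by priority 520 (S720). */
static void reschedule(struct hypervisor *hv)
{
    bool limited = false;
    for (int i = 0; i < NUM_OS; i++) limited |= hv->table500[i].access_flag == 1;
    for (int c = 0; c < NUM_CPUS; c++)
        for (int i = 0; i < NUM_OS; i++)
            hv->runnable[c][i] = limited ? hv->table500[i].access_flag == 1 : true;
}

/* Secure area setting process (FIG. 8): arm a register still at its initial value (S820)
 * or return the register holding this OS's range to the initial value (S830). */
static bool secure_area_setting(struct hypervisor *hv, int osid, int flag)
{
    const struct area_entry *a = find_area(hv, osid);
    if (a == NULL) return false;
    for (int r = 0; r < NUM_REGS; r++) {
        struct ctrl_reg *g = &hv->regs131[r];
        bool is_free = g->start == REG_INITIAL && g->end == REG_INITIAL && g->right == REG_INITIAL;
        bool is_mine = g->start == a->start && g->end == a->end && g->right == a->right;
        if (flag == 1 && is_free) { g->start = a->start; g->end = a->end; g->right = a->right; return true; }
        if (flag == 0 && is_mine) { g->start = g->end = g->right = REG_INITIAL; return true; }
    }
    return false;
}

/* Access start process (FIG. 6): the OS must hold a row in table 400; its flag goes to 1,
 * the scheduler is confined to it, and only then is a register armed (S660). */
bool access_start(struct hypervisor *hv, int osid)
{
    int i = os_index(hv, osid);
    if (i < 0 || find_area(hv, osid) == NULL) return false;   /* S620: No */
    hv->table500[i].access_flag = 1;
    reschedule(hv);
    if (secure_area_setting(hv, osid, 1)) return true;
    hv->table500[i].access_flag = 0;   /* no free register: undo so scheduling is not left confined */
    reschedule(hv);
    return false;
}

/* Access end process (FIG. 9): flag to 0 (S930), reschedule (S940), clear the register (S960). */
bool access_end(struct hypervisor *hv, int osid)
{
    int i = os_index(hv, osid);
    if (i < 0 || find_area(hv, osid) == NULL) return false;   /* S920: No */
    hv->table500[i].access_flag = 0;
    reschedule(hv);
    return secure_area_setting(hv, osid, 0);
}

bool is_runnable(const struct hypervisor *hv, int cpu, int osid)
{
    int i = os_index(hv, osid);
    return i >= 0 && hv->runnable[cpu][i];
}

int armed_register_count(const struct hypervisor *hv)
{
    int n = 0;
    for (int r = 0; r < NUM_REGS; r++)
        n += hv->regs131[r].start != REG_INITIAL || hv->regs131[r].end != REG_INITIAL;
    return n;
}

/* Constructed tables: OSa (OSID 1) may use one range of the secure area 141, OSb (OSID 2) may not. */
void init_demo(struct hypervisor *hv)
{
    *hv = (struct hypervisor){0};
    hv->table400[0] = (struct area_entry){ .osid = 1, .start = 0x80100000u, .end = 0x8010FFFFu, .right = 3u };
    hv->n400 = 1;
    hv->table500[0] = (struct osid_entry){ .osid = 1, .priority = 60, .access_flag = 0 };
    hv->table500[1] = (struct osid_entry){ .osid = 2, .priority = 40, .access_flag = 0 };
    reschedule(hv);
}

int main(void)
{
    struct hypervisor hv;
    init_demo(&hv);
    bool b = access_start(&hv, 2);
    printf("OSb start request honoured: %d\n", b);
    bool a = access_start(&hv, 1);
    printf("OSa start honoured: %d, armed registers: %d, OSb runnable on CPUD: %d\n",
           a, armed_register_count(&hv), is_runnable(&hv, 3, 2));
    bool e = access_end(&hv, 1);
    printf("OSa end honoured: %d, armed registers: %d\n", e, armed_register_count(&hv));
    return 0;
}
```

The order inside `access_start` is the security-relevant part: the scheduler is confined before the register is armed, and in `access_end` the flag is cleared and the scheduler released before the register is cleared, while (per steps S670 and S970) OS execution on all CPUs is suspended across both steps, so no CPU can observe a window in which a non-secure OS runs while a register is armed.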
- The access control process is performed by the access control device 130. When any of the CPUA 121 to CPUD 124 requests access to the memory 140, the process prohibits the access if a predetermined condition is satisfied.
- FIG. 10 is a flowchart of the access control process.
- The access control process starts when any of the CPUA 121 to CPUD 124 requests an access to the memory 140.
- The access control device 130 checks whether the requested access targets an area other than the secure area 141 (hereinafter the "non-secure area") (step S1000).
- If the access targets the secure area 141 (step S1000: No), the access control device 130 checks whether the accessed area is contained in the area delimited by the start address 220 and the end address 230 of any register of the control register group 131 (step S1010).
- If the accessed area is contained in the area delimited by the start address 220 and the end address 230 of some register of the control register group 131 (step S1010: Yes), or if the access targets the non-secure area (step S1000: Yes), the access control device 130 allows the access (step S1020).
- If the accessed area is not contained in the area delimited by the start address 220 and the end address 230 of any register of the control register group 131 (step S1010: No), the access control device 130 prohibits the access and sends a memory access exception interrupt request signal to the interrupt controller 125 (step S1030).
- When step S1020 or step S1030 has completed, the access control device 130 ends the access control process.
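The following C program is an added model of the access control process of FIG. 10, written for this page; it is not the patent's own logic and does not describe any particular hardware. The bounds of the secure area 141, the number of registers and the access right value are constructed for the example. It treats the access as a byte range rather than a single address, which makes two cases explicit that a single-address check would miss: an access that straddles the boundary of the secure area does touch the secure area and must take the step S1010 path, and an access that extends past the end address 230 of the armed register is not contained in that register's area and is prohibited. FIG. 10 compares only the address range; the access right 240 is carried here only to tell an armed register from one at its initial value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_REGS     2            /* registers in the control register group 131 (assumed count) */
#define REG_INITIAL  0u           /* initial value of start address 220, end address 230, access right 240 */
#define SECURE_START 0x80000000u  /* bounds of the secure area 141, constructed for this example */
#define SECURE_END   0x80FFFFFFu  /* inclusive */

struct ctrl_reg { uint32_t start, end, right; };

struct access_control_device {
    struct ctrl_reg regs131[NUM_REGS];
    int exception_requests;  /* memory access exception interrupt requests sent to the interrupt controller 125 */
};

enum verdict { ACCESS_ALLOWED = 0, ACCESS_PROHIBITED = 1 };

/* Hypervisor side: arm a register with a range from table 400 (S820) or return it to its initial value (S830). */
void arm_register(struct access_control_device *dev, int r, uint32_t start, uint32_t end, uint32_t right)
{
    dev->regs131[r] = (struct ctrl_reg){ start, end, right };
}

void clear_register(struct access_control_device *dev, int r)
{
    dev->regs131[r] = (struct ctrl_reg){ REG_INITIAL, REG_INITIAL, REG_INITIAL };
}

/* Access control process (FIG. 10) for a request covering len bytes starting at addr. */
enum verdict check_access(struct access_control_device *dev, uint32_t addr, uint32_t len)
{
    /* A zero-length or address-wrapping request has no well-defined area, so it is refused. */
    if (len == 0 || addr > UINT32_MAX - (len - 1)) {
        dev->exception_requests++;
        return ACCESS_PROHIBITED;
    }
    uint32_t last = addr + len - 1;

    /* S1000: an access that touches no byte of the secure area 141 is a non-secure access
     * and is allowed (S1020). One that straddles the secure boundary does touch the secure
     * area and therefore goes on to S1010. */
    if (last < SECURE_START || addr > SECURE_END)
        return ACCESS_ALLOWED;

    /* S1010: the whole accessed range must lie inside the range of one armed register.
     * A register still holding its initial value is not consulted. */
    for (int r = 0; r < NUM_REGS; r++) {
        const struct ctrl_reg *g = &dev->regs131[r];
        bool armed = !(g->start == REG_INITIAL && g->end == REG_INITIAL && g->right == REG_INITIAL);
        if (armed && addr >= g->start && last <= g->end)
            return ACCESS_ALLOWED;                      /* S1020 */
    }
    dev->exception_requests++;                          /* S1030: prohibit and request the exception interrupt */
    return ACCESS_PROHIBITED;
}

int main(void)
{
    struct access_control_device dev = {0};
    printf("non-secure read: %d\n", check_access(&dev, 0x00001000u, 4));
    printf("secure read, nothing armed: %d\n", check_access(&dev, 0x80100000u, 4));
    arm_register(&dev, 0, 0x80100000u, 0x8010FFFFu, 3u);   /* access right 3 is an assumed read|write encoding */
    printf("secure read inside the armed range: %d\n", check_access(&dev, 0x80100000u, 4));
    printf("read straddling the end of the range: %d\n", check_access(&dev, 0x8010FFFEu, 4));
    printf("read straddling the secure boundary: %d\n", check_access(&dev, 0x7FFFFFFEu, 4));
    printf("exception requests so far: %d\n", dev.exception_requests);
    return 0;
}
```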
- FIG. 11 is an example timing chart of each CPU in the computer system 100 configured as described above.
- Each rectangle labelled OSa indicates that the OS executing on the corresponding CPU is the OSa 340, and each rectangle labelled OSb indicates that it is the OSb 350.
- The first period 1110 is a period in which the secure area 141 is accessed by a secure process executed on the CPUC 123, and the second period 1120 is a period in which the secure area 141 is accessed by a secure process executed on the CPUB 122.
- During any period in which the secure area 141 is accessed by a secure process executed on one of the CPUs (for example the first period 1110 and the second period 1120; hereinafter a "secure area access period"), the OSb 350 is not executed on any CPU, so no non-secure process is executed during a secure area access period.
- Outside the secure area access periods both the OSa 340 and the OSb 350 can be executed, so both secure processes and non-secure processes can be executed there.
- The first modified computer system has the same hardware configuration as the computer system 100 of the first embodiment, but part of the program stored in the memory 140 differs from that of the computer system 100.
- The computer system 100 of the first embodiment is an example configuration in which the logical value of the access flag 530 (see FIG. 5) is "1" during the period in which the secure area 141 is accessed by a secure process. The first modified computer system is an example configuration in which, instead, the execution priority that the hypervisor assigns to the OS is set to a predetermined value (the maximum value) during that period.
- The hardware configuration of the first modified computer system is the same as that of the computer system 100 of the first embodiment, so its description is omitted here.
- Part of the program stored in the memory 140, that is, part of the module group executed on the CPUA 121 to CPUD 124, is modified relative to the computer system 100 of the first embodiment.
- FIG. 12 is a schematic diagram of the module group 1200 executed on the CPUA 121 to CPUD 124 in the first modified computer system.
- Relative to the module group 300 of the first embodiment, the access flag update unit 361 is modified into the OS priority update unit 1261, the OSID management table storage unit 362 into the modified OSID management table storage unit 1262, the scheduler 365 into the modified scheduler 1265, and the access control operation unit 364 into the modified access control operation unit 1264. Accordingly, the hypervisor 360 is modified into the hypervisor 1260.
- The modified OSID management table storage unit 1262 stores the modified OSID management table 1300.
- FIG. 13 is a data configuration diagram showing an example of the data configuration of the modified OSID management table 1300.
- the modified OSID management table 1300 includes an OSID 1310 and a priority 1320 that are associated with each other.
- The OSID 1310 is an identifier that identifies an OS, like the OSID 510.
- The priority 1320 is the execution priority of the OS identified by the corresponding OSID 1310 when the hypervisor 1260 performs OS execution control.
- The priority 1320 takes an integer value from 0 to 100; the larger the value, the higher the priority. It takes the maximum value "100" only while a predetermined condition is satisfied, and otherwise an integer value from 0 to 99.
- OS execution control by the hypervisor 1260 using the priority 1320 is described later, together with the modified scheduler 1265.
- the OS priority update unit 1261 has the following three functions.
- Maximum priority update function: when an access start signal is received from the secure area start instruction unit 341 or the secure area start instruction unit 351, and the OS that sent it is among the OSs identified by the OSID 410 of the secure area management table 400 held in the secure area management table storage unit 363, temporarily saves the priority 1320 associated with the OSID 1310 of the sending OS in the modified OSID management table 1300 held in the modified OSID management table storage unit 1262, and then updates that priority to the maximum value "100".
- Non-maximum priority update function: when an access end signal is received from the secure area end instruction unit 342 or the secure area end instruction unit 352, and the OS that sent it is among the OSs identified by the OSID 410 of the secure area management table 400 held in the secure area management table storage unit 363, restores the priority 1320 associated with the OSID 1310 of the sending OS in the modified OSID management table 1300 held in the modified OSID management table storage unit 1262 to the temporarily saved value.
- Modified rescheduling request function: when a priority 1320 in the modified OSID management table 1300 held in the modified OSID management table storage unit 1262 is updated, requests the modified scheduler 1265 to perform new scheduling based on the updated table.
- the modified scheduler 1265 has the following two functions.
- First modified normal scheduling function: when no priority 1320 in the modified OSID management table 1300 held in the modified OSID management table storage unit 1262 has the value "100", schedules the OSs on each CPU so that the execution time of each OS is in proportion to its priority 1320.
- First modified limited scheduling function: when a priority 1320 in the modified OSID management table 1300 held in the modified OSID management table storage unit 1262 has the value "100", schedules the OSs on every CPU so that the only OS executed on any CPU is the one identified by the OSID 1310 corresponding to the priority 1320 with the value "100".
- the modified access control operation unit 1264 has the following two functions.
- First modified secure area setting function: when a priority 1320 in the modified OSID management table 1300 held in the modified OSID management table storage unit 1262 is updated to "100", and the OSID 1310 corresponding to that priority is contained in the OSID 410 column of the secure area management table 400 held in the secure area management table storage unit 363, reads the start address 420, end address 430 and access right 440 corresponding to that OSID 410 and writes them as the start address 220, end address 230 and access right 240 of one register of the control register group 131 that still holds its initial value.
- First modified secure area release function: when a priority 1320 in the modified OSID management table 1300 held in the modified OSID management table storage unit 1262 is updated from "100" to a value other than "100", and the OSID 1310 corresponding to that priority is contained in the OSID 410 column of the secure area management table 400 held in the secure area management table storage unit 363, locates the register of the control register group 131 into which the start address 420, end address 430 and access right 440 corresponding to that OSID 410 were written, and rewrites that register's start address 220, end address 230 and access right 240 to the initial logical value "0".
- The first modified access start process, the first modified rescheduling process, the first modified secure area setting process and the first modified access end process, which are the characteristic operations of the first modified computer system, are described below.
- The first modified access start process modifies part of the access start process of the first embodiment (see FIG. 6 and elsewhere). It is performed mainly by the hypervisor 1260: on receiving notification from the OSa 340 or the OSb 350 that access to the secure area 141 has started, the hypervisor reschedules the OSs and sets the control register group 131 based on that notification.
- FIG. 14 is a flowchart of the first modified access start process.
- The first modified access start process starts when the secure area start instruction unit 341 of the OSa 340 or the secure area start instruction unit 351 of the OSb 350 detects that a process whose execution is controlled by its own OS has started accessing the secure area 141, and sends an access start signal to the OS priority update unit 1261.
- The OS priority update unit 1261 receives the access start signal (step S1400).
- The OS priority update unit 1261 acquires the OSID contained in the received access start signal (step S1410). It then checks whether the OS identified by that OSID has an access right set for one contiguous storage area within the secure area, by checking whether the same identifier is contained in the OSID 410 column of the secure area management table 400 held in the secure area management table storage unit 363 (step S1420).
- If the access right is set (step S1420: Yes), that is, if the acquired OSID is contained in the OSID 410 column of the secure area management table 400 held in the secure area management table storage unit 363, the OS priority update unit 1261 temporarily saves the priority 1320 associated with the OSID 1310 having the same identifier in the modified OSID management table 1300 held in the modified OSID management table storage unit 1262 (step S1425), updates it to the maximum priority value "100" (step S1430), and requests the modified scheduler 1265 to reschedule (step S1440).
- When rescheduling is requested, the modified scheduler 1265 performs the first modified rescheduling process described later, so that the only OS executed on any CPU is the one identified by the OSID 1310 corresponding to the priority 1320 with the value "100".
- The execution control unit 366 temporarily suspends OS execution control on all CPUs.
- The modified access control operation unit 1264 waits until the modified scheduler 1265 has completed scheduling for all CPUs (step S1450: No is repeated until Yes), then executes the first modified secure area setting process described later, writing the start address 420, end address 430 and access right 440 corresponding to the OSID acquired by the OS priority update unit 1261 into one register of the control register group 131 that still holds its initial value (step S1460).
- Step S1470 is the same as step S670 of the first embodiment (see FIG. 6 and elsewhere), so its description is omitted here.
- If no access right is set in step S1420 (step S1420: No), that is, if the acquired OSID is not contained in the OSID 410 column of the secure area management table 400 held in the secure area management table storage unit 363, or when step S1470 has completed, the hypervisor 1260 ends the first modified access start process.
- The first modified rescheduling process modifies part of the rescheduling process of the first embodiment (see FIG. 7 and elsewhere). It is performed by the modified scheduler 1265: when rescheduling is requested, the modified scheduler refers to the modified OSID management table 1300 held in the modified OSID management table storage unit 1262 and schedules the OSs on each CPU.
- FIG. 15 is a flowchart of the first modified rescheduling process.
- The first modified rescheduling process starts when the OS priority update unit 1261 requests rescheduling.
- The modified scheduler 1265 checks whether any priority 1320 in the modified OSID management table 1300 held in the modified OSID management table storage unit 1262 has the value "100" (step S1500).
- If such a priority 1320 exists (step S1500: Yes), the modified scheduler 1265 schedules the OSs on every CPU so that the only OS executed on any CPU is the one identified by the OSID 1310 corresponding to the priority 1320 with the value "100" (step S1510).
- If no priority 1320 has the value "100" (step S1500: No), the modified scheduler 1265 schedules the OSs on each CPU so that the execution time of each OS is in proportion to its priority 1320 (step S1520).
- When step S1510 or step S1520 has completed, the modified scheduler 1265 ends the first modified rescheduling process.
- The first modified secure area setting process modifies part of the secure area setting process of the first embodiment (see FIG. 8 and elsewhere). It is performed by the modified access control operation unit 1264 and updates a register of the control register group 131 whenever a priority 1320 in the modified OSID management table 1300 held in the modified OSID management table storage unit 1262 is updated.
- FIG. 16 is a flowchart of the first modified secure area setting process.
- The first modified secure area setting process starts when a priority 1320 in the modified OSID management table 1300 held in the modified OSID management table storage unit 1262 is updated to "100", or from "100" to a value other than "100".
- The modified access control operation unit 1264 refers to the secure area management table 400 held in the secure area management table storage unit 363 and reads the start address 420, end address 430 and access right 440 corresponding to the OSID 410 that has the same identifier as the OSID 1310 associated with the updated priority 1320 (step S1600). It then checks whether the updated priority 1320 has the value "100" (step S1610).
- If the updated priority 1320 is "100" (step S1610: Yes), the modified access control operation unit 1264 writes those values as the start address 220, end address 230 and access right 240 of one register of the control register group 131 that still holds its initial value (step S1620).
- If the updated priority 1320 is not "100" (step S1610: No), the modified access control operation unit 1264 locates the register of the control register group 131 into which the start address 420, end address 430 and access right 440 corresponding to the OSID 410 with the same identifier as the OSID 1310 associated with the updated priority 1320 were written, and rewrites that register's start address 220, end address 230 and access right 240 to the initial logical value "0" (step S1630).
- When step S1620 or step S1630 has completed, the modified access control operation unit 1264 ends the first modified secure area setting process.
- The first modified access end process modifies part of the access end process of the first embodiment (see FIG. 9 and elsewhere). It is performed mainly by the hypervisor 1260: on receiving notification from the OSa 340 or the OSb 350 that access to the secure area 141 has ended, the hypervisor reschedules the OSs and sets the control register group 131 based on that notification.
- FIG. 17 is a flowchart of the first modified access end process.
- The first modified access end process starts when the secure area end instruction unit 342 of the OSa 340 or the secure area end instruction unit 352 of the OSb 350 detects that a process whose execution is controlled by its own OS has finished accessing the secure area 141, and sends an access end signal to the OS priority update unit 1261.
- The OS priority update unit 1261 receives the access end signal (step S1700).
- The OS priority update unit 1261 acquires the OSID contained in the received access end signal (step S1710). It then checks whether the OS identified by that OSID has an access right set for one contiguous storage area within the secure area, by checking whether the same identifier is contained in the OSID 410 column of the secure area management table 400 held in the secure area management table storage unit 363 (step S1720).
- If the access right is set (step S1720: Yes), that is, if the acquired OSID is contained in the OSID 410 column of the secure area management table 400 held in the secure area management table storage unit 363, the OS priority update unit 1261 restores the priority 1320 associated with the OSID 1310 having the same identifier in the modified OSID management table 1300 held in the modified OSID management table storage unit 1262 to the temporarily saved value (step S1730), and requests the modified scheduler 1265 to reschedule (step S1740).
- When rescheduling is requested, the modified scheduler 1265 performs the first modified rescheduling process described above, so that the OSs on each CPU are scheduled with execution times in proportion to the priority 1320 of each OS.
- The execution control unit 366 temporarily suspends OS execution control on all CPUs.
- The modified access control operation unit 1264 waits until the modified scheduler 1265 has completed scheduling for all CPUs (step S1750: No is repeated until Yes), then executes the first modified secure area setting process described above: for the register of the control register group 131 into which the start address 420, end address 430 and access right 440 corresponding to the OSID 410 with the same identifier as the OSID 1310 associated with the updated priority 1320 were written, it rewrites the register's start address 220, end address 230 and access right 240 to the initial logical value "0" (step S1760).
- Step S1770 is the same as step S970 of the first embodiment (see FIG. 9 and elsewhere), so its description is omitted here.
- If no access right is set in step S1720 (step S1720: No), that is, if the acquired OSID is not contained in the OSID 410 column of the secure area management table 400 held in the secure area management table storage unit 363, or when step S1770 has completed, the hypervisor 1260 ends the first modified access end process.
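In the first modified computer system the access flag is replaced by the priority 1320, and the two things that must hold together are the save/restore of the pre-access priority (steps S1425, S1430 and S1730) and the switch between limited scheduling and proportional scheduling (FIG. 15). The following C program is an added illustration of that part of the design, written for this page and not taken from the patent; the OS identifiers and the priorities 60 and 40 are constructed. It goes one step beyond the description: `boost_priority` refuses a second access start for an OS that is already at "100", because saving "100" as the "temporarily stored" value would leave that OS at maximum priority after the matching access end. That guard is the author's addition, not something the page specifies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_OS       2
#define MAX_PRIORITY 100   /* the value the priority 1320 takes only during a secure area access */

/* Row of the modified OSID management table 1300, plus the slot in which the OS priority
 * update unit 1261 keeps the pre-boost value (what the page calls "temporarily stored"). */
struct prio_entry { int osid; int priority; int saved; };
struct prio_table { struct prio_entry row[NUM_OS]; };

static struct prio_entry *find_entry(struct prio_table *t, int osid)
{
    for (int i = 0; i < NUM_OS; i++)
        if (t->row[i].osid == osid) return &t->row[i];
    return NULL;
}

/* Maximum priority update (S1425, S1430). Returns false for an unknown OS or for an OS
 * that is already boosted; the second case is the added guard described in the lead-in. */
bool boost_priority(struct prio_table *t, int osid)
{
    struct prio_entry *e = find_entry(t, osid);
    if (e == NULL || e->priority == MAX_PRIORITY) return false;
    e->saved = e->priority;
    e->priority = MAX_PRIORITY;
    return true;
}

/* Non-maximum priority update (S1730): restore the saved value. Returns false if the OS
 * was not boosted, so an access end without a matching access start changes nothing. */
bool restore_priority(struct prio_table *t, int osid)
{
    struct prio_entry *e = find_entry(t, osid);
    if (e == NULL || e->priority != MAX_PRIORITY) return false;
    e->priority = e->saved;
    return true;
}

/* Share of CPU time, in whole percent, that the first modified rescheduling process gives
 * an OS: limited scheduling (S1510) while any priority is 100, otherwise time in proportion
 * to priority 1320 (S1520). */
int time_share_percent(struct prio_table *t, int osid)
{
    struct prio_entry *e = find_entry(t, osid);
    if (e == NULL) return 0;
    int sum = 0;
    bool limited = false;
    for (int i = 0; i < NUM_OS; i++) {
        sum += t->row[i].priority;
        limited |= t->row[i].priority == MAX_PRIORITY;
    }
    if (limited) return e->priority == MAX_PRIORITY ? 100 : 0;
    return sum == 0 ? 0 : e->priority * 100 / sum;
}

/* Constructed table: OSa is OSID 1 with priority 60, OSb is OSID 2 with priority 40. */
void init_demo(struct prio_table *t)
{
    t->row[0] = (struct prio_entry){ 1, 60, 0 };
    t->row[1] = (struct prio_entry){ 2, 40, 0 };
}

int main(void)
{
    struct prio_table t;
    init_demo(&t);
    printf("normal: OSa %d%%, OSb %d%%\n", time_share_percent(&t, 1), time_share_percent(&t, 2));
    boost_priority(&t, 1);                       /* access start by OSa */
    printf("boosted: OSa %d%%, OSb %d%%\n", time_share_percent(&t, 1), time_share_percent(&t, 2));
    printf("second boost accepted: %d\n", boost_priority(&t, 1));
    restore_priority(&t, 1);                     /* access end by OSa */
    printf("restored: OSa %d%%, OSb %d%%\n", time_share_percent(&t, 1), time_share_percent(&t, 2));
    return 0;
}
```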
- The computer system 1800 has a hardware configuration partially modified from that of the computer system 100 of the first embodiment, and part of the program stored in the memory 140 is also partially modified from that of the computer system 100.
- The computer system 100 of the first embodiment is an example configuration in which the secure area start instruction unit 341 or the secure area start instruction unit 351 included in the OS detects that access to the secure area 141 has started. The computer system 1800 is an example configuration in which, instead, the hypervisor detects that access to the secure area 141 has started from the memory access exception interrupt request signal sent by the access control device 130.
- FIG. 18 is a block diagram showing the main hardware configuration of the computer system 1800.
- Relative to the computer system 100 of the first embodiment (see FIG. 1), a timer 1705 is added and the interrupt controller 125 is modified into the interrupt controller 1825; accordingly, the MPU 120 is modified into the MPU 1820.
- The timer 1705 is connected to the bus 150 and is controlled by the CPUA 121 to CPUD 124. It measures a time designated by one of those CPUs and, when the designated time has elapsed, sends a timer interrupt request signal to the interrupt controller 1825. The timer interrupt request signal contains information identifying the CPU that requested the time measurement.
- The interrupt controller 1825 is connected to the access control device 130, the CPUA 121, the CPUB 122, the CPUC 123 and the CPUD 124, and has the following two functions.
- Memory access exception notification function: when a memory access exception interrupt request signal is received from the access control device 130, identifies the CPU that attempted the prohibited memory access (hereinafter the "accessing CPU") and raises on that CPU a memory access exception interrupt that the CPU can identify as such.
- Timer interrupt notification function: when a timer interrupt request signal is received from the timer 1705, identifies the CPU that requested the time measurement and raises on that CPU a timer interrupt that the CPU can identify as indicating that the timer measurement has ended.
- FIG. 19 is a schematic diagram of the module group 1900 executed on the CPUA 121 to CPUD 124 in the computer system 1800.
- Relative to the module group 300 of the first embodiment (see FIG. 2 and elsewhere), the OSa 340 is modified into the OSa 1940 by deleting the secure area start instruction unit 341 and the secure area end instruction unit 342, the OSb 350 is modified into the OSb 1950 by deleting the secure area start instruction unit 351 and the secure area end instruction unit 352, the access flag update unit 361 is modified into the modified access flag update unit 1961, and an interrupt processing unit 1970 is added. Accordingly, the hypervisor 360 is modified into the hypervisor 1960.
- the interrupt processing unit 1970 has the following three functions.
- Memory access exception notification function Detects a memory access exception interrupt made from one of the CPUA 121 to CPUD 124 from the interrupt controller 1825, identifies the OS executed by the CPU that has made the memory access exception interrupt, A function of sending a memory access exception notification signal including information indicating the specified OS to the modified access flag update unit 1961.
- Timer end notification function Detects a timer interrupt made to any of CPUA 121 to CPUD 124 from interrupt controller 1825, identifies the OS executed by the CPU that made the timer interrupt, and indicates the identified OS A function of sending a timer end notification signal including information to the modified access flag update unit 1961.
- Memory access exception processing function When a memory access exception interrupt made from any of the interrupt controllers 1825 to any of CPUA 121 to CPUD 124 is detected, a predetermined memory access is prohibited when a predetermined condition is satisfied. Function to perform memory access prohibition processing to be performed in case.
- the modified access flag update unit 1961 has the following two functions in addition to the rescheduling request function of the access flag update unit 361 according to the first embodiment.
- First modified access flag 1 update function: when a memory access exception notification signal is received from the interrupt processing unit 1970, and the OS indicated by that signal is included among the OSes identified by the OSID 410 in the secure area management table 400 stored in the secure area management table storage unit 363, updates the access flag 530 associated with the OSID 510 identifying the transmission source OS in the OSID management table 500 stored in the OSID management table storage unit 362 to the logical value “1”.
- First modified access flag 0 update function: when a timer end notification signal is received from the interrupt processing unit 1970, and the OS indicated by that signal is included among the OSes identified by the OSID 410 in the secure area management table 400 stored in the secure area management table storage unit 363, updates the access flag 530 associated with the OSID 510 identifying the transmission source OS in the OSID management table 500 stored in the OSID management table storage unit 362 to the logical value “0”.
- the second modified access start process is a process obtained by modifying a part of the access start process (see FIG. 6 and the like) in the first embodiment. It is performed mainly by the hypervisor 1960 and, when the interrupt processing unit 1970 detects a memory access exception interrupt from the interrupt controller 1825 on any of CPUA 121 to CPUD 124, performs rescheduling of the OS to be executed and setting of the control register group 131 based on that memory access exception interrupt.
- FIG. 20 is a flowchart of the second modified access start process.
- the second modified access start process is started when the interrupt processing unit 1970 detects, from the interrupt controller 1825, a memory access exception interrupt raised on any of CPUA 121 to CPUD 124, identifies the OS being executed by the CPU on which the interrupt was raised, and sends a memory access exception notification signal including information indicating the identified OS to the modified access flag update unit 1961.
- the modified access flag update unit 1961 receives the sent memory access exception notification signal (step S2000).
- the modified access flag update unit 1961 identifies the OS indicated by the received memory access exception notification signal (step S2010). It then checks whether the identified OS is included among the OSes identified by the OSID 410 in the secure area management table 400 (see FIG. 4) stored in the secure area management table storage unit 363, and thereby checks whether an access right to one continuous storage area included in the secure area 141 is set for the identified OS (step S2020).
- when the access right is set in step S2020 (step S2020: Yes), that is, when the identified OS is included among the OSes identified by the OSID 410 of the secure area management table 400 stored in the secure area management table storage unit 363, the modified access flag update unit 1961 updates the access flag 530 associated with the OSID 510 having the same identifier as the OSID of the identified OS in the OSID management table 500 stored in the OSID management table storage unit 362 to the logical value “1” (step S2030).
- the processing of step S2040 to step S2070 is the same as the processing of step S640 to step S670 of the access start process in the first embodiment, except that the access flag update unit 361 is replaced with the modified access flag update unit 1961. Therefore, description of these steps is omitted here.
- the access control operation unit 364 then causes the timer 1705 to start measuring a predetermined time T1 (for example, 1 μs) (step S2080).
- when the access right is not set in step S2020 (step S2020: No), that is, when the identified OS is not included among the OSes identified by the OSID 410 of the secure area management table 400 stored in the secure area management table storage unit 363, the interrupt processing unit 1970 performs memory access prohibition processing (step S2090).
- when the processing of step S2080 ends, or when the processing of step S2090 ends, the hypervisor 1960 ends the second modified access start process.
- the second modified access end process is a process obtained by modifying a part of the access end process (see FIG. 9 and the like) in the first embodiment. It is performed mainly by the hypervisor 1960 and, when the interrupt processing unit 1970 detects a timer interrupt from the timer 1705 on any of CPUA 121 to CPUD 124, performs rescheduling of the OS to be executed and setting of the control register group 131 based on that timer interrupt.
- FIG. 21 is a flowchart of the second modified access end process.
- the second modified access end process is started when the interrupt processing unit 1970 detects, from the interrupt controller 1825, a timer interrupt raised on any of CPUA 121 to CPUD 124, identifies the OS being executed by the CPU on which the timer interrupt was raised, and sends a timer end notification signal including information indicating the identified OS to the modified access flag update unit 1961.
- the modified access flag update unit 1961 receives the sent timer end notification signal (step S2100).
- the modified access flag update unit 1961 identifies the OS indicated by the received timer end notification signal (step S2110). It then checks whether the identified OS is included among the OSes identified by the OSID 410 in the secure area management table 400 (see FIG. 4) stored in the secure area management table storage unit 363, and thereby checks whether an access right to one continuous storage area included in the secure area 141 is set for the identified OS (step S2120).
- when the access right is set in step S2120 (step S2120: Yes), that is, when the identified OS is included among the OSes identified by the OSID 410 of the secure area management table 400 stored in the secure area management table storage unit 363, the modified access flag update unit 1961 updates the access flag 530 associated with the OSID 510 having the same identifier as the OSID of the identified OS in the OSID management table 500 stored in the OSID management table storage unit 362 to the logical value “0” (step S2130).
- the processing of step S2140 to step S2170 is the same as the processing of step S940 to step S970 of the access end process in the first embodiment, except that the access flag update unit 361 is replaced with the modified access flag update unit 1961. Therefore, description of these steps is omitted here.
- when the access right is not set in step S2120 (step S2120: No), that is, when the identified OS is not included among the OSes identified by the OSID 410 of the secure area management table 400 stored in the secure area management table storage unit 363, or when the processing of step S2170 ends, the hypervisor 1960 ends the second modified access end process.
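- As an added illustration, not code from the patent, the Python simulation below models the two interrupt-driven paths described in FIGS. 20 and 21: a memory access exception from an OS that has a row in the secure area management table 400 sets its access flag 530 and starts the timer 1705 for T1, an exception from an OS without a row goes to memory access prohibition processing (step S2090), and the timer interrupt clears the flag (step S2130). The class name `Hypervisor1960`, the table rows, the OSIDs, the CPU names and the trace format are assumptions; the rescheduling and register steps S2040 to S2070 and S2140 to S2170 are deliberately left out.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the secure area management table 400:
# OSID 410 -> (start address, end address, access right). Values are assumptions.
SECURE_AREA_TABLE = {
    1: (0x1000, 0x1FFF, "RW"),
    3: (0x2000, 0x2FFF, "R"),
}
T1_US = 1   # predetermined time T1 measured by the timer 1705 (1 us in the text)


@dataclass
class Hypervisor1960:
    """Memory access exception and timer handling of the hypervisor 1960 (assumed model)."""
    access_flags: dict                           # OSID 510 -> access flag 530
    timers: dict = field(default_factory=dict)   # osid -> remaining time in us
    trace: list = field(default_factory=list)    # constructed event log

    def has_access_right(self, osid):
        # step S2020 / S2120: is the OS listed in the secure area management table?
        return osid in SECURE_AREA_TABLE

    def on_memory_access_exception(self, cpu, osid):
        """Second modified access start process (FIG. 20)."""
        self.trace.append(("exception", cpu, osid))
        if not self.has_access_right(osid):
            # S2090: memory access prohibition processing for an OS without a row
            self.trace.append(("prohibit", cpu, osid))
            return "prohibited"
        self.access_flags[osid] = 1               # S2030: access flag 530 := 1
        # S2040-S2070 (rescheduling, register write) are not modelled here
        self.timers[osid] = T1_US                 # S2080: timer 1705 starts T1
        self.trace.append(("grant", cpu, osid))
        return "granted"

    def on_timer_interrupt(self, cpu, osid):
        """Second modified access end process (FIG. 21)."""
        self.timers.pop(osid, None)
        if self.has_access_right(osid):           # S2120
            self.access_flags[osid] = 0           # S2130: access flag 530 := 0
            self.trace.append(("end", cpu, osid))
        # S2140-S2170 (rescheduling, register release) are not modelled here

    def advance(self, elapsed_us, cpu_of):
        """Let elapsed_us pass; raise the timer interrupt for every expired window."""
        for osid in list(self.timers):
            self.timers[osid] -= elapsed_us
            if self.timers[osid] <= 0:
                self.on_timer_interrupt(cpu_of[osid], osid)

    def flagged_oses(self):
        """OSIDs whose access flag is currently 1."""
        return sorted(o for o, f in self.access_flags.items() if f == 1)


def run_scenario():
    """Constructed timeline: OS 1 (listed) and OS 2 (not listed) fault into the secure area."""
    hv = Hypervisor1960(access_flags={1: 0, 2: 0, 3: 0})
    cpu_of = {1: "CPUA", 2: "CPUB", 3: "CPUC"}
    r1 = hv.on_memory_access_exception("CPUA", 1)
    r2 = hv.on_memory_access_exception("CPUB", 2)
    during = hv.flagged_oses()
    hv.advance(T1_US, cpu_of)      # T1 elapses: the window of OS 1 closes
    after = hv.flagged_oses()
    return r1, r2, during, after, hv.trace
```

The point the simulation makes is that the table row is the only thing that distinguishes an access that opens a window from one that is prohibited, and that the window is closed by the timer rather than by the OS itself, so an OS that never signals completion still loses its flag after T1.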
- the second modified computer system has the same hardware configuration as the computer system 100 according to the first embodiment, but a part of the program stored in the memory 140 differs from that of the computer system 100 according to the first embodiment.
- the computer system 100 according to the first embodiment is an example of a configuration including an OS that performs process execution control and a hypervisor that performs OS execution control.
- the second modified computer system according to the fourth embodiment, by contrast, is an example of a configuration that includes no hypervisor and instead includes an OS that performs process execution control in units of process groups, each consisting of one or more processes.
- accordingly, a part of the program stored in the memory 140 is modified from that of the computer system 100 according to the first embodiment, and a part of the module group executed on the CPUA 121 to CPUD 124 is modified.
- FIG. 22 is a schematic diagram showing a module group 2200 executed on the CPUA 121 to CPUD 124 in the second modified computer system.
- the module group 2200 includes a process A 2240 to a process Z 2250 executed in the user mode 310, and an OS 2260 executed in the first privileged mode 320.
- the OS 2260 is an operating system having a function of controlling execution of the processes A 2240 to Z 2250 in units of process groups of one or more processes, and includes an access flag update unit 2261, a PG (Process Group) ID management table storage unit 2262, a secure area management table storage unit 2263, an access control operation unit 2264, a scheduler 2265, an execution control unit 2266, and an inter-CPU communication control unit 2267.
- the OS 2260 performs process execution control so that, at any given time, each CPU has one process group as its execution target.
- process A 2240 to process Z 2250 are tasks generated when one of CPUA 121 to CPUD 124 executes an application program, and each includes a secure area start instruction unit (secure area start instruction unit 2241, secure area start instruction unit 2251, etc.) and a secure area end instruction unit (secure area end instruction unit 2242, secure area end instruction unit 2252, etc.).
- the secure area start instruction unit 2241 has a function of detecting that the process including its own module has started access to the secure area 141, and sending a modified access start signal indicating that access to the secure area 141 has started to the access flag update unit 2261.
- the modified access start signal includes a PGID, an identifier identifying the process group that includes the process sending the signal.
- the secure area end instruction unit 2242 has a function of detecting that the process including its own module has ended access to the secure area 141, and sending a modified access end signal indicating that access to the secure area 141 has ended to the access flag update unit 2261.
- the modified access end signal includes a PGID, an identifier identifying the process group that includes the process sending the signal.
- the secure area start instruction unit 2251 and the secure area end instruction unit 2252 have functions equivalent to those of the secure area start instruction unit 2241 and the secure area end instruction unit 2242, respectively. Therefore, their description is omitted here.
- the secure area management table storage unit 2263 has a function of storing the modified secure area management table 2300.
- FIG. 23 is a data configuration diagram showing an example of the data configuration of the modified secure area management table 2300.
- the modified secure area management table 2300 is configured by associating a PGID 2310, a start address 2320, an end address 2330, and an access right 2340.
- PGID 2310 is an identifier for identifying a process group.
- the process groups identified by a PGID 2310 of “1”, “2”, or “9” are secure process groups, each including processes generated by executing a secure application program, and the process groups identified by any PGID 2310 other than “1”, “2”, or “9” are non-secure process groups, each including processes generated by executing a non-secure application program.
- the start address 2320 and the end address 2330 are a start address and an end address for one continuous storage area included in the secure area, respectively.
- the access right 2340 is access form information indicating the permitted form of access, from a process included in the process group identified by the corresponding PGID 2310, to the continuous storage area specified by the corresponding start address 2320 and end address 2330.
- This access form information is the same as the access form information in the access right 240 in the first embodiment. Therefore, the description is omitted.
- the modified secure area management table 2300 is a table that is determined in advance at the time of system development, and its contents cannot be updated.
- the PGID management table storage unit 2262 has a function of storing the PGID management table 2400.
- FIG. 24 is a data configuration diagram showing an example of the data configuration of the PGID management table 2400.
- the PGID management table 2400 is configured by associating a PGID 2410, a priority 2420, a PID 2430, and an access flag 2440.
- PGID 2410 is an identifier for identifying a process group, similar to PGID 2310.
- the priority 2420 is an execution priority of the process group identified by the corresponding PGID 2410 when the OS 2260 performs process execution control.
- the priority 2420 takes any integer value from 0 to 99, and the larger the value, the higher the priority. Note that process execution control by the OS 2260 using the priority 2420 will be described later in the description of the scheduler 2265.
- P (Process) ID 2430 is an identifier for identifying a process included in the process group identified by the corresponding PGID 2410.
- the access flag 2440 is a flag indicating whether or not the secure area 141 is accessed by a process included in the process group identified by the corresponding PGID 2410.
- the access flag 2440 indicates that the secure area 141 is being accessed when its logical value is “1”, and that the secure area 141 is not being accessed when its logical value is “0”.
- the access flag update unit 2261 has the following three functions.
- Second modified access flag 1 update function: when a modified access start signal is received from a secure area start instruction unit (secure area start instruction unit 2241, secure area start instruction unit 2251, etc.), and the process that sent the modified access start signal is included in a process group identified by a PGID 2310 of the modified secure area management table 2300 stored in the secure area management table storage unit 2263, updates the access flag 2440 associated with the PID 2430 identifying the transmission source process in the PGID management table 2400 stored in the PGID management table storage unit 2262 to the logical value “1”.
- Second modified access flag 0 update function: when a modified access end signal is received from a secure area end instruction unit (secure area end instruction unit 2242, secure area end instruction unit 2252, etc.), and the process that sent the modified access end signal is included in a process group identified by a PGID 2310 of the modified secure area management table 2300 stored in the secure area management table storage unit 2263, updates the access flag 2440 associated with the PID 2430 identifying the transmission source process in the PGID management table 2400 stored in the PGID management table storage unit 2262 to the logical value “0”.
- Modified rescheduling request function: when an access flag 2440 of the PGID management table 2400 stored in the PGID management table storage unit 2262 is updated, requests the scheduler 2265 to perform new scheduling based on the updated PGID management table 2400.
- the scheduler 2265 has the following two functions.
- Second modified normal scheduling function: when the logical values of all access flags 2440 of the PGID management table 2400 stored in the PGID management table storage unit 2262 are “0”, performs execution scheduling of each process on each CPU so that, for each CPU, the ratio of the execution times of the processes belonging to each process group to be executed equals the ratio of the priorities 2420 corresponding to those process groups.
- Second modified limited scheduling function: when any access flag 2440 of the PGID management table 2400 stored in the PGID management table storage unit 2262 has the logical value “1”, performs execution scheduling of each process on each CPU so that the processes to be executed on all CPUs are limited to the processes belonging to the process group identified by the PGID 2410 corresponding to that access flag 2440 whose logical value is “1”.
- the execution control unit 2266 has a function of performing process execution control for each CPU based on the execution schedule scheduled by the scheduler 2265.
- the execution control unit 2266 temporarily interrupts execution control for all processes while the scheduler 2265 performs scheduling.
- the inter-CPU communication control unit 2267 has the same function as the inter-CPU communication control unit 367 in the first embodiment. Therefore, the description is omitted here.
- the access control operation unit 2264 has the following two functions.
- Second modified secure area setting function: when the logical value of an access flag 2440 of the PGID management table 2400 stored in the PGID management table storage unit 2262 is updated to “1”, and the same identifier as the PGID 2410 corresponding to that access flag 2440 is included in the PGID 2310 of the modified secure area management table 2300 stored in the secure area management table storage unit 2263, reads the start address 2320, the end address 2330, and the access right 2340 corresponding to that PGID 2310 and writes them as the start address 220, the end address 230, and the access right 240 of one register, among the registers included in the control register group 131, in which the initial value is written.
- Second modified secure area release function: when the logical value of an access flag 2440 of the PGID management table 2400 stored in the PGID management table storage unit 2262 is updated to “0”, and the same identifier as the PGID 2410 corresponding to that access flag 2440 is included in the PGID 2310 of the modified secure area management table 2300 stored in the secure area management table storage unit 2263, rewrites the start address 220, the end address 230, and the access right 240 of the register in which the values of the start address 2320, the end address 2330, and the access right 2340 corresponding to that PGID 2310 are written to the logical value “0”, which is the initial value.
- the third modified access start process is a process obtained by modifying a part of the access start process (see FIG. 6 and the like) in the first embodiment. It is performed mainly by the OS 2260 and, when notified that a process has started access to the secure area 141, performs rescheduling of the process to be executed and setting of the control register group 131 based on the notification.
- FIG. 25 is a flowchart of the third modified access start process.
- the third modified access start process is started when a secure area start instruction unit (secure area start instruction unit 2241, secure area start instruction unit 2251, etc.) detects that the process including its own module has started access to the secure area 141 and sends a modified access start signal to the access flag update unit 2261.
- the access flag update unit 2261 receives the sent modified access start signal (step S2500).
- the access flag update unit 2261 acquires the PGID included in the received modified access start signal (step S2510). It then checks whether the same identifier as the acquired PGID is included in the PGID 2310 of the modified secure area management table 2300 stored in the secure area management table storage unit 2263, and thereby checks whether an access right to one continuous storage area included in the secure area 141 is set for the process group identified by the acquired PGID (step S2520).
- when the access right is set in step S2520 (step S2520: Yes), that is, when the same identifier as the acquired PGID is included in the modified secure area management table 2300 stored in the secure area management table storage unit 2263, the access flag update unit 2261 updates the access flag 2440 associated with the PGID 2410 having the same identifier as the acquired PGID in the PGID management table 2400 stored in the PGID management table storage unit 2262 to the logical value “1” (step S2530), and requests the scheduler 2265 to perform rescheduling (step S2540).
- when rescheduling is requested, the scheduler 2265 performs the second modified rescheduling process, described later, so that the execution scheduling of each process on each CPU limits the processes executed by each CPU to the processes belonging to the process group identified by the PGID 2410 corresponding to the access flag 2440 whose logical value is “1”. While this scheduling is performed, the execution control unit 2266 temporarily suspends process execution control for all CPUs.
- the access control operation unit 2264 waits until the scheduler 2265 completes scheduling for all the CPUs (step S2550: No is repeated), and then (step S2550: Yes) performs the second modified secure area setting process, described later, whereby the start address 2320, the end address 2330, and the access right 2340 corresponding to the PGID acquired by the access flag update unit 2261 are written into a register, among the registers included in the control register group 131, in which the initial value is written (step S2560).
- the access control operation unit 2264 then notifies the execution control unit 2266 that the register write is complete, and the execution control unit 2266 resumes the process execution control for all CPUs that had been temporarily suspended (step S2570).
- when the access right is not set in step S2520 (step S2520: No), that is, when the same identifier as the acquired PGID is not included in the modified secure area management table 2300 stored in the secure area management table storage unit 2263, the OS 2260 ends the third modified access start process.
- the second modified rescheduling process is a process obtained by modifying a part of the rescheduling process (see FIG. 7 and the like) in the first embodiment, and is performed by the scheduler 2265. It refers to the PGID management table 2400 stored in the PGID management table storage unit 2262 and performs scheduling of each process on each CPU.
- FIG. 26 is a flowchart of the second modified rescheduling process.
- the second modified rescheduling process is started when the access flag update unit 2261 requests rescheduling.
- the scheduler 2265 checks whether an access flag 2440 having the logical value “1” exists in the PGID management table 2400 stored in the PGID management table storage unit 2262 (step S2600).
- when an access flag 2440 whose logical value is “1” exists in step S2600 (step S2600: Yes), the scheduler 2265 performs execution scheduling of each process on each CPU so that the processes to be executed on all CPUs are limited to the processes belonging to the process group identified by the PGID 2410 associated with that access flag 2440 (step S2610).
- when no access flag 2440 whose logical value is “1” exists in step S2600 (step S2600: No), the scheduler 2265 performs execution scheduling of each process on each CPU so that, for each CPU, the ratio of the execution times of the processes belonging to each process group to be executed equals the ratio of the priorities 2420 corresponding to those process groups (step S2620).
- when the processing of step S2610 ends or the processing of step S2620 ends, the scheduler 2265 ends the second modified rescheduling process.
- the second modified secure area setting process is a process obtained by modifying a part of the secure area setting process (see FIG. 8 and the like) in the first embodiment. It is performed by the access control operation unit 2264 and updates the registers included in the control register group 131 when an access flag 2440 of the PGID management table 2400 stored in the PGID management table storage unit 2262 is updated.
- FIG. 27 is a flowchart of the second modified secure area setting process.
- the second modified secure area setting process is started when an access flag 2440 of the PGID management table 2400 stored in the PGID management table storage unit 2262 is updated.
- the access control operation unit 2264 refers to the modified secure area management table 2300 stored in the secure area management table storage unit 2263 and reads the start address 2320, the end address 2330, and the access right 2340 corresponding to the PGID 2310 having the same identifier as the PGID 2410 corresponding to the updated access flag 2440 (step S2700). It then checks whether the logical value of the updated access flag 2440 is “1” (step S2710).
- when the logical value is “1” in step S2710 (step S2710: Yes), the access control operation unit 2264 writes the read values into the start address 220, the end address 230, and the access right 240 of a register, among the registers included in the control register group 131, in which the initial value is written (step S2720).
- when the logical value is “0” in step S2710 (step S2710: No), the access control operation unit 2264 rewrites the start address 220, the end address 230, and the access right 240 of the register in which the start address 2320, the end address 2330, and the access right 2340 corresponding to the PGID 2310 having the same identifier as the PGID 2410 corresponding to the updated access flag 2440 are written to the logical value “0”, which is the initial value (step S2730).
- when the processing of step S2720 ends, or when the processing of step S2730 ends, the access control operation unit 2264 ends the second modified secure area setting process.
- the third modified access end process is a process obtained by modifying a part of the access end process (see FIG. 9 and the like) in the first embodiment. It is performed mainly by the OS 2260 and, when notified that a process has ended access to the secure area 141, performs rescheduling of the process to be executed and setting of the control register group 131 based on the notification.
- FIG. 28 is a flowchart of the third modified access end process.
- the third modified access end process is started when a secure area end instruction unit (secure area end instruction unit 2242, secure area end instruction unit 2252, etc.) detects that the process including its own module has ended access to the secure area 141 and sends a modified access end signal to the access flag update unit 2261.
- the access flag update unit 2261 receives the sent modified access end signal (step S2800).
- upon receipt of the modified access end signal, the access flag update unit 2261 acquires the PGID included in it (step S2810). It then checks whether the same identifier as the acquired PGID is included in the PGID 2310 of the modified secure area management table 2300 stored in the secure area management table storage unit 2263, and thereby checks whether an access right to one continuous storage area included in the secure area 141 is set for the process group identified by the acquired PGID (step S2820).
- when the access right is set in step S2820 (step S2820: Yes), that is, when the same identifier as the acquired PGID is included in the modified secure area management table 2300 stored in the secure area management table storage unit 2263, the access flag update unit 2261 updates the access flag 2440 associated with the PGID 2410 having the same identifier as the acquired PGID in the PGID management table 2400 stored in the PGID management table storage unit 2262 to the logical value “0” (step S2830), and requests the scheduler 2265 to perform rescheduling (step S2840).
- when rescheduling is requested, the scheduler 2265 performs the second modified rescheduling process described above, so that the execution scheduling of each process on each CPU makes, for each CPU, the ratio of the execution times of the processes belonging to each process group to be executed equal to the ratio of the priorities 2420 corresponding to those process groups. While this scheduling is performed, the execution control unit 2266 temporarily suspends process execution control for all CPUs.
- the access control operation unit 2264 waits until the scheduler 2265 completes scheduling for all the CPUs (step S2850: No is repeated), and then (step S2850: Yes) performs the second modified secure area setting process described above, whereby the start address 220, the end address 230, and the access right 240 of the register, among the registers included in the control register group 131, in which the values of the start address 2320, the end address 2330, and the access right 2340 corresponding to the PGID 2310 having the same identifier as the PGID 2410 corresponding to the updated access flag 2440 are written, are rewritten to the logical value “0”, which is the initial value (step S2860).
- when the processing of step S2860 ends, the access control operation unit 2264 notifies the execution control unit 2266 that the register write is complete, and the execution control unit 2266 resumes the process execution control for all CPUs that had been temporarily suspended (step S2870).
- when the access right is not set in step S2820 (step S2820: No), that is, when the same identifier as the acquired PGID is not included in the modified secure area management table 2300 stored in the secure area management table storage unit 2263, the OS 2260 ends the third modified access end process.
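- As an added illustration, not code from the patent, the Python below simulates the OS 2260 side of the fourth embodiment end to end: the access flag update on a modified access start or end signal (FIGS. 25 and 28), the second modified rescheduling process that switches between the priority-ratio schedule and the limited schedule (FIG. 26), and the second modified secure area setting process that programs or releases a register of the control register group 131 (FIG. 27). The class names `OS2260` and `ProcessGroup`, the table rows, the PIDs, the address values and the assumption that the control register group 131 holds two registers are all constructed for the example. The text only states that limited scheduling restricts the candidates to the flagged process groups; splitting time among several flagged groups in the ratio of their priorities 2420 is an assumption made here.

```python
from dataclasses import dataclass, field
from fractions import Fraction

# Constructed rows standing in for the modified secure area management table 2300:
# PGID 2310 -> (start address 2320, end address 2330, access right 2340).
# Addresses and access-right strings are assumptions, not values from the patent.
SECURE_AREA_TABLE = {
    1: (0x1000, 0x1FFF, "RW"),
    2: (0x2000, 0x2FFF, "R"),
}
# Initial value of (start address 220, end address 230, access right 240) in a
# register of the control register group 131: the logical value 0.
INITIAL = (0, 0, 0)


@dataclass
class ProcessGroup:
    """One row of the PGID management table 2400 (assumed model)."""
    pgid: int              # PGID 2410
    priority: int          # priority 2420 (0..99, larger is higher)
    pids: list             # PID 2430 of each member process
    access_flag: int = 0   # access flag 2440


@dataclass
class OS2260:
    groups: dict                        # PGID 2410 -> ProcessGroup
    registers: list = field(default_factory=lambda: [INITIAL, INITIAL])  # assumed: 2 registers
    ncpu: int = 4                       # CPUA 121 to CPUD 124
    exec_suspended: bool = False        # execution control unit 2266 state

    def group_of(self, pid):
        for g in self.groups.values():
            if pid in g.pids:
                return g
        raise KeyError(pid)

    # access flag update unit 2261
    def on_access_start(self, pgid):
        """Third modified access start process (FIG. 25)."""
        return self._update_flag(pgid, 1)

    def on_access_end(self, pgid):
        """Third modified access end process (FIG. 28)."""
        return self._update_flag(pgid, 0)

    def _update_flag(self, pgid, value):
        if pgid not in SECURE_AREA_TABLE:
            return None                         # S2520 / S2820: No -> process ends
        self.groups[pgid].access_flag = value   # S2530 / S2830
        self.exec_suspended = True              # 2266 pauses execution control
        schedule = self.reschedule()            # S2540 / S2840, waited for in S2550 / S2850
        self.set_secure_area(pgid, value)       # S2560 / S2860 (FIG. 27)
        self.exec_suspended = False             # S2570 / S2870
        return schedule

    # scheduler 2265: second modified rescheduling process (FIG. 26)
    def reschedule(self):
        flagged = [g for g in self.groups.values() if g.access_flag == 1]
        # S2600: Yes -> S2610 limited scheduling; No -> S2620 priority-ratio scheduling.
        candidates = flagged if flagged else list(self.groups.values())
        total = sum(g.priority for g in candidates)
        share = {g.pgid: Fraction(g.priority, total) for g in candidates}
        return {cpu: dict(share) for cpu in range(self.ncpu)}   # per-CPU time shares

    # access control operation unit 2264: second modified secure area setting (FIG. 27)
    def set_secure_area(self, pgid, flag_value):
        entry = SECURE_AREA_TABLE[pgid]                          # S2700
        if flag_value == 1:                                      # S2710: Yes -> S2720
            self.registers[self.registers.index(INITIAL)] = entry
        else:                                                    # S2710: No -> S2730
            self.registers[self.registers.index(entry)] = INITIAL

    def runnable(self, pid):
        """Whether a process may be scheduled on any CPU under the current flags."""
        flagged = {g.pgid for g in self.groups.values() if g.access_flag == 1}
        return not flagged or self.group_of(pid).pgid in flagged


def run_scenario():
    """Constructed timeline: process group 1 enters and then leaves the secure area 141."""
    os_ = OS2260(groups={
        1: ProcessGroup(1, 60, [100, 140]),   # secure process group
        2: ProcessGroup(2, 30, [200]),        # secure process group
        5: ProcessGroup(5, 10, [500, 510]),   # non-secure process group
    })
    normal = os_.reschedule()[0]              # all flags 0: priority ratio 60:30:10
    os_.on_access_start(1)
    limited = os_.reschedule()[0]             # flag of PGID 1 is 1: only group 1 runs
    regs_during = list(os_.registers)
    can_run_500 = os_.runnable(500)           # non-secure process during the access
    os_.on_access_end(1)
    regs_after = list(os_.registers)
    return normal, limited, regs_during, can_run_500, regs_after
```

Running `run_scenario()` shows the property FIG. 29 illustrates: while the flag of group 1 is set, no CPU schedules a non-secure process and one register of the control register group 131 carries group 1's range and access right; after the end signal the register returns to its initial value and the priority-ratio schedule resumes.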
- FIG. 29 is an example of a timing chart of each CPU in the second modified computer system having the above configuration.
- each rectangle with a number indicates that the process being executed in the corresponding CPU is a process identified by the PID of the number, and the broken line portion indicates that the corresponding CPU is in an idle state.
- the first period 2910 indicates a period in which the secure area 141 is being accessed by the secure process identified by the PID 140 being executed by the CPUC 123, and the second period 2920 indicates a period in which the secure area 141 is being accessed by the secure process identified by the PID 100 being executed by the CPUB 122.
- during a secure area access period, in which a secure process executed by any CPU is accessing the secure area 141 (as in the first modified computer system), no process other than those of the secure process group to which that secure process belongs (for example, the secure process group whose PGID is 1) is executed, so no non-secure process is executed in the secure area access period.
- outside a secure area access period, both secure processes belonging to a secure process group and non-secure processes belonging to a non-secure process group can be executed.
- <Supplement> Examples of four computer systems have been described in the first to fourth embodiments as embodiments of the computer system according to the present invention. However, the present invention can be modified as follows, and the computer system is of course not limited to those shown in the embodiments described above.
- in the embodiments, the configuration example in which the number of processors using the memory 140 is four has been described. However, the number of processors need not be four, as long as two or more programs can be executed in parallel. As one example, a configuration in which the number of processors is two can be considered.
- in the embodiments, the configuration example including the access control device 130 between the memory 140 and the bus 150 has been described. However, the access control device 130 need not be provided between the memory 140 and the bus 150, as long as access control equivalent to that of the access control device 130 can be realized for accesses to the memory 140 by the CPUA 121 to CPUD 124. As one example, a configuration in which the bus 150 has a function equivalent to that of the access control device 130 can be considered.
- in the embodiments, the configuration example in which the access control device 130 includes the control register group 131 and performs access control to the memory based on the register values set in the control register group 131 has been described. However, the access control device 130 need not include the control register group 131, as long as a function equivalent to that of the access control device 130 can be realized. As one example, a configuration in which the access control device 130 has a built-in controller, and accesses to the memory are controlled by that built-in controller, can be considered.
- in the embodiments, the configuration example in which the CPUA 121 to CPUD 124 have a user mode, a first privileged mode, and a second privileged mode as their operation modes, execute the OS in the first privileged mode, and execute the hypervisor in the second privileged mode has been described. However, the CPUA 121 to CPUD 124 may instead have a user mode and a privileged mode as their operation modes, and execute both the OS and the hypervisor in the privileged mode.
- the computer system 1800 has been described with the configuration example including the timer 1705 controlled by the CPUA 121 to CPUD 124. However, a configuration in which each CPU includes its own timer, operating independently of the others, can be considered.
- The example in which the MPU 120, the access control device 130, the memory 140, the bus 150, the first interface 160, the second interface 170, and the third interface 180 are integrated in one integrated circuit 110 has been described. However, if a function equivalent to that of the integrated circuit 110 can be realized, these circuits need not be integrated in a single integrated circuit. As an example, a configuration in which each circuit is integrated in a different integrated circuit can be considered.
- According to one aspect, a computer system includes a memory having a secure storage area and first and second processors that use the memory. As functional components realized by at least one of the two processors executing a program stored in the memory, it includes an execution control unit that performs execution control of a plurality of program execution units to be executed by the first and second processors, and a start notification receiving unit that receives an access start notification indicating that an access-permitted program execution unit, i.e. one permitted to access the secure storage area, is about to start accessing the secure storage area through the first processor.
- When the access start notification is received by the start notification receiving unit, the execution control unit performs the execution control so that the program execution units executed by the second processor are limited to access-permitted program execution units.
- In this computer system, during the period in which a program execution unit including a secure program accesses the secure storage area, program execution units including non-secure programs are excluded from execution. Compared with a conventional computer system in which each processor is scheduled by gang scheduling, processor utilization is more likely to be improved.
- FIG. 31 is a schematic configuration diagram of a computer system 3100 according to the above modification.
- The computer system 3100 includes a memory 3110, a first processor 3120, and a second processor 3130.
- The memory 3110 has a secure storage area. As an example, it is realized as the memory 140 in the first embodiment.
- The first processor 3120 uses the memory 3110. As an example, it is realized as the CPUA 121 in the first embodiment.
- The second processor 3130 uses the memory 3110. As an example, it is realized as the CPUB 122 in the first embodiment.
- The execution control unit 3140 is a functional component realized when at least one of the first processor 3120 and the second processor 3130 executes a program stored in the memory 3110. It performs execution control of a plurality of program execution units to be executed by the first processor 3120 and the second processor 3130. As an example, it is realized as a functional block including the OSID management table storage unit 362, the secure area management table storage unit 363, the scheduler 365, and the execution control unit 366 in the first embodiment.
- The start notification receiving unit 3150 is a functional component realized when at least one of the first processor 3120 and the second processor 3130 executes a program stored in the memory 3110. It receives an access start notification indicating that an access-permitted program execution unit, executed by the first processor 3120 and permitted to access the secure storage area, is about to start accessing the secure storage area. As an example, it is realized as the access flag update unit 361 in the first embodiment.
- When the access start notification is received by the start notification receiving unit 3150, the execution control unit 3140 further performs execution control so that the program execution units executed by the second processor 3130 are limited to access-permitted program execution units.
- The computer system may further include an end notification receiving unit that receives an access end notification indicating that access to the secure storage area by the first processor is ended. While performing the limited execution control, the execution control unit may release the limitation and perform the execution control when the access end notification is received.
- The computer system may also include an execution control value management unit that manages an execution control value for each access-permitted program execution unit. When the access start notification is received by the start notification receiving unit, the execution control value management unit sets the execution control value of each access-permitted program execution unit to a predetermined value; while those values are set to the predetermined value and the access end notification is received by the end notification receiving unit, it sets each of them to a respective value other than the predetermined value. The execution control unit then performs the execution control by limiting the program execution units executed by the second processor to access-permitted program execution units only during the period in which the execution control value of each access-permitted program execution unit is set to the predetermined value.
- In this way, the execution control unit can perform execution control using the execution control values managed by the execution control value management unit.
- Each program execution unit may include one operating system and a group of programs whose execution is controlled by that operating system, and the operating system included in each access-permitted program execution unit may be one of the access-permitted operating systems, i.e. operating systems permitted to access the secure storage area.
- In this way, a virtual machine composed of one operating system and the group of programs controlled by it can be made the target of execution control.
- Each access-permitted operating system may include a start detection unit that detects the start of access to the secure storage area by the first processor executing that operating system, a start notification unit that sends the access start notification to the start notification receiving unit when the start detection unit detects the start of access, an end detection unit that detects the end of access to the secure storage area by the first processor executing that operating system, and an end notification unit that sends the access end notification to the end notification receiving unit when the start detection unit detects the end of access to the secure storage area.
- In this way, each access-permitted operating system can perform the access start notification and the access end notification.
- The computer system may further include an access control device having a setting register, which permits access to the secure storage area by the first processor and by the second processor during a setting period in which a predetermined register value is set in the setting register, and prohibits such access during periods other than the setting period. It may also include a register setting unit that sets the predetermined register value in the setting register when the access start notification is received by the start notification receiving unit and, while the predetermined register value is set, sets a register value other than the predetermined register value when the access end notification is received by the end notification receiving unit.
- In this way, the access control device can be made to permit access to the secure storage area only during the period from receipt of the access start notification until receipt of the access end notification.
- The access control device may further send the access start notification to the start notification receiving unit when an access instruction to the secure storage area is issued by the first processor during a period other than the setting period.
- According to another aspect, a computer system includes a memory having a secure storage area and first and second processors that use the memory. As functional components realized by at least one of the two processors executing a program stored in the memory, it includes an execution control unit that performs execution control of a plurality of program execution units to be executed by the first and second processors, and an end notification receiving unit that receives an access end notification indicating that access to the secure storage area by the first processor is ended.
- When performing execution control such that the program execution units executed by the second processor are limited to access-permitted program execution units, the execution control unit releases the limitation and performs the execution control when the access end notification is received by the end notification receiving unit.
- Because the execution control unit controls execution of a plurality of program execution units, a processor can execute a program belonging to another program execution unit even when, during this period, one program execution unit has no program for that processor to execute.
- Here too, program execution units including non-secure programs are excluded from execution while a program execution unit including a secure program accesses the secure storage area, so processor utilization is more likely to be improved than in a conventional computer system in which each processor is scheduled by gang scheduling.
- The present invention can be widely used in computer systems having a plurality of processors.
Description
The inventor examined in detail a configuration in which the period during which a secure program is executed is controlled by a technique such as that of Patent Document 1 described above, and the access permission setting is made in the access control device only during that period.
<Embodiment 1>
<Overview>
Hereinafter, as one embodiment of the computer system according to the present invention, a computer system is described that comprises a memory having a secure area storing information to be kept confidential, four processors that use the memory, and an access control device that controls access to the secure area by the processors.
FIG. 1 is a block diagram showing the main hardware configuration of the computer system 100.
Here, among the operations performed by the computer system 100, the characteristic operations are described: access start processing, rescheduling processing, secure area setting processing, access end processing, and access control processing.
Access start processing is performed mainly by the hypervisor 360. On receiving a notification from OSa 340 or OSb 350 that access to the secure area 141 is about to start, the hypervisor reschedules the OSes to be executed and sets the control register group 131 based on that notification.
When rescheduling is requested, the scheduler 365 performs the rescheduling processing described below so that, on each CPU, the OS executed is limited to those identified by an OSID 510 whose corresponding access flag 530 has the logical value "1".
Rescheduling processing is performed by the scheduler 365: when rescheduling is requested, it refers to the OSID management table 500 stored in the OSID management table storage unit 362 and schedules each OS on each CPU.
Secure area setting processing is performed by the access control operation unit 364: when an access flag 530 in the OSID management table 500 stored in the OSID management table storage unit 362 is updated, it updates the registers included in the control register group 131.
Access end processing is performed mainly by the hypervisor 360. On receiving a notification from OSa 340 or OSb 350 that access to the secure area 141 is about to end, the hypervisor reschedules the OSes to be executed and sets the control register group 131 based on that notification.
Access control processing is performed by the access control device 130: when any of the CPUA 121 to CPUD 124 requests access to the memory 140 and a predetermined condition is satisfied, the access is prohibited.
FIG. 11 is an example of a timing chart of each CPU in the computer system 100 configured as above.
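As an added example that is not part of the patent, the following Python model walks through the five processes described above for the computer system 100 (and the aspects summarized earlier): while any access flag is "1", every CPU is scheduled only onto flagged OSes and the access control register is set; on the access end notification the limitation is released and the register cleared. The class and function names, the address range used as the secure area, and the OS set are constructed here, and it is assumed that one OS may run on several CPUs at once, which the page does not state.

```python
# Added example (not the patent's code): model of computer system 100's access
# start/end processing, rescheduling and access control; all names are constructed.
from dataclasses import dataclass
from itertools import cycle

SECURE_REGION = range(0x1000, 0x2000)   # constructed stand-in for secure area 141

@dataclass
class OsEntry:                 # one row of the OSID management table 500
    osid: str                  # OSID 510
    permitted: bool            # access-permitted OS: may use the secure area at all
    access_flag: int = 0       # access flag 530: "1" while a secure access is in progress

class AccessControlDevice:     # stand-in for access control device 130
    def __init__(self):
        self.secure_enabled = False   # value held in control register group 131

    def check(self, addr):
        """Access control processing: True if passed to memory, False if refused."""
        if addr in SECURE_REGION and not self.secure_enabled:
            return False              # secure area access outside the permitted period
        return True

class Hypervisor:              # stand-in for hypervisor 360
    def __init__(self, table, cpus, acd):
        self.table = {e.osid: e for e in table}
        self.acd = acd
        # Each CPU rotates round-robin through every OS, staggered so the CPUs start
        # on different OSes. Assumption: an OS may run on several CPUs at once.
        self.rotation = {}
        for i, cpu in enumerate(cpus):
            rot = cycle(self.table)
            for _ in range(i):
                next(rot)
            self.rotation[cpu] = rot
        self.running = {cpu: None for cpu in cpus}
        self.reschedule()

    # access start processing: notification from an access-permitted OS (OSa/OSb)
    def access_start(self, osid):
        if not self.table[osid].permitted:
            raise PermissionError(f"{osid} is not permitted to use the secure area")
        for e in self.table.values():          # access flag update unit 361
            e.access_flag = 1 if e.permitted else 0
        self.secure_area_setting()
        self.reschedule()

    # access end processing: flags cleared, register cleared, limitation released
    def access_end(self, osid):
        for e in self.table.values():
            e.access_flag = 0
        self.secure_area_setting()
        self.reschedule()

    # secure area setting processing (access control operation unit 364)
    def secure_area_setting(self):
        self.acd.secure_enabled = any(e.access_flag == 1 for e in self.table.values())

    # rescheduling processing (scheduler 365): only flag-"1" OSes while restricted
    def runnable(self):
        flagged = [o for o, e in self.table.items() if e.access_flag == 1]
        return flagged if flagged else list(self.table)

    def reschedule(self):
        allowed = self.runnable()              # never empty, so the loop terminates
        for cpu, rot in self.rotation.items():
            cand = next(rot)
            while cand not in allowed:         # skip OSes not currently schedulable
                cand = next(rot)
            self.running[cpu] = cand

def demo():
    """FIG. 11-style sequence; returns the observed states so they can be checked."""
    acd = AccessControlDevice()
    hv = Hypervisor([OsEntry("OSa", True), OsEntry("OSb", True), OsEntry("OSc", False)],
                    ["CPUA", "CPUB", "CPUC", "CPUD"], acd)
    before = dict(hv.running)
    hv.access_start("OSa")          # OSa (on CPUA) notifies that secure access starts
    during, ok_during = dict(hv.running), acd.check(0x1800)
    hv.access_end("OSa")            # OSa notifies that the access has ended
    return before, during, ok_during, acd.check(0x1800), dict(hv.running)

if __name__ == "__main__":
    print(demo())
```

The non-secure OSc disappears from every CPU only while the flags are set, and the same secure-area address is accepted by the access control device during that window and refused before and after it.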
<Embodiment 2>
<Overview>
Hereinafter, as one embodiment of the computer system according to the present invention, a first modified computer system is described, obtained by partially modifying the computer system 100 of Embodiment 1.
The hardware configuration of the first modified computer system is the same as that of the computer system 100 of Embodiment 1, so its description is omitted here.
Here, among the operations performed by the first modified computer system, the characteristic operations are described: the first modified access start processing, the first modified rescheduling processing, the first modified secure area setting processing, and the first modified access end processing.
The first modified access start processing is a partial modification of the access start processing in Embodiment 1 (see FIG. 6 and others) and is performed mainly by the hypervisor 1260. On receiving a notification from OSa 340 or OSb 350 that access to the secure area 141 is about to start, the hypervisor reschedules the OSes to be executed and sets the control register group 131 based on that notification.
When rescheduling is requested, the modified scheduler 1265 performs the first modified rescheduling processing described below so that, on each CPU, the OS executed is limited to those identified by an OSID 1310 whose corresponding priority 1320 has the value "100".
The first modified rescheduling processing is a partial modification of the rescheduling processing in Embodiment 1 (see FIG. 7 and others) and is performed by the modified scheduler 1265: when rescheduling is requested, it refers to the modified OSID management table 1300 stored in the modified OSID management table storage unit 1262 and schedules each OS on each CPU.
The first modified secure area setting processing is a partial modification of the secure area setting processing in Embodiment 1 (see FIG. 8 and others) and is performed by the modified access control operation unit 1264: when a priority 1320 in the modified OSID management table 1300 stored in the modified OSID management table storage unit 1262 is updated, it updates the registers included in the control register group 131.
The first modified access end processing is a partial modification of the access end processing in Embodiment 1 (see FIG. 9 and others) and is performed mainly by the hypervisor 1260. On receiving a notification from OSa 340 or OSb 350 that access to the secure area 141 is about to end, the hypervisor reschedules the OSes to be executed and sets the control register group 131 based on that notification.
When rescheduling is requested, the modified scheduler 1265 performs the first modified rescheduling processing described above so that, on each CPU, the ratio of the execution times of the OSes executed equals the ratio of the priorities 1320 corresponding to those OSes.
<Embodiment 3>
<Overview>
Hereinafter, as one embodiment of the computer system according to the present invention, a computer system 1800 is described, obtained by partially modifying the computer system 100 of Embodiment 1.
FIG. 18 is a block diagram showing the main hardware configuration of the computer system 1800.
Here, among the operations performed by the computer system 1800, the characteristic operations are described: the second modified access start processing and the second modified access end processing.
The second modified access start processing is a partial modification of the access start processing in Embodiment 1 (see FIG. 6 and others) and is performed mainly by the hypervisor 1960. When the interrupt processing unit 1970 detects a memory access exception interrupt issued by the interrupt controller 1825 to any of the CPUA 121 to CPUD 124, the hypervisor reschedules the OSes to be executed and sets the control register group 131 based on that memory access exception interrupt.
The second modified access end processing is a partial modification of the access end processing in Embodiment 1 (see FIG. 9 and others) and is performed mainly by the hypervisor 1960. When the interrupt processing unit 1970 detects a timer interrupt issued by the timer 1705 to any of the CPUA 121 to CPUD 124, the hypervisor reschedules the OSes to be executed and sets the control register group 131 based on that timer interrupt.
<Embodiment 4>
<Overview>
Hereinafter, as one embodiment of the computer system according to the present invention, a second modified computer system is described, obtained by partially modifying the computer system 100 of Embodiment 1.
The hardware configuration of the second modified computer system is the same as that of the computer system 100 of Embodiment 1, so its description is omitted here.
Here, among the operations performed by the computer system 100, the characteristic operations are described: the third modified access start processing, the second modified rescheduling processing, the second modified secure area setting processing, and the third modified access end processing.
The third modified access start processing is a partial modification of the access start processing in Embodiment 1 (see FIG. 6 and others) and is performed mainly by the OS 2260. On receiving a notification from a process that access to the secure area 141 is about to start, the OS reschedules the processes to be executed and sets the control register group 131 based on that notification.
When rescheduling is requested, the scheduler 2265 performs the second modified rescheduling processing described below so that, on each CPU, the processes executed are limited to those belonging to the process groups identified by a PGID 2410 whose corresponding access flag 2440 has the logical value "1".
The rescheduling processing is a partial modification of the rescheduling processing in Embodiment 1 (see FIG. 7 and others) and is performed by the scheduler 365: when rescheduling is requested, it refers to the OSID management table 500 stored in the OSID management table storage unit 362 and schedules each OS on each CPU.
The second modified secure area setting processing is a partial modification of the secure area setting processing in Embodiment 1 (see FIG. 8 and others) and is performed by the access control operation unit 2264: when an access flag 2440 in the PGID management table 2400 stored in the PGID management table storage unit 2262 is updated, it updates the registers included in the control register group 131.
The third modified access end processing is a partial modification of the access end processing in Embodiment 1 (see FIG. 9 and others) and is performed mainly by the OS 2260. On receiving a notification from a process that access to the secure area 141 is about to end, the OS reschedules the processes to be executed and sets the control register group 131 based on that notification.
FIG. 29 is an example of a timing chart of each CPU in the second modified computer system configured as above.
<Supplementary remarks>
As one embodiment of the computer system according to the present invention, four example computer systems have been described in Embodiments 1 to 4. However, modifications such as the following are also possible, and the present invention is of course not limited to the computer systems exactly as shown in the embodiments above.
110 Integrated circuit
121 CPUA
122 CPUB
123 CPUC
124 CPUD
125 Interrupt controller
130 Access control device
131 Control register group
130 Memory
141 Secure area
340 OSa
341 Secure area start instruction unit
342 Secure area end instruction unit
350 OSb
351 Secure area start instruction unit
352 Secure area end instruction unit
360 Hypervisor
361 Access flag update unit
362 OSID management table storage unit
363 Secure area management table storage unit
364 Access control operation unit
365 Scheduler
366 Execution control unit
367 Inter-CPU communication control unit
Claims (11)
- A computer system comprising a memory having a secure storage area and first and second processors that use the memory, wherein, as functional components realized by at least one of the first processor and the second processor executing a program stored in the memory, the computer system comprises: an execution control unit that performs execution control of a plurality of program execution units to be executed by the first processor and the second processor; and a start notification receiving unit that receives an access start notification indicating that access to the secure storage area is to be started by the first processor from an access-permitted program execution unit, which is a program execution unit permitted to access the secure storage area; and wherein the execution control unit, when the access start notification is received by the start notification receiving unit, performs the execution control such that the program execution units executed by the second processor are limited to access-permitted program execution units.
- The computer system according to claim 1, further comprising an end notification receiving unit that receives an access end notification indicating that access to the secure storage area by the first processor is to be ended, wherein the execution control unit, while performing the limited execution control, releases the limitation and performs the execution control when the access end notification is received by the end notification receiving unit.
- The computer system according to claim 2, further comprising an execution control value management unit that manages an execution control value for each of the access-permitted program execution units, wherein the execution control value management unit sets the execution control value of each access-permitted program execution unit to a predetermined value when the access start notification is received by the start notification receiving unit and, while the execution control values of the access-permitted program execution units are set to the predetermined value, sets each of them to a respective value other than the predetermined value when the access end notification is received by the end notification receiving unit; and wherein the execution control unit performs the execution control by limiting the program execution units executed by the second processor to the access-permitted program execution units only during the period in which the execution control value of each access-permitted program execution unit is set to the predetermined value.
- The computer system according to claim 3, wherein each of the program execution units includes one operating system and a group of programs whose execution is controlled by that operating system, and the operating system included in each access-permitted program execution unit is one of the access-permitted operating systems, which are operating systems permitted to access the secure storage area.
- The computer system according to claim 4, wherein each of the access-permitted operating systems comprises: a start detection unit that detects the start of access to the secure storage area by the first processor executing that operating system; a start notification unit that sends the access start notification to the start notification receiving unit when the start detection unit detects the start of access to the secure storage area; an end detection unit that detects the end of access to the secure storage area by the first processor executing that operating system; and an end notification unit that sends the access end notification to the end notification receiving unit when the start detection unit detects the end of access to the secure storage area.
- The computer system according to claim 3, further comprising an access control device that has a setting register and that permits access to the secure storage area by the first processor and access to the secure storage area by the second processor during a setting period in which a predetermined register value is set in the setting register, and prohibits access to the secure storage area by the first processor and access to the secure storage area by the second processor during periods other than the setting period; and comprising a register setting unit that sets the predetermined register value in the setting register when the access start notification is received by the start notification receiving unit and, while the predetermined register value is set in the setting register, sets a register value other than the predetermined register value in the setting register when the access end notification is received by the end notification receiving unit.
- The computer system according to claim 6, wherein the access control device further sends the access start notification to the start notification receiving unit when an access instruction to the secure storage area is issued by the first processor during a period other than the setting period.
- A computer system comprising a memory having a secure storage area and first and second processors that use the memory, wherein, as functional components realized by at least one of the first processor and the second processor executing a program stored in the memory, the computer system comprises: an execution control unit that performs execution control of a plurality of program execution units to be executed by the first processor and the second processor; and an end notification receiving unit that receives an access end notification indicating that access to the secure storage area by the first processor is to be ended; and wherein the execution control unit, when performing the execution control such that the program execution units executed by the second processor are limited to the access-permitted program execution units, releases the limitation and performs the execution control when the access end notification is received by the end notification receiving unit.
- A computer system control method for controlling a computer system comprising a memory having a secure storage area and first and second processors that use the memory, the method comprising: an execution control step of performing execution control of a plurality of program execution units to be executed by the first processor and the second processor; and a start notification receiving step of receiving an access start notification indicating that access to the secure storage area is to be started by the first processor from an access-permitted program execution unit, which is a program execution unit permitted to access the secure storage area; wherein the execution control step, when the access start notification is received in the start notification receiving step, performs the execution control such that the program execution units executed by the second processor are limited to access-permitted program execution units.
- A computer system control program for causing a computer system comprising a memory having a secure storage area and first and second processors that use the memory to execute computer system control processing that controls the computer system itself, the computer system control processing comprising: an execution control step of performing execution control of a plurality of program execution units to be executed by the first processor and the second processor; and a start notification receiving step of receiving an access start notification indicating that access to the secure storage area is to be started by the first processor from an access-permitted program execution unit, which is a program execution unit permitted to access the secure storage area; wherein the execution control step, when the access start notification is received in the start notification receiving step, performs the execution control such that the program execution units executed by the second processor are limited to access-permitted program execution units.
- An integrated circuit comprising a memory having a secure storage area and first and second processors that use the memory, wherein, as functional components realized by at least one of the first processor and the second processor executing a program stored in the memory, the integrated circuit comprises: an execution control unit that performs execution control of a plurality of program execution units to be executed by the first processor and the second processor; and a start notification receiving unit that receives an access start notification indicating that access to the secure storage area is to be started by the first processor from an access-permitted program execution unit, which is a program execution unit permitted to access the secure storage area; and wherein the execution control unit, when the access start notification is received by the start notification receiving unit, performs the execution control such that the program execution units executed by the second processor are limited to access-permitted program execution units.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201280003604.0A CN103201750B (zh) | 2011-09-08 | 2012-07-20 | 计算机系统、计算机系统控制方法及集成电路 |
US13/876,963 US8881265B2 (en) | 2011-09-08 | 2012-07-20 | Computer system, computer system control method, computer system control program, and integrated circuit |
JP2013532409A JP5977243B2 (ja) | 2011-09-08 | 2012-07-20 | 計算機システム、計算機システム制御方法、計算機システム制御プログラム、及び集積回路 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2011195822 | 2011-09-08 | ||
JP2011-195822 | 2011-09-08 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013035235A1 true WO2013035235A1 (ja) | 2013-03-14 |
Family
ID=47831716
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2012/004625 WO2013035235A1 (ja) | 2011-09-08 | 2012-07-20 | 計算機システム、計算機システム制御方法、計算機システム制御プログラム、及び集積回路 |
Country Status (4)
Country | Link |
---|---|
US (1) | US8881265B2 (ja) |
JP (1) | JP5977243B2 (ja) |
CN (1) | CN103201750B (ja) |
WO (1) | WO2013035235A1 (ja) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102012218363A1 (de) * | 2012-10-09 | 2014-04-10 | Continental Automotive Gmbh | Verfahren zur Steuerung eines getrennten Ablaufs von verknüpften Programmblöcken und Steuergerät |
TWM490202U (en) | 2014-08-06 | 2014-11-21 | Cheng-An Wang | Impact type sprinkler base |
JP2017037505A (ja) | 2015-08-11 | 2017-02-16 | ルネサスエレクトロニクス株式会社 | 半導体装置 |
US11237828B2 (en) * | 2016-04-26 | 2022-02-01 | Onnivation, LLC | Secure matrix space with partitions for concurrent use |
US10635831B1 (en) * | 2018-01-06 | 2020-04-28 | Ralph Crittenden Moore | Method to achieve better security using a memory protection unit |
US11886910B2 (en) * | 2019-12-27 | 2024-01-30 | Intel Corporation | Dynamic prioritization of system-on-chip interconnect traffic using information from an operating system and hardware |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007004661A (ja) * | 2005-06-27 | 2007-01-11 | Hitachi Ltd | 仮想計算機の制御方法及びプログラム |
JP2008176637A (ja) * | 2007-01-19 | 2008-07-31 | Toshiba Corp | 情報処理装置 |
JP2008250386A (ja) * | 2007-03-29 | 2008-10-16 | Toshiba Corp | アクセス制御装置及びコンピュータシステム |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7415725B2 (en) * | 2002-08-29 | 2008-08-19 | Power Measurement Ltd. | Multi-function intelligent electronic device with secure access |
JP2005234794A (ja) * | 2004-02-18 | 2005-09-02 | Matsushita Electric Ind Co Ltd | ファイルシステム制御装置 |
JP4601557B2 (ja) * | 2005-02-07 | 2010-12-22 | 株式会社ソニー・コンピュータエンタテインメント | マルチプロセッサシステムにおいてプロセッサのセキュアな連携を行う方法および装置 |
GB2445373B (en) * | 2007-01-03 | 2010-12-29 | Advanced Risc Mach Ltd | A data processing apparatus and method for managing access to a display buffer |
US8307426B2 (en) * | 2007-01-26 | 2012-11-06 | Mips Technologies, Inc. | Systems and methods for controlling the use of processing algorithms, and applications thereof |
JP5308629B2 (ja) * | 2007-03-26 | 2013-10-09 | ルネサスエレクトロニクス株式会社 | マルチプロセッサシステム及びマルチプロセッサシステムにおけるアクセス保護方法 |
US8255988B2 (en) * | 2007-03-28 | 2012-08-28 | Microsoft Corporation | Direct peripheral communication for restricted mode operation |
US8001592B2 (en) * | 2007-05-09 | 2011-08-16 | Sony Computer Entertainment Inc. | Methods and apparatus for accessing resources using a multiprocessor in a trusted mode |
GB2459097B (en) * | 2008-04-08 | 2012-03-28 | Advanced Risc Mach Ltd | A method and apparatus for processing and displaying secure and non-secure data |
CN102027544B (zh) * | 2008-07-16 | 2013-11-06 | 松下电器产业株式会社 | 再生装置、再生方法及程序 |
US8190839B2 (en) * | 2009-03-11 | 2012-05-29 | Applied Micro Circuits Corporation | Using domains for physical address management in a multiprocessor system |
US20120240220A1 (en) * | 2011-03-15 | 2012-09-20 | Raytheon Company | Method and system for controlling data access on user interfaces |
Events
- 2012-07-20 WO PCT/JP2012/004625 patent/WO2013035235A1/ja active Application Filing
- 2012-07-20 US US13/876,963 patent/US8881265B2/en not_active Expired - Fee Related
- 2012-07-20 JP JP2013532409A patent/JP5977243B2/ja not_active Expired - Fee Related
- 2012-07-20 CN CN201280003604.0A patent/CN103201750B/zh not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
JP5977243B2 (ja) | 2016-08-24 |
CN103201750B (zh) | 2016-12-28 |
US20130191617A1 (en) | 2013-07-25 |
US8881265B2 (en) | 2014-11-04 |
JPWO2013035235A1 (ja) | 2015-03-23 |
CN103201750A (zh) | 2013-07-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 13876963; Country of ref document: US |
| ENP | Entry into the national phase | Ref document number: 2013532409; Country of ref document: JP; Kind code of ref document: A |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12829536; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 12829536; Country of ref document: EP; Kind code of ref document: A1 |