MULTI-TENANT DATA PROTECTION IN EDGE COMPUTING ENVIRONMENTS

US 20200134207A1
Filed: 12/20/2019
Published: 04/30/2020
Est. Priority Date: 09/28/2019
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

memory; and

processing circuitry coupled to the memory, the processing circuitry configured to;

obtain, from an orchestration provider, a workflow execution plan, the workflow execution plan including workload metadata defining a plurality of workloads associated with a plurality of edge service instances, the instances executing on one or more edge computing devices within an edge computing system;

translate the workload metadata to obtain workload configuration information for the plurality of workloads, the workload configuration information identifying a plurality of memory access configurations and service authorizations, the service authorizations identifying at least one edge service instance of the edge service instances authorized to access one or more of the plurality of memory access configurations;

partition the memory into a plurality of shared memory regions using the plurality of memory access configurations; and

process a memory access request for accessing at least one of the plurality of shared memory regions based on the service authorizations, the memory access request received from an edge service instance of the plurality of edge service instances.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various approaches for implementing multi-tenant data protection are described. In an edge computing system deployment, a system includes memory and processing circuitry coupled to the memory. The processing circuitry is configured to obtain a workflow execution plan that includes workload metadata defining a plurality of workloads associated with a plurality of edge service instances executing respectively on one or more edge computing devices. The workload metadata is translated to obtain workload configuration information for the plurality of workloads. The workload configuration information identifies a plurality of memory access configurations and service authorizations identifying at least one edge service instance authorized to access one or more of the memory access configurations. The memory is partitioned into a plurality of shared memory regions using the memory access configurations. A memory access request for accessing one of the shared memory regions is processed based on the service authorizations.

Citations

26 Claims

1. A system comprising:
- memory; and
  
  processing circuitry coupled to the memory, the processing circuitry configured to;
  
  obtain, from an orchestration provider, a workflow execution plan, the workflow execution plan including workload metadata defining a plurality of workloads associated with a plurality of edge service instances, the instances executing on one or more edge computing devices within an edge computing system;
  
  translate the workload metadata to obtain workload configuration information for the plurality of workloads, the workload configuration information identifying a plurality of memory access configurations and service authorizations, the service authorizations identifying at least one edge service instance of the edge service instances authorized to access one or more of the plurality of memory access configurations;
  
  partition the memory into a plurality of shared memory regions using the plurality of memory access configurations; and
  
  process a memory access request for accessing at least one of the plurality of shared memory regions based on the service authorizations, the memory access request received from an edge service instance of the plurality of edge service instances.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the processing circuitry is further configured to:
    - translate the workload metadata to obtain a plurality of functions scheduled for execution on the one or more edge computing devices.
  - 3. The system of claim 2, wherein the plurality of functions includes one or more of the following:
    - named function networking (NFN) functions; and
      
      Function-as-a-Service (FaaS) functions.
  - 4. The system of claim 2, wherein the plurality of functions includes a homomorphic function, and the processing circuitry is further configured to:
    - register a function identification and a function bitstream of the homomorphic function with a shared protected memory region of the plurality of shared memory regions.
  - 5. The system of claim 4, wherein the plurality of memory access configurations includes:
    - a memory range associated with the shared protected memory region, the memory range storing encrypted data;
      
      device identification information of respective devices of the one or more edge computing devices authorized to access the homomorphic function; and
      
      wherein the service authorizations identify a subset of the plurality of edge service instances authorized to access the memory range associated with the shared protected memory region.
  - 6. The system of claim 5, wherein the encrypted data stored in the memory range associated with the shared protected memory region is protected via homomorphic encryption using the function bitstream of the homomorphic function.
  - 7. The system of claim 6, wherein the memory access request identifies an edge service instance of the plurality of edge service instances requesting the memory access and an edge computing device of the one or more edge computing devices executing the requesting edge service instance.
  - 8. The system of claim 7, wherein the processing circuitry is further configured to:
    - perform one or more data transformations on the encrypted data to process the memory access request, when the device identification information identifies the edge computing device executing the requesting edge service instance.
  - 9. The system of claim 8, wherein the processing circuitry is further configured to:
    - offload performing of the one or more data transformations on the encrypted data to at least one edge computing device of the one or more edge computing devices authorized to access the homomorphic function.
  - 10. The system of claim 1, wherein the plurality of memory access configurations includes:
    - a memory range associated with a protected memory region of the plurality of shared memory regions, wherein a trusted execution environment (TEE) of the edge computing device is configured using the protected memory region.
  - 11. The system of claim 1, wherein the plurality of memory access configurations includes a plurality of secure keys for accessing respective memory regions of the plurality of shared memory regions.
  - 12. The system of claim 1, wherein the processing circuitry is further configured to:
    - configure a virtual memory space mapped to at least one of the plurality of shared memory regions and to a second virtual memory space in an edge computing device of the one or more edge computing devices, the edge computing device authorized to access the at least one of the plurality of shared memory regions.
  - 13. The system of claim 12, wherein the virtual memory space is mapped to the second virtual memory space in the edge computing device using a distributed lock manager (DLM) service.
  - 14. The system of claim 13, wherein the processing circuitry is further configured to:
    - update data stored in the at least one of the plurality of shared memory regions based on the memory access request; and
      
      map the updated data stored in the at least one of the plurality of shared memory regions to the virtual memory space and to the second virtual memory space in the edge computing device via the DLM service.
  - 15. The system of claim 1, wherein the edge computing system is an Edge-as-a-Service (EaaS) system, and wherein the edge computing device is an EaaS microservice node.

16. At least one non-transitory machine-readable storage medium comprising instructions, wherein the instructions, when executed by a processing circuitry of an edge computing device operable in an edge computing system, cause the processing circuitry to perform operations that:
- obtain, from an orchestration provider, a workflow execution plan, the workflow execution plan including workload metadata defining a plurality of workloads associated with a plurality of edge service instances, the instances executing respectively on one or more edge computing devices within the edge computing system;
  
  translate the workload metadata to obtain workload configuration information for the plurality of workloads, the workload configuration information identifying a plurality of memory access configurations and service authorizations, the service authorizations identifying at least one edge service instance of the edge service instances authorized to access one or more of the plurality of memory access configurations;
  
  partition memory of the edge computing device into a plurality of shared memory regions using the plurality of memory access configurations; and
  
  process a memory access request for accessing at least one of the plurality of shared memory regions based on the service authorizations, the memory access request received from an edge service instance of the plurality of edge service instances.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The machine-readable storage medium of claim 16, wherein the plurality of memory access configurations includes:
    - a memory range associated with a shared memory region of the plurality of shared memory regions; and
      
      device identification information of at least one edge computing device of the one or more edge computing devices authorized to share data stored in the shared memory region.
  - 18. The machine-readable storage medium of claim 17, wherein the service authorizations include process address space IDs (PASIDs) identifying a subset of the plurality of edge service instances authorized to access the memory range associated with the shared memory region.
  - 19. The machine-readable storage medium of claim 18, wherein the memory access request includes a PASID of an edge service instance of the plurality of edge service instances requesting the memory access and identifies at least a second edge computing device of the one or more edge computing devices executing the requesting edge service instance.
  - 20. The machine-readable storage medium of claim 19, wherein the instructions further cause the processing circuitry to perform operations that:
    - perform a memory read or a memory write operation on the data stored in the shared memory region to process the memory access request when the device identification information identifies the second edge computing device executing the requesting edge service instance and the PSAIDs within the service authorizations include the PSAID within the memory access request.

21. A method performed by an edge computing device operable in an edge computing system, comprising:
- obtaining, from an orchestration provider, a workflow execution plan, the workflow execution plan including workload metadata defining a plurality of workloads associated with a plurality of edge service instances, the instances executing respectively on one or more edge computing devices within an edge computing system;
  
  translating the workload metadata to obtain workload configuration information for the plurality of workloads, the workload configuration information identifying a plurality of memory access configurations and service authorizations, the service authorizations identifying at least one edge service instance of the edge service instances authorized to access one or more of the plurality of memory access configurations;
  
  partitioning memory of the edge computing device into a plurality of shared memory regions using the plurality of memory access configurations; and
  
  processing a memory access request for accessing at least one of the plurality of shared memory regions based on the service authorizations, the memory access request received from an edge service instance of the plurality of edge service instances.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method of claim 21, further comprising:
    - translating the workload metadata to obtain a plurality of functions scheduled for execution on the one or more edge computing devices.
  - 23. The method of claim 22, wherein the plurality of functions includes a homomorphic function, and the method further comprises:
    - registering a function identification and a function bitstream of the homomorphic function with a shared protected memory region of the plurality of shared memory regions.
  - 24. The method of claim 23, wherein the plurality of memory access configurations includes:
    - a memory range associated with the shared protected memory region, the memory range storing encrypted data;
      
      device identification information of respective devices of the one or more edge computing devices authorized to access the homomorphic function; and
      
      wherein the service authorizations identify a subset of the plurality of edge service instances authorized to access the memory range associated with the shared protected memory region.
  - 25. The method of claim 21, wherein the plurality of memory access configurations includes:
    - a memory range associated with a shared memory region of the plurality of shared memory regions; and
      
      device identification information of at least one edge computing device of the one or more edge computing devices authorized to share data stored in the shared memory region.

26-39. -39. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Doshi, Kshitij Arun, Smith, Ned M., Guim Bernat, Francesc, Verrall, Timothy

Granted Patent

US 11,669,368 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1004   to protect a block of data ...

G06F 11/3058   Monitoring arrangements for...

G06F 11/3433   for load management allocat...

G06F 12/1408   by using cryptography for d...

G06F 16/1865   Transactional file systems

G06F 16/2322   using timestamps

G06F 16/90339   by using parallel associati...

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06F 2209/509   Offload

G06F 8/443   Optimisation

G06F 9/3836   Instruction issuing, e.g. d...

G06F 9/44594   Unloading

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/4881   Scheduling strategies for d...

G06F 9/5016   the resource being the memory

G06F 9/5038   considering the execution o...

G06F 9/505   considering the load

G06F 9/5072   Grid computing

G06F 9/5077   Logical partitioning of res...

G06F 9/544 : Buffers; Shared memory; Pipes

G16Y 40/10 : Detection; Monitoring

H04L 41/0893 : Assignment of logical group...

H04L 41/0894 : Policy-based network config...

H04L 41/0895 : Configuration of virtualise...

H04L 41/0896 : Bandwidth or capacity manag...

H04L 41/142 : using statistical or mathem...

H04L 41/145 : involving simulating, desig...

H04L 41/5009 : Determining service level p...

H04L 41/5025 : by proactively reacting to ...

H04L 41/5051 : Service on demand, e.g. def...

H04L 43/08 : Monitoring or testing based...

H04L 47/822 : Collecting or measuring res...

H04L 63/0407 : wherein the identity of one...

H04L 63/0428 : wherein the data content is...

H04L 63/06 : for supporting key manageme...

H04L 63/1408 : by monitoring network traff...

H04L 63/20 : for managing network securi...

H04L 67/10 : in which an application is ...

H04L 67/1008 : based on parameters of serv...

H04L 67/12 : specially adapted for propr...

H04L 67/141 : Setup of application sessio...

H04L 9/008 : involving homomorphic encry...

H04L 9/0637 : Modes of operation, e.g. ci...

H04L 9/0822 : using key encryption key

H04L 9/0825 : using asymmetric-key encryp...

H04L 9/0866 : involving user or device id...

H04L 9/0894 : Escrow, recovery or storing...

H04L 9/3297 : involving time stamps, e.g....

Y02D 10/00 : Energy efficient computing,...

View All

MULTI-TENANT DATA PROTECTION IN EDGE COMPUTING ENVIRONMENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

MULTI-TENANT DATA PROTECTION IN EDGE COMPUTING ENVIRONMENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links