Buffer memory protection unit
First Claim
1. A storage apparatus in communication with a host computing system and configured to enforce a security policy for data stored in a buffer of the storage apparatus, the storage apparatus comprising a housing that encloses a plurality of hardware elements, the plurality of hardware elements comprising:
a buffer located within the storage apparatus, the buffer comprising addressable memory and configured to store data associated with commands received from a host computing system;
at least one non-volatile memory device located within the storage apparatus;
an encryption module comprising a plurality of gates, the encryption module in communication with the buffer and located between the buffer and the at least one non-volatile memory device in a hardware datapath within the storage apparatus, the encryption module configured to apply an encryption scheme to data received from the buffer so that encrypted data is stored in the at least one non-volatile memory device;
a plurality of buffer clients in communication with the buffer and configured to request access to unencrypted data stored in the buffer, the plurality of buffer clients comprising a plurality of hardware processors located within the storage apparatus; and
a buffer protection module within the storage apparatus and in communication with the plurality of buffer clients and the buffer and configured to manage access to the unencrypted data stored in the buffer by the plurality of buffer clients, the buffer protection module distinct from the plurality of buffer clients, the buffer protection module further configured to:
assign security criteria to portions of the buffer, each portion corresponding to at least one storage location in the buffer and at least some of the portions being assigned different security criteria;
in response to a request from a buffer client from the plurality of buffer clients to access the unencrypted data stored in a particular portion of the buffer, associate a security level with the request;
determine whether the security level satisfies the security criteria assigned to the particular portion of the buffer;
when the security level associated with the request satisfies the security criteria assigned to the particular portion of the buffer, permit the requested access to stored unencrypted data; and
when the security level associated with the request does not satisfy the security criteria assigned to the particular portion of the buffer, deny the requested access to stored unencrypted data,
wherein a portion of the buffer having a first assigned security criteria is directly accessible by a first buffer client of the plurality of buffer clients and indirectly accessible by a second buffer client of the plurality of buffer clients, wherein indirectly accessing comprises the second buffer client requesting the first buffer client to perform a buffer operation on the portion of the buffer having the first assigned security criteria.
Abstract
Embodiments described herein include systems and methods for managing security of a storage subsystem. Certain of these embodiments involve the use of a buffer protection module configured to intelligently police requests for access to the subsystem buffer memory.
19 Claims
12. A method of enforcing a security policy for data stored in a buffer of a storage apparatus that is in communication with a host computing system, the method comprising:
storing unencrypted data associated with commands received from the host computing system in a buffer located within a storage apparatus that encloses a plurality of hardware elements, the buffer comprising addressable memory;
assigning security criteria to portions of the buffer, wherein at least some of the portions are assigned different security criteria;
in response to a request from one or more buffer clients comprising one or more storage apparatus processors located within the storage apparatus to access a particular portion of the buffer that stores unencrypted data, associating a security level with the request;
determining, using a buffer protection module included in the storage apparatus, whether the security level associated with the request satisfies the security criteria assigned to the particular portion of the buffer, wherein:
when the security level associated with the request satisfies the security criteria assigned to the particular portion of the buffer, permitting the requested access to the unencrypted data; and
when the security level associated with the request does not satisfy the security criteria assigned to the particular portion of the buffer, denying the requested access to the unencrypted data;
receiving data from the buffer for storing in at least one non-volatile memory device of the storage apparatus;
using an encryption module comprising a plurality of gates to apply an encryption scheme to the data received from the buffer, the encryption module included in the storage apparatus and located in a hardware datapath within the storage apparatus between the buffer and the at least one non-volatile memory device; and
storing encrypted data in the at least one non-volatile memory device.
18. A method of enforcing a security policy for a buffer memory in a storage apparatus comprising a housing that encloses a plurality of hardware elements, the method comprising:
storing unencrypted data associated with commands received from a host computing system in a buffer located within a storage apparatus, the buffer comprising addressable memory;
accessing values stored in one or more programmable configuration registers of the storage apparatus;
assigning security criteria to portions of the buffer based at least in part on the accessed values from the configuration registers, at least some of the portions of the buffer being assigned different security criteria;
in response to a request from one of one or more buffer clients to access a particular portion of the buffer that stores unencrypted data, selectively permitting the request based on the assigned security criteria, wherein the one or more buffer clients comprise a plurality of hardware processors located within the storage apparatus;
receiving data from the buffer for storing in at least one non-volatile memory device of the storage apparatus; and
encrypting, using an encryption module comprising a plurality of gates and located within the storage apparatus between the buffer and the at least one non-volatile memory device, the received data and storing encrypted data in the at least one non-volatile memory device,
wherein the steps of the method are performed by the storage apparatus.
19. A storage apparatus in communication with a host computing system and configured to enforce a security policy for data stored in a buffer of the storage apparatus, the storage apparatus comprising a housing that encloses a plurality of hardware elements, the plurality of housing elements comprising:
a buffer located within the storage apparatus, the buffer comprising addressable memory and configured to store data associated with commands received from a host computing system;
at least one non-volatile memory device located within the storage apparatus;
an encryption module comprising a plurality of gates, the encryption module in communication with the buffer and located between the buffer and the at least one non-volatile memory device in a datapath within the storage apparatus, the encryption module configured to apply an encryption scheme to data received from the buffer so that encrypted data is stored in the at least one non-volatile memory device;
one or more buffer clients in communication with the buffer and configured to request access to unencrypted data stored in the buffer, the one or more buffer clients comprising one or more hardware processors located within the storage apparatus; and
a buffer protection module within the storage apparatus and in communication with the one or more buffer clients and the buffer and configured to manage access to the unencrypted data stored in the buffer by the one or more buffer clients, the buffer protection module distinct from the one or more buffer clients, the buffer protection module further configured to:
assign security criteria to portions of the buffer, each portion corresponding to at least one storage location in the buffer and at least some of the portions being assigned different security criteria;
in response to a request from a buffer client to access the unencrypted data stored in a particular portion of the buffer, associate a security level with the request based at least in part on one or more buffer addresses of the request;
determine whether the security level satisfies the security criteria assigned to the particular portion of the buffer;
when the security level associated with the request satisfies the security criteria assigned to the particular portion of the buffer, permit the requested access to stored unencrypted data; and
when the security level associated with the request does not satisfy the security criteria assigned to the particular portion of the buffer, deny the requested access to stored unencrypted data.
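As an added illustration (not part of the patent text or of any product's firmware), the following C model shows the permit/deny check over buffer portions and the indirect-access path recited in the claims above. The numeric level scheme, the region table standing in for configuration registers, the zero-fill operation and every identifier are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model: every name, the numeric level scheme and the region
 * table are assumptions; the claims do not define encodings. */
enum { BPM_OK = 0, BPM_DENIED = -1 };
typedef struct { uint32_t base, limit; uint8_t min_level; } bpm_region; /* [base, limit) */
typedef struct { uint8_t id, level; } bpm_client;

static uint8_t buffer_mem[256];               /* unencrypted staging buffer */
static const bpm_region regions[] = {         /* stands in for config registers */
    { 0x00, 0x80, 0 },                        /* portion open to every client */
    { 0x80, 0xC0, 2 },                        /* portion requiring level >= 2 */
};                                            /* 0xC0..0xFF unassigned: denied */
static const bpm_client crypto_cpu = { 1, 2 }, host_cpu = { 2, 0 }; /* constructed */

/* Permit only if every byte of the request lies in a portion whose criteria
 * the client's level satisfies; unassigned addresses fail closed. */
int bpm_check(const bpm_client *c, uint32_t addr, uint32_t len)
{
    if (len == 0 || addr >= sizeof buffer_mem || len > sizeof buffer_mem - addr)
        return BPM_DENIED;                    /* empty, out of range, or wrapping */
    for (uint32_t a = addr, end = addr + len; a < end; ) {
        const bpm_region *r = NULL;
        for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
            if (a >= regions[i].base && a < regions[i].limit)
                r = &regions[i];
        if (r == NULL || c->level < r->min_level)
            return BPM_DENIED;
        a = r->limit;                         /* continue in the next portion */
    }
    return BPM_OK;
}

/* Direct access: the copy happens only after the check passes. */
int bpm_read(const bpm_client *c, uint32_t addr, uint8_t *dst, uint32_t len)
{
    if (bpm_check(c, addr, len) != BPM_OK)
        return BPM_DENIED;
    memcpy(dst, buffer_mem + addr, len);
    return BPM_OK;
}

/* Indirect access: the requester never touches the portion; it asks the owner
 * to run one fixed operation (here: zero-fill), checked at the owner's level. */
int owner_zero_fill(const bpm_client *owner, uint32_t addr, uint32_t len)
{
    if (bpm_check(owner, addr, len) != BPM_OK)
        return BPM_DENIED;
    memset(buffer_mem + addr, 0, len);
    return BPM_OK;
}
```

Because the indirect path runs with the first client's level, the set of operations that client agrees to perform on behalf of others is itself part of the security policy and should be kept as narrow as the design allows.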