CN111290829B - Access control module, virtual machine monitor and access control method - Google Patents

Access control module, virtual machine monitor and access control method

Publication number
CN111290829B
Authority
CN
China
Prior art keywords
address
data access
access request
virtual
virtual address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010041831.9A
Other languages
Chinese (zh)
Other versions
CN111290829A (en
Inventor
姜莹
王海洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hygon Information Technology Co Ltd
Original Assignee
Hygon Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hygon Information Technology Co Ltd
Priority to CN202010041831.9A
Publication of CN111290829A
Application granted
Publication of CN111290829B
Active
Anticipated expiration

Abstract

An access control module, a virtual machine monitor and an access control method. The access control module comprises: a first IO interface, serving as the communication interface between an IO master device and a computer system, where the IO master device forms an IO virtual machine by establishing an association with a first virtual machine preset in the computer system; a first memory management unit, adapted, on receiving a data access request from the first IO interface, to translate the virtual address of the access space contained in the data access request into the corresponding physical address and to send the data access request containing the physical address to a physical address routing unit; and the physical address routing unit, adapted to route the data access request to the corresponding access space according to the physical address contained in the received data access request. With this scheme, the load on the processor in the computer system can be reduced and the efficiency of data exchange between the IO master device and the computer system is improved.

Description

Translated from Chinese
Access control module, virtual machine monitor and access control method

Technical Field

The embodiments of this specification relate to the field of computer technology, and in particular to an access control module, a virtual machine monitor and an access control method.

Background

In existing input/output virtualization (IOV) technology, an input/output (IO) device can be connected to a non-transparent bridge (NTB) through an IO interface of the computer system, and thereby access the computer system as an IO master device.

The IO master device and the computer system belong to two operating systems and have completely different address domains. The non-transparent bridge therefore translates addresses in the IO master device's address domain into the corresponding addresses in the computer system's address domain.

However, the address translation space of a non-transparent bridge is usually limited, so the IO master device can use only part of the computer system's resources. Computer resources that do not correspond to the computer address domain translated by the non-transparent bridge cannot be used directly by the IO master device. Instead, a processor in the computer system has to move the data, which increases the load on that processor and reduces the efficiency of data exchange between the IO master device and the computer system.

Summary of the Invention

In view of this, the embodiments of this specification provide an access control module, a virtual machine monitor and an access control method that can reduce the load on the processor in the computer system and improve the efficiency of data exchange between the IO master device and the computer system.

An embodiment of this specification provides an access control module comprising a first IO interface, a first memory management unit and a physical address routing unit, wherein:

the first IO interface serves as the communication interface between an IO master device and a computer system, and the IO master device forms an IO virtual machine by establishing an association with a first virtual machine preset in the computer system;

the first memory management unit is adapted, on receiving a data access request from the first IO interface, to translate the virtual address of the access space contained in the data access request into the corresponding physical address, and to send the data access request containing the physical address to the physical address routing unit, where the virtual address is an address in the IO virtual machine's address domain and the physical address is an address in the computer system's address domain;

the physical address routing unit is adapted to route the data access request to the corresponding access space according to the physical address contained in the received data access request.

Optionally, the access control module further comprises a second IO interface and a virtual address routing unit, wherein:

the second IO interface serves as the communication interface between an IO slave device and the computer system;

the virtual address routing unit is adapted, on receiving a data access request from the second IO interface, to obtain the virtual address of the access space contained in the data access request and, on determining that the virtual address points to the IO virtual machine's address domain, to route the data access request to the first memory management unit;

the first memory management unit is further adapted, on receiving a data access request from the virtual address routing unit, to obtain the virtual address of the access space contained in the data access request and to send the data access request to the IO virtual machine that the virtual address points to, so that a data access operation is performed on the access space corresponding to the virtual address in that IO virtual machine.

Optionally, the access control module further comprises a second memory management unit;

the virtual address routing unit is further adapted, on determining that the virtual address of the access space contained in the data access request points to the computer system's address domain, to send the access request to the second memory management unit;

the second memory management unit is adapted, on receiving a data access request from the virtual address routing unit, to obtain the virtual address of the access space contained in the data access request, translate the virtual address into the corresponding physical address, and send the data access request containing the physical address to the physical address routing unit.

Optionally, the first memory management unit is further adapted, before translating the virtual address of the access space contained in the data access request into the corresponding physical address, to send the data access request to the virtual address routing unit when it determines from that virtual address that the virtual address points to the IO slave device's address domain;

the virtual address routing unit is further adapted, on receiving a data access request from the first memory management unit, to route the data access request, according to the virtual address of the access space it contains, to the IO slave device that the virtual address points to, so that a data access operation is performed on the access space corresponding to the virtual address in that IO slave device.

Optionally, the IO slave device establishes, through a preset virtual function, an association with a second virtual machine specified by the virtual function, and the second virtual machine is adapted to set the address mapping relationship in the virtual address routing unit.

Optionally, the first memory management unit is further adapted to determine whether the sender of a received data access request has the corresponding access permission, and to perform the corresponding access control operation according to the result.

An embodiment of this specification further provides a virtual machine monitor comprising a first memory management unit and a physical address routing unit, wherein:

the first memory management unit is adapted, on receiving a data access request from a first IO interface, to translate the virtual address of the access space contained in the data access request into the corresponding physical address, and to send the data access request containing the physical address to the physical address routing unit;

the physical address routing unit is adapted to route the data access request to the corresponding access space according to the physical address contained in the received data access request;

where the first IO interface is the communication interface between an IO master device and a computer system, the IO master device forms an IO virtual machine by establishing an association with a first virtual machine preset in the computer system, the virtual address is an address in the IO virtual machine's address domain, and the physical address is an address in the computer system's address domain.

Optionally, the virtual machine monitor further comprises a virtual address routing unit adapted, on receiving a data access request from a second IO interface, to obtain the virtual address of the access space contained in the data access request and, on determining that the virtual address points to the IO virtual machine's address domain, to route the data access request to the first memory management unit;

the first memory management unit is further adapted, on receiving a data access request from the virtual address routing unit, to obtain the virtual address of the access space contained in the data access request and to send the data access request to the IO virtual machine that the virtual address points to, so that a data access operation is performed on the access space corresponding to the virtual address in that IO virtual machine;

where the second IO interface is the communication interface between an IO slave device and the computer system.

Optionally, the virtual machine monitor further comprises a second memory management unit;

the virtual address routing unit is further adapted, on determining that the virtual address of the access space contained in the data access request points to the computer system's address domain, to send the access request to the second memory management unit;

the second memory management unit is adapted, on receiving a data access request from the virtual address routing unit, to obtain the virtual address of the access space contained in the data access request, translate the virtual address into the corresponding physical address, and send the data access request containing the physical address to the physical address routing unit.

Optionally, the first memory management unit is further adapted, before translating the virtual address of the access space contained in the data access request into the corresponding physical address, to send the data access request to the virtual address routing unit when it determines from that virtual address that the virtual address points to the IO slave device's address domain;

the virtual address routing unit is further adapted, on receiving a data access request from the first memory management unit, to route the data access request, according to the virtual address of the access space it contains, to the IO slave device that the virtual address points to, so that a data access operation is performed on the access space corresponding to the virtual address in that IO slave device.

An embodiment of this specification further provides an access control method, suitable for performing access control on devices that access through an IO interface, the method comprising:

a first memory management unit receives a data access request from a first IO interface;

the first memory management unit translates the virtual address of the access space contained in the data access request into the corresponding physical address, and sends the data access request containing the physical address to a physical address routing unit;

the physical address routing unit routes the data access request to the corresponding access space according to the physical address contained in the received data access request;

where the first IO interface is the communication interface between an IO master device and a computer system, the IO master device forms an IO virtual machine by establishing an association with a first virtual machine preset in the computer system, the virtual address is an address in the IO virtual machine's address domain, and the physical address is an address in the computer system's address domain.

Optionally, the access control method further comprises:

a virtual address routing unit, on receiving a data access request from a second IO interface, obtains the virtual address of the access space contained in the data access request;

the virtual address routing unit, on determining that the virtual address points to the IO virtual machine's address domain, sends the data access request to the first memory management unit;

the first memory management unit, on receiving the data access request from the virtual address routing unit, obtains the virtual address of the access space contained in the data access request and sends the data access request to the IO virtual machine that the virtual address points to, so that a data access operation is performed on the access space corresponding to the virtual address in that IO virtual machine;

where the second IO interface is the communication interface between an IO slave device and the computer system.

Optionally, the access control method further comprises:

the virtual address routing unit, on determining that the virtual address points to the computer system's address domain, sends the access request to a second memory management unit;

the second memory management unit, on receiving the data access request from the virtual address routing unit, obtains the virtual address of the access space contained in the data access request, translates the virtual address into the corresponding physical address, and sends the data access request containing the physical address to the physical address routing unit.

Optionally, before the first memory management unit translates the virtual address of the access space contained in the data access request into the corresponding physical address, the method further comprises:

the first memory management unit, on determining from the virtual address of the access space contained in the data access request that the virtual address points to the IO slave device's address domain, sends the data access request to the virtual address routing unit;

the virtual address routing unit, on receiving the data access request from the first memory management unit, routes the data access request, according to the virtual address of the access space it contains, to the IO slave device that the virtual address points to, so that a data access operation is performed on the access space corresponding to the virtual address in that IO slave device.
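
The routing decisions described for the module and the method above, including the optional permission check in the first memory management unit, can be modelled in C as follows. This is an added example, not code from the patent or its assignee; the address ranges, mapping tables, permission bits, the request length parameter and all identifiers (route, covers, translate, MMU1, MMU2 and so on) are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { SRC_FIRST_IO, SRC_SECOND_IO } src_t;   /* master side / slave side */
typedef enum { DEST_DENIED, DEST_SYSTEM_SPACE, DEST_IO_VM, DEST_IO_SLAVE } dest_t;
enum { PERM_R = 1, PERM_W = 2 };

typedef struct { dest_t dest; uint64_t addr; } result_t;
typedef struct { uint64_t base, size; } range_t;
typedef struct { uint64_t va_base, size, pa_base; int perm; } map_t;

/* Constructed layout (assumption, not taken from the patent). */
static const range_t IO_VM_DOMAIN    = { 0x10000000u, 0x01000000u };
static const range_t IO_SLAVE_DOMAIN = { 0x20000000u, 0x00100000u };
static const int SLAVE_TO_IO_VM_PERM = PERM_R;  /* slave may only read the IO VM */

/* First MMU: IO VM virtual address -> computer system physical address. */
static const map_t MMU1[] = {
    { 0x10000000u, 0x2000u, 0x80000000u, PERM_R | PERM_W },
    { 0x10002000u, 0x1000u, 0x90000000u, PERM_R },
};
/* Second MMU: slave-issued virtual address -> physical address. */
static const map_t MMU2[] = {
    { 0x40000000u, 0x1000u, 0xA0000000u, PERM_R | PERM_W },
};

/* True if [a, a+len) lies inside [base, base+size); a+len is never computed,
 * so a request near the top of the address space cannot wrap around. */
static int covers(uint64_t base, uint64_t size, uint64_t a, uint64_t len)
{
    if (len == 0 || a < base) return 0;
    uint64_t off = a - base;
    return off < size && len <= size - off;
}

/* Translate va through table t; returns 0 and fills *pa on success. */
static int translate(const map_t *t, size_t n, uint64_t va, uint64_t len,
                     int need, uint64_t *pa)
{
    for (size_t i = 0; i < n; i++) {
        if (!covers(t[i].va_base, t[i].size, va, len)) continue;
        if ((t[i].perm & need) != need) return -1;   /* permission fault */
        *pa = t[i].pa_base + (va - t[i].va_base);
        return 0;
    }
    return -1;  /* unmapped, or the access straddles a mapping boundary */
}

/* Decide where one data access request ends up. */
result_t route(src_t src, uint64_t va, uint64_t len, int write)
{
    result_t out = { DEST_DENIED, 0 };
    int need = write ? PERM_W : PERM_R;

    if (src == SRC_FIRST_IO) {
        /* First MMU checks the target domain before translating. */
        if (covers(IO_SLAVE_DOMAIN.base, IO_SLAVE_DOMAIN.size, va, len)) {
            out.dest = DEST_IO_SLAVE;      /* via the virtual address routing unit */
            out.addr = va;
        } else if (translate(MMU1, sizeof MMU1 / sizeof MMU1[0],
                             va, len, need, &out.addr) == 0) {
            out.dest = DEST_SYSTEM_SPACE;  /* via the physical address routing unit */
        }
        return out;
    }
    /* Second IO interface: the virtual address routing unit decides first. */
    if (covers(IO_VM_DOMAIN.base, IO_VM_DOMAIN.size, va, len)) {
        if ((SLAVE_TO_IO_VM_PERM & need) == need) {  /* first MMU permission check */
            out.dest = DEST_IO_VM;
            out.addr = va;                 /* delivered without translation */
        }
        return out;
    }
    if (translate(MMU2, sizeof MMU2 / sizeof MMU2[0], va, len, need, &out.addr) == 0)
        out.dest = DEST_SYSTEM_SPACE;
    return out;
}

int main(void)
{
    static const char *name[] = { "DENIED", "SYSTEM_SPACE", "IO_VM", "IO_SLAVE" };
    result_t r = route(SRC_FIRST_IO, 0x10001FFCu, 8, 0);  /* straddles a mapping */
    printf("%s 0x%llx\n", name[r.dest], (unsigned long long)r.addr);
    r = route(SRC_SECOND_IO, 0x40000020u, 4, 1);
    printf("%s 0x%llx\n", name[r.dest], (unsigned long long)r.addr);
    return 0;
}
```

The model denies by default: a request is forwarded only when its whole byte range fits one mapping or one domain window and the sender holds the needed permission.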

With the access control scheme provided by the embodiments of this specification, the IO master device can establish, through the first IO interface, an association with the first virtual machine preset in the computer system to form an IO virtual machine. On receiving a data access request from the first IO interface, the first memory management unit can translate the virtual address of the access space contained in the data access request into the corresponding physical address and send the data access request containing the physical address to the physical address routing unit, which can then route the data access request to the corresponding access space according to the physical address it contains. It follows that, by associating the IO master device with the preset first virtual machine, the processor of the IO master device can act as a coprocessor of the first virtual machine, so that the IO master device becomes a virtual machine of the computer system, forming an IO virtual machine that shares resources with the computer system and can use all the resources in the computer system. In addition, the IO virtual machine can actively initiate data access requests, and data exchange between the IO master device and the CPU requires no operation by the processor in the computer system, so the load on the processor in the computer system can be reduced and the efficiency of data exchange between the IO master device and the computer system can be improved.

Further, when the virtual address routing unit receives a data access request from the second IO interface, it can obtain the virtual address of the access space contained in the data access request and, on determining that the virtual address points to the IO virtual machine's address domain, send the data access request to the first memory management unit. Because the virtual address routing unit determines that the virtual address points to the IO virtual machine's address domain, the first memory management unit can look up the corresponding IO virtual machine by the virtual address and perform the data access operation on the access space corresponding to the virtual address in that IO virtual machine. The IO slave device's data access request can thus be sent directly to the corresponding IO virtual machine, with no translation between virtual and physical addresses and no involvement of the computer system's processor in the data exchange, which reduces the load on the processor in the computer system and improves the efficiency of data exchange between IO devices.

Further, when the virtual address routing unit determines that the virtual address of the access space contained in the data access request points to the computer system's address domain, it sends the access request to the second memory management unit; the second memory routing unit translates the virtual address of the access space contained in the data access request into the corresponding physical address, and the physical address routing unit routes the request to the corresponding access space. This implements data exchange between the IO slave device and the computer system, so that the IO slave device can use the computer system's resources directly.

Further, when the first memory management unit determines, from the virtual address of the access space contained in the data access request, that the virtual address points to the IO slave device's address domain, it sends the data access request to the virtual address routing unit, which routes the data access request to the IO slave device that the virtual address points to, so that a data access operation can be performed on the access space corresponding to the virtual address in that IO slave device. The IO master device can thus share the resources of the computer system's IO slave devices, and the whole data exchange requires no data migration by the processor in the computer system, which further improves the efficiency of data exchange and reduces the load on the processor in the computer system.

Brief Description of the Drawings

To explain the technical solutions of the embodiments of this specification more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of this specification, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic diagram of the hierarchical structure of computer system virtualization in an embodiment of this specification.

FIG. 2 is a schematic structural diagram of input/output virtualization in an embodiment of this specification.

FIG. 3 is a schematic structural diagram of an access control module in an embodiment of this specification.

FIG. 4 is a schematic structural diagram of a virtual machine monitor in an embodiment of this specification.

FIG. 5 is a flowchart of an access control method in an embodiment of this specification.

FIG. 6 is a flowchart of another access control method in an embodiment of this specification.

具体实施方式Detailed ways

虚拟机(Virtual Machine,VM)是指通过软件模拟的具有完整硬件系统功能的、运行在一个完全隔离环境中的完整计算机系统。A virtual machine (Virtual Machine, VM) refers to a complete computer system that is simulated by software and has complete hardware system functions and runs in a completely isolated environment.

如图1所示,为本说明书实施例中一种计算机系统虚拟化的层次结构示意图,其中,计算机系统10包括:计算机系统资源11,以及运行于计算机系统之上的虚拟机1~N,在虚拟机1~N上可以分别运行相应的虚拟机操作系统,即虚拟机1操作系统至虚拟机N操作系统。虚拟机1~N通过虚拟机监视器(Virtual Machine Monitor,VMM)12共享底层的计算机系统资源11,虚拟机监视器通过监视虚拟机1~N的行为,可以实现虚拟机1~N资源之间的隔离,从而使虚拟机1~N对计算机系统资源进行访问时不产生冲突。As shown in FIG. 1, it is a schematic diagram of a hierarchical structure of computer system virtualization in the embodiment of this specification, wherein acomputer system 10 includes:computer system resources 11, and virtual machines 1-N running on the computer system. Corresponding virtual machine operating systems can run on the virtual machines 1-N respectively, that is, the operating systems of the virtual machine 1 to the operating systems of the virtual machine N. Virtual machines 1-N share the underlyingcomputer system resources 11 through a virtual machine monitor (Virtual Machine Monitor, VMM) 12, and the virtual machine monitor can realize the resource sharing between virtual machines 1-N by monitoring the behavior of virtual machines 1-N. isolation, so that no conflict occurs when virtual machines 1-N access computer system resources.

在现有IOV技术中,参考图2所示的一种输入输出虚拟化的结构示意图,IO设备可以通过IO接口接入计算机系统20,其中,IO主设备2A可以通过计算机系统20的第一IO接口21连接非透明桥(NTB,Non-Transparent Bridge)22,接入计算机系统20;IO从设备2B可以通过第二IO接口与输入输出设备内存管理单元(Input/Output Memory Management Unit,IOMMU)24通信。In the existing IOV technology, referring to a schematic structural diagram of input-output virtualization shown in FIG. Theinterface 21 is connected to a non-transparent bridge (NTB, Non-Transparent Bridge) 22 and connected to thecomputer system 20; theIO slave device 2B can communicate with the input/output device memory management unit (Input/Output Memory Management Unit, IOMMU) 24 through the second IO interface communication.

其中,由于IO主设备2A和计算机系统20属于两个操作系统,两者具有完全不同的地址域,因此,需要通过非透明桥22将来自IO主设备2A地址域的地址转换为计算机系统20地址域对应的地址,再通过计算机系统20中的总线27进行与处理器25进行数据交互,访问存储器26中的相应存储空间。Wherein, since the IOmain device 2A and thecomputer system 20 belong to two operating systems, the two have completely different address domains, therefore, the address from the IOmain device 2A address domain needs to be converted to the address of thecomputer system 20 through thenon-transparent bridge 22 The address corresponding to the domain, and then perform data interaction with theprocessor 25 through thebus 27 in thecomputer system 20, and access the corresponding storage space in thememory 26.

然而,非透明桥22的地址转换空间有限,只能将IO主设备2A的地址转换为计算机系统20部分地址,导致IO主设备2A仅可以使用计算机系统20的部分资源。由于非透明桥22中设置的地址转换关系是固定的,对于不与所述非透明桥22转换的计算机地址域对应的计算机资源,IO主设备2A无法直接使用,而是需要处理器25对存储器26中的数据进行搬迁,因此会增加所述处理器25的负荷,且降低了IO主设备2A与计算机系统20的数据交换效率。However, the address translation space of thenon-transparent bridge 22 is limited, and it can only convert the address of theIO master 2A to a part of the address of thecomputer system 20, so that theIO master 2A can only use part of the resources of thecomputer system 20. Since the address conversion relationship set in thenon-transparent bridge 22 is fixed, for the computer resources corresponding to the computer address domain not converted by thenon-transparent bridge 22, the IOmain device 2A cannot be used directly, but requires theprocessor 25 to store The data in 26 is relocated, so the load on theprocessor 25 will be increased, and the data exchange efficiency between theIO master 2A and thecomputer system 20 will be reduced.

针对上述问题,本说明书实施例提供了一种访问控制方案,其中,IO主设备可以通过第一IO接口与计算机系统中预设的第一虚拟机建立关联关系,形成IO虚拟机,并且所述第一内存管理单元在接收到来自所述第一IO接口的数据访问请求时,可以将所述数据访问请求中包含的访问空间的虚拟地址转换为相应的物理地址,并可以将包含所述物理地址的数据访问请求发送至所述物理地址路由单元,然后,所述物理地址路由单元可以根据接收的数据访问请求中包含的物理地址,将所述数据访问请求路由至对应的访问空间。In view of the above problems, the embodiment of this specification provides an access control solution, wherein the IO master device can establish an association relationship with the first virtual machine preset in the computer system through the first IO interface to form an IO virtual machine, and the When the first memory management unit receives the data access request from the first IO interface, it can convert the virtual address of the access space contained in the data access request into a corresponding physical address, and can convert the virtual address containing the physical The data access request of the address is sent to the physical address routing unit, and then the physical address routing unit may route the data access request to the corresponding access space according to the physical address contained in the received data access request.

采用本说明书实施例方案,通过将IO主设备与预设的第一虚拟机建立关联关系,使得IO主设备的处理器可以作为所述第一虚拟机的协处理器,从而IO主设备可以作为计算机系统的一个虚拟机,形成IO虚拟机,与计算机系统共享资源,可以使用所述计算机系统中的全部资源;并且,IO虚拟机可以主动发起数据访问请求,对于所述IO主设备与所述CPU之间的数据交换,无需所述计算机系统中的处理器做任何操作,故可以减轻计算机系统中的处理器的负荷,也可以提高IO主设备与计算机系统之间的数据交换效率。By adopting the solution of the embodiment of this specification, by establishing an association relationship between the IO master device and the preset first virtual machine, the processor of the IO master device can be used as the coprocessor of the first virtual machine, so that the IO master device can be used as A virtual machine of the computer system forms an IO virtual machine, shares resources with the computer system, and can use all resources in the computer system; and, the IO virtual machine can actively initiate a data access request, for the IO master device and the The data exchange between CPUs does not require any operation by the processor in the computer system, so the load on the processor in the computer system can be reduced, and the data exchange efficiency between the IO master device and the computer system can also be improved.

To enable those skilled in the art to understand and implement the concepts, implementation solutions and advantages of the embodiments of this specification more clearly, a detailed description is given below through specific application scenarios with reference to the accompanying drawings.

Referring to the schematic structural diagram of an access control module in an embodiment of this specification shown in FIG. 3, the access control module 30 may include a first IO interface 301, a first memory management unit 302 and a physical address routing unit 303, wherein:

the first IO interface 301 serves as the communication interface between the IO master device 3A and the computer system 3C, and the IO master device 3A forms an IO virtual machine by establishing an association relationship with a first virtual machine (not shown) preset in the computer system 3C;

the first memory management unit 302 is adapted to, upon receiving a data access request from the first IO interface 301, convert the virtual address of the access space contained in the data access request into the corresponding physical address and send the data access request containing the physical address to the physical address routing unit 303, wherein the virtual address is an address in the address domain of the IO virtual machine and the physical address is an address in the address domain of the computer system 3C;

the physical address routing unit 303 is adapted to route the data access request to the corresponding access space according to the physical address contained in the received data access request.

One or more virtual machines can run on the computer system 3C. In a specific implementation, the virtual machine that is to establish an association relationship with the IO master device 3A may be selected from them in advance; for convenience of description, it is referred to here as the first virtual machine. The IO master device 3A can form an IO virtual machine by establishing an association relationship with the first virtual machine preset in the computer system 3C.

In some embodiments of this specification, the association relationship between the first virtual machine and the corresponding IO master device may be established through a virtual machine monitor. For example, the binding relationship between the virtual machine and the IO master device may be set and saved in advance to form the IO virtual machine, so that the processor of the IO master device can serve as a coprocessor of the IO virtual machine and the resources of the IO master device's processor are fully utilized.

In other embodiments of this specification, the association relationship between the identifier of the first virtual machine and the identifier of the preset IO master device may be established through the virtual machine operating system of the first virtual machine; for example, the virtual machine operating system may set the association relationship between the identifier of the first virtual machine and the identifier of the preset IO master device.

In a specific implementation, the identifiers of any one or more virtual machines may be bound to the identifier of one IO master device to form an IO virtual machine or an IO virtual machine group.

The processor of the IO master device can thus be used as a coprocessor of the first virtual machine, and the IO master device can share the resources of the computer system with the one or more virtual machines running on the computer system 3C.

It can be understood that, in practical applications, a corresponding number of first IO interfaces may be provided according to the number of IO master devices or the number of virtual machines. Any IO master device may be electrically connected to any first IO interface, so that it can directly access the resources of the computer system or the resources of slave devices that have a master-slave connection with the computer system. The embodiments of this specification do not limit the type or number of first IO interfaces.

In a specific implementation, the first memory management unit 302 may be provided in the virtual machine monitor and serve as the MMU of the IO virtual machine, performing address translation management on the accesses of the IO virtual machine. Specifically, when the IO virtual machine issues a data access request R1, the first memory management unit 302 may receive the data access request R1 through the first IO interface 301, convert the virtual address of the access space contained in the data access request R1 into the corresponding physical address according to a preset address mapping relationship, and send the data access request R1 containing the physical address to the physical address routing unit 303.

Here, the virtual address may be an address in the address domain of the IO virtual machine, and the physical address may be an address in the address domain of the computer system 3C.

It can be understood that the types of the virtual address and the physical address may be selected according to actual requirements. For example, the type of the virtual address may be a guest physical address (Guest Physical Address, GPA), and the type of the physical address may be a host virtual address (Host Virtual Address, HVA) or a host physical address (Host Physical Address, HPA).

In a specific implementation, a physical address routing table may be preset in the physical address routing unit 303. The physical address routing unit 303 queries the physical address routing table according to the physical address contained in the received data access request to obtain a routing path, and routes the data access request to the corresponding access space in the computer system 3C so that the resources of the computer system are used.

For example, when the type of the physical address contained in the data access request is HVA, the physical address routing unit 303 queries the physical address routing table and determines that the access targets corresponding to the routing destination address are the processor 31 and the memory 32. The physical address routing unit 303 therefore sends the data access request to the processor 31, and the processor 31 converts the HVA into the corresponding HPA through a page table lookup, so that a data access operation, such as a data read operation or a data write operation, can be performed on the corresponding access space in the memory 32.

As another example, when the type of the physical address contained in the data access request is HPA, the physical address routing unit 303 queries the physical address routing table and determines that the access target corresponding to the routing destination address is the memory 32. The physical address routing unit 303 can then perform the corresponding data access operation on the memory 32 according to the data access request, such as a read operation or a write operation.

It can be understood that the physical address routing unit 303 may be configured according to the hardware structure of the computer system. Using different physical address routing tables, the physical address routing unit 303 can determine different routing paths and thereby route the data access request to the corresponding device in the computer system, such as a processor, a memory, a network card or a graphics card. The embodiments of this specification do not limit the specific content of the physical address routing table.

With the above solution, establishing an association relationship between the IO master device and the preset first virtual machine allows the processor of the IO master device to serve as a coprocessor of the first virtual machine. The IO master device can thus act as a virtual machine of the computer system, forming an IO virtual machine that shares resources with the computer system and can therefore use all resources in the computer system. In addition, the IO virtual machine can actively initiate data access requests, and data exchange between the IO master device and the CPU requires no operation by the processor in the computer system. This reduces the load on the processor in the computer system, reduces the operations that processor performs on the IO master device, and improves the data exchange efficiency between the IO master device and the computer system.

An IO device can also act as a slave device of the computer system. In a specific implementation, referring again to FIG. 2, the IO slave device 2B may be connected through the second IO interface 23 to an IO memory management unit (IO Memory Management Unit, IOMMU) 24 and thereby be connected to the computer system 20.

The IOMMU 24 can perform permission management and address translation management on the accesses of the IO slave device 2B. The IO slave device 2B can be bound to a virtual machine through a preset virtual function (Virtual Function, VF). The address of the access space contained in a data access request that a bound IO slave device sends to the computer system 20 is an address in the virtual machine's address domain, so the IOMMU 24 can convert the address of the access space contained in the data access request into a physical address in the address domain of the computer system.

The inventors found through research that, although many current IO devices have processors, once IO devices are connected to the computer system as master or slave devices, the IO devices attached to the computer system cannot access each other or exchange data directly. Access and data exchange between IO devices are possible only when the processor of the computer system issues commands, and the data must be migrated by the processor of the computer system. As a result, the data exchange efficiency between IO devices is low and the load on the processor of the computer system 20 is increased.

In a specific implementation, to improve the data exchange efficiency between IO devices and reduce the load on the processor of the computer system, the virtual address of the access space contained in a data access request can be examined to determine whether it points to an IO device address domain or to the computer system address domain, and different operations are performed accordingly. This is described in detail below through specific embodiments.

In a specific embodiment of this specification, as shown in FIG. 3, the access control module may further include a second IO interface 304 and a virtual address routing unit 305, wherein:

the second IO interface 304 may serve as the communication interface between the IO slave device 3B and the computer system 3C;

the virtual address routing unit 305 is adapted to, upon receiving a data access request from the second IO interface 304, obtain the virtual address of the access space contained in the data access request and, when it determines that the virtual address points to the address domain of the IO virtual machine, route the data access request to the first memory management unit 302;

the first memory management unit 302 is further adapted to, upon receiving a data access request from the virtual address routing unit 305, obtain the virtual address of the access space contained in the data access request and send the data access request to the IO virtual machine to which the virtual address points, so that a data access operation is performed on the access space corresponding to the virtual address in that IO virtual machine.

Here, the virtual address of the access space contained in the data access request may be a GPA or a GVA.

In a specific implementation, a virtual address routing table may be preset in the virtual address routing unit 305. The virtual address routing unit 305 can query the virtual address routing table according to the virtual address contained in the received data access request to obtain a routing destination address and, when it determines from the routing destination address that the virtual address points to the address domain of the IO virtual machine, send the data access request to the first memory management unit 302. Because the first memory management unit 302 may be connected to the corresponding IO virtual machines through multiple first IO interfaces, the first memory management unit 302 can, according to the virtual address of the access space contained in the data access request, send the data access request to the IO virtual machine to which the virtual address points, so that a data access operation is performed on the access space corresponding to the virtual address in that IO virtual machine.

In a specific implementation, a virtual machine can use the resources of an IO slave device connected to the computer system through a preset VF. The IO slave device can establish an association relationship, through the preset VF, with the virtual machine designated by the VF. To distinguish the virtual machine designated by the VF from other virtual machines, it may be called the second virtual machine. The second virtual machine can set the address mapping relationship in the virtual address routing unit 305 to obtain the corresponding virtual address routing table.

Therefore, after the VF of the IO slave device has been assigned to the IO virtual machine, the IO virtual machine can configure the virtual address routing table in the virtual address routing unit so that the table includes the correspondence between the IO virtual machine address domain and the IO slave device address domain.

As can be seen from the above, when the virtual address routing unit 305 determines that the virtual address points to the address domain of the IO virtual machine, it can send the data access request directly to the first memory management unit 302. After determining which IO virtual machine contains the access space, the first memory management unit 302 sends the data access request directly to that IO virtual machine through the corresponding first IO interface 301. Accesses between the IO slave device 3B and the IO virtual machine therefore need no address translation operation and do not require the processor 31 to take part in the data interaction, which reduces the load on the processor and improves the data exchange efficiency between the IO master device and the IO slave device.

In addition, the IO slave device 3B and the IO virtual machine may use the same address domain, which makes it easier for the first memory management unit 302 to determine which IO virtual machine contains the access space.

In other specific embodiments of this specification, the IO virtual machine can also access an IO slave device. As shown in FIG. 3, the access control module 30 can be further optimized and extended. As a specific example, in the access control module 30:

the first memory management unit 302 is further adapted to, before converting the virtual address of the access space contained in the data access request into the corresponding physical address, send the data access request to the virtual address routing unit 305 when it determines, according to the virtual address of the access space contained in the data access request, that the virtual address points to the address domain of the IO slave device;

the virtual address routing unit 305 is further adapted to, upon receiving a data access request from the first memory management unit 302, route the data access request, according to the virtual address of the access space contained in it, to the IO slave device to which the virtual address points, so that a data access operation is performed on the access space corresponding to the virtual address in that IO slave device.

Because the virtual address routing unit 305 may be connected to a corresponding number of IO slave devices through multiple second IO interfaces, the data access request can be routed, according to the virtual address of the access space contained in it, to the IO slave device that contains the access space. The virtual address of the access space contained in the data access request may be a GPA or a GVA.

As can be seen from the above, when the first memory management unit 302 determines, according to the virtual address of the access space contained in the data access request, that the virtual address points to the address domain of the IO slave device, it sends the data access request to the virtual address routing unit, which routes the request to the IO slave device to which the virtual address points. A data access operation can then be performed on the access space corresponding to the virtual address in the IO slave device, so that the IO master device can share the resources of the IO slave devices of the computer system. The whole data interaction requires no data migration by the processor in the computer system, which further improves the data interaction efficiency and reduces the load on the processor in the computer system.

In a specific implementation, as shown in FIG. 3, so that the IO slave device 3B can also access the system resources of the computer system 3C, the access control module 30 may further include a second memory management unit 306.

Correspondingly, the virtual address routing unit 305 is further adapted to route the access request to the second memory management unit 306 when it determines that the virtual address of the access space contained in the data access request points to the address domain of the computer system 3C;

the second memory management unit 306 is adapted to, upon receiving a data access request from the virtual address routing unit 305, obtain the virtual address of the access space contained in the data access request, convert the virtual address into the corresponding physical address, and send the data access request containing the physical address to the physical address routing unit 303.

The second memory management unit 306 may be an IOMMU or an MMU. For the specific operations that the physical address routing unit 303 performs on the data access request, refer to the description above; they are not repeated here.

As can be seen from the above, the virtual address routing unit determines where the virtual address of the access space contained in the data access request points, and only data access requests pointing to the computer system address domain are sent to the second memory management unit 306. This reduces the amount of computation performed by the second memory management unit 306 and the load on the processor 31 of the computer system 3C, and improves the data exchange efficiency between the IO virtual machine and the IO slave device 3B.

In a specific implementation, to improve access security, the first memory management unit 302 may also determine whether the sender of a received data access request has the corresponding access permission and perform the corresponding access control operation according to the result. Similarly, the second memory management unit may also determine whether the sender of a received data access request has the corresponding access permission and perform the corresponding access control operation according to the result.

The sender may be an IO virtual machine, an IO slave device, the processor of the computer system, and so on. When the sender of a received data access request does not have access permission, an alarm signal may be sent to the processor of the computer system, and the processor of the computer system interrupts the data access request. When the sender of a received data access request has access permission, subsequent operations such as address translation and forwarding of the data access request are performed according to the sender. For the operations corresponding to each sender, refer to the description above; they are not repeated here.
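The request flow described above (address-domain check, untranslated pass-through between the IO virtual machine and the IO slave device, translation with a permission check, then physical address routing) can be modeled in software as follows. This is an added illustration, not code from the patent: the address ranges, the function and type names, and the choice to keep a per-sender permission mask in the routing and mapping tables are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only: every address range and permission below is constructed. */
typedef enum { SRC_IO_VM, SRC_IO_SLAVE } source_t;              /* sender of the request */
typedef enum { DOM_IO_VM, DOM_IO_SLAVE, DOM_SYSTEM } domain_t;  /* domain a virtual address points to */
typedef enum { TGT_FAULT, TGT_MEMORY, TGT_IO_VM, TGT_IO_SLAVE } target_t;
#define BIT(s)   (1u << (s))
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

typedef struct { uint64_t base, len; domain_t dom; unsigned allowed; } va_route_t;
typedef struct { uint64_t va, len, pa; unsigned allowed; } map_t;
typedef struct { uint64_t base, len; target_t tgt; } pa_route_t;
typedef struct { target_t target; uint64_t addr; int translated; } result_t;

/* Virtual address routing table: which domain a window belongs to and,
   as an assumed policy store, which senders may reach it. */
static const va_route_t VA_ROUTES[] = {
    { 0x10000000ULL, 0x10000000ULL, DOM_IO_VM,    BIT(SRC_IO_SLAVE) },
    { 0x20000000ULL, 0x10000000ULL, DOM_IO_SLAVE, BIT(SRC_IO_VM) },
    { 0x80000000ULL, 0x40000000ULL, DOM_SYSTEM,   BIT(SRC_IO_VM) | BIT(SRC_IO_SLAVE) },
};
/* GPA -> HPA mappings used by the memory management units, with per-sender permission. */
static const map_t MAPS[] = {
    { 0x80000000ULL, 0x10000000ULL, 0x100000000ULL, BIT(SRC_IO_VM) | BIT(SRC_IO_SLAVE) },
    { 0x90000000ULL, 0x10000000ULL, 0x200000000ULL, BIT(SRC_IO_VM) },
};
/* Physical address routing table. */
static const pa_route_t PA_ROUTES[] = {
    { 0x100000000ULL, 0x200000000ULL, TGT_MEMORY },
};
static const result_t FAULT = { TGT_FAULT, 0, 0 };  /* stands for the alarm to the host processor */

static int in_range(uint64_t a, uint64_t base, uint64_t len) {
    return a >= base && a - base < len;   /* overflow-safe bounds check */
}

/* Memory management unit step: permission check, GPA -> HPA translation,
   then lookup in the physical address routing table. */
static result_t translate_and_route(source_t src, uint64_t va) {
    for (size_t i = 0; i < COUNT(MAPS); i++) {
        if (!in_range(va, MAPS[i].va, MAPS[i].len)) continue;
        if (!(MAPS[i].allowed & BIT(src))) return FAULT;   /* sender lacks access permission */
        uint64_t pa = MAPS[i].pa + (va - MAPS[i].va);
        for (size_t j = 0; j < COUNT(PA_ROUTES); j++)
            if (in_range(pa, PA_ROUTES[j].base, PA_ROUTES[j].len))
                return (result_t){ PA_ROUTES[j].tgt, pa, 1 };
        return FAULT;                                      /* no route for this physical address */
    }
    return FAULT;                                          /* unmapped address */
}

/* Full dispatch: decide which address domain the virtual address points to,
   then either pass the request through untranslated or translate and route it. */
result_t handle_request(source_t src, uint64_t va) {
    for (size_t i = 0; i < COUNT(VA_ROUTES); i++) {
        const va_route_t *r = &VA_ROUTES[i];
        if (!in_range(va, r->base, r->len)) continue;
        if (!(r->allowed & BIT(src))) return FAULT;
        switch (r->dom) {
        case DOM_IO_SLAVE: return (result_t){ TGT_IO_SLAVE, va, 0 }; /* IO VM -> slave, no translation */
        case DOM_IO_VM:    return (result_t){ TGT_IO_VM, va, 0 };    /* slave -> IO VM, no translation */
        default:           return translate_and_route(src, va);     /* computer system address domain */
        }
    }
    return FAULT;   /* address belongs to no known domain */
}

int main(void) {
    const struct { source_t s; uint64_t va; } reqs[] = {
        { SRC_IO_VM, 0x80001000ULL },    { SRC_IO_VM, 0x20000040ULL },
        { SRC_IO_SLAVE, 0x10000040ULL }, { SRC_IO_SLAVE, 0x90000000ULL },
    };
    for (size_t i = 0; i < COUNT(reqs); i++) {
        result_t r = handle_request(reqs[i].s, reqs[i].va);
        printf("src=%d va=0x%llx -> target=%d addr=0x%llx translated=%d\n",
               (int)reqs[i].s, (unsigned long long)reqs[i].va, (int)r.target,
               (unsigned long long)r.addr, r.translated);
    }
    return 0;
}
```

The two pass-through cases return the virtual address unchanged, which is why the model still applies a permission check before them: those requests never reach a translation step that could reject them.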

The embodiments of this specification also provide a virtual machine monitor that can manage the IO master devices and slave devices connected to the computer system. To help those skilled in the art better understand and implement the virtual machine monitor of this specification, it is described in detail below with reference to the accompanying drawings.

Referring to the schematic structural diagram of a virtual machine monitor in an embodiment of this specification shown in FIG. 4, the virtual machine monitor 40 may include a first memory management unit 41 and a physical address routing unit 42, wherein:

the first memory management unit 41 is adapted to, upon receiving a data access request from the first IO interface 4A, convert the virtual address of the access space contained in the data access request into the corresponding physical address and send the data access request containing the physical address to the physical address routing unit 42;

the physical address routing unit 42 is adapted to route the data access request to the corresponding access space according to the physical address contained in the received data access request;

wherein the first IO interface 4A is the communication interface between the IO master device 4B and the computer system 4S, and the IO master device 4B forms an IO virtual machine by establishing an association relationship with a first virtual machine (not shown) preset in the computer system 4S; the virtual address is an address in the address domain of the IO virtual machine, and the physical address is an address in the address domain of the computer system 4S.

The types of the virtual address and the physical address may be selected according to actual requirements. For example, the type of the virtual address may be GPA, and the type of the physical address may be HVA or HPA.

It can be understood that the physical address routing unit 42 may be configured according to the hardware structure of the computer system 4S. Using different physical address routing tables, the physical address routing unit 42 can determine different routing paths and thereby route the data access request to the corresponding device in the computer system 4S, such as a processor, a memory, a network card or a graphics card. The embodiments of this specification do not limit the specific content of the physical address routing table.

With the above virtual machine monitor, the IO virtual machine can actively initiate data access requests. By flexibly setting the address mapping relationship in the first memory management unit 41, the virtual address of the access space in a data access request is not restricted by the address translation space, and the IO virtual machine can use all resources of the computer system 4S. This reduces the operations that the processor of the computer system 4S performs on the IO master device 4B, which in turn reduces the load on the processor of the computer system 4S and improves the data exchange efficiency between the IO master device 4B and the computer system 4S.

In a specific implementation, to improve the data exchange efficiency between IO devices, the virtual machine monitor can examine the virtual address of the access space contained in a data access request to determine whether it points to an IO device address domain or to the computer system address domain, and perform different operations accordingly. This is described in detail below through specific embodiments.

In a specific embodiment of this specification, as shown in FIG. 4, the virtual machine monitor 40 may further include a virtual address routing unit 43, wherein:

the virtual address routing unit 43 is adapted to, upon receiving a data access request from the second IO interface 4C, obtain the virtual address of the access space contained in the data access request and, when it determines that the virtual address points to the address domain of the IO virtual machine, route the data access request to the first memory management unit 41;

correspondingly, the first memory management unit 41 is further adapted to, upon receiving a data access request from the virtual address routing unit, obtain the virtual address of the access space contained in the data access request and send the data access request to the IO virtual machine to which the virtual address points, so that a data access operation is performed on the access space corresponding to the virtual address in that IO virtual machine;

wherein, as shown in FIG. 4, the second IO interface 4C is the communication interface between the IO slave device 4D and the computer system 4S. The type of the virtual address of the access space contained in the data access request may be GPA or GVA.

In a specific implementation, the IO slave device 4D connected to the computer system can be shared by virtual machines through a VF. The IO slave device 4D can establish an association relationship, through the VF, with the virtual machine designated by the VF. To distinguish the virtual machine designated by the VF from other virtual machines, it may be called the second virtual machine. The second virtual machine can set the address mapping relationship in the virtual address routing unit 43 to obtain the corresponding virtual address routing table.

因此,当所述IO从设备的VF被分配到IO虚拟机后,IO虚拟机可以对虚拟地址路由单元43中的虚拟地址路由表进行设定,使所述虚拟地址路由表包括IO虚拟机地址域和IO从设备地址域的映射关系,进而可以实现IO从设备对IO虚拟机的直接访问。Therefore, after the VF of the IO slave device is assigned to the IO virtual machine, the IO virtual machine can set the virtual address routing table in the virtualaddress routing unit 43, so that the virtual address routing table includes the IO virtual machine address The mapping relationship between domains and IO slave device address domains can realize direct access of IO slave devices to IO virtual machines.

作为一具体示例,在所述虚拟地址路由单元43确定所述虚拟地址指向所述IO虚拟机地址域时,直接将所述数据访问请求发送至第一内存管理单元41,第一内存管理单元41在确定包含所述访问空间的IO虚拟机后,直接将所述数据访问请求发送至包含所述访问空间的IO虚拟机,由此,IO从设备与IO虚拟机之间的访问可以不用进行虚拟地址与物理地址之间的转换操作,也无需计算机系统中的处理器(图中未示出)发送相应的指令或进行数据迁移操作,因此可以减小计算机系统的处理器的负荷。As a specific example, when the virtualaddress routing unit 43 determines that the virtual address points to the IO virtual machine address domain, the data access request is directly sent to the first memory management unit 41, and the first memory management unit 41 After determining the IO virtual machine that contains the access space, the data access request is directly sent to the IO virtual machine that contains the access space, so that the access between the IO slave device and the IO virtual machine does not need to be virtualized. The conversion operation between the address and the physical address does not require the processor (not shown in the figure) in the computer system to send corresponding instructions or perform data migration operations, so the load on the processor of the computer system can be reduced.

此外,所述IO从设备4D与IO虚拟机可以使用相同的地址域,以便于第一内存管理单元41判断哪个IO虚拟机对应所述访问空间。In addition, theIO slave device 4D and the IO virtual machine can use the same address domain, so that the first memory management unit 41 can determine which IO virtual machine corresponds to the access space.

采用上述虚拟机监视器,通过所述虚拟地址路由单元可以确定所述虚拟地址指向所述IO虚拟机地址域,使得所述第一内存管理单元可以通过所述虚拟地址查询到对应的IO虚拟机,对所述IO虚拟机中所述虚拟地址对应的访问空间进行数据访问操作,由此,可以将所述IO从设备的数据访问请求直接发送至对应的IO虚拟机,无需进行虚拟地址与物理地址之间的转换,也无需计算机系统的处理器参与数据交互,因此可以减轻计算机系统中处理器的负荷,提高IO设备之间的数据交换效率。Using the above virtual machine monitor, the virtual address routing unit can determine that the virtual address points to the IO virtual machine address field, so that the first memory management unit can query the corresponding IO virtual machine through the virtual address , performing a data access operation on the access space corresponding to the virtual address in the IO virtual machine, so that the data access request of the IO slave device can be directly sent to the corresponding IO virtual machine without performing virtual address and physical The conversion between addresses does not require the processor of the computer system to participate in data interaction, so the load on the processor in the computer system can be reduced, and the efficiency of data exchange between IO devices can be improved.

In other specific embodiments of this specification, the IO virtual machine can access the IO slave device. As shown in FIG. 4, the first memory management unit 41 is further adapted to, before converting the virtual address of the access space contained in the data access request into the corresponding physical address, send the data access request to the virtual address routing unit 43 upon determining, from the virtual address of the access space contained in the data access request, that the virtual address points to the IO slave device address domain;

The virtual address routing unit 43 is further adapted to, upon receiving a data access request from the first memory management unit 41, route the data access request, according to the virtual address of the access space contained in it, to the IO slave device pointed to by the virtual address, so as to perform a data access operation on the access space corresponding to the virtual address in the IO slave device.

Here, the virtual address of the access space contained in the data access request may be a GPA or a GVA.

As the above virtual machine monitor embodiment shows, when the first memory management unit determines, from the virtual address of the access space contained in the data access request, that the virtual address points to the IO slave device address domain, it sends the data access request to the virtual address routing unit, which routes the request to the IO slave device pointed to by the virtual address, so that a data access operation can be performed on the access space corresponding to the virtual address in the IO slave device. The IO master device can thereby share the resources of the IO slave devices of the computer system, and the whole data exchange requires no data migration by the processor in the computer system, which further improves data exchange efficiency and reduces the load on the processor in the computer system.

In a specific implementation, as shown in FIG. 4, so that the IO slave device 4D can also access other resources of the computer system, the virtual machine monitor 40 may further include a second memory management unit 44:

The virtual address routing unit 43 is further adapted to route the access request to the second memory management unit 44 upon determining that the virtual address of the access space contained in the data access request points to the computer system address domain;

The second memory management unit 44 is adapted to, upon receiving a data access request from the virtual address routing unit 43, obtain the virtual address of the access space contained in the data access request, convert the virtual address into the corresponding physical address, and send the data access request containing the physical address to the physical address routing unit 42.

Here, the second memory management unit 44 may be an IOMMU or an MMU; for the specific operation of the physical address routing unit 42 on the data access request, refer to the description above, which is not repeated here.

As can be seen from the above, the virtual address routing unit determines where the virtual address of the access space contained in the data access request points and sends only the data access requests that point to the computer system address domain to the second memory management unit, which reduces the computation performed by the second memory management unit and the load on the processor in the computer system, and improves the efficiency of data exchange between IO devices.

In a specific implementation, to improve access security, the first memory management unit 41 may also determine whether the sender of a received data access request has the corresponding access permission, and perform the corresponding access control operation according to the result. Similarly, the second memory management unit 44 may also determine whether the sender of a received data access request has the corresponding access permission, and perform the corresponding access control operation according to the result.

Here, the sender may be an IO virtual machine, an IO slave device, a processor of the computer system, and so on. When the sender of a received data access request does not have access permission, an alarm signal can be sent to the processor of the computer system, and the processor of the computer system interrupts the data access request. When the sender of a received data access request has access permission, the subsequent operations, such as address translation and forwarding of the data access request, are performed according to the sender of the request; for the operations corresponding to each sender, refer to the description above, which is not repeated here.

The embodiments of this specification also provide an access control method. To enable those skilled in the art to better understand and implement the method in this specification, it is described in detail below with reference to the accompanying drawings.

Referring to the flowchart of an access control method in an embodiment of this specification shown in FIG. 5, in an embodiment of this specification the method may include:

S51: the first memory management unit receives a data access request from the first IO interface.

Here, the first IO interface serves as the communication interface between the IO master device and the computer system, and the IO master device forms an IO virtual machine by establishing an association with a first virtual machine preset in the computer system.

In a specific implementation, one or more virtual machines may run on the computer system, from which a virtual machine can be selected to establish an association with the IO master device. For ease of description, the virtual machine that establishes an association with the IO master device is referred to as the first virtual machine. When the IO master device is connected to the computer system through the preset communication interface, the first virtual machine can share resources with the IO master device, and the processor of the IO master device can serve as a coprocessor of the first virtual machine, so that the resources of the IO master device's processor can be fully utilized.

In practical applications, if multiple virtual machines are selected as first virtual machines, a corresponding IO interface can be assigned to each first virtual machine, and each IO interface can be connected to a corresponding external IO master device. When an IO master device is connected to the computer system through the corresponding IO interface, each first virtual machine can first determine whether the IO interface to which the IO master device is connected is its assigned communication interface, and if so, it can form an IO virtual machine with that IO master device.

In this way, the processor of the IO master device can be used as a coprocessor of the first virtual machine, and the IO master device can share the resources of the computer system with the virtual machines running on the computer system, thereby forming an IO virtual machine.

It can be understood that, in practical applications, the preset communication interface between the IO master device and the computer system may be called the first IO interface, and the number of first IO interfaces is determined by the number of IO virtual machines required; the embodiments of this specification do not limit the type or number of first IO interfaces.

S52: the first memory management unit converts the virtual address of the access space contained in the data access request into the corresponding physical address, and sends the data access request containing the physical address to the physical address routing unit.

In a specific implementation, the first IO interface is also connected to the first memory management unit. The first memory management unit may be a memory management unit controlled by the virtual machine monitor that acts as the MMU of the IO virtual machine and manages address translation for the IO virtual machine's accesses.

Here, the virtual address may be an address in the IO virtual machine address domain, and the physical address may be an address in the computer system address domain. It can be understood that the types of the virtual address and the physical address may be selected according to actual requirements; for example, the type of the virtual address may be GPA, and the type of the physical address may be HVA or HPA.

S53: the physical address routing unit routes the data access request to the corresponding access space according to the physical address contained in the received data access request.

In a specific implementation, a physical address routing table may be preset in the physical address routing unit. The physical address routing unit queries the physical address routing table with the physical address contained in the received data access request to obtain the routing destination address, and routes the data access request to the corresponding access space in the computer system, thereby using the resources of the computer system.

It can be understood that the physical address routing can be set according to the hardware structure of the computer system. Through different physical address routing tables, the physical address routing unit can determine different routing paths and thereby route the data access request to the corresponding device in the computer system, such as a processor, memory, network card or graphics card. The embodiments of this specification do not limit the specific content of the physical address routing table.

With the above scheme, establishing an association between the IO master device and the preset first virtual machine allows the processor of the IO master device to serve as a coprocessor of the first virtual machine, so that the IO master device can act as a virtual machine of the computer system, forming an IO virtual machine that shares resources with the computer system and can use all the resources in the computer system. Moreover, the IO virtual machine can actively initiate data access requests; by flexibly setting the address mapping relationship in the memory management unit, the virtual address of the access space in a data access request is not restricted by the address translation space. Data exchange between the IO master device and the CPU requires no operation by the processor in the computer system, which reduces the load on the processor in the computer system and improves the efficiency of data exchange between the IO master device and the computer system.

In a specific implementation, as shown in FIG. 5, before step S52 the access control method may further include:

S54: the first memory management unit obtains the virtual address of the access space contained in the data access request.

S55: the first memory management unit determines whether the virtual address points to the IO slave device address domain; if so, step S56 is executed, otherwise step S52 is executed.

S56: the first memory management unit sends the data access request to the virtual address routing unit.

S57: upon receiving the data access request from the first memory management unit, the virtual address routing unit routes the data access request, according to the virtual address of the access space contained in it, to the IO slave device pointed to by the virtual address.

As can be seen from the above, the first memory management unit can determine that the virtual address points to the IO slave device address domain, so that the virtual address routing unit can look up the corresponding access space by the virtual address and then determine the IO slave device that contains that access space. The data access request of the IO virtual machine can thus be sent directly to the corresponding IO slave device, with no conversion between virtual and physical addresses and without the processor of the computer system issuing commands or performing data migration, which reduces the load on the processor in the computer system and improves the efficiency of data exchange between the IO master device and the IO slave device.

In a specific implementation, FIG. 6 shows a flowchart of another access control method; the access control method may further include:

S61: upon receiving a data access request from the second IO interface, the virtual address routing unit obtains the virtual address of the access space contained in the data access request.

S62: upon determining that the virtual address points to the IO virtual machine address domain, the virtual address routing unit sends the data access request to the first memory management unit.

S63: upon receiving the data access request from the virtual address routing unit, the first memory management unit obtains the virtual address of the access space contained in the data access request and sends the data access request to the IO virtual machine that contains the access space.

Here, the second IO interface serves as the communication interface between the IO slave device and the computer system.

As can be seen from the above, the virtual address routing unit determines that the virtual address points to the IO virtual machine address domain, so that the first memory management unit can look up the corresponding IO virtual machine by the virtual address and perform a data access operation on the access space corresponding to the virtual address in that IO virtual machine. The data access request of the IO slave device can thus be sent directly to the corresponding IO virtual machine, with no conversion between virtual and physical addresses and without the processor of the computer system taking part in the data exchange, which reduces the load on the processor in the computer system and improves the efficiency of data exchange between IO devices.

In a specific implementation, as shown in FIG. 6, after step S61 the access control method may further include:

S64: upon determining that the virtual address points to the computer system address domain, the virtual address routing unit sends the access request to the second memory management unit.

S65: upon receiving the data access request from the virtual address routing unit, the second memory management unit obtains the virtual address of the access space contained in the data access request, converts the virtual address into the corresponding physical address, and sends the data access request containing the physical address to the physical address routing unit.

Here, the second memory management unit may be an IOMMU or an MMU; for the specific operation of the physical address routing unit on the data access request, refer to the description above, which is not repeated here.

As can be seen from the above, the virtual address routing unit determines where the virtual address of the access space contained in the data access request points and sends only the data access requests that point to the computer system address domain to the second memory management unit, which reduces the computation performed by the second memory management unit and the load on the processor in the computer system, and also improves the efficiency of data exchange between the IO master device and the IO slave device.
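The dispatch decisions of steps S51 to S57 and S61 to S65 above, modelled as an added C example that is not code from the patent. The address ranges, translation entries, type and function names, and the DST_REJECT outcome for addresses that match no table entry are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Address domains named in the description. All ranges below are constructed. */
typedef enum { DOM_NONE, DOM_IO_VM, DOM_IO_SLAVE, DOM_SYSTEM } domain_t;
/* Entry point: first IO interface (IO master / IO VM) or second (IO slave). */
typedef enum { SRC_FIRST_IO, SRC_SECOND_IO } source_t;
/* Final destination. DST_REJECT is an assumption of this sketch. */
typedef enum { DST_IO_VM, DST_IO_SLAVE, DST_PHYS_ROUTER, DST_REJECT } dest_t;

typedef struct { uint64_t base, size; domain_t dom; } va_range_t;
typedef struct { uint64_t va_base, size, pa_base; } xlate_t;
typedef struct { source_t src; uint64_t addr; int translated; } request_t;

/* Virtual address routing table (constructed layout). */
static const va_range_t va_route_table[] = {
    { 0x10000000ULL, 0x10000000ULL, DOM_IO_VM    },
    { 0x20000000ULL, 0x01000000ULL, DOM_IO_SLAVE },
    { 0x80000000ULL, 0x40000000ULL, DOM_SYSTEM   },
};
/* Translation entries of the first and second MMU (constructed). */
static const xlate_t mmu1_map[] = { { 0x10000000ULL, 0x10000000ULL, 0x100000000ULL } };
static const xlate_t mmu2_map[] = { { 0x80000000ULL, 0x40000000ULL, 0x200000000ULL } };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Overflow-safe range test: base + size is never computed. */
static int in_range(uint64_t addr, uint64_t base, uint64_t size) {
    return addr >= base && addr - base < size;
}

/* Which address domain does a virtual address point to? */
static domain_t classify(uint64_t va) {
    for (size_t i = 0; i < COUNT(va_route_table); i++)
        if (in_range(va, va_route_table[i].base, va_route_table[i].size))
            return va_route_table[i].dom;
    return DOM_NONE;
}

/* Virtual-to-physical translation; on a miss the request is left untouched. */
static int translate(const xlate_t *map, size_t n, request_t *req) {
    for (size_t i = 0; i < n; i++)
        if (in_range(req->addr, map[i].va_base, map[i].size)) {
            req->addr = map[i].pa_base + (req->addr - map[i].va_base);
            req->translated = 1;
            return 0;
        }
    return -1;
}

/* First memory management unit. */
static dest_t first_mmu(request_t *req) {
    if (req->src == SRC_SECOND_IO)            /* S63: handed over by the VA router, */
        return DST_IO_VM;                     /* forwarded without translation      */
    if (classify(req->addr) == DOM_IO_SLAVE)  /* S55-S57: via the VA router to the  */
        return DST_IO_SLAVE;                  /* slave, no translation              */
    if (translate(mmu1_map, COUNT(mmu1_map), req) == 0)   /* S52 */
        return DST_PHYS_ROUTER;               /* S53 */
    return DST_REJECT;                        /* unmapped: assumption */
}

/* Second memory management unit (S65). */
static dest_t second_mmu(request_t *req) {
    return translate(mmu2_map, COUNT(mmu2_map), req) == 0 ? DST_PHYS_ROUTER
                                                          : DST_REJECT;
}

/* Virtual address routing unit, for requests from the second IO interface. */
static dest_t va_router(request_t *req) {
    switch (classify(req->addr)) {
    case DOM_IO_VM:  return first_mmu(req);   /* S61-S63 */
    case DOM_SYSTEM: return second_mmu(req);  /* S64-S65 */
    default:         return DST_REJECT;       /* assumption */
    }
}

/* Entry point: dispatch on the interface the request arrived at. */
dest_t route(request_t *req) {
    req->translated = 0;
    return req->src == SRC_FIRST_IO ? first_mmu(req) : va_router(req);
}

int main(void) {
    static const char *names[] = { "IO VM", "IO slave", "physical address router", "reject" };
    request_t samples[] = {                   /* constructed requests */
        { SRC_FIRST_IO,  0x20000010ULL, 0 },
        { SRC_FIRST_IO,  0x10002000ULL, 0 },
        { SRC_SECOND_IO, 0x10002000ULL, 0 },
        { SRC_SECOND_IO, 0x80001000ULL, 0 },
        { SRC_SECOND_IO, 0x20000010ULL, 0 },
    };
    for (size_t i = 0; i < COUNT(samples); i++) {
        dest_t d = route(&samples[i]);
        printf("src=%d -> %s, addr=0x%llx%s\n", (int)samples[i].src, names[d],
               (unsigned long long)samples[i].addr,
               samples[i].translated ? " (physical)" : " (virtual)");
    }
    return 0;
}
```

Only the two paths that end at the physical address routing unit rewrite the address; the IO VM to IO slave and IO slave to IO VM paths keep the virtual address, which is why the correctness of the virtual address routing table matters as much for isolation as the MMU mappings do.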

Although the embodiments of this specification are disclosed above, the present invention is not limited thereto. Any person skilled in the art may make various changes and modifications without departing from the spirit and scope of the embodiments of this specification; the scope of protection of the present invention shall therefore be that defined by the claims.

Claims (14)

Translated from Chinese

1. An access control module, characterized by comprising a first IO interface, a first memory management unit and a physical address routing unit, wherein:

the first IO interface serves as a communication interface between an IO master device and a computer system, the IO master device forming an IO virtual machine by establishing an association with a first virtual machine preset in the computer system, wherein the processor of the IO master device serves as a coprocessor of the first virtual machine;

the first memory management unit is adapted to, upon receiving a first data access request from the first IO interface, determine whether a first virtual address of a first access space contained in the first data access request points to an address domain of an IO slave device, the IO slave device being communicatively connected to the computer system, and, if not, convert the first virtual address of the first access space contained in the first data access request into a corresponding physical address and send the first data access request containing the physical address to the physical address routing unit; wherein the first virtual address is an address in the address domain of the IO virtual machine, and the physical address is an address in the computer system address domain;

the physical address routing unit is adapted to route the first data access request to the corresponding first access space according to the physical address contained in the received first data access request.

2. The access control module according to claim 1, characterized by further comprising a second IO interface and a virtual address routing unit, wherein:

the second IO interface serves as a communication interface between the IO slave device and the computer system;

the virtual address routing unit is adapted to, upon receiving a second data access request from the second IO interface, obtain a second virtual address of a second access space contained in the second data access request and, upon determining that the second virtual address points to the address domain of the IO virtual machine, route the second data access request to the first memory management unit;

the first memory management unit is further adapted to, upon receiving the second data access request, obtain the second virtual address and send the second data access request via the first IO interface to the IO virtual machine pointed to by the second virtual address, so as to perform a data access operation on the second access space.

3. The access control module according to claim 2, characterized by further comprising a second memory management unit;

the virtual address routing unit is further adapted to send the second data access request to the second memory management unit upon determining that the second virtual address of the second access space contained in the second data access request points to the computer system address domain;

the second memory management unit is adapted to, upon receiving the second data access request, obtain the second virtual address, convert the second virtual address into a corresponding physical address, and send the second data access request containing the physical address to the physical address routing unit.

4. The access control module according to claim 1, characterized by further comprising a virtual address routing unit, the first memory management unit being further adapted to send the first data access request to the virtual address routing unit upon determining that the first virtual address of the first access space contained in the first data access request points to the address domain of the IO slave device;

the virtual address routing unit is adapted to, upon receiving the first data access request, route the first data access request, according to the first virtual address, to the IO slave device pointed to by the first virtual address.

5. The access control module according to any one of claims 2-4, characterized in that the IO slave device establishes, through a preset virtual function, an association with a second virtual machine designated by the virtual function, and the second virtual machine is adapted to set the address mapping relationship in the virtual address routing unit.

6. The access control module according to claim 3, characterized in that the first memory management unit is further adapted to determine whether the sender of a received data access request has the corresponding access permission and to perform the corresponding access control operation according to the determination result, the data access request comprising the first data access request from the first IO interface and the second data access request from the second IO interface.

7. A virtual machine monitor, characterized by comprising a first memory management unit and a physical address routing unit, wherein:

the first memory management unit is adapted to, upon receiving a first data access request from a first IO interface, determine whether a first virtual address of a first access space contained in the first data access request points to an address domain of an IO slave device, the IO slave device being communicatively connected to a computer system, and, if not, convert the first virtual address of the first access space contained in the first data access request into a corresponding physical address and send the first data access request containing the physical address to the physical address routing unit;

the physical address routing unit is adapted to route the first data access request to the corresponding access space according to the physical address contained in the received first data access request;

wherein the first IO interface is a communication interface between an IO master device and the computer system, the IO master device forming an IO virtual machine by establishing an association with a first virtual machine preset in the computer system, the processor of the IO master device serving as a coprocessor of the first virtual machine; the first virtual address is an address in the address domain of the IO virtual machine, and the physical address is an address in the computer system address domain.

8. The virtual machine monitor according to claim 7, characterized by further comprising a virtual address routing unit adapted to, upon receiving a second data access request from a second IO interface, obtain a second virtual address of a second access space contained in the second data access request and, upon determining that the second virtual address points to the address domain of the IO virtual machine, route the second data access request to the first memory management unit;

the first memory management unit is further adapted to, upon receiving the second data access request, obtain the second virtual address and send the second data access request via the first IO interface to the IO virtual machine pointed to by the second virtual address, so as to perform a data access operation on the second access space;

wherein the second IO interface is a communication interface between the IO slave device and the computer system.

9. The virtual machine monitor according to claim 8, characterized by further comprising a second memory management unit;

the virtual address routing unit is further adapted to send the second data access request to the second memory management unit upon determining that the second virtual address of the second access space contained in the second data access request points to the computer system address domain;

the second memory management unit is adapted to, upon receiving the second data access request, obtain the second virtual address, convert the second virtual address into a corresponding physical address, and send the second data access request containing the physical address to the physical address routing unit.

10. The virtual machine monitor according to claim 7, characterized by further comprising a virtual address routing unit, the first memory management unit being further adapted to send the first data access request to the virtual address routing unit upon determining that the first virtual address of the first access space contained in the first data access request points to the address domain of the IO slave device;

the virtual address routing unit is adapted to, upon receiving the first data access request, route the first data access request, according to the first virtual address, to the IO slave device pointed to by the first virtual address.

11. An access control method, characterized by being adapted to perform access control on devices accessing through an IO interface, the method comprising:

a first memory management unit receiving a first data access request from a first IO interface;

the first memory management unit determining whether a first virtual address of a first access space contained in the first data access request points to an address domain of an IO slave device, the IO slave device being communicatively connected to a computer system, and, if not, converting the first virtual address of the first access space contained in the first data access request into a corresponding physical address and sending the first data access request containing the physical address to a physical address routing unit;

the physical address routing unit routing the first data access request to the corresponding access space according to the physical address contained in the received first data access request;

wherein the first IO interface is a communication interface between an IO master device and the computer system, the IO master device forming an IO virtual machine by establishing an association with a first virtual machine preset in the computer system, the processor of the IO master device serving as a coprocessor of the first virtual machine; the first virtual address is an address in the address domain of the IO virtual machine, and the physical address is an address in the computer system address domain.

12.
The access control method according to claim 11, further comprising:虚拟地址路由单元在接收到来自第二IO接口的第二数据访问请求时,获取所述第二数据访问请求中包含的第二访问空间的第二虚拟地址;When the virtual address routing unit receives the second data access request from the second IO interface, obtains the second virtual address of the second access space included in the second data access request;所述虚拟地址路由单元在确定所述第二虚拟地址指向所述IO虚拟机的地址域时,将所述第二数据访问请求发送至所述第一内存管理单元;The virtual address routing unit sends the second data access request to the first memory management unit when determining that the second virtual address points to the address domain of the IO virtual machine;所述第一内存管理单元在接收到所述第二数据访问请求时,获取所述第二虚拟地址,并将所述第二数据访问请求经所述第一IO接口发送至所述第二虚拟地址所指向的IO虚拟机,以对所述第二访问空间进行数据访问操作;When the first memory management unit receives the second data access request, it obtains the second virtual address, and sends the second data access request to the second virtual address through the first IO interface. The IO virtual machine pointed to by the address, so as to perform a data access operation on the second access space;其中,所述第二IO接口为IO从设备与所述计算机系统的通信接口。Wherein, the second IO interface is a communication interface between the IO slave device and the computer system.13.根据权利要求12所述的访问控制方法,其特征在于,还包括:13. 
The access control method according to claim 12, further comprising:所述虚拟地址路由单元在确定所述第二虚拟地址指向所述计算机系统地址域时,将所述第二数据访问请求发送至第二内存管理单元;The virtual address routing unit sends the second data access request to a second memory management unit when determining that the second virtual address points to the computer system address domain;所述第二内存管理单元在接收到所述第二数据访问请求时,获取所述第二虚拟地址,将所述第二虚拟地址转换为相应的物理地址,并将包含所述物理地址的第二数据访问请求发送至所述物理地址路由单元。When receiving the second data access request, the second memory management unit acquires the second virtual address, converts the second virtual address into a corresponding physical address, and converts the second virtual address containing the physical address to Two data access requests are sent to the physical address routing unit.14.根据权利要求11所述的访问控制方法,其特征在于,所述第一内存管理单元在判断所述第一数据访问请求中包含的第一访问空间的第一虚拟地址指向IO从设备的地址域时,将所述第一数据访问请求发送至所述虚拟地址路由单元;14. The access control method according to claim 11, wherein the first memory management unit determines that the first virtual address of the first access space contained in the first data access request points to the IO slave device. address domain, sending the first data access request to the virtual address routing unit;所述虚拟地址路由单元在接收到所述第一数据访问请求时,根据所述第一虚拟地址,将所述第一数据访问请求路由至所述第一虚拟地址所指向的IO从设备。When receiving the first data access request, the virtual address routing unit routes the first data access request to the IO slave device pointed to by the first virtual address according to the first virtual address.
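The routing decisions of claims 11 to 14, with the permission check of claim 6, modeled in C as an added example (not code from the patent). The address windows, page tables, allow masks and the fail-closed denial of unmapped or unauthorized requests are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
enum source { SRC_IO_MASTER, SRC_IO_SLAVE };  /* first / second IO interface */
enum target { TO_PHYS_ROUTER, TO_IO_SLAVE, TO_IO_VM, DENIED };
struct result { enum target t; uint64_t addr; };
struct pte { uint64_t va_page, pa_page; unsigned allowed; };

/* Constructed layout (assumption): the claims give no concrete addresses. */
#define IO_VM_BASE    0x40000000ull  /* IO virtual machine address domain */
#define IO_SLAVE_BASE 0xC0000000ull  /* IO slave device address domain */
#define WINDOW_LEN    0x00100000ull
#define PAGE_MASK     0xFFFull
#define BIT(s)        (1u << (s))
#define N(t)          (sizeof(t) / sizeof((t)[0]))

/* Constructed tables. The slave-window entry carries only a permission:
 * requests to that window are forwarded untranslated (claim 14). */
static const struct pte mmu1[] = {
    { 0x40001000ull, 0x80005000ull, BIT(SRC_IO_MASTER) | BIT(SRC_IO_SLAVE) },
    { 0x40002000ull, 0x80006000ull, BIT(SRC_IO_MASTER) },  /* master only */
    { 0xC0000000ull, 0,             BIT(SRC_IO_MASTER) },  /* slave window */
};
static const struct pte mmu2[] = { { 0x00002000ull, 0x80009000ull, BIT(SRC_IO_SLAVE) } };

static int in_window(uint64_t va, uint64_t base) {
    return va >= base && va - base < WINDOW_LEN;
}
/* Find the page entry; NULL if unmapped or the sender lacks the right. */
static const struct pte *lookup(const struct pte *t, size_t n,
                                enum source s, uint64_t va) {
    for (size_t i = 0; i < n; i++)
        if (t[i].va_page == (va & ~PAGE_MASK) && (t[i].allowed & BIT(s)))
            return &t[i];
    return NULL;
}

struct result route(enum source s, uint64_t va) {
    const struct result denied = { DENIED, 0 };
    const struct pte *e;
    if (s == SRC_IO_SLAVE && !in_window(va, IO_VM_BASE)) {
        e = lookup(mmu2, N(mmu2), s, va);  /* VA router -> second MMU (claim 13) */
        if (!e) return denied;
        return (struct result){ TO_PHYS_ROUTER, e->pa_page | (va & PAGE_MASK) };
    }
    e = lookup(mmu1, N(mmu1), s, va);  /* first MMU, permission check (claim 6) */
    if (!e) return denied;             /* fail closed (assumption) */
    if (s == SRC_IO_SLAVE) return (struct result){ TO_IO_VM, va };  /* claim 12 */
    if (in_window(va, IO_SLAVE_BASE)) return (struct result){ TO_IO_SLAVE, va };
    return (struct result){ TO_PHYS_ROUTER, e->pa_page | (va & PAGE_MASK) };
}
```

A slave request aimed at the slave window itself is a case the claims do not address; here it falls through to the second MMU, finds no mapping and is denied.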
CN202010041831.9A | 2020-01-15 | 2020-01-15 | Access control module, virtual machine monitor and access control method | Active | CN111290829B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202010041831.9A | CN111290829B (en) | 2020-01-15 | 2020-01-15 | Access control module, virtual machine monitor and access control method

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202010041831.9A | CN111290829B (en) | 2020-01-15 | 2020-01-15 | Access control module, virtual machine monitor and access control method

Publications (2)

Publication Number | Publication Date
CN111290829A (en) | 2020-06-16
CN111290829B (en) | 2023-05-02

Family

ID=71023143

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202010041831.9A | Active | CN111290829B (en) | 2020-01-15 | 2020-01-15 | Access control module, virtual machine monitor and access control method

Country Status (1)

Country | Link
CN (1) | CN111290829B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113419810A (en)* | 2020-07-27 | 2021-09-21 | Alibaba Group Holding Limited | Data interaction method and device, electronic equipment and computer storage medium
CN116662224A (en)* | 2022-02-17 | 2023-08-29 | Huawei Technologies Co., Ltd. | Memory access method, device, storage medium and computer program product
CN115185643A (en)* | 2022-07-22 | 2022-10-14 | Horizon Journey (Hangzhou) Artificial Intelligence Technology Co., Ltd. | Access control method, apparatus, computer-readable storage medium, and electronic device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102498478A (en)* | 2009-07-24 | 2012-06-13 | Advanced Micro Devices, Inc. | IOMMU using two-level address translation for I/O and computation offload devices on a peripheral interconnect
CN107209681A (en)* | 2015-10-21 | 2017-09-26 | Huawei Technologies Co., Ltd. | A storage device access method, device and system
CN109800050A (en)* | 2018-11-22 | 2019-05-24 | Hygon Information Technology Co Ltd | A memory management method, device, related equipment and system for a virtual machine

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US10048881B2 (en)* | 2016-07-11 | 2018-08-14 | Intel Corporation | Restricted address translation to protect against device-TLB vulnerabilities

Also Published As

Publication number | Publication date
CN111290829A (en) | 2020-06-16

Similar Documents

Publication | Publication Date | Title
US20240193106A1 (en) |  | Cross Address-Space Bridging
US9734096B2 (en) |  | Method and system for single root input/output virtualization virtual functions sharing on multi-hosts
CN107783913B (en) |  | Resource access method applied to computer and computer
US9298642B2 (en) |  | Sharing address translation between CPU and peripheral devices
US7702826B2 (en) |  | Method and apparatus by utilizing platform support for direct memory access remapping by remote DMA ("RDMA")-capable devices
US7552298B2 (en) |  | Method and system for deferred pinning of host memory for stateful network interfaces
CN102110196B (en) |  | Method and system for safely transmitting data among parallel-running multiple user operating systems
US20180329828A1 (en) |  | Kernel-assisted inter-process data transfer
CN111290829B (en) |  | Access control module, virtual machine monitor and access control method
US10713081B2 (en) |  | Secure and efficient memory sharing for guests
US11003585B2 (en) |  | Determining affinity domain information based on virtual memory address
US10331591B2 (en) |  | Logical-to-physical block mapping inside the disk controller: accessing data objects without operating system intervention
CN106445628A (en) |  | Virtualization method, apparatus and system
US10013199B2 (en) |  | Translation bypass by host IOMMU for systems with virtual IOMMU
US11150928B2 (en) |  | Hypervisor translation bypass
US10140214B2 (en) |  | Hypervisor translation bypass by host IOMMU with virtual machine migration support
US20240012684A1 (en) |  | Memory disaggregation method, computing system implementing the method
US10671419B2 (en) |  | Multiple input-output memory management units with fine grained device scopes for virtual machines
CN117056272A (en) |  | Inter-core communication method and device of system on chip, storage medium and electronic equipment
CN119806749A (en) |  | A method for address mapping in DPU local storage virtualization
TW202416145A (en) |  | Apparatus and method for controlling a pooled memory device or a memory expander
CN116126455A (en) |  | Data processing method, computing device and storage medium of a virtual machine
US12423132B2 (en) |  | Efficient queue shadowing for virtual machines
CN113326213B (en) |  | Method for realizing address mapping in driver under Feiteng server platform
WO2025180121A1 (en) |  | Memory access method and apparatus, computer device, and storage medium

Legal Events

Date | Code | Title | Description
PB01 | Publication
SE01 | Entry into force of request for substantive examination
CB02 | Change of applicant information

Address after: 300384 Tianjin Binhai New Area Tianjin Huayuan Industrial Zone No. 18 Haitai West Road North 2-204 Industrial Incubation-3-8

Applicant after: Haiguang Information Technology Co.,Ltd.

Address before: 300384 Tianjin Binhai New Area Tianjin Huayuan Industrial Zone No. 18 Haitai West Road North 2-204 Industrial Incubation-3-8

Applicant before: HAIGUANG INFORMATION TECHNOLOGY Co.,Ltd.

GR01 | Patent grant
