Embodiments described herein relate generally to a memory system, a controller, and a method.
In evaluating the performance of a solid-state drive (SSD), the data transmission rate between the SSD and a host is an important factor. In a self-encrypting drive (SED), which encrypts data using a method based on the Advanced Encryption Standard (AES), data is encrypted and decrypted on the basis of the AES, and this processing delays data transmission. It is necessary to reduce the delay in order to increase the data transmission rate with the host.
In general, according to one embodiment, a memory system which can be connected to a host includes a non-volatile memory and a controller that controls the non-volatile memory. The controller includes a first conversion unit. The first conversion unit includes a first key output unit, a plurality of first cores that perform encryption, a first sequencer, and a second sequencer. The first sequencer sequentially acquires first data as a plurality of second data items with a first size and third data. The first data is data received from the host. The third data has a second size less than the first size and is acquired last. The first sequencer causes the first key output unit to output a first key for encrypting the first data. The first sequencer distributes the plurality of second data items sequentially to the plurality of first cores. The first sequencer distributes the third data to the same first core as that to which fourth data is distributed. The fourth data is data acquired immediately before the third data. The first sequencer, before the encryption of the third data is completed, starts acquiring fifth data which is received from the host following the first data, and causes the first key output unit to output a first key for encrypting the fifth data. The second sequencer collects data encrypted by each of the plurality of first cores. The controller transmits the data collected by the second sequencer to the non-volatile memory.
Exemplary embodiments of a controller and a method will be explained below in detail with reference to the accompanying drawings. The present invention is not limited to the following embodiments.
In this embodiment, data is encrypted and decrypted by an AES method. However, the encryption/decryption method is not limited to the AES.
The memory system 1 includes a controller 10 and a memory chip (NAND memory) 20 including a NAND flash memory. An arbitrary number of NAND memories 20 are provided in the memory system 1. The plurality of NAND memories 20 and the controller 10 have any connection relation therebetween. In the example illustrated in
The NAND memory 20 functions as a storage which stores data from the host 2. In addition, a storage device other than the NAND flash memory can be used as the storage. For example, a magnetoresistive random access memory (MRAM), a resistance random access memory (ReRAM), or a magnetic disk can be used as the storage. The memory system 1 includes an arbitrary number of NAND memories 20.
The controller 10 controls each NAND memory 20. The controller 10 transmits data between the host 2 and each NAND memory 20 as a part of the control. Specifically, the controller 10 stores data transmitted from the host 2 in each NAND memory 20, or it reads data from each NAND memory 20 and transmits the read data to the host 2.
The controller 10 includes a host interface (host I/F) 11, a NAND controller (NANDC) 12, a first AES unit (first conversion unit) 13, a second AES unit (second conversion unit) 14, a central processing unit (CPU) 15, a CPU 16, and a CPU 17.
The host I/F 11 communicates with the host 2 through the communication path 3 under the control of the CPU 15. The host I/F 11 can receive data transmitted from the host 2 to an embedded buffer 111. In addition, the host I/F 11 can transmit, to the host 2, data which has been requested by a read command from the host 2 and then read from the NAND memory 20.
The first AES unit 13 reads data from the buffer 111 and encrypts the read data using an encryption method based on the AES. The first AES unit 13 transmits the encrypted data to the NANDC 12.
The NANDC 12 transmits the encrypted data received from the first AES unit 13 to each NAND memory 20 under the control of the CPU 17. In addition, the NANDC 12 reads data which is requested by the read command from the host 2 from each NAND memory 20 and stores the read data in an embedded buffer 121. The data which is read from each NAND memory 20 and then stored in the buffer 121 is encrypted data.
The second AES unit 14 reads data from the buffer 121 and decrypts the read data. The second AES unit 14 transmits the decrypted data to the host I/F 11. The host I/F 11 transmits the decrypted data transmitted from the second AES unit 14 to the host 2.
The CPU 16 sets the operation mode of the AES units 13 and 14 while the AES units 13 and 14 do not operate and sets a key for encryption and decryption. In the AES, a key common to encryption and decryption is used. The key for encryption and decryption is referred to as an encryption key.
The process of each AES core 135 requires a predetermined time corresponding to, for example, a size of the encryption key. In order to reduce the time required for the process of each AES core 135 as much as possible, the first sequencer 131 divides the data read from the buffer 111 into a plurality of unit data items and distributes the unit data items to different AES cores 135. The second sequencer 132 collects the encrypted unit data output from each AES core 135 and sequentially transmits the collected encrypted unit data to the NANDC 12. Each unit data item has, for example, a size which can be transmitted by a clock signal of a predetermined cycle (for example, one cycle).
It is assumed that a header is attached to each unit of data called a sector (sector data), and that each sector data item is stored in the buffer 111. The sector data is larger than the unit data. The header includes an LBA indicating the initial address of the storage position of the sector data.
When the header is read from the buffer 111, the first sequencer 131 extracts address information included in the header. Then, the first sequencer 131 inputs the extracted address information and a band ID search request (Req) to the band ID checker 133.
The band ID checker 133 searches for a band ID in response to the band ID search request and outputs the found band ID. The band ID is the search key that the key table unit 134 uses to look up the encryption key. It is assumed that the address space is divided into a plurality of sections and that a different band ID is set for each section in the band ID checker 133. That is, the band ID checker 133 determines the section that includes the address information in the band ID search request and inputs the band ID corresponding to the determined section to the key table unit 134.
The key table unit 134 stores the encryption key for each band ID in advance. The key table unit 134 searches for the encryption key using the band ID input from the band ID checker 133 as a search key and commonly inputs a found encryption key to each AES core 135.
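The lookup chain described above (header LBA, then band ID, then encryption key) can be modelled in a few lines. This is an added example, not code from the patent: the class names, the section boundaries, the placeholder keys, and the assumption that the last section extends to the end of the address space are all constructed for illustration.

```python
import bisect


class BandIDChecker:
    """Maps an LBA to the band ID of the address-space section containing it."""

    def __init__(self, section_starts):
        # section_starts[i] is the first LBA of band i (assumed layout).
        # Starting at 0 and strictly increasing guarantees that the sections
        # partition the address space with no gap and no overlap.
        if not section_starts or section_starts[0] != 0:
            raise ValueError("sections must cover the address space from LBA 0")
        if any(a >= b for a, b in zip(section_starts, section_starts[1:])):
            raise ValueError("section start addresses must be strictly increasing")
        self._starts = list(section_starts)

    def search(self, lba):
        if lba < 0:
            raise ValueError("negative LBA")
        # Index of the last section whose start address is <= lba.
        return bisect.bisect_right(self._starts, lba) - 1


class KeyTable:
    """Stores one encryption key per band ID, set up in advance."""

    def __init__(self, keys_by_band):
        self._keys = dict(keys_by_band)

    def lookup(self, band_id):
        # Fail closed: a band without a key must never fall back to another key.
        if band_id not in self._keys:
            raise LookupError(f"no encryption key stored for band {band_id}")
        return self._keys[band_id]


def key_for_header(lba, checker, table):
    """Header LBA -> band ID -> key that is input commonly to every AES core."""
    return table.lookup(checker.search(lba))


# Constructed sample configuration: three bands and placeholder 256-bit keys.
CHECKER = BandIDChecker([0x0000, 0x1000, 0x8000])
TABLE = KeyTable({band: bytes([0xA0 + band]) * 32 for band in range(3)})
```

Because the key is selected from the header LBA alone, two sectors on either side of a section boundary are encrypted under different keys even when they arrive back to back.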
In each AES core 135, the key calculation unit 136 expands the encryption key input from the key table unit 134. The key calculation unit 136 inputs the expanded encryption key (expanded key) to the encryption unit 137.
The encryption unit 137 encrypts an initialization vector using the expanded key input from the key calculation unit 136. The initialization vector is set to the encryption unit 137 in advance. The encryption unit 137 encrypts the unit data input from the first sequencer 131 using the encrypted initialization vector. The encrypted unit data is collected by the second sequencer 132.
In some cases, 10 AES cores 135 are identified by numbers, as AES core #1 to AES core #10. In addition, in some cases, the unit data items forming the sector data are identified by numbers, as Data #1 and Data #2. In the example illustrated in
First, the first sequencer 131 acquires the header from the buffer 111 and inputs the band ID search request to the band ID checker 133 (S1). The band ID checker 133 searches for the band ID and inputs a found band ID to the key table unit 134 (S2). The key table unit 134 searches for the encryption key corresponding to the input band ID and commonly inputs a found encryption key to AES cores #1 to #10 (S3).
In each of AES cores #1 to #10, the key calculation unit 136 expands the input encryption key (S4). The encryption unit 137 encrypts the initialization vector using the expanded key (S5).
Since the encryption key is input to AES cores #1 to #10 at the same time, the process of S5 ends in AES cores #1 to #10 at the same time. The first sequencer 131 acquires Data #1 from the buffer 111 before the process of S5 ends in AES core #1. Then, when the process of S5 ends in AES core #1, the first sequencer 131 inputs Data #1 to AES core #1. The first sequencer 131 acquires Data #2 from the buffer 111 at the same time as Data #1 is input to AES core #1. Then, after inputting Data #1 to AES core #1, the first sequencer 131 acquires Data #3 from the buffer 111 at the same time as Data #2 is input to AES core #2. As such, the first sequencer 131 sequentially acquires the unit data one by one and sequentially distributes the acquired unit data to each AES core 135 one by one.
After the process of S5 ends, each AES core 135 waits until the unit data is input. When the unit data is input, each AES core 135 encrypts the input unit data using the initialization vector encrypted in the process of S5 (S6). Since the unit data is sequentially input to AES core #1, AES core #2, AES core #3, . . . in this order, the encryption of the unit data is completed in the order of AES core #1, AES core #2, AES core #3, . . . .
The header is input from the first sequencer 131 to the second sequencer 132 at the time when the process of S6 starts in AES core #1. The second sequencer 132 outputs the input header to the NANDC 12, without any change. In addition, the second sequencer 132 acquires the encrypted unit data from the AES core 135 which has completed encryption and sequentially outputs the acquired unit data to the NANDC 12.
At the time when the first sequencer 131 ends the acquisition of Data #1 to Data #10, AES cores #1 to #10 are performing the process of S6. AES cores #1 to #10 complete the process of S6 in the order in which the unit data is input. When AES core #1 completes the process of S6, the first sequencer 131 inputs Data #11, which is unit data following Data #10, to AES core #1. Then, the first sequencer 131 inputs Data #12 to Data #20 to AES cores #2 to #10. Each AES core 135 performs the process of S6 for the input unit data and the second sequencer 132 collects the encrypted unit data and sequentially outputs the encrypted unit data to the NANDC 12.
In the AES, when the last unit data (Data #34) among the unit data items forming the sector data is smaller than a predetermined size (for example, a size which can be transmitted by one cycle of a clock signal), it is input to the same AES core 135 as that to which the immediately preceding unit data (Data #33) is input. Here, since Data #33 is encrypted in AES core #3, Data #34 is input to AES core #3. The first sequencer 131 waits until the encryption of Data #33 in AES core #3 is completed. When the encryption of Data #33 in AES core #3 is completed, the first sequencer 131 inputs Data #34 to AES core #3. AES core #3 encrypts Data #34 after the encryption of Data #33 is completed.
In the first embodiment, after the acquisition of all unit data items of one sector data item is completed and before the encryption of all of the acquired data items is completed, the first sequencer 131 acquires the header of the next sector data. That is, in the example illustrated in
The encrypted data is read from each NAND memory 20 to the buffer 121 for each sector data item. The first sequencer 141 acquires the header from the head of the sector data stored in the buffer 121 and acquires the sector data for each unit data item. Similarly to the first sequencer 131, the first sequencer 141 distributes a plurality of unit data items forming the sector data to the plurality of AES cores 145.
When reading the header from the buffer 121, the first sequencer 141 extracts address information included in the header. Then, the first sequencer 141 inputs the extracted address information and the band ID search request (Req) to the band ID checker 143.
The band ID checker 143 has the same function as the band ID checker 133 and the key table unit 144 has the same function as the key table unit 134. That is, the band ID checker 143 searches for a band ID in response to the band ID search request and inputs a found band ID to the key table unit 144. The key table unit 144 searches for an encryption key using the band ID input from the band ID checker 143 as a search key and commonly inputs a found encryption key to each AES core 145.
The key calculation unit 146 has the same function as the key calculation unit 136. The key calculation unit 146 expands the encryption key input from the key table unit 144. The key calculation unit 146 inputs the expanded key to the decryption unit 147.
The decryption unit 147 encrypts the initialization vector using the expanded key input from the key calculation unit 146. The initialization vector is set to the decryption unit 147 in advance. The decryption unit 147 decrypts the unit data input from the first sequencer 141 using the encrypted initialization vector. The decrypted unit data is collected by the second sequencer 142.
The second sequencer 142 collects the unit data decrypted in each AES core 145 and sequentially inputs the plurality of collected unit data items to the host I/F 11.
The operation and operation timing of the first sequencer 141, the second sequencer 142, the band ID checker 143, the key table unit 144, the key calculation unit 146, and the decryption unit 147 are the same as the operation and operation timing of the first sequencer 131, the second sequencer 132, the band ID checker 133, the key table unit 134, the key calculation unit 136, and the encryption unit 137 illustrated in
The encrypted unit data items forming the sector data are decrypted in parallel by the plurality of AES cores 145. After the acquisition of all unit data items of one sector data item is completed and before the decryption of all of the acquired data items is completed, the first sequencer 141 acquires the header of the next sector data from the buffer 121. Then, the first sequencer 141 inputs the band ID search request to the band ID checker 143. The band ID checker 143 searches for the band ID. In this way, at least a portion of the delay until the decryption of the last unit data in one sector data item is completed is hidden by a process for the next sector.
As such, according to the first embodiment, after the acquisition of the last unit data in one sector data item is completed and before the encryption of the last unit data is completed, the first sequencer 131 acquires the header of the next sector data. Before the encryption of the last unit data in one sector data item is completed, the common units can start the acquisition of the unit data and the output of the encryption key for the next sector data. In this way, the time from the completion of the encryption of one sector data item to the start of the encryption of the next sector data is reduced. Therefore, latency for data transmission is reduced.
Similarly, after the acquisition of the last unit data in one sector data item is completed and before the decryption of the last unit data is completed, the first sequencer 141 acquires the header of the next sector data. Before the decryption of the last unit data among all of the acquired unit data items is completed, the common units can start the acquisition of the unit data and the output of the encryption key for the next sector data. In this way, the time from the completion of the decryption of one sector data item to the start of the decryption of the next sector data is reduced. Therefore, latency for data transmission is reduced.
The two key calculation units 136 operate alternately. For example, for an odd-numbered sector (that is, sector data in which address information has an odd value), one of the two key calculation units 136 expands an encryption key. For an even-numbered sector (that is, sector data in which address information has an even value), the other of the two key calculation units 136 expands the encryption key. Similarly, the two key calculation units 146 operate alternately.
In some cases, the two key calculation units 136 are distinguished from each other as key calculation unit #1 and key calculation unit #2.
First, the first sequencer 131 acquires a header from the buffer 111 and outputs a band ID search request to the band ID checker 133 (S11). The band ID checker 133 searches for a band ID and inputs a found band ID to the key table unit 134 (S12). The key table unit 134 searches for an encryption key corresponding to the input band ID and commonly inputs a found encryption key to key calculation unit #1 in each of AES cores #1 to #10 (S13).
In each of AES cores #1 to #10, key calculation unit #1 expands the input encryption key (S14). The encryption unit 137 encrypts an initialization vector using the expanded key calculated in key calculation unit #1 (S15).
The first sequencer 131 acquires Data #1 from buffer 111 before the process of S15 ends in AES core #1. When the process of S15 ends in AES core #1, the first sequencer 131 inputs Data #1 to AES core #1. The first sequencer 131 acquires Data #2 from the buffer 111 at the same time as it inputs Data #1 to AES core #1. Then, after inputting Data #1 to AES core #1, the first sequencer 131 acquires Data #3 from the buffer 111 at the same time as it inputs Data #2 to AES core #2. As such, the first sequencer 131 sequentially acquires unit data one by one and sequentially distributes the acquired unit data one by one to each AES core 135.
After the process of S15 is completed, each AES core 135 waits until unit data is input. When unit data is input, each AES core 135 encrypts the input unit data using the initialization vector encrypted in S15 (S16). Since unit data is input to AES core #1, AES core #2, AES core #3, . . . in this order, the encryption of the unit data is completed in the order of AES core #1, AES core #2, AES core #3, . . . .
The header is input from the first sequencer 131 to the second sequencer 132 at the time when the process of S16 starts in AES core #1. The second sequencer 132 outputs the input header to the NANDC 12 without any change. In addition, the second sequencer 132 acquires the encrypted unit data from the AES core 135 which has completed encryption and sequentially outputs the acquired unit data to the NANDC 12.
At the time when the first sequencer 131 ends the distribution of Data #1 to Data #10, AES cores #1 to #10 are performing the process of S16. AES cores #1 to #10 complete the process of S16 in the order in which the unit data is input. When AES core #1 completes the process of S16, the first sequencer 131 inputs Data #11, which is unit data following Data #10, to AES core #1. Then, the first sequencer 131 inputs Data #12 to Data #20 to AES cores #2 to #10. Each AES core 135 performs the process of S16 for the input unit data and the second sequencer 132 collects the encrypted unit data and sequentially outputs the encrypted unit data to the NANDC 12.
The first sequencer 131 waits until AES core #3 completes the encryption of Data #33, which is unit data immediately before Data #34 that is the last unit data of the sector data. When AES core #3 completes the encryption of Data #33, the first sequencer 131 inputs Data #34 to AES core #3. After completing the encryption of Data #33, AES core #3 encrypts Data #34.
Similarly to the first embodiment, after the acquisition of all unit data items in one sector data item is completed and before the encryption of all of the acquired unit data items is completed, the first sequencer 131 acquires the header of the next sector data. That is, after Data #34 is acquired and before the encryption of Data #34 is completed, the first sequencer 131 acquires the header of the next sector data. Before the encryption of Data #34 is completed, the common units can start the process of S12 for the next sector data. In addition, immediately after the process of S12 is completed, the common units can start the process of S13.
In the second embodiment, at the time when the process of S12 is completed, key calculation unit #2 provided in each AES core 135 is in an idle state. After the common units complete the process of S12, key calculation unit #2 provided in each AES core 135 can start the process of S14, without waiting until the encryption of Data #34 is completed.
As such, according to the second embodiment, each AES core 135 includes two key calculation units 136. One of the two key calculation units 136 calculates an expanded key for encrypting one sector data item. Before the encryption of the last unit data in the one sector data item is completed, the other of the two key calculation units 136 starts calculation of an expanded key for encrypting the next sector data following the one sector data item. Therefore, the time from the completion of the encryption of one sector data item to the start of the encryption of the next sector data is further reduced. As a result, latency for data transmission is further reduced.
Similarly, each AES core 145 includes two key calculation units 146. One of the two key calculation units 146 calculates an expanded key for decrypting one sector data item. Before the decryption of the last unit data in the one sector data item is completed, the other of the two key calculation units 146 starts calculation of an expanded key for decrypting the next sector data following the one sector data item. Therefore, the time from the completion of the decryption of one sector data item to the start of the decryption of the next sector data is further reduced. As a result, latency for data transmission is further reduced.
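The latency effect of the two embodiments can be checked with a small cycle-level model. This is an added example, not part of the patent: all cycle counts are assumed values, and the model assumes that a single key calculation unit cannot start expanding the next key until the current sector is fully encrypted, and that the encryption unit cannot start encrypting the next initialization vector until then.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Timing:
    # All durations are assumed cycle counts, chosen only for illustration.
    lookup: int = 4    # header acquisition, band ID search, key lookup
    expand: int = 10   # key expansion in the key calculation unit
    iv: int = 10       # encryption of the initialization vector
    enc: int = 10      # encryption of one unit data item
    cores: int = 10    # AES cores #1 to #10
    units: int = 34    # unit data items per sector; the last one is short


def assign_cores(units, cores):
    """Round-robin core index (0-based) for each unit data item.

    The short last item is sent to the same core as the item before it.
    """
    plan = [k % cores for k in range(units - 1)]
    plan.append(plan[-1])
    return plan


def simulate(mode, sectors, t=Timing()):
    """Cycle at which the last unit data item of the last sector is encrypted.

    mode: "serial"   - next header is fetched only after encryption ends
          "overlap"  - first embodiment: header fetched once Data #34 is acquired
          "dual_key" - second embodiment: a second key calculation unit also
                       expands the next key during the tail of the sector
    """
    if mode not in ("serial", "overlap", "dual_key"):
        raise ValueError(f"unknown mode: {mode}")
    plan = assign_cores(t.units, t.cores)
    acq_done = enc_done = 0
    for _ in range(sectors):
        hdr_start = enc_done if mode == "serial" else acq_done
        lookup_done = hdr_start + t.lookup
        # An idle second key calculation unit can start expanding at once.
        expand_start = lookup_done if mode == "dual_key" else max(lookup_done, enc_done)
        iv_done = max(expand_start + t.expand, enc_done) + t.iv
        core_free = [iv_done] * t.cores
        inputs, clock = [], iv_done
        for core in plan:
            start = max(clock, core_free[core])   # wait for a busy core
            inputs.append(start)
            core_free[core] = start + t.enc
            clock = start + 1                     # one unit data item per cycle
        # The last item is acquired while the item before it is being input.
        acq_done = inputs[-2] + 1
        enc_done = max(core_free)
    return enc_done
```

With these assumed timings, the short last item waits for AES core #3 and leaves a tail during which the sequencer is otherwise idle; the first embodiment hides the key lookup in that tail, and the second embodiment hides the key expansion as well.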
While certain embodiments have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of the inventions. Indeed, the novel embodiments described herein may be embodied in a variety of other forms; furthermore, various omissions, substitutions and changes in the form of the embodiments described herein may be made without departing from the spirit of the inventions. The accompanying claims and their equivalents are intended to cover such forms or modifications as would fall within the scope and spirit of the inventions.
This application is based upon and claims the benefit of priority from U.S. Provisional Application No. 61/937,888, filed on Feb. 10, 2014; the entire contents of which are incorporated herein by reference.
Number | Date | Country
---|---|---
61937888 | Feb 2014 | US