Disclosure of Invention
The embodiments of the present application aim to provide a data processing method, a data processing apparatus and a base station, so as to reduce session operation overhead during encryption, decryption and integrity processing of data and to improve encryption and decryption performance. The specific technical solution is as follows:
In a first aspect, an embodiment of the present application provides a data processing method, applied to a base station, where the method includes:
when receiving an access request sent by a user, an application layer invokes a session creation interface to create, in a hardware accelerator, an initial session carrying the service of the user;
a driver layer allocates an index identifier for the initial session, presets encryption and decryption information in the initial session to obtain a service session, and feeds the index identifier back to the application layer;
the application layer acquires a storage address of data from the user, passes the storage address and the index identifier to the driver layer, and calls an encryption and decryption interface to start encryption and decryption processing in the hardware accelerator;
the driver layer allocates an operation resource for the data in the hardware accelerator according to the storage address and the index identifier, and associates the service session with the operation resource;
the hardware accelerator processes the data by using the preset encryption and decryption information included in the service session associated with the operation resource, to obtain processed data;
and the driver layer reclaims the operation resource after detecting that processing of the data is complete.
Optionally, the method further comprises:
when receiving an offline request sent by the user, the application layer calls a session deletion interface to delete the service session in the hardware accelerator;
and the driver layer releases the resources occupied by the index identifier and reclaims the index identifier.
Optionally, the step of the driver layer allocating an index identifier for the initial session comprises:
the driver layer extracts an index identifier from a session index stack and allocates it to the initial session;
the step of the driver layer releasing the resources occupied by the index identifier and reclaiming the index identifier comprises:
the driver layer releases the resources occupied by the index identifier and pushes the index identifier onto the session index stack.
Optionally, the method further comprises:
the driver layer calculates an initialization vector corresponding to the data and adds the operation resource to a circular queue;
the step of the hardware accelerator processing the data by using the preset encryption and decryption information included in the service session associated with the operation resource, to obtain processed data, comprises:
the hardware accelerator extracts the operation resource from the circular queue, and processes the data by using the initialization vector and the preset encryption and decryption information included in the service session associated with the extracted operation resource, to obtain processed data.
Optionally, the method further comprises:
after processing the data to obtain processed data, the hardware accelerator overwrites the data stored at the storage address with the processed data and moves the operation resource to a completion queue;
the step of the driver layer reclaiming the operation resource after detecting that processing of the data is complete comprises:
when the driver layer detects the operation resource in the completion queue, it sets a completion identifier for the processed data stored at the storage address and reclaims the operation resource.
Optionally, the pointers of the completion identifiers correspond one-to-one to the pointers of the operation resources, and both sets of pointers are maintained through a stack data structure.
Optionally, the data is stored in an mbuf (memory buffer) structure.
Optionally, the driver layer is based on a DPDK (Data Plane Development Kit) encryption framework.
Optionally, the base station includes a plurality of application layers, and the plurality of application layers includes a main application layer;
the main application layer obtains the total number of the plurality of application layers and allocates a virtual device in the hardware accelerator to each application layer;
after each application layer is initialized, a mapping relationship is established between the application layer and the virtual device allocated to it.
In a second aspect, an embodiment of the present application provides a base station, including a memory, a transceiver, and a processor; the memory is used for storing a computer program; the transceiver is used for receiving and transmitting data under the control of the processor; the processor is configured to read the computer program in the memory, and perform the following operations:
when receiving an access request sent by a user, an application layer invokes a session creation interface to create, in a hardware accelerator, an initial session carrying the service of the user;
a driver layer allocates an index identifier for the initial session, presets encryption and decryption information in the initial session to obtain a service session, and feeds the index identifier back to the application layer;
the application layer acquires a storage address of data from the user, passes the storage address and the index identifier to the driver layer, and calls an encryption and decryption interface to start encryption and decryption processing in the hardware accelerator;
the driver layer allocates an operation resource for the data in the hardware accelerator according to the storage address and the index identifier, and associates the service session with the operation resource;
the hardware accelerator processes the data by using the preset encryption and decryption information included in the service session associated with the operation resource, to obtain processed data;
and the driver layer reclaims the operation resource after detecting that processing of the data is complete.
Optionally, the processor is further configured to read the computer program in the memory and perform the following operations:
when receiving an offline request sent by the user, the application layer calls a session deletion interface to delete the service session in the hardware accelerator;
and the driver layer releases the resources occupied by the index identifier and reclaims the index identifier.
Optionally, the step of the driver layer allocating an index identifier for the initial session comprises:
the driver layer extracts an index identifier from a session index stack and allocates it to the initial session;
the step of the driver layer releasing the resources occupied by the index identifier and reclaiming the index identifier comprises:
the driver layer releases the resources occupied by the index identifier and pushes the index identifier onto the session index stack.
Optionally, the processor is further configured to read the computer program in the memory and perform the following operations:
the driver layer calculates an initialization vector corresponding to the data and adds the operation resource to a circular queue;
the step of the hardware accelerator processing the data by using the preset encryption and decryption information included in the service session associated with the operation resource, to obtain processed data, comprises:
the hardware accelerator extracts the operation resource from the circular queue, and processes the data by using the initialization vector and the preset encryption and decryption information included in the service session associated with the extracted operation resource, to obtain processed data.
Optionally, the processor is further configured to read the computer program in the memory and perform the following operations:
after processing the data to obtain processed data, the hardware accelerator overwrites the data stored at the storage address with the processed data and moves the operation resource to a completion queue;
the step of the driver layer reclaiming the operation resource after detecting that processing of the data is complete comprises:
when the driver layer detects the operation resource in the completion queue, it sets a completion identifier for the processed data stored at the storage address and reclaims the operation resource.
Optionally, the pointers of the completion identifiers correspond one-to-one to the pointers of the operation resources, and both sets of pointers are maintained through a stack data structure.
Optionally, the data is stored in an mbuf structure.
Optionally, the driver layer is based on a DPDK encryption framework.
Optionally, the base station includes a plurality of application layers, and the plurality of application layers includes a main application layer;
the processor is further configured to read the computer program in the memory and perform the following operations:
the main application layer obtains the total number of the plurality of application layers and allocates a virtual device in the hardware accelerator to each application layer; after each application layer is initialized, a mapping relationship is established between the application layer and the virtual device allocated to it.
In a third aspect, an embodiment of the present application provides a data processing apparatus, applied to a base station, where the apparatus includes:
an application layer, configured to call a session creation interface when receiving an access request sent by a user, so as to create, in a hardware accelerator, an initial session carrying the service of the user;
a driver layer, configured to allocate an index identifier for the initial session, preset encryption and decryption information in the initial session to obtain a service session, and feed the index identifier back to the application layer;
the application layer is further configured to acquire a storage address of data from the user, pass the storage address and the index identifier to the driver layer, and call an encryption and decryption interface to start encryption and decryption processing in the hardware accelerator;
the driver layer is further configured to allocate an operation resource for the data in the hardware accelerator according to the storage address and the index identifier, and associate the service session with the operation resource;
the hardware accelerator is configured to process the data by using the preset encryption and decryption information included in the service session associated with the operation resource, to obtain processed data;
the driver layer is further configured to reclaim the operation resource after detecting that processing of the data is complete.
In a fourth aspect, embodiments of the present application provide a processor-readable storage medium storing a computer program for causing a processor to perform any of the methods described above.
In the technical solution provided by the embodiments of the present application, when the application layer receives the access request of the user, a session is created in the hardware accelerator, and the index identifier that the driver layer allocates to the session is managed. Subsequently, when the application layer processes data from the user, it only needs to pass the index identifier and the storage address of the data to the driver layer; the driver layer can obtain the corresponding session and data from the index identifier and the storage address, and then process the data. A session is therefore created only when the user accesses the base station, rather than once for every piece of data received from the user, which reduces session operation overhead during encryption, decryption and integrity processing of data and improves encryption and decryption performance.
Of course, it is not necessary for any one product or method of practicing the application to achieve all of the advantages set forth above at the same time.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those skilled in the art based on the embodiments of the application without inventive effort fall within the scope of the application.
In the related art, when encryption, decryption and integrity processing of data are implemented with a hardware coprocessor, a session must be created and initialized for every encryption or decryption, the operation is then executed, and the session is deleted once encryption, decryption and integrity processing of the data are finished. This high session operation overhead during encryption, decryption and integrity processing severely degrades encryption and decryption performance.
To solve the above problem, the embodiments of the present application provide a data processing method applied to a base station, and in particular to a baseband board of the base station. The base station may be a gNB (next Generation Node Base Station) or an eNB (evolved Node Base Station); a gNB is a 5G base station and an eNB is a 4G base station. The base station comprises an application layer, a driver layer and a hardware accelerator. The application layer may be implemented based on PDCP (Packet Data Convergence Protocol), and the driver layer may be based on a DPDK (Data Plane Development Kit) encryption framework.
In the embodiments of the present application, the DPDK encryption framework may be the DPDK CRYPTO framework. The DPDK crypto device library (CRYPTODEV) is a DPDK software library that covers the complete framework of software and hardware crypto engine drivers. DPDK CRYPTODEV provides a unified API (Application Programming Interface) across software and hardware crypto engines of various types and algorithms, and hides the highly optimized implementation details of each engine from the user. The CRYPTODEV poll mode drivers of DPDK contain implementations of various chained crypto/authentication operations. DPDK CRYPTODEV also has a unified implementation of asymmetric enqueuing and dequeuing, which helps optimize the efficiency of hardware crypto operations.
The DPDK CRYPTO framework supports batch processing interfaces. When encryption, decryption and integrity processing are performed on top of the DPDK CRYPTO framework, multiple packets can be processed in one batch, for example 32 packets in a single call, so that the processing efficiency of the DPDK CRYPTO framework approaches that of the QAT (QuickAssist Technology) hardware and the throughput of the base station improves. With the same per-call overhead, the base station provided by the embodiments of the present application can process more data.
In addition, based on the VF (Virtual Function) attribute, the DPDK CRYPTO framework deploys soft cores and virtual QAT devices in a 1:n relationship to meet application requirements for priority and multithreading. A virtual QAT device may be understood as a VF device, which may also be referred to as a hardware accelerator.
The DPDK CRYPTO framework provides a consistent OSP IOCTL (Operating System Platform input/output control) interface through which the soft core communicates with the virtual QAT device. A specific deployment is shown in fig. 1a and fig. 1b. In the embodiments of the present application, the base station includes a plurality of soft cores, as shown in fig. 1a. Each soft core includes multiple application layers, each of which establishes a connection with a VF device (which may be understood as a virtual QAT device, referred to simply as a virtual device) through the OSP IOCTL interface and starts a corresponding process, as shown in fig. 1b. Each virtual device includes at least one qp (queue pair), such as qp0 and qp1 in fig. 1a. Each application layer processes the user service data of one cell. The plurality of application layers includes a main application layer.
The main application layer obtains the total number of the plurality of application layers and allocates a virtual device in the hardware accelerator to each application layer; after each application layer is initialized, a mapping relationship is established between the application layer and the virtual device allocated to it.
In the embodiments of the present application, the soft core can flexibly deploy a plurality of processes (one process is connected to one application layer). When the main process (the process connected to the main application layer) is initialized, the soft core can read the office configuration table, obtain the number of all processes and allocate enough QAT resources. When a slave process is initialized, its process id (identity) is automatically mapped to a virtual QAT device id.
The DPDK CRYPTO framework has strong caching capability: the underlying queue can cache up to 4095 tasks simultaneously, the number of users in a single cell can reach 1200, and the number of sessions can reach 7200. Because the soft core can deploy a plurality of processes, the technical solution provided by the embodiments of the present application can support processing of a large amount of user service data for a plurality of cells.
In addition, with the DPDK CRYPTO framework, the number of sessions in the base station is not limited, and the number of users supported across a plurality of cells is not limited.
Furthermore, the driver code of the DPDK CRYPTO framework is well matched to the application layer functions and interface design. Therefore, when a base station based on the DPDK CRYPTO framework adopts a new hardware accelerator platform, the migration cost is greatly reduced.
In addition, the open source releases of the DPDK CRYPTO framework iterate quickly and are convenient to maintain and upgrade. Because the framework is open source, problems can be traced at the source code level, and fixes can be synchronized into the 5G base station system in a timely manner, which helps the 5G base station system stabilize.
The data processing model of this data processing method is shown in fig. 2. When receiving an access request of a user, the application layer calls a session creation interface and creates, in the hardware accelerator, an initial session carrying the service of the user; the driver layer allocates an index identifier for the initial session, presets encryption and decryption information in the initial session to obtain a service session, and feeds the index identifier back to the application layer; the application layer acquires a storage address of data from the user and passes the storage address and the index identifier to the driver layer; the driver layer allocates an OP (operation) resource for the data in the hardware accelerator according to the storage address and the index identifier, and associates the service session with the operation resource; the hardware accelerator processes the data by using the preset encryption and decryption information included in the service session associated with the OP resource, to obtain processed data; and the driver layer reclaims the operation resource after detecting that processing of the data is complete.
The service session may include, but is not limited to, alg (algorithm), dir (direction), key, IV (initialization vector), and the like. OP resources include, but are not limited to, service session information, a src (source) object, a dst (destination) object, and the like. The src and dst objects include, but are not limited to, the data and the length of the data.
The following describes a data processing method provided by the embodiment of the present application in detail through a specific embodiment.
Referring to fig. 3, fig. 3 is a schematic diagram of a data processing method according to an embodiment of the present application. The method is applied to the base station and comprises the following steps:
Step S31, the application layer, upon receiving the access request of the user, invokes the session creation interface to create, in the hardware accelerator, an initial session that carries the user's service.
In the embodiments of the present application, when a user needs to go online, the user sends an access request to the base station. After receiving the access request sent by the user, the application layer of the base station invokes the session creation interface to create, in the hardware accelerator, an initial session carrying the user's service.
In one example, the application layer creates 8 initial sessions for a user: 4 initial sessions for SRBs (Signalling Radio Bearers) and 4 initial sessions for DRBs (Data Radio Bearers). Specifically, the 8 initial sessions are: for the SRB, an initial session for uplink decryption, an initial session for uplink integrity protection, an initial session for downlink encryption and an initial session for downlink integrity protection; and for the DRB, an initial session for uplink decryption, an initial session for uplink integrity protection, an initial session for downlink encryption and an initial session for downlink integrity protection.
In another example, the application layer creates 6 initial sessions for a user: for the SRB, an initial session for uplink decryption, an initial session for downlink encryption, and an initial session for uplink and downlink security; and for the DRB, an initial session for uplink decryption, an initial session for downlink encryption, and an initial session for uplink and downlink security.
Step S32, the driver layer allocates an index identifier for the initial session, presets encryption and decryption information in the initial session to obtain a service session, and feeds the index identifier back to the application layer.
After the application layer creates the initial session, the driver layer allocates an index identifier for the initial session. The index identifier of each initial session is unique. The driver layer presets encryption and decryption information in the initial session to obtain a service session. The preset encryption and decryption information can include, but is not limited to, the encryption and decryption algorithm type, the key and other information. The above-mentioned index identifier is allocated for the initial session or the service session.
The service session includes the complete information needed to process the data. In addition, the index identifier allocated by the driver layer for the initial session is fed back to the application layer. The application layer may then perform encryption and decryption processing and the like on data from the user based on the index identifier of the initial session.
Step S33, the application layer obtains the storage address of the data from the user, transmits the storage address and the index identifier to the driving layer, and calls the encryption and decryption interface to start the encryption and decryption process in the hardware accelerator.
After the user accesses the base station and starts transmitting data, the application layer receives the data from the user and stores the data in the base station. The application layer acquires the storage address of the data and transmits the storage address of the data and the index identifier of the service session of the user to the driving layer.
Step S34, the driver layer allocates an operation resource for the data in the hardware accelerator according to the storage address and the index identifier, and associates the service session with the operation resource.
The driver layer receives the storage address and the index identifier from the application layer, obtains the data from the user according to the storage address, obtains the service session of the user according to the index identifier, allocates an operation resource for the obtained data in the hardware accelerator, and associates the service session with the operation resource.
Step S35, the hardware accelerator processes the data by using the preset encryption and decryption information included in the service session associated with the operation resource, to obtain processed data.
After encryption and decryption processing is started in the hardware accelerator, the hardware accelerator processes the data by using the preset encryption and decryption information included in the service session associated with the operation resource, and obtains processed data. The data processing includes encryption processing, decryption processing, integrity processing and the like.
Step S36, the driver layer reclaims the operation resource after detecting that processing of the data is complete.
The driver layer detects in real time whether the hardware accelerator has finished processing the data. After detecting that the data has been processed, the driver layer reclaims the operation resource allocated to the data so that it can be allocated to subsequent data.
In one embodiment of the present application, when a user needs to go offline, the user sends an offline request to the base station. On receiving the offline request sent by the user, the application layer calls a session deletion interface to delete the service session of the user in the hardware accelerator; in addition, the driver layer releases the resources occupied by the index identifier of the user's service session and reclaims the index identifier.
When a user goes online, the application layer creates an initial session carrying the service of the user, and the driver layer then fills in the initial session to obtain the service session of the user. The base station subsequently processes the data from the user based on the user's service session. When the user needs to go offline, the service session of the user is deleted. In the embodiments of the present application, the base station can process all data received from the user between going online and going offline based on the service session created when the user went online. That is, over this whole period the base station only needs to create a session once and delete it once, and does not need to create or delete a session every time a packet of data is received, which greatly reduces session operation overhead during encryption, decryption and integrity processing of data and improves encryption and decryption performance.
In addition, in the embodiments of the present application, after the application layer deletes the service session, the driver layer reclaims the index identifier and can later allocate it to the services of other users, which saves index identifier resources.
In one embodiment of the application, the index identifiers of sessions are maintained in a "stack" data structure. Specifically, allocating an index identifier based on the "stack" data structure, that is, step S32, may include: the driver layer extracts an index identifier from the session index stack and allocates it to the initial session. Further, reclaiming an index identifier based on the "stack" data structure may include: the driver layer releases the resources occupied by the index identifier of the service session and pushes the index identifier onto the session index stack.
For example, fig. 4a shows the correspondence between service sessions and index identifiers, and fig. 4b shows an example of operations on the index identifier stack. The index identifiers in the stack are those of sessions not yet assigned to a user. The session pool includes n sessions, which correspond one-to-one to n index identifiers; the index identifiers shown in fig. 4a are 1, 2, …, n. The index identifier stack holds the n index identifiers of the n sessions of the session pool. After the application layer creates an initial session, the driver layer extracts an index identifier from the stack and assigns it to the user's initial session, such as index identifier n in fig. 4b. When the application layer deletes a service session, the driver layer pushes the index identifier of that service session onto the session index stack, such as index identifier n in fig. 4b. The driver layer may then again assign index identifier n from the session index stack to a user's initial session.
In the embodiment of the application, the creation and deletion of the session are completely independent of the encryption and decryption process, so that the decoupling of the session and the encryption and decryption operations is realized, and the method can be understood as solidifying the unchanged part of the encryption and decryption operations to the bottom hardware and only processing the operations related to the data at each time. In addition, the drive layer manages and maintains the index identifiers by using the session index stack, and when the drive layer allocates the index identifiers, the drive layer does not need to traverse the created session to determine the index identifiers to be allocated, so that the efficiency of session creation is improved, and the processing efficiency of data is improved. In addition, the number of sessions is theoretically not limited in consideration of the efficiency of session creation.
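The session index stack described above can be sketched as follows. This is an added example, not code from the application: the pool size, the structure and function names, and the 16-byte key field standing in for the preset encryption and decryption information are all assumptions. It also shows two checks an implementer would want when index identifiers are reused: a double release must be rejected, and the key material must be cleared before the index identifier returns to the stack.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_SESSIONS 8            /* assumed pool size n */
#define IDX_NONE     UINT16_MAX   /* returned when no index identifier is free */

struct session {
    bool    in_use;               /* set while the index identifier is assigned */
    uint8_t key[16];              /* stand-in for preset encryption/decryption info */
};

struct session_pool {
    struct session sess[MAX_SESSIONS];       /* index identifier i maps to sess[i-1] */
    uint16_t       free_stack[MAX_SESSIONS]; /* identifiers not assigned to any user */
    uint16_t       top;                      /* number of identifiers on the stack */
};

/* Fill the stack with 1..n so that n is on top, as in the fig. 4b description. */
void pool_init(struct session_pool *p)
{
    memset(p, 0, sizeof(*p));
    for (uint16_t i = 1; i <= MAX_SESSIONS; i++)
        p->free_stack[p->top++] = i;
}

/* Session creation: pop an identifier in O(1), no traversal of created sessions. */
uint16_t session_create(struct session_pool *p, const uint8_t key[16])
{
    if (p->top == 0)
        return IDX_NONE;                     /* pool exhausted */
    uint16_t idx = p->free_stack[--p->top];
    struct session *s = &p->sess[idx - 1];
    memcpy(s->key, key, sizeof(s->key));
    s->in_use = true;
    return idx;
}

/* Per-packet lookup: reject out-of-range and unassigned identifiers. */
const struct session *session_lookup(const struct session_pool *p, uint16_t idx)
{
    if (idx == 0 || idx > MAX_SESSIONS || !p->sess[idx - 1].in_use)
        return NULL;
    return &p->sess[idx - 1];
}

/* Session deletion: release the session and push the identifier back. */
int session_delete(struct session_pool *p, uint16_t idx)
{
    if (idx == 0 || idx > MAX_SESSIONS)
        return -1;
    struct session *s = &p->sess[idx - 1];
    if (!s->in_use)
        return -1;   /* a double release would put idx on the stack twice,
                        so two users would later share one session */
    memset(s, 0, sizeof(*s));  /* clear key material before the identifier is reused */
    p->free_stack[p->top++] = idx;
    return 0;
}
```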
In one embodiment of the application, the driver layer calculates the IV (initialization vector) for the data and adds the operation resource to the circular queue. The hardware accelerator then extracts the operation resource from the circular queue and processes the data by using the preset encryption and decryption information included in the service session associated with the extracted operation resource, together with the IV corresponding to the data, so as to obtain processed data.
In the embodiment of the application, the IV is used for encrypting the data. The encryption mode using IV may be referred to as a block encryption mode. The driving layer calculates the IV corresponding to the data, and the IV is used for encrypting and decrypting the data by a subsequent hardware accelerator. In addition, the driver layer adds the operation resources to the circular queue. And then, the hardware accelerator can extract the operation resource from the circular queue, and process the data by utilizing the preset encryption and decryption information and the IV corresponding to the data included in the service session related to the operation resource, thereby obtaining the processed data.
In one embodiment of the application, after processing the data to obtain processed data, the hardware accelerator overwrites the data stored at the storage address with the processed data and moves the operation resource to the completion queue. The driver layer may invoke a dequeue interface to detect whether the completion queue includes an operation resource. When the driver layer detects the operation resource of the data in the completion queue, this indicates that the hardware accelerator has completed the processing of the data; the driver layer then sets the completion identifier for the processed data stored at the storage address of the data and recovers the operation resource.
The completion identifier may be an okflag flag. The okflag flag is a flag for notifying the upper-layer application that the processing is completed. After the driver layer sets the completion identifier for the processed data, the application layer can detect that the processing of the data is completed and then forward the processed data.
In the embodiment of the application, the application layer can query at any time whether the processing of the data, that is, the encryption and decryption operation, is completed by calling the query interface. After the application layer calls the query interface, the driver layer may call the dequeue interface to detect whether the completion queue includes an operation resource; if the operation resource of the data is detected in the completion queue, the driver layer sets the okflag flag for the processed data stored at the storage address of the data and recovers the operation resource. The application layer can therefore detect the okflag flag of the data, determine that the encryption and decryption operation on the data is completed, and forward the processed data.
In the embodiment of the application, the operations of creating, querying and deleting a session are mutually independent, and starting an encryption and decryption operation and querying its result are mutually independent. A fully asynchronous interface design is thereby realized, and the waiting time of the CPU (Central Processing Unit) is saved.
In one embodiment of the application, the data is stored in an mbuf structure. The mbuf structure may be directly referenced by the underlying driver (i.e., the driver layer). Similarly, the processing result of the data can be stored directly in the designated mbuf by the hardware accelerator, so that zero copy is realized, the processing efficiency of the data is further improved, and storage resources are saved.
In one embodiment of the present application, the pointers of the completion identifiers correspond one-to-one to the pointers of the operation resources, i.e., each packet of data has a completion identifier. The pointer of the completion identifier is registered in the metadata area of the mbuf structure header. Therefore, the application layer can determine directly, through the metadata area of the header of the mbuf structure in which the data is located, whether the encryption and decryption operation on the data is completed, so that the data is handled "traversal-free" and the forwarding efficiency of the data is improved.
In one embodiment of the present application, the pointers of the completion identifiers and the pointers of the operation resources may be maintained by a "stack" data structure (hereinafter referred to as the pointer identification stack), in which the pointers of the completion identifiers and the pointers of the operation resources are in one-to-one correspondence. The size of the pointer identification stack is consistent with the size of the underlying queue. For example, if the underlying queue can cache up to 4095 tasks simultaneously, the pointer identification stack can cache up to 4095 pointers of completion identifiers.
In the embodiment of the present application, an example of the operations on the completion identifier and the operation resource is shown in fig. 5. Multiple packets of data are stored in a data storage area; each packet of data corresponds to one completion identifier and is stored in an mbuf structure. The mbuf structure is divided into a header and a data area: the packet data is stored in the data area of the mbuf structure, and the mbuf structure header includes a metadata area that contains the pointer of the completion identifier. The driver layer extracts the pointer of the operation resource and the pointer of the completion identifier (e.g., the ok pointer) from the pointer identification stack. The driver layer takes the completion identifier of the data in the data storage area and fills it into the pointer of the completion identifier. In addition, the driver layer fills the address of the mbuf structure (which can be understood as the storage address of the source data) into the pointer of the operation resource. After the pointer of the completion identifier and the pointer of the operation resource are filled, the operation resource is pushed into the circular queue. After the data processing is completed, the driver layer fills in the completion identifier in the metadata area.
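The asynchronous flow described above (operation resources taken from a pointer stack, the circular queue, the completion queue, and the per-packet completion identifier) can be sketched as follows. This is an added example, not code from the application and not DPDK code: all names, the queue depth of 4 and the layout in which the completion flag is a byte in the mbuf metadata area that the operation resource's ok pointer refers to are assumptions, and the in-place XOR is only a placeholder for the hardware accelerator, not a cipher.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define QUEUE_DEPTH 4   /* constructed; the depth given in the text is 4095 */
#define MAX_SESS    8   /* constructed session pool size */

struct mbuf {
    struct { uint8_t okflag; } meta;  /* header metadata area: completion flag */
    uint8_t data[32];                 /* data area, processed in place (zero copy) */
    size_t  len;
};

struct op {                /* operation resource */
    struct mbuf *m;        /* storage address of the data */
    uint8_t     *ok;       /* paired pointer to the packet's completion flag */
    uint16_t     sess_idx; /* index identifier of the associated service session */
};

struct ring { struct op *slot[QUEUE_DEPTH]; unsigned head, count; };

static int ring_put(struct ring *r, struct op *o)
{
    if (r->count == QUEUE_DEPTH) return -1;
    r->slot[(r->head + r->count) % QUEUE_DEPTH] = o;
    r->count++;
    return 0;
}

static struct op *ring_get(struct ring *r)
{
    if (r->count == 0) return NULL;
    struct op *o = r->slot[r->head];
    r->head = (r->head + 1) % QUEUE_DEPTH;
    r->count--;
    return o;
}

struct driver {
    struct op   ops[QUEUE_DEPTH];
    struct op  *free_ops[QUEUE_DEPTH]; /* pointer stack, same size as the queue */
    unsigned    top;
    struct ring submit, done;          /* circular queue and completion queue */
    uint8_t     sess_key[MAX_SESS];    /* placeholder per-session state */
};

void drv_init(struct driver *d)
{
    memset(d, 0, sizeof(*d));
    for (unsigned i = 0; i < QUEUE_DEPTH; i++)
        d->free_ops[d->top++] = &d->ops[i];
}

/* Encryption/decryption interface: enqueue and return without waiting. */
int drv_enqueue(struct driver *d, struct mbuf *m, uint16_t sess_idx)
{
    if (m == NULL || m->len > sizeof(m->data) || sess_idx >= MAX_SESS)
        return -1;
    if (d->top == 0)
        return -1;                 /* no operation resource free: poll, then retry */
    struct op *o = d->free_ops[--d->top];
    m->meta.okflag = 0;            /* not yet processed */
    o->m = m;
    o->ok = &m->meta.okflag;
    o->sess_idx = sess_idx;
    return ring_put(&d->submit, o); /* cannot overflow: ring and stack sizes match */
}

/* Stand-in for the hardware accelerator: process in place, move to completion queue. */
unsigned hw_run(struct driver *d)
{
    struct op *o;
    unsigned n = 0;
    while ((o = ring_get(&d->submit)) != NULL) {
        for (size_t i = 0; i < o->m->len; i++)
            o->m->data[i] ^= d->sess_key[o->sess_idx];  /* placeholder, not a cipher */
        ring_put(&d->done, o);
        n++;
    }
    return n;
}

/* Query interface: batch dequeue, set completion flags, recover operation resources. */
unsigned drv_poll(struct driver *d)
{
    struct op *o;
    unsigned n = 0;
    while ((o = ring_get(&d->done)) != NULL) {
        *o->ok = 1;
        d->free_ops[d->top++] = o;
        n++;
    }
    return n;
}

/* Application side: read the flag from the packet's own metadata, no traversal. */
int mbuf_done(const struct mbuf *m) { return m->meta.okflag != 0; }
```

In this layout the flag lives in the packet's own metadata, so recovering and reusing an operation resource for a later packet cannot clear the flag of an earlier packet that the application has not yet read.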
In the embodiment of the application, the initial session and the service session are collectively called a session. The session creation interface, the encryption and decryption interface, the session deletion interface and the like belong to the OSP IOCTL interface.
The following describes a data processing method according to an embodiment of the present application with reference to a flowchart shown in fig. 6.
In step S61, the application layer receives an access request sent by the user.
In step S62, the application layer invokes the session creation interface to create an initial session.
In step S63, the driving layer allocates an index identifier to the initial session.
In step S64, the driver layer configures xfrm information and the like.
In step S65, the driver layer creates a symmetric session (sym_session_create). Specifically, the driver layer fills preset encryption and decryption information and the like into the session to obtain the required service session.
In step S66, the driver layer initializes a symmetric session (sym_session_init).
In step S67, the driving layer records the information of the service session.
In step S68, the driver layer feeds back the index identity to the application layer.
In step S69, the application layer calls the encryption/decryption interface to encrypt and decrypt the data.
In step S610, the application layer receives an offline request sent by the user.
In step S611, the application layer invokes a session deletion interface to delete the service session in the hardware accelerator.
In step S612, the driver layer deletes the symmetric session in the hardware accelerator.
In step S613, the driver layer releases the resources occupied by the index identifier.
In step S614, the driver layer reclaims the index identifier.
Next, step S68 in fig. 6 will be described in detail with reference to the flowchart shown in fig. 7.
In step S681, the application layer acquires multiple packets of data to be encrypted.
In step S682, the application layer invokes the encryption/decryption interface to start the encryption/decryption process in the hardware accelerator.
In step S683, the driving layer allocates OP resources for the data.
In step S684, the driver layer calculates information such as the IV corresponding to the data. Information such as the IV may be filled into the service session.
In step S685, the driver layer associates the service session with the OP resource.
In step S686, the driver layer adds the OP resource to the circular queue and returns an enqueue success message to the application layer.
In step S687, the application layer switches to other task operations. Specifically, the application layer performs steps S681-S686 on other data to be encrypted.
In step S688, the application layer queries whether the processing of the data is completed by calling the query interface.
In step S689, the driver layer dequeues in batches. Specifically, after the encryption and decryption processing of the multi-packet data to be encrypted is completed, the hardware accelerator adds the OP resources of the processed multi-packet data to the completion queue.
In step S6810, after determining that the encryption and decryption processing of the multi-packet data is completed, the driver layer sets the completion identifier for the processed multi-packet data.
In step S6811, the driver layer updates the service session. For example, the number of processed data packets of the service session is updated.
In step S6812, the driving layer recovers the OP resource.
In step S6813, the application layer reads the multi-packet data after the encryption and decryption process is completed.
In the embodiment of the present application, the descriptions of steps S61-S613 and steps S681-S6813 are relatively brief; for details, reference may be made to the related descriptions of fig. 1-5, which are not repeated here.
Based on the data processing method, the embodiment of the application also provides a data processing device. Referring to fig. 8, fig. 8 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application. The device is applied to a base station and comprises:
An application layer 81 for, when receiving an access request sent by a user, calling a session creation interface to create an initial session carrying the service of the user in a hardware accelerator 83;
the driving layer 82 is configured to allocate an index identifier for an initial session, preset encryption and decryption information in the initial session, obtain a service session, and feed back the index identifier to the application layer 81;
The application layer 81 is further configured to obtain a storage address of data from a user, transfer the storage address and the index identifier to the driving layer 82, and call the encryption/decryption interface to start encryption/decryption processing in the hardware accelerator 83;
the driving layer 82 is further configured to allocate an operation resource for the data in the hardware accelerator 83 according to the storage address and the index identifier, and associate the service session with the operation resource;
a hardware accelerator 83, configured to process data by using preset encryption and decryption information included in a service session associated with an operation resource, so as to obtain processed data;
The driving layer 82 is further configured to recycle the operation resource after detecting that the processing of the data is completed.
In one embodiment of the present application, the application layer 81 may be further configured to, when receiving an offline request sent by a user, invoke a session deletion interface to delete a service session in the hardware accelerator;
The driving layer 82 may also be configured to release the resources occupied by the index identifier and reclaim the index identifier.
In one embodiment of the present application, the driving layer 82 may be specifically configured to: extract an index identifier from the session index stack and assign the index identifier to an initial session; and release the resources occupied by the index identifier and push the index identifier onto the session index stack.
In one embodiment of the present application, the driving layer 82 may be further configured to calculate an initialization vector corresponding to the data, and add the operation resource to the circular queue;
the hardware accelerator 83 may specifically be configured to extract an operation resource from the circular queue, and process data by using preset encryption and decryption information and an initialization vector included in a service session associated with the extracted operation resource, to obtain processed data.
In one embodiment of the present application, the hardware accelerator 83 may be further configured to, after processing the data to obtain processed data, overwrite the data stored at the storage address with the processed data and move the operation resource to the completion queue;
the driving layer 82 may be specifically configured to set the completion identifier for the processed data stored at the storage address and recover the operation resource when the operation resource is detected in the completion queue.
In one embodiment of the application, the pointers of the completion identifiers correspond one-to-one to the pointers of the operation resources, and the pointers of the completion identifiers and the pointers of the operation resources are maintained through a stack data structure.
In one embodiment of the application, the data is stored in an mbuf structure.
In one embodiment of the application, the drive layer is based on a DPDK encryption framework.
In one embodiment of the present application, the base station includes a plurality of application layers 81, and the plurality of application layers 81 may include one main application layer;
the main application layer is configured to obtain the total number of the plurality of application layers and allocate a virtual device in the hardware accelerator to each application layer;
Each application layer is further configured to establish a mapping relationship between the application layer and the virtual device allocated to the application layer after the initialization.
In the technical scheme provided by the embodiment of the application, when the application layer receives the access request of the user, a session is created in the hardware accelerator, and the application layer manages the index identifier allocated to the session by the driver layer. Subsequently, when processing data from the user, the application layer only needs to transmit the index identifier and the storage address of the data to the driver layer, and the driver layer can acquire the corresponding session and the data based on the storage address and the index identifier, so as to process the data. Therefore, in the embodiment of the application, a session is created only when the user accesses the base station, rather than each time a piece of data from the user is acquired, so that the session operation overhead during encryption, decryption and integrity processing of data is reduced, and the encryption and decryption performance is improved.
Based on the above data processing method, the embodiment of the present application further provides a base station, as shown in fig. 9, including a memory 91, a transceiver 92, and a processor 93; a memory 91 for storing a computer program; a transceiver 92 for transceiving data under the control of the processor 93; a processor 93 for reading the computer program in the memory 91 and performing the following operations:
when receiving an access request sent by a user, an application layer invokes a session creation interface to create an initial session carrying the service of the user in a hardware accelerator;
The driving layer distributes index identification for the initial session, presets encryption and decryption information in the initial session to obtain a service session, and feeds the index identification back to the application layer;
the application layer acquires a storage address of data from a user, transmits the storage address and an index identifier to the driving layer, and calls an encryption and decryption interface to start encryption and decryption processing in the hardware accelerator;
The driving layer allocates operation resources for the data in the hardware accelerator according to the storage address and the index identifier, and associates the service session with the operation resources;
the hardware accelerator processes the data by utilizing preset encryption and decryption information included in the service session related to the operation resource to obtain processed data;
And after the driving layer detects that the data processing is completed, recovering the operation resources.
In one embodiment of the application, the processor 93 may also be configured to read a computer program in memory and perform the following operations:
when receiving an offline request sent by a user, an application layer calls a session deletion interface to delete a service session in a hardware accelerator;
the drive layer releases the resources occupied by the index identifier and recovers the index identifier.
In one embodiment of the present application, the step of allocating an index identifier to an initial session by a driver layer includes:
the driving layer extracts an index identifier from the session index stack and distributes the index identifier to the initial session;
The step of the driver layer releasing the resources occupied by the index identifier and recovering the index identifier comprises the following steps:
The driver layer releases the resources occupied by the index identifier and pushes the index identifier to the session index stack.
In one embodiment of the application, the processor 93 may also be configured to read a computer program in the memory 91 and perform the following operations:
the driving layer calculates an initialization vector corresponding to the data and adds operation resources into a circular queue;
the hardware accelerator processes the data by utilizing preset encryption and decryption information included in the service session related to the operation resource to obtain processed data, and the method comprises the following steps:
The hardware accelerator extracts the operation resources from the circular queue, and processes the data by using the preset encryption and decryption information and the initialization vector included in the service session associated with the extracted operation resources to obtain processed data.
In one embodiment of the application, the processor 93 is further configured to read the computer program in the memory 91 and perform the following operations:
after the hardware accelerator processes the data to obtain processed data, the data stored at the storage address is overwritten with the processed data, and the operation resource is moved to a completion queue;
after the driving layer detects that the data processing is completed, the step of recovering the operation resources comprises the following steps:
And under the condition that the driving layer detects the operation resource in the completion queue, setting a completion identifier for the processed data stored at the storage address, and recovering the operation resource.
In one embodiment of the application, the pointers of the completion identifiers correspond one-to-one to the pointers of the operation resources, and the pointers of the completion identifiers and the pointers of the operation resources are maintained through a stack data structure.
In one embodiment of the application, the data is stored in an mbuf structure.
In one embodiment of the application, the drive layer is based on a DPDK encryption framework.
In one embodiment of the application, a base station includes a plurality of application layers including a main application layer;
the processor 93 may also be configured to read a computer program in the memory 91 and perform the following operations:
the method comprises the steps that a main application layer obtains the total number of a plurality of application layers, and virtual equipment in a hardware accelerator is distributed to each application layer; after each application layer is initialized, a mapping relation between the application layer and virtual equipment distributed for the application layer is established.
In the technical scheme provided by the embodiment of the application, when the application layer receives the access request of the user, a session is created in the hardware accelerator, and the application layer manages the index identifier allocated to the session by the driver layer. Subsequently, when processing data from the user, the application layer only needs to transmit the index identifier and the storage address of the data to the driver layer, and the driver layer can acquire the corresponding session and the data based on the storage address and the index identifier, so as to process the data. Therefore, in the embodiment of the application, a session is created only when the user accesses the base station, rather than each time a piece of data from the user is acquired, so that the session operation overhead during encryption, decryption and integrity processing of data is reduced, and the encryption and decryption performance is improved.
In fig. 9, the bus architecture may comprise any number of interconnected buses and bridges, which link together various circuits of one or more processors, represented by the processor 93, and of memory, represented by the memory 91. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, which are well known in the art and therefore will not be described further herein. The bus interface provides an interface for connecting the processor 93, the memory 91 and the transceiver 92. The transceiver 92 may be a plurality of elements, i.e., comprising a transmitter and a receiver, providing a means for communicating with various other apparatus over transmission media, including wireless channels, wired channels, optical cables, etc. For different user devices, the bus interface may also be an interface capable of connecting the devices required, including but not limited to a keypad, display, speaker, microphone, joystick, etc.
The memory 91 may include a random access memory (Random Access Memory, RAM) or may include a non-volatile memory (Non-Volatile Memory, NVM), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor 93 is responsible for managing the bus architecture and general processing, and the memory 91 may store data used by the processor 93 in performing operations.
Optionally, the processor 93 may be a CPU (Central Processing Unit), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array), or a CPLD (Complex Programmable Logic Device), and the processor may also employ a multi-core architecture.
Based on the above data processing method, the embodiment of the present application further provides a computer program stored in a processor readable storage medium, where the computer program is configured to cause a processor to execute any of the steps of the data processing method.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, the embodiments are described in a related manner; identical and similar parts of the embodiments may be referred to each other, and each embodiment mainly describes its differences from the other embodiments. In particular, the apparatus, base station and processor readable storage medium embodiments are described relatively briefly because they are substantially similar to the method embodiments; for relevant points, refer to the corresponding parts of the description of the method embodiments.
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application are included in the protection scope of the present application.