The present invention relates to the field of redundant storage devices and is particularly suitable for so-called SSD (Solid State Drive) electronic disks. It relates more particularly to a secure redundant storage device and a secure read/write method on redundant electronic disks.
It relates in general to the implementation of a file system based on redundant electronic disks. The use of redundancy is a common means of providing reliability in data processing systems. Duplication of a data processing device allows the operations to be carried out in parallel on the plurality of redundant devices. The result of these operations is then compared. Thus, a fault or a malfunction of one of the devices is detected when the results provided by the redundant devices are different.
Application of this principle to a data storage system based on electronic disks leads to implementing a system of the type illustrated in FIG. 1. This storage device 100 is constituted by a module for management of the file system 101 and two physical storage devices, in this case redundant electronic disks 110 and 120. The example described here contains two redundant electronic disks, but a person skilled in the art will understand that the number of redundant electronic disks can be greater. These redundant electronic disks 110 and 120 are typically identical. At the very least they have in common at least a part of the software tasked with controlling the disk. They comprise a physical memory module 112 and 122 typically constituted by memory of the flash type, but any other type of physical medium such as an optical or magnetic medium can be envisaged. They can also be remote storage devices such as network disks, in which the physical medium is located remotely and is accessed via a data network. This memory is controlled by a control module, or controller, 111 and 121. This control module is tasked with receiving read/write commands 105 and 106 issued by the file system 101 and with managing these commands, causing the required reading and writing operations on the physical memory modules 112 and 122. These control modules 111 and 121 are typically software modules executed on an on-board processor of the disks 110 and 120. These software modules for controlling the disks are particularly complex in the case of physical media of the flash memory type in comparison with the equivalent control modules used in magnetic disks. In fact, management of the memory modules requires fine management of the memory blocks to even out the wear of these blocks, manage a cache memory and organize collection of the available blocks.
The file system 101 is the software module tasked with offering a logical view of data files to applications wishing to store and access data on the disk. It receives commands 102 from the applications, formulated in the form of logical file management commands. The file system 101 is tasked with transforming these file-oriented commands into orders for reading/writing on the different disks 110 and 120. In the case of redundant physical disks, this file system typically integrates a module for management of the file system proper 103 and a redundancy management module 104. The storage system can therefore be viewed as a succession of abstractions allowing interaction with a plurality of physical electronic disks. A first abstraction is managed by the control module of the disk, 111 and 121, which masks the physical memory modules 112 and 122 and offers an interface presenting the disk as a unified logical storage volume. This logical storage volume is stored redundantly on all the redundant disks of the storage device. A second level of abstraction is offered by the redundancy management module 104 and makes it possible to see the set of physical electronic disks 110 and 120 as a single volume allowing data reading and writing. This volume is used by the file system management module 103 to offer a third level of abstraction to the applications, which are offered a system for reading/writing in logical files independently of the management of data storage on the physical disks.
When such storage systems have to be used in critical information systems such as the on-board systems in aircraft, submarines or also the systems for management and control of nuclear power stations, it is necessary to comply with security standards. These systems, if they cannot be protected from all malfunctions, must be capable of detecting the latter when they occur. The redundancy of the electronic disks aims to fulfil this role. The function of detection of malfunctions is typically implemented within the redundancy management module 104. Typically, when an order for reading at a given address is generated by the file system 103, the redundancy management module 104 duplicates the command on the redundant electronic disks 110 and 120. It then compares the read values returned by the redundant disks. A difference in these read values makes it possible to detect that at least one of the two disks is malfunctioning. Moreover, when a command for writing a value to an address is generated by the file system 103, this command is sent identically by the redundancy management module 104 to the different disks. The redundancy management module 104 then rereads this address on the different disks and compares the results. If at least one of the disks returns a value different from the value written, a malfunction is detected. Such a system makes it possible to detect the malfunctioning of a physical memory module 112 or 122 on the disks or a fault occurring on the processor tasked with execution of the control module of the disks 111 and 121.
However, such a system does not make it possible to detect a malfunction due to a design error of the control module of the disks 111 and 121. In fact, since such a design error is present, by definition, identically in the two control modules 111 and 121, it causes a homogeneous malfunction of the two disks. Such a malfunction therefore cannot be detected by comparing the values returned by the two disks, which will always be identical.
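The following Python simulation is an added illustration of the comparison-based detection described above and of its blind spot; it is not code from the patent. The class names (`SimulatedDisk`, `RedundancyManager`, `StorageFault`), the block count and the address-aliasing "design error" are all constructed for the example. The redundancy manager duplicates every read on both disks and compares the returned values, and after every write rereads the address on each disk and compares it against the value written. A physical fault on one disk only, and a write that one disk fails to persist, are both caught; a flaw shared by both controllers (here, two logical addresses mapped onto the same physical block) makes the disks disagree with the truth but never with each other, so the comparison passes and a wrong value is returned.

```python
from typing import Callable, List, Set, Tuple


class StorageFault(Exception):
    """Raised by the redundancy manager when the redundant disks disagree."""


class SimulatedDisk:
    """Model of one electronic disk (110/120): a controller (111/121) that maps
    logical addresses onto a physical memory module (112/122).

    `mapping` stands in for the controller software. Giving every disk the
    same flawed mapping models a design error common to all controllers.
    """

    def __init__(self, name: str, block_count: int, mapping: Callable[[int], int]):
        self.name = name
        self.blocks: List[int] = [0] * block_count   # physical memory module
        self.mapping = mapping                        # controller address translation
        self.stuck: Set[int] = set()                  # physical blocks that ignore writes

    def write(self, addr: int, value: int) -> None:
        phys = self.mapping(addr)
        if phys not in self.stuck:
            self.blocks[phys] = value

    def read(self, addr: int) -> int:
        return self.blocks[self.mapping(addr)]

    def corrupt_block(self, physical_addr: int, bit_mask: int) -> None:
        """Constructed fault: flip bits in one physical block of this disk only."""
        self.blocks[physical_addr] ^= bit_mask


class RedundancyManager:
    """Redundancy management module (104): duplicates commands, compares results."""

    def __init__(self, disks: List[SimulatedDisk]):
        self.disks = disks

    def read(self, addr: int) -> int:
        values = [d.read(addr) for d in self.disks]
        if len(set(values)) > 1:
            raise StorageFault(f"read at {addr} diverges: {values}")
        return values[0]

    def write(self, addr: int, value: int) -> None:
        for d in self.disks:
            d.write(addr, value)
        # reread the address on every disk and compare with the value written
        for d in self.disks:
            got = d.read(addr)
            if got != value:
                raise StorageFault(f"{d.name}: wrote {value:#x}, reread {got:#x} at {addr}")


BLOCKS = 8  # constructed size of the physical memory module


def correct_mapping(addr: int) -> int:
    return addr          # identity: each logical address has its own block


def flawed_mapping(addr: int) -> int:
    return addr % 4      # constructed design error: addresses 4..7 alias 0..3


def divergent_read_is_detected() -> bool:
    """A memory fault on one disk only: the read comparison catches it."""
    disks = [SimulatedDisk("disk110", BLOCKS, correct_mapping),
             SimulatedDisk("disk120", BLOCKS, correct_mapping)]
    rm = RedundancyManager(disks)
    rm.write(1, 0xAA)
    disks[1].corrupt_block(1, 0x01)          # bit flip on disk 120 only
    try:
        rm.read(1)
    except StorageFault:
        return True
    return False


def failed_write_is_detected() -> bool:
    """One disk silently drops a write: the reread after writing catches it."""
    disks = [SimulatedDisk("disk110", BLOCKS, correct_mapping),
             SimulatedDisk("disk120", BLOCKS, correct_mapping)]
    disks[0].stuck.add(2)                    # block 2 of disk 110 no longer accepts writes
    rm = RedundancyManager(disks)
    try:
        rm.write(2, 0x5C)
    except StorageFault:
        return True
    return False


def common_mode_design_error() -> Tuple[bool, int]:
    """Both controllers share the aliasing flaw: returns (fault_raised, value_read_at_1)."""
    disks = [SimulatedDisk("disk110", BLOCKS, flawed_mapping),
             SimulatedDisk("disk120", BLOCKS, flawed_mapping)]
    rm = RedundancyManager(disks)
    rm.write(1, 0xAA)
    rm.write(5, 0xBB)                        # overwrites block 1 on both disks alike
    try:
        return False, rm.read(1)             # both disks agree on the wrong value
    except StorageFault:
        return True, -1


if __name__ == "__main__":
    print("divergent read detected:", divergent_read_is_detected())
    print("failed write detected:  ", failed_write_is_detected())
    print("common-mode error:      ", common_mode_design_error())
```

The third scenario is the situation the text describes: the value at logical address 1 should be 0xAA, both disks return 0xBB, and because the two answers are identical the redundancy management module has no basis on which to raise a fault.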