FIG. 1A illustrates a computer system 102 having physical hardware components 104. The physical hardware components 104 include a shared memory 110. The physical hardware components 104 also include physical central processing units (CPU) 106 and cryptographic facilities (CF) 108. Each cryptographic facility has a manual-control panel 109 attached to it. In this patent document, the terms "cryptographic" and "crypto" are used interchangeably.
The computer system 102 also includes a hypervisor 112. The hypervisor 112 is an operating system which establishes multiple logical partitions 114.
The logical partitions 114 each contain logical hardware components 124. The logical hardware components 124 include logical CPUs 116. The hypervisor 112 schedules, or allocates, the physical hardware components 104 to the logical partitions 114. For example, during a particular time-slice, the hypervisor 112 may allocate the physical CPU 106A to operate with the logical partition 114A. Specifically, the hypervisor 112 may dispatch the logical CPU 116B on the physical CPU 106A. In other words, the logical CPU 116B is a guest CPU of the physical CPU 106A.
Correspondingly, the physical CPU 106A is a host CPU of the logical CPU 116B. Note that the hypervisor 112 views the logical CPUs 116 as tasks. In this patent document, the terms "guest CPU" and "guest" are used interchangeably. Also, the terms "host CPU" and "host" are used interchangeably.
Each of the logical partitions 114 also includes an operating system (OS) 118 and a cryptographic subsystem (CS) 120. While FIG. 1A illustrates that the logical partitions 114 include distinct OSs 118 and CSs 120, such illustration is for conceptualization purposes only.
Multiple application programs 122 operate on the logical partitions 114. The OS 118 schedules, or allocates, the logical hardware components 124 to the application programs 122. For example, during a particular time-slice, the OS 118A may allocate the logical CPU 116A to operate with the application program 122C. Note that the OS 118 views the application programs 122 as tasks.
The CS 120 and CFs 108 perform cryptographic functions, such as data encryption and data decryption. As shown in FIG. 1A, the physical CPUs 106A and 106B are coupled to the CFs 108A and 108B, respectively. Thus, the physical CPUs 106A, 106B can process both crypto and non-crypto instructions. The physical CPUs 106C, 106D, 106E, 106F are not coupled to the CFs 108. Thus, the physical CPUs 106C, 106D, 106E, 106F cannot process crypto instructions.
Because the physical CPUs 106C, 106D, 106E, 106F cannot process crypto instructions, the hypervisor 112 must redispatch the logical CPUs 116A, 116B, 116D, and 116E operating on the physical CPUs 106C, 106D, 106E, 106F to the physical CPUs 106A, 106B when the logical CPUs 116A, 116B, 116D, and 116E issue crypto instructions.
The hypervisor 112 may encounter various problems when redispatching the logical CPUs 116A, 116B, 116D, and 116E from the physical CPUs 106C, 106D, 106E, 106F to the physical CPUs 106A, 106B.
A first problem involves interchangeability among the CFs 108. Specifically, the CFs 108 may sometimes not be interchangeable. The CFs 108 are not interchangeable when they do not operate identically. Conversely, the CFs 108 are interchangeable when they operate identically.
In addition, there are a number of cryptographic functions, called non-interchangeable functions, that are required to be performed on a specific CF 108, independent of whether all CFs 108 are interchangeable. Other cryptographic functions are called interchangeable functions.
Most non-interchangeable functions are manual-key-entry functions. They must be performed on a specific CF 108 because they communicate with an external agent through the manual-control panel 109. Also, execution of these functions may change the state (or contents) of the CF 108 and cause the CF 108 to become non-interchangeable. Other non-interchangeable functions are either sense-type functions that are normally used to determine if CFs 108 are interchangeable or change-type functions that alter the CF contents (or interchangeability).
When the CFs 108 are interchangeable and the guest issues interchangeable crypto functions, the hypervisor 112 may dispatch the logical CPUs 116A, 116B, 116D, and 116E (which are issuing crypto instructions) to any of the physical CPUs 106A, 106B which are coupled to the CFs 108A, 108B.
When the CFs 108 are not interchangeable or when the guest performs non-interchangeable functions, however, errors may result if the hypervisor 112 dispatches the logical CPUs 116A, 116B, 116D, and 116E to any of the physical CPUs 106A, 106B.
As an example, the manual-key-entry process involves interaction with a program. When a security officer is entering cryptographic keys through the manual-control panel 109B, the program must be running on a logical CPU 116 which is assigned to the physical CPU 106B that is connected to the manual-control panel 109B. If the hypervisor 112 dispatches the logical CPU 116 to the physical CPU 106A during the process, the program, which uses non-interchangeable functions, will not be able to import the key entered by the officer.
Although presented in a cryptographic context, the above problem exists whenever the hypervisor 112 is dispatching tasks (such as the logical CPUs 116) among similar physical components (such as the CFs 108) which are, at times, not interchangeable, or whenever the hypervisor 112 is dispatching a task which is issuing non-interchangeable functions, which must be performed on a specific CPU 106.
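The dispatch constraint of the first problem can be modeled as follows. This is an added Python illustration, not part of the patent text and not the method the patent goes on to claim. The `Kind` enum, the `bound_cf` parameter (the specific CF a guest must use) and the function names are hypothetical; the CPU and CF numbers follow the description of FIG. 1A.

```python
from enum import Enum

# Topology as described for FIG. 1A: only 106A and 106B are coupled to a CF.
CF_OF_CPU = {"106A": "108A", "106B": "108B",
             "106C": None, "106D": None, "106E": None, "106F": None}

class Kind(Enum):
    NON_CRYPTO = 0
    INTERCHANGEABLE = 1       # e.g. ordinary data encryption/decryption
    NON_INTERCHANGEABLE = 2   # manual-key-entry, sense-type, change-type

def eligible_hosts(kind, cfs_interchangeable, bound_cf=None):
    """Return the physical CPUs a guest issuing `kind` may be dispatched on.

    bound_cf is a hypothetical per-guest attribute: the one CF the guest
    must use when the CFs, or the function itself, are not interchangeable.
    """
    if kind is Kind.NON_CRYPTO:
        return set(CF_OF_CPU)                      # any physical CPU will do
    with_cf = {cpu for cpu, cf in CF_OF_CPU.items() if cf is not None}
    if kind is Kind.INTERCHANGEABLE and cfs_interchangeable:
        return with_cf                             # any CF-coupled CPU
    # From here on a specific CF is required.
    if bound_cf is None:
        raise ValueError("a specific CF is required but none is bound")
    hosts = {cpu for cpu in with_cf if CF_OF_CPU[cpu] == bound_cf}
    if not hosts:
        raise ValueError(f"no physical CPU is coupled to CF {bound_cf}")
    return hosts

def redispatch(current_host, kind, cfs_interchangeable, bound_cf=None):
    """Leave the guest in place if allowed, else pick an eligible host."""
    hosts = eligible_hosts(kind, cfs_interchangeable, bound_cf)
    return current_host if current_host in hosts else min(hosts)

if __name__ == "__main__":
    # Guest on 106C issues an ordinary crypto instruction: any CF CPU works.
    print(redispatch("106C", Kind.INTERCHANGEABLE, True))
    # Manual key entry at panel 109B: the guest must stay on 106B even
    # though the CFs are currently interchangeable.
    print(redispatch("106B", Kind.NON_INTERCHANGEABLE, True, "108B"))
    # The same guest found on 106A must be moved back to 106B.
    print(redispatch("106A", Kind.NON_INTERCHANGEABLE, True, "108B"))
```

A dispatcher that applied only the "any CF-coupled CPU" rule would be free to move the manual-key-entry guest to 106A, which is the failure described in the example above.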
A second problem involves the need of the hypervisor 112 to access data retained in the CFs 108A, 108B. Specifically, in order to determine whether the CFs 108A, 108B are interchangeable, the hypervisor 112 must have access to this retained data in the CFs 108A, 108B. Also, the hypervisor 112 must have access to the retained data in the CFs 108A, 108B when the hypervisor 112 is saving and restoring processing states of the logical CPUs 116. However, the hypervisor 112 must not be able to obtain the value of the retained data since the retained data is secret. Therefore, a problem exists since security may be breached in order to allow the hypervisor 112 to perform its functions.
Therefore, a system and method for dispatching logical CPUs among physical CPUs in a multiprocessor computer system having multiple logical partitions, wherein the cryptographic facilities may not be interchangeable, are required. More generally, a system and method for dispatching tasks among similar physical components in a multiprocessor computer system, wherein the physical components may not be interchangeable, are required.