公开(公告)号：US08190784B1

公开(公告)日：2012-05-29

申请号：US13076056

申请日：2011-03-30

申请人： Helen S. Raizen ,  Michael E. Bappe ,  Edith Epstein ,  Atul Kabra ,  Cesareo Contreras ,  Xunce Zhou

发明人： Helen S. Raizen ,  Michael E. Bappe ,  Edith Epstein ,  Atul Kabra ,  Cesareo Contreras ,  Xunce Zhou

IPC分类号： G06F3/00 ,  G06F13/42 ,  G06F13/14

CPC分类号： G06F3/0604 ,  G06F3/0659 ,  G06F3/067 ,  G06F21/6227

摘要： An in-band protocol transport carries command-response protocol communications between first and second functional components of a storage input/output (I/O) interface stack, for example to control encryption-related processing of storage I/O commands. A storage read command used as a protocol transport message has protocol data in a read data buffer, and predetermined read address information, such as a prime-numbered starting block address and a small, odd-valued length value, unlikely to occur in normal (non-transport) storage read commands. The second functional component determines that the storage read command contains the predetermined read address information, indicating that the storage read command is a protocol transport message rather than a normal read. For greater confidence, it also determines that the protocol data in the read data buffer includes protocol identification data such as a protocol signature. The protocol data is used to control a processing action for subsequent normal storage I/O commands, such as encryption-related processing, and a protocol response is returned by creating and storing response data in the read data buffer and signaling completion of the storage read command to the first functional component.

摘要翻译： 带内协议传输在存储输入/输出（I / O）接口堆栈的第一和第二功能组件之间传送命令响应协议通信，例如用于控制存储I / O命令的加密相关处理。 用作协议传输消息的存储读取命令在读取数据缓冲器中具有协议数据，并且预定的读取地址信息，例如初始块地址和小的奇数值，可能不会发生在正常（ 非传输）存储读取命令。 第二功能部件确定存储读取命令包含指定存储读取命令是协议传输消息而不是正常读取的预定读取地址信息。 为了更有信心，它还确定读取数据缓冲器中的协议数据包括诸如协议签名的协议标识数据。 协议数据用于控制随后的正常存储I / O命令的处理动作，例如加密相关处理，并且通过在读取数据缓冲器中创建并存储响应数据并返回信号完成存储读取而返回协议响应 命令到第一个功能组件。

公开(公告)号：US08826041B1

公开(公告)日：2014-09-02

申请号：US13076010

申请日：2011-03-30

申请人： Cesareo Contreras ,  Atul Kabra ,  Michael E. Bappe ,  Edith Epstein ,  Helen S. Raizen

发明人： Cesareo Contreras ,  Atul Kabra ,  Michael E. Bappe ,  Edith Epstein ,  Helen S. Raizen

IPC分类号： G06F21/00 ,  G06F21/78 ,  H04L9/32 ,  G06F21/70

CPC分类号： G06F21/70 ,  G06F21/78 ,  G06F2221/2107 ,  H04L9/083 ,  H04L9/0894 ,  H04L9/3247 ,  H04L9/3271

摘要： A system shares encryption-related metadata between layers of a storage I/O stack. Additionally, a detection mechanism ensures that certain layers within the storage I/O stack are present and cooperate with a particular protocol. Along these lines, functional components engage in an in-band communications protocol, such as a data encryption key (DEK) management protocol. The in-band communications protocol employs protocol commands and responses carried along the data path as contents of in-band transport messages and responses, such as special SCSI read commands and their responses. The protocol commands and responses include a handshake command and a handshake response used during an initial handshake operation. Each protocol command and response has a protocol signature field carrying one of distinct first and second signature values which are used to identify the presence of the protocol command or response in the transport messages and responses at different locations along the data path.

摘要翻译： 系统在存储I / O堆栈的层之间共享与加密相关的元数据。 此外，检测机制确保存储I / O堆栈内的某些层存在并且与特定协议配合。 沿着这些方式，功能组件参与诸如数据加密密钥（DEK）管理协议的带内通信协议。 带内通信协议采用沿着数据路径携带的协议命令和响应作为带内传输消息和响应的内容，例如特殊的SCSI读取命令及其响应。 协议命令和响应包括在初始握手操作期间使用的握手命令和握手响应。 每个协议命令和响应具有携带不同的第一和第二签名值之一的协议签名字段，其用于识别在沿着数据路径的不同位置的传输消息和响应中的协议命令或响应的存在。

公开(公告)号：US09787522B1

公开(公告)日：2017-10-10

申请号：US13172172

申请日：2011-06-29

申请人： Cesareo Contreras ,  Atul Kabra ,  Michael E. Bappe ,  Edith Epstein ,  Helen S. Raizen ,  Alexander Elpaev

发明人： Cesareo Contreras ,  Atul Kabra ,  Michael E. Bappe ,  Edith Epstein ,  Helen S. Raizen ,  Alexander Elpaev

IPC分类号： H04L29/00 ,  H04L29/08 ,  H04L29/06

CPC分类号： H04L29/067 ,  H04L29/08549 ,  H04L45/24 ,  H04L63/0485 ,  H04L67/1097 ,  H04L69/14

摘要： A computer of a data processing system includes a software encryption engine and path circuitry that initially provides one or more paths for conveying data of storage I/O requests to and from a storage device, the paths including an encrypting path having a hardware encrypting component. According to a failover technique, in a first operating state, (a) the data of the storage I/O requests is conveyed via the encrypting path with encryption and decryption of the data being performed by the hardware encrypting component, and (b) monitoring is performed for occurrence of an event indicating that the hardware encrypting component has become unavailable for encrypting and decrypting the data of the storage I/O requests. Upon occurrence of the event, if the path circuitry provides a non-encrypting path for conveying the data of the storage I/O requests to and from the storage device, then operation is switched to a second operating state in which the data of the storage I/O requests is conveyed via the non-encrypting path and is encrypted and decrypted by the software encryption engine. A failback technique provides for reverting to hardware-assisted encryption under proper circumstances.

公开(公告)号：US08438315B1

公开(公告)日：2013-05-07

申请号：US12924588

申请日：2010-09-30

申请人： Tao Tao ,  Harold M. Sandstrom ,  Helen S. Raizen ,  Michael E. Bappe ,  Edith Epstein ,  Eric I. West ,  Santhosh Venkatesh Kudva

发明人： Tao Tao ,  Harold M. Sandstrom ,  Helen S. Raizen ,  Michael E. Bappe ,  Edith Epstein ,  Eric I. West ,  Santhosh Venkatesh Kudva

IPC分类号： G06F13/10 ,  G06F9/44

CPC分类号： G06F13/102 ,  G06F3/0659 ,  G06F9/4411 ,  G06F9/44505

摘要： Described are techniques for upgrading a driver. A driver is installed which includes an upgrade facility, a base driver and a first set of one or more driver extension modules for processing input/output operations for one or more devices. Processing is performed to upgrade the driver using the upgrade facility. The processing includes loading one or more upgrade modules associated with a second version of said driver and performing cutover processing for each of the one or more devices.

公开(公告)号：US08261068B1

公开(公告)日：2012-09-04

申请号：US12242638

申请日：2008-09-30

申请人： Helen S. Raizen ,  John Harwood ,  Michael E. Bappe ,  Sathiyamoorthy Kothandan ,  Edith Epstein

发明人： Helen S. Raizen ,  John Harwood ,  Michael E. Bappe ,  Sathiyamoorthy Kothandan ,  Edith Epstein

IPC分类号： G06F21/00

CPC分类号： G06F21/6218

摘要： A method is provided for providing an operating system (OS) independent input/output (I/O) filter driver capable of encrypting at least a portion of a logical unit (LUN), the method comprising the unordered steps of: providing an I/O filter driver component to an I/O stack for a host in communication with the LUN; determining, based at least in part on at least one of OS requirements and an arrangement of data on the LUN, at least one region in the LUN that contains data that is used below the I/O filter driver in an I/O stack on the host; and performing at least one of a read and a write of the one or more regions while keeping the one or more regions in plaintext, while permitting other regions of the LUN to be at least one of encrypted and decrypted.

摘要翻译： 提供了一种用于提供能够加密至少一部分逻辑单元（LUN）的操作系统（OS）独立的输入/输出（I / O）滤波器驱动器的方法，所述方法包括以下无序步骤：提供I / O过滤器驱动程序组件连接到与LUN通信的主机的I / O堆栈; 至少部分地基于至少一个OS要求和LUN上的数据的布置来确定LUN中至少一个区域，其中包含在I / O堆栈中的I / O过滤器驱动程序之下使用的数据 主人; 以及在将所述一个或多个区域保持为明文的同时执行所述一个或多个区域的读取和写入中的至少一个，同时允许所述LUN的其他区域是加密和解密中的至少一个。

公开(公告)号：US07890664B1

公开(公告)日：2011-02-15

申请号：US12059071

申请日：2008-03-31

申请人： Tao Tao ,  Michael E. Bappe ,  Harold M. Sandstrom ,  Edith Epstein ,  Eric I. West ,  Helen S. Raizen ,  Santhosh V. Kudva

发明人： Tao Tao ,  Michael E. Bappe ,  Harold M. Sandstrom ,  Edith Epstein ,  Eric I. West ,  Helen S. Raizen ,  Santhosh V. Kudva

IPC分类号： G06F3/00 ,  G06F13/00

CPC分类号： G06F9/4411 ,  G06F9/44505

摘要： Methods and apparatus for non-disruptive upgrade by redirecting I/O operations. With this arrangement, a driver upgrade does not require restarting an application. In one embodiment, a method includes installing on a computer a legacy upgrade module in a kernel having a legacy driver with first and second loadable extensions for handling input/output operations for applications to and from devices, retrieving and storing static configuration data from the legacy driver, transferring the stored static configuration data to a new driver, obtaining runtime device configuration data from the devices and transferring the runtime device configuration data to the new driver, and filtering device input/output operations such that prior to cutover input/output operations are directed by the LUM through device stacks for the legacy driver and after cutover input/output operations are directed to the new driver.

摘要翻译： 通过重定向I / O操作进行无中断升级的方法和设备。 通过这种安排，驱动程序升级不需要重新启动应用程序。 在一个实施例中，一种方法包括在具有传统驱动器的内核中的传统升级模块中安装具有第一和第二可加载扩展的传统升级模块，用于处理来自设备的应用的输入/输出操作，从传统的方式检索和存储静态配置数据 驱动器，将存储的静态配置数据传送到新驱动器，从设备获取运行时设备配置数据并将运行时设备配置数据传送到新驱动器，以及过滤设备输入/输出操作，使得在切换输入/输出操作之前 由LUM通过设备堆栈执行传统驱动程序，并且在切换输入/输出操作被引导到新的驱动程序之后。

公开(公告)号：US08751828B1

公开(公告)日：2014-06-10

申请号：US12977789

申请日：2010-12-23

申请人： Helen Raizen ,  Michael Emerald Bappe ,  Edith Epstein ,  Atul Kabra ,  Cesareo Contreras ,  Assaf Natanzon ,  Harold Martin Sandstrom

发明人： Helen Raizen ,  Michael Emerald Bappe ,  Edith Epstein ,  Atul Kabra ,  Cesareo Contreras ,  Assaf Natanzon ,  Harold Martin Sandstrom

IPC分类号： G06F12/14

CPC分类号： H04L9/08 ,  G06F21/6218

摘要： A host in an encrypted data storage system sends encryption metadata associated with an encrypted logical volume (LV) from a key controller module to an encryption endpoint via a storage I/O stack. The encryption metadata identifies an encryption key and encrypted regions of the LV, and the sending results in establishment of one or more shared associations between the key controller module and the encryption endpoint which associates the encrypted LV with the encryption metadata for the encrypted LV. A data storage operation is performed on the encrypted LV by sending a data storage command from the key controller module to an encrypted region of the encryption endpoint via the storage I/O stack. The encryption endpoint uses the encryption metadata associated with the encrypted LV to cryptographically process data of the data storage operation.

摘要翻译： 加密数据存储系统中的主机经由存储I / O堆栈将与加密的逻辑卷（LV）相关联的加密元数据从密钥控制器模块发送到加密端点。 加密元数据识别LV的加密密钥和加密区域，并且发送结果建立密钥控制器模块和加密端点之间的一个或多个共享关联，其将加密的LV与加密的LV的加密元数据相关联。 通过经由存储I / O堆栈将数据存储命令从密钥控制器模块发送到加密端点的加密区域，对加密的LV进行数据存储操作。 加密端点使用与加密的LV相关联的加密元数据来密码地处理数据存储操作的数据。

公开(公告)号：US08751757B1

公开(公告)日：2014-06-10

申请号：US13341348

申请日：2011-12-30

申请人： Deepak M. Gaikwad ,  Robert J. Pellowski ,  Edith Epstein ,  Hitesh Trivedi ,  Helen S. Raizen

发明人： Deepak M. Gaikwad ,  Robert J. Pellowski ,  Edith Epstein ,  Hitesh Trivedi ,  Helen S. Raizen

IPC分类号： G06F12/00

CPC分类号： G06F3/0611 ,  G06F3/0653 ,  G06F3/0689 ,  G06F11/3419 ,  G06F11/3485 ,  G06F2003/0692 ,  G06F2201/835 ,  G06F2201/88

摘要： An improved technique for storing I/O metrics includes assigning metric values to data buckets held in kernel memory. Each data bucket covers a particular range of values of a respective metric and is configured as a counter, whose count is incremented each time the multipathing driver obtains or computes a metric value that falls within the range of the data bucket. Bucket counts can be read by an external program to obtain aggregate information about I/O metrics over time. The aggregate information can be fed back to the multipathing driver to enable improved selections of paths for conveying data to and from a storage array.

摘要翻译： 用于存储I / O度量的改进技术包括将度量值分配给保存在内核存储器中的数据桶。 每个数据桶覆盖相应度量的特定值范围，并且被配置为计数器，其每当多路径驱动器获得或计算落在数据桶的范围内的度量值时，其计数增加。 桶数可由外部程序读取，以获取有关I / O指标的总体信息。 聚合信息可以反馈到多路径驱动器，以便改进对存储阵列传输数据的路径的选择。

公开(公告)号：US07957398B1

公开(公告)日：2011-06-07

申请号：US11682049

申请日：2007-03-05

申请人： Yechiel Yochai ,  Helen S. Raizen ,  Harold M. Sandstrom ,  Edith Epstein

发明人： Yechiel Yochai ,  Helen S. Raizen ,  Harold M. Sandstrom ,  Edith Epstein

IPC分类号： H04L12/28

CPC分类号： G06F13/385 ,  G06F3/0613 ,  G06F3/0635 ,  G06F3/0683 ,  G06F13/102 ,  G06F2213/3802 ,  H04L45/00 ,  H04L47/10 ,  H04L49/90

摘要： Methods and systems are disclosed that relate to selecting a path for sending an I/O request from a host to a data storage subsystem from among a plurality of paths from the host to the subsystem. An exemplary method includes identifying a limitation on the traffic level for the plurality of paths, tracking a first metric corresponding to the limitation on the traffic level for each path, and transmitting a first I/O request having an urgency level other than the highest urgency level by one of the plurality of paths whose first metric does not exceed its limitation on the traffic level.

摘要翻译： 公开了涉及从从主机到子系统的多个路径中选择用于从主机向数据存储子系统发送I / O请求的路径的方法和系统。 一种示例性方法包括识别针对多个路径的业务级别的限制，跟踪与每个路径的业务级别的限制相对应的第一度量，以及发送具有紧急度级别而不是最高紧急度的第一I / O请求 通过其第一度量不超过其对业务量的限制的多个路径中的一个路由。

公开(公告)号：US08705538B1

公开(公告)日：2014-04-22

申请号：US13096397

申请日：2011-04-28

申请人： Yechiel Yochai ,  Helen Raizen ,  Harold M. Sandstrom ,  Edith Epstein

发明人： Yechiel Yochai ,  Helen Raizen ,  Harold M. Sandstrom ,  Edith Epstein

IPC分类号： H04L12/28

CPC分类号： G06F13/385 ,  G06F3/0613 ,  G06F3/0635 ,  G06F3/0683 ,  G06F13/102 ,  G06F2213/3802 ,  H04L45/00 ,  H04L47/10 ,  H04L49/90

摘要： Methods and systems are disclosed that relate to selecting a path for sending an I/O request from a host to a data storage subsystem from among a plurality of paths from the host to the subsystem. An exemplary method includes identifying a limitation on the traffic level for the plurality of paths, tracking a first metric corresponding to the limitation on the traffic level for each path, and transmitting a first I/O request having an urgency level other than the highest urgency level by one of the plurality of paths whose first metric does not exceed its limitation on the traffic level.

摘要翻译： 公开了涉及从从主机到子系统的多个路径中选择用于从主机向数据存储子系统发送I / O请求的路径的方法和系统。 一种示例性方法包括识别针对多个路径的业务级别的限制，跟踪与每个路径的业务级别的限制相对应的第一度量，以及发送具有紧急度级别而不是最高紧急度的第一I / O请求 通过其第一度量不超过其对业务量的限制的多个路径中的一个路由。