WO2017166206A1 - Techniques for accelerated secure storage capabilities - Google Patents
- Publication number: WO2017166206A1 (PCT/CN2016/078136)
- Authority: WO (WIPO, PCT)
- Prior art keywords: data, cpu, offload, schedule, scheduling component
- Legal status: Ceased
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/50—Allocation of resources, e.g. of the central processing unit [CPU]
- G06F9/5005—Allocation of resources, e.g. of the central processing unit [CPU] to service a request
- G06F9/5027—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
- G06F9/505—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals considering the load
- G06F2209/00—Indexing scheme relating to G06F9/00
- G06F2209/50—Indexing scheme relating to G06F9/50
- G06F2209/509—Offload
Definitions
- Embodiments described herein generally relate to techniques for accelerated secure storage capabilities in distributed computing or cloud computing environments.
- Public and private data centers are increasingly being used for secure communications, data operations, and data storage. As more public and private parties have relied upon these data centers, the amount of data that needs to be securely managed has rapidly increased.
- Data compression and encryption are used to efficiently and securely store data; however, compression and encryption operations may negatively impact data center performance, especially when combined with a rapid increase in the volume of data.
- Several techniques have been developed to improve the performance of compression and encryption of data, but the most efficient techniques may not always be utilized in a data center environment. Accordingly, properly selecting the most efficient compression and encryption techniques may provide enhanced performance and scalability in rapidly growing public and private data centers.
- FIG. 1 illustrates a block diagram of a system according to an embodiment.
- FIG. 2 illustrates a block diagram of a system according to an embodiment.
- FIG. 3 illustrates a block diagram of a system according to an embodiment.
- FIG. 4 illustrates a block diagram of a system according to an embodiment.
- FIG. 5 illustrates a block diagram of a system according to an embodiment.
- FIG. 6 illustrates a logic flow according to an embodiment.
- FIG. 7 illustrates a logic flow according to an embodiment.
- FIG. 8 illustrates a logic flow according to an embodiment.
- FIG. 9 illustrates a logic flow according to an embodiment.
- FIG. 10 illustrates an embodiment of computer-readable storage medium.
- FIG. 11 illustrates an embodiment of a processing architecture.
- FIG. 12 illustrates an embodiment of a computing system.
- Various embodiments are generally directed to techniques for accelerated secure storage capabilities.
- some embodiments are directed to dynamically scheduling compression and encryption operations based upon various criteria such that the operations are performed in an efficient manner.
- data may be compressed and protected using encryption while stored on virtual machines, non-virtual hosts, or on backend storage systems.
- Each storage method may have tradeoffs in terms of performance and security.
- protecting data on a virtual machine may use the deployment of performance optimized compression and encryption modules.
- Such modules may be accessible to a guest operating system or a virtual host.
- computation tasks may be spread across many different central processing units (CPUs) , memory, and storage devices.
- a performance optimization strategy may differ based upon the availability of acceleration hardware on the particular node scheduled to perform a workload task.
- compression and encryption operations may be optimized in various ways.
- CPUs may be optimized specifically to increase performance for a particular encryption algorithm, such as the Advanced Encryption Standard (AES), through instruction set extensions such as the Advanced Encryption Standard New Instructions (AES-NI).
- The use of CPUs optimized for these instruction sets may improve the performance of operations using AES-based encryption; however, in some cases other encryption standards may be preferred or required, and those will not see increased performance. In certain geographic locations, such as China, encryption standards other than AES may be preferred or required. In these cases, CPUs specifically optimized for certain types of encryption may not provide an increase in performance. Thus, other techniques for increasing the performance of compression and encryption operations are preferred.
- compression and encryption operations may be offloaded to a dedicated, purpose-built compute node, such as on a cluster backplane. This technique is sometimes referred to as Quick Assist Technology (QAT).
- compression and encryption operations may be offloaded to an IP block of an I/O controller.
- compression and encryption operations may also be offloaded to storage devices such as solid-state drives (SSDs) or network-attached storage (NAS), or to field-programmable gate arrays (FPGAs).
- some of the offloading options described above may not be configured to optimize the preferred or required encryption standards. While China has been used as an example, preferred or required encryption techniques may be present based on a variety of factors including geography, the type of data, the requestor or owner of data, or corporate preferences, as some examples.
- the embodiments described herein may dynamically determine the most efficient option for compression and encryption operations and schedule the tasks accordingly. The determination of the compression and encryption needs may be based upon a request to access, store, or otherwise modify data, and may be performed dynamically, and in substantially real-time, ensuring that each compression and encryption operation is being handled in an efficient manner. Dynamically scheduling compression and encryption operations may greatly increase the performance of cloud-based data center environments and allow for increased scalability, particularly when used on a global scale.
- Variables such as "a", "b", and "c" are used to denote components where more than one component may be implemented. It is important to note that there need not necessarily be multiple components and further, where multiple components are implemented, they need not be identical. Instead, the use of variables to reference components in the figures is done for convenience and clarity of presentation.
- FIG. 1 illustrates a block diagram of a system 100 according to an embodiment.
- System 100 may be configured to dynamically pipeline compression and cryptographic operations based upon the best-available-throughput at a given time.
- the best-available-throughput may be determined based upon the availability of memory and processing capabilities.
- one or more cryptographic processing techniques may be optimized for specific types of data requests, such as certain compression and encryption operations.
- System 100 includes a virtual machine monitor (VMM) 104, sometimes referred to as a hypervisor, which may be configured to monitor the operations of one or more guest virtual machines (VM) 102-a-n over a network 122.
- Guest VM 102 may include one or more emulations of a particular computer system and/or operating system (OS), such as a Linux distribution, Windows, Mac OS X, or Unix, as some non-limiting examples.
- VM 102 may operate based upon the functions and computer architecture of a physical machine.
- VM 102 may include system VMs or process VMs.
- a system VM may include a complete system platform which supports the execution of an OS, as set forth above.
- a system VM may be used to efficiently run multiple instances of the same OS, or instances of different OSs, on a cloud-based platform, for example.
- a process VM may be used to run a single instance of an application or program, and may provide the ability to run software in an efficient and cross-platform manner. While some embodiments may include one or more process VMs, the embodiments described herein will use system VMs for purposes of illustration.
- VMM 104 may be implemented in hardware and/or software, and configured to create and run one or more of VM 102. VMM 104 may operate on a host machine, while VM 102 may operate as a guest machine. In other words, VM 102 may operate as virtualized hardware and VMM 104 may manage VM 102 on physical hardware by communicating directly with the physical hardware on behalf of VM 102, including, but not limited to, processing, networking, memory management, and cryptography operations. VM 102 and VMM 104 may be configured to operate using one or more processing elements of data process engine 114, including hardware security module (HSM) 116, CPU 118, and/or dedicated system-on-a-chip (SOC) 120, each described in more detail below.
- cryptographic operations such as encryption and decryption, and compression operations may be processed using one of hardware HSM 116, CPU 118, or dedicated SOC 120 based upon a determination made by HSM acceleration engine (HAE) 106 and subsequent scheduling, as described herein.
- VMM 104 may, among other components which have been omitted for clarity, include HAE 106.
- HAE 106 may be implemented in hardware and/or software, and may contain at least offload scheduler 108, ring buffer pool 110, and key manager 112.
- Offload scheduler 108 may be configured to analyze data requests and schedule data requests for processing by the appropriate component of data process engine 114 based upon one or more of various criteria, discussed in more detail with respect to FIG. 2.
- offload scheduler 108 may determine whether a data request is for compression/decompression, a geographic-specific cryptographic operation, or another type of operation, such as AES-based encryption.
- For compression/decompression and geographic-specific cryptographic operations, offload scheduler 108 may schedule a corresponding data processing task to HSM 116. In the case of other operations, including AES-based encryption, offload scheduler 108 may schedule a corresponding data processing task to CPU 118. In some situations, when CPU 118 is experiencing a higher than normal workload, offload scheduler 108 may be configured to schedule operations using a dedicated SOC 120, or to delay operations until such a time when CPU 118 is available. The logic flow for offload scheduler 108 is described in more detail with respect to FIGS. 7-8 below.
- HAE 106 may include ring buffer pool 110, which may provide data buffering and device virtualization capabilities.
- Ring buffer pool 110 may comprise physical memory space using DRAM, or other types of memory described herein, located on a physical server running VMM 104.
- Ring buffer pool 110 may be organized to include one or more bundles of DRAM organized into pairs of ring buffers. Each pair of ring buffers may include one ring buffer for requests and another ring buffer for responses, and each pair may be assigned to each of VM 102. In some embodiments, each ring buffer may be assigned unique physical DRAM space and be assigned to a virtual disk bus of each of VM 102. Ring buffer pool 110 is described in more detail with respect to FIG. 3 below.
- HAE 106 may include a dedicated key manager 112.
- Key manager 112 may provide key management capabilities that allow offload scheduler 108 to perform key-related operations including, but not limited to, add, delete, lookup, and key generation via an interface (not shown in FIG. 1, but described in detail with respect to FIG. 4).
- Key manager 112 may be comprised of one or more physical memory locations, such as data registers, and may include an internal database associated with each ring buffer pair within ring buffer pool 110, which, in turn, may be associated with a VM 102. The database may be used to store one or more keys associated with a VM 102.
- Key manager 112 may be implemented using a secure enclave in some embodiments, and components from data processing engine 114 may be provided access to the contents of key manager 112 when performing scheduled data tasks.
- Data processing engine 114 may include a collection of one or more processing elements, which may provide optimized support for different types of compression and encryption operations.
- Data processing engine 114 may include one or more processing elements, each of which may provide certain advantages or disadvantages when processing compression or encryption operations.
- Data processing engine 114 may be configured to leverage different hardware capabilities to perform compression and encryption operations in an efficient and accelerated manner.
- Each component of data processing engine 114 may have one or more characteristics that may be taken into account by offload scheduler 108 when scheduling data operations. Non-limiting examples of characteristics may include a type of operation optimization, speed, and/or availability.
- a component such as hardware security module (HSM) 116 may be configured and optimized to perform data operations using one or more compression or encryption standards.
- When offload scheduler 108 determines from a request that, for example, a geographically-specific encryption algorithm is required, it may schedule such operations using an appropriate HSM 116 for increased performance. When offload scheduler 108 determines from a request that a data operation such as AES-based encryption is required, it may schedule such operations using CPU 118, which may be optimized for such operations. If CPU 118 is determined to be busy at or above a predetermined threshold, offload scheduler 108 may schedule the data task using dedicated SOC 120. The examples are not limited in this context.
- Data processing engine 114 may include HSM 116, which may be a physical computing device optimized to perform cryptographic or compression operations.
- HSM 116 may include one or more secure cryptoprocessors.
- HSM 116 may come in the form of a plug-in card, or an external device that can be plugged into a server. In this manner, HSM 116 may provide the advantage of being upgradeable over time, as new compression and encryption standards are developed, required, and/or preferred.
- data processing engine 114 may include a plurality of HSMs, each optimized to perform one or more cryptographic or compression operations. Alternatively, a single HSM may include one or more modules, each module specialized for certain operations.
- HSM 116 may be optimized to perform geographically-specific encryption, such as with respect to encryption standards associated with China, including SMS4 or ZUC.
- Data processing engine 114 may include an HSM for each of a plurality of particular geographic regions, or based upon particular cryptography and compression standards, or both.
- a single HSM may include a plurality of specialized modules.
- HSM 116 may be replaced or supplemented using SSD-based solutions, which may offer built-in compression and encryption modules.
- NAS systems using such SSDs may be constructed from SSD building blocks that support data center storage encryption, which may leave the data in the clear while in use, in some implementations. It can be appreciated that such SSD and/or NAS based solutions, or other modules that are specialized for particular processing functions may be used in addition to, or instead of, HSM-based solutions described herein. The embodiments are not limited in this context.
- Data processing engine 114 may also include CPU 118.
- CPU 118 may be one of the processing elements described herein, and in some embodiments, may include QAT to accelerate some compression and cryptography operations. For example, AES or AES-NI-based encryption operations may be performed by CPU 118 in an optimized manner, and more efficiently than using HSM 116.
- offload scheduler 108 may, upon determining from a request that AES encryption is required, schedule such data tasks to CPU 118.
- offload scheduler 108 may determine a workload for CPU 118 prior to scheduling, and if the workload meets or exceeds a predetermined threshold, either in processing power or time, may schedule tasks with dedicated SOC 120, which may include one or more of SOCs used within the art.
- FIG. 2 illustrates a block diagram of offload scheduler 200, which may correspond to offload scheduler 108, described with respect to FIG. 1.
- Offload scheduler 200 may be configured to analyze a data request 202 and schedule one or more data tasks associated with data request 202 for processing by the appropriate component of data process engine 114 based upon one or more of various criteria.
- Data request 202 may include information concerning the data to be accessed, such as an address in virtual or physical memory, and other information with respect to a type of request. For example, data request 202 may indicate that the data is associated with a particular geography, encryption standard, or compression standard, which may be identified explicitly, or determined using information such as a memory address.
- offload scheduler 200 may perform a real-time performance evaluation 204 and determine whether data request 202 is for compression/decompression, a geographic-specific cryptographic operation, or another type of operation, such as AES-based encryption.
- real-time performance evaluation 204 may determine the workload of one or more processing elements of data processing engine 114. For example, if a processing element has a workload higher than a predetermined threshold (based upon time and/or efficiency), data tasks may be scheduled to another processing element that can perform the task faster and/or more efficiently.
- the real-time performance evaluation may be determined using one or more requests for information from the processor, or from modules capable of tracking processor performance.
- offload scheduler 200 may use one or more processes to determine and/or obtain performance characteristics for particular processing elements, and for particular processing elements in relation to particular data tasks.
- a setup or configuration user interface may be used by an administrator, or other user, to enter expected performance parameters. These performance parameters may be expressed in terms of an average or peak encryption rate, average or peak decryption rate, average or peak data compression rate, and/or average or peak data decompression rate. Such performance parameters may be stored in a database (not shown) accessible by offload scheduler 200.
- a driver interface may expose performance settings which have been pre-configured by an encryption offload processor vendor.
- a driver/manageability interface may run benchmarks to dynamically and, in some embodiments, periodically assess the baseline performance of various processing elements in relation to the various data tasks described herein. Results may be stored within a database accessible to offload scheduler 200. Offload scheduler 200 may use stored baseline values, obtained using one or more of the examples above, to compute performance degradation estimates given the current system load.
- An execution plan 206 may be determined by offload scheduler 200 in which a data task related to data request 202 is scheduled based upon the real-time performance evaluation 204.
- offload scheduler 200 may schedule a corresponding data processing task to HSM 116.
- offload scheduler may schedule a corresponding data processing task to CPU 118.
- offload scheduler 200 may be configured to schedule other operations using a dedicated SOC 120, or delay operations until such a time when CPU 118 is available.
- the logic flow for offload scheduler 200 is described in more detail with respect to FIGS. 7-8 below.
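The scheduling decision described for FIG. 1 and FIG. 2 (classify the request, run the real-time performance evaluation, then route to the HSM, the CPU, the dedicated SOC, or delay), as an added Python example that is not part of the patent. The element names, the busy threshold of 85% load, the baseline throughput figures and the idle-fraction degradation formula are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class OpType(Enum):
    COMPRESS = "compress"
    DECOMPRESS = "decompress"
    GEO_CIPHER = "geo_cipher"   # region-specific standard such as SMS4 or ZUC
    AES = "aes"                 # AES / AES-NI work the CPU is optimized for


class Element(Enum):
    HSM = "hsm"
    CPU = "cpu"
    SOC = "soc"


@dataclass
class DataRequest:
    op: OpType
    size_mb: float
    vm_id: str = "vm-0"         # guest VM that owns the request/response ring pair


@dataclass
class ElementStatus:
    # Baseline throughput per operation in MB/s, as obtained from the admin
    # configuration, vendor driver settings or periodic benchmarks (assumed values).
    baseline_mbps: Dict[OpType, float]
    # Current utilisation 0.0-1.0 reported by the real-time performance evaluation.
    load: float


@dataclass
class ExecutionPlan:
    request: DataRequest
    element: Optional[Element]      # None: task is delayed until capacity frees up
    estimated_ms: Optional[float]
    reason: str


# Assumed threshold: a processing element at or above this load counts as "busy".
CPU_BUSY_THRESHOLD = 0.85


def degraded_rate(status: ElementStatus, op: OpType) -> float:
    """Performance-degradation estimate: baseline rate scaled by the idle fraction."""
    return status.baseline_mbps.get(op, 0.0) * max(0.0, 1.0 - status.load)


def preferred_element(op: OpType) -> Element:
    """Compression and region-specific ciphers go to the HSM; AES goes to the CPU."""
    if op in (OpType.COMPRESS, OpType.DECOMPRESS, OpType.GEO_CIPHER):
        return Element.HSM
    return Element.CPU


def schedule(req: DataRequest, engine: Dict[Element, ElementStatus]) -> ExecutionPlan:
    """Build the execution plan for one request against the current engine state."""
    target = preferred_element(req.op)
    reason = f"{req.op.value} routed to preferred element {target.value}"
    if target is Element.CPU and engine[Element.CPU].load >= CPU_BUSY_THRESHOLD:
        soc = engine.get(Element.SOC)
        if soc is not None and soc.load < CPU_BUSY_THRESHOLD and degraded_rate(soc, req.op) > 0:
            target, reason = Element.SOC, "cpu busy; offloaded to dedicated SOC"
        else:
            return ExecutionPlan(req, None, None, "cpu busy and no SOC capacity; delayed")
    rate = degraded_rate(engine[target], req.op)
    if rate <= 0:
        return ExecutionPlan(req, None, None, f"{target.value} cannot perform {req.op.value}; delayed")
    return ExecutionPlan(req, target, req.size_mb / rate * 1000.0, reason)


def make_engine(cpu_load: float, soc_load: float = 0.2) -> Dict[Element, ElementStatus]:
    """Constructed sample data processing engine; all throughput figures are made up."""
    return {
        Element.HSM: ElementStatus({OpType.GEO_CIPHER: 800.0, OpType.COMPRESS: 600.0,
                                    OpType.DECOMPRESS: 700.0}, load=0.1),
        Element.CPU: ElementStatus({OpType.AES: 2000.0, OpType.COMPRESS: 300.0}, load=cpu_load),
        Element.SOC: ElementStatus({OpType.AES: 900.0}, load=soc_load),
    }


def example_plans(cpu_load: float = 0.9, soc_load: float = 0.2) -> List[ExecutionPlan]:
    """Schedule three constructed requests from different guest VMs."""
    engine = make_engine(cpu_load, soc_load)
    requests = [
        DataRequest(OpType.GEO_CIPHER, 50.0, "vm-1"),   # SMS4/ZUC-style request
        DataRequest(OpType.COMPRESS, 200.0, "vm-2"),
        DataRequest(OpType.AES, 100.0, "vm-3"),
    ]
    return [schedule(r, engine) for r in requests]


if __name__ == "__main__":
    for p in example_plans():
        print(f"{p.request.vm_id}: {p.request.op.value} -> {p.element}, "
              f"{p.estimated_ms}, {p.reason}")
```

With the CPU at 90% load the AES request is diverted to the SOC; rerunning with `cpu_load=0.3` sends it to the CPU, and with both CPU and SOC busy the plan records a delay instead of an element.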
- FIG. 3 illustrates a ring buffer pool 300, which may correspond to ring buffer pool 110.
- Ring buffer pool 300 may provide data buffering and device virtualization capabilities.
- Ring buffer pool 300 may comprise physical memory space using DRAM, or other types of memory described herein, located on a physical server running a VMM.
- Ring buffer pool 300 may be organized to include one or more bundles of DRAM organized into pairs of ring buffers, also referred to as circular buffers, circular queues, or cyclic buffers.
- Each pair of ring buffers may include one ring buffer for requests and another ring buffer for responses, and each pair may be assigned to a VM, such as VM 102, described above.
- each ring buffer may be assigned unique physical DRAM space and be assigned to a virtual disk bus of a VM.
- Ring buffer pool 300 may include a plurality of bundles, which may be assigned unique portions of DRAM. While only two bundles (302, 312) are shown, more or fewer bundles may be created. Each of bundles 302, 312 may include a pair of ring buffers (304, 306) and (314, 316). Each pair may include a request ring (304, 314) and a response ring (306, 316). Request rings may be used to buffer plaintext requests for the compression and/or encryption/decryption of data. Response rings may be used to buffer ciphertext, which is the result of completed compression and/or encryption/decryption operations. While the embodiments disclose the use of a ring buffer pool, it can be appreciated that in other embodiments different data structures capable of buffering data may be used based upon the design and performance considerations of a particular system.
- FIG. 4 illustrates a system 400 according to an embodiment.
- FIG. 4 illustrates the interactions between key manager 404, which may correspond with key manager 112 of FIG. 1, offload scheduler 402, and cryptographic engine 418.
- Key manager 404 may provide key management capacities that allow offload scheduler 402 to perform key-related operations including, but not limited to, add, delete, lookup, and key generation via an interface 406.
- Interface 406 may be a secure interface that allows the transfer of data and keys between key manager 404 and offload scheduler 402 and cryptographic engine 418.
- Access interface 406 and access control 408 may be components implemented in hardware and/or software, and may provide matching and access to keys stored within key database 410.
- Key database 410 may store one or more cryptographic keys associated with guest VMs managed by a VMM.
- Key database 410 may be implemented using a computer-readable storage medium and, in some embodiments, may be implemented using a secure enclave and secure execution environments, such as Software Guard Extensions (SGX).
- Keys may be subject to access policies stored and managed by access control 408, and key database 410 may associate each key with one or more access levels.
- access control 408 may limit the access to keys based upon an access level assigned to certain guest VMs.
- a particular key stored in key database 410 may be associated with a classified access level.
- access interface 406 may receive a request to access data using the key, and only upon verification by access control 408 that the requesting guest VM has the proper access level for the key will the key be made available for use from key database 410.
- key manager 404 may include a random number generator TRNG 412.
- TRNG 412 may be a true random number generator, which may utilize Digital Random Number Generator (DRNG) technology.
- TRNG 412 may be included within key manager 404 to provide fast and secure access to random numbers for cryptographic functions and key management and generation.
- Key manager 404 may communicate with cryptographic engine 418 over bus 414.
- Bus 414 may be a secure channel or interface that allows keys to be transferred between key manager 404 and cryptographic engine 418.
- Cryptographic engine 418 may include one or more of the processing elements described herein, such as an HSM or CPU, and may utilize ring buffer 416 to store encrypted keys or data while performing compression or cryptographic operations assigned by offload scheduler 402.
- FIG. 5 illustrates a block diagram of a system 500 according to an embodiment.
- System 500 includes an application 502 that may interact with an OS driver 506 over API 504.
- Application 502 may be one of various software applications available to run on one or more VMs, and OS driver 506 may be one of various OS drivers available to communicate between applications and OSs.
- OS driver 506 may communicate with a data/control interface 510 of HSM 530 over an IO/memory access interface 508, which may be one of various interfaces described herein.
- HSM 530 may include a controller 522, memory 524, and non-volatile storage 526, each of which may be consistent with one or more controllers and memories described herein.
- Policy 528 may limit access to HSM 530 based upon one or more access policies associated with VMs. For example, certain VMs may be able to access HSM 530, and others may not. Policy 528 may be implemented in hardware and/or software, and may access stored relationships between various VMs and the access policies restricting access to HSM 530.
- HSM 530 may include a specialized cryptography processor 512, which may be optimized to perform encryption/decryption operations for a particular standard or set of standards, such as geographically-specific standards like SMS4 and/or ZUC.
- one or more cryptography processors may be included within HSM 530, however, only one is shown within HSM 530 for purposes of illustration.
- a compression processor 514 may also be included within HSM 530, which may be optimized to perform certain compression operations. It can be appreciated that more than one compression processor 514 may be included within HSM 530, or none at all.
- cryptography processing and compression processing may be performed using separate HSMs, or may be combined into a single HSM, such as HSM 530.
- Cryptography processor 512 and compression processor 514 may have access to encryption/decryption engine 518 and key generation component 518, which may be used during certain operations to perform cryptography and key operations.
- the devices described herein may be any of a variety of types of computing devices, including without limitation, a server, a workstation, a data center, a laptop computer, an computer, a tablet computer, a smart phone, or the like.
- the aforementioned processors may include any of a wide variety of commercially available processors, including without limitation application, embedded or secure processors; IBM and/or Cell processors; or Core 2 processors.
- one or more of these processor elements may include a multi-core processor (whether the multiple cores coexist on the same or separate dies) , and/or a multi-processor architecture of some other variety by which multiple physically separate processors are in some way linked.
- any number of the processor elements 110, 210, and/or 410 may include a trusted execution environment (e.g., Intel or ARM trusted execution environment technologies, or the like) to provide for the processing and/or storing of sensitive information.
- the trusted execution environment may be used for various embodiments described herein, including for key management and the storage and transfer of cryptographically secured data.
- the aforementioned storages may be based on any of a wide variety of information storage technologies, possibly including volatile technologies requiring the uninterrupted provision of electric power, and possibly including technologies entailing the use of machine-readable storage media that may or may not be removable.
- each of these storages may include any of a wide variety of types (or combination of types) of storage devices, including without limitation, read-only memory (ROM) , random-access memory (RAM) , dynamic RAM (DRAM) , Double-Data-Rate DRAM (DDR-DRAM) , synchronous DRAM (SDRAM) , static RAM (SRAM) , programmable ROM (PROM) , erasable programmable ROM (EPROM) , electrically erasable programmable ROM (EEPROM) , flash memory, polymer memory (e.g., ferroelectric polymer memory) , ovonic memory, phase change or ferroelectric memory, silicon-oxide-nitride-oxide-silicon (SONOS) memory, magnetic
- each of these storages is depicted as a single block, one or more of these may include multiple storage devices that may be based on differing storage technologies.
- one or more of each of these depicted storages may represent a combination of an optical drive or flash memory card reader by which programs and/or data may be stored and conveyed on some form of machine-readable storage media, a ferromagnetic disk drive to store programs and/or data locally for a relatively extended period, and one or more volatile solid state memory devices enabling relatively quick access to programs and/or data (e.g., SRAM or DRAM) .
- each of these storages may be made up of multiple storage components based on identical storage technology, but which may be maintained separately as a result of specialization in use (e.g., some DRAM devices employed as a main storage while other DRAM devices employed as a distinct frame buffer of a graphics controller) .
- networks may be a single network possibly limited to extending within a single building or other relatively limited area, a combination of connected networks possibly extending a considerable distance, and/or may include the Internet.
- networks may be based on any of a variety (or combination) of communications technologies by which signals may be exchanged, including without limitation, wired technologies employing electrically and/or optically conductive cabling, and wireless technologies employing infrared, radio frequency or other forms of wireless transmission.
- the aforementioned interfaces may include circuitry providing at least some of the requisite functionality to enable such coupling.
- the aforementioned interfaces may also be at least partially implemented with sequences of instructions executed by the processor elements (e.g., to implement a protocol stack or other features) .
- the interface may employ signaling and/or protocols conforming to any of a variety of industry standards, including without limitation, RS-232C, RS-422, USB, Ethernet (IEEE-802.3) or IEEE-1394.
- corresponding ones of these interfaces may employ signaling and/or protocols conforming to any of a variety of industry standards, including without limitation, IEEE 802.11a, 802.11b, 802.11g, 802.16, 802.20 (commonly referred to as "Mobile Broadband Wireless Access"); Bluetooth; ZigBee; or a cellular radiotelephone service such as GSM with General Packet Radio Service (GSM/GPRS), CDMA/1xRTT, Enhanced Data Rates for Global Evolution (EDGE), Evolution Data Only/Optimized (EV-DO), Evolution For Data and Voice (EV-DV), High Speed Downlink Packet Access (HSDPA), High Speed Uplink Packet Access (HSUPA), 4G LTE, etc.
- Although the interface is depicted as a single block, it might include multiple interfaces that may be based on differing signaling technologies. This may be the case especially where one or more of these interfaces couples the components to more than one network, each employing differing communications technologies.
- Some of the following figures may include a logic flow. Although such figures presented herein may include a particular logic flow, it can be appreciated that the logic flow merely provides an example of how the general functionality as described herein can be implemented. Further, the given logic flow does not necessarily have to be executed in the order presented unless otherwise indicated.
- the given logic flow may be implemented by a hardware element, a software element executed by a processor, or any combination thereof.
- a logic flow may be implemented by a processor component executing instructions stored on an article of manufacture, such as a storage medium.
- a storage medium may comprise any non-transitory computer-readable medium or machine-readable medium, such as an optical, magnetic or semiconductor storage.
- the storage medium may store various types of computer executable instructions, such as instructions to implement one or more disclosed logic flows.
- Examples of a computer readable or machine readable storage medium may include any tangible media capable of storing electronic data, including volatile memory or non-volatile memory, removable or non-removable memory, erasable or non-erasable memory, writeable or re-writeable memory, and so forth.
- Examples of computer executable instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, object-oriented code, visual code, and the like. The embodiments are not limited in this context.
- FIG. 6 illustrates a logic flow 600 according to an embodiment.
- Logic flow 600 sets forth an initialization process according to an embodiment. Initialization may occur before a VM boots up, and the initialization process may initialize one or more modules.
- a host boots up according to well-known host booting procedures.
- a data process engine may be loaded and initialized, which may make one or more processing elements available to the host and subsequently created VMs via a VMM.
- a key management module may be initialized, which may include preparing a key database for access and initializing any secure memory or interfaces such that they may be accessed during compression and/or cryptography operations.
- a ring buffer pool may be created, which may be initialized to contain ring buffer pairs for each VM.
- a virtual machine may be created, which may be managed by a VMM such that the VM is provided access to the host.
- a ring bundle from the ring buffer pool may be assigned to a VM, and each ring buffer from the ring bundle (each ring bundle includes a pair of ring buffers, as described above) may be mapped by a VMM to a virtual disk bus.
- a cipher key and key map may be generated in a key management module.
- the cipher key and key map may be used to associate a VM with one or more keys within the key management module, and may allow access to certain keys based upon one or more access policies.
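The initialization sequence of logic flow 600 (key manager and ring buffer pool set up, then a ring bundle and a cipher key with a key map assigned per VM) as an added Python model; this is illustrative code, not the patent's, and the pool capacity, key length, the use of the OS CSPRNG as the dedicated RNG, and the per-key policy of permitted operations are all assumptions.

```python
"""Host-side initialization per logic flow 600 (added example, not the patent's code)."""
import secrets
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple


class AccessDenied(Exception):
    """Raised when a VM requests a key its access policy does not cover."""


@dataclass
class RingBundle:
    """A ring buffer pair (request ring, response ring) mapped to one VM's virtual disk bus."""
    bundle_id: int
    request_ring: Deque[bytes] = field(default_factory=deque)
    response_ring: Deque[bytes] = field(default_factory=deque)


class RingBufferPool:
    def __init__(self, capacity: int):
        self._free: List[RingBundle] = [RingBundle(i) for i in range(capacity)]
        self.assigned: Dict[str, RingBundle] = {}

    def assign(self, vm_id: str) -> RingBundle:
        """Give a VM its own bundle; a bundle is never shared between VMs."""
        if vm_id in self.assigned:
            return self.assigned[vm_id]
        if not self._free:
            raise RuntimeError("ring buffer pool exhausted")
        bundle = self._free.pop()
        self.assigned[vm_id] = bundle
        return bundle

    def release(self, vm_id: str) -> None:
        """Return a VM's bundle to the pool, clearing any leftover entries first."""
        bundle = self.assigned.pop(vm_id)
        bundle.request_ring.clear()
        bundle.response_ring.clear()
        self._free.append(bundle)


class KeyManager:
    def __init__(self) -> None:
        self._key_db: Dict[str, bytes] = {}                # stands in for the enclave-resident database
        self.key_map: Dict[str, Dict[str, Set[str]]] = {}  # vm_id -> key_id -> permitted operations
        self.audit: List[Tuple[str, str, str, str]] = []   # (vm_id, key_id, op, decision)

    def generate_key(self, vm_id: str, allowed_ops: Set[str], length: int = 32) -> str:
        """Create a cipher key and record the VM's access policy for it in the key map."""
        key_id = f"{vm_id}-key-{len(self._key_db):04d}"
        self._key_db[key_id] = secrets.token_bytes(length)  # assumed: OS CSPRNG as the dedicated RNG
        self.key_map.setdefault(vm_id, {})[key_id] = set(allowed_ops)
        return key_id

    def get_key(self, vm_id: str, key_id: str, op: str) -> bytes:
        """Release key material only when the key map grants this VM the requested operation."""
        permitted = self.key_map.get(vm_id, {}).get(key_id)
        if permitted is None or op not in permitted:
            self.audit.append((vm_id, key_id, op, "denied"))
            raise AccessDenied(f"{vm_id} may not {op} with {key_id}")
        self.audit.append((vm_id, key_id, op, "granted"))
        return self._key_db[key_id]


def initialize_host(vm_ids, pool_capacity: int = 8):
    """Flow 600 after host boot: key manager, ring pool, then a bundle and key per VM."""
    pool = RingBufferPool(pool_capacity)
    key_manager = KeyManager()
    vm_keys: Dict[str, str] = {}
    for vm_id in vm_ids:
        pool.assign(vm_id)
        vm_keys[vm_id] = key_manager.generate_key(vm_id, {"encrypt", "decrypt"})
    return pool, key_manager, vm_keys


if __name__ == "__main__":
    pool, km, keys = initialize_host(["vm-a", "vm-b"], pool_capacity=2)
    for vm_id, bundle in pool.assigned.items():
        print(vm_id, "-> ring bundle", bundle.bundle_id, "key", keys[vm_id])
    try:
        km.get_key("vm-b", keys["vm-a"], "decrypt")
    except AccessDenied as exc:
        print("denied:", exc)
```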
- FIGS. 7-8 illustrate logic flows 700 and 800 according to an embodiment.
- Logic flow 700 illustrates an egress or encryption scenario, and logic flow 800 illustrates an ingress or decryption scenario. Both scenarios may be performed using an offload scheduler as described herein.
- a data request may be made for encryption (702) or decryption (802) .
- the request may set forth one or more characteristics for the request, including the data to be accessed, the location of the data using a memory address, a cryptography standard to be used, whether compression is requested, or other information identifying the nature of the request.
- If a non-geographically-specific cryptography standard has been requested, such as an AES or AES-NI encryption/decryption operation, at 706/806:
- a CPU may be already optimized to perform such operations, and the use of an HSM may not be desired. However, in some cases, a CPU may be busy, and there may be a delay involved in assigning such operations to the CPU.
- it may be determined whether a CPU has a workload over a predetermined threshold, which may be units of performance or time, and may be determined by making one or more requests for data from the CPU directly, performance-determining modules, or underlying system. If the CPU is not too busy, the request may be scheduled with the CPU at 712/812.
- If the CPU is too busy, a SOC may be scheduled with the request at 710/810. Likewise, it may be determined whether a delay associated with using the CPU for a task is above a threshold, and a dedicated SOC may be used for one or more tasks if that is the case. Further, one or more data tasks may be scheduled to the dedicated SOC when an estimated time for completion using the dedicated SOC is lower than an estimated time for completion using the CPU.
- FIG. 9 illustrates a logic flow 900 according to an embodiment.
- Logic flow 900 may be performed by an offload scheduler, as described herein.
- an offload scheduling component may receive a data request for the compression or encryption of data.
- the data request may also include decryption.
- the data request may include information concerning the data to be accessed, such as an address in virtual or physical memory, and other information with respect to a type of request.
- data request 202 may indicate that the data is associated with a particular geography, encryption standard, or compression standard.
- an offload scheduling component may determine one or more characteristics of the received data request, such as whether the data request involves compression or a particular cryptography standard.
- the characteristic may be determined based upon information within the data request, and can be derived from information regarding where particular data is stored or where a request originated. For example, if a request is made from a VM originating in a geography associated with a particular encryption channel, such as China, the data request may be determined to be associated with a Chinese encryption standard.
- the embodiments are not limited in this context.
- an offload scheduling component may schedule one or more data tasks to one of a plurality of processing elements based upon the determined one or more characteristics.
- an offload scheduler may perform a real-time performance evaluation and determine whether data request is for compression/decompression, geographic-specific cryptographic operation, or another type of operation, such as AES-based encryption.
- a real-time performance evaluation may determine the workload of one or more processing elements of a data processing engine. For example, if a processing element has a workload higher than a predetermined threshold (based upon time and/or efficiency) , data tasks may be scheduled to another processing element that can perform the task faster and/or more efficiently.
- An execution plan may be determined by offload scheduler in which a data task related to the data request is scheduled based upon the real-time performance evaluation.
- the offload scheduler may schedule a corresponding data processing task to an HSM, for example.
- an offload scheduler may schedule a corresponding data processing task to a CPU.
- the offload scheduler may be configured to schedule other operations using a dedicated SOC, or delay operations until such a time when the CPU is available.
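The scheduling decision of logic flows 700/800 and 900 (characteristics derived from the request or its origin, a real-time performance evaluation of the CPU against workload and delay thresholds, an estimated-completion comparison with the SOC, and HSM routing for compression or geography-specific cryptography) as an added Python model; this is illustrative code, not the patent's. The threshold values, the performance snapshots, the SM4 stand-in for a geography-specific standard and the "defer" outcome for unrecognised requests are all assumptions.

```python
"""Offload scheduler model for logic flows 700/800/900 (added example, not the patent's code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Op(Enum):
    COMPRESS = "compress"
    DECOMPRESS = "decompress"
    ENCRYPT = "encrypt"
    DECRYPT = "decrypt"


# Assumed tables (not from the page): how a characteristic is derived from the origin of a
# request, per the patent's China example, and which standards count as geography-specific.
REGION_STANDARD = {"CN": "SM4"}          # SM4 assumed as the geography-specific standard
GEO_SPECIFIC_STANDARDS = {"SM4"}
GENERAL_STANDARDS = {"AES", "AES-NI"}    # standards a CPU is already optimised for


@dataclass(frozen=True)
class DataRequest:
    vm_id: str
    op: Op
    address: int                         # virtual or physical address of the data
    length_bytes: int
    standard: Optional[str] = None       # cryptography standard named in the request, if any
    origin_region: Optional[str] = None  # where the requesting VM originates


@dataclass(frozen=True)
class ElementStatus:
    """Real-time performance snapshot of one processing element (constructed units)."""
    workload: float          # utilisation in [0, 1]
    queue_delay_ms: float    # wait before the element could start a new task
    throughput_mbps: float   # MB/s the element sustains for this class of task


# Constructed snapshots of the data process engine for the demonstration below.
BASELINE_STATUS = {
    "CPU": ElementStatus(0.35, 1.0, 2000.0),
    "SOC": ElementStatus(0.10, 3.0, 4000.0),
    "HSM": ElementStatus(0.50, 8.0, 400.0),
}
BUSY_CPU_STATUS = {**BASELINE_STATUS, "CPU": ElementStatus(0.92, 1.0, 2000.0)}
SLOW_CPU_STATUS = {**BASELINE_STATUS, "CPU": ElementStatus(0.40, 6.0, 2000.0)}


class OffloadScheduler:
    def __init__(self, status: Dict[str, ElementStatus],
                 workload_threshold: float = 0.80, delay_threshold_ms: float = 5.0):
        self.status = status
        self.workload_threshold = workload_threshold
        self.delay_threshold_ms = delay_threshold_ms

    def characteristics(self, req: DataRequest) -> Dict[str, object]:
        """Derive the request's characteristics from its fields or, failing that, its origin."""
        std = req.standard or REGION_STANDARD.get(req.origin_region)
        return {
            "compression": req.op in (Op.COMPRESS, Op.DECOMPRESS),
            "geo_specific": std in GEO_SPECIFIC_STANDARDS,
            "general_crypto": std in GENERAL_STANDARDS,
            "standard": std,
        }

    def estimated_completion_ms(self, element: str, req: DataRequest) -> float:
        """Queue delay plus transfer time on the given element."""
        s = self.status[element]
        return s.queue_delay_ms + req.length_bytes / (s.throughput_mbps * 1e6) * 1e3

    def schedule(self, req: DataRequest) -> Tuple[str, str]:
        """Pick a processing element for the request; returns (element, reason)."""
        c = self.characteristics(req)
        if c["compression"] or c["geo_specific"]:
            return "HSM", "compression or geography-specific cryptography"
        cpu = self.status["CPU"]
        if c["general_crypto"]:
            if cpu.workload >= self.workload_threshold:
                return "SOC", "CPU workload at or above threshold"
            if cpu.queue_delay_ms >= self.delay_threshold_ms:
                return "SOC", "CPU delay at or above threshold"
            if self.estimated_completion_ms("SOC", req) < self.estimated_completion_ms("CPU", req):
                return "SOC", "SOC estimated completion is lower"
            return "CPU", "CPU available"
        # Any other operation type: wait for the CPU rather than guess at an element.
        if cpu.workload >= self.workload_threshold:
            return "DEFER", "CPU busy, retry later"
        return "CPU", "default"


if __name__ == "__main__":
    sched = OffloadScheduler(BASELINE_STATUS)
    for req in (
        DataRequest("vm-1", Op.COMPRESS, 0x1000, 4096),
        DataRequest("vm-2", Op.ENCRYPT, 0x2000, 4096, origin_region="CN"),
        DataRequest("vm-3", Op.ENCRYPT, 0x3000, 1_000_000, standard="AES-NI"),
        DataRequest("vm-3", Op.DECRYPT, 0x4000, 16_000_000, standard="AES"),
    ):
        print(req.op.value, req.standard or req.origin_region, "->", sched.schedule(req))
```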
- FIG. 10 illustrates an embodiment of a storage medium 1000.
- the storage medium 1000 may comprise an article of manufacture.
- the storage medium 1000 may include any non-transitory computer readable medium or machine readable medium, such as an optical, magnetic or semiconductor storage.
- the storage medium 1000 may store various types of computer executable instructions (e.g., 1002) .
- the storage medium 1000 may store various types of computer executable instructions to implement logic flows 600/700/800/900 using one or more processors and components described herein.
- Examples of a computer readable or machine readable storage medium may include any tangible media capable of storing electronic data, including volatile memory or non-volatile memory, removable or non-removable memory, erasable or non-erasable memory, writeable or re-writeable memory, and so forth.
- Examples of computer executable instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, object-oriented code, visual code, and the like. The examples are not limited in this context.
- FIG. 11 illustrates an embodiment of an exemplary processing architecture 1100 suitable for implementing various embodiments as previously described. More specifically, the processing architecture 1100 (or variants thereof) may be implemented as part of the systems and/or the devices described herein with respect to FIGS. 1-5.
- the processing architecture 1100 includes various elements commonly employed in digital processing, including without limitation, one or more processors, multi-core processors, co-processors, memory units, chipsets, controllers, peripherals, interfaces, oscillators, timing devices, video cards, audio cards, multimedia input/output (I/O) components, power supplies, etc.
- The terms “system” and “component” are intended to refer to an entity of a computing device in which digital processing is carried out, that entity being hardware, a combination of hardware and software, software, or software in execution, examples of which are provided by this depicted exemplary processing architecture.
- a component can be, but is not limited to being, a process running on a processor element, the processor element itself, a storage device (e.g., a hard disk drive, multiple storage drives in an array, etc. ) that may employ an optical and/or magnetic storage medium, a software object, an executable sequence of instructions, a thread of execution, a program, and/or an entire computing device (e.g., an entire computer) .
- an application running on a server and the server can be a component.
- One or more components can reside within a process and/or thread of execution, and a component can be localized on one computing device and/or distributed between two or more computing devices.
- components may be communicatively coupled to each other by various types of communications media to coordinate operations.
- the coordination may involve the uni-directional or bi-directional exchange of information.
- the components may communicate information in the form of signals communicated over the communications media.
- the information can be implemented as signals allocated to one or more signal lines.
- Each message may be a signal or a plurality of signals transmitted either serially or substantially in parallel.
- a computing device incorporates at least a processor element 1110, a storage 1130, an interface 1190 to other devices, and coupling 1115.
- a computing device may further incorporate additional components, such as without limitation, a counter element 1115.
- the coupling 1115 incorporates one or more buses, point-to-point interconnects, transceivers, buffers, crosspoint switches, and/or other conductors and/or logic that communicatively couples at least the processor element 1110 to the storage 1130.
- the coupling 1115 may further couple the processor element 1110 to one or more of the interface 1190 and the display interface 1155 (depending on which of these and/or other components are also present) .
- With the processor element 1110 being so coupled by couplings 1115, the processor element 1110 is able to perform the various ones of the tasks described at length above, for the processing architecture 1100.
- the coupling 1115 may be implemented with any of a variety of technologies or combinations of technologies by which signals are optically and/or electrically conveyed.
- couplings 1115 may employ timings and/or protocols conforming to any of a wide variety of industry standards, including without limitation, Accelerated Graphics Port (AGP) , CardBus, Extended Industry Standard Architecture (E-ISA) , Micro Channel Architecture (MCA) , NuBus, Peripheral Component Interconnect (Extended) (PCI-X) , PCI Express (PCI-E) , Personal Computer Memory Card International Association (PCMCIA) bus, HyperTransport TM , QuickPath, and the like.
- the processor element 1110 may include any of a wide variety of commercially available processors, employing any of a wide variety of technologies and implemented with one or more cores physically combined in any of a number of ways.
- the storage 1130 may include one or more distinct storage devices based on any of a wide variety of technologies or combinations of technologies. More specifically, as depicted, the storage 1130 may include one or more of a volatile storage 1131 (e.g., solid state storage based on one or more forms of RAM technology) , a non-volatile storage 1132 (e.g., solid state, ferromagnetic or other storage not requiring a constant provision of electric power to preserve their contents) , and a removable media storage 1133 (e.g., removable disc or solid state memory card storage by which information may be conveyed between computing devices) .
- This depiction of the storage 1130 as possibly comprising multiple distinct types of storage is in recognition of the commonplace use of more than one type of storage device in computing devices in which one type provides relatively rapid reading and writing capabilities enabling more rapid manipulation of data by the processor element 1110 (but possibly using a "volatile" technology constantly requiring electric power) while another type provides relatively high density of non-volatile storage (but likely provides relatively slow reading and writing capabilities) .
- the volatile storage 1131 may be communicatively coupled to coupling 1115 through a storage controller 1135a providing an appropriate interface to the volatile storage 1131 that perhaps employs row and column addressing, and where the storage controller 1135a may perform row refreshing and/or other maintenance tasks to aid in preserving information stored within the volatile storage 1131.
- the non-volatile storage 1132 may be communicatively coupled to coupling 1115 through a storage controller 1135b providing an appropriate interface to the non-volatile storage 1132 that perhaps employs addressing of blocks of information and/or of cylinders and sectors.
- the removable media storage 1133 may be communicatively coupled to coupling 1115 through a storage controller 1135c providing an appropriate interface to the removable media storage 1133 that perhaps employs addressing of blocks of information, and where the storage controller 1135c may coordinate read, erase and write operations in a manner specific to extending the lifespan of the machine-readable storage media 1139.
- One or the other of the volatile storage 1131 or the non-volatile storage 1132 may include an article of manufacture in the form of a machine-readable storage media on which a routine comprising a sequence of instructions executable by the processor element 1110 may be stored, depending on the technologies on which each is based.
- Where the non-volatile storage 1132 includes ferromagnetic-based disk drives (e.g., so-called “hard drives” ) , each such disk drive typically employs one or more rotating platters on which a coating of magnetically responsive particles is deposited and magnetically oriented in various patterns to store information, such as a sequence of instructions, in a manner akin to removable storage media such as a floppy diskette.
- the non-volatile storage 1132 may be made up of banks of solid-state storage devices to store information, such as sequences of instructions, in a manner akin to a compact flash card. Again, it is commonplace to employ differing types of storage devices in a computing device at different times to store executable routines and/or data. Thus, a routine comprising a sequence of instructions to be executed by the processor element 1110 may initially be stored on the machine-readable storage media 1139, and the removable media storage 1133 may be subsequently employed in copying that routine to the non-volatile storage 1132 for longer term storage not requiring the continuing presence of the machine-readable storage media 1139 and/or the volatile storage 1131 to enable more rapid access by the processor element 1110 as that routine is executed.
- the interface 1190 may employ any of a variety of signaling technologies corresponding to any of a variety of communications technologies that may be employed to communicatively couple a computing device to one or more other devices. Again, one or both of various forms of wired or wireless signaling may be employed to enable the processor element 1110 to interact with input/output devices (e.g., the depicted example keyboard 1140 or printer 1145) and/or other computing devices, possibly through a network (e.g., the network 1199) or an interconnected set of networks.
- the interface 1190 is depicted as comprising multiple different interface controllers 1195a, 1195b and 1195c.
- the interface controller 1195a may employ any of a variety of types of wired digital serial interface or radio frequency wireless interface to receive serially transmitted messages from user input devices, such as the depicted keyboard 1140.
- the interface controller 1195b may employ any of a variety of cabling-based or wireless signaling, timings and/or protocols to access other computing devices through the depicted network 1199 (perhaps a network comprising one or more links, smaller networks, or perhaps the Internet) .
- the interface controller 1195c may employ any of a variety of electrically conductive cabling enabling the use of either serial or parallel signal transmission to convey data to the depicted printer 1145.
- interface controllers of the interface 1190 include, without limitation, microphones, remote controls, stylus pens, card readers, finger print readers, virtual reality interaction gloves, graphical input tablets, joysticks, other keyboards, retina scanners, the touch input component of touch screens, trackballs, various sensors, laser printers, inkjet printers, mechanical robots, milling machines, etc.
- Where a computing device is communicatively coupled to (or perhaps actually incorporates) a display (e.g., the depicted example display 1150) , a computing device implementing the processing architecture 1100 may also incorporate the display interface 1155.
- the somewhat specialized additional processing often required in visually displaying various forms of content on a display, as well as the somewhat specialized nature of the cabling-based interfaces used, often makes the provision of a distinct display interface desirable.
- Wired and/or wireless signaling technologies that may be employed by the display interface 1155 in a communicative coupling of the display 1150 may make use of signaling and/or protocols that conform to any of a variety of industry standards, including without limitation, any of a variety of analog video interfaces, Digital Video Interface (DVI) , DisplayPort, etc.
- FIG. 12 illustrates one embodiment of a system 1200.
- system 1200 may be representative of a system or architecture suitable for use with one or more embodiments described herein.
- system 1200 may include multiple elements.
- One or more elements may be implemented using one or more circuits, components, registers, processors, software subroutines, modules, or any combination thereof, as desired for a given set of design or performance constraints.
- Although FIG. 12 shows a limited number of elements in a certain topology by way of example, it can be appreciated that more or fewer elements in any suitable topology may be used in system 1200 as desired for a given implementation. The embodiments are not limited in this context.
- system 1200 may include a computing device 1205 which may be any type of computer or processing device including a personal computer, desktop computer, tablet computer, netbook computer, notebook computer, laptop computer, server, server farm, blade server, or any other type of server, and so forth.
- Examples of a computing device also may include computers that are arranged to be worn by a person, such as a wrist computer, finger computer, ring computer, eyeglass computer, belt-clip computer, arm-band computer, shoe computers, clothing computers, and other wearable computers.
- a mobile computing device may be implemented as a smart phone capable of executing computer applications, as well as voice communications and/or data communications.
- Although some embodiments may be described with a mobile computing device implemented as a smart phone by way of example, it may be appreciated that other embodiments may be implemented using other wireless mobile computing devices as well. The embodiments are not limited in this context.
- computing device 1205 may include processor circuit 1202.
- Processor circuit 1202 may be implemented using any processor or logic device.
- the processing circuit 1202 may be one or more of any type of computational element, such as but not limited to, a microprocessor, a processor, central processing unit, digital signal processing unit, dual core processor, mobile device processor, desktop processor, single core processor, a system-on-chip (SoC) device, complex instruction set computing (CISC) microprocessor, a reduced instruction set (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, or any other type of processor or processing circuit on a single chip or integrated circuit.
- the processing circuit 1202 may be connected to and communicate with the other elements of the computing system via an interconnect 1253, such as one or more buses, control lines, and data lines.
- computing device 1205 may include a memory unit 1204 to couple to processor circuit 1202.
- Memory unit 1204 may be coupled to processor circuit 1202 via communications bus 1253, or by a dedicated communications bus between processor circuit 1202 and memory unit 1204, as desired for a given implementation.
- Memory unit 1204 may be implemented using any machine-readable or computer-readable media capable of storing data, including both volatile and non-volatile memory.
- the machine-readable or computer-readable medium may include a non-transitory medium. The embodiments are not limited in this context.
- Computing device 1205 may include a graphics processing unit (GPU) 1206, in various embodiments.
- the GPU 1206 may include any processing unit, logic or circuitry optimized to perform graphics-related operations as well as the video decoder engines and the frame correlation engines.
- the GPU 906 may be used to render 2-dimensional (2-D) and/or 3-dimensional (3-D) images for various applications such as video games, graphics, computer-aided design (CAD) , simulation and visualization tools, imaging, etc.
- GPU 1206 may process any type of graphics data such as pictures, videos, programs, animation, 3D, 2D, objects images and so forth.
- computing device 1205 may include a display controller 1208.
- Display controller 1208 may be any type of processor, controller, circuit, logic, and so forth for processing graphics information and displaying the graphics information.
- the display controller 1208 may receive or retrieve graphics information from one or more buffers. After processing the information, the display controller 1208 may send the graphics information to a display, which may be coupled to computing device 1205 wired, such as display 1245, or wirelessly using a transceiver, described below.
- system 1200 may include a transceiver 1244.
- Transceiver 1244 may include one or more radios capable of transmitting and receiving signals using various suitable wireless communications techniques. Such techniques may involve communications across one or more wireless networks. Exemplary wireless networks include (but are not limited to) wireless local area networks (WLANs) , wireless personal area networks (WPANs) , wireless metropolitan area network (WMANs) , cellular networks, and satellite networks. In communicating across such networks, transceiver 1244 may operate in accordance with one or more applicable standards in any version. The embodiments are not limited in this context.
- computing device 1205 may include a display 1245.
- Display 1245 may constitute any display device capable of displaying information received from processor circuit 1202, graphics processing unit 1206 and display controller 1208.
- computing device 1205 may include storage 1246.
- Storage 1246 may be implemented as a non-volatile storage device such as, but not limited to, a magnetic disk drive, optical disk drive, tape drive, an internal storage device, an attached storage device, flash memory, battery backed-up SDRAM (synchronous DRAM) , and/or a network accessible storage device.
- storage 1246 may include technology to increase the storage performance and enhance protection for valuable digital media when multiple hard drives are included, for example.
- storage 1246 may include a hard disk, floppy disk, Compact Disk Read Only Memory (CD-ROM) , Compact Disk Recordable (CD-R) , Compact Disk Rewriteable (CD-RW) , optical disk, magnetic media, magneto-optical media, removable memory cards or disks, various types of DVD devices, a tape device, a cassette device, or the like. The embodiments are not limited in this context.
- computing device 1205 may include one or more I/O adapters 1247.
- I/O adapters 1247 may include Universal Serial Bus (USB) ports/adapters, IEEE 1394 Firewire ports/adapters, and so forth. The embodiments are not limited in this context.
- the various elements of the devices described herein may include various hardware elements, software elements, or a combination of both.
- hardware elements may include devices, logic devices, components, processors, microprocessors, circuits, processor elements, circuit elements (e.g., transistors, resistors, capacitors, inductors, and so forth) , integrated circuits, application specific integrated circuits (ASIC) , programmable logic devices (PLD) , digital signal processors (DSP) , field programmable gate array (FPGA) , memory units, logic gates, registers, semiconductor device, chips, microchips, chip sets, and so forth.
- Examples of software elements may include software components, programs, applications, computer programs, application programs, system programs, software development programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, application program interfaces (API) , instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof.
- Some embodiments may be described using the expression “one embodiment” or “an embodiment” along with their derivatives. These terms mean that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment. Further, some embodiments may be described using the expression “coupled” and “connected” along with their derivatives. These terms are not necessarily intended as synonyms for each other. For example, some embodiments may be described using the terms “connected” and/or “coupled” to indicate that two or more elements are in direct physical or electrical contact with each other. The term “coupled, ” however, may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.
- Example 1 An apparatus, comprising logic, a portion of which is implemented in hardware, the logic to comprise: an offload scheduling component to: receive a data request to include an indication to compress, decompress, encrypt, or decrypt data; determine one or more characteristics of the received data request; and schedule one or more data tasks to one of a plurality of processing elements based upon the determined one or more characteristics.
- Example 2 The apparatus of example 1, the plurality of processing elements are components of a data process engine, the data process engine comprising one or more of a hardware security module, CPU, or SOC.
- Example 3 The apparatus of example 1, the one or more characteristics include whether the data request is for compression, decompression, or a geographically-specific cryptography operation.
- Example 4 The apparatus of example 3, the offload scheduling component to schedule compression, decompression, or geographically-specific cryptography operations to a hardware security module.
- Example 5 The apparatus of example 2, the one or more characteristics include whether the data request is for AES or AES-NI operations.
- Example 6 The apparatus of example 5, the offload scheduling component to: determine whether a workload of the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the workload of the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the workload of the CPU is not at or above the threshold.
- Example 7 The apparatus of example 5, the offload scheduling component to: determine whether a delay associated with the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the delay associated with the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the delay associated with the CPU is not at or above the threshold.
- Example 8 The apparatus of example 5, the offload scheduling component to schedule the one or more data tasks to the SOC based upon a determination that an estimated time for completion using the SOC is lower than an estimated time for completion using the CPU.
- Example 9 The apparatus of example 1, the offload scheduling component to receive the data request from one or more virtual machines.
- Example 10 The apparatus of example 1, the offload scheduling component to operate on a virtual machine monitor.
- Example 11 The apparatus of example 1, the offload scheduling component to store and receive data from a ring buffer pool.
- Example 12 The apparatus of example 11, the ring buffer pool comprising one or more ring buffer pairs, each ring buffer pair corresponding to one of a plurality of virtual machines.
- Example 13 The apparatus of example 1, the plurality of processing elements to access a key manager to perform cryptographic operations associated with the one or more data tasks.
- Example 14 The apparatus of example 13, the key manager includes a dedicated random number generator.
- Example 15 The apparatus of example 13, the key manager includes a key database stored within a secure enclave.
- Example 16 The apparatus of example 13, the key manager includes an access control component to determine whether access to a requested key complies with one or more access policies.
- Example 17 At least one machine-readable storage medium comprising instructions that when executed by a processor, cause the processor to: receive, by an offload scheduling component, a data request to include an indication to compress, decompress, encrypt, or decrypt data; determine, by the offload scheduling component, one or more characteristics of the received data request; and schedule, by the offload scheduling component, one or more data tasks to one of a plurality of processing elements based upon the determined one or more characteristics.
- Example 18 The at least one machine-readable storage medium of example 17, the plurality of processing elements are components of a data process engine, the data process engine comprising one or more of a hardware security module, CPU, or SOC.
- Example 19 The at least one machine-readable storage medium of example 17, the one or more characteristics include whether the data request is for compression, decompression, or a geographically-specific cryptography operation.
- Example 20 The at least one machine-readable storage medium of example 19, the offload scheduling component to schedule compression, decompression, or geographically-specific cryptography operations to a hardware security module.
- Example 21 The at least one machine-readable storage medium of example 18, the one or more characteristics include whether the data request is for AES or AES-NI operations.
- Example 22 The at least one machine-readable storage medium of example 20, the offload scheduling component to: determine whether a workload of the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the workload of the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the workload of the CPU is not at or above the threshold.
- Example 23 The at least one machine-readable storage medium of example 20, the offload scheduling component to: determine whether a delay associated with the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the delay associated with the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the delay associated with the CPU is not at or above the threshold.
- Example 24 The at least one machine-readable storage medium of example 20, the offload scheduling component to schedule the one or more data tasks to the SOC based on a determination that an estimated time for completion using the SOC is lower than an estimated time for completion using the CPU.
- Example 25 The at least one machine-readable storage medium of example, the offload scheduling component to receive a data request from one or more virtual machines.
- Example 26 The at least one machine-readable storage medium of example 17, the offload scheduling component to operate on a virtual machine monitor.
- Example 27 The at least one machine-readable storage medium of example, the offload scheduling component to store and receive data from a ring buffer pool.
- Example 28 The at least one machine-readable storage medium of example 27, the ring buffer pool includes one or more ring buffer pairs, each ring buffer pair corresponding to one of a plurality of virtual machines.
- Example 29 The at least one machine-readable storage medium of example 17, the plurality of processing elements access a key manager to perform cryptographic operations associated with the one or more data tasks.
- Example 30 The at least one machine-readable storage medium of example 29, the key manager includes a dedicated random number generator.
- Example 31 The at least one machine-readable storage medium of example 29, the key manager includes a key database stored within a secure enclave.
- Example 32 The at least one machine-readable storage medium of example 29, the key manager includes an access control component to determine whether access to a requested key complies with one or more access policies.
- Example 33 A computer-implemented method, comprising: receiving, by an offload scheduling component, a data request to include an indication to compress, decompress, encrypt, or decrypt data; determining, by the offload scheduling component, one or more characteristics of the received data request; and scheduling, by the offload scheduling component, one or more data tasks to one of a plurality of processing elements based upon the determined one or more characteristics.
- Example 34 The computer-implemented method of example 33, the plurality of processing elements are components of a data process engine to include one or more of a hardware security module, CPU, and SOC.
- Example 35 The computer-implemented method of example 33, the one or more characteristics include whether the data request is for compression, decompression, or a geographically-specific cryptography operation.
- Example 36 The computer-implemented method of example 35, the offload scheduling component to schedule compression, decompression, and geographically-specific cryptography operations to a hardware security module.
- Example 37 The computer-implemented method of example 34, the one or more characteristics include whether the data request is for AES or AES-NI operations.
- Example 38 The computer-implemented method of example 36, the offload scheduling component to: determine whether a workload of the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the workload of the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the workload of the CPU is not at or above the threshold.
- Example 39 The computer-implemented method of example 36, the offload scheduling component to: determine whether a delay associated with the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the delay associated with the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the delay associated with the CPU is not at or above the threshold.
- Example 40 The computer-implemented method of example 36, the offload scheduling component to schedule the one or more data tasks to the SOC based on a determination that an estimated time for completion using the SOC is lower than an estimated time for completion using the CPU.
- Example 41 The computer-implemented method of example, the offload scheduling component receives a data request from one or more virtual machines.
- Example 42 The computer-implemented method of example 33, the offload scheduling component operating on a virtual machine monitor.
- Example 43 The computer-implemented method of example 33, the offload scheduling component to store and receive data from a ring buffer pool.
- Example 44 The computer-implemented method of example 43, the ring buffer pool includes one or more ring buffer pairs, each ring buffer pair corresponding to one of a plurality of virtual machines.
- Example 45 The computer-implemented method of example 33, the plurality of processing elements to access a key manager to perform cryptographic operations associated with the one or more data tasks.
- Example 46 The computer-implemented method of example 45, the key manager includes a dedicated random number generator.
- Example 47 The computer-implemented method of example 45, the key manager includes a key database stored within a secure enclave.
- Example 48 The computer-implemented method of example 45, the key manager includes an access control component to determine whether access to a requested key complies with one or more access policies.
- Example 49 An apparatus for a device, the apparatus comprising means for performing the method of any one of examples 33-48.
- Example 50 An apparatus comprising: means for receiving, by an offload scheduling component, a data request to include an indication to compress, decompress, encrypt, or decrypt data; means for determining, by the offload scheduling component, one or more characteristics of the received data request; and means for scheduling, by the offload scheduling component, one or more data tasks to one of a plurality of processing elements based upon the determined one or more characteristics.
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
- Retry When Errors Occur (AREA)
Abstract
Providing techniques for accelerated secure storage capabilities. In particular, an offload scheduler may be configured to receive a data request for the compression, decompression, encryption, or decryption of data. The offload scheduler may determine one or more characteristics of the received data request, such as whether it involves compression, decompression, or geographically-specific cryptography. Based upon the determined characteristics, the offload scheduler may schedule one or more data tasks to one of a plurality of processing elements.
Description
Embodiments described herein generally relate to techniques for accelerated secure storage capabilities in distributed computing or cloud computing environments.
Public and private data centers are increasingly being used for secure communications, data operations, and data storage. As more public and private parties have relied upon these data centers, the amount of data that needs to be securely managed has rapidly increased. Data compression and encryption are used to efficiently and securely store data, however, compression and encryption operations may negatively impact data center performance, especially when used in conjunction with a rapid increase in data. Several techniques have been developed to improve the performance of compression and encryption of data, but the most efficient techniques may not always be utilized in a data center environment. Accordingly, properly selecting the most efficient compression and encryption techniques may provide enhanced performance and scalability in rapidly growing public and private data centers.
FIG. 1 illustrates a block diagram of a system according to an embodiment.
FIG. 2 illustrates a block diagram of a system according to an embodiment.
FIG. 3 illustrates a block diagram of a system according to an embodiment.
FIG. 4 illustrates a block diagram of a system according to an embodiment.
FIG. 5 illustrates a block diagram of a system according to an embodiment.
FIG. 6 illustrates a logic flow according to an embodiment.
FIG. 7 illustrates a logic flow according to an embodiment.
FIG. 8 illustrates a logic flow according to an embodiment.
FIG. 9 illustrates a logic flow according to an embodiment.
FIG. 10 illustrates an embodiment of computer-readable storage medium.
FIG. 11 illustrates an embodiment of a processing architecture.
FIG. 12 illustrates an embodiment of a computing system.
Various embodiments are generally directed to techniques for accelerated secure storage capabilities. In particular, some embodiments are directed to dynamically scheduling compression and encryption operations based upon various criteria such that the operations are performed in an efficient manner. In a cloud-based data storage environment, data may be compressed and protected using encryption while stored on virtual machines, non-virtual hosts, or on backend storage systems. Each storage method may have tradeoffs in terms of performance and security.
In an example, protecting data on a virtual machine may use the deployment of performance optimized compression and encryption modules. Such modules may be accessible to a guest operating system or a virtual host. However, in cloud-based systems, computation tasks may be spread across many different central processing units (CPUs) , memory, and storage devices. Thus, in cloud-based systems, a performance optimization strategy may differ based upon the availability of acceleration hardware on the particular node scheduled to perform a workload task.
In embodiments described herein, compression and encryption operations may be optimized in various ways. In a first example, CPUs may be optimized specifically to increase performance for a particular encryption algorithm, such as the Advanced Encryption Standard (AES) or the Advanced Encryption Standard New Instructions (AES-NI) . The use of CPUs optimized for these instruction sets may improve the performance of operations using AES-based encryption; however, in some cases, other encryption standards may be preferred or required that will not see increased performance. In certain geographic locations, such as China, encryption standards other than AES may be preferred or required. In these cases, CPUs specifically optimized for certain types of encryption may not provide an increase in performance. Thus, other techniques for increasing the performance of compression and encryption operations are preferred.
In a second example of an optimized compression and encryption technique, compression and encryption operations may be offloaded to a dedicated purpose-built compute node, such as on a cluster backplane. This technique is sometimes referred to as Quick Assist Technology (QAT) . In a third example, compression and encryption operations may be offloaded to an IP block of an I/O controller. In a fourth example, storage devices, such as solid-state drives (SSD) , may offer built-in compression and encryption modules. Network-attached storage (NAS) systems using such SSDs may be constructed from SSD building blocks that support data center storage encryption, but leave the data in the clear while in use. In a fifth example, special classes of servers with integrated field-programmable gate arrays (FPGA) may be used to offload compression and encryption operations, and may be customized for geographically-specific constraints, such as within China. While these examples have been provided to provide context for the described embodiments, they should not be construed in a limiting manner, and other techniques for optimizing compression and encryption operations may be employed by the embodiments described herein.
In the geographically-specific example of China, some of the offloading options described above may not be configured to optimize the preferred or required encryption standards. While China has been used as an example, preferred or required encryption techniques may be present based on a variety of factors including geography, the type of data, the requestor or owner of data, or corporate preferences, as some examples. When an encryption technique is preferred or required, the embodiments described herein may dynamically determine the most efficient option for compression and encryption operations and schedule the tasks accordingly. The determination of the compression and encryption needs may be based upon a request to access, store, or otherwise modify data, and may be performed dynamically, and in substantially real-time, ensuring that each compression and encryption operation is being handled in an efficient manner. Dynamically scheduling compression and encryption operations may greatly increase the performance of cloud-based data center environments and allow for increased scalability, particularly when used on a global scale.
With general reference to notations and nomenclature used herein, portions of the detailed description that follow may be presented in terms of program procedures executed on a computer or network of computers. These procedural descriptions and representations are used by those skilled in the art to most effectively convey the substance of their work to others skilled in the art. A procedure is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. These operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical, magnetic or optical signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It proves convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like. It should be noted, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to those quantities.
Further, these manipulations are often referred to in terms, such as adding or comparing, which are commonly associated with mental operations performed by a human operator. However, no such capability of a human operator is necessary, or desirable in most cases, in any of the operations described herein that form part of one or more embodiments. Rather, these operations are machine operations. Useful machines for performing operations of various embodiments include general purpose digital computers as selectively activated or configured by a computer program stored within that is written in accordance with the teachings herein, and/or include apparatus specially constructed for the required purpose. Various embodiments also relate to apparatus or systems for performing these operations. These apparatus may be specially constructed for the required purpose or may incorporate a general computing device. The required structure for a variety of these machines will appear from the description given.
Reference is now made to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding thereof. It may be evident, however, that the novel embodiments can be practiced without these specific details. In other instances, known structures and devices are shown in block diagram form in order to facilitate a description thereof. The intention is to provide a thorough description such that all modifications, equivalents, and alternatives within the scope of the claims are sufficiently described.
Additionally, reference may be made to variables, such as, “a” , “b” , “c” , which are used to denote components where more than one component may be implemented. It is important to note, that there need not necessarily be multiple components and further, where multiple components are implemented, they need not be identical. Instead, use of variables to reference components in the figures is done for convenience and clarity of presentation.
FIG. 1 illustrates a block diagram of a system 100 according to an embodiment. System 100 may be configured to dynamically pipeline compression and cryptographic operations based upon the best-available-throughput at a given time. The best-available-throughput may be determined based upon the availability of memory and processing capabilities. In some embodiments, one or more cryptographic processing techniques may be optimized for specific types of data requests, such as certain compression and encryption operations.
In an embodiment, VMM 104 may, among other components which have been omitted for clarity, include HAE 106. HAE 106 may be implemented in hardware and/or software, and may contain at least offload scheduler 108, ring buffer pool 110, and key manager 112. Offload scheduler 108 may be configured to analyze data requests and schedule data requests for processing by the appropriate component of data process engine 114 based upon one or more of various criteria, discussed in more detail with respect to FIG. 2. In general, offload scheduler 108 may determine whether a data request is for compression/decompression, a geographic-specific cryptographic operation, or another type of operation, such as AES-based encryption. In the case of compression/decompression operations or geographic-specific cryptographic operations, offload scheduler 108 may schedule a corresponding data processing task to HSM 116. In the case of other operations, including AES-based encryption, offload scheduler 108 may schedule a corresponding data processing task to CPU 118. In some situations when CPU 118 is experiencing a higher than normal workload, offload scheduler 108 may be configured to schedule operations using a dedicated SOC 120, or delay operations until such a time when CPU 118 is available. The logic flow for offload scheduler 108 is described in more detail with respect to FIGS. 7-8 below.
In an embodiment, HAE 106 may include ring buffer pool 110, which may provide data buffering and device virtualization capabilities. Ring buffer pool 110 may comprise physical memory space using DRAM, or other types of memory described herein, located on a physical server running VMM 104. Ring buffer pool 110 may be organized to include one or more bundles of DRAM organized into pairs of ring buffers. Each pair of ring buffers may include one ring buffer for requests and another ring buffer for responses, and each pair may be assigned to each of VM 102. In some embodiments, each ring buffer may be assigned unique physical DRAM space and be assigned to a virtual disk bus of each of VM 102. Ring buffer pool 110 is described in more detail with respect to FIG. 3 below.
In an embodiment, HAE 106 may include a dedicated key manager 112. Key manager 112 may provide key management capacities that allow offload scheduler 108 to perform key-related operations including, but not limited to, add, delete, lookup, and key generation via an interface (not shown in FIG. 1, but described in detail with respect to FIG. 4) . Key manager 112 may be comprised of one or more physical memory locations, such as data registers, and may include an internal database associated with each ring buffer pair within ring buffer pool 110, which, in turn, may be associated with a VM 102. The database may be used to store one or more keys associated with a VM 102. Key manager 112 may be implemented using a secure enclave in some embodiments, and components from data processing engine 114 may be provided access to the contents of key manager 112 when performing scheduled data tasks.
In some embodiments, HSM 116 may be replaced or supplemented using SSD-based solutions, which may offer built-in compression and encryption modules. Further, in some embodiments, NAS systems using such SSDs may be constructed from SSD building blocks that support data center storage encryption, which may leave the data in the clear while in use, in some implementations. It can be appreciated that such SSD and/or NAS based solutions, or other modules that are specialized for particular processing functions may be used in addition to, or instead of, HSM-based solutions described herein. The embodiments are not limited in this context.
FIG. 2 illustrates a block diagram of offload scheduler 200, which may correspond to offload scheduler 108, described with respect to FIG. 1. Offload scheduler 200 may be configured to analyze a data request 202 and schedule one or more data tasks associated with data request 202 for processing by the appropriate component of data process engine 114 based upon one or more of various criteria. Data request 202 may include information concerning the data to be accessed, such as an address in virtual or physical memory, and other information with respect to a type of request. For example, data request 202 may indicate that the data is associated with a particular geography, encryption standard, or compression standard, which may be identified explicitly, or determined using information such as a memory address.
In general, offload scheduler 200 may perform a real-time performance evaluation 204 and determine whether data request 202 is for compression/decompression, a geographic-specific cryptographic operation, or another type of operation, such as AES-based encryption. In addition, real-time performance evaluation 204 may determine the workload of one or more processing elements of data processing engine 114. For example, if a processing element has a workload higher than a predetermined threshold (based upon time and/or efficiency) , data tasks may be scheduled to another processing element that can perform the task faster and/or more efficiently. The real-time performance evaluation may be determined using one or more requests for information from the processor, or modules capable of tracking processor performance.
In some embodiments, offload scheduler 200 may use one or more processes to determine and/or obtain performance characteristics for particular processing elements, and for particular processing elements in relation to particular data tasks. In a first example, a setup or configuration user interface may be used by an administrator, or other user, to enter expected performance parameters. These performance parameters may be expressed in terms of an average or peak encryption rate, average or peak decryption rate, average or peak data compression rate, and/or average or peak data decompression rate. Such performance parameters may be stored in a database (not shown) , accessible by offload scheduler 200. In a second example, a driver interface may expose performance settings which have been pre-configured by an encryption offload processor vendor. In a third example, a driver/manageability interface may run benchmarks to dynamically and, in some embodiments, periodically, assess the baseline performance of various processing elements in relation to various data tasks described herein. Results may be stored within a database and accessible to offload scheduler 200. Offload scheduler 200 may use stored baseline values, which have been obtained using one or more of the examples above, to compute performance degradation estimates given current system load.
An execution plan 206 may be determined by offload scheduler 200 in which a data task related to data request 202 is scheduled based upon the real-time performance evaluation 204. In the case of compression/decompression operations or geographic-specific cryptographic operations, offload scheduler 200 may schedule a corresponding data processing task to HSM 116. In the case of other operations, including AES-based encryption, offload scheduler 200 may schedule a corresponding data processing task to CPU 118. In some situations when CPU 118 is experiencing a higher than normal workload, offload scheduler 200 may be configured to schedule other operations using a dedicated SOC 120, or delay operations until such a time when CPU 118 is available. The logic flow for offload scheduler 200 is described in more detail with respect to FIGS. 7-8 below.
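The scheduling decision described for FIG. 2 (classify the request, send compression and geographically-specific cryptography to the HSM, send AES work to the CPU unless its workload or delay is at a threshold or the SOC would finish sooner, as in examples 3-8) can be written down as a small policy function. The following is an added example, not code from the patent or from any product: the threshold values, the cipher-name sets, the degradation model inside `estimated_completion_s` and the `reason` strings are all assumptions made here so that each branch of the described logic is visible and testable.

```python
"""Offload scheduling model: classify a data request and pick HSM, CPU or SOC.
Added example, not the patent's own code; thresholds and rates are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Op(Enum):
    COMPRESS = "compress"
    DECOMPRESS = "decompress"
    ENCRYPT = "encrypt"
    DECRYPT = "decrypt"


class Target(Enum):
    HSM = "hsm"   # geographically-specific crypto and (de)compression
    CPU = "cpu"   # AES / AES-NI by default
    SOC = "soc"   # AES fallback when the CPU is busy or slower


# Assumed mapping of cipher names to request classes (SMS4/ZUC are the
# geographically-specific standards the description names).
GEO_SPECIFIC_CIPHERS = {"SMS4", "ZUC"}
AES_FAMILY = {"AES", "AES-NI"}


@dataclass(frozen=True)
class DataRequest:
    vm_id: str
    op: Op
    size_bytes: int
    cipher: Optional[str] = None  # None for compression requests


@dataclass
class ProcessorState:
    """Inputs to the real-time performance evaluation for one processing element."""
    baseline_rate_bps: float  # bytes/s from admin config, vendor settings or a benchmark
    load: float               # current utilisation, 0.0 .. 1.0
    queue_delay_s: float      # wait before a newly queued task starts

    def estimated_completion_s(self, size_bytes: int) -> float:
        # Assumed degradation model: throughput shrinks with remaining headroom,
        # floored so a saturated element still yields a finite estimate.
        headroom = max(1.0 - self.load, 0.05)
        return self.queue_delay_s + size_bytes / (self.baseline_rate_bps * headroom)


@dataclass
class OffloadScheduler:
    cpu: ProcessorState
    soc: ProcessorState
    load_threshold: float = 0.85      # assumed; "workload at or above a threshold"
    delay_threshold_s: float = 0.010  # assumed; "delay at or above a threshold"

    @staticmethod
    def classify(req: DataRequest) -> str:
        if req.op in (Op.COMPRESS, Op.DECOMPRESS):
            return "compression"
        if req.cipher in GEO_SPECIFIC_CIPHERS:
            return "geo_crypto"
        if req.cipher in AES_FAMILY:
            return "aes"
        # Fail closed: an unknown cipher must not be silently routed to the CPU path.
        raise ValueError(f"unsupported cipher for {req.op.value}: {req.cipher!r}")

    def schedule(self, req: DataRequest) -> Tuple[Target, str]:
        """Return (target, reason); the reason is what an audit record would carry."""
        kind = self.classify(req)
        if kind in ("compression", "geo_crypto"):
            return Target.HSM, kind
        if self.cpu.load >= self.load_threshold:
            return Target.SOC, "cpu_load_at_threshold"
        if self.cpu.queue_delay_s >= self.delay_threshold_s:
            return Target.SOC, "cpu_delay_at_threshold"
        if (self.soc.estimated_completion_s(req.size_bytes)
                < self.cpu.estimated_completion_s(req.size_bytes)):
            return Target.SOC, "soc_faster"
        return Target.CPU, "cpu_default"


if __name__ == "__main__":
    # Constructed sample states: CPU baseline 2 GB/s at 30 % load, SOC 1 GB/s at 10 %.
    sched = OffloadScheduler(cpu=ProcessorState(2e9, 0.3, 0.001),
                             soc=ProcessorState(1e9, 0.1, 0.002))
    for r in (DataRequest("vm-a", Op.ENCRYPT, 1 << 20, "AES-NI"),
              DataRequest("vm-a", Op.DECRYPT, 1 << 20, "SMS4"),
              DataRequest("vm-b", Op.COMPRESS, 1 << 20)):
        print(r.op.value, r.cipher, "->", sched.schedule(r))
```

The `classify` step refuses requests whose cipher it does not recognise rather than defaulting them to the CPU path; a scheduler that silently routes an unknown algorithm to the fastest element is how a "required" standard ends up not being used. Returning a reason alongside the target keeps the decision auditable, which matters once placement is driven by live load measurements that are hard to reproduce after the fact.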
FIG. 3 illustrates a ring buffer pool 300, which may correspond to ring buffer pool 110. Ring buffer pool 300 may provide data buffering and device virtualization capabilities. Ring buffer pool 300 may comprise physical memory space using DRAM, or other types of memory described herein, located on a physical server running a VMM. Ring buffer pool 300 may be organized to include one or more bundles of DRAM organized into pairs of ring buffers, also referred to as circular buffers, circular queues, or cyclic buffers. Each pair of ring buffers may include one ring buffer for requests and another ring buffer for responses, and each pair may be assigned to a VM, such as VM 102, described above. In some embodiments, each ring buffer may be assigned unique physical DRAM space and be assigned to a virtual disk bus of a VM.
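The ring buffer pool of FIG. 3, one request ring and one response ring per VM, is modelled below in plain Python lists. This is an added example and not the patent's code; the DRAM placement, virtual disk bus attachment and capacity are not represented, and the round-robin draining order and the back-pressure behaviour of a full ring are choices made here rather than anything the page specifies.

```python
"""Per-VM request/response ring buffer pairs. Added example, not the patent's code;
rings are Python lists standing in for the dedicated DRAM the description names."""
from typing import Any, Callable, Dict, List, Optional, Tuple


class RingBuffer:
    """Fixed-capacity circular queue; a full ring rejects pushes instead of overwriting."""

    def __init__(self, capacity: int) -> None:
        if capacity < 1:
            raise ValueError("capacity must be positive")
        self._slots: List[Any] = [None] * capacity
        self._cap = capacity
        self._head = 0   # next slot to read
        self._tail = 0   # next slot to write
        self._count = 0

    def push(self, item: Any) -> bool:
        if self._count == self._cap:
            return False  # producer must back off; nothing already queued is lost
        self._slots[self._tail] = item
        self._tail = (self._tail + 1) % self._cap
        self._count += 1
        return True

    def pop(self) -> Optional[Any]:
        if self._count == 0:
            return None
        item = self._slots[self._head]
        self._slots[self._head] = None  # drop the reference once consumed
        self._head = (self._head + 1) % self._cap
        self._count -= 1
        return item

    def __len__(self) -> int:
        return self._count


class RingBufferPool:
    """One (request, response) ring pair per VM; a VM only ever touches its own pair."""

    def __init__(self, capacity: int = 64) -> None:
        self._capacity = capacity
        self._pairs: Dict[str, Tuple[RingBuffer, RingBuffer]] = {}
        self._order: List[str] = []  # round-robin order on the scheduler side
        self._cursor = 0

    def attach(self, vm_id: str) -> None:
        if vm_id in self._pairs:
            raise KeyError(f"{vm_id} already attached")
        self._pairs[vm_id] = (RingBuffer(self._capacity), RingBuffer(self._capacity))
        self._order.append(vm_id)

    # guest (VM) side
    def submit(self, vm_id: str, request: Any) -> bool:
        return self._pairs[vm_id][0].push(request)  # KeyError for an unknown VM

    def collect(self, vm_id: str) -> List[Any]:
        ring = self._pairs[vm_id][1]
        out: List[Any] = []
        while True:
            item = ring.pop()
            if item is None:
                return out
            out.append(item)

    # scheduler / data process engine side
    def next_request(self) -> Optional[Tuple[str, Any]]:
        n = len(self._order)
        for i in range(n):
            idx = (self._cursor + i) % n
            vm_id = self._order[idx]
            req = self._pairs[vm_id][0].pop()
            if req is not None:
                self._cursor = (idx + 1) % n
                return vm_id, req
        return None

    def complete(self, vm_id: str, response: Any) -> bool:
        return self._pairs[vm_id][1].push(response)


def process_all(pool: RingBufferPool, handler: Callable[[str, Any], Any]) -> int:
    """Drain every request ring round-robin and post each result to the owning VM's ring."""
    served = 0
    while True:
        item = pool.next_request()
        if item is None:
            return served
        vm_id, req = item
        if not pool.complete(vm_id, handler(vm_id, req)):
            raise RuntimeError(f"response ring for {vm_id} is full; guest must drain it")
        served += 1
```

Two properties are worth checking in any real implementation of this layout: a response is only ever written to the ring of the VM whose request produced it, and a full ring makes the producer wait rather than overwriting an entry that the other side has not yet consumed. Both are asserted in the test below.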
FIG. 4 illustrates a system 400 according to an embodiment. In particular, FIG. 4 illustrates the interactions between key manager 404, which may correspond with key manager 112 of FIG. 1, offload scheduler 402, and cryptographic engine 418. Key manager 404 may provide key management capacities that allow offload scheduler 402 to perform key-related operations including, but not limited to, add, delete, lookup, and key generation via an interface 406. Interface 406 may be a secure interface that allows the transfer of data and keys between key manager 404 and offload scheduler 402 and cryptographic engine 418. Access interface 406 and access control 408 may be components implemented in hardware and/or software, and may provide matching and access to keys stored within key database 410.
In some embodiments, key manager 404 may include a random number generator TRNG 412. TRNG 412 may be a true random number generator, which may utilize Digital Random Number Generator (DRNG) technology. TRNG 412 may be included within key manager 404 to provide fast and secure access to random numbers for cryptographic functions and key management and generation.
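The key manager of FIG. 4 exposes add, delete, lookup and generate to the offload scheduler and hands key material to the cryptographic engine, with access control 408 deciding whether a request complies with policy (example 16). The sketch below is an added example, not the patent's code: the principals `offload-scheduler` and `crypto-engine`, the per-VM namespaces, the deny-by-default policy shape, the audit tuple layout and the zeroisation on delete are all assumptions of this example, `secrets.token_bytes` stands in for the dedicated TRNG, and a plain dictionary stands in for the enclave-resident key database.

```python
"""Key manager with per-principal access policies. Added example, not the patent's code.
secrets.token_bytes stands in for the TRNG; a dict stands in for the enclave key database."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

KEY_OPS = frozenset({"add", "delete", "lookup", "generate"})


@dataclass(frozen=True)
class AccessPolicy:
    allowed_ops: Set[str]   # subset of KEY_OPS this principal may perform
    namespaces: Set[str]    # VM identities whose keys it may touch


class KeyManager:
    def __init__(self, rng: Callable[[int], bytes] = secrets.token_bytes) -> None:
        self._rng = rng
        self._db: Dict[Tuple[str, str], bytearray] = {}   # (namespace, key_id) -> material
        self._policies: Dict[str, AccessPolicy] = {}
        self.audit: List[Tuple[str, str, str, str]] = []   # (principal, op, namespace, verdict)

    def set_policy(self, principal: str, policy: AccessPolicy) -> None:
        unknown = policy.allowed_ops - KEY_OPS
        if unknown:
            raise ValueError(f"unknown ops {sorted(unknown)}")
        self._policies[principal] = policy

    def _authorize(self, principal: str, op: str, namespace: str) -> None:
        pol = self._policies.get(principal)   # no policy means deny
        ok = pol is not None and op in pol.allowed_ops and namespace in pol.namespaces
        self.audit.append((principal, op, namespace, "allow" if ok else "deny"))
        if not ok:
            raise PermissionError(f"{principal} may not {op} keys of {namespace}")

    def _store(self, namespace: str, key_id: str, material: bytearray) -> None:
        if (namespace, key_id) in self._db:
            raise KeyError(f"{namespace}/{key_id} already exists")  # never overwrite silently
        self._db[(namespace, key_id)] = material

    def generate(self, principal: str, namespace: str, key_id: str, length: int = 32) -> str:
        self._authorize(principal, "generate", namespace)
        self._store(namespace, key_id, bytearray(self._rng(length)))
        return key_id   # the caller gets a handle; material stays inside the manager

    def add(self, principal: str, namespace: str, key_id: str, material: bytes) -> str:
        self._authorize(principal, "add", namespace)
        self._store(namespace, key_id, bytearray(material))
        return key_id

    def lookup(self, principal: str, namespace: str, key_id: str) -> bytes:
        """Used by the cryptographic engine; returns a copy, KeyError if absent."""
        self._authorize(principal, "lookup", namespace)
        return bytes(self._db[(namespace, key_id)])

    def delete(self, principal: str, namespace: str, key_id: str) -> None:
        self._authorize(principal, "delete", namespace)
        material = self._db.pop((namespace, key_id))
        for i in range(len(material)):
            material[i] = 0   # best-effort zeroisation before the buffer is released


if __name__ == "__main__":
    km = KeyManager()
    km.set_policy("offload-scheduler", AccessPolicy({"add", "delete", "generate"}, {"vm-a", "vm-b"}))
    km.set_policy("crypto-engine", AccessPolicy({"lookup"}, {"vm-a"}))
    km.generate("offload-scheduler", "vm-a", "disk-0")
    print(len(km.lookup("crypto-engine", "vm-a", "disk-0")), "byte key served to engine")
    print(km.audit)
```

The split of privileges is the point: the scheduler can create and retire keys but never read material, the engine can read material only for the VM it is serving, and every decision, allowed or denied, lands in the audit list before the operation proceeds.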
FIG. 5 illustrates a block diagram of a system 500 according to an embodiment. System 500 includes an application 502 that may interact with an OS driver 506 over API 504. Application 502 may be one of various software applications available to run on one or more VMs, and OS driver 506 may be one of various OS drivers available to communicate between applications and OSs. OS driver 506 may communicate with a data/control interface 510 of HSM 530 over an IO/memory access interface 508, which may be one of various interfaces described herein.
In an embodiment, HSM 530 may include a controller 522, memory 524, and non-volatile storage 526, each of which may be consistent with one or more controllers and memories described herein. Policy 528 may limit access to HSM 530 based upon one or more access policies associated with VMs. For example, certain VMs may be able to access HSM 530, and others may not. Policy 528 may be implemented in hardware and/or software, and may access stored relationships between various VMs and access policies restricting access to HSM 530.
In an embodiment, HSM 530 may include a specialized cryptography processor 512, which may be optimized to perform encryption/decryption operations for a particular standard or set of standards, such as geographically-specific standards like SMS4 and/or ZUC. In some embodiments, one or more cryptography processors may be included within HSM 530, however, only one is shown within HSM 530 for purposes of illustration. A compression processor 514 may also be included within HSM 530, which may be optimized to perform certain compression operations. It can be appreciated that more than one compression processor 514 may be included within HSM 530, or none at all. In various embodiments, cryptography processing and compression processing may be performed using separate HSMs, or may be combined into a single HSM, such as HSM 530. Cryptography processor 512 and compression processor 514 may have access to encryption/decryption engine 518 and key generation component 518, which may be used during certain operations to perform cryptography and key operations.
The devices described herein may be any of a variety of types of computing devices, including without limitation, a server, a workstation, a data center, a laptop computer, a tablet computer, a smart phone, or the like.
In various embodiments, the aforementioned processors may include any of a wide variety of commercially available processors, including without limitation, an application, embedded or secure processor; an IBM Cell processor; or a Core (2) processor. Further, one or more of these processor elements may include a multi-core processor (whether the multiple cores coexist on the same or separate dies), and/or a multi-processor architecture of some other variety by which multiple physically separate processors are in some way linked. Furthermore, in various embodiments any number of the processor elements 110, 210, and/or 410 may include a trusted execution environment (e.g., Intel or ARM trusted execution environments, or the like) to provide for the processing and/or storing of sensitive information. The trusted execution environment may be used for various embodiments described herein, including for key management and the storage and transfer of cryptographically secured data.
In various embodiments, the aforementioned storages may be based on any of a wide variety of information storage technologies, possibly including volatile technologies requiring the uninterrupted provision of electric power, and possibly including technologies entailing the use of machine-readable storage media that may or may not be removable. Thus, each of these storages may include any of a wide variety of types (or combination of types) of storage devices, including without limitation, read-only memory (ROM), random-access memory (RAM), dynamic RAM (DRAM), Double-Data-Rate DRAM (DDR-DRAM), synchronous DRAM (SDRAM), static RAM (SRAM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, polymer memory (e.g., ferroelectric polymer memory), ovonic memory, phase change or ferroelectric memory, silicon-oxide-nitride-oxide-silicon (SONOS) memory, magnetic or optical cards, one or more individual ferromagnetic disk drives, or a plurality of storage devices organized into one or more arrays (e.g., multiple ferromagnetic disk drives organized into a Redundant Array of Independent Disks array, or RAID array). It should be noted that although each of these storages is depicted as a single block, one or more of these may include multiple storage devices that may be based on differing storage technologies. Thus, for example, one or more of each of these depicted storages may represent a combination of an optical drive or flash memory card reader by which programs and/or data may be stored and conveyed on some form of machine-readable storage media, a ferromagnetic disk drive to store programs and/or data locally for a relatively extended period, and one or more volatile solid state memory devices enabling relatively quick access to programs and/or data (e.g., SRAM or DRAM). It should also be noted that each of these storages may be made up of multiple storage components based on identical storage technology, but which may be maintained separately as a result of specialization in use (e.g., some DRAM devices employed as a main storage while other DRAM devices are employed as a distinct frame buffer of a graphics controller).
In various embodiments, networks may be a single network possibly limited to extending within a single building or other relatively limited area, a combination of connected networks possibly extending a considerable distance, and/or may include the Internet. Thus, networks may be based on any of a variety (or combination) of communications technologies by which signals may be exchanged, including without limitation, wired technologies employing electrically and/or optically conductive cabling, and wireless technologies employing infrared, radio frequency or other forms of wireless transmission. Accordingly, the aforementioned interfaces may include circuitry providing at least some of the requisite functionality to enable such coupling. However, the aforementioned interfaces may also be at least partially implemented with sequences of instructions executed by the processor elements (e.g., to implement a protocol stack or other features). Where one or more portions of the networks may employ electrically and/or optically conductive cabling, the interface may employ signaling and/or protocols conforming to any of a variety of industry standards, including without limitation, RS-232C, RS-422, USB, Ethernet (IEEE-802.3) or IEEE-1394.
Alternatively or additionally, where one or more portions of the networks entail the use of wireless signal transmission, corresponding ones of these interfaces may employ signaling and/or protocols conforming to any of a variety of industry standards, including without limitation, IEEE 802.11a, 802.11b, 802.11g, 802.16, 802.20 (commonly referred to as "Mobile Broadband Wireless Access"); Bluetooth; ZigBee; or a cellular radiotelephone service such as GSM with General Packet Radio Service (GSM/GPRS), CDMA/1xRTT, Enhanced Data Rates for Global Evolution (EDGE), Evolution Data Only/Optimized (EV-DO), Evolution For Data and Voice (EV-DV), High Speed Downlink Packet Access (HSDPA), High Speed Uplink Packet Access (HSUPA), 4G LTE, etc. It should be noted that although the interface is depicted as a single block, it might include multiple interfaces that may be based on differing signaling technologies. This may be the case especially where one or more of these interfaces couples the components to more than one network, each employing differing communications technologies.
Some of the following figures may include a logic flow. Although such figures presented herein may include a particular logic flow, it can be appreciated that the logic flow merely provides an example of how the general functionality as described herein can be implemented. Further, the given logic flow does not necessarily have to be executed in the order presented unless otherwise indicated. In addition, the given logic flow may be implemented by a hardware element, a software element executed by a processor, or any combination thereof. For example, a logic flow may be implemented by a processor component executing instructions stored on an article of manufacture, such as a storage medium. A storage medium may comprise any non-transitory computer-readable medium or machine-readable medium, such as an optical, magnetic or semiconductor storage. The storage medium may store various types of computer executable instructions, such as instructions to implement one or more disclosed logic flows. Examples of a computer readable or machine readable storage medium may include any tangible media capable of storing electronic data, including volatile memory or non-volatile memory, removable or non-removable memory, erasable or non-erasable memory, writeable or re-writeable memory, and so forth. Examples of computer executable instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, object-oriented code, visual code, and the like. The embodiments are not limited in this context.
FIG. 6 illustrates a logic flow 600 according to an embodiment. Logic flow 600 sets forth an initialization process according to an embodiment. Initialization may occur before a VM boots up, and the initialization process may initialize one or more modules. At block 602, a host boots up according to well-known host booting procedures.
At block 604, several initialization steps may occur for modules or components described herein. For example, at block 604-a, a data process engine may be loaded and initialized, which may make one or more processing elements available to the host and subsequently created VMs via a VMM. At block 604-b, a key management module may be initialized, which may include preparing a key database for access and initializing any secure memory or interfaces such that they may be accessed during compression and/or cryptography operations. As described above, at block 604-c, a ring buffer pool may be created, which may be initialized to contain ring buffer pairs for each VM.
At block 606, a virtual machine may be created, which may be managed by a VMM such that the VM is provided access to the host. At block 608, a ring bundle from the ring buffer pool may be assigned to a VM, and each ring buffer from the ring bundle (each ring bundle includes a pair of ring buffers, as described above) may be mapped by a VMM to a virtual disk bus.
At block 610, a cipher key and key map may be generated in a key management module. The cipher key and key map may be used to associate a VM with one or more keys within the key management module, and may allow access to certain keys based upon one or more access policies.
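The initialization steps of blocks 602-610 together with the per-VM access policy 528 described for FIG. 5, as an added Python example that is not code from the patent: the class names, the key size, the ring capacity and the sample VM identifiers are assumptions constructed for illustration. It shows the isolation property the key map provides: a VM without a stored policy relationship can neither mint a key on the HSM nor resolve a key mapped to another VM.

```python
"""Initialization flow of logic flow 600 (blocks 602-610) combined with the
per-VM HSM access policy of FIG. 5 (policy 528). Added example, not the
patent's code: the class names, the 16-byte key size, the ring capacity and
the sample VM identifiers are assumptions made for illustration."""
import secrets
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple


@dataclass
class RingBuffer:
    direction: str                  # "egress" (encrypt) or "ingress" (decrypt)
    capacity: int
    slots: Deque[bytes] = field(default_factory=deque)

    def push(self, descriptor: bytes) -> None:
        if len(self.slots) >= self.capacity:
            raise OverflowError(f"{self.direction} ring full")
        self.slots.append(descriptor)


RingBundle = Tuple[RingBuffer, RingBuffer]   # one egress/ingress pair per VM


class RingBufferPool:
    """Block 604-c: ring buffer pairs are created up front, one bundle per VM."""

    def __init__(self, n_bundles: int, capacity: int):
        self._free: List[RingBundle] = [
            (RingBuffer("egress", capacity), RingBuffer("ingress", capacity))
            for _ in range(n_bundles)]
        self.assigned: Dict[str, RingBundle] = {}

    def assign(self, vm_id: str) -> RingBundle:
        """Block 608: hand a bundle to a VM; the VMM maps it to a virtual disk bus."""
        if vm_id in self.assigned:
            raise ValueError(f"{vm_id} already holds a ring bundle")
        if not self._free:
            raise RuntimeError("ring buffer pool exhausted")
        bundle = self._free.pop()
        self.assigned[vm_id] = bundle
        return bundle


class HsmAccessPolicy:
    """Policy 528: stored VM -> permitted-standard relationships, deny by default."""

    def __init__(self):
        self._allowed: Dict[str, Set[str]] = {}

    def grant(self, vm_id: str, standards: Set[str]) -> None:
        self._allowed.setdefault(vm_id, set()).update(standards)

    def permits(self, vm_id: str, standard: str) -> bool:
        return standard in self._allowed.get(vm_id, set())


class KeyManagementModule:
    """Block 604-b: key database and secure memory; block 610: per-VM key map."""

    def __init__(self, policy: HsmAccessPolicy):
        self.policy = policy
        self._keys: Dict[str, bytes] = {}          # key database (key_id -> key)
        self._key_map: Dict[str, Set[str]] = {}    # vm_id -> key_ids it may use

    def generate_for_vm(self, vm_id: str, standard: str) -> str:
        """Block 610: mint a cipher key and record the VM -> key relationship,
        but only where policy 528 allows that VM to use the standard."""
        if not self.policy.permits(vm_id, standard):
            raise PermissionError(f"{vm_id} may not use {standard} on the HSM")
        key_id = f"{vm_id}:{standard}:{secrets.token_hex(4)}"
        self._keys[key_id] = secrets.token_bytes(16)   # 128-bit key, assumed size
        self._key_map.setdefault(vm_id, set()).add(key_id)
        return key_id

    def key_for(self, vm_id: str, key_id: str) -> bytes:
        """Resolve a key through the key map, so one VM cannot read another's."""
        if key_id not in self._key_map.get(vm_id, set()):
            raise PermissionError(f"{key_id} is not mapped to {vm_id}")
        return self._keys[key_id]


def initialize_host(vm_policies: Dict[str, Set[str]], ring_capacity: int = 64
                    ) -> Tuple[RingBufferPool, KeyManagementModule, Dict[str, List[str]]]:
    """Blocks 602-610 for a host creating one VM per entry in `vm_policies`.
    Returns the pool, the key module and the key ids minted per VM."""
    policy = HsmAccessPolicy()                      # host boot, block 602/604
    for vm_id, standards in vm_policies.items():
        policy.grant(vm_id, standards)
    kmm = KeyManagementModule(policy)               # block 604-b
    pool = RingBufferPool(len(vm_policies), ring_capacity)   # block 604-c
    key_ids: Dict[str, List[str]] = {}
    for vm_id, standards in vm_policies.items():    # blocks 606-610 per VM
        pool.assign(vm_id)
        key_ids[vm_id] = [kmm.generate_for_vm(vm_id, s) for s in sorted(standards)]
    return pool, kmm, key_ids
```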
FIGS. 7-8 illustrate logic flows 700 and 800 according to an embodiment. Logic flow 700 illustrates an egress or encryption scenario, and logic flow 800 illustrates an ingress or decryption scenario. Both scenarios may be performed using an offload scheduler as described herein. At block 702/802, a data request may be made for encryption (702) or decryption (802). The request may set forth one or more characteristics for the request, including the data to be accessed, the location of the data using a memory address, a cryptography standard to be used, whether compression is requested, or other information identifying the nature of the request.
At block 704/804, it may be determined whether the request involved compression or a geographically-specific encryption/decryption. While these examples are used for purposes of illustration, it can be appreciated that the encryption/decryption may not need to be geographically-specific, and the identification of a certain compression or cryptography standard, geography notwithstanding, may be determined. At block 706/806, it may be determined that a compression or geographically-specific encryption/decryption operation has been requested, and the request may be scheduled using an HSM, providing increased optimization and performance.
At block 708/808, it may be determined that a non-geographically-specific cryptography standard has been requested, such as an AES or AES-NI encryption/decryption operation. In this case, a CPU may already be optimized to perform such operations, and the use of an HSM may not be desired. However, in some cases, a CPU may be busy, and there may be a delay involved in assigning such operations to the CPU. Thus, at block 708/808, it may be determined whether a CPU has a workload over a predetermined threshold, which may be expressed in units of performance or time, and may be determined by making one or more requests for data from the CPU directly, from performance-determining modules, or from the underlying system. If the CPU is not too busy, the request may be scheduled with the CPU at 712/812. If the CPU is busy, a SOC may be scheduled with the request at 710/810. Likewise, it may be determined whether a delay associated with using the CPU for a task is above a threshold, and a dedicated SOC may be used for one or more tasks if that is the case. Further, one or more data tasks may be scheduled to the dedicated SOC when an estimated time for completion using the dedicated SOC is lower than an estimated time for completion using the CPU. The embodiments are not limited in this context.
FIG. 9 illustrates a logic flow 900 according to an embodiment. Logic flow 900 may be performed by an offload scheduler, as described herein. At block 902, an offload scheduling component may receive a data request for the compression or encryption of data. In some embodiments, the data request may also include decryption. The data request may include information concerning the data to be accessed, such as an address in virtual or physical memory, and other information with respect to a type of request. For example, data request 202 may indicate that the data is associated with a particular geography, encryption standard, or compression standard.
At block 904, an offload scheduling component may determine one or more characteristics of the received data request, such as whether the data request involves compression or a particular cryptography standard. The characteristic may be determined based upon information within the data request, and can be derived from information regarding where particular data is stored or where a request originated. For example, if a request is made from a VM originating in a geography associated with a particular encryption channel, such as China, the data request may be determined to be associated with a Chinese encryption standard. The embodiments are not limited in this context.
At block 906, an offload scheduling component may schedule one or more data tasks to one of a plurality of processing elements based upon the determined one or more characteristics. In general, an offload scheduler may perform a real-time performance evaluation and determine whether the data request is for compression/decompression, a geographic-specific cryptographic operation, or another type of operation, such as AES-based encryption. In addition, a real-time performance evaluation may determine the workload of one or more processing elements of a data processing engine. For example, if a processing element has a workload higher than a predetermined threshold (based upon time and/or efficiency), data tasks may be scheduled to another processing element that can perform the task faster and/or more efficiently.
An execution plan may be determined by offload scheduler in which a data task related to the data request is scheduled based upon the real-time performance evaluation. In the case of compression/decompression operations or geographic-specific cryptographic operations, the offload scheduler may schedule a corresponding data processing task to an HSM, for example. In the case of other operations, including AES-based encryption, an offload scheduler may schedule a corresponding data processing task to a CPU. In some situations when a CPU is experiencing a higher than normal workload, the offload scheduler may be configured to schedule other operations using a dedicated SOC, or delay operations until such a time when the CPU is available.
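The egress/ingress decision of blocks 704-712/804-812 and the scheduling flow of blocks 902-906, as an added Python example that is not code from the patent: the class names, the CN-to-SMS4 origin mapping, the busy threshold and the workload/throughput figures are assumptions constructed here. It carries the execution plan through all three branches (HSM for compression and geographically-specific standards, CPU when available, SOC only when its estimated completion time is lower than the busy CPU's).

```python
"""Offload scheduler decision logic modelled on the egress/ingress flows
(blocks 702-712 / 802-812) and the scheduling flow (blocks 902-906).
Added example, not the patent's code: class names, the CN -> SMS4 origin
mapping, the busy threshold and all workload/throughput figures are assumed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

class Op(Enum):
    ENCRYPT = "encrypt"      # egress scenario (logic flow 700)
    DECRYPT = "decrypt"      # ingress scenario (logic flow 800)
    COMPRESS = "compress"

# SMS4 and ZUC are the geographically-specific standards named on the page;
# AES is the CPU-native case (AES-NI). The origin mapping is an assumption.
GEO_SPECIFIC_STANDARDS = frozenset({"SMS4", "ZUC"})
CPU_NATIVE_STANDARDS = frozenset({"AES"})
ORIGIN_TO_STANDARD = {"CN": "SMS4"}

@dataclass(frozen=True)
class DataRequest:
    op: Op
    address: int                      # virtual or physical address of the data
    length: int                       # bytes to process
    standard: Optional[str] = None    # cryptography standard, None if unstated
    compression: bool = False         # compression requested with the crypto op
    origin_geo: Optional[str] = None  # geography of the requesting VM

@dataclass
class ProcessingElement:
    name: str
    workload: float        # 0.0 idle .. 1.0 saturated (constructed metric)
    throughput_bps: float  # bytes per second (constructed figure)

    def estimated_completion(self, length: int) -> float:
        """Seconds to finish `length` bytes; queueing delay grows with load."""
        return (length / self.throughput_bps) / (1.0 - min(self.workload, 0.99))

@dataclass(frozen=True)
class ExecutionPlan:
    target: str        # processing element chosen for the data task
    reason: str        # branch of the logic flow that selected it
    estimate_s: float  # estimated completion time on that element

class OffloadScheduler:
    def __init__(self, cpu: ProcessingElement, hsm: ProcessingElement,
                 soc: ProcessingElement, busy_threshold: float = 0.8):
        self.cpu, self.hsm, self.soc = cpu, hsm, soc
        self.busy_threshold = busy_threshold

    def characterize(self, req: DataRequest) -> str:
        """Block 904: classify the request from its fields or its origin."""
        if req.op is Op.COMPRESS or req.compression:
            return "compression"
        standard = req.standard or ORIGIN_TO_STANDARD.get(req.origin_geo or "")
        if standard in GEO_SPECIFIC_STANDARDS:
            return "geo-specific"
        if standard in CPU_NATIVE_STANDARDS:
            return "cpu-native"
        raise ValueError(f"cannot characterize request: {req}")

    def schedule(self, req: DataRequest) -> ExecutionPlan:
        """Block 906: choose an element from the request characteristics and
        a real-time performance evaluation of the candidate elements."""
        kind = self.characterize(req)
        if kind != "cpu-native":
            # Blocks 706/806: the HSM's processors are optimised for these.
            return ExecutionPlan(self.hsm.name, kind,
                                 self.hsm.estimated_completion(req.length))
        # Blocks 708/808: CPU-native standard; is the CPU over its threshold?
        cpu_est = self.cpu.estimated_completion(req.length)
        if self.cpu.workload <= self.busy_threshold:
            return ExecutionPlan(self.cpu.name, "cpu-available", cpu_est)
        # Blocks 710/810: CPU busy. Take the dedicated SOC when its estimated
        # completion is lower, otherwise defer the task on the CPU.
        soc_est = self.soc.estimated_completion(req.length)
        if soc_est < cpu_est:
            return ExecutionPlan(self.soc.name, "cpu-busy-soc-faster", soc_est)
        return ExecutionPlan(self.cpu.name, "cpu-busy-deferred", cpu_est)

def demo_plans() -> Dict[str, str]:
    """Constructed requests against constructed elements; returns the targets."""
    cpu = ProcessingElement("cpu", workload=0.30, throughput_bps=2e9)
    hsm = ProcessingElement("hsm", workload=0.10, throughput_bps=1e9)
    soc = ProcessingElement("soc", workload=0.20, throughput_bps=5e8)
    sched = OffloadScheduler(cpu, hsm, soc)
    mib = 1 << 20
    aes = DataRequest(Op.ENCRYPT, 0x1000, mib, standard="AES")
    plans = {
        "aes_cpu_idle": sched.schedule(aes).target,
        "sms4": sched.schedule(DataRequest(Op.DECRYPT, 0x2000, mib, "SMS4")).target,
        "cn_origin": sched.schedule(DataRequest(Op.ENCRYPT, 0x3000, mib, origin_geo="CN")).target,
        "compress": sched.schedule(DataRequest(Op.COMPRESS, 0x4000, mib)).target,
    }
    cpu.workload = 0.95   # CPU saturated: the SOC estimate is lower
    plans["aes_cpu_busy"] = sched.schedule(aes).target
    soc.workload = 0.90   # both saturated: the CPU estimate is still lower
    plans["aes_both_busy"] = sched.schedule(aes).target
    return plans
```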
FIG. 10 illustrates an embodiment of a storage medium 1000. The storage medium 1000 may comprise an article of manufacture. In some examples, the storage medium 1000 may include any non-transitory computer readable medium or machine readable medium, such as an optical, magnetic or semiconductor storage. The storage medium 1000 may store various types of computer executable instructions (e.g., 1002). For example, the storage medium 1000 may store various types of computer executable instructions to implement logic flows 600/700/800/900 using one or more processors and components described herein.
Examples of a computer readable or machine readable storage medium may include any tangible media capable of storing electronic data, including volatile memory or non-volatile memory, removable or non-removable memory, erasable or non-erasable memory, writeable or re-writeable memory, and so forth. Examples of computer executable instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, object-oriented code, visual code, and the like. The examples are not limited in this context.
FIG. 11 illustrates an embodiment of an exemplary processing architecture 1100 suitable for implementing various embodiments as previously described. More specifically, the processing architecture 1100 (or variants thereof) may be implemented as part of the systems and/or the devices described herein with respect to FIGS. 1-5.
The processing architecture 1100 includes various elements commonly employed in digital processing, including without limitation, one or more processors, multi-core processors, co-processors, memory units, chipsets, controllers, peripherals, interfaces, oscillators, timing devices, video cards, audio cards, multimedia input/output (I/O) components, power supplies, etc. As used in this application, the terms “system” and “component” are intended to refer to an entity of a computing device in which digital processing is carried out, that entity being hardware, a combination of hardware and software, software, or software in execution, examples of which are provided by this depicted exemplary processing architecture. For example, a component can be, but is not limited to being, a process running on a processor element, the processor element itself, a storage device (e.g., a hard disk drive, multiple storage drives in an array, etc.) that may employ an optical and/or magnetic storage medium, a software object, an executable sequence of instructions, a thread of execution, a program, and/or an entire computing device (e.g., an entire computer). By way of illustration, both an application running on a server and the server can be a component. One or more components can reside within a process and/or thread of execution, and a component can be localized on one computing device and/or distributed between two or more computing devices. Further, components may be communicatively coupled to each other by various types of communications media to coordinate operations. The coordination may involve the uni-directional or bi-directional exchange of information. For instance, the components may communicate information in the form of signals communicated over the communications media. The information can be implemented as signals allocated to one or more signal lines. Each message may be a signal or a plurality of signals transmitted either serially or substantially in parallel.
As depicted, in implementing the processing architecture 1100, a computing device incorporates at least a processor element 1110, a storage 1130, an interface 1190 to other devices, and coupling 1115. Depending on various aspects of a computing device implementing the processing architecture 1100, including its intended use and/or conditions of use, such a computing device may further incorporate additional components, such as without limitation, a counter element 1115.
The coupling 1115 incorporates one or more buses, point-to-point interconnects, transceivers, buffers, crosspoint switches, and/or other conductors and/or logic that communicatively couples at least the processor element 1110 to the storage 1130. The coupling 1115 may further couple the processor element 1110 to one or more of the interface 1190 and the display interface 1155 (depending on which of these and/or other components are also present). With the processor element 1110 being so coupled by couplings 1115, the processor element 1110 is able to perform the various ones of the tasks described at length above, for the processing architecture 1100. The coupling 1115 may be implemented with any of a variety of technologies or combinations of technologies by which signals are optically and/or electrically conveyed. Further, at least portions of couplings 1115 may employ timings and/or protocols conforming to any of a wide variety of industry standards, including without limitation, Accelerated Graphics Port (AGP), CardBus, Extended Industry Standard Architecture (E-ISA), Micro Channel Architecture (MCA), NuBus, Peripheral Component Interconnect (Extended) (PCI-X), PCI Express (PCI-E), Personal Computer Memory Card International Association (PCMCIA) bus, HyperTransport™, QuickPath, and the like.
As previously discussed, the processor element 1110 may include any of a wide variety of commercially available processors, employing any of a wide variety of technologies and implemented with one or more cores physically combined in any of a number of ways.
As previously discussed, the storage 1130 may include one or more distinct storage devices based on any of a wide variety of technologies or combinations of technologies. More specifically, as depicted, the storage 1130 may include one or more of a volatile storage 1131 (e.g., solid state storage based on one or more forms of RAM technology), a non-volatile storage 1132 (e.g., solid state, ferromagnetic or other storage not requiring a constant provision of electric power to preserve their contents), and a removable media storage 1133 (e.g., removable disc or solid state memory card storage by which information may be conveyed between computing devices). This depiction of the storage 1130 as possibly comprising multiple distinct types of storage is in recognition of the commonplace use of more than one type of storage device in computing devices in which one type provides relatively rapid reading and writing capabilities enabling more rapid manipulation of data by the processor element 1110 (but possibly using a "volatile" technology constantly requiring electric power) while another type provides relatively high density of non-volatile storage (but likely provides relatively slow reading and writing capabilities).
Given the often different characteristics of different storage devices employing different technologies, it is also commonplace for such different storage devices to be coupled to other portions of a computing device through different storage controllers coupled to their differing storage devices through different interfaces. By way of example, where the volatile storage 1131 is present and is based on RAM technology, the volatile storage 1131 may be communicatively coupled to coupling 1115 through a storage controller 1135a providing an appropriate interface to the volatile storage 1131 that perhaps employs row and column addressing, and where the storage controller 1135a may perform row refreshing and/or other maintenance tasks to aid in preserving information stored within the volatile storage 1131. By way of another example, where the non-volatile storage 1132 is present and includes one or more ferromagnetic and/or solid-state disk drives, the non-volatile storage 1132 may be communicatively coupled to coupling 1115 through a storage controller 1135b providing an appropriate interface to the non-volatile storage 1132 that perhaps employs addressing of blocks of information and/or of cylinders and sectors. By way of still another example, where the removable media storage 1133 is present and includes one or more optical and/or solid-state disk drives employing one or more pieces of removable machine-readable storage media 1139, the removable media storage 1133 may be communicatively coupled to coupling 1115 through a storage controller 1135c providing an appropriate interface to the removable media storage 1133 that perhaps employs addressing of blocks of information, and where the storage controller 1135c may coordinate read, erase and write operations in a manner specific to extending the lifespan of the machine-readable storage media 1139.
One or the other of the volatile storage 1131 or the non-volatile storage 1132 may include an article of manufacture in the form of a machine-readable storage media on which a routine comprising a sequence of instructions executable by the processor element 1110 may be stored, depending on the technologies on which each is based. By way of example, where the non-volatile storage 1132 includes ferromagnetic-based disk drives (e.g., so-called "hard drives"), each such disk drive typically employs one or more rotating platters on which a coating of magnetically responsive particles is deposited and magnetically oriented in various patterns to store information, such as a sequence of instructions, in a manner akin to removable storage media such as a floppy diskette. By way of another example, the non-volatile storage 1132 may be made up of banks of solid-state storage devices to store information, such as sequences of instructions, in a manner akin to a compact flash card.
Again, it is commonplace to employ differing types of storage devices in a computing device at different times to store executable routines and/or data. Thus, a routine comprising a sequence of instructions to be executed by the processor element 1110 may initially be stored on the machine-readable storage media 1139, and the removable media storage 1133 may be subsequently employed in copying that routine to the non-volatile storage 1132 for longer term storage not requiring the continuing presence of the machine-readable storage media 1139 and/or the volatile storage 1131 to enable more rapid access by the processor element 1110 as that routine is executed.
As previously discussed, the interface 1190 may employ any of a variety of signaling technologies corresponding to any of a variety of communications technologies that may be employed to communicatively couple a computing device to one or more other devices. Again, one or both of various forms of wired or wireless signaling may be employed to enable the processor element 1110 to interact with input/output devices (e.g., the depicted example keyboard 1140 or printer 1145) and/or other computing devices, possibly through a network (e.g., the network 1199) or an interconnected set of networks. In recognition of the often greatly different character of multiple types of signaling and/or protocols that must often be supported by any one computing device, the interface 1190 is depicted as comprising multiple different interface controllers 1195a, 1195b and 1195c. The interface controller 1195a may employ any of a variety of types of wired digital serial interface or radio frequency wireless interface to receive serially transmitted messages from user input devices, such as the depicted keyboard 1140. The interface controller 1195b may employ any of a variety of cabling-based or wireless signaling, timings and/or protocols to access other computing devices through the depicted network 1199 (perhaps a network comprising one or more links, smaller networks, or perhaps the Internet). The interface 1195c may employ any of a variety of electrically conductive cabling enabling the use of either serial or parallel signal transmission to convey data to the depicted printer 1145.
Other examples of devices that may be communicatively coupled through one or more interface controllers of the interface 1190 include, without limitation, microphones, remote controls, stylus pens, card readers, finger print readers, virtual reality interaction gloves, graphical input tablets, joysticks, other keyboards, retina scanners, the touch input component of touch screens, trackballs, various sensors, laser printers, inkjet printers, mechanical robots, milling machines, etc.
Where a computing device is communicatively coupled to (or perhaps, actually incorporates) a display (e.g., the depicted example display 1150), such a computing device implementing the processing architecture 1100 may also incorporate the display interface 1155. Although more generalized types of interface may be employed in communicatively coupling to a display, the somewhat specialized additional processing often required in visually displaying various forms of content on a display, as well as the somewhat specialized nature of the cabling-based interfaces used, often makes the provision of a distinct display interface desirable. Wired and/or wireless signaling technologies that may be employed by the display interface 1155 in a communicative coupling of the display 1150 may make use of signaling and/or protocols that conform to any of a variety of industry standards, including without limitation, any of a variety of analog video interfaces, Digital Video Interface (DVI), DisplayPort, etc.
FIG. 12 illustrates one embodiment of a system 1200. In various embodiments, system 1200 may be representative of a system or architecture suitable for use with one or more embodiments described herein.
As shown in FIG. 12, system 1200 may include multiple elements. One or more elements may be implemented using one or more circuits, components, registers, processors, software subroutines, modules, or any combination thereof, as desired for a given set of design or performance constraints. Although FIG. 12 shows a limited number of elements in a certain topology by way of example, it can be appreciated that more or less elements in any suitable topology may be used in system 1200 as desired for a given implementation. The embodiments are not limited in this context.
In various embodiments, system 1200 may include a computing device 1205 which may be any type of computer or processing device including a personal computer, desktop computer, tablet computer, netbook computer, notebook computer, laptop computer, server, server farm, blade server, or any other type of server, and so forth.
Examples of a computing device also may include computers that are arranged to be worn by a person, such as a wrist computer, finger computer, ring computer, eyeglass computer, belt-clip computer, arm-band computer, shoe computers, clothing computers, and other wearable computers. In embodiments, for example, a mobile computing device may be implemented as a smart phone capable of executing computer applications, as well as voice communications and/or data communications. Although some embodiments may be described with a mobile computing device implemented as a smart phone by way of example, it may be appreciated that other embodiments may be implemented using other wireless mobile computing devices as well. The embodiments are not limited in this context.
In various embodiments, computing device 1205 may include processor circuit 1202. Processor circuit 1202 may be implemented using any processor or logic device. The processing circuit 1202 may be one or more of any type of computational element, such as but not limited to, a microprocessor, a processor, central processing unit, digital signal processing unit, dual core processor, mobile device processor, desktop processor, single core processor, a system-on-chip (SoC) device, complex instruction set computing (CISC) microprocessor, a reduced instruction set (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, or any other type of processor or processing circuit on a single chip or integrated circuit. The processing circuit 1202 may be connected to and communicate with the other elements of the computing system via an interconnect 1253, such as one or more buses, control lines, and data lines.
In one embodiment, computing device 1205 may include a memory unit 1204 to couple to processor circuit 1202. Memory unit 1204 may be coupled to processor circuit 1202 via communications bus 1253, or by a dedicated communications bus between processor circuit 1202 and memory unit 1204, as desired for a given implementation. Memory unit 1204 may be implemented using any machine-readable or computer-readable media capable of storing data, including both volatile and non-volatile memory. In some embodiments, the machine-readable or computer-readable medium may include a non-transitory medium. The embodiments are not limited in this context.
In some embodiments, computing device 1205 may include a display controller 1208. Display controller 1208 may be any type of processor, controller, circuit, logic, and so forth for processing graphics information and displaying the graphics information. The display controller 1208 may receive or retrieve graphics information from one or more buffers. After processing the information, the display controller 1208 may send the graphics information to a display, which may be coupled to computing device 1205 wired, such as display 1245, or wirelessly using a transceiver, described below.
In various embodiments, system 1200 may include a transceiver 1244. Transceiver 1244 may include one or more radios capable of transmitting and receiving signals using various suitable wireless communications techniques. Such techniques may involve communications across one or more wireless networks. Exemplary wireless networks include (but are not limited to) wireless local area networks (WLANs), wireless personal area networks (WPANs), wireless metropolitan area networks (WMANs), cellular networks, and satellite networks. In communicating across such networks, transceiver 1244 may operate in accordance with one or more applicable standards in any version. The embodiments are not limited in this context.
In various embodiments, computing device 1205 may include a display 1245. Display 1245 may constitute any display device capable of displaying information received from processor circuit 1202, graphics processing unit 1206 and display controller 1208.
In various embodiments, computing device 1205 may include storage 1246. Storage 1246 may be implemented as a non-volatile storage device such as, but not limited to, a magnetic disk drive, optical disk drive, tape drive, an internal storage device, an attached storage device, flash memory, battery backed-up SDRAM (synchronous DRAM), and/or a network accessible storage device. In embodiments, storage 1246 may include technology to increase storage performance and enhance protection of valuable digital media when multiple hard drives are included, for example. Further examples of storage 1246 may include a hard disk, floppy disk, Compact Disk Read Only Memory (CD-ROM), Compact Disk Recordable (CD-R), Compact Disk Rewritable (CD-RW), optical disk, magnetic media, magneto-optical media, removable memory cards or disks, various types of DVD devices, a tape device, a cassette device, or the like. The embodiments are not limited in this context.
In various embodiments, computing device 1205 may include one or more I/O adapters 1247. Examples of I/O adapters 1247 may include Universal Serial Bus (USB) ports/adapters, IEEE 1394 Firewire ports/adapters, and so forth. The embodiments are not limited in this context.
More generally, the various elements of the devices described herein may include various hardware elements, software elements, or a combination of both. Examples of hardware elements may include devices, logic devices, components, processors, microprocessors, circuits, processor elements, circuit elements (e.g., transistors, resistors, capacitors, inductors, and so forth), integrated circuits, application specific integrated circuits (ASIC), programmable logic devices (PLD), digital signal processors (DSP), field programmable gate arrays (FPGA), memory units, logic gates, registers, semiconductor devices, chips, microchips, chip sets, and so forth. Examples of software elements may include software components, programs, applications, computer programs, application programs, system programs, software development programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, application program interfaces (API), instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. However, determining whether an embodiment is implemented using hardware elements and/or software elements may vary in accordance with any number of factors, such as desired computational rate, power levels, heat tolerances, processing cycle budget, input data rates, output data rates, memory resources, data bus speeds and other design or performance constraints, as desired for a given implementation.
Some embodiments may be described using the expression "one embodiment" or "an embodiment" along with their derivatives. These terms mean that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment. Further, some embodiments may be described using the expressions "coupled" and "connected" along with their derivatives. These terms are not necessarily intended as synonyms for each other. For example, some embodiments may be described using the terms "connected" and/or "coupled" to indicate that two or more elements are in direct physical or electrical contact with each other. The term "coupled," however, may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.
It is emphasized that the Abstract of the Disclosure is provided to allow a reader to quickly ascertain the nature of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. In addition, in the foregoing Detailed Description, it can be seen that various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment. In the appended claims, the terms "including" and "in which" are used as the plain-English equivalents of the respective terms "comprising" and "wherein," respectively. Moreover, the terms "first," "second," "third," and so forth, are used merely as labels, and are not intended to impose numerical requirements on their objects.
What has been described above includes examples of the disclosed architecture. It is, of course, not possible to describe every conceivable combination of components and/or methodologies, but one of ordinary skill in the art may recognize that many further combinations and permutations are possible. Accordingly, the novel architecture is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims. The disclosure now turns to providing various example implementations.
Example 1. An apparatus, comprising logic, a portion of which is implemented in hardware, the logic to comprise: an offload scheduling component to: receive a data request to include an indication to compress, decompress, encrypt, or decrypt data; determine one or more characteristics of the received data request; and schedule one or more data tasks to one of a plurality of processing elements based upon the determined one or more characteristics.
Example 2. The apparatus of example 1, the plurality of processing elements are components of a data process engine, the data process engine comprising one or more of a hardware security module, CPU, or SOC.
Example 3. The apparatus of example 1, the one or more characteristics include whether the data request is for compression, decompression, or a geographically-specific cryptography operation.
Example 4. The apparatus of example 3, the offload scheduling component to schedule compression, decompression, or geographically-specific cryptography operations to a hardware security module.
Example 5. The apparatus of example 2, the one or more characteristics include whether the data request is for AES or AES-NI operations.
Example 6. The apparatus of example 5, the offload scheduling component to: determine whether a workload of the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the workload of the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the workload of the CPU is not at or above the threshold.
Example 7. The apparatus of example 5, the offload scheduling component to: determine whether a delay associated with the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the delay associated with the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the delay associated with the CPU is not at or above the threshold.
Example 8. The apparatus of example 5, the offload scheduling component to schedule the one or more data tasks to the SOC based upon a determination that an estimated time for completion using the SOC is lower than an estimated time for completion using the CPU.
Example 9. The apparatus of example 1, the offload scheduling component to receive the data request from one or more virtual machines.
Example 10. The apparatus of example 1, the offload scheduling component to operate on a virtual machine monitor.
Example 11. The apparatus of example 1, the offload scheduling component to store and receive data from a ring buffer pool.
Example 12. The apparatus of example 11, the ring buffer pool comprising one or more ring buffer pairs, each ring buffer pair corresponding to one of a plurality of virtual machines.
Example 13. The apparatus of example 1, the plurality of processing elements to access a key manager to perform cryptographic operations associated with the one or more data tasks.
Example 14. The apparatus of example 13, the key manager includes a dedicated random number generator.
Example 15. The apparatus of example 13, the key manager includes a key database stored within a secure enclave.
Example 16. The apparatus of example 13, the key manager includes an access control component to determine whether access to a requested key complies with one or more access policies.
Example 17. At least one machine-readable storage medium comprising instructions that when executed by a processor, cause the processor to: receive, by an offload scheduling component, a data request to include an indication to compress, decompress, encrypt, or decrypt data; determine, by the offload scheduling component, one or more characteristics of the received data request; and schedule, by the offload scheduling component, one or more data tasks to one of a plurality of processing elements based upon the determined one or more characteristics.
Example 18. The at least one machine-readable storage medium of example 17, the plurality of processing elements are components of a data process engine, the data process engine comprising one or more of a hardware security module, CPU, or SOC.
Example 19. The at least one machine-readable storage medium of example 17, the one or more characteristics include whether the data request is for compression, decompression, or a geographically-specific cryptography operation.
Example 20. The at least one machine-readable storage medium of example 19, the offload scheduling component to schedule compression, decompression, or geographically-specific cryptography operations to a hardware security module.
Example 21. The at least one machine-readable storage medium of example 18, the one or more characteristics include whether the data request is for AES or AES-NI operations.
Example 22. The at least one machine-readable storage medium of example 20, the offload scheduling component to: determine whether a workload of the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the workload of the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the workload of the CPU is not at or above the threshold.
Example 23. The at least one machine-readable storage medium of example 20, the offload scheduling component to: determine whether a delay associated with the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the delay associated with the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the delay associated with the CPU is not at or above the threshold.
Example 24. The at least one machine-readable storage medium of example 20, the offload scheduling component to schedule the one or more data tasks to the SOC based on a determination that an estimated time for completion using the SOC is lower than an estimated time for completion using the CPU.
Example 25. The at least one machine-readable storage medium of example, the offload scheduling component to receive a data request from one or more virtual machines.
Example 26. The at least one machine-readable storage medium of example 17, the offload scheduling component to operate on a virtual machine monitor.
Example 27. The at least one machine-readable storage medium of example, the offload scheduling component to store and receive data from a ring buffer pool.
Example 28. The at least one machine-readable storage medium of example 27, the ring buffer pool includes one or more ring buffer pairs, each ring buffer pair corresponding to one of a plurality of virtual machines.
Example 29. The at least one machine-readable storage medium of example 17, the plurality of processing elements access a key manager to perform cryptographic operations associated with the one or more data tasks.
Example 30. The at least one machine-readable storage medium of example 29, the key manager includes a dedicated random number generator.
Example 31. The at least one machine-readable storage medium of example 29, the key manager includes a key database stored within a secure enclave.
Example 32. The at least one machine-readable storage medium of example 29, the key manager includes an access control component to determine whether access to a requested key complies with one or more access policies.
Example 33. A computer-implemented method, comprising: receiving, by an offload scheduling component, a data request to include an indication to compress, decompress, encrypt, or decrypt data; determining, by the offload scheduling component, one or more characteristics of the received data request; and scheduling, by the offload scheduling component, one or more data tasks to one of a plurality of processing elements based upon the determined one or more characteristics.
Example 34. The computer-implemented method of example 33, the plurality of processing elements are components of a data process engine to include one or more of a hardware security module, CPU, and SOC.
Example 35. The computer-implemented method of example 33, the one or more characteristics include whether the data request is for compression, decompression, or a geographically-specific cryptography operation.
Example 36. The computer-implemented method of example 35, the offload scheduling component to schedule compression, decompression, and geographically-specific cryptography operations to a hardware security module.
Example 37. The computer-implemented method of example 34, the one or more characteristics include whether the data request is for AES or AES-NI operations.
Example 38. The computer-implemented method of example 36, the offload scheduling component to: determine whether a workload of the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the workload of the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the workload of the CPU is not at or above the threshold.
Example 39. The computer-implemented method of example 36, the offload scheduling component to: determine whether a delay associated with the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the delay associated with the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the delay associated with the CPU is not at or above the threshold.
Example 40. The computer-implemented method of example 36, the offload scheduling component to schedule the one or more data tasks to the SOC based on a determination that an estimated time for completion using the SOC is lower than an estimated time for completion using the CPU.
Example 41. The computer-implemented method of example, the offload scheduling component receives a data request from one or more virtual machines.
Example 42. The computer-implemented method of example 33, the offload scheduling component operating on a virtual machine monitor.
Example 43. The computer-implemented method of example 33, the offload scheduling component to store and receive data from a ring buffer pool.
Example 44. The computer-implemented method of example 43, the ring buffer pool includes one or more ring buffer pairs, each ring buffer pair corresponding to one of a plurality of virtual machines.
Example 45. The computer-implemented method of example 33, the plurality of processing elements to access a key manager to perform cryptographic operations associated with the one or more data tasks.
Example 46. The computer-implemented method of example 45, the key manager includes a dedicated random number generator.
Example 47. The computer-implemented method of example 45, the key manager includes a key database stored within a secure enclave.
Example 48. The computer-implemented method of example 45, the key manager includes an access control component to determine whether access to a requested key complies with one or more access policies.
Example 49. An apparatus for a device, the apparatus comprising means for performing the method of any one of examples 33-48.
Example 50. An apparatus comprising: means for receiving, by an offload scheduling component, a data request to include an indication to compress, decompress, encrypt, or decrypt data; means for determining, by the offload scheduling component, one or more characteristics of the received data request; and means for scheduling, by the offload scheduling component, one or more data tasks to one of a plurality of processing elements based upon the determined one or more characteristics.
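The scheduling policy that Examples 1 through 16 state in claim language reads more easily as code. The Python below is an added illustration written for this page, not code from the patent or its assignee. The class and field names, the 0.8 utilization and 5 ms delay thresholds, the throughput and setup-cost figures behind the completion-time estimate, and the routing of non-AES requests to the CPU are all assumptions; the in-memory dictionary and the deques stand in for the enclave-resident key database and the shared-memory ring buffer pairs the examples name, and Python's `secrets` module stands in for the dedicated random number generator.

```python
"""Added illustration of the offload scheduling policy in Examples 1-16.
Names, thresholds and throughput figures are assumptions, not page content."""
from collections import deque
from dataclasses import dataclass
from enum import Enum
import secrets


class Element(Enum):
    HSM = "hsm"
    CPU = "cpu"
    SOC = "soc"


class Op(Enum):
    COMPRESS = "compress"
    DECOMPRESS = "decompress"
    ENCRYPT = "encrypt"
    DECRYPT = "decrypt"


@dataclass(frozen=True)
class DataRequest:
    vm_id: str
    op: Op
    size_bytes: int
    algorithm: str = ""            # e.g. "AES" or "AES-NI" (Example 5)
    region_specific: bool = False  # geographically-specific cipher (Example 3)


@dataclass
class CpuState:
    """Load snapshot the scheduler samples before each decision (assumed source)."""
    utilization: float             # 0.0 .. 1.0
    queue_delay_ms: float
    cpu_bps: float = 2.0e9         # assumed CPU AES-NI throughput
    soc_bps: float = 8.0e9         # assumed SoC crypto engine throughput
    soc_setup_ms: float = 1.0      # assumed fixed DMA/descriptor setup cost


class OffloadScheduler:
    """Examples 1-12: runs in the VMM, owns one ring buffer pair per VM,
    and picks a processing element for each data request."""

    def __init__(self, load_threshold=0.8, delay_threshold_ms=5.0):
        self.load_threshold = load_threshold
        self.delay_threshold_ms = delay_threshold_ms
        self.rings = {}            # vm_id -> (request ring, response ring)

    def ring_pair(self, vm_id, depth=256):
        """Example 12: one (request, response) ring pair per VM; deques stand
        in for the shared-memory rings a real VMM would map into the guest."""
        if vm_id not in self.rings:
            self.rings[vm_id] = (deque(maxlen=depth), deque(maxlen=depth))
        return self.rings[vm_id]

    def estimate_ms(self, req, cpu, element):
        """Example 8: completion-time estimate used to compare CPU and SoC."""
        bits = req.size_bytes * 8
        if element is Element.CPU:
            return bits / cpu.cpu_bps * 1000 + cpu.queue_delay_ms
        return bits / cpu.soc_bps * 1000 + cpu.soc_setup_ms

    def schedule(self, req, cpu):
        # Examples 3-4: (de)compression and region-specific ciphers go to the HSM.
        if req.op in (Op.COMPRESS, Op.DECOMPRESS) or req.region_specific:
            return Element.HSM
        # Example 5: only AES / AES-NI work is balanced between CPU and SoC.
        if req.algorithm.upper() not in ("AES", "AES-NI"):
            return Element.CPU     # not specified by the page; assumed default
        if cpu.utilization >= self.load_threshold:          # Example 6
            return Element.SOC
        if cpu.queue_delay_ms >= self.delay_threshold_ms:   # Example 7
            return Element.SOC
        if self.estimate_ms(req, cpu, Element.SOC) < self.estimate_ms(req, cpu, Element.CPU):
            return Element.SOC                              # Example 8
        return Element.CPU

    def submit(self, req, cpu):
        """Example 11: place the decision on the requesting VM's request ring."""
        target = self.schedule(req, cpu)
        self.ring_pair(req.vm_id)[0].append((req, target))
        return target


class KeyManager:
    """Examples 13-16: the dict stands in for the enclave-resident key database;
    keys come from a CSPRNG and are released only if policy allows (vm, op)."""

    def __init__(self):
        self._keys = {}
        self._policy = {}          # key_id -> {(vm_id, Op), ...}

    def generate(self, key_id, allowed, nbytes=32):
        self._keys[key_id] = secrets.token_bytes(nbytes)   # Example 14
        self._policy[key_id] = set(allowed)

    def access_allowed(self, vm_id, key_id, op):
        return (vm_id, op) in self._policy.get(key_id, set())

    def fetch(self, vm_id, key_id, op):
        if not self.access_allowed(vm_id, key_id, op):     # Example 16
            raise PermissionError(f"{vm_id} may not {op.value} with {key_id}")
        return self._keys[key_id]


if __name__ == "__main__":
    # Constructed sample requests, not taken from the page.
    sched = OffloadScheduler()
    idle = CpuState(utilization=0.2, queue_delay_ms=0.5)
    busy = CpuState(utilization=0.9, queue_delay_ms=0.5)
    for req, cpu in [
        (DataRequest("vm-1", Op.COMPRESS, 4096), idle),
        (DataRequest("vm-1", Op.ENCRYPT, 4096, algorithm="AES-NI"), idle),
        (DataRequest("vm-1", Op.ENCRYPT, 64 << 20, algorithm="AES-NI"), idle),
        (DataRequest("vm-1", Op.ENCRYPT, 4096, algorithm="AES-NI"), busy),
    ]:
        print(req.op.value, req.size_bytes, "->", sched.submit(req, cpu).value)
```

With the assumed figures, a 4 KiB AES request on an idle CPU stays on the CPU because the SoC's fixed setup cost dominates, while a 64 MiB request goes to the SoC on the completion-time estimate alone; either size goes to the SoC once CPU utilization or queue delay crosses its threshold. The key manager's `fetch` refuses any (VM, operation) pair not listed in the key's policy, which is the access-control check of Example 16.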
Claims (25)
- An apparatus, comprising: logic, a portion of which is implemented in hardware, the logic to comprise an offload scheduling component to: receive a data request to include an indication to compress, decompress, encrypt, or decrypt data; determine one or more characteristics of the received data request; and schedule one or more data tasks to one of a plurality of processing elements based upon the determined one or more characteristics.
- The apparatus of claim 1, the plurality of processing elements are components of a data process engine, the data process engine comprising one or more of a hardware security module, CPU, or SOC.
- The apparatus of claim 1, the one or more characteristics include whether the data request is for compression, decompression, or a geographically-specific cryptography operation.
- The apparatus of claim 3, the offload scheduling component to schedule compression, decompression, or geographically-specific cryptography operations to a hardware security module.
- The apparatus of claim 2, the one or more characteristics include whether the data request is for AES or AES-NI operations.
- The apparatus of claim 5, the offload scheduling component to: determine whether a workload of the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the workload of the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the workload of the CPU is not at or above the threshold.
- The apparatus of claim 5, the offload scheduling component to: determine whether a delay associated with the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the delay associated with the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the delay associated with the CPU is not at or above the threshold.
- The apparatus of claim 5, the offload scheduling component to schedule the one or more data tasks to the SOC based upon a determination that an estimated time for completion using the SOC is lower than an estimated time for completion using the CPU.
- The apparatus of claim 1, the offload scheduling component to receive the data request from one or more virtual machines.
- The apparatus of claim 1, the offload scheduling component to operate on a virtual machine monitor.
- At least one machine-readable storage medium comprising instructions that when executed by a processor, cause the processor to: receive, by an offload scheduling component, a data request to include an indication to compress, decompress, encrypt, or decrypt data; determine, by the offload scheduling component, one or more characteristics of the received data request; and schedule, by the offload scheduling component, one or more data tasks to one of a plurality of processing elements based upon the determined one or more characteristics.
- The at least one machine-readable storage medium of claim 11, the plurality of processing elements are components of a data process engine, the data process engine comprising one or more of a hardware security module, CPU, or SOC.
- The at least one machine-readable storage medium of claim 11, the one or more characteristics include whether the data request is for compression, decompression, or a geographically-specific cryptography operation.
- The at least one machine-readable storage medium of claim 13, the offload scheduling component to schedule compression, decompression, or geographically-specific cryptography operations to a hardware security module.
- The at least one machine-readable storage medium of claim 12, the one or more characteristics include whether the data request is for AES or AES-NI operations.
- The at least one machine-readable storage medium of claim 15, the offload scheduling component to: determine whether a workload of the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the workload of the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the workload of the CPU is not at or above the threshold.
- The at least one machine-readable storage medium of claim 15, the offload scheduling component to: determine whether a delay associated with the CPU is at or above a threshold; and schedule the one or more data tasks to the SOC based on a determination that the delay associated with the CPU is at or above the threshold; or schedule the one or more data tasks to the CPU based on a determination that the delay associated with the CPU is not at or above the threshold.
- The at least one machine-readable storage medium of claim 15, the offload scheduling component to schedule the one or more data tasks to the SOC based on a determination that an estimated time for completion using the SOC is lower than an estimated time for completion using the CPU.
- The at least one machine-readable storage medium of claim 1, the offload scheduling component to receive a data request from one or more virtual machines.
- The at least one machine-readable storage medium of claim 1, the offload scheduling component to operate on a virtual machine monitor.
- A computer-implemented method, comprising: receiving, by an offload scheduling component, a data request to include an indication to compress, decompress, encrypt, or decrypt data; determining, by the offload scheduling component, one or more characteristics of the received data request; and scheduling, by the offload scheduling component, one or more data tasks to one of a plurality of processing elements based upon the determined one or more characteristics.
- The computer-implemented method of claim 21, the plurality of processing elements are components of a data process engine to include one or more of a hardware security module, CPU, and SOC.
- The computer-implemented method of claim 22, the one or more characteristics include whether the data request is for compression, decompression, or a geographically-specific cryptography operation.
- The computer-implemented method of claim 23, the offload scheduling component to schedule compression, decompression, or geographically-specific cryptography operations to a hardware security module.
- The computer-implemented method of claim 22, the one or more characteristics include whether the data request is for AES or AES-NI operations.
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201680082961.9A CN108713190B (en) | 2016-03-31 | 2016-03-31 | Techniques for accelerating secure storage capacity |
| PCT/CN2016/078136 WO2017166206A1 (en) | 2016-03-31 | 2016-03-31 | Techniques for accelerated secure storage capabilities |
| DE112016006318.0T DE112016006318T5 (en) | 2016-03-31 | 2016-03-31 | Method for accelerated secure data storage capabilities |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2016/078136 WO2017166206A1 (en) | 2016-03-31 | 2016-03-31 | Techniques for accelerated secure storage capabilities |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2017166206A1 true WO2017166206A1 (en) | 2017-10-05 |
Family
ID=59962446
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2016/078136 Ceased WO2017166206A1 (en) | 2016-03-31 | 2016-03-31 | Techniques for accelerated secure storage capabilities |
Country Status (3)
| Country | Link |
|---|---|
| CN (1) | CN108713190B (en) |
| DE (1) | DE112016006318T5 (en) |
| WO (1) | WO2017166206A1 (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3803588A1 (en) * | 2018-05-24 | 2021-04-14 | Xilinx, Inc. | Embedded scheduling of hardware resources for hardware acceleration |
| CN114281366A (en) * | 2021-12-24 | 2022-04-05 | 奇安信科技集团股份有限公司 | Software silent uninstallation device, method, computing device and storage medium |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110176988B (en) * | 2019-04-25 | 2022-04-08 | 中国人民解放军战略支援部队信息工程大学 | Apparatus and method for ensuring consistent encryption behavior of redundant executive bodies |
| CN111190733B (en) * | 2019-12-27 | 2023-11-17 | 华为技术有限公司 | Computing resource scheduling method and device for RSA calculation |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080077928A1 (en) * | 2006-09-27 | 2008-03-27 | Kabushiki Kaisha Toshiba | Multiprocessor system |
| CN103019856A (en) * | 2012-11-23 | 2013-04-03 | 上海寰创通信科技股份有限公司 | Asymmetric dispatch method for multi-core processor |
| CN103645954A (en) * | 2013-11-21 | 2014-03-19 | 华为技术有限公司 | CPU scheduling method, device and system based on heterogeneous multi-core system |
| US20150199214A1 (en) * | 2014-01-13 | 2015-07-16 | Electronics And Telecommunications Research Institute | System for distributed processing of stream data and method thereof |
Family Cites Families (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1895331A2 (en) * | 2006-08-30 | 2008-03-05 | Angel Ramiro Mur Güerri | Instrument for the study of snow, method of measuring a blanket of snow, method of recharging batteries and method of transforming a flexible body into a vertical rigid body |
| US8675875B2 (en) * | 2010-05-18 | 2014-03-18 | International Business Machines Corporation | Optimizing use of hardware security modules |
| US8799554B1 (en) * | 2010-10-27 | 2014-08-05 | Amazon Technologies, Inc. | Methods and system for swapping memory in a virtual machine environment |
| US9569233B2 (en) * | 2012-12-31 | 2017-02-14 | F5 Networks, Inc. | Elastic offload of prebuilt traffic management system component virtual machines |
| US9215067B2 (en) * | 2013-04-05 | 2015-12-15 | International Business Machines Corporation | Achieving storage efficiency in presence of end-to-end encryption using downstream decrypters |
| US20150317176A1 (en) * | 2014-05-02 | 2015-11-05 | Cavium, Inc. | Systems and methods for enabling value added services for extensible storage devices over a network via nvme controller |
| US9571279B2 (en) * | 2014-06-05 | 2017-02-14 | Cavium, Inc. | Systems and methods for secured backup of hardware security modules for cloud-based web services |
2016
- 2016-03-31 WO PCT/CN2016/078136 patent/WO2017166206A1/en not_active Ceased
- 2016-03-31 DE DE112016006318.0T patent/DE112016006318T5/en not_active Withdrawn
- 2016-03-31 CN CN201680082961.9A patent/CN108713190B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN108713190B (en) | 2024-03-01 |
| CN108713190A (en) | 2018-10-26 |
| DE112016006318T5 (en) | 2018-11-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12174754B2 (en) | | Technologies for secure I/O with memory encryption engines |
| US10810138B2 (en) | | Enhanced storage encryption with total memory encryption (TME) and multi-key total memory encryption (MKTME) |
| US10686763B2 (en) | | Techniques for load balancing in a packet distribution system |
| US11893144B2 (en) | | System and method for slice virtual disk encryption |
| EP3084614B1 (en) | | Secure enclaves for use by kernel mode applications |
| US9973335B2 (en) | | Shared buffers for processing elements on a network device |
| US11934567B2 (en) | | Preventing unauthorized translated access using address signing |
| US20180095812A1 (en) | | Memory integrity violation analysis method and apparatus |
| CN114077733A (en) | | Flexible counter system for memory protection |
| US11048644B1 (en) | | Memory mapping in an access device for non-volatile memory |
| WO2017166206A1 (en) | | Techniques for accelerated secure storage capabilities |
| KR101684042B1 (en) | | Shared buffers for processing elements on a network device |
| US20210250380A1 (en) | | Secure software defined storage |
| AU2016243416A1 (en) | | Systems and methods for improving quality of service within hybrid storage systems |
| CN111949372A (en) | | Virtual machine migration method, general processor and electronic equipment |
| US20220311594A1 (en) | | Multi-tenancy protection for accelerators |
| US10437754B1 (en) | | Diagnostic fault management controller for distributed computing |
| US20170132027A1 (en) | | Systems and methods for coordinating data caching on virtual storage appliances |
| CN104268489A (en) | | DEVICE MAPPER-based encryption card performance optimization method |
| WO2015096120A1 (en) | | Techniques for implementing a secure mailbox in resource-constrained embedded systems |
| US11005896B2 (en) | | Service chaining for multiple uplink bridges in a virtualization environment |
| US20250310084A1 (en) | | Secure key delivery |
| CN117150529A (en) | | Data processing method and device and electronic equipment |
| CN119004519A (en) | | Method, system, computing device, medium and program product for transmitting data |
| CN119853905A (en) | | Post quantum cryptography system with agile algorithm and working method thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | WWE | Wipo information: entry into national phase | Ref document number: 201680082961.9; Country of ref document: CN |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16895986; Country of ref document: EP; Kind code of ref document: A1 |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 16895986; Country of ref document: EP; Kind code of ref document: A1 |