System-on-chip for providing virtualization environment and electronic device including the same

1 . A system-on-chip comprising: a storage host controller comprising a virtual machine identifier register and a buffer, wherein the virtual machine identifier register is configured to store an operating virtual machine identifier of an operating virtual machine that is currently running among a plurality of virtual machines and the buffer is configured to store a command generated by the operating virtual machine; and a storage encryption controller configured to store a plurality of encrypted storage keys respectively assigned to a plurality of virtual machine identifiers of the plurality of virtual machines, select a first encrypted storage key from among the plurality of encrypted storage keys based on the operating virtual machine identifier stored in the virtual machine identifier register according to the command, and encrypt or decrypt data corresponding to the command based on the first encrypted storage key. 2 . The system-on-chip of claim 1 , further comprising a protection circuit configured to store information about a storage area assigned to the operating virtual machine identifier of the operating virtual machine, from among a plurality of storage areas of a storage device. 3 . The system-on-chip of claim 2 , wherein the protection circuit is further configured to delete information about the storage area allocated to the operating virtual machine identifier of the operating virtual machine based on an execution of the operating virtual machine being terminated. 4 . The system-on-chip of claim 2 , wherein the storage host controller is further configured to provide an address of the storage area, encrypted data, and the command to the storage device. 5 . The system-on-chip of claim 2 , wherein the storage host controller is further configured to read the data from an address of the storage area according to the command, and provide the read data to the storage encryption controller. 6 . The system-on-chip of claim 1 , wherein the storage encryption controller further comprises a plurality of storage key encryption keys (KEKs) respectively assigned to the plurality of virtual machine identifiers, and is further configured to select a first storage KEK from among the plurality of storage KEKs based on the operating virtual machine identifier stored in the virtual machine identifier register according to the command, decrypt the first encrypted storage key based on the first storage KEK to obtain a decrypted first storage key, and decrypt or encrypt the data corresponding to the command based on the decrypted first storage key. 7 . The system-on-chip of claim 6 , wherein the storage encryption controller comprises a memory comprising: a storage key slot comprising a plurality of key slots respectively storing the plurality of encrypted storage keys corresponding to the plurality of virtual machine identifiers; and a storage KEK table storing the plurality of storage KEKs corresponding to the plurality of virtual machine identifiers. 8 . The system-on-chip of claim 7 , wherein the command comprises the operating virtual machine identifier and a key slot identifier, and wherein the storage encryption controller is further configured to select a first key slot of the plurality of key slots, based on the operating virtual machine identifier and the key slot identifier provided in the command, and select an encrypted storage key stored in the selected key slot as the first encrypted storage key. 9 . A method of controlling access to a storage device in a virtualization environment comprising a plurality of virtual machines and a hypervisor, the method comprising: generating, by the hypervisor, a plurality of storage key encryption keys (KEKs) respectively corresponding to virtual machine identifiers of the plurality of virtual machines; generating, by the hypervisor, a plurality of encrypted storage keys respectively corresponding to the virtual machine identifiers; obtaining a first storage KEK from among the plurality of storage KEKs based on a first virtual machine identifier, among the virtual machine identifiers, of a first virtual machine among the plurality of virtual machines; obtaining a first encrypted storage key from among the plurality of encrypted storage keys based on the first virtual machine identifier; decrypting the first encrypted storage key based on the first storage KEK to obtain a first storage key; and encrypting or decrypting data related to a command generated by the first virtual machine based on the first storage key. 10 . The method of claim 9 , wherein the generating, by the hypervisor, of the plurality of storage KEKs comprises: generating, by the hypervisor, a second encrypted storage key by encrypting the first storage key, based on a first key; and storing, by the first virtual machine, the second encrypted storage key. 11 . The method of claim 10 , wherein the generating, by the hypervisor, of the plurality of storage KEKs comprises: providing, by the first virtual machine, the second encrypted storage key to the hypervisor; decrypting, by the hypervisor, the second encrypted storage key, based on the first key to obtain the first storage key; generating, by the hypervisor, the first encrypted storage key by encrypting the first storage key, based on the first storage KEK corresponding to the first virtual machine identifier among the plurality of storage KEKs; and storing, by the first virtual machine, the first encrypted storage key in a database. 12 . The method of claim 11 , wherein the generating, by the hypervisor, of the plurality of storage KEKs further comprises obtaining, by the first virtual machine, a key identifier corresponding to the first encrypted storage key from the database. 13 . The method of claim 12 , wherein the generating, by the hypervisor, of the plurality of encrypted storage keys further comprises: obtaining, by the first virtual machine, the first encrypted storage key from the database based on the key identifier; and storing, by the first virtual machine, the first encrypted storage key in a storage key slot corresponding to the first virtual machine identifier. 14 . The method of claim 13 , wherein the generating, by the hypervisor, of the plurality of encrypted storage keys further comprises generating, by the first virtual machine, the command based on a slot identifier of the storage key slot. 15 . (canceled) 16 . The method of claim 9 , further comprising: generating mapping information between the first virtual machine identifier and an address of a storage area of the storage device; and blocking access to the storage device based on the first virtual machine identifier and an address provided in the command. 17 . The method of claim 16 , further comprising removing the mapping information between the first virtual machine identifier and the address of the storage area of the storage device based on an execution of the first virtual machine being terminated. 18 . An electronic device comprising: a memory comprising volatile memory cells; a storage device comprising nonvolatile memory cells; and a system-on-chip configured to: store a plurality of encrypted storage keys respectively assigned to a plurality of virtual machine identifiers of a plurality of virtual machines; store a plurality of storage key encryption keys (KEKs) assigned to the plurality of virtual machine identifiers; select a first encrypted storage key from among the plurality of encrypted storage keys based on a first virtual machine identifier of a first vi