Abstract: A technique improves implementation of an index for an operations log (oplog) that coalesces random write operations directed to a virtual disk (vdisk) stored on an extent store. The oplog temporarily caches data associated with the random write operations (i.e., write data) as well as metadata describing the write data. The metadata includes descriptors to the write data stored on virtual address regions, i.e., offset ranges, of the vdisk and are used to identify the offset ranges of write data for the vdisk that are cached in the oplog. To facilitate fast lookup operations of the offset ranges when determining whether write data is cached in the oplog, an oplog index provides a state of the latest data for offset ranges of the vdisk. The technique improves implementation of the oplog index by storing the oplog index in storage class memory, such as persistent memory, to obviate failure and subsequent recovery of the oplog index.

Abstract: A technique replicates an index of an operations log (oplog) from a primary node to a secondary node of a cluster in the event of failure. The oplog functions as a staging area to coalesce random write operations directed to a virtual disk (vdisk) stored on a backend storage tier. The oplog temporarily caches write data as well as metadata describing the write data. The metadata includes descriptors to the write data corresponding to offset ranges of the vdisk and are used to identify ranges of write data for the vdisk that are cached in the oplog. To facilitate fast lookup operations of whether write data is cached in the oplog, an oplog index provides a state of the latest data for offset ranges of the vdisk that enables fast failover of metadata used to construct the oplog index in memory without downtime or significant metadata replay.

Abstract: Techniques for supporting invocations of the RDTSC (Read Time-Stamp Counter) instruction, or equivalents thereof, by guest program code running within a virtual machine (VM), including guest program code running within a secure hardware enclave of the VM, are provided. In one set of embodiments, a hypervisor can activate time virtualization heuristics for the VM, where the time virtualization heuristics cause accelerated delivery of system clock timer interrupts to a guest operating system (OS) of the VM. The hypervisor can further determine a scaling factor to be applied to timestamps generated by one or more physical CPUs, where the timestamps are generated in response to invocations of a CPU instruction made by guest program code running within the VM, and where the scaling factor is based on the activated time virtualization heuristics. The hypervisor can then program the scaling factor into the one or more physical CPUs.

Abstract: Techniques for supporting invocations of the RDTSC (Read Time-Stamp Counter) instruction, or equivalents thereof, by guest program code running within a virtual machine (VM), including guest program code running within a secure hardware enclave of the VM, are provided. In one set of embodiments, a hypervisor can activate time virtualization heuristics for the VM, where the time virtualization heuristics cause accelerated delivery of system clock timer interrupts to a guest operating system (OS) of the VM. The hypervisor can further determine a scaling factor to be applied to timestamps generated by one or more physical CPUs, where the timestamps are generated in response to invocations of a CPU instruction made by guest program code running within the VM, and where the scaling factor is based on the activated time virtualization heuristics. The hypervisor can then program the scaling factor into the one or more physical CPUs.

Abstract: Methods, systems, and computer program products for high-performance cluster computing. Multiple components are operatively interconnected to carry out operations for high-performance RDMA I/O transfers over an RDMA NIC. A virtual machine of a virtualization environment initiates a first I/O call to an HCI storage pool controller using RDMA. Responsive to the first I/O call, a second I/O call is initiated from the HCI storage pool controller to a storage device of an HCI storage pool. The first I/O call to the HCI storage pool controller is implemented through a first virtual function of an RDMA NIC that is exposed in the user space of the virtualization environment. Prior to the first RDMA I/O call, a contiguous unit of memory to use in an RDMA I/O transfer is registered with the RDMA NIC. The contiguous unit of memory comprises memory that is registered using non-RDMA paths such as TCP or iSCSI.

Abstract: A technique improves implementation of an index for an operations log (oplog) that coalesces random write operations directed to a virtual disk (vdisk) stored on an extent store. The oplog temporarily caches data associated with the random write operations (i.e., write data) as well as metadata describing the write data. The metadata includes descriptors to the write data stored on virtual address regions, i.e., offset ranges, of the vdisk and are used to identify the offset ranges of write data for the vdisk that are cached in the oplog. To facilitate fast lookup operations of the offset ranges when determining whether write data is cached in the oplog, an oplog index provides a state of the latest data for offset ranges of the vdisk. The technique improves implementation of the oplog index by storing the oplog index in storage class memory, such as persistent memory, to obviate failure and subsequent recovery of the oplog index.

Abstract: A technique replicates an index of an operations log (oplog) from a primary node to a secondary node of a cluster in the event of a failure of the primary node. The oplog functions as a staging area to coalesce random write operations directed to a virtual disk (vdisk) stored on a backend storage tier organized as an extent store. The oplog temporarily caches data associated with the random write operations (i.e., write data) as well as metadata describing the write data. The metadata includes descriptors to the write data corresponding to virtual address regions, i.e., offset ranges, of the vdisk and are used to identify the offset ranges of write data for the vdisk that are cached in the oplog. To facilitate fast lookup operations of the offset ranges when determining whether write data io is cached in the oplog, an oplog index provides a state of the latest data for offset ranges of the vdisk.

Abstract: Mechanisms to protect the integrity of memory of a virtual machine are provided. The mechanisms involve utilizing certain capabilities of the hypervisor underlying the virtual machine to monitor writes to memory pages of the virtual machine. A guest integrity driver communicates with the hypervisor to request such functionality. Additional protections are provided for protecting the guest integrity driver and associated data, as well as for preventing use of these mechanisms by malicious software. These additional protections include an elevated execution mode, termed “integrity mode,” which can only be entered from a specified entry point, as well as protections on the memory pages that store the guest integrity driver and associated data.

Abstract: Methods, systems and computer program products for lockless acquisition of memory for RDMA operations. A contiguous physical memory region is allocated. The contiguous physical memory region is divided into a plurality of preregistered chunks that are assigned to one or more process threads that are associated with an RDMA NIC. When responding to a request from a particular one of the one or more process threads, a buffer carved from the preregistered chunk of the contiguous physical memory region is assigned to the requesting process thread. Since the memory is pre-registered, and since the associations are made at the thread level, there is no need for locks when acquiring a buffer. Furthermore, since the memory is pre-registered, the threads do not incur registration latency. The contiguous physical memory region can be a contiguous HugePage contiguous region from which a plurality of individually allocatable buffers can be assigned to different threads.

Abstract: Methods, systems, and computer program products for high-performance cluster computing. Multiple components are operatively interconnected to carry out operations for high-performance RDMA I/O transfers over an RDMA NIC. A virtual machine of a virtualization environment initiates a first I/O call to an HCI storage pool controller using RDMA. Responsive to the first I/O call, a second I/O call is initiated from the HCI storage pool controller to a storage device of an HCI storage pool. The first I/O call to the HCI storage pool controller is implemented through a first virtual function of an RDMA NIC that is exposed in the user space of the virtualization environment. Prior to the first RDMA I/O call, a contiguous unit of memory to use in an RDMA I/O transfer is registered with the RDMA NIC. The contiguous unit of memory comprises memory that is registered using non-RDMA paths such as TCP or iSCSI.

Abstract: Methods, systems, and computer program products for high-performance cluster computing. Multiple components are operatively interconnected to carry out operations for high-performance RDMA I/O transfers over an RDMA NIC. A virtual machine of a virtualization environment initiates a first I/O call to an HCI storage pool controller using RDMA. Responsive to the first I/O call, a second I/O call is initiated from the HCI storage pool controller to a storage device of an HCI storage pool. The first I/O call to the HCI storage pool controller is implemented through a first virtual function of an RDMA NIC that is exposed in the user space of the virtualization environment. Prior to the first RDMA I/O call, a contiguous unit of memory to use in an RDMA I/O transfer is registered with the RDMA NIC. The contiguous unit of memory comprises memory that is registered using non-RDMA paths such as TCP or iSCSI.

Abstract: The present disclosure provides an approach for migrating the contents of an enclave, together with a virtual machine comprising the enclave, from a source host to a destination host. The approach provides a technique that allows the contents of the enclave to remain secure during the migration process, and also allows the destination host to decrypt the contents of the enclave upon receiving the contents and upon receiving the VM that includes the enclave. The approach allows for the VM to continue execution on the destination host. The enclave retains its state from source host to destination host. Applications using the enclave in the source host are able to continue using the enclave on the destination host using the data migrated from the source host to the destination host.

Abstract: Techniques for implementing a secure enclave-based guest firewall are provided. In one set of embodiments, a host system can load a policy enforcer for a firewall into a secure enclave of a virtual machine (VM) running on the host system, where the secure enclave corresponds to a region of memory in the VM's guest memory address space that is inaccessible by processes running in other regions of the guest memory address space (including privileged processes that are part of the VM's guest operating system (OS) kernel). The policy enforcer can then, while running within the secure enclave: (1) obtain one or more security policies from a policy manager for the firewall, (2) determine that an event has occurred pertaining to a new or existing network connection between the VM and another machine, and (3) apply the one or more security policies to the network connection.

Abstract: Techniques for verifying the integrity of application data using secure hardware enclaves are provided. In one set of embodiments, a client system can create a secure hardware enclave on the client system and load program code for an integrity verifier into the secure hardware enclave. The client system can further receive a dataset from a server system and store the dataset at a local storage or memory location, and receive, via the integrity verifier, a cryptographic hash of the dataset from the server system and store the received cryptographic hash at a memory location within the secure hardware enclave. Then, on a periodic basis, the integrity verifier can compute a cryptographic hash of the stored dataset, compare the computed cryptographic hash against the stored cryptographic hash, and if the computed cryptographic hash does not match the stored cryptographic hash, determine that the stored dataset has been modified.

Abstract: Techniques for supporting invocations of the RDTSC (Read Time-Stamp Counter) instruction, or equivalents thereof, by guest program code running within a virtual machine (VM), including guest program code running within a secure hardware enclave of the VM, are provided. In one set of embodiments, a hypervisor can activate time virtualization heuristics for the VM, where the time virtualization heuristics cause accelerated delivery of system clock timer interrupts to a guest operating system (OS) of the VM. The hypervisor can further determine a scaling factor to be applied to timestamps generated by one or more physical CPUs, where the timestamps are generated in response to invocations of a CPU instruction made by guest program code running within the VM, and where the scaling factor is based on the activated time virtualization heuristics. The hypervisor can then program the scaling factor into the one or more physical CPUs.

Abstract: The disclosure herein describes verifying integrity of security policies on a client device. Policy data sets associated with security applications of virtual machines on the client device are received from a server and stored on the client device. An integrity verifier on the client device receives verified checksums from the server, wherein the verified checksums are associated with the policy data sets. Client-side checksums are generated by the integrity verifier based on the stored policy data sets. Upon generating the client-side checksums, the integrity verifier compares the verified checksums to the generated client-side checksums. Based on the comparison indicating that a verified checksum and a client-side checksum differ, the integrity verifier generates a checksum failure indicator, wherein the client device is configured to take corrective measures to restore integrity of the virtual machines based on the checksum failure indicator.

Abstract: In a computer system operable at more than one privilege level, an interrupt security module handles interrupts without exposing a secret value of a register to virtual interrupt handling code that executes at a lower privilege level than the interrupt security module. The interrupt security module is configured to intercept interrupts generated while executing code at lower privilege levels. Upon receiving such an interrupt, the interrupt security module overwrites the secret value of the register with an unrelated constant. Subsequently, the interrupt security module generates a virtual interrupt corresponding to the interrupt and forwards the virtual interrupt to the virtual interrupt handling code. Advantageously, although the virtual interrupt handling code is able to determine the value of the register and consequently the unrelated constant, the virtual interrupt handling code is unable to determine the secret value.

Abstract: In a computer system operable at more than one privilege level, an interrupt security module handles interrupts without exposing a secret value of a register to virtual interrupt handling code that executes at a lower privilege level than the interrupt security module. The interrupt security module is configured to intercept interrupts generated while executing code at lower privilege levels. Upon receiving such an interrupt, the interrupt security module overwrites the secret value of the register with an unrelated constant. Subsequently, the interrupt security module generates a virtual interrupt corresponding to the interrupt and forwards the virtual interrupt to the virtual interrupt handling code. Advantageously, although the virtual interrupt handling code is able to determine the value of the register and consequently the unrelated constant, the virtual interrupt handling code is unable to determine the secret value.

Abstract: The present disclosure provides an approach for migrating the contents of an enclave, together with a virtual machine comprising the enclave, from a source host to a destination host. The approach provides a technique that allows the contents of the enclave to remain secure during the migration process, and also allows the destination host to decrypt the contents of the enclave upon receiving the contents and upon receiving the VM that includes the enclave. The approach allows for the VM to continue execution on the destination host. The enclave retains its state from source host to destination host. Applications using the enclave in the source host are able to continue using the enclave on the destination host using the data migrated from the source host to the destination host.

Abstract: Embodiments of the present disclosure relate to container-level monitoring. Embodiments include detecting, by an agent of a virtual machine, an event. Embodiments include determining, by the agent of the virtual machine, an address related to the event. Embodiments include accessing, by the agent of the virtual machine, container mapping information. Embodiments include locating, by the agent of the virtual machine, the address in the container mapping information. Embodiments include determining, by the agent of the virtual machine, based on the locating, that the event is associated with a container. Embodiments include determining, by the agent of the virtual machine, one or more attributes of the container. Embodiments include determining, by the agent of the virtual machine, based on information related to the event and the one or more attributes of the container, whether to block or allow an action related to the event.