Abstract: Disclosed are various approaches for exposing peripheral component interconnect express (PCIe) configuration space implementations as Enhanced Configuration Access Mechanism (ECAM)-compatible. In some examples, a bridge device is identified on a segment corresponding to a root complex of a computing device. An endpoint device is connected to a bus downstream from the bridge device. A synthetic segment identifier is assigned to the bus once the endpoint device is identified as connected to the bus. Synthetic address data is generated for the endpoint device. The synthetic address data includes the synthetic segment identifier for the bus and sets a bus identifier of the bus to zero regardless of a hierarchical position of the bus in a standard peripheral component interconnect express (PCIe) bus hierarchy.

Abstract: The disclosure herein describes deploying a Virtual Secure Enclave (VSE) using a universal enclave binary and a Trusted Runtime (TR). A universal enclave binary is generated that includes a set of binaries of Instruction Set Architectures (ISAs) associated with Trusted Execution Environment (TEE) hardware backends. A TEE hardware backend is identified in association with a VSE-compatible device. A VSE that is compatible with the identified TEE hardware backend is generated on the VSE-compatible device and an ISA binary that matches the TEE hardware backend is selected from the universal enclave binary. The selected binary is linked to a runtime library of the TR and loads the linked binary into memory of the generated VSE. The execution of a trusted application is initiated in the generated VSE using a set of interfaces of the TR. The trusted application depends on the TR interfaces rather than the selected ISA binary.

Abstract: System and method for creating and managing trusted execution environments (TEEs) using different underlying hardware TEE mechanisms use a virtual secure enclave device which runs in a virtualized environment in a computer system. The device enables an enclave command transmitted to the virtual secure enclave device to be retrieved and parsed to extract an enclave operation to be executed. A TEE backend module is used to interact with a particular hardware TEE mechanism among those available in the computer system. The module ensures the enclave operation for the software process is executed by the particular hardware TEE mechanism, or the TEE scheme based on a particular hardware TEE mechanism.

Abstract: Disclosed are various approaches for exposing peripheral component interconnect express (PCIe) configuration space implementations as Enhanced Configuration Access Mechanism (ECAM)-compatible. In some examples, a bridge device is identified on a segment corresponding to a root complex of a computing device. An endpoint device is connected to a bus downstream from the bridge device. A synthetic segment identifier is assigned to the bus once the endpoint device is identified as connected to the bus. Synthetic address data is generated for the endpoint device. The synthetic address data includes the synthetic segment identifier for the bus and sets a bus identifier of the bus to zero regardless of a hierarchical position of the bus in a standard peripheral component interconnect express (PCIe) bus hierarchy.

Abstract: Techniques for enabling efficient guest OS access to PCIe configuration space are provided. In one set of embodiments, a hypervisor can reserve a single host physical memory page in the host physical memory of a host system and can populate the single host physical memory page with a value indicating non-presence of PCIe device functions. The hypervisor can then create, for each guest physical memory page in a guest physical memory of a virtual machine (VM) corresponding to a PCIe configuration space of an absent PCIe device function in the VM, a mapping in the hypervisor's second-level page tables that maps the guest physical memory page to the single host physical memory page.

Abstract: A combined data processing unit (DPU) and server solution with DPU operating system (OS) integration is described. A DPU OS is executed on a DPU or other computing device, where the DPU OS exercises secure calls provided by a DPU's trusted firmware component, that may be invoked by DPU OS components to abstract DPU vendor-specific and server vendor-specific integration details. An invocation of one of the secure calls made on the DPU to communicate with its associated server computing device is identified. In an instance in which the one of the secure calls is invoked, the secure call invoked is translated into a call or request specific to an architecture of the server computing device and the call is performed, which may include sending a signal to the server computing device in a format interpretable by the server computing device.

Abstract: Disclosed are various embodiments for various approaches for implementing trust domains to provide boundaries between PCIe devices connected to the same PCIe switch. A first trust identifier can be assigned to a first virtual machine hosted by the computing device. The first trust identifier can also be assigned to a first PCIe device assigned to the first virtual machine. Later, it can be determined that a second PCIe device connected to the PCIe switch is assigned a second trust identifier assigned to a second virtual machine. An Address Control Services (ACS) direct translated bit for peer-to-peer memory requests in the PCIe switch can be disabled in response to a determination that the second PCIe device is associated with the second trust identifier assigned to the second virtual machine.

Abstract: Disclosed are various examples of providing efficient bit compression for direct mapping of physical memory addresses. In some examples, a hypervisor operating system component generates a mask of used address space bits indicated by memory map entries for a computing device. A longest range of unused address space bits is identified using the mask. The memory map entries are transformed to omit the longest range of unused address space bits.

Abstract: Boot failure protection on smartNICs and other computing devices is described. During a power-on stage of a booting process for a computing device, a boot loading environment is directed to install an application programming interface (API) able to be invoked to control operation of a hardware-implemented watchdog. During an operating system loading stage of the booting process, the application programming interface is invoked to enable the hardware-implemented watchdog. During an operating system hand-off stage of the booting process, a last watchdog refresh of the hardware-implemented watchdog is performed, and execution of the boot loading environment is handed off to a kernel boot loader of an operating system. The application programming interface may not be accessible after the hand off to the kernel boot loader.

Abstract: Disclosed are various examples of provisioning a data processing unit (DPU) management operating system (OS). A host device boots a host provisioning image, which executes a host provisioning agent. The host provisioning agent launches a server component that serves a DPU management OS. A provisioning command is transmitted to a DPU device installed to the host device. The server component transmits the DPU management OS from the host device to the DPU device. A host OS is executed once an indication that the DPU device is executing on the DPU management OS is received.

Abstract: Disclosed are various examples of loading management hypervisors from user space. In some examples, a host device executes a first stage bootloader of a management hypervisor from within a host operating system. The first stage bootloader loads management hypervisor data and handoff instructions into a memory of the host device, and invokes a kernel execute call of the host operating system. The handoff instructions invoke a second stage bootloader that configures and launches the management hypervisor using the management hypervisor data.

Abstract: Disclosed are various examples of loading management hypervisors from a system control processor. In some examples, a host device executes a first stage bootloader of a management hypervisor from a system control processor. The first stage bootloader loads management hypervisor data and firmware instructions into a main processor memory of a main processor, and initializes the main processor to execute the firmware instructions. The system then jumps to a second stage bootloader that configures and launches the management hypervisor using the management hypervisor data.

Abstract: Disclosed are various examples of hosting a data processing unit (DPU) management operating system using an operating system software stack of a preinstalled DPU operating system. The preinstalled DPU operating system of the DPU is leveraged to provide a virtual machine environment. A DPU management operating system is executed within the virtual machine environment of the preinstalled DPU operating system. A third-party DPU function or a management service function is provided using the DPU hardware resources accessed through the DPU management operating system and the virtual machine environment.

Abstract: Disclosed are various examples of lifecycle and recovery management for virtualized data processing unit (DPU) management operating systems. A DPU device executes a DPU management hypervisor that communicates with a management service over a network. The DPU management hypervisor virtualizes DPU hardware resources and passes control of the virtualized DPU hardware resources to a DPU management operating system (OS) virtual machine (VM). The DPU management hypervisor maintains control of a management network interface card (NIC) of the DPU device.

Abstract: Disclosed are various embodiments for various approaches for implementing trust domains to provide boundaries between PCIe devices connected to the same PCIe switch. A first trust identifier can be assigned to a first virtual machine hosted by the computing device. The first trust identifier can also be assigned to a first PCIe device assigned to the first virtual machine. Later, it can be determined that a second PCIe device connected to the PCIe switch is assigned a second trust identifier assigned to a second virtual machine. An Address Control Services (ACS) direct translated bit for peer-to-peer memory requests in the PCIe switch can be disabled in response to a determination that the second PCIe device is associated with the second trust identifier assigned to the second virtual machine.

Abstract: A hardware-assisted paravirtualized hardware watchdog is described that is used to detect and recover from computer malfunctions. A computing device determines that a hardware-implemented watchdog of the computing device does not comply with predetermined watchdog criteria, where the hardware-implemented watchdog is configured to send a reset signal when a first predetermined amount of time elapses without receipt of a first refresh signal. If the hardware-implemented watchdog does not comply with the predetermined watchdog criteria, a runtime watchdog service is initialized using a second predetermined amount of time. The runtime watchdog service is directed to periodically send the refresh signal to the hardware-implemented watchdog before an expiration of the first predetermined amount of time that causes the hardware-implemented watchdog to expire.

Abstract: Disclosed are various examples of providing provide efficient waiting for detection of memory value updates for Advanced RISC Machines (ARM) architectures. An ARM processor component instructs a memory agent to perform a processing action, and executes a waiting function. The waiting function ensures that the processing action is completed by the memory agent. The waiting function performs an exclusive load at a memory location, and a wait for event (WFE) instruction that causes the ARM processor component to wait in a low-power mode for an event register to be set. Once the event register is set, the waiting function completes and a second processing action is executed by the ARM processor component.

Abstract: A combined data processing unit (DPU) and server solution with DPU operating system (OS) integration is described. A DPU OS is executed on a DPU or other computing device, where the DPU OS exercises secure calls provided by a DPU's trusted firmware component, that may be invoked by DPU OS components to abstract DPU vendor-specific and server vendor-specific integration details. An invocation of one of the secure calls made on the DPU to communicate with its associated server computing device is identified. In an instance in which the one of the secure calls is invoked, the secure call invoked is translated into a call or request specific to an architecture of the server computing device and the call is performed, which may include sending a signal to the server computing device in a format interpretable by the server computing device.

Abstract: Disclosed are various examples of provisioning a data processing unit (DPU) management operating system (OS). A management hypervisor installer executed on a host device launches or causes a server component to provide a management operating system (OS)installer image at a particular URI accessible over a network internal to the host device. A baseboard management controller (BMC) transfers the DPU management OS installer image to the DPU device. A volatile memory based virtual disk is created using the DPU management OS installer image. The DPU device is booted to a DPU management OS installer on the volatile memory based virtual disk. The DPU management OS installer installs a DPU management operating system to a nonvolatile memory of the DPU device on reboot of the DPU device.

Abstract: Disclosed are various embodiments for various approaches for implementing trust domains to provide boundaries between PCIe devices connected to the same PCIe switch. A first trust identifier can be assigned to a first virtual machine hosted by the computing device. The first trust identifier can also be assigned to a first PCIe device assigned to the first virtual machine. Later, it can be determined that a second PCIe device connected to the PCIe switch is assigned a second trust identifier assigned to a second virtual machine. An Address Control Services (ACS) direct translated bit for peer-to-peer memory requests in the PCIe switch can be disabled in response to a determination that the second PCIe device is associated with the second trust identifier assigned to the second virtual machine.