Patents by Inventor Andrew John Thornton

Andrew John Thornton has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8700816
    Abstract: Various aspects are disclosed herein for bounding the behavior of a non-privileged virtual machine that interacts with a device by creating a description of the device which indicates to a privileged authority (1) which operations on the device may have system-wide effects and (2) which operations have effects local to the device. The privileged authority may then permit or deny these actions. The privileged authority may also translate these actions into other actions with benign consequences.
    Type: Grant
    Filed: February 8, 2012
    Date of Patent: April 15, 2014
    Assignee: Microsoft Corporation
    Inventors: Jacob Oshins, Brandon Allsop, Andrew John Thornton
  • Patent number: 8635612
    Abstract: Systems and methods are provided, whereby partitions may become enlightened and discover the presence of a hypervisor. Several techniques of hypervisor discovery are discussed, such as detecting the presence of virtual processor registers (e.g. model specific registers or special-purpose registers) or the presence of virtual hardware devices. Upon discovery, information (code and/or data) may be injected in a partition by the hypervisor, whereby such injection allows the partition to call the hypervisor. Moreover, the hypervisor may present a versioning mechanism that allows the partition to match up the version of the hypervisor to its virtual devices. Next, once code and/or data is injected, calling conventions are established that allow the partition and the hypervisor to communicate, so that the hypervisor may perform some operations on behalf of the partition.
    Type: Grant
    Filed: April 29, 2005
    Date of Patent: January 21, 2014
    Assignee: Microsoft Corporation
    Inventors: Adrian J. Oney, Andrew John Thornton, Eric P. Traut, Nathan T. Lewis
  • Patent number: 8296775
    Abstract: Various operations are disclosed for improving the operational efficiency of register handling in a virtualized environment. Some infrequently accessed software managed registers are managed lazily when switching contexts between virtual processors. The states of those registers are not saved on exit from a guest or restored on entry to the guest. Rather, guest accesses to those registers are intercepted. For some frequently accessed registers, register states are saved or restored only upon exit from a hypervisor to a different guest than that from which the hypervisor was entered. For enable-flag-gated registers, updates to a physical register value are not made unless the register is enabled. A shadow register cache may be used to speed accesses to some registers. When a shadowed register is modified, the new value is cached as a shadow copy in RAM and subsequent reads of the register are taken from the shadow copy.
    Type: Grant
    Filed: January 31, 2007
    Date of Patent: October 23, 2012
    Assignee: Microsoft Corporation
    Inventors: Andrew John Thornton, Shuvabrata Ganguly
  • Publication number: 20120144071
    Abstract: Various aspects are disclosed herein for bounding the behavior of a non-privileged virtual machine that interacts with a device by creating a description of the device which indicates to a privileged authority (1) which operations on the device may have system-wide effects and (2) which operations have effects local to the device. The privileged authority may then permit or deny these actions. The privileged authority may also translate these actions into other actions with benign consequences.
    Type: Application
    Filed: February 8, 2012
    Publication date: June 7, 2012
    Applicant: MICROSOFT CORPORATION
    Inventors: Jacob Oshins, Brandon Allsop, Andrew John Thornton
  • Patent number: 8117346
    Abstract: Various aspects are disclosed herein for bounding the behavior of a non-privileged virtual machine that interacts with a device by creating a description of the device which indicates to a privileged authority (1) which operations on the device may have system-wide effects and (2) which operations have effects local to the device. The privileged authority may then permit or deny these actions. The privileged authority may also translate these actions into other actions with benign consequences.
    Type: Grant
    Filed: October 3, 2008
    Date of Patent: February 14, 2012
    Assignee: Microsoft Corporation
    Inventors: Jacob Oshins, Brandon Allsop, Andrew John Thornton
  • Patent number: 7975117
    Abstract: Plural guest operating systems run on a computer, where a security kernel enforces a policy of isolation among the guest operating systems. An exclusion vector defines a set of pages that cannot be accessed by direct memory access (DMA) devices. The security kernel enforces an isolation policy by causing certain pages to be excluded from direct access. Thus, device drivers in guest operating systems are permitted to control DMA devices directly without virtualization of those devices, while each guest is prevented from using DMA devices to access pages that the guest is not permitted to access under the policy.
    Type: Grant
    Filed: December 19, 2003
    Date of Patent: July 5, 2011
    Assignee: Microsoft Corporation
    Inventors: Marcus Peinado, Paul England, Bryan Mark Willman, Yuqun Chen, Andrew John Thornton
  • Patent number: 7877760
    Abstract: Mechanisms are disclosed herein that manage operations in virtual machine environments. A first partition can have a proxy driver object corresponding to a driver object in a second partition. The driver object can control a physical device, but because of the proxy driver object, the first partition can retain some measure of control over the physical device. The driver object can be surrounded by a first filter object beneath it, and a second filter object above it. The first filter object can provide interfaces to the driver object so that the driver object can perform various bus-related functionalities; and, the second filter object can receive redirected instructions from the first partition and provide them to the driver object, and intercept any instructions originating from within the second partition, such that if these instructions are inconsistent with policies set in the first partition, they can be manipulated.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: January 25, 2011
    Assignee: Microsoft Corporation
    Inventors: Adrian J. Oney, Andrew John Thornton, Jacob Oshins
  • Publication number: 20100088431
    Abstract: Various aspects are disclosed herein for bounding the behavior of a non-privileged virtual machine that interacts with a device by creating a description of the device which indicates to a privileged authority (1) which operations on the device may have system-wide effects and (2) which operations have effects local to the device. The privileged authority may then permit or deny these actions. The privileged authority may also translate these actions into other actions with benign consequences.
    Type: Application
    Filed: October 3, 2008
    Publication date: April 8, 2010
    Applicant: MICROSOFT CORPORATION
    Inventors: Jacob Oshins, Brandon Allsop, Andrew John Thornton
  • Patent number: 7493429
    Abstract: The present invention provides for trusted side-band communications between components in a computer system, so that use of the system bus may be avoided. Two components may be connected by means other than a bus (e.g., an infrared port, a wire, an unused pin, etc.), whereby these components may communicate without the use of the system bus. The non-bus communication channel may be referred to as “side-band.” The side-band channel may be used to communicate information that might identify the user's hardware (e.g., a public key) or other information that the user may not want to be easily intercepted by the public at large. Communication over the side-band channel may also be used to verify that the participants in a communication are within a defined positional relationship to each other.
    Type: Grant
    Filed: January 16, 2004
    Date of Patent: February 17, 2009
    Assignee: Microsoft Corporation
    Inventors: John E. Paff, Marcus Peinado, Thekkthalackal Varugis Kurien, Bryan Mark Willman, Paul England, Andrew John Thornton
  • Patent number: 7457964
    Abstract: A method is provided for a processor of a computing device to obtain a trusted identification of a hardware peripheral of the computing device, for the computing device and the peripheral to derive a set of shared keys, and for the processor to send trusted data to the peripheral.
    Type: Grant
    Filed: February 4, 2004
    Date of Patent: November 25, 2008
    Assignee: Microsoft Corporation
    Inventors: Andrew John Thornton, John E. Paff, Marcus Peinado, Thekkthalackal Varugis Kurien
  • Patent number: 7454530
    Abstract: A system and method to facilitate communication between an associated bus, such as employs a standard bus protocol, and a connector to which a removable SFF device can be attached. A desired operating mode is selected based on the device attached at the connector, such as either to pass the protocol between the bus and device generally unchanged or to implement suitable protocol conversion for such communication. Thus, by configuring the SFF device to appear as a device currently supported by the bus, the SFF device can operate at the connector with native operating system support.
    Type: Grant
    Filed: August 16, 2004
    Date of Patent: November 18, 2008
    Assignee: Microsoft Corporation
    Inventors: Jeremy Paul Cahill, Andrew John Thornton, Jonathan Vines Smith
  • Publication number: 20080183944
    Abstract: Various operations are disclosed for improving the operational efficiency of register handling in a virtualized environment. Some infrequently accessed software managed registers are managed lazily when switching contexts between virtual processors. The states of those registers are not saved on exit from a guest or restored on entry to the guest. Rather, guest accesses to those registers are intercepted. For some frequently accessed registers, register states are saved or restored only upon exit from a hypervisor to a different guest than that from which the hypervisor was entered. For enable-flag-gated registers, updates to a physical register value are not made unless the register is enabled. A shadow register cache may be used to speed accesses to some registers. When a shadowed register is modified, the new value is cached as a shadow copy in RAM and subsequent reads of the register are taken from the shadow copy.
    Type: Application
    Filed: January 31, 2007
    Publication date: July 31, 2008
    Applicant: Microsoft Corporation
    Inventors: Andrew John Thornton, Shuvabrata Ganguly
  • Publication number: 20080082975
    Abstract: Mechanisms are disclosed herein that manage operations in virtual machine environments. A first partition can have a proxy driver object corresponding to a driver object in a second partition. The driver object can control a physical device, but because of the proxy driver object, the first partition can retain some measure of control over the physical device. The driver object can be surrounded by a first filter object beneath it, and a second filter object above it. The first filter object can provide interfaces to the driver object so that the driver object can perform various bus-related functionalities; and, the second filter object can receive redirected instructions from the first partition and provide them to the driver object, and intercept any instructions originating from within the second partition, such that if these instructions are inconsistent with policies set in the first partition, they can be manipulated.
    Type: Application
    Filed: September 29, 2006
    Publication date: April 3, 2008
    Applicant: Microsoft Corporation
    Inventors: Adrian J. Oney, Andrew John Thornton, Jacob Oshins
  • Patent number: 6871244
    Abstract: A system and method to facilitate communication between an associated bus, such as employs a standard bus protocol, and a connector to which a removable SFF device can be attached. A desired operating mode is selected based on the device attached at the connector, such as either to pass the protocol between the bus and device generally unchanged or to implement suitable protocol conversion for such communication. Thus, by configuring the SFF device to appear as a device currently supported by the bus, the SFF device can operate at the connector with native operating system support.
    Type: Grant
    Filed: February 28, 2002
    Date of Patent: March 22, 2005
    Assignee: Microsoft Corp.
    Inventors: Jeremy Paul Cahill, Andrew John Thornton, Jonathan Vines Smith
  • Publication number: 20040205203
    Abstract: Plural guest operating systems run on a computer, where a security kernel enforces a policy of isolation among the guest operating systems. An exclusion vector defines a set of pages that cannot be accessed by direct memory access (DMA) devices. The security kernel enforces an isolation policy by causing certain pages to be excluded from direct access. Thus, device drivers in guest operating systems are permitted to control DMA devices directly without virtualization of those devices, while each guest is prevented from using DMA devices to access pages that the guest is not permitted to access under the policy.
    Type: Application
    Filed: December 19, 2003
    Publication date: October 14, 2004
    Inventors: Marcus Peinado, Paul England, Bryan Mark Willman, Yuqun Chen, Andrew John Thornton
  • Patent number: D523306
    Type: Grant
    Filed: May 3, 2005
    Date of Patent: June 20, 2006
    Assignee: William Levene Limited
    Inventor: Andrew John Thornton
  • Patent number: D530574
    Type: Grant
    Filed: June 10, 2005
    Date of Patent: October 24, 2006
    Assignee: William Levene Limited
    Inventor: Andrew John Thornton
  • Patent number: D539079
    Type: Grant
    Filed: June 24, 2005
    Date of Patent: March 27, 2007
    Assignee: William Levene Limited
    Inventor: Andrew John Thornton
  • Patent number: D498988
    Type: Grant
    Filed: July 16, 2003
    Date of Patent: November 30, 2004
    Assignee: William Levene Limited
    Inventor: Andrew John Thornton