Abstract: A method of creating a new page table structure after first stage boot operations has completed but before handoff to a hypervisor occurs. Firmware page tables are reused and copied to a region of memory by a first-stage bootloader while the firmware is running, processed to have an expected multi-stage page table structure and desired access rights, and copied again to another region of memory by the first-stage bootloader after the first-stage bootloader has completed its booting operations and after the firmware has been quiesced.

Abstract: A method of creating a new page table structure after first stage boot operations has completed but before handoff to a hypervisor occurs. Firmware page tables are reused and copied to a region of memory by a first-stage bootloader while the firmware is running, processed to have an expected multi-stage page table structure and desired access rights, and copied again to another region of memory by the first-stage bootloader after the first-stage bootloader has completed its booting operations and after the firmware has been quiesced.

Abstract: A method of emulating nested page table (NPT) mode-based execute control in a virtualized computing system includes: providing NPT mode-based execute control from a hypervisor to a virtual machine (VM) executing in the virtualized computing system; generating a plurality of shadow NPT hierarchies at the hypervisor based on an NPT mode-based execute policy obtained from the VM; configuring a processor of the virtualized computing system to exit from the VM to the hypervisor in response to an escalation from a user privilege level to a supervisor privilege level caused by guest code of the VM; and exposing a first shadow NPT hierarchy of the plurality of shadow NPT hierarchies to the processor in response to an exit from the VM to the hypervisor due to the escalation from the user privilege level to the supervisor privilege level.

Abstract: Techniques for securely supporting a global view of system memory in a physical/virtual computer system comprising a plurality of physical/virtual CPUs are provided. In one set of embodiments, the physical/virtual computer system can receive an interrupt indicating that a first physical/virtual CPU should enter a privileged CPU operating mode. The physical/virtual computer system can further determine that none of the plurality of physical/virtual CPUs are currently in the privileged CPU operating mode. In response to this determination, the physical/virtual computer system can modify the global view of system memory to include a special memory region comprising program code to be executed while in the privileged CPU operating mode; communicate, to the other physical/virtual CPUs, a signal to enter a stop state in which execution is halted but interrupts are accepted for entering the privileged CPU operating mode; and cause the first physical/virtual CPU to enter the privileged CPU operating mode.

Abstract: Techniques for virtualizing NVDIMM WPQ flushing with minimal overhead are provided. In one set of embodiments, a hypervisor of a computer system can allocate a virtual flush hint address (FHA) for a virtual machine (VM), where the virtual flush hint address is associated with one or more physical FHAs corresponding to one or more physical memory controllers of the computer system. The hypervisor can further determine whether one or more physical NVDIMMs of the computer system support WPQ flushing. If so, the hypervisor can write protect a guest physical address (GPA) to host physical address (HPA) mapping for the virtual FHA in the page tables of the computer system, thereby enabling the hypervisor to trap VM writes to the virtual FHA and propagate those write to the physical FHAs of the system.

Abstract: Techniques for virtualizing NVDIMM WPQ flushing with minimal overhead are provided. In one set of embodiments, a hypervisor of a computer system can allocate a virtual flush hint address (FHA) for a virtual machine (VM), where the virtual flush hint address is associated with one or more physical FHAs corresponding to one or more physical memory controllers of the computer system. The hypervisor can further determine whether one or more physical NVDIMMs of the computer system support WPQ flushing. If so, the hypervisor can write protect a guest physical address (GPA) to host physical address (HPA) mapping for the virtual FHA in the page tables of the computer system, thereby enabling the hypervisor to trap VM writes to the virtual FHA and propagate those write to the physical FHAs of the system.

Abstract: Techniques for securely supporting a global view of system memory in a physical/virtual computer system comprising a plurality of physical/virtual CPUs are provided. In one set of embodiments, the physical/virtual computer system can receive an interrupt indicating that a first physical/virtual CPU should enter a privileged CPU operating mode. The physical/virtual computer system can further determine that none of the plurality of physical/virtual CPUs are currently in the privileged CPU operating mode. In response to this determination, the physical/virtual computer system can modify the global view of system memory to include a special memory region comprising program code to be executed while in the privileged CPU operating mode; communicate, to the other physical/virtual CPUs, a signal to enter a stop state in which execution is halted but interrupts are accepted for entering the privileged CPU operating mode; and cause the first physical/virtual CPU to enter the privileged CPU operating mode.

Abstract: An example method of emulating nested page table (NPT) mode-based execute control in a virtualized computing system includes: providing NPT mode-based execute control from a hypervisor to a virtual machine (VM) executing in the virtualized computing system; generating a plurality of shadow NPT hierarchies at the hypervisor based on an NPT mode-based execute policy obtained from the VM; configuring a processor of the virtualized computing system to exit from the VM to the hypervisor in response to an escalation from a user privilege level to a supervisor privilege level caused by guest code of the VM; and exposing a first shadow NPT hierarchy of the plurality of shadow NPT hierarchies to the processor in response to an exit from the VM to the hypervisor due to the escalation from the user privilege level to the supervisor privilege level.

Abstract: Probes are instrumented in multiple software modules of a computer system having virtual machines running therein and executed in a coordinated manner. An output of one probe may be used to conditionally trigger another probe so that the precision of collected data may be improved. In addition, outputs of probes that are triggered in different software modules by related events may be synchronized and analyzed collectively. Probes also may be parallel processed in different processors so that multiple probes can be processed concurrently.

Abstract: Probes are instrumented in multiple software modules of a computer system having virtual machines running therein and executed in a coordinated manner. An output of one probe may be used to conditionally trigger another probe so that the precision of collected data may be improved. In addition, outputs of probes that are triggered in different software modules by related events may be synchronized and analyzed collectively. Probes also may be parallel processed in different processors so that multiple probes can be processed concurrently.