Abstract: Atomic instructions, including a Compare And Swap Register, a Load and AND Register, and a Load and OR Register instruction, use registers instead of storage to communicate and share information in a multi-threaded processor. The registers are accessible to multiple threads of the multi-threaded processor, and the instructions operate on these shared registers. Access to the shared registers is controlled by the instructions via interlocking.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving a query for an amount of storage in memory of a computer system to be donated to a secure interface control of the computer system. The secure interface control can determine the amount of storage to be donated based on a plurality of secure entities supported by the secure interface control as a plurality of predetermined values. The secure interface control can return a response to the query indicative of the amount of storage as a response to the query. A donation of storage to secure for use by the secure interface control can be received based on the response to the query.

Abstract: Atomic instructions, including a Compare And Swap Register, a Load and AND Register, and a Load and OR Register instruction, use registers instead of storage to communicate and share information in a multi-threaded processor. The registers are accessible to multiple threads of the multi-threaded processor, and the instructions operate on these shared registers. Access to the shared registers is controlled by the instructions via interlocking.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, by a hypervisor that is executing on a host server, a request to dispatch a virtual machine. The method further includes, based on a determination that the virtual machine is a secure virtual machine, preventing the hypervisor from directly accessing any data of the secure virtual machine by determining, by a secure interface control of the host server, a security mode of the virtual machine. Based on the security mode being a first mode, the secure interface control loads a virtual machine state from a first state descriptor, which is stored in a non-secure portion of memory. Based on the security mode being a second mode, the secure interface control loads the virtual machine state from a second state descriptor, which is stored in a secure portion of the memory.

Abstract: Increasing the scope of local purges of structures associated with address translation. A hardware thread of a physical core of a machine configuration issues a purge request. A determination is made as to whether the purge request is a local request. Based on the purge request being a local request, entries of a structure associated with address translation are purged on at least multiple hardware threads of a set of hardware threads of the machine configuration.

Abstract: A transaction is detected. The transaction has a begin-transaction indication and an end-transaction indication. If it is determined that the begin-transaction indication is not a no-speculation indication, then the transaction is processed.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes executing, by a virtual machine that is executing on a host server, a stream of instructions, wherein an instruction from the stream of instructions is to be intercepted to a hypervisor. The method further includes, based on a determination that the virtual machine is a secure virtual machine, preventing the hypervisor from directly accessing any data of the secure virtual machine. The method further includes performing by a secure interface control of the host server, based on a determination that the instruction is not interpretable by the secure interface control itself, extracting one or more parameter data associated with the instruction from the secure virtual machine, and storing the parameter data into a buffer that is accessible by the hypervisor. The instruction is subsequently intercepted into the hypervisor.

Abstract: A system and method of implementing a wait state for a plurality of threads executing on a computer processor core of the processor. The processor is configured to execute instruction streams by the plurality of threads, wherein the plurality of threads includes a first thread and a set of remaining threads and determine that the first thread has entered a first wait state loop. The processor is also configured to determine that any of the set of remaining threads has not entered a corresponding wait state loop and remain by the first thread in the first wait state loop until each of the set of remaining threads has entered the corresponding wait state loop.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, at a secure interface control of a computer system, an access request for a data structure related to a secure entity in a secure domain of the computer system. The secure interface control can check for a virtual storage address associated with a location of the data structure. The secure interface control can request an address translation using a virtual address space of a non-secure entity of the computer system based on determining that the location of the data structure is associated with the virtual storage address. The secure interface control can access the data structure based on a result of the address translation.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes executing, by a virtual machine that is executing on a host server, a stream of instructions, wherein an instruction from the stream of instructions is to be intercepted to a hypervisor. The method further includes, based on a determination that the virtual machine is a secure virtual machine, preventing the hypervisor from directly accessing any data of the secure virtual machine. The method further includes performing by a secure interface control of the host server, based on a determination that the instruction is not interpretable by the secure interface control itself, extracting one or more parameter data associated with the instruction from the secure virtual machine, and storing the parameter data into a buffer that is accessible by the hypervisor. The instruction is subsequently intercepted into the hypervisor.

Abstract: A method is provided. The method is implemented by a communication interface of a secure interface control executing between the secure interface control of a computer and hardware of the computer/In this regard, the communication interface receives an instruction and determines whether the instruction is a millicoded instruction. Further, the communication interface enters a millimode comprising enabling the secure interface control to engage millicode of the hardware through the communication interface based on the instruction being the millicoded instruction.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving a secure access request for a secure page of memory at a secure interface control of a computer system. The secure interface control can check a disable virtual address compare state associated with the secure page. The secure interface control can disable a virtual address check in accessing the secure page to support mapping of a plurality of virtual addresses to a same absolute address to the secure page based on the disable virtual address compare state being set and/or to support secure pages that are accessed using an absolute address and do not have an associated virtual address.

Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.

Abstract: A method is provided by a secure interface control of a computer that provides a partial instruction interpretation for an instruction which enables an interruption. The secure interface control fetches a program status word or a control register value from a secure guest storage. The secure interface control notifies an untrusted entity of guest interruption mask updates. The untrusted entity is executed on and in communication with hardware of the computer through the secure interface control to support operations of a secure entity executing on the untrusted entity. The secure interface control receives, from the untrusted entity, a request to present a highest priority, enabled guest interruption in response to the notifying of the guest interruption mask updates. The secure interface control moves interruption information into a guest prefix page and injecting the interruption in the secure entity when an injection of the interruption is determined to be valid.

Abstract: An computer-implemented method according to examples includes receiving, by a secure interface control of a computing system, a request by a requestor to access a page in a memory of the computing system. The method further includes, responsive to determining that the requestor is a non-secure requestor and responsive to a secure-storage bit being set, prohibiting access to the page without performing an authorization check. The method further includes, responsive to determining that the requestor is a secure requestor, performing the authorization check.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, by a hypervisor that is executing on a host server, a request to dispatch a virtual machine. The method further includes, based on a determination that the virtual machine is a secure virtual machine, preventing the hypervisor from directly accessing any data of the secure virtual machine by determining, by a secure interface control of the host server, a security mode of the virtual machine. Based on the security mode being a first mode, the secure interface control loads a virtual machine state from a first state descriptor, which is stored in a non-secure portion of memory. Based on the security mode being a second mode, the secure interface control loads the virtual machine state from a second state descriptor, which is stored in a secure portion of the memory.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes enabling, by a secure interface control of a computer system, a non-secure entity of the computer system to access a page of memory shared between the non-secure entity and a secure domain of the computer system based on the page being marked as non-secure with a secure storage protection indicator of the page being clear. The secure interface control can verify that the secure storage protection indicator of the page is clear prior to allowing the non-secure entity to access the page. The secure interface control can provide a secure entity of the secure domain with access to the page absent a check of the secure storage protection indicator of the page.

Abstract: Secure processing within a computing environment is provided by incrementally decrypting a secure operating system image, including receiving, for a page of the secure operating system image, a page address and a tweak value used during encryption of the page. Processing determines that the tweak value has not previously been used during decryption of another page of the secure operating system image, and decrypts memory page content at the page address using an image encryption key and the tweak value to facilitate obtaining a decrypted secure operating system image. Further, integrity of the secure operating system image is verified, and based on verifying integrity of the secure operating system image, execution of the decrypted secure operating system image is started.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving a query for an amount of storage in memory of a computer system to be donated to a secure interface control of the computer system. The secure interface control can determine the amount of storage to be donated based on a plurality of secure entities supported by the secure interface control as a plurality of predetermined values. The secure interface control can return a response to the query indicative of the amount of storage as a response to the query. A donation of storage to secure for use by the secure interface control can be received based on the response to the query.

Abstract: A method for testing storage protection hardware includes receiving by a non-trusted entity that is executing on a host server, a request to dispatch a secure entity. It is determined, by a secure interface control of the host server, whether the host server is in an auxiliary-secure (AS) debug mode for testing an AS entity. Based on determining that the host server is in the AS debug mode, a secure guest entity state is loaded from a state descriptor for the secure entity into an AS entity state in hardware to test, upon dispatch of the secure entity, accesses to pages in a memory that are registered as secure and as belonging to the AS entity.