Abstract: A method is provided that includes receiving, by a firmware from an originating software, an asynchronous request for an instruction of an algorithm for compression of data. The firmware operates on a first processor and the originating software operates on a second processor. The firmware issues a synchronous request to the first processor to cause the processor to execute the instruction synchronously. It is determined, by the firmware, whether an interrupt is received from the first processor with respect to the first processor executing the instruction. The firmware retries the issuance of the synchronous request each time the interrupt is received until a retry threshold is reached.

Abstract: Vector pack and unpack instructions are described. An instruction to perform a conversion between one decimal format and another decimal format is executed, in which the one decimal format or the other decimal format is a zoned decimal format. The executing includes obtaining a value from at least one register specified using the instruction. At least a portion of the value is converted from the one decimal format to the other decimal format different from the one decimal format to provide a converted result. A result obtained from the converted result is written into a single register specified using the instruction.

Abstract: A method, computer program product, and a system where a secure interface control determines whether an instance of a secure guest image can execute based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest of an owner and managed by the hypervisor that includes control(s) that indicates whether the hypervisor is permitted to execute an instance of a secure guest generated with the image in the computing system based on system setting(s) in the computing system. The SC intercepts a command by the hypervisor to initiate the instance. The SC determines the presence or the absence of system setting(s) in the computing system. The SC determines if the hypervisor is permitted to execute the instance. If so, the SC enables initiation of the instance by the hypervisor. If not, the SC ignores the command.

Abstract: Vector pack and unpack instructions are described. An instruction to perform a conversion between one decimal format and another decimal format is executed, in which the one decimal format or the other decimal format is a zoned decimal format. The executing includes obtaining a value from at least one register specified using the instruction. At least a portion of the value is converted from the one decimal format to the other decimal format different from the one decimal format to provide a converted result. A result obtained from the converted result is written into a single register specified using the instruction.

Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.

Abstract: A method, computer program product, and a system where a secure interface control determines functionality of a secure guest based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest to be started by an owner and managed by the hypervisor, where the metadata comprises control(s) that indicate whether a secure guest generated with the image is permitted to obtain a response to a particular request. The SC intercepts, from the secure guest generated with the image, during runtime, a request. The SC determines, based on the control(s), if the secure guest is permitted to obtain a response to the request. If permitted, the SC commences fulfillment of the request, within the computing system. If not permitted, the SC ignores the request.

Abstract: A select processor obtains a request to perform a requested operation. The request includes encrypted data and a protected key. The protected key is to be used by the select processor on behalf of an entity unauthorized to use the protected key. The encrypted data is decrypted using the protected key to obtain decrypted data. The requested operation is performed on the decrypted data to obtain resulting data. The resulting data is encrypted (e.g., using the protected key) to obtain encrypted resulting data. The encrypted resulting data is provided to a requestor of the request.

Abstract: Aspects include circuitry that includes a first global generation counter (GGC) that is increased upon decoding of a branch instruction and a second GGC that is increased upon a completion of the branch instruction. Upon a triggered rollback, the first GGC is reset. The circuitry also includes a generation tag memory associated with a register that receives loads during a side-channel attacks which is set to the first GGC upon a first load, and a determination unit to determine, for a second load from an address depending on the register of the first load, a generation tag value associated with the register of the second load as a function of the first GGC, the second GGC, and the generation tag value associated with the register of the first load. A wait queue is configured to block the second load, if the generation tag is larger than the second GGC.

Abstract: Secure processing within a computing environment is provided by incrementally decrypting a secure operating system image, including receiving, for a page of the secure operating system image, a page address and a tweak value used during encryption of the page. Processing determines that the tweak value has not previously been used during decryption of another page of the secure operating system image, and decrypts memory page content at the page address using an image encryption key and the tweak value to facilitate obtaining a decrypted secure operating system image. Further, integrity of the secure operating system image is verified, and based on verifying integrity of the secure operating system image, execution of the decrypted secure operating system image is started.

Abstract: A method, computer program product, and a system where a secure interface control determines functionality of a secure guest based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest to be started by an owner and managed by the hypervisor, where the metadata comprises control(s) that indicate whether a secure guest generated with the image is permitted to obtain a response to a particular request. The SC intercepts, from the secure guest generated with the image, during runtime, a request. The SC determines, based on the control(s), if the secure guest is permitted to obtain a response to the request. If permitted, the SC commences fulfillment of the request, within the computing system. If not permitted, the SC ignores the request.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes initiating, by a non-secure entity that is executing on a host server, a secure entity, the non-secure entity prohibited from directly accessing any data of the secure entity. The method further includes injecting, into the secure entity, an interrupt that is generated by the host server. The injecting includes adding, by the non-secure entity, information about the interrupt into a portion of non-secure storage, which is then associated with the secure entity. The injecting further includes injecting, by a secure interface control of the host server, the interrupt into the secure entity.

Abstract: A method is provided. The method is implemented by a secure interface control of a computer that prevents unauthorized accesses to locations in a memory of the computer. The secure interface control determines that a host absolute page is not previously mapped to a virtual page in accordance with securing the host absolute page and a host virtual page is not already mapped to an absolute page in accordance with securing the host absolute page.

Abstract: An input/output store instruction is handled. A data processing system includes a system nest coupled to at least one input/output bus by an input/output bus controller. The data processing system further includes at least a data processing unit including a core, system firmware and an asynchronous core-nest interface. The data processing unit is coupled to the system nest via an aggregation buffer. The system nest is configured to asynchronously load from and/or store data to at least one external device which is coupled to the at least one input/output bus. The data processing unit is configured to complete the input/output store instruction before an execution of the input/output store instruction in the system nest is completed. The asynchronous core-nest interface includes an input/output status array with multiple input/output status buffers.

Abstract: A method for processing an instruction by a processor operationally connected to one or more buses comprises determining the instruction is to access an address of an address space that maps a memory and comprises a range of MMIO addresses. The method determines the address being accessed is within the range of MMIO addresses and generates, based on the determination, a first translation of the address being accessed to a bus identifier identifying one of the buses and a bus address of a bus address space. The bus address resulting from the translation is assigned to a device accessible via the identified bus. The method generates an entry in a translation lookaside buffer. A request directed to the device is sent via the identified bus to the bus address resulting from the translation.

Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.

Abstract: A method is provided by a secure interface control of a computer that provides a partial instruction interpretation for an instruction which enables an interruption. The secure interface control fetches a program status word or a control register value from a secure guest storage. The secure interface control notifies an untrusted entity of guest interruption mask updates. The untrusted entity is executed on and in communication with hardware of the computer through the secure interface control to support operations of a secure entity executing on the untrusted entity. The secure interface control receives, from the untrusted entity, a request to present a highest priority, enabled guest interruption in response to the notifying of the guest interruption mask updates. The secure interface control moves interruption information into a guest prefix page and injecting the interruption in the secure entity when an injection of the interruption is determined to be valid.

Abstract: A method, computer program product, and system includes a processor obtaining data including values and generating a value conversion dictionary by applying a parse tree based compression algorithm to the data, where the value conversion dictionary includes dictionary entries that represent the values. The processor obtains a distribution of the values and estimates a likelihood for each based on the distribution. The processor generates a code word to represent each value, a size of each code word is inversely proportional to the likelihood of the word. The processor assigns a rank to each code word, the rank for each represents the likelihood of the value represented by the code word; and based on the rank associated with each code word, the processor reorders each dictionary entry in the value conversion dictionary to associate each dictionary entry with an equivalent rank, the reordered value conversion dictionary comprises an architected dictionary.

Abstract: A single architected instruction to produce a signature for a message is obtained. The instruction is executed, and the executing includes determining a sign function of a plurality of sign functions supported by the instruction to be performed. Input for the instruction is obtained, and the input includes a message and a cryptographic key. A signature is produced based on the sign function to be performed and the input. The signature is to be used to verify the message.

Abstract: Saving and restoring machine state between multiple executions of an instruction. A determination is made that processing of an operation of an instruction executing on a processor has been interrupted prior to completion. Based on determining that the processing of the operation has been interrupted, current metadata of the processor is extracted. The metadata is stored in a location associated with the instruction and used to re-execute the instruction to resume forward processing of the instruction from where it was interrupted.

Abstract: A method is provided. A secure interface control in communication with an untrusted entity perform the method. In this regard, the secure interface control implements an initialization instruction to set donated storage as secure. The implementing of the initialization instruction is responsive to an instruction call issued from the untrusted entity.