Patents by Inventor Michael Tsirkin

Michael Tsirkin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11907115
    Abstract: A system includes a memory, a processor in communication with the memory, a hypervisor, and a guest OS. The guest OS is configured to store a plurality of hints in a list at a memory location. Each hint includes an address value and the memory location of the list is included in one of the respective address values associated with the plurality of hints. The guest OS is also configured to pass the list to the hypervisor. Each address value points to a respective memory page of a plurality of memory pages including a first memory page and a last memory page. The hypervisor is configured to free the first memory page pointed to by a first hint of the plurality of hints and free the last memory page pointed to by a second hint of the plurality of hints. Additionally, the last memory page includes the list.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: February 20, 2024
    Assignee: RED HAT, INC.
    Inventor: Michael Tsirkin
  • Patent number: 11900142
    Abstract: Systems and methods for memory management for nested virtual machines. An example method may comprise running, by a host computer system, a Level 0 hypervisor managing a Level 1 virtual machine running a Level 1 hypervisor, wherein the Level 1 hypervisor manages a Level 2 virtual machine, wherein the Level 2 virtual machine is associated with a Peripheral Component Interconnect (PCI) device; generating, by the Level 0 hypervisor, a Level 1 page table by combining records from the guest page table with records from a host page table maintained by the Level 0 hypervisor; generating a Level 2 page table comprising a plurality of Level 2 page table entries; and causing a device driver of the Level 2 virtual machine to use the Level 2 page table for second level address translation.
    Type: Grant
    Filed: June 16, 2021
    Date of Patent: February 13, 2024
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20240045947
    Abstract: A system includes a memory and a processor in communication with the memory. The processor is configured to supply a library with a list of safe callback values, protect the list of safe callback values, invoke a callback, and validate the callback against the list of safe callback values to determine a status of the callback. The status of the callback is one of safe and unsafe. Additionally, the processor is configured to execute the callback responsive to determining the status of the callback is safe. The processor is also configured to abort the callback responsive to determining the status of the callback is unsafe.
    Type: Application
    Filed: October 18, 2023
    Publication date: February 8, 2024
    Inventor: Michael Tsirkin
  • Publication number: 20240039700
    Abstract: Systems and methods for securing assigned peripheral device in virtualized computer system. An example method may comprise receiving, by a virtualized execution environment, a state measurement associated with a peripheral device of the computing system. Generating a guest cryptographic key. Responsive to validating the state measurement, transmitting, to the peripheral device, the guest cryptographic key encrypted using the device cryptographic key. Transmitting, to the peripheral device, an access request that is cryptographically signed using a first value derived from the device cryptographic key or a second value derived from the guest cryptographic key and encrypted using a third value derived from the guest cryptographic key.
    Type: Application
    Filed: July 28, 2022
    Publication date: February 1, 2024
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11886351
    Abstract: Systems and methods for managing host virtual addresses in a system call are disclosed. In one implementation, a processing device may receive, by a supervisor managing a first application, a system call initiated by the first application, wherein a first parameter of the system call specifies a memory buffer virtual address of the first application and a second parameter of the system call specifies the memory buffer virtual address of the second application. The processing device may also translate the memory buffer virtual address of the first application to a first physical address and may translate the memory buffer virtual address of the second application to a second physical address. The processing device may further compare the first physical address to the second physical address and responsive to determining that the first physical address matches the second physical address, the processing device may execute the system call using the memory buffer virtual address of the second application.
    Type: Grant
    Filed: January 7, 2022
    Date of Patent: January 30, 2024
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11888972
    Abstract: A system includes a memory, an application TEE instance, an escrow TEE instance, and a server. The server is configured to receive a request to start the application TEE instance and launch the escrow TEE instance provisioned with a secret. The secret is initially accessible from a first location until the escrow TEE instance is provisioned and accessibility to the secret in the first location is restricted after provisioning the escrow TEE instance with the secret. The escrow TEE instance is configured to obtain a cryptographic measurement associated with the application TEE instance, validate the application TEE instance, and provide the secret from a second location to the application TEE instance.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: January 30, 2024
    Assignee: RED HAT, INC.
    Inventor: Michael Tsirkin
  • Patent number: 11886899
    Abstract: A system includes a memory, a processor in communication with the memory, a hypervisor, and a trusted execution environment (TEE). The TEE is provisioned with a workload and includes an introspection module. The introspection module is configured to execute an introspection command according to an introspection policy. The introspection command is configured to validate at least one memory access associated with the workload. The introspection module is also configured to determine a status of a result of the introspection commands, wherein the status is one of a failure status and a success status.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: January 30, 2024
    Assignee: RED HAT, INC.
    Inventors: Michael Bursell, Michael Tsirkin
  • Patent number: 11880481
    Abstract: A system includes a memory and a processor. The memory is in communication with the processor and configured to initialize a secure interface configured to provide access to a virtual machine (VM) from a device, where the VM is associated with a level of security. A buffer is allocated and associated with the secure interface, where the level of security of the VM indicates whether the device has access to guest memory of the VM via the buffer. The buffer is then provided to the device. Inputs/outputs (I/Os) are sent between the device and the VM using the secure interface.
    Type: Grant
    Filed: January 9, 2023
    Date of Patent: January 23, 2024
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Sergio Lopez Pascual
  • Patent number: 11880704
    Abstract: A method includes creating, by a hypervisor executing on a processing device, a first virtual machine nested within a second virtual machine. The method further includes identifying a context of the second virtual machine and providing, to a context of the first virtual machine, a parent context pointer indicating the context of the second virtual machine.
    Type: Grant
    Filed: June 24, 2020
    Date of Patent: January 23, 2024
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Karen Lee Noel
  • Patent number: 11870846
    Abstract: Systems and methods of the disclosure include: publishing, by a first host computer system of a computing cluster comprising a plurality of host computer systems running a plurality of virtual machines, a list of memory page identifiers, wherein each memory page identifier is associated with a corresponding content identifier; receiving, from a second host computer system of the computing cluster, a memory page request comprising a first memory page identifier; and sending, to the first host computer system, a first memory page identified by the first memory page identifier.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: January 9, 2024
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, David Alan Gilbert
  • Patent number: 11868796
    Abstract: Page request interface overhead reduction for virtual machine migration and write protection in memory may be provided by generating a page table associated with the memory; in response to receiving a write-protection command to prevent write-access to data from a portion of the memory, write-protecting a first range of memory addresses comprising the data write protected from the portion of the memory, wherein a second range of memory addresses comprises data not write protected in the memory; and modifying the page table to include a page table entry associated with the first range of memory addresses being write-protected, wherein write access to a memory address in the first range of memory addresses by a device during write-protection is tracked.
    Type: Grant
    Filed: April 25, 2022
    Date of Patent: January 9, 2024
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20240004696
    Abstract: An example method may include responsive to receiving, by a processing device, an interrupt deferral instruction requesting that interrupts be deferred, disabling delivery of interrupts by the processing device, receiving one or more interrupt requests subsequent to disabling delivery of interrupts, and responsive to determining that a deferral termination criterion is satisfied, delivering one or more interrupts, wherein each of the one or more interrupts is specified by a respective one of the interrupt requests. The method may further include receiving a resume interrupt delivery instruction requesting that deferred and subsequent interrupts be delivered, wherein the deferral termination criterion is satisfied in response to receiving the resume interrupt delivery instruction. The method may further include, responsive to receiving the resume interrupt delivery instruction, enabling delivery of the one or more interrupts and subsequent interrupts by the processing device.
    Type: Application
    Filed: June 29, 2022
    Publication date: January 4, 2024
    Inventor: Michael Tsirkin
  • Patent number: 11860792
    Abstract: Systems and methods for memory management for virtual machines. An example method may include receiving, by a host computing system, a memory access request initiated by a peripheral component interconnect (PCI) device, wherein the memory access request comprises a memory address and an address translation flag specifying an address space associated with the memory address; and responsive to determining that the address translation flag is set to a first value indicating a host address space, causing a host system input/output memory management unit (IOMMU) to pass-through the memory access request.
    Type: Grant
    Filed: May 4, 2021
    Date of Patent: January 2, 2024
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Publication number: 20230418641
    Abstract: A fair and efficient guest to hypervisor virtual machine socket protocol may be provided by: in response to a host determining to reject a message received from a guest that was previously accepted for processing by the host, transmitting a rejection to the guest; in response to receiving, at the guest, the rejection, adding the message to a processing request queue on the guest; in response to determining that resources to handle the message have become available for the guest, transmitting an indication to the guest that the host is able to reaccept the message; in response to receiving, at the guest, the indication, retransmitting the message to the host according to the processing request queue; and in response to receiving the message from the guest a second time, accepting the message in an execution queue in a virtual memory of the host.
    Type: Application
    Filed: June 28, 2022
    Publication date: December 28, 2023
    Inventor: Michael Tsirkin
  • Publication number: 20230418644
    Abstract: Systems and methods for enhancing efficient memory swap for virtual machines. An example method may comprise: receiving, by a hypervisor running on a host computer system, a request, from a virtual machine managed by the hypervisor, to write to a virtual disk a content of a memory page identified by a guest physical address (GPA); detecting, by the hypervisor, that the content of the memory page is stored on a storage device; storing, on the virtual disk, an identifier of a location of the content of the memory page on the storage device; and un-mapping the GPA from the storage device.
    Type: Application
    Filed: June 28, 2022
    Publication date: December 28, 2023
    Inventors: Michael Tsirkin, Andrea Arcangeli
  • Publication number: 20230418509
    Abstract: An example method may include executing one or more first instructions that cause the processing device to enter a privileged execution mode, switching a memory consistency model of the processing device to a strong instruction ordering mode, and executing one or more second instructions in the privileged execution mode, where the one or more second instructions are executed using the strong instruction ordering mode. The method may further include executing one or more third instructions that cause the processing device to exit the privileged execution mode, and, responsive to executing the one or more third instructions, switching the memory consistency model of the processing device to a relaxed instruction ordering mode.
    Type: Application
    Filed: June 27, 2022
    Publication date: December 28, 2023
    Inventor: Michael Tsirkin
  • Publication number: 20230418643
    Abstract: Systems and methods for enhancing memory management for virtual machines. An example method may comprise: accessing, by a hypervisor running on a host computer system, a data structure exposed by a virtual machine managed by the hypervisor, wherein the data structure includes an estimated next access time for one or more memory pages of a plurality of memory pages associated with the virtual machine; estimating a read latency time associated with the virtual machine; identifying, using the data structure, a memory page associated with an estimated next access time that satisfies a predefined condition with respect to the read latency time; and swapping out the memory page.
    Type: Application
    Filed: June 28, 2022
    Publication date: December 28, 2023
    Inventors: Michael Tsirkin, Andrea Arcangeli
  • Publication number: 20230418648
    Abstract: Systems and methods for virtual machine networking can include detecting, by a virtual machine (VM), a primary virtual Network Interface Controller (vNIC) configured with a first media access control (MAC) address assigned to the VM by a hypervisor running on a host computer system, and detecting a standby vNIC configured with a second MAC address. They can further include binding a software Network Interface Controller (NIC) configured with a third MAC address to the primary vNIC and the standby vNIC, and selecting a vNIC from among those two vNICs for use by the software NIC for communicating network data packets. Additionally, they can include assigning the third MAC address to the selected vNIC, and communicating network data packets through the software NIC using the third MAC address.
    Type: Application
    Filed: June 28, 2022
    Publication date: December 28, 2023
    Inventor: Michael Tsirkin
  • Publication number: 20230418646
    Abstract: An example method may include generating a block list comprising a plurality of list items, wherein each list item identifies a respective block of a source virtual machine image, and the list items are ordered in the block list according to a timestamp of each respective block, wherein the timestamp indicates a time of a last access of the respective block, sending the block list to a destination computing device, receiving, from the destination computing device, one or more candidate blocks, determining whether the one or more candidate blocks are included in the source virtual machine image, and sending, to the destination computing device, a result indicating whether the one or more candidate blocks are included in the source virtual machine image.
    Type: Application
    Filed: June 28, 2022
    Publication date: December 28, 2023
    Inventors: Michael Tsirkin, David Gilbert
  • Publication number: 20230418649
    Abstract: Systems and methods for automated efficient memory migration in Non-uniform Memory Access (NUMA) based virtual machines are introduced, comprising exporting one or more informative data objects, from a host machine to at least one virtual machine, wherein the informative data objects include references to pages that have been migrated from a physical source memory node (source node) on the host machine to a new source location on the host machine; inspecting the informative data objects, by the at least one virtual machine; detecting, by the at least one virtual machine, the pages that have been migrated to the new source location; sending a request, by the at least one virtual machine, to the host machine via the hypervisor, to map the pages to a physical destination memory node (destination node) corresponding to a desired virtual destination memory node (destination vNode); and undertaking at least one efficient data migration operation.
    Type: Application
    Filed: June 28, 2022
    Publication date: December 28, 2023
    Inventors: Michael Tsirkin, Andrea Arcangeli