Patents by Inventor Michael Tsirkin

Michael Tsirkin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230418645
    Abstract: Systems and methods for enabling a hypervisor that is implemented in the user space to execute privileged instructions on behalf of the virtual machines without triggering VM exits. An example method may comprise detecting, by an exception handler of a virtual machine running on a host computer system, a request to execute a privileged instruction by the virtual machine; storing at least a part of a state of the virtual machine in a memory associated with the virtual machine; signaling, by modifying a predefined memory location in the memory associated with the VM, a request to execute a privileged instruction by a user space processing thread running on the host computer system; and pausing execution of the virtual machine.
    Type: Application
    Filed: June 28, 2022
    Publication date: December 28, 2023
    Inventor: Michael Tsirkin
  • Publication number: 20230409367
    Abstract: Page table entries for a maximum number of virtual functions configurable by a physical function of a single root input-output virtualization (SR-IOV) device can be pre-allocated to provide access for nested virtual machines and containers. For example, a computing device can allocate, by an input-output memory management unit (IOMMU), a page table comprising page table entries to a physical function executed by an SR-IOV device. The number of page table entries can be the maximum number of virtual functions that are configurable by the physical function. A virtual IOMMU executing in a virtual machine deployed by the computing device can map a virtual page table comprising virtual page table entries to the page table comprising page table entries. The virtual machine can assign a virtual function using a virtual page table entry. The virtual page table entry can include a function number and a virtual memory address.
    Type: Application
    Filed: June 15, 2022
    Publication date: December 21, 2023
    Inventor: Michael Tsirkin
  • Patent number: 11847227
    Abstract: A method includes detecting a change in control of a peripheral device from a first security domain to a second security domain of a computer system and, in response to detecting the change in control of the peripheral device, reading a current firmware version of the peripheral device and determining whether the current firmware version of the peripheral device is trusted by the computer system. The method further includes, in response to determining that the current firmware version is trusted by the computer system, providing control of the peripheral device to the second security domain.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: December 19, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11847253
    Abstract: The technology disclosed herein enables efficient launching of trusted execution environments. An example method can include: receiving, by a first computing device, a request from a second computing device to establish a set of trusted execution environments (TEEs) in the first computing device; establishing a first TEE of the set of TEEs in the first computing device, wherein the trusted execution environment comprises an encrypted memory area and executable code; receiving, by the first TEE, cryptographic key data from the first computing device; establishing, by the first TEE, a second TEE of the set of TEEs in the first computing device, wherein the second TEE comprises a copy of the executable code; providing, by the first TEE, the cryptographic key data to the second TEE; and causing the executable code of the second TEE to communicate with the first computing device using the cryptographic key data.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: December 19, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Hingston McLaughlin Bursell, Michael Tsirkin, Nathaniel McCallum
  • Publication number: 20230401078
    Abstract: An example system includes a memory, a processor in communication with the memory, and a hypervisor. The hypervisor is configured to store, as dirty memory, data from a virtual machine (VM) at least until the data is written back into a data storage. The hypervisor is also configured to assign a persistence setting for managing write back of the dirty memory of the VM into the data storage. The hypervisor is also configured to periodically trigger writing at least a portion of the dirty memory of the VM into the data storage based on the persistence setting being a first setting. The hypervisor is also configured to disable periodic triggering, by the hypervisor, of the writing of the dirty memory of the VM into the data storage based on the persistence setting being a second setting.
    Type: Application
    Filed: June 8, 2022
    Publication date: December 14, 2023
    Inventors: Michael Tsirkin, Andrea Arcangeli, Giuseppe Scrivano
  • Publication number: 20230393874
    Abstract: Systems and methods for enabling efficient communication between the hypervisor and the virtual machine to reduce the transition events between the virtual machine and the hypervisor. An example method may include: identifying, by a hypervisor running on a host computer system, a guest memory page referenced by a guest memory page address in a guest memory space of a virtual machine managed by the hypervisor; making the guest memory page inaccessible by the virtual machine; notifying the virtual machine of the guest memory page address; and responsive to receiving, from the virtual machine, a page fault notification with respect to the guest memory page, mapping a host memory page to the guest memory page.
    Type: Application
    Filed: June 2, 2022
    Publication date: December 7, 2023
    Inventors: Michael Tsirkin, Andrea Arcangeli
  • Patent number: 11836517
    Abstract: A method includes receiving a memory access request comprising a first memory address and translating the first memory address to a second memory address using a first page table associated with the first virtual machine. The first page table indicates whether the memory of the first virtual machine is encrypted. The method further includes determining that the first virtual machine is nested within a second virtual machine and translating the second memory address to a third memory address using a second page table associated with the second virtual machine. The second page table indicates whether the memory of the second virtual machine is encrypted.
    Type: Grant
    Filed: October 6, 2022
    Date of Patent: December 5, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Karen Lee Noel
  • Patent number: 11822663
    Abstract: Systems and methods for verifying firmware before it is loaded to a memory device are presented herein. An amount of available memory remaining in a memory device after firmware is written to the memory device is determined, and padding data having a size equal to the determined amount of remaining available memory is generated and appended to the firmware (e.g., the firmware is padded with the padding data). In this way, there is no room for malicious code or a malicious version of the firmware in the memory device. A processing device may determine a verification value of the padded firmware and store the verification value. The verification value may be a cryptographic hash of the padded firmware or a cryptographic signature of the padded firmware. The padded firmware is then written to the memory device. The firmware may be read from the memory device and verified using the verification value.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: November 21, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11822948
    Abstract: In response to a request to remove a PCI device from a virtual machine (VM), a processing device may transmit, to a guest operating system (OS) of a VM, an indication that a peripheral component interconnect (PCI) device connected to the VM has been disconnected such that the PCI device appears disconnected to a PCI port driver of the guest OS and simultaneously communicates with a device driver of the guest OS. The processing device may transmit a device removal request to the device driver. The removal request may be transmitted to the device driver without the delay associated with the “push button” approach to device removal since the guest OS already believes the PCI device has been disconnected from the VM. A graceful removal of the device driver may be performed and the PCI device may be disconnected from the VM.
    Type: Grant
    Filed: December 12, 2019
    Date of Patent: November 21, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11822931
    Abstract: Aspects of the disclosure provide for mechanisms providing a captive portal to manage a driver application for a peripheral device. Systems and methods of the disclosure include: receiving, at a peripheral device from a client device, a request to connect with the peripheral device over a wireless network provided by the peripheral device; in response to receiving the request, establishing a connection with the client device over the wireless network; receiving, at the peripheral device from the client device, another request to access a first web page at a first address via the connection; and redirecting, by a processing device of the peripheral device, the client device to a second web page associated with a driver application for the peripheral device instead of providing the first web page, wherein the driver application enables the client device to request the peripheral device to perform an operation.
    Type: Grant
    Filed: February 12, 2020
    Date of Patent: November 21, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11822641
    Abstract: Systems and methods are disclosed for establishing controlled remote access to debug logs. An example method may comprise: receiving, by a first computing device, from a second computing device, an encrypted file comprising a debug log; running, within a trusted execution environment of the first computing device, a log access application; sending, to the second computing device, a request for access to the debug log by the log access application, wherein the request comprises a validation measurement generated by the trusted execution environment with respect to the log access application; receiving, from the second computing device, an access key; and accessing the debug log using the access key.
    Type: Grant
    Filed: April 29, 2020
    Date of Patent: November 21, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Andrea Arcangeli, Michael Hingston Mclaughlin Bursell
  • Patent number: 11816206
    Abstract: A system includes a memory and a processor in communication with the memory. The processor is configured to supply a library with a list of safe callback values, protect the list of safe callback values, invoke a callback, and validate the callback against the list of safe callback values to determine a status of the callback. The status of the callback is one of safe and unsafe. Additionally, the processor is configured to execute the callback responsive to determining the status of the callback is safe. The processor is also configured to abort the callback responsive to determining the status of the callback is unsafe.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: November 14, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Publication number: 20230362203
    Abstract: A packet is received by a hypervisor from a first container, the packet to be provided to a second container, the packet including a header including a first network address associated with the second container. A network policy is identified for the packet in view of the first network address. A second network address corresponding to the second container is determined in view of the network policy. A network address translation is performed by the hypervisor to modify the header of the packet to include the second network address corresponding to the second container.
    Type: Application
    Filed: July 13, 2023
    Publication date: November 9, 2023
    Inventors: Michael Tsirkin, Francisco Javier Martinez Canillas, Alberto Carlos Ruiz Ruiz
  • Patent number: 11809576
    Abstract: Systems and methods are disclosed for establishing secure remote access to debug logs. An example method may comprise: receiving, by a processing device, from a computing device, an encrypted virtual disk image comprising a set of debug logs; initiating, by the processing device, instantiation of a virtual machine (VM) using the encrypted virtual disk image, wherein the VM is to execute a log access application to analyze the set of debug logs; sending, to the computing device, a request for access to the set of debug logs by the log access application; receiving, from the computing device, an indication granting access to the set of debug logs by the log access application, wherein having access to the set of debug logs allows the log access application to analyze the set of debug logs to identify an issue associated with the set of debug logs.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: November 7, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Andrea Arcangeli
  • Patent number: 11809888
    Abstract: A method includes receiving a request to migrate a virtual machine from a source host to a destination host, mapping, by a hypervisor running on the source host, a first portion of a memory of the virtual machine to a persistent memory device, where the persistent memory device is accessible by the source host machine and the destination host machine, responsive to determining that a time period to execute a synchronization operation with respect to the first portion of the memory by the persistent memory device is below a threshold, stopping the virtual machine on the source host, and starting the virtual machine on the destination host.
    Type: Grant
    Filed: April 29, 2019
    Date of Patent: November 7, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Publication number: 20230350710
    Abstract: The technology disclosed herein enhances a fault-based communication channel between a virtual machine and a hypervisor. An example method may include: configuring, by a hypervisor, a first memory location to generate one or more faults when accessed by a virtual machine process, wherein the first memory location is mapped to a device and a second memory location is mapped to memory; detecting, by firmware, a fault caused by a first execution of an instruction of the virtual machine process, wherein the instruction comprises a reference to a register comprising the first memory location; responsive to detecting the fault, causing the hypervisor to perform a computing task for the virtual machine process; updating the register to comprise the second memory location; and initiating, by the firmware, a second execution of the instruction of the virtual machine process, wherein the second execution of the instruction accesses the second memory location.
    Type: Application
    Filed: July 3, 2023
    Publication date: November 2, 2023
    Inventor: Michael Tsirkin
  • Publication number: 20230342172
    Abstract: Systems and methods for virtual machine communication in a virtualized environment can include identifying an encrypted guest memory location of a virtual machine (VM), the encrypted guest memory location associated with a virtual device, and copying a first set of encrypted data from the encrypted guest memory location to hypervisor memory to create a copied set of encrypted data. They can also include comparing a second set of encrypted data from the encrypted guest memory location with the copied set of encrypted data, and, responsive to detecting a difference between the second set of encrypted data and the copied set of encrypted data, requesting unencrypted data comprising a request related to the virtual device.
    Type: Application
    Filed: April 22, 2022
    Publication date: October 26, 2023
    Inventors: Michael Tsirkin, Karen Noel
  • Publication number: 20230342169
    Abstract: Systems and methods for enabling a Virtual Machine (VM) and hypervisor to communicate are disclosed. An example method includes sending data from a hypervisor to a virtual machine (VM) by storing, by the hypervisor, the data to an encrypted memory page of the VM, wherein the data stored by the hypervisor to the encrypted memory page is not encrypted. The method also includes processing, by the VM, the data stored to the encrypted memory page according to a decryption routine to generate scrambled data. The method also includes looking up, by the VM, the scrambled data in a translation table to obtain unscrambled data, wherein the unscrambled data is the data as it was originally stored to the encrypted memory page by the hypervisor.
    Type: Application
    Filed: April 25, 2022
    Publication date: October 26, 2023
    Inventors: Michael Tsirkin, Karen Lee Noel
  • Publication number: 20230342173
    Abstract: Systems and methods for duplication avoidance are disclosed. In one implementation, a VM can receive a request to perform a file access operation with respect to a file and determine a hash value corresponding to the content of the file. The VM can search for the file identified by the hash value in a host file system. Responsive to failing to find the hash value in the host file system, the VM can search for the hash value in a guest file system of the VM and, responsive to finding the file identified by the hash value in the guest file system, can perform the file access operation with respect to the file.
    Type: Application
    Filed: April 22, 2022
    Publication date: October 26, 2023
    Inventors: Giuseppe Scrivano, Michael Tsirkin
  • Publication number: 20230315652
    Abstract: An example method may include determining whether a preemption flag associated with a first input/output (I/O) queue handling thread is equal to a first value indicating that preemption of the first I/O queue handling thread is forthcoming, wherein the first I/O queue handling thread is executing on a first processor, the first I/O queue handling thread is associated with a first set of one or more queue identifiers, and each queue identifier identifies a queue being handled by the first I/O queue handling thread, and, responsive to determining that the preemption flag is equal to the first value, transferring the first set of one or more queue identifiers to a second I/O queue handling thread executing on a second processor. Transferring the first set of queue identifiers may include removing the one or more queue identifiers from the first set.
    Type: Application
    Filed: March 22, 2022
    Publication date: October 5, 2023
    Inventor: Michael Tsirkin