Patents by Inventor Michael Tsirkin

Michael Tsirkin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230315508
    Abstract: Systems and methods for accelerating hypercalls for nested virtual machines. An example method comprises: executing, by a host computer system, a Level 0 hypervisor managing a Level 1 virtual machine (VM); receiving, by a Level 1 hypervisor managing a Level 2 VM, a first function component from a Level 2 hypervisor managing a Level 3 VM, wherein the first function component performs a first functionality associated with a hypercall issued by the Level 3 VM; generating, by the Level 1 hypervisor, a second function component that performs a second functionality associated with the hypercall issued by the Level 2 VM; and responsive to detecting the hypercall issued by the Level 3 VM, causing the Level 0 hypervisor to execute at least one of: the first function component or the second function component.
    Type: Application
    Filed: June 8, 2023
    Publication date: October 5, 2023
    Inventors: Michael Tsirkin, Karen Noel
  • Patent number: 11775328
    Abstract: A packet is received by a first virtual machine supported by a host system from a second virtual machine via a shared memory device that is accessible to a plurality of virtual machines supported by the host system. The first virtual machine determines that the second virtual machine is supported by the host system in view of receiving the packet via the shared memory device. Identification information associated with the second virtual machine is stored in a virtual bond data structure, wherein the identification information associated with the second virtual machine being present in the virtual bond data structure causes the first virtual machine to transmit a subsequent packet to the second virtual machine via the shared memory device.
    Type: Grant
    Filed: August 17, 2020
    Date of Patent: October 3, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Publication number: 20230305872
    Abstract: Efficient central processing unit overcommit for virtual machines with symmetric multi-processing may be provided by, in response to receiving a preemption-disable request on behalf of a virtual machine (VM) running on a physical central processing unit (PCPU), initiating a counter on the PCPU; in response to receiving a preempting task from a hypervisor to perform on the PCPU, checking a counter status for the counter; in response to the counter status being active: performing an ongoing task from the VM on the PCPU; and delaying performance of the preempting task until the counter status is inactive.
    Type: Application
    Filed: March 23, 2022
    Publication date: September 28, 2023
    Inventor: Michael Tsirkin
  • Publication number: 20230308345
    Abstract: A system includes a physical host, a host operating system, and a virtual machine having a virtual network-interface controller. The virtual network-interface controller comprises an uplink, a virtual function, and a physical function having a physical channel and a virtual channel. The hypervisor is configured to receive data that originates at the virtual function, which is forwarded to the physical function on the physical channel of the physical function. The data is further forwarded from the physical function to the uplink. Additionally, the hypervisor is configured to send data that does not originate at the virtual function. The hypervisor sends the data on the virtual channel of the physical function and the physical function forwards the data to the virtual function.
    Type: Application
    Filed: March 25, 2022
    Publication date: September 28, 2023
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20230305875
    Abstract: Systems and methods for virtual machine networking can include creating, by a hypervisor running on a host computer system, a first virtual machine (VM) using a first set of computing resources, where the first set of computing resources includes a portion of a second set of computing resources allocated to a second VM managed by the hypervisor. They can further include assigning a first vNIC (virtual Network Interface Controller) to the first VM and setting up a second vNIC to receive data packets transmitted by the first vNIC. Additionally, they can include associating the second vNIC with an identifier of the first VM and assigning the second vNIC to the second VM.
    Type: Application
    Filed: March 25, 2022
    Publication date: September 28, 2023
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20230297411
    Abstract: Technology for enabling a hypervisor to perform copy on write features on encrypted storage of a virtual machine. An example method may involve: receiving, by a source virtual machine managed by a hypervisor, a measurement associated with a state of a firmware of the hypervisor, a first identifier of a first storage block of the source virtual machine, and a second identifier of a second storage block of a destination virtual machine; validating the measurement associated with the state of the firmware of the hypervisor; and transmitting, to a worker virtual machine, a first cryptographic key for use in copying data of the first storage block to the second storage block.
    Type: Application
    Filed: May 23, 2023
    Publication date: September 21, 2023
    Inventor: Michael Tsirkin
  • Patent number: 11765062
    Abstract: A packet is received by a hypervisor from a first virtualized execution environment, the packet to be provided to a second virtualized execution environment. It is then determined whether the packet was successfully delivered to the second virtualized execution environment. In response to determining that the packet was not successfully delivered to the second virtualized execution environment, a network policy is identified that indicates whether to subsequently provide the packet to the virtualized execution environment. In response to the network policy indicating that the packet is to be subsequently provided, the packet is provided to the virtualized execution environment again.
    Type: Grant
    Filed: January 23, 2020
    Date of Patent: September 19, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Francisco Javier Martinez Canillas, Alberto Carlos Ruiz Ruiz
  • Patent number: 11755512
    Abstract: An example method may include allocating, on a host computer system, a memory page in a memory of an input/output (I/O) device, mapping the memory page into a memory space of a virtual machine associated with a first virtual processor, creating a first entry in an interrupt mapping table in the memory of the I/O device, where the first entry includes a memory address that is associated with a second virtual processor identifier and further includes an interrupt vector identifier; and creating a second entry in an interrupt injection table of an interrupt injection unit of the host computer system, where the second entry is associated with a memory address that corresponds to a second virtual processor, the second entry includes the interrupt vector identifier, and the second entry is further associated with the second virtual processor identifier.
    Type: Grant
    Filed: August 17, 2021
    Date of Patent: September 12, 2023
    Assignee: Red Hat, Inc.
    Inventors: Amnon Ilan, Michael Tsirkin
  • Publication number: 20230281324
    Abstract: A system includes a memory, a processor in communication with the memory, and a first TEE instance. The first TEE instance is configured to maintain an encrypted secret, obtain a cryptographic measurement associated with a second TEE instance, validate the cryptographic measurement, and provision the second TEE instance with the encrypted secret. Additionally, the first TEE instance and the second TEE instance are both configured to service at least a first type of request.
    Type: Application
    Filed: April 3, 2023
    Publication date: September 7, 2023
    Inventor: Michael Tsirkin
  • Patent number: 11748140
    Abstract: The technology disclosed herein enables a hypervisor to send a security policy to a virtual machine, which may use the security policy to validate system call invocations requested by a guest operating system. The system call invocations may be validated prior to being received by the hypervisor. The hypervisor may also validate system call invocations that are successfully validated by the virtual machine. An example method may include: identifying, by a hypervisor on a host machine, a security policy associated with a virtual machine, wherein the security policy specifies one or more validation rules, causing, by the hypervisor, the security policy to be imported into a guest operating system of the virtual machine from the hypervisor, and responsive to receiving, by the guest operating system, a first request to perform a system call, validating, by the guest operating system, the first request in accordance with the validation rules.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: September 5, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11748135
    Abstract: Systems and methods for memory management for virtual machines. An example method may include creating, by a hypervisor running on a host computer system, a virtual device associated with a virtual machine managed by the hypervisor. The virtual device may include a virtual input/output memory management unit (IOMMU). The method may further include appending, by a driver of the virtual device, a plurality of page table entries to a page table of the virtual IOMMU, wherein each page table entry of the plurality of page table entries references unencrypted memory pages used by the virtual machine. Responsive to receiving a memory access request with respect to a memory page, the hypervisor may determine, using the page table of the virtual IOMMU, whether the memory page is encrypted.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: September 5, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11748136
    Abstract: Systems and methods for event notification support for nested virtual machines. An example method may comprise running, by a host computer system, a Level 0 hypervisor managing a Level 1 virtual machine running a Level 1 hypervisor, wherein the Level 1 hypervisor manages a Level 2 virtual machine. The Level 1 hypervisor may generate a virtual device and an input/output (I/O) translation table comprising an I/O translation table entry associated with the virtual device, and associate the I/O translation table entry with a Level 1 virtual machine context maintained by at least one of the Level 0 hypervisor or Level 1 hypervisor. The method may further include, responsive to detecting, by the Level 0 hypervisor, an event notification from the Level 2 virtual machine, causing a central processing unit (CPU) to use the I/O translation table to execute access to the Level 1 guest virtual address.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: September 5, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Karen Lee Noel
  • Patent number: 11748131
    Abstract: Implementations of the disclosure are directed to network updates for virtual machine migration. A method of the disclosure includes receiving an indication over a network that a virtual machine successfully migrated from a source host to a destination host, responsive to the indication, monitoring incoming packets to the source host for an incoming packet having a virtual machine address of the virtual machine at the source host in a destination address field, and upon determining that one or more of the incoming packets to the source host comprise the destination address field having the virtual machine address, providing, to the destination host, a notification that the one or more of the incoming packets having the virtual machine address were received at the source host, the notification indicating that an update of the virtual machine address is to be performed by one or more endpoints of the network.
    Type: Grant
    Filed: November 20, 2019
    Date of Patent: September 5, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11741029
    Abstract: A system and method for input/output communication is disclosed. In one embodiment, a device identifies a queue including a plurality of input/output (I/O) descriptors, each of the plurality of I/O descriptors representing one of: an active descriptor associated with an active I/O request or an executed descriptor that is associated with an executed I/O request. The device retrieves, from a first index in the queue, one or more active descriptors associated with an I/O request. The device executes the I/O request. The device writes a first executed descriptor to a second index in the queue, where the first executed descriptor indicates the I/O request has been executed.
    Type: Grant
    Filed: August 23, 2022
    Date of Patent: August 29, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11734048
    Abstract: Technology for configuring and executing a shallow virtual machine to enhance memory protection between different portions of user space memory of a particular computing process. An example method involves: receiving, by a processor of a host, a request to create a computing process comprising a first and second executable code, wherein the computing process comprises an instruction to cause the processor to switch between first and second page table structures; loading the first and second executable code into memory of the host, wherein the first page table structure comprises mapping data for the first executable code and for the second executable code and wherein the second executable code comprises driver code of a device; updating the second page table structure to disable execution of the first executable code and to provide the second executable code with access to the device; and restricting the first executable code from accessing the device.
    Type: Grant
    Filed: August 23, 2021
    Date of Patent: August 22, 2023
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11734182
    Abstract: A system includes a memory including a plurality of memory pages, a processor in communication with the memory, and a supervisor. The supervisor is configured to locate at least two duplicate memory pages of the plurality of memory pages, write-protect the at least two duplicate memory pages, and add the at least two duplicate memory pages to a list. Responsive to a first page of the at least two duplicate memory pages changing, the supervisor is configured to remove the first page from the list. Responsive to a memory pressure-triggering event, the supervisor is configured to remove a second page of the at least two duplicate memory pages from the list. The second page is reused after removal from the list.
    Type: Grant
    Filed: June 13, 2022
    Date of Patent: August 22, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Karen Lee Noel
  • Patent number: 11734039
    Abstract: Systems and methods for memory management for virtual machines. An example method may include receiving, by a hypervisor running on a host computer system, a request that no topology change notifications be delivered to a virtual machine managed by the hypervisor. The method may then include installing a packet filter on a virtual network interface controller (vNIC) associated with the virtual machine. Responsive to receiving, by the packet filter, a topology change notification packet, the method may include dropping the topology change notification packet.
    Type: Grant
    Filed: May 7, 2020
    Date of Patent: August 22, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Karen Lee Noel
  • Patent number: 11729218
    Abstract: A packet is received by a hypervisor from a first container, the packet to be provided to a second container, the packet including a header including a first network address associated with the second container. A network policy is identified for the packet in view of the first network address. A second network address corresponding to the second container is determined in view of the network policy. A network address translation is performed by the hypervisor to modify the header of the packet to include the second network address corresponding to the second container.
    Type: Grant
    Filed: November 7, 2019
    Date of Patent: August 15, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Francisco Javier Martinez Canillas, Alberto Carlos Ruiz Ruiz
  • Publication number: 20230251883
    Abstract: Peripheral component interface (PCI) cards can be used to coordinate timer access for virtual machines. For example, a computing device can send, by a virtual machine deployed by a hypervisor, a request for a timer. A guest driver can write a timer for the virtual machine into a first portion of memory on a PCI card. The first portion of memory can be mapped to the virtual machine by the hypervisor. The computing device can receive a card interrupt for the timer. The computing device can translate the card interrupt into a timer interrupt. For example, the card interrupt may be received and translated by the hypervisor or the guest driver. The computing device can inject the timer interrupt to the virtual machine. In some examples, the virtual machine may receive the timer interrupt without exiting to the hypervisor.
    Type: Application
    Filed: February 4, 2022
    Publication date: August 10, 2023
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20230246813
    Abstract: A system includes an application instance or application environment instance and a first cloud service of a trusted cloud provider. The first cloud service is configured to receive an encrypted disk image and to launch the application instance or application environment instance. The system also includes a second cloud service of a first alternate cloud provider, which is configured to launch a first attestation service instance from an attestation disk image that includes a secret and to provide the secret to the application instance or application environment instance.
    Type: Application
    Filed: February 17, 2023
    Publication date: August 3, 2023
    Inventor: Michael Tsirkin