Patents by Inventor Michael Tsirkin

Michael Tsirkin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230236901
    Abstract: Safe critical section operations for virtual machines with virtual central processing unit overcommit are provided by: in response to identifying a preempting task to run on a first physical central processing unit (PCPU) from a second PCPU, setting a status of a flag in a virtual memory used by a first virtual central processing unit (VCPU) running on the first PCPU to indicate that the preempting task will interrupt the first VCPU; in response to initiating execution of a read-side critical section operation scheduled by the first VCPU to run on the first PCPU, checking the status of the flag in the virtual memory; and in response to the status of the flag being positive: exiting the first VCPU to a hypervisor; executing, by the hypervisor, the preempting task on the first PCPU; and after completing the preempting task, continuing execution of the read-side critical section operation.
    Type: Application
    Filed: January 27, 2022
    Publication date: July 27, 2023
    Inventor: Michael Tsirkin
  • Publication number: 20230236870
    Abstract: Systems and methods for ensuring that data received from a virtual device is random are provided. A processing device may be used to generate, by a virtual device executing on a hypervisor, data intended for a virtual machine (VM) having a guest memory that includes one or more encrypted pages and one or more unencrypted pages. Data written to an encrypted page of the guest memory by the VM is encrypted using an encryption key assigned to the VM and information read from the encrypted page by the VM is decrypted using the encryption key. The hypervisor may write the data to the encrypted page, wherein the data is not encrypted by the encryption key assigned to the VM because it is written by the hypervisor. The VM reads the data from the encrypted page as randomized data because it cannot be properly decrypted by the encryption key.
    Type: Application
    Filed: April 3, 2023
    Publication date: July 27, 2023
    Inventors: Michael Tsirkin, Karen Lee Noel
  • Patent number: 11709716
    Abstract: A method may include receiving, by a privileged component executed by a processing device, bytecode of a packet processing component from an unprivileged component executed by the processing device, analyzing, by the privileged component, the bytecode of the packet processing component to identify whether the bytecode comprises a first command that returns a redirect, analyzing, by the privileged component, the bytecode of the packet processing component to identify whether the bytecode comprises a second command that returns a runtime computed value, and responsive to determining that the bytecode comprises the first command or the second command, setting a redirect flag maintained by the privileged component.
    Type: Grant
    Filed: August 26, 2019
    Date of Patent: July 25, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Jesper Brouer
  • Publication number: 20230221982
    Abstract: Systems and methods for encryption support for virtual machines. An example method may comprise initializing, by a firmware module associated with a virtual machine running on a host computer system, an exclusion range register associated with the virtual machine with a value specifying a first portion of guest memory. The first portion of the guest memory may include an exclusion range marked as reserved. The second portion of the guest memory may be encrypted using an ephemeral encryption key. Virtual machine firmware may identify, in the second portion of the guest memory, an instruction to a virtual device associated with the virtual machine, copy data corresponding to the instruction to the first portion of guest memory, and alert the hypervisor of the data stored in the first portion of guest memory.
    Type: Application
    Filed: March 13, 2023
    Publication date: July 13, 2023
    Inventor: Michael Tsirkin
  • Publication number: 20230221985
    Abstract: A method includes exposing a public cryptographic key associated with a peripheral device of a computing system to a guest running on the computing system. The method further includes receiving, from the guest, a message including a cryptographic nonce value encrypted with the public cryptographic key. The method further includes producing the cryptographic nonce value by decrypting the message using a private cryptographic key associated with the public cryptographic key. The method further includes using a shared cryptographic key generated from the cryptographic nonce value to access contents of a direct memory access (DMA) buffer associated with the peripheral device.
    Type: Application
    Filed: March 13, 2023
    Publication date: July 13, 2023
    Inventor: Michael Tsirkin
  • Patent number: 11698806
    Abstract: Systems and methods for accelerating hypercalls for nested virtual machines. An example method may comprise executing, by a host computer system, a Level 0 hypervisor managing a Level 1 virtual machine (VM). The Level 0 hypervisor receives a first function component from a Level 2 hypervisor managing a Level 3 VM, where the first function component performs a first functionality associated with a hypercall issued by the Level 3 VM; stores the first function component in a memory space associated with the Level 0 hypervisor; detects the hypercall issued by the Level 3 VM; and responsive to detecting the hypercall, executes the first function component to modify a VM context for the Level 3 VM.
    Type: Grant
    Filed: May 4, 2020
    Date of Patent: July 11, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Karen Noel
  • Publication number: 20230214247
    Abstract: Systems and methods providing robust resource removal for virtual machines. In one implementation, a hypervisor may receive configuration data associated with a virtual machine (VM). The hypervisor may determine, based on the configuration data, a type of support by the VM of recovery from unexpected hardware resource removal. The hypervisor may identify, based on the type of support of recovery from unexpected hardware resource removal, a type of access of the VM to one or more hardware resources. The hypervisor may launch the VM according to the type of access to the one or more hardware resources.
    Type: Application
    Filed: January 4, 2022
    Publication date: July 6, 2023
    Inventors: Michael Tsirkin, Karen Lee Noel
  • Patent number: 11693722
    Abstract: The technology disclosed herein enhances a fault-based communication channel between a virtual machine and a hypervisor. An example method may include: configuring, by a hypervisor, a first memory location to generate one or more faults when accessed by a virtual machine process, wherein the first memory location is mapped to a device and a second memory location is mapped to memory; detecting, by the hypervisor, a fault caused by a first execution of an instruction of the virtual machine process, wherein the instruction comprises a reference to a register comprising the first memory location; responsive to the detecting the fault, the hypervisor performing a computing task for the virtual machine process and updating the register to comprise the second memory location; and initiating, by the hypervisor, a second execution of the instruction of the virtual machine process, wherein the second execution of the instruction accesses the second memory location.
    Type: Grant
    Filed: March 23, 2020
    Date of Patent: July 4, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Publication number: 20230205560
    Abstract: A processing device executing a guest receives a request from an application to disable memory deduplication for a memory page associated with the application; identifies a non-mergeable memory range for memory space of the guest, where the non-mergeable memory range is associated with guest memory pages not to be deduplicated; maps, in a page table of the guest, an entry for the memory page to a memory address within the non-mergeable memory range; and causes a host to disable memory deduplication for the memory page responsive to detecting an access of the memory page by the application.
    Type: Application
    Filed: February 17, 2023
    Publication date: June 29, 2023
    Inventors: Michael Tsirkin, Andrea Arcangeli
  • Publication number: 20230194276
    Abstract: A method may include determining, by a navigation system, a route to a destination from an initial position of the navigation system, the route comprising a plurality of edges of a graph representing a map of navigable paths, where each edge represents a path through an environment, the path connecting a first vertex and a second vertex, and each vertex represents at least one of: an endpoint of a path or a junction of two or more paths. Determining the route may include determining an environmental complexity parameter in view of one or more time-varying environmental characteristics of the path at a current time, determining a weight of the edge in view of the environmental complexity parameter, and assigning the weight to the edge, where the route is determined in view of the weight of the edge.
    Type: Application
    Filed: December 22, 2021
    Publication date: June 22, 2023
    Inventor: Michael Tsirkin
  • Publication number: 20230185599
    Abstract: A processing device of a host machine detects a read access of a memory address by a guest executing on the host machine, and causes a memory page to be provided to the guest responsive to detecting the read access. The memory address is associated with a device slot of a communication bus that is not associated with at least one hardware device, and the memory page has a page table entry, mapped to the memory address, that indicates that the memory page is a read-only memory page for the guest.
    Type: Application
    Filed: February 9, 2023
    Publication date: June 15, 2023
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Publication number: 20230185593
    Abstract: Systems and methods for memory management for nested virtual machines. An example method may comprise running, by a host computer system, a hypervisor managing a first virtual machine; responsive to receiving, by the hypervisor, a request to create a second virtual machine nested within the first virtual machine, determining whether the second virtual machine will be using a physical address as a virtual address for a peripheral device; and responsive to determining that the second virtual machine will be using the physical address as the virtual address for the peripheral device, initializing a first data structure for address translation of the physical addresses of the second virtual machine corresponding to virtual addresses of the peripheral device to host virtual addresses.
    Type: Application
    Filed: December 14, 2021
    Publication date: June 15, 2023
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11675615
    Abstract: Zero copy message reception for guests is disclosed. For example, a host has a memory, a device with access to device memory addresses, a processor, and a supervisor. An application with access to application memory addresses (AMA) executes on the host. An AMA is mapped to a page table entry (PTE). The application shares access to a first page of memory addressed by the AMA with the device to store data received by the device for the first application, where the first page is mapped as a device memory address of the plurality of device memory addresses. The application later sends a request to disconnect from the device. The supervisor is configured to copy contents of the first page to a second page in the memory after receiving the request to disconnect, and then update the PTE to address the second page instead of the first page.
    Type: Grant
    Filed: May 9, 2022
    Date of Patent: June 13, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11677733
    Abstract: Systems and methods for firmware validation for encrypted virtual machines are disclosed. An example method may include initiating a boot process to launch a virtual machine on a host machine. The virtual machine can be associated with a first firmware. The method may further include authenticating the virtual machine with an external server using the first firmware. The method may further include receiving secret data associated with the virtual machine from the external server. The secret data may be encrypted with an encryption key. The method may further include, responsive to authenticating a second firmware using the first firmware, completing the boot process to launch the virtual machine using the secret data.
    Type: Grant
    Filed: November 23, 2020
    Date of Patent: June 13, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Publication number: 20230168999
    Abstract: The technology disclosed herein may detect, avoid, or protect against "use after free" or "double free" programming logic errors. An example method may involve: receiving, by a processing device, a memory allocation request; identifying a physical memory address referencing a chunk of memory; identifying a security parameter specifying a number of virtual memory addresses comprised by a set of memory addresses that are mapped to the identified physical memory address; generating a plurality of pointers to the chunk of memory, wherein each pointer of the plurality of pointers references a corresponding virtual memory address of the set of virtual memory addresses; determining a sequential number assigned to the memory allocation request; selecting, among the plurality of pointers, a pointer corresponding to the sequential number; providing the pointer in response to the memory allocation request; and updating pointer validation data indicating validity of the pointer.
    Type: Application
    Filed: January 27, 2023
    Publication date: June 1, 2023
    Inventor: Michael Tsirkin
  • Patent number: 11656891
    Abstract: Technology for enabling a hypervisor to perform copy on write features on encrypted storage of a virtual machine. An example method may involve: receiving, by a guest program from a hypervisor, an indication that identifies a first storage block of a first virtual machine, wherein the first storage block is write protected by the hypervisor; identifying, by the guest program, a second storage block of a second virtual machine; and copying, by the guest program, data of the first storage block to the second storage block, wherein the data of the first storage block and data of the second storage block are encrypted using different cryptographic inputs.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: May 23, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Publication number: 20230153171
    Abstract: Systems and methods for ballooning related memory allocation techniques for execution environments. An example method may comprise maintaining, by an operating system of a hypervisor, a list of free memory pages associated with the execution environment, wherein each entry in the list references a set of memory pages that are contiguous in a guest address space; receiving, from a management application, a request for guest memory to be made available to the hypervisor, wherein the request comprises a minimum size of guest memory requested and a maximum size of guest memory; and responsive to identifying, by the operating system, in the list of free memory pages, a set of contiguous guest memory pages that is greater than or equal to the minimum size of memory requested, and less than or equal to the maximum size of memory requested, releasing the set of contiguous guest memory pages to the hypervisor.
    Type: Application
    Filed: January 6, 2023
    Publication date: May 18, 2023
    Inventors: Michael Tsirkin, David Hildenbrand
  • Publication number: 20230145134
    Abstract: A system includes a memory and a processor. The memory is in communication with the processor and configured to initialize a secure interface configured to provide access to a virtual machine (VM) from a device, where the VM is associated with a level of security. A buffer is allocated and associated with the secure interface, where the level of security of the VM indicates whether the device has access to guest memory of the VM via the buffer. The buffer is then provided to the device. Inputs / outputs (I/Os) are sent between the device and the VM using the secure interface.
    Type: Application
    Filed: January 9, 2023
    Publication date: May 11, 2023
    Inventors: Michael Tsirkin, Sergio Lopez Pascual
  • Publication number: 20230140827
    Abstract: An example method may include: receiving, by a hypervisor, a data packet, identifying a memory location associated with a guest virtual machine and accessible to the guest virtual machine and the hypervisor, wherein a program mapping table comprising one or more mapping table entries is stored at the memory location, each mapping table entry specifying a program selection criterion and a packet processing program. The example method may further include identifying, among the one or more mapping table entries in the program mapping table stored at the memory location, a mapping table entry comprising a particular program selection criterion that is satisfied by the data packet, wherein the identified mapping table entry specifies a first packet processing program, and executing the first packet processing program, wherein the data packet is provided to the first packet processing program as input.
    Type: Application
    Filed: October 28, 2021
    Publication date: May 4, 2023
    Inventors: Michael Tsirkin, Jesper Brouer
  • Publication number: 20230132905
    Abstract: Systems and methods for enabling binary execution by a virtual device. An example method may include creating, by a hypervisor running on a host computer system, a virtual device associated with a virtual machine (VM) managed by the hypervisor; receiving, by the hypervisor, a request to offload a binary file from the VM to the virtual device; determining, by the hypervisor, whether a first measurement associated with the binary file matches a stored second measurement; and responsive to determining that the first measurement matches the second measurement, enabling the virtual device to execute the binary file using the host operating system.
    Type: Application
    Filed: October 28, 2021
    Publication date: May 4, 2023
    Inventors: Jesper Brouer, Michael Tsirkin
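Worked example for patent 11709716 (redirect flag for bytecode received from an unprivileged component). This is an added illustration, not code from the patent or from Red Hat: a flow-insensitive scan over eBPF instructions that sets a flag when any instruction writes XDP_REDIRECT into r0 as an immediate, or writes r0 from a non-immediate source (register copy, arithmetic, memory load, helper call). The instruction struct, opcode constants and the hand-assembled sample programs are constructed here; the scan is deliberately conservative (a redirect on a dead path still trips the flag) and is not a substitute for the kernel verifier.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors the 8-byte struct bpf_insn layout from linux/bpf.h, redeclared
 * so the example builds without kernel headers. */
struct insn {
    uint8_t code;
    uint8_t dst_reg : 4;
    uint8_t src_reg : 4;
    int16_t off;
    int32_t imm;
};

/* eBPF opcode encoding: low 3 bits are the class, high 4 bits the operation,
 * bit 3 selects immediate (K) or register (X) source. */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)
#define BPF_LD    0x00
#define BPF_LDX   0x01
#define BPF_ALU   0x04
#define BPF_JMP   0x05
#define BPF_ALU64 0x07
#define BPF_MOV   0xb0
#define BPF_K     0x00
#define BPF_X     0x08
#define BPF_CALL  0x80
#define BPF_EXIT  0x90
#define BPF_LDDW  0x18      /* BPF_LD|BPF_IMM|BPF_DW: 64-bit immediate, two slots */
#define XDP_REDIRECT 4      /* enum xdp_action */
#define LEN(a) (sizeof (a) / sizeof (a)[0])

struct scan_result {
    bool constant_redirect;  /* some instruction sets r0 to XDP_REDIRECT */
    bool runtime_return;     /* some instruction sets r0 from a non-immediate */
};

static struct scan_result scan(const struct insn *p, size_t n)
{
    struct scan_result r = { false, false };
    for (size_t i = 0; i < n; i++) {
        switch (BPF_CLASS(p[i].code)) {
        case BPF_ALU:
        case BPF_ALU64:
            if (p[i].dst_reg != 0)
                break;
            if (BPF_OP(p[i].code) == BPF_MOV && BPF_SRC(p[i].code) == BPF_K) {
                if (p[i].imm == XDP_REDIRECT)
                    r.constant_redirect = true;
            } else {
                r.runtime_return = true;   /* mov r0, rX; add r0, ...; etc. */
            }
            break;
        case BPF_LDX:
            if (p[i].dst_reg == 0)
                r.runtime_return = true;   /* r0 loaded from memory */
            break;
        case BPF_LD:
            if (p[i].code == BPF_LDDW) {
                /* low 32 bits here, high 32 bits in the next slot's imm */
                if (p[i].dst_reg == 0 && p[i].imm == XDP_REDIRECT &&
                    i + 1 < n && p[i + 1].imm == 0)
                    r.constant_redirect = true;
                i++;                       /* consume the second slot */
            } else {
                r.runtime_return = true;   /* legacy packet loads write r0 */
            }
            break;
        case BPF_JMP:
            if (BPF_OP(p[i].code) == BPF_CALL)
                r.runtime_return = true;   /* helper result is returned in r0 */
            break;
        default:
            break;                         /* stores and jumps do not write r0 */
        }
    }
    return r;
}

/* The flag the privileged component would record for this program. */
bool redirect_flag(const struct insn *p, size_t n)
{
    struct scan_result r = scan(p, n);
    return r.constant_redirect || r.runtime_return;
}

/* Constructed sample programs, hand-assembled for this example. */
#define MOV_K(dst, v)   { .code = BPF_ALU64 | BPF_MOV | BPF_K, .dst_reg = (dst), .imm = (v) }
#define MOV_X(dst, src) { .code = BPF_ALU64 | BPF_MOV | BPF_X, .dst_reg = (dst), .src_reg = (src) }
#define CALL(id)        { .code = BPF_JMP | BPF_CALL, .imm = (id) }
#define EXIT            { .code = BPF_JMP | BPF_EXIT }

bool sample_pass(void)      /* mov r0, XDP_PASS; exit */
{ static const struct insn p[] = { MOV_K(0, 2), EXIT }; return redirect_flag(p, LEN(p)); }
bool sample_redirect(void)  /* mov r0, XDP_REDIRECT; exit */
{ static const struct insn p[] = { MOV_K(0, XDP_REDIRECT), EXIT }; return redirect_flag(p, LEN(p)); }
bool sample_helper(void)    /* r0 = bpf_redirect_map(...) (helper 51); exit */
{ static const struct insn p[] = { MOV_K(2, 0), CALL(51), EXIT }; return redirect_flag(p, LEN(p)); }
bool sample_copy(void)      /* mov r0, r6; exit: value decided at run time */
{ static const struct insn p[] = { MOV_X(0, 6), EXIT }; return redirect_flag(p, LEN(p)); }
bool sample_other_reg(void) /* mov r0, 1; mov r6, r0; exit: r6 written, r0 still constant */
{ static const struct insn p[] = { MOV_K(0, 1), MOV_X(6, 0), EXIT }; return redirect_flag(p, LEN(p)); }

int main(void)
{
    printf("pass=%d redirect=%d helper=%d copy=%d other_reg=%d\n",
           sample_pass(), sample_redirect(), sample_helper(), sample_copy(), sample_other_reg());
    return 0;
}
```

The two conditions are kept separate in the result so a caller can distinguish "statically known to redirect" from "cannot tell"; the flag itself is the disjunction, which is the safe choice for a privileged component that must decide before the program runs.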
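Worked example for publication 20230168999 (use-after-free and double-free detection through multiple virtual aliases of one chunk). This is an added model, not code from the patent: the "virtual addresses" are integer tokens in a constructed address space, the security parameter ALIASES is 4, and each allocation hands out the alias selected by the allocation's sequential number while the validation data records which alias is currently live. A real implementation would back the aliases with page-table mappings so that a stale alias faults; here the translation function performs the check explicitly. The third scenario shows the limit of the scheme: after ALIASES reallocations the alias sequence wraps and an old pointer becomes valid again, which is why the parameter is a security trade-off rather than a constant.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model parameters, constructed for this example. */
#define CHUNK_SIZE   64u
#define ALIASES      4u          /* the security parameter: aliases per chunk */
#define ALIAS_STRIDE 0x10000u    /* each alias lives in its own 64 KiB window */

enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_DOUBLE_FREE,     /* valid pointer, but the chunk is already free */
    CHUNK_STALE_POINTER,   /* pointer names an alias that is no longer live */
};

struct chunk {
    unsigned char backing[CHUNK_SIZE]; /* the single physical chunk */
    unsigned      seq;                 /* sequential number of the next allocation */
    unsigned      valid_alias;         /* pointer validation data */
    bool          allocated;
};

typedef uintptr_t model_va;            /* a virtual address in the model */

static model_va alias_base(unsigned alias) { return (model_va)(alias + 1) * ALIAS_STRIDE; }
static unsigned alias_of(model_va p)       { return (unsigned)(p / ALIAS_STRIDE) - 1; }
static size_t   offset_of(model_va p)      { return (size_t)(p % ALIAS_STRIDE); }

void chunk_init(struct chunk *c) { memset(c, 0, sizeof *c); }

/* Allocate: the alias is chosen by the sequential number and becomes the only
 * valid one, so every pointer handed out earlier now refers to a dead alias. */
model_va chunk_alloc(struct chunk *c)
{
    c->valid_alias = c->seq % ALIASES;
    c->seq++;
    c->allocated = true;
    return alias_base(c->valid_alias);
}

/* Translate a pointer for a len-byte access; NULL on use-after-free,
 * stale alias, or out-of-bounds offset. */
unsigned char *chunk_deref(struct chunk *c, model_va p, size_t len)
{
    if (!c->allocated || alias_of(p) != c->valid_alias)
        return NULL;
    if (offset_of(p) + len > CHUNK_SIZE)
        return NULL;
    return c->backing + offset_of(p);
}

enum chunk_status chunk_free(struct chunk *c, model_va p)
{
    if (alias_of(p) != c->valid_alias)
        return CHUNK_STALE_POINTER;
    if (!c->allocated)
        return CHUNK_DOUBLE_FREE;
    c->allocated = false;
    return CHUNK_OK;
}

/* Scenario 1: a plain double free is reported on the second free. */
enum chunk_status demo_double_free(void)
{
    struct chunk c; chunk_init(&c);
    model_va p = chunk_alloc(&c);
    chunk_free(&c, p);
    return chunk_free(&c, p);
}

/* Scenario 2: a pointer kept across free and reallocation is rejected for both
 * access and free, while the fresh pointer works. */
bool demo_use_after_free_blocked(void)
{
    struct chunk c; chunk_init(&c);
    model_va stale = chunk_alloc(&c);
    chunk_free(&c, stale);
    model_va fresh = chunk_alloc(&c);
    return chunk_deref(&c, fresh, 8) != NULL
        && chunk_deref(&c, stale, 8) == NULL
        && chunk_free(&c, stale) == CHUNK_STALE_POINTER;
}

/* Scenario 3: after ALIASES reallocations the first pointer aliases the live
 * mapping again and is accepted. Returns true when that wraparound is observed. */
bool demo_alias_wraparound(void)
{
    struct chunk c; chunk_init(&c);
    model_va first = chunk_alloc(&c);
    for (unsigned i = 0; i < ALIASES; i++) {
        chunk_free(&c, alias_base(c.valid_alias));
        chunk_alloc(&c);
    }
    return chunk_deref(&c, first, 8) != NULL;
}

int main(void)
{
    printf("double_free=%d uaf_blocked=%d wraparound=%d\n",
           demo_double_free() == CHUNK_DOUBLE_FREE,
           demo_use_after_free_blocked(), demo_alias_wraparound());
    return 0;
}
```

Raising ALIASES widens the window in which a dangling pointer is caught, at the cost of virtual address space per chunk; the wraparound scenario is the check to run when choosing the value.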
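Worked example for publication 20230153171 (releasing a contiguous run of free guest pages that fits between a requested minimum and maximum). This is an added illustration, not code from the patent: the free-page list, the request shape and the sample page frame numbers are constructed here. The point it adds to the abstract is the split rule: a run larger than the maximum is trimmed and the remainder stays on the list, and a run smaller than the minimum is never broken up, so the guest only ever hands the hypervisor ranges it asked for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One free-page list entry: a run of pages contiguous in guest address space. */
struct free_run {
    uint64_t start_pfn;   /* first guest page frame number of the run */
    uint64_t npages;      /* 0 marks a fully consumed entry */
};

struct free_list {
    struct free_run runs[8];
    size_t count;
};

/* Range handed to the hypervisor; npages == 0 means nothing was released. */
struct release {
    uint64_t start_pfn;
    uint64_t npages;
};

/* Find the first run with at least min_pages, release up to max_pages of it and
 * leave any remainder on the list. Malformed requests release nothing. */
struct release balloon_release(struct free_list *fl, uint64_t min_pages, uint64_t max_pages)
{
    struct release out = { 0, 0 };
    if (min_pages == 0 || max_pages < min_pages)
        return out;
    for (size_t i = 0; i < fl->count; i++) {
        struct free_run *r = &fl->runs[i];
        if (r->npages < min_pages)
            continue;                    /* too small: do not fragment further */
        uint64_t take = r->npages < max_pages ? r->npages : max_pages;
        out.start_pfn = r->start_pfn;
        out.npages = take;
        r->start_pfn += take;            /* shrink the run, possibly to zero */
        r->npages -= take;
        return out;
    }
    return out;
}

/* Constructed sample list: runs of 3, 40 and 12 pages. */
static void sample_list(struct free_list *fl)
{
    fl->runs[0] = (struct free_run){ 0x100, 3 };
    fl->runs[1] = (struct free_run){ 0x200, 40 };
    fl->runs[2] = (struct free_run){ 0x400, 12 };
    fl->count = 3;
}

/* Request [8, 16]: the 3-page run is skipped, the 40-page run is split. */
struct release demo_split(void)
{
    struct free_list fl; sample_list(&fl);
    return balloon_release(&fl, 8, 16);
}

/* Pages left in the split run after the request above. */
uint64_t demo_remaining_after_split(void)
{
    struct free_list fl; sample_list(&fl);
    balloon_release(&fl, 8, 16);
    return fl.runs[1].npages;
}

/* Request [64, 128]: no run is large enough, nothing is released. */
struct release demo_no_fit(void)
{
    struct free_list fl; sample_list(&fl);
    return balloon_release(&fl, 64, 128);
}

int main(void)
{
    struct release r = demo_split();
    printf("released pfn=0x%llx npages=%llu, remaining=%llu, no_fit=%llu\n",
           (unsigned long long)r.start_pfn, (unsigned long long)r.npages,
           (unsigned long long)demo_remaining_after_split(),
           (unsigned long long)demo_no_fit().npages);
    return 0;
}
```

Because releases only ever shrink a run from its front, the list never gains entries; a production list would also need to merge adjacent runs when pages are returned, which the abstract does not cover and this example leaves out.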