In Virtual System, E.g., With Translation Means, Etc. (EPO) Patents (Class 711/E12.095)
  • Patent number: 11709786
    Abstract: Example implementations include a system of secure decryption by virtualization and translation of physical encryption keys, the system having a key translation memory operable to store at least one physical mapping address corresponding to at least one virtual key address, a physical key memory operable to store at least one physical encryption key at a physical memory address thereof; and a key security engine operable to generate at least one key address translation index, obtain, from the key translation memory, the physical mapping address based on the key address translation index and the virtual key address, and retrieve, from the physical key memory, the physical encryption key stored at the physical memory address.
    Type: Grant
    Filed: August 17, 2021
    Date of Patent: July 25, 2023
    Assignee: Renesas Electronic Corporation
    Inventors: Ahmad Nasser, Eric Winder
  • Patent number: 11641272
    Abstract: An apparatus including a processor comprising at least one core to execute instructions of a plurality of virtual machines and a virtual machine monitor; and a cryptographic engine comprising circuitry to protect data associated with the plurality of virtual machines through use of a plurality of private keys and an accessor key, wherein each of the plurality of private keys are to protect a respective virtual machine and the accessor key is to protect management structures of the plurality of virtual machines; and wherein the processor is to provide, to the virtual machine monitor, direct read access to the management structures of the plurality of virtual machines through the accessor key and indirect write access to the management structures of the plurality of virtual machines through a secure software module.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: May 2, 2023
    Assignee: Intel Corporation
    Inventors: David M. Durham, Siddhartha Chhabra
  • Patent number: 11573710
    Abstract: Methods, systems and computer program products are provided for managing protection domains (PDs) for files at a file-level or a page-level. PDs may be allocated for multiple purposes, e.g., to protect processes, files, buffers, etc. Files stored in nonvolatile memory (NVM) subject to direct access (DAX) may be protected by file-level or page-level PDs. PDs may comprise protection keys (PKEYs) with user-configurable read and write access control registers (PKRUs). NVM files may be protected from corruption (e.g. by stray writes) by leaving write access disabled except for temporary windows of time for valid writes. File PDs may be managed by a file manager while buffer PDs may be managed by a buffer pool manager. File associations between PDs, files and file address space may be maintained in a file object. Buffer associations between PDs, buffers and buffer address space may be maintained in a buffer descriptor.
    Type: Grant
    Filed: August 20, 2019
    Date of Patent: February 7, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Purvi Shah, Georgiy I. Reynya, Stanislav A. Oks
  • Patent number: 11526451
    Abstract: Embodiments are directed to providing a secure address translation service. An embodiment of a system includes a memory device to store memory data in a plurality of physical pages shared by a plurality of devices, a first table to map each page of memory to an associated bundle identifier (ID) that identifies one or more devices having access to a page of memory, a second table to map each bundle ID to page access permissions that define access to one or more pages associated with a bundle ID and a translation agent to receive requests from the plurality of devices to perform memory operations on the memory and determine page access permissions for requests received from the plurality of devices using the first table and the second table.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: December 13, 2022
    Assignee: Intel Corporation
    Inventors: David Koufaty, Anna Trikalinou, Utkarsh Y. Kakaiya, Ravi Sahita, Ramya Jayaram Masti
  • Patent number: 8918610
    Abstract: A chip including a processor for performing a predetermined operation, a provider for providing a clock signal, with which the processor is clocked, a counter for decrementing or incrementing a count based on the clock signal, a monitor for signaling the predetermined operation to be prevented, depending on the count, and a non-volatile storage for non-volatily storing the count.
    Type: Grant
    Filed: December 8, 2004
    Date of Patent: December 23, 2014
    Assignee: Infineon Technologies AG
    Inventor: Peter Laackmann
  • Patent number: 8904106
    Abstract: In a method for allocating space on a logical disk, a computer receives an allocation request to allocate a number of requested logical disk extents. The computer selects one of a first group having an array of logical disk extents and a second group having an array of logical disk extents. The computer selects a group having a number of free logical disk extents that is greater than or equal to the number of requested logical disk extents. The logical disk extents in the array of the first group and in the array of the second group correspond to disk blocks on a logical disk. The logical disk spans one or more physical random access disks. The computer locks the selected group to prevent allocating a logical disk extent other than in response to the allocation request.
    Type: Grant
    Filed: June 22, 2011
    Date of Patent: December 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: Adekunle Bello, Aruna Yedavilli
  • Patent number: 8756361
    Abstract: A disk drive is disclosed comprising a head actuated over a rotatable disk. A write operation is processed to write data on the disk using the head, wherein prior to writing the data on the disk, logical-to-physical mapping information is stored in a circular buffer, wherein the logical-to-physical mapping information identifies locations on the disk to write the data. A plurality of metadata files are written on the disk using the head, wherein the plurality of metadata files are interspersed with the data on the disk and each of the metadata files includes contents of the circular buffer at a time the metadata file is written on the disk. When the write operation is aborted, the logical-to-physical mapping information in the circular buffer is modified to identify the locations on the disk actually written.
    Type: Grant
    Filed: June 22, 2011
    Date of Patent: June 17, 2014
    Assignee: Western Digital Technologies, Inc.
    Inventors: Marcus A. Carlson, David C. Pruett
  • Patent number: 8650360
    Abstract: With a RAID group not configured from a plurality of storage devices, a storage area of a storage device is provided directly to a virtual volume instead of providing a logical volume inside the RAID group to the virtual volume. That is, the storage system, upon receiving a write request with respect to a virtual storage area, first, specifies a data redundancy configuration (the number of data partitions and the number of created parities) and a RAID level set to a virtual volume including this virtual storage area. The storage system selects storage devices in the numbers in accordance with the specified RAID level and redundancy configuration for this virtual storage area. The storage system selects, from among the selected storage devices, a storage area that is not allocated to any virtual storage area, and allocates this storage area to this virtual storage area. The storage system partitions the data and writes this data together with the parity to this allocated storage area.
    Type: Grant
    Filed: May 20, 2013
    Date of Patent: February 11, 2014
    Assignee: Hitachi, Ltd.
    Inventors: Taro Ishizaki, Katsuyoshi Suzuki
  • Patent number: 8549211
    Abstract: A method for providing hardware support for memory protection and virtual memory address translation for a virtual machine. The method includes executing a host machine application within a host machine context and executing a virtual machine application within a virtual machine context. A plurality of TLB (translation look aside buffer) entries for the virtual machine context and the host machine context are stored within a TLB. Memory protection bits for the plurality of TLB entries are logically combined to enforce memory protection on the virtual machine application.
    Type: Grant
    Filed: December 13, 2012
    Date of Patent: October 1, 2013
    Inventor: H. Peter Anvin
  • Patent number: 8468302
    Abstract: The storage system is coupled to a host apparatus and includes a plurality of storage devices, each of which includes a plurality of real pages, and a controller. The controller is configured to: manage the plurality of storage devices as a pool; provide a virtual volume to the host apparatus, the virtual volume including a plurality of virtual pages to each of which a portion of the pool is allocated in accordance with a write command; distribute data written in a first virtual page to a first group of real pages, the first group of real pages making up a redundant array and being selected from different storage devices; and migrate data stored in a first real page, which is a real page of the first group and belongs to a first storage device, to another storage device without migrating data stored in another real page of the first group.
    Type: Grant
    Filed: January 14, 2010
    Date of Patent: June 18, 2013
    Assignee: Hitachi, Ltd.
    Inventors: Taro Ishizaki, Katsuyoshi Suzuki
  • Patent number: 8335903
    Abstract: Provided are a method and a system for processing an access to a disk block. The system receives a disk block access request from an OS domain, determines whether the OS domain is permitted to access a disk block with reference to a predetermined block table and processes disk block access of the OS domain according to the determination result. Accordingly, OS domains can share caches without having data copy through memory access control in a virtual machine monitor environment. Furthermore, a device domain controls access to a disk drive so that data corruption can be prevented.
    Type: Grant
    Filed: March 21, 2008
    Date of Patent: December 18, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Joo-young Hwang, Jae-min Ryu, Sang-bum Suh
  • Patent number: 8307166
    Abstract: An apparatus includes: a memory; a management memory for storing first virtual addresses used by the first program, second virtual addresses used by the second program and management information indicative of association between first and second virtual addresses and physical addresses of the memory; and a processor for executing the first, the second and a management programs, the management program including: receiving a request to assign a shared area to be shared by the first and second programs from the second program; determining a physical address of the shared area corresponding to one of the first and one of the second virtual addresses; transmitting a notification of data writing by the first program to the second program; locking the shared area so as to prevent the second program from writing data after the notification; and unlocking the shared area after the second program has read data from the shared area.
    Type: Grant
    Filed: March 17, 2010
    Date of Patent: November 6, 2012
    Assignee: Fujitsu Limited
    Inventors: Hisashi Kojima, Masahiro Nakada, Tetsuya Shioda
  • Publication number: 20120191922
    Abstract: A shared object space in a computer system provides synchronized access to data objects accessible to a plurality of concurrently running applications in the computer system. The shared object space is allocated a portion of memory of the computer system and concurrently running applications are able to connect to the shared object space. The shared object space restricts simultaneous access to data objects by the concurrently running applications by associating locks with the data objects.
    Type: Application
    Filed: March 30, 2012
    Publication date: July 26, 2012
    Applicant: VMWARE, INC.
    Inventors: David J. MONNIE, Robert BRETL
  • Patent number: 7882317
    Abstract: A first plurality of operating system processes is assigned to a first protection domain, and a second plurality of operating system processes is assigned to a second protection domain. One or more hardware protection mechanisms are used to prevent the first plurality of operating system processes from accessing the memory space of the second plurality of operating system processes, and also to prevent the second plurality of operating system processes from accessing the memory space of the first plurality of operating system processes.
    Type: Grant
    Filed: August 4, 2006
    Date of Patent: February 1, 2011
    Assignee: Microsoft Corporation
    Inventors: Galen C. Hunt, Chris K. Hawblitzel, James R. Larus, Manuel A. Fahndrich, Mark Aiken
  • Publication number: 20100257602
    Abstract: A simple to customize secure IT infrastructure architecture. The IT infrastructure architecture includes a secure general purpose virtualized architecture platform. The IT infrastructure architecture is well suited for delivering simple pre-packaged software solutions to the small business segment as plug and play type appliances. In certain embodiments, the IT infrastructure architecture includes a secure virtual appliance device such as a virtual appliance universal serial bus (USB) key. The IT infrastructure architecture uses embedded server virtualization technology to host applications as a virtual appliance.
    Type: Application
    Filed: April 1, 2009
    Publication date: October 7, 2010
    Inventors: Kevin Kettler, David Konetski, Shree A. Dandekar
  • Publication number: 20100250866
    Abstract: An apparatus includes: a memory; a management memory for storing first virtual addresses used by the first program, second virtual addresses used by the second program and management information indicative of association between first and second virtual addresses and physical addresses of the memory; and a processor for executing the first, the second and a management programs, the management program including: receiving a request to assign a shared area to be shared by the first and second programs from the second program; determining a physical address of the shared area corresponding to one of the first and one of the second virtual addresses; transmitting a notification of data writing by the first program to the second program; locking the shared area so as to prevent the second program from writing data after the notification; and unlocking the shared area after the second program has read data from the shared area.
    Type: Application
    Filed: March 17, 2010
    Publication date: September 30, 2010
    Applicant: Fujitsu Limited
    Inventors: Hisashi Kojima, Masahiro Nakada, Tetsuya Shioda
  • Patent number: 7779220
    Abstract: The present invention, in particular embodiments, is directed to methods, apparatuses and systems directed to the authentication of cartridge-based storage media. In a particular embodiment, the present invention provides authentication passwords that are stored on authorized cartridge-based hard disc drives. The authentication password, in one embodiment, is a hash of an interleaved combination of a cartridge-based hard disc drive's serial number and model number strings. Upon insertion of a locked cartridge-based hard disc drive into a carrier, carrier logic obtains the serial number and model number strings of the hard disc drive and generates a password additionally using a base string. The carrier logic then attempts to unlock/authenticate the cartridge-based hard disc drive with the newly-generated password. Authentication occurs with an authorized cartridge as the password contained in the associated hard disc drive will match the password sent by the carrier logic.
    Type: Grant
    Filed: March 15, 2007
    Date of Patent: August 17, 2010
    Assignee: Quantum Corporation
    Inventor: Anthony E. Pione
  • Publication number: 20090037682
    Abstract: Access control to shared virtual address space within a single logical partition is provided. The access control includes: associating, by a hypervisor of the data processing system, a memory protection key with a portion of a single logical partition's virtual address space being shared by multiple entities, the key preventing access by one of the multiple entities to that portion of the virtual address space, and allowing access by another of the entities to that portion of the virtual address space; and locking by the hypervisor the memory protection key from modification by the one entity, wherein the locking prevents the one entity from modifying the key and thereby gaining access to the portion of the single logical partition's virtual address space with the associated memory protection key. In one embodiment, the one entity is the single logical partition itself, and the another entity is a partition adjunct.
    Type: Application
    Filed: April 28, 2008
    Publication date: February 5, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: William J. ARMSTRONG, Orran Y. KRIEGER, Cathy MAY, Michal OSTROWSKI, Randal C. SWANBERG