Patents by Inventor Amnon Ilan

Amnon Ilan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240072995
    Abstract: Systems and methods for secured peripheral device communication via a bridge device in virtualized computer systems. An example method may comprise receiving, by a virtualized execution environment running on a computing system, a state measurement associated with a bridge device of the computing system; generating an ephemeral key; responsive to validating the state measurement, transmitting, to the bridge device, the ephemeral key encrypted using a device key associated with the bridge device; and transmitting, to the bridge device, an access request directed to a peripheral device accessible via the bridge device, wherein the access request is encrypted using a value derived from the ephemeral key.
    Type: Application
    Filed: August 31, 2022
    Publication date: February 29, 2024
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11900142
    Abstract: Systems and methods for memory management for nested virtual machines. An example method may comprise running, by a host computer system, a Level 0 hypervisor managing a Level 1 virtual machine running a Level 1 hypervisor, wherein the Level 1 hypervisor manages a Level 2 virtual machine, wherein the Level 2 virtual machine is associated with a Peripheral Component Interconnect (PCI) device; generating, by the Level 0 hypervisor, a Level 1 page table by combining records from the guest page table with records from a host page table maintained by the Level 0 hypervisor; generating a Level 2 page table comprising a plurality of Level 2 page table entries; and causing a device driver of the Level 2 virtual machine to use the Level 2 page table for second level address translation.
    Type: Grant
    Filed: June 16, 2021
    Date of Patent: February 13, 2024
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Amnon Ilan
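The abstract above describes folding two levels of translation (the nested guest's records and the Level 0 host's records) into one table that a device driver in the Level 2 VM can use directly. The following is an added illustration, not code from the patent or from Red Hat: it models both tables as page-frame-number maps (all values constructed), builds the combined table, checks that the flattened walk agrees with the two-step walk, and enforces the isolation property that matters for an assigned PCI device, namely that no Level 2 page may resolve to host memory outside the Level 1 VM's own allocation. Function names and the table layout are assumptions for this example.

```python
PAGE_SIZE = 4096

# Constructed page tables (page-frame numbers, not byte addresses); all values are illustrative.
L2_GUEST_TABLE = {0x10: 0x40, 0x11: 0x41, 0x12: 0x45}                 # L2 GPA -> L1 GPA (L1 hypervisor)
L1_HOST_TABLE = {0x40: 0x900, 0x41: 0x901, 0x45: 0x9ff, 0x46: 0xa00}  # L1 GPA -> HPA (Level 0 hypervisor)


def translate(table, addr):
    """Walk a single-level table for one address, preserving the in-page offset."""
    pfn, offset = divmod(addr, PAGE_SIZE)
    if pfn not in table:
        raise LookupError(f"page {pfn:#x} is not mapped")
    return table[pfn] * PAGE_SIZE + offset


def build_level2_table(l2_guest_table, l1_host_table):
    """Fold the L2 guest's records into the host's records: L2 GPA -> HPA in one lookup.

    A record is accepted only if the L1 page it names is actually backed for the L1 VM, so the
    L1 guest cannot point its nested guest (and the PCI device assigned to it) at host memory
    outside the L1 VM's allocation.
    """
    combined = {}
    for l2_pfn, l1_pfn in l2_guest_table.items():
        if l1_pfn not in l1_host_table:
            raise PermissionError(f"L1 page {l1_pfn:#x} is not mapped for the L1 VM")
        combined[l2_pfn] = l1_host_table[l1_pfn]
    return combined


def walks_agree(l2_guest_table, l1_host_table, combined):
    """The flattened table must give the same HPA as the two-step walk for every mapped page."""
    return all(
        translate(combined, pfn * PAGE_SIZE + 0x123)
        == translate(l1_host_table, translate(l2_guest_table, pfn * PAGE_SIZE + 0x123))
        for pfn in l2_guest_table
    )


def dma_targets_within_l1(combined, l1_host_table):
    """Every HPA a device owned by the L2 VM can reach must belong to the L1 VM."""
    return set(combined.values()) <= set(l1_host_table.values())


if __name__ == "__main__":
    table = build_level2_table(L2_GUEST_TABLE, L1_HOST_TABLE)
    print({hex(k): hex(v) for k, v in table.items()})
    print(walks_agree(L2_GUEST_TABLE, L1_HOST_TABLE, table), dma_targets_within_l1(table, L1_HOST_TABLE))
```

The rejection in build_level2_table is the security-relevant step: if a missing Level 1 mapping were silently skipped or filled with a default, the device's second-level translation could be steered at pages the Level 1 VM never owned.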
  • Publication number: 20240039700
    Abstract: Systems and methods for securing an assigned peripheral device in a virtualized computer system. An example method may comprise receiving, by a virtualized execution environment, a state measurement associated with a peripheral device of the computing system; generating a guest cryptographic key; responsive to validating the state measurement, transmitting, to the peripheral device, the guest cryptographic key encrypted using a device cryptographic key; and transmitting, to the peripheral device, an access request that is cryptographically signed using a first value derived from the device cryptographic key or a second value derived from the guest cryptographic key and encrypted using a third value derived from the guest cryptographic key.
    Type: Application
    Filed: July 28, 2022
    Publication date: February 1, 2024
    Inventors: Michael Tsirkin, Amnon Ilan
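Publications 20240072995 (bridge device) and 20240039700 (assigned peripheral) above share one handshake shape: the guest obtains a state measurement, refuses to proceed unless it matches the expected value, then generates its own key, wraps it under a key the device already holds, and encrypts subsequent access requests under a value derived from that guest key. The following is an added example of that exchange with both sides' messages; it is not code from the patents or from Red Hat. Assumptions: the device key is a symmetric secret shared at provisioning time (the abstracts do not say whether it is symmetric or asymmetric), the expected measurement is a SHA-256 of the device firmware, and the seal/unseal functions are an HMAC-based encrypt-then-MAC construction standing in for a real AEAD such as AES-GCM. All names, keys and messages are constructed.

```python
import hashlib
import hmac
import os

# Golden measurement the guest trusts; constructed for this example.
EXPECTED_MEASUREMENT = hashlib.sha256(b"bridge-firmware-v1").digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key so the encryption and MAC keys never coincide."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher (use AES-GCM in production)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class BridgeDevice:
    """Device side: holds a provisioned device key and reports a measurement of its state."""

    def __init__(self, device_key: bytes, firmware: bytes):
        self._device_key = device_key
        self._firmware = firmware
        self._session_key = None
        self.received = []

    def measurement(self) -> bytes:
        return hashlib.sha256(self._firmware).digest()

    def install_ephemeral_key(self, sealed_key: bytes) -> None:
        ephemeral = unseal(self._device_key, sealed_key)  # only a device holding the key recovers it
        self._session_key = _subkey(ephemeral, b"access")

    def handle_access(self, sealed_request: bytes) -> None:
        self.received.append(unseal(self._session_key, sealed_request))


class GuestEnvironment:
    """Virtualized execution environment: validates the measurement before releasing any key."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key  # assumption: symmetric key shared at provisioning time
        self._session_key = None

    def attach(self, device: BridgeDevice) -> None:
        if not hmac.compare_digest(device.measurement(), EXPECTED_MEASUREMENT):
            raise PermissionError("bridge device measurement does not match expected state")
        ephemeral = os.urandom(32)                      # fresh per attach, never reused across guests
        device.install_ephemeral_key(seal(self._device_key, ephemeral))
        self._session_key = _subkey(ephemeral, b"access")

    def access(self, device: BridgeDevice, request: bytes) -> None:
        device.handle_access(seal(self._session_key, request))


def run_handshake(firmware: bytes, request: bytes) -> list:
    """Attach a guest to a bridge device and send one access request; returns what the device decrypted."""
    device_key = b"\x11" * 32  # constructed provisioning secret
    device = BridgeDevice(device_key, firmware)
    guest = GuestEnvironment(device_key)
    guest.attach(device)
    guest.access(device, request)
    return device.received


if __name__ == "__main__":
    print(run_handshake(b"bridge-firmware-v1", b"READ nvme0 lba=0 len=512"))
```

Two properties worth noticing: the guest never sends the ephemeral key until the measurement check has passed, so a device running unexpected firmware learns nothing it can later decrypt; and the access traffic is keyed from the ephemeral value rather than the long-lived device key, so compromise of one session does not expose another guest's traffic to the same device.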
  • Patent number: 11868796
    Abstract: Page request interface overhead reduction for virtual machine migration and write protection in memory may be provided by generating a page table associated with the memory; in response to receiving a write-protection command to prevent write-access to data from a portion of the memory, write-protecting a first range of memory addresses comprising the data write protected from the portion of the memory, wherein a second range of memory addresses comprises data not write protected in the memory; and modifying the page table to include a page table entry associated with the first range of memory addresses being write-protected, wherein write access to a memory address in the first range of memory addresses by a device during write-protection is tracked.
    Type: Grant
    Filed: April 25, 2022
    Date of Patent: January 9, 2024
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11847227
    Abstract: A method includes detecting a change in control of a peripheral device from a first security domain to a second security domain of a computer system and in response to detecting the change in control of the peripheral device, reading a current firmware version of the peripheral device and determining whether the current firmware version of the peripheral device is trusted by the computer system. The method further includes in response to determining that the current firmware version is trusted by the computer system, providing control of the peripheral device to the second security domain.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: December 19, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11822663
    Abstract: Systems and methods for verifying firmware before it is loaded to a memory device are presented herein. An amount of available memory remaining in a memory device after firmware is written to the memory device is determined, and padding data having a size equal to the determined amount of remaining available memory is generated and appended to the firmware (e.g., the firmware is padded with the padding data). In this way, there is no room for malicious code or a malicious version of the firmware in the memory device. A processing device may determine a verification value of the padded firmware and store the verification value. The verification value may be a cryptographic hash of the padded firmware or a cryptographic signature of the padded firmware. The padded firmware is then written to the memory device. The firmware may be read from the memory device and verified using the verification value.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: November 21, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Amnon Ilan
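The padding scheme in patent 11822663 above only works if the verification value covers every byte of the memory device and verification reads back the whole device rather than just the firmware's own length. The following is an added example, not code from the patent or from Red Hat, that models a fixed-size firmware store, pads an image to fill it, records a SHA-256 over the padded image, and then shows why an implant written into the former free space is caught. The device model, sizes, padding byte and function names are assumptions for this example; the abstract allows a cryptographic signature in place of the hash.

```python
import hashlib
import hmac

# Constructed example: a 64-byte "flash" and a tiny fake image; sizes are illustrative.
DEVICE_CAPACITY = 64
FIRMWARE_IMAGE = b"\x7fELF" + b"\x90" * 28   # 32 bytes, leaving 32 bytes of free space


class MemoryDevice:
    """Minimal model of a fixed-size firmware store that only accepts full-size writes."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._cells = bytearray(capacity)

    def write(self, data):
        if len(data) != self.capacity:
            raise ValueError("device must be written in full")
        self._cells[:] = data

    def poke(self, offset, data):
        """Out-of-band write, used below to model an attacker with raw access to the part."""
        self._cells[offset:offset + len(data)] = data

    def read(self):
        return bytes(self._cells)


def pad_firmware(firmware, capacity):
    """Append padding until the image fills the device, so no free space is left for an implant."""
    if len(firmware) > capacity:
        raise ValueError("firmware does not fit the device")
    return firmware + b"\xff" * (capacity - len(firmware))   # pattern is arbitrary: the digest covers it all


def provision(firmware, device):
    """Pad, compute the verification value over the padded image, write it, return the value."""
    padded = pad_firmware(firmware, device.capacity)
    verification_value = hashlib.sha256(padded).digest()  # a signature over the same bytes works too
    device.write(padded)
    return verification_value


def verify(device, verification_value):
    """Read back the entire device, not just the firmware length, and compare."""
    return hmac.compare_digest(hashlib.sha256(device.read()).digest(), verification_value)


def scenario():
    """Returns (clean_ok, after_implant_ok): verification before and after an implant in the free space."""
    device = MemoryDevice(DEVICE_CAPACITY)
    value = provision(FIRMWARE_IMAGE, device)
    clean_ok = verify(device, value)
    device.poke(len(FIRMWARE_IMAGE), b"\xcc" * 8)   # attacker drops code into what used to be free space
    return clean_ok, verify(device, value)


if __name__ == "__main__":
    print(scenario())
```

Had verify hashed only the first len(FIRMWARE_IMAGE) bytes, the implant at offset 32 would pass unnoticed; the padding is what makes "the whole device" a meaningful thing to measure. The verification value itself must be stored where the attacker cannot rewrite it alongside the device contents, which is why a signature (or a hash anchored in tamper-resistant storage) is the practical choice.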
  • Publication number: 20230308345
    Abstract: A system includes a physical host, a host operating system, and a virtual machine having a virtual network-interface controller. The virtual network-interface controller comprises an uplink, a virtual function, and a physical function having a physical channel and a virtual channel. The hypervisor is configured to receive data that originates at the virtual function, which is forwarded to the physical function on the physical channel of the physical function. The data is further forwarded from the physical function to the uplink. Additionally, the hypervisor is configured to send data that does not originate at the virtual function. The hypervisor sends the data on the virtual channel of the physical function and the physical function forwards the data to the virtual function.
    Type: Application
    Filed: March 25, 2022
    Publication date: September 28, 2023
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20230305875
    Abstract: Systems and methods for virtual machine networking can include creating, by a hypervisor running on a host computer system, a first virtual machine (VM) using a first set of computing resources, where the first set of computing resources includes a portion of a second set of computing resources allocated to a second VM managed by the hypervisor. They can further include assigning a first vNIC (virtual Network Interface Controller) to the first VM and setting up a second vNIC to receive data packets transmitted by the first vNIC. Additionally, they can include associating the second vNIC with an identifier of the first VM and assigning the second vNIC to the second VM.
    Type: Application
    Filed: March 25, 2022
    Publication date: September 28, 2023
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11755512
    Abstract: An example method may include allocating, on a host computer system, a memory page in a memory of an input/output (I/O) device, mapping the memory page into a memory space of a virtual machine associated with a first virtual processor, creating a first entry in an interrupt mapping table in the memory of the I/O device, where the first entry includes a memory address that is associated with a second virtual processor identifier and further includes an interrupt vector identifier; and creating a second entry in an interrupt injection table of an interrupt injection unit of the host computer system, where the second entry is associated with a memory address that corresponds to a second virtual processor, the second entry includes the interrupt vector identifier, and the second entry is further associated with the second virtual processor identifier.
    Type: Grant
    Filed: August 17, 2021
    Date of Patent: September 12, 2023
    Assignee: Red Hat, Inc.
    Inventors: Amnon Ilan, Michael Tsirkin
  • Patent number: 11748140
    Abstract: The technology disclosed herein enables a hypervisor to send a security policy to a virtual machine, which may use the security policy to validate system call invocations requested by a guest operating system. The system call invocations may be validated prior to being received by the hypervisor. The hypervisor may also validate system call invocations that are successfully validated by the virtual machine. An example method may include: identifying, by a hypervisor on a host machine, a security policy associated with a virtual machine, wherein the security policy specifies one or more validation rules, causing, by the hypervisor, the security policy to be imported into a guest operating system of the virtual machine from the hypervisor, and responsive to receiving, by the guest operating system, a first request to perform a system call, validating, by the guest operating system, the first request in accordance with the validation rules.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: September 5, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Amnon Ilan
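Patent 11748140 above describes a policy the hypervisor hands to the guest so that system call requests can be rejected inside the guest, with the hypervisor still free to re-validate anything that gets through. The following is an added example of that two-layer arrangement, not code from the patent or from Red Hat. The JSON rule format, the argument constraints, the class and function names, and the two guests (one enforcing the policy, one modelled as compromised and skipping its own check) are all assumptions constructed for this example.

```python
import json
import posixpath

# Constructed policy; the JSON rule layout is an assumption for this example, not the patent's format.
POLICY_JSON = """
{
  "default": "deny",
  "rules": [
    {"syscall": "read",   "action": "allow"},
    {"syscall": "write",  "action": "allow", "args": {"fd": {"max": 2}}},
    {"syscall": "openat", "action": "allow", "args": {"path": {"prefix": "/etc/app/"}}},
    {"syscall": "ptrace", "action": "deny"}
  ]
}
"""


def _arg_ok(constraint, value):
    """Evaluate one argument constraint; paths are normalised so '..' cannot escape a prefix."""
    if "max" in constraint and not (isinstance(value, int) and value <= constraint["max"]):
        return False
    if "prefix" in constraint:
        if not isinstance(value, str) or not posixpath.normpath(value).startswith(constraint["prefix"]):
            return False
    return True


class SecurityPolicy:
    def __init__(self, text):
        doc = json.loads(text)
        self.default_allow = doc["default"] == "allow"
        self.rules = {r["syscall"]: r for r in doc["rules"]}

    def validate(self, name, args):
        rule = self.rules.get(name)
        if rule is None:
            return self.default_allow
        if rule["action"] != "allow":
            return False
        return all(_arg_ok(c, args.get(k)) for k, c in rule.get("args", {}).items())


class Hypervisor:
    def __init__(self):
        self._policies = {}
        self.log = []            # (vm_id, syscall, verdict) for everything that reached the hypervisor

    def assign_policy(self, vm_id, text):
        self._policies[vm_id] = SecurityPolicy(text)

    def export_policy(self, vm_id):
        return self._policies[vm_id]   # what gets imported into the guest at boot

    def handle(self, vm_id, name, args):
        ok = self._policies[vm_id].validate(name, args)   # re-check: the guest's verdict is never trusted
        self.log.append((vm_id, name, "hv-allow" if ok else "hv-deny"))
        return ok


class GuestOS:
    def __init__(self, vm_id, hv, enforces=True):
        self.vm_id, self.hv, self.enforces = vm_id, hv, enforces
        self.policy = hv.export_policy(vm_id)
        self.denied_locally = []

    def syscall(self, name, args):
        if self.enforces and not self.policy.validate(name, args):
            self.denied_locally.append(name)       # rejected in the guest, no exit to the hypervisor
            return False
        return self.hv.handle(self.vm_id, name, args)


def scenario():
    """Returns (syscalls the honest guest rejected itself, what the hypervisor saw and decided)."""
    hv = Hypervisor()
    hv.assign_policy("vm1", POLICY_JSON)
    hv.assign_policy("vm2", POLICY_JSON)
    honest = GuestOS("vm1", hv)
    honest.syscall("read", {"fd": 0})
    honest.syscall("write", {"fd": 5})
    honest.syscall("openat", {"path": "/etc/app/config"})
    honest.syscall("openat", {"path": "/etc/app/../shadow"})
    honest.syscall("ptrace", {"pid": 1})
    rogue = GuestOS("vm2", hv, enforces=False)    # guest kernel compromised: skips its own check
    rogue.syscall("ptrace", {"pid": 1})
    return honest.denied_locally, hv.log


if __name__ == "__main__":
    print(scenario())
```

The guest-side check saves the exits for requests the policy would reject anyway; the hypervisor-side check is what holds when the guest kernel is no longer honest, as the rogue guest's ptrace shows. Path constraints need normalisation before prefix matching, otherwise "/etc/app/../shadow" satisfies a naive startswith.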
  • Patent number: 11734048
    Abstract: Technology for configuring and executing a shallow virtual machine to enhance memory protection between different portions of user space memory of a particular computing process. An example method involves: receiving, by a processor of a host, a request to create a computing process comprising a first and second executable code, wherein the computing process comprises an instruction to cause the processor to switch between first and second page table structures; loading the first and second executable code into memory of the host, wherein the first page table structure comprises mapping data for the first executable code and for the second executable code and wherein the second executable code comprises driver code of a device; updating the second page table structure to disable execution of the first executable code and to provide the second executable code with access to the device; and restricting the first executable code from accessing the device.
    Type: Grant
    Filed: August 23, 2021
    Date of Patent: August 22, 2023
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20230251883
    Abstract: Peripheral component interface (PCI) cards can be used to coordinate timer access for virtual machines. For example, a computing device can send, by a virtual machine deployed by a hypervisor, a request for a timer. A guest driver can write a timer for the virtual machine into a first portion of memory on a PCI card. The first portion of memory can be mapped to the virtual machine by the hypervisor. The computing device can receive a card interrupt for the timer. The computing device can translate the card interrupt into a timer interrupt. For example, the card interrupt may be received and translated by the hypervisor or the guest driver. The computing device can inject the timer interrupt to the virtual machine. In some examples, the virtual machine may receive the timer interrupt without exiting to the hypervisor.
    Type: Application
    Filed: February 4, 2022
    Publication date: August 10, 2023
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20230185593
    Abstract: Systems and methods for memory management for nested virtual machines. An example method may comprise running, by a host computer system, a hypervisor managing a first virtual machine; responsive to receiving, by the hypervisor, a request to create a second virtual machine nested within the first virtual machine, determining whether the second virtual machine will be using a physical address as a virtual address for a peripheral device; and responsive to determining that the second virtual machine will be using the physical address as the virtual address for the peripheral device, initializing a first data structure for translating the physical addresses of the second virtual machine that correspond to virtual addresses of the peripheral device to host virtual addresses.
    Type: Application
    Filed: December 14, 2021
    Publication date: June 15, 2023
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11620156
    Abstract: Methods and systems for improved live migration of computing processes with guaranteed maximum downtime are provided. In a first embodiment, a method is provided that includes migrating a computing process between two virtual machines according to a first migration phase. The computing process may continue executing during the first migration phase. A second migration phase may begin, in which execution of the computing process may stop. It may be detected that a duration of the second migration phase exceeds a predetermined period of time, and the second migration phase may be halted such that the computing process continues executing on an original virtual machine. The predetermined period of time can be determined based on a downtime for resuming execution of the computing process and a predicted worst case start time for the computing process.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: April 4, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20230043929
    Abstract: Systems and methods for storage snapshots for nested virtual machines. An example method may comprise running, by a host computer system, a hypervisor managing a first virtual machine associated with a first virtual device; responsive to the hypervisor creating a second virtual machine, requesting, by the first virtual machine, a first snapshot of the first virtual device; generating, by the hypervisor, the first snapshot of the first virtual device; and forwarding, by the hypervisor, the first snapshot of the first virtual device to the second virtual machine.
    Type: Application
    Filed: August 3, 2021
    Publication date: February 9, 2023
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20230041845
    Abstract: System and method for running virtual machines within containers. An example method may include: running, by a host computer system, a hypervisor managing a first virtual machine implemented by a first container with a first set of resources; creating, by the hypervisor, a second container implementing a second virtual machine, wherein the second container is nested within the first container; determining, by the first virtual machine of the first container, one or more of the first set of resources to assign to the second container; and assigning, by the hypervisor, to the second container the one or more of the first set of resources.
    Type: Application
    Filed: August 3, 2021
    Publication date: February 9, 2023
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20220413884
    Abstract: System and method for reducing latency for nested virtual machines. An example method may include: running, by a host computer system, a hypervisor managing a first virtual machine associated with a first virtual processor (vCPU) implemented by a first processing thread, wherein the first virtual machine manages a second virtual machine; creating, by the hypervisor, a second processing thread implementing a second vCPU associated with the second virtual machine; and responsive to receiving an interrupt directed to the second virtual machine, causing, by the hypervisor, the second processing thread to process the interrupt.
    Type: Application
    Filed: June 29, 2021
    Publication date: December 29, 2022
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20220405111
    Abstract: Systems and methods for memory management for nested virtual machines. An example method may comprise running, by a host computer system, a Level 0 hypervisor managing a Level 1 virtual machine running a Level 1 hypervisor, wherein the Level 1 hypervisor manages a Level 2 virtual machine, wherein the Level 2 virtual machine is associated with a Peripheral Component Interconnect (PCI) device; generating, by the Level 0 hypervisor, a Level 1 page table by combining records from the guest page table with records from a host page table maintained by the Level 0 hypervisor; generating a Level 2 page table comprising a plurality of Level 2 page table entries; and causing a device driver of the Level 2 virtual machine to use the Level 2 page table for second level address translation.
    Type: Application
    Filed: June 16, 2021
    Publication date: December 22, 2022
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20220321433
    Abstract: Systems and methods for zero-copy forwarding for network function virtualization (NFV). An example method comprises: receiving, by a supervisor of a host computer system, a definition of a packet filter originated by a virtual execution environment running on the host computer system; responsive to validating the packet filter, associating the packet filter with a vNIC of the virtual execution environment; receiving, by the supervisor, a network packet originated by the vNIC; and responsive to matching the network packet to a network connection specified by the packet filter, causing the packet filter to forward the network packet via the network connection.
    Type: Application
    Filed: June 16, 2022
    Publication date: October 6, 2022
    Inventors: Amnon Ilan, Michael Tsirkin
  • Publication number: 20220244983
    Abstract: Page request interface overhead reduction for virtual machine migration and write protection in memory may be provided by generating a page table associated with the memory; in response to receiving a write-protection command to prevent write-access to data from a portion of the memory, write-protecting a first range of memory addresses comprising the data write protected from the portion of the memory, wherein a second range of memory addresses comprises data not write protected in the memory; and modifying the page table to include a page table entry associated with the first range of memory addresses being write-protected, wherein write access to a memory address in the first range of memory addresses by a device during write-protection is tracked.
    Type: Application
    Filed: April 25, 2022
    Publication date: August 4, 2022
    Inventors: Michael Tsirkin, Amnon Ilan