Abstract: A method includes generating a set of virtual-machine-specific (VMS) encryption keys for a dedicated virtual machine, storing the set of VMS encryption keys in a protected memory, storing a first look-up table in the protected memory, and replacing an encryption key stored in a crypto unit with at least one VMS encryption key of the set of VMS encryption keys in an operation mode where the dedicated virtual machine is executed by a processor. The protected memory is selectively excluded from access by operating systems executable on a computer system. The look-up table being accessible only by firmware of the computer system.

Abstract: A management system and method that generally allocates a virtual function to a virtual function definition of a virtual server, where the virtual function definition of the virtual server is previously assigned with a unique function identifier, and assigns the unique function identifier to the virtual function in response to the allocating of the virtual function, where the unique function identifier causes a discovery of the virtual function by the virtual server.

Abstract: A method includes generating a set of virtual-machine-specific (VMS) encryption keys for a dedicated virtual machine, storing the set of VMS encryption keys in a protected memory, storing a first look-up table in the protected memory, and replacing an encryption key stored in a crypto unit with at least one VMS encryption key of the set of VMS encryption keys in an operation mode where the dedicated virtual machine is executed by a processor. The protected memory is selectively excluded from access by operating systems executable on a computer system. The look-up table being accessible only by firmware of the computer system.

Abstract: A management system and method that generally allocates a virtual function to a virtual function definition of a virtual server, where the virtual function definition of the virtual server is previously assigned with a unique function identifier, and assigns the unique function identifier to the virtual function in response to the allocating of the virtual function, where the unique function identifier causes a discovery of the virtual function by the virtual server.

Abstract: Embodiments of the present invention disclose a method, computer program product, and system for applying a plurality of program patch sets on a plurality of computer programs. Virtual machines are prepared to be patchable, in response to a suspended computer program. Synchronized snapshots of the virtual machines are created. A plurality of binary code sections of each of the synchronized snapshots are determined. Symbol data information of each of the synchronized snapshots are analyzed, based on the program patch sets. The determined binary code sections are replaced with a set of patch data, based on the plurality of program patch sets, resulting in patched snapshots for each of the synchronized snapshots. Dependencies of the patch data are adjusted, based on the replaced plurality of binary code sections and the execution of the computer program on each of the virtual machines are resumed using the plurality of patched snapshots.

Abstract: Embodiments of the present invention disclose a method, computer program product, and system for applying a plurality of program patch sets on a plurality of computer programs. Virtual machines are prepared to be patchable, in response to a suspended computer program. Synchronized snapshots of the virtual machines are created. A plurality of binary code sections of each of the synchronized snapshots are determined. Symbol data information of each of the synchronized snapshots are analyzed, based on the program patch sets. The determined binary code sections are replaced with a set of patch data, based on the plurality of program patch sets, resulting in patched snapshots for each of the synchronized snapshots. Dependencies of the patch data are adjusted, based on the replaced plurality of binary code sections and the execution of the computer program on each of the virtual machines are resumed using the plurality of patched snapshots.

Abstract: A method, a computer program product, and a computer system for processing interrupt requests in a computer system. The computer system disables, for a processor, an interrupt request for threads other than an interrupt request handling thread. The computer system configures the processor to route the interrupt request to the interrupt request handling thread. The computer system determines, by the interrupt request handling thread, whether one of the threads needs to process the interrupt request. The computer presents, by the interrupt request handling thread, the interrupt request to the one of the threads, in response to determining that the one of the threads needs to process the interrupt request.

Abstract: Dynamically assigning network addresses provided by a server in a network to virtual network adapters in virtual machines, in which a reassignment of the assigned network addresses due to suspending virtual machines is prevented. Network addresses of the virtual machines in the network are logged. Network addresses are combined with information about suspending and/or resuming virtual machines by a control instance. Information about the network addresses of suspended virtual machines for its virtual network adapters with dynamically assigned network addresses is sent to the server.

Abstract: A method, a computer program product, and a computer system for processing interrupt requests in a computer system. The computer system disables, for a processor, an interrupt request for threads other than an interrupt request handling thread. The computer system configures the processor to route the interrupt request to the interrupt request handling thread. The computer system determines, by the interrupt request handling thread, whether one of the threads needs to process the interrupt request. The computer presents, by the interrupt request handling thread, the interrupt request to the one of the threads, in response to determining that the one of the threads needs to process the interrupt request.

Abstract: A method of securely deleting data from a data storage device is described. The method includes the steps of receiving a secure delete command to securely delete a file. A data block of the file to securely delete is identified. A pointer to the data block is stored in a deletion buffer. It is then determined whether the secure delete command has a highest priority over other data storage device commands. In response to the secure delete command having the highest priority, the secure delete command to the data block is performed.

Abstract: Methods are provided for using a hardware module connectable to multiple computer systems, where the multiple computer systems are connectable to a server within a common network. The method includes: providing a network address of the server in persistent memory of the hardware security module; providing an encrypted secret entity in the persistent memory of the hardware security module; providing a private key in the persistent memory of the hardware security module; and based on the hardware security module being connectable to one of the computer systems, the method includes: establishing a secure connection between the hardware security module and the server; retrieving, via the secure connection, a wrapping key from the server and storing it in volatile memory of the hardware security module; and decrypting the encrypted secret entity with the wrapping key and storing the decrypted secret entity in the volatile memory of the hardware security module.

Abstract: Managing a virtual computer resource on at least one virtual machine. The managing of the virtual computer resource on the at least one virtual machine is by controlling execution of the virtual computer resource on the at least one virtual machine by a virtual machine instance, such as a firmware facility, of a trusted part of a computer system. The virtual machine instance is unique in the computer system.

Abstract: Managing a virtual computer resource on at least one virtual machine. The managing of the virtual computer resource on the at least one virtual machine is by controlling execution of the virtual computer resource on the at least one virtual machine by a virtual machine instance, such as a firmware facility, of a trusted part of a computer system. The virtual machine instance is unique in the computer system.

Abstract: A computer-implemented method, carried out by one or more processors, for policy based virtual resource allocation. In an embodiment, the method includes identifying a number of host resources specified by host resource requirements for a first resource consumer. The method determines if the host resource requirements include a list of host resource pools for the first resource consumer. Responsive to determining that the host resource requirements include the list of host resource pools for the first resource consumer, a first set of eligible host resource pools is identified. An allocation policy may be identified, where the allocation policy includes one or more parameters for allocating host resources. Host resources from the first set of eligible host resource pools are allocated based on the allocation policy.

Abstract: Approving a group purchase request for a group of articles. A sub-group of articles is selected, wherein a unique article approval index is assigned to each of the articles and a highest article approval index is determined among the unique article approval indexes of the articles of the group, wherein the article of the group is selected into the sub-group if the article of the group complies with at least one of following article selection criteria: the unique article approval index of the article of the group is above a predetermined approval index threshold and the unique approval index of the article of the group is equal to the highest article approval index; approving the group purchase request for the group if the group purchase request for the sub-group is approved; and rejecting the group purchase request for the group if the group purchase request for the sub-group is rejected.

Abstract: A computer-implemented method, carried out by one or more processors, for policy based virtual resource allocation. In an embodiment, the method includes identifying a number of host resources specified by host resource requirements for a first resource consumer. The method determines if the host resource requirements include a list of host resource pools for the first resource consumer. Responsive to determining that the host resource requirements include the list of host resource pools for the first resource consumer, a first set of eligible host resource pools is identified. An allocation policy may be identified, where the allocation policy includes one or more parameters for allocating host resources. Host resources from the first set of eligible host resource pools are allocated based on the allocation policy.

Abstract: Techniques are disclosed for concurrently loading a plurality of new modules while code of a plurality of modules of an original computer program is loaded and executed on a computer system. An associated method may include allocating a module thread local storage (TLS) block for each thread within an initial computer program, wherein the allocated module TLS blocks are large enough to hold all module thread variables that are loaded or to be loaded. The method further may include reserving spare areas between the module TLS blocks for adding new module thread variables and arranging at an end of the module TLS blocks a thread data template section for resetting threads or creating new threads. The method may result in addition of modules to the original computer program and/or application of a concurrent patch through replacement of one or more of the plurality of original computer program modules.

Abstract: Trusted firmware on a host server is used for managing access to a hardware security module (HSM) connected to the host server. The HSM stores confidential information associated with an operating system. As part of access management, the firmware detects a boot device identifier associated with a boot device configured to boot the operating system on the host server. The firmware then receives a second boot device identifier from the HSM. The boot device identifier and the second boot device identifier are then compared by the firmware. Based on the comparison, the firmware determines that the boot device identifier matches with the second boot device identifier. Based on this determination, the firmware grants the operating system access to the HSM.

Abstract: Generating a pool of random numbers for use by computer applications. Vibration sensors are placed throughout a machine and collects information theoretic entropy data from the measurement of the vibration sensors. The data is then filtered and added to an entropy pool. Applications needing a random number may acquire a number from the pool. A method, computer program product and system to generate the pool are provided.

Abstract: A method and data processing system are disclosed for concurrently loading a plurality of new modules while code of a plurality of modules of an original (i.e., currently running) computer program is loaded and executed on a computer system. The method may include allocating a module thread local storage (TLS) block for each thread within an initial computer program, wherein the allocated module TLS blocks are large enough to hold all module thread variables that are loaded or to be loaded. The method further may include providing constant offsets between module TLS block pointers corresponding to the module TLS blocks and the module thread variables for all of the threads. The disclosed method may be used to add modules to the original computer program and/or to apply a concurrent patch by replacing one or more of the plurality of original computer program modules.