Patents by Inventor Angel Nunez Mencias

Angel Nunez Mencias has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20160292086
    Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system comprises one or more processing units sharing the storage, the processing units each having at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key in the chip cache, data transferred between its processor cache and the protected section, and each processing unit respectively encrypts or decrypts, with a segment key, data transferred between the chip cache and the storage, when data relates to a specific segment of the storage.
    Type: Application
    Filed: April 2, 2015
    Publication date: October 6, 2016
    Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias
  • Publication number: 20160292085
    Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system includes one or more processing units sharing the storage. Each of the processing units has at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key, data transferred between its processor cache and the storage, when data relates to the protected section used by the hypervisor; and each processing unit respectively encrypts or decrypts, with a virtual machine key, data transferred between its processor cache and the storage, when data relates to storage areas used by a virtual machine.
    Type: Application
    Filed: April 2, 2015
    Publication date: October 6, 2016
    Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias
  • Patent number: 9454346
    Abstract: Generating a pool of random numbers for use by computer applications. Vibration sensors are placed throughout a machine and collect entropy data from the measurements of the vibration sensors. The data is then filtered and sent via secure connection to a second machine to be added to the second machine's entropy pool. Applications needing a random number may acquire a number from the pool. A method, computer program product and system to generate the pool are provided.
    Type: Grant
    Filed: November 23, 2015
    Date of Patent: September 27, 2016
    Assignee: International Business Machines Corporation
    Inventors: Volker Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob Lang, Mareike Lattermann, Budy D Notohardjono, Angel Nunez-Mencias
  • Publication number: 20160274899
    Abstract: A method and data processing system are disclosed for concurrently loading a plurality of new modules while code of a plurality of modules of an original (i.e., currently running) computer program is loaded and executed on a computer system. The method may include allocating a module thread local storage (TLS) block for each thread within an initial computer program, wherein the allocated module TLS blocks are large enough to hold all module thread variables that are loaded or to be loaded. The method further may include providing constant offsets between module TLS block pointers corresponding to the module TLS blocks and the module thread variables for all of the threads. The disclosed method may be used to add modules to the original computer program and/or to apply a concurrent patch by replacing one or more of the plurality of original computer program modules.
    Type: Application
    Filed: May 31, 2016
    Publication date: September 22, 2016
    Inventors: Angel Nunez Mencias, Albert Schirmer, Christine Axnix, Stefan Usenbinz
  • Patent number: 9436457
    Abstract: A method and data processing system are disclosed for concurrently loading a plurality of new modules while code of a plurality of modules of an original (i.e., currently running) computer program is loaded and executed on a computer system. The method may include allocating a module thread local storage (TLS) block for each thread within an initial computer program, wherein the allocated module TLS blocks are large enough to hold all module thread variables that are loaded or to be loaded. The method further may include providing constant offsets between module TLS block pointers corresponding to the module TLS blocks and the module thread variables for all of the threads. The disclosed method may be used to add modules to the original computer program and/or to apply a concurrent patch by replacing one or more of the plurality of original computer program modules.
    Type: Grant
    Filed: August 11, 2014
    Date of Patent: September 6, 2016
    Assignee: International Business Machines Corporation
    Inventors: Angel Nunez Mencias, Albert Schirmer, Christine Axnix, Stefan Usenbinz
  • Publication number: 20160253195
    Abstract: A computer-implemented method, carried out by one or more processors, for policy based virtual resource allocation. In an embodiment, the method includes identifying a number of host resources specified by host resource requirements for a first resource consumer. The method determines if the host resource requirements include a list of host resource pools for the first resource consumer. Responsive to determining that the host resource requirements include the list of host resource pools for the first resource consumer, a first set of eligible host resource pools is identified. An allocation policy may be identified, where the allocation policy includes one or more parameters for allocating host resources. Host resources from the first set of eligible host resource pools are allocated based on the allocation policy.
    Type: Application
    Filed: February 27, 2015
    Publication date: September 1, 2016
    Inventors: Gerhard Banzhaf, James M. Jenks, Angel Nunez Mencias, Eric A. Weinmann
  • Publication number: 20160253191
    Abstract: A computer-implemented method, carried out by one or more processors, for policy based virtual resource allocation. In an embodiment, the method includes identifying a number of host resources specified by host resource requirements for a first resource consumer. The method determines if the host resource requirements include a list of host resource pools for the first resource consumer. Responsive to determining that the host resource requirements include the list of host resource pools for the first resource consumer, a first set of eligible host resource pools is identified. An allocation policy may be identified, where the allocation policy includes one or more parameters for allocating host resources. Host resources from the first set of eligible host resource pools are allocated based on the allocation policy.
    Type: Application
    Filed: September 30, 2015
    Publication date: September 1, 2016
    Inventors: Gerhard Banzhaf, James M. Jenks, Angel Nunez Mencias, Eric A. Weinmann
  • Patent number: 9432183
    Abstract: Aspects include encrypting data exchanged between two computer systems. A method includes accessing content of a memory, via a memory address, by at least one processing unit of one of the computer systems. Based on the accessing being a write operation, the content of the memory is encrypted using a memory encryption key, the encrypting is by a crypto unit of the at least one of the processing units. Based on the accessing being a read operation, the content of the memory is decrypted using the same memory encryption key, the decrypting is by a crypto unit of the at least one of the processing units. Remote direct memory access is established via memory addresses between the computer systems, the establishing including at least one of the computer systems locally storing a respective network encryption key as memory encryption keys for memory areas used for the data exchange.
    Type: Grant
    Filed: December 8, 2015
    Date of Patent: August 30, 2016
    Assignee: International Business Machines Corporation
    Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias, Christoph Raisch, Christopher S. Smith
  • Patent number: 9424102
    Abstract: In an approach to grouping tasks initialized by a first user, one or more computer processors receive a first task initialization by a first user. The one or more computer processors determine whether one or more additional tasks contained in one or more task groups are in use by the first user. Responsive to determining one or more additional tasks contained in one or more task groups are in use, the one or more computer processors determine whether the first task is related to at least one task of the one or more additional tasks. Responsive to determining the first task is related to at least one task of the one or more additional tasks, the one or more computer processors add the first task to the task group containing the at least one related task of the one or more additional tasks.
    Type: Grant
    Filed: May 14, 2014
    Date of Patent: August 23, 2016
    Assignee: International Business Machines Corporation
    Inventors: Volker M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez Mencias
  • Publication number: 20160239667
    Abstract: At least one hardware security module out of a plurality of hardware security modules is assigned to a guest system. The at least one hardware security module out of the plurality of hardware security modules is configured with a master key. A data pattern is used for a challenge protocol adapted to prove that the at least one hardware security module out of the plurality of hardware security modules is configured with the master key. The at least one hardware security module including the master key is assigned to the guest system based on a positive outcome of the challenge protocol.
    Type: Application
    Filed: February 13, 2015
    Publication date: August 18, 2016
    Inventors: Volker M. M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez Mencias
  • Publication number: 20160241393
    Abstract: At least one hardware security module out of a plurality of hardware security modules is assigned to a guest system. The at least one hardware security module out of the plurality of hardware security modules is configured with a master key. A data pattern is used for a challenge protocol adapted to prove that the at least one hardware security module out of the plurality of hardware security modules is configured with the master key. The at least one hardware security module including the master key is assigned to the guest system based on a positive outcome of the challenge protocol.
    Type: Application
    Filed: November 14, 2015
    Publication date: August 18, 2016
    Inventors: Volker M. M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez Mencias
  • Patent number: 9405581
    Abstract: A computer-implemented method, carried out by one or more processors, for managing resources in a server environment. In an embodiment, the method includes determining to prepare one or more virtual resources for activation of one or more allocated host resources, based, at least in part, on virtual resource definitions. The one or more allocated host resources and the one or more virtual resources are activated. Activation of the one or more virtual resources is finalized, wherein finalizing the activation includes updating the virtual resource definitions.
    Type: Grant
    Filed: September 8, 2014
    Date of Patent: August 2, 2016
    Assignee: International Business Machines Corporation
    Inventors: Gerhard Banzhaf, James M. Jenks, Angel Nunez Mencias, Eric A. Weinmann
  • Patent number: 9400689
    Abstract: A computer-implemented method, carried out by one or more processors, for managing resources in a server environment. In an embodiment, the method includes determining to prepare one or more virtual resources for activation of one or more allocated host resources, based, at least in part, on virtual resource definitions. The one or more allocated host resources and the one or more virtual resources are activated. Activation of the one or more virtual resources is finalized, wherein finalizing the activation includes updating the virtual resource definitions.
    Type: Grant
    Filed: October 23, 2014
    Date of Patent: July 26, 2016
    Assignee: International Business Machines Corporation
    Inventors: Gerhard Banzhaf, James M. Jenks, Angel Nunez Mencias, Eric A. Weinmann
  • Publication number: 20160149789
    Abstract: Integrating a further communication bridge into a running data processing system. The data processing system includes a communication client running a first operating system having no own communication stack and at least a first communication bridge running a second operating system having an own communication stack. The first communication bridge is configured as a master communication bridge. The further communication bridge announces itself as a slave communication bridge at an announcement time. The master communication bridge executes a quiesce process on the network adapter and on the API of the communication client when there are no data packets in the queue with a sending time earlier than the announcement time. The master communication bridge extracts the state of its communication stack and sends it to the further communication bridge. The master communication bridge resumes the network adapter and the API.
    Type: Application
    Filed: November 20, 2015
    Publication date: May 26, 2016
    Inventors: Jakob C. Lang, Andreas Maier, Rene Trumpp, Angel Nunez Mencias
  • Patent number: 9342360
    Abstract: A virtual machine (VM) migration from a source virtual machine monitor (VMM) to a destination VMM on a computer system. Each of the VMMs includes virtualization software, and one or more VMs are executed in each of the VMMs. The virtualization software allocates hardware resources in a form of virtual resources for the concurrent execution of one or more VMs and the virtualization software. A portion of a memory of the hardware resources includes hardware memory segments. A first portion of the memory segments is assigned to a source logical partition and a second portion is assigned to a destination logical partition. The source VMM operates in the source logical partition and the destination VMM operates in the destination logical partition. The first portion of the memory segments is mapped into a source VMM memory, and the second portion of the memory segments is mapped into a destination VMM memory.
    Type: Grant
    Filed: May 1, 2015
    Date of Patent: May 17, 2016
    Assignee: International Business Machines Corporation
    Inventors: Utz Bacher, Reinhard Buendgen, Einar Lueck, Angel Nunez Mencias
  • Publication number: 20160134584
    Abstract: Dynamically assigning network addresses provided by a server in a network to virtual network adapters in virtual machines, in which a reassignment of the assigned network addresses due to suspending virtual machines is prevented. Network addresses of the virtual machines in the network are logged. Network addresses are combined with information about suspending and/or resuming virtual machines by a control instance. Information about the network addresses of suspended virtual machines for its virtual network adapters with dynamically assigned network addresses is sent to the server.
    Type: Application
    Filed: November 9, 2015
    Publication date: May 12, 2016
    Inventors: Jakob C. Lang, Angel Nunez Mencias, Thomas Pohl, Martin Troester
  • Patent number: 9329836
    Abstract: Generating a pool of random numbers for use by computer applications. Vibration sensors are placed throughout a machine and collect entropy data from the measurements of the vibration sensors. The data is then filtered and sent via secure connection to a second machine to be added to the second machine's entropy pool. Applications needing a random number may acquire a number from the pool. A method, computer program product and system to generate the pool are provided.
    Type: Grant
    Filed: April 17, 2014
    Date of Patent: May 3, 2016
    Assignee: International Business Machines Corporation
    Inventors: Volker Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob Lang, Mareike Lattermann, Budy D Notohardjono, Angel Nunez-Mencias
  • Publication number: 20160105429
    Abstract: Methods are provided for using a hardware module connectable to multiple computer systems, where the multiple computer systems are connectable to a server within a common network. The method includes: providing a network address of the server in persistent memory of the hardware security module; providing an encrypted secret entity in the persistent memory of the hardware security module; providing a private key in the persistent memory of the hardware security module; and based on the hardware security module being connectable to one of the computer systems, the method includes: establishing a secure connection between the hardware security module and the server; retrieving, via the secure connection, a wrapping key from the server and storing it in volatile memory of the hardware security module; and decrypting the encrypted secret entity with the wrapping key and storing the decrypted secret entity in the volatile memory of the hardware security module.
    Type: Application
    Filed: October 6, 2015
    Publication date: April 14, 2016
    Inventors: Volker M.M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez-Mencias
  • Publication number: 20160092243
    Abstract: Trusted firmware on a host server is used for managing access to a hardware security module (HSM) connected to the host server. The HSM stores confidential information associated with an operating system. As part of access management, the firmware detects a boot device identifier associated with a boot device configured to boot the operating system on the host server. The firmware then receives a second boot device identifier from the HSM. The boot device identifier and the second boot device identifier are then compared by the firmware. Based on the comparison, the firmware determines that the boot device identifier matches with the second boot device identifier. Based on this determination, the firmware grants the operating system access to the HSM.
    Type: Application
    Filed: December 18, 2014
    Publication date: March 31, 2016
    Inventors: Volker M. M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez Mencias
  • Publication number: 20160092687
    Abstract: Trusted firmware on a host server is used for managing access to a hardware security module (HSM) connected to the host server. The HSM stores confidential information associated with an operating system. As part of access management, the firmware detects a boot device identifier associated with a boot device configured to boot the operating system on the host server. The firmware then receives a second boot device identifier from the HSM. The boot device identifier and the second boot device identifier are then compared by the firmware. Based on the comparison, the firmware determines that the boot device identifier matches with the second boot device identifier. Based on this determination, the firmware grants the operating system access to the HSM.
    Type: Application
    Filed: September 30, 2014
    Publication date: March 31, 2016
    Inventors: Volker M. M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez Mencias