Patents by Inventor Brandon S. Baker
Brandon S. Baker has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11314882
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for instantiating and managing systems that utilize hierarchal enclaves in a cloud environment.
Type: Grant
Filed: August 11, 2020
Date of Patent: April 26, 2022
Assignee: Google LLC
Inventors: Nelly Porter, David Benson Cross, Uday Ramesh Savagaonkar, Brandon S. Baker, Sergey Simakov
-
Publication number: 20200372166
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for instantiating and managing systems that utilize hierarchal enclaves in a cloud environment.
Type: Application
Filed: August 11, 2020
Publication date: November 26, 2020
Inventors: Nelly Porter, David Benson Cross, Uday Ramesh Savagaonkar, Brandon S. Baker, Sergey Simakov
-
Patent number: 10776503
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for instantiating and managing systems that utilize hierarchal enclaves in a cloud environment.
Type: Grant
Filed: November 14, 2017
Date of Patent: September 15, 2020
Assignee: Google LLC
Inventors: Nelly Porter, David Benson Cross, Uday Ramesh Savagsonkar, Brandon S. Baker, Sergey Simakov
-
Patent number: 10521265
Abstract: Techniques are disclosed for coalescing timer ticks generated by timers used to service guest operating systems executing in virtual machines. By coalescing timer ticks a logical processor can enter a low power mode thereby reducing power consumed by the system.
Type: Grant
Filed: September 19, 2008
Date of Patent: December 31, 2019
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Haiyong Wang, Brandon S. Baker, Shuvabrata Ganguly, Thomas D. I. Fahrig
-
Patent number: 10509664
Abstract: The present disclosure relates to a distributed disk image deployment during virtual machine instance creation, and to deploying virtual machine instances based on disk image locality. One example method includes receiving, at a first computing node, a request to create a virtual machine instance, the request identifying a disk image to be associated with the virtual machine instance; determining a set of computing nodes from which to transfer the disk image on a locality of the first computing node to each computing node in the set of computing nodes, generating a set of requests for a plurality of portions of the disk image, sending at least one request from the set of requests to each computing node in the set of computing nodes; and receiving, from at least one of the set of computing nodes, one or more portions of the disk image.
Type: Grant
Filed: December 8, 2016
Date of Patent: December 17, 2019
Assignee: Google LLC
Inventors: Michael A. Halcrow, Brandon S. Baker, Nicholas V. Finco, Matthew Riley
-
Patent number: 10361868
Abstract: A method includes receiving a break-glass ticket scope identifying one or more secure containers of a secure container system. The secure containers are instantiated in a non-debuggable state and execute corresponding secure execution environments for contents of the corresponding secure containers. The method also includes generating a pending break-glass ticket having the break-glass ticket scope and transmitting the pending break-glass ticket to a break-glass approver for approval. In response to receiving an approved break-glass ticket from the break-glass approver, the method includes altering an access setting of the one or more secure containers defined in the break-glass ticket scope. The altered access setting allows debugging of the respective contents of the one or more secure containers executing the corresponding secure execution environments.
Type: Grant
Filed: May 23, 2016
Date of Patent: July 23, 2019
Assignee: Google LLC
Inventors: Brandon S. Baker, Uday Savagaonkar
-
Publication number: 20180137299
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for instantiating and managing systems that utilize hierarchal enclaves in a cloud environment.
Type: Application
Filed: November 14, 2017
Publication date: May 17, 2018
Inventors: Nelly Porter, David Benson Cross, Uday Ramesh Savagsonkar, Brandon S. Baker, Sergey Simakov
-
Patent number: 9864627
Abstract: Principles for enabling power management techniques for virtual machines. In a virtual machine environment, a physical computer system may maintain management facilities to direct and control one or more virtual machines executing thereon. In some techniques described herein, the management facilities may be adapted to place a virtual processor in an idle state in response to commands from a guest operating system. One or more signaling mechanisms may be supported such that the guest operating system will command the management facilities to place virtual processors in the idle state.
Type: Grant
Filed: June 23, 2016
Date of Patent: January 9, 2018
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Haiyong Wang, Brandon S. Baker, Shuvabrata Ganguly, Nicholas Stephen Judge
-
Patent number: 9537745
Abstract: The present disclosure relates to a distributed disk image deployment during virtual machine instance creation, and to deploying virtual machine instances based on disk image locality. One example method includes receiving a request to create a virtual machine instance identifying a disk image; determining one or more storage devices storing the disk image; determining a distance measurement between each of a plurality of computing nodes and the one or more storage devices storing the disk image; selecting a computing node on which to create the virtual machine instance based on a locality of the computing node to a storage device from the one or more storage devices storing the disk image, the locality including the distance measurement between the computing node and the storage device; and creating the virtual machine instance on the computing node using the disk image from the storage device.
Type: Grant
Filed: March 7, 2014
Date of Patent: January 3, 2017
Assignee: Google Inc.
Inventors: Michael A. Halcrow, Brandon S. Baker, Nicholas V. Finco, Matthew Riley
-
Patent number: 9495190
Abstract: In the host operating system of a computing device, entropy data is collected based at least in part on each of one or more hardware components of the computing device. An entropy pool is updated based at least in part on the collected entropy data, and data from the entropy pool is provided to a guest operating system running as a virtual machine of the computing device. The guest operating system maintains a guest operating system entropy pool based on the data from the entropy pool provided by the host operating system. The guest operating system accesses the guest operating system entropy pool and uses the guest operating system entropy pool as a basis for generating values including random numbers.
Type: Grant
Filed: August 24, 2009
Date of Patent: November 15, 2016
Assignee: Microsoft Technology Licensing, LLC
Inventors: Carl M. Ellison, Scott A. Field, Brandon S. Baker
-
Publication number: 20160306650
Abstract: Principles for enabling power management techniques for virtual machines. In a virtual machine environment, a physical computer system may maintain management facilities to direct and control one or more virtual machines executing thereon. In some techniques described herein, the management facilities may be adapted to place a virtual processor in an idle state in response to commands from a guest operating system. One or more signaling mechanisms may be supported such that the guest operating system will command the management facilities to place virtual processors in the idle state.
Type: Application
Filed: June 23, 2016
Publication date: October 20, 2016
Inventors: Haiyong Wang, Brandon S. Baker, Shuvabrata Ganguly, Nicholas Stephen Judge
-
Patent number: 9436823
Abstract: A method and apparatus are provided to detect malicious code in a computing system, where the malicious code is obscured by manipulation of an input/output memory management unit. A peripheral component interconnect express (PCIe) device requests a translation of a bus address for a given device in the system and determines whether the requested translation was received. If the requested translation was received, the PCIe device further determines whether the bus address for the given device corresponds to a physical address for the given device. If the bus address for the given device does not correspond to the physical address for the given device, the PCIe device sends a notification that the computing system is potentially compromised.
Type: Grant
Filed: December 17, 2013
Date of Patent: September 6, 2016
Assignee: Google Inc.
Inventors: Benjamin Charles Serebrin, Brandon S. Baker
-
Patent number: 9405347
Abstract: Principles for enabling power management techniques for virtual machines. In a virtual machine environment, a physical computer system may maintain management facilities to direct and control one or more virtual machines executing thereon. In some techniques described herein, the management facilities may be adapted to place a virtual processor in an idle state in response to commands from a guest operating system. One or more signaling mechanisms may be supported such that the guest operating system will command the management facilities to place virtual processors in the idle state.
Type: Grant
Filed: February 26, 2009
Date of Patent: August 2, 2016
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Haiyong Wang, Brandon S. Baker, Shuvabrata Ganguly, Nicholas Stephen Judge
-
Patent number: 8909939
Abstract: Methods, systems, and apparatuses, including computer programs encoded on a computer storage medium, for distribution of cryptographic keys. In one aspect, a method includes receiving a plurality of requests, each request being received by a different respective virtual machine of a plurality of virtual machines; generating, by each of the virtual machines, a different host key pair, wherein each of the host key pairs comprises an encryption key and a decryption key that are associated with the virtual machine that generated it; providing, by each of the virtual machines, the encryption key generated by the virtual machine to a distinct metadata server that stores parameters of the virtual machine; and sending, from each of the metadata servers, the encryption key generated by the virtual machine that the metadata server is configured to communicate with to an application programming interface system.
Type: Grant
Filed: April 4, 2012
Date of Patent: December 9, 2014
Assignee: Google Inc.
Inventors: Joseph S. Beda, III, Brandon S. Baker
-
Publication number: 20110047545
Abstract: In the host operating system of a computing device, entropy data is collected based at least in part on each of one or more hardware components of the computing device. An entropy pool is updated based at least in part on the collected entropy data, and data from the entropy pool is provided to a guest operating system running as a virtual machine of the computing device. The guest operating system maintains a guest operating system entropy pool based on the data from the entropy pool provided by the host operating system. The guest operating system accesses the guest operating system entropy pool and uses the guest operating system entropy pool as a basis for generating values including random numbers.
Type: Application
Filed: August 24, 2009
Publication date: February 24, 2011
Applicant: Microsoft Corporation
Inventors: Carl M. Ellison, Scott A. Field, Brandon S. Baker
-
Publication number: 20100218183
Abstract: Principles for enabling power management techniques for virtual machines. In a virtual machine environment, a physical computer system may maintain management facilities to direct and control one or more virtual machines executing thereon. In some techniques described herein, the management facilities may be adapted to place a virtual processor in an idle state in response to commands from a guest operating system. One or more signaling mechanisms may be supported such that the guest operating system will command the management facilities to place virtual processors in the idle state.
Type: Application
Filed: February 26, 2009
Publication date: August 26, 2010
Applicant: Microsoft Corporation
Inventors: Haiyong Wang, Brandon S. Baker, Shuvabrata Ganguly, Nicholas Stephen Judge
-
Publication number: 20100077394
Abstract: Techniques are disclosed for coalescing timer ticks generated by timers used to service guest operating systems executing in virtual machines. By coalescing timer ticks a logical processor can enter a low power mode thereby reducing power consumed by the system.
Type: Application
Filed: September 19, 2008
Publication date: March 25, 2010
Applicant: MICROSOFT CORPORATION
Inventors: Haiyong Wang, Brandon S. Baker, Shuvabrata Ganguly, Thomas D.I. Fahrig
-
Patent number: 7549022
Abstract: Avoiding cache-line sharing in virtual machines can be implemented in a system running a host and multiple guest operating systems. The host facilitates hardware access by a guest operating system and oversees memory access by the guest. Because cache lines are associated with memory pages that are spaced at regular intervals, the host can direct guest memory access to only select memory pages, and thereby restrict guest cache use to one or more cache lines. Other guests can be restricted to different cache lines by directing memory access to a separate set of memory pages.
Type: Grant
Filed: July 21, 2006
Date of Patent: June 16, 2009
Assignee: Microsoft Corporation
Inventor: Brandon S. Baker
-
Publication number: 20080022048
Abstract: Avoiding cache-line sharing in virtual machines can be implemented in a system running a host and multiple guest operating systems. The host facilitates hardware access by a guest operating system and oversees memory access by the guest. Because cache lines are associated with memory pages that are spaced at regular intervals, the host can direct guest memory access to only select memory pages, and thereby restrict guest cache use to one or more cache lines. Other guests can be restricted to different cache lines by directing memory access to a separate set of memory pages.
Type: Application
Filed: July 21, 2006
Publication date: January 24, 2008
Applicant: Microsoft Corporation
Inventor: Brandon S. Baker