Abstract: Secure memory sharing between enclaves (virtual machines) and virtual input/output adapters includes, in response to a request for an enclave to create a virtual input/output adapter, creating a virtual input/output adapter associated with the enclave, creating a non-sharable micro-enclave, to contain only data, nested within the enclave to use with the virtual input/output adapter, generating a key by a memory encryption engine of an ultravisor for the virtual input/output adapter for use by only the virtual input/output adapter, in response to a request to obtain data from the enclave by the virtual input/output adapter, exchanging the key with the non-sharable micro-enclave, in response to receiving the key, decrypting memory of only the non-sharable micro-enclave associated with the virtual input/output adapter to obtain the data, and sending the data from the non-sharable micro-enclave nested within the enclave to the virtual input/output adapter.

Abstract: A system and method for tailoring container images stored in a container image registry to a specific microarchitecture that a host operating system is running on in a virtualized environment. A container image fetch request is sent to the container image registry. Microarchitecture identification instructions are received from the image registry in response to the container image fetch request. Results from the microarchitecture identification instructions are transmitted to the container image registry to identify the specific microarchitecture that the host operating system is running on in the virtualized environment, and a container within the virtualized environment is started using an optimal container image received from the container image registry, the optimal container image being tailored to the specific microarchitecture to leverage the functionalities and capabilities of the specific microarchitecture of the computing system.

Abstract: Virtual memory address space is divided according to areas of the virtual memory address and allocating some areas to low-cost volatile memory (such as RAM) when the memory areas are not required by an application to be stored in non-volatile memory, such as NVDIMM. A loader mechanism creates and maintains a layout address table in non-volatile memory for recovery from an unexpected reset.

Abstract: A service request for an automobile is detected. The service request includes a service version number. A first integrated circuit of the automobile is verified. The verification of the first integrated circuit is in response to detecting the service request. A component version number of the first integrated circuit is determined in response to verifying the first integrated circuit. The service version number is compared to the component version number of the first integrated circuit. The comparison is based on the determining the component version number. A service operation regarding the automobile is performed. The service operation is performed based on the comparing the service version number to the component version number.

Abstract: Systems and methods for improved process caching through iterative feedback are disclosed. In embodiments, a computer implemented method comprises retrieving updated metadata of a process to be executed, wherein the updated metadata includes information regarding cache misses from a prior execution of the process; automatically modifying a setting of a data stream control register based on the updated metadata; automatically setting a hint at a data cache block touch module; performing an initial execution of the process after the steps of retrieving the updated metadata, automatically modifying the setting of the data stream control register, and automatically setting the hint at the data cache block touch module; and modifying the updated metadata of the process after the execution of the process based on cache miss statistical data gathered during the execution of the process, to produce newly updated metadata.

Abstract: Embodiments of the present invention include receiving, by an operating system, a request from an application to reserve a subset of a memory allocated to the application for mirroring. The request specifies a size of the subset. A first portion of the specified size and a second portion of the specified size of the memory are reserved by the operating system for the mirroring. Data to write to the first portion of the memory is received from the application. The operating system writes the data to the first portion of the memory and initiates a background write-back process of the data to the second portion of the memory.

Abstract: A computer-implemented method comprises receiving a request to write to a file and, in response to the request, determining that the file exists in a storage device. In response to the determination that the file exists, the method further comprises mapping the file into a region of a non-volatile dual in-line memory module (NVDIMM); initiating a transaction to write to the mapped file in the NVDIMM without acquiring a speculative lock on the mapped file; and determining whether a conflict occurred in writing to the mapped file in the NVDIMM. In response to a determination that a conflict occurred, the method comprises restarting the transaction to write to the mapped file in the NVDIMM without acquiring the speculative lock on the mapped file. In response to a determination that no conflict occurred, the method comprises committing changes made to the mapped file to the file in the storage device.

Abstract: A method and system for improving virtual machine allocation and migration is provided. The method includes initiating a migration process for migrating database files of a virtual machine from a first hardware device to a second hardware device. A checkpoint and restart command is transmitted to a first hypervisor of the first hardware device and a request for a cryptographic key from a memory encryption engine is received. The cryptographic key is transmitted to a first enclave and the first enclave is encrypted resulting in an encrypted enclave. A resulting a data file comprising the database files is generated and the encrypted enclave is disconnected from the first hardware device. The encrypted enclave is destroyed and checkpoint and restart code is executed for restarting the first hardware device.

Abstract: Memory management that includes allocating physical memory having an append-only permission associated therewith to requesting user space applications is described. If a page frame is append-only, then data written to the page frame cannot be overwritten. Rather, any new data written to an append-only page frame must be written beginning at the next available write location within the page frame. An MMU determines whether a write request is requesting an append-only page frame, in which case, the MMU reserves the append-only page frame for the write request and consults a corresponding entry in a page table append to determine whether an offset associated with the write request is larger than a stored value in the entry that indicates the next available write location in the page frame. If so, the write request is executed and the data is written to the page frame beginning at the next available write location.

Abstract: Embodiments of the present invention disclose a method, computer program product, and system for managing memory bandwidth usage in software containers. Software container properties are received from a software container engine. In response to detecting the execution of one or more software containers by the software container engine, a monitoring layer is generated. At periodic time intervals, the generated monitoring layer monitors a memory bandwidth use value associated with each of the executed software containers. For each periodic time interval, an average memory use value is calculated, associated with each executed software container. In response to the calculated average memory use value being above a threshold associated with a monitored software container of the executed containers, the monitored software container is suspended for a suspend time duration. The suspended monitored software container is reactivated based on the suspend time duration expiring.

Abstract: Embodiments include method, systems and computer program products for providing entropy to generate random numbers.

Abstract: Embodiments are disclosed for managing a non-volatile dual in-line memory module (NVDIMM) storage system. The techniques include loading an executable to a volatile random access memory. The techniques also include in response to a store operation attempted by the executable, determining that a target address of the store operation is not mapped from an address in the random access memory to an address in an NVDIMM. The techniques further include mapping the target address from the address in the volatile random access memory to the address in the NVDIMM. Additionally, the techniques include performing the store operation in the address in the NVDIMM based on the mapping.

Abstract: Virtual memory address space is divided according to areas of the virtual memory address and allocating some areas to low-cost volatile memory (such as RAM) when the memory areas are not required by an application to be stored in non-volatile memory, such as NVDIMM. A loader mechanism creates and maintains a layout address table in non-volatile memory for recovery from an unexpected reset.

Abstract: Identifying malicious code execution of executing subject code of a software enclave of a processing system follows a process that includes monitoring performance characteristics of the processing system attributed to execution of the subject code of the software enclave. The monitoring produces performance data, which is stored to a relational database. The process applies a classification model to the stored performance data to obtain an output, and, based on the output of the classification model, identifies anomalous behavior in the execution of the subject code and determines a confidence level that the anomalous behavior exhibits malicious activity. Based on the confidence level exceeding a threshold, the process determines that the executing subject code is malicious and initiates halting of the execution of the subject code.

Abstract: Embodiments describe an approach for generating a sign language translation of an audio portion of a video. Embodiments receive a request for a sign language translation for a selected video and extract audio from the selected video. Additionally, embodiments, convert the extracted audio into text, identify contextual sounds in the audio, and convert the text and the contextual sounds into sign language content. Furthermore, embodiments, generate a sign language video based on the sign language content, and display the sign language video in a separate display window on the selected video.

Abstract: Aspects define a union mixed secure virtual machine image to include an encrypted code virtualization machine for code machine instructions of a first retrieved package; and an unsecure virtualization hypervisor that includes a non-encrypted code virtualization machine for code machine instructions of a second retrieved package and a non-encrypted data storage device.

Abstract: Booting a virtual machine instance using remote direct memory access is provided. In response to beginning to receive pages of a predetermined set of pages corresponding to a requested image of a virtual machine from an image provider server, a boot process of an instance of the virtual machine is commenced while the received pages are written directly into a random-access memory (RAM) disk. The received pages are read from the RAM disk during the boot process of the instance of the virtual machine until transfer of the predetermined set of pages corresponding to the requested image is complete. The predetermined set of pages corresponding to the requested image are written to a local hard disk drive from the memory releasing memory usage. In response to completing the boot process, a RAM image is switched to a local hard disk drive image.

Abstract: Managing seamless server halt and restart is provided. A suspend event corresponding to a non-non-volatile dual-inline memory module (non-NVDIMM) server that comprises a set of virtual machines is received. In response to receiving the suspend event corresponding to the non-NVDIMM server, running virtual machine processes are stopped on the non-NVDIMM server. Virtual machine state information corresponding to stopped non-NVDIMM server virtual machine processes is saved on a set of non-volatile dual-inline memory modules (NVDIMMs) located in a non-volatile dual-inline memory module (NVDIMM) server.

Abstract: A service request for an automobile is detected. The service request includes a service version number. A first integrated circuit of the automobile is verified. The verification of the first integrated circuit is in response to detecting the service request. A component version number of the first integrated circuit is determined in response to verifying the first integrated circuit. The service version number is compared to the component version number of the first integrated circuit. The comparison is based on the determining the component version number. A service operation regarding the automobile is performed. The service operation is performed based on the comparing the service version number to the component version number.

Abstract: Embodiments of the present invention provide methods, systems, and computer program products for container communication. In an embodiment, it is determined whether a message is going to a container on a same machine or to a container on a machine at a geographically different location. If it is determined that the message is going to a container on a machine at a geographically different location, then it is determined whether a predetermined threshold has been reached. If it is determined that the predetermined threshold has been reached, then the container from a first machine is migrated to the container on the container on the machine at the geographically different location. A data tracking structure is used to visually represent the migration of containers to other machines.