Abstract: Example implementations relate to a logical rack controller. In an example, a logical rack controller receives an inventory of a plurality of physical computing racks. The logical rack controller receives a logical rack definition that indicates selected physical infrastructure from among the inventory to form a logical rack. The logical rack controller validates the logical rack definition by verifying network connectivity of the selected physical infrastructure. After validation of the logical rack definition, the logical rack controller provides, to a provisioning controller, an interface to the logical rack. The provisioning controller can utilize the interface to access the logical rack.

Abstract: A system includes a memory and a controller. The controller controls access to the memory and is adapted to be programmed with a key that is associated with a context. The controller is adapted to, in response to a request to access the memory, perform a cryptographic function on data associated with the request based on the key.

Abstract: A virtual machine is migrated from a first physical machine to a second physical machine in response to a failure of an instruction to execute. A migration constraint also is created which limits future migration of the virtual machine by a placement controller to only those physical machines that can execute the failed instruction.

Abstract: In various embodiments of the present invention, execution-state transitions occur in a first portion of a system, and a cumulative execution state for each process is maintained by a second portion of the system so that, when a second-portion routine is called, the second-portion routine can determine whether or not the current execution state is suitable for execution of the second-portion routine. In various embodiments, a callpoint log, allocated and maintained for each process, stores the cumulative execution state for the process. In one embodiment, the first portion is an operating system, and the second portion is a secure kernel, with the cumulative execution state used by the secure kernel to prevent unauthorized access by erroneously or maliciously invoked operating-system routines to secure kernel routines. In another embodiment, the cumulative execution state is used as a debugging tool by the second-portion routines to catch errors in the implementation of the first-portion routines.

Abstract: Various embodiments of the present invention introduce privilege-level mapping into a computer architecture not initially designed for supporting virtualization. Privilege-level mapping can, with relatively minor changes to processor logic, fully prevent privileged-level-information leaks by which non-privilege code can determine the current machine-level privilege level at which they are executing. In one embodiment of the present invention, a new privilege-level mapping register is introduced, and privilege-level mapping is enabled for all but code invoked by privileged-level-0-forcing hardware events.

Abstract: A combined-hardware-and-software secure-platform interface to which operating systems and customized control programs interface within a computer system. The combined-hardware-and-software secure-platform interface employs a hardware platform that provides at least four privilege levels, non-privileged instructions, non-privileged registers, privileged instructions, privileged registers, and firmware interfaces. The combined-hardware-and-software secure-platform interface conceals all privileged instructions, privileged registers, and firmware interfaces and privileged registers from direct access by operating systems and custom control programs, providing to the operating systems and custom control programs the non-privileged instructions and non-privileged registers provided by the hardware platform as well as a set of callable software services.

Abstract: Various embodiments of the present invention introduce privilege-level mapping into a computer architecture not initially designed for supporting virtualization. Privilege-level mapping can, with relatively minor changes to processor logic, fully prevent privileged-level-information leaks by which non-privilege code can determine the current machine-level privilege level at which they are executing. In one embodiment of the present invention, a new privilege-level mapping register is introduced, and privilege-level mapping is enabled for all but code invoked by privileged-level-0-forcing hardware events.

Abstract: In various embodiments of the present invention, execution-state transitions occur in a first portion of a system, and a cumulative execution state for each process is maintained by a second portion of the system so that, when a second-portion routine is called, the second-portion routine can determine whether or not the current execution state is suitable for execution of the second-portion routine. In various embodiments, a callpoint log, allocated and maintained for each process, stores the cumulative execution state for the process. In one embodiment, the first portion is an operating system, and the second portion is a secure kernel, with the cumulative execution state used by the secure kernel to prevent unauthorized access by erroneously or maliciously invoked operating-system routines to secure kernel routines. In another embodiment, the cumulative execution state is used as a debugging tool by the second-portion routines to catch errors in the implementation of the first-portion routines.

Abstract: Method and system for controlling areas of memory within a computer system to routines executing at a specific privilege levels in a modern computer architecture featuring protection keys, operating-system-routine calls and interrupts result in promotion of the current privilege level to the highest privilege level prior to dispatch to an operating system routine with concomitant demotion of the CPL Current Privilege Level to operating-system-privilege level. By partitioning the 24-bit protection queue space into multiple protection-key domains, each protection-key domain associated with a privilege level, and by invalidating protection-key registers during each protection of the current privilege level to a higher privilege level, regions of memory are provided that can only be accessed by routines running at low privilege levels and by routines at the highest privilege level, but not accessible to routines running at intermediate privilege levels.

Abstract: Method and system for providing hardware-enforced synchronization and serialization mechanisms, such as semaphores, to allow for control of access to memory regions within a computer system. In addition to the traditional semaphore protocol, hardware enforced semaphores are associated with memory regions and with protection keys selected from a pool of protection keys that control access to those memory regions. Hardware-enforced semaphores control insertion and deletion of protection keys from protection-key registers and internal data structures in order to enforce access grants provided by the semaphore protocol.

Abstract: Method and system for controlling areas of memory within a computer system to routines executing at a specific privilege levels in a modern computer architecture featuring protection keys, operating-system-routine calls and interrupts result in promotion of the current privilege level to the highest privilege level prior to dispatch to an operating system routine with concomitant demotion of the CPL to operating-system-privilege level. By partitioning the 24-bit protection queue space into multiple protection-key domains, each protection-key domain associated with a privilege level, and by invalidating protection-key registers during each protection of the current privilege level to a higher privilege level, regions of memory are provided that can only be accessed by routines running at low privilege levels and by routines at the highest privilege level, but not accessible to routines running at intermediate privilege levels.

Abstract: A combined-hardware-and-software secure-platform interface to which operating systems and customized control programs interface within a computer system. The combined-hardware-and-software secure-platform interface employs a hardware platform that provides at least four privilege levels, non-privileged instructions, non-privileged registers, privileged instructions, privileged registers, and firmware interfaces. The combined-hardware-and-software secure-platform interface conceals all privileged instructions, privileged registers, and firmware interfaces and privileged registers from direct access by operating systems and custom control programs, providing to the operating systems and custom control programs the non-privileged instructions and non-privileged registers provided by the hardware platform as well as a set of callable software services.