Abstract: Example embodiments relate to executing services in containers. The examples disclosed herein include a computing device comprising instructions to load an inner portion of an operating system kernel in an inner region of a kernel space and an outer portion of the operating system kernel in an outer region of the kernel space. The example computing device may execute a service in a container in a user space. The container may be communicatively coupled with the outer region of the operating system kernel but divided from the inner portion of the operating system kernel.

Abstract: Example implementations relate to global capabilities transferrable across node boundaries. For example, in an implementation, a switch that routes traffic between a node and global memory may receive an instruction from the node. The switch may recognize that data referenced by the instruction is a global capability, and the switch may process that global capability accordingly.

Abstract: A computing system and a method of handling a system management request. The computing system includes a virtual high-privilege mode in a trusted domain managed by the virtual machine monitor. The virtual high-privilege mode handles the system management request.

Abstract: Example implementations relate to a capability enforcement processor. In an example, a capability enforcement processor may be interposed between a memory that stores data accessible via capabilities and a system processor that executes processes. The capability enforcement processor intercepts a memory request from the system processor and enforces the memory request based on capability enforcement processor capabilities maintained in per-process capability spaces of the capability enforcement processor.

Abstract: Memory blocks are associated with each memory level of a hierarchy of memory levels. Each memory block has a matching key capability (MaKC). The MaKC of a memory block governs access to the memory block, in accordance with permissions specified by the MaKC. The MaKC of a memory block can uniquely identify the memory block across the hierarchy of memory levels, and can be globally unique across the memory blocks. An MaKC of a memory block includes a block protection key (BPK) stored with the memory block, and an execution protection key (EPK). If a provided EPK for a memory block matches the memory block's BPK upon comparison, access to the memory block is allowed according to the permissions specified by the MaKC.

Abstract: Examples include configuration of a memory controller for copy-on-write with a resource controller. Some examples include, in response to a determination to take a snapshot of memory accessible to a first component, a resource controller configuring a memory controller to treat location IDs, mapped to initial memory locations of the accessible memory, as copy-on-write for the first component and not for a second component independent of the resource controller after the configuring.

Abstract: According to an example, memory integrity checking may include receiving computer program code, and using a loader to load the computer program code in memory. Memory integrity checking may further include verifying the integrity of the computer program code by selectively implementing synchronous verification and/or asynchronous verification. The synchronous verification may be based on loader security features associated with the loading of the computer program code. Further, the asynchronous verification may be based on a media controller associated with the memory containing the computer program code.

Abstract: Examples relate to system call policies for containers. In an example, a method includes receiving, by a container platform, a container for running an application. The container has a metadata record that specifies an application type of the application. The container platform receives a data structure that specifies a set of system call policies for a set of application types and queries the data structure to determine a policy of the set of system call policies to apply to the container based on the application type in the metadata record. A kernel implements the policy for the container to allow or deny permission for a system call by the application running in the container based on a comparison of the system call to the policy.

Abstract: Techniques for a firewall to determine access to a portion of memory are provided. In one aspect, an access request to access a portion of memory within a pool of shared memory may be received at a firewall. The firewall may determine whether the access request to access the portion of memory is allowed. The access request may be allowed to proceed based on the determination. The operation of the firewall may not utilize address translation.

Abstract: An electronic device for management of cryptographic keys, and a corresponding method implemented in a computing device comprising a physical processor, transmit feature data of the device to a key generation module, wherein the feature data comprises information corresponding to an identifier or an attribute of the device, and receive, by the device from the key generation module, a digital signature of the transmitted feature data. The device installs the received digital signature as a cryptographic private key for communication, and performs a cryptographic operation using the installed digital signature as the cryptographic private key.

Abstract: A secure communication channel is established between a virtual trusted runtime basic input output system (BIOS) and a virtual machine that includes a virtual BIOS. The virtual trusted runtime BIOS communicates with the virtual machine according to a web-based protocol over the secure communication channel using a secure socket layer.

Abstract: There is provided an example memory system comprising a plurality of memory modules, each memory module comprising a persistent memory to store root key information and encrypted primary data; a volatile memory to store a working key for encrypting data, the encrypted primary data stored in the persistent memory being encrypted using the working key; and a control unit to provide load and store access to the primary data. The memory system further comprises a working key recovery mechanism to retrieve first root key information from a first module and second root key information from a second module; and compute the working key for a given module based on the retrieved first root key information and the retrieved second root key information.

Abstract: Examples include configuration of a memory controller for copy-on-write. Some examples include, in response to a determination to take a snapshot of memory accessible to a first component, a management subsystem configuring a memory controller to treat location IDs, mapped to initial memory locations of the accessible memory, as copy-on-write for the first component and not for a second component.

Abstract: Example implementations relate to encrypted capabilities stored in global memory. For example, in an implementation, a capability protection system may store an encrypted capability into global memory, where the encrypted capability is encrypted based on a condition. The capability protection system may receive, from a node in communication with the global memory, a request to access the encrypted capability stored in the global memory. The capability protection system may provide to the node a decrypted form of the encrypted capability upon satisfaction of the condition by the node.

Abstract: Example implementations relate to cryptographic evidence of persisted capabilities. In an example implementation, in response to a request to access a persisted capability stored in a globally shared memory, a system may decide whether to trust the persisted capability by verification of cryptographic evidence accompanying the persisted capability. The system may load the persisted capability upon a decision to trust the persisted capability based on successful verification.

Abstract: Example embodiments relate to storage systems for containers. An example storage system may include a set of servers associated with a global namespace for containers, a plurality of storage domains connected under the global namespace, and a processor to identify a storage tree for a container image of a container, where the storage tree is mapped to a storage domain storing the container image, and to clone the container to a second container, where the second container image is stored in a second storage domain.

Abstract: Example implementations relate to global capabilities transferrable across node boundaries. For example, in an implementation, a switch that routes traffic between a node and global memory may receive an instruction from the node. The switch may recognize that data referenced by the instruction is a global capability, and the switch may process that global capability accordingly.

Abstract: In an example, memory address encryption is facilitated for transactions between electronic circuits in a memory fabric. An electronic circuit may obtain a transaction integrity key and a transaction encryption key. The electronic circuit may encrypt an address using the transaction encryption key and a compute a truncated message authentication code (MAC) using the transaction integrity key.

Abstract: Techniques for storing hypervisor messages in a network packet are described. In one aspect, a hypervisor of a computing device obtains a network packet generated by a virtual machine. The hypervisor may then identify available space within the network packet that can store data relating to a hypervisor message. The hypervisor may then store the hypervisor message in the available space within the network packet. The hypervisor may cause a physical network interface controller to transmit the network packet to a destination device through a network path that includes a message logging device.

Abstract: A bus between a requester and a target component includes a portion dedicated to carry information indicating a privilege level, from among a plurality of privilege levels, of machine-readable instructions executed on the requester.