Patents by Inventor Christian Borntraeger

Christian Borntraeger has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11176054
    Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, at a secure interface control of a computer system, an access request for a data structure related to a secure entity in a secure domain of the computer system. The secure interface control can check for a virtual storage address associated with a location of the data structure. The secure interface control can request an address translation using a virtual address space of a non-secure entity of the computer system based on determining that the location of the data structure is associated with the virtual storage address. The secure interface control can access the data structure based on a result of the address translation.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: November 16, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Claudio Imbrenda, Christian Borntraeger, Lisa Cranton Heller, Fadi Y. Busaba, Jonathan D. Bradbury
  • Patent number: 10956188
    Abstract: According to one or more embodiments of the present invention, a computer implemented method includes executing, by a virtual machine that is executing on a host server, a stream of instructions, wherein an instruction from the stream of instructions is to be intercepted to a hypervisor. The method further includes, based on a determination that the virtual machine is a secure virtual machine, preventing the hypervisor from directly accessing any data of the secure virtual machine. The method further includes performing by a secure interface control of the host server, based on a determination that the instruction is not interpretable by the secure interface control itself, extracting one or more parameter data associated with the instruction from the secure virtual machine, and storing the parameter data into a buffer that is accessible by the hypervisor. The instruction is subsequently intercepted into the hypervisor.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: March 23, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Fadi Y. Busaba, Lisa Cranton Heller, Jonathan D. Bradbury, Christian Borntraeger, Claudio Imbrenda
  • Patent number: 10838755
    Abstract: A method and system for transparent secure interception handling is provided. The method and system include deploying a virtual machine (VM) in an environment comprising a hypervisor and a firmware. The method and system include providing buffers in response to deploying the VM, and include executing VM instructions. The method and system include intercepting VM instructions which require access to instruction data and copying the VM state into a shadow VM state. Furthermore, the instruction data is copied to buffers, and the intercepted VM instruction is executed using the buffer. The method and system also include updating the shadow VM state buffer and the VM data in the VM memory using result data in the buffer in response to the executing of the intercepted VM instruction results. Furthermore execution of the VM instructions is resumed based on a state stored in the shadow VM state buffer.
    Type: Grant
    Filed: June 7, 2018
    Date of Patent: November 17, 2020
    Assignee: International Business Machines Corporation
    Inventors: Utz Bacher, Christian Borntraeger, Reinhard T. Buendgen, Dominik Dingel
  • Publication number: 20200285501
    Abstract: A method is provided. The method is implemented by a communication interface of a secure interface control executing between the secure interface control of a computer and hardware of the computer. In this regard, the communication interface receives an instruction and determines whether the instruction is a millicoded instruction. Further, the communication interface enters a millimode comprising enabling the secure interface control to engage millicode of the hardware through the communication interface based on the instruction being the millicoded instruction.
    Type: Application
    Filed: March 8, 2019
    Publication date: September 10, 2020
    Inventors: Lisa Cranton Heller, Fadi Y. Busaba, Jonathan D. Bradbury, Christian Borntraeger, Utz Bacher, Reinhard Theodor Buendgen
  • Publication number: 20200285494
    Abstract: According to one or more embodiments of the present invention, a computer implemented method includes executing, by a virtual machine that is executing on a host server, a stream of instructions, wherein an instruction from the stream of instructions is to be intercepted to a hypervisor. The method further includes, based on a determination that the virtual machine is a secure virtual machine, preventing the hypervisor from directly accessing any data of the secure virtual machine. The method further includes performing by a secure interface control of the host server, based on a determination that the instruction is not interpretable by the secure interface control itself, extracting one or more parameter data associated with the instruction from the secure virtual machine, and storing the parameter data into a buffer that is accessible by the hypervisor. The instruction is subsequently intercepted into the hypervisor.
    Type: Application
    Filed: March 8, 2019
    Publication date: September 10, 2020
    Inventors: Fadi Y. Busaba, Lisa Cranton Heller, Jonathan D. Bradbury, Christian Borntraeger, Claudio Imbrenda
  • Publication number: 20200285589
    Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, at a secure interface control of a computer system, an access request for a data structure related to a secure entity in a secure domain of the computer system. The secure interface control can check for a virtual storage address associated with a location of the data structure. The secure interface control can request an address translation using a virtual address space of a non-secure entity of the computer system based on determining that the location of the data structure is associated with the virtual storage address. The secure interface control can access the data structure based on a result of the address translation.
    Type: Application
    Filed: March 8, 2019
    Publication date: September 10, 2020
    Inventors: Claudio Imbrenda, Christian Borntraeger, Lisa Cranton Heller, Fadi Y. Busaba, Jonathan D. Bradbury
  • Publication number: 20200287709
    Abstract: According to one or more embodiments of the present invention, a computer implemented method includes computing a hash value of a page of memory of a computer system and comparing the hash value with a previously computed hash value of the page. A per-encryption value per page can be used in encrypting the page based on determining that the hash value matches the previously computed hash value. A modified value of the per-encryption value per page can be used in encrypting the page based on determining that the hash value mismatches the previously computed hash value.
    Type: Application
    Filed: March 8, 2019
    Publication date: September 10, 2020
    Inventors: Jonathan D. Bradbury, Christian Borntraeger, Heiko Carstens, Martin Schwidefsky, Reinhard Theodor Buendgen
  • Publication number: 20200285747
    Abstract: A method is provided by a secure interface control of a computer that provides a partial instruction interpretation for an instruction which enables an interruption. The secure interface control fetches a program status word or a control register value from a secure guest storage. The secure interface control notifies an untrusted entity of guest interruption mask updates. The untrusted entity is executed on and in communication with hardware of the computer through the secure interface control to support operations of a secure entity executing on the untrusted entity. The secure interface control receives, from the untrusted entity, a request to present a highest priority, enabled guest interruption in response to the notifying of the guest interruption mask updates. The secure interface control moves interruption information into a guest prefix page and injects the interruption in the secure entity when an injection of the interruption is determined to be valid.
    Type: Application
    Filed: March 8, 2019
    Publication date: September 10, 2020
    Inventors: Christian Borntraeger, Claudio Imbrenda, Fadi Y. Busaba, Jonathan D. Bradbury, Lisa Cranton Heller
  • Publication number: 20200285753
    Abstract: Secure processing within a computing environment is provided by incrementally decrypting a secure operating system image, including receiving, for a page of the secure operating system image, a page address and a tweak value used during encryption of the page. Processing determines that the tweak value has not previously been used during decryption of another page of the secure operating system image, and decrypts memory page content at the page address using an image encryption key and the tweak value to facilitate obtaining a decrypted secure operating system image. Further, integrity of the secure operating system image is verified, and based on verifying integrity of the secure operating system image, execution of the decrypted secure operating system image is started.
    Type: Application
    Filed: March 8, 2019
    Publication date: September 10, 2020
    Inventors: Reinhard T. BUENDGEN, Christian BORNTRAEGER, Jonathan D. BRADBURY, Fadi Y. BUSABA, Lisa C. HELLER, Viktor MIHAJLOVSKI
  • Publication number: 20200285762
    Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.
    Type: Application
    Filed: March 8, 2019
    Publication date: September 10, 2020
    Inventors: Jonathan D. Bradbury, Martin Schwidefsky, Christian Borntraeger, Lisa Cranton Heller, Heiko Carstens, Fadi Y. Busaba
  • Patent number: 10282305
    Abstract: Selective purging of entries of structures associated with address translation. A request to purge entries of a structure associated with address translation is obtained. Based on obtaining the request, a determination is made as to whether selective purging of the structure associated with address translation is to be performed. Based on determining that selective purging is to be performed, one or more entries of the structure associated with address translation are purged. The selectively purging includes clearing the one or more entries of the structure associated with address translation for a host of the computing environment and leaving one or more entries of one or more guest operating systems in the structure associated with address translation. The one or more guest operating systems are managed by the host.
    Type: Grant
    Filed: July 18, 2016
    Date of Patent: May 7, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Christian Borntraeger, Jonathan D. Bradbury, Lisa Cranton Heller, Christian Jacobi, Martin Schwidefsky
  • Publication number: 20180285143
    Abstract: A method and system for transparent secure interception handling is provided. The method and system include deploying a virtual machine (VM) in an environment comprising a hypervisor and a firmware. The method and system include providing buffers in response to deploying the VM, and include executing VM instructions. The method and system include intercepting VM instructions which require access to instruction data and copying the VM state into a shadow VM state. Furthermore, the instruction data is copied to buffers, and the intercepted VM instruction is executed using the buffer. The method and system also include updating the shadow VM state buffer and the VM data in the VM memory using result data in the buffer in response to the executing of the intercepted VM instruction results. Furthermore execution of the VM instructions is resumed based on a state stored in the shadow VM state buffer.
    Type: Application
    Filed: June 7, 2018
    Publication date: October 4, 2018
    Inventors: Utz Bacher, Christian Borntraeger, Reinhard T. Buendgen, Dominik Dingel
  • Patent number: 10019279
    Abstract: A method and system for transparent secure interception handling is provided. The method and system include deploying a virtual machine (VM) in an environment comprising a hypervisor and a firmware. The method and system include providing buffers in response to deploying the VM, and include executing VM instructions. The method and system include intercepting VM instructions which require access to instruction data and copying the VM state into a shadow VM state. Furthermore, the instruction data is copied to buffers, and the intercepted VM instruction is executed using the buffer. The method and system also include updating the shadow VM state buffer and the VM data in the VM memory using result data in the buffer in response to the executing of the intercepted VM instruction results. Furthermore execution of the VM instructions is resumed based on a state stored in the shadow VM state buffer.
    Type: Grant
    Filed: December 17, 2015
    Date of Patent: July 10, 2018
    Assignee: International Business Machines Corporation
    Inventors: Utz Bacher, Christian Borntraeger, Reinhard T. Buendgen, Dominik Dingel
  • Publication number: 20180018283
    Abstract: Selective purging of guest entries of structures associated with address translation. A request to purge entries of a structure associated with address translation is obtained. Based on obtaining the request, a determination is made as to whether selective purging of the structure associated with address translation is to be performed. Based on determining that selective purging is to be performed, one or more entries of the structure associated with address translation are purged. The selectively purging includes clearing the one or more entries of the structure associated with address translation for a selected guest operating system of the computing environment and leaving one or more other entries of one or more other guest operating systems in the structure associated with address translation. The selected guest operating system and the one or more other guest operating systems are managed by a host of the computing environment.
    Type: Application
    Filed: July 18, 2016
    Publication date: January 18, 2018
    Inventors: Christian Borntraeger, Jonathan D. Bradbury, Lisa Cranton Heller, Christian Jacobi, Damian L. Osisek, Anthony Saporito, Martin Schwidefsky
  • Publication number: 20180018284
    Abstract: Selective purging of entries of structures associated with address translation. A request to purge entries of a structure associated with address translation is obtained. Based on obtaining the request, a determination is made as to whether selective purging of the structure associated with address translation is to be performed. Based on determining that selective purging is to be performed, one or more entries of the structure associated with address translation are purged. The selectively purging includes clearing the one or more entries of the structure associated with address translation for a host of the computing environment and leaving one or more entries of one or more guest operating systems in the structure associated with address translation. The one or more guest operating systems are managed by the host.
    Type: Application
    Filed: July 18, 2016
    Publication date: January 18, 2018
    Inventors: Christian Borntraeger, Jonathan D. Bradbury, Lisa Cranton Heller, Christian Jacobi, Martin Schwidefsky
  • Patent number: 9841987
    Abstract: A method and system for transparent secure interception handling is provided. The method and system include deploying a virtual machine (VM) in an environment comprising a hypervisor and a firmware. The method and system include providing buffers in response to deploying the VM, and include executing VM instructions. The method and system include intercepting VM instructions which require access to instruction data and copying the VM state into a shadow VM state. Furthermore, the instruction data is copied to buffers, and the intercepted VM instruction is executed using the buffer. The method and system also include updating the shadow VM state buffer and the VM data in the VM memory using result data in the buffer in response to the executing of the intercepted VM instruction results. Furthermore execution of the VM instructions is resumed based on a state stored in the shadow VM state buffer.
    Type: Grant
    Filed: July 27, 2016
    Date of Patent: December 12, 2017
    Assignee: International Business Machines Corporation
    Inventors: Utz Bacher, Christian Borntraeger, Reinhard T. Buendgen, Dominik Dingel
  • Publication number: 20170177398
    Abstract: A method and system for transparent secure interception handling is provided. The method and system include deploying a virtual machine (VM) in an environment comprising a hypervisor and a firmware. The method and system include providing buffers in response to deploying the VM, and include executing VM instructions. The method and system include intercepting VM instructions which require access to instruction data and copying the VM state into a shadow VM state. Furthermore, the instruction data is copied to buffers, and the intercepted VM instruction is executed using the buffer. The method and system also include updating the shadow VM state buffer and the VM data in the VM memory using result data in the buffer in response to the executing of the intercepted VM instruction results. Furthermore execution of the VM instructions is resumed based on a state stored in the shadow VM state buffer.
    Type: Application
    Filed: July 27, 2016
    Publication date: June 22, 2017
    Inventors: Utz Bacher, Christian Borntraeger, Reinhard T. Buendgen, Dominik Dingel
  • Publication number: 20170177392
    Abstract: A method and system for transparent secure interception handling is provided. The method and system include deploying a virtual machine (VM) in an environment comprising a hypervisor and a firmware. The method and system include providing buffers in response to deploying the VM, and include executing VM instructions. The method and system include intercepting VM instructions which require access to instruction data and copying the VM state into a shadow VM state. Furthermore, the instruction data is copied to buffers, and the intercepted VM instruction is executed using the buffer. The method and system also include updating the shadow VM state buffer and the VM data in the VM memory using result data in the buffer in response to the executing of the intercepted VM instruction results. Furthermore execution of the VM instructions is resumed based on a state stored in the shadow VM state buffer.
    Type: Application
    Filed: December 17, 2015
    Publication date: June 22, 2017
    Inventors: Utz Bacher, Christian Borntraeger, Reinhard T. Buendgen, Dominik Dingel
  • Patent number: 9529616
    Abstract: A process can be scheduled between first and second hosts using a virtual file system that is shared between the hosts. The process, running on a first hypervisor of the first host, can be scheduled to run on a second hypervisor of the second host. A file can be created that includes the data content of the process address space for the file. The file can be mapped to address space of the virtual file system. Data from the physical memory of the first host can be transferred to physical memory of the second host using page fault routines.
    Type: Grant
    Filed: December 10, 2013
    Date of Patent: December 27, 2016
    Assignee: International Business Machines Corporation
    Inventors: Christian Borntraeger, Heiko Carstens, Dominik Dingel, Matthias Klein, Einar Lueck
  • Patent number: 9529618
    Abstract: A process can be scheduled between first and second hosts using a virtual file system that is shared between the hosts. The process, running on a first hypervisor of the first host, can be scheduled to run on a second hypervisor of the second host. A file can be created that includes the data content of the process address space for the file. The file can be mapped to address space of the virtual file system. Data from the physical memory of the first host can be transferred to physical memory of the second host using page fault routines.
    Type: Grant
    Filed: June 17, 2014
    Date of Patent: December 27, 2016
    Assignee: International Business Machines Corporation
    Inventors: Christian Borntraeger, Heiko Carstens, Dominik Dingel, Matthias Klein, Einar Lueck