Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, at a secure interface control of a computer system, an access request for a data structure related to a secure entity in a secure domain of the computer system. The secure interface control can check for a virtual storage address associated with a location of the data structure. The secure interface control can request an address translation using a virtual address space of a non-secure entity of the computer system based on determining that the location of the data structure is associated with the virtual storage address. The secure interface control can access the data structure based on a result of the address translation.

Abstract: At least one request to store diagnostic state of a virtual machine is obtained. Based on obtaining the at least one request, a store of diagnostic state of the virtual machine is performed to provide stored diagnostic state of the virtual machine. The performing the store includes encrypting the diagnostic state of the virtual machine that is unencrypted and being stored to prevent a reading of the diagnostic state of the virtual machine by an untrusted entity prior to encrypting the diagnostic state of the virtual machine that is unencrypted and being stored.

Abstract: Deferred reclaiming of secure guest resources within a computing environment is provided, which includes initiating, by a host of the computing environment, removal of a secure guest from the computing environment, while leaving one or more resources of the secure guest to be reclaimed asynchronous to the removal of the secure guest. The deferring also includes reclaiming the one or more secure guest resources asynchronous to the removal of the secure guest, where the one or more secure guest resources are available for reuse as the one or more secure guest resources are reclaimed asynchronous to the removal of the secure guest.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes initiating, by a non-secure entity that is executing on a host server, a secure entity, the non-secure entity prohibited from directly accessing any data of the secure entity. The method further includes injecting, into the secure entity, an interrupt that is generated by the host server. The injecting includes adding, by the non-secure entity, information about the interrupt into a portion of non-secure storage, which is then associated with the secure entity. The injecting further includes injecting, by a secure interface control of the host server, the interrupt into the secure entity.

Abstract: A method is provided by a secure interface control of a computer that provides a partial instruction interpretation for an instruction which enables an interruption. The secure interface control fetches a program status word or a control register value from a secure guest storage. The secure interface control notifies an untrusted entity of guest interruption mask updates. The untrusted entity is executed on and in communication with hardware of the computer through the secure interface control to support operations of a secure entity executing on the untrusted entity. The secure interface control receives, from the untrusted entity, a request to present a highest priority, enabled guest interruption in response to the notifying of the guest interruption mask updates. The secure interface control moves interruption information into a guest prefix page and injecting the interruption in the secure entity when an injection of the interruption is determined to be valid.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, at a secure interface control of a computer system, an access request for a data structure related to a secure entity in a secure domain of the computer system. The secure interface control can check for a virtual storage address associated with a location of the data structure. The secure interface control can request an address translation using a virtual address space of a non-secure entity of the computer system based on determining that the location of the data structure is associated with the virtual storage address. The secure interface control can access the data structure based on a result of the address translation.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, at a secure interface control of a computer system, an access request for a data structure related to a secure entity in a secure domain of the computer system. The secure interface control can check for a virtual storage address associated with a location of the data structure. The secure interface control can request an address translation using a virtual address space of a non-secure entity of the computer system based on determining that the location of the data structure is associated with the virtual storage address. The secure interface control can access the data structure based on a result of the address translation.

Abstract: A method for starting a secure guest includes receiving, by a hypervisor that is executing on a host server, a request to dispatch a virtual machine (VM) on the host server. The VM is dispatched on the host server by the hypervisor. The VM includes a reboot instruction. The reboot instruction is triggered by the hypervisor to restart the VM in a secure mode.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes executing, by a virtual machine that is executing on a host server, a stream of instructions, wherein an instruction from the stream of instructions is to be intercepted to a hypervisor. The method further includes, based on a determination that the virtual machine is a secure virtual machine, preventing the hypervisor from directly accessing any data of the secure virtual machine. The method further includes performing by a secure interface control of the host server, based on a determination that the instruction is not interpretable by the secure interface control itself, extracting one or more parameter data associated with the instruction from the secure virtual machine, and storing the parameter data into a buffer that is accessible by the hypervisor. The instruction is subsequently intercepted into the hypervisor.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes executing, by a virtual machine that is executing on a host server, a stream of instructions, wherein an instruction from the stream of instructions is to be intercepted to a hypervisor. The method further includes, based on a determination that the virtual machine is a secure virtual machine, preventing the hypervisor from directly accessing any data of the secure virtual machine. The method further includes performing by a secure interface control of the host server, based on a determination that the instruction is not interpretable by the secure interface control itself, extracting one or more parameter data associated with the instruction from the secure virtual machine, and storing the parameter data into a buffer that is accessible by the hypervisor. The instruction is subsequently intercepted into the hypervisor.

Abstract: A method is provided by a secure interface control of a computer that provides a partial instruction interpretation for an instruction which enables an interruption. The secure interface control fetches a program status word or a control register value from a secure guest storage. The secure interface control notifies an untrusted entity of guest interruption mask updates. The untrusted entity is executed on and in communication with hardware of the computer through the secure interface control to support operations of a secure entity executing on the untrusted entity. The secure interface control receives, from the untrusted entity, a request to present a highest priority, enabled guest interruption in response to the notifying of the guest interruption mask updates. The secure interface control moves interruption information into a guest prefix page and injecting the interruption in the secure entity when an injection of the interruption is determined to be valid.

Abstract: A method for starting a secure guest includes receiving, by a hypervisor that is executing on a host server, a request to dispatch a virtual machine (VM) on the host server. The VM is dispatched on the host server by the hypervisor. The VM includes a reboot instruction. The reboot instruction is triggered by the hypervisor to restart the VM in a secure mode.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes initiating, by a non-secure entity that is executing on a host server, a secure entity, the non-secure entity prohibited from directly accessing any data of the secure entity. The method further includes injecting, into the secure entity, an interrupt that is generated by the host server. The injecting includes adding, by the non-secure entity, information about the interrupt into a portion of non-secure storage, which is then associated with the secure entity. The injecting further includes injecting, by a secure interface control of the host server, the interrupt into the secure entity.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, at a secure interface control of a computer system, an access request for a data structure related to a secure entity in a secure domain of the computer system. The secure interface control can check for a virtual storage address associated with a location of the data structure. The secure interface control can request an address translation using a virtual address space of a non-secure entity of the computer system based on determining that the location of the data structure is associated with the virtual storage address. The secure interface control can access the data structure based on a result of the address translation.