Patents by Inventor David A. Hepkin

David A. Hepkin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10831886
    Abstract: A virtual machine manager facilitates selective code integrity enforcement. A virtual machine manager (or other higher privileged entity) can verify the integrity of code in memory pages, and a virtual processor running in kernel mode executes the code on a memory page only if the virtual machine manager (or other higher privileged entity) has verified the code integrity of that code. However, the virtual machine manager need not verify the integrity of code in memory pages when the virtual processor is running in user mode. Rather, an operating system running on the virtual processor can apply any of a variety of policies (e.g., optionally perform any of a variety of different checks or verifications of the code) to determine whether the code can be executed in user mode.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: November 10, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David A. Hepkin, Kenneth D. Johnson
  • Patent number: 10296413
    Abstract: Techniques for a recovery environment for a virtual machine are described herein. Generally, a recovery environment provides a secure environment in which a damaged virtual machine can undergo repair procedures without compromising the security of the damaged virtual machine. In at least some implementations, a recovery environment represents an instance of a virtual machine that is executed to wrap a damaged virtual machine to enable the damaged virtual machine to be repaired.
    Type: Grant
    Filed: March 2, 2017
    Date of Patent: May 21, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Allen Marshall, Kevin M. Broas, Christopher Warner McCarron, David A. Hepkin, Mathew John
  • Publication number: 20190147160
    Abstract: A virtual machine manager facilitates selective code integrity enforcement. A virtual machine manager (or other higher privileged entity) can verify the integrity of code in memory pages, and a virtual processor running in kernel mode executes the code on a memory page only if the virtual machine manager (or other higher privileged entity) has verified the code integrity of that code. However, the virtual machine manager need not verify the integrity of code in memory pages when the virtual processor is running in user mode. Rather, an operating system running on the virtual processor can apply any of a variety of policies (e.g., optionally perform any of a variety of different checks or verifications of the code) to determine whether the code can be executed in user mode.
    Type: Application
    Filed: January 15, 2019
    Publication date: May 16, 2019
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: David A. Hepkin, Kenneth D. Johnson
  • Patent number: 10198572
    Abstract: A virtual machine manager facilitates selective code integrity enforcement. A virtual machine manager (or other higher privileged entity) can verify the integrity of code in memory pages, and a virtual processor running in kernel mode executes the code on a memory page only if the virtual machine manager (or other higher privileged entity) has verified the code integrity of that code. However, the virtual machine manager need not verify the integrity of code in memory pages when the virtual processor is running in user mode. Rather, an operating system running on the virtual processor can apply any of a variety of policies (e.g., optionally perform any of a variety of different checks or verifications of the code) to determine whether the code can be executed in user mode.
    Type: Grant
    Filed: February 12, 2014
    Date of Patent: February 5, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David A. Hepkin, Kenneth D. Johnson
  • Publication number: 20170322824
    Abstract: An operating system running on a computing device, also referred to herein as a host device, uses containers for hardware resource partitioning. A container can include one or more of various different components, such as a base operating system, a user-mode environment, an application, virtual devices, combinations thereof, and so forth. One or more container templates are maintained for a computing device, and in response to a request to create a new container, a template container is copied into memory of the computing device to create the new container. The template container includes the various components of the container, and these components are copied into memory of the computing device rather than being launched or started one after the other. Thus, time need not be expended starting the various components included in the container—the components are just copied into memory as a new container.
    Type: Application
    Filed: September 29, 2016
    Publication date: November 9, 2017
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Lars Reuther, David A. Hepkin, Kevin M. Broas, John A. Starks, Arun U. Kishan, John J. Richardson, Mehmet Iyigun, Yevgeniy M. Bak
  • Publication number: 20170315859
    Abstract: Techniques for a recovery environment for a virtual machine are described herein. Generally, a recovery environment provides a secure environment in which a damaged virtual machine can undergo repair procedures without compromising the security of the damaged virtual machine. In at least some implementations, a recovery environment represents an instance of a virtual machine that is executed to wrap a damaged virtual machine to enable the damaged virtual machine to be repaired.
    Type: Application
    Filed: March 2, 2017
    Publication date: November 2, 2017
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Allen Marshall, Kevin M. Broas, Christopher Warner McCarron, David A. Hepkin, Mathew John
  • Patent number: 9430642
    Abstract: A virtual machine manager (e.g., hypervisor) implements a virtual secure mode that makes multiple different virtual trust levels available to virtual processors of a virtual machine. Different memory access protections (such as the ability to read, write, and/or execute memory) can be associated with different portions of memory (e.g., memory pages) for each virtual trust level. The virtual trust levels are organized as a hierarchy with a higher level virtual trust level being more privileged than a lower virtual trust level, and programs running in the higher virtual trust level being able to change memory access protections of a lower virtual trust level. The number of virtual trust levels can vary, and can vary for different virtual machines as well as for different virtual processors in the same virtual machine.
    Type: Grant
    Filed: February 21, 2014
    Date of Patent: August 30, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David A. Hepkin, Arun U. Kishan
  • Patent number: 9417899
    Abstract: Memory page de-duplication in a computer system that includes a plurality of virtual machine partitions managed by a hypervisor, where each virtual machine is assigned a different dedicated memory partition, may include: identifying, by the hypervisor, a plurality of identical memory pages in memory of one or more dedicated memory partitions; assigning, by the hypervisor, one of the identical memory pages as a master page; mapping, for each virtual machine having an identical memory page, each of the identical memory pages to the master page; and directing, by the hypervisor, reads of the memory page to the master page.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: August 16, 2016
    Assignee: International Business Machines Corporation
    Inventors: David A. Hepkin, Stuart Z. Jacobs, Bruce Mealey, Naresh Nayar, Wade B. Ouren
  • Patent number: 9342336
    Abstract: Memory page de-duplication in a computer system that includes a plurality of virtual machine partitions managed by a hypervisor, where each virtual machine is assigned a different dedicated memory partition, may include: identifying, by the hypervisor, a plurality of identical memory pages in memory of one or more dedicated memory partitions; assigning, by the hypervisor, one of the identical memory pages as a master page; mapping, for each virtual machine having an identical memory page, each of the identical memory pages to the master page; and directing, by the hypervisor, reads of the memory page to the master page.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 17, 2016
    Assignee: International Business Machines Corporation
    Inventors: David A. Hepkin, Stuart Z. Jacobs, Bruce Mealey, Naresh Nayar, Wade B. Ouren
  • Publication number: 20150082305
    Abstract: A virtual machine manager (e.g., hypervisor) implements a virtual secure mode that makes multiple different virtual trust levels available to virtual processors of a virtual machine. Different memory access protections (such as the ability to read, write, and/or execute memory) can be associated with different portions of memory (e.g., memory pages) for each virtual trust level. The virtual trust levels are organized as a hierarchy with a higher level virtual trust level being more privileged than a lower virtual trust level, and programs running in the higher virtual trust level being able to change memory access protections of a lower virtual trust level. The number of virtual trust levels can vary, and can vary for different virtual machines as well as for different virtual processors in the same virtual machine.
    Type: Application
    Filed: February 21, 2014
    Publication date: March 19, 2015
    Applicant: Microsoft Corporation
    Inventors: David A. Hepkin, Arun U. Kishan
  • Publication number: 20150082304
    Abstract: A virtual machine manager facilitates selective code integrity enforcement. A virtual machine manager (or other higher privileged entity) can verify the integrity of code in memory pages, and a virtual processor running in kernel mode executes the code on a memory page only if the virtual machine manager (or other higher privileged entity) has verified the code integrity of that code. However, the virtual machine manager need not verify the integrity of code in memory pages when the virtual processor is running in user mode. Rather, an operating system running on the virtual processor can apply any of a variety of policies (e.g., optionally perform any of a variety of different checks or verifications of the code) to determine whether the code can be executed in user mode.
    Type: Application
    Filed: February 12, 2014
    Publication date: March 19, 2015
    Applicant: Microsoft Corporation
    Inventors: David A. Hepkin, Kenneth D. Johnson
  • Publication number: 20140281117
    Abstract: Memory page de-duplication in a computer system that includes a plurality of virtual machine partitions managed by a hypervisor, where each virtual machine is assigned a different dedicated memory partition, may include: identifying, by the hypervisor, a plurality of identical memory pages in memory of one or more dedicated memory partitions; assigning, by the hypervisor, one of the identical memory pages as a master page; mapping, for each virtual machine having an identical memory page, each of the identical memory pages to the master page; and directing, by the hypervisor, reads of the memory page to the master page.
    Type: Application
    Filed: March 14, 2013
    Publication date: September 18, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: David A. Hepkin, Stuart Z. Jacobs, Bruce Mealey, Naresh Nayar, Wade B. Ouren
  • Publication number: 20140281118
    Abstract: Memory page de-duplication in a computer system that includes a plurality of virtual machine partitions managed by a hypervisor, where each virtual machine is assigned a different dedicated memory partition, may include: identifying, by the hypervisor, a plurality of identical memory pages in memory of one or more dedicated memory partitions; assigning, by the hypervisor, one of the identical memory pages as a master page; mapping, for each virtual machine having an identical memory page, each of the identical memory pages to the master page; and directing, by the hypervisor, reads of the memory page to the master page.
    Type: Application
    Filed: March 15, 2013
    Publication date: September 18, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: David A. Hepkin, Stuart Z. Jacobs, Bruce Mealey, Naresh Nayar, Wade B. Ouren
  • Patent number: 8607239
    Abstract: Two or more processors that each provides a specified thread to access a shared resource that can only be accessed by one thread at a given time. A locking mechanism enables one of the threads to access the shared resource while other threads are retained in a waiting queue. Responsive to an additional thread that is not one of the specified threads being provided access to the shared resource during an identified time period, and responsive to a first criterion and a second criterion being met, the additional thread accesses the shared resource before the other threads in the waiting queue.
    Type: Grant
    Filed: December 31, 2009
    Date of Patent: December 10, 2013
    Assignee: International Business Machines Corporation
    Inventors: Vaijayanthimala K. Anand, David A. Hepkin, Dirk Michel, Bret R. Olszewski
  • Patent number: 8412691
    Abstract: A method includes atomically reading a next field of a current element of the linked list to determine a first value that encodes a first pointer to the first element and a first indication of an owner of the first element. The first indication of the owner is stored in a first of a plurality of multi-field reservation data structures. The operation includes determining whether the next field of the current element still indicates the first value. The operation includes reading the first element of the linked list via the first pointer if the next field of the current element still indicates the first value. If the next field of the current element indicates a current value different than the first value, the first indication of the owner is removed from the first multi-field reservation data structure, and storing and determining with the second value is repeated.
    Type: Grant
    Filed: September 10, 2010
    Date of Patent: April 2, 2013
    Assignee: International Business Machines Corporation
    Inventors: David A. Hepkin, Stephen B. Peckham
  • Patent number: 8245013
    Abstract: Disclosed is a computer implemented method and computer program product to prioritize paging-in pages in a remote paging device. An arrival machine receives checkpoint data from a departure machine. The arrival machine restarts at least one process corresponding to the checkpoint data. The arrival machine determines whether a page associated with the process is pinned. The arrival machine associates the page to the remote paging device, responsive to a determination that the page is pinned. The arrival machine touches the page.
    Type: Grant
    Filed: October 10, 2008
    Date of Patent: August 14, 2012
    Assignee: International Business Machines Corporation
    Inventors: Perinkulam I. Ganesh, David A. Hepkin, Rajeev Mishra, Mark D. Rogers
  • Patent number: 8200771
    Abstract: In one embodiment a method for migrating a workload from one processing resource to a second processing resource of a computing platform is disclosed. The method can include a command to migrate a workload that is processing and the process can be interrupted and some memory processes can be frozen in response to the migration command. An index table can be created that identifies memory locations that determined where the process was when it is interrupted. Table data, pinned page data, and non-private process data can be sent to the second processing resource. Contained in this data can be restart type data. The second resource or target resource can utilize this data to restart the process without the requirement of bulk data transfers providing an efficient migration process. Other embodiments are also disclosed.
    Type: Grant
    Filed: October 10, 2008
    Date of Patent: June 12, 2012
    Assignee: International Business Machines Corporation
    Inventors: Perinkulam I. Ganesh, David A. Hepkin, Vinit Jain, Rajeev Mishra, Mark D. Rogers
  • Patent number: 8195867
    Abstract: Controlled partition shut-down is provided within a shared memory partition data processing system including a shared memory partition, a paging service partition, a hypervisor and a shared memory pool within physical memory. The hypervisor manages access to logical pages within the pool and page-out of pages from the pool to external paging storage via the paging service partition. A respective paging service stream exists between the paging service partition and hypervisor for each shared memory partition, with each stream including a stream state. The control method includes: responsive to a shut-down initiating event, notifying the paging service partition to shut down, and determining whether a shared memory partition is currently active, and if so, signaling the hypervisor to complete paging activity for the active memory partition and waiting for its stream state to enter a suspended or a completed state before automatically shutting down the paging service partition.
    Type: Grant
    Filed: March 13, 2009
    Date of Patent: June 5, 2012
    Assignee: International Business Machines Corporation
    Inventors: David A. Hepkin, Carol B. Hernandez, Andrew T. Koch, Kyle A. Lucke, Naresh Nayar, Jorge R. Nogueras
  • Publication number: 20120102258
    Abstract: A method of dynamically reallocating memory affinity in a virtual machine after migrating the virtual machine from a source computer system to a destination computer system migrates processor states and resources used by the virtual machine from the source computer system to the destination computer system. The method maps memory of the virtual machine to processor nodes of the destination computer system. The method deletes memory mappings in processor hardware, such as translation lookaside buffers and effective-to-real address tables, for the virtual machine on the destination computer system. The method starts the virtual machine on the destination computer system in virtual real memory mode. A hypervisor running on the destination computer system receives a page fault and virtual address of a page for said virtual machine from a processor of the destination computer system and determines if the page is in local memory of the processor.
    Type: Application
    Filed: October 22, 2010
    Publication date: April 26, 2012
    Applicant: International Business Machines Corporation
    Inventors: David A. Hepkin, Peter J. Heyrman, Bret R. Olszewski
  • Publication number: 20120066192
    Abstract: A method includes atomically reading a next field of a current element of the linked list to determine a first value that encodes a first pointer to the first element and a first indication of an owner of the first element. The first indication of the owner is stored in a first of a plurality of multi-field reservation data structures. The operation includes determining whether the next field of the current element still indicates the first value. The operation includes reading the first element of the linked list via the first pointer if the next field of the current element still indicates the first value. If the next field of the current element indicates a current value different than the first value, the first indication of the owner is removed from the first multi-field reservation data structure, and storing and determining with the second value is repeated.
    Type: Application
    Filed: September 10, 2010
    Publication date: March 15, 2012
    Applicant: International Business Machines Corporation
    Inventors: David A. Hepkin, Stephen B. Peckham