Patents by Inventor David Alan Hepkin

David Alan Hepkin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240126580
    Abstract: Transparently providing a virtualization feature to an unenlightened guest operating system (OS). A guest partition, corresponding to a virtual machine, is divided into a first guest privilege context and a second guest privilege context. A compatibility component executes within the first guest privilege context, while a guest OS executes within the second guest privilege context. The compatibility component is configured to intercept input/output (I/O) operations associated with the guest OS. Based on the compatibility component intercepting an I/O operation associated with the guest OS, the compatibility component processes the I/O operation using a virtualization feature that is unsupported by the guest OS. Examples of the virtualization feature include accelerated access to a hardware device and virtual machine guest confidentiality.
    Type: Application
    Filed: December 22, 2022
    Publication date: April 18, 2024
    Inventors: Jin LIN, David Alan HEPKIN, Michael Bishop EBERSOL, Matthew David KURJANOWICZ, Aditya BHANDARI, Attilio MAINETTI, Amy Anthony PARISH
  • Publication number: 20240104193
    Abstract: Methods, systems, and computer program products for direct assignment of physical devices to confidential virtual machines (VMs). At a first guest privilege context of a guest partition, a direct assignment of a physical device associated with a host computer system to the guest partition is identified. The guest partition includes the first guest privilege context and a second guest privilege context, which is restricted from accessing memory associated with the first guest privilege context. The guest partition corresponds to a confidential VM, such that a memory region associated with the guest partition is inaccessible to a host operating system. It is determined, based on a policy, that the physical device is allowed to be directly assigned to the guest partition. Communication between the physical device and the second guest privilege context is permitted, such as by exposing the physical device on a virtual bus and/or forwarding an interrupt.
    Type: Application
    Filed: September 26, 2022
    Publication date: March 28, 2024
    Inventors: Jin LIN, Jason Stewart WOHLGEMUTH, Michael Bishop EBERSOL, Aditya BHANDARI, Steven Adrian WEST, Emily Cara CLEMENS, Michael Halstead KELLEY, Dexuan CUI, Attilio MAINETTI, Sarah Elizabeth STEPHENSON, Carolina Cecilia PEREZ-VARGAS, Antoine Jean Denis DELIGNAT-LAVAUD, Kapil VASWANI, Alexander Daniel GREST, Steve Michel PRONOVOST, David Alan HEPKIN
  • Publication number: 20240069943
    Abstract: Data-at-rest protection for virtual machines includes operating a data protection component within a first privilege context of a guest partition, and operating a guest operating system (OS) within a second privilege context of the guest partition. The data protection component participates in data input/output operations of the guest OS. Based on a data output operation of the guest OS, the data protection component applies a first data protection operation to first data associated with the data output operation; and initiates storage of a first result of the first data protection operation to a data storage device. Based on a data input operation of the guest OS, the data protection component applies a second data protection operation to second data associated with the data input operation; and, based on applying the second data protection operation to the second data, communicates an outcome of the data input operation to the guest OS.
    Type: Application
    Filed: August 29, 2022
    Publication date: February 29, 2024
    Inventors: Jin LIN, David Alan HEPKIN, Michael Bishop EBERSOL, Matthew David KURJANOWICZ, Taylor Alan HOPE
  • Patent number: 11875145
    Abstract: A computing system running a host operating system and a virtual machine (VM). The computing system includes at least one device that is directly assigned to the VM. The computing system is configured to execute one or more first VM components and one or more second VM components. The one or more first VM components are configured to manage the one or more second VM components via one or more identification pointers. While the one or more second VM components remain loaded in a system memory, and the directly assigned device remains attached to the VM and remains configured to communicate with the one or more second VM components, the one or more first VM components are shut down and restored.
    Type: Grant
    Filed: December 13, 2022
    Date of Patent: January 16, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Kevin Michael Broas, David Alan Hepkin, Wen Jia Liu, Hadden Mark Hoppert
  • Publication number: 20230401081
    Abstract: Isolating resources of a virtual machine (VM) guest from a host operating system. A computer system receives an acceptance request from a guest partition corresponding to an isolated VM. The acceptance request identifies a guest memory page that is mapped into a guest physical address space of the guest partition, and a memory page visibility class. The computer system determines whether a physical memory page that is mapped to the guest memory page meets the memory page visibility class. The computer system sets a page acceptance indication for the guest memory page from an unaccepted state to an accepted state based on the physical memory page meeting the memory page visibility class.
    Type: Application
    Filed: June 10, 2022
    Publication date: December 14, 2023
    Inventors: Jin LIN, David Alan HEPKIN, Michael Bishop EBERSOL, Stephanie Sumyi LUCK, Jonathan Edward LANGE, Bruce J. SHERWIN, JR., Kevin Michael BROAS, Wen Jia LIU, Xin David ZHANG, Alexander Daniel GREST
  • Publication number: 20230244601
    Abstract: Techniques for computer memory management are disclosed herein. In one embodiment, a method includes, in response to receiving a request for allocation of memory, determining whether the request is for allocation from a first memory region or a second memory region of the physical memory. The first memory region has first memory subregions of a first size, and the second memory region has second memory subregions of a second size larger than the first size of the first memory region. The method further includes, in response to determining that the request for allocation of memory is for allocation from the first or second memory region, allocating a portion of the first or second memory subregions of the first or second memory region, respectively, in response to the request.
    Type: Application
    Filed: February 13, 2023
    Publication date: August 3, 2023
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Yevgeniy M. BAK, Kevin Michael BROAS, David Alan HEPKIN, Landy WANG, Mehmet IYIGUN, Brandon Alec ALLSOP, Arun U. KISHAN
  • Publication number: 20230116221
    Abstract: A computing system running a host operating system and a virtual machine (VM). The computing system includes at least one device that is directly assigned to the VM. The computing system is configured to execute one or more first VM components and one or more second VM components. The one or more first VM components are configured to manage the one or more second VM components via one or more identification pointers. While the one or more second VM components remain loaded in a system memory, and the directly assigned device remains attached to the VM and remains configured to communicate with the one or more second VM components, the one or more first VM components are shut down and restored.
    Type: Application
    Filed: December 13, 2022
    Publication date: April 13, 2023
    Inventors: Kevin Michael BROAS, David Alan HEPKIN, Wen Jia LIU, Hadden Mark HOPPERT
  • Patent number: 11580019
    Abstract: Techniques for computer memory management are disclosed herein. In one embodiment, a method includes, in response to receiving a request for allocation of memory, determining whether the request is for allocation from a first memory region or a second memory region of the physical memory. The first memory region has first memory subregions of a first size, and the second memory region has second memory subregions of a second size larger than the first size of the first memory region. The method further includes, in response to determining that the request for allocation of memory is for allocation from the first or second memory region, allocating a portion of the first or second memory subregions of the first or second memory region, respectively, in response to the request.
    Type: Grant
    Filed: April 17, 2020
    Date of Patent: February 14, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Yevgeniy M. Bak, Kevin Michael Broas, David Alan Hepkin, Landy Wang, Mehmet Iyigun, Brandon Alec Allsop, Arun U. Kishan
  • Patent number: 11531533
    Abstract: A computing system running a host operating system and a virtual machine (VM). The computing system includes at least one device that is directly assigned to the VM. The computing system is configured to execute one or more first VM components and one or more second VM components. The one or more first VM components are configured to manage the one or more second VM components via one or more identification pointers. While the one or more second VM components remain loaded in a system memory, and the directly assigned device remains attached to the VM and remains configured to communicate with the one or more second VM components, the one or more first VM components are shut down and restored.
    Type: Grant
    Filed: April 12, 2021
    Date of Patent: December 20, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Kevin Michael Broas, David Alan Hepkin, Wen Jia Liu, Hadden Mark Hoppert
  • Publication number: 20210326253
    Abstract: Techniques for computer memory management are disclosed herein. In one embodiment, a method includes, in response to receiving a request for allocation of memory, determining whether the request is for allocation from a first memory region or a second memory region of the physical memory. The first memory region has first memory subregions of a first size, and the second memory region has second memory subregions of a second size larger than the first size of the first memory region. The method further includes, in response to determining that the request for allocation of memory is for allocation from the first or second memory region, allocating a portion of the first or second memory subregions of the first or second memory region, respectively, in response to the request.
    Type: Application
    Filed: April 17, 2020
    Publication date: October 21, 2021
    Inventors: Yevgeniy M. Bak, Kevin Michael Broas, David Alan Hepkin, Landy Wang, Mehmet Iyigun, Brandon Alec Allsop, Arun U. Kishan
  • Publication number: 20210232383
    Abstract: A computing system running a host operating system and a virtual machine (VM). The computing system includes at least one device that is directly assigned to the VM. The computing system is configured to execute one or more first VM components and one or more second VM components. The one or more first VM components are configured to manage the one or more second VM components via one or more identification pointers. While the one or more second VM components remain loaded in a system memory, and the directly assigned device remains attached to the VM and remains configured to communicate with the one or more second VM components, the one or more first VM components are shut down and restored.
    Type: Application
    Filed: April 12, 2021
    Publication date: July 29, 2021
    Inventors: Kevin Michael BROAS, David Alan HEPKIN, Wen Jia LIU, Hadden Mark HOPPERT
  • Patent number: 10990374
    Abstract: An operation of a VM running first and second VM components is suspended so that a servicing operation for the VM can be performed. The VM has devices directly attached to it. A state of the first VM components is saved. An identification pointer for the second VM components is saved in a portion of the computing system physical memory without removing any underlying data structures of second VM components from computing system physical hardware. The directly attached devices remain configured as attached to the VM and remain configured to communicate with the VM while the VM is suspended and while the servicing operation is performed. The first VM components are shut down and then restored at the completion of the servicing operation using the saved state. The restored first VM components are reconnected to the second VM components using the identification pointers. The operation of the VM is restored.
    Type: Grant
    Filed: September 14, 2018
    Date of Patent: April 27, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Kevin Michael Broas, David Alan Hepkin, Wen Jia Liu, Hadden Mark Hoppert
  • Patent number: 10649763
    Abstract: The disclosed technology is generally directed to the patching of executing binaries. In one example of the technology, at separate times, a plurality of hot patch requests is received. Each hot patch request of the plurality of hot patch requests includes a corresponding hot patch to hot patch the executing binary. A cardinality of the plurality of hot patch requests is greater than the fixed number of logical patch slots. With the executing binary continuing to execute, each time a request to apply a hot patch to the executing binary is received, the corresponding hot patch is assigned to an inactive logical patch slot of the fixed number of logical patch slots. The corresponding hot patch is executed from the assigned logical patch slot to hot patch the executing binary based on the corresponding hot patch.
    Type: Grant
    Filed: June 15, 2018
    Date of Patent: May 12, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sai Ganesh Ramachandran, Bruce J. Sherwin, Jr., David Alan Hepkin
  • Patent number: 10621342
    Abstract: Speculative side channels exist when memory is accessed by speculatively-executed processor instructions. Embodiments use uncacheable memory mappings to close speculative side channels that could allow an unprivileged execution context to access a privileged execution context's memory. Based on allocation of memory location(s) to the unprivileged execution context, embodiments map these memory location(s) as uncacheable within first page table(s) corresponding to the privileged execution context, but map those same memory locations as cacheable within second page table(s) corresponding to the unprivileged execution context. This prevents a processor from carrying out speculative execution of instruction(s) from the privileged execution context that access any of this memory allocated to the unprivileged execution context, due to the unprivileged execution context's memory being mapped as uncacheable for the privileged execution context.
    Type: Grant
    Filed: November 2, 2017
    Date of Patent: April 14, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Kenneth D. Johnson, Sai Ganesh Ramachandran, Xin David Zhang, Arun Upadhyaya Kishan, David Alan Hepkin
  • Publication number: 20200089484
    Abstract: An operation of a VM running first and second VM components is suspended so that a servicing operation for the VM can be performed. The VM has devices directly attached to it. A state of the first VM components is saved. An identification pointer for the second VM components is saved in a portion of the computing system physical memory without removing any underlying data structures of second VM components from computing system physical hardware. The directly attached devices remain configured as attached to the VM and remain configured to communicate with the VM while the VM is suspended and while the servicing operation is performed. The first VM components are shut down and then restored at the completion of the servicing operation using the saved state. The restored first VM components are reconnected to the second VM components using the identification pointers. The operation of the VM is restored.
    Type: Application
    Filed: September 14, 2018
    Publication date: March 19, 2020
    Inventors: Kevin Michael BROAS, David Alan HEPKIN, Wen Jia LIU, Hadden Mark HOPPERT
  • Patent number: 10540199
    Abstract: In a virtual computing environment, a system configured to switch between isolated virtual contexts. A system includes a physical processor. The physical processor includes an instruction set architecture. The instruction set architecture includes an instruction included in the instruction set architecture for the physical processor that when invoked indicates that a virtual processor implemented using the physical processor should switch directly from a first virtual machine context to a second virtual machine context. The first and second virtual machine contexts are isolated from each other.
    Type: Grant
    Filed: March 12, 2018
    Date of Patent: January 21, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: David Alan Hepkin
  • Publication number: 20190384591
    Abstract: The disclosed technology is generally directed to the patching of executing binaries. In one example of the technology, at separate times, a plurality of hot patch requests is received. Each hot patch request of the plurality of hot patch requests includes a corresponding hot patch to hot patch the executing binary. A cardinality of the plurality of hot patch requests is greater than the fixed number of logical patch slots. With the executing binary continuing to execute, each time a request to apply a hot patch to the executing binary is received, the corresponding hot patch is assigned to an inactive logical patch slot of the fixed number of logical patch slots. The corresponding hot patch is executed from the assigned logical patch slot to hot patch the executing binary based on the corresponding hot patch.
    Type: Application
    Filed: June 15, 2018
    Publication date: December 19, 2019
    Inventors: Sai Ganesh RAMACHANDRAN, Bruce J. SHERWIN, JR., David Alan HEPKIN
  • Publication number: 20190130102
    Abstract: Speculative side channels exist when memory is accessed by speculatively-executed processor instructions. Embodiments use uncacheable memory mappings to close speculative side channels that could allow an unprivileged execution context to access a privileged execution context's memory. Based on allocation of memory location(s) to the unprivileged execution context, embodiments map these memory location(s) as uncacheable within first page table(s) corresponding to the privileged execution context, but map those same memory locations as cacheable within second page table(s) corresponding to the unprivileged execution context. This prevents a processor from carrying out speculative execution of instruction(s) from the privileged execution context that access any of this memory allocated to the unprivileged execution context, due to the unprivileged execution context's memory being mapped as uncacheable for the privileged execution context.
    Type: Application
    Filed: November 2, 2017
    Publication date: May 2, 2019
    Inventors: Kenneth D. JOHNSON, Sai Ganesh RAMACHANDRAN, Xin David ZHANG, Arun Upadhyaya KISHAN, David Alan HEPKIN
  • Publication number: 20180196692
    Abstract: In a virtual computing environment, a system configured to switch between isolated virtual contexts. A system includes a physical processor. The physical processor includes an instruction set architecture. The instruction set architecture includes an instruction included in the instruction set architecture for the physical processor that when invoked indicates that a virtual processor implemented using the physical processor should switch directly from a first virtual machine context to a second virtual machine context. The first and second virtual machine contexts are isolated from each other.
    Type: Application
    Filed: March 12, 2018
    Publication date: July 12, 2018
    Inventor: David Alan Hepkin
  • Patent number: 9928094
    Abstract: In a virtual computing environment, a system configured to switch between isolated virtual contexts. A system includes a physical processor. The physical processor includes an instruction set architecture. The instruction set architecture includes an instruction included in the instruction set architecture for the physical processor that when invoked indicates that a virtual processor implemented using the physical processor should switch directly from a first virtual machine context to a second virtual machine context. The first and second virtual machine contexts are isolated from each other.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: March 27, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: David Alan Hepkin