Abstract: This invention relates to updating an operating system in a hypervisor comprising: determining a new version of a component of the operating system; installing the new component version; measuring an identifying characteristic of the component and making it available to an attestation system; notifying the attestation system that a component has been updated to a new version whereby, when the attestation system finds that the identifying characteristic of the new component does not match a pre-stored attestation value it is aware that a legitimate mis-match could have occurred. The installing of the new version of the component comprises: identifying an updater associated with new version of the component; measuring an identifying characteristic of the identified updater; loading and installing the new version of the component; and making both the identifying measurement of the updater and the new version of the component available to the attestation system.

Abstract: A technique for attesting a plurality of data processing systems includes generating a logical grouping for a data processing system. The logical grouping is associated with a rule that describes a condition that must be met in order for the data processing system to be considered trusted. A list of one or more children associated with the logical grouping is retrieved. The one or more children are attested to determine whether each of the one or more children is trusted. In response to the attesting, the rule is applied to determine whether the condition has been met in order for the data processing system to be considered trusted. A plurality of logical groupings is associated to determine whether an associated plurality of data processing systems can be considered trusted.

Abstract: A technique for attesting a plurality of data processing systems. The method includes: configuring a chain of data processing systems wherein a first data processing system is responsible for retrieving attestation data associated with a second data processing system; sending a request for attestation of the first data processing system; in response to receiving the request, retrieving a list of associated one or more children, wherein the one or more children comprise the second data processing system; retrieving and storing attestation data associated with each child; retrieving and storing attestation data associated with the first data processing system; and sending to the requester a concatenated response containing the attestation data associated with the first and second data processing systems, such that the attestation data associated with the first and second data processing systems can be used to attest the first and second data processing systems, respectively.

Abstract: A system, method, and computer program product for controlling migration of a VM operable on a first site and a second site. The system includes an identify component for identifying the second site; a request component for sending a consent request message to a software component, wherein the consent request message comprises at least one of an identifier of the VM and an identifier of the second site; a calculate component, operable on the software component and responsive to receiving the consent request message, for determining consent for the second site; a send component, responsive to a positive determination, for sending a consent message; and a migrate component, responsive to receiving the consent message, for migrating the VM from the first site to the second site.

Abstract: Attesting a virtual machine that is migrating from a first environment to a second environment includes in response to initiation of migration of the virtual machine from the first environment to the second environment, accessing one or more stored trust values generated during the trusted boot of the virtual machine in the first environment, determining if the accessed trust values define a security setting sufficient for the second environment, and if the accessed trust values do not define a security setting sufficient for the second environment, performing a predetermined action in relation to the migration of the virtual machine to the second environment.

Abstract: A technique for attesting a plurality of data processing systems. The method includes: configuring a chain of data processing systems wherein a first data processing system is responsible for retrieving attestation data associated with a second data processing system; sending a request for attestation of the first data processing system; in response to receiving the request, retrieving a list of associated one or more children, wherein the one or more children comprise the second data processing system; retrieving and storing attestation data associated with each child; retrieving and storing attestation data associated with the first data processing system; and sending to the requester a concatenated response containing the attestation data associated with the first and second data processing systems, such that the attestation data associated with the first and second data processing systems can be used to attest the first and second data processing systems, respectively.

Abstract: An improved architecture for a program code conversion apparatus and method for generating intermediate representations for program code conversion. The program code conversion apparatus determines which types of IR nodes to generate in an intermediate representation (IR) of subject code (10) to be translated. Depending upon the particular subject and target computing environments involved in the conversion, the program code conversion apparatus utilizes either base nodes, complex nodes, polymorphic nodes, and architecture specific nodes, or some combination thereof, in generating the intermediate representation.

Abstract: During program code conversion, such as in a dynamic binary translator, automatic code generation provides target code 21 executable by a target processor 13. Multiple instruction ports 610 disperse a group of instructions to functional units 620 of the processor 13. Disclosed is a mechanism of preparing an instruction group 606 using a plurality of pools 700 having a hierarchical structure 711-715. Each pool represents a different overlapping subset of the issue ports 610. Placing an instruction 600 into a particular pool 700 also reduces vacancies in any one or more subsidiary pools in the hierarchy. In a preferred embodiment, a counter value 702 is associated with each pool 700 to track vacancies. A valid instruction group 606 is formed by picking the placed instructions 600 from the pools 700. The instruction groups are generated accurately and automatically. Decoding errors and stalls are minimized or completely avoided.

Abstract: An improved architecture for a program code conversion apparatus and method for generating intermediate representations for program code conversion. The program code conversion apparatus determines which types of IR nodes to generate in an intermediate representation (IR) of subject code (10) to be translated. Depending upon the particular subject and target computing environments involved in the conversion, the program code conversion apparatus utilizes either base nodes, complex nodes, polymorphic nodes, and architecture specific nodes, or some combination thereof, in generating the intermediate representation.

Abstract: An improved architecture for a program code conversion apparatus and method for generating intermediate representations for program code conversion. The program code conversion apparatus determines which types of IR nodes to generate in an intermediate representation (IR) of subject code (10) to be translated. Depending upon the particular subject and target computing environments involved in the conversion, the program code conversion apparatus utilizes either base nodes, complex nodes, polymorphic nodes, and architecture specific nodes, or some combination thereof, in generating the intermediate representation.

Abstract: An improved architecture for a program code conversion apparatus and method for generating intermediate representations for program code conversion. The program code conversion apparatus determines which types of IR nodes to generate in an intermediate representation (IR) of subject code (10) to be translated. Depending upon the particular subject and target computing environments involved in the conversion, the program code conversion apparatus utilizes either base nodes, complex nodes, polymorphic nodes, and architecture specific nodes, or some combination thereof, in generating the intermediate representation.

Abstract: During program code conversion, such as in a dynamic binary translator, automatic code generation provides target code 21 executable by a target processor 13. Multiple instruction ports 610 disperse a group of instructions to functional units 620 of the processor 13. Disclosed is a mechanism of preparing an instruction group 606 using a plurality of pools 700 having a hierarchical structure 711-715. Each pool represents a different overlapping subset of the issue ports 610. Placing an instruction 600 into a particular pool 700 also reduces vacancies in any one or more subsidiary pools in the hierarchy. In a preferred embodiment, a counter value 702 is associated with each pool 700 to track vacancies. A valid instruction group 606 is formed by picking the placed instructions 600 from the pools 700. The instruction groups are generated accurately and automatically. Decoding errors and stalls are minimised or completely avoided.

Abstract: An improved architecture for a program code conversion apparatus and method for generating intermediate representations for program code conversion. The program code conversion apparatus determines which types of IR nodes to generate in an intermediate representation of subject code to be translated. Depending upon the particular subject and target computing environments involved in the conversion, the program code conversion apparatus utilizes either base nodes, complex nodes, polymorphic nodes, and architecture specific nodes, or some combination thereof, in generating the intermediate representation.