Patents by Inventor David Kaplan

David Kaplan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250130844
    Abstract: A security framework for virtual machines is described. In one or more implementations, a hardware platform comprises physical computer hardware, the physical computer hardware including one or more processing units and one or more memories. The system also includes a virtual machine monitor configured to virtualize the physical computer hardware of the hardware platform to instantiate a plurality of framework-secure virtual machines. Further, the system includes a root framework-secure virtual machine instantiated by the virtual machine monitor. In accordance with the described techniques, the root framework-secure virtual machine is configured to control access to the hardware platform by the framework-secure virtual machines instantiated by the virtual machine monitor.
    Type: Application
    Filed: October 24, 2024
    Publication date: April 24, 2025
    Applicant: Advanced Micro Devices, Inc.
    Inventors: Reshma Lal, David A. Kaplan, Jelena Ilic
  • Publication number: 20250130958
    Abstract: Root-trusted guest memory page management is described. A root-trusted guest is loaded by a hardware platform and authenticated. The root-trusted guest is configured to manage memory operations of different guests via special privileges that permit the root-trusted guest to execute memory operations using a guest's private memory page. To do so, a guest page table includes a novel “T-bit” in each entry, which indicates whether the root-trusted guest or a different guest owns the associated memory page. Each entry in the guest page table for the root-trusted guest additionally includes a “C-bit” that indicates whether the corresponding memory page is a protected page. Combined C-bit and T-bit values for a page table entry dictate whether operations performed as part of handling a guest's memory request are offloaded from the hardware platform to the root-trusted guest.
    Type: Application
    Filed: October 24, 2024
    Publication date: April 24, 2025
    Applicant: Advanced Micro Devices, Inc.
    Inventors: Reshma Lal, David A. Kaplan, Jelena Ilic
  • Patent number: 12187796
    Abstract: The present disclosure provides binding agents, such as antibodies, that specifically bind ILT3, including human ILT3, as well as compositions comprising the binding agents, and methods of their use. The disclosure also provides related polynucleotides and vectors encoding the binding agents and cells comprising the binding agents.
    Type: Grant
    Filed: August 2, 2023
    Date of Patent: January 7, 2025
    Assignee: NGM Biopharmaceuticals, Inc.
    Inventors: Suzanne Christine Crawley, Jer-Yuan Hsu, Daniel David Kaplan, Betty Chan Li, Vicky Yi-Bing Lin, Seth Malmersjö, Kevin James Paavola, Julie Michelle Roda, Yan Wang
  • Publication number: 20240327793
    Abstract: The present disclosure relates to cell cultured adipose tissue. In one embodiment, the cultured adipose tissue is produced by culturing adipose cells in a culture media in vitro, harvesting the adipose cells after a desired amount of adipose cells are produced, and aggregating the harvested adipose cells to provide the cultured adipose tissue. In some embodiments, aggregating the harvested adipose cells comprises mixing the harvested adipose cells with a hydrogel or binder in a three-dimensional (3D) mold. In other embodiments, aggregating the harvested adipose cells comprises cross-linking the harvested adipose cells in a 3D mold. The cultured adipose tissue has a defined 3D shape and a size on the macroscale. In some embodiments, the cultured adipose tissue may be a food product.
    Type: Application
    Filed: August 5, 2022
    Publication date: October 3, 2024
    Inventors: David Kaplan, John Se Kit Yuen
  • Publication number: 20240311167
    Abstract: A processor includes a virtual machine manager (VMM) configured to map a guest process address space identifier (PASID) associated with a virtual machine (VM) to a host PASID associated with a host machine of the VM. The processor further includes a processor core configured to maintain, responsive to the guest PASID being mapped to the host PASID, an entry in a PASID reverse mapping table (PMP) including one or more security attributes associated with the host PASID.
    Type: Application
    Filed: March 16, 2023
    Publication date: September 19, 2024
    Inventors: Jeremy W. Powell, David Kaplan
  • Publication number: 20240289151
    Abstract: A processor configured to execute one or more virtual machines (VMs) includes an input-output memory management unit (IOMMU) configured to handle memory-mapped input-output (MMIO) requests and direct memory access (DMA) requests from a processor core of the processor or one or more input/output (I/O) devices. In response to receiving an MMIO or DMA request, the IOMMU is configured to determine a VM associated with the request. The IOMMU then checks a security indicator field of an address space identifier (ASID) mask table to determine if the VM was previously the target of an attack by a malicious entity. In response to the VM previously being a target of an attack, the IOMMU denies the received MMIO or DMA request.
    Type: Application
    Filed: February 24, 2023
    Publication date: August 29, 2024
    Inventors: Philip Ng, Nippon Raval, Jeremy W. Powell, Donald Matthews, JR., David Kaplan
  • Publication number: 20240289150
    Abstract: A processor includes a security processor and an input-output memory management unit (IOMMU). The security processor is configured to maintain device control information in a secure data structure and prevent a hypervisor from accessing the secure data structure. The IOMMU is configured to process at least one device request targeting a virtual machine from an input/output device based on the secure data structure.
    Type: Application
    Filed: February 24, 2023
    Publication date: August 29, 2024
    Inventors: Philip Ng, Nippon Raval, Jeremy W. Powell, Donald Matthews, JR., David Kaplan
  • Publication number: 20240253966
    Abstract: Systems and devices for cooling and dispensing a beverage fluid are disclosed herein. One beverage dispensing system includes a beverage tower comprising a tower body, a shank, and a faucet. In some implementations, a coolant line is routed proximal to a beverage supply line through the tower body, through the shank, and into the faucet. In these and other implementations, the faucet includes a removable nozzle having a supplemental portion of the coolant line. In these and still other implementations, the faucet includes a removable nozzle having a second coolant line. The coolant line and the second coolant line are configured to transport a coolant medium proximal to a beverage fluid in the beverage supply line to maintain or adjust the temperature of the beverage fluid. Many other features are described herein.
    Type: Application
    Filed: April 8, 2024
    Publication date: August 1, 2024
    Inventors: David Kaplan, David Zhang, Marcus Alan Latham, Robert Miles Blackmore
  • Publication number: 20240220296
    Abstract: A processor manages memory-mapped input/output (MMIO) accesses, in secure fashion, at an input/output memory management unit (IOMMU). The processor is configured to ensure that, for a given MMIO request issued by a processor core and associated with a particular executing VM, the request is targeted to a MMIO address that has been assigned to the VM by a security module (e.g., a security co-processor). The processor thus prevents a malicious entity from accessing confidential information of a VM via MMIO requests.
    Type: Application
    Filed: December 29, 2022
    Publication date: July 4, 2024
    Inventors: Philip Ng, Nippon Raval, Jeremy W. Powell, Donald Matthews, JR., David Kaplan
  • Publication number: 20240220603
    Abstract: A processing system includes a memory configured to store encrypted information representing state and control information for a guest virtual machine. The processing system further includes a processor configured to selectively reserve exclusive use of a set of performance monitoring counters by the guest virtual machine during execution of the guest virtual machine based on a state of a first control field accessed from the encrypted information for the guest virtual machine. The processor further is configured to permit or deny use of the set of performance monitoring counters by the guest virtual machine based on a state of a second control field set by a hypervisor and accessed from the decryption of the encrypted information for the guest virtual machine accessed from the memory.
    Type: Application
    Filed: December 29, 2022
    Publication date: July 4, 2024
    Inventors: David Kaplan, Ruchir Dalal
  • Publication number: 20240220295
    Abstract: A processor supports programmable control, by a trusted layer of a virtual machine (VM), of the interception of events at the processor. The trusted layer of the VM programs security control information (e.g., a control register or other control structure) that designates particular events that are to be intercepted when triggered by another layer of the VM. In response to detecting a designated event, system hardware intercepts the event, rather than executing the event. The VM is thereby able to protect confidential information and program behavior without relying on a hypervisor, thus improving overall system security.
    Type: Application
    Filed: December 29, 2022
    Publication date: July 4, 2024
    Inventors: David Kaplan, Jelena Ilic
  • Publication number: 20240220417
    Abstract: A computing device comprises a processor, a table walker, and a memory storing a segmented reverse map table in multiple non-contiguous portions of the memory. The table walker is configured to translate a virtual memory address specified by a memory access request to a physical memory address associated with the virtual memory address; and provide a requester associated with the memory access request with access to the associated physical memory address in response to an indication at the reverse map table that the requester is authorized to access the associated physical memory address.
    Type: Application
    Filed: December 29, 2022
    Publication date: July 4, 2024
    Inventors: David Kaplan, Jelena Ilic, Nippon Raval, Philip Ng
  • Publication number: 20240220429
    Abstract: A processor supports managing DMA accesses, in secure fashion, at an IOMMU. The IOMMU is configured to ensure that, for a given DMA request issued by an I/O device and associated with a particular executing VM, the device is bound to the VM according to a specified security registration process, and the request is targeted to a region of memory that has been assigned to the VM. The IOMMU thus prevents a malicious entity from accessing confidential information of a VM via DMA requests.
    Type: Application
    Filed: December 29, 2022
    Publication date: July 4, 2024
    Inventors: Philip Ng, Nippon Raval, Jeremy W. Powell, Donald Matthews, JR., David Kaplan
  • Publication number: 20240220297
    Abstract: Techniques for implementing programmable control by a guest virtual machine (VM) of interrupts at a processing system using a guest owned backing page are disclosed. The VM programs a guest owned backing page (e.g., a data structure in memory) that designates particular interrupts that are to be blocked. In response to detecting a designated interrupt, system hardware or software blocks the interrupt, rather than executing an interrupt handler to process the interrupt. The VM is thereby able to protect confidential information and program behavior with less risk of a malicious hypervisor failing to protect the VM from, e.g., unexpected or unwanted interrupts, thereby improving overall system security and predictability.
    Type: Application
    Filed: December 29, 2022
    Publication date: July 4, 2024
    Inventors: David Kaplan, Jelena Ilic, Nippon Raval, Philip Ng
  • Publication number: 20240220298
    Abstract: A security module of a processor manages the lifecycle of device interfaces of input/output (I/O) devices within a virtualization environment in a secure and trusted manner. For example, the security module is configured to bind a device interface of an I/O device interface to a virtual machine (VM). Responsive to the device interface being bound, the security module is configured to attest at least one of the device interface and the I/O device. Responsive to the at least one of the device interface or the I/O device being attested, the security module is configured to configure an input-output memory management unit (IOMMU) and memory resources associated with the VM.
    Type: Application
    Filed: December 29, 2022
    Publication date: July 4, 2024
    Inventors: Jeremy W. Powell, David Kaplan
  • Publication number: 20240202289
    Abstract: An electronic device includes a memory and controller circuitry. The controller circuitry, responsive to a read request to read encrypted data stored in the memory, acquires, from metadata stored with the encrypted data in the memory, an ownership identifier identifying a type of writing entity that stored the encrypted data in the memory. The controller circuitry uses the ownership identifier to control whether, when responding to the read request, data decrypted from the encrypted data is returned or substitute data is returned instead of data decrypted from the encrypted data.
    Type: Application
    Filed: December 14, 2022
    Publication date: June 20, 2024
    Inventors: David Kaplan, Kedarnath Balakrishnan
  • Publication number: 20240193292
    Abstract: A processing system receives graph object data and graph object metadata. The processing system stores the graph object metadata inline with the graph object data. The graph object metadata indicates access permissions for corresponding graph objects. Because the graph object metadata is stored inline with the graph object data, the graph object metadata is more easily retrieved and fewer system resources are consumed to determine access permissions of a requester as compared to a system where graph object metadata is stored separately from the graph object data.
    Type: Application
    Filed: June 22, 2023
    Publication date: June 13, 2024
    Inventors: Jagadish B. Kotra, David Kaplan, Kishore Punniyamurthy, Alexander Toufic Freij
  • Publication number: 20240176638
    Abstract: A processing system executing a virtual machine (VM) in a confidential computing environment selectively randomizes the values of registers before the register values are encrypted to ciphertext and written to a secure region of memory upon the VM exiting execution at a processor of the processing system. When the VM later resumes executing at the processor, the processor de-randomizes the register values. By randomizing the register values, the processor obfuscates the register values from a hypervisor or physical attack, thereby protecting against side channel attacks on the encrypted ciphertext.
    Type: Application
    Filed: November 29, 2022
    Publication date: May 30, 2024
    Inventors: David Kaplan, Jelena Ilic, Jeremy W. Powell
  • Patent number: 11981556
    Abstract: Systems and devices for cooling and dispensing a beverage fluid are disclosed herein. One beverage dispensing system includes a beverage tower comprising a tower body, a shank, and a faucet. In some implementations, a coolant line is routed proximal to a beverage supply line through the tower body, through the shank, and into the faucet. In these and other implementations, the faucet includes a removable nozzle having a supplemental portion of the coolant line. In these and still other implementations, the faucet includes a removable nozzle having a second coolant line. The coolant line and the second coolant line are configured to transport a coolant medium proximal to a beverage fluid in the beverage supply line to maintain or adjust the temperature of the beverage fluid. Many other features are described herein.
    Type: Grant
    Filed: May 12, 2021
    Date of Patent: May 14, 2024
    Assignee: TAPHANDLES LLC
    Inventors: David Kaplan, David Zhang, Marcus Alan Latham, Robert Miles Blackmore
  • Publication number: 20240125387
    Abstract: Gasket assemblies and related systems and methods. An apparatus includes a system, a flow cell, and a plurality of gasket assemblies. The system includes a flow cell interface and the flow cell has one or more channels. Each channel has a first channel opening and a second channel opening. The first channel openings are positioned at a first end of the flow cell and the second channel openings are positioned at a second end of the flow cell. A gasket assembly is coupled at each second channel opening. Each gasket assembly includes an adhesive stack and a gasket. The adhesive stack includes a first side bonded to the gasket and a second side bonded to the flow cell. The flow cell interface is engageable with the corresponding gaskets to establish a fluidic coupling between the system and the flow cell.
    Type: Application
    Filed: December 28, 2023
    Publication date: April 18, 2024
    Inventors: Ashish Kumar, James Osmus, David Kaplan, Richard Lemoine