Abstract: A method and system for transparent secure interception handling is provided. The method and system include deploying a virtual machine (VM) in an environment comprising a hypervisor and a firmware. The method and system include providing buffers in response to deploying the VM, and include executing VM instructions. The method and system include intercepting VM instructions which require access to instruction data and copying the VM state into a shadow VM state. Furthermore, the instruction data is copied to buffers, and the intercepted VM instruction is executed using the buffer. The method and system also include updating the shadow VM state buffer and the VM data in the VM memory using result data in the buffer in response to the executing of the intercepted VM instruction results. Furthermore execution of the VM instructions is resumed based on a state stored in the shadow VM state buffer.

Abstract: A system and method for sharing services provides for generating one or more trigger conditions associated with a process executable in a source container having a source namespace in a source pod, executing the process in the source container, and when a trigger condition occurs, interrupting the executed process and moving the process into a target pod by switching from the source namespace of the source container to a target namespace of the target pod. The trigger condition may be associated with a service executable in a target container having the target namespace in the target pod.

Abstract: A method includes a trusted component of a host computing system, obtaining, from a client, via a hypervisor of the host, a request to run an instance of a guest image within the hypervisor. The request includes a unique identifier of the guest image, contents of the guest image, and a communication key. The request is encrypted with a request key accessible to the owner and the trusted component and not accessible to the hypervisor. The trusted component generates an authorization request to an authorizing entity of the client requesting authorization for the hypervisor to run the instance. The authorization request includes the unique identifier, a use counter, and a unique challenge. The trusted component encrypts the authorization request with the communication key and communicates the authorization request to the authorizing entity, via the hypervisor.

Abstract: A trusted component commences a debugging session, based on determining that debugging of a virtual machine is to be initiated. The commencing of the debugging session includes generating encryption information to be provided to a client for which debugging is to be performed. The encryption information includes a key that is encrypted and to be used to encrypt a debug request to debug the virtual machine. The trusted component obtains an encrypted debug request indicating one or more operations to be performed to debug the virtual machine. The one or more operations are performed by the trusted component to obtain debugging results for the virtual machine.

Abstract: A system and method for sharing services provides for generating one or more trigger conditions associated with a process executable in a source container having a source namespace in a source pod, executing the process in the source container, and when a trigger condition occurs, interrupting the executed process and moving the process into a target pod by switching from the source namespace of the source container to a target namespace of the target pod. The trigger condition may be associated with a service executable in a target container having the target namespace in the target pod.

Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.

Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.

Abstract: A method includes a trusted component of a host computing system, obtaining, from a client, via a hypervisor of the host, a request to run an instance of a guest image within the hypervisor. The request includes a unique identifier of the guest image, contents of the guest image, and a communication key. The request is encrypted with a request key accessible to the owner and the trusted component and not accessible to the hypervisor. The trusted component generates an authorization request to an authorizing entity of the client requesting authorization for the hypervisor to run the instance. The authorization request includes the unique identifier, a use counter, and a unique challenge. The trusted component encrypts the authorization request with the communication key and communicates the authorization request to the authorizing entity, via the hypervisor.

Abstract: A method includes a trusted component of a host computing system, obtaining, from a client, via a hypervisor of the host, a request to run an instance of a guest image within the hypervisor. The request includes a unique identifier of the guest image, contents of the guest image, and a communication key. The request is encrypted with a request key accessible to the owner and the trusted component and not accessible to the hypervisor. The trusted component generates an authorization request to an authorizing entity of the client requesting authorization for the hypervisor to run the instance. The authorization request includes the unique identifier, a use counter, and a unique challenge. The trusted component encrypts the authorization request with the communication key and communicates the authorization request to the authorizing entity, via the hypervisor.

Abstract: A method and system for transparent secure interception handling is provided. The method and system include deploying a virtual machine (VM) in an environment comprising a hypervisor and a firmware. The method and system include providing buffers in response to deploying the VM, and include executing VM instructions. The method and system include intercepting VM instructions which require access to instruction data and copying the VM state into a shadow VM state. Furthermore, the instruction data is copied to buffers, and the intercepted VM instruction is executed using the buffer. The method and system also include updating the shadow VM state buffer and the VM data in the VM memory using result data in the buffer in response to the executing of the intercepted VM instruction results. Furthermore execution of the VM instructions is resumed based on a state stored in the shadow VM state buffer.

Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.

Abstract: A method and system for transparent secure interception handling is provided. The method and system include deploying a virtual machine (VM) in an environment comprising a hypervisor and a firmware. The method and system include providing buffers in response to deploying the VM, and include executing VM instructions. The method and system include intercepting VM instructions which require access to instruction data and copying the VM state into a shadow VM state. Furthermore, the instruction data is copied to buffers, and the intercepted VM instruction is executed using the buffer. The method and system also include updating the shadow VM state buffer and the VM data in the VM memory using result data in the buffer in response to the executing of the intercepted VM instruction results. Furthermore execution of the VM instructions is resumed based on a state stored in the shadow VM state buffer.

Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.

Abstract: A trusted component commences a debugging session, based on determining that debugging of a virtual machine is to be initiated. The commencing of the debugging session includes generating encryption information to be provided to a client for which debugging is to be performed. The encryption information includes a key that is encrypted and to be used to encrypt a debug request to debug the virtual machine. The trusted component obtains an encrypted debug request indicating one or more operations to be performed to debug the virtual machine. The one or more operations are performed by the trusted component to obtain debugging results for the virtual machine.

Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.

Abstract: A method includes a trusted component of a host computing system, obtaining, from a client, via a hypervisor of the host, a request to run an instance of a guest image within the hypervisor. The request includes a unique identifier of the guest image, contents of the guest image, and a communication key. The request is encrypted with a request key accessible to the owner and the trusted component and not accessible to the hypervisor. The trusted component generates an authorization request to an authorizing entity of the client requesting authorization for the hypervisor to run the instance. The authorization request includes the unique identifier, a use counter, and a unique challenge. The trusted component encrypts the authorization request with the communication key and communicates the authorization request to the authorizing entity, via the hypervisor.

Abstract: A method and system for transparent secure interception handling is provided. The method and system include deploying a virtual machine (VM) in an environment comprising a hypervisor and a firmware. The method and system include providing buffers in response to deploying the VM, and include executing VM instructions. The method and system include intercepting VM instructions which require access to instruction data and copying the VM state into a shadow VM state. Furthermore, the instruction data is copied to buffers, and the intercepted VM instruction is executed using the buffer. The method and system also include updating the shadow VM state buffer and the VM data in the VM memory using result data in the buffer in response to the executing of the intercepted VM instruction results. Furthermore execution of the VM instructions is resumed based on a state stored in the shadow VM state buffer.

Abstract: A computer-implemented method includes receiving a definition of a source guest memory area for utilization by a virtual machine on a source system, wherein the source system includes a source trusted firmware and a source hypervisor. The method restricts write access to the source guest memory area of the virtual machine. The method receives repeatedly a source guest memory page location, content for each of a plurality of source guest memory pages, and an integrity value for each of a plurality of source guest memory page locations. The method receives a global integrity value for integrity values associated with the plurality of source guest memory page locations, wherein a latest integrity values for each of the plurality of source guest memory page locations is utilized. Subsequent to verifying the global integrity value, the method initializes the virtual machine on the source hypervisor.

Abstract: A computer-implemented method includes receiving a definition of a source guest memory area for utilization by a virtual machine on a source system, wherein the source system includes a source trusted firmware and a source hypervisor. The method restricts write access to the source guest memory area of the virtual machine. The method receives repeatedly a source guest memory page location, content for each of a plurality of source guest memory pages, and an integrity value for each of a plurality of source guest memory page locations. The method receives a global integrity value for integrity values associated with the plurality of source guest memory page locations, wherein a latest integrity values for each of the plurality of source guest memory page locations is utilized. Subsequent to verifying the global integrity value, the method initializes the virtual machine on the source hypervisor.

Abstract: A method and system for transparent secure interception handling is provided. The method and system include deploying a virtual machine (VM) in an environment comprising a hypervisor and a firmware. The method and system include providing buffers in response to deploying the VM, and include executing VM instructions. The method and system include intercepting VM instructions which require access to instruction data and copying the VM state into a shadow VM state. Furthermore, the instruction data is copied to buffers, and the intercepted VM instruction is executed using the buffer. The method and system also include updating the shadow VM state buffer and the VM data in the VM memory using result data in the buffer in response to the executing of the intercepted VM instruction results. Furthermore execution of the VM instructions is resumed based on a state stored in the shadow VM state buffer.