Abstract: Aspects and features include maintaining at least one auxiliary disk image on a computing device. Certain code that is aligned with the base operating system of the computing device resides in and is executed from the auxiliary disk image. In one example, a computing device receives an update asset and uses it to patch the auxiliary disk image. The computing device executes the updated code from the patched disk image without rebooting or otherwise restarting the base operating system. The existing auxiliary disk image may be replaced with the patched disk image in response to a reboot or some other event, or while executing the code in the patched disk image from memory.

Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.

Abstract: Techniques are disclosed for ensuring consistent metadata across computing devices. In one example, a user device of a plurality of user devices receives a manifest that includes first metadata associated with a file system update of a file system of the user device. The user device generates second metadata of the file system based on performing the file system update. The user device then generates a dictionary based on comparing metadata records of the first metadata with metadata records of the second metadata. The dictionary may indicate a difference between at least one metadata record of the first metadata and at least one metadata record of the second metadata. The user device then updates the second metadata of the file system to match the first metadata based at least in part on the difference indicated by the dictionary.

Abstract: Enclosed herein are techniques for securely executing an application. A method can be implemented by an operating system of a computing device, where the computing device includes a file system volume that includes a first data structure, and the method includes the steps of (1) receiving a request to launch the application, where the request references an application archive file that includes a second data structure that: (i) defines an organization of a plurality of files associated with the application, and (ii) includes cryptographic information for verifying the plurality of files and the second data structure; (2) in response to receiving the request: determining whether the second data structure, the plurality of files, or both, are valid using the cryptographic information; and (3) in response to determining that the second data structure, the plurality of files, or both, are valid: associating the second data structure with the first data structure.

Abstract: Techniques are disclosed for ensuring consistent metadata across computing devices. In one example, a user device of a plurality of user devices receives a manifest that includes first metadata associated with a file system update of a file system of the user device. The user device generates second metadata of the file system based on performing the file system update. The user device then generates a dictionary based on comparing metadata records of the first metadata with metadata records of the second metadata. The dictionary may indicate a difference between at least one metadata record of the first metadata and at least one metadata record of the second metadata. The user device then updates the second metadata of the file system to match the first metadata based at least in part on the difference indicated by the dictionary.

Abstract: Representative embodiments set forth herein disclose techniques for implementing improved links between paths of one or more file systems. According to some embodiments, techniques are disclosed for establishing a system volume and a data volume within a container. According to other embodiments, techniques are disclosed for establishing a link from a source path of a system volume within a container to a target path of a data volume within the container. According to yet other embodiments, techniques are disclosed for determining whether to allow a file system operation on a data volume of a container based on at least determining whether a target path is associated with a reference to a source path.

Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.

Abstract: Techniques are disclosed for ensuring consistent metadata across computing devices. In one example, a user device of a plurality of user devices receives a manifest that includes first metadata associated with a file system update of a file system of the user device. The user device generates second metadata of the file system based on performing the file system update. The user device then generates a dictionary based on comparing metadata records of the first metadata with metadata records of the second metadata. The dictionary may indicate a difference between at least one metadata record of the first metadata and at least one metadata record of the second metadata. The user device then updates the second metadata of the file system to match the first metadata based at least in part on the difference indicated by the dictionary.

Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.

Abstract: The embodiments set forth a technique for over-provisioning storage space within a solid-state storage device (SSD). In particular, a file system can (1) receive a first request to create a file, where the first request includes a size for the file, (2) identifying at least one extent that corresponds to storage space within the SSD that satisfies the size for the file, and associating the file with the at least one extent to indicate that the storage space is occupied, (3) receive a second request to cause (i) the file to remain established within the file system, and (ii) the storage space to be marked free within the SSD, and (4) carrying out the second request by causing the storage space to be marked free within the SSD.

Abstract: Representative embodiments set forth herein disclose techniques for implementing improved links between paths of one or more file systems. According to some embodiments, techniques are disclosed for establishing a system volume and a data volume within a container. According to other embodiments, techniques are disclosed for establishing a link from a source path of a system volume within a container to a target path of a data volume within the container. According to yet other embodiments, techniques are disclosed for determining whether to allow a file system operation on a data volume of a container based on at least determining whether a target path is associated with a reference to a source path.

Abstract: A device implementing a system for defragmenting metadata of a filesystem includes a processor configured to, in response to receiving a trigger from a server remote from the device, obtain the metadata from a first data structure, the first data structure comprising a first set of one or more nodes and a second set of one or more nodes, and insert the metadata obtained from the first data structure into a third set of one or more nodes of a second data structure, wherein the third set of one or more nodes omits one or more entries from the second set of nodes. The at least one processor is further configured to, in accordance with a determination that the metadata was successfully inserted into the second data structure, provide the second data structure as a replacement of the first data structure for the filesystem.

Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.

Abstract: Representative embodiments set forth herein disclose techniques for modifying encryption classes of files. According to some embodiments, a technique can include receiving a request to update an encryption configuration of a file from a current encryption class to an updated encryption class. In response, the technique involves obtaining (i) a first class key associated with the current encryption class, and (ii) a second class key associated with the updated encryption class. Next, the technique involves identifying file extents of the file, where each file extent is encrypted by a respective extent key that is encrypted by the first class key. Finally, the technique involves, for each file extent of the file: (i) decrypting the respective extent key using the first class key to produce a decrypted respective extent key, and (ii) encrypting the decrypted respective extent key using the second class key to produce an updated respective extent key.

Abstract: The embodiments set forth a technique for carrying out a backup of data managed at a computing device. According to some embodiments, the technique can include the steps of (1) receiving a request to carry out the backup of the data, (2) in response to the request, generating a current snapshot of the data, (3) identifying, in accordance with the current snapshot of the data, block data of at least one data block to be reflected in the backup of the data, wherein the at least one data block is tagged with an identifier of a file node to which the at least one data block corresponds, and (4) providing information to a storage to cause the block data to be reflected in the backup of the data.

Abstract: This application sets forth a key rolling technique for a file system of a computing device. The key rolling technique allows for files to be transparently re-encrypted in a background process while still allowing applications to access the files being re-encrypted. During re-encryption, at least one file extent of a file is decrypted using a current key for the file extent and re-encrypted using a new key for the file extent. Moreover, the file extent can be relocated to another location in memory during re-encryption to enhance accessibility and crash protection features. Metadata associated with the file can be updated to include information pertaining to both the location of the re-encrypted file extent as well as the new key that can be used to decrypt the re-encrypted file extent. In this manner, the metadata can be used to properly construct a complete file when the file needs to be accessed.

Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.

Abstract: The described embodiments set forth techniques for performing live updates to file system volumes (e.g., operating system (OS) file system volumes) of computing devices through the utilization of snapshots. In particular, the techniques enable a computing device to remain active while a majority of an update process is performed, which eliminates the considerable functional downtime that is normally imposed when implementing conventional update techniques. Moreover, the overall robustness of the update process is enhanced as the techniques described herein reduce the amount of time that is required for the computing device to remain in the above-described specialized update mode.

Abstract: The embodiments set forth a technique for over-provisioning storage space within a solid-state storage device (SSD). In particular, a file system can (1) receive a first request to create a file, where the first request includes a size for the file, (2) identifying at least one extent that corresponds to storage space within the SSD that satisfies the size for the file, and associating the file with the at least one extent to indicate that the storage space is occupied, (3) receive a second request to cause (i) the file to remain established within the file system, and (ii) the storage space to be marked free within the SSD, and (4) carrying out the second request by causing the storage space to be marked free within the SSD.

Abstract: This application relates to a key rolling process for a file system of a computing device. The key rolling process allows for files to be transparently re-encrypted in a background process while still allowing applications to access files being re-encrypted. During re-encryption, a portion of the file is decrypted using a current key for the file and re-encrypted using a new key for the file. During re-encryption, the portion of the file can be relocated to another location in memory. Metadata associated with the file can be updated to include information pertaining to the location of the re-encrypted portion. The metadata can also be updated include information pertaining to how much of the file has been re-encrypted with the new key and how much of the file remains encrypted with the current key.