Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, at a secure interface control of a computer system, an access request for a data structure related to a secure entity in a secure domain of the computer system. The secure interface control can check for a virtual storage address associated with a location of the data structure. The secure interface control can request an address translation using a virtual address space of a non-secure entity of the computer system based on determining that the location of the data structure is associated with the virtual storage address. The secure interface control can access the data structure based on a result of the address translation.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving a secure access request for a secure page of memory at a secure interface control of a computer system. The secure interface control can check a disable virtual address compare state associated with the secure page. The secure interface control can disable a virtual address check in accessing the secure page to support mapping of a plurality of virtual addresses to a same absolute address to the secure page based on the disable virtual address compare state being set and/or to support secure pages that are accessed using an absolute address and do not have an associated virtual address.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving a query for an amount of storage in memory of a computer system to be donated to a secure interface control of the computer system. The secure interface control can determine the amount of storage to be donated based on a plurality of secure entities supported by the secure interface control as a plurality of predetermined values. The secure interface control can return a response to the query indicative of the amount of storage as a response to the query. A donation of storage to secure for use by the secure interface control can be received based on the response to the query.

Abstract: A virtual machine is dispatched and based on the dispatch, a determination is made as to whether a select area of memory expected to be accessible to the virtual machine and used in communication between the virtual machine and an operating system is accessible to the virtual machine. Based on determining that the select area of memory is inaccessible to the virtual machine, virtual machine execution is exited with a select interception code.

Abstract: A computer-implemented method includes identifying two or more memory locations and referencing, by a memory access request, the two or more memory locations. The memory access request is a single action pursuant to a memory protocol. The computer-implemented method further includes sending the memory access request from one or more processors to a node and fetching, by the node, data content from each of the two or more memory locations. The computer-implemented method further includes packaging, by the node, the data content from each of the two or more memory locations into a memory package, and returning the memory package from the node to the one or more processors. A corresponding computer program product and computer system are also disclosed.

Abstract: An computer-implemented method according to examples includes receiving, by a secure interface control of a computing system, a request by a requestor to access a page in a memory of the computing system. The method further includes, responsive to determining that the requestor is a non-secure requestor and responsive to a secure-storage bit being set, prohibiting access to the page without performing an authorization check. The method further includes, responsive to determining that the requestor is a secure requestor, performing the authorization check.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes enabling, by a secure interface control of a computer system, a non-secure entity of the computer system to access a page of memory shared between the non-secure entity and a secure domain of the computer system based on the page being marked as non-secure with a secure storage protection indicator of the page being clear. The secure interface control can verify that the secure storage protection indicator of the page is clear prior to allowing the non-secure entity to access the page. The secure interface control can provide a secure entity of the secure domain with access to the page absent a check of the secure storage protection indicator of the page.

Abstract: A method for testing storage protection hardware includes receiving by a non-trusted entity that is executing on a host server, a request to dispatch a secure entity. It is determined, by a secure interface control of the host server, whether the host server is in an auxiliary-secure (AS) debug mode for testing an AS entity. Based on determining that the host server is in the AS debug mode, a secure guest entity state is loaded from a state descriptor for the secure entity into an AS entity state in hardware to test, upon dispatch of the secure entity, accesses to pages in a memory that are registered as secure and as belonging to the AS entity.

Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.

Abstract: Secure processing within a computing environment is provided by incrementally decrypting a secure operating system image, including receiving, for a page of the secure operating system image, a page address and a tweak value used during encryption of the page. Processing determines that the tweak value has not previously been used during decryption of another page of the secure operating system image, and decrypts memory page content at the page address using an image encryption key and the tweak value to facilitate obtaining a decrypted secure operating system image. Further, integrity of the secure operating system image is verified, and based on verifying integrity of the secure operating system image, execution of the decrypted secure operating system image is started.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes initiating, by a non-secure entity that is executing on a host server, a secure entity, the non-secure entity prohibited from directly accessing any data of the secure entity. The method further includes injecting, into the secure entity, an interrupt that is generated by the host server. The injecting includes adding, by the non-secure entity, information about the interrupt into a portion of non-secure storage, which is then associated with the secure entity. The injecting further includes injecting, by a secure interface control of the host server, the interrupt into the secure entity.

Abstract: A method is provided by a secure interface control of a computer that provides a partial instruction interpretation for an instruction which enables an interruption. The secure interface control fetches a program status word or a control register value from a secure guest storage. The secure interface control notifies an untrusted entity of guest interruption mask updates. The untrusted entity is executed on and in communication with hardware of the computer through the secure interface control to support operations of a secure entity executing on the untrusted entity. The secure interface control receives, from the untrusted entity, a request to present a highest priority, enabled guest interruption in response to the notifying of the guest interruption mask updates. The secure interface control moves interruption information into a guest prefix page and injecting the interruption in the secure entity when an injection of the interruption is determined to be valid.

Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.

Abstract: A method is provided. A secure interface control in communication with an untrusted entity perform the method. In this regard, the secure interface control implements an initialization instruction to set donated storage as secure. The implementing of the initialization instruction is responsive to an instruction call issued from the untrusted entity.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, at a secure interface control of a computer system, an access request for a data structure related to a secure entity in a secure domain of the computer system. The secure interface control can check for a virtual storage address associated with a location of the data structure. The secure interface control can request an address translation using a virtual address space of a non-secure entity of the computer system based on determining that the location of the data structure is associated with the virtual storage address. The secure interface control can access the data structure based on a result of the address translation.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving a request from a requestor, to access a page of memory. The requestor is either a secure entity of a computer system or a secure interface control of the computer system. The request is tagged as a secure request from a secure domain of the computer system. It is verified that the request is making an access to a page that is both registered as secure and registered as belonging to the secure domain. The requestor is provided access to the page based at least in part on the page being registered as secure and as belonging to the secure domain. The requestor is prevented from accessing the page, based on one or both of the page not being registered as secure, and the page not being registered as belonging to the secure domain.

Abstract: A method, system, and computer program product are provided for prioritizing transactions. A processor in a computing environment initiates the execution of a transaction. The processor includes a transactional core, and the execution of the transaction is performed by the transactional core. The processor obtains concurrent with the execution of the transaction by the transactional core, an indication of a conflict between the transaction and at least one other transaction being executed by an additional core in the computing environment. The processor determines if the transactional core includes an indicator and based on determining that the transactional core includes an indicator, the processor ignores the conflict and utilizing the transactional core to complete executing the transaction.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, at a secure interface control of a computer system, an access request for a data structure related to a secure entity in a secure domain of the computer system. The secure interface control can check for a virtual storage address associated with a location of the data structure. The secure interface control can request an address translation using a virtual address space of a non-secure entity of the computer system based on determining that the location of the data structure is associated with the virtual storage address. The secure interface control can access the data structure based on a result of the address translation.

Abstract: A system and method of executing a plurality of threads, including a first thread and a set of remaining threads, on a computer processor core. The system and method includes determining that a start interpretive execution exit condition exists; determining that the computer processor core is within a grace period; and entering by the first thread a start interpretive execution exit sync loop without signaling to any of the set of remaining threads. In turn, the first thread remains in the start interpretive execution exit sync loop until the grace period expires or each of the remaining threads enters a corresponding start interpretive execution exit sync loop.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving a query for an amount of storage in memory of a computer system to be donated to a secure interface control of the computer system. The secure interface control can determine the amount of storage to be donated based on a plurality of secure entities supported by the secure interface control as a plurality of predetermined values. The secure interface control can return a response to the query indicative of the amount of storage as a response to the query. A donation of storage to secure for use by the secure interface control can be received based on the response to the query.