Abstract: A processor, circuit and method provide for fast decryption of encrypted program instructions for execution by the processor. A programmable look-up coding is used to decode a field within the instructions. The decoded field for the instructions are recombined with the remaining portion of the same instructions to yield the decoded instructions. The programmable look-up coding can be programmed and controlled by a process executing at a higher privilege level than the program represented by the instructions, so that security against code-modifying attacks is enhanced.

Abstract: A processor, circuit and method provide for fast decryption of encrypted program instructions for execution by the processor. A programmable look-up coding is used to decode a field within the instructions. The decoded field for the instructions are recombined with the remaining portion of the same instructions to yield the decoded instructions. The programmable look-up coding can be programmed and controlled by a process executing at a higher privilege level than the program represented by the instructions, so that security against code-modifying attacks is enhanced.

Abstract: A method, apparatus, and computer instructions for processing instructions by a processing unit. An instruction set is dynamically set for the processing unit using a selected instruction map. The selected instruction map is selected as one being different from a normal instruction map for the processing unit. The instructions are processed at the processor using the instruction set. A set of authorized instructions are encoded using the selected instruction map.

Abstract: A method and apparatus for an independent operating system that prevents certain classes of computer attacks. Instruction decryption is performed on an existing instruction set for a processor. The processor architecture limits the impact on processor execution timing. The instruction execution timing is not altered in the processor core and any additional processing is overlapped into existing operations.

Abstract: A method, apparatus, and computer instructions for managing operating systems. A request from an operating system is received in the multi-partitioned data processing system to register for access to hardware in the multi-partitioned data processing system. The request includes a key code for the operating system. A determination is made as to whether the operating system is an authorized operating system using the key code in response to receiving the request. The operating system is registered if the operating system is the authorized operating system. Otherwise, the operating system is terminated.

Abstract: A system and method to reduce external access to hypervisor interfaces in a computer system, thereby reducing the possibility of attacks. In a preferred embodiment, addresses for calls are used to fill a table, where the addresses are specifically selected for a requesting computer. For example, in one embodiment, a routine searches for the adapter type of a requesting computer and populates the table with calls specific to that type of adapter. Other types of calls are not put in the table. Instead, those calls are replaced by routines that will return an error. In other embodiments, the operating system type is used to determine what addresses are used to populate the table. These and other embodiments are explained more fully below.

Abstract: A method, apparatus, and computer instructions for processing trace data in a logical partitioned data processing system. A partition causing an exception is identified in response to detecting the exception. The partition is one within a set of partitions in the logical partitioned data processing system. The trace data for the identified partition is stored in an error log or other data structure for a machine check interrupt handler.

Abstract: A system and method to reduce external access to hypervisor interfaces in a computer system, thereby reducing the possibility of attacks. In a preferred embodiment, addresses for calls are used to fill a table, where the addresses are specifically selected for a requesting computer. For example, in one embodiment, a routine searches for the adapter type of a requesting computer and populates the table with calls specific to that type of adapter. Other types of calls are not put in the table. Instead, those calls are replaced by routines that will return an error. In other embodiments, the operating system type is used to determine what addresses are used to populate the table. These and other embodiments are explained more fully below.

Abstract: A system and method to reduce external access to hypervisor interfaces in a computer system, thereby reducing the possibility of attacks. In a preferred embodiment, addresses for calls are used to fill a table, where the addresses are specifically selected for a requesting computer. For example, in one embodiment, a routine searches for the adapter type of a requesting computer and populates the table with calls specific to that type of adapter. Other types of calls are not put in the table. Instead, those calls are replaced by routines that will return an error. In other embodiments, the operating system type is used to determine what addresses are used to populate the table. These and other embodiments are explained more fully below.

Abstract: A method, apparatus, and computer instructions for processing instructions by a processing unit. An instruction set is dynamically set for the processing unit using a selected instruction map. The selected instruction map is selected as one being different from a normal instruction map for the processing unit. The instructions are processed at the processor using the instruction set. A set of authorized instructions are encoded using the selected instruction map.

Abstract: A method, apparatus, and computer instructions in a logical partitioned data processing system for managing trace data. A call is received for the trace data from a calling partition within a plurality of partitions in the logical partitioned data processing system. The trace data in a buffer associated with the calling partition to form identified trace data is identified. Only the identified trace data for the calling partition is returned. The trace data for other partitions within the plurality of partitions is not returned to the calling partition.

Abstract: A method for processing instructions by a processing unit. An instruction set is dynamically set for the processing unit using a selected instruction map. The selected instruction map is selected as one being different from a normal instruction map for the processing unit. The instructions are processed at the processor using the instruction set. A set of authorized instructions are encoded using the selected instruction map.

Abstract: A method, apparatus, and computer instructions for managing operating systems. A request from an operating system is received in the multi-partitioned data processing system to register for access to hardware in the multi-partitioned data processing system. The request includes a key code for the operating system. A determination is made as to whether the operating system is an authorized operating system using the key code in response to receiving the request. The operating system is registered if the operating system is the authorized operating system. Otherwise, the operating system is terminated.

Abstract: A method for managing operating systems. A request from an operating system is received in the multi-partitioned data processing system to register for access to hardware in the multi-partitioned data processing system. The request includes a key code for the operating system. A determination is made as to whether the operating system is an authorized operating system using the key code in response to receiving the request. The operating system is registered if the operating system is the authorized operating system. Otherwise, the operating system is terminated.

Abstract: A method, apparatus, and computer instructions for preserving trace data in a logical partitioned data processing system. A call is received from a partition in a plurality of partitions to register a buffer in the partition for the trace data. The call includes a pointer to the buffer. The buffer is associated with a trace routine in platform firmware. The trace routine stores the trace data for calls made by the partition to the platform firmware in the buffer.

Abstract: A method, apparatus, and computer instructions for processing trace data in a logical partitioned data processing system. A partition causing an exception is identified in response to detecting the exception. The partition is one within a set of partitions in the logical partitioned data processing system. The trace data for the identified partition is stored in an error log or other data structure for a machine check interrupt handler.

Abstract: A method, apparatus, and computer instructions for reporting errors occurring in a data processing system. Responsive to an error occurring in a host bridge in the data processing system, a determination is made as to whether a device required for generating an error report is located below the host bridge. Responsive to the device required for generating an error report being located below a host bridge, the host bridge is isolated from other portions of the data processing system, wherein only a processor analyzing the error is able to access the host bridge. An error reporting process is performed. The error reporting process is able to access the host bridge and the device.

Abstract: A interrupt is generated for all processors in a multiprocessor system when a critical datapath experiences an error. Serialization code in the interrupt handling routine for that interrupt suspends all processors except one and places the suspended processors in a waiting queue while the one processor handles the error. After the error has been handled, the remaining processors are allow to execute the interrupt handler, which simply exits detecting no error.

Abstract: A method, apparatus, and computer instructions for processing errors in a hierarchical input/output sub-system having an input/output bridge with a plurality of hardware devices in a level below the bridge. A value is read from a selected register to form a read value in response to detecting an error. The selected register is reset. Each bit in the read value associated with the error is cleared to form a cleared value. The cleared value is written into the selected register such that errors occurring since the register was cleared are preserved. The error registers below the bridge are scanned in response to an absence of an error being detected in a bridge within the input/output sub-system. A determination is made as to whether the error has previously occurred in response to a presence of an error being found by scanning the registers below the bridge. The error is reported in response to an absence of a determination that the error has previously occurred.

Abstract: A hypervisor (management) layer synchronizes use of virtualized input/output (I/O) devices that may regularly be used by multiple partitions of a logically partitioned data processing system by making them callable by any system partition to the hypervisor layer. A partition makes a call to the hypervisor to reserve an I/O resource. If the I/O resource is presently allocated to another partition when a call is made to reserve the resource, the hypervisor rejects the request to reserve the device. If the resource is available, the hypervisor issues a command to the resource to service calls made from the reserving partition. After utilizing the resource as necessary, the reserving partition releases control over the I/O device and sends a notification to hypervisor that it has released the I/O device. Upon release, the I/O device will automatically be available for use by another partition via a call to the hypervisor.