Patents by Inventor Harvey TUCH

Harvey TUCH has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9864708
    Abstract: In a computer system operable at multiple hierarchical privilege levels, a “wait-for-event” (WFE) communication channel between components operating at different privilege levels is established. Initially, a central processing unit (CPU) is configured to “trap” WFE instructions issued by a client, such as an operating system, operating at one privilege level to an agent, such as a hypervisor, operating at a more privileged level. After storing a predefined special sequence in a storage component (e.g., a register), the client executes a WFE instruction. As part of trapping the WFE instruction, the agent reads and interprets the special sequence from the storage component and may respond to the special sequence by storing another special sequence in a storage component that is accessible to the client. Advantageously, a client may leverage this WFE communication channel to safely and reliably detect whether an agent is present.
    Type: Grant
    Filed: December 16, 2014
    Date of Patent: January 9, 2018
    Assignee: VMware, Inc.
    Inventors: Andrei Warkentin, Harvey Tuch
  • Publication number: 20170364379
    Abstract: A method of providing a backdoor interface between software executing in a virtual machine and a hypervisor executing on a computing system that supports the virtual machine includes trapping, at the hypervisor, an exception generated in response to execution of a debug instruction on a central processing unit (CPU) by the software; identifying, by an exception handler of the hypervisor handling the exception, an equivalence between an immediate operand of the debug instruction and a predefined value; and invoking, in response to the equivalence, a backdoor service of the hypervisor using state of at least one register of the CPU as parametric input, the state being set by the software prior to executing the debug instruction.
    Type: Application
    Filed: June 16, 2016
    Publication date: December 21, 2017
    Inventors: Andrei WARKENTIN, Harvey TUCH, Cyprien LAPLACE, Alexander FAINKICHEN
  • Publication number: 20170364365
    Abstract: An example method of initializing a plurality of processors in a hardware platform of a computing device for use by system software executing on the hardware platform includes: parsing a descriptor table that has been loaded into memory from firmware to identify an original boot protocol for initializing at least one secondary processor of the plurality of processors; creating at least one mailbox structure in the memory associated with the at least one secondary processor; causing the at least one secondary processor to execute secondary processor initialization code stored in the memory, the secondary processor initialization code implementing a mailbox-based boot protocol that uses the at least one mailbox structure to initialize the at least one secondary processor; and modifying the descriptor table to identify the mailbox-based boot protocol for initializing the at least one secondary processor in place of the original boot protocol.
    Type: Application
    Filed: June 15, 2016
    Publication date: December 21, 2017
    Inventors: Andrei WARKENTIN, Harvey TUCH, Cyprien LAPLACE, Alexander FAINKICHEN
  • Patent number: 9674174
    Abstract: An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by initiating an SSL handshake with a client certificate request for a client SSL certificate embedded in the configuration profile. Validation against the embedded client SSL certificate implicitly confirms the presence of the configuration profile and validates the content of the configuration profile.
    Type: Grant
    Filed: July 23, 2015
    Date of Patent: June 6, 2017
    Assignee: VMware, Inc.
    Inventors: Harvey Tuch, Mark Zeren, Craig F. Newell
  • Publication number: 20170060613
    Abstract: In an example, a computer system includes a hardware platform and a hypervisor executing on the hardware platform. The hypervisor includes a kernel and a plurality of user-space instances within a user-space above the kernel. Each user-space instance is isolated from each other user-space instance through namespaces. Each user-space instance includes resources confined by hierarchical resource groups. The computer system includes a plurality of virtual hypervisors, where each virtual hypervisor executes in a respective user-space instance of the plurality of user-space instances.
    Type: Application
    Filed: December 29, 2015
    Publication date: March 2, 2017
    Inventors: Andrei WARKENTIN, Harvey TUCH, Cyprien LAPLACE, Alexander FAINKICHEN
  • Publication number: 20170060765
    Abstract: A computer system provides a mechanism for assuring a safe, non-preemptible access to a private data area (PRDA) belonging to a CPU. PRDA accesses generally include obtaining an address of a PRDA and performing operations on the PRDA using the obtained address. Safe, non-preemptible access to a PRDA generally ensures that a context accesses the PRDA of the CPU on which the context is executing, but not the PRDA of another CPU. While a context executes on a first CPU, the context obtains the address of the PRDA. After the context is migrated to a second CPU, the context performs one or more operations on the PRDA belonging to the second CPU using the address obtained while the context executed on the first CPU. In another embodiment, preemption and possible migration of a context from one CPU to another CPU is delayed while a context executes non-preemptible code.
    Type: Application
    Filed: August 28, 2015
    Publication date: March 2, 2017
    Inventors: Cyprien LAPLACE, Harvey TUCH, Andrei WARKENTIN, Adrian DRZEWIECKI
  • Patent number: 9535772
    Abstract: In a computer system operable at multiple hierarchical privilege levels, a “wait-for-event” (WFE) communication channel between components operating at different privilege levels is established. Initially, a central processing unit (CPU) is configured to “trap” WFE instructions issued by a client, such as an operating system, operating at one privilege level to an agent, such as a hypervisor, operating at a more privileged level. After storing a predefined special sequence in a storage component (e.g., a register), the client executes a WFE instruction. As part of trapping the WFE instruction, the agent reads and interprets the special sequence from the storage component and may respond to the special sequence by storing another special sequence in a storage component that is accessible to the client. Advantageously, the client may leverage this WFE communication channel to establish low-overhead watchdog functionality for the client.
    Type: Grant
    Filed: December 16, 2014
    Date of Patent: January 3, 2017
    Assignee: VMware, Inc.
    Inventors: Andrei Warkentin, Harvey Tuch
  • Publication number: 20160378543
    Abstract: A method is provided for handling interrupts in a processor, the interrupts including regular interrupts having a range of priorities and a pseudo non-maskable interrupt (PNMI) that is of a higher priority than any of the regular interrupts. The method includes the steps of obtaining an interrupt vector corresponding to a received interrupt, and if the received interrupt is a regular interrupt, enabling interrupts in the processor so that a PNMI can be received while handling the regular interrupt, executing a regular interrupt handler using the interrupt vector, and disabling interrupts in the processor. On the other hand, if the received interrupt is a PNMI, a PNMI interrupt handler is executed using the interrupt vector as an input thereto.
    Type: Application
    Filed: October 7, 2015
    Publication date: December 29, 2016
    Inventors: ANDREI WARKENTIN, Irfan Ulla Khan, Cyprien Laplace, Harvey Tuch, Alexander Fainkichen
  • Publication number: 20160378696
    Abstract: Devices are emulated as PCI devices so that existing PCI drivers can be used for the devices. This is accomplished by creating a shim PCI device with an emulated PCI configuration space, accessed via an emulated PCI Extended Configuration Access Mechanism (ECAM) space which is emulated by accesses to trapped unbacked memory addresses. When system software accesses the PCI ECAM space to probe for PCI configuration data or program base address registers of the PCI ECAM space, an exception is raised and the exception is handled by a secure monitor that is executing at a higher privilege level than the system software. The secure monitor in handling the exception emulates the PCI configuration space access of the emulated PCI device corresponding to the ECAM address accessed, such that system software may discover the device and bind and appropriately configure a PCI driver to it with the right IRQ and memory base ranges.
    Type: Application
    Filed: June 29, 2015
    Publication date: December 29, 2016
    Inventors: Andrei WARKENTIN, Harvey TUCH, Alexander FAINKICHEN
  • Publication number: 20160378699
    Abstract: A method is provided for handling interrupts in a processor, the interrupts including regular interrupts having a range of priorities and a pseudo non-maskable interrupt (PNMI) that is of a higher priority than any of the regular interrupts. The method includes obtaining an interrupt vector corresponding to a received interrupt, and if the received interrupt is a PNMI, executing a PNMI interrupt handler. If the received interrupt is a regular interrupt, the method further comprises reading a mask flag that indicates whether regular interrupts are enabled in an interrupt controller and further: if the mask flag indicates that regular interrupts are enabled, enabling interrupts in the processor so that a PNMI can be received while handling the regular interrupt, executing a regular interrupt handler, and disabling interrupts in the processor; and if the mask flag indicates that regular interrupts are disabled, saving the interrupt vector for subsequent handling.
    Type: Application
    Filed: October 7, 2015
    Publication date: December 29, 2016
    Inventors: ANDREI WARKENTIN, IRFAN ULLA KHAN, CYPRIEN LAPLACE, HARVEY TUCH, ALEXANDER FAINKICHEN
  • Patent number: 9489211
    Abstract: A mapping table is passed to system software upon loading of the system software in a computer system. The mapping table is generated from a user-defined configuration file and maps device identifiers of various devices implemented in the computer system, as assigned by the device manufacturers, to device identifiers that are recognizable by the system software. The mapping is used by the system software when it performs binding of device drivers to devices so that devices that have been given generic and sometimes obscure names by the device manufacturers can still be associated with and bound to device drivers loaded by the system software.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: November 8, 2016
    Assignee: VMware, Inc.
    Inventors: Andrei Warkentin, Alexander Fainkichen, Harvey Tuch
  • Patent number: 9465617
    Abstract: A computer system that does not natively support non-maskable interrupts (NMIs) implements NMI-like functionality in a secure monitor. The computer system detects a high priority interrupt and determines whether or not interrupts are enabled or disabled. If interrupts are enabled, the computer system injects an exception into a currently executing thread of system software operating at the second privilege level, and an exception handler processes the exception like a standard exception. If interrupts are disabled, the computer system saves the current system state (e.g., the current program counter and CPU state) and values of one or more exception handling registers in temporary storage and injects an exception into the currently executing thread of the system software, and the exception handler processes the exception in a special manner.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: October 11, 2016
    Assignee: VMware, Inc.
    Inventors: Andrei Warkentin, Harvey Tuch
  • Publication number: 20160291986
    Abstract: A mapping table is passed to system software upon loading of the system software in a computer system. The mapping table is generated from a user-defined configuration file and maps device identifiers of various devices implemented in the computer system, as assigned by the device manufacturers, to device identifiers that are recognizable by the system software. The mapping is used by the system software when it performs binding of device drivers to devices so that devices that have been given generic and sometimes obscure names by the device manufacturers can still be associated with and bound to device drivers loaded by the system software.
    Type: Application
    Filed: March 31, 2015
    Publication date: October 6, 2016
    Inventors: Andrei WARKENTIN, Alexander FAINKICHEN, Harvey TUCH
  • Patent number: 9449169
    Abstract: One embodiment of the present invention provides a system that facilitates storing an image file of a virtual machine on a potentially unprotected flash storage exhibiting sub-optimal non-sequential write performance on a mobile phone. During operation, the system stores in the flash storage data in a log-structured format and in a protected storage meta-data associated with the data stored in the flash storage. The system also checks integrity of the data stored in the flash storage using the meta-data in the protected storage.
    Type: Grant
    Filed: March 26, 2012
    Date of Patent: September 20, 2016
    Assignee: VMware, Inc.
    Inventors: Cyprien Laplace, Harvey Tuch, Kenneth Charles Barr, Craig Farley Newell, Bi Wu, Viktor Gyuris
  • Patent number: 9383935
    Abstract: In a computer system with multiple central processing units (CPUs), initialization of a memory management unit (MMU) for a secondary CPU is performed using an exception generated by the MMU. In general, this technique leverages the exception handling features of the secondary CPU to switch the CPU from executing secondary CPU initialization code with the MMU “off” to executing secondary CPU initialization code with the MMU “on.” Advantageously, in contrast to conventional techniques for MMU initialization, this exception-based technique does not require identity mapping of the secondary CPU initialization code to ensure proper execution of the secondary CPU initialization code.
    Type: Grant
    Filed: December 16, 2014
    Date of Patent: July 5, 2016
    Assignee: VMware, Inc.
    Inventors: Andrei Warkentin, Harvey Tuch
  • Patent number: 9383983
    Abstract: Particular embodiments provide a method to authenticate a user of an application running on a mobile operating system (OS) installed on a mobile device, wherein the mobile OS invokes callback methods of the application upon making changes to an execution state of the application. Code embedded into the application causes the application to communicate with a management agent installed in the mobile OS upon invocation of a hooked callback method. Upon invocation of the hooked callback method, the embedded code assesses whether the user should be provided an authentication challenge prior to enabling the application to run in the foreground, and presents the authentication challenge if necessary. Finally, the embedded code returns execution control from the management agent back to the application wherein the application executes the at least one callback method prior to running in the foreground.
    Type: Grant
    Filed: June 14, 2013
    Date of Patent: July 5, 2016
    Assignee: AirWatch LLC
    Inventors: Perry Hung, Harvey Tuch
  • Publication number: 20160170679
    Abstract: In a computer system with multiple central processing units (CPUs), initialization of a memory management unit (MMU) for a secondary CPU is performed using an exception generated by the MMU. In general, this technique leverages the exception handling features of the secondary CPU to switch the CPU from executing secondary CPU initialization code with the MMU “off” to executing secondary CPU initialization code with the MMU “on.” Advantageously, in contrast to conventional techniques for MMU initialization, this exception-based technique does not require identity mapping of the secondary CPU initialization code to ensure proper execution of the secondary CPU initialization code.
    Type: Application
    Filed: December 16, 2014
    Publication date: June 16, 2016
    Inventors: Andrei WARKENTIN, Harvey TUCH
  • Publication number: 20160170912
    Abstract: In a computer system operable at multiple hierarchical privilege levels, a “wait-for-event” (WFE) communication channel between components operating at different privilege levels is established. Initially, a central processing unit (CPU) is configured to “trap” WFE instructions issued by a client, such as an operating system, operating at one privilege level to an agent, such as a hypervisor, operating at a more privileged level. After storing a predefined special sequence in a storage component (e.g., a register), the client executes a WFE instruction. As part of trapping the WFE instruction, the agent reads and interprets the special sequence from the storage component and may respond to the special sequence by storing another special sequence in a storage component that is accessible to the client. Advantageously, a client may leverage this WFE communication channel to safely and reliably detect whether an agent is present.
    Type: Application
    Filed: December 16, 2014
    Publication date: June 16, 2016
    Inventors: Andrei WARKENTIN, Harvey TUCH
  • Publication number: 20160170816
    Abstract: In a computer system operable at multiple hierarchical privilege levels, a “wait-for-event” (WFE) communication channel between components operating at different privilege levels is established. Initially, a central processing unit (CPU) is configured to “trap” WFE instructions issued by a client, such as an operating system, operating at one privilege level to an agent, such as a hypervisor, operating at a more privileged level. After storing a predefined special sequence in a storage component (e.g., a register), the client executes a WFE instruction. As part of trapping the WFE instruction, the agent reads and interprets the special sequence from the storage component and may respond to the special sequence by storing another special sequence in a storage component that is accessible to the client. Advantageously, the client may leverage this WFE communication channel to establish low-overhead watchdog functionality for the client.
    Type: Application
    Filed: December 16, 2014
    Publication date: June 16, 2016
    Applicant: VMWARE, INC.
    Inventors: Andrei WARKENTIN, Harvey TUCH
  • Patent number: 9268678
    Abstract: Machine memory fragmentation in a computer system having a host operating system and virtual machine running on a hypervisor hosted by the host operating system is reduced by having the hypervisor identify and release those machine memory pages that are more likely than others to reduce the fragmented state of the host machine memory.
    Type: Grant
    Filed: December 2, 2011
    Date of Patent: February 23, 2016
    Assignee: VMware, Inc.
    Inventors: Harvey Tuch, Craig Newell, Cyprien Laplace