Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.

Abstract: A method is provided. The method is implemented by a secure interface control of a computer that prevents unauthorized accesses to locations in a memory of the computer. The secure interface control determines that a host absolute page is not previously mapped to a virtual page in accordance with securing the host absolute page and a host virtual page is not already mapped to an absolute page in accordance with securing the host absolute page.

Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes computing a hash value of a page of memory of a computer system and comparing the hash value with a previously computed hash value of the page. A per-encryption value per page can be used in encrypting the page based on determining that the hash value matches the previously computed hash value. A modified value of the per-encryption value per page can be used in encrypting the page based on determining that the hash value mismatches the previously computed hash value.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes computing a hash value of a page of memory of a computer system and comparing the hash value with a previously computed hash value of the page. A per-encryption value per page can be used in encrypting the page based on determining that the hash value matches the previously computed hash value. A modified value of the per-encryption value per page can be used in encrypting the page based on determining that the hash value mismatches the previously computed hash value.

Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.

Abstract: A method is provided. The method is implemented by a secure interface control of a computer that prevents unauthorized accesses to locations in a memory of the computer. The secure interface control determines that a host absolute page is not previously mapped to a virtual page in accordance with securing the host absolute page and a host virtual page is not already mapped to an absolute page in accordance with securing the host absolute page.

Abstract: A method includes a trusted component of a host computing system, obtaining, from a client, via a hypervisor of the host, a request to run an instance of a guest image within the hypervisor. The request includes a unique identifier of the guest image, contents of the guest image, and a communication key. The request is encrypted with a request key accessible to the owner and the trusted component and not accessible to the hypervisor. The trusted component generates an authorization request to an authorizing entity of the client requesting authorization for the hypervisor to run the instance. The authorization request includes the unique identifier, a use counter, and a unique challenge. The trusted component encrypts the authorization request with the communication key and communicates the authorization request to the authorizing entity, via the hypervisor.

Abstract: A trusted component commences a debugging session, based on determining that debugging of a virtual machine is to be initiated. The commencing of the debugging session includes generating encryption information to be provided to a client for which debugging is to be performed. The encryption information includes a key that is encrypted and to be used to encrypt a debug request to debug the virtual machine. The trusted component obtains an encrypted debug request indicating one or more operations to be performed to debug the virtual machine. The one or more operations are performed by the trusted component to obtain debugging results for the virtual machine.

Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.

Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.

Abstract: A method includes a trusted component of a host computing system, obtaining, from a client, via a hypervisor of the host, a request to run an instance of a guest image within the hypervisor. The request includes a unique identifier of the guest image, contents of the guest image, and a communication key. The request is encrypted with a request key accessible to the owner and the trusted component and not accessible to the hypervisor. The trusted component generates an authorization request to an authorizing entity of the client requesting authorization for the hypervisor to run the instance. The authorization request includes the unique identifier, a use counter, and a unique challenge. The trusted component encrypts the authorization request with the communication key and communicates the authorization request to the authorizing entity, via the hypervisor.

Abstract: A method includes a trusted component of a host computing system, obtaining, from a client, via a hypervisor of the host, a request to run an instance of a guest image within the hypervisor. The request includes a unique identifier of the guest image, contents of the guest image, and a communication key. The request is encrypted with a request key accessible to the owner and the trusted component and not accessible to the hypervisor. The trusted component generates an authorization request to an authorizing entity of the client requesting authorization for the hypervisor to run the instance. The authorization request includes the unique identifier, a use counter, and a unique challenge. The trusted component encrypts the authorization request with the communication key and communicates the authorization request to the authorizing entity, via the hypervisor.

Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.

Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.

Abstract: A trusted component commences a debugging session, based on determining that debugging of a virtual machine is to be initiated. The commencing of the debugging session includes generating encryption information to be provided to a client for which debugging is to be performed. The encryption information includes a key that is encrypted and to be used to encrypt a debug request to debug the virtual machine. The trusted component obtains an encrypted debug request indicating one or more operations to be performed to debug the virtual machine. The one or more operations are performed by the trusted component to obtain debugging results for the virtual machine.

Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.

Abstract: A method includes a trusted component of a host computing system, obtaining, from a client, via a hypervisor of the host, a request to run an instance of a guest image within the hypervisor. The request includes a unique identifier of the guest image, contents of the guest image, and a communication key. The request is encrypted with a request key accessible to the owner and the trusted component and not accessible to the hypervisor. The trusted component generates an authorization request to an authorizing entity of the client requesting authorization for the hypervisor to run the instance. The authorization request includes the unique identifier, a use counter, and a unique challenge. The trusted component encrypts the authorization request with the communication key and communicates the authorization request to the authorizing entity, via the hypervisor.

Abstract: A computer-implemented method includes receiving a definition of a source guest memory area for utilization by a virtual machine on a source system, wherein the source system includes a source trusted firmware and a source hypervisor. The method restricts write access to the source guest memory area of the virtual machine. The method receives repeatedly a source guest memory page location, content for each of a plurality of source guest memory pages, and an integrity value for each of a plurality of source guest memory page locations. The method receives a global integrity value for integrity values associated with the plurality of source guest memory page locations, wherein a latest integrity values for each of the plurality of source guest memory page locations is utilized. Subsequent to verifying the global integrity value, the method initializes the virtual machine on the source hypervisor.

Abstract: A computer-implemented method includes receiving a definition of a source guest memory area for utilization by a virtual machine on a source system, wherein the source system includes a source trusted firmware and a source hypervisor. The method restricts write access to the source guest memory area of the virtual machine. The method receives repeatedly a source guest memory page location, content for each of a plurality of source guest memory pages, and an integrity value for each of a plurality of source guest memory page locations. The method receives a global integrity value for integrity values associated with the plurality of source guest memory page locations, wherein a latest integrity values for each of the plurality of source guest memory page locations is utilized. Subsequent to verifying the global integrity value, the method initializes the virtual machine on the source hypervisor.