Abstract: A method for sharing secret data between multiple containers. In response to the initial booting of an operating system instance in a container, a unique operating system identifier is generated for the operating system instance. A grant authority stores the unique operating system identifier in a reserved area of a secure storage device. In response to a request from the operating system instance to access secret data in the secure storage device, the grant authority determines whether the unique operating system identifier is stored in the secure storage device. The operating system instance may be granted access to secret data in the non-reserved area of the secure storage device.

Abstract: Technology for decrypting and using a security module in a processor cache in a secure mode such that dynamic address translation prevents access to portions of the volatile memory outside of a secret store in a volatile memory.

Abstract: Auditably proving a usage history of an asset, in which the asset includes a hardware security module with at least a public key and a private key. A client application logs hash values of a pair of request data and response data. Usage history of the asset is proved. The proving includes verifying, using the public key, a signature of other hash values of the pair of request data and response data. The other hash values are signed with the private key. The proving further includes comparing the hash values logged by the client application with the other hash values.

Abstract: A computer-implemented method, for booting a computer system, that provides a list with entries of startup processes. Each startup process defines a resource of the computer system. For each startup process a requirement is defined. The method further comprises fetching one of the entries of the list with entries of startup processes; determining whether the requirement is satisfied for the one of the entries of the list with entries of startup processes; fetching, in case the requirement is not fulfilled, a next one of the entries of the list with entries of startup processes; starting, in case the required resource is fulfilled, the startup process; and repeating the fetching a next one of the entries, the determining and the starting until all startup processes of the list of startup processes have been started.

Abstract: In an approach to grouping related tasks, one or more computer processors receive a first task initialization by a first user. The one or more computer processors determine whether one or more additional tasks contained in one or more task groups are in use by the first user. Responsive to determining one or more additional tasks contained in one or more task groups are in use, the one or more computer processors determine whether the first task is related to at least one task of the one or more additional tasks. Responsive to determining the first task is related to at least one task of the one or more additional tasks, the one or more computer processors add the first task to the task group containing the at least one related task of the one or more additional tasks.

Abstract: Auditably proving a usage history of an asset, in which the asset includes a hardware security module with at least a public key and a private key. A client application logs hash values of a pair of request data and response data. Usage history of the asset is proved. The proving includes verifying, using the public key, a signature of other hash values of the pair of request data and response data. The other hash values are signed with the private key. The proving further includes comparing the hash values logged by the client application with the other hash values.

Abstract: Integrating a further communication bridge into a running data processing system. The data processing system includes a communication client running a first operating system having no own communication stack and at least a first communication bridge running a second operating system having an own communication stack. The first communication bridge is configured as a master communication bridge. The further communication bridge announces itself as a slave communication bridge at an announcement time. The master communication bridge executes a quiesce process on the network adapter and on the API of the communication client when there are no data packets in the queue with a sending time earlier than the announcement time. The master communication bridge extracts the state of its communication stack and sends it to the further communication bridge. The master communication bridge resumes the network adapter and the API.

Abstract: A secure storage device is connected to a computer system. The secure storage device has a memory including a domain and a subdomain storing first and second data, respectively. The computer system includes a first level hypervisor managing a first level virtual machine, which supports a first operating system, and a second level hypervisor. The second level hypervisor manages a second level virtual machine, which supports a second level operating system. A first authentication process for the first level operating system uses first profile data sent by the computer system and a portion of the first data. A second authentication process for the second level operating system uses second profile data sent by the computer system and a portion of the second data. The first data is not accessible by the second level operating system. The second data is not accessible by the first level operating system.

Abstract: A method is provided for suspending and resuming virtual machines in a network in dependence of network activity. The method includes providing a virtual machine manager. The virtual machine manager monitors network traffic of the virtual machines on a network bridge in a network layer using data packet analysis to detect dedicated network protocol traffic. More particularly, the monitoring of network traffic of the virtual machines may include: logging network addresses of the virtual machines of the network; combining logged network addresses with information about suspending or resuming virtual machines based on filtering rules being provided for such combination; and sending information about the network addresses of active and suspended virtual machines for virtual network adapters assigned to the virtual machines to the virtual machine manager.

Abstract: A method for operating a secure storage device with a non-volatile memory on a computer system which executes multiple operating system instances. The non-volatile memory comprises one or more domains which are used by the operating system instances. A separate trusted key entry system is used to configure secret data of an operating system instance stored in the non-volatile memory. The method comprises setting a domain to either secure or non-secure mode; generating a unique identifier of the operating system instance; generating a secure hash for the operating system instance; and storing the secure hash in the domain.

Abstract: A secure storage device is connected to a computer system. The secure storage device has a memory including a domain and a subdomain storing first and second data, respectively. The computer system includes a first level hypervisor managing a first level virtual machine, which supports a first operating system, and a second level hypervisor. The second level hypervisor manages a second level virtual machine, which supports a second level operating system. A first authentication process for the first level operating system uses first profile data sent by the computer system and a portion of the first data. A second authentication process for the second level operating system uses second profile data sent by the computer system and a portion of the second data. The first data is not accessible by the second level operating system. The second data is not accessible by the first level operating system.

Abstract: A method for sharing secret data between multiple containers. In response to the initial booting of an operating system instance in a container, a unique operating system identifier is generated for the operating system instance. A grant authority stores the unique operating system identifier in a reserved area of a secure storage device. In response to a request from the operating system instance to access secret data in the secure storage device, the grant authority determines whether the unique operating system identifier is stored in the secure storage device. The operating system instance may be granted access to secret data in the non-reserved area of the secure storage device.

Abstract: Technology for decrypting and using a security module in a processor cache in a secure mode such that dynamic address translation prevents access to portions of the volatile memory outside of a secret store in a volatile memory.

Abstract: Methods and systems for executing dumping of main memory content and CPU states and for an adaptive boot. The methods and the systems provide a configuration list of the computer system comprising a pre-defined set of dedicated resources for the dumping, provide threshold values for a pre-defined set of minimum resources for executing a reboot of the computer system, assign the pre-defined set of the dedicated resources for executing the dumping, start the dumping, release ones of the dedicated resources after content of the ones of the dedicated resources has been dumped, start a reboot process of the computer system in response to determining that the ones of the dedicated resources exceeds the threshold values for the pre-defined set of the minimum resources for executing the reboot process, and continue to release others of the dedicated resources to the reboot process until the dumping is completed.

Abstract: Integrating a further communication bridge into a running data processing system. The data processing system includes a communication client running a first operating system having no own communication stack and at least a first communication bridge running a second operating system having an own communication stack. The first communication bridge is configured as a master communication bridge. The further communication bridge announces itself as a slave communication bridge at an announcement time. The master communication bridge executes a quiesce process on the network adapter and on the API of the communication client when there are no data packets in the queue with a sending time earlier than the announcement time. The master communication bridge extracts the state of its communication stack and sends it to the further communication bridge. The master communication bridge resumes the network adapter and the API.

Abstract: A computer-implemented method, for booting a computer system, that provides a list with entries of startup processes. Each startup process defines a resource of the computer system. For each startup process a requirement is defined. The method further comprises fetching one of the entries of the list with entries of startup processes; determining whether the requirement is satisfied for the one of the entries of the list with entries of startup processes; fetching, in case the requirement is not fulfilled, a next one of the entries of the list with entries of startup processes; starting, in case the required resource is fulfilled, the startup process; and repeating the fetching a next one of the entries, the determining and the starting until all startup processes of the list of startup processes have been started.

Abstract: A computer-implemented method, for booting a computer system, that provides a list with entries of startup processes. Each startup process defines a resource of the computer system. For each startup process a requirement is defined. The method further comprises fetching one of the entries of the list with entries of startup processes; determining whether the requirement is satisfied for the one of the entries of the list with entries of startup processes; fetching, in case the requirement is not fulfilled, a next one of the entries of the list with entries of startup processes; starting, in case the required resource is fulfilled, the startup process; and repeating the fetching a next one of the entries, the determining and the starting until all startup processes of the list of startup processes have been started.

Abstract: Methods and systems for executing dumping of main memory content and CPU states and for an adaptive boot. The methods and the systems provide a configuration list of the computer system comprising a pre-defined set of dedicated resources for the dumping, provide threshold values for a pre-defined set of minimum resources for executing a reboot of the computer system, assign the pre-defined set of the dedicated resources for executing the dumping, start the dumping, release ones of the dedicated resources after content of the ones of the dedicated resources has been dumped, start a reboot process of the computer system in response to determining that the ones of the dedicated resources exceeds the threshold values for the pre-defined set of the minimum resources for executing the reboot process, and continue to release others of the dedicated resources to the reboot process until the dumping is completed.

Abstract: Approving a group purchase request for a group of articles. A sub-group of articles is selected, wherein a unique article approval index is assigned to each of the articles and a highest article approval index is determined among the unique article approval indexes of the articles of the group, wherein the article of the group is selected into the sub-group if the article of the group complies with at least one of following article selection criteria: the unique article approval index of the article of the group is above a predetermined approval index threshold and the unique approval index of the article of the group is equal to the highest article approval index; approving the group purchase request for the group if the group purchase request for the sub-group is approved; and rejecting the group purchase request for the group if the group purchase request for the sub-group is rejected.

Abstract: Integrating a further communication bridge into a running data processing system. The data processing system includes a communication client running a first operating system having no own communication stack and at least a first communication bridge running a second operating system having an own communication stack. The first communication bridge is configured as a master communication bridge. The further communication bridge announces itself as a slave communication bridge at an announcement time. The master communication bridge executes a quiesce process on the network adapter and on the API of the communication client when there are no data packets in the queue with a sending time earlier than the announcement time. The master communication bridge extracts the state of its communication stack and sends it to the further communication bridge. The master communication bridge resumes the network adapter and the API.