Abstract: Technology for decrypting and using a security module in a processor cache in a secure mode such that dynamic address translation prevents access to portions of the volatile memory outside of a secret store in a volatile memory.

Abstract: Technology for decrypting and using a security module in a processor cache in a secure mode such that dynamic address translation prevents access to portions of the volatile memory outside of a secret store in a volatile memory.

Abstract: A computer-implemented method, for booting a computer system, that provides a list with entries of startup processes. Each startup process defines a resource of the computer system. For each startup process a requirement is defined. The method further comprises fetching one of the entries of the list with entries of startup processes; determining whether the requirement is satisfied for the one of the entries of the list with entries of startup processes; fetching, in case the requirement is not fulfilled, a next one of the entries of the list with entries of startup processes; starting, in case the required resource is fulfilled, the startup process; and repeating the fetching a next one of the entries, the determining and the starting until all startup processes of the list of startup processes have been started.

Abstract: A computer-implemented method, for booting a computer system, that provides a list with entries of startup processes. Each startup process defines a resource of the computer system. For each startup process a requirement is defined. The method further comprises fetching one of the entries of the list with entries of startup processes; determining whether the requirement is satisfied for the one of the entries of the list with entries of startup processes; fetching, in case the requirement is not fulfilled, a next one of the entries of the list with entries of startup processes; starting, in case the required resource is fulfilled, the startup process; and repeating the fetching a next one of the entries, the determining and the starting until all startup processes of the list of startup processes have been started.

Abstract: Provided is a method for configuring the functional capabilities of a computer system. The computer system may include a persistent memory and a replaceable functional unit. The method may include transferring, in response to a repair action for the functional unit, enablement data that is stored on the functional unit to the persistent memory. The enablement data may specify one or more functional capabilities of the functional unit that are enabled. The method may further include erasing the enablement data from the functional unit after it has been transferred to the persistent storage. The method may further include obtaining a second unique identification item from a replacement unit. The method may further include obtaining new enablement data. The new enablement data may be transferred to the replacement unit.

Abstract: Integrating a further communication bridge into a running data processing system. The data processing system includes a communication client running a first operating system having no own communication stack and at least a first communication bridge running a second operating system having an own communication stack. The first communication bridge is configured as a master communication bridge. The further communication bridge announces itself as a slave communication bridge at an announcement time. The master communication bridge executes a quiesce process on the network adapter and on the API of the communication client when there are no data packets in the queue with a sending time earlier than the announcement time. The master communication bridge extracts the state of its communication stack and sends it to the further communication bridge. The master communication bridge resumes the network adapter and the API.

Abstract: An approach for simultaneous multithreading in a processor. The approach comprises measuring SMT-performance value of a software code and measuring non-SMT-performance value the software code, comparing the SMT-performance value with the non-SMT performance value and dispatching the software code for execution mode by the processor based on the comparison, wherein the execution mode comprises SMT-mode and non-SMT-mode of the processor.

Abstract: An approach for simultaneous multithreading in a processor. The approach comprises measuring SMT-performance value of a software code and measuring non-SMT-performance value the software code, comparing the SMT-performance value with the non-SMT performance value and dispatching the software code for execution mode by the processor based on the comparison, wherein the execution mode comprises SMT-mode and non-SMT-mode of the processor.

Abstract: A method includes generating a set of virtual-machine-specific (VMS) encryption keys for a dedicated virtual machine, storing the set of VMS encryption keys in a protected memory, storing a first look-up table in the protected memory, and replacing an encryption key stored in a crypto unit with at least one VMS encryption key of the set of VMS encryption keys in an operation mode where the dedicated virtual machine is executed by a processor. The protected memory is selectively excluded from access by operating systems executable on a computer system. The look-up table being accessible only by firmware of the computer system.

Abstract: A method includes generating a set of virtual-machine-specific (VMS) encryption keys for a dedicated virtual machine, storing the set of VMS encryption keys in a protected memory, storing a first look-up table in the protected memory, and replacing an encryption key stored in a crypto unit with at least one VMS encryption key of the set of VMS encryption keys in an operation mode where the dedicated virtual machine is executed by a processor. The protected memory is selectively excluded from access by operating systems executable on a computer system. The look-up table being accessible only by firmware of the computer system.

Abstract: Embodiments include method, systems and computer program products for extracting entropy from mobile devices to generate random numbers. In some embodiments, first vibration data may be received from a first device. Second vibration data may be received from a second device. A first piece of entropy data may be generated using the first vibration data and a second piece of entropy data may be generated using the second vibration data. The first piece of entropy data and the second piece of entropy data may be aggregated. The first piece of entropy data and the second piece of entropy data may be stored in an entropy pool.

Abstract: Embodiments of the present invention disclose a method, computer program product, and system for applying a plurality of program patch sets on a plurality of computer programs. Virtual machines are prepared to be patchable, in response to a suspended computer program. Synchronized snapshots of the virtual machines are created. A plurality of binary code sections of each of the synchronized snapshots are determined. Symbol data information of each of the synchronized snapshots are analyzed, based on the program patch sets. The determined binary code sections are replaced with a set of patch data, based on the plurality of program patch sets, resulting in patched snapshots for each of the synchronized snapshots. Dependencies of the patch data are adjusted, based on the replaced plurality of binary code sections and the execution of the computer program on each of the virtual machines are resumed using the plurality of patched snapshots.

Abstract: Embodiments of the present invention disclose a method, computer program product, and system for applying a plurality of program patch sets on a plurality of computer programs. Virtual machines are prepared to be patchable, in response to a suspended computer program. Synchronized snapshots of the virtual machines are created. A plurality of binary code sections of each of the synchronized snapshots are determined. Symbol data information of each of the synchronized snapshots are analyzed, based on the program patch sets. The determined binary code sections are replaced with a set of patch data, based on the plurality of program patch sets, resulting in patched snapshots for each of the synchronized snapshots. Dependencies of the patch data are adjusted, based on the replaced plurality of binary code sections and the execution of the computer program on each of the virtual machines are resumed using the plurality of patched snapshots.

Abstract: A method, a computer program product, and a computer system for processing interrupt requests in a computer system. The computer system disables, for a processor, an interrupt request for threads other than an interrupt request handling thread. The computer system configures the processor to route the interrupt request to the interrupt request handling thread. The computer system determines, by the interrupt request handling thread, whether one of the threads needs to process the interrupt request. The computer presents, by the interrupt request handling thread, the interrupt request to the one of the threads, in response to determining that the one of the threads needs to process the interrupt request.

Abstract: Dynamically assigning network addresses provided by a server in a network to virtual network adapters in virtual machines, in which a reassignment of the assigned network addresses due to suspending virtual machines is prevented. Network addresses of the virtual machines in the network are logged. Network addresses are combined with information about suspending and/or resuming virtual machines by a control instance. Information about the network addresses of suspended virtual machines for its virtual network adapters with dynamically assigned network addresses is sent to the server.

Abstract: A method, a computer program product, and a computer system for processing interrupt requests in a computer system. The computer system disables, for a processor, an interrupt request for threads other than an interrupt request handling thread. The computer system configures the processor to route the interrupt request to the interrupt request handling thread. The computer system determines, by the interrupt request handling thread, whether one of the threads needs to process the interrupt request. The computer presents, by the interrupt request handling thread, the interrupt request to the one of the threads, in response to determining that the one of the threads needs to process the interrupt request.

Abstract: A method of securely deleting data from a data storage device is described. The method includes the steps of receiving a secure delete command to securely delete a file. A data block of the file to securely delete is identified. A pointer to the data block is stored in a deletion buffer. It is then determined whether the secure delete command has a highest priority over other data storage device commands. In response to the secure delete command having the highest priority, the secure delete command to the data block is performed.

Abstract: Methods are provided for using a hardware module connectable to multiple computer systems, where the multiple computer systems are connectable to a server within a common network. The method includes: providing a network address of the server in persistent memory of the hardware security module; providing an encrypted secret entity in the persistent memory of the hardware security module; providing a private key in the persistent memory of the hardware security module; and based on the hardware security module being connectable to one of the computer systems, the method includes: establishing a secure connection between the hardware security module and the server; retrieving, via the secure connection, a wrapping key from the server and storing it in volatile memory of the hardware security module; and decrypting the encrypted secret entity with the wrapping key and storing the decrypted secret entity in the volatile memory of the hardware security module.

Abstract: Embodiments include method, systems and computer program products for anonymous secure socket layer (SSL) certificate verification in a trusted group. In some embodiments, a device associated with a user receiving a web server certificate from a web server. A message that includes the web server certificate and associated universal resource locator (URL) may be encrypted using a group key and a proxy key. The message may be transmitted to a proxy server. An anonymized request based on the message may be received from the proxy server. An encrypted response may be generated and transmitted to the proxy server. Encrypted and anonymized responses from members of a trusted group may be received. The responses may be processed and an action associated with the web server certificate may be facilitated.

Abstract: Managing a virtual computer resource on at least one virtual machine. The managing of the virtual computer resource on the at least one virtual machine is by controlling execution of the virtual computer resource on the at least one virtual machine by a virtual machine instance, such as a firmware facility, of a trusted part of a computer system. The virtual machine instance is unique in the computer system.