Patents by Inventor Jakob C. Lang
Jakob C. Lang has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 9952910
Abstract: Managing a virtual computer resource on at least one virtual machine. The managing of the virtual computer resource on the at least one virtual machine is by controlling execution of the virtual computer resource on the at least one virtual machine by a virtual machine instance, such as a firmware facility, of a trusted part of a computer system. The virtual machine instance is unique in the computer system.
Type: Grant
Filed: November 30, 2015
Date of Patent: April 24, 2018
Assignee: International Business Machines Corporation
Inventors: Jakob C. Lang, Angel Nunez Mencias, Albert Schirmer, Jochen Schweflinghaus
-
Publication number: 20180101891
Abstract: Approving a group purchase request for a group of articles. A sub-group of articles is selected, wherein a unique article approval index is assigned to each of the articles and a highest article approval index is determined among the unique article approval indexes of the articles of the group, wherein the article of the group is selected into the sub-group if the article of the group complies with at least one of following article selection criteria: the unique article approval index of the article of the group is above a predetermined approval index threshold and the unique approval index of the article of the group is equal to the highest article approval index; approving the group purchase request for the group if the group purchase request for the sub-group is approved; and rejecting the group purchase request for the group if the group purchase request for the sub-group is rejected.
Type: Application
Filed: December 12, 2017
Publication date: April 12, 2018
Inventors: Victor Rafael Escobar Olmos, Jakob C. Lang, Tomas Libal, Angel Nunez Mencias, Fabian Romanowski, Sven Sterbling
-
Patent number: 9928080
Abstract: Trusted firmware on a host server is used for managing access to a hardware security module (HSM) connected to the host server. The HSM stores confidential information associated with an operating system. As part of access management, the firmware detects a boot device identifier associated with a boot device configured to boot the operating system on the host server. The firmware then receives a second boot device identifier from the HSM. The boot device identifier and the second boot device identifier are then compared by the firmware. Based on the comparison, the firmware determines that the boot device identifier matches with the second boot device identifier. Based on this determination, the firmware grants the operating system access to the HSM.
Type: Grant
Filed: September 30, 2014
Date of Patent: March 27, 2018
Assignee: International Business Machines Corporation
Inventors: Volker M. M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez Mencias
-
Publication number: 20180034916
Abstract: Stateful network connections between a first virtual machine and at least a second virtual machine are preserved during a suspend and resume cycle. The virtual machines are interconnected by a network. A control instance is provided to manage a routing of network traffic of the virtual machines to the network. In case of a suspend operation, the control instance tracks network addresses of each virtual machine, whereas in case of a resume operation, the control instance sets up a router for each virtual machine and requests new network addresses for each router. The control instance configures a network address translation on the router assigned to each virtual machine to map the new network addresses to the network addresses used before suspending the virtual machines.
Type: Application
Filed: July 26, 2016
Publication date: February 1, 2018
Inventors: Jakob C. Lang, Angel Nunez Mencias, Thomas Pohl, Martin Troester
-
Publication number: 20180018286
Abstract: Provided is a method for configuring the functional capabilities of a computer system. The computer system may include a persistent memory and a replaceable functional unit. The method may include transferring, in response to a repair action for the functional unit, enablement data that is stored on the functional unit to the persistent memory. The enablement data may specify one or more functional capabilities of the functional unit that are enabled. The method may further include erasing the enablement data from the functional unit after it has been transferred to the persistent storage. The method may further include obtaining a second unique identification item from a replacement unit. The method may further include obtaining new enablement data. The new enablement data may be transferred to the replacement unit.
Type: Application
Filed: September 14, 2016
Publication date: January 18, 2018
Inventors: Christine Axnix, Franz Hardt, Marco Kraemer, Jakob C. Lang
-
Publication number: 20180018180
Abstract: Provided is a method for configuring the functional capabilities of a computer system. The computer system may include a persistent memory and a replaceable functional unit. The method may include transferring, in response to a repair action for the functional unit, enablement data that is stored on the functional unit to the persistent memory. The enablement data may specify one or more functional capabilities of the functional unit that are enabled. The method may further include erasing the enablement data from the functional unit after it has been transferred to the persistent storage. The method may further include obtaining a second unique identification item from a replacement unit. The method may further include obtaining new enablement data. The new enablement data may be transferred to the replacement unit.
Type: Application
Filed: July 15, 2016
Publication date: January 18, 2018
Inventors: Christine Axnix, Franz Hardt, Marco Kraemer, Jakob C. Lang
-
Publication number: 20180013651
Abstract: A method is provided for suspending and resuming virtual machines in a network in dependence of network activity. The method includes providing a virtual machine manager. The virtual machine manager monitors network traffic of the virtual machines on a network bridge in a network layer using data packet analysis to detect dedicated network protocol traffic. More particularly, the monitoring of network traffic of the virtual machines may include: logging network addresses of the virtual machines of the network; combining logged network addresses with information about suspending or resuming virtual machines based on filtering rules being provided for such combination; and sending information about the network addresses of active and suspended virtual machines for virtual network adapters assigned to the virtual machines to the virtual machine manager.
Type: Application
Filed: July 7, 2016
Publication date: January 11, 2018
Inventors: Jakob C. LANG, Angel NUNEZ-MENCIAS, Thomas POHL, Martin TROESTER
-
Patent number: 9852466
Abstract: Approving a group purchase request for a group of articles. A sub-group of articles is selected, wherein a unique article approval index is assigned to each of the articles and a highest article approval index is determined among the unique article approval indexes of the articles of the group, wherein the article of the group is selected into the sub-group if the article of the group complies with at least one of following article selection criteria: the unique article approval index of the article of the group is above a predetermined approval index threshold and the unique approval index of the article of the group is equal to the highest article approval index; approving the group purchase request for the group if the group purchase request for the sub-group is approved; and rejecting the group purchase request for the group if the group purchase request for the sub-group is rejected.
Type: Grant
Filed: November 6, 2013
Date of Patent: December 26, 2017
Assignee: International Business Machines Corporation
Inventors: Victor Rafael Escobar Olmos, Jakob C. Lang, Tomas Libal, Angel Nunez Mencias, Fabian Romanowski, Sven Sterbling
-
Patent number: 9836308
Abstract: Trusted firmware on a host server is used for managing access to a hardware security module (HSM) connected to the host server. The HSM stores confidential information associated with an operating system. As part of access management, the firmware detects a boot device identifier associated with a boot device configured to boot the operating system on the host server. The firmware then receives a second boot device identifier from the HSM. The boot device identifier and the second boot device identifier are then compared by the firmware. Based on the comparison, the firmware determines that the boot device identifier matches with the second boot device identifier. Based on this determination, the firmware grants the operating system access to the HSM.
Type: Grant
Filed: December 18, 2014
Date of Patent: December 5, 2017
Assignee: International Business Machines Corporation
Inventors: Volker M. M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez Mencias
-
Patent number: 9798678
Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system includes one or more processing units sharing the storage. Each of the processing units has at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key, data transferred between its processor cache and the storage, when data relates to the protected section used by the hypervisor; and each processing unit respectively encrypts or decrypts, with a virtual machine key, data transferred between its processor cache and the storage, when data relates to storage areas used by a virtual machine.
Type: Grant
Filed: April 2, 2015
Date of Patent: October 24, 2017
Assignee: International Business Machines Corporation
Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias
-
Patent number: 9779032
Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system includes one or more processing units sharing the storage. Each of the processing units has at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key, data transferred between its processor cache and the storage, when data relates to the protected section used by the hypervisor; and each processing unit respectively encrypts or decrypts, with a virtual machine key, data transferred between its processor cache and the storage, when data relates to storage areas used by a virtual machine.
Type: Grant
Filed: November 14, 2015
Date of Patent: October 3, 2017
Assignee: International Business Machines Corporation
Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias
-
Patent number: 9772954
Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system comprises one or more processing units sharing the storage, the processing units each having at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key in the chip cache, data transferred between its processor cache and the protected section, and each processing unit respectively encrypts or decrypts, with a segment key, data transferred between the chip cache and the storage, when data relates to a specific segment of the storage.
Type: Grant
Filed: November 14, 2015
Date of Patent: September 26, 2017
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias
-
Patent number: 9767293
Abstract: At least one hardware security module out of a plurality of hardware security modules is assigned to a guest system. The at least one hardware security module out of the plurality of hardware security modules is configured with a master key. A data pattern is used for a challenge protocol adapted to prove that the at least one hardware security module out of the plurality of hardware security modules is configured with the master key. The at least one hardware security module including the master key is assigned to the guest system based on a positive outcome of the challenge protocol.
Type: Grant
Filed: February 13, 2015
Date of Patent: September 19, 2017
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Volker M. M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez Mencias
-
Patent number: 9767295
Abstract: At least one hardware security module out of a plurality of hardware security modules is assigned to a guest system. The at least one hardware security module out of the plurality of hardware security modules is configured with a master key. A data pattern is used for a challenge protocol adapted to prove that the at least one hardware security module out of the plurality of hardware security modules is configured with the master key. The at least one hardware security module including the master key is assigned to the guest system based on a positive outcome of the challenge protocol.
Type: Grant
Filed: November 14, 2015
Date of Patent: September 19, 2017
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Volker M. M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez Mencias
-
Publication number: 20170249157
Abstract: Securely removing system capabilities, being available to at least one logical partition, from that partition, the partition being hosted by a computer system running an operating system. The system capabilities are available to a boot loader of the computer system, wherein the boot loader is started in the logical partition. The logical partition remains activated while removing the system capabilities. A removal request is initiated by the boot loader; and a deconfigure command is performed by the boot loader.
Type: Application
Filed: September 14, 2016
Publication date: August 31, 2017
Inventors: Gerd Bayer, Robert Kieninger, Marco Kraemer, Jakob C. Lang, Angel Nunez Mencias, Stefan Roscher, Stefan Usenbinz
-
Patent number: 9715462
Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system comprises one or more processing units sharing the storage, the processing units each having at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key in the chip cache, data transferred between its processor cache and the protected section, and each processing unit respectively encrypts or decrypts, with a segment key, data transferred between the chip cache and the storage, when data relates to a specific segment of the storage.
Type: Grant
Filed: April 2, 2015
Date of Patent: July 25, 2017
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias
-
Publication number: 20170168804
Abstract: Embodiments of the present invention disclose a method, computer program product, and system for applying a plurality of program patch sets on a plurality of computer programs. Virtual machines are prepared to be patchable, in response to a suspended computer program. Synchronized snapshots of the virtual machines are created. A plurality of binary code sections of each of the synchronized snapshots are determined. Symbol data information of each of the synchronized snapshots are analyzed, based on the program patch sets. The determined binary code sections are replaced with a set of patch data, based on the plurality of program patch sets, resulting in patched snapshots for each of the synchronized snapshots. Dependencies of the patch data are adjusted, based on the replaced plurality of binary code sections and the execution of the computer program on each of the virtual machines are resumed using the plurality of patched snapshots.
Type: Application
Filed: May 6, 2016
Publication date: June 15, 2017
Inventors: Jakob C. Lang, Angel Nunez Mencias, Thomas Pohl, Martin Troester
-
Publication number: 20170168776
Abstract: Embodiments include method, systems and computer program products for extracting entropy from mobile devices to generate random numbers. In some embodiments, first vibration data may be received from a first device. Second vibration data may be received from a second device. A first piece of entropy data may be generated using the first vibration data and a second piece of entropy data may be generated using the second vibration data. The first piece of entropy data and the second piece of entropy data may be aggregated. The first piece of entropy data and the second piece of entropy data may be stored in an entropy pool.
Type: Application
Filed: December 9, 2015
Publication date: June 15, 2017
Inventors: Volker M. M. Boenisch, Reinard T. Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Budy D. Notohardjono, Angel N. Mencias
-
Publication number: 20170168798
Abstract: Embodiments of the present invention disclose a method, computer program product, and system for applying a plurality of program patch sets on a plurality of computer programs. Virtual machines are prepared to be patchable, in response to a suspended computer program. Synchronized snapshots of the virtual machines are created. A plurality of binary code sections of each of the synchronized snapshots are determined. Symbol data information of each of the synchronized snapshots are analyzed, based on the program patch sets. The determined binary code sections are replaced with a set of patch data, based on the plurality of program patch sets, resulting in patched snapshots for each of the synchronized snapshots. Dependencies of the patch data are adjusted, based on the replaced plurality of binary code sections and the execution of the computer program on each of the virtual machines are resumed using the plurality of patched snapshots.
Type: Application
Filed: December 10, 2015
Publication date: June 15, 2017
Inventors: Jakob C. Lang, Angel Nunez Mencias, Thomas Pohl, Martin Troester
-
Patent number: 9658799
Abstract: A method of securely deleting data from a data storage device is described. The method includes the steps of receiving a secure delete command to securely delete a file. A data block of the file to securely delete is identified. A pointer to the data block is stored in a deletion buffer. It is then determined whether the secure delete command has a highest priority over other data storage device commands. In response to the secure delete command having the highest priority, the secure delete command to the data block is performed.
Type: Grant
Filed: September 25, 2013
Date of Patent: May 23, 2017
Assignee: International Business Machines Corporation
Inventors: Jakob C. Lang, Angel Nunez Mencias, Thomas Pohl, Martin Troester