Abstract: The present disclosure is directed towards methods and systems for maintaining state in a virtual machine when disconnected from graphics hardware. The virtual machine is one of a plurality of virtual machines hosted by a hypervisor executing on a computing device. A control virtual machine may be hosted by a hypervisor executing on a computing device. The control virtual machine may store state information of a graphics processing unit (GPU) of the computing device. The GPU may render an image from a first virtual machine. The control virtual machine may remove, from the first virtual machine, access to the GPU. The control virtual machine may redirect the first virtual machine to a GPU emulation program. The GPU emulation program may render the image from the first virtual machine using at least a portion of the stored state information.

Abstract: The methods and systems described herein provide for allocating a universal serial bus (USB) device to one of a trusted virtual machine and a non-trusted virtual machine. A control program receives data indicating a USB port on the computing machine received a USB device and identifies at least one attribute of the USB device. The control program selects, based on application of a policy to the identified at least one device attribute, one of a trusted virtual machine and a non-trusted virtual machine executing. The control program grants, to the virtual machine selected by the control program, access to the USB device.

Abstract: The present disclosure is directed towards methods and systems for maintaining state in a virtual machine when disconnected from graphics hardware. The virtual machine is one of a plurality of virtual machines hosted by a hypervisor executing on a computing device. A control virtual machine may be hosted by a hypervisor executing on a computing device. The control virtual machine may store state information of a graphics processing unit (GPU) of the computing device. The GPU may render an image from a first virtual machine. The control virtual machine may remove, from the first virtual machine, access to the GPU. The control virtual machine may redirect the first virtual machine to a GPU emulation program. The GPU emulation program may render the image from the first virtual machine using at least a portion of the stored state information.

Abstract: The methods and systems described herein provide for preventing a non-trusted virtual machine from reading the graphical output of a trusted virtual machine. A graphics manager receives a request from a trusted virtual machine to render graphical data using a graphics processing unit. The graphics manager assigns, to the trusted virtual machine, a secure section of a memory of the graphics processing unit. The graphics manager renders graphics from the trusted virtual machine graphical data to the secure section of the graphics processing unit memory. The graphics manager receives a request from a non-trusted virtual machine to read graphics rendered from the trusted virtual machine graphical data and stored in the secure section of the graphics processing unit memory, and prevents the non-trusted virtual machine from reading the trusted virtual machine rendered graphics stored in the secure section of the graphics processing unit memory.

Abstract: The present disclosure is directed towards methods and systems for maintaining state in a virtual machine when disconnected from graphics hardware. The virtual machine is one of a plurality of virtual machines hosted by a hypervisor executing on a computing device. A control virtual machine may be hosted by a hypervisor executing on a computing device. The control virtual machine may store state information of a graphics processing unit (GPU) of the computing device. The GPU may render an image from a first virtual machine. The control virtual machine may remove, from the first virtual machine, access to the GPU. The control virtual machine may redirect the first virtual machine to a GPU emulation program. The GPU emulation program may render the image from the first virtual machine using at least a portion of the stored state information.

Abstract: The present disclosure is directed towards methods and systems for virtualizing audio hardware for one or more virtual machines. A control virtual machine (VM) may translate a first stream of audio functions calls from a first VM hosted by a hypervisor. The translated first stream of audio function calls may be destined for a sound card of the computing device executing the hypervisor. The control VM may detect a second stream of audio functions calls from a second VM hosted by the hypervisor. The control VM may translate the second stream of audio functions calls from the second VM. The control VM may further merge the translated first stream of audio function calls and the translated second stream of the audio function calls in response to the detected second stream. The control VM may transmit the merged stream of audio function calls to the sound card.

Abstract: The methods and systems described herein provide functionality for managing injection of input events to one virtual machine of a plurality of guest virtual machines, in a computing device executing a hypervisor hosting a trusted virtual machine and a non-trusted virtual machine. An input manager receives a first item of input data from an input device communicating with the computing device. The input manager identifies whether the first item of input data includes a predetermined string. The input manager forwards, responsive to the identification, the first item of input data to one of (i) a first virtual machine of a plurality of guest virtual machines executed by the processor of the computing device and (ii) an application executed by the control virtual machine, wherein at least one virtual machine of the plurality of guest virtual machines is a trusted virtual machine.

Abstract: The methods and systems described herein provide for preventing a non-trusted virtual machine from reading the graphical output of a trusted virtual machine. A graphics manager receives a request from a trusted virtual machine to render graphical data using a graphics processing unit. The graphics manager assigns, to the trusted virtual machine, a secure section of a memory of the graphics processing unit. The graphics manager renders graphics from the trusted virtual machine graphical data to the secure section of the graphics processing unit memory. The graphics manager receives a request from a non-trusted virtual machine to read graphics rendered from the trusted virtual machine graphical data and stored in the secure section of the graphics processing unit memory, and prevents the non-trusted virtual machine from reading the trusted virtual machine rendered graphics stored in the secure section of the graphics processing unit memory.

Abstract: The methods and systems described herein provide for allocating a universal serial bus (USB) device to one of a trusted virtual machine and a non-trusted virtual machine. A control program receives data indicating a USB port on the computing machine received a USB device and identifies at least one attribute of the USB device. The control program selects, based on application of a policy to the identified at least one device attribute, one of a trusted virtual machine and a non-trusted virtual machine executing. The control program grants, to the virtual machine selected by the control program, access to the USB device.

Abstract: The methods and systems described herein provide for establishing a secure communication channel between a non-trusted virtual machine and a trusted virtual machine, in a computing device executing a hypervisor hosting the trusted virtual machine, the non-trusted virtual machine, and a third virtual machine. The method includes writing, by a non-trusted virtual machine, a first string of data to a region of memory of the computing device. The method also includes detecting, by a trusted virtual machine, the first string of data written to the region of memory. The method further includes establishing a communication channel between the trusted virtual machine and the non-trusted virtual machine by locking, by the trusted virtual machine and responsive to the detection, the region of memory for the duration of the communication to prevent a third virtual machine from accessing the region of memory.

Abstract: The methods and systems described herein provide for granting a virtual machine exclusive access to an optical disc drive responsive to a determination the virtual machine initiated a transaction with the optical disc drive. A drive manager maps an optical disc drive connected to the computing device to a plurality of virtual machines hosted by a hypervisor executed by the computing device. The drive manager intercepts a transaction stream generated by the optical disc drive and converts the transaction stream to a command stream. The drive manager determines, based on an analysis of the command stream, a first virtual machine of the plurality of virtual machines initiated a transaction with the optical disc drive. Responsive to the determination, the drive manager locks the optical disc drive to grant the first virtual machine exclusive access to the optical disc drive.

Abstract: The methods and systems provide for allocating a universal serial bus (USB) device to one of a trusted virtual machine and a non-trusted virtual machine. A control program receives data indicating a USB port on the computing machine received a USB device and identifies at least one attribute of the USB device. The control program selects, based on application of a policy to the identified at least one device attribute, one of a trusted virtual machine and a non-trusted virtual machine executing. The control program grants, to the virtual machine selected by the control program, access to the USB device.

Abstract: The methods and systems provide for preventing a non-trusted virtual machine from reading the graphical output of a trusted virtual machine. A graphics manager receives a request from a trusted virtual machine to render graphical data using a graphics processing unit. The graphics manager assigns, to the trusted virtual machine, a secure section of a memory of the graphics processing unit. The graphics manager renders graphics from the trusted virtual machine graphical data to the secure section of the graphics processing unit memory. The graphics manager receives a request from a non-trusted virtual machine to read graphics rendered from the trusted virtual machine graphical data and stored in the secure section of the graphics processing unit memory, and prevents the non-trusted virtual machine from reading the trusted virtual machine rendered graphics stored in the secure section of the graphics processing unit memory.

Abstract: The present disclosure is directed towards methods and systems for maintaining state in a virtual machine when disconnected from graphics hardware. The virtual machine is one of a plurality of virtual machines hosted by a hypervisor executing on a computing device. A control virtual machine may be hosted by a hypervisor executing on a computing device. The control virtual machine may store state information of a graphics processing unit (GPU) of the computing device. The GPU may render an image from a first virtual machine. The control virtual machine may remove, from the first virtual machine, access to the GPU. The control virtual machine may redirect the first virtual machine to a GPU emulation program. The GPU emulation program may render the image from the first virtual machine using at least a portion of the stored state information.

Abstract: The present disclosure is directed towards methods and systems for virtualizing audio hardware for one or more virtual machines. A control virtual machine (VM) may translate a first stream of audio functions calls from a first VM hosted by a hypervisor. The translated first stream of audio function calls may be destined for a sound card of the computing device executing the hypervisor. The control VM may detect a second stream of audio functions calls from a second VM hosted by the hypervisor. The control VM may translate the second stream of audio functions calls from the second VM. The control VM may further merge the translated first stream of audio function calls and the translated second stream of the audio function calls in response to the detected second stream. The control VM may transmit the merged stream of audio function calls to the sound card.

Abstract: The methods and systems described herein provide for establishing a secure communication channel between a non-trusted virtual machine and a trusted virtual machine, in a computing device executing a hypervisor hosting the trusted virtual machine, the non-trusted virtual machine, and a third virtual machine. The method includes writing, by a non-trusted virtual machine, a first string of data to a region of memory of the computing device. The method also includes detecting, by a trusted virtual machine, the first string of data written to the region of memory. The method further includes establishing a communication channel between the trusted virtual machine and the non-trusted virtual machine by locking, by the trusted virtual machine and responsive to the detection, the region of memory for the duration of the communication to prevent a third virtual machine from accessing the region of memory.

Abstract: The methods and systems described herein provide for preventing a non-trusted virtual machine from reading the graphical output of a trusted virtual machine. A graphics manager receives a request from a trusted virtual machine to render graphical data using a graphics processing unit. The graphics manager assigns, to the trusted virtual machine, a secure section of a memory of the graphics processing unit. The graphics manager renders graphics from the trusted virtual machine graphical data to the secure section of the graphics processing unit memory. The graphics manager receives a request from a non-trusted virtual machine to read graphics rendered from the trusted virtual machine graphical data and stored in the secure section of the graphics processing unit memory, and prevents the non-trusted virtual machine from reading the trusted virtual machine rendered graphics stored in the secure section of the graphics processing unit memory.

Abstract: The methods and systems described herein provide functionality for managing injection of input events to one virtual machine of a plurality of guest virtual machines, in a computing device executing a hypervisor hosting a trusted virtual machine and a non-trusted virtual machine. An input manager receives a first item of input data from an input device communicating with the computing device. The input manager identifies whether the first item of input data includes a predetermined string. The input manager forwards, responsive to the identification, the first item of input data to one of (i) a first virtual machine of a plurality of guest virtual machines executed by the processor of the computing device and (ii) an application executed by the control virtual machine, wherein at least one virtual machine of the plurality of guest virtual machines is a trusted virtual machine.

Abstract: The methods and systems described herein provide for allocating a universal serial bus (USB) device to one of a trusted virtual machine and a non-trusted virtual machine. A control program receives data indicating a USB port on the computing machine received a USB device and identifies at least one attribute of the USB device. The control program selects, based on application of a policy to the identified at least one device attribute, one of a trusted virtual machine and a non-trusted virtual machine executing. The control program grants, to the virtual machine selected by the control program, access to the USB device.

Abstract: The methods and systems described herein provide for granting a virtual machine exclusive access to an optical disc drive responsive to a determination the virtual machine initiated a transaction with the optical disc drive. A drive manager maps an optical disc drive connected to the computing device to a plurality of virtual machines hosted by a hypervisor executed by the computing device. The drive manager intercepts a transaction stream generated by the optical disc drive and converts the transaction stream to a command stream. The drive manager determines, based on an analysis of the command stream, a first virtual machine of the plurality of virtual machines initiated a transaction with the optical disc drive. Responsive to the determination, the drive manager locks the optical disc drive to grant the first virtual machine exclusive access to the optical disc drive.