Patents by Inventor Jonathan D. Bradbury

Jonathan D. Bradbury has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230044731
    Abstract: A trusted execution environment obtains an attestation request. The attestation request includes at least an attestation key. Based on obtaining the attestation request, one or more integrity measurements are computed, and the computing uses at least the attestation key. The one or more integrity measurements are provided to an entity, and the one or more integrity measurements are to be used to verify that a secure guest has been started using a selected secure guest image and selected secure guest metadata.
    Type: Application
    Filed: August 5, 2021
    Publication date: February 9, 2023
    Inventors: Reinhard Theodor Buendgen, Jonathan D. Bradbury
  • Publication number: 20230039894
    Abstract: Deferred reclaiming of secure guest resources within a computing environment is provided, which includes initiating, by a host of the computing environment, removal of a secure guest from the computing environment, while leaving one or more resources of the secure guest to be reclaimed asynchronous to the removal of the secure guest. The deferring also includes reclaiming the one or more secure guest resources asynchronous to the removal of the secure guest, where the one or more secure guest resources are available for reuse as the one or more secure guest resources are reclaimed asynchronous to the removal of the secure guest.
    Type: Application
    Filed: August 5, 2021
    Publication date: February 9, 2023
    Inventors: Claudio IMBRENDA, Christian BORNTRAEGER, Janosch Andreas FRANK, Jonathan D. BRADBURY
  • Publication number: 20230040468
    Abstract: A computer-implemented method for providing a system-specific secret to a computing system having a plurality of computing components is disclosed. The method includes storing permanently a component-specific import key as part of a computing component and storing the component-specific import key in a manufacturing-side storage system. Upon a request for the system-specific secret for a computing system, the method includes identifying the computing component comprised in the computing system, retrieving a record relating to the identified computing component, determining the system-specific secret protected by a hardware security module and determining a system-specific auxiliary key. Furthermore, the method includes encrypting the system-specific auxiliary key with the retrieved component-specific import key, thereby creating an auxiliary key bundle, encrypting the system-specific secret and storing the auxiliary key bundle and a system record in a storage medium of the computing system.
    Type: Application
    Filed: August 4, 2021
    Publication date: February 9, 2023
    Inventors: Reinhard Theodor Buendgen, Brian Walter Stocker, Nicolas Maeding, Jonathan D. Bradbury
  • Publication number: 20230043503
    Abstract: A secure guest of a computing environment requests confidential data. The confidential data is included in metadata of the secure guest, which is stored in a trusted execution environment of the computing environment. Based on the request, the confidential data is obtained from the metadata of the secure guest that is stored in the trusted execution environment.
    Type: Application
    Filed: August 5, 2021
    Publication date: February 9, 2023
    Inventors: Jonathan D. Bradbury, Reinhard Theodor Buendgen, Janosch Andreas Frank, Marc Hartmayer, Viktor Mihajlovski
  • Publication number: 20230040577
    Abstract: A secure guest generates an updated image for the secure guest, and computes one or more measurements for the updated image. The secure guest provides the one or more measurements to a trusted execution environment and obtains from the trusted execution environment metadata for the updated image. The metadata is generated based on metadata of the secure guest and obtaining the one or more measurements.
    Type: Application
    Filed: August 5, 2021
    Publication date: February 9, 2023
    Inventors: Reinhard Theodor Buendgen, Jonathan D. Bradbury
  • Publication number: 20230037746
    Abstract: A trusted execution environment obtains a secure guest image and metadata to be used to start a secure guest. The metadata includes multiple parts and a plurality of integrity measures. A first part of the metadata includes one or more integrity measures of the plurality of integrity measures, and a second part of the metadata includes customized confidential data of the secure guest and one or more other integrity measures of the plurality of integrity measures. The trusted execution environment is used to verify at least one select part of the metadata using at least one integrity measure of the plurality of integrity measures of the metadata. Based on successful verification of the at least one select part of the metadata, the trusted execution environment starts the secure guest using the secure guest image and at least a portion of the metadata.
    Type: Application
    Filed: August 5, 2021
    Publication date: February 9, 2023
    Inventors: Reinhard Theodor Buendgen, Jonathan D. Bradbury
  • Publication number: 20220413867
    Abstract: An exception summary is provided for an invalid value detected during instruction execution. An indication that a value determined to be invalid was included in input data to a computation of one or more computations or in output data resulting from the one or more computations is obtained. The value is determined to be invalid due to one exception of a plurality of exceptions. Based on obtaining the indication that the value is determined to be invalid, a summary indicator is set. The summary indicator represents the plurality of exceptions collectively.
    Type: Application
    Filed: June 17, 2021
    Publication date: December 29, 2022
    Inventors: Laith M. AlBarakat, Jonathan D. Bradbury, Timothy Slegel, Cedric Lichtenau, Joachim von Buttlar
  • Publication number: 20220405101
    Abstract: A first processor processes an instruction configured to perform a plurality of functions. The plurality of functions includes one or more functions to operate on one or more tensors. A determination is made of a function of the plurality of functions to be performed. The first processor provides to a second processor information related to the function. The second processor is to perform the function. The first processor and the second processor share memory providing memory coherence.
    Type: Application
    Filed: June 17, 2021
    Publication date: December 22, 2022
    Inventors: Laith M. AlBarakat, Jonathan D. Bradbury, Timothy Slegel, Cedric Lichtenau, Simon Weishaupt, Anthony Saporito
  • Publication number: 20220405552
    Abstract: An instruction to perform a recurrent neural network cell activation is executed. The executing includes performing a plurality of operations of the recurrent neural network cell activation to provide a result of the recurrent neural network cell activation. The plurality of operations is performed in a single invocation of the instruction. The recurrent neural network cell activation is, for instance, a long short-term memory cell activation or a gated recurrent unit cell activation.
    Type: Application
    Filed: June 17, 2021
    Publication date: December 22, 2022
    Inventors: Cedric Lichtenau, Jonathan D. Bradbury, Laith M. AlBarakat, Simon Weishaupt
  • Publication number: 20220405123
    Abstract: A conversion operation is performed which includes a plurality of conversion actions. A conversion action includes processing an instruction to convert selected data from a source data type to a target data type. The processing includes determining whether a data type indicated using the instruction is a valid data type for a select machine. The data type is a selected data type selected from the source data type or the target data type. The selected data is converted from the source data type to the target data type, based on determining that the data type is a valid data type for the select machine. An indicator is set to a select value to indicate the data type is an invalid data type, based on determining that the data type is an invalid data type for the select machine. The indicator is checked at an end of the conversion operation.
    Type: Application
    Filed: June 17, 2021
    Publication date: December 22, 2022
    Inventors: Jonathan D. Bradbury, Laith M. AlBarakat, Timothy Slegel, Andrew M. Sica
  • Publication number: 20220405100
    Abstract: An instruction is executed to perform a query function. The executing includes obtaining information relating to a selected model of a processor. The information includes at least one model-dependent data attribute of the selected model of the processor. The information is placed in a selected location for use by at least one application in performing one or more functions.
    Type: Application
    Filed: June 17, 2021
    Publication date: December 22, 2022
    Inventors: Timothy Slegel, Laith M. AlBarakat, Jonathan D. Bradbury, Cedric Lichtenau, Simon Weishaupt
  • Publication number: 20220405050
    Abstract: An indication of a function to be executed is obtained, in which the function is one function of an instruction and configured to perform multiple operations. A determination is made of an operation of the multiple operations to be performed, and a set of function-specific parameters is validated using a set of values and a corresponding set of relationships. The set of values and corresponding set of relationships are based on the operation to be performed. One set of values and corresponding set of relationships are to be used for the operation to be performed, and another set of values and corresponding set of relationships are to be used for another operation of the multiple operations.
    Type: Application
    Filed: June 17, 2021
    Publication date: December 22, 2022
    Inventors: Cedric Lichtenau, Jonathan D. Bradbury, Laith M. AlBarakat
  • Publication number: 20220405598
    Abstract: A plurality of tensors is obtained, and the plurality of tensors is reformatted to provide a plurality of reformatted tensors of a select dimension. The reformatting includes adding padding to at least one reformatted tensor of the plurality of reformatted tensors. The plurality of reformatted tensors is concatenated to provide a concatenated tensor. The concatenated tensor is to be used in recurrent neural network processing.
    Type: Application
    Filed: June 17, 2021
    Publication date: December 22, 2022
    Inventors: Cedric Lichtenau, Jonathan D. Bradbury, Laith M. AlBarakat, Simon Weishaupt
  • Patent number: 11531627
    Abstract: A computer-implemented method according to examples includes receiving, by a secure interface control of a computing system, a request by a requestor to access a page in a memory of the computing system. The method further includes, responsive to determining that the requestor is a non-secure requestor and responsive to a secure-storage bit being set, prohibiting access to the page without performing an authorization check. The method further includes, responsive to determining that the requestor is a secure requestor, performing the authorization check.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: December 20, 2022
    Assignee: International Business Machines Corporation
    Inventors: Jonathan D. Bradbury, Lisa Cranton Heller, Utz Bacher, Fadi Y. Busaba
  • Publication number: 20220382869
    Abstract: A method, computer program product, and a system where a secure interface control determines whether an instance of a secure guest image can execute based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest of an owner and managed by the hypervisor that includes control(s) that indicates whether the hypervisor is permitted to execute an instance of a secure guest generated with the image in the computing system based on system setting(s) in the computing system. The SC intercepts a command by the hypervisor to initiate the instance. The SC determines the presence or the absence of system setting(s) in the computing system. The SC determines if the hypervisor is permitted to execute the instance. If so, the SC enables initiation of the instance by the hypervisor. If not, the SC ignores the command.
    Type: Application
    Filed: August 4, 2022
    Publication date: December 1, 2022
    Inventors: Reinhard T. Buendgen, Jonathan D. Bradbury, Lisa Cranton Heller
  • Patent number: 11487906
    Abstract: According to one or more embodiments of the present invention, a computer implemented method includes enabling, by a secure interface control of a computer system, a non-secure entity of the computer system to access a page of memory shared between the non-secure entity and a secure domain of the computer system based on the page being marked as non-secure with a secure storage protection indicator of the page being clear. The secure interface control can verify that the secure storage protection indicator of the page is clear prior to allowing the non-secure entity to access the page. The secure interface control can provide a secure entity of the secure domain with access to the page absent a check of the secure storage protection indicator of the page.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: November 1, 2022
    Assignee: International Business Machines Corporation
    Inventors: Lisa Cranton Heller, Fadi Y. Busaba, Jonathan D. Bradbury
  • Patent number: 11475167
    Abstract: A security module, such as a cryptographic adapter, is reserved for a secure guest of a computing environment. The reserving includes binding one or more queues of the security module to the secure guest. The one or more queues are then managed based on one or more actions relating to the reservation.
    Type: Grant
    Filed: January 29, 2020
    Date of Patent: October 18, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Reinhard Theodor Buendgen, Volker Urban, Richard Victor Kisley, Jonathan D. Bradbury, Torsten Hendel, Harald Freudenberger, Benedikt Klotz, Klaus Werner, Markus Selve
  • Patent number: 11449367
    Abstract: A method is provided that includes receiving, by a firmware from an originating software, an asynchronous request for an instruction of an algorithm for compression of data. The firmware operates on a first processor and the originating software operates on a second processor. The firmware issues a synchronous request to the first processor to cause the processor to execute the instruction synchronously. It is determined, by the firmware, whether an interrupt is received from the first processor with respect to the first processor executing the instruction. The firmware retries the issuance of the synchronous request each time the interrupt is received until a retry threshold is reached.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: September 20, 2022
    Assignee: International Business Machines Corporation
    Inventors: Matthias Klein, Simon Weishaupt, Anthony Thomas Sofia, Jonathan D. Bradbury, Mark S. Farrell, Mahmoud Amin, Timothy Slegel
  • Patent number: 11442726
    Abstract: Vector pack and unpack instructions are described. An instruction to perform a conversion between one decimal format and another decimal format is executed, in which the one decimal format or the other decimal format is a zoned decimal format. The executing includes obtaining a value from at least one register specified using the instruction. At least a portion of the value is converted from the one decimal format to the other decimal format different from the one decimal format to provide a converted result. A result obtained from the converted result is written into a single register specified using the instruction.
    Type: Grant
    Filed: February 26, 2021
    Date of Patent: September 13, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Eric Mark Schwarz, Timothy Slegel, Jonathan D. Bradbury, Michael Klein, Reid Copeland, Xin Guo
  • Patent number: 11443040
    Abstract: A method, computer program product, and a system where a secure interface control determines whether an instance of a secure guest image can execute based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest of an owner and managed by the hypervisor that includes control(s) that indicates whether the hypervisor is permitted to execute an instance of a secure guest generated with the image in the computing system based on system setting(s) in the computing system. The SC intercepts a command by the hypervisor to initiate the instance. The SC determines the presence or the absence of system setting(s) in the computing system. The SC determines if the hypervisor is permitted to execute the instance. If so, the SC enables initiation of the instance by the hypervisor. If not, the SC ignores the command.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: September 13, 2022
    Assignee: International Business Machines Corporation
    Inventors: Reinhard T. Buendgen, Jonathan D. Bradbury, Lisa Cranton Heller