Abstract: A method and system for protection and security of IO devices using credential are provided. The system may include at least one consumer arranged to initiate IO requests from the IO device, and the IO requests may include IO capability allocation and additional parameters. The system may also include an IO resource manager (IORM) arranged to translate the IO capability allocation and additional parameters included in said IO request to a set of capability tokens for the consumer or for a group of consumers, to generate a global key to protect the capability tokens, and further arranged to manage the IO device. The system may further include a channel component arranged to transfer and receive the IO request to and from the IO device.

Abstract: A method for receiving data in a network acceleration architecture for use with TCP (transport control protocol), iSCSI (Internet Small Computer System Interface) and RDMA (Remote Direct Memory Access) over TCP, including providing a hardware acceleration engine, called a streamer, adapted for communication with and processing data from a consumer application in a system that supports TCP, iSCSI and RDMA over TCP, providing a software protocol processor adapted for carrying out TCP implementation, the software control processor being called a TCE (TCP Control Engine), wherein the streamer and the TCE are adapted to operate asynchronously and independently of one another, and receiving an inbound TCP segment with the streamer.

Abstract: A mechanism enabling a processor in a multiprocessor complex to function as a coprocessor to execute a specific function. The method includes a mechanism for activating a coprocessor to function as a coprocessor as well as a mechanism to execute a coprocessor request on the system. The present invention also provides a mechanism for efficient processor to processor communication for processors coupled to a common bus. Overall system performance is enhanced by significantly reducing the use of hardware interrupts for processor to processor communication.

Abstract: A computer-implemented system and method for protecting a memory are provided. The system includes a memory section with privileged and non-privileged sections, a host gateway (HG) to generate a capability credential, a device controller (DC) to append the credential to data transmitted to the memory, and at least one IO device enabled to do direct memory access (DMA) transactions with the memory.

Abstract: A network acceleration architecture for use with TCP, iSCSI and/or RDMA over TCP, including a hardware acceleration engine adapted for communication with and processing data from a consumer application in a system that supports TCP, iSCSI and RDMA over TCP, a software protocol processor adapted for carrying out TCP implementation, and an asynchronous dual-queue interface for exchanging information between the hardware acceleration engine and the software protocol processor, wherein the hardware acceleration engine and the software protocol processor are adapted to operate asynchronously and independently of one another.

Abstract: A computer-implemented method for protecting a memory is provided. The method includes responsive to a direct memory access (DMA) request received from a consumer for a transaction of data from an IO device to the memory, the request including an IO command and a capability (CAP), generating a cryptographically signed capability (CAPB), forming a credential from CAP and CAPB, appending the credential to the IO command, configuring the IO device according to the credential and the IO command, transmitting the data from the IO device to the memory and prior to allowing execution of the DMA, authenticating that the credential is valid, further includes regenerating CAPB from a key available to an authenticating entity and from the CAP (included in CAPB) and verifying that the memory region information described in the cryptographically signed capability is the same as the requested region that was originally created, and that the cryptographically signed capability encompasses the IO command.

Abstract: Methods for recovery from server-failures wherein servers control a communication initiator's access to a set of resources. A probable server failure leads to a communication initiator performing a discovery operation to identify available servers capable of accessing a required resource. A server checks whether any of the servers has failed. If a server has failed, a server other than the failed server sends the communication initiator an identification of the failed server together with a network address of an identified available server. The identified available server configures itself to respond to resource access requests directed to the failed server. The communication initiator establishes a connection to an available server enabling access to the required resource. The available server uses initiator-provided elements to recreate a reservation identifier, so that replacing server can also manage resources that were reserved by the failed server at the time of its failure.

Abstract: Techniques for maintaining connectivity between a remote application stored on a remote device and an application being executed in a system environment, wherein the system environment is migrated from a first device to a second device, are provided. A first connection between the remote application stored on the remote device and the application being executed in the system environment stored on the first device is established via a first communication over a first negotiation channel. The first negotiation channel connects a first socket layer interface linked to the application being executed in the system environment to a second socket layer interface linked to the remote application. The first connection between the remote application and the application being executed in the system environment is disconnected for migration of the system environment from the first device to the second device. Disconnecting the first connection is coordinated via the first negotiation channel.

Abstract: A system and method for unifying access to a physical memory by operations using virtual addresses of the same virtual address space are provided. The operations may be generated by at least one central processing unit (CPU operations) and/or by at least one IO device (IO operations). The system may include a bus arranged to transfer data and virtual addresses of the same virtual address space from the central processing unit (CPU) and the IO device to a unified memory management unit (UMMU), a unified memory management unit (UMMU) arranged to translate the virtual addresses to physical addresses, and to protect the physical memory from illegal access attempts of the CPU operations and the IO operations. The system may further include a memory controller arranged to manage access to the physical memory. The access is done by using physical addresses.

Abstract: A method for receiving data in a network acceleration architecture for use with TCP (transport control protocol), iSCSI (Internet Small Computer System Interface) and/or RDMA (Remote Direct Memory Access) over TCP, including providing a hardware acceleration engine, called a streamer, adapted for communication with and processing data from a consumer application in a system that supports TCP, iSCSI and RDMA over TCP, providing a software protocol processor adapted for carrying out TCP implementation, the software control processor being called a TCE (TCP Control Engine), wherein the streamer and the TCE are adapted to operate asynchronously and independently of one another, and transmitting a TCP segment with the streamer.

Abstract: A method and system for memory address translation and pinning are provided. The method includes attaching a memory address space identifier to a direct memory access (DMA) request, the DMA request is sent by a consumer and using a virtual address in a given address space. The method further includes looking up for the memory address space identifier to find a translation of the virtual address in the given address space used in the DMA request to a physical page frame. Provided that the physical page frame is found, pinning the physical page frame as long as the DMA request is in progress to prevent an unmapping operation of said virtual address in said given address space, and completing the DMA request, wherein the steps of attaching, looking up and pinning are centrally controlled by a host gateway.

Abstract: A method and system for memory address translation and pinning are provided. The method includes attaching a memory address space identifier to a direct memory access (DMA) request, the DMA request is sent by a consumer and using a virtual address in a given address space. The method further includes looking up for the memory address space identifier to find a translation of the virtual address in the given address space used in the DMA request to a physical page frame. Provided that the physical page frame is found, pinning the physical page frame al song as the DMA request is in progress to prevent an unmapping operation of said virtual address in said given address space, and completing the DMA request, wherein the steps of attaching, looking up and pinning are centrally controlled by a host gateway.

Abstract: A method for facilitating direct memory access in a computing system in response to a request to transfer data is provided. The method comprises selecting a thread for transferring the data, wherein the thread executes on a processing core within the computing system; providing the thread with the request, wherein the request comprises information for carrying out a data transfer; and transferring the data according to the request. The method may further comprise: coordinating the request with a memory management unit, such that virtual addresses may be used to transfer data; invalidating a cache line associated with the source address or flushing a cache line associated with the destination address, if requested. Multiple threads can be selected to transfer data based on their proximity to the destination address.

Abstract: A transmission method adjusts the size of aggregated packets based at least on the congestion of a transmitting network device. The adjusting comprises includes aggregating at least two small messages, received from an upper layer, into a packet, providing the packet to a pending queue, passing packets to a network device and selecting packets from the pending queue or the buffer depending on whether or not the pending queue is empty.

Abstract: A novel and useful mechanism enabling a processor in a multiprocessor complex to function as a coprocessor to execute a specific function. The method includes a mechanism for activating a coprocessor to function as a coprocessor as well as a mechanism to execute a coprocessor request on the system. The present invention also provides a mechanism for efficient processor to processor communication for processors coupled to a common bus. Overall system performance is enhanced by significantly reducing the use of hardware interrupts for processor to processor communication.

Abstract: A method for accessing a memory space allocated to a virtual machine, the method includes: receiving a request from the virtual machine to generate, for another virtual machine, a memory credential associated with a certain memory space allocated to the virtual machine; generating, in response to the request, a cryptographically signed credential; sending the cryptographically signed credential to the other virtual machine; receiving from the other virtual machine an access request to access at least one memory entry within the certain memory space; and accessing the at least one memory entry, if the access request complies with the memory credential.

Abstract: Provided are methods, apparatus and computer programs for recovery from failures affecting a server in a data processing environment in which a set of servers controls a client's access to a set of resource instances. Independent of any server failure, the client or a gateway is provided with an identification of both a primary server for accessing the resource and at least one secondary server for use as a backup server for accessing the same resource instance (for example, the same physical storage disk). The client or gateway connects to the primary server to perform resource access operations. Following a failure that affects availability of the primary server, the client or gateway connects to the previously identified secondary server to access the same resource instance. Provision of the identification of at least one backup secondary server (without requiring the ‘trigger’ of a failure) avoids the need to discover a new server as part of the recovery operation following a failure.

Abstract: A method for processing a memory page, the method includes: retrieving, in response to a request to provide a first memory page to a processor, first memory page metadata associated with first memory page address information; wherein the first memory page address information is stored in a memory page table; and performing a page operation in response to the memory page metadata; wherein the page operation is selected from a group consisting of compression, cryptography, searching a page for a virus signature, searching a page for digital right management signature, error correction code verification, error correction code addition.

Abstract: A computer system includes a local area network (LAN) and a plurality of computers. Each of the computers includes at least one central processing unit (CPU) and a LAN interface, which is coupled to communicate over the LAN, while the computers include no on-board input/output (I/O) device controllers other than the LAN interface. One or more peripheral devices are coupled to communicate with the computers over the LAN.

Abstract: A method for accessing a storage device, the method includes: receiving, by storage device, a block based storage access command and cryptographically secured access control information; wherein the block based storage access command and the cryptographically secured access control information are associated with at least one fixed size block of data and with a client; processing at least a portion of the cryptographically secured access control information by using a secret key accessible to the storage device and to a security entity; and selectively executing the block based storage access command in response to a result of the processing.