Abstract: In a processor supporting execution of a plurality of functions of an instruction, an instruction blocking value is set for blocking one or more of the plurality of functions, such that an attempt to execute one of the blocked functions, will result in a program exception and the instruction will not execute, however the same instruction will be able to execute any of the functions that are not blocked functions.

Abstract: A method, computer program product, and a system where a secure interface control determines whether an instance of a secure guest image can execute based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest of an owner and managed by the hypervisor that includes control(s) that indicates whether the hypervisor is permitted to execute an instance of a secure guest generated with the image in the computing system based on system setting(s) in the computing system. The SC intercepts a command by the hypervisor to initiate the instance. The SC determines the presence or the absence of system setting(s) in the computing system. The SC determines if the hypervisor is permitted to execute the instance. If so, the SC enables initiation of the instance by the hypervisor. If not, the SC ignores the command.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, at a secure interface control of a computer system, an access request for a data structure related to a secure entity in a secure domain of the computer system. The secure interface control can check for a virtual storage address associated with a location of the data structure. The secure interface control can request an address translation using a virtual address space of a non-secure entity of the computer system based on determining that the location of the data structure is associated with the virtual storage address. The secure interface control can access the data structure based on a result of the address translation.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving a secure access request for a secure page of memory at a secure interface control of a computer system. The secure interface control can check a disable virtual address compare state associated with the secure page. The secure interface control can disable a virtual address check in accessing the secure page to support mapping of a plurality of virtual addresses to a same absolute address to the secure page based on the disable virtual address compare state being set and/or to support secure pages that are accessed using an absolute address and do not have an associated virtual address.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving a query for an amount of storage in memory of a computer system to be donated to a secure interface control of the computer system. The secure interface control can determine the amount of storage to be donated based on a plurality of secure entities supported by the secure interface control as a plurality of predetermined values. The secure interface control can return a response to the query indicative of the amount of storage as a response to the query. A donation of storage to secure for use by the secure interface control can be received based on the response to the query.

Abstract: A virtual machine is dispatched and based on the dispatch, a determination is made as to whether a select area of memory expected to be accessible to the virtual machine and used in communication between the virtual machine and an operating system is accessible to the virtual machine. Based on determining that the select area of memory is inaccessible to the virtual machine, virtual machine execution is exited with a select interception code.

Abstract: Operating system deactivation of write protection for a storage block is provided absent quiescing of processors in a multi-processor computing environment. The process includes receiving an address translation protection exception interrupt resulting from an attempted write access by a processor to a storage block, and determining by the operating system whether write protection for the storage block is active. Based on write protection for the storage block not being active, the operating system issues an instruction to clear or modify translation lookaside buffer entries of the processor associated with the storage block, absent waiting for an action by another processor of multiple processors of the computing environment, to facilitate write access to the storage block proceeding at the processor.

Abstract: An computer-implemented method according to examples includes receiving, by a secure interface control of a computing system, a request by a requestor to access a page in a memory of the computing system. The method further includes, responsive to determining that the requestor is a non-secure requestor and responsive to a secure-storage bit being set, prohibiting access to the page without performing an authorization check. The method further includes, responsive to determining that the requestor is a secure requestor, performing the authorization check.

Abstract: An instruction is provided to perform a reset address translation protection operation when executed. Executing the instruction includes determining, by a processor, that an address translation protection bit in a specified translation table entry associated with a storage block is to be reset. Based on determining that the address translation protection bit is to be reset, executing the instruction includes resetting the address translation protection bit to deactivate write protection for the storage block. The resetting is absent waiting for an action by one or more other processors of the computing environment.

Abstract: Operating system deactivation of write protection for a storage block is provided absent quiescing of processors in a multi-processor computing environment. The process includes receiving an address translation protection exception interrupt resulting from an attempted write access by a processor to a storage block, and determining by the operating system whether write protection for the storage block is active. Based on write protection for the storage block not being active, the operating system issues an instruction to clear or modify translation lookaside buffer entries of the processor associated with the storage block, absent waiting for an action by another processor of multiple processors of the computing environment, to facilitate write access to the storage block proceeding at the processor.

Abstract: A method, computer program product, and a system where a secure interface control determines whether an instance of a secure guest image can execute based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest of an owner and managed by the hypervisor that includes control(s) that indicates whether the hypervisor is permitted to execute an instance of a secure guest generated with the image in the computing system based on system setting(s) in the computing system. The SC intercepts a command by the hypervisor to initiate the instance. The SC determines the presence or the absence of system setting(s) in the computing system. The SC determines if the hypervisor is permitted to execute the instance. If so, the SC enables initiation of the instance by the hypervisor. If not, the SC ignores the command.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes enabling, by a secure interface control of a computer system, a non-secure entity of the computer system to access a page of memory shared between the non-secure entity and a secure domain of the computer system based on the page being marked as non-secure with a secure storage protection indicator of the page being clear. The secure interface control can verify that the secure storage protection indicator of the page is clear prior to allowing the non-secure entity to access the page. The secure interface control can provide a secure entity of the secure domain with access to the page absent a check of the secure storage protection indicator of the page.

Abstract: A method for testing storage protection hardware includes receiving by a non-trusted entity that is executing on a host server, a request to dispatch a secure entity. It is determined, by a secure interface control of the host server, whether the host server is in an auxiliary-secure (AS) debug mode for testing an AS entity. Based on determining that the host server is in the AS debug mode, a secure guest entity state is loaded from a state descriptor for the secure entity into an AS entity state in hardware to test, upon dispatch of the secure entity, accesses to pages in a memory that are registered as secure and as belonging to the AS entity.

Abstract: A method, computer program product, and a system where a secure interface control determines whether an instance of a secure guest image can execute based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest of an owner and managed by the hypervisor that includes control(s) that indicates whether the hypervisor is permitted to execute an instance of a secure guest generated with the image in the computing system based on system setting(s) in the computing system. The SC intercepts a command by the hypervisor to initiate the instance. The SC determines the presence or the absence of system setting(s) in the computing system. The SC determines if the hypervisor is permitted to execute the instance. If so, the SC enables initiation of the instance by the hypervisor. If not, the SC ignores the command.

Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.

Abstract: A method is provided. The method is implemented by a secure interface control of a computer that prevents unauthorized accesses to locations in a memory of the computer. The secure interface control determines that a host absolute page is not previously mapped to a virtual page in accordance with securing the host absolute page and a host virtual page is not already mapped to an absolute page in accordance with securing the host absolute page.

Abstract: According to one or more embodiments of the present invention, a computer implemented method includes initiating, by a non-secure entity that is executing on a host server, a secure entity, the non-secure entity prohibited from directly accessing any data of the secure entity. The method further includes injecting, into the secure entity, an interrupt that is generated by the host server. The injecting includes adding, by the non-secure entity, information about the interrupt into a portion of non-secure storage, which is then associated with the secure entity. The injecting further includes injecting, by a secure interface control of the host server, the interrupt into the secure entity.

Abstract: A method is provided by a secure interface control of a computer that provides a partial instruction interpretation for an instruction which enables an interruption. The secure interface control fetches a program status word or a control register value from a secure guest storage. The secure interface control notifies an untrusted entity of guest interruption mask updates. The untrusted entity is executed on and in communication with hardware of the computer through the secure interface control to support operations of a secure entity executing on the untrusted entity. The secure interface control receives, from the untrusted entity, a request to present a highest priority, enabled guest interruption in response to the notifying of the guest interruption mask updates. The secure interface control moves interruption information into a guest prefix page and injecting the interruption in the secure entity when an injection of the interruption is determined to be valid.

Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.

Abstract: A method is provided. A secure interface control in communication with an untrusted entity perform the method. In this regard, the secure interface control implements an initialization instruction to set donated storage as secure. The implementing of the initialization instruction is responsive to an instruction call issued from the untrusted entity.