Patents by Inventor Matthew David Kurjanowicz

Matthew David Kurjanowicz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220413717
    Abstract: Techniques of implementing software filtered non-volatile memory in a computing device are disclosed herein. In one embodiment, a method includes detecting an entry being written to a guest admin submission queue (gASQ) by a memory driver of a virtual machine hosted on the computing device. Upon detecting the entry written to the gASQ by the memory driver, the command in the entry is analyzed to determine whether the command is allowed based on a list of allowed or disallowed commands. In response to determining that the command in the entry is not allowed, without sending the command to the non-volatile memory, generating an execution result of the command in response to the entry being written to the gASQ by the memory driver. As such, potentially harmful commands from the memory driver are prevented from being executed by the non-volatile memory.
    Type: Application
    Filed: June 6, 2022
    Publication date: December 29, 2022
    Inventors: Martijn de Kort, David Hepkin, Murtaza Ghiya, Liang Yang, Matthew David Kurjanowicz
  • Patent number: 11385809
    Abstract: Techniques of implementing software filtered non-volatile memory in a computing device are disclosed herein. In one embodiment, a method includes detecting an entry being written to a guest admin submission queue (gASQ) by a memory driver of a virtual machine hosted on the computing device. Upon detecting the entry written to the gASQ by the memory driver, the command in the entry is analyzed to determine whether the command is allowed based on a list of allowed or disallowed commands. In response to determining that the command in the entry is not allowed, without sending the command to the non-volatile memory, generating an execution result of the command in response to the entry being written to the gASQ by the memory driver. As such, potentially harmful commands from the memory driver are prevented from being executed by the non-volatile memory.
    Type: Grant
    Filed: March 1, 2021
    Date of Patent: July 12, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Martijn de Kort, David Hepkin, Murtaza Ghiya, Liang Yang, Matthew David Kurjanowicz
  • Patent number: 11200300
    Abstract: Techniques for secure sharing of data in computing systems are disclosed herein. In one embodiment, a method includes when exchanging data between the host operating system and the guest operating system, encrypting, at a trusted platform module (TPM) of the host, data to be exchanged with a first key to generate encrypted data. The method also includes transmitting the encrypted data from the host operating system to the guest operating system and decrypting, at the guest operating system, the transmitted encrypted data using a second key previously exchanged between the TPM of the host and a virtual TPM of the guest operating system.
    Type: Grant
    Filed: June 20, 2018
    Date of Patent: December 14, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Giridhar Viswanathan, Sudeep Kumar Ghosh, Ankit Srivastava, Michael Trevor Pashniak, Benjamin M Schultz, Balaji Balasubramanyan, Hari R Pulapaka, Tushar Suresh Sugandhi, Matthew David Kurjanowicz, Ahmed Saruhan Karademir
  • Patent number: 11074323
    Abstract: Securely performing file operations. A method includes determining a licensing characteristic assigned to a file. When the licensing characteristic assigned to the file meets or exceeds a predetermined licensing condition, then the method includes performing a file operation on the file in a host operating system while preventing the file operation from being performed in the guest operating system. When the licensing characteristic assigned to the file does not meet or exceed the predetermined licensing condition, then the method includes performing the file operation on the file in the guest operating system while preventing the file operation from being performed directly in the host operating system.
    Type: Grant
    Filed: June 21, 2018
    Date of Patent: July 27, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Benjamin M. Schultz, Balaji Balasubramanyan, Giridhar Viswanathan, Ankit Srivastava, Margarit Simeonov Chenchev, Hari R. Pulapaka, Nived Kalappuraikal Sivadas, Raphael Gianotti Serrano dos Santo, Narasimhan Ramasubramanian, Frederick Justus Smith, Matthew David Kurjanowicz, Prakhar Srivastava, Jonathan Schwartz
  • Publication number: 20210181956
    Abstract: Techniques of implementing software filtered non-volatile memory in a computing device are disclosed herein. In one embodiment, a method includes detecting an entry being written to a guest admin submission queue (gASQ) by a memory driver of a virtual machine hosted on the computing device. Upon detecting the entry written to the gASQ by the memory driver, the command in the entry is analyzed to determine whether the command is allowed based on a list of allowed or disallowed commands. In response to determining that the command in the entry is not allowed, without sending the command to the non-volatile memory, generating an execution result of the command in response to the entry being written to the gASQ by the memory driver. As such, potentially harmful commands from the memory driver are prevented from being executed by the non-volatile memory.
    Type: Application
    Filed: March 1, 2021
    Publication date: June 17, 2021
    Inventors: Martijn de Kort, David Hepkin, Murtaza Ghiya, Liang Yang, Matthew David Kurjanowicz
  • Patent number: 10969973
    Abstract: Techniques of implementing software filtered non-volatile memory in a computing device are disclosed herein. In one embodiment, a method includes detecting an entry being written to a guest admin submission queue (gASQ) by a memory driver of a virtual machine hosted on the computing device. Upon detecting the entry written to the gASQ by the memory driver, the command in the entry is analyzed to determine whether the command is allowed based on a list of allowed or disallowed commands. In response to determining that the command in the entry is not allowed, without sending the command to the non-volatile memory, generating an execution result of the command in response to the entry being written to the gASQ by the memory driver. As such, potentially harmful commands from the memory driver are prevented from being executed by the non-volatile memory.
    Type: Grant
    Filed: September 20, 2018
    Date of Patent: April 6, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Martijn de Kort, David Hepkin, Murtaza Ghiya, Liang Yang, Matthew David Kurjanowicz
  • Patent number: 10885193
    Abstract: Securely performing file operations. A method includes determining a trust characteristic assigned to a file. When the trust characteristic assigned to the file meets or exceeds a predetermined trust condition, then the method includes performing a file operation on the file in a host operating system while preventing the file operation from being performed in the container operating system. When the trust characteristic assigned to the file does not meet or exceed the predetermined trust condition, then the method includes performing the file operation on the file in the container operating system while preventing the file operation from being performed directly in the host operating system.
    Type: Grant
    Filed: February 12, 2018
    Date of Patent: January 5, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Bryan R. Born, Giridhar Viswanathan, Peteris Ledins, Balaji Balasubramanyan, Margarit Simeonov Chenchev, Benjamin M. Schultz, Hari R. Pulapaka, Frederick Justus Smith, Narasimhan Ramasubramanian, Raphael Gianotti Serrano Dos Santo, Nived Kalappuraikal Sivadas, Ravinder Thind, Matthew David Kurjanowicz
  • Patent number: 10795974
    Abstract: Techniques for memory assignment for guest operating systems are disclosed herein. In one embodiment, a method includes generating a license blob containing data representing a product key copied from a record of license information in the host storage upon receiving a user request to launch an application in the guest operating system. The method also includes storing the generated license blob in a random memory location accessible by the guest operating system. The guest operating system can then query the license blob for permission to launch the application and launching the application in the guest operating system without having a separate product key for the guest operating system.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: October 6, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ahmed Saruhan Karademir, Sudeep Kumar Ghosh, Ankit Srivastava, Michael Trevor Pashniak, Benjamin M. Schultz, Balaji Balasubramanyan, Hari R. Pulapaka, Tushar Suresh Sugandhi, Matthew David Kurjanowicz, Giridhar Viswanathan
  • Publication number: 20200097192
    Abstract: Techniques of implementing software filtered non-volatile memory in a computing device are disclosed herein. In one embodiment, a method includes detecting an entry being written to a guest admin submission queue (gASQ) by a memory driver of a virtual machine hosted on the computing device. Upon detecting the entry written to the gASQ by the memory driver, the command in the entry is analyzed to determine whether the command is allowed based on a list of allowed or disallowed commands. In response to determining that the command in the entry is not allowed, without sending the command to the non-volatile memory, generating an execution result of the command in response to the entry being written to the gASQ by the memory driver. As such, potentially harmful commands from the memory driver are prevented from being executed by the non-volatile memory.
    Type: Application
    Filed: September 20, 2018
    Publication date: March 26, 2020
    Inventors: Martijn de Kort, David Hepkin, Murtaza Ghiya, Liang Yang, Matthew David Kurjanowicz
  • Publication number: 20190392117
    Abstract: Techniques for secure sharing of data in computing systems are disclosed herein. In one embodiment, a method includes when exchanging data between the host operating system and the guest operating system, encrypting, at a trusted platform module (TPM) of the host, data to be exchanged with a first key to generate encrypted data. The method also includes transmitting the encrypted data from the host operating system to the guest operating system and decrypting, at the guest operating system, the transmitted encrypted data using a second key previously exchanged between the TPM of the host and a virtual TPM of the guest operating system.
    Type: Application
    Filed: June 20, 2018
    Publication date: December 26, 2019
    Inventors: Giridhar Viswanathan, Sudeep Kumar Ghosh, Ankit Srivastava, Michael Trevor Pashniak, Benjamin M. Schultz, Balaji Balasubramanyan, Hari R. Pulapaka, Tushar Suresh Sugandhi, Matthew David Kurjanowicz, Ahmed Saruhan Karademir
  • Publication number: 20190370436
    Abstract: Techniques for memory assignment for guest operating systems are disclosed herein. In one embodiment, a method includes generating a license blob containing data representing a product key copied from a record of license information in the host storage upon receiving a user request to launch an application in the guest operating system. The method also includes storing the generated license blob in a random memory location accessible by the guest operating system. The guest operating system can then query the license blob for permission to launch the application and launching the application in the guest operating system without having a separate product key for the guest operating system.
    Type: Application
    Filed: May 31, 2018
    Publication date: December 5, 2019
    Inventors: Ahmed Saruhan Karademir, Sudeep Kumar Ghosh, Ankit Srivastava, Michael Trevor Pashniak, Benjamin M. Schultz, Balaji Balasubramanyan, Hari R. Pulapaka, Tushar Suresh Sugandhi, Matthew David Kurjanowicz, Giridhar Viswanathan
  • Publication number: 20190347420
    Abstract: Securely storing, installing, or launching applications. A method includes determining a trust characteristic or a license characteristic assigned to an application. When the trust characteristic or the license characteristic meets or exceeds a predetermined trust condition or a predetermined license condition, then the method includes at least one of storing, installing or launching the application in a first, more secure operating system while preventing the application from being at least one of stored, installed or launched in a second, less secure operating system. When the trust characteristic or the license characteristic does not meet or exceed the predetermined trust condition or the predetermined license condition, then the method includes at least one of storing, installing or launching the application in the second, less secure operating system while preventing the application from being at least one of stored, installed or launched in the first, more secure operating system.
    Type: Application
    Filed: May 11, 2018
    Publication date: November 14, 2019
    Inventors: Benjamin M. Schultz, Matthew David Kurjanowicz, Ankit Srivastava, Ahmed Saruhan Karademir, Sudeep Kumar Ghosh, Michael Trevor Pashniak, Hari R. Pulapaka, Balaji Balasubramanyan, Tushar Suresh Sugandhi, Giridhar Viswanathan
  • Patent number: 10452298
    Abstract: Reading and copying data as file data in a persistent memory storage device. A method may be practiced in a virtual machine environment. The virtual machine environment includes a persistent memory storage device. The persistent memory storage device has the ability to appear as a memory device having available memory to a virtual machine on a host and as a file to the host. The method includes acts for copying data stored in the persistent memory storage device for a first virtual machine. The method includes the host reading data from the persistent memory storage device as file data. The method further includes the host writing the data from the persistent memory storage device as file data.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: October 22, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Matthew David Kurjanowicz, Attilio Mainetti, Scott Chao-Chueh Lee
  • Patent number: 10366235
    Abstract: Mounting a filesystem for media. The method includes detecting that media has been connected to a computing device. The method further includes causing a filesystem for the media to be mounted to a virtual machine. The virtual machine is coupled to a server. The method further includes causing file data from the media organized by the filesystem to be served from the server to the computing device.
    Type: Grant
    Filed: December 16, 2016
    Date of Patent: July 30, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Matthew David Kurjanowicz, Adam Warren Burch
  • Publication number: 20190180003
    Abstract: Securely performing file operations. A method includes determining a licensing characteristic assigned to a file. When the licensing characteristic assigned to the file meets or exceeds a predetermined licensing condition, then the method includes performing a file operation on the file in a host operating system while preventing the file operation from being performed in the guest operating system. When the licensing characteristic assigned to the file does not meet or exceed the predetermined licensing condition, then the method includes performing the file operation on the file in the guest operating system while preventing the file operation from being performed directly in the host operating system.
    Type: Application
    Filed: June 21, 2018
    Publication date: June 13, 2019
    Inventors: Benjamin M. Schultz, Balaji Balasubramanyan, Giridhar Viswanathan, Ankit Srivastava, Margarit Simeonov Chenchev, Hari R. Pulapaka, Nived Kalappuraikal Sivadas, Raphael Gianotti Serrano dos Santo, Narasimhan Ramasubramanian, Frederick Justus Smith, Matthew David Kurjanowicz, Prakhar Srivastava, Jonathan Schwartz
  • Publication number: 20190180033
    Abstract: Securely performing file operations. A method includes determining a trust characteristic assigned to a file. When the trust characteristic assigned to the file meets or exceeds a predetermined trust condition, then the method includes performing a file operation on the file in a host operating system while preventing the file operation from being performed in the container operating system. When the trust characteristic assigned to the file does not meet or exceed the predetermined trust condition, then the method includes performing the file operation on the file in the container operating system while preventing the file operation from being performed directly in the host operating system.
    Type: Application
    Filed: February 12, 2018
    Publication date: June 13, 2019
    Inventors: Bryan R. BORN, Giridhar VISWANATHAN, Peteris LEDINS, Balaji BALASUBRAMANYAN, Margarit Simeonov CHENCHEV, Benjamin M. SCHULTZ, Hari R. PULAPAKA, Frederick Justus SMITH, Narasimhan RAMASUBRAMANIAN, Raphael GIANOTTI SERRANO DOS SANTO, Nived KALAPPURAIKAL SIVADAS, Ravinder THIND, Matthew David KURJANOWICZ
  • Publication number: 20180329643
    Abstract: Reading and copying data as file data in a persistent memory storage device. A method may be practiced in a virtual machine environment. The virtual machine environment includes a persistent memory storage device. The persistent memory storage device has the ability to appear as a memory device having available memory to a virtual machine on a host and as a file to the host. The method includes acts for copying data stored in the persistent memory storage device for a first virtual machine. The method includes the host reading data from the persistent memory storage device as file data. The method further includes the host writing the data from the persistent memory storage device as file data.
    Type: Application
    Filed: June 30, 2017
    Publication date: November 15, 2018
    Inventors: Matthew David KURJANOWICZ, Attilio MAINETTI, Scott Chao-Chueh LEE
  • Publication number: 20180173878
    Abstract: Mounting a filesystem for media. The method includes detecting that media has been connected to a computing device. The method further includes causing a filesystem for the media to be mounted to a virtual machine. The virtual machine is coupled to a server. The method further includes causing file data from the media organized by the filesystem to be served from the server to the computing device.
    Type: Application
    Filed: December 16, 2016
    Publication date: June 21, 2018
    Inventors: Matthew David Kurjanowicz, Adam Warren Burch
  • Publication number: 20180165133
    Abstract: A computing device runs a host on which multiple guests (e.g., virtual machines run via a virtual machine monitor such as a hypervisor) can run. The guest is used for isolation as well as hardware resource partitioning. The guest and the host agree on a name and a size for shared memory. Both the guest and the host map to the shared memory, and both the guest and the host access the shared memory. The access allowed to the shared memory can be the same for both the host and the guest (e.g., both may be allowed read/write access) or different (e.g., the guest may be allowed write only access and the host may be allowed read only access).
    Type: Application
    Filed: June 30, 2017
    Publication date: June 14, 2018
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Mehmet Iyigun, Matthew David Kurjanowicz, Martijn de Kort, Kevin M. Broas, Yevgeniy M. Bak
  • Publication number: 20170068469
    Abstract: A storage system creates a snapshot of a virtual hard disk by switching an I/O request target for the virtual hard disk. A requestor may issue requests to the storage system requesting that specific operations of the process should be performed. A request may specify that more than one operation should be performed in one operation. After initializing a new virtual hard disk file, I/O requests directed to a target virtual hard disk file are held for later delivery. The I/O request target is switched from the target to the new virtual hard disk file. I/O requests are unblocked and the stored requests are delivered to the new virtual hard disk file. Additional I/O requests sent to the target virtual hard disk file may be redirected to the new virtual hard disk file.
    Type: Application
    Filed: September 3, 2015
    Publication date: March 9, 2017
    Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Vinod Shankar, Matthew David Kurjanowicz, Balaji Sekar, Adam Burch, Brendan Grebur