Abstract: Systems and methods providing efficient dirty memory page expiration. In one implementation, a processing device may identify a storage device. The processing device may determine a value of an indicator associated with the storage device. The indicator may indicate a level of consistency between a volatile memory device and a non-volatile memory device of the storage device. In view of the value of the indicator, the processing device may modify a synchronization timeout value associated with the volatile memory device.

Abstract: An example method may include responsive to receiving, by a processing device, an interrupt deferral instruction requesting that interrupts be deferred, disabling delivery of interrupts by the processing device, receiving one or more interrupt requests subsequent to disabling delivery of interrupts, and responsive to determining that a deferral termination criterion is satisfied, delivering one or more interrupts, wherein each of the one or more interrupts is specified by a respective one of the interrupt requests. The method may further include receiving a resume interrupt delivery instruction requesting that deferred and subsequent interrupts be delivered, wherein the deferral termination criterion is satisfied in response to receiving the resume interrupt delivery instruction. The method may further include, responsive to receiving the resume interrupt delivery instruction, enabling delivery of the one or more interrupts and subsequent interrupts by the processing device.

Abstract: Single-root input-output virtualization (SR-IOV) can be enabled for nested virtual machines using mapping. In one example, a host hypervisor can assign at least two guest virtual functions to a guest virtual machine such that each guest virtual function maps to a respective host virtual function executed by a SR-IOV device. The first guest virtual function of the at least two guest virtual functions can be configured to act as a guest physical function. The host hypervisor can receive a request generated by a nested virtual function assigned to a nested virtual machine hosted by the guest virtual machine. In response to receiving the request, the host hypervisor can translate a guest memory address of the guest physical function to a host memory address for the guest physical function. The host hypervisor can forward the request to the guest physical function for fulfillment using the translated host memory address.

Abstract: A system can receive a request, from an application executing in a virtual machine, for registering the application to receive fork notifications. The application can be configured to perform an operation using first data. In response to receiving the request, the system can register the application to receive the fork notifications. Subsequent to registering the application to receive fork notifications, the system can determine that the virtual machine has been forked. In response to determining that the virtual machine has been forked, the system can determine that the application is registered to receive fork notifications. Based on determining that the application is registered to receive fork notifications, the system can transmit a fork notification to the application. The application can be configured to receive the fork notification and responsively obtain second data for use in performing the operation.

Abstract: Systems and methods for networking overhead reduction for encrypted virtual machines are disclosed. A method may include receiving, by a virtual machine running on a host computer system, a request to send a data packet to a specified recipient via a network; identifying a network connection to the specified recipient; determining whether the identified network connection is associated with an encryption option indicating data encryption; responsive to determining that the identified network connection is associated with the encryption option, storing the data packet in a shared memory buffer of the host computer system; and notifying an input/output (I/O) device driver of an address of the shared memory buffer.

Abstract: Systems and methods for efficient peripheral device software request queue shadowing for virtual machines can include creating a virtual machine and assigning a peripheral device to it. They can also include assigning, to the peripheral device, a first process address space identifier (PASID) associated with a shadow memory buffer and a second PASID associated with a device data buffer. They can further include causing a host input/output memory management unit (IOMMU) to identify a software request in the shadow memory buffer, and fetching, from the shadow memory buffer, the software request and a guest memory address of data requested to be accessed. They can also include, causing the host IOMMU to identify the data in the device data buffer, and transmitting the data, from the guest memory, to the peripheral device.

Abstract: Disclosed herein is technology to efficiently test versions. An example method may include: receiving a plurality of versions of one or more code objects, wherein each version of the plurality of versions has at least one ancestor or descendent version among the plurality of versions; determining a first number of versions in a testing round; selecting, from the plurality of versions, a first set of versions satisfying a weight-based criterion, wherein a number of the first set of versions equals the first number; testing the first set of versions; and updating the plurality of versions based on a result of testing the first set of versions.

Abstract: A method includes receiving, by a hypervisor executing on a computing system, a request to associate an input/output (I/O) device with a virtual machine running on the computing system. The I/O device corresponds to a physical device attached to a first peripheral bus of a first bus type. The method further includes determining whether the I/O device is a trusted I/O device. The method further includes, in response to determining that the I/O device is not a trusted I/O device, exposing the I/O device to the virtual machine via a first virtual bus of a second bus type. Exposing the I/O device to the virtual machine via the first virtual bus causes the virtual machine to initiate a first security protocol associated with the first virtual bus.

Abstract: Systems and methods for memory management for guests. An example method may include running, by a host computer system, a host component managing a guest in communication with a peripheral device, wherein the peripheral device comprises an input/output memory management unit (IOMMU). The method may further include appending, to a page table of the IOMMU, a plurality of records referencing present memory pages associated with a task running on the guest and appending, to the page table of the IOMMU, a plurality of records referencing read-only memory pages associated with the task, wherein the read-only memory pages are indicated as read-only in the page table.

Abstract: An authentication code for an authentication process such as multifactor authentication can be automatically inputted according to some examples described herein. In one example, a computing device can execute an authenticator application to generate an authentication code for use during an authentication process associated with a user logging into an account. The computing device can establish a connection with a target device that is separate from the computing device. The target device may be configured to display a graphical user interface that includes an input box into which the user is to manually type the authentication code as part of the authentication process. The computing device can transmit the authentication code to the target device via the connection. The target device can be configured to receive the authentication code and automatically enter the authentication code into the input box on behalf of the user.

Abstract: Technology for enabling a kernel to perform data deduplication on encrypted storage of a container. An example method may involve: enabling, by a kernel, a guest program of a container to access a first storage block of a first container and a second storage block of a second container; receiving, by the kernel from the guest program, an indication that the first storage block and the second storage block are duplicate storage blocks; and updating the first storage block or the second storage block to cause the duplicate storage blocks to reference a common storage location.

Abstract: Systems and methods for providing memory over-commit support for live migration of virtual machines (VMs). In one implementation, a processing device of a source host computer system may identify a host page cache associated with a VM undergoing live migration from the source to a destination host computer system. The host page cache comprises a first plurality of memory pages associated with the VM. The processing device may transmit, from the source to the destination, at least a part of the host page cache. The processing device may discard the part of the host page cache. The processing device may read into the host page cache one or more memory pages of a second plurality of memory pages associated with the VM. The processing device may transmit, from the source to the destination, the one or more memory pages stored by the host page cache.

Abstract: Systems and methods for storage snapshots for nested virtual machines. An example method may comprise running, by a host computer system, a hypervisor managing a first virtual machine associated with a first virtual device. Responsive to creating a second virtual machine by the hypervisor, requesting, by the first virtual machine, a first snapshot of the first virtual device. The hypervisor generates the first snapshot of the first virtual device and forwards the first snapshot of the first virtual device to the second virtual machine.

Abstract: A system includes a hypervisor, a memory, and boot firmware stored in the memory. The boot firmware is configured to execute on a processor to load a trusted code that includes a condition checker from the hypervisor, check a signature of the trusted code, and verify the signature is trusted by a guest. The boot firmware is also configured to load the trusted code into an encrypted memory at a known guest address. The hypervisor is configured to protect the known guest address. The trusted code includes a first instruction, one or more intermediate instructions, and a final instruction. The first instruction and the final instruction are exits to the hypervisor. The hypervisor is also configured to execute the condition checker and detect an inconsistency in guest memory.

Abstract: A system includes a host with a memory, a processor, a supervisor, and a device with access to DMAs. The system also includes a guest with access to GMAs and configured to initialize a first driver for the device. The supervisor is configured to map GMAs to a first subset of DMAs, map SMAs to a second subset of DMAs, which are located in a reserved range of addresses, and to initialize a second driver for the device with access to the SMAs. The device is configured to communicate with the guest and the supervisor via the first subset of DMAs and the SMAs respectively. The supervisor is configured to intercept a request from the first driver and validate that memory addresses associated with the request are outside of the reserved range. The supervisor is also configured to send the request to the device via the second driver.

Abstract: Memory pages can be migrated between non-uniform memory access (NUMA) nodes based on entries in a page modification log according to some examples described herein. In one example, a physical processor can detect a request from a virtual machine to access a memory page. The physical processor can then update a page modification log to include an entry indicating the request. A hypervisor supporting the virtual machine can be configured to detect the request based on the entry in the page modification log and, in response to detecting the request, migrate the memory page from a second NUMA node to a destination NUMA node.

Abstract: An input/output memory management unit (IOMMU) can assign input/output virtual addresses (IOVA) using a predetermined randomness algorithm according to some examples. For instance, the IOMMU can determine an input/output virtual address (IOVA) using the pre-defined randomness algorithm. Then, the IOMMU can store, in a translation table, an entry which maps the IOVA to a physical memory address of a storage device. Subsequent to storing the entry in the translation table the IOMMU can receive a request from an input/output (IO) device, where the request is to access data at the IOVA. In response to receiving the request, the IOMMU can identify the physical memory address that is mapped to the IOVA in the entry. The IOMMU can then allow the IO device to access the data at the physical memory address.

Abstract: A computing device can receive, from a version control system, a first set of pre-computed checksums for source files for a software program. The computing device can receive, from the version control system, a second set of pre-computed checksums for a second set of source files for the software program. The computing device can determine a first total checksum by combining the first set of pre-computed checksums. The computing device can also determine a second total checksum by combining the first set of pre-computed checksums. The computing device can determine, by comparing the first total checksum to the second total checksum, that the first set of source files was previously built by the build engine. The computing device can then prevent the build engine from re-building the first set of source files.

Abstract: An example method may include determining whether a preemption flag associated with a first input/output (I/O) handling thread is equal to a first value indicating that preemption of the first I/O queue handling thread is forthcoming, wherein the first I/O queue handling thread is executing on a first processor, the first I/O queue handling thread is associated with a first set of one or more queue identifiers, and each queue identifier identifies a queue being handled by the first I/O queue handling thread, and, responsive to determining that the preemption flag is equal to the first value, transferring the first set of one or more queue identifiers to a second I/O queue handling thread executing on a second processor. Transferring the first set of queue identifiers may include removing the one or more queue identifiers from the first set.

Abstract: A system includes a memory including a ring buffer having a plurality of slots, a processor in communication with the memory, a guest operating system, and a hypervisor. The hypervisor is configured to detect a request associated with a memory entry, retrieve up to a predetermined quantity of memory entries in the ring buffer from an original slot to an end slot, and test a respective descriptor of each successive slot from the original slot through the end slot while the respective descriptor of each successive slot in the ring buffer remains unchanged. Additionally, the hypervisor is configured to execute the request associated with the memory entries and respective valid descriptors. The hypervisor is also configured to walk the ring buffer backwards from the end slot to the original slot while clearing the valid descriptors.