Abstract: Systems, methods, and apparatuses for managing memory usage in virtualized computing environments are provided herein. An example method includes generating a random key, associating the key with a page or range of pages in a memory, and selectively deduplicating pages based upon the key associated with each respective page.

Abstract: Systems and methods for zero-copy forwarding for network function virtualization (NFV). An example method comprises: receiving, by a supervisor of a host computer system, a definition of a packet filter originated by a virtual execution environment running on the host computer system; responsive to validating the packet filter, associating the packet filter with a vNIC of the virtual execution environment; receiving, by the supervisor, a network packet originated by the vNIC; and responsive to matching the network packet to a network connection specified by the packet filter, causing the packet filter to forward the network packet via the network connection.

Abstract: Systems and methods for enhancing efficient memory swap for virtual machines. An example method may comprise: receiving, by a hypervisor running on a host computer system, a request, from a virtual machine managed by the hypervisor, to write to a virtual disk a content of a memory page identified by a guest physical address (GPA); detecting, by the hypervisor, that the content of the memory page is stored on a storage device; storing, on the virtual disk, an identifier of a location of the content of the memory page on the storage device; and un-mapping the GPA from the storage device.

Abstract: An example system includes a memory, a processor in communication with the memory, and a hypervisor. The hypervisor is configured to store, as dirty memory, data from a virtual machine (VM) at least until the data is written back into a data storage. The hypervisor is also configured to assign a persistence setting for managing write back of the dirty memory of the VM into the data storage. The hypervisor is also configured to periodically trigger writing at least a portion of the dirty memory of the VM into the data storage based on the persistence setting being a first setting. The hypervisor is also configured to disable periodic triggering, by the hypervisor, of the writing of the dirty memory of the VM into the data storage based on the persistence setting being a second setting.

Abstract: The technology disclosed herein enables efficient launching of trusted execution environments.

Abstract: An authentication code for an authentication process such as multifactor authentication can be automatically inputted according to some examples described herein. In one example, a computing device can execute an authenticator application to generate an authentication code for use during an authentication process associated with a user logging into an account. The computing device can establish a connection with a target device that is separate from the computing device. The target device may be configured to display a graphical user interface that includes an input box into which the user is to manually type the authentication code as part of the authentication process. The computing device can transmit the authentication code to the target device via the connection. The target device can be configured to receive the authentication code and automatically enter the authentication code into the input box on behalf of the user.

Abstract: Systems and methods for duplication avoidance are disclosed. In one implementation, a VM can receive a request to perform a file access operation with respect to a file and determine a hash value corresponding to a content of the file. The VM can search the file identified by the hash value in in a host file system. Responsive to failing to find the hash value in the host file system, the VM can search the hash value in a guest file system of the VM and responsive to finding the file identified by the hash value in the guest file system, can perform the file access operation with respect to the file.

Abstract: Safe critical section operations for virtual machines with virtual central processing unit overcommit are provided by: in response to identifying a preempting task to run on a first physical central processing unit (PCPU) from a second PCPU, setting a status of a flag in a virtual memory used by a first virtual central processing unit (VCPU) running on the first PCPU to indicate that the preempting task will interrupt the first VCPU; in response to initiating execution of a read-side critical section operation scheduled by the first VCPU to run on the first PCPU, checking the status of the flag in the virtual memory; and in response to the status of the flag being positive: exiting the first VCPU to a hypervisor; executing, by the hypervisor, the preempting task on the first PCPU; and after completing the preempting task, continuing execution of the read-side critical section operation.

Abstract: Systems and methods for virtual machine networking can include creating, by a hypervisor running on a host computer system, a first virtual machine (VM) using a first set of computing resources, where the first set of computing resources includes a portion of a second set of computing resources allocated to a second VM managed by the hypervisor. They can further include assigning a first vNIC (virtual Network Interface Controller) to the first VM and setting up a second vNIC to receive data packets transmitted by the first vNIC. Additionally, they can include associating the second vNIC with an identifier of the first VM and assigning the second vNIC to the second VM.

Abstract: An example method may include booting, by a host computer system, an operating system (OS) kernel; locking, by a security service running on the host computer system, a plurality of physical pages in a memory of the host computer system, wherein the plurality of physical pages is designated for use by the OS kernel, wherein the plurality of physical pages, upon locking, are unmodifiable by the OS kernel, and wherein the security service is associated with a privilege level higher than a privilege level of the OS kernel; performing, by the security service, a cryptographic measurement on the plurality of the physical pages; and generating, by the host computer system, a measurement report based on the cryptographic measurement.

Abstract: A system includes a physical host, a host operating system, and a virtual machine having a virtual network-interface controller. The virtual network-interface controller comprises an uplink, a virtual function, and a physical function having a physical channel and a virtual channel. The hypervisor is configured to receive data that originates at the virtual function, which is forwarded to the physical function on the physical channel of the physical function. The data is further forwarded from the physical function to the uplink. Additionally, the hypervisor is configured to send data that does not originate at the virtual function. The hypervisor sends the data on the virtual channel of the physical function and the physical function forwards the data to the virtual function.

Abstract: Page table entries for a maximum number of virtual functions configurable by a physical function of a single root input-output virtualization (SR-IOV) device can be pre-allocated to provide access for nested virtual machines and containers. For example, a computing device can allocate, by an input-output memory management unit (IOMMU), a page table comprising page table entries to a physical function executed by an SR-IOV device. The number of page table entries can be the maximum number of virtual functions that are configurable by the physical function. A virtual IOMMU executing in a virtual machine deployed by the computing device can map a virtual page table comprising virtual page table entries to the page table comprising page table entries. The virtual machine can assign a virtual function using a virtual page table entry. The virtual page table entry can include a function number and a virtual memory address.

Abstract: A method includes receiving a message at a network bridge from a computer system where the network bridge stores a forwarding table. The method also includes determining a type of the message. The method also includes upon a determination that the type of message is a network notification message, determining whether data within the message corresponds to an entry within the forwarding table. The method also includes upon determining that the data within the message corresponds to the entry within the forwarding table, halting a transmission of the message. The method also includes upon determining that the data within the message does not correspond to the entry in the forwarding table, transmitting the message to a device in communication with the network bridge.

Abstract: A system includes a memory, at least one physical processor in communication with the memory, and a plurality of threads executing on the at least one physical processor. A first thread of the plurality of threads is configured to execute a plurality of instructions that includes a restartable sequence. Responsive to a different second thread in communication with the first thread being pre-empted while the first thread is executing the restartable sequence, the first thread is configured to restart the restartable sequence prior to reaching a memory barrier.

Abstract: Embodiments of the present disclosure relate to determining modification bounds that identify portions of a packet that are safe to modify so that modified portions of the packet may be flushed from a cache to a memory of a network interface card (NIC) of a host system when the entire packet is synchronized from the NIC. A modification bound of the filter may be determined, and a network packet may be received from the NIC. In response to determining that the network packet is to be modified, a portion of the network packet that is safe to modify may be identified based on the modification bound of the filter and modifications may be made thereto. The modified portion of the network packet may be synchronized to the NIC.

Abstract: An input/output memory management unit (IOMMU) can assign input/output virtual addresses (IOVA) using a predetermined randomness algorithm according to some examples. For instance, the IOMMU can determine an input/output virtual address (IOVA) using the pre-defined randomness algorithm. Then, the IOMMU can store, in a translation table, an entry which maps the IOVA to a physical memory address of a storage device. Subsequent to storing the entry in the translation table the IOMMU can receive a request from an input/output (IO) device, where the request is to access data at the IOVA. In response to receiving the request, the IOMMU can identify the physical memory address that is mapped to the IOVA in the entry. The IOMMU can then allow the IO device to access the data at the physical memory address.

Abstract: Systems and methods of the disclosure include: identifying, by a destination host computer system, a first memory page residing in a memory of the destination host computer system; transmitting, by the destination host computer system, at least a part of the first memory page to a source host computer system; receiving, by the destination host computer system, a confirmation from the source host computer system that the first memory page matches a second memory page associated with a virtual machine to be migrated from the source host computer system to the destination host computer system; and associating, by the destination host computer system, the first memory page with the virtual machine.

Abstract: Page table entries for a maximum number of virtual functions configurable by a physical function of a single root input-output virtualization (SR-IOV) device can be pre-allocated to provide access for nested virtual machines and containers. For example, a computing device can allocate, by an input-output memory management unit (IOMMU), a page table comprising page table entries to a physical function executed by an SR-IOV device. The number of page table entries can be the maximum number of virtual functions that are configurable by the physical function. A virtual IOMMU executing in a virtual machine deployed by the computing device can map a virtual page table comprising virtual page table entries to the page table comprising page table entries. The virtual machine can assign a virtual function using a virtual page table entry. The virtual page table entry can include a function number and a virtual memory address.

Abstract: Aspects of the disclosure provide for mechanisms providing a captive portal to manage a driver application for a peripheral device. Systems and methods of the disclosure include: providing, by a client device, a first request for a connection with a peripheral device over a wireless network provided by the peripheral device; receiving a message granting the connection to the wireless network; providing a second request to access a first web page at an address; receiving a second web page associated with a driver application for the peripheral device instead of the first web page; and launching the driver application by using a first link that facilitates an installation of the driver application and a second link that launches the driver application.

Abstract: Systems, methods, and apparatuses for reducing context switches in a virtualized computing environment are provided herein. An example method comprises executing a supervisor, executing a first virtual machine on the supervisor, detecting a first exit from the first virtual machine, responsive to detecting the first exit, loading a userspace context without loading a supervisor context, executing a second virtual machine on the supervisor, detecting a second exit from the second virtual machine, and responsive to detecting the second exit, loading the supervisor context.