Patents by Inventor Michael Tsirkin

Michael Tsirkin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230145134
    Abstract: A system includes a memory and a processor. The memory is in communication with the processor and configured to initialize a secure interface configured to provide access to a virtual machine (VM) from a device, where the VM is associated with a level of security. A buffer is allocated and associated with the secure interface, where the level of security of the VM indicates whether the device has access to guest memory of the VM via the buffer. The buffer is then provided to the device. Inputs / outputs (I/Os) are sent between the device and the VM using the secure interface.
    Type: Application
    Filed: January 9, 2023
    Publication date: May 11, 2023
    Inventors: Michael Tsirkin, Sergio Lopez Pascual
  • Publication number: 20230140827
    Abstract: An example method may include: receiving, by a hypervisor, a data packet, identifying a memory location associated with a guest virtual machine and accessible to the guest virtual machine and the hypervisor, wherein a program mapping table comprising one or more mapping table entries is stored at the memory location, each mapping table entry specifying a program selection criterion and a packet processing program. The example method may further include identifying, among the one or more mapping table entries in the program mapping table stored at the memory location, a mapping table entry comprising a particular program selection criterion that is satisfied by the data packet, wherein the identified mapping table entry specifies a first packet processing program, and executing the first packet processing program, wherein the data packet is provided to the first packet processing program as input.
    Type: Application
    Filed: October 28, 2021
    Publication date: May 4, 2023
    Inventors: Michael Tsirkin, Jesper Brouer
  • Publication number: 20230132905
    Abstract: Systems and methods for enabling binary execution by a virtual device. An example method may include creating, by a hypervisor running on a host computer system, a virtual device associated with a virtual machine (VM) managed by the hypervisor; receiving, by the hypervisor, a request to offload a binary file from the VM to the virtual device; determining, by the hypervisor, whether a first measurement associated with the binary file matches a stored second measurement; and responsive to determining that the first measurement matches the second measurement, enabling the virtual device to execute the binary file using the host operating system.
    Type: Application
    Filed: October 28, 2021
    Publication date: May 4, 2023
    Inventors: Jesper Brouer, Michael Tsirkin
  • Publication number: 20230131953
    Abstract: Aspects of the disclosure provide for mechanisms for memory protection of virtual machines in a computer system. A method of the disclosure includes: determining a plurality of host latency times for a plurality of processor power states of a processor of a host computer system; comparing, by a hypervisor executed on the host computer system, each of the host latency times to a target latency time associated with a virtual machine running on the host computer system; mapping the plurality of processor power states to a plurality of host power states in view of the comparison; and providing the host power states to the virtual machine.
    Type: Application
    Filed: December 23, 2022
    Publication date: April 27, 2023
    Inventor: Michael Tsirkin
  • Publication number: 20230127112
    Abstract: Implementations for scheduling a sub-idle thread priority class are described. An example method may include assigning, by a scheduler of a computer system, a sub-idle execution priority class to a processing thread associated with a request queue of an input/output (I/O) device; identifying, by a processing device, a work completion request in the request queue; and responsive to predicting, for a processor of the computer system, an idle time exceeding a threshold idle period, running the processing thread.
    Type: Application
    Filed: December 23, 2022
    Publication date: April 27, 2023
    Inventor: Michael Tsirkin
  • Patent number: 11630683
    Abstract: A system includes an application trusted execution environment (“TEE”) instance and an escrow TEE instance. The escrow TEE instance is hosted along with the application TEE instance and is outside the control of a TEE instance owner. The system also includes a server, which is configured to receive a request to start the application TEE instance. The server is also configured to launch the escrow TEE instance. The escrow TEE instance is validated by the TEE instance owner. Additionally, the escrow TEE instance is configured to obtain a key for the application TEE instance, validate the application TEE instance, and provide the key to the application TEE instance.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: April 18, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Publication number: 20230106455
    Abstract: The technology disclosed herein enables efficient launching of trusted execution environments.
    Type: Application
    Filed: November 30, 2022
    Publication date: April 6, 2023
    Inventors: Michael Hingston McLaughlin Bursell, Michael Tsirkin, Nathaniel McCallum
  • Patent number: 11620411
    Abstract: A system includes a memory, a processor in communication with the memory, and a first TEE instance. The first TEE instance is configured to maintain an encrypted secret, obtain a cryptographic measurement associated with a second TEE instance, validate the cryptographic measurement, and provision the second TEE instance with the encrypted secret. Additionally, the first TEE instance and the second TEE instance are both configured to service at least a first type of request.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: April 4, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11620156
    Abstract: Methods and systems for improved live migration of computing processes with guaranteed maximum downtime are provided. In a first embodiment, a method is provided that includes migrating a computing process between two virtual machines according to a first migration phase. The computing process may continue executing during the first migration phase. A second migration phase may begin, in which execution of the computing process may stop. It may be detected that a duration of the second migration phase exceeds a predetermined period of time, and the second migration phase may be halted such that the computing process continues executing on an original virtual machine. The predetermined period of time can be determined based on a downtime for resuming execution of the computing process and a predicted worst case start time for the computing process.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: April 4, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11620149
    Abstract: Systems and methods for ensuring that data received from a virtual device is random are provided. A processing device may be used to generate, by a virtual device executing on a hypervisor, data intended for a virtual machine (VM) having a guest memory that includes one or more encrypted pages and one or more unencrypted pages. Data written to an encrypted page of the guest memory by the VM is encrypted using an encryption key assigned to the VM and information read from the encrypted page by the VM is decrypted using the encryption key. The hypervisor may write the data to the encrypted page, wherein the data is not encrypted by the encryption key assigned to the VM because it is written by the hypervisor. The VM reads the data from the encrypted page as randomized data because it cannot be properly decrypted by the encryption key.
    Type: Grant
    Filed: June 25, 2020
    Date of Patent: April 4, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Karen Lee Noel
  • Publication number: 20230099170
    Abstract: An example system includes a memory, a processor in communication with the memory, and a supervisor. The supervisor is configured to allocate a memory space in the memory to a workload executing on the processor. The supervisor is configured to store data written by the workload as dirty memory in the memory space at least until the data is written back to a data storage. Based on a type of the workload being a first type, the supervisor is configured to trigger write back of at least a portion of the dirty memory into the data storage in response to the dirty memory exceeding a threshold level. Based on the type of the workload being a second type, the supervisor is configured to delay write back of the dirty memory into the data storage in response to the dirty memory exceeding the threshold level.
    Type: Application
    Filed: September 28, 2021
    Publication date: March 30, 2023
    Inventors: Michael Tsirkin, Andrea Arcangeli, Giuseppe Scrivano
  • Patent number: 11614956
    Abstract: A method includes receiving a request to migrate a virtual machine executing on a source host computer system to a first destination host computer system. The method further includes receiving, from the virtual machine executing on the source host computer system, an encryption key specific to the virtual machine. One or more memory pages associated with the virtual machine are encrypted using the encryption key specific to the virtual machine. The method further includes causing the one or more memory pages associated with the virtual machine to be copied to the first destination host computer system.
    Type: Grant
    Filed: December 6, 2019
    Date of Patent: March 28, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Andrea Arcangeli
  • Patent number: 11614973
    Abstract: In one implementation, a method of sharing a physical device between multiple virtual machines is provided. The method includes receiving, from a first virtual machine, a request to access a physical device of a computing device. The method also includes assigning, by a processing device, the physical device to the first virtual machine in view of power state information associated with the physical device of the computing device, wherein the power state information is received from one or more other virtual machines of the computing device.
    Type: Grant
    Filed: January 22, 2021
    Date of Patent: March 28, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11604671
    Abstract: A method includes receiving, by a virtual machine running on a computing system, a public cryptographic key associated with a peripheral device of the computing system. The method further includes, responsive to validating the public cryptographic key, encrypting a cryptographic nonce value with the public cryptographic key. The cryptographic nonce value encrypted with the public cryptographic key is transmitted to the peripheral device. The method further includes using a shared cryptographic key generated from the cryptographic nonce value to access contents of a direct memory access (DMA) buffer utilized by the peripheral device.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: March 14, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11604673
    Abstract: Systems and methods for encryption support for virtual machines. An example method may comprise initializing, by a firmware module associated with a virtual machine running on a host computer system, an exclusion range register associated with the virtual machine with a value specifying a first portion of guest memory, wherein the first portion of the guest memory comprises an exclusion range marked as reserved; encrypting, by the firmware using an ephemeral encryption key, a second portion of the guest memory; booting, by a hypervisor of the host computer system, the virtual machine; and responsive to intercepting, by the hypervisor, a privileged instruction executed by the virtual machine, performing at least one of: copying data for performing the privileged instruction to the first portion of the guest memory or copying data for performing the privileged instruction from the first portion of the guest memory.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: March 14, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Publication number: 20230070239
    Abstract: Systems and methods for supporting page faults for virtual machine network accelerators. In one implementation, a processing device may receive, at a network accelerator device of a computer system, from a network, a first incoming packet and a second incoming packet. Responsive to receiving a first notification that an attempt to store the first incoming packet at a first buffer of a plurality of buffers associated with the network accelerator device caused a page fault, the processing device may store the first incoming packet at a second buffer and append a first identifier of the first buffer to a faulty buffer data structure. Responsive to receiving a second notification indicating a resolution of the page fault, the processing device may remove the first identifier from the faulty buffer data structure. The processing device may store the second incoming packet at the first buffer.
    Type: Application
    Filed: November 14, 2022
    Publication date: March 9, 2023
    Inventor: Michael Tsirkin
  • Patent number: 11593170
    Abstract: A system includes a memory, at least one processor in communication with the memory, a guest hypervisor, and a host hypervisor executing on the at least one processor. The host hypervisor is configured to receive a request for additional memory, request the additional memory from a paravirtualized memory device, allocate the additional memory to the guest hypervisor, and report a status of the request. The status of the request is either a success status or a failure status.
    Type: Grant
    Filed: March 25, 2020
    Date of Patent: February 28, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, David Hildenbrand
  • Patent number: 11593168
    Abstract: Zero copy message reception for devices is disclosed. For example, a host has a memory, a processor, a supervisor, and a device with access to device memory addresses mapped in a device page table via an IOMMU. An application has access to application memory addresses and is configured to identify a first page of memory addressed by an application memory address to share with the device as a receiving buffer to store data received by the device for the application, where the first page is mapped to a first device memory address in a first device page table entry (PTE). A supervisor is configured to detect that the first application has disconnected from the device, and in response to detecting the application disconnecting, to update the first device PTE to address a second page instead of the first page.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: February 28, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Publication number: 20230057562
    Abstract: An example method may include allocating, on a host computer system, a memory page in a memory of an input/output (I/O) device, mapping the memory page into a memory space of a virtual machine associated with a first virtual processor, creating a first entry in an interrupt mapping table in the memory of the I/O device, where the first entry includes a memory address that is associated with a second virtual processor identifier and further includes an interrupt vector identifier; and creating a second entry in an interrupt injection table of an interrupt injection unit of the host computer system, where the second entry is associated with a memory address that corresponds to a second virtual processor, the second entry includes the interrupt vector identifier, and the second entry is further associated with the second virtual processor identifier.
    Type: Application
    Filed: August 17, 2021
    Publication date: February 23, 2023
    Inventors: Amnon Ilan, Michael Tsirkin
  • Patent number: 11586727
    Abstract: Systems and methods for preventing kernel stalling attacks. An example method may comprise receiving, by a kernel, an address range associated with a data store of an application program; mapping, by the kernel, a portion of random access memory (RAM) to the address range; disabling page fault handling with respect to addresses falling within the address range; and responsive to receiving, from the application program, a memory access request specifying an address outside of the address range, returning a memory access error to the application program.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: February 21, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin