Abstract: Technologies include an interface processor configured to be communicatively coupled to a memory and a first processor. The interface processor is to obtain, from a first module compiled from a first software language, first data having a first native type of the first software language. The interface processor is further to convert the first data into second data having a first interface type, convert the second data having the first interface type into third data having a second native type of a second software language, and provide the third data to a second module associated with the second software language. The first software language may be compiled to WebAssembly binary code. The second software language may also be compiled to WebAssembly binary code and may be different than the first software language.

Abstract: Systems and methods for code generation for a plurality of architectures. At a host architecture, a JIT compile operation is performed for a received JavaScript or Web Assembly file. The JIT compiler references a host library that has been updated to include at least one new JIT instruction. Output from the JIT compile operation is compiled machine code for the host architecture that has new opcodes (OPX) added, responsive to the new JIT instruction. The JIT compiler executes the opcodes (OPX) in XuCode mode, meaning that the host architecture switches into a hardware protected private ISA (Instruction Set Architecture) called XuCode to implement the new JIT opcode instruction in XuCode.

Abstract: Methods and apparatus to implement always-on context sensor hubs for processing multiple different types of data inputs are disclosed. An examples apparatus includes a first processor core to implement a host controller, and a second processor core to implement an offload engine. The host controller includes first logic to process sensor data associated with an electronic device when the electronic device is in a low power mode. The host controller is to offload a computational task associated with the sensor data to the offload engine. The offload engine includes second logic to execute the computational task.

Abstract: Various embodiments are generally directed to techniques for supporting the distributed execution of a task routine among multiple secure controllers incorporated into multiple computing devices. An apparatus includes a first processor component and first secure controller of a first computing device, where the first secure controller includes: a selection component to select the first secure controller or a second secure controller of a second computing device to compile a task routine based on a comparison of required resources to compile the task routine and available resources of the first secure controller; and a compiling component to compile the task routine into a first version of compiled routine for execution within the first secure controller by the first processor component and a second version for execution within the second secure controller by a second processor component in response to selection of the first secure controller. Other embodiments are described and claimed.

Abstract: Systems, apparatuses and methods may provide technology for managing a runtime computing environment having tiered object memory placement that assigns a hotness score to an object having an object type based on an invocation count of objects referenced by a hot method, allocates a newly-created object to one of a hot object heap, said hot object heap assigned to store hot objects in a first memory tier, or a cold object heap, said cold object heap assigned to store cold objects in a second memory tier, based on the hotness score associated with the object type for the newly-created object, and migrates a plurality of objects between the hot object heap and the cold object heap based on a hotness score associated with each object. The technology may also operate the object migration in an execution thread independent of an execution thread for the object allocation.

Abstract: Various embodiments are generally directed to techniques for supporting the distributed execution of a task routine among multiple secure controllers incorporated into multiple computing devices. An apparatus includes a first processor component and first secure controller of a first computing device, where the first secure controller includes: a selection component to select the first secure controller or a second secure controller of a second computing device to compile a task routine based on a comparison of required resources to compile the task routine and available resources of the first secure controller; and a compiling component to compile the task routine into a first version of compiled routine for execution within the first secure controller by the first processor component and a second version for execution within the second secure controller by a second processor component in response to selection of the first secure controller. Other embodiments are described and claimed.

Abstract: Various embodiments are generally directed to an apparatus, system, and other techniques for executing program code, such as managed runtime language, entirely in a hardware trusted execution environment (TEE) while enforcing and abiding by security requirements. Components in the TEE may receive the program, which may include metadata, perform analysis on the metadata, determine whether any API should be disabled from accessing untrusted resources, and execute an exception if the API attempts to access an untrusted resource. One or more security domains may be used in the TEE along with respective protection keys to enhance and maintain security.

Abstract: Technologies for untrusted code execution include a computing device having a processor with sandbox support. The computing device executes code included in a native domain in a non-privileged, native processor mode. The computing device may invoke a sandbox jump processor instruction during execution of the code in the native domain to enter a sandbox domain. The computing device executes code in the sandbox domain in a non-privileged, sandbox processor mode in response to invoking the sandbox jump instruction. While executing in the sandbox processor mode, the processor denies access to memory outside of the sandbox domain and may deny execution of one or more prohibited instructions. From the sandbox domain, the computing device may execute a sandbox exit instruction to exit the sandbox domain and resume execution in the native domain. The computing device may execute processor instructions to configure the sandbox domain. Other embodiments are described and claimed.

Abstract: A method and apparatus for cooperative scheduling of virtual machines. An exemplary method includes maintaining a CPU mask by a virtual machine manager, wherein the CPU mask comprises a real-time availability of each of a plurality of physical CPUs (PCPUs). A virtual machine (VM) is allowed to read the CPU mask.

Abstract: Embodiments of systems, apparatuses and methods provide enhanced function as a service (FaaS) to users, e.g., computer developers and cloud service providers (CSPs). A computing system configured to provide such enhanced FaaS service include one or more controls architectural subsystems, software and orchestration subsystems, network and storage subsystems, and security subsystems. The computing system executes functions in response to events triggered by the users in an execution environment provided by the architectural subsystems, which represent an abstraction of execution management and shield the users from the burden of managing the execution. The software and orchestration subsystems allocate computing resources for the function execution by intelligently spinning up and down containers for function code with decreased instantiation latency and increased execution scalability while maintaining secured execution.

Abstract: Methods and apparatus to implement always-on context sensor hubs for processing multiple different types of data inputs are disclosed. An examples apparatus includes a first processor core to implement a host controller, and a second processor core to implement an offload engine. The host controller includes first logic to process sensor data associated with an electronic device when the electronic device is in a low power mode. The host controller is to offload a computational task associated with the sensor data to the offload engine. The offload engine includes second logic to execute the computational task.

Abstract: A virtual machine migration controller may perform the live migration of a plurality of virtual machines from a first physical host system to a second physical host system. The virtual machine migration controller may determine a memory page dirty rate for each of a plurality of virtual machines. The virtual machine migration controller may additionally identify virtual machines that share memory pages and/or map to different memory pages having, at least in part, identical data or information. The virtual machine migration controller may group virtual machines demonstrating commonality among mapped memory pages. The virtual machine migration controller may determine a projected migration time based on the dirtying rate, the commonality of memory pages, and the available bandwidth. The virtual machine migration controller orders and transfers virtual machine groups based on the projected migration time.

Abstract: Technologies for untrusted code execution include a computing device having a processor with sandbox support. The computing device executes code included in a native domain in a non-privileged, native processor mode. The computing device may invoke a sandbox jump processor instruction during execution of the code in the native domain to enter a sandbox domain. The computing device executes code in the sandbox domain in a non-privileged, sandbox processor mode in response to invoking the sandbox jump instruction. While executing in the sandbox processor mode, the processor denies access to memory outside of the sandbox domain and may deny execution of one or more prohibited instructions. From the sandbox domain, the computing device may execute a sandbox exit instruction to exit the sandbox domain and resume execution in the native domain. The computing device may execute processor instructions to configure the sandbox domain. Other embodiments are described and claimed.

Abstract: Various systems and methods for virtual CPU consolidation to avoid physical CPU contention between virtual machines are described herein. A processor system that includes multiple physical processors (PCPUs) includes a first virtual machine (VM) that includes multiple first virtual processors (VCPUs); a second VM that includes multiple second VCPUs; and a virtual machine monitor (VMM) to map individual ones of the first VCPUs to run on at least one of, individual PCPUs of a first subset of the PCPUs and individual PCPUs of a set of PCPUs that includes the first subset of the PCPUs and a second subset of the PCPUs, based at least in part upon compute capacity of the first subset of the PCPUs to run the first VCPUs, and to map individual ones of the second VCPUs to run on individual ones of the second subset of the PCPUs.

Abstract: Apparatuses, methods and storage medium associated with installing and executing an application program on an embedded system are described herein. In embodiments, an embedded system may include an application management program and an application execution program to install an application program onto the embedded system. The application management program is to verify metadata associated with the application program, in response to a first request to install the application program on the embedded system; and the application execution program is to verify the application program, in response to a second request, subsequent to the first request, to verify the application program. Other aspects and embodiments may be described and/or claimed.

Abstract: An automated method for distributed and redundant firmware evaluation involves using a first interface that is provided by system firmware of a client device to obtain, at an evaluation server, a first firmware resource table (FRT) from the client device. The evaluation server also uses a second interface that is provided by a component of the client device other than the system firmware to obtain a second FRT from the client device. The evaluation server automatically uses the first and second FRTs to identify a trustworthy FRT among the first and second FRTs. The evaluation server automatically uses the trustworthy FRT to determine whether the client device should be updated. For instance, the evaluation server may automatically use the trustworthy FRT to determine whether firmware in the client device should be updated. Other embodiments are described and claimed.

Abstract: Technologies for configuring a launch enclave include a computing device having a processor with secure enclave support. A trusted execution environment (TEE) of the computing device stores a launch enclave hash in a launch enclave hash table in secure storage and provisions the launch enclave hash to platform firmware at runtime. The TEE may receive the launch enclave hash via trusted I/O. The platform firmware sets a configure enclave launch bit and resets the computing device. On reset, the TEE determines whether the launch enclave hash is allowed for launch. The TEE may evaluate one or more launch configuration policies and may select a launch enclave hash based on the launch configuration policies. If allowed, the platform firmware writes the launch enclave hash to a model-specific register of the processor, and the launch enclave may be loaded and verified with the launch enclave hash. Other embodiments are described and claimed.

Abstract: A microservice infrastructure that securely maintains the currency of computing platform microservices implemented within a process virtual machine is provided. The computing platform microservices maintained by the infrastructure may include protected methods that provide and control access to components of the underlying computing environment. These components may include, for example, storage devices, peripherals, and network interfaces. By providing a software-defined microservice layer between these hardware components and workflows that specify high-level application logic, the embodiments disclosed herein have enhanced flexibility and scalability when compared to conventional technology.

Abstract: A point-of-sale device (“POS”) is described to include a secure transaction tunnel generator (“STG”). The STG may generate secure tunnels between peripherals attached to the POS and remote network resources. The secure tunnel may be generated using a trusted execution environment (“TEE”) of the POS. The STG may be alerted to the need to generate the secure tunnel based on an alert from the peripheral. The STG may execute under a protected environment and may generate two ends of a secure transaction tunnel using the TEE. The STG may also check the peripheral against whitelists and/or blacklists to determine whether the peripheral is allowed or not disallowed to participate in secure transactions. By generating the secure tunnel, the STG may facilitate performance of transactions in such a way that sensitive information is not available to unsecured processes in the POS. Other embodiments may be described and/or claimed.

Abstract: Apparatuses, methods and storage medium associated with installing and executing an application program on an embedded system are described herein. In embodiments, an embedded system may include an application management program and an application execution program to install an application program onto the embedded system. The application management program is to verify metadata associated with the application program, in response to a first request to install the application program on the embedded system; and the application execution program is to verify the application program, in response to a second request, subsequent to the first request, to verify the application program. Other aspects and embodiments may be described and/or claimed.