Abstract: An example method of authenticating software executing in a computer system includes verifying first software executing on the computer system, the software including a hypervisor, verifying second software executing in a virtual machine (VM) managed by the hypervisor, generating a binding key having public and private portions, signing an object to identifies the VM using the private portion of the binding key, and verifying a signature of the object using a public portion of the binding key.

Abstract: A hypervisor exchange, e.g., an upgrade, can include consolidating resident virtual machines into a single host virtual machine, exchanging an old hypervisor with a new (upgraded) hypervisor, and disassociating the virtual resident virtual machines by migrating them to the new hypervisor. The consolidating can involve migrating the resident virtual machines from the old hypervisor to a guest hypervisor on the host virtual machine. The exchange can involve: 1) suspending the host virtual machine before the exchange; and 2) resuming the host virtual machine after the exchange; or migrating the host virtual machine from a partition including the old hypervisor to a partition hosting the new hypervisor. Either way, an exchange (upgrade) is achieve without requiring a bandwidth consuming migration over a network to a standby machine.

Abstract: The approaches described herein implement synchronous execution of a user space operation from a kernel context. A thread, executing on a computing device, initializes a second kernel stack based on a first kernel stack. The computing device executes an operating system having a user space and a kernel space. The thread, executing in kernel space, performs a non-blocking call (e.g., an upcall) to execute an upcall function in user space. The upcall function may further call other user space functions or system calls. The system calls are performed using the second kernel stack. Upon termination of the upcall function, the thread continues execution on the first kernel stack.

Abstract: A hypervisor exchange, e.g., an upgrade, can include consolidating resident virtual machines into a single host virtual machine, exchanging an old hypervisor with a new (upgraded) hypervisor, and disassociating the virtual resident virtual machines by migrating them to the new hypervisor. The consolidating can involve migrating the resident virtual machines from the old hypervisor to a guest hypervisor on the host virtual machine. The exchange can involve: 1) suspending the host virtual machine before the exchange; and 2) resuming the host virtual machine after the exchange; or migrating the host virtual machine from a partition including the old hypervisor to a partition hosting the new hypervisor. Either way, an exchange (upgrade) is achieve without requiring a bandwidth consuming migration over a network to a standby machine.

Abstract: In a computer-implemented method for automated monitoring certificate expiration, automatically periodically accessing a plurality of computing nodes in a computing system for certificate expiration of a certificate of the plurality of computing nodes. The automatically periodically accessing is provided by a central management tool of the computing system. Automatically determining the certificate of the plurality of computing nodes has an impending certificate expiration by the central management tool of said computing system. In response to the determining, automatically generating an alert, by the central management tool, that indicates the impending certificate expiration of the certificate.

Abstract: A first hypervisor uses a first version of a virtual-memory file system (VMemFS) suspends virtual machines. A second hypervisor uses a instance of the VMemFS, the version of which may be the same or different from the first version. The VMemFS is designed so that an instance of the same or a later version of the VMemFS can read and ingest information in memory written to memory by another instance of the VMemFS. Accordingly, the second hypervisor resumes the virtual machines, effecting an update or other swap of hypervisors with minimal interruption. In other examples, the swapped hypervisors support process containers or simply support virtual memory.

Abstract: Hardware management systems for disaggregated rack architectures in virtual server rack deployments are disclosed herein. An example apparatus to manage disaggregated physical hardware resources in a physical rack includes a hardware management system to discover disaggregated physical hardware resources in the physical rack and generate a listing of the disaggregated physical hardware resources, and a physical resource manager to generate a composed resource based on resources from the listing of the disaggregated physical hardware resources, the hardware management system to manage the composed resource.

Abstract: A computer system is securely booted by executing a boot firmware to locate a boot loader and verify the boot loader using a first key that is associated with the boot firmware. Upon verifying the boot loader, computer system executes the boot loader to verify a system software kernel and a secure boot verifier using a second key that is associated with the boot loader. The secure boot verifier is then executed to verify the remaining executable software modules to be loaded during boot using a third key that is associated with the secure boot verifier and a fourth key that is associated with a user of the computer system.

Abstract: A first hypervisor uses a first version of a virtual-memory file system (VMemFS) suspends virtual machines. A second hypervisor uses a instance of the VMemFS, the version of which may be the same or different from the first version. The VMemFS is designed so that an instance of the same or a later version of the VMemFS can read and ingest information in memory written to memory by another instance of the VMemFS. Accordingly, the second hypervisor resumes the virtual machines, effecting an update or other swap of hypervisors with minimal interruption. In other examples, the swapped hypervisors support process containers or simply support virtual memory.

Abstract: A computer system is rebooted after updating a boot image without running platform firmware with its power-on self-test of system hardware devices and without retrieving all of the modules included in a boot image from an external source and reloading them into system memory. The reboot process includes the steps of loading one or more updated modules of the boot image into the system memory, executing the boot loader module to load for execution modules of the boot image including a system software kernel and the updated modules, and transferring execution control to the system software kernel.

Abstract: In a computer-implemented method for automated provisioning a certificate in a computing system a certificate signing request is accessed from a computing node by a centralized management tool of the computing system. The certificate signing request is provided to a certificate authority by the centralized management tool. A signed certificate is accessed from the certificate authority for the computing node. The signed certificate is provided to the computing node, by the centralized management tool, such that there is automated provisioning of the signed certificate at the computing node to establish trust of the computing node in the computing system.

Abstract: The approaches described herein implement synchronous execution of a user space operation from a kernel context. A thread, executing on a computing device, initializes a second kernel stack based on a first kernel stack. The computing device executes an operating system having a user space and a kernel space. The thread, executing in kernel space, performs a non-blocking call (e.g., an upcall) to execute an upcall function in user space. The upcall function may further call other user space functions or system calls. The system calls are performed using the second kernel stack. Upon termination of the upcall function, the thread continues execution on the first kernel stack.

Abstract: A file descriptor data structure is configured as a hierarchy of tables. File descriptors are stored as entries in tables that are at the bottom of the hierarchy. When a request to add a file descriptor is received and there are no more entries remaining in the file descriptor tables, the file descriptor data structure is extended by obtaining a lock on a variable containing a maximum number of file descriptors, adding the file descriptor to a new file descriptor table, updating entries in existing upper level tables of the hierarchy so that they point to the new file descriptor table, updating the variable containing the maximum number of file descriptors, and releasing the lock.

Abstract: An “old” hypervisor is upgraded to or otherwise replaced by a “new” hypervisor without migrating virtual machines to a standby computer. The old hypervisor partitions the computer that it controls between a source partition and a target partition. The hypervisor and its virtual machines initially run on the source partition, while a new hypervisor is installed on the target partition. The virtual machines are migrated to the new hypervisor without physically moving the in-memory virtual-machine data. Instead, the old hypervisor sends memory pointers, and the new hypervisor claims the respective memory locations storing the virtual-machine data. After all virtual machines are migrated, the old hypervisor bequeaths the hypervisor memory and a last processor that the old hypervisor requires to run. The new hypervisor claims the bequeathed processor and hypervisor memory after the old hypervisor terminates to complete the upgrade/exchange.

Abstract: The approaches described herein implement synchronous execution of a user space operation from a kernel context. A thread, executing on a computing device, initializes a second kernel stack based on a first kernel stack. The computing device executes an operating system having a user space and a kernel space. The thread, executing in kernel space, performs a non-blocking call (e.g., an upcall) to execute an upcall function in user space. The upcall function may further call other user space functions or system calls. The system calls are performed using the second kernel stack. Upon termination of the upcall function, the thread continues execution on the first kernel stack.

Abstract: In a computer-implemented method for automated provisioning a certificate in a computing system a certificate signing request is accessed from a computing node by a centralized management tool of the computing system. The certificate signing request is provided to a certificate authority by the centralized management tool. A signed certificate is accessed from the certificate authority for the computing node. The signed certificate is provided to the computing node, by the centralized management tool, such that there is automated provisioning of the signed certificate at the computing node to establish trust of the computing node in the computing system.

Abstract: A computer system is securely booted by executing a boot firmware to locate a boot loader and verify the boot loader using a first key that is associated with the boot firmware. Upon verifying the boot loader, computer system executes the boot loader to verify a system software kernel and a secure boot verifier using a second key that is associated with the boot loader. The secure boot verifier is then executed to verify the remaining executable software modules to be loaded during boot using a third key that is associated with the secure boot verifier and a fourth key that is associated with a user of the computer system.

Abstract: A computer system is securely booted by executing a boot firmware to locate a boot loader and verify the boot loader using a first key that is associated with the boot firmware. Upon verifying the boot loader, computer system executes the boot loader to verify a system software kernel and a secure boot verifier using a second key that is associated with the boot loader. The secure boot verifier is then executed to verify the remaining executable software modules to be loaded during boot using a third key that is associated with the secure boot verifier.

Abstract: A computer system is rebooted after updating a boot image without running platform firmware with its power-on self-test of system hardware devices and without retrieving all of the modules included in a boot image from an external source and reloading them into system memory. The reboot process includes the steps of loading one or more updated modules of the boot image into the system memory, executing the boot loader module to load for execution modules of the boot image including a system software kernel and the updated modules, and transferring execution control to the system software kernel.

Abstract: A hypervisor-exchange process includes: suspending, by an “old” hypervisor, resident virtual machines; exchanging the old hypervisor for a new hypervisor, and resuming, by the new hypervisor, the resident virtual machines. The suspending can include “in-memory” suspension of the virtual machines until the virtual machines are resumed by the new hypervisor. Thus, there is no need to load the virtual machines from storage prior to the resuming. As a result, any interruption of the virtual machines is minimized. In some embodiments, the resident virtual machines are migrated onto one or more host virtual machines to reduce the number of virtual machines being suspended.