Patents by Inventor Nafea Bshara

Nafea Bshara has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180165455
    Abstract: Disclosed herein are techniques for maintaining a secure execution environment on a server. In one embodiment, the server includes a non-volatile memory storing firmware, a programmable security logic coupled to the non-volatile memory, an adapter device coupled to the programmable security logic, and a processor communicatively coupled to the non-volatile memory via the programmable security logic. The adapter device and/or the programmable security logic can verify the firmware in the non-volatile memory while holding the processor and/or a baseboard management controller (BMC) in power reset, release the processor and the BMC from reset to boot the processor and the BMC after the firmware is verified, and then disable communications between the processor and the BMC and deny at least some requests to write to the non-volatile memory by the processor or the BMC.
    Type: Application
    Filed: December 13, 2016
    Publication date: June 14, 2018
    Inventors: Anthony Nicholas Liguori, Jason Alexander Harland, Matthew Shawn Wilson, Nafea Bshara, Ziv Harel, Darin Lee Frink
  • Patent number: 9984021
    Abstract: Provided are systems and methods for a location-aware, self-configuring peripheral device. In some implementations, the peripheral device may include two or more personalities. In these implementations, a personality enables the peripheral device to provide a service. In some implementations, the peripheral device may be configured to receive a configuration cycle. In some implementations, the peripheral device may further select a personality from among two or more personalities. The peripheral device may use information derived from the configuration cycle to make this selection. Selecting a personality may further include configuring the peripheral device according to the selected personality.
    Type: Grant
    Filed: September 28, 2015
    Date of Patent: May 29, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Christopher James BeSerra, Adi Habusha, Ziv Harel, Nafea Bshara, Hani Ayoub, Darin Lee Frink
  • Patent number: 9985903
    Abstract: Provided are systems and methods for reliable, out-of-order receipt of packets. In some implementations, provided is an apparatus configured to communicate with a network and a host device. The apparatus may receive packets over the network at a receive queue. The packets may originate from a source on the network, and may be received out of order. The apparatus may further, for each received packet, identify a transport context associated with the source and a destination of the packet, and determine whether the packet can be accepted. Upon determining that the packet can be accepted, the apparatus may further identify the one receive queue at which the packet was received, determine a user application to receive the packet, transfer the packet from the one receive queue to a buffer in host memory, and identify an order in which the packet was received with respect to other packets.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: May 29, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Leah Shalev, Brian William Barrett, Nafea Bshara, Georgy Machulsky
  • Patent number: 9985904
    Abstract: Provided are systems and methods for reliable, out-of-order transmission of packets. In some implementations, provided is an apparatus configured to communicate with a network and a host device. The apparatus may receive messages from the host device at a send queue, where each message includes destination information. The apparatus may further determine, using the destination information and an identity of the send queue, a transport context associated with a destination on the network. The apparatus may further, for each message and using the transport context, generate a packet including the message and transmit the packet over the network. The apparatus may further monitor status for each transmitted packet.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: May 29, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Leah Shalev, Brian William Barrett, Nafea Bshara, Georgy Machulsky
  • Publication number: 20180139110
    Abstract: Methods and apparatus are disclosed for programming reconfigurable logic devices such as FPGAs in a networked server environment. In one example, a system hosting a network service providing field programmable gate array (FPGA) services includes a network service provider configured to receive a request to implement application logic in a plurality of FPGAs, allocate a computing instance comprising the FPGAs in response to receiving the request, produce configuration information for programming the FPGAs, and send the configuration information to an allocated computing instance. The system further includes a computing host that is allocated by the network service provider as a computing instance which includes memory, processors configured to execute computer-executable instructions stored in the memory, and the programmed FPGAs.
    Type: Application
    Filed: November 17, 2016
    Publication date: May 17, 2018
    Applicant: Amazon Technologies, Inc.
    Inventors: Robert Michael Johnson, Nafea Bshara, Matthew Shawn Wilson
  • Patent number: 9959214
    Abstract: An emulated input/output memory management unit (IOMMU) includes a management processor to perform page table translation in software. The emulated IOMMU can also include a hardware input/output translation lookaside buffer (IOTLB) to store translations between virtual addresses and physical memory addresses. When a translation from a virtual address to a physical address is not found in the IOTLB for an I/O request, the translation can be generated by the management processor using page tables from a memory and can be stored in the IOTLB. Some embodiments can be used to emulate interrupt translation service for message based interrupts for an interrupt controller.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: May 1, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Adi Habusha, Leah Shalev, Nafea Bshara
  • Patent number: 9960908
    Abstract: A hardware cipher module to cipher a packet. The cipher module includes a key scheduling engine and a ciphering engine. The key scheduling engine is configured to receive a compact key and iteratively generate a set of round keys, including a first round key, based on the compact key and determine, based upon a cipher mode indication and a type of ciphering, whether to generate a key-scheduling-done indication after the first round key is generated and before all of the set of round keys are generated or to generate the key-scheduling-done indication after all of the set of round keys are generated. The ciphering engine is configured to begin to cipher the packet with one of the set of round keys as a result of receiving the key-scheduling-done indication.
    Type: Grant
    Filed: September 29, 2015
    Date of Patent: May 1, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Ron Diamant, Nafea Bshara, Erez Izenberg
  • Patent number: 9940123
    Abstract: Techniques for updating code of a device may be described. In an example, a bus may connect the device to a management entity. The device may run a first version of the code. A second version of the code may be available from memory. The device may access the second version from the memory, stop running the first version of the code, and start running the second version of the code without restarting the management entity or the device.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: April 10, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Hani Ayoub, Nafea Bshara, Matthew Shawn Wilson, Clint Joseph Sbisa, Barak Wasserstrom, Brian William Barrett, Ronen Shitrit, Anthony Nicholas Liguori
  • Publication number: 20180095670
    Abstract: Methods and apparatus are disclosed for securely erasing partitions of reconfigurable logic devices such as FPGAs in a multi-tenant server environment. In one example, a method of securely erasing an FPGA includes identifying one partition of previously-programmed resources in the FPGA, erasing the identified partition by storing new values in memory or storage elements of the identified partition, and storing new values in memory or storage elements of additional external resources electrically connected to the integrated circuit and associated with the identified partition. Thus, other partitions and subsequent users of the identified partition are prevented from accessing the securely erased data. A configuration circuit, accessible by a host computer via DMA, can be programmed into the FPGA reconfigurable logic for performing the disclosed erasing operations.
    Type: Application
    Filed: September 30, 2016
    Publication date: April 5, 2018
    Applicant: Amazon Technologies, Inc.
    Inventors: Mark Bradley Davis, Erez Izenberg, Robert Michael Johnson, Asif Khan, Islam Mohamed Hatem Abdulfattah Mohamed Atta, Nafea Bshara, Christopher Joseph Pettey
  • Publication number: 20180095774
    Abstract: In a multi-tenant environment, separate virtual machines can be used for configuring and operating different subsets of programmable integrated circuits, such as a Field Programmable Gate Array (FPGA). The programmable integrated circuits can communicate directly with each other within a subset, but cannot communicate between subsets. Generally, all of the subsets of programmable ICs are within a same host server computer within the multi-tenant environment, and are sandboxed or otherwise isolated from each other so that multiple customers can share the resources of the host server computer without knowledge or interference with other customers.
    Type: Application
    Filed: September 30, 2016
    Publication date: April 5, 2018
    Applicant: Amazon Technologies, Inc.
    Inventors: Islam Mohamed Hatem Abdulfattah Mohamed Atta, Mark Bradley Davis, Robert Michael Johnson, Christopher Joseph Pettey, Asif Khan, Nafea Bshara
  • Patent number: 9934184
    Abstract: Provided are systems and methods for distributing ordering tasks in a computing system that includes master and target devices. In some implementations, a computing device is provided. The computing device may include a master device that is operable to initiate transactions. The computing device may further include a target device that is operable to receive transactions. In some implementations, the master device may be configured to transmit one or more transactions to the target device. The master device may further asynchronously indicate to the target device a number of transactions to execute. The master device may further asynchronously receive from the target device a number of transactions executed. The master device may then signal that at least one transaction from the one or more transactions it sent has completed.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: April 3, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Guy Nakibly, Adi Habusha, Nafea Bshara, Itai Avron
  • Publication number: 20180089119
    Abstract: The following description is directed to a configurable logic platform. In one example, a configurable logic platform includes host logic and a plurality of reconfigurable logic regions. Each reconfigurable region can include hardware that is configurable to implement an application logic design. The host logic can be used for separately encapsulating each of the reconfigurable logic regions. The host logic can include a plurality of data path functions where each data path function can include a layer for formatting data transfers between a host interface and the application logic of a corresponding reconfigurable logic region. The host interface can be configured to apportion bandwidth of the data transfers generated by the application logic of the respective reconfigurable logic regions.
    Type: Application
    Filed: September 29, 2016
    Publication date: March 29, 2018
    Applicant: Amazon Technologies, Inc.
    Inventors: Asif Khan, Islam Mohamed Hatem Abdulfattah Mohamed Atta, Robert Michael Johnson, Mark Bradley Davis, Christopher Joseph Pettey, Nafea Bshara, Erez Izenberg
  • Publication number: 20180088992
    Abstract: A multi-tenant environment is described with configurable hardware logic (e.g., a Field Programmable Gate Array (FPGA)) positioned on a host server computer. For communicating with the configurable hardware logic, an intermediate host integrated circuit (IC) is positioned between the configurable hardware logic and virtual machines executing on the host server computer. The host IC can include management functionality and mapping functionality to map requests between the configurable hardware logic and the virtual machines. Shared peripherals can be located either on the host IC or the configurable hardware logic. The host IC can apportion resources amongst the different configurable hardware logics to ensure that no one customer can overconsume resources.
    Type: Application
    Filed: September 28, 2016
    Publication date: March 29, 2018
    Applicant: Amazon Technologies, Inc.
    Inventors: Mark Bradley Davis, Asif Khan, Christopher Joseph Pettey, Erez Izenberg, Nafea Bshara
  • Publication number: 20180091484
    Abstract: The following description is directed to a logic repository service. In one example, a method of a logic repository service can include receiving a first request to generate configuration data for configurable hardware using a specification for application logic of the configurable hardware. The method can include generating the configuration data for the configurable hardware. The configuration data can include data for implementing the application logic. The method can include encrypting the configuration data to generate encrypted configuration data. The method can include signing the encrypted configuration data using a private key. The method can include transmitting the signed encrypted configuration data in response to the request.
    Type: Application
    Filed: September 29, 2016
    Publication date: March 29, 2018
    Applicant: Amazon Technologies, Inc.
    Inventors: Islam Mohamed Hatem Abdulfattah Mohamed Atta, Christopher Joseph Pettey, Nafea Bshara, Asif Khan, Mark Bradley Davis, Prateek Tandon
  • Publication number: 20180088804
    Abstract: A peripheral device may implement storage virtualization for non-volatile storage devices connected to the peripheral device. A host system connected to the peripheral device may host one or multiple virtual machines. The peripheral device may implement different virtual interfaces for the virtual machines or the host system that present a storage partition at a non-volatile storage device to the virtual machine or host system for storage. Access requests from the virtual machines or host system are directed to the respective virtual interface at the peripheral device. The peripheral device may perform data encryption or decryption, or may perform throttling of access requests. The peripheral device may generate and send physical access requests to perform the access requests received via the virtual interfaces to the non-volatile storage devices. Completion of the access requests may be indicated to the virtual machines via the virtual interfaces.
    Type: Application
    Filed: September 28, 2016
    Publication date: March 29, 2018
    Applicant: Amazon Technologies, Inc.
    Inventors: Raviprasad Venkatesha Murthy Mummidi, Matthew Shawn Wilson, Anthony Nicholas Liguori, Nafea Bshara, Saar Gross, Jaspal Kohli
  • Publication number: 20180089132
    Abstract: The following description is directed to a configurable logic platform. In one example, a configurable logic platform includes host logic and a reconfigurable logic region. The reconfigurable logic region can include logic blocks that are configurable to implement application logic. The host logic can be used for encapsulating the reconfigurable logic region. The host logic can include a host interface for communicating with a processor. The host logic can include a management function accessible via the host interface. The management function can be adapted to cause the reconfigurable logic region to be configured with the application logic in response to an authorized request from the host interface. The host logic can include a data path function accessible via the host interface. The data path function can include a layer for formatting data transfers between the host interface and the application logic.
    Type: Application
    Filed: September 28, 2016
    Publication date: March 29, 2018
    Applicant: Amazon Technologies, Inc.
    Inventors: Islam Atta, Christopher Joseph Pettey, Asif Khan, Robert Michael Johnson, Mark Bradley Davis, Erez Izenberg, Nafea Bshara, Kypros Constantinides
  • Patent number: 9928207
    Abstract: Provided are systems and methods for generating transactions with a configurable port. In some implementations, a peripheral device is provided. The peripheral device comprises a configurable port. In some implementations, the configurable port may be configured to receive a first transaction. In these implementations, the first transaction may include an address. The address may include a transaction attribute. In some implementations, the configurable port may extract the transaction attribute and a transaction address from the address. The configurable port may further generate a second transaction that includes the transaction attribute and the transaction address. The configurable port may also transmit the second transaction.
    Type: Grant
    Filed: September 29, 2015
    Date of Patent: March 27, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Adi Habusha, Nafea Bshara, Itay Poleg, Erez Izenberg, Guy Nakibly, Matthew Shawn Wilson
  • Patent number: 9916269
    Abstract: A packet header is received from a host and written to a header queue. A direct memory access (DMA) descriptor is received from the host and written to a packet descriptor queue. The DMA descriptor points to packet data in a host memory. The packet data is fetched from host memory and the packet header and the packet data are provided to a network interface.
    Type: Grant
    Filed: April 14, 2016
    Date of Patent: March 13, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Georgy Machulsky, Nafea Bshara, Netanel Israel Belgazal, Evgeny Schmeilin, Said Bshara
  • Patent number: 9836421
    Abstract: An I/O (Input/Output) adapter device can present itself as a network backend driver with an emulated network backend driver interface to a corresponding network frontend driver executing from an operating system running on a host device independent of a virtualization or non-virtualization environment. For each guest operating system executing from its respective virtual machine running on the host device, para-virtualized (PV) frontend drivers can communicate with corresponding PV backend drivers implemented by the I/O adapter device using a corresponding virtual function by utilizing SR-IOV (single root I/O virtualization) functionality.
    Type: Grant
    Filed: November 12, 2015
    Date of Patent: December 5, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Nafea Bshara, Georgy Machulsky, Anthony Nicholas Liguori
  • Patent number: 9819587
    Abstract: Indirect destination determinations for forwarding tunnel network packets may be performed. Tunneling may be initiated for network packets received at a packet processor according to a forwarding route or other prior packet processing stage, such as an access control list stage. A corresponding entry in a tunnel lookup table may be accessed to determine the tunneling to be applied to the network packet, such as Internet Protocol tunneling or Multiprotocol Label Switching tunneling. The corresponding entry may also include a pointer to a next hop address table that stores a next hop address for the tunneled version of the network packet. The tunneled version of the network packet may be forwarded to the next hop address.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: November 14, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Leonard Thomas Tracy, Mark Bradley Davis, Thomas A. Volpe, Kari Ann O'Brien, Nafea Bshara