Patents by Inventor Paolo Bonzini

Paolo Bonzini has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230185599
    Abstract: A processing device of a host machine detects a read access of a memory address by a guest executing on the host machine, and causes a memory page to be provided to the guest responsive to detecting the read access. The memory address is associated with a device slot of a communication bus that is not associated with at least one hardware device, and the memory page has a page table entry, mapped to the memory address, that indicates that the memory page is a read-only memory page for the guest.
    Type: Application
    Filed: February 9, 2023
    Publication date: June 15, 2023
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Patent number: 11586458
    Abstract: A hypervisor identifies a memory address associated with a device slot of a communication bus; determines that the device slot of the communication bus is not associated with any of one or more devices; generates a memory page for the memory address, wherein the memory page comprises a value that indicates that the memory address is not associated with any of the devices; maps, in a page table, a page table entry for the memory page to the memory address, wherein the page table entry indicates that the memory page is read only for a guest operating system (OS) of a virtual machine (VM); and causes the memory page to be provided to the guest OS of the VM in view of a read access of the memory address by the guest OS.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: February 21, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Patent number: 11429412
    Abstract: Systems and methods are disclosed for securing an application running on a guest. An example method includes detecting, by a guest running on a virtual machine, that a set of physical memory pages is allocated to an application. The virtual machine runs on a hypervisor, and the application runs on the guest. During runtime, the guest may send a request to the hypervisor to set the set of physical memory pages to an executable-by-user mode in the hypervisor's page tables.
    Type: Grant
    Filed: February 25, 2016
    Date of Patent: August 30, 2022
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Patent number: 11354047
    Abstract: Aspects of the disclosure provide for mechanisms for memory protection of virtual machines in a computer system. A first host page table and a second host page table are generated by a processing device running a hypervisor in view of a guest page table associated with a virtual machine. The first host page table includes a first mapping corresponding to a privileged page of a guest memory and a second mapping corresponding to an unprivileged page of the guest memory. The second host page table includes a third mapping corresponding to the unprivileged page of the guest memory. The first host page table is associated with the virtual machine. In response to detecting a transition from a first guest mode to a second guest mode by the virtual machine, the virtual machine is associated with the second page table.
    Type: Grant
    Filed: September 14, 2020
    Date of Patent: June 7, 2022
    Assignee: Red Hat, Inc.
    Inventors: David Gilbert, Paolo Bonzini
  • Patent number: 11314522
    Abstract: A hypervisor receives a notification from a guest operating system (OS) of a virtual machine (VM), where the notification indicates a guest OS access of a memory address associated with a device slot of a communication bus, where the device slot is unavailable to the guest OS; maps, in a page table of the hypervisor, a page table entry for a memory configuration space of the device slot to the memory address, where the page table entry indicates that the configuration space is available to the guest OS; identifies an additional device slot associated with the communication bus; and maps, in the page table, an additional page table entry for an additional memory configuration space of the additional device slot to an additional memory address, where the additional page table entry indicates that the additional configuration space is available to the guest OS.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: April 26, 2022
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Patent number: 11249777
    Abstract: According to one example, a method performed by a physical computing system includes, with a hypervisor, detecting that a guest system running on a virtual machine has executed a halt instruction for a virtual processor of the virtual machine. The method further includes, with a physical processor, switching from a context of the virtual machine to a context of the hypervisor. The method further includes re-entering the context of the virtual machine in response to determining that there are no tasks pending for processes outside the context of the virtual machine, the processes being for execution by the physical processor.
    Type: Grant
    Filed: July 10, 2014
    Date of Patent: February 15, 2022
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Patent number: 11221868
    Abstract: Systems and methods for enabling a user space process of a guest operating system to initiate hardware operations in a security-enhanced manner. An example method may comprise: configuring a storage unit to store resource requests of one or more user space processes, wherein the storage unit is accessible to a hypervisor and to a user space process managed by a guest operating system; determining, by a processing device, that the user space process managed by the guest operating system is authorized to store a resource request at the storage unit; and receiving, by the hypervisor, a signal from the user space process, wherein the signal is associated with the storage unit and initiates execution of the resource request.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: January 11, 2022
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Publication number: 20210263745
    Abstract: A hypervisor receives a notification from a guest operating system (OS) of a virtual machine (VM), where the notification indicates a guest OS access of a memory address associated with a device slot of a communication bus, where the device slot is unavailable to the guest OS; maps, in a page table of the hypervisor, a page table entry for a memory configuration space of the device slot to the memory address, where the page table entry indicates that the configuration space is available to the guest OS; identifies an additional device slot associated with the communication bus; and maps, in the page table, an additional page table entry for an additional memory configuration space of the additional device slot to an additional memory address, where the additional page table entry indicates that the additional configuration space is available to the guest OS.
    Type: Application
    Filed: February 26, 2020
    Publication date: August 26, 2021
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Publication number: 20210263760
    Abstract: A hypervisor identifies a memory address associated with a device slot of a communication bus; determines that the device slot of the communication bus is not associated with any of one or more devices; generates a memory page for the memory address, wherein the memory page comprises a value that indicates that the memory address is not associated with any of the devices; maps, in a page table, a page table entry for the memory page to the memory address, wherein the page table entry indicates that the memory page is read only for a guest operating system (OS) of a virtual machine (VM); and causes the memory page to be provided to the guest OS of the VM in view of a read access of the memory address by the guest OS.
    Type: Application
    Filed: February 26, 2020
    Publication date: August 26, 2021
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Patent number: 11074094
    Abstract: In one embodiment, a hypervisor may identify a memory location associated with a user space process operating on a virtual machine and a type of a request to be stored at the memory location by the user space process when the user space process invokes the hypercall. The hypervisor may associate a hypercall parameter with the memory location and the type of the request, the hypercall parameter to be used to determine whether the type of the request associated with the hypercall invoked by the user space process is permitted to be executed. The hypervisor may transmit a notification comprising the hypercall parameter to the user space process to cause the user space process to use the hypercall parameter when invoking the hypercall to indicate to the hypervisor the memory location and type of the request is stored at the memory location.
    Type: Grant
    Filed: August 29, 2018
    Date of Patent: July 27, 2021
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Publication number: 20200409552
    Abstract: Aspects of the disclosure provide for mechanisms for memory protection of virtual machines in a computer system. A first host page table and a second host page table are generated by a processing device running a hypervisor in view of a guest page table associated with a virtual machine. The first host page table includes a first mapping corresponding to a privileged page of a guest memory and a second mapping corresponding to an unprivileged page of the guest memory. The second host page table includes a third mapping corresponding to the unprivileged page of the guest memory. The first host page table is associated with the virtual machine. In response to detecting a transition from a first guest mode to a second guest mode by the virtual machine, the virtual machine is associated with the second page table.
    Type: Application
    Filed: September 14, 2020
    Publication date: December 31, 2020
    Inventors: David Gilbert, Paolo Bonzini
  • Patent number: 10877793
    Abstract: A hypervisor associates a combined register space with a virtual device to be presented to a guest operating system of a virtual machine, the combined register space comprising a default register space and an additional register space. Responsive to detecting an access of the additional register space by the guest operating system of the virtual machine, the hypervisor performs an operation on behalf of the virtual machine, the operation pertaining to the access of the additional register space.
    Type: Grant
    Filed: February 25, 2019
    Date of Patent: December 29, 2020
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael S. Tsirkin, Paolo Bonzini
  • Patent number: 10810137
    Abstract: An operating system (OS) receives a request to allocate a physical memory page to an address space of an application. The OS maintains a data structure that stores references to a plurality of physical memory pages that are available to be allocated, and generates a random index into the data structure, wherein the random index comprises a random number, and wherein the random index corresponds to a first reference for a first physical memory page of the plurality of physical memory pages. The OS selects the first physical memory page of the plurality of memory pages from the data structure using the random index, and maps the first physical memory page to the address space of the application.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: October 20, 2020
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Patent number: 10776020
    Abstract: Aspects of the disclosure provide for mechanisms for memory protection of virtual machines in a computer system. A method of the disclosure includes: obtaining, by a hypervisor, a guest page table associated with a virtual machine, wherein the guest page table comprises a first guest page table entry associated with a privilege flag indicating that a first virtual page of a guest memory of the virtual machine is accessible to unprivileged code; and in view of a determination that the virtual machine is running in a kernel mode, generating a first host page table in view of the guest page table, wherein the first host page table comprises a first host page table entry corresponding to the first guest page table entry, and wherein the first host page table entry is associated with a privilege flag indicating that the first virtual page is not accessible to the unprivileged code.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: September 15, 2020
    Assignee: Red Hat, Inc.
    Inventors: David Gilbert, Paolo Bonzini
  • Patent number: 10725807
    Abstract: A hypervisor configures a page table entry in a host page table to map an address associated with memory-mapped input-output (MMIO) for a virtual device of a guest of the hypervisor to an input/output (I/O) instruction. The address is marked in the page table entry as a hypervisor exit entry, and the page table entry is configured to cause an exit to the hypervisor responsive to the guest attempting to access the address. Responsive to detecting an exit to the hypervisor caused by the guest attempting to access the address, the hypervisor receives the I/O instruction mapped to the address that caused the exit. The hypervisor then executes the I/O instruction on behalf of the guest.
    Type: Grant
    Filed: October 13, 2016
    Date of Patent: July 28, 2020
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Publication number: 20200218563
    Abstract: Systems and methods for enabling a user space process of a guest operating system to initiate hardware operations in a security-enhanced manner. An example method may comprise: configuring a storage unit to store resource requests of one or more user space processes, wherein the storage unit is accessible to a hypervisor and to a user space process managed by a guest operating system; determining, by a processing device, that the user space process managed by the guest operating system is authorized to store a resource request at the storage unit; and receiving, by the hypervisor, a signal from the user space process, wherein the signal is associated with the storage unit and initiates execution of the resource request.
    Type: Application
    Filed: March 19, 2020
    Publication date: July 9, 2020
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Patent number: 10628351
    Abstract: An example method of sharing message-signaled interrupt vectors in multi-processor computer systems comprises: associating an interrupt vector with a first device component, by creating a first interrupt mapping entry of an interrupt mapping table, wherein the first interrupt mapping entry references a first processor and the interrupt vector; associating the interrupt vector with a second device component, by creating a second interrupt mapping entry of the interrupt mapping table, wherein the second interrupt mapping entry references a second processor and the interrupt vector; and creating, in an interrupt descriptor table (IDT) associated with the first processor and the second processor, an interrupt descriptor for the interrupt vector.
    Type: Grant
    Filed: July 6, 2018
    Date of Patent: April 21, 2020
    Assignee: Red Hat Israel, Ltd.
    Inventors: Paolo Bonzini, Michael Tsirkin
  • Patent number: 10630484
    Abstract: Methods, systems, and computer program products are included for loading a code module. A method includes verifying, by a guest, a digital signature of a code module stored in an initial guest memory buffer. The guest copies the verified code module stored at the initial guest memory buffer into a target guest memory buffer and applies, using one or more symbol entries, one or more relocations to the verified code module stored at the target guest memory buffer. The guest sends a request to a hypervisor to set the target guest memory buffer to a write-protect mode. In response to a determination that first content stored in the initial guest memory buffer corresponds to second content stored in the target guest memory buffer, the guest sends a request to the hypervisor to set the target guest memory buffer to an executable mode.
    Type: Grant
    Filed: August 20, 2018
    Date of Patent: April 21, 2020
    Assignee: Red Hat Israel, Ltd.
    Inventors: Paolo Bonzini, Michael Tsirkin
  • Patent number: 10606631
    Abstract: Systems and methods for enabling a user space process of a guest operating system to initiate hardware operations in a security-enhanced manner. An example method may comprise: configuring a storage unit to store one or more resource requests, the storage unit being accessible to a user space process managed by a guest operating system and to a hypervisor; determining, by a processing device, that the user space process managed by the guest operating system is authorized to store a resource request at the storage unit; and transmitting to the hypervisor a signal associated with the storage unit comprising the resource request, the signal being initiated by a hypercall executed by the user space process.
    Type: Grant
    Filed: March 19, 2018
    Date of Patent: March 31, 2020
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Publication number: 20200073689
    Abstract: In one embodiment, a hypervisor may identify a memory location associated with a user space process operating on a virtual machine and a type of a request to be stored at the memory location by the user space process when the user space process invokes the hypercall. The hypervisor may associate a hypercall parameter with the memory location and the type of the request, the hypercall parameter to be used to determine whether the type of the request associated with the hypercall invoked by the user space process is permitted to be executed. The hypervisor may transmit a notification comprising the hypercall parameter to the user space process to cause the user space process to use the hypercall parameter when invoking the hypercall to indicate to the hypervisor the memory location and type of the request is stored at the memory location.
    Type: Application
    Filed: August 29, 2018
    Publication date: March 5, 2020
    Inventors: Michael Tsirkin, Paolo Bonzini
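The empty-slot handling described in 11586458, 20210263760 and 20230185599 is easiest to see with a small simulation. The following is an added example written for this page, not code from the patents, from KVM or from QEMU: a toy hypervisor keeps a host page table for the guest's PCIe ECAM window, and a guest enumerates bus 0 by reading each function's vendor ID. Every read of an unmapped address is a VM exit. The hypervisor backs each empty slot with one shared, read-only page of 0xFF bytes, so the guest reads vendor ID 0xFFFF (the PCI "no device" value) without exiting, while a guest write to that page still exits and is dropped. The ECAM base address, the two present devices and their vendor and device IDs are constructed for the example; the eager and lazy variants correspond to the granted patent and the later application respectively.

```python
"""Simulated hypervisor handling of PCI config-space reads for empty slots."""
from dataclasses import dataclass

PAGE = 4096
ECAM_BASE = 0xE000_0000          # assumed ECAM base address for this simulation
DEVS_PER_BUS, FUNCS_PER_DEV = 32, 8


def ecam_gpa(bus: int, dev: int, fn: int, off: int = 0) -> int:
    """PCIe ECAM layout: each function owns one 4 KiB config page."""
    return ECAM_BASE + (bus << 20) + (dev << 15) + (fn << 12) + off


@dataclass
class HostPTE:
    page: bytearray
    writable: bool


class Hypervisor:
    def __init__(self, devices: dict[tuple[int, int, int], bytearray]):
        self.devices = devices              # present functions -> config space
        self.ept: dict[int, HostPTE] = {}   # guest page number -> host mapping
        self.exits = 0
        # One page of 0xFF shared by every empty slot: any 16-bit read of it
        # yields 0xFFFF, which PCI software treats as "no device present".
        self.absent_page = bytearray(b"\xff" * PAGE)

    def map_absent(self, bus: int, dev: int, fn: int) -> None:
        gpn = ecam_gpa(bus, dev, fn) // PAGE
        self.ept[gpn] = HostPTE(self.absent_page, writable=False)

    def premap_empty_slots(self, bus: int) -> None:
        """Eager variant: map every absent function before the guest probes."""
        for dev in range(DEVS_PER_BUS):
            for fn in range(FUNCS_PER_DEV):
                if (bus, dev, fn) not in self.devices:
                    self.map_absent(bus, dev, fn)

    def _decode(self, gpa: int):
        rel = gpa - ECAM_BASE
        return (rel >> 20) & 0xFF, (rel >> 15) & 0x1F, (rel >> 12) & 0x7, rel & 0xFFF

    def guest_read16(self, gpa: int) -> int:
        pte = self.ept.get(gpa // PAGE)
        if pte is not None:                       # served by the MMU, no exit
            off = gpa % PAGE
            return int.from_bytes(pte.page[off:off + 2], "little")
        self.exits += 1                           # unmapped -> VM exit
        bus, dev, fn, off = self._decode(gpa)
        cfg = self.devices.get((bus, dev, fn))
        if cfg is None:
            # Lazy variant: map the shared page on the first read so that
            # later probes of this slot complete without exiting.
            self.map_absent(bus, dev, fn)
            return 0xFFFF
        return int.from_bytes(cfg[off:off + 2], "little")

    def guest_write16(self, gpa: int, value: int) -> None:
        pte = self.ept.get(gpa // PAGE)
        if pte is not None and pte.writable:
            off = gpa % PAGE
            pte.page[off:off + 2] = value.to_bytes(2, "little")
            return
        self.exits += 1                           # read-only or unmapped -> exit
        bus, dev, fn, off = self._decode(gpa)
        cfg = self.devices.get((bus, dev, fn))
        if cfg is not None:                       # real device: emulate the write
            cfg[off:off + 2] = value.to_bytes(2, "little")
        # A write aimed at an absent function is dropped, as on real PCI.


def enumerate_bus(hv: Hypervisor, bus: int) -> list[tuple[int, int, int]]:
    """Guest-side probe: read the vendor ID of every function on the bus."""
    found = []
    for dev in range(DEVS_PER_BUS):
        for fn in range(FUNCS_PER_DEV):
            if hv.guest_read16(ecam_gpa(bus, dev, fn, 0)) != 0xFFFF:
                found.append((bus, dev, fn))
    return found


def make_devices() -> dict[tuple[int, int, int], bytearray]:
    """Constructed sample: two functions on bus 0 with made-up IDs."""
    def cfg(vendor: int, device: int) -> bytearray:
        b = bytearray(PAGE)
        b[0:2] = vendor.to_bytes(2, "little")
        b[2:4] = device.to_bytes(2, "little")
        return b
    return {(0, 0, 0): cfg(0x1234, 0x0001), (0, 3, 0): cfg(0x1234, 0x0002)}


if __name__ == "__main__":
    hv = Hypervisor(make_devices())
    print(enumerate_bus(hv, 0), "exits on first pass:", hv.exits)
    hv.exits = 0
    print(enumerate_bus(hv, 0), "exits on second pass:", hv.exits)
```

With the lazy variant the first enumeration still exits once per function (256 times on a 32-slot bus), but the second costs only one exit per present device; with the eager variant even the first pass costs only those. The shared page is mapped read-only, so a guest cannot use it to pass data between slots or to the host.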
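The loading sequence in 10630484 (verify in a staging buffer, copy, relocate, write-protect, re-check, then make executable) is a W^X discipline with the hypervisor as the enforcer, and the related 11429412 has the guest ask the hypervisor for the executable mapping. The following is an added example for this page and not the patents' or any project's code: a toy hypervisor tracks host-level permissions per guest buffer and refuses to make a buffer executable while it is still writable, and a guest loader runs the steps in order. The module format, the relocation entries, the symbol table and the code bytes (an x86 `mov eax, imm32; ret` whose immediate is relocated) are constructed; an HMAC with a fixed key stands in for the real public-key signature, which is an assumption of the example, not of the patent.

```python
"""Guest-side code-module loader with hypervisor-enforced W^X (simulation)."""
import hashlib
import hmac
import json
import struct

PAGE_SIZE = 4096
SIGNING_KEY = b"constructed-test-key"   # stand-in for a real signing key


class WxViolation(Exception):
    """Raised by the hypervisor when a request would break W^X."""


def serialize(code: bytes, relocs) -> bytes:
    """Canonical image covered by the signature: code plus relocation table."""
    return json.dumps({"code": code.hex(), "relocs": [list(r) for r in relocs]},
                      sort_keys=True).encode()


def sign(image: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


def build_module(code: bytes, relocs) -> dict:
    """Constructed module: code, (offset, symbol) relocations, signature."""
    return {"code": code, "relocs": list(relocs),
            "sig": sign(serialize(code, relocs))}


class Hypervisor:
    """Host-level permissions per guest buffer: 'rw', 'r' or 'rx'."""

    def __init__(self):
        self.perms: dict[str, str] = {}

    def alloc(self, name: str) -> bytearray:
        self.perms[name] = "rw"
        return bytearray(PAGE_SIZE)

    def write(self, name: str, buf: bytearray, off: int, data: bytes) -> None:
        if self.perms[name] != "rw":
            raise WxViolation(f"write to {self.perms[name]} buffer {name!r}")
        buf[off:off + len(data)] = data

    def set_write_protect(self, name: str) -> None:
        self.perms[name] = "r"

    def set_executable(self, name: str) -> None:
        # W^X: a buffer that is still writable never becomes executable.
        if self.perms[name] != "r":
            raise WxViolation(f"{name!r} must be write-protected before exec")
        self.perms[name] = "rx"


def load_module(hv: Hypervisor, module: dict, symbols: dict) -> bytearray:
    n = len(module["code"])
    staging = hv.alloc("staging")
    hv.write("staging", staging, 0, module["code"])
    # 1. Verify the signature over what is actually in the staging buffer.
    expected_sig = sign(serialize(bytes(staging[:n]), module["relocs"]))
    if not hmac.compare_digest(expected_sig, module["sig"]):
        raise ValueError("module signature does not verify")
    # 2. Copy the verified code to the target buffer.
    target = hv.alloc("target")
    hv.write("target", target, 0, staging[:n])
    # 3. Apply relocations in the target (4-byte absolute addresses).
    for off, sym in module["relocs"]:
        hv.write("target", target, off, struct.pack("<I", symbols[sym]))
    # 4. Ask the hypervisor to write-protect the target.
    hv.set_write_protect("target")
    # 5. Only now compare: the target must equal the verified staging copy
    #    with the same relocations applied. Because the check happens after
    #    write-protection, nothing can change the target between check and use.
    expected = bytearray(staging[:n])
    for off, sym in module["relocs"]:
        expected[off:off + 4] = struct.pack("<I", symbols[sym])
    if bytes(target[:n]) != bytes(expected):
        raise ValueError("target buffer was modified before write-protection")
    # 6. Ask the hypervisor to make the target executable.
    hv.set_executable("target")
    return target


def is_rejected(fn, exc=Exception) -> bool:
    """True if calling fn raises exc (used to show refused operations)."""
    try:
        fn()
    except exc:
        return True
    return False


SYMBOLS = {"kprint": 0xC010_0000}                 # constructed symbol table
SAMPLE_CODE = bytes([0xB8, 0, 0, 0, 0, 0xC3])      # mov eax, imm32 ; ret
SAMPLE_RELOCS = [(1, "kprint")]                   # patch the imm32 at offset 1

if __name__ == "__main__":
    hv = Hypervisor()
    tgt = load_module(hv, build_module(SAMPLE_CODE, SAMPLE_RELOCS), SYMBOLS)
    print(hv.perms["target"], tgt[:6].hex())
```

The order matters: verifying before write-protection would let another guest thread modify the target after the check, and making the buffer executable before write-protection would leave a writable, executable window. The hypervisor's refusal in `set_executable` is what turns the guest's good intentions into an invariant the guest kernel cannot talk itself out of.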
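The two-host-page-table scheme of 11354047, 20200409552 and 10776020 gives the guest's kernel/user boundary a second enforcement point below the guest. The following is an added example written for this page, not the patents' or any hypervisor's code: from a guest page table whose entries carry an "accessible to unprivileged code" flag, a toy hypervisor derives a kernel-mode view holding every page and a user-mode view holding only the unprivileged pages, and switches views when the guest changes mode. The guest's own privilege check is modelled as a separate step that can be disabled to stand in for a guest bug; the host view blocks the access either way. Guest virtual addresses, guest physical pages and their contents are constructed.

```python
"""Per-mode host page tables derived from the guest page table (simulation)."""
from dataclasses import dataclass

KERNEL, USER = "kernel", "user"


@dataclass(frozen=True)
class GuestPTE:
    gpa: int          # guest physical page this virtual page maps to
    user: bool        # guest's flag: accessible to unprivileged code


class GuestFault(Exception):
    """The guest's own page-level privilege check rejected the access."""


class HostFault(Exception):
    """The active host page table has no mapping: the hypervisor rejected it."""


class Hypervisor:
    def __init__(self, guest_pt: dict[int, GuestPTE], memory: dict[int, bytes]):
        self.guest_pt = dict(guest_pt)
        self.memory = memory              # guest physical page -> contents
        self.mode = KERNEL
        self.views: dict[str, dict[int, int]] = {}
        self.rebuild_views()

    def rebuild_views(self) -> None:
        # Kernel view: privileged and unprivileged pages. User view: only the
        # pages the guest marked accessible to unprivileged code.
        self.views[KERNEL] = {gva: p.gpa for gva, p in self.guest_pt.items()}
        self.views[USER] = {gva: p.gpa for gva, p in self.guest_pt.items() if p.user}

    def guest_pt_update(self, gva: int, pte: GuestPTE) -> None:
        """Guest kernel edits its page table; both host views are regenerated."""
        self.guest_pt[gva] = pte
        self.rebuild_views()

    def transition(self, mode: str) -> None:
        """Guest mode change (e.g. syscall entry or return) selects the view."""
        self.mode = mode

    def guest_read(self, gva: int, guest_check: bool = True) -> bytes:
        pte = self.guest_pt.get(gva)
        if pte is None:
            raise GuestFault(f"no guest mapping for {gva:#x}")
        # The guest's own check; guest_check=False simulates a guest that
        # forgets it (or whose check has been subverted).
        if guest_check and self.mode == USER and not pte.user:
            raise GuestFault(f"user access to privileged page {gva:#x}")
        # Host-level translation through the view active for the current mode.
        try:
            gpa = self.views[self.mode][gva]
        except KeyError:
            raise HostFault(f"{self.mode} view has no mapping for {gva:#x}")
        return self.memory[gpa]


def is_fault(fn, exc) -> bool:
    try:
        fn()
    except exc:
        return True
    return False


def make_guest() -> Hypervisor:
    """Constructed guest: one user page and one kernel page."""
    guest_pt = {
        0x0040_0000: GuestPTE(gpa=0x1000, user=True),    # user code/data
        0xC000_0000: GuestPTE(gpa=0x2000, user=False),   # kernel-only data
    }
    memory = {0x1000: b"user page", 0x2000: b"kernel secret"}
    return Hypervisor(guest_pt, memory)


if __name__ == "__main__":
    hv = make_guest()
    hv.transition(USER)
    print(hv.guest_read(0x0040_0000))
    print("host blocks buggy guest:",
          is_fault(lambda: hv.guest_read(0xC000_0000, guest_check=False), HostFault))
```

Because the user-mode view simply lacks the privileged mappings, a user-mode access to kernel memory fails at the second-level translation no matter what the guest's page walk concludes. The guest kernel keeps control of policy (editing its page table regenerates both views), but user code cannot widen its own view.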