Abstract: An example method for secure virtual machine access to a protected virtual machine function includes storing a first virtual machine function instruction, which is executable to configure access privileges of a guest according to a trampoline view, as a last instruction on a first trampoline page. The method also includes storing a clear interrupt flag instruction as a first instruction on a second trampoline page. The method further includes storing a second virtual machine function instruction, which is executable to configure access privileges of the guest according to a protected view, as a last instruction on the second trampoline page. The method also includes in response to detecting an extended page fault violation while the trampoline view is active, clearing the interrupt flag of the guest and entering execution on an instruction following the clear interrupt flag instruction on the second trampoline page.

Abstract: Methods, systems, and computer program products are included for loading a code module. A method includes providing, by a hypervisor, a virtual machine that includes a guest operating system. The code module and a signature corresponding to the code module are sent by the guest operating system to the hypervisor. One or more relocations are applied to the code module. The hypervisor verifies the signature corresponding to the code module. After verifying the signature, the hypervisor allows the guest operating system to execute the code module.

Abstract: Methods, systems, and computer program products for accessing a protected function are provided. A computer-implemented method includes allocating and initializing a guest virtual address for a virtual machine function. A user bit and a valid bit are configured to protect a page associated with the guest virtual address. Once the user bit and the valid bit are configured, the virtual machine function is mapped to the guest virtual address. Supervisor mode is requested in order to access the virtual machine function. In supervisor mode, the virtual machine function is validated and executed.

Abstract: A hypervisor identifies one or more interrupts of a networking device for a virtual machine. The hypervisor queues the interrupts and determines the execution state of at least one virtual processor of a virtual machine. Upon determining that the execution state of the virtual processor is active, the hypervisor continues queuing the interrupts of the networking device. Upon determining that the execution state of the virtual processor has changed to idle, the hypervisor provides the queued interrupts to the virtual machine.

Abstract: According to one example, a method includes with a hypervisor, detecting that a guest has executed a memory monitor command for a virtual processor, making a copy of a memory address associated with the memory monitor command, the copy being placed in hypervisor memory, and with the hypervisor, in response to detecting that the guest system has executed a wait command, executing a loop until the copy is different than the data stored in the memory address.

Abstract: A snapshot manager in a virtual machine monitor receives a write request comprising data from a guest operating system of a virtual machine, wherein the write request is directed to a sector of a virtual disk associated with the virtual machine. The snapshot manager writes the data from the guest operating system of the virtual machine to the sector in a base image of the virtual disk, the base image comprising a current version of the virtual disk, wherein the virtual disk comprises the base image and a overlay image, the overlay image comprising a snapshot of the base image at a previous point in time.

Abstract: A method performed by a physical computing system includes, with a hypervisor, determining that a multilevel guest page table includes an upper directory that maps a set of contiguous entries to privileged pages, with the hypervisor, determining that, within the multilevel page table, only the set of contiguous entries map to the privileged pages, with the hypervisor, receiving a request from the guest to execute a virtual machine function, receiving a pointer as a parameter for the virtual machine function, and in response to determining that the pointer references a memory address that is within a range associated with the set of contiguous entries, aborting the virtual machine function.

Abstract: An example method for host virtual address reservation comprises: reserving a host virtual address range within a virtual address space of a computer system; associating a first virtual memory device with a first guest physical address range a virtual machine running on the computer system; associating a second virtual memory device with a second guest physical address range of the virtual machine; mapping a first guest physical address of the first guest physical address range to a first host virtual address of the host virtual address range, wherein the first host virtual address is identified by an offset with respect to the first guest physical address; mapping a second guest physical address of the second guest physical address range to a second host virtual address of the host virtual address range, wherein the second host virtual address is identified by the offset with respect to the second guest physical address.

Abstract: Systems and methods for sharing message-signaled interrupt vectors in multi-processor computer systems. An example method may comprise: associating an interrupt vector with a first device component; associating the interrupt vector with the second device component; creating, in a first interrupt descriptor table (IDT) associated with a first processor, a first interrupt descriptor to reference a first interrupt service routine to process a first interrupt triggered by the first device component; and creating, in a second IDT associated with a second processor, a second interrupt descriptor to reference a second interrupt service routine to process a second interrupt triggered by the second device component, wherein the first interrupt descriptor and the second interrupt descriptor reference the interrupt vector.

Abstract: A system, methods, and apparatus for protection against interrupts in virtual machine functions are disclosed. A system includes memory, one or more physical processors, a virtual machine executing on the one or more physical processors, and a hypervisor executing on the one or more physical processors. The hypervisor determines a first location in the memory, corresponding to a physical address of the virtual machine function, and loads into memory at a second location in the memory outside the first location in the memory. The hypervisor initializes abort code at the second location in the memory. Prior to an execution of an instruction that loads an interrupt data structure on the virtual machine, a trap to the hypervisor is activated. The hypervisor then modifies a page table corresponding to the interrupt data structure to point to the initialized abort code.

Abstract: Systems and methods for guest page table validation by virtual machine (VM) functions. An example method comprises: storing a first VM function invocation instruction in a first memory page executable from a default memory view of a VM, wherein executing the first VM function invocation instruction switches a page table pointer to a trampoline memory view of the VM; configuring a write access permission, from the trampoline memory view, to a page table comprised by a VM page table hierarchy; storing a second VM function invocation instruction in a second memory page executable from the trampoline memory view, wherein executing the second VM function invocation instruction switches the page table pointer to an alternative memory view of the VM; storing, in the second memory page, validation instructions to validate the VM page table hierarchy; and storing protected instructions within a third memory page executable from the alternative memory view.

Abstract: A method performed by a physical computing system includes, with a hypervisor, determining that a multilevel guest page table includes an upper directory that maps a set of contiguous entries to privileged pages, with the hypervisor, determining that, within the multilevel page table, only the set of contiguous entries map to the privileged pages, with the hypervisor, receiving a request from the guest to execute a virtual machine function, receiving a pointer as a parameter for the virtual machine function, and in response to determining that the pointer references a memory address that is within a range associated with the set of contiguous entries, aborting the virtual machine function.

Abstract: A system, methods, and apparatus for protection against interrupts in virtual machine functions are disclosed. A hypervisor determines a first location in the memory, corresponding to a physical address of the virtual machine function. The hypervisor then determines a second location in the memory of the virtual machine function, where the second location is offset from the first location. The hypervisor modifies the virtual machine function at the second location in the memory to include checking code. The virtual machine function is executed and the checking code is executed while the virtual machine function is executing. While executing the checking code, the hypervisor determines whether interrupts are disabled on a virtual machine. Responsive to determining that interrupts are enabled on the virtual machine, disabling the interrupts on the virtual machine and/or aborting the virtual machine function.

Abstract: An example method of providing a dirty bitmap to an application includes receiving a request for a snapshot of an internal dirty bitmap. The internal dirty bitmap indicates whether a guest has updated one or more pages in guest memory since a previously received request for a snapshot of the internal dirty bitmap. The method also includes copying a set of bits of the internal dirty bitmap into a shared dirty bitmap, which is accessible by the hypervisor and application. The method further includes for each bit of the set of bits having a first value, setting the respective bit to a second value. The method also includes invalidating all cache lines in a set of pages corresponding to one or more bits having the first value in the shared dirty bitmap. The method further includes after invalidating the cache lines, providing the shared dirty bitmap to the application.

Abstract: Methods, systems, and computer program products for accessing a protected function are provided. A computer-implemented method includes allocating and initializing a guest virtual address for a virtual machine function. A user bit and a valid bit are configured to protect a page associated with the guest virtual address. Once the user bit and the valid bit are configured, the virtual machine function is mapped to the guest virtual address. Supervisor mode is requested in order to access the virtual machine function. In supervisor mode, the virtual machine function is validated and executed.

Abstract: Systems and methods for delivering certain types of interrupts to virtual machines executing privileged virtual machine functions. An example method may comprise: receiving, by a hypervisor being executed by a processing device of a host computer system, a request to send an interrupt to a virtual central processing unit (vCPU) of a virtual machine; responsive to detecting that the vCPU is executing a virtual machine (VM) function, monitoring the vCPU for completion of the VM function; and responsive to detecting that execution of the VM function is complete, delivering the interrupt to the vCPU.

Abstract: Systems and methods for transmitting inter-processor interrupt messages by privileged virtual machine functions. An example method may comprise: mapping, by a hypervisor being executed by a processing device of a host computer system, a plurality of interrupt controller registers of the host computer system into a memory address space of a virtual machine being executed by the host computer system; mapping, into the memory address space of the virtual machine, a task mapping data structure comprising a plurality of records, each record associating a task with a processor of the host computer system; and mapping, into the memory address space of the virtual machine, a notification code module to be invoked by the virtual machine for writing a notification message into an interrupt controller register associated with a processor identified using the task mapping data structure.

Abstract: A system, methods, and apparatus for protection against interrupts in virtual machine functions are disclosed. A system includes memory, one or more physical processors, a virtual machine executing on the one or more physical processors, and a hypervisor executing on the one or more physical processors. The hypervisor determines a first location in the memory, corresponding to a physical address of the virtual machine function, and loads into memory at a second location in the memory outside the first location in the memory. The hypervisor initializes abort code at the second location in the memory. Prior to an execution of an instruction that loads an interrupt data structure on the virtual machine, a trap to the hypervisor is activated. The hypervisor then modifies a page table corresponding to the interrupt data structure to point to the initialized abort code.

Abstract: A system, methods, and apparatus for protection against interrupts in virtual machine functions are disclosed. A hypervisor determines a first location in the memory, corresponding to a physical address of the virtual machine function. The hypervisor then determines a second location in the memory of the virtual machine function, where the second location is offset from the first location. The hypervisor modifies the virtual machine function at the second location in the memory to include checking code. The virtual machine function is executed and the checking code is executed while the virtual machine function is executing. While executing the checking code, the hypervisor determines whether interrupts are disabled on a virtual machine. Responsive to determining that interrupts are enabled on the virtual machine, disabling the interrupts on the virtual machine and/or aborting the virtual machine function.

Abstract: A system, methods, and apparatus for using hypervisor trapping for protection against interrupts in virtual machine functions are disclosed. A system includes memory, one or more physical processors, a virtual machine executing on the one or more physical processors, and a hypervisor executing on the one or more physical processors. The hypervisor reads an interrupt data structure on the virtual machine. The hypervisor determines whether the interrupt data structure points to an alternate page view. Responsive to determining that the interrupt data structure points to an alternate page view, the hypervisor disables a virtual machine function.