Abstract: Techniques and architecture are described for validating and verifying iPXE scripts prior to execution during a booting process. During the booting process of a network device, right after the UEFI/BIOS stage of the booting process, a trusted iPXE script may make a request to a network server for the ownership voucher and owner certificate of the network device. The ownership voucher and owner certificate may then be stored in a trusted platform module (TPM) on the network device. In configurations, the retrieved owner certificate may be validated by the ownership voucher. The owner certificate may be used to validate iPXE scripts. Once validated, the iPXE scripts may be executed and the booting process may be continued to the kernel loading step and the application loading step. During a subsequent booting process of the network device, the ownership voucher and owner certificate may be retrieved from the TPM.

Abstract: In one embodiment, methods for mediated transfer of ownership are described. The method may include receiving a request for an ownership voucher from a device, validating an identifier of the device, determining whether to issue the ownership voucher, generating a signed ownership voucher, and sending the signed ownership voucher to the device. In another embodiment, methods for unmediated transfer of ownership are described, including receiving, an ownership voucher associated with a first ownership certificate, determining whether the ownership voucher comprises a signature associated with a manufacturer, based at least in part on determining that the signature of the manufacturer is absent, determining that a second ownership certificate is stored in memory, determining that the second ownership certificate comprises a signature associated with a user, validating the ownership voucher; and based at least in part on the validating, enrolling the first ownership certificate on the network device.

Abstract: Techniques and architecture are described for providing a configurable security posture for a network device using an extended ownership artifact, e.g., an ownership voucher, an ownership certificate, etc., and a security profile mechanism that scales to user needs and desires for security profiles on network devices, i.e., easily and securely customizable on thousands of nodes of a network. The configurable security posture may be achieved using the manufacturer authorized signing authority (MASA) to issue an ownership voucher with a security bit extension to support security profile additions. Using the MASA service, a user may explicitly decide on various security postures of a given network device and may apply that profile across the fixed or modular chassis of a network of network devices.

Abstract: The present disclosure is directed to seamless access to a common physical disk in an AMP system without an external hypervisor, and includes one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations including instantiating, by a first instance, a second instance during a system upgrade, creating, in the first instance, a first disk abstraction for a block device of a physical disk, and attaching the block device under the first disk abstraction. The operations further include providing the second instance network-based access to the physical disk using the first disk abstraction of the first instance during the system upgrade.

Abstract: The present disclosure is directed to seamless access to a common physical disk in an AMP system without an external hypervisor, and includes one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations including instantiating, by a first instance, a second instance during a system upgrade, creating, in the first instance, a first disk abstraction for a block device of a physical disk, and attaching the block device under the first disk abstraction. The operations further include providing the second instance network-based access to the physical disk using the first disk abstraction of the first instance during the system upgrade.

Abstract: The present disclosure is directed to migrating logical volumes from a thick provisioned layout to a thin provisioned layout, and includes one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising creating an abstraction layer on top of a logical volume in a storage device, the abstraction layer for accessing the logical volume, the logical volume one of a plurality of logical volumes in a volume group of the storage device; allocating a thin pool from remaining storage space in the volume group of the storage device; creating a snapshot of the logical volume; adding a thin virtual volume corresponding to the logical volume to the thin pool; and copying data from the snapshot to the thin virtual volume.

Abstract: The present disclosure is directed to migrating logical volumes from a thick provisioned layout to a thin provisioned layout, and includes one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising creating an abstraction layer on top of a logical volume in a storage device, the abstraction layer for accessing the logical volume, the logical volume one of a plurality of logical volumes in a volume group of the storage device; allocating a thin pool from remaining storage space in the volume group of the storage device; creating a snapshot of the logical volume; adding a thin virtual volume corresponding to the logical volume to the thin pool; and copying data from the snapshot to the thin virtual volume.

Abstract: The present disclosure is directed to an in-memory communication infrastructure for an asymmetric multiprocessing system without an external hypervisor, and includes one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components to perform operations including identifying data for transmission from a first instance to a second instance, writing, by the first instance, the data into a first ring of a shared memory, the first ring configured as a first transmit ring for the first instance, sending an inter-processor interrupt to the second instance to alert the second instance of the data written into the first ring, reading, by the second instance, the data from the first ring, the first ring configured as a first receive ring for the second instance, and transmitting the data to an application of the second instance.

Abstract: Packets of various protocols may contain timestamps generated by a single timestamp engine. In one embodiment, packets of two different protocols, which are referred to as Protocols A and B for simplicity, contain timestamps generated by the same Protocol B timestamp engine. In order to cause a Protocol B timestamp engine to produce a timestamp for a Protocol A packet, information can be provided to the Protocol B timestamp engine indicating that the Protocol A packet is a packet of Protocol B. The information can be provided by an internal header appended to the Protocol A packet that effectively misidentifies the Protocol A packet as a Protocol B packet. As a result, the Protocol B timestamp engine generates and inserts a timestamp for the Protocol A packet as if it were a Protocol B packet. The Protocol A packet, now including the timestamp, can be output or further processed.

Abstract: Packets of various protocols may contain timestamps generated by a single timestamp engine. In one embodiment, packets of two different protocols, which are referred to as Protocols A and B for simplicity, contain timestamps generated by the same Protocol B timestamp engine. In order to cause a Protocol B timestamp engine to produce a timestamp for a Protocol A packet, information can be provided to the Protocol B timestamp engine indicating that the Protocol A packet is a packet of Protocol B. The information can be provided by an internal header appended to the Protocol A packet that effectively misidentifies the Protocol A packet as a Protocol B packet. As a result, the Protocol B timestamp engine generates and inserts a timestamp for the Protocol A packet as if it were a Protocol B packet. The Protocol A packet, now including the timestamp, can be output or further processed.

Abstract: A method and apparatus create a bundle of soft permanent virtual circuits (SPVCs) coupling form a source end to a destination end via a communications network. The SPVC bundle includes a plurality of member SPVCs, each member SPVC including a permanent virtual circuit (PVC) and a switched virtual circuit (SVC). The SPVC bundle creation includes (a) creating the SPVC bundle for the source end, each of the member SPVCs being associated with a respective connection characteristic and coupling to the same destination, and (b) transmitting, from the source end to the destination end, an SPVC setup message containing configuration information of the SPVC bundle. The SPVC bundle creation may further includes automatically creating, at the destination end, in response to the SPVC setup message, the SPVC bundle for the destination end in accordance with the configuration information.