Patents by Inventor Uwe Dannowski

Uwe Dannowski has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11972034
    Abstract: A computer system and associated methods are disclosed for mitigating side-channel attacks using a shared cache. The computer system includes a host having a main memory and a shared cache. The host executes a virtual machine manager (VMM) that determines respective security keys for a plurality of co-located virtual machines (VMs). A cache controller for the shared cache includes a scrambling function that scrambles addresses of memory accesses performed by threads of the VMs according to the respective security keys. Different cache tiers may implement different scrambling functions optimized to the architecture of each cache tier. Security keys may be periodically updated to further reduce predictability of shared cache to memory address mappings.
    Type: Grant
    Filed: October 29, 2020
    Date of Patent: April 30, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Martin Pohlack, Pawel Wieczorkiewicz, Uwe Dannowski
  • Patent number: 11620238
    Abstract: A computer system and associated methods are disclosed for mitigating side-channel attacks using a shared cache. The computer system includes a main memory, a shared cache and a cache controller for the shared cache including a scrambling function that scrambles addresses of memory accesses according to the respective scrambling keys selected for a sequence of time periods. Different cache tiers may implement different scrambling functions optimized to the architecture of each cache tier. Scrambling keys may be updated to reduce predictability of shared cache to memory address mappings. These updates may occur opportunistically, on demand or on a specified schedule. Multiple scrambling keys may be simultaneously active during transitions between active time periods.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: April 4, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Martin Pohlack, Uwe Dannowski, Pawel Wieczorkiewicz
  • Patent number: 11474857
    Abstract: As part of a compute instance migration, a compute instance which was executing at a first server begins execution at a second server before at least some state information of the compute instance has reached the second server. In response to a determination that a particular page of state information is not present at the second server, a migration manager running at one or more offload cards of the second server causes the particular page to be transferred to the second server via a network channel set up between the offload cards of both servers, and stores the page into main memory of the second server.
    Type: Grant
    Filed: May 6, 2020
    Date of Patent: October 18, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Sebastian Biemueller, Uwe Dannowski, Filippo Sironi, Barak Nirenberg
  • Patent number: 11042496
    Abstract: Provided are systems and methods for enabling peer-to-peer communications between peripheral devices. In various implementations, a computing system can include a PCI switch device. The first PCI switch device can include a first port and be communicatively coupled to a first root complex port. The first PCI switch device can have access to a first PCI endpoint address range. The computing system can further include a second PCI switch device. The second PCI switch device can include a second port, connected to the first port. The second PCI switch device can be communicatively coupled to a second root complex port that is different from the first root complex port. The second PCI switch device can receive a transaction addressed to the first PCI endpoint address range, and identify the transaction as associated with the second port. The second PCI switch device can subsequently transmit the transaction using the second port.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: June 22, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Christopher James BeSerra, Kypros Constantinides, Uwe Dannowski, Nafea Bshara, Matthew Shawn Wilson
  • Patent number: 10719463
    Abstract: Disclosed herein are techniques for migrating data from a source memory range to a destination memory while data is being written into the source memory range. An apparatus includes a control logic configured to receive a request for data migration and initiate the data migration using a direct memory access (DMA) controller, while the source memory range continues to accept write operations. The apparatus also includes a tracking logic coupled to the control logic and configured to track write operations performed to the source memory range while data is being copied from the source memory range to the destination memory. The control logic is further configured to initiate copying data associated with the tracked write operations to the destination memory.
    Type: Grant
    Filed: April 16, 2019
    Date of Patent: July 21, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Nafea Bshara, Mark Bradley Davis, Matthew Shawn Wilson, Uwe Dannowski, Yaniv Shapira, Adi Habusha, Anthony Nicholas Liguori
  • Patent number: 10706147
    Abstract: A computer system and associated methods are disclosed for mitigating side-channel attacks using a shared cache. The computer system includes a host having a main memory and a shared cache. The host executes a virtual machine manager (VMM) that supports a plurality of co-located virtual machines (VMs), which can initiate side-channel attacks using the shared cache. The VMM is configured to maintain respective memory maps for the VMs. The VMM is further configured to determine a subset of current host memory pages for a selected VM that can be used in a side-channel attack, relocate the contents of the current host memory pages to replacement host memory pages in the main memory, and modify the subset of entries to change current host memory pages to the respective replacement host memory pages.
    Type: Grant
    Filed: May 19, 2017
    Date of Patent: July 7, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Martin Thomas Pohlack, Uwe Dannowski
  • Patent number: 10303879
    Abstract: A multi-tenant trusted platform module (MTTPM) is attached to a communication bus of a virtualization host. The MTTPM includes a plurality of per-guest-virtual-machine (per-GVM) memory location sets. In response to an indication of a first trusted computing request (TCR) associated with a first GVM of a plurality of GVMs instantiated at the virtualization host, a first memory location of a first per-GVM memory location set is accessed to generate a first response indicative of a configuration of the first GVM. In response to an indication of a second TCR associated with a second GVM, a second memory location of a second per-GVM memory location set is accessed to generate a second response, wherein the second response is indicative of a different configuration of the second GVM.
    Type: Grant
    Filed: November 6, 2014
    Date of Patent: May 28, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Nachiketh Rao Potlapally, Uwe Dannowski, Derek Del Miller, David James Borland, Rahul Gautam Patel, William John Earl
  • Patent number: 10268612
    Abstract: Disclosed herein are techniques for migrating data from a source memory range to a destination memory while data is being written into the source memory range. An apparatus includes a control logic configured to receive a request for data migration and initiate the data migration using a direct memory access (DMA) controller, while the source memory range continues to accept write operations. The apparatus also includes a tracking logic coupled to the control logic and configured to track write operations performed to the source memory range while data is being copied from the source memory range to the destination memory. The control logic is further configured to initiate copying data associated with the tracked write operations to the destination memory.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: April 23, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Nafea Bshara, Mark Bradley Davis, Matthew Shawn Wilson, Uwe Dannowski, Yaniv Shapira, Adi Habusha, Anthony Nicholas Liguori
  • Patent number: 10248409
    Abstract: A code patching component may insert a binary patch into a native-code representation of a program during execution. Prior to inserting the binary patch, a patch code analysis tool may receive a source code patch for the program, and determine that applying the source code patch would change the binary for the program outside of the patched area (e.g., due to changes in the number of lines, changes in the file names or path information for source code files from which the program is built, or line directives that embed line numbers or file names in the binary for the patched program). The tool may modify the source code patch to limit its effects to the patch area by adding empty lines, merging of lines of code, or forcing a line number change. The tool may filter line directives to match previously embedded file name information.
    Type: Grant
    Filed: December 3, 2014
    Date of Patent: April 2, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Martin Thomas Pohlack, Uwe Dannowski, Geoffrey Plouviez
  • Patent number: 9940148
    Abstract: Techniques for in-place updates of hypervisors are described herein. At a time after receiving an update hypervisor request, one or more controlling domains within a computing system invoke one or more system capabilities at least to pause execution of currently running client domains and non-essential CPUs. While the client domains and non-essential CPUs are paused, a new hypervisor is instantiated, and state information is copied from the existing hypervisor to the new hypervisor. After the state and/or configuration copy is complete, control is switched from the existing hypervisor to the new hypervisor and client domains and non-essential CPUs are resumed.
    Type: Grant
    Filed: August 5, 2013
    Date of Patent: April 10, 2018
    Assignee: Amazon Technologies, Inc.
    Inventor: Uwe Dannowski
  • Patent number: 8490089
    Abstract: A method includes, in a virtualized processing system, generating a local value of a first counter. The local value is accessible while executing in a first mode of the virtualized processing system. The local value is generated based on a value of a second counter and a ratio of a rate of the first counter to a rate of the second counter. The first counter is inaccessible while executing in the first mode of the virtualized processing system and accessible while executing in a second mode of the virtualized processing system. The first mode may be a guest mode and the second mode may be a host mode. The first counter may be an ACPI Power Management Timer. The second counter may be a Time Stamp Counter.
    Type: Grant
    Filed: November 5, 2010
    Date of Patent: July 16, 2013
    Assignee: Advanced Micro Devices, Inc.
    Inventors: Thomas Friebel, Uwe Dannowski, Sebastian Biemueller
  • Patent number: 8386749
    Abstract: A processing system has one or more processors that implement a plurality of virtual machines that are managed by a hypervisor. Each virtual machine provides a secure and isolated hardware-emulation environment for execution of one or more corresponding guest operating systems (OSs). Each guest OS, as well as the hypervisor itself, has an associated address space, identified with a corresponding “WorldID.” Further, each virtual machine and the hypervisor can manage multiple lower-level address spaces, identified with a corresponding “address space identifier” or “ASID”. The address translation logic of the processing system translates the WorldID and ASID of the current address space context of the processing system to corresponding WorldID and ASID search keys, which have fewer bits than the original identifiers and thus require less complex translation lookaside buffer (TLB) hit logic.
    Type: Grant
    Filed: March 16, 2010
    Date of Patent: February 26, 2013
    Assignee: Advanced Micro Devices, Inc.
    Inventors: Uwe Dannowski, Stephan Diestelhorst, Sebastian Biemueller
  • Publication number: 20120117564
    Abstract: A method includes, in a virtualized processing system, generating a local value of a first counter. The local value is accessible while executing in a first mode of the virtualized processing system. The local value is generated based on a value of a second counter and a ratio of a rate of the first counter to a rate of the second counter. The first counter is inaccessible while executing in the first mode of the virtualized processing system and accessible while executing in a second mode of the virtualized processing system. The first mode may be a guest mode and the second mode may be a host mode. The first counter may be an ACPI Power Management Timer. The second counter may be a Time Stamp Counter.
    Type: Application
    Filed: November 5, 2010
    Publication date: May 10, 2012
    Inventors: Thomas Friebel, Uwe Dannowski, Sebastian Biemueller
  • Publication number: 20110231630
    Abstract: A processing system has one or more processors that implement a plurality of virtual machines that are managed by a hypervisor. Each virtual machine provides a secure and isolated hardware-emulation environment for execution of one or more corresponding guest operating systems (OSs). Each guest OS, as well as the hypervisor itself, has an associated address space, identified with a corresponding “WorldID.” Further, each virtual machine and the hypervisor can manage multiple lower-level address spaces, identified with a corresponding “address space identifier” or “ASID”. The address translation logic of the processing system translates the WorldID and ASID of the current address space context of the processing system to corresponding WorldID and ASID search keys, which have fewer bits than the original identifiers and thus require less complex translation lookaside buffer (TLB) hit logic.
    Type: Application
    Filed: March 16, 2010
    Publication date: September 22, 2011
    Applicant: ADVANCED MICRO DEVICES, INC.
    Inventors: Uwe Dannowski, Stephan Diestelhorst, Sebastian Biemueller