Abstract: Operation of a multi-slice processor that includes a plurality of execution slices, a plurality of load/store slices, and one or more translation caches, where operation includes: determining, at the load/store slice, a real address from a cache hit in the translation cache for an effective address for an instruction received at a load/store slice; determining, at the load/store slice, an error condition corresponding to an access of the real address; determining, at the load/store slice, a process type indicating a source of the instruction to be a guest process; and responsive to determining the error condition, initiating, in dependence upon the process type indicating a source of the instruction to be a guest process, an effective address translation corresponding to a cache miss in the translation cache for the effective address for the instruction.

Abstract: A method of migrating a virtual machine (VM) having a virtual disk from a source data center to a destination data center includes generating a snapshot of the VM to create a base disk and a delta disk in which writes to the virtual disk subsequent to the snapshot are recorded, and copying the base disk to a destination data store. The method further includes, in response to a request to migrate the VM, preparing a migration specification at the source and transmitting the migration specification to the destination, the migration specification including a VM identifier and a current content ID of the base disk, and determining that a content ID of the copied base disk matches the current content ID of the base disk included in the migration specification and updating the migration specification to indicate that the base disk does not need to be migrated.

Abstract: Component objects of a virtual disk are backed by first storage nodes, which are at a primary site, and second storage nodes, which are at a secondary site. The method of resynchronizing the component objects of the virtual disk includes, at a coordinating node at the primary site, responsive to a second storage node coming back online, identifying an out-of-sync block of the second storage node, locating the out-of-sync block in an address space maintained for blocks of the virtual disk, and transmitting a resync command to a replication module of a coordinating node at the secondary site, the resync command identifying the out-of-sync block within the address space.

Abstract: A method of GPU virtualization comprises allocating each virtual machine (or operating system running on a VM) an identifier by the hypervisor and then this identifier is used to tag every transaction deriving from a GPU workload operating within a given VM context (i.e. every GPU transaction on the system bus which interconnects the CPU, GPU and other peripherals). Additionally, dedicated portions of a memory resource (which may be GPU registers or RAM) are provided for each VM and whilst each VM can only see their allocated portion of the memory, a microprocessor within the GPU can see all of the memory. Access control is achieved using root memory management units which are configured by the hypervisor and which map guest physical addresses to actual memory addresses based on the identifier associated with the transaction.

Abstract: An agent for managing virtual machines includes a persistent storage and a processor. The persistent storage stores backup/restoration policies. The processor identifies a virtual machine of the virtual machines that is likely to fail and, in response to identifying the virtual machine, identifies backup data associated with the identified virtual machine; instantiates a clone of the identified virtual machine using the identified backup; exposes the clone while the identified virtual machine is exposed; and hides the virtual machine after the clone is exposed.

Abstract: Optimizations are provided for frame management operations, including a clear operation and/or a set storage key operation, requested by pageable guests. The operations are performed, absent host intervention, on frames not resident in host memory. The operations may be specified in an instruction issued by the pageable guests.

Abstract: Methods, systems, and computer program products are provided for migrating memory pages. A virtual machine is run by a hypervisor. The virtual machine includes a guest that is allocated a plurality of guest memory pages. A data structure is initialized corresponding to a memory page of the plurality of guest memory pages. A first status is assigned in the data structure to the memory page. The memory page is migrated to a destination and the data structure is modified to assign the memory page a second status.

Abstract: Management of storage used by pageable guests of a computing environment is facilitated. A query instruction is provided that details information regarding the storage location indicated in the query. It specifies whether the storage location, if protected, is protected by host-level protection or guest-level protection.

Abstract: Examples include an apparatus which accesses secure pages in a trust domain using secure lookups in first and second sets of page tables. For example, one embodiment of the processor comprises: a decoder to decode a plurality of instructions including instructions related to a trusted domain; execution circuitry to execute a first one or more of the instructions to establish a first trusted domain using a first trusted domain key, the trusted domain key to be used to encrypt memory pages within the first trusted domain; and the execution circuitry to execute a second one or more of the instructions to associate a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain.

Abstract: Providing memory management unit (MMU)-assisted address sanitizing in processor-based devices is disclosed. In one aspect, a processor-based device provides an MMU that includes a last-level page table that is configured to store page table entry (PTE) tokens for validating memory accesses, as well as fragment order indicators representing a count of page fragments for each memory page in the system memory. Upon receiving a memory access request comprising a pointer token and a virtual address of a memory fragment within a memory page of the system memory, the MMU uses the virtual address and the fragment order indicator of the PTE corresponding to the virtual address to retrieve a PTE token for the virtual address from the last-level page table, and determines whether the PTE token corresponds to the pointer token. If so, the MMU performs the memory access request using the pointer, and otherwise may raise an exception.

Abstract: Systems, methods, apparatuses, and software for data storage systems are provided herein. In one example, a data storage assembly is provided that includes a plurality of storage drives each comprising a PCIe host interface and solid state storage media. The data storage assembly includes a PCIe switch circuit coupled to the PCIe host interfaces of the storage drives and configured to receive storage operations issued by one or more host systems over a shared PCIe interface and transfer the storage operations for delivery to the storage drives over selected ones of the PCIe host interfaces. The data storage assembly includes a control processor configured to monitor usage statistics of the storage drives, and power control circuitry configured to selectively remove the power from ones of the storage drives based at least on the usage statistics of the storage drives.

Abstract: System for for managing host reclaimable memory based on VM needs includes a plurality of VMs; a hypervisor configured to process VM memory requests; a host CPU configured to control host physical memory reclaim process; at least one VM being allocated physical memory; Guest tool configured to determine page types based on a memory map; and a host module configured to scan an LRU list for pages that it can reacquire, and to force a slowdown in VM operations when reclaim operations use up more than a predefined share of CPU time. The host CPU performs the following based on the page type: (i) hard lock protection, when the page is a VM kernel page, for host-based reclaim of the page when no other VM pages are left to reacquire; and (ii) access/dirty (A/D) bit marking, when the page is a regular VM page.

Abstract: Some embodiments described herein are directed to memory page or bad block monitoring and retirement algorithms, systems and methods for random access memory (RAM). Reliability issues or errors can be detected for multiple memory pages using one or more retirement criterion. In some embodiments, when reliability errors are detected, it may be desired to remove such pages from operation before they create a more serious problem, such as a computer crash. Thus, bad block retirement and replacement mechanisms are described herein.

Abstract: Embodiments of the disclosure provide a method and an apparatus for accessing private data in a physical memory of an electronic device, wherein the method includes: receiving a request for accessing private data in the physical memory from a process running in the electronic device; and accessing private data in a particular physical address interval of the physical memory through a secure memory access interface added to a virtual machine monitor of the electronic device, wherein a mapping relationship for the particular physical address interval is not established in a memory management unit of the electronic device, and the secure memory access interface is pre-designed to realize access to the private data in the particular physical address interval of the physical memory. The method and the apparatus of the present application can enhance security of private data in a physical memory.

Abstract: A method and a Memory Availability Managing Module (110) “MAMM” for managing availability of memory pages (130) are disclosed. A disaggregated hardware system (100) comprises sets of memory blades (105, 106, 107) and computing pools (102, 103, 104). The MAMM (110) receives (A010) a message relating to allocation of at least one memory page to at least one operating system (120). The message comprises an indication about availability for said at least one memory page. The MAMM (110) translates (A020) the indication about availability to a set of memory blade parameters, identifying at least one memory blade (105, 106, 107). The MAMM (110) generates (A030) address mapping information for said at least one memory page, including a logical address of said at least one memory page mapped to at least two physical memory addresses of said at least one memory blade (105, 106, 107).

Abstract: One or more embodiments provide techniques for migrating a virtual machine (VM) from a private data center to a cloud data center. A hybridity manager receives a request at the cloud data center to replicate a VM from the private data center on the cloud data center. The hybridity manager identifies a source network associated with the VM. The hybridity manager identifies whether there exists a stretched network associated with the source network of the VM. Responsive to determining that there is a stretched network associated with the source network of the VM, the hybridity manager replicates the VM on the stretched network without reconfiguring internet-protocol (IP) settings of the VM.

Abstract: The invention relates to a method, computer program product and computer system for providing attribute value information for a data extent having a set of data entries.

Abstract: Techniques for placing virtual machines based on compliance of device profiles are disclosed. In one embodiment, a list of device profiles may be maintained, each device profile including details of at least one virtual device and associated capabilities. Further, a first device profile from the list of device profiles may be assigned to a virtual machine. Furthermore, the virtual machine may be placed on a host computing system based on compliance of the first device profile.

Abstract: A system for provisioning an elastic computing infrastructure is provided. The system include a memory and at least one processor coupled to the memory. The system also includes a management component executed by the at least one processor and configured to instantiate an objective object having a resource collection and instructions that specify processing performed by the objective object, the resource collection identifying at least one resource object that controls a capacity of at least one resource provided by at least one computer system, the capacity being sufficient for processing to be performed at a predetermined performance level.

Abstract: Systems and methods for efficient migration for encrypted virtual machines (VMs) by active page copying are disclosed. An example method may include receiving a request to migrate a VM, identifying a first page of memory of the VM on the source host machine for migration, the first page of memory encrypted with a VM-specific encryption key, protecting the first page from access by the VM, executing a send command to modify the first page from encrypted with the guest-specific encryption key to encrypted with a migration key while the first page remains in place in the memory, allocating a second page in a buffer, copying contents of the first page to the second page, executing a receive command to modify the first page from encrypted with the migration key to encrypted with the guest-specific encryption key while the first page remains in place in the memory, and transmitting contents of the second page.

Abstract: A method, an apparatus, and a system for migrating virtual machine backup information, which implement backup information migration after a virtual machine is migrated. The method includes: receiving, by a first backup server, a migration trigger message, where the migration trigger message carries pre-migration virtual-machine identification information and indication information of a second backup server; determining, by the first backup server, backup information of the virtual machine according to the pre-migration virtual-machine identification information; and sending, by the first backup server, the backup information to the second backup server. Therefore, the migrated virtual machine inherits backup information existing before the migration, such that the migrated virtual machine continues to be protected by backup data existing before the migration, and data of the virtual machine is backed up according to a backup policy existing before the migration.

Abstract: A security module in a memory access path of a processor of a processing system protects secure information by verifying the contents of memory pages as they transition between one or more virtual machines (VMs) executing at the processor and a hypervisor that provides an interface between the VMs and the processing system's hardware. The security module of the processor is employed to monitor memory pages as they transition between one or more VMs and a hypervisor so that memory pages that have been altered by a hypervisor or other VM cannot be returned to the VM from which they were transitioned.

Abstract: A hypervisor generates first and second page views, where a guest physical address points to a first page of the first page view and a second page of the second page view. A first pointer value is written to the first page and a second pointer value is written to the second page. A guest operating system executes a first task and if a determination to switch to the second task is made, the guest operating system reads a current pointer value and determines what the current page view is. If the guest operating system determines that the current page view is the first page view, the guest operating system saves the first pointer value in a first memory of the first task, loads the second pointer value from a second memory of the second task, and executes a virtual machine function to switch to the second page view.

Abstract: Methods, systems, and devices for memory buffer management and bypass are described. Data corresponding to a page size of a memory array may be received at a virtual memory bank of a memory device, and a value of a counter associated with the virtual memory bank may be incremented. Upon determining that a value of the counter has reached a threshold value, the data may be communicated from the virtual memory bank to a buffer of the same memory device. For instance, the counter may be incremented based on the virtual memory bank receiving an access command from a host device.

Abstract: A computing device features one or more hardware processors and a memory that is coupled to the one or more processors. The memory comprises software that supports virtualization, including a virtual machine operating in the guest mode and a virtualization layer operating in the host mode. The virtual machine is configured to execute a plurality of processes including a guest agent process. The virtualization layer is configured to protect the guest agent process operating within the virtual machine that provides metadata to the virtualization layer by restricting page permissions for memory pages associated with the guest agent process when the guest agent process is inactive.

Abstract: A microservice application can be tested inside an inner cloud environment that is within an outer cloud environment. For example, a software application can generate an inner cloud environment within an outer cloud environment in response to an event associated with a microservice application. The software application can then deploy another version of the microservice application in the inner cloud environment. The software application can perform at least one test on the other version of the microservice application in the inner cloud environment to determine a compatibility of the other version of the microservice application with the inner cloud environment.

Abstract: A computer system includes a translation lookaside buffer (TLB) data cache and a processor. The TLB data cache includes a hierarchical configuration comprising a first TLB array, a second TLB array, a third TLB array, and a fourth TLB array. The processor is configured to receive a first address for translation to a second address, and determine whether translation should be performed using a hierarchical page table or a hashed page table. The processor also determines (using a first portion of the first address) whether the first array stores a mapping of the first portion of the first address in response to determining that the translation should be performed using the hashed page table, and retrieving the second address from the third TLB array or the fourth TLB array in response to determining that the first TLB array stores the mapping of the first portion of the first address.

Abstract: Circuitry comprises a translation lookaside buffer to store data representing memory address translations, each memory address translation being between an input memory address range defining a contiguous range of one or more input memory addresses in an input memory address space and a translated output memory address range defining a contiguous range of one or more output memory addresses in an output memory address space; in which the translation lookaside buffer comprises a plurality of memory elements to store one or more arrays each having a base input memory address, a base output memory address and a plurality of entries each mapping an n-bit offset to an m-bit offset, each entry representing a memory address translation of an input memory address range defined by the respective n-bit offset relative to the base input memory address to a translated output memory address range defined by the respective m-bit offset relative to the base output memory address; in which n and m are positive integers and n

Abstract: A method for detecting a ROP attack comprising processing of an object within a virtual machine managed by a virtual machine monitor (VMM), intercepting an attempted execution by the object of an instruction, the instruction stored on a page in memory that is accessed by the virtual machine, responsive to determining the page includes instructions corresponding to one of a predefined set of function calls, (i) inserting a first transition event into the memory at a starting address location of a function call, and (ii) setting a permission of the page to be execute only, and responsive to triggering the first transition event, halting, by the VMM, the processing of the object and analyzing, by logic within the VMM, content of last branch records associated with the virtual machine to determine whether the processing of the object displays characteristics of a ROP attack is shown.

Abstract: Acquiring location information is presented, including acquiring disk location information for logical partitions, the logical partitions pertaining to a virtual machine, matching the disk location information corresponding to the logical partitions against location information for at least one virtual disk stored on a physical device, in the event that the disk location information matches the location information for the at least one virtual disk, determining the location information for the at least one virtual disk obtained by the matching to be the disk location information for the logical partitions in the physical device, and outputting the location information for the at least one virtual disk.

Abstract: A selection of a document that includes a command and a parameter is received, and a user is caused to be associated with a policy that grants permission to execute the document. A request is received, from a requestor, to execute the document, the request including a parameter value, and the requestor is determined to be the user associated with the policy. The user is validated to have access to a resource indicated by the parameter value, and the command is caused to be executed against the resource.

Abstract: A system and method include receiving, by a computing system, an initial container file of a container as input, such that the container is to be converted into a virtual machine and the initial container file is part of a plurality of container files associated with the container. The system and method also include parsing, by the computing system, the plurality of container files including the initial container file, generating, by the computing system, an ISO image from each of the parsed container files, and booting, by the computing system, the virtual machine using the ISO image from each of the parsed container files.

Abstract: Embodiments of apparatuses and methods for processing virtualization events in a layered virtualization architecture are disclosed. In one embodiment, an apparatus includes a hardware processor including event circuit to recognize a virtualization event, and evaluation circuit to determine whether to transfer control of the apparatus from a child guest to a parent guest in response to the virtualization event, wherein the child guest and the parent guest each include a bit per virtualization event to indicate whether the parent guest is to gain control when the virtualization event occurs.

Abstract: An apparatus, system, and method provide remote management of a distributed computer system through a wireless communication link. A wireless server application utilizes a stateless protocol to communicate with a wireless client. An administrator uses the wireless client running on a portable device connected to a wireless server through the wireless communication link to access a network management application connected to the distributed computer network.

Abstract: Disclosed is a method that includes calculating, at a collector receiving a data flow and via a hashing algorithm, all possible hashes associated with at least one virtual attribute associated with the data flow to yield resultant hash values. Based on the resultant hash values, the method includes computing a multicast address group and multicasting the data flow to n leafs based on the multicast address group. At respective other collectors, the method includes filtering received sub-flows of the data flow based on the resultant hashes, wherein if a respective hash is owned by a collector, the respective collector accepts and saves the sub-flow in a local switch collector database. A scalable, distributed netflow is possible with the ability to respond to queries for fabric-level netflow statistics even on virtual constructs.

Abstract: An example method of preserving a modification to an internal state of a computer system includes applying an overlay on a target container. The overlay includes a set of events corresponding to a first set of modifications to a computer system. The method also includes after applying the overlay, receiving a set of user requests corresponding to a second set of modifications to the computer system. The method further includes changing, based on the set of user requests, the third set of internal states of the computer system to the fourth set of internal states. The method also includes removing the overlay from the target container, while preserving the second set of modifications to the computer system.

Abstract: A method and system using face tracking and object tracking is disclosed. The method and system use face tracking, location, and/or recognition to enhance object tracking, and use object tracking and/or location to enhance face tracking.

Abstract: In a virtual computing environment, a system configured to switch between isolated virtual contexts. A system includes a physical processor. The physical processor includes an instruction set architecture. The instruction set architecture includes an instruction included in the instruction set architecture for the physical processor that when invoked indicates that a virtual processor implemented using the physical processor should switch directly from a first virtual machine context to a second virtual machine context. The first and second virtual machine contexts are isolated from each other.

Abstract: Systems and methods for copy and decrypt support for encrypted virtual machines are disclosed. An example method may include receiving, at a source host machine hosting a virtual machine (VM), a request to migrate the VM to a destination host machine, identifying a first page of memory of the VM on the source host machine for migration, write-protecting the first page, the first page of memory encrypted with a VM-specific encryption key, allocating a second page, executing a copy-and-reencrypt command using the first page and the second page as parameters for the copy-and-reencrypt command, the copy-and-reencrypt command to output the second page comprising contents of the first page re-encrypted with a migration key, and transmitting contents of the second page to the destination host machine.

Abstract: An image forming apparatus capable of preventing compatibility with an extension application from being impaired. The image forming apparatus installs an operation program of an extension application therein, and includes a VM (Virtual Machine) that executes a bytecoded program generated based on the operation program. The bytecoded program is generated by converting the operation program to bytecode. The operation program and the bytecoded program are written into a package, and the package is stored in a storage of the image forming apparatus.

Abstract: Apparatuses, methods and storage medium associated with computing that include usage and backup of persistent memory are disclosed herein. In embodiments, an apparatus for computing may comprise one or more processors and persistent memory to host operation of one or more virtual machines; and one or more page tables to store a plurality of mappings to map a plurality of virtual memory pages of a virtualization of the persistent memory of the one or more virtual machines to a plurality of physical memory pages of the persistent memory allocated to the one or more virtual machines. The apparatus may further include a memory manager to manage accesses of the persistent memory that includes a copy-on-write mechanism to service write instructions that address virtual memory pages mapped to physical memory pages that are marked as read-only. Other embodiments may be described and/or claimed.

Abstract: In one embodiment, a solid state drive (SSD) with power loss protection (PLP) includes a SSD controller, a secondary controller and a power circuit configured to supply power to the SSD from a power source during normal operation and backup power from a backup power source in response to a loss of power supplied by the power source. In the event of a loss of power, the secondary controller is configured to track the holdup time, or duration of time for which the primary controller can operate on backup power. In one embodiment, the holdup time tracked by the secondary controller is stored in a non-volatile memory in communication with the secondary controller.

Abstract: Various techniques for detection of malware using an instrumented virtual machine environment are disclosed. In some embodiments, detection of malware using an instrumented virtual machine environment includes instantiating a first virtual machine in the instrumented virtual machine environment, in which the first virtual machine is configured to support installation of two or more versions of a resource; installing a first version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with a malware sample opened using the first version of the resource; and installing a second version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the second version of the resource with the malware sample opened using the second version of the resource.

Abstract: According to one or more embodiments of the disclosure, virtual replication of physical things for scale-out in an Internet of Things (IoT) integrated developer environment (IDE) is shown and described. In particular, in one embodiment, a computer operates an Internet of Things (IoT) integrated developer environment (IDE) that accesses one or more real-world physical devices within a computer network that are configured to participate with the IoT IDE. The IoT IDE may then virtually replicate the one or more real-world physical devices within the IoT IDE into a configuration of virtual devices within the IoT IDE, such that simulating an IoT application within the IoT IDE results in relaying input and/or output (I/O) messages between the IoT IDE and the one or more real-world physical devices, and virtually replicating those I/O messages according to the configuration of virtual devices within the IoT IDE.

Abstract: A power consumption optimization system includes a virtual machine (VM) provisioned on a host, a memory, a server, and a processor in communication with the memory. The processor causes the server to store a power consumption profile of the VM. The VM runs at a processor frequency state. Additionally, the processor causes the server to receive a request to lower a processor frequency for the VM from an original processor frequency state to a reduced processor frequency state. The request has request criteria indicating a time duration associated with the request. The server validates the request criteria and a requirement of another tenant on the host. Responsive to validating the request criteria and the requirement the other tenant on the host, the server confirms the request to lower the processor frequency. Additionally, the server lowers the processor frequency to the reduced processor frequency state during the time duration.

Abstract: Techniques for configurable compute instance resets are described. A user can issue a request to securely reset one or more compute instances implemented within a service provider system. Each compute instance is reset to a previous point in time, such that any activity of the compute instance or effects thereof occurring since that point in time are completely eliminated. Each compute instance reset can include removing an existing volume of the compute instance, obtaining a volume, attaching the obtained volume to the compute instance, and rebooting the compute instance. Configuration data of the compute instance, such as an instance identifier or network addresses, can be maintained after the reset.

Abstract: Described herein is a method for allocating resources for rendering. The method can include assembling a plurality of render nodes. The render nodes can have their defined input(s) and output(s). From the assembled set of render nodes a schedule can be compiled. The compiled schedule for the plurality of rendering nodes can be based at least on the defined input(s) and output(s). Additionally, the plurality of rendering nodes can be scheduled such that more than one rendering algorithm can be carried out at a point in time. Within the compiling, a set of resource barriers can be defined. The set of resource barriers can include system resource barriers. These system resource barriers can be for processing the set of render nodes based on the created schedule.

Abstract: The present invention relates to a technology that performs: checking an integrity of a paravirtualization agent before executing the paravirtualization agent; protecting the paravirtualization agent by obstructing the modulation of a memory region to which the paravirtualization agent is allocated; when file input-output is generated in the paravirtualization agent, transmitting information associated with the generated file input-output to a host-based file system protection service to inquire about accessibility; determining an authority for access to the generated file input-output through a reasoning engine in the host-based file system protection service; and transmitting a result of the determination to the paravirtualization agent, and processing the generated file input-output, thereby protecting a file in a file system.

Abstract: Various computer peripheral cards, devices, systems, methods, and software are provided herein. In one example, a storage card insertable into a host system includes a plurality of storage device connectors in a stacked arrangement, each configured to mate with associated storage devices and carry Peripheral Component Interconnect Express (PCIe) signaling for the associated storage devices. The storage card also includes a PCIe switch circuit configured to communicatively couple the PCIe signaling of the plurality of storage device connectors and PCIe signaling of a host connector of the storage card, where the PCIe switch circuit is configured to receive storage operations over the PCIe signaling of the host connector of the storage card and transfer the storage operations for delivery over the PCIe signaling of selected ones of the plurality of storage device connectors.

Abstract: Described herein is a method for allocating resources of a graphics processing unit (GPU). Methods as described herein can include assembling a plurality of work nodes having defined inputs and outputs, wherein at least one work node is a rendering work node and at least one work node is a compute work node. A schedule can be created for the plurality of work nodes based at least on the defined inputs and outputs, wherein the plurality of work nodes can be scheduled such that more than one GPU process can be carried out at a point in time. Additionally, the schedule can be created such that both render nodes and compute nodes can use the same GPU resources either simultaneously or at separate times. For example, the GPU does not need to be partitioned where certain resources are only for compute processes and others are reserved for rendering processes. A set of system resource barriers can be determined for processing the set of work nodes based on the created schedule.