WO2014207581A3 - Processing guest event in hypervisor-controlled system - Google Patents

Processing guest event in hypervisor-controlled system


Publication number
WO2014207581A3
Authority
WO
WIPO (PCT)
Prior art keywords
guest
hypervisor
event
memory
firmware
Prior art date
Application number
PCT/IB2014/059780
Other languages
French (fr)
Other versions
WO2014207581A2 (en)
Inventor
Utz Bacher
Reinhard Buendgen
Einar Lueck
Original Assignee
International Business Machines Corporation
Ibm (China) Investment Company Ltd.
Ibm Deutschland Management & Business Support Gmbh
Priority date
Filing date
Publication date
Application filed by International Business Machines Corporation, Ibm (China) Investment Company Ltd., Ibm Deutschland Management & Business Support Gmbh
Priority to JP2016522898A (JP6347831B2)
Priority to CN201480036373.2A (CN105453034B)
Priority to GB1600172.9A (GB2530225B)
Priority to US14/899,166 (US9690947B2)
Priority to DE112014000965.2T (DE112014000965T5)
Publication of WO2014207581A2
Publication of WO2014207581A3


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/542 Event management; Broadcasting; Multicasting; Notifications
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Abstract

A method for processing a guest event in a hypervisor-controlled system (10), comprising the steps: (i) the guest event triggering a first firmware service being specific for the guest event in a firmware (70), the guest event being associated with a guest (20) and with a guest state (52) and a guest memory (22) encrypted with a guest key (24); (ii) the firmware (70) processing information associated with the guest event, comprising information of the guest state (52) and the guest memory (22), and presenting only a subset of the information of the guest state (52) and the guest memory (22) in decrypted form to a hypervisor (30), wherein the subset of the information is selected to suffice for the hypervisor (30) to process the guest event; (iii) the firmware (70) retaining a part of the information of the guest state (52) and the guest memory (22) that is not being sent to the hypervisor (30); (iv) the hypervisor (30) processing the guest event based on the received subset of the information of the guest state (52) and the guest memory (22) and sending a process result to the firmware (70) triggering a second firmware service being specific for the guest event; (v) the firmware (70) processing the received process result together with the part of the information of the guest state (52) and the guest memory (22) that was not sent to the hypervisor (30), generating a state and/or memory modification; (vi) the firmware (70) performing the state and/or memory modification associated with the guest event at the guest memory (22) in encrypted form.
PCT/IB2014/059780 2013-06-27 2014-03-14 Processing a guest event in a hypervisor-controlled system WO2014207581A2 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
JP2016522898A JP6347831B2 (en) 2013-06-27 2014-03-14 Method, data processing program, computer program product, and data processing system for handling guest events in a system controlled by a hypervisor
CN201480036373.2A CN105453034B (en) 2013-06-27 2014-03-14 Customer event is handled in the system of manager control
GB1600172.9A GB2530225B (en) 2013-06-27 2014-03-14 Processing a guest event in a hypervisor-controlled system
US14/899,166 US9690947B2 (en) 2013-06-27 2014-03-14 Processing a guest event in a hypervisor-controlled system
DE112014000965.2T DE112014000965T5 (en) 2013-06-27 2014-03-14 Processing a guest event in a hypervisor-driven system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1311430.1 2013-06-27
GB1311430.1A GB2515536A (en) 2013-06-27 2013-06-27 Processing a guest event in a hypervisor-controlled system

Publications (2)

Publication Number Publication Date
WO2014207581A2 (en) 2014-12-31
WO2014207581A3 (en) 2015-04-09

Family

ID=48999042

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2014/059780 WO2014207581A2 (en) 2013-06-27 2014-03-14 Processing a guest event in a hypervisor-controlled system

Country Status (6)

Country Link
US (1) US9690947B2 (en)
JP (1) JP6347831B2 (en)
CN (1) CN105453034B (en)
DE (1) DE112014000965T5 (en)
GB (2) GB2515536A (en)
WO (1) WO2014207581A2 (en)

Families Citing this family (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015026336A1 (en) * 2013-08-21 2015-02-26 Intel Corporation Processing data privately in the cloud
GB2532415A (en) * 2014-11-11 2016-05-25 Ibm Processing a guest event in a hypervisor-controlled system
US9875047B2 (en) * 2015-05-27 2018-01-23 Red Hat Israel, Ltd. Exit-less host memory locking in a virtualized environment
GB2539428B (en) 2015-06-16 2020-09-09 Advanced Risc Mach Ltd Data processing apparatus and method with ownership table
GB2539429B (en) 2015-06-16 2017-09-06 Advanced Risc Mach Ltd Address translation
GB2539435B8 (en) 2015-06-16 2018-02-21 Advanced Risc Mach Ltd Data processing memory access control, in which an owning process for a region of memory is specified independently of privilege level
GB2539433B8 (en) * 2015-06-16 2018-02-21 Advanced Risc Mach Ltd Protected exception handling
US9767318B1 (en) * 2015-08-28 2017-09-19 Frank Dropps Secure controller systems and associated methods thereof
CN105184154B (en) * 2015-09-15 2017-06-20 中国科学院信息工程研究所 A kind of system and method that crypto-operation service is provided in virtualized environment
US9894061B2 (en) 2015-10-16 2018-02-13 International Business Machines Corporation Method for booting and dumping a confidential image on a trusted computer system
US10102151B2 (en) 2015-11-06 2018-10-16 International Business Machines Corporation Protecting a memory from unauthorized access
US9841987B2 (en) 2015-12-17 2017-12-12 International Business Machines Corporation Transparent secure interception handling
US10019279B2 (en) 2015-12-17 2018-07-10 International Business Machines Corporation Transparent secure interception handling
US9898326B2 (en) * 2016-02-23 2018-02-20 Red Hat Israel, Ltd. Securing code loading in a virtual environment
US11188651B2 (en) * 2016-03-07 2021-11-30 Crowdstrike, Inc. Hypervisor-based interception of memory accesses
US10348500B2 (en) * 2016-05-05 2019-07-09 Adventium Enterprises, Llc Key material management
US10243746B2 (en) * 2017-02-27 2019-03-26 Red Hat, Inc. Systems and methods for providing I/O state protections in a virtualized environment
CN107240408B (en) * 2017-05-11 2019-05-10 中国科学院信息工程研究所 For the read-write managing and control system of CD-ROM CD media
GB2563886B (en) 2017-06-28 2019-12-25 Advanced Risc Mach Ltd Realm management unit-private memory regions
US10686605B2 (en) * 2017-09-29 2020-06-16 Intel Corporation Technologies for implementing mutually distrusting domains
US10757082B2 (en) * 2018-02-22 2020-08-25 International Business Machines Corporation Transforming a wrapped key into a protected key
US10949547B2 (en) * 2018-10-05 2021-03-16 Google Llc Enclave fork support
US11403409B2 (en) 2019-03-08 2022-08-02 International Business Machines Corporation Program interruptions for page importing/exporting
US10956188B2 (en) 2019-03-08 2021-03-23 International Business Machines Corporation Transparent interpretation of guest instructions in secure virtual machine environment
US11443040B2 (en) * 2019-03-08 2022-09-13 International Business Machines Corporation Secure execution guest owner environmental controls
US11308215B2 (en) 2019-03-08 2022-04-19 International Business Machines Corporation Secure interface control high-level instruction interception for interruption enablement
US11354421B2 (en) 2019-03-08 2022-06-07 International Business Machines Corporation Secure execution guest owner controls for secure interface control
WO2021167659A1 (en) * 2019-11-14 2021-08-26 Trideum Corporation Systems and methods of monitoring and controlling remote assets
US11475167B2 (en) 2020-01-29 2022-10-18 International Business Machines Corporation Reserving one or more security modules for a secure guest
CN111833108A (en) * 2020-07-17 2020-10-27 上海国际技贸联合有限公司 Information acquisition, analysis and processing system, method and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101179379A (en) * 2007-12-11 2008-05-14 中兴通讯股份有限公司 Firmware security management method for microwave access global intercommunication system
US20080178171A1 (en) * 2007-01-23 2008-07-24 Masahiro Sueyoshi Management System, Management Method, Terminal Device, Management Server and Program
CN101470783A (en) * 2007-12-25 2009-07-01 中国长城计算机深圳股份有限公司 Identity recognition method and device based on trusted platform module

Family Cites Families (51)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5404563A (en) * 1991-08-28 1995-04-04 International Business Machines Corporation Scheduling normally interchangeable facilities in multiprocessor computer systems
US5371867A (en) * 1992-11-10 1994-12-06 International Business Machines Corporation Method of using small addresses to access any guest zone in a large memory
JP2003051819A (en) * 2001-08-08 2003-02-21 Toshiba Corp Microprocessor
US7024555B2 (en) * 2001-11-01 2006-04-04 Intel Corporation Apparatus and method for unilaterally loading a secure operating system within a multiprocessor environment
CN100447736C (en) * 2004-05-08 2008-12-31 英特尔公司 Firmware interface runtime environment protection field
US8627315B2 (en) * 2004-12-31 2014-01-07 Intel Corporation Apparatus and method for cooperative guest firmware
US7299337B2 (en) * 2005-05-12 2007-11-20 Traut Eric P Enhanced shadow page table algorithms
US20080059556A1 (en) * 2006-08-31 2008-03-06 Egenera, Inc. Providing virtual machine technology as an embedded layer within a processing platform
US8615643B2 (en) * 2006-12-05 2013-12-24 Microsoft Corporation Operational efficiency of virtual TLBs
US7788464B2 (en) * 2006-12-22 2010-08-31 Microsoft Corporation Scalability of virtual TLBs for multi-processor virtual machines
US8688920B2 (en) * 2007-05-14 2014-04-01 International Business Machines Corporation Computing system with guest code support of transactional memory
US8127292B1 (en) * 2007-06-22 2012-02-28 Parallels Holdings, Ltd. Virtualization system with hypervisor embedded in bios or using extensible firmware interface
JP4678396B2 (en) * 2007-09-25 2011-04-27 日本電気株式会社 Computer and method for monitoring virtual machine monitor, and virtual machine monitor monitor program
US8156298B1 (en) * 2007-10-24 2012-04-10 Adam Stubblefield Virtualization-based security apparatuses, methods, and systems
US20090113111A1 (en) * 2007-10-30 2009-04-30 Vmware, Inc. Secure identification of execution contexts
US8261028B2 (en) * 2007-12-31 2012-09-04 Intel Corporation Cached dirty bits for context switch consistency checks
US8364983B2 (en) * 2008-05-08 2013-01-29 Microsoft Corporation Corralling virtual machines with encryption keys
US8381032B2 (en) * 2008-08-06 2013-02-19 O'shantel Software L.L.C. System-directed checkpointing implementation using a hypervisor layer
JP4643702B2 (en) * 2008-10-27 2011-03-02 株式会社東芝 Microprocessor
US20100146267A1 (en) * 2008-12-10 2010-06-10 David Konetski Systems and methods for providing secure platform services
US8738932B2 (en) * 2009-01-16 2014-05-27 Teleputers, Llc System and method for processor-based security
US10496670B1 (en) * 2009-01-21 2019-12-03 Vmware, Inc. Computer storage deduplication
US8538919B1 (en) * 2009-05-16 2013-09-17 Eric H. Nielsen System, method, and computer program for real time remote recovery of virtual computing machines
US20110041126A1 (en) * 2009-08-13 2011-02-17 Levy Roger P Managing workloads in a virtual computing environment
US20110202765A1 (en) * 2010-02-17 2011-08-18 Microsoft Corporation Securely move virtual machines between host servers
JP5484117B2 (en) * 2010-02-17 2014-05-07 株式会社日立製作所 Hypervisor and server device
US9703586B2 (en) * 2010-02-17 2017-07-11 Microsoft Technology Licensing, Llc Distribution control and tracking mechanism of virtual machine appliances
WO2011101972A1 (en) * 2010-02-18 2011-08-25 株式会社東芝 Program
US8793439B2 (en) * 2010-03-18 2014-07-29 Oracle International Corporation Accelerating memory operations using virtualization information
US8375437B2 (en) * 2010-03-30 2013-02-12 Microsoft Corporation Hardware supported virtualized cryptographic service
US8671405B2 (en) * 2010-03-31 2014-03-11 Microsoft Corporation Virtual machine crash file generation techniques
JP5574230B2 (en) * 2010-04-28 2014-08-20 株式会社日立製作所 Fault handling method and computer
US8555377B2 (en) * 2010-04-29 2013-10-08 High Cloud Security Secure virtual machine
US8812871B2 (en) * 2010-05-27 2014-08-19 Cisco Technology, Inc. Method and apparatus for trusted execution in infrastructure as a service cloud environments
US8566613B2 (en) * 2010-06-11 2013-10-22 Intel Corporation Multi-owner deployment of firmware images
US9183023B2 (en) * 2010-07-01 2015-11-10 Hewlett-Packard Development Company, L.P. Proactive distribution of virtual environment user credentials in a single sign-on system
US8239620B2 (en) * 2010-09-27 2012-08-07 Mips Technologies, Inc. Microprocessor with dual-level address translation
CA2825811A1 (en) * 2011-01-27 2012-08-02 L-3 Communications Corporation Internet isolation for avoiding internet security threats
WO2012157019A1 (en) * 2011-05-16 2012-11-22 株式会社日立製作所 Computer system and node search method
JP5365664B2 (en) * 2011-06-20 2013-12-11 富士通セミコンダクター株式会社 Secure processor
US8984478B2 (en) * 2011-10-03 2015-03-17 Cisco Technology, Inc. Reorganization of virtualized computer programs
US9256552B2 (en) * 2011-11-21 2016-02-09 Cisco Technology, Inc. Selective access to executable memory
US9146847B2 (en) * 2011-12-14 2015-09-29 Vmware, Inc. Optimizing for page sharing in virtualized java virtual machines
US8918608B2 (en) * 2012-01-09 2014-12-23 Ravello Systems Ltd. Techniques for handling memory accesses by processor-independent executable code in a multi-processor environment
US8959577B2 (en) * 2012-04-13 2015-02-17 Cisco Technology, Inc. Automatic curation and modification of virtualized computer programs
US10152409B2 (en) * 2012-04-30 2018-12-11 Vmware, Inc. Hybrid in-heap out-of-heap ballooning for java virtual machines
US10063380B2 (en) * 2013-01-22 2018-08-28 Amazon Technologies, Inc. Secure interface for invoking privileged operations
US9503268B2 (en) * 2013-01-22 2016-11-22 Amazon Technologies, Inc. Securing results of privileged computing operations
US20150363220A1 (en) * 2013-02-01 2015-12-17 Hitachi, Ltd. Virtual computer system and data transfer control method for virtual computer system
US9606818B2 (en) * 2013-03-14 2017-03-28 Qualcomm Incorporated Systems and methods of executing multiple hypervisors using multiple sets of processors
US9880773B2 (en) * 2013-03-27 2018-01-30 Vmware, Inc. Non-homogeneous disk abstraction for data oriented applications

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080178171A1 (en) * 2007-01-23 2008-07-24 Masahiro Sueyoshi Management System, Management Method, Terminal Device, Management Server and Program
CN101179379A (en) * 2007-12-11 2008-05-14 中兴通讯股份有限公司 Firmware security management method for microwave access global intercommunication system
CN101470783A (en) * 2007-12-25 2009-07-01 中国长城计算机深圳股份有限公司 Identity recognition method and device based on trusted platform module

Also Published As

Publication number Publication date
JP2016523421A (en) 2016-08-08
US20160148001A1 (en) 2016-05-26
GB201311430D0 (en) 2013-08-14
GB2530225A (en) 2016-03-16
CN105453034B (en) 2018-11-16
US9690947B2 (en) 2017-06-27
GB2530225B (en) 2016-10-19
WO2014207581A2 (en) 2014-12-31
GB2515536A (en) 2014-12-31
CN105453034A (en) 2016-03-30
DE112014000965T5 (en) 2015-12-03
JP6347831B2 (en) 2018-06-27
GB201600172D0 (en) 2016-02-17

Similar Documents

Publication Publication Date Title
WO2014207581A3 (en) Processing guest event in hypervisor-controlled system
GB2548268A (en) Processing guest event in hypervisor-controlled system
NZ746653A (en) Access control for encrypted data in machine-readable identifiers
WO2014116528A3 (en) Providing an encrypted account credential from a first device to a second device
WO2018229549A3 (en) System and method for digital environment reconstruction
EP3627843A3 (en) Systems and methods for performing transport i/o
EP3407534A4 (en) In-car computer system, vehicle, key generation device, management method, key generation method, and computer program
GB2545838A (en) Hypervisor and virtual machine protection
AU2012225621A8 (en) Secure file sharing method and system
EP3602954A4 (en) Method and system for hierarchical cryptographic key management
NZ701459A (en) Systems and methods for secure processing with embedded cryptographic unit
WO2013068843A8 (en) Multi-key cryptography for encrypting file system acceleration
MX2017005313A (en) Transaction messaging.
EP3334085A4 (en) Management device, management system, key generation device, key generation system, key management system, vehicle, management method, key generation method, and computer program
EP3598714A4 (en) Method, device, and system for encrypting secret key
AU2017269280B2 (en) Executable logic for processing keyed data in networks
UA100829C2 (en) Systems, methods, and apparatuses for ciphering error detection and recovery
MX2016002467A (en) Format preservation based masking system and method.
IN2015CH03249A (en)
MX362756B (en) Systems and methods for a credential including multiple access privileges.
WO2013106798A3 (en) Method and apparatus for generating a privilege-based key
PH12016500612A1 (en) Relevance based visual media item modification
IN2014MU00771A (en)
WO2016144258A3 (en) Methods and systems for facilitating secured access to storage devices
WO2015066209A3 (en) Opt-in and time limited bi-directional real-time location sharing

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201480036373.2

Country of ref document: CN

WWE Wipo information: entry into national phase

Ref document number: 112014000965

Country of ref document: DE

Ref document number: 1120140009652

Country of ref document: DE

ENP Entry into the national phase

Ref document number: 2016522898

Country of ref document: JP

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 14899166

Country of ref document: US

ENP Entry into the national phase

Ref document number: 1600172

Country of ref document: GB

Kind code of ref document: A

Free format text: PCT FILING DATE = 20140314

122 Ep: pct application non-entry in european phase

Ref document number: 14817597

Country of ref document: EP

Kind code of ref document: A2