公开(公告)号：EP3274822A1

公开(公告)日：2018-01-31

申请号：EP15886773.9

申请日：2015-03-27

申请人： Intel Corporation

发明人： WANG, Wei ,  DONG, Yaozu ,  ZHANG, Yang

IPC分类号： G06F9/445

CPC分类号： G06F9/45558 ,  G06F9/5088 ,  G06F12/1027 ,  G06F2009/45566 ,  G06F2009/4557 ,  G06F2009/45583 ,  G06F2212/657

摘要： Technologies for virtual machine migration are disclosed. A plurality of virtual machines may be established on a source node at varying tiers of quality-of-service. The source node may identify a set of virtual machines from the plurality of virtual machines having a lower or lowest tier of quality-of-service. Additionally, the source node may perform a pseudo-migration for each of the virtual machines of the identified set to determine a dynamic working set for each corresponding virtual machine. The source node may select a virtual machine for migration based on the dynamic working set. The pseudo migration may include emulation of a pre-copy phase of a corresponding live migration to identify the number of dirty memory pages likely to result during the corresponding live migration of the corresponding virtual machine.

公开(公告)号：EP2795464A4

公开(公告)日：2015-07-29

申请号：EP11878055

申请日：2011-12-22

申请人： INTEL CORP

发明人： TIAN KUN ,  DONG YAO ZU

IPC分类号： G06F9/455

CPC分类号： G06F9/45533 ,  G06F9/45558 ,  G06F2009/45566

摘要： Embodiments of the invention enable dynamic level boosting of operations across virtualization layers to enable efficient nested virtualization. Embodiments of the invention execute a first virtual machine monitor (VMM) to virtualize system hardware. A nested virtualization environment is created by executing a plurality of upper level VMMs via virtual machines (VMs). These upper level VMMs are used to execute an upper level virtualization layer including an operating system (OS). During operation of the above described nested virtualization environment, a privileged instruction issued from an OS is trapped and emulated via the respective upper level VMM (i.e., the VMM that creates the VM for that OS). Embodiments of the invention enable the emulation of the privileged instruction via a lower level VMM. In some embodiments, the emulated instruction is executed via the first VMM with little to no involvement of any intermediate virtualization layers residing between the first and upper level VMMs.

公开(公告)号：EP2182438A1

公开(公告)日：2010-05-05

申请号：EP09013427.1

申请日：2009-10-23

申请人： Hitachi Ltd.

发明人： Moriki, Toshiomi ,  Hattori, Naoya ,  Tsushima, Yuji

IPC分类号： G06F9/455

CPC分类号： G06F9/45533 ,  G06F9/45558 ,  G06F9/463 ,  G06F2009/45566

摘要： Provided is a virtual machine including a first virtualization module operating on a physical CPU, for providing a first CPU, and a second virtualization module operating on the first CPU, for providing second CPU. The second virtualization module includes first processor control information holding a state of the first CPU obtained at a time of execution of the user program. The first virtualization module includes second processor control information containing a state of the physical CPU obtained at the time of the execution of the second virtualization module, third processor control information containing a state of the physical CPU obtained at the time of the execution of the user program, and prefetch entry information in which information to be prefetched from the third processor control information is set, and, upon detection of a event, the information set in the prefetch entry information is reflected to the first processor control information.

摘要翻译： 提供了一种虚拟机，其包括在物理CPU上操作的第一虚拟化模块，用于提供第一CPU，以及在第一CPU上操作的第二虚拟化模块，用于提供第二CPU。 第二虚拟化模块包括保持执行用户程序时获得的第一CPU的状态的第一处理器控制信息。 第一虚拟化模块包括第二处理器控制信息，其包含执行第二虚拟化模块时获得的物理CPU的状态，第三处理器控制信息，其包含在执行用户时获得的物理CPU的状态 程序和预取条目信息，其中设置从第三处理器控制信息预取的信息，并且在检测到事件时，将预取条目信息中设置的信息反映到第一处理器控制信息。

公开(公告)号：EP1995662A1

公开(公告)日：2008-11-26

申请号：EP07254788.8

申请日：2007-12-12

申请人： Intel Corporation

发明人： Bennett, Steven M. ,  Rodgers, Scott D. ,  Shekhar, Shashank ,  Anderson, Andrew V. ,  Huntley, Barry E. ,  Neiger, Gilbert ,  Smith III, Lawrence

IPC分类号： G06F9/455 ,  G06Q30/00

CPC分类号： G06F9/45558 ,  G06F2009/45566

摘要： Embodiments of apparatuses, methods, and systems for controlling virtual machines based on activity state are disclosed. In one embodiment, an apparatus includes virtual machine entry logic and activity state evaluation logic. The virtual machine entry logic is to transfer control of the apparatus from a host to a guest. The activity state evaluation logic is to determine whether the activity state of the guest would be inactive upon receiving control.

摘要翻译： 公开了用于基于活动状态来控制虚拟机的设备，方法和系统的实施例。 在一个实施例中，装置包括虚拟机入口逻辑和活动状态评估逻辑。 虚拟机入口逻辑是将设备的控制从主机传送到访客。 活动状态评估逻辑是确定访客的活动状态是否在接收到控制时处于不活动状态。

公开(公告)号：EP3158489A1

公开(公告)日：2017-04-26

申请号：EP15809533.1

申请日：2015-06-17

申请人： Waratek Limited

发明人： HOLT, John Matthew

IPC分类号： G06F21/00 ,  G06F9/44

CPC分类号： G06F21/53 ,  G06F9/45558 ,  G06F2009/45566 ,  G06F2009/45587

摘要： A computer architecture providing enhanced JVM security and a method of providing enhanced security for a JVM are disclosed. The host computer runs a single, first, trusted JAVA API library above which is located a hypervisor software layer, and then at least one untrusted JAVA API library. The code of each second, upper, untrusted JAVA API library is modified at, or before runtime to call the hypervisor software layer instead of the JVM to thereby create a silo corresponding to each of the second, upper, untrusted JAVA API libraries. Each silo extends between the host computer and the corresponding second, upper, untrusted JAVA API library. The hypervisor software layer is operated to only permit communication between each of the second, upper, untrusted JAVA API libraries and a corresponding portion of the memory and functional assets of the host computer. Consequently, each of the second, upper, untrusted JAVA API libraries cannot communicate with all of the host computer memory and/or all of the host computer functional assets. A computer program product is also disclosed.

摘要翻译： 公开了提供增强的JVM安全性的计算机体系结构和为JVM提供增强的安全性的方法。 主机运行一个单独的，第一个可信的JAVA API库，在其上面定位一个管理程序软件层，然后至少有一个不可信的JAVA API库。 在运行时调整管理程序软件层而不是JVM，从而修改每个第二，较高的，不可信的JAVA API库的代码，从而创建与第二，较高的，不可信的JAVA API库相对应的筒仓。 每个筒仓都在主机和相应的第二个不可信的JAVA API库之间进行扩展。 管理程序软件层被操作以仅允许每个第二，较高的，不可信的JAVA API库与主机的存储器和功能资产的对应部分之间的通信。 因此，第二个不可信的JAVA API库中的每一个都不能与所有的主计算机存储器和/或所有主计算机功能资产通信。 还公开了一种计算机程序产品。

公开(公告)号：EP1955154A2

公开(公告)日：2008-08-13

申请号：EP06826781.4

申请日：2006-10-25

申请人： Secure64 Software Corporation

发明人： WORLEY, William, S. Jr.,

IPC分类号： G06F9/455

CPC分类号： G06F21/53 ,  G06F9/45558 ,  G06F2009/45566 ,  G06F2009/45583 ,  G06F2009/45587

摘要： Embodiments of the present invention provide secure virtual-machine monitors and secure, base-level operating systems that, in turn, provide secure execution environments for guest operating systems and certain special functions that can interface directly to base-level operating systems. Security is accomplished by employing a small, verifiable component of a secure foundation that executes at highest privilege between the hardware interface and the virtual-machine monitor. The virtual-machine monitor and secure foundation employ virtual-machine-monitor-resident guest-operating-system monitors, memory compartmentalization, and authenticated calls to securely isolate computational entities from one another within the computer system.

公开(公告)号：EP1922619A1

公开(公告)日：2008-05-21

申请号：EP06802600.4

申请日：2006-08-29

申请人： Microsoft Corporation

发明人： TRAUT, Eric, P.

IPC分类号： G06F9/455 ,  G06F9/06 ,  G06F9/00 ,  G06F12/00

CPC分类号： G06F9/45558 ,  G06F2009/45566

摘要： Hierarchical virtualization is disclosed, where such virtualization can be accomplished with a multi-level mechanism. The hierarchical virtualization includes using a hypervisor that maintains a first partition and using a virtualization stack within the first partition to create and control a second partition. Multiple virtualization stacks can subsist within the first partition, and each such virtualization stack can create and control multiple partitions. In one particular implementation, a child partition can have exclusive control over a portion or all of its resources with respect to a parent partition. The hypervisor as the ultimate arbiter in such a virtualized environment enforces such a setup and is able to communicate directly within any partition within the virtualized hierarchy.

公开(公告)号：EP0187603A3

公开(公告)日：1989-04-26

申请号：EP85402639.0

申请日：1985-12-26

申请人： DIGITAL EQUIPMENT CORPORATION

发明人： Karger, Paul A. ,  Leonard, Timothy E. ,  Mason, Andrew H.

IPC分类号： G06F12/14

CPC分类号： G06F12/1491 ,  G06F9/45558 ,  G06F2009/45566 ,  G06F2009/45583

摘要： A computer system including a processor and memory, the processor having a virtual mode of operation in which it uses a virtual machine monitor which allows it to service a plurality of users contemporaneously in a multiplexed manner, and a non-virtual, or real, mode of operation. The computer system has a set of at least three operation mode protection rings representing a hierarchy of access privilege levels in both the real and virtual modes, with the number of privilege levels in both the real and virtual modes being the same. The privilege levels govern the accessibility of memory locations to programs and the executability of certain privileged instructions, which cause control to be transferred to the virtual machine monitor when the processor is in a virtual mode. The two most privileged levels in the virtual mode are both treated as corresponding to the second most privileged level in the real mode, whereby if the processor is in the most privileged virtual operating mode, access to memory locations is permitted only if the location is accessible to the second most privileged mode. When an instruction is retrieved, the processor first performs a probe operation to determine whether it can access any required memory locations in response to its current privilege level, and then determines whether it is in a privilege level which allows it to process the instruction.

公开(公告)号：EP0067344A2

公开(公告)日：1982-12-22

申请号：EP82104713.1

申请日：1982-05-28

申请人： International Business Machines Corporation

发明人： Bullions III, Robert Jackson ,  Curlee III, Thomas Oscar ,  Gum, Peter Hermon ,  McGilvray, Bruce Lloyd ,  Richardson, Ethel Louise

IPC分类号： G06F9/46 ,  G06F9/44

CPC分类号： G06F12/1063 ,  G06F9/44 ,  G06F9/45558 ,  G06F2009/45566 ,  G06F2009/45583

摘要： A data processing system includes TLB hardware (DLAT 131) in a CP that receives the results of double-level address translations to eliminate the need for having shadow tables for the second-level in a virtual machine (VM) environment. Each TLB entry contains hardware (G-Field) which indicates whether the address sent by the CP Instruction Execution (IE) unit for translation is a guest or host/native request, and for a guest request if it is a real or virtual address (R-Field). Intermediate translations for a double-level translation are inhibited from being loaded into the TLB (line 54A). Guest entries are purged from the TLB without disturbing any host entries (DLAT purge control 140). An accelerated preferred guest mode in the CP forces its hardware adder translation hardware (113, 117) to translate each accelerated preferred guest request, since it requires only a single level translation. A non-accelerated guest request is instead translated by microcode in the IE. A limit check register (102) is provided to check preferred guest addresses without causing performance degradation.

摘要翻译： 数据处理系统包括CP中的TLB硬件（DLAT 131），其接收双级地址转换的结果，以消除在虚拟机（VM）环境中为第二级具有影子表的需要。 每个TLB条目包含硬件（G-Field），其指示由用于转换的CP指令执行（IE）单元发送的地址是来宾还是主机/本地请求，以及如果是真实或虚拟地址的客户请求 R-场）。 双级翻译的中间翻译被禁止加载到TLB（第54行）。 访客条目从TLB清除，而不会干扰任何主机条目（DLAT清除控制140）。 CP中加速的优先客户模式迫使其硬件加法器转换硬件（113,117）翻译每个加速的优选客户请求，因为它仅需要单个级别的转换。 IE中的微码转换为非加速访客请求。 提供限制检查寄存器（102）以检查优先访客地址而不会导致性能下降。

公开(公告)号：EP1922619B1

公开(公告)日：2016-11-02

申请号：EP06802600.4

申请日：2006-08-29

申请人： Microsoft Technology Licensing, LLC

发明人： TRAUT, Eric, P.

IPC分类号： G06F9/455

CPC分类号： G06F9/45558 ,  G06F2009/45566