-
1.
Publication number: US11799670B2
Publication date: 2023-10-24
Application number: US17119068
Filing date: 2020-12-11
Applicant: VMware, Inc.
Inventor: Abhishek Srivastava, David Dunn, Jesse Pool, Adrian Drzewiecki
CPC classification number: H04L9/3268, G06F9/45558, H04L9/3247, G06F2009/4557, G06F2009/45587, G06F2009/45595
Abstract: A framework is provided that assigns a digital certificate to each VM-based control plane element and computing node (i.e., worker VM) of a workload orchestration platform implemented in a virtualized environment, where the digital certificate is signed by a trusted entity and provides cryptographic proof that the control plane element/worker VM has been successfully attested by that trusted entity using hardware-based attestation. Each control plane element/worker VM is configured to verify the digital certificates of other platform components prior to communicating with those components. With these digital certificates in place, when an end-user submits to the platform's front-end control plane element a new workload for deployment, the end-user can verify the digital certificate of the front-end control plane element in order to be assured that the workload will be deployed and executed by the platform in a secure manner.
-
2.
Publication number: US11709700B2
Publication date: 2023-07-25
Application number: US17148445
Filing date: 2021-01-13
Applicant: VMware, Inc.
Inventor: Abhishek Srivastava, David A. Dunn, Jesse Pool, Adrian Drzewiecki
IPC: G06F9/455
CPC classification number: G06F9/45558, G06F9/45545, G06F2009/4557, G06F2009/45575, G06F2009/45587
Abstract: An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes: launching, in cooperation with a security module of a host, a guest as a virtual machine (VM) managed by the virtualization layer, the security module generating an attestation report from at least a portion of the VM loaded into memory of the host; sending the attestation report from the security module to a trust authority; receiving, in response to verification of the attestation report by the trust authority, a secret from the trust authority at the security module; and providing the secret from the security module to the guest.
-
3.
Publication number: US11972283B2
Publication date: 2024-04-30
Application number: US17683239
Filing date: 2022-02-28
Applicant: VMware, Inc.
Inventor: Yash Nitin Desai, Abhishek Srivastava
CPC classification number: G06F9/45558, G06F9/44505, G06F9/45545, G06F9/547, G06F2009/4557, G06F2009/45579
Abstract: An example virtualized computing system includes: a host cluster having a virtualization layer directly executing on hardware platforms of hosts, the virtualization layer supporting execution of virtual machines (VMs), the VMs including pod VMs and native VMs, the pod VMs including container engines supporting execution of containers in the pod VMs, the native VMs including applications executing on guest operating systems; an orchestration control plane integrated with the virtualization layer and including a master server and native VM controllers, the master server managing lifecycles of the pod VMs and the native VMs; and management agents, executing in the native VMs, configured to receive decoupled information from the master server through the native VM controllers and to provide the decoupled information for consumption by the applications executing in the native VMs, the decoupled information including at least one of configuration information and secret information.
-
4.
Publication number: US11893410B2
Publication date: 2024-02-06
Application number: US17148428
Filing date: 2021-01-13
Applicant: VMware, Inc.
Inventor: Abhishek Srivastava, David A. Dunn, Jesse Pool, Adrian Drzewiecki
CPC classification number: G06F9/45558, G06F9/505, G06F9/5077, G06F21/53, G06F2009/45587, G06F2009/45595
Abstract: An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes storing, in a trust authority, a pre-defined attestation report for a workload executing in a virtual machine (VM) managed by the virtualization layer, the pre-defined attestation report including a hash of at least a portion of an image of the VM; receiving, at the trust authority from a security module of a host in which the VM executes, an attestation report generated by measuring memory of the VM; comparing the attestation report with the pre-defined attestation report; and generating an indication of validity for the workload based on a result of the comparison.
-
5.
Publication number: US20220191046A1
Publication date: 2022-06-16
Application number: US17119068
Filing date: 2020-12-11
Applicant: VMware, Inc.
Inventor: Abhishek Srivastava, David Dunn, Jesse Pool, Adrian Drzewiecki
Abstract: A framework is provided that assigns a digital certificate to each VM-based control plane element and computing node (i.e., worker VM) of a workload orchestration platform implemented in a virtualized environment, where the digital certificate is signed by a trusted entity and provides cryptographic proof that the control plane element/worker VM has been successfully attested by that trusted entity using hardware-based attestation. Each control plane element/worker VM is configured to verify the digital certificates of other platform components prior to communicating with those components. With these digital certificates in place, when an end-user submits to the platform's front-end control plane element a new workload for deployment, the end-user can verify the digital certificate of the front-end control plane element in order to be assured that the workload will be deployed and executed by the platform in a secure manner.
-
6.
Publication number: US11579916B2
Publication date: 2023-02-14
Application number: US16838542
Filing date: 2020-04-02
Applicant: VMware, Inc.
Inventor: Benjamin J. Corrie, Abhishek Srivastava, Adrian Drzewiecki
Abstract: A virtualized computing system includes: a host cluster including hosts executing a virtualization layer on hardware platforms thereof, the virtualization layer configured to support execution of virtual machines (VMs), the VMs including a pod VM, the pod VM including a container engine configured to support execution of containers in the pod VM, the pod VM including a first virtual disk attached thereto; and an orchestration control plane integrated with the virtualization layer, the orchestration control plane including a master server in communication with a pod VM controller, the pod VM controller configured to execute in the virtualization layer external to the VMs and cooperate with a pod VM agent in the pod VM, the pod VM agent generating root directories for the containers in the pod VM, each of the root directories comprising a union of a read/write ephemeral layer stored on the first virtual disk and a read-only layer.
-
7.
Publication number: US11263041B2
Publication date: 2022-03-01
Application number: US16933812
Filing date: 2020-07-20
Applicant: VMware, Inc.
Inventor: Yash Nitin Desai, Abhishek Srivastava
Abstract: An example virtualized computing system includes: a host cluster having a virtualization layer directly executing on hardware platforms of hosts, the virtualization layer supporting execution of virtual machines (VMs), the VMs including pod VMs and native VMs, the pod VMs including container engines supporting execution of containers in the pod VMs, the native VMs including applications executing on guest operating systems; an orchestration control plane integrated with the virtualization layer and including a master server and native VM controllers, the master server managing lifecycles of the pod VMs and the native VMs; and management agents, executing in the native VMs, configured to receive decoupled information from the master server through the native VM controllers and to provide the decoupled information for consumption by the applications executing in the native VMs, the decoupled information including at least one of configuration information and secret information.
-
8.
Publication number: US20190079896A1
Publication date: 2019-03-14
Application number: US15704278
Filing date: 2017-09-14
Applicant: VMware, Inc.
Inventor: Abhishek Srivastava, Bryan Tan, Aditya Sarwade
IPC: G06F15/173, G06F9/455, G06F15/167
Abstract: Described herein are systems, methods, and software to enhance virtualization connection management for virtual remote direct memory access (RDMA) devices. In one implementation, virtual machines may register with a hypervisor for the virtual machines, wherein the registration for each virtual machine includes at least one address for the virtual machine. Once registered, the hypervisor may identify a packet placed in a queue pair from a physical RDMA interface and determine whether a destination address in the packet corresponds to a virtual machine. If the destination address corresponds to a virtual machine, then the hypervisor may provide a callback to the virtual machine, wherein the callback provides access to the packet in the virtual machine as if the packet were received at a virtual RDMA interface of the virtual machine.
-
9.
Publication number: US11513830B2
Publication date: 2022-11-29
Application number: US16838432
Filing date: 2020-04-02
Applicant: VMware, Inc.
Inventor: Daniel Mueller, Abhishek Srivastava, Adrian Drzewiecki
Abstract: Introspection into containers running in virtual machines (VMs) that are instantiated on a host computer is achieved. A method of processing an introspection command for a container, running in a virtual machine, is carried out by a VM management process, and includes the steps of receiving a first request that is formulated according to a first protocol, e.g., transmission control protocol, and includes the introspection command, identifying the virtual machine from the first request, formulating a second request that includes the introspection command, according to a second protocol (e.g., virtual socket protocol), and transmitting the second request to a container management process running in the virtual machine for the container management process to execute the introspection command.
-
10.
Publication number: US20220191025A1
Publication date: 2022-06-16
Application number: US17118978
Filing date: 2020-12-11
Applicant: VMware, Inc.
Inventor: Abhishek Srivastava, David Dunn, Jesse Pool, Adrian Drzewiecki
Abstract: In one set of embodiments, confidential data needed by a workload component running within a worker VM can be placed on an encrypted virtual disk that is attached to the worker VM and hardware-based attestation can be used to validate the worker VM's software and isolate its guest memory from its hypervisor. Upon successful completion of this attestation process, a data decryption key can be delivered to the worker VM via a secure channel established via the attestation, such that the hypervisor cannot read or alter the key. The worker VM can then decrypt the contents of the encrypted virtual disk using the data decryption key, thereby granting the workload component access to the confidential data.