Abstract:
An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes storing, in a trust authority, a pre-defined attestation report for a workload executing in a virtual machine (VM) managed by the virtualization layer, the pre-defined attestation report including a hash of at least a portion of an image of the VM; receiving, at the trust authority from a security module of a host in which the VM executes, an attestation report generated by measuring memory of the VM; comparing the attestation report with the pre-defined attestation report; and generating an indication of validity for the workload based on a result of the comparison.
Abstract:
Examples provide a method of communication between a client application and a filesystem server in a virtualized computing system. The client application executes in a virtual machine (VM) and the filesystem server executes in a hypervisor. The method includes: allocating, by the client application, first shared memory in a guest virtual address space of the client application; creating a guest application shared memory channel between the client application and the filesystem server upon request by the client application to a driver in the VM, the driver in communication with the filesystem server, the guest application shared memory channel using the first shared memory; sending authentication information associated with the client application to the filesystem server to create cached authentication information at the filesystem server; and submitting a command in the guest application shared memory channel from the client application to the filesystem server, the command including the authentication information.
Abstract:
A framework is provided that assigns a digital certificate to each VM-based control plane element and computing node (i.e., worker VM) of a workload orchestration platform implemented in a virtualized environment, where the digital certificate is signed by a trusted entity and provides cryptographic proof that the control plane element/worker VM has been successfully attested by that trusted entity using hardware-based attestation. Each control plane element/worker VM is configured to verify the digital certificates of other platform components prior to communicating with those components. With these digital certificates in place, when an end-user submits to the platform's front-end control plane element a new workload for deployment, the end-user can verify the digital certificate of the front-end control plane element in order to be assured that the workload will be deployed and executed by the platform in a secure manner.
Abstract:
Various aspects are disclosed for unified resource management of containers and virtual machines. A podVM resource configuration for a pod virtual machine (podVM) is determined using container configurations. The podVM comprises a virtual machine (VM) that provides resource isolation for a pod based on the podVM resource configuration. A host selection for the podVM is received from a VM scheduler. The host selection identifies hardware resources for the podVM. A container scheduler is constrained to bind the podVM to the node corresponding to the hardware resources of the host selection from the VM scheduler. The podVM is created in a host corresponding to the host selection. Containers are started within the podVM. The containers correspond to the container configurations.
Abstract:
The approaches described herein implement synchronous execution of a user space operation from a kernel context. A thread, executing on a computing device, initializes a second kernel stack based on a first kernel stack. The computing device executes an operating system having a user space and a kernel space. The thread, executing in kernel space, performs a non-blocking call (e.g., an upcall) to execute an upcall function in user space. The upcall function may further call other user space functions or system calls. The system calls are performed using the second kernel stack. Upon termination of the upcall function, the thread continues execution on the first kernel stack.
Abstract:
The approaches described herein implement execution of a user space operation from a kernel context. A thread, executing on a computing device, initializes a second kernel stack based on a first kernel stack. The computing device executes an operating system having a user space and a kernel space. The thread, executing in kernel space, performs a non-blocking call (e.g., an upcall) to execute an upcall function in user space, such as filtering input/output (I/O) requests. The upcall function may further call other user space functions or system calls. The system calls are performed using the second kernel stack. Upon termination of the upcall function, the thread continues execution on the first kernel stack in kernel space. For example, the thread handles the filtered I/O commands.
Abstract:
Techniques for enabling secure cross-process memory sharing are provided. In one set of embodiments, a first user process executing on a computer system can create a memory handle representing a memory space of the first user process. The first user process can further define one or more access restrictions with respect to the memory handle. The first user process can then transmit the memory handle to a second user process executing on the computer system, the memory handle enabling the second user process to access at least a portion of the first process' memory space, subject to the one or more access restrictions.
Abstract:
A method for provisioning images to deploy containerized workloads in a virtualized environment can include bringing up a containerized workload in a virtualized computing environment responsive to receiving a request to run a containerized workload in the virtualized computing environment. Bringing up the containerized workload can include: creating a VMDK that includes a container image in shared storage of an image registry, responsive to authenticating with the image registry; attaching the VMDK to a virtual computing instance (VCI); responsive to receiving a request, made by a container running in the VCI, for a file of the container image in the attached VMDK, retrieving the file from the shared storage; and bringing up the containerized workload using the file.
Abstract:
Container images are managed in a clustered container host system with a shared storage device. Hosts of the system include a virtualization software layer that supports execution of virtual machines (VMs) in the hosts, and one or more VMs have implemented therein a container engine that supports execution of containers within the respective VMs. Deploying a container in a first VM includes creating a virtual disk in the storage device, storing a container image in the virtual disk, mounting the virtual disk to the first VM, and updating a metadata cache to associate the container image with the virtual disk. Deploying the container in a second VM, executed in a host different from the host in which the first VM is executed, includes checking the metadata cache to determine that the container image is stored in the virtual disk, and mounting the virtual disk to the second VM.
Abstract:
The present disclosure relates to handling page faults in constant time. In particular, a data structure of a fixed height is used to store the page tables, allowing for a constant lookup time for a particular page. Further, a virtual address descriptor corresponding to the page is used to obtain the corresponding instruction data and load it into the page. The virtual address descriptor is directly accessible from the page obtained from walking the page table. This allows page faults to be handled more efficiently, in constant time.