SECONDARY CPU MMU INITIALIZATION USING PAGE FAULT EXCEPTION
    21. Invention application (legal status: in force)

    Publication number: US20160170679A1

    Publication date: 2016-06-16

    Application number: US14572505

    Filing date: 2014-12-16

    Applicant: VMware, Inc.

    Abstract: In a computer system with multiple central processing units (CPUs), initialization of a memory management unit (MMU) for a secondary CPU is performed using an exception generated by the MMU. In general, this technique leverages the exception handling features of the secondary CPU to switch the CPU from executing secondary CPU initialization code with the MMU “off” to executing secondary CPU initialization code with the MMU “on.” Advantageously, in contrast to conventional techniques for MMU initialization, this exception-based technique does not require identity mapping of the secondary CPU initialization code to ensure proper execution of the secondary CPU initialization code.


DEVICE SIMULATION IN A SECURE MODE SUPPORTED BY HARDWARE ARCHITECTURES
    22. Invention application (legal status: in force)

    Publication number: US20150371036A1

    Publication date: 2015-12-24

    Application number: US14312249

    Filing date: 2014-06-23

    Applicant: VMware, Inc.

    CPC classification number: G06F9/45516 G06F9/45533 G06F21/74

    Abstract: A secure mode of a computer system is used to provide simulated devices. In operation, if an instruction executing in a non-secure mode accesses a simulated device, then a resulting exception is forwarded to a secure monitor executing in the secure mode. Based on the address accessed by the instruction, the secure monitor identifies the device and simulates the instruction. The secure monitor executes independently of other applications included in the computer system, and does not rely on any hardware virtualization capabilities of the computer system.


HYPERVISOR CONTEXT SWITCHING USING TLB TAGS IN PROCESSORS HAVING MORE THAN TWO HIERARCHICAL PRIVILEGE LEVELS
    23. Invention application (legal status: pending, published)

    Publication number: US20150370592A1

    Publication date: 2015-12-24

    Application number: US14312225

    Filing date: 2014-06-23

    Applicant: VMware, Inc.

    CPC classification number: G06F9/45558 G06F2009/45587

    Abstract: In a virtualized computer system operable in more than two hierarchical privilege levels, components of a hypervisor, which include a virtual machine kernel and virtual machine monitors (VMMs), are assigned to different privilege levels. The virtual machine kernel operates at a low privilege level to be able to exploit certain features provided by the low privilege level, and the VMMs operate at a high privilege level to support execution of virtual machines. Upon determining that a context switch from the virtual machine kernel to a VMM is to be performed, the computer system exits the low privilege level, and enters the high privilege level to execute a trampoline that supports context switches to VMMs, such as state changes, and then the VMM. The trampoline is deactivated after execution control is switched to the VMM.


    DEPLOYING ENCLAVES ON DIFFERENT TEE BACKENDS USING A UNIVERSAL ENCLAVE BINARY

    Publication number: US20240119138A1

    Publication date: 2024-04-11

    Application number: US17960738

    Filing date: 2022-10-05

    Applicant: VMware, Inc.

    CPC classification number: G06F21/53 G06F21/121 G06F21/54

    Abstract: The disclosure herein describes deploying a Virtual Secure Enclave (VSE) using a universal enclave binary and a Trusted Runtime (TR). A universal enclave binary is generated that includes a set of binaries of Instruction Set Architectures (ISAs) associated with Trusted Execution Environment (TEE) hardware backends. A TEE hardware backend is identified in association with a VSE-compatible device. A VSE that is compatible with the identified TEE hardware backend is generated on the VSE-compatible device, and an ISA binary that matches the TEE hardware backend is selected from the universal enclave binary. The selected binary is linked to a runtime library of the TR, and the linked binary is loaded into memory of the generated VSE. The execution of a trusted application is initiated in the generated VSE using a set of interfaces of the TR. The trusted application depends on the TR interfaces rather than on the selected ISA binary.

    REMOTE PROVISIONING OF HOSTS IN PUBLIC CLOUDS

    Publication number: US20220066787A1

    Publication date: 2022-03-03

    Application number: US17403399

    Filing date: 2021-08-16

    Applicant: VMware, Inc.

    Abstract: Examples provide for automatically provisioning hosts in a cloud environment. A cloud daemon generates a cloud host-state configuration, for a given cloud instance of a host, stored on a cloud metadata service prior to first boot of the given cloud instance of the host. A first boot of a plurality of cloud instances of hosts is performed using a stateless, master boot image lacking host-specific configuration data. On completion of the first boot of a given cloud instance of a host, the cloud host-state configuration is installed on the master boot image to generate a self-configured boot image including host-specific configuration data for the given cloud instance of the host. A second boot is performed on the given cloud instance of the host by executing the self-configured boot image to automatically provision the given cloud instance of the host in the cloud environment.

    UNIFIED HYPERCALL INTERFACE ACROSS PROCESSORS IN VIRTUALIZED COMPUTING SYSTEMS

    Publication number: US20210224090A1

    Publication date: 2021-07-22

    Application number: US16744356

    Filing date: 2020-01-16

    Applicant: VMware, Inc.

    Abstract: An example method of interfacing with a hypervisor is described for a computing system that includes a processor having at least three hierarchical privilege levels, with a third privilege level more privileged than a second privilege level and the second privilege level more privileged than a first privilege level. The method includes: identifying an input/output (I/O) space instruction, not supported by the processor, to be performed for backdoor communication between the hypervisor and guest software executing in a virtual machine (VM) managed by the hypervisor, the hypervisor executing at the third privilege level; writing one or more parameters to one or more registers of the processor that are mapped to one or more unsupported registers used by the I/O space instruction; writing a value indicative of the I/O space instruction to a designated register of the processor; and executing an instruction, by the guest software executing at the first or second privilege level, which is trapped to the third privilege level.

    IMPLEMENTING FIRMWARE RUNTIME SERVICES IN A COMPUTER SYSTEM

    Publication number: US20190391814A1

    Publication date: 2019-12-26

    Application number: US16013263

    Filing date: 2018-06-20

    Applicant: VMware, Inc.

    Abstract: An example method of implementing firmware runtime services in a computer system having a processor with a plurality of hierarchical privilege levels, the method including: calling, from software executing at a first privilege level of the processor, a runtime service stub in a firmware of the computer system; executing, by the runtime service stub, an upcall instruction from the first privilege level to a second privilege level of the processor that is more privileged than the first privilege level; and executing, by a handler, a runtime service at the second privilege level in response to execution of the upcall instruction.

    VIRTUALIZATION DETECTION IN A COMPUTING SYSTEM

    Publication number: US20190213095A1

    Publication date: 2019-07-11

    Application number: US15865770

    Filing date: 2018-01-09

    Applicant: VMware, Inc.

    Abstract: A method of detecting virtualization in a computing system, which includes a processor having at least three hierarchical privilege levels including a third privilege level more privileged than a second privilege level, the second privilege level more privileged than a first privilege level, is described. The method includes: executing a program on the processor at a privilege level less privileged than the third privilege level, the program including a load-exclusive instruction of the processor, followed by at least one instruction of the processor capable of being trapped to the third privilege level, followed by a store-exclusive instruction of the processor; and determining presence or absence of virtualization software at least a portion of which executes at the third privilege level in response to a return status of the store-exclusive instruction.
