Abstract:
A method of authenticating shared Peripheral Component Interconnect Express (PCIe) devices on a switched fabric includes associating at least one requester identifier with a physical function of a device on the switched fabric and instantiating a virtual function of the device based on the physical function. The virtual function inherits the associated at least one requester identifier. The method further includes accepting memory-mapped input/output traffic through the virtual function only from a requester whose requester identifier matches an associated requester identifier of the virtual function. The method may also include allowing a write operation of the virtual function or the physical function only to an address residing within an allowable address range associated with the device.
Abstract:
A method and apparatus are provided to perform live migration of a guest in a computer system using device assignment. In this method and apparatus, one or more pages of the guest are copied to a target computer system. It is determined which pages have been copied, and what incremental changes have been made to the pages that were copied. For example, the incremental changes may be indicated to a hypervisor of an initial host of the guest by a network interface controller or other device in the computer system. The incremental changes are then copied to the target computer system. Detection and copying of incremental changes may continue until a time when all dirty pages can be copied to the target computer system.
Abstract:
An apparatus includes an interface module, a controller, a key storage module configured to store a key, and a non-volatile storage module configured to store data. The non-volatile storage module has a first partition and a second partition, where the first partition is designated as a read-only storage area for the data and the second partition is designated as a write-only storage area for new data. In response to the new data being written to the second partition with a signature, and the controller verifying that signature using the key stored in the key storage module, the first partition is re-designated as the write-only storage area for other new data and the second partition is re-designated as the read-only storage area for the new data.
Abstract:
A method includes deploying non-volatile random access memory (NVRAM) coupled to a processor or central processing unit (CPU) core of a computing device as a peripheral device via an input/output (I/O) bus, and providing an NVRAM application programming interface (API) for the CPU core to conduct NVRAM read and write operations. Providing the NVRAM API includes allocating a single memory buffer per command to hold data transferred to or from the NVRAM. The method includes configuring the processor, in conjunction with the NVRAM API, to set up command queues inside the host Memory Mapped Input/Output (MMIO) space.
Abstract:
A method for reading a first data bit from a non-volatile memory of a memory system is disclosed. The N most-significant bits are stored for each of M words in a rotated storage section. Address bits are serially received according to the clock signals. Before receiving a final address bit, a rotated word made up of the most significant bit of the M words is fetched from the rotated storage section. Address bits are serially received and rotated words are fetched until the N most-significant bits of the M words have been fetched. Then, un-rotated words are serially fetched from the non-volatile memory. Within one clock signal of the final address bit receipt, a bit is selected out of the fetched rotated words based on the received address bits. The first data bit is returned based on the selected bit and un-rotated words are returned based on the address.
Abstract:
The present application describes a system and method for rate limiting traffic of a virtual machine (VM). In this regard, a VM bypasses a hypervisor and enqueues a packet on an assigned transmission queue of a network interface controller (NIC). Based on information contained in the packet, the NIC determines whether the packet is to be delayed or transmitted immediately. If the NIC determines that the packet is to be transmitted immediately, the packet is moved to one of a plurality of primary output queues to be transmitted to the external network. If the packet is to be delayed, the packet is moved to one of a plurality of rate-limited secondary output queues. In this regard, the NIC classifies the packets, thereby improving performance by allowing high-rate flows to bypass the hypervisor.
Abstract:
A method and apparatus are provided to detect malicious code in a computing system, where the malicious code is obscured by manipulation of an input/output memory management unit. A peripheral component interconnect express (PCIe) device requests a translation of a bus address for a given device in the system and determines whether the requested translation was received. If the requested translation was received, the PCIe device further determines whether the bus address for the given device corresponds to a physical address for the given device. If the bus address for the given device does not correspond to the physical address for the given device, the PCIe device sends a notification that the computing system is potentially compromised.
Abstract:
An example of a system and method implementing a live migration of a guest on a virtual machine of a host server to a target server is provided. For example, a host server may utilize a flow key to encrypt and decrypt communications with a target server. This flow key may be encrypted using a receive master key, which may result in a receive token. The receive token may be sent to the Network Interface Controller of the host server, which will then encrypt the data packet and forward the information to the target server. Multiple sender schemes may be employed on the host server, and various updates may take place on the target server as a result of the new location of the migrating guest from the host server to the target server.
Abstract:
IOMMU map-in may be overlapped with second tier memory access, such that the two operations are at least partially performed at the same time. For example, when a second tier memory read into a storage device controller internal buffer is initiated, an IOMMU mapping may be built simultaneously. To achieve this overlap, a two-stage command buffer is used. In a first stage, content is read from a second tier memory address into the storage device controller internal buffer. In a second stage, the internal buffer is written into the DRAM physical address.
Abstract:
Aspects of the disclosure relate to directing and tracking translation lookaside buffer (TLB) shootdowns within hardware. One or more processors, comprising one or more processor cores, may determine that a process executing on a processing core causes one or more virtual memory pages to become disassociated from one or more previously associated physical memory addresses. The processing core executing the process that caused the disassociation may generate a TLB shootdown request and transmit it to the other cores. The TLB shootdown request may include identification information, a shootdown address indicating the disassociated virtual memory page or pages that need to be flushed from the respective TLBs of the other cores, and a notification address indicating where the other cores may acknowledge completion of the TLB shootdown request.