SECURE INTERFACE CONTROL HIGH-LEVEL INSTRUCTION INTERCEPTION FOR INTERRUPTION ENABLEMENT

    Publication No.: US20200285747A1

    Publication date: 2020-09-10

    Application No.: US16296452

    Filing date: 2019-03-08

    IPC classification: G06F21/57 G06F9/455

    Abstract: A method is provided by a secure interface control of a computer that provides a partial instruction interpretation for an instruction which enables an interruption. The secure interface control fetches a program status word or a control register value from a secure guest storage. The secure interface control notifies an untrusted entity of guest interruption mask updates. The untrusted entity is executed on and in communication with hardware of the computer through the secure interface control to support operations of a secure entity executing on the untrusted entity. The secure interface control receives, from the untrusted entity, a request to present a highest priority, enabled guest interruption in response to the notifying of the guest interruption mask updates. The secure interface control moves interruption information into a guest prefix page and injects the interruption in the secure entity when an injection of the interruption is determined to be valid.

    Secure interface control high-level instruction interception for interruption enablement

    Publication No.: US11308215B2

    Publication date: 2022-04-19

    Application No.: US16296452

    Filing date: 2019-03-08

    IPC classification: H04L9/40 G06F21/57 G06F9/455

    Abstract: A method is provided by a secure interface control of a computer that provides a partial instruction interpretation for an instruction which enables an interruption. The secure interface control fetches a program status word or a control register value from a secure guest storage. The secure interface control notifies an untrusted entity of guest interruption mask updates. The untrusted entity is executed on and in communication with hardware of the computer through the secure interface control to support operations of a secure entity executing on the untrusted entity. The secure interface control receives, from the untrusted entity, a request to present a highest priority, enabled guest interruption in response to the notifying of the guest interruption mask updates. The secure interface control moves interruption information into a guest prefix page and injects the interruption in the secure entity when an injection of the interruption is determined to be valid.

    Host virtual address space for secure interface control storage

    Publication No.: US11176054B2

    Publication date: 2021-11-16

    Application No.: US16296301

    Filing date: 2019-03-08

    IPC classification: G06F12/1009 G06F9/455

    Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, at a secure interface control of a computer system, an access request for a data structure related to a secure entity in a secure domain of the computer system. The secure interface control can check for a virtual storage address associated with a location of the data structure. The secure interface control can request an address translation using a virtual address space of a non-secure entity of the computer system based on determining that the location of the data structure is associated with the virtual storage address. The secure interface control can access the data structure based on a result of the address translation.

    INJECT INTERRUPTS AND EXCEPTIONS INTO SECURE VIRTUAL MACHINE

    Publication No.: US20200285495A1

    Publication date: 2020-09-10

    Application No.: US16296332

    Filing date: 2019-03-08

    IPC classification: G06F9/455 G06F9/38 G06F9/48

    Abstract: According to one or more embodiments of the present invention, a computer implemented method includes initiating, by a non-secure entity that is executing on a host server, a secure entity, the non-secure entity prohibited from directly accessing any data of the secure entity. The method further includes injecting, into the secure entity, an interrupt that is generated by the host server. The injecting includes adding, by the non-secure entity, information about the interrupt into a portion of non-secure storage, which is then associated with the secure entity. The injecting further includes injecting, by a secure interface control of the host server, the interrupt into the secure entity.

    Inject interrupts and exceptions into secure virtual machine

    Publication No.: US11347529B2

    Publication date: 2022-05-31

    Application No.: US16296332

    Filing date: 2019-03-08

    IPC classification: G06F9/455 G06F9/38 G06F9/48

    Abstract: According to one or more embodiments of the present invention, a computer implemented method includes initiating, by a non-secure entity that is executing on a host server, a secure entity, the non-secure entity prohibited from directly accessing any data of the secure entity. The method further includes injecting, into the secure entity, an interrupt that is generated by the host server. The injecting includes adding, by the non-secure entity, information about the interrupt into a portion of non-secure storage, which is then associated with the secure entity. The injecting further includes injecting, by a secure interface control of the host server, the interrupt into the secure entity.

    Transparent interpretation of guest instructions in secure virtual machine environment

    Publication No.: US10956188B2

    Publication date: 2021-03-23

    Application No.: US16296316

    Filing date: 2019-03-08

    IPC classification: G06F9/455

    Abstract: According to one or more embodiments of the present invention, a computer implemented method includes executing, by a virtual machine that is executing on a host server, a stream of instructions, wherein an instruction from the stream of instructions is to be intercepted to a hypervisor. The method further includes, based on a determination that the virtual machine is a secure virtual machine, preventing the hypervisor from directly accessing any data of the secure virtual machine. The method further includes performing by a secure interface control of the host server, based on a determination that the instruction is not interpretable by the secure interface control itself, extracting one or more parameter data associated with the instruction from the secure virtual machine, and storing the parameter data into a buffer that is accessible by the hypervisor. The instruction is subsequently intercepted into the hypervisor.