公开(公告)号：US20050154869A1

公开(公告)日：2005-07-14

申请号：US10756702

申请日：2004-01-12

申请人： Mark Shaw ,  Vipul Gandhi ,  Leon Hong ,  Gary Gostin ,  Craig Warner ,  Paul Bouchier ,  Todd Kjos ,  Guy Kuntz ,  Richard Powers ,  Bryan Stephenson ,  Ryan Weaver ,  Brian Johnson ,  Glen Edwards ,  Brendan Voge ,  Gregg Lesartre

发明人： Mark Shaw ,  Vipul Gandhi ,  Leon Hong ,  Gary Gostin ,  Craig Warner ,  Paul Bouchier ,  Todd Kjos ,  Guy Kuntz ,  Richard Powers ,  Bryan Stephenson ,  Ryan Weaver ,  Brian Johnson ,  Glen Edwards ,  Brendan Voge ,  Gregg Lesartre

IPC分类号： G06F15/177 ,  G06F9/00 ,  G06F9/50 ,  G06F11/00 ,  G06F15/00 ,  G06F15/173 ,  G06F21/20 ,  G06F21/22 ,  H04L29/06

CPC分类号： H04L63/104 ,  G06F9/5077

摘要： A partitionable computer system and method of operating the same is disclosed. The partitionable computer system has a state machine, a processor, and a device controller. The state machine can be configured to monitor the status of a partition of the partitionable computer system. The information provided by the state machine can be used to provide security within the partitionable computing system.

摘要翻译： 公开了一种可分割计算机系统及其操作方法。 可分割计算机系统具有状态机，处理器和设备控制器。 可以将状态机配置为监视可分区计算机系统的分区的状态。 状态机提供的信息可用于在可分区计算系统内提供安全性。

公开(公告)号：US07178015B2

公开(公告)日：2007-02-13

申请号：US10756702

申请日：2004-01-12

申请人： Mark Edward Shaw ,  Vipul Gandhi ,  Leon Hong ,  Gary Belgrave Gostin ,  Craig W. Warner ,  Paul Henry Bouchier ,  Todd Kjos ,  Guy Lowell Kuntz ,  Richard Dickert Powers ,  Bryan Craig Stephenson ,  Ryan Weaver ,  Brian Johnson ,  Glen Edwards ,  Brendan A. Voge ,  Gregg Bernard Lesartre

发明人： Mark Edward Shaw ,  Vipul Gandhi ,  Leon Hong ,  Gary Belgrave Gostin ,  Craig W. Warner ,  Paul Henry Bouchier ,  Todd Kjos ,  Guy Lowell Kuntz ,  Richard Dickert Powers ,  Bryan Craig Stephenson ,  Ryan Weaver ,  Brian Johnson ,  Glen Edwards ,  Brendan A. Voge ,  Gregg Bernard Lesartre

IPC分类号： G06F15/177 ,  G06F9/00 ,  G06F9/455

CPC分类号： H04L63/104 ,  G06F9/5077

摘要： A partitionable computer system and method of operating the same is disclosed. The partitionable computer system has a state machine, a processor, and a device controller. The state machine can be configured to monitor the status of a partition of the partitionable computer system. The information provided by the state machine can be used to provide security within the partitionable computing system.

摘要翻译： 公开了一种可分割计算机系统及其操作方法。 可分割计算机系统具有状态机，处理器和设备控制器。 可以将状态机配置为监视可分区计算机系统的分区的状态。 状态机提供的信息可用于在可分区计算系统内提供安全性。

公开(公告)号：US20060026389A1

公开(公告)日：2006-02-02

申请号：US11030530

申请日：2005-01-05

申请人： Christophe Dinechin ,  Todd Kjos ,  Jonathan Ross

发明人： Christophe Dinechin ,  Todd Kjos ,  Jonathan Ross

IPC分类号： G06F9/30

CPC分类号： G06F9/45533 ,  G06F9/30101

摘要： In one embodiment of the present invention, a virtual-machine monitor detects entry and exit from guest-operating system code, storing the values of a set of high-order floating point registers in memory on entry, and restoring the values of the set of high-order floating point registers on exit. The virtual-machine monitor can then use the set of high-order floating point registers as scratch registers for emulation of guest-operating-system instructions. In alternative embodiments of the present invention, a virtual-machine monitor obtains scratch registers for any code that the virtual-machine monitor can detect entry into and exit from, and for which a set of infrequently used registers can be identified, by storing the current contents of the set of registers upon detected entry into the code and restoring the original contents of the set of registers upon exit from the code, emulating access to the set of registers in the code by memory-access operations.

摘要翻译： 在本发明的一个实施例中，虚拟机监视器检测进入和退出客户操作系统代码，将一组高阶浮点寄存器的值存储在存储器中，并且恢复该组值 退出时有高位浮点寄存器。 然后，虚拟机监视器可以使用该组高阶浮点寄存器作为临时寄存器来仿真客户操作系统指令。 在本发明的替代实施例中，虚拟机监视器获得用于虚拟机监视器可以检测进入和退出的任何代码的暂存寄存器，并且可以通过存储当前的一些不经常使用的寄存器来识别一组不经常使用的寄存器 检测到进入代码后检测到的寄存器组的内容，以及在从代码退出时恢复寄存器组的原始内容，通过存储器访问操作模拟对代码中的寄存器组的访问。

公开(公告)号：US06895491B2

公开(公告)日：2005-05-17

申请号：US10260645

申请日：2002-09-26

申请人： Todd Kjos ,  Jonathan Ross ,  Christophe de Dinechin

发明人： Todd Kjos ,  Jonathan Ross ,  Christophe de Dinechin

IPC分类号： G06F12/00 ,  G06F12/10

CPC分类号： G06F12/145 ,  G06F12/1027 ,  G06F12/1036 ,  G06F12/109

摘要： A software monitor, interposed between the hardware layer of a computer system and one or more guest operating systems, constructs and maintains a guest-physical-address-to-host-physical-address map for each guest operating system, and maintains a virtual memory addressing context for each guest operating system that may include a virtual-hash-page table for each guest operating system, the contents of translation registers for each guest operating system, CPU-specific virtual-memory translations for each guest operating system, and the contents of various status registers. The monitor runs at the highest privilege level provided by the hardware system, intercepting attempts to execute privileged instructions by guest operating systems, and simulates or enhances certain of the privileged instructions related to virtual-memory addressing in order to construct and maintain the guest-physical-address-to-host-physical-address map and to provide each guest operating system with the illusion that the guest operating system is executing as the most privileged process on a virtual machine.

摘要翻译： 插入在计算机系统的硬件层和一个或多个客户操作系统之间的软件监视器构建并维护每个客户操作系统的客体 - 物理地址到主机 - 物理地址映射，并维护虚拟存储器 每个客户机操作系统的寻址上下文可以包括每个客户操作系统的虚拟散列表，每个客户操作系统的翻译寄存器的内容，每个客户操作系统的特定于CPU的虚拟存储器翻译以及内容 各种状态寄存器。 监视器以硬件系统提供的最高权限级别运行，拦截由客户操作系统执行特权指令的尝试，并模拟或增强与虚拟内存寻址相关的某些特权指令，以便构建和维护客户物理 - 地址到主机的物理地址映射，并为每个客户机操作系统提供客户机操作系统作为虚拟机上最特权进程执行的错觉。

公开(公告)号：US20060036830A1

公开(公告)日：2006-02-16

申请号：US11020432

申请日：2004-12-22

申请人： Christophe de Dinechin ,  Jonathan Ross ,  Todd Kjos

发明人： Christophe de Dinechin ,  Jonathan Ross ,  Todd Kjos

IPC分类号： G06F21/00 ,  G06F9/34

CPC分类号： G06F21/79 ,  G06F2221/2101 ,  G06F2221/2149

摘要： Various embodiments of the present invention are directed to efficient methods for virtual-machine monitors to detect, at run time, initial attempts by guest operating systems and other higher-level software to access or execute particular instructions or values corresponding to the particular instructions, that, when accessed for execution, need to be emulated by a virtual-machine monitor, rather than directly accessed by guest operating systems. In certain embodiments of the present invention, the virtual-machine monitor assigns various guest-operating-system-code-containing memory pages to one of a small number of protection-key domains. By doing so, the virtual-machine monitor can arrange for any initial access to the memory pages assigned to the protection-key domains to generate a key-permission fault, after which the key-permission-fault handler of the virtual-machine monitor is invoked to arrange for subsequent, efficient access or emulation of access to the protected pages. In alternative embodiments, protection domains can be implemented by using page-level access rights or translation-lookaside-buffer entry fields.

摘要翻译： 本发明的各种实施例涉及虚拟机监视器在运行时检测由客户操作系统和其他更高级软件访问或执行与特定指令相对应的特定指令或值的初始尝试的有效方法， 当访问执行时，需要由虚拟机监视器进行仿真，而不是由客户机操作系统直接访问。 在本发明的某些实施例中，虚拟机监视器将各种客户操作系统代码存储器页面分配给少数保护关键域中的一个。 通过这样做，虚拟机监视器可以安排对分配给保护关键域的存储器页面的任何初始访问以产生密钥许可故障，之后虚拟机监视器的密钥许可故障处理程序为 调用以安排对受保护页面的访问的后续，高效访问或仿真。 在替代实施例中，可以通过使用页面级访问权限或翻译后备缓冲区条目字段来实现保护域。

公开(公告)号：US07996833B2

公开(公告)日：2011-08-09

申请号：US10909966

申请日：2004-07-31

申请人： Christophe de Dinechin ,  Todd Kjos ,  Jonathan Ross

发明人： Christophe de Dinechin ,  Todd Kjos ,  Jonathan Ross

IPC分类号： G06F9/455

CPC分类号： G06F8/65 ,  G06F9/45558 ,  G06F2009/45583

摘要： Various embodiments of the present invention are directed to efficient methods by which virtual-machine monitors can introduce instructions into guest-operating-system code. In one embodiment of the present invention, the virtual-machine monitor builds instructions dynamically, at insertion time, using specified values for fields within the instruction. In one embodiment of the present invention, the instructions and instruction field values are stored in an instruction-block-representing data structure.

摘要翻译： 本发明的各种实施例涉及虚拟机监视器可以将指令引入到客户操作系统代码中的有效方法。 在本发明的一个实施例中，虚拟机监视器在插入时使用指令内的字段的指定值动态地构建指令。 在本发明的一个实施例中，指令和指令字段值被存储在指令块表示数据结构中。

公开(公告)号：US20060026387A1

公开(公告)日：2006-02-02

申请号：US11027910

申请日：2004-12-29

申请人： Christophe Dinechin ,  Todd Kjos ,  Jonathan Ross

发明人： Christophe Dinechin ,  Todd Kjos ,  Jonathan Ross

IPC分类号： G06F15/00

CPC分类号： G06F9/45537 ,  G06F12/1491

摘要： Various embodiments of the present invention are directed to efficient and robust methods by which virtual-machine monitors can recognize individual instructions and blocks of instructions within guest-operating-system code. In a described embodiment of the present invention, the guest operating system recognizes the instructions by recognizing an overall form, or pattern, for the instruction as well as the values of various fields within the instruction that may change with re-compilations and/or re-linking of guest operating system code.

摘要翻译： 本发明的各种实施例涉及有效和鲁棒的方法，通过该方法，虚拟机监视器可以识别来宾操作系统代码内的各种指令和指令块。 在本发明的描述的实施例中，客户操作系统通过识别用于指令的整体形式或模式以及指令中可能随着重新编译和/或重新改变而改变的各种领域的值来识别指令 链接客户机操作系统代码。

公开(公告)号：US20060026385A1

公开(公告)日：2006-02-02

申请号：US10909969

申请日：2004-07-31

申请人： Christophe Dinechin ,  Todd Kjos ,  Jonathan Ross

发明人： Christophe Dinechin ,  Todd Kjos ,  Jonathan Ross

IPC分类号： G06F12/10

CPC分类号： G06F12/1036 ,  G06F9/45558 ,  G06F2009/45583

摘要： Various embodiments of the present invention are directed to methods by which a virtual-machine monitor can introduce branch instructions, in order to emulate privileged and other instructions on behalf of a guest operating system, into guest-operating-system code residing on virtually aliased virtual-memory pages. In a described embodiment of the present invention, the virtual-machine monitor physically aliases each virtual alias for a particular physical memory page by allocating a physical page for the virtual alias, copying the original contents of the physical memory page to the allocated physical page, or physical alias page, and subsequently patching each physical alias page appropriate to the physical address of the physical alias page.

摘要翻译： 本发明的各种实施例涉及一种虚拟机监视器可以引入分支指令以便将代表客户操作系统的特权和其他指令模拟成驻留在虚拟虚拟虚拟机上的客户操作系统代码中的方法 - 内存页。 在本发明的描述的实施例中，虚拟机监视器通过分配虚拟别名的物理页面将物理存储器页面的原始内容复制到所分配的物理页面来物理地别名为特定物理存储器页面的每个虚拟别名， 或物理别名页面，随后修补与物理别名页面的物理地址相适应的每个物理别名页面。

公开(公告)号：US20060026383A1

公开(公告)日：2006-02-02

申请号：US11027553

申请日：2004-12-29

申请人： Christophe de Dinechin ,  Todd Kjos ,  Jonathan Ross

发明人： Christophe de Dinechin ,  Todd Kjos ,  Jonathan Ross

IPC分类号： G06F12/10

CPC分类号： G06F12/1036 ,  G06F12/1018 ,  G06F12/109

摘要： Various embodiments of the present invention are directed to efficient provision, by a virtual-machine monitor, of a virtual, physical memory interface to guest operating systems and other programs and routines interfacing to a computer system through a virtual-machine interface. In one embodiment of the present invention, a virtual-machine monitor maintains control over a translation lookaside buffer (“TLB”), machine registers which control virtual memory translations, and a processor page table, providing each concurrently executing guest operating system with a guest-processor-page table and guest-physical memory-to-physical memory translations. In one embodiment, a virtual-machine monitor can rely on hardware virtual-address-translation mechanisms for the bulk of virtual-address translations needed during guest-operating-system execution, thus providing a guest-physical memory interface without introducing excessive overhead and inefficiency.

摘要翻译： 本发明的各种实施例涉及通过虚拟机监视器向客户操作系统和通过虚拟机接口与计算机系统接口的其他程序和例程的虚拟物理存储器接口有效地提供。 在本发明的一个实施例中，虚拟机监视器维护对翻译后备缓冲器（“TLB”），控制虚拟存储器转换的机器寄存器以及处理器页表的控制，为每个并发执行的客户操作系统提供客户 处理器页表和访客物理内存到物理内存转换。 在一个实施例中，虚拟机监视器可以依靠硬件虚拟地址转换机制来实现客户操作系统执行期间所需的大量虚拟地址转换，从而提供客体物理存储器接口而不引入过多的开销和低效率 。

公开(公告)号：US08091090B2

公开(公告)日：2012-01-03

申请号：US11030530

申请日：2005-01-05

申请人： Christophe de Dinechin ,  Todd Kjos ,  Jonathan Ross

发明人： Christophe de Dinechin ,  Todd Kjos ,  Jonathan Ross

IPC分类号： G06F3/00 ,  G06F9/455

CPC分类号： G06F9/45533 ,  G06F9/30101

摘要： In one embodiment of the present invention, a virtual-machine monitor detects entry and exit from guest-operating system code, storing the values of a set of high-order floating point registers in memory on entry, and restoring the values of the set of high-order floating point registers on exit. The virtual-machine monitor can then use the set of high-order floating point registers as scratch registers for emulation of guest-operating-system instructions. In alternative embodiments, a virtual-machine monitor obtains scratch registers for any code that the virtual-machine monitor can detect entry into and exit from, and for which a set of infrequently used registers can be identified, by storing the current contents of the set of registers upon detected entry into the code and restoring the original contents of the set of registers upon exit from the code.

摘要翻译： 在本发明的一个实施例中，虚拟机监视器检测进入和退出客户操作系统代码，将一组高阶浮点寄存器的值存储在存储器中，并且恢复该组值 退出时有高位浮点寄存器。 然后，虚拟机监视器可以使用该组高阶浮点寄存器作为临时寄存器来仿真客户操作系统指令。 在替代实施例中，虚拟机监视器获得用于虚拟机监视器可以检测进入和退出的任何代码的暂存寄存器，并且可以通过存储该组的当前内容来为其识别一组不经常使用的寄存器 的寄存器，当检测到进入代码后，退出代码时恢复寄存器组的原始内容。