Abstract:
A method and system are disclosed in which a secure computing infrastructure is established and maintained. The method requires that upon any attestation event, a component to be added or newly activated (i.e., used the first time) be checked for its trustworthiness, where the checking includes cryptographic proof of the trustworthiness of the component. If the component is not trustworthy, then security precautions are taken to protect the secure computing infrastructure. Those precautions include refusing to accept the component, quarantining the component, encrypting and decrypting all traffic to and from the component, or allowing the component to perform only non-secure operations.
Abstract:
An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes: launching, in cooperation with a security module of a host, a guest as a virtual machine (VM) managed by the virtualization layer, the security module generating an attestation report from at least a portion of the VM loaded into memory of the host; sending the attestation report from the security module to a trust authority; receiving, in response to verification of the attestation report by the trust authority, a secret from the trust authority at the security module; and providing the secret from the security module to the guest.
Abstract:
An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes storing, in a trust authority, a pre-defined attestation report for a workload executing in a virtual machine (VM) managed by the virtualization layer, the pre-defined attestation report including a hash of at least a portion of an image of the VM; receiving, at the trust authority from a security module of a host in which the VM executes, an attestation report generated by measuring memory of the VM; comparing the attestation report with the pre-defined attestation report; and generating an indication of validity for the workload based on a result of the comparison.
Abstract:
One or more embodiments provide techniques for promoting a linked clone virtual machine to a full clone virtual machine. In one embodiment, a method includes receiving an instruction to promote the linked clone virtual machine to a full clone virtual machine. The method also includes creating a second base disk for the linked clone virtual machine. The method includes installing a mirror driver between the first delta disk and the second base disk. The method includes copying the contents of the first delta disk to the second base disk with the mirror driver. After the contents of the first delta disk have been copied to the second base disk, the method includes removing the mirror driver and operating the linked clone virtual machine as a full clone virtual machine on the second base disk.
Abstract:
A method for protecting an OS disk of a computing device without block encrypting the OS disk. The method identifies one or more files that store configuration data associated with OS binaries executed on the computing device. The method encrypts the configuration data stored in the one or more files using an encryption key and seals the encryption key to a TPM of the computing device. The method then boots the computing device by attempting to unseal the encryption key by authenticating one or more of the OS binaries with the TPM. When authenticating the one or more of the OS binaries is successful, the method completes boot of the computing device by decrypting the configuration data using the encryption key. If authentication of the one or more of the OS binaries is not successful, however, the method aborts boot of the computing device.
Abstract:
A method for placing a workload on one or more resources based on security requirements of the workload, a declared security policy, and security capabilities of the resources, includes determining the security requirements of the workload and the declared security policy, searching for and finding a resource that meets the security requirements of the workload and the declared security policy, and deploying the workload onto the resource. The method further includes, after deploying the workload onto the resource, discovering that the resource does not meet the security requirements of the workload and the declared security policy, determining that a new environment has a resource having security capabilities that meet the security requirements of the workload and the declared security policy, and deploying the workload onto the resource in the new environment.
Abstract:
One or more embodiments provide techniques for accessing a memory page of a virtual machine for which loading might have been deferred. According to an embodiment of the invention, the method includes the steps of examining metadata of the memory page, determining that a flag in the metadata indicating that the contents of the memory page need to be updated is set, and updating the contents of the memory page.
Abstract:
A process for lazy checkpointing is enhanced to reduce the number of read/write accesses to the checkpoint file and thereby speed up the checkpointing process. The process for restoring a state of a virtual machine (VM) running in a physical machine from a checkpoint file that is maintained in persistent storage includes the steps of detecting access to a memory page of the virtual machine that has not been read into physical memory of the VM from the checkpoint file, determining a storage block of the checkpoint file to which the accessed memory page maps, writing contents of the storage block in a buffer, and copying contents of a block of memory pages that includes the accessed memory page from the buffer to corresponding locations of the memory pages in the physical memory of the VM. The storage block of the checkpoint file may be compressed or uncompressed.
Abstract:
An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes: launching, in cooperation with a security module of a host, a guest as a virtual machine (VM) managed by the virtualization layer, the security module generating an attestation report from at least a portion of the VM loaded into memory of the host; receiving, at the guest from a trust authority, a secret in response to verification of the attestation report; obtaining, at the guest from an entity, at least one key using transport layer security (TLS) data in the secret to verify the identity of the guest to the entity; and using, at the guest, the at least one key to access or verify at least one disk attached thereto.
Abstract:
A method of attestation of a host machine based on the runtime configuration of the host machine is provided. The method receives, at an attestation machine, a request from the host machine for attestation of software executing on the host machine, the request including at least one security-related configuration of the software at launch time and a corresponding runtime behavior of the software when the security-related configuration changes. The method then generates a claim based on evaluating a value associated with the at least one security-related configuration and the corresponding runtime behavior of the software when the value changes. The method also generates an attestation token after a successful attestation of the software and includes the generated claim in the attestation token. The method further transmits the attestation token to the host machine.