-
Publication No.: US10409628B2
Publication Date: 2019-09-10
Application No.: US15242097
Filing Date: 2016-08-19
Applicant: Amazon Technologies, Inc.
Inventor: Anthony Nicholas Liguori , Matthew Shawn Wilson , Ian Paul Nowland
Abstract: Generally described, the present application relates to systems and methods for managing virtual machine instances using a physical computing device and an offload device. The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device. The offload device can be connected to the physical computing device via an interconnect interface. The interconnect interface can be a high speed, high throughput, low latency interface such as a Peripheral Component Interconnect Express (PCIe) interface. The offload device can be used to offload virtualization and processing of virtual components from the physical computing device, thereby increasing the computing resources available to the virtual machine instances.
-
Publication No.: US10318162B2
Publication Date: 2019-06-11
Application No.: US15279352
Filing Date: 2016-09-28
Applicant: Amazon Technologies, Inc.
Inventor: Raviprasad Venkatesha Murthy Mummidi , Matthew Shawn Wilson , Anthony Nicholas Liguori , Nafea Bshara , Saar Gross , Jaspal Kohli
Abstract: A peripheral device may implement storage virtualization for non-volatile storage devices connected to the peripheral device. A host system connected to the peripheral device may host one or multiple virtual machines. The peripheral device may implement different virtual interfaces for the virtual machines or the host system that present a storage partition at a non-volatile storage device to the virtual machine or host system for storage. Access requests from the virtual machines or host system are directed to the respective virtual interface at the peripheral device. The peripheral device may perform data encryption or decryption, or may perform throttling of access requests. The peripheral device may generate and send physical access requests to perform the access requests received via the virtual interfaces to the non-volatile storage devices. Completion of the access requests may be indicated to the virtual machines via the virtual interfaces.
-
Publication No.: US20190138736A1
Publication Date: 2019-05-09
Application No.: US16237703
Filing Date: 2019-01-01
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna , Gregory Alan Rubin , Eric Jason Brandwine , Matthew Shawn Wilson , Cristian M. Ilac
Abstract: A tiered credentialing approach provides assurance to customers having virtual machines running in a remote environment that the virtual images for these machines are in a pristine state and running in a trusted execution environment. The environment can be divided into multiple subsystems, each having its own cryptographic boundary, secure storage, and trusted computing capabilities. A trusted, limited subsystem can handle the administrative tasks for virtual machines running on the main system of a host computing device. The limited system can receive a certificate from a certificate authority, and can act as a certificate authority to provide credentials to the main system. Upon an attestation request, the subsystems can provide attestation information using the respective credentials as well as the certificate chain. An entity having the appropriate credentials can determine the state of the system from the response and verify the state is as expected.
-
Publication No.: US10268500B2
Publication Date: 2019-04-23
Application No.: US15217910
Filing Date: 2016-07-22
Applicant: Amazon Technologies, Inc.
Inventor: Anthony Nicholas Liguori , Matthew Shawn Wilson , Ian Paul Nowland
Abstract: Generally described, the present application relates to systems and methods for managing virtual machine instances using a physical computing device and an offload device. The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device. The offload device can be connected to the physical computing device via a bus interface. The bus interface can be a high speed, high throughput, low latency interface such as a Peripheral Component Interconnect Express (PCIe) interface. The offload device can be used to offload virtualization and processing of virtual components from the physical computing device, thereby increasing the computing resources available to the virtual machine instances.
-
Publication No.: US10198377B2
Publication Date: 2019-02-05
Application No.: US15173445
Filing Date: 2016-06-03
Applicant: Amazon Technologies, Inc.
Inventor: Matthew Shawn Wilson , Anthony Nicholas Liguori , Shuvabrata Ganguly
Abstract: A DMA-capable device of a virtualization host stores a DMA write record, indicating a portion of host memory that is targeted by a DMA write operation, in a write buffer accessible from a virtualization management component of the host. The virtualization management component uses the DMA write record to identify a portion of memory to be copied to a target location to save a representation of a state of a particular virtual machine instantiated at the host.
-
Publication No.: US10063380B2
Publication Date: 2018-08-28
Application No.: US13746737
Filing Date: 2013-01-22
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Matthew Shawn Wilson
IPC: G06F21/00 , H04L9/32 , G06F21/60 , G06F21/33 , G06F21/51 , G06F21/53 , G06F21/62 , G06F9/455 , H04L29/06
CPC classification number: H04L9/3263 , G06F9/45558 , G06F21/335 , G06F21/51 , G06F21/53 , G06F21/602 , G06F21/629 , G06F2009/45587 , G06F2221/033 , G06F2221/2107 , G06F2221/2115 , G06F2221/2141 , G06F2221/2149 , H04L63/0823
Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to authorize and authenticate requests sent to a virtualization layer. The interfaces can be invoked to perform security monitoring, forensic capture, and/or patch software systems at runtime. In addition to the foregoing, other aspects are described in the claims, detailed description, and figures.
-
Publication No.: US09794195B1
Publication Date: 2017-10-17
Application No.: US14752518
Filing Date: 2015-06-26
Applicant: Amazon Technologies, Inc.
Inventor: Matthew Shawn Wilson , Nafea Bshara , Peter Nicholas Desantis
IPC: H04L12/931
CPC classification number: H04L49/40 , H04L49/351
Abstract: A communication device with receded ports includes one or more port connectors in a first position, one or more port connectors in a setback position that is receded back from the first position, and one or more port connectors in one or more additional setback positions. The communication device with receded ports includes a circuit board and one or more circuits mounted on the circuit board. Circuit traces electrically connect the port connectors in the first position, the setback position, and the one or more subsequent setback positions to a circuit mounted on the circuit board. The port connectors in the first position, setback position, and one or more subsequent setback positions may be situated in a triangular pattern, stair-stepped pattern, curved pattern, or some other pattern.
-
Publication No.: US09792143B1
Publication Date: 2017-10-17
Application No.: US14921555
Filing Date: 2015-10-23
Applicant: Amazon Technologies, Inc.
Inventor: Nachiketh Rao Potlapally , Derek Del Miller , Mark Bradley Davis , Matthew Shawn Wilson , Eric Jason Brandwine , Anthony Nicholas Liguori , Rahul Gautam Patel
CPC classification number: G06F9/45558 , G06F21/53 , G06F21/6218 , G06F21/72 , G06F21/74 , G06F2009/45587
Abstract: Performing virtual machine (VM)-based secure operations is enabled using a trusted co-processor that is able to operate in a secure mode to perform operations in a multi-tenant environment that are protected from other VMs and DOM-0, among other domains and components. A customer VM can contact a VM manager (VMM) to perform an operation with respect to sensitive data. The VMM can trigger secure mode operation, whereby memory pages are marked and access is blocked to entities outside a trusted enclave. The trusted co-processor can measure the VMM and compare the result against an earlier result to ensure that the VMM has not been compromised. Once the operations are performed, the trusted co-processor can return the results, and the VMM can exit the secure mode such that access to the marked pages and customer data is restored.
-
Publication No.: US09729517B2
Publication Date: 2017-08-08
Application No.: US13746702
Filing Date: 2013-01-22
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Matthew Shawn Wilson
CPC classification number: H04L63/0428 , G06F3/0647 , G06F9/45558 , G06F9/4856 , G06F21/57 , G06F2009/45562 , G06F2009/4557 , G06F2009/45587 , H04L9/0844 , H04L63/0869
Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to enable secure migration of virtual machine instances between multiple host computing devices. The migration is performed by receiving a request to migrate a virtual machine, where the request includes public keys for the source host computing device and the destination host computing device. The source and destination hosts use the public keys to establish an encrypted session and then use the encrypted session to migrate the virtual machine.
-
Publication No.: US20170161505A1
Publication Date: 2017-06-08
Application No.: US14960553
Filing Date: 2015-12-07
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna , Gregory Alan Rubin , Eric Jason Brandwine , Matthew Shawn Wilson , Cristian M. Ilac
CPC classification number: G06F21/602 , G06F9/45558 , G06F21/57 , G06F2009/4557 , G06F2009/45587 , G06F2221/2153
Abstract: A tiered credentialing approach provides assurance to customers having virtual machines running in a remote environment that the virtual images for these machines are in a pristine state and running in a trusted execution environment. The environment can be divided into multiple subsystems, each having its own cryptographic boundary, secure storage, and trusted computing capabilities. A trusted, limited subsystem can handle the administrative tasks for virtual machines running on the main system of a host computing device. The limited system can receive a certificate from a certificate authority, and can act as a certificate authority to provide credentials to the main system. Upon an attestation request, the subsystems can provide attestation information using the respective credentials as well as the certificate chain. An entity having the appropriate credentials can determine the state of the system from the response and verify the state is as expected.