公开(公告)号：US11734048B2

公开(公告)日：2023-08-22

申请号：US17408817

申请日：2021-08-23

Applicant: Red Hat Israel, Ltd.

Inventor： Michael Tsirkin ,  Amnon Ilan

IPC: G06F9/455 ,  G06F9/54 ,  G06F9/50 ,  G06F8/65 ,  G06F12/1009

CPC classification number: G06F9/45558 ,  G06F8/65 ,  G06F9/5077 ,  G06F9/545 ,  G06F12/1009 ,  G06F2009/45583

Abstract: Technology for configuring and executing a shallow virtual machine to enhance memory protection between different portions of user space memory of a particular computing process. An example method involves: receiving, by a processor of a host, a request to create a computing process comprising a first and second executable code, wherein the computing process comprises an instruction to cause the processor to switch between first and second page table structures; loading the first and second executable code into memory of the host, wherein the first page table structure comprises mapping data for the first executable code and for the second executable code and wherein the second executable code comprises driver code of a device; updating the second page table structure to disable execution of the first executable code and to provide the second executable code with access to the device; and restricting the first executable code from accessing the device.

公开(公告)号：US20210382747A1

公开(公告)日：2021-12-09

申请号：US17408817

申请日：2021-08-23

Applicant: Red Hat Israel, Ltd.

Inventor： Michael Tsirkin ,  Amnon Ilan

IPC: G06F9/455 ,  G06F9/54 ,  G06F9/50 ,  G06F8/65 ,  G06F12/1009

Abstract: Technology for configuring and executing a shallow virtual machine to enhance memory protection between different portions of user space memory of a particular computing process. An example method involves: receiving, by a processor of a host, a request to create a computing process comprising a first and second executable code, wherein the computing process comprises an instruction to cause the processor to switch between first and second page table structures; loading the first and second executable code into memory of the host, wherein the first page table structure comprises mapping data for the first executable code and for the second executable code and wherein the second executable code comprises driver code of a device; updating the second page table structure to disable execution of the first executable code and to provide the second executable code with access to the device; and restricting the first executable code from accessing the device.

公开(公告)号：US20190065229A1

公开(公告)日：2019-02-28

申请号：US15688791

申请日：2017-08-28

Applicant: Red Hat Israel, Ltd.

Inventor： Michael Tsirkin ,  Amnon Ilan

IPC: G06F9/455 ,  H04L12/26 ,  H04L12/24

Abstract: A method includes receiving, by a processing device of a monitoring node, an indication over a network that a virtual machine successfully migrated from a first host to a second host. The indication includes a virtual machine address of the virtual machine executing on the second host. The method also includes, responsive to the indication that the virtual machine successfully migrated from the first host to the second host, starting to monitor incoming packets of the monitoring node for an incoming packet that includes a source address field having the virtual machine address, and, upon determining, after a threshold period of time, that none of the incoming packets include the source address field having the virtual machine address, notifying a reporting node that the incoming packet was not received to facilitate performance of an action to reduce downtime of communication with the virtual machine over the network.

公开(公告)号：US10140214B2

公开(公告)日：2018-11-27

申请号：US15250335

申请日：2016-08-29

Applicant: Red Hat Israel, Ltd.

Inventor： Michael Tsirkin ,  Amnon Ilan

IPC: G06F3/06 ,  G06F12/10 ,  G06F9/455

Abstract: A system and method of translation bypass includes a hypervisor configuring a host input-output memory management unit to translate a guest memory of a guest virtual machine. The hypervisor reserves a first portion of the guest memory. The hypervisor receives, from the guest virtual machine, a guest physical address. The hypervisor stores the guest physical address in the first portion of the guest memory. The hypervisor configures a device to access the first portion of the guest memory to locate a command.

公开(公告)号：US11099874B2

公开(公告)日：2021-08-24

申请号：US16258924

申请日：2019-01-28

Applicant: Red Hat Israel, Ltd.

Inventor： Michael Tsirkin ,  Amnon Ilan

IPC: G06F9/455 ,  G06F9/54 ,  G06F12/1009 ,  G06F9/50 ,  G06F8/65

Abstract: Technology for configuring and executing a shallow virtual machine to enhance memory protection between different portions of user space memory of a particular computing process. An example method may involve: associating a computing process with a virtual machine data structure, wherein the computing process initiates an update to the virtual machine data structure to cause a processor to switch between a page table structures; loading first and second executable code into user space memory of the computing process, wherein a first page table structure comprises mapping data for the first and second executable code and wherein the second executable code comprises driver code of a device; updating the second page table structure to disable execution of the first executable code and to map a portion of the user space memory to the device; and restricting the first executable code from accessing the memory mapped device.

公开(公告)号：US11070629B2

公开(公告)日：2021-07-20

申请号：US15691605

申请日：2017-08-30

Applicant: Red Hat Israel, LTD

Inventor： Michael Tsirkin ,  Amnon Ilan

IPC: G06F15/16 ,  H04L29/08 ,  H04L29/12 ,  G06F9/455

Abstract: An indication that a virtual machine has been migrated may be received. In response to receiving the indication, one or more network addresses associated with the virtual machine may be identified. A notification message corresponding to the one or more network addresses may be generated. The notification message may be transmitted on networks for the one or more network addresses. The virtual machine may determine whether a response message has been received for each of the one or more network addresses. The virtual machine may transmit a subsequent notification message in view of determining that at least one response message has not been received for at least one of the one or more network addresses.

公开(公告)号：US20180060245A1

公开(公告)日：2018-03-01

申请号：US15250335

申请日：2016-08-29

Applicant: Red Hat Israel, Ltd.

Inventor： Michael Tsirkin ,  Amnon Ilan

IPC: G06F12/10 ,  G06F3/06 ,  G06F9/455

CPC classification number: G06F12/10 ,  G06F3/0605 ,  G06F3/061 ,  G06F3/0647 ,  G06F3/0659 ,  G06F3/0664 ,  G06F3/0673 ,  G06F9/45558 ,  G06F2009/45579 ,  G06F2009/45583

Abstract: A system and method of translation bypass includes a hypervisor configuring a host input-output memory management unit to translate a guest memory of a guest virtual machine. The hypervisor reserves a first portion of the guest memory. The hypervisor receives, from the guest virtual machine, a guest physical address. The hypervisor stores the guest physical address in the first portion of the guest memory. The hypervisor configures a device to access the first portion of the guest memory to locate a command.

公开(公告)号：US11237859B2

公开(公告)日：2022-02-01

申请号：US16203060

申请日：2018-11-28

Applicant: Red Hat Israel, Ltd.

Inventor： Michael Tsirkin ,  Amnon Ilan

IPC: G06F9/455 ,  G06F9/48 ,  G06F9/50 ,  H04L12/26

Abstract: Aspects of the disclosure provide for mechanisms for securing virtual machines in a computer system. A method of the disclosure includes: receiving a first resource request initiated by an application running on a virtual machine during initialization of the application; allocating, by a hypervisor, a resource to the application in view of the first resource; and in response to receiving a message indicating completion of the initialization of the application, blocking, by the hypervisor, at least one hypercall initiated by the virtual machine. The completion of the initialization of the application may correspond to initiation of execution of the application using the allocated resource.

公开(公告)号：US10409633B2

公开(公告)日：2019-09-10

申请号：US15985482

申请日：2018-05-21

Applicant: Red Hat Israel, Ltd.

Inventor： Michael Tsirkin ,  Amnon Ilan

IPC: G06F9/455

Abstract: Responsive to receiving a first request from an application to create a thread for the application, a guest operating system sends a first notification to a hypervisor to create a dedicated virtual processor for the thread. Responsive to receiving an identifier associated with the dedicated virtual processor from the hypervisor, the guest operating system starts the thread using the dedicated virtual processor, and pins the thread to the dedicated virtual processor.

公开(公告)号：US10013199B2

公开(公告)日：2018-07-03

申请号：US15351853

申请日：2016-11-15

Applicant: Red Hat Israel, Ltd.

Inventor： Michael Tsirkin ,  Amnon Ilan

IPC: G06F13/00 ,  G06F3/06 ,  G06F9/455

CPC classification number: G06F9/45558 ,  G06F13/16 ,  G06F2009/45579 ,  G06F2009/45583

Abstract: A system and method of translation bypass includes a hypervisor retrieving a physical bus address range from a host input-output memory management unit. The hypervisor reserves an allowed address range of the physical bus address range, and sends the allowed address range to a guest virtual machine. Sending the allowed address range sets a guest bus address range mapped by a virtual input-output memory management unit. The guest virtual machine is prevented from accessing any bus address outside of the allowed address range. The hypervisor receives, from the guest virtual machine, an access request to a guest bus address, which is an address within the allowed address range. The hypervisor stores the access request to the guest bus address in physical memory mapped in the host input-output memory management unit to an address outside of the allowed address range.