-
公开(公告)号:WO2014207581A3
公开(公告)日:2015-04-09
申请号:PCT/IB2014059780
申请日:2014-03-14
Inventor: BACHER UTZ , BUENDGEN REINHARD , LUECK EINAR
IPC: G06F9/44
CPC classification number: G06F21/602 , G06F9/45558 , G06F9/542 , G06F21/57 , G06F2009/45587
Abstract: A method for processing a guest event in a hypervisor-controlled system (10), comprising the steps: (i) the guest event triggering a first firmware service being specific for the guest event in a firmware (70), the guest event being associated with a guest (20) and with a guest state (52) and a guest memory (22) encrypted with a guest key (24); (ii) the firmware (70) processing information associated with the guest event, comprising information of the guest state (52) and the guest memory (22), and presenting only a subset of the information of the guest state (52) and the guest memory (22) in decrypted form to a hypervisor (30), wherein the subset of the information is selected to suffice for the hypervisor (30) to process the guest event; (iii) the firmware (70) retaining a part of the information of the guest state (52) and the guest memory (22) that is not being sent to the hypervisor (30); (iv) the hypervisor (30) processing the guest event based on the received subset of the information of the guest state (52) and the guest memory (22) and sending a process result to the firmware (70) triggering a second firmware service being specific for the guest event; (v) the firmware (70) processing the received process result together with the part of the information of the guest state (52) and the guest memory (22) that was not sent to the hypervisor (30), generating a state and/or memory modification;(vi) the firmware (70) performing the state and/or memory modification associated with the guest event at the guest memory (22) in encrypted form.
Abstract translation: 一种用于处理管理程序控制系统(10)中的客户事件的方法,包括以下步骤:(i)客户事件触发在固件(70)中特定于访客事件的第一固件服务,客户事件被关联 与宾客(20)以及宾客状态(52)和客人记忆体(22)用客人键(24)加密; (ii)所述固件(70)处理与所述客户事件相关联的信息,包括所述访客状态(52)和所述访客存储器(22)的信息,以及仅呈现所述访客状态(52)的信息的子集和 客户机存储器(22)以解密的形式发送到管理程序(30),其中所述信息的子集被选择为足以管理程序(30)处理客人事件; (iii)保持未被发送到管理程序(30)的客户状态信息(52)和客户机存储器(22)的一部分的固件(70); (iv)所述虚拟机管理程序(30)基于接收到的状态信息(52)和来宾存储器(22)的所接收的子集来处理客体事件,并将处理结果发送到固件(70),以触发第二固件服务 特定于客人活动; (v)固件(70)与未发送到管理程序(30)的访客状态(52)和来宾存储器(22)的部分信息一起处理接收的处理结果,生成状态和/ 或存储器修改;(vi)固件(70)以加密形式执行与访客存储器(22)处的客户事件相关联的状态和/或存储器修改。
-
公开(公告)号:ZA202106316B
公开(公告)日:2023-03-29
申请号:ZA202106316
申请日:2021-08-30
Applicant: IBM
Inventor: BUENDGEN REINHARD , VISEGRADY TAMAS , FRANZKI INGO
Abstract: A method, computer program product, and a system where a secure interface control configures a hardware security module for exclusive use by a secure guest. The secure interface control (“SC”) obtains a configuration request (via a hypervisor) to configure the hardware security module (HSM), from a given guest of guests managed by the hypervisor. The SC determines if the HSM is already configured to a specific guest of the one or more guests, but based on determining that the HSM is not configured to the and is a secure guest the SC forecloses establishing a configuration of the HSM by limiting accesses by guests to the HSM exclusively to the given guest. The SC logs the given guest into the HSM by utilizing a secret of the given guest. The SC obtains, from the HSM, a session code and retains the session code.
-
公开(公告)号:DE112020000289T5
公开(公告)日:2021-10-14
申请号:DE112020000289
申请日:2020-03-06
Applicant: IBM
Inventor: BACHER UTZ , BUENDGEN REINHARD , BRADBURY JONATHAN , HELLER LISA , BUSABA FADI
IPC: G06F9/455
Abstract: Gemäß einer oder mehreren Ausführungsformen der vorliegenden Erfindung umfasst ein durch einen Computer umgesetztes Verfahren ein Empfangen einer Abfrage für eine Speichermenge im Arbeitsspeicher eines Computersystems, die einer sicheren Schnittstellensteuerung des Computersystems überlassen werden soll. Die sichere Schnittstellensteuerung kann die zu überlassende Speichermenge auf Grundlage einer Mehrzahl von sicheren Entitäten bestimmen, die durch die sichere Schnittstellensteuerung als eine Mehrzahl von vorbestimmten Werten unterstützt werden. Die sichere Schnittstellensteuerung kann eine Antwort auf die Abfrage, die für die Speichermenge indikativ ist, als Antwort auf die Abfrage zurückgeben. Eine Überlassung von zu sicherndem Speicher zur Verwendung durch die sichere Schnittstellensteuerung kann auf Grundlage der Antwort auf die Abfrage empfangen werden.
-
公开(公告)号:GB2530225A
公开(公告)日:2016-03-16
申请号:GB201600172
申请日:2014-03-14
Applicant: IBM
Inventor: BACHER UTZ , BUENDGEN REINHARD , LUECK EINAR
Abstract: The invention relates to a method for processing a guest event in a hypervisor- controlled system (10), comprising the steps: (i) the guest event triggering a first firmware service being specific for the guest event in a firmware (70), the guest event being associated with a guest (20) and with a guest state (52) and a guest memory (22) encrypted with a guest key (24); (ii) the firmware (70) processing information associated with the guest event, comprising information of the guest state (52) and the guest memory (22), and presenting only a subset of the information of the guest state (52) and the guest memory (22) in decrypted form to a hypervisor (30), wherein the subset of the information is selected to suffice for the hypervisor (30) to process the guest event; (iii) the firmware (70) retaining a part of the information of the guest state (52) and the guest memory (22) that is not being sent to the hypervisor (30); (iv) the hypervisor (30) processing the guest event based on the received subset of the information of the guest state (52) and the guest memory (22) and sending a process result to the firmware (70) triggering a second firmware service being specific for the guest event; (v) the firmware (70) processing the received process result together with the part of the information of the guest state (52) and the guest memory (22) that was not sent to the hypervisor (30), generating a state and/or memory modification; (vi) the firmware (70) performing the state and/or memory modification associated with the guest event at the guest memory (22) in encrypted form.
-
公开(公告)号:GB2472057A
公开(公告)日:2011-01-26
申请号:GB0912795
申请日:2009-07-23
Applicant: IBM
Inventor: BUENDGEN REINHARD , HOLZHEU MICHAEL , DENGLER HOLGER , SAMESKE VOLKER
IPC: G06F15/167 , G06F9/46
Abstract: A coupling device for communication between operating systems in a cluster has a number of FIFO queues. The operating systems have an application programming interface which uses Linux pipe semantics to read from and write to the queues. The coupling device maintains the data structures and locks needed to represent Linux pipes. This allows the use of standard mount, open, write, read and close function calls to the operating system kernel to be used to access the FIFO queues on the coupling device. A write function call with more data than will fit in a single queue entry is split into several entries. A read function call, for less data than will fit into single queue entry, will return an error code indicating that it has failed and not alter the queue. The operating systems my run on a single computer system or be distributed across several computer systems.
-
Patent Agency Ranking
公开(公告)号:AU2020234675B2
公开(公告)日:2022-11-24
申请号:AU2020234675
申请日:2020-02-27
Applicant: IBM
Inventor: BUENDGEN REINHARD , VISEGRADY TAMAS , FRANZKI INGO
Abstract: A method, computer program product, and a system where a secure interface control configures a hardware security module for exclusive use by a secure guest. The secure interface control ("SC") obtains a configuration request (via a hypervisor) to configure the hardware security module (HSM), from a given guest of guests managed by the hypervisor. The SC determines if the HSM is already configured to a specific guest of the one or more guests, but based on determining that the HSM is not configured to the and is a secure guest the SC forecloses establishing a configuration of the HSM by limiting accesses by guests to the HSM exclusively to the given guest. The SC logs the given guest into the HSM by utilizing a secret of the given guest. The SC obtains, from the HSM, a session code and retains the session code.
-
公开(公告)号:DE112020005526T5
公开(公告)日:2022-09-01
申请号:DE112020005526
申请日:2020-12-10
Applicant: IBM
Inventor: BUENDGEN REINHARD , URBAN VOLKER , KISLEY RICHARD VICTOR , BRADBURY JONATHAN , HENDEL TORSTEN , FREUDENBERGER HARALD , KLOTZ BENEDIKT , WERNER KLAUS , SELVE MARKUS
Abstract: Ein Sicherheitsmodul wie zum Beispiel ein Verschlüsselungsadapter wird für einen sicheren Gast einer Datenverarbeitungsumgebung reserviert. Das Reservieren enthält ein Binden einer oder mehrerer Warteschlangen des Sicherheitsmoduls an den sicheren Gast. Die eine oder mehreren Warteschlangen werden anschließend auf Grundlage einer oder mehrerer Aktionen verwaltet, die sich auf die Reservierung beziehen.
-
公开(公告)号:BR112021017439A2
公开(公告)日:2021-11-16
申请号:BR112021017439
申请日:2020-02-27
Applicant: IBM
Inventor: FRANZKI INGO , BUENDGEN REINHARD , VISEGRADY TAMAS
Abstract: vinculação de chaves seguras de convidados seguros a um módulo de segurança de hardware. um método, produto de programa de computador, e um sistema onde um controle de interface seguro configuras um módulo de segurança de hardware para o uso exclusivo por um convidado seguro. o controle de interface seguro ("sc") obtém uma solicitação de configuração (através de um hipervisor) para configurar o módulo de segurança de hardware (hsm), a partir de um dado convidado de convidados gerenciados pelo hipervisor. o sc determina se o hsm já está configurado para um convidado específico dos um ou mais convidados, mas com base na determinação de que o hsm não está configurado para o e é um convidado seguro o sc executa o estabelecimento de uma configuração do hsm através da limitação dos acessos pelos convidados para o hsm exclusivamente para o dado convidado. o sc registra o dado convidado para o hsm utilizando um segredo do dado convidado. o sc obtém, a partir do hsm, um código de sessão e retém o código de sessão.
-
公开(公告)号:DE112020000694T5
公开(公告)日:2021-10-21
申请号:DE112020000694
申请日:2020-01-31
Applicant: IBM
Inventor: BACHER UTZ , BUENDGEN REINHARD , MORJAN PETER , FRANK JANOSCH
Abstract: Ein durch einen Computer ausgeführtes Verfahren zum Erzeugen eines sicheren Software-Containers kann bereitgestellt werden. Das Verfahren umfasst das Bereitstellen eines ersten mehrschichtigen Software-Container-Images, das Umsetzen von allen Dateien, mit Ausnahme von entsprechenden Metadaten, einer jeden Schicht des ersten mehrschichtigen Software-Container-Images in einen Datenträger, wobei der Datenträger einen Satz von Blöcken aufweist, wobei jede Schicht einen inkrementellen Unterschied zu einer nächstniedrigeren Schicht aufweist, das Verschlüsseln eines jeden Blocks des Satzes von Blöcken von einem Teil der Schichten und das Speichern eines jeden verschlüsselten Satzes der Blöcke als eine Schicht eines verschlüsselten Container-Images zusammen mit unverschlüsselten Metadaten, um eine Reihenfolge des Satzes von Blöcken wiederherzustellen, die gleich einer Reihenfolge des ersten mehrschichtigen Software-Container-Images ist, so dass ein sicherer verschlüsselter Software-Container erzeugt wird.
-
公开(公告)号:SG11202105432WA
公开(公告)日:2021-06-29
申请号:SG11202105432W
申请日:2020-02-27
Applicant: IBM
Inventor: BUENDGEN REINHARD , BRADBURY JONATHAN , HELLER LISA
Abstract: A method, computer program product, and a system where a secure interface control determines whether an instance of a secure guest image can execute based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest of an owner and managed by the hypervisor that includes control(s) that indicates whether the hypervisor is permitted to execute an instance of a secure guest generated with the image in the computing system based on system setting(s) in the computing system. The SC intercepts a command by the hypervisor to initiate the instance. The SC determines the presence or the absence of system setting(s) in the computing system. The SC determines if the hypervisor is permitted to execute the instance. If so, the SC enables initiation of the instance by the hypervisor. If not, the SC ignores the command.
-
-
-
-
-
-
-
-
-
Search Results
41
records
(took 0.035 seconds)
