US20220413892A1 - Secure access of virtual machine memory suitable for ai assisted automotive applications - Google Patents
Secure access of virtual machine memory suitable for ai assisted automotive applications Download PDFInfo
- Publication number
- US20220413892A1 US20220413892A1 US17/898,904 US202217898904A US2022413892A1 US 20220413892 A1 US20220413892 A1 US 20220413892A1 US 202217898904 A US202217898904 A US 202217898904A US 2022413892 A1 US2022413892 A1 US 2022413892A1
- Authority
- US
- United States
- Prior art keywords
- host controller
- data
- memory
- vmm
- command
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000015654 memory Effects 0.000 title claims abstract description 177
- 238000000034 method Methods 0.000 claims description 77
- 230000008569 process Effects 0.000 claims description 24
- 230000004044 response Effects 0.000 claims description 12
- 230000006870 function Effects 0.000 claims description 9
- 238000012545 processing Methods 0.000 claims description 9
- 230000003190 augmentative effect Effects 0.000 claims description 4
- 230000008447 perception Effects 0.000 claims 3
- 238000010200 validation analysis Methods 0.000 abstract description 8
- 238000004891 communication Methods 0.000 description 41
- 238000010586 diagram Methods 0.000 description 12
- 230000002093 peripheral effect Effects 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 5
- 230000001010 compromised effect Effects 0.000 description 4
- 238000012546 transfer Methods 0.000 description 3
- 238000001514 detection method Methods 0.000 description 2
- 238000013507 mapping Methods 0.000 description 2
- 238000009877 rendering Methods 0.000 description 2
- 102100026964 M1-specific T cell receptor beta chain Human genes 0.000 description 1
- 230000009471 action Effects 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000001815 facial effect Effects 0.000 description 1
- 238000005259 measurement Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000005192 partition Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 230000007723 transport mechanism Effects 0.000 description 1
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05D—SYSTEMS FOR CONTROLLING OR REGULATING NON-ELECTRIC VARIABLES
- G05D1/00—Control of position, course, altitude or attitude of land, water, air or space vehicles, e.g. using automatic pilots
- G05D1/0088—Control of position, course, altitude or attitude of land, water, air or space vehicles, e.g. using automatic pilots characterized by the autonomous decision making process, e.g. artificial intelligence, predefined behaviours
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F21/79—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0602—Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
- G06F3/062—Securing storage systems
- G06F3/0622—Securing storage systems in relation to access
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0628—Interfaces specially adapted for storage systems making use of a particular technique
- G06F3/0655—Vertical data movement, i.e. input-output transfer; data movement between one or more hosts and one or more storage devices
- G06F3/0659—Command handling arrangements, e.g. command buffers, queues, command scheduling
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0628—Interfaces specially adapted for storage systems making use of a particular technique
- G06F3/0662—Virtualisation aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45583—Memory management, e.g. access or allocation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45595—Network integration; Enabling network access in virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0668—Interfaces specially adapted for storage systems adopting a particular infrastructure
- G06F3/067—Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]
Definitions
- Virtualization allows multiple Virtual Machine (VMs)—often used to host Operating System Instances (OSI)—to run concurrently within a single host system.
- a default interface (without virtualization of the interface) presented by a host controller to the host system may include a Physical Function (PF), or host controller interface.
- host controller interfaces include those used for Universal Serial Bus (USB), FireWire, Bluetooth, Ethernet, Peripheral Component Interconnect (PCI), or other types of communications.
- USB Universal Serial Bus
- FireWire FireWire
- PCI Peripheral Component Interconnect
- xHCI eXtensible Host Controller Interface
- Virtualization of the host controller interface enables multiple Virtual Functions (VF) to share a PF.
- the physical interface presented by a VF typically includes only a subset of that presented by the corresponding PF and relies on virtualization software to emulate portions of the VF interface to fill in the gaps.
- the virtualization software may be used to facilitate a connection between a VM and another entity using a VF, such as another entity within the host system (e.g., another VM), or an entity external to the host system (e.g., a hardware device).
- the virtualization software may assist the VM in establishing a connection using the VF, or modifying an existing connection using the VF.
- the virtualization software may read data from the memory of the VM which indicates information requested by the VM, such as connection properties. In the example of xHCI, the data may be Command Transfer Request Block (TRB) data used to request device properties of a newly connected device.
- TRB Command Transfer Request Block
- a component of the virtualization software responsible for mapping VM memory may manipulate the mapping to access unauthorized locations in memory.
- the present disclosure relates, in part, to securing access to VM memory by virtualization software to facilitate a connection between a VM and another entity using a VF.
- a trusted firmware of a host controller may validate one or more of a command to read a VM's memory and/or the data read from VM memory in order to protect against improper access to data in VM memory. If validation fails, the firmware may refrain from reading the data and/or from providing the virtualization software with access to the data. Thus, if virtualization software becomes compromised, a malicious actor may be prevented from arbitrarily accessing VM memory.
- one or more virtual machine managers (VMMs) of the virtualization software may send a read command to trusted firmware of the host controller that indicates memory locations to read in order to access the data.
- the host controller firmware may validate the read command and/or the data read from VM memory. For example, the host controller firmware may confirm that the read command matches a doorbell event for a corresponding VM's command ring, confirm that it sent a doorbell event to the VMM prior to receiving the read command, and/or check that a memory size specified by command is valid.
- the host controller firmware may read the data and confirm the data is of a proper format and/or includes proper information or parameters. The host controller may refrain from providing the VMM to access the data if the command and/or the data is not validated (e.g., determined to be invalid).
- FIG. 1 is a diagram of an example of an operational environment for validating access by virtualization software to data in memory, in accordance with some embodiments of the present disclosure
- FIG. 2 is a flow diagram of an example of a process for validating access by virtualization software to data in memory, in accordance with some embodiments of the present disclosure
- FIG. 3 is a flow diagram of an example of a method for validating data read from VM memory in response to a read command from virtualization software, in accordance with some embodiments of the present disclosure
- FIG. 4 is a flow diagram of an example of a method for validating a command from virtualization software to read VM memory, in accordance with some embodiments of the present disclosure
- FIG. 5 is a flow diagram of an example of a method for virtualization software to read data from VM memory using a host controller firmware, in accordance with some embodiments of the present disclosure.
- FIG. 6 is a block diagram of an example computing environment suitable for validating access by virtualization software to data in memory, in accordance with some embodiments of the present disclosure.
- Systems and methods are disclosed related to using trusted firmware of a host controller to validate one or more of a command to read a VM's memory (e.g., system memory dedicated or allocated to a VM) and/or the data read from VM memory in order to protect against improper access to data in system memory.
- a VM's memory e.g., system memory dedicated or allocated to a VM
- the data read from VM memory in order to protect against improper access to data in system memory.
- one or more virtual machine managers (VMM(s)) of virtualization software and a VF may be used to facilitate a connection between a VM and another entity (e.g., an external VM, an external device), such as another entity within the host system (e.g., another VM), or an entity external to the host system.
- the VMM(s) may or may not include a hypervisor of a host system.
- the VM may receive a notification from the VMM regarding the entity. For example, a user may connect a USB device to an xHCI controller, and the xHCI controller may notify the VMM of the new device, which in turn notifies the appropriate VM.
- the VM may provide a command intended for the VMM that it stores as data in the memory of the underlying system or device designated for the VM.
- the VMM may send a read command to the trusted firmware of the host controller that indicates memory locations to read in order to access the data.
- the host controller firmware may validate the read command. For example, the host controller firmware may confirm that the read command matches a doorbell event for a corresponding VM's command ring. As another example, the host controller firmware may confirm that it sent a doorbell event to the VMM (e.g., to indicate to the VMM to help process commands in the VM's command ring) prior to receiving the command. As another example, the host controller firmware may check that a memory size specified by a command is valid (e.g., a TRB may be 16 bytes and a larger or smaller size may indicate an invalid command). If the command is not validated, the host controller firmware may refrain from reading the memory locations and/or from providing the VMM(s) with access to data read from the memory locations.
- a memory size specified by a command e.g., a TRB may be 16 bytes and a larger or smaller size may indicate an invalid command.
- the host controller firmware may validate data read from the memory locations. For example, the host controller firmware may read the data and confirm the data is of a proper format and/or includes proper information or parameters. This may include checking that a request type field has a valid value, one or more reserved fields has an expected value, a Slot Identifier (ID) is within a predetermined range, and/or the data is in a predefined format. In the example of an xHCI interface, this may include checking that a TRB type field is within a valid range, one or more reserved fields are equal to zero, the Slot ID is within a predetermined range, and/or the data is in a TRB format. If the data that is read is not validated, the host controller firmware may refrain from providing the VMM(s) with access to data read from the memory locations.
- the host controller firmware may refrain from providing the VMM(s) with access to data read from the memory locations.
- FIG. 1 is a diagram of an example of an operational environment 100 for validating access by virtualization software to data in memory, in accordance with some embodiments of the present disclosure. It should be understood that this and other arrangements described herein are set forth only as examples. Other arrangements and elements (e.g., machines, interfaces, functions, orders, groupings of functions, etc.) may be used in addition to or instead of those shown, and some elements may be omitted altogether. Further, many of the elements described herein are functional entities that may be implemented as discrete or distributed components or in conjunction with other components, and in any suitable combination and location. Various functions described herein as being performed by entities may be carried out by hardware, firmware, and/or software. For instance, various functions may be carried out by a processor executing instructions stored in memory.
- the operational environment 100 may include among other things, a host system(s) 102 , and an external device(s) 130 .
- the operational environment 100 may, for example, be implemented using one or more computing devices 600 of FIG. 6 .
- the host system 102 may include a VMM 104 , a host controller firmware/hardware 106 (also referred as “host controller 106 ” or “host controller firmware 106 ”), a VM 108 , a VM 110 , a VM 114 , a VM 116 , and a memory 118 .
- the VMM 104 may include a VMM memory 134 , an interface manager 136 , a communications processor 138 , and a memory mapper 140 .
- the host controller firmware 106 may include a validator 142 , a communications processor 144 , and an interface manager 146 .
- the memory 118 may include a VM memory 120 , a VM memory 122 , a VM memory 124 , and a VM memory 126 .
- the host system(s) 102 may be configured to host one or more virtualized environments.
- the virtualized environments may be managed by virtualization software, an example of which may include the one or more VMMs 104 .
- the VMM(s) 104 may or may not include a hypervisor of the host system 102 .
- the hypervisor may create and run any number of VMs, such as the VMs 108 , 110 , 114 , or 116 (e.g., guest VMs), and/or virtualization services (e.g., the VMM 104 ) of the virtual environment(s).
- the VMM 104 may, amongst other potential functionalities, be configured to facilitate (e.g., using an xHCI compliant server) a connection between any of the VMs, such as the VM 108 , and another entity via the host controller 106 using a VF.
- the other entity include an entity within the host system 102 (e.g., the VM 116 ), or an entity external to the host system (e.g., the external device 130 ).
- the interface manager 136 of the VMM 104 may be configured to manage communications to and from the VMM 104 .
- the communications processor 138 of the VMM 104 may be configured to generate communications, such as read commands to read VM memory, and/or to process received communications, such as doorbell events or request commands in the VMM memory 134 from VMs.
- the memory mapper 140 of the VMM 104 may be configured to map data corresponding to a VF or VM to a corresponding memory address in the memory 118 (e.g., the VM memory 120 for the VM 108 ) for a read command to read data from the VM's memory.
- the host controller 106 may be configured to provide an interface for the connections between VMs and other entities, as well as validate the reads commands from the VMM 104 and/or data read from VM memory.
- the interface manager 146 of the host controller 106 may be configured to manage communications to and from the host controller 106 .
- the communications processor 144 of the host controller 106 may be configured to process received communications, such as doorbell events from VMs, the read commands from the VMM 104 , and/or data read from VM memory based on the read commands, such as request commands from VMs.
- the communications processor 144 of the host controller 106 may also be configured to generate communications, such as doorbell events for the VMM 104 .
- At least some of the processing performed by the communications processor 144 may use the validator 142 of the host controller 106 to validate a read command and/or the data read from VM memory of a VM, as described herein. Once validated, the interface manager 146 of the host controller 106 may provide the data to the VMM memory 134 for use in establishing and/or modifying a connection between the VM and another entity. The interface manager 146 may then communicate directly with the VM and the other entity to host the connection without requiring use of the VMM 104 (e.g., for data transfer related work).
- the host system 102 may be implemented on one or more Integrated Circuits (ICs) that may include, but is not limited to, one or more System-on-Chip (SoCs) and/or Graphics Processing Units (GPUs).
- ICs Integrated Circuits
- SoCs System-on-Chip
- GPUs Graphics Processing Units
- the host system 102 may generally be used in any application in which a VM communicates with another entity using a host controller interface.
- the host system 102 may form at least a portion of an embedded system, such as an Electronic Control Unit (ECU).
- ECU Electronic Control Unit
- the host system 102 may be incorporated into, for example, non-autonomous vehicles, semi-autonomous vehicles (e.g., in one or more advanced driver assistance systems (ADAS)), robots, warehouse vehicles, off-road vehicles, flying vessels, boats, and/or other vehicle types.
- ADAS advanced driver assistance systems
- the host system 102 may use the VM 108 , 110 , 114 , or 116 , for example, to determine and/or convey (e.g., using the host controller 106 ) controls for accelerators, braking, and/or functions of one or more devices.
- This may be used for ADAS, robotics (e.g., path planning for a robot), aerial systems (e.g., path planning for a drone or other aerial vehicle), boating systems (e.g., path planning for a boat or other water vessel), and/or other technologies.
- Each of the VMs 108 , 110 , 114 , and 116 of the host system 102 may be a virtual computing device.
- Each of the VMs 108 , 110 , 114 , and 116 may have separate capabilities and operational address spaces in the memory 118 .
- the VMs 108 , 110 , 114 , and 116 may have respective address spaces that correspond to the VM memory 120 , the VM memory 122 , the VM memory 124 , and the VM memory 126 respectively.
- the memory 118 may refer to one or more physical memory devices and the hypervisor and/or the VMM 104 may be responsible for supporting the ability of the VMs 108 , 110 , 114 , and 116 to share the physical device(s) while enforcing the distinct address spaces.
- each VM is on a different partition supported by the hypervisor and/or the VMM 104 .
- One or more of the VMs 108 , 110 , 114 , or 116 may receive and provide communications with peripheral devices (e.g., the external device 130 ) and components via the host controller 106 .
- peripheral devices e.g., the external device 130
- the external device 130 include any device capable of communicating with a VM over a host controller interface, such as an ECU, a USB drive, a camera, a smartphone, a VM, a laptop, a personal computer, a network device, a peripheral device, a client device, etc.
- Each VM may comprise an OSI, such as a guest OS, examples of which include deployments of Linux, Android, GENIVI, QNX, etc.
- one of the guest OSes may control an In-Vehicle Infotainment (IVI) system, another a vehicle cluster, another a Heads-Up-Display (HUD) system, and yet another an ADAS and/or autonomous driving system.
- IVI In-Vehicle Infotainment
- HUD Heads-Up-Display
- Any number of communications used to implement this functionality may be provided over the interface provided by the host controller 106 .
- each of the VMs 108 , 110 , 114 , and 116 may have a command ring to which the VM may provide any number of commands.
- Each VM may provide the commands in the VM's memory (e.g., address space) in the memory 118 .
- the VM 108 may provide a command to the VM memory 120 that is assigned to the VM 108 .
- An example of such a command includes a request command, which a VM may use to request information regarding a connection and/or device capabilities (e.g., of the external device 130 ) in order to establish and/or modify a connection to another device, such as the external device 130 or another VM or logical device or component.
- the VMM 104 and/or the hypervisor may use the request command to modify and/or establish the connection.
- a request command may indicate what formats or transfers the digital camera supports.
- the request command may be in different formats and/or may contain different types of information depending on the controller interface implemented by the host controller 106 and/or other connection criteria.
- the command may include TRB data.
- the TRB data may be in the form of a data structure constructed in the memory and be representative of such information as a TRB type field, one or more reserved fields, and a Slot ID.
- Each VF (and VM) may be assigned a slot using a slot ID.
- the slot may have a slot context address including a slot context data structure containing information that relates to a device as a whole or affects all endpoints of a device.
- the VMM 104 may read this slot context address and program in PFs in a slot context.
- the VMM 104 and/or the hypervisor may not have the capability to directly read the VM's memory for command ring handling.
- the VMM 104 could be able to read from an arbitrary location in the memory 118 and/or within a particular VM's memory.
- the interface manager 136 of the VMM 104 may provide a read command to the host controller 106 and the interface manager 146 of the host controller 106 may receive the read command, and in response use one or more controller direct memory accesses (DMAs) to read the data from the VM memory.
- DMAs controller direct memory accesses
- the interface manager 146 of the host controller 106 may further provide the VMM 104 with access to the data, such as by providing (e.g., writing) the data to the VMM memory 134 , which can be read by the interface manager 136 of the VMM 104 .
- the VMM 104 may then use the communications processor 138 to process the command and facilitate the connection.
- the VMM memory 134 is shown as within the VMM 104 but may be external to the VMM 104 . Further the VMM memory 134 may be included in the memory 118 and/or in various other components of the host system 102 .
- the VMM memory 134 may generally refer to memory locations that are accessible to the interface manager 136 of the VMM 104 .
- the VMM 104 may be configured to provide at least some virtualization services to each of the VMs 108 , 110 , 114 , and 116 . This may include the VMM 104 trapping the capabilities and operational register space of each of the VMs 108 , 110 , 114 , and 116 . In some embodiments, the VMM 104 is configured to perform root port level virtualization of the VMs 108 , 110 , 114 , and 116 , where all devices may be connected to one root port and may be assigned to one guest operating system therein. The VMM 104 may also manage the physical function and the command ring of each of the VMs 108 , 110 , 114 , and 116 .
- the VMM 104 may get notified via the interface manager 136 whenever a VF is trying to access capabilities and operational register space of the host controller 106 .
- PF command and event rings of the VMM 104 may be configured to process VF commands using the communications processor 138 and to receive event TRBs from the host controller 106 using the interface manager 136 .
- the interface manager 136 of the VMM 104 may also receive pad interrupts for all ports associated with the host controller 106 which the interface manager 136 may then forward to a respective VM in the form of an Inter VM Communications (IVC) message.
- IVC Inter VM Communications
- the host controller firmware 106 may be a trusted entity of the host system 102 that is signed and authenticated when loaded by the host system 102 through the system's chain of trust.
- the host controller firmware 106 may support any of a variety of host controller interfaces, such as those used for Universal Serial Bus (USB), FireWire, Bluetooth, Ethernet, Peripheral Component Interconnect (PCI), Near-Field Communication (NFC), Vehicle-to-everything (V2X), Car 2 Car, Cellular, Wireless Fidelity (WiFi), or other types of communications.
- USB Universal Serial Bus
- FireWire FireWire
- Bluetooth Ethernet
- PCI Peripheral Component Interconnect
- NFC Near-Field Communication
- V2X Vehicle-to-everything
- Car 2 Car Car
- Cellular Cellular
- WiFi Wireless Fidelity
- the host controller firmware 106 may determine what to access in the memory 118 , how to do it securely, and how the results are made available to other components of the host system 102 . To this effect, the host controller 106 may use the validator 142 to validate the read commands from the VMM 104 and/or data read from the memory 118 in response to the read commands in order to regulate access to the data. To validate a read command from the VM, the validator 142 may confirm that the read command matches a doorbell event for a corresponding VM's command ring. For example, when the VM 108 writes a request command to the VM memory 120 , it may provide a doorbell event that is received by the interface manager 146 of the host controller firmware 106 .
- the validator 142 may determine that the read command is invalid.
- the validator 142 may confirm that the interface manager 146 of the host controller 106 sent a doorbell event to the VMM 104 prior to receiving the read command.
- the interface manager 146 of the host controller firmware 106 may provide a corresponding doorbell event to the VMM 104 .
- the doorbell event to the VMM 104 may indicate to the VMM 104 to use the memory mapper 140 to determine a memory address for the VM 108 and provide the memory address or other indicator of one or more memory locations in the read command to the host controller 106 .
- the validator 142 may determine that the read command is invalid.
- the validator 142 of the host controller 106 may use information in the read command to determine whether the read command is valid.
- the read command may comprise one or more of a slot ID, a VF ID, a memory address to read from, or a memory size to read.
- the validator 142 of the host controller 106 may determine that a read command is invalid if the VF ID does not match the ID of a VF provided to the host controller firmware 106 by the VM 108 in the doorbell event.
- the validator 142 of the host controller 106 may determine that a read command is invalid if the slot ID does not match the ID of a slot provided to the host controller firmware 106 by the VM 108 in the doorbell event.
- the validator 142 of the host controller 106 may validate the read command based on the memory size specified by the read command. This may include determining that the memory size is within a predetermined range and/or is of a predetermined size (which may vary based on other factors). For example, a TRB may be 16 bytes and a larger or smaller size may indicate an invalid command. Thus, if the validator 142 determines the memory size is not equal to 16 bytes, the validator 142 may determine the read command is invalid. If the read command is not validated by the validator 142 , the host controller firmware 106 may refrain from using the interface manager 146 to read the memory locations indicated by the read command and/or from providing the VMM 104 with access to data read from the memory locations.
- the validator 142 may validate the data read from the memory locations indicated by a read command. For example, the validator 142 may read the data and confirm the data is of a proper format and/or includes proper information or parameters. This may include the validator 142 checking that a request type field has a valid value, one or more reserved fields has an expected value, a Slot ID is within a predetermined range, and/or the data is in a predefined format. The expected value and/or the predetermined range may have static values or may be dynamically generated. Further, either may be predetermined or defined by the host controller firmware 106 such as coded to the host controller firmware 106 .
- any of the values may be hard-coded or computed by code at run-time and/or predetermined by the host controller firmware 106 .
- this may include checking that a TRB type field is within a valid range, one or more reserved fields are equal to zero, the Slot ID is within a predetermined range, and/or the data is in a TRB format. If the validator 142 does not validate the data (e.g., determines the data is invalid), the interface manager 146 of the host controller firmware 106 may refrain from providing the VMM 104 with access to data read from the memory locations.
- FIG. 2 depicts a flow diagram of an example of a process 200 for validating access by virtualization software to data in memory, in accordance with some embodiments of the present disclosure.
- the example process 200 is illustrated using the VM 108 and the VM memory 120 of FIG. 1 , by way of example. However, the process 200 may similarly be formed for the VMs and VM memory, such as the VMs 110 , 114 , or VM 116 of FIG. 1 and the VM memories 122 , 124 , or 126 .
- the specific arrangement and make up of components from FIG. 1 are not intended to be limited by FIG. 2 , and may vary in some embodiments.
- the process 200 is depicted with blocks and arrows, this is not intended to limit all embodiments of the process 200 to a particular order, or to particular operations.
- the interface manager 136 of the VMM 104 may send a notification to the VM 108 of a connection related event.
- the notification may, for example, indicate to the VM 108 that a logical or physical device/entity (e.g., the external device 130 ) has connected to a port (e.g., a root port) and/or the device/entity is requesting a new or modified connection to the VM 108 .
- the VMM 104 may optionally detect the connection related event over a VF. In some embodiments, this may include the interface manager 136 of the VMM 104 receiving a pad interrupt for the port associated with the VM 108 .
- the interface manager 136 of the VMM 104 may then forward the notification comprising corresponding information (e.g., interrupt information) to the VM 108 at 202 in the form of an Inter VM Communications (IVC) message.
- IVC Inter VM Communications
- the VM 108 may, at 204 A, the VM 108 write a request command to the VM memory 120 .
- the VM 108 may write the request command to the command ring of the VM 108 .
- the request command may be based on the notification and may include, for example, a request for connection and/or device properties (e.g., for the connected device). While a request command is described the request command may correspond to any number of commands (e.g., multiple request commands).
- the VM 108 may, at 204 B, notify the host controller firmware 106 about the command stored at 204 A. For example, after, during, or prior to 204 A, the VM 108 may send a doorbell event to the host controller firmware 106 to ring the doorbell of the host controller firmware 106 .
- the interface manager 146 of the host controller firmware 106 may receive the notification and at 206 may send a request to the VMM 104 based on receiving the notification at 204 B. In some examples, this includes forwarding the doorbell event to the VMM 104 .
- the communications processor 144 records information regarding the notification from the VM 108 , which the validator 142 may use to validate read requests received from the VMM 104 . This may include, for example, a number of notifications received from the VM 108 and/or any VM, a number of requests sent to the VMM 104 based on notifications received from the VM 108 and/or any VM, and/or a VM ID (e.g., VF ID) of the VM 108 .
- a VM ID e.g., VF ID
- the request (e.g., a forwarded doorbell event) may be received by the interface manager 136 of the VMM 104 and indicate to the VMM 104 to help process the request command(s) in the VM memory 120 (e.g., to help process one or more commands in the command ring of the VM 108 ).
- the communications processor 144 of the VMM 104 may process the request from 206 and use the memory mapper 140 to map the request to one or more memory locations.
- the communications processor 144 may use the one or more memory locations to generate a read command and the interface manager 136 of the VMM 104 may provide the read command to the host controller 106 at 208 .
- the read command may indicate the one or more memory locations for the host controller firmware 106 to read, such as using a memory address in the memory 118 and a memory size for the read.
- the read command may also include a slot ID or VF ID of the VM 108 .
- the interface manager 146 of the host controller firmware 106 may receive the read command(s) from the VMM 104 and the communications processor 144 may use information in the read command(s) to read the request command(s) (e.g., command TRB data) at 210 A that were stored to the VM memory 120 by the VM 108 at 204 A.
- the communications processor 144 may use the slot ID or VF ID to determine the unique stream ID for the VM 108 .
- the interface manager 146 of the host controller firmware 106 may use the stream ID, the memory address, and the memory size to read from the VM memory 120 .
- stream IDs may be separately programmed in another hardware register by the hypervisor and used for memory access security with different stream IDs being assigned to different VFs/VMs.
- the communications processor 144 may use the validator 142 to validate one or more of the read command(s) from 208 and/or the data read at 210 A. For example, in some embodiments, if the validator 142 determines the read command is invalid, 210 A may not be performed. In other examples, the validator 142 may still read the data at 210 A even if the read command is found to be invalid. Also, the validator 142 may or may not analyze the data to determine if the data is valid. In some examples, the validator 142 will always read the data without validation, if possible, then perform the validation on the data.
- the interface manager 146 of the host controller firmware 106 may provide the data and/or information represented by the data to the VMM 104 .
- the interface manager 146 may do so by storing the information (e.g., the command TRB data) in the VMM memory 134 at 210 B.
- the interface manager 146 of the host controller firmware 106 may provide a notification(s) to the VMM 104 .
- the notification(s) may indicate to the VMM 104 that the information from 210 B is in the VMM memory 134 , the read command(s) from 208 were found valid by the validator 142 , and/or the data read at 210 A was found valid by the validator 142 .
- the notification may be referred to, for example, as a command completion event.
- the command completion event (e.g., CCode) may indicate that one or more of the data and/or the read command were found to be invalid.
- the information may not have been stored to the VMM memory 134 at 210 B were one or more of the data and/or the read command were found to be invalid.
- the interface manager 136 of the VMM 104 may receive the notification from 212 from the host controller firmware 106 and based on the notification, read the information from the VMM memory 134 .
- the VMM 104 may not attempt to read the information, and may optionally perform some other action.
- the VMM 104 may notify the VM 108 regarding the failure.
- the communications processor 138 may process the information and send the results (e.g., the requested information) to the VM 108 (e.g. in a command completion event TRB). Subsequently, the connection to the device/entity may be established and/or modified based on the results.
- each block of methods 300 , 400 , and 500 comprises a computing process that may be performed using any combination of hardware, firmware, and/or software. For instance, various functions may be carried out by a processor executing instructions stored in memory.
- the methods 300 , 400 , and 500 may also be embodied as computer-usable instructions stored on computer storage media.
- the methods 300 , 400 , and 500 may be provided by a standalone application, a service or hosted service (standalone or in combination with another hosted service), or a plug-in to another product, to name a few non-limiting examples.
- methods 300 , 400 , and 500 are described, by way of example, with respect to the host system 102 of FIG. 1 .
- these methods 300 , 400 , and 500 may additionally or alternatively be executed by any one system, or any combination of systems, including, but not limited to, those described herein. Further, the methods 300 , 400 , or 500 may or may not correspond to the process 200 of FIG. 2 .
- FIG. 3 depicts a flow diagram of an example of a method for validating data read from VM memory in response to a read command from virtualization software, in accordance with some embodiments of the present disclosure.
- the method 300 includes receiving a command indicating a memory address of a virtual machine.
- the interface manager 146 of the host controller firmware 106 of FIG. 1 may receive a command (e.g., a read command) from the VMM 104 .
- the command may indicate a memory address of the VM 108 .
- the method 300 includes reading data from the memory address.
- the interface manager 146 of the host controller firmware 106 may read data from the memory address in the VM memory 120 based on the receiving of the command.
- the method 300 includes validating the data read from the memory address.
- the validator 142 of the host controller firmware 106 may validate the data read from the memory address.
- the method 300 includes providing a VMM with access to the data read.
- the interface manager 146 of the host controller firmware 106 may provide the VMM 104 with access to the data read from the memory address based on the validation (e.g., via the VMM memory 134 ).
- the method 300 includes sending a command completion event.
- the interface manager 146 of the host controller firmware 106 may send a command completion event to the VMM 104 indicating the data read from the memory address is validated.
- At least block B 308 may not be performed. Also, in some embodiments, had the data not be validated at block B 306 , the command completion event at block B 310 may indicate the data was not validated (e.g., found to be invalid).
- FIG. 4 depicts is a flow diagram of an example of a method 400 for validating a command from virtualization software to read VM memory, in accordance with some embodiments of the present disclosure.
- the method 400 may be incorporated into the method 300 .
- the method 400 and the method 300 may be independent from one another.
- the method 400 includes receiving a command indicating a memory address of a virtual machine.
- the interface manager 146 of the host controller firmware 106 of FIG. 1 may receive a command (e.g., a read command) from the VMM 104 .
- the command may indicate a memory address of the VM 108 .
- the method 400 at block B 404 may include validating the command.
- the communications processor 144 may use the validator 142 to validate the command received from the VMM 104 .
- the method 400 at block B 406 includes reading data from the memory address.
- the interface manager 146 of the host controller firmware 106 may read data from the memory address in the VM memory 120 based on the receiving of the command.
- the reading of the data from the memory address may be based on the validator 142 validating the command.
- the data may be read regardless of whether the command is determined to be valid.
- the method 400 includes providing a VMM with access to the data read.
- the interface manager 146 of the host controller firmware 106 may provide the VMM 104 with access to the data read from the memory address based on the validation (e.g., via the VMM memory 134 ).
- the method 400 includes sending a command completion event.
- the interface manager 146 of the host controller firmware 106 may send a command completion event to the VMM 104 indicating the data read from the memory address is validated.
- At least block B 408 may not be performed. Also, in some embodiments, had the data not been validated at block B 404 , the command completion event at block B 410 may indicate the command was not validated (e.g., found to be invalid) and/or block B 406 may not be performed. Further in some cases, block B 406 may be performed prior to block B 404 .
- FIG. 5 depicts is a flow diagram of an example of a method 500 for virtualization software to read data from VM memory using a host controller firmware, in accordance with some embodiments of the present disclosure.
- the method 500 may be incorporated into one or more of the method 300 or the method 400 .
- the method 500 may correspond to the method 300 and/or the method 400 from a perspective of a VMM.
- the method 500 and the method 300 or the method 400 may be independent from one another.
- the method 500 includes sending a command indicating a memory address of a virtual machine.
- the interface manager 136 of the VMM 104 of FIG. 1 may send a command (e.g., a read command) to the host controller firmware 106 .
- the command may indicate a memory address of the VM 108 .
- block B 502 may be based on the interface manager 136 of the VMM 104 receiving a doorbell event from the host controller 106 , as described herein.
- the method 500 includes receiving a command completion event indicating a validation of the data read from the memory address, the command, or both.
- the interface manager 136 of the VMM 104 may receive a command completion event from the host controller firmware 106 .
- the command completion event may indicate (e.g., via a CCode as described herein) a validation, by the host controller firmware 106 , of the command, the data read from the memory address based on the command, or both.
- the method 500 includes reading the data read from the memory address.
- interface manager 136 of the VMM 104 may read the data read from the memory address.
- FIG. 6 is a block diagram of an example computing environment suitable for validating access by virtualization software to data in memory in some implementations of the present application.
- Computing device 600 may include a bus 602 that directly or indirectly couples the following devices: memory 604 , one or more central processing units (CPU) 606 , one or more graphics processing units (GPU) 608 , a communication interface 610 , input/output (I/O) ports 612 , input/output components 614 , a power supply 616 , and one or more presentation components 618 (e.g., display(s)).
- CPU central processing units
- GPU graphics processing units
- I/O input/output
- 614 input/output components 614
- power supply 616 e.g., a power supply 616
- presentation components 618 e.g., display(s)
- a presentation components 618 such as a display device, may be considered an I/O component 614 (e.g., if the display is a touch screen).
- the CPU(s) 606 and/or GPU(s) 608 may include memory (e.g., the memory 604 may be representative of a storage device in addition to the memory of the GPU(s) 608 , the CPU(s) 606 , and/or other components).
- the computing device of FIG. 6 is merely illustrative.
- Distinction is not made between such categories as “workstation,” “server,” “laptop,” “desktop,” “tablet,” “client device,” “mobile device,” “hand-held device,” “game console,” “electronic control unit (ECU),” “virtual reality system,” and/or other device or system types, as all are contemplated within the scope of the computing device of FIG. 6 .
- the bus 602 may represent one or more busses, such as an address bus, a data bus, a control bus, or a combination thereof.
- the bus 602 may include one or more bus types, such as an industry standard architecture (ISA) bus, an extended industry standard architecture (EISA) bus, a video electronics standards association (VESA) bus, a peripheral component interconnect (PCI) bus, a peripheral component interconnect express (PCIe) bus, and/or another type of bus.
- ISA industry standard architecture
- EISA extended industry standard architecture
- VESA video electronics standards association
- PCI peripheral component interconnect
- PCIe peripheral component interconnect express
- the memory 604 may include any of a variety of computer-readable media.
- the computer-readable media may be any available media that may be accessed by the computing device 600 .
- the computer-readable media may include both volatile and nonvolatile media, and removable and non-removable media.
- the computer-readable media may comprise computer-storage media and communication media.
- the computer-storage media may include both volatile and nonvolatile media and/or removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program applications, and/or other data types.
- the memory 604 may store computer-readable instructions (e.g., that represent a program(s) and/or a program element(s), such as an operating system.
- Computer-storage media may include, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by computing device 600 .
- computer storage media does not comprise signals per se.
- the communication media may embody computer-readable instructions, data structures, program applications, and/or other data types in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
- modulated data signal may refer to a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
- the communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer-readable media.
- the CPU(s) 606 may be configured to execute the computer-readable instructions to control one or more components of the computing device 600 to perform one or more of the methods and/or processes described herein.
- the CPU(s) 606 may each include one or more cores (e.g., one, two, four, eight, twenty-eight, seventy-two, etc.) that are capable of handling a multitude of software threads simultaneously.
- the CPU(s) 606 may include any type of processor, and may include different types of processors depending on the type of computing device 600 implemented (e.g., processors with fewer cores for mobile devices and processors with more cores for servers).
- the processor may be an ARM processor implemented using Reduced Instruction Set Computing (RISC) or an x 86 processor implemented using Complex Instruction Set Computing (CISC).
- the computing device 600 may include one or more CPU(s) 606 in addition to one or more microprocessors or supplementary co-processors, such as math co-processors.
- the GPU(s) 608 may be used by the computing device 600 to render graphics (e.g., 3D graphics).
- the GPU(s) 608 may include hundreds or thousands of cores that are capable of handling hundreds or thousands of software threads simultaneously.
- the GPU(s) 608 may generate pixel data for output images in response to rendering commands (e.g., rendering commands from the CPU(s) 606 received via a host interface).
- the GPU(s) 608 may include graphics memory, such as display memory, for storing pixel data.
- the display memory may be included as part of the memory 604 .
- the GPU(s) 608 may include two or more GPU(s) operating in parallel (e.g., via a link).
- each GPU 608 may generate pixel data for different portions of an output image or for different output images (e.g., a first GPU for a first image and a second GPU for a second image).
- Each GPU may include its own memory, or may share memory with other GPUs.
- the CPU(s) 606 may be used to render graphics and/or process data.
- the communication interface 610 may include one or more receivers, transmitters, and/or transceivers that enable the computing device 600 to communicate with other computing devices via an electronic communication network, included wired and/or wireless communications.
- the communication interface 610 may include components and functionality to enable communication over any of a number of different networks, such as wireless networks (e.g., Wi-Fi, Z-Wave, Bluetooth, Bluetooth LE, ZigBee, etc.), wired networks (e.g., communicating over Ethernet), low-power wide-area networks (e.g., LoRaWAN, SigFox, etc.), and/or the Internet.
- wireless networks e.g., Wi-Fi, Z-Wave, Bluetooth, Bluetooth LE, ZigBee, etc.
- wired networks e.g., communicating over Ethernet
- low-power wide-area networks e.g., LoRaWAN, SigFox, etc.
- the I/O ports 612 may enable the computing device 600 to be logically coupled to other devices including the I/O components 614 , the presentation component(s) 618 , and/or other components, some of which may be built in to (e.g., integrated in) the computing device 600 .
- Illustrative I/O components 614 include a microphone, mouse, keyboard, joystick, game pad, game controller, satellite dish, scanner, printer, wireless device, etc.
- the I/O components 614 may provide a natural user interface (NUI) that processes air gestures, voice, or other physiological inputs generated by a user. In some instances, inputs may be transmitted to an appropriate network element for further processing.
- NUI natural user interface
- a NUI may implement any combination of speech recognition, stylus recognition, facial recognition, biometric recognition, gesture recognition both on screen and adjacent to the screen, air gestures, head and eye tracking, and touch recognition (as described in more detail below) associated with a display of the computing device 600 .
- the computing device 600 may be include depth cameras, such as stereoscopic camera systems, infrared camera systems, RGB camera systems, touchscreen technology, and combinations of these, for gesture detection and recognition. Additionally, the computing device 600 may include accelerometers or gyroscopes (e.g., as part of an inertia measurement unit (IMU)) that enable detection of motion. In some examples, the output of the accelerometers or gyroscopes may be used by the computing device 600 to render immersive augmented reality or virtual reality.
- IMU inertia measurement unit
- the power supply 616 may include a hard-wired power supply, a battery power supply, or a combination thereof.
- the power supply 616 may provide power to the computing device 600 to enable the components of the computing device 600 to operate.
- the presentation component(s) 618 may include a display (e.g., a monitor, a touch screen, a television screen, a heads-up-display (HUD), other display types, or a combination thereof), speakers, and/or other presentation components.
- the presentation component(s) 618 may receive data from other components (e.g., the GPU(s) 608 , the CPU(s) 606 , etc.), and output the data (e.g., as an image, video, sound, etc.).
- the disclosure may be described in the general context of computer code or machine-useable instructions, including computer-executable instructions such as program applications, being executed by a computer or other machine, such as a personal data assistant or other handheld device.
- program applications including routines, programs, objects, components, data structures, etc., refer to code that perform particular tasks or implement particular abstract data types.
- the disclosure may be practiced in a variety of system configurations, including hand-held devices, consumer electronics, general-purpose computers, more specialty computing devices, etc.
- the disclosure may also be practiced in distributed computing environments where tasks are performed by remote-processing devices that are linked through a communications network.
- element A, element B, and/or element C may include only element A, only element B, only element C, element A and element B, element A and element C, element B and element C, or elements A, B, and C.
- at least one of element A or element B may include at least one of element A, at least one of element B, or at least one of element A and at least one of element B.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Human Computer Interaction (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Business, Economics & Management (AREA)
- Artificial Intelligence (AREA)
- Evolutionary Computation (AREA)
- Game Theory and Decision Science (AREA)
- Medical Informatics (AREA)
- Aviation & Aerospace Engineering (AREA)
- Radar, Positioning & Navigation (AREA)
- Remote Sensing (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
In various examples, access to VM memory by virtualization software is secured using a trusted firmware of a host controller to validate one or more of a command to read a VM's memory and/or the data read from VM memory in order to protect against improper access to data in VM memory. If validation fails, the firmware may refrain from reading the data and/or from providing the virtualization software with access to the data. The data may include a request command from a VM regarding establishing or modifying a connection using the host controller to another entity, such as another device within or outside of the virtualization environment. The virtualization software may use the request command to facilitate the connection. The host controller may provide an eXtensible Host Controller Interface (xHCI) or a different type of interface for the connection.
Description
- This application is a continuation of U.S. application Ser. No. 16/530,323, filed Aug. 2, 2019, which claims priority to and the benefit of U.S. patent application Ser. No. 62/714,634 filed on Aug. 3, 2018, which is incorporated herein by reference in its entirety.
- Virtualization allows multiple Virtual Machine (VMs)—often used to host Operating System Instances (OSI)—to run concurrently within a single host system. A default interface (without virtualization of the interface) presented by a host controller to the host system may include a Physical Function (PF), or host controller interface. Examples of host controller interfaces include those used for Universal Serial Bus (USB), FireWire, Bluetooth, Ethernet, Peripheral Component Interconnect (PCI), or other types of communications. For example, an eXtensible Host Controller Interface (xHCI) may be used to support USB communications. Virtualization of the host controller interface enables multiple Virtual Functions (VF) to share a PF. To minimize hardware requirements, the physical interface presented by a VF typically includes only a subset of that presented by the corresponding PF and relies on virtualization software to emulate portions of the VF interface to fill in the gaps.
- Conventionally, the virtualization software may be used to facilitate a connection between a VM and another entity using a VF, such as another entity within the host system (e.g., another VM), or an entity external to the host system (e.g., a hardware device). For example, the virtualization software may assist the VM in establishing a connection using the VF, or modifying an existing connection using the VF. To facilitate the connection, the virtualization software may read data from the memory of the VM which indicates information requested by the VM, such as connection properties. In the example of xHCI, the data may be Command Transfer Request Block (TRB) data used to request device properties of a newly connected device. This poses a security risk in that if the virtualization software becomes compromised, it may be possible for a malicious actor to read the memory allocated to any VM through the host controller interface. For example, a component of the virtualization software responsible for mapping VM memory may manipulate the mapping to access unauthorized locations in memory.
- The present disclosure relates, in part, to securing access to VM memory by virtualization software to facilitate a connection between a VM and another entity using a VF. In contrast to conventional approaches, a trusted firmware of a host controller may validate one or more of a command to read a VM's memory and/or the data read from VM memory in order to protect against improper access to data in VM memory. If validation fails, the firmware may refrain from reading the data and/or from providing the virtualization software with access to the data. Thus, if virtualization software becomes compromised, a malicious actor may be prevented from arbitrarily accessing VM memory.
- To read the data, one or more virtual machine managers (VMMs) of the virtualization software may send a read command to trusted firmware of the host controller that indicates memory locations to read in order to access the data. The host controller firmware may validate the read command and/or the data read from VM memory. For example, the host controller firmware may confirm that the read command matches a doorbell event for a corresponding VM's command ring, confirm that it sent a doorbell event to the VMM prior to receiving the read command, and/or check that a memory size specified by command is valid. As further examples, the host controller firmware may read the data and confirm the data is of a proper format and/or includes proper information or parameters. The host controller may refrain from providing the VMM to access the data if the command and/or the data is not validated (e.g., determined to be invalid).
- The present systems and methods for secure access of virtual machine memory is described in detail below with reference to the attached drawing figures, wherein:
-
FIG. 1 is a diagram of an example of an operational environment for validating access by virtualization software to data in memory, in accordance with some embodiments of the present disclosure; -
FIG. 2 is a flow diagram of an example of a process for validating access by virtualization software to data in memory, in accordance with some embodiments of the present disclosure; -
FIG. 3 is a flow diagram of an example of a method for validating data read from VM memory in response to a read command from virtualization software, in accordance with some embodiments of the present disclosure; -
FIG. 4 is a flow diagram of an example of a method for validating a command from virtualization software to read VM memory, in accordance with some embodiments of the present disclosure; -
FIG. 5 is a flow diagram of an example of a method for virtualization software to read data from VM memory using a host controller firmware, in accordance with some embodiments of the present disclosure; and -
FIG. 6 is a block diagram of an example computing environment suitable for validating access by virtualization software to data in memory, in accordance with some embodiments of the present disclosure. - Systems and methods are disclosed related to using trusted firmware of a host controller to validate one or more of a command to read a VM's memory (e.g., system memory dedicated or allocated to a VM) and/or the data read from VM memory in order to protect against improper access to data in system memory. As a result, if virtualization software becomes compromised, a malicious actor may be prevented from arbitrarily accessing VM memory.
- In various embodiments, one or more virtual machine managers (VMM(s)) of virtualization software and a VF may be used to facilitate a connection between a VM and another entity (e.g., an external VM, an external device), such as another entity within the host system (e.g., another VM), or an entity external to the host system. The VMM(s) may or may not include a hypervisor of a host system. To facilitate the connection, the VM may receive a notification from the VMM regarding the entity. For example, a user may connect a USB device to an xHCI controller, and the xHCI controller may notify the VMM of the new device, which in turn notifies the appropriate VM. In response to the notification, the VM may provide a command intended for the VMM that it stores as data in the memory of the underlying system or device designated for the VM. To read the data, the VMM may send a read command to the trusted firmware of the host controller that indicates memory locations to read in order to access the data.
- In some aspects of the present disclosure, the host controller firmware may validate the read command. For example, the host controller firmware may confirm that the read command matches a doorbell event for a corresponding VM's command ring. As another example, the host controller firmware may confirm that it sent a doorbell event to the VMM (e.g., to indicate to the VMM to help process commands in the VM's command ring) prior to receiving the command. As another example, the host controller firmware may check that a memory size specified by a command is valid (e.g., a TRB may be 16 bytes and a larger or smaller size may indicate an invalid command). If the command is not validated, the host controller firmware may refrain from reading the memory locations and/or from providing the VMM(s) with access to data read from the memory locations.
- In further aspects of the present disclosure, in addition to or instead of the host controller firmware validating the command, the host controller firmware may validate data read from the memory locations. For example, the host controller firmware may read the data and confirm the data is of a proper format and/or includes proper information or parameters. This may include checking that a request type field has a valid value, one or more reserved fields has an expected value, a Slot Identifier (ID) is within a predetermined range, and/or the data is in a predefined format. In the example of an xHCI interface, this may include checking that a TRB type field is within a valid range, one or more reserved fields are equal to zero, the Slot ID is within a predetermined range, and/or the data is in a TRB format. If the data that is read is not validated, the host controller firmware may refrain from providing the VMM(s) with access to data read from the memory locations.
- In any example, if the command and/or the data is not validated (e.g., determined to be invalid), the firmware may provide a command completion event (e.g., CCode=0) to the VMM(s) indicating a failure of the command. If the command and/or the data is validated, the host controller firmware may provide the VMM(s) with access to the data, such as by copying the data to VMM memory. Further, the host controller firmware may provide a command completion event (e.g., CCode=1) to the VMM(s) indicating a success of the command. This may indicate to the VMM that it may read the data from the VMM memory.
- Now referring to
FIG. 1 ,FIG. 1 is a diagram of an example of anoperational environment 100 for validating access by virtualization software to data in memory, in accordance with some embodiments of the present disclosure. It should be understood that this and other arrangements described herein are set forth only as examples. Other arrangements and elements (e.g., machines, interfaces, functions, orders, groupings of functions, etc.) may be used in addition to or instead of those shown, and some elements may be omitted altogether. Further, many of the elements described herein are functional entities that may be implemented as discrete or distributed components or in conjunction with other components, and in any suitable combination and location. Various functions described herein as being performed by entities may be carried out by hardware, firmware, and/or software. For instance, various functions may be carried out by a processor executing instructions stored in memory. - The
operational environment 100 may include among other things, a host system(s) 102, and an external device(s) 130. Theoperational environment 100 may, for example, be implemented using one ormore computing devices 600 ofFIG. 6 . Thehost system 102 may include aVMM 104, a host controller firmware/hardware 106 (also referred as “host controller 106” or “host controller firmware 106”), aVM 108, aVM 110, aVM 114, aVM 116, and amemory 118. TheVMM 104 may include aVMM memory 134, aninterface manager 136, acommunications processor 138, and amemory mapper 140. Thehost controller firmware 106 may include avalidator 142, acommunications processor 144, and aninterface manager 146. Thememory 118 may include aVM memory 120, aVM memory 122, aVM memory 124, and aVM memory 126. - The host system(s) 102 may be configured to host one or more virtualized environments. The virtualized environments may be managed by virtualization software, an example of which may include the one or
more VMMs 104. The VMM(s) 104 may or may not include a hypervisor of thehost system 102. The hypervisor may create and run any number of VMs, such as theVMs - The
VMM 104 may, amongst other potential functionalities, be configured to facilitate (e.g., using an xHCI compliant server) a connection between any of the VMs, such as theVM 108, and another entity via thehost controller 106 using a VF. Examples of the other entity include an entity within the host system 102 (e.g., the VM 116), or an entity external to the host system (e.g., the external device 130). Theinterface manager 136 of theVMM 104 may be configured to manage communications to and from theVMM 104. Thecommunications processor 138 of theVMM 104 may be configured to generate communications, such as read commands to read VM memory, and/or to process received communications, such as doorbell events or request commands in theVMM memory 134 from VMs. Thememory mapper 140 of theVMM 104 may be configured to map data corresponding to a VF or VM to a corresponding memory address in the memory 118 (e.g., theVM memory 120 for the VM 108) for a read command to read data from the VM's memory. - The
host controller 106, amongst other potential functionalities, may be configured to provide an interface for the connections between VMs and other entities, as well as validate the reads commands from theVMM 104 and/or data read from VM memory. For example, theinterface manager 146 of thehost controller 106 may be configured to manage communications to and from thehost controller 106. Thecommunications processor 144 of thehost controller 106 may be configured to process received communications, such as doorbell events from VMs, the read commands from theVMM 104, and/or data read from VM memory based on the read commands, such as request commands from VMs. Thecommunications processor 144 of thehost controller 106 may also be configured to generate communications, such as doorbell events for theVMM 104. At least some of the processing performed by thecommunications processor 144 may use thevalidator 142 of thehost controller 106 to validate a read command and/or the data read from VM memory of a VM, as described herein. Once validated, theinterface manager 146 of thehost controller 106 may provide the data to theVMM memory 134 for use in establishing and/or modifying a connection between the VM and another entity. Theinterface manager 146 may then communicate directly with the VM and the other entity to host the connection without requiring use of the VMM 104 (e.g., for data transfer related work). - The
host system 102 may be implemented on one or more Integrated Circuits (ICs) that may include, but is not limited to, one or more System-on-Chip (SoCs) and/or Graphics Processing Units (GPUs). Thehost system 102 may generally be used in any application in which a VM communicates with another entity using a host controller interface. In some examples, thehost system 102 may form at least a portion of an embedded system, such as an Electronic Control Unit (ECU). Thehost system 102 may be incorporated into, for example, non-autonomous vehicles, semi-autonomous vehicles (e.g., in one or more advanced driver assistance systems (ADAS)), robots, warehouse vehicles, off-road vehicles, flying vessels, boats, and/or other vehicle types. Thehost system 102 may use theVM - Each of the
VMs host system 102 may be a virtual computing device. Each of theVMs memory 118. For example, theVMs VM memory 120, theVM memory 122, theVM memory 124, and theVM memory 126 respectively. Thememory 118 may refer to one or more physical memory devices and the hypervisor and/or theVMM 104 may be responsible for supporting the ability of theVMs VMM 104. - One or more of the
VMs host controller 106. Examples of theexternal device 130 include any device capable of communicating with a VM over a host controller interface, such as an ECU, a USB drive, a camera, a smartphone, a VM, a laptop, a personal computer, a network device, a peripheral device, a client device, etc. Each VM may comprise an OSI, such as a guest OS, examples of which include deployments of Linux, Android, GENIVI, QNX, etc. As a specific example for autonomous driving implementations, one of the guest OSes may control an In-Vehicle Infotainment (IVI) system, another a vehicle cluster, another a Heads-Up-Display (HUD) system, and yet another an ADAS and/or autonomous driving system. Any number of communications used to implement this functionality may be provided over the interface provided by thehost controller 106. - In various examples, each of the
VMs memory 118. For example, theVM 108 may provide a command to theVM memory 120 that is assigned to theVM 108. An example of such a command includes a request command, which a VM may use to request information regarding a connection and/or device capabilities (e.g., of the external device 130) in order to establish and/or modify a connection to another device, such as theexternal device 130 or another VM or logical device or component. TheVMM 104 and/or the hypervisor may use the request command to modify and/or establish the connection. As an example, if theexternal device 130 is a digital camera, a request command may indicate what formats or transfers the digital camera supports. - The request command may be in different formats and/or may contain different types of information depending on the controller interface implemented by the
host controller 106 and/or other connection criteria. For example, where the controller interface is based on xHCI, the command may include TRB data. The TRB data may be in the form of a data structure constructed in the memory and be representative of such information as a TRB type field, one or more reserved fields, and a Slot ID. Each VF (and VM) may be assigned a slot using a slot ID. The slot may have a slot context address including a slot context data structure containing information that relates to a device as a whole or affects all endpoints of a device. TheVMM 104 may read this slot context address and program in PFs in a slot context. - For enhanced security, the
VMM 104 and/or the hypervisor may not have the capability to directly read the VM's memory for command ring handling. For example, if the virtualization software becomes compromised, theVMM 104 could be able to read from an arbitrary location in thememory 118 and/or within a particular VM's memory. Instead, to read a request command from a VM, theinterface manager 136 of theVMM 104 may provide a read command to thehost controller 106 and theinterface manager 146 of thehost controller 106 may receive the read command, and in response use one or more controller direct memory accesses (DMAs) to read the data from the VM memory. Theinterface manager 146 of thehost controller 106 may further provide theVMM 104 with access to the data, such as by providing (e.g., writing) the data to theVMM memory 134, which can be read by theinterface manager 136 of theVMM 104. TheVMM 104 may then use thecommunications processor 138 to process the command and facilitate the connection. TheVMM memory 134 is shown as within theVMM 104 but may be external to theVMM 104. Further theVMM memory 134 may be included in thememory 118 and/or in various other components of thehost system 102. TheVMM memory 134 may generally refer to memory locations that are accessible to theinterface manager 136 of theVMM 104. - The
VMM 104 may be configured to provide at least some virtualization services to each of theVMs VMM 104 trapping the capabilities and operational register space of each of theVMs VMM 104 is configured to perform root port level virtualization of theVMs VMM 104 may also manage the physical function and the command ring of each of theVMs VMM 104 may get notified via theinterface manager 136 whenever a VF is trying to access capabilities and operational register space of thehost controller 106. PF command and event rings of theVMM 104 may be configured to process VF commands using thecommunications processor 138 and to receive event TRBs from thehost controller 106 using theinterface manager 136. Theinterface manager 136 of theVMM 104 may also receive pad interrupts for all ports associated with thehost controller 106 which theinterface manager 136 may then forward to a respective VM in the form of an Inter VM Communications (IVC) message. - The
host controller firmware 106 may be a trusted entity of thehost system 102 that is signed and authenticated when loaded by thehost system 102 through the system's chain of trust. Thehost controller firmware 106 may support any of a variety of host controller interfaces, such as those used for Universal Serial Bus (USB), FireWire, Bluetooth, Ethernet, Peripheral Component Interconnect (PCI), Near-Field Communication (NFC), Vehicle-to-everything (V2X), Car2Car, Cellular, Wireless Fidelity (WiFi), or other types of communications. - The
host controller firmware 106 may determine what to access in thememory 118, how to do it securely, and how the results are made available to other components of thehost system 102. To this effect, thehost controller 106 may use thevalidator 142 to validate the read commands from theVMM 104 and/or data read from thememory 118 in response to the read commands in order to regulate access to the data. To validate a read command from the VM, thevalidator 142 may confirm that the read command matches a doorbell event for a corresponding VM's command ring. For example, when theVM 108 writes a request command to theVM memory 120, it may provide a doorbell event that is received by theinterface manager 146 of thehost controller firmware 106. If such a doorbell event was not received from theVM 108, but theinterface manager 146 of thehost controller firmware 106 has received a read command that requests that thehost controller firmware 106 read from theVM memory 120, thevalidator 142 may determine that the read command is invalid. - As another example, the
validator 142 may confirm that theinterface manager 146 of thehost controller 106 sent a doorbell event to theVMM 104 prior to receiving the read command. For example, in some embodiments, in response to receiving the doorbell event from theVM 108, theinterface manager 146 of thehost controller firmware 106 may provide a corresponding doorbell event to theVMM 104. The doorbell event to theVMM 104 may indicate to theVMM 104 to use thememory mapper 140 to determine a memory address for theVM 108 and provide the memory address or other indicator of one or more memory locations in the read command to thehost controller 106. If such a doorbell event was not provided by theinterface manager 146 of thehost controller 106 to theVMM 104, but a read command is received that requests that thehost controller firmware 106 read from theVM memory 120, thevalidator 142 may determine that the read command is invalid. - In any example, the
validator 142 of thehost controller 106 may use information in the read command to determine whether the read command is valid. For example, the read command may comprise one or more of a slot ID, a VF ID, a memory address to read from, or a memory size to read. In some examples, thevalidator 142 of thehost controller 106 may determine that a read command is invalid if the VF ID does not match the ID of a VF provided to thehost controller firmware 106 by theVM 108 in the doorbell event. Also in some examples, thevalidator 142 of thehost controller 106 may determine that a read command is invalid if the slot ID does not match the ID of a slot provided to thehost controller firmware 106 by theVM 108 in the doorbell event. - As another example, the
validator 142 of thehost controller 106 may validate the read command based on the memory size specified by the read command. This may include determining that the memory size is within a predetermined range and/or is of a predetermined size (which may vary based on other factors). For example, a TRB may be 16 bytes and a larger or smaller size may indicate an invalid command. Thus, if thevalidator 142 determines the memory size is not equal to 16 bytes, thevalidator 142 may determine the read command is invalid. If the read command is not validated by thevalidator 142, thehost controller firmware 106 may refrain from using theinterface manager 146 to read the memory locations indicated by the read command and/or from providing theVMM 104 with access to data read from the memory locations. - In addition to or instead of the
validator 142 of thehost controller 106 validating the read command, thevalidator 142 may validate the data read from the memory locations indicated by a read command. For example, thevalidator 142 may read the data and confirm the data is of a proper format and/or includes proper information or parameters. This may include thevalidator 142 checking that a request type field has a valid value, one or more reserved fields has an expected value, a Slot ID is within a predetermined range, and/or the data is in a predefined format. The expected value and/or the predetermined range may have static values or may be dynamically generated. Further, either may be predetermined or defined by thehost controller firmware 106 such as coded to thehost controller firmware 106. For example, any of the values may be hard-coded or computed by code at run-time and/or predetermined by thehost controller firmware 106. In the example of an xHCI interface, this may include checking that a TRB type field is within a valid range, one or more reserved fields are equal to zero, the Slot ID is within a predetermined range, and/or the data is in a TRB format. If thevalidator 142 does not validate the data (e.g., determines the data is invalid), theinterface manager 146 of thehost controller firmware 106 may refrain from providing theVMM 104 with access to data read from the memory locations. - Referring now to
FIG. 2 ,FIG. 2 depicts a flow diagram of an example of aprocess 200 for validating access by virtualization software to data in memory, in accordance with some embodiments of the present disclosure. Theexample process 200 is illustrated using theVM 108 and theVM memory 120 ofFIG. 1 , by way of example. However, theprocess 200 may similarly be formed for the VMs and VM memory, such as theVMs VM 116 ofFIG. 1 and theVM memories FIG. 1 are not intended to be limited byFIG. 2 , and may vary in some embodiments. Although theprocess 200 is depicted with blocks and arrows, this is not intended to limit all embodiments of theprocess 200 to a particular order, or to particular operations. - At 202 of the
process 200, theinterface manager 136 of theVMM 104 may send a notification to theVM 108 of a connection related event. The notification may, for example, indicate to theVM 108 that a logical or physical device/entity (e.g., the external device 130) has connected to a port (e.g., a root port) and/or the device/entity is requesting a new or modified connection to theVM 108. For example, prior to theprocess 200, theVMM 104 may optionally detect the connection related event over a VF. In some embodiments, this may include theinterface manager 136 of theVMM 104 receiving a pad interrupt for the port associated with theVM 108. Theinterface manager 136 of theVMM 104 may then forward the notification comprising corresponding information (e.g., interrupt information) to theVM 108 at 202 in the form of an Inter VM Communications (IVC) message. - Based on receiving the notification at 202, the
VM 108 may, at 204A, theVM 108 write a request command to theVM memory 120. For example, theVM 108 may write the request command to the command ring of theVM 108. The request command may be based on the notification and may include, for example, a request for connection and/or device properties (e.g., for the connected device). While a request command is described the request command may correspond to any number of commands (e.g., multiple request commands). - Also based on receiving the notification at 202, the
VM 108 may, at 204B, notify thehost controller firmware 106 about the command stored at 204A. For example, after, during, or prior to 204A, theVM 108 may send a doorbell event to thehost controller firmware 106 to ring the doorbell of thehost controller firmware 106. Theinterface manager 146 of thehost controller firmware 106 may receive the notification and at 206 may send a request to theVMM 104 based on receiving the notification at 204B. In some examples, this includes forwarding the doorbell event to theVMM 104. In some examples, thecommunications processor 144 records information regarding the notification from theVM 108, which thevalidator 142 may use to validate read requests received from theVMM 104. This may include, for example, a number of notifications received from theVM 108 and/or any VM, a number of requests sent to theVMM 104 based on notifications received from theVM 108 and/or any VM, and/or a VM ID (e.g., VF ID) of theVM 108. - The request (e.g., a forwarded doorbell event) may be received by the
interface manager 136 of theVMM 104 and indicate to theVMM 104 to help process the request command(s) in the VM memory 120 (e.g., to help process one or more commands in the command ring of the VM 108). Thecommunications processor 144 of theVMM 104 may process the request from 206 and use thememory mapper 140 to map the request to one or more memory locations. Thecommunications processor 144 may use the one or more memory locations to generate a read command and theinterface manager 136 of theVMM 104 may provide the read command to thehost controller 106 at 208. As discussed herein, the read command may indicate the one or more memory locations for thehost controller firmware 106 to read, such as using a memory address in thememory 118 and a memory size for the read. The read command may also include a slot ID or VF ID of theVM 108. - The
interface manager 146 of thehost controller firmware 106 may receive the read command(s) from theVMM 104 and thecommunications processor 144 may use information in the read command(s) to read the request command(s) (e.g., command TRB data) at 210A that were stored to theVM memory 120 by theVM 108 at 204A. For example, thecommunications processor 144 may use the slot ID or VF ID to determine the unique stream ID for theVM 108. Theinterface manager 146 of thehost controller firmware 106 may use the stream ID, the memory address, and the memory size to read from theVM memory 120. In thehost system 102, stream IDs may be separately programmed in another hardware register by the hypervisor and used for memory access security with different stream IDs being assigned to different VFs/VMs. - Prior to, during, and/or after 210A, the
communications processor 144 may use thevalidator 142 to validate one or more of the read command(s) from 208 and/or the data read at 210A. For example, in some embodiments, if thevalidator 142 determines the read command is invalid, 210A may not be performed. In other examples, thevalidator 142 may still read the data at 210A even if the read command is found to be invalid. Also, thevalidator 142 may or may not analyze the data to determine if the data is valid. In some examples, thevalidator 142 will always read the data without validation, if possible, then perform the validation on the data. - After the data is read at 210A, the
interface manager 146 of thehost controller firmware 106 may provide the data and/or information represented by the data to theVMM 104. In the example shown, theinterface manager 146 may do so by storing the information (e.g., the command TRB data) in theVMM memory 134 at 210B. Also, at 212, theinterface manager 146 of thehost controller firmware 106 may provide a notification(s) to theVMM 104. The notification(s) may indicate to theVMM 104 that the information from 210B is in theVMM memory 134, the read command(s) from 208 were found valid by thevalidator 142, and/or the data read at 210A was found valid by thevalidator 142. The notification may be referred to, for example, as a command completion event. In some embodiments, the command completion event may include a CCode=1 indicating a success in validating the data and/or the read command. Had the data and/or the read command not been found valid by thevalidator 142, the command completion event (e.g., CCode) may indicate that one or more of the data and/or the read command were found to be invalid. For example, the command completion event may include a CCode=0, indicating a failure in validating the data and/or the read command. Further, the information may not have been stored to theVMM memory 134 at 210B were one or more of the data and/or the read command were found to be invalid. - The
interface manager 136 of theVMM 104 may receive the notification from 212 from thehost controller firmware 106 and based on the notification, read the information from theVMM memory 134. For example, thecommunications processor 144 may determine that the read command from 208 succeeded (e.g., by identifying CCode=1 in the command completion event) and based on the determination, read the information at 214. Had the read command failed, theVMM 104 may not attempt to read the information, and may optionally perform some other action. For example, theVMM 104 may notify theVM 108 regarding the failure. Where theVMM 104 successfully receives the information regarding the request command from theVM 108 at 214, thecommunications processor 138 may process the information and send the results (e.g., the requested information) to the VM 108 (e.g. in a command completion event TRB). Subsequently, the connection to the device/entity may be established and/or modified based on the results. - Now referring to
FIGS. 3-5 , each block ofmethods methods methods methods host system 102 ofFIG. 1 . However, thesemethods methods process 200 ofFIG. 2 . - Referring now to
FIG. 3 ,FIG. 3 depicts a flow diagram of an example of a method for validating data read from VM memory in response to a read command from virtualization software, in accordance with some embodiments of the present disclosure. Themethod 300, at block B302, includes receiving a command indicating a memory address of a virtual machine. For example, theinterface manager 146 of thehost controller firmware 106 ofFIG. 1 may receive a command (e.g., a read command) from theVMM 104. The command may indicate a memory address of theVM 108. - The
method 300, at block B304, includes reading data from the memory address. For example, theinterface manager 146 of thehost controller firmware 106 may read data from the memory address in theVM memory 120 based on the receiving of the command. - The
method 300, at block B306, includes validating the data read from the memory address. For example, thevalidator 142 of thehost controller firmware 106 may validate the data read from the memory address. - The
method 300, at block B308, includes providing a VMM with access to the data read. For example, theinterface manager 146 of thehost controller firmware 106 may provide theVMM 104 with access to the data read from the memory address based on the validation (e.g., via the VMM memory 134). - The
method 300, at block B310, includes sending a command completion event. For example, theinterface manager 146 of thehost controller firmware 106 may send a command completion event to theVMM 104 indicating the data read from the memory address is validated. - Had the data not be validated at block B306, at least block B308 may not be performed. Also, in some embodiments, had the data not be validated at block B306, the command completion event at block B310 may indicate the data was not validated (e.g., found to be invalid).
- Referring to
FIG. 4 ,FIG. 4 depicts is a flow diagram of an example of amethod 400 for validating a command from virtualization software to read VM memory, in accordance with some embodiments of the present disclosure. In some examples, themethod 400 may be incorporated into themethod 300. In other examples, themethod 400 and themethod 300 may be independent from one another. - The
method 400, at block B402, includes receiving a command indicating a memory address of a virtual machine. For example, theinterface manager 146 of thehost controller firmware 106 ofFIG. 1 may receive a command (e.g., a read command) from theVMM 104. The command may indicate a memory address of theVM 108. - The
method 400 at block B404 may include validating the command. For example, thecommunications processor 144 may use thevalidator 142 to validate the command received from theVMM 104. - The
method 400 at block B406 includes reading data from the memory address. For example, theinterface manager 146 of thehost controller firmware 106 may read data from the memory address in theVM memory 120 based on the receiving of the command. In some embodiments, the reading of the data from the memory address may be based on thevalidator 142 validating the command. In other examples, the data may be read regardless of whether the command is determined to be valid. - The
method 400, at block B408, includes providing a VMM with access to the data read. For example, theinterface manager 146 of thehost controller firmware 106 may provide theVMM 104 with access to the data read from the memory address based on the validation (e.g., via the VMM memory 134). - The
method 400, at block B410, includes sending a command completion event. For example, theinterface manager 146 of thehost controller firmware 106 may send a command completion event to theVMM 104 indicating the data read from the memory address is validated. - Had the command not been validated at block B404, at least block B408 may not be performed. Also, in some embodiments, had the data not been validated at block B404, the command completion event at block B410 may indicate the command was not validated (e.g., found to be invalid) and/or block B406 may not be performed. Further in some cases, block B406 may be performed prior to block B404.
- Referring to
FIG. 5 ,FIG. 5 depicts is a flow diagram of an example of amethod 500 for virtualization software to read data from VM memory using a host controller firmware, in accordance with some embodiments of the present disclosure. In some examples, themethod 500 may be incorporated into one or more of themethod 300 or themethod 400. For example, themethod 500 may correspond to themethod 300 and/or themethod 400 from a perspective of a VMM. In other examples, themethod 500 and themethod 300 or themethod 400 may be independent from one another. - The
method 500, at block B502, includes sending a command indicating a memory address of a virtual machine. For example, theinterface manager 136 of theVMM 104 ofFIG. 1 may send a command (e.g., a read command) to thehost controller firmware 106. The command may indicate a memory address of theVM 108. In some embodiments, block B502 may be based on theinterface manager 136 of theVMM 104 receiving a doorbell event from thehost controller 106, as described herein. - The
method 500, at block B504, includes receiving a command completion event indicating a validation of the data read from the memory address, the command, or both. For example, theinterface manager 136 of theVMM 104 may receive a command completion event from thehost controller firmware 106. The command completion event may indicate (e.g., via a CCode as described herein) a validation, by thehost controller firmware 106, of the command, the data read from the memory address based on the command, or both. - The
method 500, at block B506, includes reading the data read from the memory address. For example,interface manager 136 of theVMM 104 may read the data read from the memory address. -
FIG. 6 is a block diagram of an example computing environment suitable for validating access by virtualization software to data in memory in some implementations of the present application.Computing device 600 may include abus 602 that directly or indirectly couples the following devices:memory 604, one or more central processing units (CPU) 606, one or more graphics processing units (GPU) 608, acommunication interface 610, input/output (I/O)ports 612, input/output components 614, apower supply 616, and one or more presentation components 618 (e.g., display(s)). - Although the various blocks of
FIG. 6 are shown as connected via thebus 602 with lines, this is not intended to be limiting and is for clarity only. For example, in some embodiments, apresentation components 618, such as a display device, may be considered an I/O component 614 (e.g., if the display is a touch screen). As another example, the CPU(s) 606 and/or GPU(s) 608 may include memory (e.g., thememory 604 may be representative of a storage device in addition to the memory of the GPU(s) 608, the CPU(s) 606, and/or other components). In other words, the computing device ofFIG. 6 is merely illustrative. Distinction is not made between such categories as “workstation,” “server,” “laptop,” “desktop,” “tablet,” “client device,” “mobile device,” “hand-held device,” “game console,” “electronic control unit (ECU),” “virtual reality system,” and/or other device or system types, as all are contemplated within the scope of the computing device ofFIG. 6 . - The
bus 602 may represent one or more busses, such as an address bus, a data bus, a control bus, or a combination thereof. Thebus 602 may include one or more bus types, such as an industry standard architecture (ISA) bus, an extended industry standard architecture (EISA) bus, a video electronics standards association (VESA) bus, a peripheral component interconnect (PCI) bus, a peripheral component interconnect express (PCIe) bus, and/or another type of bus. - The
memory 604 may include any of a variety of computer-readable media. The computer-readable media may be any available media that may be accessed by thecomputing device 600. The computer-readable media may include both volatile and nonvolatile media, and removable and non-removable media. By way of example, and not limitation, the computer-readable media may comprise computer-storage media and communication media. - The computer-storage media may include both volatile and nonvolatile media and/or removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program applications, and/or other data types. For example, the
memory 604 may store computer-readable instructions (e.g., that represent a program(s) and/or a program element(s), such as an operating system. Computer-storage media may include, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by computingdevice 600. As used herein, computer storage media does not comprise signals per se. - The communication media may embody computer-readable instructions, data structures, program applications, and/or other data types in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term “modulated data signal” may refer to a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, the communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer-readable media.
- The CPU(s) 606 may be configured to execute the computer-readable instructions to control one or more components of the
computing device 600 to perform one or more of the methods and/or processes described herein. The CPU(s) 606 may each include one or more cores (e.g., one, two, four, eight, twenty-eight, seventy-two, etc.) that are capable of handling a multitude of software threads simultaneously. The CPU(s) 606 may include any type of processor, and may include different types of processors depending on the type ofcomputing device 600 implemented (e.g., processors with fewer cores for mobile devices and processors with more cores for servers). For example, depending on the type ofcomputing device 600, the processor may be an ARM processor implemented using Reduced Instruction Set Computing (RISC) or an x86 processor implemented using Complex Instruction Set Computing (CISC). Thecomputing device 600 may include one or more CPU(s) 606 in addition to one or more microprocessors or supplementary co-processors, such as math co-processors. - The GPU(s) 608 may be used by the
computing device 600 to render graphics (e.g., 3D graphics). The GPU(s) 608 may include hundreds or thousands of cores that are capable of handling hundreds or thousands of software threads simultaneously. The GPU(s) 608 may generate pixel data for output images in response to rendering commands (e.g., rendering commands from the CPU(s) 606 received via a host interface). The GPU(s) 608 may include graphics memory, such as display memory, for storing pixel data. The display memory may be included as part of thememory 604. The GPU(s) 608 may include two or more GPU(s) operating in parallel (e.g., via a link). When combined together, eachGPU 608 may generate pixel data for different portions of an output image or for different output images (e.g., a first GPU for a first image and a second GPU for a second image). Each GPU may include its own memory, or may share memory with other GPUs. - In examples where the
computing device 600 does not include the GPU(s) 608, the CPU(s) 606 may be used to render graphics and/or process data. - The
communication interface 610 may include one or more receivers, transmitters, and/or transceivers that enable thecomputing device 600 to communicate with other computing devices via an electronic communication network, included wired and/or wireless communications. Thecommunication interface 610 may include components and functionality to enable communication over any of a number of different networks, such as wireless networks (e.g., Wi-Fi, Z-Wave, Bluetooth, Bluetooth LE, ZigBee, etc.), wired networks (e.g., communicating over Ethernet), low-power wide-area networks (e.g., LoRaWAN, SigFox, etc.), and/or the Internet. - The I/
O ports 612 may enable thecomputing device 600 to be logically coupled to other devices including the I/O components 614, the presentation component(s) 618, and/or other components, some of which may be built in to (e.g., integrated in) thecomputing device 600. Illustrative I/O components 614 include a microphone, mouse, keyboard, joystick, game pad, game controller, satellite dish, scanner, printer, wireless device, etc. The I/O components 614 may provide a natural user interface (NUI) that processes air gestures, voice, or other physiological inputs generated by a user. In some instances, inputs may be transmitted to an appropriate network element for further processing. A NUI may implement any combination of speech recognition, stylus recognition, facial recognition, biometric recognition, gesture recognition both on screen and adjacent to the screen, air gestures, head and eye tracking, and touch recognition (as described in more detail below) associated with a display of thecomputing device 600. Thecomputing device 600 may be include depth cameras, such as stereoscopic camera systems, infrared camera systems, RGB camera systems, touchscreen technology, and combinations of these, for gesture detection and recognition. Additionally, thecomputing device 600 may include accelerometers or gyroscopes (e.g., as part of an inertia measurement unit (IMU)) that enable detection of motion. In some examples, the output of the accelerometers or gyroscopes may be used by thecomputing device 600 to render immersive augmented reality or virtual reality. - The
power supply 616 may include a hard-wired power supply, a battery power supply, or a combination thereof. Thepower supply 616 may provide power to thecomputing device 600 to enable the components of thecomputing device 600 to operate. - The presentation component(s) 618 may include a display (e.g., a monitor, a touch screen, a television screen, a heads-up-display (HUD), other display types, or a combination thereof), speakers, and/or other presentation components. The presentation component(s) 618 may receive data from other components (e.g., the GPU(s) 608, the CPU(s) 606, etc.), and output the data (e.g., as an image, video, sound, etc.).
- The disclosure may be described in the general context of computer code or machine-useable instructions, including computer-executable instructions such as program applications, being executed by a computer or other machine, such as a personal data assistant or other handheld device. Generally, program applications including routines, programs, objects, components, data structures, etc., refer to code that perform particular tasks or implement particular abstract data types. The disclosure may be practiced in a variety of system configurations, including hand-held devices, consumer electronics, general-purpose computers, more specialty computing devices, etc. The disclosure may also be practiced in distributed computing environments where tasks are performed by remote-processing devices that are linked through a communications network.
- As used herein, a recitation of “and/or” with respect to two or more elements should be interpreted to mean only one element, or a combination of elements. For example, “element A, element B, and/or element C” may include only element A, only element B, only element C, element A and element B, element A and element C, element B and element C, or elements A, B, and C. In addition, “at least one of element A or element B” may include at least one of element A, at least one of element B, or at least one of element A and at least one of element B.
- The subject matter of the present disclosure is described with specificity herein to meet statutory requirements. However, the description itself is not intended to limit the scope of this disclosure. Rather, the inventors have contemplated that the claimed subject matter might also be embodied in other ways, to include different steps or combinations of steps similar to the ones described in this document, in conjunction with other present or future technologies. Moreover, although the terms “step” and/or “block” may be used herein to connote different elements of methods employed, the terms should not be interpreted as implying any particular order among or between various steps herein disclosed unless and except when the order of individual steps is explicitly described.
Claims (20)
1. A method comprising:
recording information indicating receipt, by a host controller, of a notification that a virtual machine (VM) has stored data in memory allocated to the VM;
validating, by the host controller using the information indicating the receipt of the notification, a command from a virtual machine manager (VMM) to read the data in the memory; and
providing the VMM with access to the data read from the memory based at least on the command being validated by the host controller.
2. The method of claim 1 , wherein the notification is sent by the VM responsive to the VM storing the data in the memory.
3. The method of claim 1 , wherein the information corresponds to a quantity of at least one of:
one or more notifications received by the host controller from the VM, wherein the validating is based at least on the quantity of notifications received by the host controller from the VM; or
one or more requests sent by the host controller to the VMM responsive to at least the notification from the VM, wherein the validating is based at least on the quantity of requests sent by the host controller to the VMM.
4. The method of claim 1 , wherein the host controller is comprised in at least one of:
a control system for an autonomous or semi-autonomous machine;
a perception system for an autonomous or semi-autonomous machine;
a system for generating or presenting virtual reality (VR) content;
a system for generating or presenting augmented reality (AR) content;
a system implemented using a robot; or
a system incorporating one or more virtual machines (VMs).
5. The method of claim 1 , wherein the notification comprises one or more commands from the VM, and the method further includes sending, in response to the receipt of the notification, a request to the VMM to cause the VMM to perform processing of the one or more commands from the VM, wherein the command is sent from the VMM as part of the processing.
6. The method of claim 1 , wherein the information represents a virtual function identifier (VF ID), and the validating includes comparing, using the information, the VF ID to an identifier received in the command.
7. The method of claim 1 , wherein the information represents a slot identifier (ID), and the validating includes comparing, using the information, the slot ID to an identifier received in the command.
8. The method of claim 1 , wherein the command is a read command generated by the VMM and comprises a memory address and a data size to be read using the memory address, and the validating includes determining the data size matches a memory size indicated by the information.
9. The method of claim 1 , wherein the data comprises a request by the VM for connection capabilities of an entity based at least on a connection of the entity to the host controller, and the notification represents a doorbell event for the request.
10. One or more processors comprising:
one or more circuits to:
generate, using a host controller, a record of an event, the event corresponding a virtual machine (VM) storing data in memory allocated to the VM;
validating, using the host controller corresponding to the record, a command from a virtual machine manager (VMM) to access the data from the memory; and
providing the WM with access to the data based at least on the command being validated using the host controller.
11. The one or more processors of claim 10 , wherein the generating of the record is in response to receiving a notification sent by the VM responsive to the storing of the data in the memory.
12. The one or more processors of claim 10 , wherein the record corresponds to a quantity of at least one of:
one or more notifications of storage events received by the host controller from the VM, wherein the validating is based at least on the quantity of notifications of storage events received by the host controller from the VM; or one or more requests sent by the host controller to the WM for the WM to process one or more commands from the VM, wherein the validating is based at least on the quantity of requests sent by the host controller to the VMM.
13. The one or more processors of claim 10 , wherein the one or more circuits are comprised in at least one of:
a control system for an autonomous or semi-autonomous machine;
a perception system for an autonomous or semi-autonomous machine;
a system for generating or presenting virtual reality (VR) content;
a system for generating or presenting augmented reality (AR) content;
a system implemented using a robot; or
a system incorporating one or more virtual machines (VMs).
14. The one or more processors of claim 10 , wherein the validating is based at least on the host controller determining at least one of a virtual function identifier in the record or a slot identifier in the record matches the command.
15. The one or more processors of claim 10 , wherein the data comprises a request by the VM for connection capabilities of an entity based at least on a connection of the entity to the host controller, and the record is generated in response to a doorbell event for the request.
16. A system comprising:
one or more processing units to provide a virtual machine manager (VMM) with access to data in memory allocated to a virtual machine (VM) based at least on using a host controller to validate a command from the VMM to access the data, wherein the host controller validates the command using information that includes a record of the VM storing the data in the memory.
17. The system of claim 16 , wherein the information is generated in response to the host controller receiving a notification sent by the VM responsive to the storing of the data in the memory.
18. The system of claim 16 , wherein the information corresponds to a quantity of at least one of:
one or more notifications of storage events received by the host controller from the VM, wherein the validating is based at least on the quantity of notifications of storage events received by the host controller from the VM; or
one or more requests sent by the host controller to the VMM for the VMM to process one or more commands from the VM, wherein the validating is based at least on the quantity of requests sent by the host controller to the VMM.
19. The system of claim 16 , wherein the system comprises at least one of:
a control system for an autonomous or semi-autonomous machine;
a perception system for an autonomous or semi-autonomous machine;
a system for generating or presenting virtual reality (VR) content;
a system for generating or presenting augmented reality (AR) content;
a system implemented using a robot; or
a system incorporating one or more virtual machines (VMs).
20. The system of claim 16 , wherein the data comprises a request by the VM for connection capabilities of an entity based at least on a connection of the entity to the host controller, and the information is generated in response to a doorbell event for the request.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/898,904 US20220413892A1 (en) | 2018-08-03 | 2022-08-30 | Secure access of virtual machine memory suitable for ai assisted automotive applications |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201862714634P | 2018-08-03 | 2018-08-03 | |
US16/530,323 US11429419B2 (en) | 2018-08-03 | 2019-08-02 | Secure access of virtual machine memory suitable for AI assisted automotive applications |
US17/898,904 US20220413892A1 (en) | 2018-08-03 | 2022-08-30 | Secure access of virtual machine memory suitable for ai assisted automotive applications |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/530,323 Continuation US11429419B2 (en) | 2018-08-03 | 2019-08-02 | Secure access of virtual machine memory suitable for AI assisted automotive applications |
Publications (1)
Publication Number | Publication Date |
---|---|
US20220413892A1 true US20220413892A1 (en) | 2022-12-29 |
Family
ID=69229674
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/530,323 Active 2039-10-01 US11429419B2 (en) | 2018-08-03 | 2019-08-02 | Secure access of virtual machine memory suitable for AI assisted automotive applications |
US17/898,904 Pending US20220413892A1 (en) | 2018-08-03 | 2022-08-30 | Secure access of virtual machine memory suitable for ai assisted automotive applications |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/530,323 Active 2039-10-01 US11429419B2 (en) | 2018-08-03 | 2019-08-02 | Secure access of virtual machine memory suitable for AI assisted automotive applications |
Country Status (5)
Country | Link |
---|---|
US (2) | US11429419B2 (en) |
JP (1) | JP7384900B2 (en) |
CN (1) | CN112740180B (en) |
DE (1) | DE112019003920T5 (en) |
WO (1) | WO2020028782A1 (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102018205204A1 (en) * | 2018-04-06 | 2019-10-10 | Robert Bosch Gmbh | Method for providing application data of at least one application executable on a control device of a vehicle, method for calibrating a control device, control device and evaluation device |
US11656775B2 (en) | 2018-08-07 | 2023-05-23 | Marvell Asia Pte, Ltd. | Virtualizing isolation areas of solid-state storage media |
US11074013B2 (en) | 2018-08-07 | 2021-07-27 | Marvell Asia Pte, Ltd. | Apparatus and methods for providing quality of service over a virtual interface for solid-state storage |
US11010314B2 (en) | 2018-10-30 | 2021-05-18 | Marvell Asia Pte. Ltd. | Artificial intelligence-enabled management of storage media access |
US11481118B2 (en) | 2019-01-11 | 2022-10-25 | Marvell Asia Pte, Ltd. | Storage media programming with adaptive write buffer release |
US11836035B2 (en) * | 2021-08-06 | 2023-12-05 | Western Digital Technologies, Inc. | Data storage device with data verification circuitry |
Family Cites Families (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7334076B2 (en) * | 2005-03-08 | 2008-02-19 | Microsoft Corporation | Method and system for a guest physical address virtualization in a virtual machine environment |
US9058183B2 (en) * | 2009-12-29 | 2015-06-16 | Advanced Micro Devices, Inc. | Hypervisor isolation of processor cores to enable computing accelerator cores |
US8627112B2 (en) * | 2010-03-30 | 2014-01-07 | Novell, Inc. | Secure virtual machine memory |
EP2652623B1 (en) * | 2010-12-13 | 2018-08-01 | SanDisk Technologies LLC | Apparatus, system, and method for auto-commit memory |
US8356120B2 (en) * | 2011-01-07 | 2013-01-15 | Red Hat Israel, Ltd. | Mechanism for memory state restoration of virtual machine (VM)-controlled peripherals at a destination host machine during migration of the VM |
WO2012135192A2 (en) * | 2011-03-28 | 2012-10-04 | Mcafee, Inc. | System and method for virtual machine monitor based anti-malware security |
US20120254993A1 (en) | 2011-03-28 | 2012-10-04 | Mcafee, Inc. | System and method for virtual machine monitor based anti-malware security |
US9753738B2 (en) * | 2011-10-21 | 2017-09-05 | Hewlett-Packard Development Company, L.P. | Providing a function of a basic input/output system (BIOS) in a privileged domain |
US8583920B1 (en) * | 2012-04-25 | 2013-11-12 | Citrix Systems, Inc. | Secure administration of virtual machines |
US9785576B2 (en) * | 2014-03-27 | 2017-10-10 | Intel Corporation | Hardware-assisted virtualization for implementing secure video output path |
JP6162652B2 (en) * | 2014-06-20 | 2017-07-12 | 株式会社東芝 | Memory management apparatus, program, and method |
JP6584823B2 (en) * | 2014-06-20 | 2019-10-02 | 株式会社東芝 | Memory management apparatus, program, and method |
US9262197B2 (en) * | 2014-07-16 | 2016-02-16 | Dell Products L.P. | System and method for input/output acceleration device having storage virtual appliance (SVA) using root of PCI-E endpoint |
US9916263B2 (en) * | 2015-08-06 | 2018-03-13 | International Business Machines Corporation | Access of virtual machines to storage area networks |
CN107209681B (en) * | 2015-10-21 | 2020-07-07 | 华为技术有限公司 | Storage device access method, device and system |
US11163597B2 (en) | 2016-01-20 | 2021-11-02 | Unisys Corporation | Persistent guest and software-defined storage in computing fabric |
US10503922B2 (en) * | 2017-05-04 | 2019-12-10 | Dell Products L.P. | Systems and methods for hardware-based security for inter-container communication |
-
2019
- 2019-08-02 CN CN201980061719.7A patent/CN112740180B/en active Active
- 2019-08-02 DE DE112019003920.2T patent/DE112019003920T5/en active Pending
- 2019-08-02 JP JP2021505835A patent/JP7384900B2/en active Active
- 2019-08-02 WO PCT/US2019/044858 patent/WO2020028782A1/en active Application Filing
- 2019-08-02 US US16/530,323 patent/US11429419B2/en active Active
-
2022
- 2022-08-30 US US17/898,904 patent/US20220413892A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
US11429419B2 (en) | 2022-08-30 |
DE112019003920T5 (en) | 2021-05-20 |
JP7384900B2 (en) | 2023-11-21 |
JP2021532495A (en) | 2021-11-25 |
CN112740180A (en) | 2021-04-30 |
US20200042341A1 (en) | 2020-02-06 |
CN112740180B (en) | 2024-06-25 |
WO2020028782A1 (en) | 2020-02-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20220413892A1 (en) | Secure access of virtual machine memory suitable for ai assisted automotive applications | |
US9507619B2 (en) | Virtualizing a host USB adapter | |
WO2017066944A1 (en) | Method, apparatus and system for accessing storage device | |
EP2843552B1 (en) | Method and system for executing callback functions delivered via a communication between a user-space application and the operating system kernel | |
EP3539046B1 (en) | Electronic device and method for managing data in electronic device | |
CN111783106B (en) | System and method for detecting file system modifications via multi-tier file system states | |
US9507617B1 (en) | Inter-virtual machine communication using pseudo devices | |
KR102719620B1 (en) | Electronic device for executing a plurality of operating systems and controlling method thereof | |
EP3207458A1 (en) | Input signal emulation | |
US11392512B2 (en) | USB method and apparatus in a virtualization environment with multi-VM | |
US20220109617A1 (en) | Latency determinations for human interface devices | |
EP3123388B1 (en) | Virtualization based intra-block workload isolation | |
WO2017045272A1 (en) | Virtual machine migration method and device | |
US10552225B2 (en) | Virtual device migration or cloning based on device profiles | |
EP4044058A1 (en) | Capability management method and computer device | |
US9589126B2 (en) | Lock control method and electronic device thereof | |
US9684529B2 (en) | Firmware and metadata migration across hypervisors based on supported capabilities | |
KR20180110437A (en) | Tethering method and electronic device implementing the same | |
US20220335109A1 (en) | On-demand paging support for confidential computing | |
US11836503B2 (en) | Electronic device for executing heterogeneous operating systems and method therefor | |
US20230259464A1 (en) | Preventing unauthorized memory access using a physical address access permissions table | |
US20240061699A1 (en) | Securing content from guest virtual machines from unauthorized access by host operating systems | |
US12124842B1 (en) | Systems and methods for launching multiple software virtual appliances inside a single virtual environment | |
US11880481B2 (en) | Secure modular devices | |
US20240370260A1 (en) | Constant memory segmentation for parallel processors |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
AS | Assignment |
Owner name: NVIDIA CORPORATION, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GUPTA, AJAY KUMAR;TAMMINEEDI, VENKAT;LIM, DAVID;AND OTHERS;SIGNING DATES FROM 20190802 TO 20190812;REEL/FRAME:061862/0430 |