Title of invention: System and method for I/O port assignment and security policy application in a client hosted virtualization system
Abstract: A client hosted virtualization system includes a processor and non-volatile memory with BIOS code and virtualization manager code. The virtualization manager initializes the client hosted virtualization system, authenticates a virtual machine image, launches the virtual machine based on the image, and implements a policy manager. The policy manager determines a policy for the virtual machine, receives a request to access a device from the virtual machine, determines if the virtual machine is permitted to access the device based upon the policy, and if so, permits the virtual machine to access the device. If not, the policy manager denies the virtual machine access to the device. The client hosted virtualization system is configurable to execute the BIOS or the virtualization manager.
Publication number: US8938774(B2) Publication date: 2015.01.20
Application number: US201012790550 Filing date: 2010.05.28
Applicant: Dell Products, LP Inventors: Dandekar Shree; Lo Yuan-Chang
Classification: G06F21/00; G06F21/57 Main classification: G06F21/00
Agency: Larson Newman, LLP Agent: Larson Newman, LLP
Main claim: 1. A client hosted virtualization system (CHVS) comprising:
  a hardware processor configured to execute code; and
  a non-volatile memory including:
    first code to implement a basic input/output system configured to:
      initialize the CHVS; and
      launch a virtual machine on the CHVS; and
    second code to implement a virtualization manager configured to:
      initialize the CHVS;
      authenticate a first virtual machine image associated with a first virtual machine;
      launch the first virtual machine on the CHVS based on the first virtual machine image; and
      implement a policy manager configured to:
        determine a first policy for the first virtual machine;
        receive a first request to access the first device of the CHVS from the first virtual machine;
        determine when the first virtual machine is permitted to access the first device based upon the first policy;
        permit the first virtual machine to access the first device in response to determining that the first virtual machine is permitted to access the first device;
        deny the first virtual machine access to the first device in response to determining that the first virtual machine is not permitted to access the first device;
        determine when the first virtual machine is permitted to conditionally access the first device based upon the first policy;
        determine when a condition is satisfied by the first request; and
        permit the first virtual machine conditional access to the first device in response to determining that the condition is satisfied;
  wherein the processor is configured to:
    determine when the first code is selected;
    execute the first code in response to determining that the first code is selected; and
    execute the second code in response to determining that the first code is not selected.
Address: Round Rock TX US