Title of invention: Protection of virtual machines executing on a host device
Abstract: Technology is described for protection of virtual machines executing on a host device having host processors and host memory. The system can include a hypervisor configured to enable the virtual machines to execute concurrently on the host device. An emancipated partition can be provided with a communication channel to the hypervisor. A primary partition can be configured to interface with the emancipated partition through the communication channel via the hypervisor. In addition, an emancipated memory space and virtual register state for the emancipated partition can be protected from direct access by the primary partition.
Publication number: US8839239(B2)  Publication date: 2014.09.16
Application number: US201012815415  Filing date: 2010.06.15
Applicant: Microsoft Corporation  Inventors: Raj Himanshu;England Paul
Classification: G06F9/455;G06F21/74  Main classification: G06F9/455
Agency:  Agents: Wight Steve;Taylor Peter;Minhas Mickey
Main claim: 1. A method for protection of virtual machines in an execution environment, comprising: enabling the virtual machines to execute concurrently in guest partitions on a host device as managed by a hypervisor on the host device, the host device comprising host processors and host memory, wherein the virtual machines execute concurrently in the guest partitions external to the hypervisor; allocating an emancipated partition containing a virtual machine and a communication channel between the emancipated partition and the hypervisor, the emancipated partition being a guest partition that is emancipated from direct access by any other partition based on a request from the guest partition, the any other partition including a primary partition; configuring the primary partition to interface with the emancipated partition through the hypervisor's input/output communication channel to the emancipated partition; and protecting emancipated memory space and virtual register state from direct access by the primary partition except a portion of the emancipated memory space as designated by the emancipated partition and the hypervisor for input and output.
Address: Redmond WA US