Title of Invention TOTAL HYPERVISOR ENCRYPTOR
Abstract Embodiments are directed towards providing cryptographic services to protect guest operating system (OS) images in virtualized computing environments. A hypervisor may trap privileged operations initiated by guest OS images. These trapped operations may be intercepted by a cryptographic module. A hypervisor may trap a write operation made by a guest OS image, and the cryptographic module may encrypt the write buffer and return it to the hypervisor. A hypervisor may trap a read operation made by a guest OS image, and provide the encrypted data to the cryptographic module for decrypting. If the data is decrypted, the cryptographic module may provide the decrypted data to the hypervisor, which provides the decrypted data to the guest OS image. Also, guest OS image context information may be decrypted and encrypted as the guest OS image is scheduled and de-scheduled on physical CPU(s). Further, if necessary, entire guest OS images may be encrypted.
Publication Number US2014258716(A1) Publication Date 2014.09.11
Application Number US201313791742 Filing Date 2013.03.08
Applicant DARK MATTER LABS INC. Inventors MacMillan Jeffrey Earl; Offrey Jason Arthur
Classification G06F21/60 Main Classification G06F21/60
Agency Agent
Main Claim 1. A method for protecting a guest operating system (OS) image within a virtualized computing environment with a network device that is operative to perform actions, comprising: employing at least one hypervisor to trap at least one privileged action associated with each guest OS image; and if a guest OS image associated with the trapped at least one privileged action is also designated for protection, performing further actions, comprising: if at least one cryptographic key is absent for performing a cryptographic operation on data associated with the at least one privileged action, retrieving the at least one cryptographic key from at least one remotely located cryptographic service provider; storing the at least one cryptographic key in at least one cache; if at least one cryptographic module is operative to perform the cryptographic operation on the data associated with the at least one privileged action and also the cryptographic operation is valid, enabling a cryptographic module to employ the at least one cryptographic key to perform the cryptographic operation on the data associated with the at least one privileged action; and if memory storing at least an inactive portion of the guest OS image associated with the trapped at least one privileged action is determined to be dirty, encrypting the at least inactive portion of the guest OS image stored in memory, wherein the hypervisor stores the at least encrypted inactive portion of the guest OS image.
Address Victoria CA