Systems, methods, and apparatus for securing virtual machine control structures

US 10,691,482 B2
Filed: 08/22/2018
Issued: 06/23/2020
Est. Priority Date: 08/11/2016
Status: Active Grant

First Claim

Patent Images

1. A processor with technology to secure a virtual machine control data structure, the processor comprising:

virtualization technology that enables the processor to;

execute host software in root mode; and

execute guest software in non-root mode in a virtual machine (VM), wherein the VM is based at least in part on a virtual machine control data structure (VMCDS) for the VM; and

a root security profile that specifies access restrictions to be imposed when the host software attempts to read the VMCDS in root mode.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing system with technology to secure a VMCS comprises random access memory (RAM) and a processor in communication with the RAM. The processor comprises virtualization technology that enables the processor to (a) execute host software in root mode and (b) execute guest software from the RAM in non-root mode in a virtual machine (VM) that is based at least in part on a virtual machine control data structure (VMCDS) for the VM. The processor also comprises a root security profile to specify access restrictions to be imposed when the host software attempts to read the VMCDS in root mode. Other embodiments are described and claimed.

15 Citations

20 Claims

1. A processor with technology to secure a virtual machine control data structure, the processor comprising:
- virtualization technology that enables the processor to;
  
  execute host software in root mode; and
  
  execute guest software in non-root mode in a virtual machine (VM), wherein the VM is based at least in part on a virtual machine control data structure (VMCDS) for the VM; and
  
  a root security profile that specifies access restrictions to be imposed when the host software attempts to read the VMCDS in root mode.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A processor according to claim 1, wherein the root security profile provides for a first access restriction for a first part of the VMCDS and a second access restriction for a second part of the VMCDS.
  - 3. A processor according to claim 1, wherein the access restrictions in the root security profile disallow reading of a guest state area of the VMCDS in root mode.
  - 4. A processor according to claim 1, further comprising:
    - security control logic to;
      
      allow the host software in root mode to read a second-level address translation (SLAT) table for the VM; and
      
      prevent the host software in root mode from reading user data for the VM.
  - 5. A processor according to claim 1, further comprising:
    - an instruction decoder that recognizes a VMCDS read (VRead) instruction that identifies part of the VMCDS; and
      
      wherein processor is configured to process a given VRead instruction from the host software by returning an error if the root security profile indicates that the identified part of the VMCDS is not allowed to be read in root mode.
  - 6. A processor according to claim 1, further comprising:
    - a key-identifier (KeyID) controller to enable the processor to establish a key domain (KD) for the guest software, wherein the KD comprises an area of random access memory (RAM) that a memory manager protects by encrypting data with a key domain key (KDK) before storing that data to that area of RAM.
  - 7. A processor according to claim 6, wherein the KeyID controller enables the data processing system to:
    - store the VMCDS for the VM in the KD;
      
      launch the VM in the KD; and
      
      execute the host software outside of the KD.
  - 8. A processor according to claim 6, wherein the KeyID controller comprises security control logic to:
    - allow the host software in root mode to read a second-level address translation (SLAT) table for the VM from the KD; and
      
      prevent the host software in root mode from reading user data for the VM from the KD.

9. A data processing system with technology to secure a virtual machine control data structure, the data processing system comprising:
- random access memory (RAM);
  
  a processor in communication with the RAM;
  
  virtualization technology in the processor that enables the processor to;
  
  execute host software in root mode; and
  
  execute guest software from the RAM in non-root mode in a virtual machine (VM), wherein the VM is based at least in part on a virtual machine control data structure (VMCDS) for the VM; and
  
  a root security profile in the processor to specify access restrictions to be imposed when the host software attempts to read the VMCDS in root mode.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. A data processing system according to claim 9, further comprising:
    - a memory manager in communication with the RAM; and
      
      an encryption engine in the memory manager, wherein the encryption engine enables the processor to establish a key domain (KD) for the guest software, wherein the KD comprises an area of RAM that the memory manager protects by encrypting data with a key domain key (KDK) before storing that data to that area of RAM.
  - 11. A data processing system according to claim 10, wherein the data processing system does not allow the host software to access the KDK.
  - 12. A data processing system according to claim 10, wherein the processor enables the data processing system to:
    - store the VMCDS for the VM in the KD;
      
      launch the VM in the KD; and
      
      execute the host software outside of the KD.
  - 13. A data processing system according to claim 10, further comprising security control logic in the processor to:
    - allow the host software in root mode to read a second-level address translation (SLAT) table for the VM from the KD; and
      
      prevent the host software in root mode from reading user data for the VM from the KD.
  - 14. A data processing system according to claim 13, wherein the security control logic allows the processor is to use a key identifier (KeyID) for the KDK when the host software reads the SLAT table for the VM from the KD.
  - 15. A data processing system according to claim 9, wherein the root security profile provides for a first access restriction for a first part of the VMCDS and a second access restriction for a second part of the VMCDS.
  - 16. A data processing system according to claim 9, wherein the access restrictions in the root security profile disallow reading of a guest state area of the VMCDS in root mode.

17. A method for securing a virtual machine control data structure in a data processing system, the method comprising:
- establishing a key domain (KD) in random access memory (RAM) of a data processing;
  
  loading a virtual machine control data structure (VMCDS) for a virtual machine (VM) into the KD;
  
  executing guest software in the VM in the KD in non-root mode;
  
  receiving a request from a virtual machine monitor (VMM) executing in root mode in the data processing system, wherein the request involves accessing the VMCDS;
  
  in response to receiving the request from the VMM in root mode, automatically using a root security profile to determine whether or not to allow the VMM to access the VMCDS.
- View Dependent Claims (18, 19, 20)
- - 18. A method according to claim 17, wherein the VM comprises a guest VM, the method further comprising:
    - determining, at the VMM, that the VMCDS for the guest VM should be modified; and
      
      in response to determining, at the VMM, that the VMCDS for the guest VM should be modified, automatically using an agent VM that executes in the KD to write to the VMCDS for the guest VM, on behalf of the VMM.
  - 19. A method according to claim 18, further comprising:
    - automatically using a non-root security profile to determine whether or not to allow the agent VM to write to the VMCDS.
  - 20. A method according to claim 19, further comprising:
    - using a key identifier (KeyID) for the KD to allow the VMM to read a second-level address translation (SLAT) table for the VM from the KD.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Cong, Kai, Grewal, Karanvir, Durham, David M.
Primary Examiner(s)
Dada, Beemnet W

Application Number

US16/108,395
Publication Number

US 20180357093A1
Time in Patent Office

671 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/109   for multiple virtual addres...

G06F 12/1408   by using cryptography for d...

G06F 12/145   the protection being virtua...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 21/6281   at program execution time, ...

G06F 2212/1052   Security improvement

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 9/45558   Hypervisor-specific managem...

Systems, methods, and apparatus for securing virtual machine control structures

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems, methods, and apparatus for securing virtual machine control structures

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links