Mechanism to transition control between components in a virtual machine environment

US 20070169120A1
Filed: 12/30/2005
Published: 07/19/2007
Est. Priority Date: 12/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

a privileged system layer in a virtualization enabled platform enabling a communication portal for executing a service requested by a first component, between the first and a second component of the platform, wherein the first component executes in a first virtual machine on the platform and the second component executes in a second virtual machine on the platform;

performing validation by the privileged system layer that the second component is authorized to execute at least one service on behalf of the first component; and

validating by the privileged system layer that the second component is authorized to execute the requested service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, the invention efficiently manages, sets up, controls and performs communication between isolated components using portals. In a platform having virtualization architecture, a component in a first virtual machine requests a service to be performed by a component in a second virtual machine. A privileged system layer validates the ability to create a communication portal between the two components. The validation is a two-level validation to ensure that a portal is permitted between the two components and that the requested activity is also permitted. Other embodiments are described and claimed.

35 Citations

View as Search Results

19 Claims

1. A method comprising:
- a privileged system layer in a virtualization enabled platform enabling a communication portal for executing a service requested by a first component, between the first and a second component of the platform, wherein the first component executes in a first virtual machine on the platform and the second component executes in a second virtual machine on the platform;
  
  performing validation by the privileged system layer that the second component is authorized to execute at least one service on behalf of the first component; and
  
  validating by the privileged system layer that the second component is authorized to execute the requested service.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as recited in claim 1, further comprising:
    - requesting a portal connection by the first component to a service in the second component; and
      
      when the privileged system layer validates the portal communication, executing the requested service by the second component.
  - 3. The method as recited in claim 1, wherein performing validation by the privileged system layer that the second component is authorized to execute at least one service on behalf of the first component comprises:
    - retrieving a portal index and local name for the second component from an outbound portal connector descriptor of the first component;
      
      translating the local name for the second component into a global name for the second component using a using a name translation table maintained by the privileged system layer;
      
      retrieving an inbound portal connector descriptor comprising a local name for a source component from the second component, the second component associated with the portal index and translated global name for the second component;
      
      translating the local name for the source component into a global name for the source component using a using a name translation table maintained by the privileged system layer;
      
      comparing the translated global name for the source component to the global name for the first component to ensure a match, and wherein validating by the privileged system layer that the second component is authorized to execute the requested service comprises;
      
      comparing a portal validator to an activity descriptor to ensure that the requested service is authorized.
  - 4. The method as recited in claim 3, wherein the activity description comprises a range descriptor.
  - 5. The method as recited in claim 1, wherein each component has access to a data structure comprising authorized inbound and outbound portal descriptors, wherein the outbound portal descriptor further comprises a local destination component name and an index, the local destination component name and index corresponding to an inbound portal descriptor in a source component, and wherein the inbound portal descriptor further comprises a local source component name and a portal validator, the local source component name corresponding to an authorized source component and the portal validator corresponding to an authorized activity.
  - 6. The method as recited in claim 5, wherein the performing validation by the privileged system layer, further comprises translating both the source and destination local names using a name translation table, the name translation table being inaccessible to deprivileged components.

7. A system comprising:
- a virtualization enabled platform having a privileged component, the platform to run a plurality of non-privileged components, each of the plurality of components to run in a virtual machine (VM) on the platform;
  
  a plurality of data structures stored in memory, each data structure accessible to the privileged component and to a corresponding non-privileged component to describe authorized communication portals for the corresponding non-privileged component; and
  
  a name translation table stored in memory, the name translation table accessible to the privileged component and inaccessible to the non-privileged components, wherein the privileged component is to perform a 2-level validation of a requested communication portal between a first component and a second component.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system as recited in claim 7, wherein the 2-level validation comprises:
    - a first validation that the first component and second component have an authorized communication portal; and
      
      a second validation that a service requested of the second component, by the first component, is an authorized service request for the authorized communication portal.
  - 9. The system as recited in claim 8, wherein to perform the first validation, the privileged component is to retrieve a portal index and local name for the second component from an outbound portal connector descriptor of the first component, translate the local name for the second component into a global name for the second component using a using a name translation table maintained by the privileged component, retrieve an inbound portal connector descriptor comprising a local name for a source component from the second component, the second component associated with the portal index and translated global name for the second component, translate the local name for the source component into a global name for the source component using a using a name translation table maintained by the privileged component, and compare the translated global name for the source component to the global name for the first component to ensure a match.
  - 10. The system as recited in claim 8, wherein to perform the second validation, the privileged component is to compare a portal validator to an activity descriptor to ensure that the requested service is authorized.
  - 11. The system as recited in claim 10, wherein the activity description comprises a range descriptor.
  - 12. The system as recited in claim 7, wherein the description of authorized communication portals in the data structure for the corresponding non-privileged component comprises authorized inbound and outbound portal descriptors, wherein the outbound portal descriptor further comprises a local destination component name and an index, the local destination component name and index corresponding to an inbound portal descriptor in a source component, and wherein the inbound portal descriptor further comprises a local source component name and a portal validator, the local source component name corresponding to an authorized source component and the portal validator corresponding to an authorized activity.
  - 13. The system as recited in claim 7, wherein the 2-level validation to be performed by the privileged component further comprises translating both a source local name and a destination local name using the name translation table.

14. A machine readable medium having instructions that when executed by a privileged system layer in a virtualization enabled platform cause the platform to:
- enable a communication portal for executing a service requested by a first component, between the first and a second component of the platform, wherein the first component executes in a first virtual machine on the platform and the second component executes in a second virtual machine on the platform;
  
  perform validation by the privileged system layer that the second component is authorized to execute at least one service on behalf of the first component; and
  
  validate by the privileged system layer that the second component is authorized to execute the requested service.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The medium as recited in claim 14, further comprising instructions that when executed in response to a request for portal connection by the first component to a service in the second component, cause the platform to:
    - validate the portal communication; and
      
      initiate execution of the requested service by the second component.
  - 16. The medium as recited in claim 14, wherein performing validation by the privileged system layer that the second component is authorized to execute at least one service on behalf of the first component comprises instructions that cause the platform to:
    - retrieve a portal index and local name for the second component from an outbound portal connector descriptor of the first component;
      
      translate the local name for the second component into a global name for the second component using a using a name translation table maintained by the privileged system layer;
      
      retrieve an inbound portal connector descriptor comprising a local name for a source component from the second component, the second component associated with the portal index and translated global name for the second component;
      
      translate the local name for the source component into a global name for the source component using a using a name translation table maintained by the privileged system layer; and
      
      compare the translated global name for the source component to the global name for the first component to ensure a match, and wherein validating by the privileged system layer that the second component is authorized to execute the requested service comprises instructions that cause the platform to compare a portal validator to an activity descriptor to ensure that the requested service is authorized.
  - 17. The medium as recited in claim 16, wherein the activity description comprises a range descriptor.
  - 18. The medium as recited in claim 14, wherein each component has access to a data structure comprising authorized inbound and outbound portal descriptors, wherein the outbound portal descriptor further comprises a local destination component name and an index, the local destination component name and index corresponding to an inbound portal descriptor in a source component, and wherein the inbound portal descriptor further comprises a local source component name and a portal validator, the local source component name corresponding to an authorized source component and the portal validator corresponding to an authorized activity.
  - 19. The medium as recited in claim 18, wherein the performing validation by the privileged system layer, further comprises instructions to translate both the source and destination local names using a name translation table, the name translation table being inaccessible to non-privileged components.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Schoenberg, Sebastian, Uhlig, Volkmar

Granted Patent

US 7,840,964 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 9/45533 Hypervisors; Virtual machin...

Mechanism to transition control between components in a virtual machine environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Mechanism to transition control between components in a virtual machine environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others