Configuration Space Virtualization
First Claim
Patent Images
1. A computer implemented method for installing and operating an I/O device on a virtual machine, comprising:
- constructing a first representation of configuration space for the I/O device, the first representation being usable by the computer to indicate which portions of the configuration space can be placed under the control of a non-privileged authority;
constructing a second representation of memory mapped I/O (MMIO) space and configuration space, the second representation indicative of pages to be included, excluded, or pre-populated in the virtual machine;
constructing a map comprising indications of operations on memory that, when performed by a non-privileged authority, are permitted, denied, or translated; and
controlling access to said I/O device based on said map and said first and second representations.
1 Assignment
0 Petitions
Accused Products
Abstract
Various aspects are disclosed herein for bounding the behavior of a non-privileged virtual machine that interacts with a device by creating a description of the device which indicates to a privileged authority (1) which operations on the device may have system-wide effects and (2) which operations have effects local to the device. The privileged authority may then permit or deny these actions. The privileged authority may also translate these actions into other actions with benign consequences.
11 Citations
20 Claims
-
1. A computer implemented method for installing and operating an I/O device on a virtual machine, comprising:
-
constructing a first representation of configuration space for the I/O device, the first representation being usable by the computer to indicate which portions of the configuration space can be placed under the control of a non-privileged authority; constructing a second representation of memory mapped I/O (MMIO) space and configuration space, the second representation indicative of pages to be included, excluded, or pre-populated in the virtual machine; constructing a map comprising indications of operations on memory that, when performed by a non-privileged authority, are permitted, denied, or translated; and controlling access to said I/O device based on said map and said first and second representations. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A system for managing communications between a virtual machine and a device, comprising:
-
at least one processor; and at least one memory communicatively coupled to said at least one processor, the memory having stored therein computer-executable instructions that, when executed on the processor, cause the processor to perform operations comprising; constructing a representation of configuration space for the device, the representation being usable by the system to indicate which parts of the configuration space can be placed under the control of a non-privileged authority; constructing a representation of memory mapped I/O (MMIO) space and configuration space, the representation of MMIO space and configuration space indicative of pages to be included, excluded, or pre-populated in the virtual machine; constructing a map comprising indications of operations on memory that, when performed by a non-privileged authority, are permitted, denied, or translated; and controlling access to said device based on said map and said representation of MMIO space and configuration space. - View Dependent Claims (13, 14)
-
-
15. A computer readable storage medium storing thereon computer executable instructions for controlling access to a device communicatively coupled to a physical machine that hosts virtual machines, comprising instructions for:
-
constructing a representation of configuration space for the device, the representation of configuration space indicative of which locations in the configuration space can be placed under the control of a non-privileged authority; constructing a representation of memory mapped I/O (MMIO) space and configuration space, the representation of MMIO space and configuration space indicative of pages to be included, excluded, or pre-populated in the virtual machine; constructing a map comprising indications of which operations on memory that, when performed by a non-privileged authority, are to be permitted, denied, or translated; and controlling access to said device based on said map and said representation of MMIO space and configuration space. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification