Configuration Space Virtualization

US 20120144071A1
Filed: 02/08/2012
Published: 06/07/2012
Est. Priority Date: 10/03/2008
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for installing and operating an I/O device on a virtual machine, comprising:

constructing a first representation of configuration space for the I/O device, the first representation being usable by the computer to indicate which portions of the configuration space can be placed under the control of a non-privileged authority;

constructing a second representation of memory mapped I/O (MMIO) space and configuration space, the second representation indicative of pages to be included, excluded, or pre-populated in the virtual machine;

constructing a map comprising indications of operations on memory that, when performed by a non-privileged authority, are permitted, denied, or translated; and

controlling access to said I/O device based on said map and said first and second representations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various aspects are disclosed herein for bounding the behavior of a non-privileged virtual machine that interacts with a device by creating a description of the device which indicates to a privileged authority (1) which operations on the device may have system-wide effects and (2) which operations have effects local to the device. The privileged authority may then permit or deny these actions. The privileged authority may also translate these actions into other actions with benign consequences.

11 Citations

View as Search Results

20 Claims

1. A computer implemented method for installing and operating an I/O device on a virtual machine, comprising:
- constructing a first representation of configuration space for the I/O device, the first representation being usable by the computer to indicate which portions of the configuration space can be placed under the control of a non-privileged authority;
  
  constructing a second representation of memory mapped I/O (MMIO) space and configuration space, the second representation indicative of pages to be included, excluded, or pre-populated in the virtual machine;
  
  constructing a map comprising indications of operations on memory that, when performed by a non-privileged authority, are permitted, denied, or translated; and
  
  controlling access to said I/O device based on said map and said first and second representations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer implemented method according to claim 1, wherein said constructing a first representation further comprises associating bits within said first representation with at least one read and write operation.
  - 3. The computer implemented method according to claim 1, wherein for memory excluded from said first representation or for memory excluded from said second representation, populating the memory with data representative of said I/O device.
  - 4. The computer implemented method according to claim 2, wherein said at least one read and write operation comprises at least one of:
    - read-only, always zero on read, always one on read, read-write, write of one clears/write of zero leaves alone, write of one sets/write of zero leaves alone, write of zero clears/write of one leaves alone, write of zero sets/write of one leaves alone, clear to zero after first read, and set to one after first read.
  - 5. The computer implemented method according to claim 3, further comprising:
    - defining bits within pages for the excluded memory, wherein said controlling access comprises using pages with the defined bits.
  - 6. The computer implemented method according to claim 1, further comprising receiving a description of the I/O device, the description indicative of the operations that are to be permitted, denied, or translated.
  - 7. The computer implemented method according to claim 6, wherein said description is received in a file provided by a vendor of said I/O device, and wherein said constructing the first and second representations comprises constructing the first and second representations in accordance with said description.
  - 8. The computer implemented method according to claim 1, wherein said controlling is performed by a virtualizing layer.
  - 9. The computer implemented method according to claim 6, further comprising:
    - constructing a third representation of I/O space;
      
      populating said third representation of I/O space based on said description; and
      
      controlling access to said I/O device in accordance with said third representation.
  - 10. The computer implemented method according to claim 6, further comprising populating said first and second representations based on the received description.
  - 11. The computer implemented method according to claim 1, further comprising excluding I/O space from said virtual machine.

12. A system for managing communications between a virtual machine and a device, comprising:
- at least one processor; and
  
  at least one memory communicatively coupled to said at least one processor, the memory having stored therein computer-executable instructions that, when executed on the processor, cause the processor to perform operations comprising;
  
  constructing a representation of configuration space for the device, the representation being usable by the system to indicate which parts of the configuration space can be placed under the control of a non-privileged authority;
  
  constructing a representation of memory mapped I/O (MMIO) space and configuration space, the representation of MMIO space and configuration space indicative of pages to be included, excluded, or pre-populated in the virtual machine;
  
  constructing a map comprising indications of operations on memory that, when performed by a non-privileged authority, are permitted, denied, or translated; and
  
  controlling access to said device based on said map and said representation of MMIO space and configuration space.
- View Dependent Claims (13, 14)
- - 13. The system of claim 12 wherein bits within said representation of configuration space comprises at least one of the following properties:
    - read-only, always zero on read, always one on read, read-write, write of one clears/write of zero leaves alone, write of one sets/write of zero leaves alone, write of zero clears/write of one leaves alone, write of zero sets/write of one leaves alone, clear to zero after first read, or set to one after first read.
  - 14. The system according to claim 12, further comprising receiving a description of the device, the description indicative of the operations that are to be permitted, denied, or translated, wherein the description is received via an installation file.

15. A computer readable storage medium storing thereon computer executable instructions for controlling access to a device communicatively coupled to a physical machine that hosts virtual machines, comprising instructions for:
- constructing a representation of configuration space for the device, the representation of configuration space indicative of which locations in the configuration space can be placed under the control of a non-privileged authority;
  
  constructing a representation of memory mapped I/O (MMIO) space and configuration space, the representation of MMIO space and configuration space indicative of pages to be included, excluded, or pre-populated in the virtual machine;
  
  constructing a map comprising indications of which operations on memory that, when performed by a non-privileged authority, are to be permitted, denied, or translated; and
  
  controlling access to said device based on said map and said representation of MMIO space and configuration space.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer readable storage medium of claim 15 wherein bits within said map or a page associated with the map contains one of the following attributes:
    - read-only, always zero on read, always one on read, read-write, write of one clears/write of zero leaves alone, write of one sets/write of zero leaves alone, write of zero clears/write of one leaves alone, write of zero sets/write of one leaves alone, clear to zero after first read, or set to one after first read.
  - 17. The computer readable storage medium of claim 15 wherein for memory excluded from said representation of configuration space or for memory excluded from said representation of memory mapped I/O space, populating said memory with predetermined data.
  - 18. The computer readable storage medium of claim 17 wherein said predetermined data corresponds to a predetermined device.
  - 19. The computer readable storage medium of claim 17, further comprising instructions for:
    - defining bits within pages for the excluded memory, wherein said controlling comprises using pages with the defined bits.
  - 20. The computer readable storage medium of claim 15, receiving a description of the device, the description indicative of the operations that are to be permitted, denied, or translated, wherein the description is received via an installation file provided by a vendor of said device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Oshins, Jacob, Allsop, Brandon, Thornton, Andrew John

Granted Patent

US 8,700,816 B2
Time in Patent Office

Days
Field of Search
US Class Current

710/8
CPC Class Codes

G06F 2009/45579   I/O management, e.g. provid...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/468   Specific access rights for ...

G06F 9/5077   Logical partitioning of res...

Configuration Space Virtualization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Configuration Space Virtualization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links