ASYNCHRONOUS ENCRYPTION AND DECRYPTION OF VIRTUAL MACHINE MEMORY FOR LIVE MIGRATION

US 20150381589A1
Filed: 06/26/2015
Published: 12/31/2015
Est. Priority Date: 06/28/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a memory area associated with a computing device, said memory area storing memory blocks; and

a processor programmed to;

encrypt, at a first host, one or more memory blocks associated with a source virtual machine (VM);

transfer the one or more encrypted memory blocks to the one or more second hosts; and

decrypt, on-demand and opportunistically, at the one or more second hosts, the one or more encrypted memory blocks.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples perform asynchronous encrypted live migration of virtual machines (VM) from a source host to a destination host. The encryption of the memory blocks of the VM is performed optionally before a request for live migration is received or after said request. The more resource intensive decryption of the memory blocks of the VM is performed by the destination host in a resource efficient manner, reducing the downtime apparent to users. Some examples contemplate decrypting memory blocks of the transmitted VM on-demand and opportunistically, according to a pre-determined rate, or in accordance with parameters established by a user.

53 Citations

View as Search Results

20 Claims

1. A system comprising:
- a memory area associated with a computing device, said memory area storing memory blocks; and
  
  a processor programmed to;
  
  encrypt, at a first host, one or more memory blocks associated with a source virtual machine (VM);
  
  transfer the one or more encrypted memory blocks to the one or more second hosts; and
  
  decrypt, on-demand and opportunistically, at the one or more second hosts, the one or more encrypted memory blocks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the processor is programmed to:
    - receive a request associated with one or more first memory blocks of the one or more encrypted memory blocks; and
      
      selectively decrypt, at the one or more second hosts, the one or more first memory blocks after receiving the request during a first phase of a plurality of phases.
  - 3. The system of claim 2, wherein the processor is programmed to decrypt, at the one or more second hosts, one or more second memory blocks of the one or more encrypted memory blocks at a predetermined rate during a second phase of the plurality of phases.
  - 4. The system of claim 1, wherein the processor is programmed to decrypt, at the one or more second hosts, the one or more encrypted memory blocks at a predetermined rate.
  - 5. The system of claim 1, wherein the processor is programmed to:
    - identify one or more first memory blocks of the one or more memory blocks associated with a first priority of a plurality of priorities;
      
      identify one or more second memory blocks of the one or more memory blocks associated with a second priority of the plurality of priorities;
      
      decrypt, at the one or more second hosts, the one or more first memory blocks associated with the first priority before the one or more second memory blocks associated with the second priority are decrypted.
  - 6. The system of claim 1, wherein the processor is programmed to:
    - associate the one or more memory blocks with a flag after encrypting the one or more memory blocks; and
      
      disassociate the one or more memory blocks from the flag after decrypting the one or more encrypted memory blocks.
  - 7. The system of claim 1, wherein the processor is further programmed to:
    - determine whether one or more first memory blocks of the one or more memory blocks are encrypted with a first parameter; and
      
      when the one or more first memory blocks are determined to be encrypted with the first parameter, encrypt, at the first host, the one or more first encrypted memory blocks with a second parameter.
  - 8. The system of claim 1, wherein the processor is further programmed to:
    - calculate one or more hashes of the memory blocks;
      
      encrypt the one or more calculated hashes;
      
      transfer the one or more encrypted hashes to one or more destination hosts; and
      
      decrypt the one or more hashes at the one or more destination hosts.

9. A method for encrypting memory blocks, said method comprising:
- encrypting one or more memory blocks associated with a source host with a first parameter;
  
  transferring the one or more encrypted memory blocks to one or more destination hosts; and
  
  decrypting the one or more encrypted memory blocks on-demand and opportunistically.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, further comprising:
    - identifying one or more first memory blocks of the one or more memory blocks associated with a first priority of a plurality of priorities;
      
      identifying one or more second memory blocks of the one or more memory blocks associated with a second priority of the plurality of priorities, wherein decrypting the one or more encrypted memory blocks comprises decrypting the one or more first memory blocks associated with the first priority, and decrypting the one or more second memory blocks associated with the second priority after the one or more first memory blocks are decrypted.
  - 11. The method of claim 9, further comprising identifying a pattern associated with the encryption of the one or more memory blocks, wherein decrypting the one or more encrypted memory blocks comprises decrypting the one or more encrypted memory blocks based on the pattern.
  - 12. The method of claim 9, further comprising determining whether one or more first memory blocks of the one or more memory blocks are encrypted with a second parameter, wherein encrypting one or more memory blocks comprises, when the one or more first memory blocks are determined to be encrypted with the second parameter, encrypting the one or more first encrypted memory blocks with the first parameter, such that the encryption with the first parameter and the encryption with the second parameter are nested.
  - 13. The method of claim 9, further comprising receiving a request associated with one or more first memory blocks of the one or more encrypted memory blocks, wherein decrypting the one or more encrypted memory blocks comprises selectively decrypting the one or more first memory blocks after receiving the request during a first phase of a plurality of phases.
  - 14. The method of claim 13, wherein decrypting the one or more encrypted memory blocks comprises decrypting one or more second memory blocks of the one or more encrypted memory blocks at a predetermined rate during a second phase of the plurality of phases.
  - 15. The method of claim 9, wherein transferring the one or more memory blocks further comprises:
    - optionally downgrading locks on one or more disks of a source host from an exclusive mode to a non-exclusive mode, wherein a destination hosts opens the disks in non-exclusive mode while the source host is executing;
      
      suspending execution of the source host;
      
      transferring virtual memory of the source host to the destination host, wherein the destination host begins execution after restoration of the virtual memory at the destination host; and
      
      optionally closing the disks on the source host, wherein the destination host upgrades the locks from the non-exclusive mode to the exclusive mode.
  - 16. The method of claim 15, wherein transferring the virtual memory further comprises pre-copying the virtual memory from the source host to the destination host after downgrading the locks.

17. One or more computer-readable storage media including computer-executable instructions that, when executed, cause at least one processor to:
- encrypt, at a first host, one or more memory blocks associated with a first parameter;
  
  transfer the one or more encrypted memory blocks to one or more destination hosts; and
  
  decrypt, at one or more second hosts, the one or more encrypted memory blocks on-demand and opportunistically.
- View Dependent Claims (18, 19, 20)
- - 18. The one or more computer-readable storage media of claim 17, wherein the computer-executable instructions, when executed, cause at least one processor to:
    - receive a request associated with one or more first memory blocks of the one or more encrypted memory blocks;
      
      selectively decrypt, at the one or more second hosts, the one or more first memory blocks after receiving the request during a first phase of a plurality of phases; and
      
      decrypt, at the one or more second hosts, one or more second memory blocks of the one or more encrypted memory blocks at a predetermined rate during a second phase of the plurality of phases.
  - 19. The one or more computer-readable storage media of claim 17, wherein the computer-executable instructions, when executed, cause at least one processor to:
    - identify one or more first memory blocks of the one or more memory blocks associated with a first priority of a plurality of priorities;
      
      identify one or more second memory blocks of the one or more memory blocks associated with a second priority of the plurality of priorities;
      
      decrypt, at the one or more second hosts, the one or more first memory blocks associated with the first priority before the one or more second memory blocks associated with the second priority are decrypted.
  - 20. The one or more computer-readable storage media of claim 17, wherein the computer-executable instructions, when executed, cause at least one processor to:
    - determine whether one or more first memory blocks of the one or more memory blocks are encrypted with a second parameter before the one or more first memory blocks are encrypted with the first parameter; and
      
      when the one or more first memory blocks are determined to be encrypted with the second parameter, encrypt the one or more first encrypted memory blocks with the first parameter, such that the encryption with the first parameter and the encryption with the second parameter are nested.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
TARASUK-LEVIN, Gabriel, GRANT, Reilly

Granted Patent

US 10,671,545 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0428   wherein the data content is...

ASYNCHRONOUS ENCRYPTION AND DECRYPTION OF VIRTUAL MACHINE MEMORY FOR LIVE MIGRATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ASYNCHRONOUS ENCRYPTION AND DECRYPTION OF VIRTUAL MACHINE MEMORY FOR LIVE MIGRATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links