SECURING CODE LOADING IN A VIRTUAL ENVIRONMENT
Abstract
Methods, systems, and computer program products are included for loading a code module. A method includes providing, by a hypervisor, a virtual machine that includes a guest operating system. The code module and a signature corresponding to the code module are sent by the guest operating system to the hypervisor. One or more relocations are applied to the code module. The hypervisor verifies the signature corresponding to the code module. After verifying the signature, the hypervisor allows the guest operating system to execute the code module.
20 Claims

1. A method for code loading, the method comprising:
providing, by a hypervisor, a virtual machine that includes a guest operating system;
sending, by the guest operating system, one or more symbol entries, a signed code module and one or more relocation entries corresponding to the signed code module;
receiving, at the hypervisor, the one or more symbol entries, the signed code module and the one or more relocation entries;
verifying, by the hypervisor, the signed code module;
applying, using the one or more symbol entries, one or more relocations of the one or more relocation entries to the signed code module; and
after verifying the signed code module, allowing the guest operating system to execute the signed code module.
(Claims 2 through 14 depend from claim 1 and are not reproduced here.)

15. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
providing, by a hypervisor, a virtual machine that includes a guest operating system;
communicating, from the guest operating system to the hypervisor, a code module, a signature corresponding to the code module, a decryption key, and a symbol entry;
verifying, by the hypervisor, the code module;
after verifying the code module, applying a relocation to the code module, wherein the relocation is at least partly based on an address provided by the symbol entry; and
after applying the relocation, allowing the guest operating system to execute the code module.
(Claims 16 through 19 depend from claim 15 and are not reproduced here.)

20. A code loading system comprising:
a non-transitory computer readable medium that stores a signed code module;
a processor that executes a hypervisor to provide a virtual machine that includes a guest operating system;
the guest operating system to send, to the hypervisor, one or more symbol entries, the signed code module, a key corresponding to the signed code module, and one or more relocation entries corresponding to the signed code module;
the hypervisor to:
receive the one or more symbol entries, the signed code module, the key, and the one or more relocation entries;
verify, using the key, the signed code module;
after verifying the signed code module, apply a relocation to the signed code module, wherein the relocation corresponds at least in part to an address provided by the one or more symbol entries; and
after applying the relocation, provide the guest operating system with access to execute the code module.
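The hypervisor-side sequence claimed above (verify the signed module as the guest submitted it, then apply the guest's relocation entries using its symbol entries, then permit execution), as an added Python model that is not part of the patent or of any product implementing it. HMAC-SHA256 stands in for the signature scheme, which the page does not name, and the module bytes, symbol addresses and relocation entries are constructed sample data.

```python
import hashlib
import hmac
import struct

# Constructed example: HMAC-SHA256 stands in for whatever signature scheme the
# hypervisor actually uses; the page does not specify one.
SIGNING_KEY = b"constructed-demo-key"

# Constructed "code module": 16 bytes of opaque code followed by two 8-byte
# slots (offsets 16 and 24) that must receive absolute addresses at load time.
MODULE = bytes(range(16)) + b"\x00" * 16

# Constructed guest-provided symbol entries and relocation entries;
# each relocation is (offset into module, symbol name, addend).
SYMBOLS = {"printk": 0xFFFF_8000_0010_0000, "jiffies": 0xFFFF_8000_0020_0040}
RELOCATIONS = [(16, "printk", 0), (24, "jiffies", 8)]

def sign_module(key: bytes, module: bytes) -> bytes:
    """Sign the unrelocated module; the signature covers the bytes as shipped."""
    return hmac.new(key, module, hashlib.sha256).digest()

def verify_module(key: bytes, module: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign_module(key, module), signature)

def apply_relocations(module: bytes, symbols: dict, relocations: list) -> bytes:
    """Patch each slot with symbol address + addend as a little-endian u64."""
    out = bytearray(module)
    for offset, name, addend in relocations:
        if name not in symbols:
            raise ValueError(f"unknown symbol {name!r}")
        if offset < 0 or offset + 8 > len(out):
            raise ValueError(f"relocation at {offset} falls outside the module")
        struct.pack_into("<Q", out, offset, (symbols[name] + addend) & 0xFFFF_FFFF_FFFF_FFFF)
    return bytes(out)

def hypervisor_load(key, module, signature, symbols, relocations):
    """Hypervisor side: verify first, relocate second, only then return executable bytes."""
    if not verify_module(key, module, signature):
        return None  # unverified module: guest is not allowed to execute it
    return apply_relocations(module, symbols, relocations)

if __name__ == "__main__":
    sig = sign_module(SIGNING_KEY, MODULE)
    loaded = hypervisor_load(SIGNING_KEY, MODULE, sig, SYMBOLS, RELOCATIONS)
    print(loaded.hex())
    tampered = MODULE[:-1] + b"\xff"
    print(hypervisor_load(SIGNING_KEY, tampered, sig, SYMBOLS, RELOCATIONS))
```

Because the signature is checked over the module exactly as the guest handed it over and the hypervisor writes the relocation slots itself, the guest cannot substitute code that differs from what was signed; the symbol and bounds checks keep a malformed relocation entry from writing outside the verified module.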