Method and system for providing a hardware machine function in a protected virtual machine

US 6,253,224 B1
Filed: 03/24/1998
Issued: 06/26/2001
Est. Priority Date: 03/24/1998
Status: Expired due to Term

First Claim

Patent Images

1. In a computer system including a hardware machine having an operating system which supervises a plurality of virtual-machine sessions, a method for protecting the operating environment of one or more of said virtual-machine sessions, the method comprising the steps of:

defining a plurality of session types for said virtual-machine sessions, including a session type of protected virtual-machine sessions, said protected virtual-machine sessions including program code for implementing a service in support of a defined set of interactions, and a session type of corresponding interacting virtual-machine sessions, said interacting virtual-machine sessions being permitted to interact with said protected virtual-machine sessions to request said service therefrom;

defining one or more of said protected virtual-machine sessions within the operating system;

defining one or more of said corresponding interacting virtual-machine sessions within the operating system;

supervising and enabling the occurrence of said interactions between said defined protected virtual-machine sessions and said defined interacting virtual-machine sessions through the operating system; and

interrogating the operating environment of said defined protected virtual-machine sessions if said service is requested therefrom to verify the continued integrity of said operating environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention describes a method and system for virtualizing an internal capability of a computing system; specifically, the invention describes a method and system for establishing a virtual machine containing a programmed hardware-machine function that is normally executed natively as proprietary internal code in its own hardware environment, a Central Electronics Complex (CEC) or logical partition of a CEC. The code resides in a separate hardware domain of the CEC called the Service Element (SE). The IBM VM/ESA (VM) operating system requests the SE to transfer a copy of the code into a virtual machine that VM has initialized, where the machine function is provided (in the current embodiment) as an isolated and encapsulated part of a virtual Parallel Sysplex system comprising multiple virtual CECs in a testing environment.

Citations

27 Claims

1. In a computer system including a hardware machine having an operating system which supervises a plurality of virtual-machine sessions, a method for protecting the operating environment of one or more of said virtual-machine sessions, the method comprising the steps of:
- defining a plurality of session types for said virtual-machine sessions, including a session type of protected virtual-machine sessions, said protected virtual-machine sessions including program code for implementing a service in support of a defined set of interactions, and a session type of corresponding interacting virtual-machine sessions, said interacting virtual-machine sessions being permitted to interact with said protected virtual-machine sessions to request said service therefrom;
  
  defining one or more of said protected virtual-machine sessions within the operating system;
  
  defining one or more of said corresponding interacting virtual-machine sessions within the operating system;
  
  supervising and enabling the occurrence of said interactions between said defined protected virtual-machine sessions and said defined interacting virtual-machine sessions through the operating system; and
  
  interrogating the operating environment of said defined protected virtual-machine sessions if said service is requested therefrom to verify the continued integrity of said operating environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A method according to claim 1 wherein each of said plurality of virtual-machine sessions may be defined as a protected virtual-machine session, or an interacting virtual-machine session, or as both.
  - 3. A method according to claim 1 wherein the step of defining said interacting virtual-machine sessions further includes the step of designating the types of interactions which may be had with the protected virtual-machine sessions.
  - 4. A method according to claim 1 wherein user logon to the defined protected virtual-machine session may be permitted or denied.
  - 5. A method according to claim 4 wherein if user logon to the defined protected virtual-machine session is permitted, the logged-on user may be restricted to a limited set of commands on the defined protected virtual-machine session.
  - 6. A method according to claim 3 wherein said corresponding defined interacting virtual-machine sessions may be granted or denied access to the defined protected virtual-machine sessions.
  - 7. A method according to claim 6 wherein if said corresponding defined interacting virtual-machine sessions are granted access to the defined protected virtual-machine sessions, access may be had to the defined protected virtual-machine sessions via user input commands on the corresponding defined interacting virtual-machine sessions or by requests from programs running on the corresponding defined interacting virtual-machine sessions or by both.
  - 8. A method according to claim 7 wherein the access granted to the defined protected virtual-machine sessions may be restricted to a limited set of commands or requests on the defined protected virtual-machine sessions.
  - 9. A method according to claim 8 wherein any of said corresponding defined interacting virtual-machine sessions may be granted access to one or more of said defined protected virtual-machine sessions and wherein the type of access granted to the one or more defined protected virtual-machine sessions may be different for each one of said one or more defined protected virtual-machine sessions.
  - 10. A method according to claim 9 wherein the services performed by each of said defined protected virtual-machine sessions and the interactions permitted for each of said corresponding defined interacting virtual-machine sessions are stored in a directory.
  - 11. A method according to claim 1 further including the step of defining a set of rules for maintaining the continued integrity of the operating environment for said defined protected virtual-machine sessions.
  - 12. A method according to claim 11 wherein said defined set of rules include rules for permitting or denying user logon to the defined protected virtual-machine sessions and rules regarding whether any portions of the operating environment may be altered.
  - 13. A method according to claim 12 wherein said interrogating step further includes the step of determining if said defined set of rules have been violated.
  - 14. A method according to claim 13 wherein if it is determined that said defined set of rules has been violated, the method further includes the step of restricting all access to all of said defined protected virtual-machine sessions.
  - 15. A method according to claim 13 wherein if it is determined that said defined set of rules has been violated then the method further includes the step of restricting all access to the defined protected virtual-machine session from which service has been requested.

16. In a computer system including a hardware machine having an operating system which supervises a plurality of virtual-machine sessions, an apparatus for protecting the operating environment of one or more of said virtual-machine sessions, the apparatus comprising:
- means for defining a plurality of session types for said virtual-machine sessions, including a session type of protected virtual-machine sessions, said protected virtual-machine sessions including program code for implementing a service in support of a defined set of interactions, and a session type of corresponding interacting virtual-machine sessions, said interacting virtual-machine sessions being permitted to interact with said protected virtual-machine sessions to request said service therefrom;
  
  means for defining one or more of said protected virtual-machine sessions within the operating system;
  
  means for defining one or more of said corresponding interacting virtual-machine sessions within the operating system;
  
  means for supervising and enabling the occurrence of said interactions between said defined protected virtual-machine sessions and said defined interacting virtual-machine sessions through the operating system; and
  
  means for interrogating the operating environment of said defined protected virtual-machine sessions if said service is requested therefrom to verify the continued integrity of said operating environment.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. An apparatus according to claim 16 wherein each of said plurality of virtual-machine sessions may be defined as a protected virtual-machine session, or an interacting virtual-machine session, or as both.
  - 18. An apparatus according to claim 16 wherein the means for defining said interacting virtual-machine sessions further includes means for designating the types of interactions which may be had with the protected virtual-machine sessions.
  - 19. An apparatus according to claim 16 wherein user logon to the defined protected virtual-machine session may be permitted or denied and wherein if user logon to the defined protected virtual-machine session is permitted, the logged-on user may be restricted to a limited set of commands on the defined protected virtual-machine session.
  - 20. An apparatus according to claim 18 further including means whereby said corresponding defined interacting virtual-machine sessions may be granted or denied access to the defined protected virtual-machine sessions and wherein if said corresponding defined interacting virtual-machine sessions are granted access to the defined protected virtual-machine sessions, access may be had to the defined protected virtual-machine sessions via user input commands on the corresponding defined interacting virtual-machine sessions or by requests from programs running on the corresponding defined interacting virtual-machine sessions or by both.
  - 21. An apparatus according to claim 20 wherein the access granted to the defined protected virtual-machine sessions may be restricted to a limited set of commands or requests on the defined protected virtual-machine sessions.
  - 22. An apparatus according to claim 21 wherein any of said corresponding defined interacting virtual-machine sessions may be granted access to one or more of said defined protected virtual-machine sessions and wherein the type of access granted to the one or more defined protected virtual-machine sessions may be different for each one of said one or more defined protected virtual-machine sessions.
  - 23. An apparatus according to claim 22 wherein the services performed by each of said defined protected virtual-machine sessions and the interactions permitted for each of said corresponding defined interacting virtual-machine sessions are stored in a directory.
  - 24. An apparatus according to claim 16 further including means for defining a set of rules for maintaining the continued integrity of the operating environment for said defined protected virtual-machine sessions.
  - 25. An apparatus according to claim 24 wherein said means for interrogating determine if said defined set of rules have been violated.
  - 26. An apparatus according to claim 25 wherein if it is determined that said defined set of rules has been violated, all access to all of said defined protected virtual-machine sessions is restricted.
  - 27. An apparatus according to claim 25 wherein if it is determined that said defined set of rules has been violated all access to the defined protected virtual-machine session from which service has been requested is restricted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Brice, Frank W. Jr., Tarcza, Richard P., Hefferon, Eugene P., Scalzi, Casper A.
Primary Examiner(s)
COURTENAY III, ST JOHN

Application Number

US09/046,912
Time in Patent Office

1,190 Days
Field of Search

709/1, 709/100-108, 711/203-209
US Class Current

718/1
CPC Class Codes

G06F 2009/45562 Creating, deleting, cloning...

G06F 9/45558 Hypervisor-specific managem...

Method and system for providing a hardware machine function in a protected virtual machine

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing a hardware machine function in a protected virtual machine

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links