Mechanism to transition control between components in a virtual machine environment

US 7,840,964 B2
Filed: 12/30/2005
Issued: 11/23/2010
Est. Priority Date: 12/30/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

a privileged system layer in a virtualization enabled platform enabling a communication portal for executing a service requested by a first component, between the first and a second component of the platform, wherein the first component executes in a first virtual machine on the platform and the second component executes in a second virtual machine on the platform;

performing validation by the privileged system layer that the second component is authorized to execute at least one service on behalf of the first component, further comprising;

retrieving a portal index and local name for the second component from an outbound portal connector descriptor of the first component,translating the local name for the second component into a global name for the second component using a using a name translation table maintained by the privileged system layer,retrieving an inbound portal connector descriptor comprising a local name for a source component from the second component, the second component associated with the portal index and translated global name for the second component,translating the local name for the source component into a global name for the source component using a using a name translation table maintained by the privileged system layer,comparing the translated global name for the source component to the global name for the first component to ensure a match; and

validating by the privileged system layer that the second component is authorized to execute the requested service, further comprising;

comparing a portal validator to an activity descriptor to ensure that the requested service is authorized, wherein the activity descriptor comprises a range descriptor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, the invention efficiently manages, sets up, controls and performs communication between isolated components using portals. In a platform having virtualization architecture, a component in a first virtual machine requests a service to be performed by a component in a second virtual machine. A privileged system layer validates the ability to create a communication portal between the two components. The validation is a two-level validation to ensure that a portal is permitted between the two components and that the requested activity is also permitted. Other embodiments are described and claimed.

Citations

12 Claims

1. A method comprising:
- a privileged system layer in a virtualization enabled platform enabling a communication portal for executing a service requested by a first component, between the first and a second component of the platform, wherein the first component executes in a first virtual machine on the platform and the second component executes in a second virtual machine on the platform;
  
  performing validation by the privileged system layer that the second component is authorized to execute at least one service on behalf of the first component, further comprising;
  
  retrieving a portal index and local name for the second component from an outbound portal connector descriptor of the first component,translating the local name for the second component into a global name for the second component using a using a name translation table maintained by the privileged system layer,retrieving an inbound portal connector descriptor comprising a local name for a source component from the second component, the second component associated with the portal index and translated global name for the second component,translating the local name for the source component into a global name for the source component using a using a name translation table maintained by the privileged system layer,comparing the translated global name for the source component to the global name for the first component to ensure a match; and
  
  validating by the privileged system layer that the second component is authorized to execute the requested service, further comprising;
  
  comparing a portal validator to an activity descriptor to ensure that the requested service is authorized, wherein the activity descriptor comprises a range descriptor.
- View Dependent Claims (2, 3, 4)
- - 2. The method as recited in claim 1, further comprising:
    - requesting a portal connection by the first component to a service in the second component; and
      
      when the privileged system layer validates the portal communication, executing the requested service by the second component.
  - 3. The method as recited in claim 1, wherein each component has access to a data structure comprising authorized inbound and outbound portal descriptors,wherein the outbound portal descriptor further comprises a local destination component name and an index, the local destination component name and index corresponding to an inbound portal descriptor in a source component, andwherein the inbound portal descriptor further comprises a local source component name and a portal validator, the local source component name corresponding to an authorized source component and the portal validator corresponding to an authorized activity.
  - 4. The method as recited in claim 3, wherein the performing validation by the privileged system layer, further comprises translating both the source and destination local names using a name translation table, the name translation table being inaccessible to deprivileged components.

5. A system comprising:
- at least one processor residing on a virtualization enabled platform, the platform having a privileged component, the platform to run a plurality of non-privileged components, each of the plurality of components to run in a virtual machine (VM) on the platform;
  
  a plurality of data structures stored in memory, each data structure accessible to the privileged component and to a corresponding non-privileged component to describe authorized communication portals for the corresponding non-privileged component; and
  
  a name translation table stored in memory, the name translation table accessible to the privileged component and inaccessible to the non-privileged components,wherein the privileged component is to perform a 2-level validation of a requested communication portal between a first non-privileged component and a second non-privileged component, wherein the 2-level validation further comprises;
  
  a first validation that the first component and second component have an authorized communication portal, anda second validation that a service requested of the second component, by the first component, is an authorized service request for the authorized communication portal,wherein to perform the second validation, the privileged component is to compare a portal validator to an activity descriptor to ensure that the requested service is authorized, and wherein the activity description comprises a range descriptor.
- View Dependent Claims (6, 7, 8)
- - 6. The system as recited in claim 5, wherein to perform the first validation, the privileged component is to retrieve a portal index and local name for the second component from an outbound portal connector descriptor of the first component, translate the local name for the second component into a global name for the second component using a using a name translation table maintained by the privileged component, retrieve an inbound portal connector descriptor comprising a local name for a source component from the second component, the second component associated with the portal index and translated global name for the second component, translate the local name for the source component into a global name for the source component using a using a name translation table maintained by the privileged component, and compare the translated global name for the source component to the global name for the first component to ensure a match.
  - 7. The system as recited in claim 5, wherein the description of authorized communication portals in the data structure for the corresponding non-privileged component comprises authorized inbound and outbound portal descriptors, wherein the outbound portal descriptor further comprises a local destination component name and an index, the local destination component name and index corresponding to an inbound portal descriptor in a source component, and wherein the inbound portal descriptor further comprises a local source component name and a portal validator, the local source component name corresponding to an authorized source component and the portal validator corresponding to an authorized activity.
  - 8. The system as recited in claim 5, wherein the 2-level validation to be performed by the privileged component further comprises translating both a source local name and a destination local name using the name translation table.

9. A machine readable storage medium having instructions stored thereon that when executed by a privileged system layer running on a processor in a virtualization enabled platform cause the platform to:
- enable a communication portal for executing a service requested by a first component, between the first and a second component of the platform, wherein the first component executes in a first virtual machine on the platform and the second component executes in a second virtual machine on the platform;
  
  perform validation by the privileged system layer that the second component is authorized to execute at least one service on behalf of the first component, further comprising instructions to;
  
  retrieve a portal index and local name for the second component from an outbound portal connector descriptor of the first component,translate the local name for the second component into a global name for the second component using a using a name translation table maintained by the privileged system layer,retrieve an inbound portal connector descriptor comprising a local name for a source component from the second component, the second component associated with the portal index and translated global name for the second component,translate the local name for the source component into a global name for the source component using a using a name translation table maintained by the privileged system layer,compare the translated global name for the source component to the global name for the first component to ensure a match; and
  
  validate by the privileged system layer that the second component is authorized to execute the requested service, further comprising instructions to;
  
  compare a portal validator to an activity descriptor to ensure that the requested service is authorized, wherein the activity description comprises a range descriptor.
- View Dependent Claims (10, 11, 12)
- - 10. The machine readable storage medium as recited in claim 9, further comprising instructions that when executed in response to a request for portal connection by the first component to a service in the second component, cause the platform to:
    - validate the portal communication; and
      
      initiate execution of the requested service by the second component.
  - 11. The machine readable storage medium as recited in claim 9, wherein each component has access to a data structure comprising authorized inbound and outbound portal descriptors,wherein the outbound portal descriptor further comprises a local destination component name and an index, the local destination component name and index corresponding to an inbound portal descriptor in a source component, andwherein the inbound portal descriptor further comprises a local source component name and a portal validator, the local source component name corresponding to an authorized source component and the portal validator corresponding to an authorized activity.
  - 12. The machine readable storage medium as recited in claim 11, wherein the performing validation by the privileged system layer, further comprises instructions to translate both the source and destination local names using a name translation table, the name translation table being inaccessible to non-privileged components.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Uhlig, Volkmar, Schoenberg, Sebastian
Primary Examiner(s)
Tang; Kenneth

Application Number

US11/322,455
Publication Number

US 20070169120A1
Time in Patent Office

1,789 Days
Field of Search

718/1, 711/6, 711/202, 713/166
US Class Current

718/1
CPC Class Codes

G06F 9/45533 Hypervisors; Virtual machin...

Mechanism to transition control between components in a virtual machine environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanism to transition control between components in a virtual machine environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links