Virtualization hardware for device driver isolation
First Claim
Patent Images
1. A method for isolating a kernel extension in a computer system with hardware virtualization support, the method comprising:
- executing a kernel in a first hardware protection domain, including calling to a first kernel extension, a first set of computer resource privileges being allowed for code executing in the first hardware protection domain;
executing the first kernel extension in a second hardware protection domain, a second set of computer resource privileges being allowed for code executing in the second hardware protection domain, the first set of computer resource privileges being different from the second set of computer resource privileges, wherein each hardware protection domain is determined at least in part by events described in a virtual machine control data structure provided by the hardware virtualization support;
wherein the kernel and the first kernel extension execute in a common execution privilege level, the common execution privilege level being a special execution privilege level allowing execution of instructions that are not allowed in other execution privilege levels; and
wherein no virtualization hypervisor or emulation layer is interposed between hardware of the computer system and either the kernel or the first kernel extension.
2 Assignments
0 Petitions
Accused Products
Abstract
Hardware virtualization support is used to isolate kernel extensions. A kernel and various kernel extensions are executed in a plurality of hardware protection domains. Each hardware protection domain defines computer resource privileges allowed to code executing in that hardware protection domain. Kernel extensions execute with appropriate computer resource privileges to complete tasks without comprising the stability of the computer system.
7 Citations
52 Claims
-
1. A method for isolating a kernel extension in a computer system with hardware virtualization support, the method comprising:
-
executing a kernel in a first hardware protection domain, including calling to a first kernel extension, a first set of computer resource privileges being allowed for code executing in the first hardware protection domain; executing the first kernel extension in a second hardware protection domain, a second set of computer resource privileges being allowed for code executing in the second hardware protection domain, the first set of computer resource privileges being different from the second set of computer resource privileges, wherein each hardware protection domain is determined at least in part by events described in a virtual machine control data structure provided by the hardware virtualization support; wherein the kernel and the first kernel extension execute in a common execution privilege level, the common execution privilege level being a special execution privilege level allowing execution of instructions that are not allowed in other execution privilege levels; and wherein no virtualization hypervisor or emulation layer is interposed between hardware of the computer system and either the kernel or the first kernel extension. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
-
-
27. A non-transitory computer-readable medium containing computer program code for configuring a computer system to perform a method for isolating a kernel extension in a computer system with hardware virtualization support, the method comprising:
-
executing a kernel in a first hardware protection domain, the kernel comprising executable code for calling to a first kernel extension, a first set of computer resource privileges being allowed for code executing in the first hardware protection domain; executing the first kernel extension in a second hardware protection domain, a second set of computer resource privileges being allowed for code executing in the second hardware protection domain, the first set of computer resource privileges being different from the second set of computer resource privileges, wherein each hardware protection domain is determined at least in part by events described in a virtual machine control data structure provided by the hardware virtualization support; wherein the kernel and the first kernel extension execute in a common execution privilege level, the common execution privilege level being a special execution privilege level allowing execution of instructions that are not allowed in other execution privilege levels; and wherein no virtualization hypervisor or emulation layer is interposed between hardware of the computer system and either the kernel or the first kernel extension. - View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
-
Specification