Configuration space virtualization
First Claim
Patent Images
1. A computer implemented method for installing and operating an I/O device on a virtual machine, comprising:
- receiving a description of the I/O device;
constructing a first representation of configuration space for the I/O device, the first representation indicative of which portions of the configuration space can be placed under control of a non-privileged authority, wherein the first representation is constructed based at least in part on said description;
constructing a second representation of memory mapped I/O (MMIO) space and configuration space, the second representation indicative of pages to be included or excluded in the virtual machine, wherein the second representation is constructed based at least in part on said description;
determining which operations have effects that impact functionality of other virtual machines;
based on said determining, constructing a map comprising information indicative of an association between a memory location and information indicative of a translation from a first operation on the memory location to a second operation on the memory location, wherein the second operation has benign consequences on functionality of other virtual machines; and
controlling access to said I/O device based on said map and said first and second representations.
1 Assignment
0 Petitions
Accused Products
Abstract
Various aspects are disclosed herein for bounding the behavior of a non-privileged virtual machine that interacts with a device by creating a description of the device which indicates to a privileged authority (1) which operations on the device may have system-wide effects and (2) which operations have effects local to the device. The privileged authority may then permit or deny these actions. The privileged authority may also translate these actions into other actions with benign consequences.
45 Citations
19 Claims
-
1. A computer implemented method for installing and operating an I/O device on a virtual machine, comprising:
-
receiving a description of the I/O device; constructing a first representation of configuration space for the I/O device, the first representation indicative of which portions of the configuration space can be placed under control of a non-privileged authority, wherein the first representation is constructed based at least in part on said description; constructing a second representation of memory mapped I/O (MMIO) space and configuration space, the second representation indicative of pages to be included or excluded in the virtual machine, wherein the second representation is constructed based at least in part on said description; determining which operations have effects that impact functionality of other virtual machines; based on said determining, constructing a map comprising information indicative of an association between a memory location and information indicative of a translation from a first operation on the memory location to a second operation on the memory location, wherein the second operation has benign consequences on functionality of other virtual machines; and controlling access to said I/O device based on said map and said first and second representations. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A system for managing communications between a virtual machine and a device, comprising:
-
at least one processor; and at least one memory communicatively coupled to said at least one processor, the memory having stored therein computer-executable instructions that, when executed on the processor, cause the processor to perform operations comprising; receiving a description of the device; constructing a representation of configuration space for the device, the representation of configuration space indicative of which parts of the configuration space can be placed under control of a non-privileged authority, wherein the representation of configuration space is constructed based at least in part on said description; constructing a representation of memory mapped I/O (MMIO) space and configuration space, the representation of MMIO space and configuration space indicative of pages to be included or excluded in the virtual machine, wherein the representation of MMIO space and configuration space is constructed based at least in part on said description; populating excluded pages with data representative of the device; constructing a map comprising indications of operations on memory locations that, when requested by the non-privileged authority, are replaced by different operations on the memory locations; and controlling access to said device based on said map and said representations of MMIO space and configuration space. - View Dependent Claims (12, 13)
-
-
14. A computer readable storage device storing thereon computer executable instructions for controlling access to a device communicatively coupled to a physical machine that hosts virtual machines, comprising instructions for:
-
receiving a description of the device; constructing a representation of memory mapped I/O (MMIO) space and configuration space, the representation of MMIO space and configuration space indicative of pages to be included, excluded, or pre-populated in the virtual machine, wherein the representation of MMIO space and configuration space is constructed based at least in part on said description; constructing a representation of configuration space comprising an association between at least one memory location within the configuration space to one or more translations from a first operation on the at least one memory location to a second operation on the at least one memory location, wherein the representation of configuration space is constructed based at least in part on said description; and controlling access to said device based on said representation of MMIO space and configuration space and said representation of configuration space. - View Dependent Claims (15, 16, 17, 18, 19)
-
Specification