Patent classifications
G06F9/45545
IMPROVING MEMORY ACCESS HANDLING FOR NESTED VIRTUAL MACHINES
Systems and methods for memory management for nested virtual machines. An example method may comprise running, by a host computer system, a Level 0 hypervisor managing a Level 1 virtual machine running a Level 1 hypervisor, wherein the Level 1 hypervisor manages a Level 2 virtual machine, wherein the Level 2 virtual machine is associated with a Peripheral Component Interconnect (PCI) device; generating, by the Level 0 hypervisor, a Level 1 page table by combining records from the guest page table with records from a host page table maintained by the Level 0 hypervisor; generating a Level 2 page table comprising a plurality of Level 2 page table entries; and causing a device driver of the Level 2 virtual machine to use the Level 2 page table for second level address translation.
Controlling access to external networks by an air-gapped endpoint
A method and system for controlling access to external networks by an air-gapped endpoint are provided. The method includes providing, on the air-gapped endpoint, a plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using a hypervisor; selecting one security zone of the plurality of isolated security zones; and tunneling traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN).
PRE-BOOT AUTHENTICATION FOR VIRTUAL MACHINES USING CREDENTIALS STORED IN VIRTUAL TRUSTED PLATFORM MODULES
An apparatus comprises a processing device configured to receive, at a host operating system of a virtual machine host, a request to execute a virtual machine and to obtain, from a virtual trusted platform module running on the virtual machine host, credentials for logging in to a guest operating system of the virtual machine. The processing device is further configured to provide, to pre-boot authentication software associated with the virtual machine, the credentials obtained from the virtual trusted platform module, and to automatically log in to the guest operating system of the virtual machine utilizing the pre-boot authentication software and the provided credentials.
Secure public cloud using extended paging and memory integrity
A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to directly access the control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, can neither directly modify these control structures nor access the protected memory region. The host VMM, however, using VMPageIn and VMPageOut instructions, can build virtual machines in key domains and page VM pages in and out of key domains.
Virtual machine migration detection by a hosted operating system
In an embodiment, a guest operating system (OS) running on a virtual machine (VM) detects a VM migration, where the embodiment comprises storing, by the guest OS, a VM identifier (VMID) provided by the VM and a first host identifier (HID) provided by a host computer system in a computer memory. The embodiment also comprises determining, by the guest OS, that the VM performs migrations that are transparent to the guest OS. The embodiment further comprises detecting, by the guest OS, that the VM has been migrated based on a comparison of the first HID to a second HID provided to the guest OS in response to an HID request from the guest OS.
WORKING WITH APPLICATIONS AND FILES OF MULTIPLE REMOTE DESKTOPS ON A SINGLE REMOTE DESKTOP
Remote desktop services are accessed by a remote desktop from a pool of remote desktops. When the remote desktop detects a user request to launch an application and determines that the application to be launched is from another remote desktop, the remote desktop establishes a connection with the other remote desktop to launch and display the application seamlessly. In addition, the remote desktop retrieves drive configuration data indicating drives or folders that are shared by each of the remote desktops in the pool and creates a mapping of the shared drives and folders based on the drive configuration data. In response to a user request to open a shared drive or folder of the other remote desktop, the remote desktop establishes a connection with that other remote desktop to acquire the contents of the shared drive or folder.
VIRTUALIZED SYSTEM AND METHOD OF PREVENTING MEMORY CRASH OF SAME
A virtualized system is provided. The virtualized system includes: a memory device; a processor configured to provide a virtualization environment; a direct memory access device configured to perform a function of direct memory access to the memory device; and a memory management circuit configured to manage a core access of the processor to the memory device and a direct access of the direct memory access device to the memory device. The processor is further configured to provide: a plurality of guest operating systems that run independently from each other on a plurality of virtual machines of the virtualization environment; and a hypervisor configured to control the plurality of virtual machines in the virtualization environment and to control the memory management circuit to block the direct access when a target guest operating system, among the plurality of guest operating systems, that controls the direct memory access device is rebooted.
Directed interrupt virtualization with interrupt table
An interrupt signal is provided to an operating system executed using one or more processors of a plurality of processors. A bus attachment device receives an interrupt signal with an interrupt target ID identifying a processor assigned for use as a target processor for handling the interrupt signal. The bus attachment device translates the received interrupt target ID to a processor ID using an interrupt table entry and forwards the interrupt signal to the target processor for handling. The processor ID is used to address the target processor directly.
Class of service for multi-function devices
A processing device, operatively coupled with a memory component, is configured to provide a plurality of virtual memory controllers and to provide a plurality of physical functions, wherein each of the plurality of physical functions corresponds to a different one of the plurality of virtual memory controllers. The processing device further presents the plurality of physical functions to a host computing system over a peripheral component interconnect express (PCIe) interface, wherein each of the plurality of physical functions corresponds to a different virtual machine running on the host computing system, and manages input/output (IO) operations received from the host computing system and directed to the plurality of physical functions, as well as background operations performed on the memory component, in view of class of service parameters associated with the plurality of physical functions.
Customized memory modules in multi-tenant provider systems
A computing system providing virtual computing services may maintain a fleet of servers that host virtual machine instances having a wide variety of types and configurations. A service provider may rent processor and memory capacity by defining and offering various virtual machine instances to clients. Each virtual machine instance may include one or more virtual CPUs and a fixed amount of virtualized memory allocated to each virtual CPU, dependent on a predefined ratio between virtual CPU capacity and virtualized memory capacity for the instance type. Each server may include a custom, non-standard sized physical memory module containing memory devices of multiple technologies, types, or sizes on the same printed circuit board. By including custom memory modules, rather than relying only on standard memory modules, the service provider system may implement virtual machines having finer grained options for processor and memory capacity combinations, and may avoid stranding rentable resources.