G06F9/45545

Method and system for processing commands in storage devices to improve quality of service

Operation of a non-volatile memory (NVM) storage module may comprise receiving a plurality of commands associated with a plurality of priority-based queues from a host memory. A received command is evaluated in accordance with a priority associated with the queue storing the command and a size of the command. The evaluated command is split into a plurality of sub-commands, each sub-command having a size determined in accordance with the evaluation. A predetermined number of hardware resources is allocated for each evaluated command based on at least the size of each of the sub-commands, thereby enabling processing of the evaluated command based on the allocated resources. Quality of service (QoS) for the evaluated command may thus be improved.

Implementing deferred guest calls in a host-based virtual machine introspection system
11580217 · 2023-02-14

Example methods are provided for virtual machine introspection in which a guest monitoring mode (GMM) module monitors the execution of guest calls by an agent that resides in a virtual machine (VM). The GMM module sets a bit in a bit mask that corresponds to a guest call that the agent needs to execute, and inserts an invisible breakpoint in the code of the guest call. If the GMM module detects that, despite the bit being set in the bit mask, the agent does not complete execution of the code (the invisible breakpoint is never triggered), the GMM module treats this condition as a potential hijack of the VM by malicious code.
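The check described in this abstract, simulated as an added example. This is not code from the patent or from any hypervisor; the GmmModule and GuestAgent classes, the toy instruction set and the layout of the pending bit mask are assumptions made for the illustration. The point it shows is that the GMM never trusts the agent's word: a request bit is cleared only when guest execution actually reaches the breakpointed instruction, so code that was patched to skip the call leaves its bit set.

```python
# Added example (not code from the patent or any hypervisor): a simulation of
# the deferred-guest-call check. GmmModule, GuestAgent, the tiny instruction
# set and the pending bit mask are all assumptions made for this illustration.
from dataclasses import dataclass

NOP, JMP, RET = "nop", "jmp", "ret"   # toy instruction set for the guest call bodies


@dataclass
class GuestCall:
    call_id: int        # bit position of this call in the GMM pending mask
    code: list          # instruction list executed by the in-VM agent
    breakpoint_at: int  # index where the GMM plants its invisible breakpoint


class GmmModule:
    """Host-side guest monitoring mode (GMM) module.

    A set bit in `pending` means 'the agent must execute call N'. The bit is
    cleared only when guest execution reaches the invisible breakpoint planted
    in that call, so a bit still set after the agent reports back means the
    call's code was never run to that point.
    """

    def __init__(self, calls):
        self.calls = {c.call_id: c for c in calls}
        self.pending = 0
        self.armed = {}  # call_id -> instruction index of the armed breakpoint

    def defer(self, call_id):
        """Request a guest call: set its bit and arm the breakpoint."""
        self.pending |= 1 << call_id
        self.armed[call_id] = self.calls[call_id].breakpoint_at

    def trap(self, call_id, pc):
        """Hypervisor-side hook: consumes the breakpoint when pc reaches it.
        'Invisible' here means the guest code never tests for it."""
        if self.armed.get(call_id) == pc:
            del self.armed[call_id]
            self.pending &= ~(1 << call_id)

    def audit(self):
        """Return ids whose bit is still set; a non-empty set is a potential hijack."""
        return {i for i in self.calls if (self.pending >> i) & 1}


class GuestAgent:
    """In-VM agent executing every call whose bit is set in the GMM mask."""

    def __init__(self, gmm, calls):
        self.gmm = gmm
        self.calls = {c.call_id: c for c in calls}

    def run(self):
        for call_id, call in self.calls.items():
            if not (self.gmm.pending >> call_id) & 1:
                continue
            pc = 0
            while pc < len(call.code):
                self.gmm.trap(call_id, pc)   # every executed instruction is visible to the host
                op = call.code[pc]
                if op[0] == JMP:
                    pc = op[1]
                elif op[0] == RET:
                    break
                else:
                    pc += 1


def run_scenario(call1_code):
    """Defer two calls, let the agent run, return the GMM's audit result."""
    calls = [
        GuestCall(0, [(NOP,), (NOP,), (RET,)], breakpoint_at=2),
        GuestCall(1, call1_code, breakpoint_at=1),
    ]
    gmm = GmmModule(calls)
    agent = GuestAgent(gmm, calls)
    gmm.defer(0)
    gmm.defer(1)
    agent.run()
    return gmm.audit()


def honest_run():
    # Call 1 runs to its RET, so the breakpoint at index 1 fires and bit 1 clears.
    return run_scenario([(NOP,), (RET,)])


def hijacked_run():
    # Malicious code patched call 1 into a jump past its own end: the RET at
    # index 1 (and the breakpoint on it) is never reached, so bit 1 stays set.
    return run_scenario([(JMP, 5), (RET,)])


if __name__ == "__main__":
    print("honest:", honest_run())      # set()
    print("hijacked:", hijacked_run())  # {1}
```

In a real deployment the trap corresponds to the hypervisor's own view of guest execution (for example a breakpoint exit), which the guest cannot remove; the agent's in-VM state is treated purely as a claim to be checked against that host-side evidence.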

CUSTOMIZATION OF MULTI-PART METADATA OF A SECURE GUEST
20230037746 · 2023-02-09

A trusted execution environment obtains a secure guest image and metadata to be used to start a secure guest. The metadata includes multiple parts and a plurality of integrity measures. A first part of the metadata includes one or more integrity measures of the plurality of integrity measures, and a second part of the metadata includes customized confidential data of the secure guest and one or more other integrity measures of the plurality of integrity measures. The trusted execution environment is used to verify at least one select part of the metadata using at least one integrity measure of the plurality of integrity measures of the metadata. Based on successful verification of the at least one select part of the metadata, the trusted execution environment starts the secure guest using the secure guest image and at least a portion of the metadata.
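The verification step described in this abstract, worked through as an added example (not code from the patent or from any TEE implementation). The two-part layout below is an assumption chosen for the illustration: part 1 carries the whole-image measure and a measure of part 2, part 2 carries the per-deployment confidential data together with measures of the image components. The example shows why the customized part can be changed only by whoever can also rebuild part 1: swapping the confidential data alone breaks the part-2 measure and the guest is not started. How a production TEE authenticates the metadata itself (for instance with a signature) is outside the abstract and is not modelled.

```python
# Added example (not code from the patent or from any TEE implementation):
# verifying a two-part secure-guest metadata structure by its integrity
# measures. The field names, the choice of SHA-256 and the canonical JSON
# encoding are assumptions made for this illustration.
import hashlib
import json


def measure(data):
    """Integrity measure used throughout: SHA-256 hex digest (assumed)."""
    return hashlib.sha256(data).hexdigest()


def canonical(part):
    """Deterministic encoding so a part's measure does not depend on key order."""
    return json.dumps(part, sort_keys=True, separators=(",", ":")).encode()


def build_metadata(image, components, confidential):
    """Part 2 carries the customized confidential data plus measures of the
    image components; part 1 carries the whole-image measure and the measure
    of part 2, binding the customization to the rest of the metadata."""
    part2 = {
        "confidential": confidential,
        "component_measures": {name: measure(blob) for name, blob in components.items()},
    }
    part1 = {
        "image_measure": measure(image),
        "part2_measure": measure(canonical(part2)),
    }
    return {"part1": part1, "part2": part2}


def verify_part(metadata, part, image, components):
    """Verify one selected part against the measures that cover it."""
    if part == "part1":
        return metadata["part1"]["image_measure"] == measure(image)
    if part == "part2":
        part2 = metadata["part2"]
        if measure(canonical(part2)) != metadata["part1"]["part2_measure"]:
            return False  # confidential data or component measures were altered
        expected = {name: measure(blob) for name, blob in components.items()}
        return part2["component_measures"] == expected
    raise ValueError("unknown metadata part: %r" % part)


def start_secure_guest(image, components, metadata, select=("part1", "part2")):
    """TEE-side start: verify the selected parts, then hand the guest its
    customized confidential data. Returns None if any selected part fails."""
    for part in select:
        if not verify_part(metadata, part, image, components):
            return None
    return {"image": metadata["part1"]["image_measure"],
            "confidential": metadata["part2"]["confidential"]}


# Constructed sample inputs standing in for a real guest image and its components.
IMAGE = b"kernel-bytes" + b"initrd-bytes" + b"console=ttyS0"
COMPONENTS = {"kernel": b"kernel-bytes", "initrd": b"initrd-bytes", "cmdline": b"console=ttyS0"}


def customized_start(confidential):
    """Honest path: metadata built with one deployment's customization."""
    md = build_metadata(IMAGE, COMPONENTS, confidential)
    return start_secure_guest(IMAGE, COMPONENTS, md)


def tampered_start(confidential, injected):
    """Attacker path: confidential data swapped in part 2 without the ability
    to rebuild part 1, so the part-2 measure no longer matches."""
    md = build_metadata(IMAGE, COMPONENTS, confidential)
    md["part2"]["confidential"] = injected
    return start_secure_guest(IMAGE, COMPONENTS, md)


def wrong_image_start(confidential):
    """Image swapped under a metadata set built for another image."""
    md = build_metadata(IMAGE, COMPONENTS, confidential)
    return start_secure_guest(IMAGE + b"-patched", COMPONENTS, md)
```

Two deployments built from the same image but different confidential data share the same image measure in part 1 while differing in part 2, which is what lets the customized part be verified independently of the common image.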

System and method for content fetching using a selected intermediary device and multiple servers
11558215 · 2023-01-17

A method for fetching content from a web server to a client device is disclosed, using tunnel devices serving as intermediate devices. The tunnel device is selected based on an attribute, such as IP geolocation. A tunnel bank server stores a list of available tunnels that may be used, associated with values of various attribute types. The tunnel devices initiate communication with the tunnel bank server and stay connected to it, allowing a communication session to be initiated by the tunnel bank server. Upon receiving a request from a client for content and for specific attribute types and values, a tunnel is selected by the tunnel bank server and is used for retrieving the required content from the web server, using a standard protocol such as SOCKS, WebSocket or HTTP proxy. The client communicates only with a super proxy server that manages the content fetching scheme.

Pod deployment in a guest cluster executing as a virtual extension of management cluster in a virtualized computing system

An example virtualized computing system includes a host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts, the virtualization layer supporting execution of virtual machines (VMs), the VMs including pod VMs, the pod VMs including container engines supporting execution of containers in the pod VMs; and an orchestration control plane integrated with the virtualization layer, the orchestration control plane including a master server configured to manage the pod VMs and first VMs of the VMs. The virtualized computing system further includes a guest cluster executing in the first VMs and managed by the orchestration control plane, the guest cluster including a guest master server configured to, in cooperation with the master server, deploy first pods in the pod VMs.

Extracting Malicious Instructions on a Virtual Machine in a Network Environment

A system includes a guest virtual machine with one or more virtual machine measurement points configured to collect virtual machine operating characteristics metadata, and a hypervisor control point configured to receive that metadata from the virtual machine measurement points. The hypervisor control point is further configured to send the metadata to a hypervisor associated with the guest virtual machine. The hypervisor is configured to receive the metadata and to forward it to a hypervisor device driver in a virtual vault machine. The virtual vault machine is configured to determine a classification for the guest virtual machine based on the metadata and to send the determined classification to a vault management console.

Provisioning identity certificates using hardware-based secure attestation in a virtualized and clustered computer system

An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes: launching, in cooperation with a security module of a host, a guest as a virtual machine (VM) managed by the virtualization layer, the security module generating an attestation report from at least a portion of the VM loaded into memory of the host; sending the attestation report from the security module to a trust authority; receiving, in response to verification of the attestation report by the trust authority, a secret from the trust authority at the security module; and providing the secret from the security module to the guest.
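The exchange described in this abstract, with both sides' messages, as an added example that is not code from the patent or from any vendor's security module. The report layout, the use of a nonce issued by the trust authority, and HMAC as the report's authenticator are assumptions for the illustration; a real security module signs its report with an asymmetric attestation key whose certificate chain the trust authority checks, and would receive the secret over a protected channel, neither of which is modelled here. The example shows the three outcomes a practitioner cares about: a known-good guest receives its secret, a modified guest receives nothing, and a captured report cannot be replayed.

```python
# Added example (not code from the patent or from any vendor's security module):
# the attestation exchange described above. Report layout, nonce handling and
# HMAC authentication of the report are assumptions for this illustration.
import hashlib
import hmac
import os

REPORT_TAG = b"guest-attestation-report-v1"


def measure(blob):
    """Measurement of the portion of the VM loaded into host memory."""
    return hashlib.sha256(blob).digest()


class SecurityModule:
    """Host security module that launches the guest and attests its memory."""

    def __init__(self, attestation_key):
        self._key = attestation_key
        self.guest_secret = None  # what the guest eventually receives

    def launch_and_report(self, guest_memory, nonce):
        """Measure the loaded guest and emit an authenticated, nonce-bound report."""
        m = measure(guest_memory)
        mac = hmac.new(self._key, REPORT_TAG + nonce + m, "sha256").digest()
        return {"nonce": nonce, "measurement": m, "mac": mac}

    def deliver_secret(self, secret):
        """Secret arrives from the trust authority and is handed to the guest."""
        self.guest_secret = secret


class TrustAuthority:
    """Verifier holding known-good measurements and the secrets they unlock."""

    def __init__(self, attestation_key, known_good):
        self._key = attestation_key
        self._known_good = known_good  # measurement -> secret
        self._outstanding = set()     # nonces issued but not yet consumed

    def challenge(self):
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, report):
        """Return the secret for a fresh, authentic, known-good report, else None."""
        body = REPORT_TAG + report["nonce"] + report["measurement"]
        expected = hmac.new(self._key, body, "sha256").digest()
        if not hmac.compare_digest(expected, report["mac"]):
            return None  # forged or corrupted report
        if report["nonce"] not in self._outstanding:
            return None  # unknown or replayed nonce
        self._outstanding.discard(report["nonce"])
        return self._known_good.get(report["measurement"])  # None for an unknown guest


def provision(trust_authority, security_module, guest_memory):
    """One full exchange: challenge -> report -> verification -> secret to guest."""
    nonce = trust_authority.challenge()
    report = security_module.launch_and_report(guest_memory, nonce)
    secret = trust_authority.verify(report)
    if secret is not None:
        security_module.deliver_secret(secret)
    return secret, report


# Constructed sample: the approved guest and the secret it should receive.
GOOD_GUEST = b"approved guest kernel + initrd"
DISK_KEY = b"disk-encryption-key-for-approved-guest"


def make_parties():
    key = os.urandom(32)  # provisioned to both the security module and the trust authority
    return TrustAuthority(key, {measure(GOOD_GUEST): DISK_KEY}), SecurityModule(key)


def attest_good():
    ta, sm = make_parties()
    secret, _ = provision(ta, sm, GOOD_GUEST)
    return secret


def attest_tampered():
    ta, sm = make_parties()
    secret, _ = provision(ta, sm, GOOD_GUEST + b" + implant")
    return secret


def attest_replay():
    """A captured good report replayed later must not release the secret again."""
    ta, sm = make_parties()
    first, report = provision(ta, sm, GOOD_GUEST)
    second = ta.verify(report)
    return first, second
```

The measurement is taken by the security module from what was actually loaded into host memory, not from what the virtualization management server claims was deployed, which is what lets the trust authority release a secret to a guest running on a host it does not otherwise trust.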

MEMORY SHARING METHOD OF VIRTUAL MACHINES BASED ON COMBINATION OF KSM AND PASS-THROUGH

A memory sharing method for virtual machines based on the combination of KSM and pass-through includes: a virtual machine manager judging whether the operating systems of the guests use an IOMMU; if not, the guest does not participate in the shared mapping of the KSM technique; if so, judging the memory pages of each guest to confirm whether the pages are mapping pages; if they are, retaining the mapping pages in the host; and if not, while preserving the properties of pass-through, applying the KSM technique to all non-mapping pages to merge memory pages with the same contents among the various virtual machines and simultaneously applying write protection. The guest memory pages are thus divided into those dedicated to DMA and those for non-DMA purposes, the KSM technique is applied selectively to only the non-DMA pages, and the goal of saving memory resources is achieved while preserving the properties of pass-through.
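A merging pass of the kind this method describes, as an added example that is not the patent's code. The Page and Guest structures, the use of a SHA-256 digest to find identical pages, and the MergeResult bookkeeping are assumptions for the illustration; real KSM compares page contents directly and operates on host page tables. The security-relevant point the example makes explicit is why DMA-mapped pages must be excluded: a pass-through device writes them through the IOMMU and never hits the CPU write protection that KSM relies on for copy-on-write, so a merged DMA page would let one guest's device traffic land in another guest's memory.

```python
# Added example (not the patent's code): a page-merging pass of the kind the
# method describes. The Page/Guest structures and the use of SHA-256 to find
# identical pages are assumptions for this illustration.
from dataclasses import dataclass, field
import hashlib

PAGE_SIZE = 4096


@dataclass
class Page:
    gfn: int            # guest frame number
    content: bytes
    dma_mapped: bool    # True if an IOMMU mapping for a pass-through device targets it


@dataclass
class Guest:
    name: str
    uses_iommu: bool
    pages: list


@dataclass
class MergeResult:
    merged: int = 0                       # duplicate pages freed by merging
    skipped_dma: int = 0                  # DMA pages left unmerged
    skipped_guests: list = field(default_factory=list)
    write_protected: set = field(default_factory=set)  # (guest, gfn) pairs now CoW


def ksm_merge(guests):
    """Merge identical non-DMA pages across guests, write-protecting every
    merged mapping so a later guest write triggers copy-on-write.

    DMA-mapped pages are never merged: a pass-through device writes them
    through the IOMMU, bypassing CPU write protection, so sharing one host
    page between guests would let a device write leak into another guest.
    """
    result = MergeResult()
    canonical = {}  # content digest -> (guest, gfn) holding the shared copy
    for guest in guests:
        if not guest.uses_iommu:
            result.skipped_guests.append(guest.name)  # per the method: not part of shared mapping
            continue
        for page in guest.pages:
            if page.dma_mapped:
                result.skipped_dma += 1   # keep the mapping page as-is in the host
                continue
            digest = hashlib.sha256(page.content).digest()
            owner = canonical.get(digest)
            if owner is None:
                canonical[digest] = (guest.name, page.gfn)
            else:
                result.merged += 1
                result.write_protected.add(owner)
                result.write_protected.add((guest.name, page.gfn))
    return result


def sample_guests():
    """Constructed sample: two pass-through guests and one guest without IOMMU."""
    zero, a, b = b"\0" * PAGE_SIZE, b"A" * PAGE_SIZE, b"B" * PAGE_SIZE
    return [
        Guest("vm-a", True, [Page(0, zero, False), Page(1, a, True), Page(2, b, False)]),
        Guest("vm-b", True, [Page(0, zero, False), Page(1, a, False), Page(2, b, False)]),
        Guest("vm-c", False, [Page(0, zero, False), Page(1, b, False)]),
    ]


def run_sample():
    return ksm_merge(sample_guests())
```

In the sample, vm-a's frame 1 has the same contents as vm-b's frame 1 but is a DMA mapping, so it is left alone and vm-b's copy simply becomes the first (unshared) instance of that content; only the two genuinely idle duplicates are merged and write-protected.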

COLLECTION OF GUEST STATUS
20180011726 · 2018-01-11

The present disclosure provides new and innovative methods and systems for guest status collection in a virtual environment. An example method includes accessing a hypervisor media library and booting an information collection guest from the hypervisor media library. The method may also include exposing the information collection guest to a memory of a virtual machine, detecting a first guest status of the virtual machine, generating an information message based on the first guest status, and sending the information message to a message display agent.

Hot growing a cloud hosted block device
11709692 · 2023-07-25

A method of resizing a block storage volume for a virtual machine includes executing the virtual machine and attaching a virtual storage device to the virtual machine. The virtual storage device exposes the block storage volume on memory hardware to the virtual machine. The block storage volume includes a first storage capacity. The method also includes mounting the block storage volume to the virtual machine and resizing the block storage volume while the virtual machine continues to execute. The block storage volume is resized without attaching an additional virtual storage device to the virtual machine or mounting an additional block storage volume to the virtual machine.