US 12,229,047 B2
Memory access control in a virtualization environment
Rian Quinn, Highlands Ranch, CO (US); and Connor James Davis, Denver, CO (US)
Assigned to Assured Information Security, Inc., Rome, NY (US)
Appl. No. 17/759,048
Filed by Assured Information Security, Inc., Rome, NY (US)
PCT Filed Apr. 20, 2021, PCT No. PCT/US2021/028093
§ 371(c)(1), (2) Date Oct. 27, 2022,
PCT Pub. No. WO2022/225507, PCT Pub. Date Oct. 27, 2022.
Prior Publication US 2023/0376411 A1, Nov. 23, 2023
Int. Cl. G06F 12/02 (2006.01); G06F 9/455 (2018.01)
CPC G06F 12/0292 (2013.01) [G06F 9/45558 (2013.01); G06F 2009/45583 (2013.01); G06F 2212/152 (2013.01)]
24 Claims
 
1. A computer-implemented method comprising:
maintaining a plurality of sets of page tables for a computer system executing a microkernel hypervisor with host privileges, the microkernel hypervisor hosting a plurality of guest virtual machines (VMs) executing with guest privileges, each guest VM of the plurality of guest VMs having guest VM memory corresponding to a dedicated portion of computer system physical memory for guest VM execution, wherein the plurality of sets of page tables comprise, for each guest VM of the plurality of guest VMs and each hypervisor application of a plurality of hypervisor applications, a respective set of page tables corresponding to the combination of that guest VM and that hypervisor application, wherein, for any guest VM of the plurality of guest VMs and any hypervisor application of the plurality of hypervisor applications, there is a corresponding set of page tables of the plurality of sets of page tables that maps guest virtual memory to computer system physical memory and the corresponding set of page tables includes mappings to at most a subset of the guest VM memory to thereby limit an amount of the guest VM memory that is accessible when the corresponding set of page tables is presented for executing software; and
controlling presentation of the plurality of sets of page tables for hypervisor processing, wherein the controlling presentation selectively presents just one of the sets of page tables at any given time during hypervisor application execution to provide access to guest VM memory, wherein access to guest VM memory and the corresponding portion of the computer system physical memory is controlled by controlling a page table base address presented in hardware of the computer system, and wherein the controlling presentation comprises, based on a request for hypervisor processing for a guest VM of the plurality of guest VMs:
identifying a hypervisor application of the plurality of hypervisor applications to service the request for hypervisor processing;
identifying the set of page tables, of the plurality of sets of page tables, that corresponds to the combination of the identified hypervisor application and the guest VM for which the hypervisor processing was requested; and
presenting the identified set of page tables for guest VM memory access by the identified hypervisor application and the microkernel hypervisor by indicating a page table address of the identified set of page tables as the page table base address in hardware for the hypervisor application and the microkernel hypervisor to use in accessing guest VM memory, wherein presenting the identified set of page tables limits the amount of guest VM memory, of that guest VM, that is accessible by that hypervisor application and the microkernel hypervisor to at most the subset of the guest VM memory.
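A minimal C model of the dispatch described in claim 1, added here as an illustration and not taken from the patent or any product of the assignee. All names, the request-to-application mapping, and the address values are hypothetical; each set of page tables is reduced to a root address plus the one guest-memory window it maps, and a plain variable stands in for the hardware page table base register.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NUM_VMS  2
#define NUM_APPS 2   /* hypothetical hypervisor applications 0 and 1 */

/* One set of page tables for a (guest VM, hypervisor application) pair.
 * A real set is a tree of tables; this model keeps only the root address
 * and the single window of guest VM memory that the set maps. */
struct pt_set {
    uint64_t root;       /* value that would be loaded as the base address */
    uint64_t map_start;  /* first guest-memory address mapped by this set */
    uint64_t map_len;    /* bytes mapped: at most a subset of the VM's memory */
};

/* Constructed sample values, indexed [vm][app]. */
static const struct pt_set pt_sets[NUM_VMS][NUM_APPS] = {
    { { 0x100000, 0x0000, 0x1000 }, { 0x101000, 0x4000, 0x2000 } },
    { { 0x102000, 0x0000, 0x1000 }, { 0x103000, 0x8000, 0x1000 } },
};

static uint64_t pt_base_reg;            /* stands in for the hardware register */
static const struct pt_set *presented;  /* the one set presented right now */

/* Hypothetical rule for which application services which request kind. */
static int app_for_request(int request_kind) { return request_kind == 0 ? 0 : 1; }

/* Identify the application, identify the (vm, app) set, present only that set.
 * Returns the application index, or -1 (nothing presented) for an unknown VM. */
int present_for_request(int vm, int request_kind)
{
    if (vm < 0 || vm >= NUM_VMS) { presented = NULL; pt_base_reg = 0; return -1; }
    int app = app_for_request(request_kind);
    presented = &pt_sets[vm][app];
    pt_base_reg = presented->root;
    return app;
}

/* Would len bytes at guest address addr translate under the presented set?
 * Written so the bounds arithmetic cannot wrap around. */
bool guest_access_ok(uint64_t addr, uint64_t len)
{
    if (!presented || len == 0 || len > presented->map_len) return false;
    return addr >= presented->map_start &&
           addr - presented->map_start <= presented->map_len - len;
}

uint64_t current_pt_base(void) { return pt_base_reg; }
```

Because only one root is loaded at a time, a defect in one application while it services one guest can reach no more than the window mapped by that pair's set.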