US 12,265,606 B2
Direct assignment of physical devices to confidential virtual machines
Jin Lin, Seattle, WA (US); Jason Stewart Wohlgemuth, Seattle, WA (US); Michael Bishop Ebersol, Woodinville, WA (US); Aditya Bhandari, Seattle, WA (US); Steven Adrian West, Redmond, WA (US); Emily Cara Clemens, Snohomish, WA (US); Michael Halstead Kelley, Redmond, WA (US); Dexuan Cui, Sammamish, WA (US); Attilio Mainetti, Bellevue, WA (US); Sarah Elizabeth Stephenson, Boston, MA (US); Carolina Cecilia Perez-Vargas, Seattle, WA (US); Antoine Jean Denis Delignat-Lavaud, Cambridge (GB); Kapil Vaswani, Karnataka (IN); Alexander Daniel Grest, Redmond, WA (US); Steve Michel Pronovost, Redmond, WA (US); and David Alan Hepkin, Redmond, WA (US)
Assigned to Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on Sep. 26, 2022, as Appl. No. 17/953,169.
Prior Publication US 2024/0104193 A1, Mar. 28, 2024
Int. Cl. G06F 21/53 (2013.01); G06F 21/60 (2013.01); G06F 21/79 (2013.01); G06F 9/455 (2018.01); G06F 11/30 (2006.01)
CPC G06F 21/53 (2013.01) [G06F 21/602 (2013.01); G06F 21/79 (2013.01); G06F 9/45533 (2013.01); G06F 9/45558 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45595 (2013.01); G06F 11/301 (2013.01)] 19 Claims
OG exemplary drawing
 
1. A method, implemented in a host computer system that includes a processor, for securely assigning a direct memory access (DMA) physical device associated with the host computer system to a confidential virtual machine (VM) executing at the host computer system, comprising:
creating a guest partition at the host computer system, the guest partition corresponding to a confidential VM and comprising a first guest privilege context and a second guest privilege context, wherein the second guest privilege context executes a guest operating system (OS) and is restricted from accessing memory associated with the first guest privilege context; and
in the first guest privilege context, enabling DMA access by the confidential VM to the physical device, including:
partitioning a guest physical address space of the guest partition into a private physical address space region that is inaccessible by a host OS of the host computer system and a shared physical address space region that is accessible by the host OS;
identifying a direct assignment of the physical device to the guest partition;
determining, based on a policy, that the physical device is allowed to be directly assigned to the guest partition and to be accessible to the guest partition via DMA;
exposing the physical device on a virtual bus used by the second guest privilege context; and
facilitating communication between the physical device and the second guest privilege context via the shared physical address space region, including forwarding interrupts between the guest OS and the physical device.
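The gating sequence in claim 1 (partition the guest physical address space, check a policy before direct assignment, expose the device on a virtual bus, and confine device DMA and its completion interrupts to the shared region) sketched as an added Python model; this is not code from the patent or from any Microsoft implementation, and the device identifiers, the allow-list policy shape, and the dictionary-backed memory are constructed assumptions.

```python
# Constructed model of the first guest privilege context's role in claim 1:
# it owns the private/shared split of guest physical address space (GPA),
# admits devices only per policy, and refuses device DMA outside the shared region.
from dataclasses import dataclass, field

PAGE = 4096

@dataclass
class GuestPartition:
    gpa_size: int
    private_end: int                        # GPAs below this are private (host-inaccessible)
    private_mem: dict = field(default_factory=dict)   # constructed stand-in for private pages
    shared_mem: dict = field(default_factory=dict)    # constructed stand-in for shared pages
    virtual_bus: list = field(default_factory=list)   # devices exposed to the guest OS
    interrupts_to_guest: list = field(default_factory=list)

def partition_gpa_space(gpa_size: int, shared_size: int) -> GuestPartition:
    """[0, private_end) is private; [private_end, gpa_size) is the host-visible shared region."""
    if shared_size <= 0 or shared_size >= gpa_size:
        raise ValueError("shared region must be non-empty and smaller than the GPA space")
    return GuestPartition(gpa_size=gpa_size, private_end=gpa_size - shared_size)

def in_shared_region(part: GuestPartition, gpa: int, length: int) -> bool:
    """Whole transfer must lie inside the shared region (no straddling into private memory)."""
    return part.private_end <= gpa and gpa + length <= part.gpa_size

def assign_device(part: GuestPartition, policy: dict, device_id: str) -> bool:
    """Direct assignment succeeds only if the (constructed) allow-list policy permits DMA for it."""
    if not policy.get(device_id, False):
        return False
    part.virtual_bus.append(device_id)       # expose on the virtual bus used by the guest OS
    return True

def device_dma(part: GuestPartition, device_id: str, gpa: int, data: bytes) -> str:
    """A DMA write from an assigned device lands in shared memory, then an interrupt is forwarded."""
    if device_id not in part.virtual_bus:
        return "unassigned"
    if not in_shared_region(part, gpa, len(data)):
        return "denied"                      # would touch private memory or overrun the GPA space
    part.shared_mem[gpa] = data
    part.interrupts_to_guest.append(device_id)  # completion interrupt forwarded to the guest OS
    return "ok"

def guest_consume(part: GuestPartition, src_gpa: int, dest_gpa: int) -> bytes:
    """Guest OS copies a DMA'd buffer from the shared region into its private memory."""
    if not 0 <= dest_gpa < part.private_end:
        raise ValueError("destination must be in the private region")
    data = part.shared_mem.pop(src_gpa)
    part.private_mem[dest_gpa] = data
    return data
```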