| CPC G06F 9/45558 (2013.01) [G06F 9/5077 (2013.01); G06F 12/1054 (2013.01); G06F 2009/45583 (2013.01); G06F 2212/7201 (2013.01)] | 20 Claims |
|
1. A method, implemented at a computer system that includes a processor, for isolating resources of a virtual machine (VM) guest from a host operating system (OS), the method comprising:
receiving an acceptance request from a guest partition corresponding to an isolated VM guest, the acceptance request identifying:
a guest memory page that is mapped into a guest physical address (GPA) space of the guest partition, and
a memory page visibility class, wherein the memory page visibility class is an exclusive visibility class;
determining that a physical memory page that is mapped to the guest memory page meets the memory page visibility class, including:
verifying, via a guest second-level address translation table (SLAT), that the physical memory page is exclusively mapped to the guest memory page; and
verifying, via a host OS SLAT, that the host OS is denied access to the physical memory page;
setting a page acceptance indication for the guest memory page from an unaccepted state to an accepted state based on the physical memory page that is mapped to the guest memory page meeting the memory page visibility class;
receiving a visibility change request from the guest partition, the visibility change request including an indication of the guest memory page; and
updating the host OS SLAT to grant physical memory page access to the host OS.
|