Supporting migration of virtual machines containing enclaves

US11327782B2 · US · B2

Patent metadata

Publication number: US-11327782-B2
Application number: US-201916561051-A
Country: US
Kind code: B2
Filing date: Sep 5, 2019
Priority date: Jul 19, 2019
Publication date: May 10, 2022
Grant date: May 10, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

The present disclosure provides an approach for migrating the contents of an enclave, together with a virtual machine comprising the enclave, from a source host to a destination host. The approach provides a technique that allows the contents of the enclave to remain secure during the migration process, and also allows the destination host to decrypt the contents of the enclave upon receiving the contents and upon receiving the VM that includes the enclave. The approach allows for the VM to continue execution on the destination host. The enclave retains its state from source host to destination host. Applications using the enclave in the source host are able to continue using the enclave on the destination host using the data migrated from the source host to the destination host.

First claim

Opening claim text (preview).

What is claimed is:

1. A method of migrating a virtual machine (VM) from a first host to a second host, the VM comprising a first enclave within a memory of the first host, the VM further comprising an application running within the VM, the VM running on a virtualization software that abstracts hardware of the first host, the method comprising: calling, by the application, an eviction entry point located within the first enclave, wherein the calling comprises providing an identifier associated with the second host to the eviction entry point; requesting, by the eviction entry point, an encryption key from a key management service, wherein requesting the encryption key comprises providing the identifier associated with the second host to the key management service; encrypting, by the eviction entry point, persistent data of the first enclave using the encryption key requested from the key management service; placing the encrypted persistent data outside of the first enclave; migrating the VM and the encrypted persistent data to the second host; creating a second enclave within the second host; requesting, by a restoration entry point located within the second enclave, a decryption key from the key management service based on the identifier associated with the second host; decrypting, by the restoration entry point located within the second enclave, the encrypted persistent data using the decryption key requested from the key management service; and adding to the second enclave, by the restoration entry point, the decrypted persistent data.

2. The method of claim 1, the method further comprising: notifying the application, by the virtualization software, of initiation of a migration process of the VM; and based at least in part on the notifying, performing the calling, by the application, of the eviction entry point located within the first enclave.

3. The method of claim 2, wherein the second host comprises a second virtualization software, the method further comprising: notifying the application, by the second virtualization software, of completion of the migration process of the VM; and based at least in part on the notifying, performing the creating the second enclave within the second host.

4. The method of claim 1, further comprising: determining by the application that the first enclave is a stateful enclave; and based at least in part on the determining, performing the calling, by the application, the eviction entry point located within the first enclave.

5. The method of claim 1, wherein the key management service is executing on a third host.

6. A non-transitory computer readable medium comprising instructions to be executed in a processor of a computer system, the instructions when executed in the processor cause the computer system to carry out a method of migrating a virtual machine (VM) from a first host to a second host, the VM comprising a first enclave within a memory of the first host, the VM further comprising an application running within the VM, the VM running on a virtualization software that abstracts hardware of the first host, the method comprising: calling, by the application, an eviction entry point located within the first enclave, wherein the calling comprises providing an identifier associated with the second host to the eviction entry point; requesting, by the eviction entry point, an encryption key from a key management service, wherein requesting the encryption key comprises providing the identifier associated with the second host to the key management service; encrypting, by the eviction entry point, persistent data of the first enclave using the encryption key requested from the key management service; placing the encrypted persistent data outside of the first enclave; migrating the VM and the encrypted persistent data to the second host; creating a second enclave within the second host; requesting, by a restoration entry point located within the second enclave, a decryption key from the key management service based on the identifier associated with the second host; decrypting, by the restoration entry point located within the second enclave, the encrypted persistent data using the decryption key requested from the key management service; and adding to the second enclave, by the restoration entry point, the decrypted persistent data.

7. The non-transitory computer readable medium of claim 6, the method further comprising: notifying the application, by the virtualization software, of initiation of a migration process of the VM; and based at least in part on the notifying, performing the calling, by the application, of the eviction entry point located within the first enclave.

8. The non-transitory computer readable medium of claim 7, wherein the second host comprises a second virtualization software, the method further comprising: notifying the application, by the second virtualization software, of completion of the migration process of the VM; and based at least in part on the notifying, performing the creating the second enclave within the second host.

9. The non-transitory computer readable medium of claim 6, wherein the method further comprises: determining by the application that the first enclave is a stateful enclave; and based at least in part on the determining, performing the calling, by the application, the eviction entry point located within the first enclave.

10. The non-transitory computer readable medium of claim 6, wherein the key management service is executing on a third host.

11. A computer system comprising: a first host comprising a memory, a virtualization software, a hardware, and a virtual machine (VM); a second host; and at least one processor, wherein the at least one processor is programmed to carry out a method of migrating the VM from the first host to the second host, the VM comprising a first enclave within the memory of the first host, the VM further comprising an application running within the VM, the VM running on the virtualization software that abstracts the hardware of the first host, the method comprising: calling, by the application, an eviction entry point located within the first enclave, wherein the calling comprises providing an identifier associated with the second host to the eviction entry point; requesting, by the eviction entry point, an encryption key from a key management service, wherein requesting the encryption key comprises providing the identifier associated with the second host to the key management service; encrypting, by the eviction entry point, persistent data of the first enclave using the encryption key requested from the key management service; placing the encrypted persistent data outside of the first enclave; migrating the VM and the encrypted persistent data to the second host; creating a second enclave within the second host; requesting, by a restoration entry point located within the second enclave, a decryption key from the key management service based on the identifier associated with the second host; decrypting, by the restoration entry point located within the second enclave, the encrypted persistent data using the decryption key requested from the key management service; and adding to the second enclave, by the restoration entry point, the decrypted persistent data.

12. The computer system of claim 11, the method further comprising: notifying the application, by the virtualization software, of initiation of a migration process of the VM; and based at least in part on the notifying, performing the calling, by the application, of the eviction entry point located within the first enclave.
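The sequence in claim 1 (eviction entry point requests a key bound to the destination host identifier, encrypts the enclave's persistent data, the ciphertext leaves the enclave and travels with the VM, and a restoration entry point in the new enclave fetches the key for its own host and decrypts) can be followed end to end in a small simulation. The Go program below is an added example, not code from the patent or from VMware: the key management service is an in-memory map that hands out one AES-256 key per host identifier, AES-GCM with the destination identifier as associated data stands in for whatever cipher a real implementation uses, and the assumption that the service trusts the host identifier a caller presents is this example's simplification (the claims do not say how the service authenticates the requesting host). The stateful check of claim 4 is included so a stateless enclave is simply recreated empty.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManagementService stands in for the key management service of claim 1.
// It issues one AES-256 key per destination host identifier and returns it
// only for that identifier. Trusting the presented identifier is an
// assumption of this example; the claims leave caller authentication open.
type KeyManagementService struct {
	keys map[string][]byte
}

func NewKMS() *KeyManagementService {
	return &KeyManagementService{keys: map[string][]byte{}}
}

// EncryptionKey is requested by the eviction entry point, which passes the
// identifier of the second (destination) host.
func (k *KeyManagementService) EncryptionKey(destHostID string) ([]byte, error) {
	if key, ok := k.keys[destHostID]; ok {
		return key, nil
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	k.keys[destHostID] = key
	return key, nil
}

// DecryptionKey is requested by the restoration entry point with the
// identifier of the host it now runs on. A host with no key bound gets nothing.
func (k *KeyManagementService) DecryptionKey(hostID string) ([]byte, error) {
	key, ok := k.keys[hostID]
	if !ok {
		return nil, errors.New("kms: no key bound to host " + hostID)
	}
	return key, nil
}

// Enclave models the protected memory region on one host. persistentData is
// the state that must survive the move; Stateful mirrors the check in claim 4.
type Enclave struct {
	HostID         string
	Stateful       bool
	persistentData []byte
}

func NewEnclave(hostID string, stateful bool, data []byte) *Enclave {
	return &Enclave{HostID: hostID, Stateful: stateful, persistentData: append([]byte(nil), data...)}
}

func (e *Enclave) PersistentData() []byte { return e.persistentData }

// VM carries the enclave and, while in flight, the encrypted persistent data
// that the eviction entry point placed outside the enclave.
type VM struct {
	Enclave      *Enclave
	MigratedBlob []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EvictionEntryPoint is the enclave-side routine the application calls with the
// destination host identifier: fetch the key, encrypt the persistent data with
// the identifier as associated data (so the blob is tied to that host), zero
// the in-enclave copy, and hand the ciphertext out of the enclave.
func EvictionEntryPoint(e *Enclave, destHostID string, kms *KeyManagementService) ([]byte, error) {
	key, err := kms.EncryptionKey(destHostID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := gcm.Seal(nonce, nonce, e.persistentData, []byte(destHostID))
	for i := range e.persistentData {
		e.persistentData[i] = 0
	}
	e.persistentData = nil
	return blob, nil
}

// RestorationEntryPoint runs inside the second enclave: request the key bound
// to its own host identifier, decrypt the blob, add the plaintext to the enclave.
// A blob sealed for another host, or opened with another host's key, fails the tag check.
func RestorationEntryPoint(e *Enclave, blob []byte, kms *KeyManagementService) error {
	key, err := kms.DecryptionKey(e.HostID)
	if err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	if len(blob) < gcm.NonceSize() {
		return errors.New("restore: blob too short")
	}
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(e.HostID))
	if err != nil {
		return fmt.Errorf("restore: %w", err)
	}
	e.persistentData = plain
	return nil
}

// MigrateVM runs the claim-1 sequence end to end and returns the enclave created
// on the destination host. A stateless enclave (claim 4) skips eviction.
func MigrateVM(vm *VM, destHostID string, kms *KeyManagementService) (*Enclave, error) {
	dest := NewEnclave(destHostID, vm.Enclave.Stateful, nil)
	if vm.Enclave.Stateful {
		blob, err := EvictionEntryPoint(vm.Enclave, destHostID, kms)
		if err != nil {
			return nil, err
		}
		vm.MigratedBlob = blob // travels with the VM, outside any enclave
		if err := RestorationEntryPoint(dest, vm.MigratedBlob, kms); err != nil {
			return nil, err
		}
	}
	vm.Enclave = dest
	return dest, nil
}

func main() {
	kms := NewKMS()
	// Constructed sample state; a real enclave would hold keys, counters, session data.
	vm := &VM{Enclave: NewEnclave("host-A", true, []byte("constructed enclave state: counters and session keys"))}
	dest, err := MigrateVM(vm, "host-B", kms)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored on %s: %q\n", dest.HostID, dest.PersistentData())
}
```

The point to check in a deployment of this scheme is the key service's release policy: the migrated blob is only as confidential as the binding between the host identifier and the party the service will hand the key to, which is why a real service would tie that identifier to an attested platform identity rather than a string the caller supplies.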

Assignees

Inventors

Classifications

  • Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines · CPC title

  • Distribution of virtual machine instances; Migration and load balancing · CPC title

  • Restarting or rejuvenating · CPC title

  • Isolation or security of virtual machine instances · CPC title

  • Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11327782B2 cover?
The present disclosure provides an approach for migrating the contents of an enclave, together with a virtual machine comprising the enclave, from a source host to a destination host. The approach provides a technique that allows the contents of the enclave to remain secure during the migration process, and also allows the destination host to decrypt the contents of the enclave upon receiving t…
Who is the assignee on this patent?
Vmware Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/083. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 10, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).