1. A method, comprising: storing, by one or more processors, confidential data in a confidential section of virtual memory, wherein storing the confidential data in the confidential section of virtual memory comprises: mapping the confidential section of virtual memory to an address space in a first physical memory device; storing the confidential data in the first physical memory device; and marking the address space in the first physical memory device as having confidential data; receiving a request to copy data stored in the address space in the first physical memory device to a second physical memory device, wherein the second physical memory device has more capacity and slower memory access speed than the first physical memory device; determining that the address space in the first physical memory device has been marked as having confidential data; and denying the request to copy in response to determining that the address space in the first physical memory device has been marked as having confidential data.
2. The method of claim 1, wherein the request to copy data stored in the address space in the first physical memory device is received as a result of a power-saving operation.
3. The method of claim 2, the operations further comprising: copying data stored in non-confidential sections of the virtual memory to the second physical device; completing the power-saving operation; and upon resuming from the power-saving operation: determining one or more processes had been using the confidential data; and providing a warning to the one or more processes that the confidential data was not copied to the second physical memory device.
4. The method of claim 2, the operations further comprising: copying data stored in non-confidential sections of the virtual memory to the second physical device; completing the power-saving operation; and upon resuming from the power-saving operation: determining one or more processes had been using the confidential data; and terminating the one or more processes.
Inventors: Van Riel; Henri Han; (Nashua, NH); Cox; Alan; (Surrey Research Park, GB)
Assignee: Red Hat, Inc.
SUMMARY
[0008] In accordance with one embodiment of the invention, a method of protecting confidential data is provided. When a request to allocate space in a virtual memory for confidential data is received, a portion of the virtual memory is marked as confidential. It is determined if a portion of a physical memory has been assigned for the confidential portion of the virtual memory. The portion of the physical memory that has been assigned for the confidential portion of the virtual memory is then marked as having confidential data.
[0009] In accordance with another embodiment of the invention, a method of protecting data allocated to a confidential area of virtual memory that is stored in physical memory is provided. When contents of the physical memory are being written to another location, contents of the physical memory that correspond to data allocated to the confidential area of the virtual memory are identified. The identified contents of the physical memory are then protected.
[0010] Additional embodiments of the present invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
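The scheme in claims 1-4 and paragraphs [0008]-[0009], as an added C model that is not code from the patent or from Red Hat: physical frames carry a confidential mark, a copy request toward the larger, slower device is denied for marked frames, and on resume the processes that depended on the withheld data are either listed for a warning or have their frames released. The names `ram`, `disk`, `store`, `copy_to_disk`, `hibernate` and `resume`, the frame count and the frame layout are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <string.h>
/* Hypothetical model of claims 1-4: fast memory (ram) with frames that can
 * be marked confidential, and a larger, slower device (disk) for hibernation. */
#define NFRAMES 8
enum copy_result { COPY_OK = 0, COPY_DENIED_CONFIDENTIAL = 1 };
struct frame {
    bool confidential; /* claim 1: "marked as having confidential data" */
    int  owner_pid;    /* process using the frame; 0 means unused */
    char data[16];
};
static struct frame ram[NFRAMES], disk[NFRAMES];
/* Map a virtual section to a frame, store the data, and mark the frame. */
static int store(int frame, int pid, const char *data, bool confidential) {
    if (frame < 0 || frame >= NFRAMES) return -1;
    ram[frame].owner_pid = pid;
    ram[frame].confidential = confidential;
    strncpy(ram[frame].data, data, sizeof ram[frame].data - 1);
    ram[frame].data[sizeof ram[frame].data - 1] = '\0';
    return 0;
}
/* A request to copy a frame to the slower device is denied when the frame
 * is marked confidential; otherwise the contents are copied. */
static enum copy_result copy_to_disk(int frame) {
    if (ram[frame].confidential) return COPY_DENIED_CONFIDENTIAL;
    disk[frame] = ram[frame];
    return COPY_OK;
}
/* Power-saving operation: copies only non-confidential frames (claims 3/4)
 * and returns how many frames were withheld from the slower device. */
static int hibernate(void) {
    int withheld = 0;
    for (int i = 0; i < NFRAMES; i++)
        if (copy_to_disk(i) == COPY_DENIED_CONFIDENTIAL) withheld++;
    return withheld;
}
/* On resume, list processes that were using confidential data (to warn them,
 * claim 3); with terminate set, also release their frames (claim 4). */
static int resume(bool terminate, int *affected, int max) {
    int n = 0;
    for (int i = 0; i < NFRAMES; i++) {
        int pid = ram[i].owner_pid;
        if (!ram[i].confidential || pid == 0) continue;
        bool seen = false;
        for (int j = 0; j < n; j++) if (affected[j] == pid) seen = true;
        if (!seen && n < max) affected[n++] = pid;
        if (terminate) memset(&ram[i], 0, sizeof ram[i]);
    }
    return n;
}
```

The model keeps the confidential frames in `ram` across the simulated suspend, which is the claimed point: the data never reaches the slower device, so it is the dependent processes, not the data, that need handling on resume.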
And then
1. A method for reducing the number of calls from an operating system to an application program, comprising the steps of: associating in the operating system at least one indicia with a first request to access hardware, the indicia indicating a type of notification to be provided by the operating system to the application program upon completion of the first request; receiving from the application program a second request; and based on the second request, de-associating one or more of the at least one indicia from the first request so that notification no longer needs to be provided by the operating system to the application program upon completion of the first request.
2. The method according to claim 1, wherein the notification comprises an operating system call.
3. The method according to claim 1, wherein the first request and the second request comprise input-output requests received from the application program.
4. The method according to claim 1, wherein the first request and the second request comprise a linked list.
5. The method according to claim 1, wherein the first request and the second request comprise a table.
6. The method according to claim 1, wherein the indicia comprises a flag.
Inventors: Cox; Alan; (Swansea, GB)
Correspondence Address: WILMERHALE / RED HAT, INC., 60 STATE STREET, BOSTON, MA 02109, US
Assignee: Red Hat, Inc., Raleigh, NC
[0011] In one embodiment of the present invention, a task can be added to the kernel input/output (I/O) queue while that queue of asynchronous I/O is being processed. The kernel can provide or set indicia, such as a flag, that is readable, for example, by the application program. The flag can indicate whether or not the kernel is processing any I/O for a particular process (task). For example, while the I/O queue is being processed, the operating system kernel can receive, from an application program, pertinent data (such as, for example, the file being written to, the data that is to be written to the file, and whether the application is to be notified upon completion of the write operation). The request is written atomically to the kernel I/O queue. When the process has a next kernel I/O request, the process examines the flag to determine if the kernel has completed I/O for the process. If the flag indicates that the I/O queue is completed for the process, the kernel receives a system call. If the flag indicates that the I/O queue is not completed, then the application program need not make a system call. When the I/O is completed, the kernel can check for race conditions. If another request is present in the I/O queue due to a race condition, the kernel can dispatch the request by using a kernel interrupt handler, rather than waiting for the application program to issue a system call to the kernel.
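The queue behaviour in claims 1-6 and paragraph [0011], as an added C model that is not code from the patent or from Red Hat: each request carries a notify flag (the "indicia"), a later request can de-associate that flag from a pending request, the application reads the kernel's busy flag to skip the system call while the queue is still being drained, and requests that arrive mid-processing are completed on the same pass. The names `io_queue`, `submit`, `cancel_notify`, `kernel_run` and the `budget` parameter (used only to interleave application and kernel steps) are assumptions made for the illustration.

```c
#include <stdbool.h>
/* Hypothetical model of claims 1-6 and [0011]: an asynchronous I/O queue
 * shared by the application and the kernel. Each request carries a notify
 * flag (the "indicia"); a later request may clear that flag on a pending
 * request so no completion call is owed. A per-process busy flag lets the
 * application skip the system call while the kernel is still draining. */
#define MAXREQ 16
enum { NOTIFY = 1 };
struct io_req { int id; int flags; bool done; };
struct io_queue {
    struct io_req req[MAXREQ];
    int head, tail;     /* head = next to process, tail = next free slot */
    bool kernel_busy;   /* readable by the application (the kernel's flag) */
    int syscalls;       /* system calls the application had to make */
    int notifications;  /* completion calls the kernel made */
};
/* Application side: write the request atomically (modelled as one slot
 * store) and enter the kernel only if it is not already processing. */
static int submit(struct io_queue *q, int id, int flags) {
    if (q->tail >= MAXREQ) return -1;
    q->req[q->tail++] = (struct io_req){ id, flags, false };
    if (!q->kernel_busy) { q->syscalls++; q->kernel_busy = true; }
    return 0;
}
/* Second request that de-associates the notify indicia from an earlier,
 * still-pending request (claim 1). Returns false if it already completed. */
static bool cancel_notify(struct io_queue *q, int id) {
    for (int i = q->head; i < q->tail; i++) {
        if (q->req[i].id != id || q->req[i].done) continue;
        q->req[i].flags &= ~NOTIFY;
        return true;
    }
    return false;
}
/* Kernel side: complete up to `budget` requests. Requests that were added
 * while the queue was being processed (including any that raced in) are
 * picked up on the next pass rather than by a fresh system call. */
static int kernel_run(struct io_queue *q, int budget) {
    int completed = 0;
    while (q->head < q->tail && completed < budget) {
        struct io_req *r = &q->req[q->head++];
        r->done = true;
        if (r->flags & NOTIFY) q->notifications++;
        completed++;
    }
    if (q->head == q->tail) { q->head = q->tail = 0; q->kernel_busy = false; }
    return completed;
}
```

Counting `syscalls` and `notifications` is what makes the claimed reduction visible: a request submitted while `kernel_busy` is set costs no system call, and a request whose flag was cleared costs no completion call.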