Abstract: In an example, a computing device includes a processor which in a reimaging operation of the computing device, may determine if a backup image to be used in the reimaging operation is available from a memory device connected to a local area network of the computing device. When the backup image is available from the memory device, the processor may acquire the backup image over the local area network. When the backup image is not available from the memory device, the processor may determine if a backup image is available from a wide area network of the computing device.

Abstract: In an example, a computing device is described. The computing device comprises a memory to store a set of states and a corresponding set of non-overlapping time intervals. The computing device further comprises a timing unit to indicate a time at which a signature is to be produced. The computing device further comprises a processor to: identify which time interval of the set of non-overlapping time intervals includes the indicated time; generate a signing key based on a state associated with the identified time interval; and produce a signature, under a stateful signature scheme, with the signing key.

Abstract: In an example, a computing device is described. The computing device comprises a processor. The processor is to generate a key using a value as an input to generate the key. The processor is further to, in response to generating the key, exclude the value from future use as the input. The processor is further to store an indication of a subsequent value to use as the input to generate a subsequent key. The indication is cryptographically associated with an entity to control third-party access to the indication.

Abstract: In an example, a computing device is described. The computing device comprises an interface to receive a request from a signer for a state. The state is to be used as an input to generate a key under a stateful signature scheme. The computing device further comprises a processor. The processor is to identify an available state that the signer is authorized to use in response to the request received via the interface. The available state is identified from a set of states that can be used by the signer to maintain statefulness of the stateful signature scheme. The processor is further to instruct a reply to be sent to the signer via the interface. The reply comprises an indication of the state that the signer is authorized to use.

Abstract: In an example, a computing device is described. The computing device comprises a communication interface and a processor. The processor is to determine whether a signature, produced by a signer, is derived from a free state under a stateful signature scheme. The free state is a state that has not been used as an input to generate a signing key. The signature is encrypted by the signer. The processor is further to, in response to determining that the signature is derived from a free state, decrypt the encrypted signature. The processor is further to transmit the decrypted signature to a recipient via the communication interface.

Abstract: An example computing device includes a user interface, a network interface, a non-volatile memory, a processor coupled to the user interface, the network interface, and the non-volatile memory, and a set of instructions stored in the non-volatile memory. The set of instructions, when executed by the processor, is to perform a hardware initialization of the computing device according to a setting, establish a local trust domain and a remote trust domain, use a local-access public key to issue a challenge via the user interface to grant local access to the setting, and use a remote-access public key to grant remote access via the network interface to remote access to the setting.

Abstract: In an example, an apparatus is described. The apparatus comprises processing circuitry comprising a control module. The control module is to protect information regarding a machine learning model owned by a third party. The information is protected in a memory communicatively coupled to the control module. In response to receiving an indication that a computing device under control of the control module complies with a third party policy associated with the machine learning model, the control module is to release the information to the computing device.

Abstract: In an example, an apparatus is described. The apparatus comprises processing circuitry comprising a control module. The control module determines whether a computing device communicatively coupled to the control module is in a specified state for executing a machine learning model controlled by a third party entity. In response to determining that the computing device is in the specified state, the control module is to send, to an attestation module in a data processing pipeline associated with the computing device, an indication that the computing device is in the specified state.

Abstract: In an example, an apparatus is described. The apparatus comprises processing circuitry comprising a generating module, a signing module and an interfacing module. The generating module is to generate a statement comprising: a control plane indicator to indicate a control plane state of a computing device used to execute a machine learning model. The statement further comprises information regarding the machine learning model. The signing module is to generate a signature for the statement using an attestation key associated with the apparatus. The interfacing module is to send the statement and the signature to a requesting entity.

Abstract: In an example, an apparatus is described. The apparatus comprises a processor to interface with a computing system and a memory device comprising a set of logical cells. A logical cell of the set of logical cells indicates a data value by an amount of charge stored in a physical cell of the logical cell. Charge leakage between the physical cell and an adjacent physical cell of the logical cell is to occur at a rate that at least partially depends on a relative amount of charge stored in the physical cell and the adjacent physical cell. The apparatus further comprises a machine-readable medium storing instructions readable and executable by the processor to cause the processor to process a request issued via the computing system for the processor to cause a memory operation to be performed in the memory device.

Abstract: In an example, an apparatus is described. The apparatus comprises a memory device comprising a set of logical cells. A logical cell of the set of logical cells indicates a data value by an amount of charge stored in a physical cell of the logical cell. Charge leakage between the physical cell and an adjacent physical cell of the logical cell is to occur at a rate that at least partially depends on a relative amount of charge stored in the physical cell and the adjacent physical cell. A set of data values indicated by the set of logical cells is to change over time due to the charge leakage. The set of data values indicated by the set of logical cells is representative of information that is valid over an estimated period of time, which is based on the rate of charge leakage.

Abstract: Instructions may be provided to cause a computing device to receive authorisation data, the authorisation data indicating a policy; output a cryptographic challenge, the cryptographic challenge associated with the computing device and the policy; receive a response to the cryptographic challenge; receive an indication that a hardware change has occurred or a cover of the computing device has been opened; and in response to a determination, based on the received response, that the cryptographic challenge is passed, react to the indication according to the policy.

Abstract: An example computing device includes a memory accessible at startup of the computing device, a buffer, and a set of instructions. The memory stores a configuration setting that is configurable by the application of a change request. The memory also stores a first public key and a second public key. The buffer stores change requests submitted by a remote entity, including a first change request to make a first setting change and a second change request to make a second setting change. The first change request is signed by a first private key corresponding to the first public key, and the second change request is signed by a second private key corresponding to the second public key. The set of instructions retrieves a change request from the buffer, determines whether the change request is authenticated by a public key, and if authenticated, applies the change request.

Abstract: The present disclosure relates to a neural network. The neural network may comprise a first portion, comprising a plurality of layers of the neural network, to perform a first cryptographic operation on input data. The neural network may further comprise a second portion, comprising a plurality of layers of the neural network, to perform processing on the data. The neural network may further comprise a third portion, comprising a plurality of layers of the neural network, to perform a second cryptographic operation on the processed data.

Abstract: In an example, a method is described. The method comprises receiving a log comprising information about a computing system. The log is sent by a computing device associated with the computing system. The computing device comprises a first identity bound to a third identity of a certificate authority (CA) and a second identity bound to the first identity. The method further comprises receiving a signature for the log. The method further comprises verifying a certificate indicative of the second identity having been certified. The method further comprises verifying the received signature.

Abstract: In an example there is provided a method, comprising generating a token in response to an interaction between a user device associated to a user and a service device associated to a service. The token comprises record data indicative of the interaction and verification data to verify the record data. The token is communicated to the user device. The token is stored at the service device. The verification data is generated on the basis of the record data and identification data associated to the user.

Abstract: In an example there is provided a method for initiating an auxiliary access protocol in an authentication session. The method comprises providing attestation data attesting to a cause of an outcome of an authentication attempt in an authentication session, accessing a policy to initiate an auxiliary access protocol, determining if the attestation data fulfils a criterion according to the policy and initiating the auxiliary access protocol on the basis of said determination.

Abstract: In some examples, a method for data management, the method comprises booting a trusted diskless operating system image via a device firmware component, accessing a non-volatile storage of the device using the trusted diskless operating system image; and retrieving user data from the non-volatile storage of the device, and/or writing user data received from a remote location to the non-volatile storage of the device.

Abstract: In some example, a method for accessing a cryptographic recovery key of an encryption system of a device comprises mapping a device identity received at a key management system to a recovery key stored in the key management system, specifying at least one device-related operation to which the recovery key is linked, generating an encrypted message for the device, the encrypted message comprising the recovery key, and transmitting the encrypted message and a signed message to the device.

Abstract: In some examples, a method for performing an out-of-band security inspection of a device comprises generating a snapshot of the state of the device, storing data representing the snapshot to a non-volatile storage of the device, and storing a hash of the snapshot in a device BIOS, transitioning the power state of the device, triggering boot of a trusted diskless operating system image, providing the data representing the snapshot and the hash of the snapshot to the trusted diskless operating system image, and executing a script selected on the basis of a trigger event and the hash of the snapshot to analyse at least a portion of the non-volatile storage of the device.