Abstract: Embodiments are generally directed apparatuses, methods, techniques and so forth to receive a sled manifest comprising identifiers for physical resources of a sled, receive results of an authentication and validation operations performed to authenticate and validate the physical resources of the sled, determine whether the results of the authentication and validation operations indicate the physical resources are authenticate or not authenticate. Further and in response to the determination that the results indicate the physical resources are authenticated, permit the physical resources to process a workload, and in response to the determination that the results indicate the physical resources are not authenticated, prevent the physical resources from processing the workload.

Abstract: Technologies for generating manifest data for a sled include a sled to generate manifest data indicative of one or more characteristics of the sled (e.g., hardware resources, firmware resources, a configuration of the sled, or a health of sled components). The sled is also to associate an identifier with the manifest data. The identifier uniquely identifies the sled from other sleds. Additionally, the sled is to send the manifest data and the associated identifier to a server. The sled may also detect a change in the hardware resources, firmware resources, the configuration, or component health of the sled. The sled may also generate an update of the manifest data based on the detected change, where the update specifies the detected change in the hardware resources, firmware resources, the configuration, or component health of the sled. The sled may also send the update of the manifest data to the server.

Abstract: Technologies for generating manifest data for a sled include a sled to generate manifest data indicative of one or more characteristics of the sled (e.g., hardware resources, firmware resources, a configuration of the sled, or a health of sled components). The sled is also to associate an identifier with the manifest data. The identifier uniquely identifies the sled from other sleds. Additionally, the sled is to send the manifest data and the associated identifier to a server. The sled may also detect a change in the hardware resources, firmware resources, the configuration, or component health of the sled. The sled may also generate an update of the manifest data based on the detected change, where the update specifies the detected change in the hardware resources, firmware resources, the configuration, or component health of the sled. The sled may also send the update of the manifest data to the server.

Abstract: Technologies for attesting a deployment of a workload using a blockchain includes a compute engine that receives a request from a remote device to validate one or more parameters of a managed node composed of one or more sleds. The compute engine retrieves a blockchain associated with the managed node. The blockchain includes one or more blocks, each block including information about the parameters of the managed node. The compute engine validates the blockchain and sends an indication that the blockchain is valid to the requesting device.

Abstract: Technologies for attesting a deployment of a workload using a blockchain includes a compute engine that receives a request from a remote device to validate one or more parameters of a managed node composed of one or more sleds. The compute engine retrieves a blockchain associated with the managed node. The blockchain includes one or more blocks, each block including information about the parameters of the managed node. The compute engine validates the blockchain and sends an indication that the blockchain is valid to the requesting device.

Abstract: Embodiments are generally directed apparatuses, methods, techniques and so forth to receive a sled manifest comprising identifiers for physical resources of a sled, receive results of an authentication and validation operations performed to authenticate and validate the physical resources of the sled, determine whether the results of the authentication and validation operations indicate the physical resources are authenticate or not authenticate. Further and in response to the determination that the results indicate the physical resources are authenticated, permit the physical resources to process a workload, and in response to the determination that the results indicate the physical resources are not authenticated, prevent the physical resources from processing the workload.

Abstract: Technologies for attesting a deployment of a workload using a blockchain includes a compute engine that receives a request from a remote device to validate one or more parameters of a managed node composed of one or more sleds. The compute engine retrieves a blockchain associated with the managed node. The blockchain includes one or more blocks, each block including information about the parameters of the managed node. The compute engine validates the blockchain and sends an indication that the blockchain is valid to the requesting device.

Abstract: Embodiments are generally directed apparatuses, methods, techniques and so forth to receive a sled manifest comprising identifiers for physical resources of a sled, receive results of an authentication and validation operations performed to authenticate and validate the physical resources of the sled, determine whether the results of the authentication and validation operations indicate the physical resources are authenticate or not authenticate. Further and in response to the determination that the results indicate the physical resources are authenticated, permit the physical resources to process a workload, and in response to the determination that the results indicate the physical resources are not authenticated, prevent the physical resources from processing the workload.

Abstract: Technologies for fabric security include one or more managed network devices coupled to one or more computing nodes via high-speed fabric links. A managed network device enables a port and, while enabling the port, securely determines the node type of the link partner coupled to the port. If the link partner is a computing node, management access is not allowed at the port. The managed network device may allow management access at certain predefined ports, which may be connected to one of more management nodes. Management access may be allowed for additional ports in response to management messages received from the management nodes. The managed network device may check and verify data packet headers received from a compute node at each port. The managed network device may rate-limit management messages received from a compute node at each port. Other embodiments are described and claimed.

Abstract: An apparatus and method for hardware protection of a virtual machine monitor (VMM) runtime integrity watcher is described. A set of one or more hardware range registers that protect a contiguous memory space that is to store the VMM runtime integrity watcher. The set of hardware range registers are to protect the VMM runtime integrity watcher from being modified when loaded into the contiguous memory space. The VMM runtime integrity watcher, when executed, performs an integrity check on a VMM during runtime of the VMM.

Abstract: Technologies for generating manifest data for a sled include a sled to generate manifest data indicative of one or more characteristics of the sled (e.g., hardware resources, firmware resources, a configuration of the sled, or a health of sled components). The sled is also to associate an identifier with the manifest data. The identifier uniquely identifies the sled from other sleds. Additionally, the sled is to send the manifest data and the associated identifier to a server. The sled may also detect a change in the hardware resources, firmware resources, the configuration, or component health of the sled. The sled may also generate an update of the manifest data based on the detected change, where the update specifies the detected change in the hardware resources, firmware resources, the configuration, or component health of the sled. The sled may also send the update of the manifest data to the server.

Abstract: Embodiments are generally directed apparatuses, methods, techniques and so forth to receive a sled manifest comprising identifiers for physical resources of a sled, receive results of an authentication and validation operations performed to authenticate and validate the physical resources of the sled, determine whether the results of the authentication and validation operations indicate the physical resources are authenticate or not authenticate. Further and in response to the determination that the results indicate the physical resources are authenticated, permit the physical resources to process a workload, and in response to the determination that the results indicate the physical resources are not authenticated, prevent the physical resources from processing the workload.

Abstract: Technologies for fabric security include one or more managed network devices coupled to one or more computing nodes via high-speed fabric links. A managed network device enables a port and, while enabling the port, securely determines the node type of the link partner coupled to the port. If the link partner is a computing node, management access is not allowed at the port. The managed network device may allow management access at certain predefined ports, which may be connected to one of more management nodes. Management access may be allowed for additional ports in response to management messages received from the management nodes. The managed network device may check and verify data packet headers received from a compute node at each port. The managed network device may rate-limit management messages received from a compute node at each port. Other embodiments are described and claimed.

Abstract: An apparatus and method for hardware protection of a virtual machine monitor (VMM) runtime integrity watcher is described. A set of one or more hardware range registers that protect a contiguous memory space that is to store the VMM runtime integrity watcher. The set of hardware range registers are to protect the VMM runtime integrity watcher from being modified when loaded into the contiguous memory space. The VMM runtime integrity watcher, when executed, performs an integrity check on a VMM during runtime of the VMM.

Abstract: A method, device, and system for securely migrating and provisioning a virtual machine image to a host device of a cloud service provider environment (CSPE) is disclosed. A customer device encrypts a virtual machine image (VMI) and stores the VMI in the CSPE. The host device retrieves the encrypted VMI from the object store and sends host trust data (including a symmetric key extracted from the encrypted VMI, the symmetric key being encrypted with the customer public key) to a key management server for trust attestation. If the key management server successfully attests the host device, the key management server decrypts the encrypted symmetric key using the customer private key and re-encrypts the symmetric key using the host public key. The host device receives the re-encrypted symmetric key from the key management server, decrypts it using the host private key, and decrypts the encrypted VMI using the symmetric key.

Abstract: Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein for tracking per-virtual machine (“VM”) resource usage independent of a virtual machine monitor (“VMM”). In various embodiments, a first logic unit may associate one or more virtual central processing units (“vCPUs”) operated by one or more physical processing units of a computing device with a first VM of a plurality of VMs operated by the computing device, and collect data about resources used by the one or more physical processing units to operate the one or more vCPUs associated with the first VM. In various embodiments, a second logic unit of the computing device may determine resource-usage by the first VM based on the collected data. In various embodiments, the first and second logic units may perform these functions independent of a VMM of the computing device.

Abstract: A method, device, and system for securely migrating and provisioning a virtual machine image to a host device of a cloud service provider environment (CSPE) is disclosed. A customer device encrypts a virtual machine image (VMI) and stores the VMI in the CSPE. The host device retrieves the encrypted VMI from the object store and sends host trust data (including a symmetric key extracted from the encrypted VMI, the symmetric key being encrypted with the customer public key) to a key management server for trust attestation. If the key management server successfully attests the host device, the key management server decrypts the encrypted symmetric key using the customer private key and re-encrypts the symmetric key using the host public key. The host device receives the re-encrypted symmetric key from the key management server, decrypts it using the host private key, and decrypts the encrypted VMI using the symmetric key.

Abstract: A method, device, and system for securely migrating and provisioning a virtual machine image to a host device of a cloud service provider environment (CSPE) is disclosed. A customer device encrypts a virtual machine image (VMI) and stores the VMI in the CSPE. The host device retrieves the encrypted VMI from the object store and sends host trust data (including a symmetric key extracted from the encrypted VMI, the symmetric key being encrypted with the customer public key) to a key management server for trust attestation. If the key management server successfully attests the host device, the key management server decrypts the encrypted symmetric key using the customer private key and re-encrypts the symmetric key using the host public key. The host device receives the re-encrypted symmetric key from the key management server, decrypts it using the host private key, and decrypts the encrypted VMI using the symmetric key.

Abstract: A method, device, and system for securely migrating and provisioning a virtual machine image to a host device of a cloud service provider environment (CSPE) is disclosed. A customer device encrypts a virtual machine image (VMI) and stores the VMI in the CSPE. The host device retrieves the encrypted VMI from the object store and sends host trust data (including a symmetric key extracted from the encrypted VMI, the symmetric key being encrypted with the customer public key) to a key management server for trust attestation. If the key management server successfully attests the host device, the key management server decrypts the encrypted symmetric key using the customer private key and re-encrypts the symmetric key using the host public key. The host device receives the re-encrypted symmetric key from the key management server, decrypts it using the host private key, and decrypts the encrypted VMI using the symmetric key.

Abstract: Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein for tracking per-virtual machine (“VM”) resource usage independent of a virtual machine monitor (“VMM”). In various embodiments, a first logic unit may associate one or more virtual central processing units (“vCPUs”) operated by one or more physical processing units of a computing device with a first VM of a plurality of VMs operated by the computing device, and collect data about resources used by the one or more physical processing units to operate the one or more vCPUs associated with the first VM. In various embodiments, a second logic unit of the computing device may determine resource-usage by the first VM based on the collected data. In various embodiments, the first and second logic units may perform these functions independent of a VMM of the computing device.