Abstract: Various embodiments of systems and methods are provided to bind a system identifier that uniquely identifies an information handling system (IHS) to the system platform, so that the identity of the IHS can be cryptographically verified. More specifically, the present disclosure provides methods to bind a unique system identifier to an IHS platform, and methods to cryptographically verify the identity of the IHS using the unique system identifier and a plurality of keys generated and stored with a Trusted Platform Module (TPM) of the IHS. Systems are provided herein to perform such methods. As such, the systems and methods disclosed herein enable system identity to be irrefutably verified, thereby preventing theft and misuse of system identity.

Abstract: Systems and methods are provided that may be implemented to provide a basic input/output system (BIOS) with the ability to authenticate and then execute one-time unique instructions that are previously left behind (i.e., stored) in public memory of an information handling system by a containerized computing environment session that is no longer executing on the information handling system. The disclosed systems and methods may be so implemented to share with the system BIOS privileged instructions to identify which executables are authorized for execution on a targeted information handling system. The privileged instructions may be previously created and optionally stored together with an executable code in system public memory, and these instructions may provide instructions on how to execute the executable code.

Abstract: Methods and systems are provided that may be implemented to methods and systems may be implemented to automatically identify types and status of vulnerabilities in identified software or firmware components (e.g., libraries), and then automatically deploy security vulnerability fixes (e.g., patches or updates) in these identified components across different affected software or firmware applications. In one example, the disclosed methods and systems may operate to dynamically and automatically aggregate identified third party software and/or firmware vulnerabilities into a centralized repository, and may be further implemented to automatically handle the roll out and deployment of vulnerability fixes to patch or update third party libraries to solve any security vulnerability reported on these third party libraries.

Abstract: The present disclosure provides various embodiments of systems and related methods to track and cryptographically verify system configuration changes. More specifically, systems and methods are disclosed herein to track an original system configuration of an information handling system (IHS) as the system was built by a manufacturing facility, and any system configuration changes that are made to the original system configuration after the IHS leaves the manufacturing facility. Once a user takes ownership of the IHS, systems and methods disclosed herein may be used to cryptographically verify a current system configuration of the IHS. In doing so, the present disclosure provides a way to authenticate or validate system configuration changes that may occur after the IHS leaves the manufacturing facility.

Abstract: A method may include, during execution of a basic input/output system comprising boot firmware configured to be the first code executed by the processor when the information handling system is booted and/or powered on and execute prior to execution of an operating system of the information handling system, executing a hardware attestation verification application configured to: (i) read a platform certificate comprising information associated with one or more information handling resources of the information handling system recorded during creation of the platform certificate; (ii) perform hardware attestation of the information handling system by comparing information associated with the one or more information handling resources and the information stored within the platform certificate; and (iii) generate a log indicative of the results of the hardware attestation.

Abstract: An information handling system may include a processor and a basic input/output system (BIOS) comprising a program of instructions executable by the processor and configured to cause the processor to initialize one or more information handling resources of the information handling system. The BIOS may be further configured to, during a boot of the information handling system, determine whether a BIOS configuration change has been made during a current boot session of the information handling system, and responsive to determining that a BIOS configuration change has been made during the current boot session, store an indication of the BIOS configuration change to a non-volatile memory.

Abstract: A method may include, during execution of a basic input/output system comprising boot firmware configured to be the first code executed by the processor when the information handling system is booted and/or powered on and execute prior to execution of an operating system of the information handling system, executing a hardware attestation verification application configured to: (i) read a platform certificate comprising information associated with one or more information handling resources of the information handling system recorded during creation of the platform certificate; (ii) perform hardware attestation of the information handling system by comparing information associated with the one or more information handling resources and the information stored within the platform certificate; and (iii) generate a log indicative of the results of the hardware attestation.

Abstract: A system for a time-based one-time password security system operating at a provisioning server may comprise transmitting one or more first locally generated random-string numbers for generation of a first time-based one-time password to a remotely connected internet of things sensor and a remotely connected internet of things sensor hub. The system may also comprise executing code instructions to associate the internet of things sensor with a first client key in a table stored in a memory operatively connected to the processor, associate the internet of things sensor hub with a second client key in the table, and associate the internet of things sensor and internet of things sensor hub with the one or more first locally generated random-string numbers in the table. Further the first remotely generated random-string numbers may identify a first preset function for generation of a first session key used in encrypting and decrypting sensor data records.

Abstract: An information handling system may include a processor and a basic input/output system (BIOS) comprising a program of instructions executable by the processor and configured to cause the processor to initialize one or more information handling resources of the information handling system. The BIOS may be further configured to, during a boot of the information handling system, determine whether a BIOS configuration change has been made during a current boot session of the information handling system, and responsive to determining that a BIOS configuration change has been made during the current boot session, store an indication of the BIOS configuration change to a non-volatile memory.

Abstract: The present disclosure provides various embodiments of systems and related methods to track and cryptographically verify system configuration changes. More specifically, systems and methods are disclosed herein to track an original system configuration of an information handling system (IHS) as the system was built by a manufacturing facility, and any system configuration changes that are made to the original system configuration after the IHS leaves the manufacturing facility. Once a user takes ownership of the IHS, systems and methods disclosed herein may be used to cryptographically verify a current system configuration of the IHS. In doing so, the present disclosure provides a way to authenticate or validate system configuration changes that may occur after the IHS leaves the manufacturing facility.

Abstract: Various embodiments of systems and methods are provided to bind a system identifier that uniquely identifies an information handling system (IHS) to the system platform, so that the identity of the IHS can be cryptographically verified. More specifically, the present disclosure provides methods to bind a unique system identifier to an IHS platform, and methods to cryptographically verify the identity of the IHS using the unique system identifier and a plurality of keys generated and stored with a Trusted Platform Module (TPM) of the IHS. Systems are provided herein to perform such methods. As such, the systems and methods disclosed herein enable system identity to be irrefutably verified, thereby preventing theft and misuse of system identity.

Abstract: A system for a time-based one-time password security system operating at a provisioning server may comprise transmitting one or more first locally generated random-string numbers for generation of a first time-based one-time password to a remotely connected internet of things sensor and a remotely connected internet of things sensor hub. The system may also comprise executing code instructions to associate the internet of things sensor with a first client key in a table stored in a memory operatively connected to the processor, associate the internet of things sensor hub with a second client key in the table, and associate the internet of things sensor and internet of things sensor hub with the one or more first locally generated random-string numbers in the table. Further the first remotely generated random-string numbers may identify a first preset function for generation of a first session key used in encrypting and decrypting sensor data records.

Abstract: A system for a time-based one-time password security system operating at a provisioning server may comprise transmitting one or more first locally generated random-string numbers for generation of a first time-based one-time password to a remotely connected internet of things sensor and a remotely connected internet of things sensor hub. The system may also comprise executing code instructions to associate the internet of things sensor with a first client key in a table stored in a memory operatively connected to the processor, associate the internet of things sensor hub with a second client key in the table, and associate the internet of things sensor and internet of things sensor hub with the one or more first locally generated random-string numbers in the table. Further the first remotely generated random-string numbers may identify a first preset function for generation of a first session key used in encrypting and decrypting sensor data records.

Abstract: A system for a time-based one-time password security system operating at a provisioning server may comprise transmitting one or more first locally generated random-string numbers for generation of a first time-based one-time password to a remotely connected internet of things sensor and a remotely connected internet of things sensor hub. The system may also comprise executing code instructions to associate the internet of things sensor with a first client key in a table stored in a memory operatively connected to the processor, associate the internet of things sensor hub with a second client key in the table, and associate the internet of things sensor and internet of things sensor hub with the one or more first locally generated random-string numbers in the table. Further the first remotely generated random-string numbers may identify a first preset function for generation of a first session key used in encrypting and decrypting sensor data records.

Abstract: Systems and methods for securely passing user authentication data between a Pre-Boot Authentication (PBA) environment and an Operating System (OS) are described. In some embodiments, an Information Handling System (IHS) may include a processor; and a Basic I/O System (BIOS) coupled to the processor, the BIOS having program instructions stored thereon that, upon execution by the processor, cause the computer system to: identify an encrypted Single-Sign-On (SSO) token and a Trusted Platform Module (TPM) key pair provisioned by an Operating System (OS) and stored in an OS registry; extract a TPM public key from the TPM key pair; encrypt a PBA private key generated by a PBA application with the TPM public key; and store the encrypted PBA private key, the TPM key pair, and the encrypted SSO token in a shadow partition of a self-encrypting hard drive coupled to the IHS.

Abstract: A method includes storing a credential object for a user to an encrypted silo on an information handling system. The credential object operates to authenticate the user to use an application. The method also includes copying the encrypted silo from the information handling system to a second information handling system, retrieving at the second information handling system the credential object from the copy of the encrypted silo, and authenticating the user to use the application on the second information handling system using the credential object.

Abstract: A method includes storing a credential object for a user to an encrypted silo on an information handling system. The credential object operates to authenticate the user to use an application. The method also includes copying the encrypted silo from the information handling system to a second information handling system, retrieving at the second information handling system the credential object from the copy of the encrypted silo, and authenticating the user to use the application on the second information handling system using the credential object.

Abstract: A computer system includes at least one processor, at least one memory, and a device for performing a prescribed continuity and integrity check of a memory bus channel having a serial topology. In one embodiment, basic input output system (BIOS) firmware is stored in memory and includes instructions for causing the processor to perform the prescribed continuity and integrity check of the memory bus channel having a serial topology.