Abstract: Applying a firmware update, including: receiving a firmware update package, the firmware update package including multiple payloads and a firmware update duration map; verifying an integrity of the firmware update duration map, and in response, extracting the firmware update duration map from the firmware update package; determining, at a first time, a first power required to apply a first payload of the firmware update package based at least on the firmware update duration map and a health of a battery; comparing a current power capacity of the battery with the first power required to apply the first payload of the firmware update package; determining that the current power capacity of the battery is greater than the first power required to apply the first payload, and in response: obtaining the first payload of the firmware update package; updating firmware by applying the first payload to the firmware

Abstract: A system and method for resolving (BIOS) firmware issues affecting one or more information handling systems, includes: responsive to receiving information indicative of the BIOS firmware issue, developing one or more executable scripts for resolving the BIOS firmware issue without modifying the BIOS firmware. The executable scripts include a first script for collecting data pertaining to the BIOS firmware issue, which is pushed to at least one affected information handling system. The first script includes processor-executable instructions that the affected information handling system executes in a pre-boot state to perform operations including establishing a secure and privileged pre-boot session, collecting data associated with the BIOS firmware issue from within the secure and privileged pre-boot session, and sending the data associated with the BIOS issue to a support resource.

Abstract: Systems and methods provide isolated workspaces operating on an IHS (Information Handling System) with use of pre-boot resources of the IHS that are not directly accessible by the workspaces. Upon notification of a workspace initialization, a segregated variable space, such as a segregated memory utilized by a UEFI (Unified Extensible Firmware Interface) of the IHS, is specified for use by the workspace. The segregated variable space is initialized and populated with pre-boot variables, such as UEFI variables, that are allowed for configuration by the workspace. Upon a workspace issuing a request to configure a pre-boot variable, the segregated variable space is identified that was mapped for use by the workspace. The requested pre-boot variable configuration is allowed based on whether the pre-boot variable is populated in the segregated variable space. When the requested pre-boot variable configuration is allowed, the pre-boot variable is configured on behalf of the workspace.

Abstract: An information handling system may include a processor and a basic input/output system communicatively coupled to the processor and embodied by executable instructions embodied in non-transitory computer readable media, the instructions configured to, when executed by the processor, in a pre-operating system environment of the information handling system: determine contextual information associated with the information handling system and based on the contextual information, select a baseline container image to be executed by an operating system of the information handling system.

Abstract: A system for protecting an information handling system from alterations in chain sequencing uses a root of trust to secure transition points between entities in a sequence according to a chain of trust stored in a chain of trust database. Before transitioning control from a first entity transferring control to a second entity receiving control, the root of trust validates the transferring entity and the receiving entity. Failure to validate both entities results in the root of trust stopping the boot process to prevent malicious code from interfering with the BIOS executing the correct steps in the process.

Abstract: A method for binding applications to a platform root of trust includes pre-provisioning application binding components in an information handling system. An application requesting OS access sends its access control list (ACL)and application metadata to the BIOS, which performs initial checks. The BIOS responds with platform metadata and a first nonce. The application communicates the metadata, the first nonce and a second nonce to a server. The server checks the nonces and metadata, creates a third nonce and an application binding object (ABO). The application checks the nonces and sends a binding certificate to the BIOS. The BIOS checks the nonces, creates a binding certificate, verifies the binding certificate and sends a binding session credential (BSC) to the application. The application binds the BSC with platform credentials.

Abstract: A method may comprise, on a basic input/output system (BIOS), executing a hardware attestation verification application configured to: (a) during a first boot session of the information handling system comprising the BIOS, execute a first stage of an update to the information handling system and securely record a platform state record associated with beginning of execution of a second stage of the update; and (b) during a second boot session of the information handling system: (i) obtain the platform state record; (ii) compare the platform state record to an actual platform state during boot process of the second boot session; and (iii) if the platform state record matches the actual platform state during boot process of the second boot session, permit execution of the second state of the update.

Abstract: A BIOS may include a plurality of BIOS attributes associated with the information handling system, each attribute of the plurality of BIOS attributes having metadata defining a priority for such attribute. The BIOS may also include an attribute engine configured to execute a preboot process prior to booting of an operating system of the information handling system, wherein the preboot process is configured to identify boot-critical attributes of the plurality of BIOS attributes based on the metadata and load the boot-critical attributes. The attribute engine may also execute a steady-state process after booting of the operating system of the information handling system, wherein the steady-state process is configured to load attributes of the plurality of BIOS attributes other than the boot-critical attributes in an order based on the metadata.

Abstract: An information handling system may include at least one processor, a memory, and an embedded controller (EC). The information handling system may be configured to, prior to initialization of an operating system of the information handling system: execute memory reference code configured to test selected regions of the memory; transmit results of the memory reference code to the EC; store, at the EC, information indicative of respective likelihoods that particular regions of the memory are bad; and upon a subsequent boot, select a region of the memory having a low likelihood of being bad for loading a Basic Input/Output System (BIOS) of the information handling system.

Abstract: An information handling system may include at least one processor, a memory, and an embedded controller (EC). The information handling system may be configured to, prior to initialization of an operating system of the information handling system: execute memory reference code configured to test selected regions of the memory; transmit results of the memory reference code to the EC; store, at the EC, information indicative of respective likelihoods that particular regions of the memory are bad; and upon a subsequent boot, select a region of the memory having a low likelihood of being bad for loading a Basic Input/Output System (BIOS) of the information handling system.

Abstract: A diagnostics optimization platform employs cloud-based resources, including a diagnostics repository that accumulates health data from managed endpoints, and machine learning (ML) resources that generate endpoint-specific diagnostic plans based on the accumulated health data. The ML resources may be configured to generate diagnostic plans that prioritize any appropriate diagnostic testing parameter or objective including, as a non-limiting example, a reduction in diagnostic testing execution time and/or diagnostic testing frequency. The ML resources may maintain a continually updated training database derived from the collected health data to develop endpoint-specific data collection and diagnostic testing models. The ML resources may include a diagnostics optimization module to develop diagnostic testing models and provide corresponding endpoint-specific diagnostic plans to each endpoint.

Abstract: An information handling system may include a processor and a basic input/output system (BIOS) comprising a program of instructions comprising boot firmware configured to be the first code executed by the processor when the information handling system is booted or powered on, the BIOS configured to, during boot of the information handling system: (i) read a predefined measurement of an order of loading of BIOS drivers configured to execute during execution of the BIOS, such predefined measurement made during build of the BIOS; (ii) perform a runtime measurement of an order of loading of the BIOS drivers during actual runtime of the information handling system; (iii) compare the predefined measurement to the runtime measurement; and (iv) responsive to a mismatch between the predefined measurement and the runtime measurement, respond with a remedial action.

Abstract: An SMI task to be completed across multiple SMI events. An OS agent can be employed to determine a current load on a computing device. Based on the load, the OS agent can create an SMI message that specifies a maximum duration for an SMI event and that segments the SMI data for the SMI task. The OS agent can provide the SMI message to BIOS as part of requesting that the SMI task be performed. During the resulting SMI event, the BIOS can reassemble the segmented SMI data and then perform the SMI task. If this processing cannot be completed within the specified maximum duration for an SMI event, the BIOS can pause its processing and cause a subsequent SMI event to occur during which the processing can be resumed. In this way, the SMI task can be completed across multiple SMI events while ensuring that no single SMI event exceeds the specified maximum duration.

Abstract: A system includes a communication channel monitor configured to calculate a hash value of a first encrypted code segment based on a measurement. A security module may derive a first encryption key using a key decryption function operation from the hash value of the first encrypted code segment. A processor decrypts the first encrypted code segment with a seed key retrieved from a storage device, and if the decryption is successful then executes the first decrypted code segment. The processor may retrieve a second one of the encrypted code segments, wherein the second encrypted code segment is a next encrypted code segment for execution after the first encrypted code segment according to a sequence of execution, decrypt the second encrypted code segment with the first encryption key, and if the decryption is successful then execute the second decrypted code segment.

Abstract: A system for secure processing of intra-processor data comprising firmware configured to operate on a processor. An operating system configured to operate on the processor. Payload configured to operate on the processor. An embedded controller coupled to the firmware, the operating system and the payload, wherein the embedded controller is configured to enable messaging between the firmware, the operating system and the payload.

Abstract: An information handling system may include a processor and a basic input/output system configured to identify, test, and/or initialize information handling resources of the information handling system, and further configured to predict a volume of incoming telemetry data collected by a preboot driver of the basic input/output system and based on the volume predicted, manage storage of the telemetry data among memory associated with the basic input/output system.

Abstract: Firmware updates are packaged in a manner that enables a firmware update utility to be executed to provide control functionality for deployment of the firmware updates while leveraging an operating system provided update framework to deliver the firmware updates to pre-boot environment. Accordingly, control over the deployment of the firmware updates is provided without difficulties and security risks of employing a custom kernel-mode driver to deliver the firmware updates.

Abstract: A system includes a communication channel monitor configured to calculate a hash value of a first encrypted code segment based on a measurement. A security module may derive a first encryption key using a key decryption function operation from the hash value of the first encrypted code segment. A processor decrypts the first encrypted code segment with a seed key retrieved from a storage device, and if the decryption is successful then executes the first decrypted code segment. The processor may retrieve a second one of the encrypted code segments, wherein the second encrypted code segment is a next encrypted code segment for execution after the first encrypted code segment according to a sequence of execution, decrypt the second encrypted code segment with the first encryption key, and if the decryption is successful then execute the second decrypted code segment.

Abstract: An information handling system may include a processor, non-transitory computer readable media communicatively coupled to the processor and having stored thereon a primary operating system of the information handling system and a secondary operating system of the information handling system, and a basic input/output system communicatively coupled to the processor and having provisioned thereon a signed signature of the secondary operating system signed with a private key of a public-private key pair and a public key of the public-private key pair. The basic input/output system is configured to, responsive to a determination to boot to the secondary operating system in lieu of booting to the primary operating system of the information handling system verify the secondary operating system using the signed signature of the secondary operating system and the public key and responsive to verifying the secondary operating system, allow the information handling system to boot to the secondary operating system.

Abstract: An information handling system includes a non-volatile memory (NVRAM) and a processor. The NVRAM stores a plurality of NVRAM variables and a basic input/output system (BIOS) of the information handling system. The BIOS includes system BIOS variable services. The processor executes the system BIOS variable services. While executing the system BIOS variable services, the processor determines whether a holding area of a first NVRAM variable of the NVRAM variables is completely used. In response to the storage being completely used, the processor calculates a new size of the holding area based on metadata of the first NVRAM variable, and creates a new storage area for the first NVRAM variable. The size of a second holding area of the new storage area equals the new size.