Abstract: Best known configurations can be automatically created for particular platforms. An update tool can be installed on end user devices and can include a health monitor engine that creates health reports for drivers and/or firmware installed on the corresponding end user device. The health reports generated on the end user devices can be provided to a best known configuration engine that can evaluate them to calculate a best known configuration for each platform. The best known configurations can then be distributed to the update tool on the end user devices to cause them to configure the end user devices to match the corresponding best known configuration.

Abstract: An information handling system includes a basic input/output system having a virtual advanced configuration and power interface device. A processor may download a device driver for a particular virtual advanced configuration and power interface device, wherein the device driver includes a code for a security feature and a signed file that includes a list of identifiers of compromised information handling systems. The processor may determine whether the information handling system is compromised based on the list of identifiers of compromised information handling systems in the signed file, and execute the code for the security feature.

Abstract: Information handling systems (IHS) and methods are provided to automatically synchronize operating system (OS) and boot firmware languages. In one embodiment, a method may detect a change in an active OS language from a first language pack to a second language pack, notify the boot firmware that the active OS language was changed, and provide an identity of the second language pack to the boot firmware during OS runtime. When the IHS is subsequently rebooted, the active boot firmware language may be synchronized to the active OS language. In another embodiment, the method may detect a change in an active boot firmware language from a first language pack to a second language pack, notify the OS that the active boot firmware language was changed, and provide an identity of the second language pack to the OS during a pre-boot phase. When the OS is subsequently booted, the active OS language may be synchronized to the active boot firmware language.

Abstract: An information handling system may include a processor and a program of instructions embodied in non-transitory computer-readable media and configured to, when read and executed by the processor: in response to a request to write a variable to a solid state device, store the variable to a memory location of the solid state device, the variable including variable data and a variable status indicative of a validity of the variable data, the variable status having a plurality of bits wherein each of the plurality of bits are set to an initial value and in response to a request to modify the variable, modify the variable status by changing one of the plurality of bits from the initial value to a logical complement of the initial value to change the validity of the variable data. The validity of the variable data may be based on whether an even number or odd number of the plurality of bits are equal to the complement of the initial value.

Abstract: A system includes a communication channel monitor configured to calculate a hash value of a first encrypted code segment based on a measurement. A security module may derive a first encryption key using a key decryption function operation from the hash value of the first encrypted code segment. A processor decrypts the first encrypted code segment with a seed key retrieved from a storage device, and if the decryption is successful then executes the first decrypted code segment. The processor may retrieve a second one of the encrypted code segments, wherein the second encrypted code segment is a next encrypted code segment for execution after the first encrypted code segment according to a sequence of execution, decrypt the second encrypted code segment with the first encryption key, and if the decryption is successful then execute the second decrypted code segment.

Abstract: A system for sequencing firmware updates comprising a sequenced payload creation system operating on a processor and configured to receive two or more firmware payload sets and to generate a payload sequence for the two or more firmware payload sets. A BIOS payload system operating on the processor and configured to receive the two or more firmware payload sets and the payload sequence and to generate a basic input/output system (BIOS) payload. A BIOS locking system operating on the processor and configured to receive the BIOS payload and to generate a secure BIOS executable.

Abstract: A system for sequencing firmware updates comprising a sequenced payload creation system operating on a processor and configured to receive two or more firmware payload sets and to generate a payload sequence for the two or more firmware payload sets. A BIOS payload system operating on the processor and configured to receive the two or more firmware payload sets and the payload sequence and to generate a basic input/output system (BIOS) payload. A BIOS locking system operating on the processor and configured to receive the BIOS payload and to generate a secure BIOS executable.

Abstract: A system for secure processing of intra-processor data comprising firmware configured to operate on a processor. An operating system configured to operate on the processor. Payload configured to operate on the processor. An embedded controller coupled to the firmware, the operating system and the payload, wherein the embedded controller is configured to enable messaging between the firmware, the operating system and the payload.

Abstract: Systems and methods are disclosed herein that may implement an information handling system including a gateway and a peripheral device monitor. The gateway may interface peripheral devices and control access of host resources of the information handling system by any of the peripheral devices. The peripheral device monitor may detect connection of an unverified peripheral device to the gateway, perform a trust verification process with the unverified peripheral device, control the gateway to enable access of the host resources by the unverified peripheral device when the unverified peripheral device becomes verified, and control the gateway to prevent access to the host resources by the unverified peripheral device when the unverified peripheral device fails the trust verification process. The trust verification process may include validating a device certificate and verifying a digest of boot code of the peripheral device.

Abstract: Systems and methods are provide that may be implemented to modify boot operation for an information handling system using commands of a script that is detected and authenticated by boot code of the information handling system. The script may include at least one command that modifies a boot operation of the information handling system when performed by the processor. The boot code may be executed by the processor during startup, to detect and authenticate the script, and to process the at least one command after the script is authenticated. Multiple commands may be defined including triggerless actions or trigger actions which are performed in response to a trigger event. A trigger event may be a hardware interaction, such as the pressing of a button.

Abstract: In some examples, a boot process of a computing device may be initiated. The computing device may include a plurality of hardware components. The process may select a component of the plurality of hardware components, read a firmware of the component, calculate a measurement (e.g., hash) of the firmware, and perform a comparison of the measurement with a pre-determined measurement stored in a table of approved firmware. The table may be stored in a basic input output system (BIOS) of the computing device. The process may determine, based on the comparison, that the measurement does not match the pre-determined measurement stored in the table, acquiring a new table from a server, verify an authenticity of the new table, determine that the measurement does not match a current measurement stored in the new table, and perform one or more remedial actions based on a policy.

Abstract: Systems and methods are provided that may be implemented to detect and optionally recover corrupted system configuration data written to non-volatile random access memory (NVRAM). The disclosed systems and methods may be implemented by writing a copy of the NVRAM data to volatile system memory (e.g., RAM) while the system is active. Error correction code (ECC) data may written to the NVRAM when the system enters a lower power state. When the system resumes from the low power state, the copy of data is made in system RAM from the NVRAM, and the ECC data is used to determine whether there are errors in NVRAM data, in which case the ECC data may be used to correct data in the copy on RAM before writing the corrected data to NVRAM from the system RAM.

Abstract: In some examples, a boot process of a computing device may be initiated. The computing device may include a plurality of hardware components. The process may select a component of the plurality of hardware components, read a firmware of the component, calculate a measurement (e.g., hash) of the firmware, and perform a comparison of the measurement with a pre-determined measurement stored in a table of approved firmware. The table may be stored in a basic input output system (BIOS) of the computing device. The process may determine, based on the comparison, that the measurement does not match the pre-determined measurement stored in the table, acquiring a new table from a server, verify an authenticity of the new table, determine that the measurement does not match a current measurement stored in the new table, and perform one or more remedial actions based on a policy.

Abstract: Systems and methods are provided that that may be implemented to detect and optionally recover corrupted data written to non-volatile random access memory (NVRAM), e.g., such as corrupted system configuration data (e.g., UEFI variables) stored in the NVRAM. The disclosed systems and methods may be implemented by writing a copy of the NVRAM data to volatile system memory (e.g., RAM) while the system is active, and satisfying requests to read data from the copy maintained in volatile RAM. Error correction code (ECC) data may written to the NVRAM when the system enters a lower power state. When the system resumes from the low power state, the copy of data is made in system RAM from the NVRAM, and the ECC data is used to determine whether there are errors in NVRAM data, in which case the ECC data may be used to correct data in the copy on RAM before writing the corrected data to NVRAM from the system RAM.

Abstract: Configuration options to be displayed at a basic input/output system (BIOS) setup interface of an information handling system are specified using a software application executed at the system. The configuration options are communicated to a software agent, and the software agent updates BIOS firmware based on the configuration option.

Abstract: In accordance with embodiments of the present disclosure, an article of manufacture may include a non-transitory computer readable medium and computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to receive software code for an executable file, receive a configuration file, output an executable file based on the software code and the configuration file, the executable file comprising one or more integrity windows of code embedded within the software code and not affecting operation of software code within the executable file, and output a map file setting forth metadata regarding the integrity windows.

Abstract: A BIOS delivery installation package includes a basic input/output system (BIOS) update payload including a BIOS image. The BIOS delivery installation package also includes a first hash corresponding to a portion of the BIOS image.

Abstract: In accordance with embodiments of the present disclosure, an article of manufacture may include a non-transitory computer readable medium and computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to receive software code for an executable file, receive a configuration file, output an executable file based on the software code and the configuration file, the executable file comprising one or more integrity windows of code embedded within the software code and not affecting operation of software code within the executable file, and output a map file setting forth metadata regarding the integrity windows.

Abstract: A BIOS delivery installation package includes a basic input/output system (BIOS) update payload including a BIOS image. The BIOS delivery installation package also includes a first hash corresponding to a portion of the BIOS image.

Abstract: Configuration options to be displayed at a basic input/output system (BIOS) setup interface of an information handling system are specified using a software application executed at the system. The configuration options are communicated to a software agent, and the software agent updates BIOS firmware based on the configuration option.