Abstract: A method and system are disclosed for placing a computer in a safe and secure lock down state from a remote location using a remote command device such as a cellular telephone. The method and system includes optional security provisions before restarting the computer.

Abstract: A method and apparatus are disclosed for sharing an integrity security module in a dual-environment computing device. The apparatus include an integrity security module, one or more processors, a detection module and a regeneration module. The one or more processors may have access to the integrity security module and may operate in two distinct operating environments of a dual-environment computing device. The detection module may detect, during an initialization sequence, a power state transition of an operating environment of the dual-environment computing device. The regeneration module may regenerate one or more integrity values from a stored integrity metric log in response to detecting the power state transition of the operating environment of the dual-environment computing device.

Abstract: An apparatus, system, and method are disclosed for securely authorizing changes to a transaction restriction. A security module securely stores encryption keys for a payment instrument. The payment instrument electronically transacts payments and includes a transaction restriction. An authentication module receives an authentication from a user of the payment instrument. The security module validates the authentication with a first encryption key. In addition, the security module authorizes a change to the transaction restriction using a second encryption key if the authentication is valid. The security module resides on a computer that the user designates as authorized to validate the authentication.

Abstract: Apparatus, systems, and methods provide digital voice call redirection. A configuration module associates a phone number with a first identifier of a first voice terminal device and a second identifier of a second voice terminal device provided by an address module. A location module determines whether the first device is within a predefined proximity to the second device, such as by detecting connectivity between the devices, over a personal area network (“PAN”). A routing module redirects a digital voice call to a call module of the first device using the first identifier when the first device is not within the predefined proximity to the second device. Otherwise the routing module directs the call to a call module of the second device using the second identifier.

Abstract: A system, method, and program product is provided that establishes a shared secret between a computer system and a peripheral device such as a removable nonvolatile storage device or a printer. After establishing the shared secret, the peripheral device is locked. After the peripheral device is locked, an unlock request is received and the shared secret is sent to the peripheral device. The peripheral device then attempts to verify the shared secret. If the shared secret is successfully verified, then the peripheral device is unlocked allowing use of the device by using an encryption key that is made available by the verified shared secret. On the other hand, if the shared secret is not verified, then the peripheral device remains locked and use of the device is prevented.

Abstract: A method computer usable medium and computer system circuitry are disclosed for starting or “booting up” a computer from a remote location using a remote command device such as a cellular telephone. The method and system includes a secure means for remotely storing and transmitting security passwords.

Abstract: An approach is provided that receives a user identifier from a user of the information handling system. The user identifier can include a username as well as a user authentication code, such as a password. Hardware settings that correspond to the user identifier are retrieved from a nonvolatile memory. Hardware devices, such as ports (e.g., USB controller), network interfaces, storage devices, and boot sequences, are configured using the retrieved hardware settings. After the hardware devices have been configured to correspond to the identified user, an operating system is booted.

Abstract: An Internet appliance has added hardware and software functionality to allow communication where a dialing action request is authorization is verified using a personal identification means (PIM). A user first selects a communication access number by requesting a dialing action on a actual or a virtual keypad or by clicking a “hot spot” on a Web page. Selecting an access number (e.g., dialing of a telephone number), alerts the user of the Internet appliance of the selection process whether the user instigates or the selection is attempted from a remote device using the Internet appliance facilities. Either method will trigger software commands that prompt the user to enter a PIM either to authorize his own use or another one's use of the Internet appliance. The PIM may comprise, but is not limited to, keying in a personal identification number (PIN), a biometric identification, or a smart card stored number.

Abstract: A method and system for ensuring security-compliant creation and signing of endorsement keys of manufactured TPMs. The endorsement keys are generated for the TPM. The TPM vendor selects an N-byte secret and stores the N-byte secret in the TPM along with the endorsement keys. The secret number cannot be read outside of the TPM. The secret number is also provided to the OEM's credential server. During the endorsement key (EK) credential process, the TPM generates an endorsement key, which comprises both the public key and a hash of the secret and the public key. The credential server matches the hash within the endorsement key with a second hash of the received public key (from the endorsement key) and the vendor provided secret. The EK certificate is generated and inserted into the TPM only when a match is confirmed.

Abstract: An apparatus, system, and method are disclosed for authentication of a core root of trust measurement chain. The apparatus for authentication of a CRTM chain is provided with a plurality of modules configured to carry out the steps of retrieving a decryption key from a predetermined location on the device selected for authentication, decrypting an authentication signal using the decryption key, and communicating the decrypted authentication signal to a user. In the described embodiments, these modules include a retrieval module, a decryption module, and a communication module. Beneficially, such an apparatus, system, and method would reliably verify that a link in the CRTM chain has not been corrupted, modified, or infected with a computer virus. Specifically, such an apparatus, system, and method would enable verification that the hypervisor has not been corrupted, modified, or infected with a computer virus.

Abstract: An apparatus, system, and method are disclosed for pre-boot policy modification. A key module exchanges a key with a server in a secure environment. A communication module receives a policy encoded with the key. A decode module decodes the encoded policy using the key and saves the policy setting prior to booting an operating system on the computer. An update module boots the computer using the policy.

Abstract: A system, method, and program product is provided that initializes a counter maintained in a nonvolatile memory of a security module to an initialization value. The security module receives requests for a secret from requesters. The security module releases the secret to the requesters and the released secrets are stored in memory areas allocated to the requesters. A counter is incremented when the secret is released. Requestors send notifications to the security module indicating that the requestor has removed the secret from the requestor's memory area. The security module decrements the counter each time a notification is received. When the computer system is rebooted, if the counter is not at the initialization value, the system memory is scrubbed erasing any secrets that remain in memory.

Abstract: A system, method, and program for managing a user key used to sign a message for a data processing system having an encryption chip are disclosed. A user is assigned a user key. In order to encrypt and send messages to a recipient(s), the messages are encrypted with the user key. The user key, in turn, is encrypted with an associated key. The associated key is further encrypted using an encryption chip key stored on the encryption chip. The encrypted messages are communicated to a recipient to validate an association of the user with the encrypted messages. The associated key is decrypted with the encryption chip key. The user key is decrypted with the associated key, and the messages are decrypted with the user key. Thereafter, validation of the association of messages with the user is removed by revoking the associated key. In a preferred embodiment, encryption resources are centralized in a server system having the encryption chip.

Abstract: A method, apparatus, and system are disclosed of forward caching for a managed client. A storage module stores a software image on a storage device of a backend server. The backend server provides virtual disk storage on the storage device through a first intermediate network point for a plurality of diskless data processing devices. Each diskless data processing device communicates directly with the first intermediate network point. The storage module caches an image instance of the software image at the first intermediate network point. A tracking module detects an update to the software image on the storage device. The storage module copies the updated software image to the first intermediate network point as an updated image instance.

Abstract: An apparatus, system, and method are disclosed for computer system power management. A control module 602 is activated on a computer 200 in response to an event and enters 818 a standby state if the computer 200 is not already 814 in the standby state. A policy module 604 detects 904 a power source of a predetermined type connected to the computer 200 and dictates 908 one or more processors 302 of higher power consumption for a more abundant type of power source such as an AC adapter 314, or one or more processors 304 of lower power consumption for a less abundant type of power source such as a battery 318. A configuration module 606, activated by the control module 602, switches 1004 the computer 200 to one or more processors 302 and 304 of a predetermined power consumption as dictated and exits 1016 the standby state.

Abstract: An apparatus, system, and method are disclosed for granting hypervisor privileges. An installation module installs a monitor hypervisor wherein only the monitor hypervisor is granted the hypervisor privileges by the computer. An authentication module authenticates a second hypervisor. An eviction module evicts the monitor hypervisor if the second hypervisor is authenticated. The installation module further installs the second hypervisor after the monitor hypervisor is evicted so that only the second hypervisor is granted hypervisor privileges by the computer.

Abstract: A system, method, and program product is provided that has a virtualized environment provided by a hypervisor. In the virtualized environment, one or more guest operating systems operate simultaneously with a privileged operating system. One of the guest operating systems identifies a device software update, such as a device driver or firmware update, corresponding to a hardware device that is attached to the computer system. The hypervisor is used to notify the privileged operating system of the device software update. When the privileged operating system is notified of the update, the privileged operating system uses one or more techniques to deny the guest operating systems access to the device. The privileged operating system then updates the device software update. After the device software update has been applied, the privileged operating system resumes access between the guest operating systems and the hardware device.

Abstract: A system, method, and program product is provided that uses environments to control access to encryption keys. A request for an encryption key and an environment identifier is received. If the encryption key is not associated with the environment identifier, the request is denied. If they are associated, the system receives user-supplied environment authentication data items from a user. Examples of environment authentication data include passwords, user identifiers, user biometric data (e.g., fingerprint scan, etc.), smart cards, and the like. The system retrieves stored environment authentication data items from a secure (e.g., encrypted) storage location. The retrieved stored environment authentication data items correspond to the environment identifier that was received. The received environment authentication data items are authenticated using the retrieved stored environment authentication data items.

Abstract: An apparatus, system, and method are disclosed for quiescing a boot environment. A reservation module reserves a portion of a first storage device. A store module stores an update boot image to the reserved portion. A detection module detects the update boot image stored on the first storage device when the computer boots and executes the update boot image in place of a standard boot image in response to detecting the update boot image. The update boot image places a computer in a known quiescent state.

Abstract: A system, method, and program product is provided that executes a start sequence of an information handling system that includes a hardware based TPM. Multiple PCRs are stored in the TPM and are initialized to a predetermined state when the start sequence commences. During execution of the start sequence, software modules, including a hypervisor, are loaded the system's memory. PCR values resulting from the loading of the software modules are calculated. The resulting PCR values are compared with expected PCR values. If the PCR values match the expected PCR values, then a virtual environment is created under the hypervisor. The virtual environment includes a VM and a virtual trust platform module (vTPM) that is used by the virtual machine to satisfy the virtual machines TPM requests.