Abstract: A computer-implemented method of operating a device is provided. The method comprises operating a sensor to capture a data input, individuating an element of the data input, tagging an individuated element with metadata, matching the metadata with an associated permission set, and applying a restricting function defined in the associated permission set to the individuated element during a process flow to produce augmented reality output data restricted as required by the associated permission set. A device is also provided, comprising a sensor, an individuating component to individuate an element of sensor data from the sensor, a tagging component to tag the individuated element, a matching component to match a tag of the individuated element with a permission of a permission set, and a restricting function component to restrict an application's interaction with the individuated element.

Abstract: Aspects of the present disclosure relate to an apparatus comprising TEE circuitry configured to maintain a list of trusted devices, and interface circuitry to provide communication between the TEE of the apparatus and TEE circuitry of a device communicatively coupled to the apparatus. The TEE circuitry of the apparatus is configured to perform, with the TEE circuitry of the device, a remote attestation in respect of the TEE circuitry of the device. Responsive to a positive outcome of the remote attestation, the device is added to the list of trusted devices. The TEE of the apparatus receives, from the TEE circuitry of the device, an indication of one or more further devices which are trusted by the device, and adds said one or more further devices to the list of trusted devices.

Abstract: Briefly, example methods, apparatuses, and/or articles of manufacture are disclosed that may be implemented, in whole or in part, using one or more processing devices to facilitate and/or support participation in computing activities by multiple parties having limited mutual trust. In one embodiment, computation may occur in a secure processing environment (SPE) while one or more untrusted parties reside outside of the SPE.

Abstract: Aspects of the present disclosure relate to an apparatus comprising first interface circuitry to communicate with relying party circuitry, the first interface circuitry being configured to receive, from the relying party circuitry, an attestation request in respect of a processing operation requested by attester circuitry to be performed by the relying party circuitry; second interface circuitry to communicate with the attester circuitry, the second interface circuitry being configured to: transmit the attestation request to the attester circuitry; and receive, from the attester circuitry, evidence data associated with the processing operation, and third interface circuitry to communicate with verifier circuitry, the third interface circuitry being configured to: transmit the evidence data to the verifier circuitry; and receive, from the verifier circuitry, attestation result data indicative of a verification of the evidence data, wherein the first interface circuitry is configured to transmit the attestation

Abstract: A device is provisioned and authorized for use on a network. The device may generate a cryptographic key and provide a digital certificate the cryptographic key, a hardware identifier, and attribute information and provide such information to an authorization host as part of the provisioning process. The authorization host may use attribute information to determine whether to authorize the device for use on the network, and whether the generated cryptographic key should be trusted for use on the network.

Abstract: Aspects of the present disclosure relate to an apparatus comprising secure enclave circuitry and document owner circuitry. The document owner circuitry is configured to determine a document to be shared, generate a plurality of share data units, transmit each share data unit of the plurality of share data units to a corresponding shareholder device, and provision the secure enclave circuitry with data indicative of the document to be shared. The secure enclave circuitry is configured to receive putative share data units from at least one of the corresponding shareholder devices, determine whether the received putative share data units satisfy a sharing policy, and responsive to the received putative share data units satisfying the sharing policy and based on the data indicative of the document to be shared, provide the document to be shared to said at least one of the corresponding shareholder devices.

Abstract: There is provided a data processing system and method. The system includes challenge circuitry for issuing a challenge to a service device and for receiving a response to the challenge. Forwarding circuitry forwards at least part of the response to a selected one of a plurality of attestation systems and receives a success indication from the selected one of the plurality of attestation systems regarding whether the service device has been attested by the selected one of the plurality of attestation systems. Request circuitry receives a request to provide an attestation of the service device, and to provide the attestation in dependence on the success indication.

Abstract: Aspects of the present disclosure relate to an apparatus comprising first interface circuitry to communicate with relying party circuitry, the first interface circuitry being configured to receive, from the relying party circuitry, an attestation request in respect of a processing operation requested by attester circuitry to be performed by the relying party circuitry; second interface circuitry to communicate with the attester circuitry, the second interface circuitry being configured to: transmit the attestation request to the attester circuitry; and receive, from the attester circuitry, evidence data associated with the processing operation, and third interface circuitry to communicate with verifier circuitry, the third interface circuitry being configured to: transmit the evidence data to the verifier circuitry; and receive, from the verifier circuitry, attestation result data indicative of a verification of the evidence data, wherein the first interface circuitry is configured to transmit the attestation

Abstract: An apparatus comprises memory storage circuitry comprising a plurality of memory storage locations to store data; an interface to receive an address from a requester; decryption circuitry to obtain a decrypted address by decrypting, based on a decryption key, an address received from the requester; and access control circuitry to select, based on the decrypted address obtained by the decryption circuitry, a memory storage location of the memory storage circuitry to be accessed.

Abstract: An apparatus comprises memory storage circuitry comprising a plurality of memory storage locations to store data; an interface to receive an address from a requester; decryption circuitry to obtain a decrypted address by decrypting, based on a decryption key, an address received from the requester; and access control circuitry to select, based on the decrypted address obtained by the decryption circuitry, a memory storage location of the memory storage circuitry to be accessed.

Abstract: Briefly, example methods, apparatuses, and/or articles of manufacture are disclosed that may be implemented, in whole or in part, using one or more processing devices to facilitate and/or support participation in computing activities by multiple parties having limited mutual trust. In one embodiment, computation may occur in a secure processing environment (SPE) while one or more untrusted parties reside outside of the SPE.

Abstract: A device is provisioned and authorized for use on a network. The device may generate a cryptographic key and provide a digital certificate the cryptographic key, a hardware identifier, and attribute information and provide such information to an authorization host as part of the provisioning process. The authorization host may use attribute information to determine whether to authorize the device for use on the network, and whether the generated cryptographic key should be trusted for use on the network.

Abstract: A device is provisioned and authorized for use on a network. The device may be required to generate a cryptographic key and provide a digital certificate the cryptographic key, a hardware identifier, and attribute information to an authorization host as part of the provisioning process. The authorization host may use attribute information to determine whether to authorize the device for use on the network, and whether the generated cryptographic key should be trusted for use on the network.

Abstract: A multi-tenant trusted platform module (MTTPM) is attached to a communication bus of a virtualization host. The MTTPM includes a plurality of per-guest-virtual-machine (per-GVM) memory location sets. In response to an indication of a first trusted computing request (TCR) associated with a first GVM of a plurality of GVMs instantiated at the virtualization host, a first memory location of a first per-GVM memory location set is accessed to generate a first response indicative of a configuration of the first GVM. In response to an indication of a second TCR associated with a second GVM, a second memory location of a second-per-GVM memory location set is accessed to generate a second response, wherein the second response is indicative of a different configuration of the second GVM.

Abstract: A computing device has a processor and a first memory, e.g., a fuse-based memory, storing a first cryptographic key. The processor is configured to receive information related to a second cryptographic key from a cryptographic key provisioning system. The processor derives the second cryptographic key from the information related to a second cryptographic key. The first cryptographic key has fewer bits than the second cryptographic key. The processor is also configured to encrypt the second cryptographic key using the first cryptographic key, and store the encrypted second cryptographic key in a second memory, e.g., a flash memory.

Abstract: A computing device includes a processor and a persistent memory for storing information about a first public key associated with a first asymmetric key pair for authenticating the source of a digital certificate. The computing device also includes a second memory for storing one or more current key version indicators. Each of the current key version indicators is associated with a corresponding secondary public key, and the one or more current key version indicators are used by the processor to determine the trust of the corresponding secondary public key.

Abstract: A computing device includes a processor and a persistent memory for storing information about a first public key associated with a first asymmetric key pair for authenticating the source of a digital certificate. The computing device also includes a second memory for storing one or more current certificate version indicators, each associated with a corresponding digital certificate, and the version indicator is used by the processor to determine the trust of the corresponding digital certificate.

Abstract: In a cloud environment, each host computer can have its own security service processor with an independent network interface for communicating with a remote server over a network. The security service processor can provide remote management and security functionalities for various devices connected using different buses on a platform in each host computer. The security service processor can provide a centralized mechanism to verify and authenticate firmware updates for various devices using different buses. A hardware interface can allow the security service processor to provide remote debugging and diagnostic capabilities. The security service processor can also provide some of the typical functionalities of a baseboard management controller or can be used in addition to the baseboard management controller.

Abstract: A computing device has a processor and a persistent memory, e.g., a fuse-based memory, storing two or more reduced sets of information. The processor is configured to derive a first cryptographic key using a first reduced set of information, e.g., prime numbers, and to use the first cryptographic key for performing cryptographic operations. The processor is also configured to detect a trigger event and, in response to the detected trigger event, derive a second cryptographic key using a second reduced set of information. The processor can then use the second cryptographic key for performing cryptographic operations.

Abstract: The performing of virtual machine (VM)-based secure operations is enabled using a trusted co-processor that is able to operate in a secure mode to perform operations in a multi-tenant environment that are protected from other VMs and DOM-0, among other domains and components. A customer VM can contact a VM manager (VMM) to perform an operation with respect to sensitive data. The VMM can trigger secure mode operation, whereby memory pages are marked and access blocked to entities outside a trusted enclave. The trusted co-processer can measure the VMM and compare the result against an earlier result to ensure that the VMM has not been compromised. Once the operations are performed, the trusted co-processor can return the results, and the VMM can exit the secure mode such that access to the marked pages and customer data is restored.