Patents by Inventor Gang Lian

Gang Lian has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230058046
    Abstract: An apparatus is configured to protect the privacy of shared objects by loading a shared object into a user memory of a rich execution environment. The shared object has an encrypted segment and metadata. A request for decryption is sent to a trusted execution environment and the encrypted segment is decrypted based on the metadata and a predetermined platform key to produce a decrypted segment. The decrypted segment is written into the shared object. A request to lock the shared object is sent and a memory occupied by the shared object is locked or set to execute only. The lock of the memory region occupied by the decrypted shared object maps the memory region to be non-readable and non-writable to applications executing at a first privilege level and to the operating system kernel executing at a second privilege level.
    Type: Application
    Filed: January 29, 2020
    Publication date: February 23, 2023
    Inventors: Sampo Sovio, Qiming Li, Gang Lian, Kui Wang, Santeri Salko, Vladimir Ushakov
  • Patent number: 11374766
    Abstract: A device with key attestation features comprises an operating system stored in its memory, the operating system comprising a secure environment including a trusted application, and two or more device certificates, each associated with a device key pair, stored in the memory of the device. The trusted application is configured to handle key pair generation requests and key pair attestation requests to read an indication of a preferred device certificate. An attestation certificate that is generated in response to the key pair attestation request is then signed using one of the two or more device certificates with its associated device key pair based on the indication of a preferred device certificate.
    Type: Grant
    Filed: August 11, 2017
    Date of Patent: June 28, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Pekka Laitinen, Qiming Li, Sampo Sovio, Gang Lian, Zhihua Shan
  • Patent number: 11283626
    Abstract: An apparatus including a processor and a memory, where the processor and the memory are configured to provide a secure execution environment and the memory stores a hardware unique key and a class key. The processor is configured to recover, in the secure execution environment, a certificate signing key based on the class key, where the certificate signing key is associated with a certificate authority. The processor is further configured to derive a device key pair based on the hardware unique key, where the device key pair includes a device public key and a device private key, and generate a device certificate based on the device public key and the certificate signing key. The generated device certificate is configured to be validated based on a public key associated with the certificate authority.
    Type: Grant
    Filed: September 6, 2016
    Date of Patent: March 22, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Gang Lian, Sampo Sovio, Taisheng Deng, Xiaopu Wang, Zongbo Ye
  • Publication number: 20200374112
    Abstract: In a method for secure provisioning of data to a client device, a non-trusted manufacturing facility is equipped with a secure server device to establish a secure data provisioning channel from the secure server device to trusted hardware in client devices without the secure server device and the client devices needing to have a shared secret.
    Type: Application
    Filed: December 1, 2017
    Publication date: November 26, 2020
    Inventors: Sampo Sovio, Qiming Li, Pekka Laitinen, Gang Lian, Meilun Xie, Xiwen Fang, Zhihua Shan
  • Publication number: 20200186357
    Abstract: A device with key attestation features comprises an operating system stored in its memory, the operating system comprising a secure environment including a trusted application, and two or more device certificates, each associated with a device key pair, stored in the memory of the device. The trusted application is configured to handle key pair generation requests and key pair attestation requests to read an indication of a preferred device certificate. An attestation certificate that is generated in response to the key pair attestation request is then signed using one of the two or more device certificates with its associated device key pair based on the indication of a preferred device certificate.
    Type: Application
    Filed: August 11, 2017
    Publication date: June 11, 2020
    Inventors: Pekka Laitinen, Qiming Li, Sampo Sovio, Gang Lian, Zhihua Shan
  • Publication number: 20190238342
    Abstract: An apparatus including a processor and a memory, where the processor and the memory are configured to provide a secure execution environment and the memory stores a hardware unique key and a class key. The processor is configured to recover, in the secure execution environment, a certificate signing key based on the class key, where the certificate signing key is associated with a certificate authority. The processor is further configured to derive a device key pair based on the hardware unique key, where the device key pair includes a device public key and a device private key, and generate a device certificate based on the device public key and the certificate signing key. The generated device certificate is configured to be validated based on a public key associated with the certificate authority.
    Type: Application
    Filed: September 6, 2016
    Publication date: August 1, 2019
    Inventors: Gang Lian, Sampo Sovio, Taisheng Deng, Xiaopu Wang, Zongbo Ye