Abstract: Example implementations relate a system and method for storing configuration files of a host computing device in a secure storage of a Baseboard Management Controller (BMC). The secure storage includes configuration files associated with the host computing device. The BMC is communicatively connected to the host computing device using a communication link. The secure storage is emulated as a storage device to the host computing device. The BMC monitors the secure storage to detect changes in the configuration files. When there is a change in a configuration file, the BMC performs a security action in the host computing device.

Abstract: A management controller of a computer platform, determines whether an ownership history of management firmware for the management controller represents multiple owners. The management controller includes a set of one-time programmable elements that represent a first secret. The management controller manages use of the first secret based on the ownership history. The management includes, responsive to determining, by the management controller, that the ownership history represents multiple owners, generating, by the management controller, a second secret to replace the first secret. The management further includes, responsive to determining, by the management controller, that the ownership history represents multiple owners, storing, by the management controller, the second secret in a non-volatile memory and generating, by the management controller, cryptographic keys based on the second secret.

Abstract: An apparatus includes a host and a baseboard management controller. The baseboard management controller includes a semiconductor package; and the semiconductor package includes a memory, a security hardware processor; and a main hardware processor. The main hardware processor causes the baseboard management controller to serve as an agent that, independently from the host, responds to communications with a remote management entity to manage the host. The security hardware processor manages the storage of a secret of the host in the memory.

Abstract: Examples described herein relate to configuring access to management interface of a storage system. Examples may obtain network adapter information of the host devices coupled to the storage system using credentials of a management controller of the host devices. Examples may create an allow-list or deny-list containing the network adapter information of the host devices. Examples may allow or deny connections to the management interface from the host devices based on the allow-list or deny-list. Examples may allow dynamic updating of the allow-list and deny-list based on a change in a network adapter of the host device.

Abstract: Examples disclosed herein relate to security dominion of a computing device. A management controller of the computing device can access a physical owner token pertaining to a physical owner of the computing device. The management controller can access a security dominion owner token pertaining to a security dominion owner of the computing device. The security dominion owner token tracks accountability for a security feature of the computing device. A security dominion owner associated with the security dominion owner token is initially set to a first entity.

Abstract: Examples disclosed herein relate to a computing device that includes a central processing unit, a management controller separate from the central processing unit, and a security co-processor. The management controller is powered using an auxiliary power rail that provides power to the management controller while the computing device is in an auxiliary power state. The security co-processor includes device unique data. The management controller receives the device unique data and stores a representation at a secure location. At a later time, the management controller receives endorsement information from an expected location of the security co-processor. The management controller determines whether to perform an action on the computing device based on an analysis of the endorsement information and the stored representation of the device unique data.

Abstract: Example implementations relate to a method and system for provisioning an identity certificate for a BMC of a platform. Based on the certificate signing request (CSR) received from the BMC, a certificate authority (CA) associated with the platform manufacturer may verify the identity of the security processor and private key of BMC. A cryptographic audit session log between a provisioning service of the platform and the security coprocessor of the platform is received along with the CSR at the CA implemented in a cloud system. The CA verifies the signature on the received cryptographic audit session log. After verification, validation tools at the cloud system determine a first time and second time associated with the security coprocessor. When the difference between the first time and the second time is below an expected time of cryptographic communication, the CSR is considered as a valid request and an identity certificate for the BMC is generated and transmitted to the platform.

Abstract: A method for assembling a computing device including initiating a board management controller of the computing device, the board management controller having at least one fuse, forming data to control a video display operatively connected to the computing device to show an image of a watermark, and modifying the computing device. The method also includes blowing the at least one fuse in response to modifying the computing device and adjusting the watermark in response to blowing the at least one fuse.

Abstract: Example implementations relate to a method and system for provisioning an identity certificate for a BMC of a platform. Based on the certificate signing request (CSR) received from the BMC, a certificate authority (CA) associated with the platform manufacturer may verify the identity of the security processor and private key of BMC. A cryptographic audit session log between a provisioning service of the platform and the security coprocessor of the platform is received along with the CSR at the CA implemented in a cloud system. The CA verifies the signature on the received cryptographic audit session log. After verification, validation tools at the cloud system determine a first time and second time associated with the security coprocessor. When the difference between the first time and the second time is below an expected time of cryptographic communication, the CSR is considered as a valid request and an identity certificate for the BMC is generated and transmitted to the platform.

Abstract: A method for assembling a computing device including initiating a board management controller of the computing device, the board management controller having at least one fuse, forming data to control a video display operatively connected to the computing device to show an image of a watermark, and modifying the computing device. The method also includes blowing the at least one fuse in response to modifying the computing device and adjusting the watermark in response to blowing the at least one fuse.

Abstract: In some examples, a scanner that is to verify a device includes a scanner input/output (I/O) interface to physically and communicatively connect to a device I/O interface of the device. The scanner includes a processor to send an input through the scanner I/O interface to the device, receive, at the scanner I/O interface, an output responsive to the input from the device, the output comprising a cryptographic value based on a cryptographic operation applied on data of the input, and determine whether the device is an authorized device based on the received output.

Abstract: A technique includes a baseboard management controller receiving, from a requestor, a request for a security function to be performed, where the request is directed to a physical security device other than the baseboard management controller. The technique includes, the baseboard management controller responding to the request to emulate a response to the security device to the request.

Abstract: Examples disclosed herein relate to determining malware using firmware of a computing device. Firmware can be used to determine that an indication is present that malware is present on the computing device. The firmware can be executed to perform a security action in response to the indication that malware is present on the computing device.

Abstract: In some examples, a system for determining whether an operating system fault has occurred includes data storage and a processing system. The data storage may store image data indicative of a computing system display output. The processing system may access the stored image data. The processing system may determine that the computing system display output corresponds to a fault display output associated with a fault state of an operating system, which determination may include the processing system determining an extent of similarity between the accessed image data and a reference image associated with the fault display output. The processing system may generate a fault indication responsive to determining that the computing system display output corresponds to the fault display output.

Abstract: An example computing system in accordance with an aspect of the present disclosure includes a first controller and a second controller. The first controller is to verify integrity of a first root of trust (ROT), and generate an integrity signal indicating the results. The second controller is to verify integrity of a second ROT, write the firmware image to the first controller, and verify integrity of the written firmware image.

Abstract: Example implementations relate to a server including a platform controller hub (PCH), where the PCH includes a peripheral device manager, a management processor coupled to the peripheral device manager, and a peripheral device interface to couple with a peripheral device and provide out of band access of the peripheral device via the management processor and peripheral device manager to a memory of the server.

Abstract: Examples disclosed herein relate to determining malware using firmware of a computing device. Firmware can be used to determine that an indication is present that malware is present on the computing device. The firmware can be executed to perform a security action in response to the indication that malware is present on the computing device.

Abstract: In some examples, a system for determining whether an operating system fault has occurred includes data storage and a processing system. The data storage may store image data indicative of a computing system display output. The processing system may access the stored image data. The processing system may determine that the computing system display output corresponds to a fault display output associated with a fault state of an operating system, which determination may include the processing system determining an extent of similarity between the accessed image data and a reference image associated with the fault display output. The processing system may generate a fault indication responsive to determining that the computing system display output corresponds to the fault display output.

Abstract: An example computing system in accordance with an aspect of the present disclosure includes a first controller and a second controller. The first controller is to verify integrity of a first root of trust (ROT), and generate an integrity signal indicating the results. The second controller is to verify integrity of a second ROT, write the firmware image to the first controller, and verify integrity of the written firmware image.

Abstract: Example implementations relate to a server including a platform controller hub (PCH), where the PCH includes a peripheral device manager, a management processor coupled to the peripheral device manager, and a peripheral device interface to couple with a peripheral device and provide out of band access of the peripheral device via the management processor and peripheral device manager to a memory of the server.