Patents by Inventor Mukund P. Khatri

Mukund P. Khatri has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11983276
    Abstract: A communication system personality provisioning system includes a communication system included in a computing system and coupled to a management system. The communication system stores authentication information in a UEFI database of a UEFI system in the communication system. The communication system receives a first operating software image and application/service from the management system, authenticates the first operating software image and application/service via first secure initialization operations performed by the UEFI system using the authentication information and, in response, installs the first operating software image and application/service on the communication system.
    Type: Grant
    Filed: October 27, 2022
    Date of Patent: May 14, 2024
    Assignee: Dell Products L.P.
    Inventors: Mukund P. Khatri, Jimmy D. Pike, Gaurav Chawla, William Price Dawkins, Elie Jreij, Mark Steven Sanders, Walter A. O'Brien, III, Robert W. Hormuth
  • Patent number: 11977640
    Abstract: Systems and methods are provided for validating components of an Information Handling System (IHS). During factory provisioning of the IHS, an owner certificate is stored that specifies an identity of a motherboard installed during manufacture of the IHS. The owner certificate is signed by a certificate authority of an owner of the IHS that retains capabilities for specifying the use of boot code provided by successive renters of the IHS. A renter certificate is also stored that specifies an identity of a chassis to which the motherboard is installed during manufacture of the IHS. Upon a transfer of control or ownership of the IHS, boot code operations by the security processor identify a motherboard and chassis in use by the IHS and utilize the motherboard and chassis certificates to validate that the identified motherboard and chassis are the same motherboard and chassis installed during manufacture of the IHS.
    Type: Grant
    Filed: July 12, 2021
    Date of Patent: May 7, 2024
    Assignee: Dell Products, L.P.
    Inventors: Mukund P. Khatri, Eugene David Cho
  • Patent number: 11977639
    Abstract: Embodiments of systems and methods for indicating a type of secure boot to endpoint devices by a security processor are described. In some embodiments, a security processor may include: a core and a memory coupled to the core, the memory having program instructions stored thereon that, upon execution by the core, cause the security processor to: identify a type of secure boot last performed to bootstrap an Information Handling System (IHS); and make an indication of the type of secure boot available to a host processor or Baseboard Management Controller (BMC) of the IHS.
    Type: Grant
    Filed: July 12, 2021
    Date of Patent: May 7, 2024
    Assignee: Dell Products, L.P.
    Inventors: Mukund P. Khatri, Eugene David Cho
  • Publication number: 20240143850
    Abstract: Techniques are provided for protecting devices having multi-port hardware components. One method comprises obtaining a configuration of a command from a user to an enabled state or a disabled state on a port (e.g., an in-band port or an out-of-band port) of a hardware component of a processing device; automatically sharing credentials of the user with a basic input/output system of the processing device using a secure channel, in response to the obtained configuration; and initiating processing of a given command from a user, associated with a particular port of the hardware component, responsive to an evaluation of the shared user credentials and the given command being in the enabled state on the particular port. Changes with respect to a current enabled state or a current disabled state of a given command may be locked or unlocked.
    Type: Application
    Filed: October 26, 2022
    Publication date: May 2, 2024
    Inventors: Mukund P. Khatri, Senthilkumar Ponnuswamy, Eugene David Cho
  • Publication number: 20240143769
    Abstract: Techniques are provided for identity-based verification of software code layers. One method comprises obtaining, by a current layer of software code executing on a security processor of a security sub-system, in connection with a boot of the security sub-system, an identity key of the current layer, wherein the identity key of the current layer is based on a value generated during a provisioning of the security sub-system, wherein the value is based on a firmware image of at least one layer of the software code; obtaining an encrypted secure boot public key of a next layer; decrypting the encrypted secure boot public key of the next layer using the obtained identity key of the current layer; verifying the next layer using the decrypted secure boot public key of the next layer; and executing the next layer based at least in part on a result of the verifying.
    Type: Application
    Filed: October 26, 2022
    Publication date: May 2, 2024
    Inventors: Mukund P. Khatri, Eugene David Cho, Milton Olavo Decarvalho Taveira
  • Publication number: 20240143708
    Abstract: Techniques are provided for dynamic transitioning among device security states based on server availability. One method comprises configuring a processing device to be in a first one of multiple security states, wherein the first security state comprises user authentication factors administered by one or more servers; transitioning the processing device to a different security state, in response to detecting a change in an availability status of a given one of the servers, wherein the different security state comprises a different user authentication factor administered by a different server than the given server; and initiating processing of a user request to perform a privileged action based on a result of an authentication performed using the different user authentication factor of the different security state. The first state and the different state may be associated with a different stage of a product lifecycle and/or with a different designated threat level.
    Type: Application
    Filed: October 26, 2022
    Publication date: May 2, 2024
    Inventors: Mukund P. Khatri, Senthilkumar Ponnuswamy, Eugene David Cho
  • Publication number: 20240143718
    Abstract: Techniques are provided for provisioning multiple platform root of trust (PRoT) entities using role-based identity certificates. One method comprises obtaining a designation of a PRoT entity of a hardware device as a PRoT leader associated with a leader role; recording the leader role as a role attribute in an identity certificate; and providing the identity certificate to the hardware device during a provisioning of the hardware device, wherein the given PRoT entity assumes the leader role of the hardware device and initiates security actions of the PRoT leader upon an initiation of the hardware device. Leader responsibilities can be assigned to the PRoT leader and the one or more leader responsibilities of the PRoT leader may be recorded as a leader responsibility attribute in the identity certificate.
    Type: Application
    Filed: October 26, 2022
    Publication date: May 2, 2024
    Inventors: Eugene David Cho, Mukund P. Khatri
  • Publication number: 20240146714
    Abstract: Techniques are provided for security key integrity verification using inventory certificates. One method comprises receiving a user request to perform an action; obtaining an inventory certificate associated with a device; extracting a security key identifier from a security key corresponding to the device; validating the security key by comparing the extracted security key identifier to a security key identifier in the inventory certificate; and authorizing a performance of the action based on a result of the comparison. A validity of the inventory certificate may be evaluated (e.g., by evaluating a signature associated with the inventory certificate). The inventory certificate may be stored in a secure memory of the device prior to a delivery of the device to a purchaser of the device.
    Type: Application
    Filed: October 26, 2022
    Publication date: May 2, 2024
    Inventors: Mukund P. Khatri, Senthilkumar Ponnuswamy, Marshal F. Savage, Eugene David Cho
  • Publication number: 20240095009
    Abstract: An information handling system includes a protected memory that stores identifiers of locked down devices. The system receives a firmware update package for a device within the information handling system. The firmware update package includes a firmware update for the device. The system determines whether an identifier for the device is located within protected memory. If the identifier for the device is located within the protected memory, then the system prevents the firmware update for the device.
    Type: Application
    Filed: September 15, 2022
    Publication date: March 21, 2024
    Inventors: Mukund P. Khatri, William C. Munger
  • Patent number: 11928639
    Abstract: Embodiments provide methods for validating secure delivery of an IHS (Information Handling System) by confirming that the packages by which the IHS was delivered include only the packages used to ship the IHS from a factory or other trusted entity. During factory provisioning of the IHS, a shipping certificate is uploaded to the IHS, where the certificate includes shipping identifiers that are each associated with a package used to ship the IHS. Upon receiving packages by which the IHS has been shipped, shipping identifiers, such as bar codes and RFID codes, are collected from the received packages. The shipping identifiers collected from the received packages are compared against the shipping identifiers from the shipping certificate in order to validate the plurality of received packages as the same packages that were used to ship the IHS.
    Type: Grant
    Filed: December 30, 2020
    Date of Patent: March 12, 2024
    Inventors: Jason Matthew Young, Marshal F. Savage, Mukund P. Khatri
  • Patent number: 11928515
    Abstract: A system for providing computer implemented services using information handling systems includes persistent storage and a system control processor manager. The system control processor manager instantiates composed information handling systems using the information handling systems; monitors, using system control processors of the composed information handling systems, operation of the composed information handling systems to obtain operation information; makes a determination, based on the operation information, that the computing implemented services provided by the composed information handling systems are substandard; and in response to the determination: manages operation of the composed information handling systems to provide standards compliant computer implemented services by modifying a composition of at least one of the composed information handling systems using a system control processor of the system control processors.
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: March 12, 2024
    Assignee: Dell Products L.P.
    Inventors: William Price Dawkins, Mark Steven Sanders, Jimmy Doyle Pike, Elie Antoun Jreij, Robert Wayne Hormuth, Walter A. O'Brien, III, Mukund P. Khatri, Gaurav Chawla, Yossef Saad
  • Patent number: 11907373
    Abstract: Systems and procedures are provided for validating an IHS (Information Handling System) as operating using only factory-provisioned firmware. During factory provisioning of the IHS, a signed inventory certificate is uploaded to the IHS that includes an inventory identifying firmware for use in the operation of the IHS. Upon delivery and initialization of the IHS, the inventory certificate is retrieved by a pre-boot validation process. An inventory of firmware used by hardware components of the IHS is then collected. The validation process compares the collected inventory of firmware against the inventory of factory-provisioned firmware from the inventory certificate in order to validate the IHS is operating using only factory-provisioned firmware. A validation failure is signaled when the comparison indicates that a hardware component is not operating using the factory-provisioned firmware specified in the inventory certificate.
    Type: Grant
    Filed: October 22, 2021
    Date of Patent: February 20, 2024
    Assignee: Dell Products, L.P.
    Inventors: Marshal F. Savage, Mukund P. Khatri, Jason Matthew Young
  • Patent number: 11907386
    Abstract: A platform root-of-trust system includes a System Control Processor (SCP) subsystem coupled to a central processing subsystem, a BIOS subsystem, and an I/O device. In response to an initialization instruction, the SCP subsystem begins initialization operations prior to the beginning of initialization operations for the central processing subsystem, the BIOS subsystem, and the I/O device. As part of SCP initialization operations, the SCP subsystem validates SCP subsystem initialization information to provide validated SCP subsystem initialization information, and uses the validated SCP subsystem initialization information to complete the SCP initialization operations.
    Type: Grant
    Filed: September 22, 2020
    Date of Patent: February 20, 2024
    Assignee: Dell Products L.P.
    Inventors: Mukund P. Khatri, Robert W. Hormuth, Jimmy D. Pike, Gaurav Chawla, William Price Dawkins, Elie Jreij, Mark Steven Sanders, Walter A. O'Brien, III
  • Publication number: 20240037501
    Abstract: Various embodiments provide methods for validating hardware modifications of an IHS (Information Handling System) by confirming that a hardware modification corresponds to a hardware component supplied for installation in the IHS by a trusted entity. During factory provisioning of an IHS, an inventory certificate that specifies the factory installed IHS hardware is uploaded to the IHS and is also stored for ongoing support of the IHS. Upon a hardware component being supplied for installation in the IHS by a trusted entity, the inventory of the stored inventory certificate is updated to identify the supplied component and the updated certificate is transmitted to the IHS. An inventory of detected hardware components of the IHS is compared against the inventory from the updated inventory certificate in order to validate the detected hardware of the IHS includes the component, supplied by the trusted entity, that is identified in the updated inventory certificate.
    Type: Application
    Filed: October 2, 2023
    Publication date: February 1, 2024
    Applicant: Dell Products, L.P.
    Inventors: Jason Matthew Young, Marshal F. Savage, Mukund P. Khatri
  • Publication number: 20240028730
    Abstract: An information handling system includes multiple components including a first component. The first component includes a protected memory and a basic input/output system (BIOS). The protected memory stores a revoked versions list. The BIOS initializes a firmware update for a firmware image having a firmware version. The BIOS scans the revoked versions list for the firmware version of the firmware image. In response to the firmware version not being located within the revoked versions list, the BIOS completes the firmware update, and determines whether a revoked firmware version is included in the firmware update. In response to the revoked firmware version being included in the firmware update, the BIOS adds an entry in the revoked versions list. The entry is associated with the revoked firmware version included in the firmware update.
    Type: Application
    Filed: July 21, 2022
    Publication date: January 25, 2024
    Inventors: William C. Munger, Mukund P. Khatri
  • Publication number: 20240031171
    Abstract: Systems and methods for securing Accounts of Last Resort (ALRs) are described. In an illustrative, non-limiting embodiment, an IHS may include a processor and a memory coupled to the processor, the memory having program instructions that, upon execution, cause the IHS to receive a credential from one of a plurality of users to log onto an ALR, where the credential is shared among the plurality of users, and log the user onto the ALR in response to verification of a signed digital certificate provided by the user.
    Type: Application
    Filed: July 20, 2022
    Publication date: January 25, 2024
    Applicant: Dell Products, L.P.
    Inventors: Mukund P. Khatri, Senthil Ponnuswamy, Eugene David Cho
  • Publication number: 20240031173
    Abstract: Systems and methods for factory management of regional cryptographic algorithms in an Information Handling System (IHS) are described. In an embodiment, an IHS may include: a host processor; a security processor coupled to the host processor; and a memory coupled to the security processor, the memory having program instructions stored thereon that, upon execution, cause the security processor to: generate a Cryptographic Algorithm Identity (CAI) key pair comprising a CAI public key and a CAI private key; issue a CAI Certificate Signing Request (CSR) to a factory IHS, where the CAI CSR comprises the CAI public key; receive a signed CAI certificate from the factory IHS, where the signed CAI certificate is usable to activate a selected set of regional cryptographic algorithms among a superset of regional cryptographic algorithms stored, during manufacturing of the IHS, in a firmware of the security processor; and store the signed CAI certificate.
    Type: Application
    Filed: July 20, 2022
    Publication date: January 25, 2024
    Applicant: Dell Products, L.P.
    Inventors: Mukund P. Khatri, Eugene David Cho, Milton Olavo Decarvalho Taveira
  • Publication number: 20240004447
    Abstract: Embodiments of systems and methods for power throttling of High Performance Computing (HPC) components are described. In some embodiments, an HPC platform may include: a system Baseboard Management Controller (BMC), and an accelerator tray comprising a tray BMC coupled to a plurality of managed subsystems and to the system BMC, where the system BMC is configured to: in response to a power excursion event, instruct the tray BMC to throttle a first managed subsystem by a first amount and to throttle a second managed subsystem by a second amount.
    Type: Application
    Filed: September 18, 2023
    Publication date: January 4, 2024
    Applicant: Dell Products, L.P.
    Inventors: Akkiah Choudary Maddukuri, Timothy M. Lambert, Elie Antoun Jreij, Bhavesh Govindbhai Patel, Mukund P. Khatri
  • Patent number: 11863691
    Abstract: Systems and procedures are provided for validating an IHS (Information Handling System) as operating using only factory-provisioned lockable devices. During factory provisioning of the IHS, a signed inventory certificate is uploaded to the IHS that includes an inventory of factory-provisioned lockable devices and also includes encrypted code(s) for accessing the lockable devices. Upon delivery and initialization of the IHS, the inventory certificate is retrieved by a pre-boot validation process. An inventory of detected lockable devices of the IHS is then collected. The validation process compares the collected inventory of detected lockable devices against the inventory of factory-provisioned lockable devices from the inventory certificate in order to validate the IHS is operating using only factory-provisioned lockable devices.
    Type: Grant
    Filed: October 22, 2021
    Date of Patent: January 2, 2024
    Assignee: Dell Products, L.P.
    Inventors: Marshal F. Savage, Mukund P. Khatri, Jason Matthew Young
  • Patent number: RE49781
    Abstract: A method of reducing execution jitter includes a processor having several cores and control logic that receives core configuration parameters. Control logic determines if a first set of cores are selected to be disabled. If none of the cores is selected to be disabled, the control logic determines if a second set of cores is selected to be jitter controlled. If the second set of cores is selected to be jitter controlled, the second set of cores is set to a first operating state. If the first set of cores is selected to be disabled, the control logic determines a second operating state for a third set of enabled cores. The control logic determines if the third set of enabled cores is jitter controlled, and if the third set of enabled cores is jitter controlled, the control logic sets the third set of enabled cores to the second operating state.
    Type: Grant
    Filed: March 12, 2020
    Date of Patent: January 2, 2024
    Assignee: Dell Products, L.P.
    Inventors: Michael Karl Molloy, Mukund P. Khatri, Robert Wayne Hormuth