Patents by Inventor Petri Mikael Johansson
Petri Mikael Johansson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11595813
Abstract: There is presented mechanisms for profile handling of a communications device (300). A method is performed by a local profile assistant (200a) of a proxy device (200). The method comprises obtaining an indication of handling a profile of the communications device (300). The method comprises establishing a first secure communications link with a local profile assistant of the communications device. The method comprises establishing a second secure communications link with a subscription management entity (430) of the communications device. The method comprises receiving information pertaining to handling of the profile by the local profile assistant of the communications device, the information being received from the subscription management entity over the second secure communications link. The method comprises providing the information to the local profile assistant of the communications device over the first secure communications link.
Type: Grant
Filed: January 29, 2018
Date of Patent: February 28, 2023
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Petri Mikael Johansson, Per Ståhl
-
Patent number: 11523261
Abstract: There is provided mechanisms for handling subscription profiles for a set of wireless devices. A method is performed by an MNO entity. The method includes obtaining a single request for handling subscription profiles for the set of wireless devices. The method includes performing, with a profile provisioning server, a preparation procedure for the set of wireless devices wherein a common batch profile handling parameter for the set of wireless devices is created, and whereby the set of wireless devices are associated with at least one matching identifier for tracking actions relating to the handling of the subscription profiles at the MNO entity and the profile provisioning server.
Type: Grant
Filed: August 17, 2018
Date of Patent: December 6, 2022
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Petri Mikael Johansson, Per Ståhl, Abu Shohel Ahmed, Mia Meinander
-
Patent number: 11323259
Abstract: A method performed by a virtual trusted platform module, vTPM on an execution platform, comprises the steps of obtaining (S11) encrypted information (encvTPMContext) and a first identifier (Salt), both associated with a virtual machine, VM to be executed; retrieving (S14), using the identifier from a trusted launch authority, TLA, at least a first secret portion (SlaKeystart), the first secret portion (SlaKeystart) being dynamically linked to the VM and dependant on at least a property of the VM; and decrypting (S16) the encrypted information (encvTPMContext) with a decryption key (EncKeystart) derived from at least the first secret portion (SlaKeystart) and a first measurement result (VmDigeststart) of at least the VM.
Type: Grant
Filed: September 22, 2016
Date of Patent: May 3, 2022
Assignee: Telefonaktiebolaget LM Ericsson (Publ)
Inventors: Alexander Maximov, Petri Mikael Johansson, Bernard Smeets
-
Patent number: 11316670
Abstract: There is provided mechanisms for enabling secure communication between a first communications device and a second communications device. A method is performed by the first communications device. The method comprises performing a network attachment procedure with an authentication server. The method comprises establishing, during the network attachment procedure, a shared secret between the first communications device and the authentication server. The shared secret is established by running an authentication and key agreement protocol as part of the network attachment procedure with a network access identity of the first communications device as input. The method comprises deriving an application level shared key for the first communications device from the shared secret. The shared key is to be used for secure communication between the first communications device and the second communications device.
Type: Grant
Filed: July 3, 2017
Date of Patent: April 26, 2022
Assignee: Telefonaktiebolaget LM Ericsson (Publ)
Inventors: Per Stahl, Patrik Ekdahl, Petri Mikael Johansson, Bernard Smeets
-
Publication number: 20210385635
Abstract: There is provided mechanisms for handling subscription profiles for a set of wireless devices. A method is performed by an MNO entity. The method includes obtaining a single request for handling subscription profiles for the set of wireless devices. The method includes performing, with a profile provisioning server, a preparation procedure for the set of wireless devices wherein a common batch profile handling parameter for the set of wireless devices is created, and whereby the set of wireless devices are associated with at least one matching identifier for tracking actions relating to the handling of the subscription profiles at the MNO entity and the profile provisioning server.
Type: Application
Filed: August 17, 2018
Publication date: December 9, 2021
Inventors: Petri Mikael JOHANSSON, Per STÅHL, Abu Shohel AHMED, Mia MEINANDER
-
Publication number: 20200403780
Abstract: There is provided mechanisms for enabling secure communication between a first communications device and a second communications device. A method is performed by the first communications device. The method comprises performing a network attachment procedure with an authentication server. The method comprises establishing, during the network attachment procedure, a shared secret between the first communications device and the authentication server. The shared secret is established by running an authentication and key agreement protocol as part of the network attachment procedure with a network access identity of the first communications device as input. The method comprises deriving an application level shared key for the first communications device from the shared secret. The shared key is to be used for secure communication between the first communications device and the second communications device.
Type: Application
Filed: July 3, 2017
Publication date: December 24, 2020
Inventors: Per Ståhl, Patrik Ekdahl, Petri Mikael Johansson, Bernard Smeets
-
Publication number: 20200351656
Abstract: There is presented mechanisms for profile handling of a communications device (300). A method is performed by a local profile assistant (200a) of a proxy device (200). The method comprises obtaining an indication of handling a profile of the communications device (300). The method comprises establishing a first secure communications link with a local profile assistant of the communications device. The method comprises establishing a second secure communications link with a subscription management entity (430) of the communications device. The method comprises receiving information pertaining to handling of the profile by the local profile assistant of the communications device, the information being received from the subscription management entity over the second secure communications link. The method comprises providing the information to the local profile assistant of the communications device over the first secure communications link.
Type: Application
Filed: January 29, 2018
Publication date: November 5, 2020
Inventors: Petri Mikael JOHANSSON, Per STÅHL
-
Publication number: 20190207764
Abstract: A method performed by a virtual trusted platform module, vTPM on an execution platform, comprises the steps of obtaining (S11) encrypted information (encvTPMContext) and a first identifier (Salt), both associated with a virtual machine, VM to be executed; retrieving (S14), using the identifier from a trusted launch authority, TLA, at least a first secret portion (SlaKeystart), the first secret portion (SlaKeystart) being dynamically linked to the VM and dependant on at least a property of the VM; and decrypting (S16) the encrypted information (encvTPMContext) with a decryption key (EncKeystart) derived from at least the first secret portion (SlaKeystart) and a first measurement result (VmDigeststart) of at least the VM.
Type: Application
Filed: September 22, 2016
Publication date: July 4, 2019
Inventors: Alexander Maximov, Petri Mikael Johansson, Bernard Smeets
-
Publication number: 20170272247
Abstract: There is provided mechanisms for verifying setup of encryption of a block of data. The method is performed by a client node. A method comprises obtaining an indication to encrypt the block of data. The method comprises providing a first message to a compute node indicating a setup request of a block storage volume, V, to be encrypted, wherein the first message comprises a nonce, N. The method comprises obtaining a second message from the compute node, wherein the second message comprises the nonce, N, and provides validation that a key management node has taken part in setup of the encryption of the block of data and a cryptographic measurement of the compute node, including evidence that the compute node is in a trusted state according to the key management node. There is also provided such a client node. There is further provided a compute node and a method performed by the compute node. There is further provided a key management node and a method performed by the key management node.
Type: Application
Filed: November 20, 2015
Publication date: September 21, 2017
Inventors: Petri Mikael JOHANSSON, Lina Charlotta PALSSON
-
Patent number: 8060748
Abstract: Methods and apparatus for verifying that an electronic device has been disabled are disclosed. An exemplary electronic device includes a communications interface, a secure memory, storing a secret key, and a cryptographic circuit configured to calculate a verification token from the secret key, using a first cryptographic operation. The cryptographic circuit is further configured to calculate an identification token from the verification token, using a second cryptographic operation. The cryptographic circuit is further configured to output the identification token in response to a first command received via the communications interface. The verification token is output to the communications interface only if a predetermined functionality of the electronic device has been disabled. The electronic device may further comprise a disabling circuit configured to disable the predetermined functionality in response to a disable command.
Type: Grant
Filed: December 21, 2007
Date of Patent: November 15, 2011
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Petri Mikael Johansson, Per Ståhl
-
Publication number: 20090164800
Abstract: Methods and apparatus for verifying that an electronic device has been disabled are disclosed. An exemplary electronic device includes a communications interface, a secure memory, storing a secret key, and a cryptographic circuit configured to calculate a verification token from the secret key, using a first cryptographic operation. The cryptographic circuit is further configured to calculate an identification token from the verification token, using a second cryptographic operation. The cryptographic circuit is further configured to output the identification token in response to a first command received via the communications interface. The verification token is output to the communications interface only if a predetermined functionality of the electronic device has been disabled. The electronic device may further comprise a disabling circuit configured to disable the predetermined functionality in response to a disable command.
Type: Application
Filed: December 21, 2007
Publication date: June 25, 2009
Inventors: Petri Mikael Johansson, Per Stahl