Abstract: An exemplary apparatus includes one or more processors; memory; circuitry configured to hash a value associated with core root of trust measurement code and system management code; store the hash in a secure register; load an operating system; validate a certificate associated with the core root of trust measurement code and validate a certificate associated with the system management code; based on the validated certificates, provide an expected hash associated with the core root of trust measurement code and the system management code; decide if the expected hash matches the hash stored in the register; and, if the expected hash matches the hash stored in the register, commence a dynamic root of trust measurement session. Various other apparatuses, systems, methods, etc., are also disclosed.

Abstract: Systems, methods and products are described that provide secure boot with a minimum number of re-boots. One aspect provides a method including receiving an indication to boot from a power off state at a computing device; responsive to authenticating a user at one or more input devices, releasing a value derived from authenticating the user at the one or more input devices; responsive to releasing the value, unlocking one or more encrypted drives with a previously established alternate credential; and thereafter proceeding to boot from the power off state. By not having to call the non-BIOS software each boot, this minimizes the number of reboots for each boot cycle.

Abstract: Systems, methods and products are described that provide secure resume for encrypted drives. One aspect provides a method including: receiving an indication to resume from a suspended state at a computing device; responsive to authenticating a user at one or more input devices, accessing a value in a BIOS derived from authenticating the user at the one or more input devices; responsive to accessing the value, releasing a credential for unlocking one or more encrypted drives; and thereafter proceeding to resume from the suspend state.

Abstract: The invention broadly contemplates a security solution for storage devices that is inexpensive and robust. The invention allows a store of system specific data to be used to release the hard disk key of full-disk encryption (FDE) drives. This system specific data is passed to the FDE drives and used to calculate the actual encryption key. This allows for safe disposal of an FDE drive containing confidential data, as the lack of available system specific decryption data makes decryption virtually impossible.

Abstract: Hypervisors are a new technology in the industry that enable multiple Operating Systems to co-exist on a single client. The use of a hypervisor provides a novel approach to thermal fan control. The hypervisor is able to fire up a maintenance Operating System on demand or have it running from the powering of the computer. The maintenance Operating System continuously monitors the status of the user Operating System and determines if the system is within the desired fan noise profile by measuring noise levels using means well known in the art. If the system seems to be drifting out of the desired profile, the maintenance Operating System will determine what type of action is required and choose the most appropriate course of action. These actions can be performed by either the maintenance Operating System or the hypervisor, as appropriate.

Abstract: In a system with a main memory, a network adapter, and a display, a transaction security module in communication with the network adapter. The transaction security module acts to: establish a secure identification item with an entity which positively identifies the entity; accept an application OS of the entity; and initiate a guest OS with the entity; the network adapter acting to connect with the entity subsequent to initiation of a guest OS; and the display acting to display the secure identification item subsequent to connection with the entity.

Abstract: The employment of a process of applying user-defined defaults to a management engine or analogous arrangement, wherein a system BIOS calls or recalls such defaults, as needed, from NVRAM responsive to the need for a reset of defaults.

Abstract: Arrangements which permit the employment of dedicated user-access management architecture with more than text-based access. Particularly contemplated herein are arrangements for accepting user identifiers that are then communicated to an intermediate user-delineating architecture (i.e., architecture configured for permitting access to encrypted data or sections of a computer on a user-specific basis) in a manner to permit the user-delineating architecture to perform its own task of unlocking data or sections of a computer.

Abstract: A method for controlling file access on computer systems is disclosed. Initially, a virtual machine manager (VMM) is provided in a computer system. In response to a write request, the VMM determines whether or not a location field is valid. If the location field is not valid, then the VMM writes the write request information to a storage device; but if the location field is valid, then the VMM encrypts the write request information before writing the write request information to the storage device. In response to a read request, the VMM again determines whether or not a location field is valid. If the location field is not valid, then the VMM sends the read request information to a read requester; but, if the location field is valid, then the VMM decrypts the read request information before sending the read request information to the read requester.

Abstract: Methods and arrangements for facilitating and streamlining patch management in “road warrior” and analogous contexts. Particularly, there are broadly contemplated herein, in accordance with at least one presently preferred embodiment of the present invention, methods and arrangements for facilitating determinations of suitable times for enabling system updates and/or downloads.

Abstract: An exemplary method includes transmitting, via a network interface, at least a currency amount in an attempt to confirm a financial transaction; responsive to the transmitting, receiving a confirmation indicator for the financial transaction; storing at least the currency amount in non-volatile memory; hashing at least the currency amount to generate a hash and storing the hash in a secure non-volatile memory; hashing at least the currency amount stored in the non-volatile memory to generate a verification hash; and in an attempt to verify at least the financial transaction, comparing the verification hash to the hash stored in the secure non-volatile memory. Various other apparatuses, systems, methods, etc., are also disclosed.

Abstract: An exemplary apparatus includes one or more processors; memory; circuitry configured to hash a value associated with core root of trust measurement code and system management code; store the hash in a secure register; load an operating system; validate a certificate associated with the core root of trust measurement code and validate a certificate associated with the system management code; based on the validated certificates, provide an expected hash associated with the core root of trust measurement code and the system management code; decide if the expected hash matches the hash stored in the register; and, if the expected hash matches the hash stored in the register, commence a dynamic root of trust measurement session. Various other apparatuses, systems, methods, etc., are also disclosed.

Abstract: Embodiments of the invention implement one or more power management policies on one or more devices in order intelligently to manage the finite amount of battery power available while maximizing synchronization between connected devices.

Abstract: A method, computer program product and system for enabling a client device in a client device/data center environment to resume from sleep state more quickly. The resource in the server blade used for suspending the activity of the computing state of the client device in order to enter the client device in a sleep state is not reallocated for a period of time. If the client device indicates to the server blade to resume the client device from sleep state prior to the ending of that period of time, then the server blade reinitializes the computing state using the same resource as used in suspending the computing state of the client device. By using the same resource, steps traditionally implemented in resuming the client device from sleep state are avoided thereby reducing the time in resuming the client device from sleep state.

Abstract: A mobile device, such as a laptop or notebook computer, capable of booting from at least two environments. If a remote environment is present, the mobile device may boot from the remote environment. The mobile device may also boot from the local environment.

Abstract: A method for providing a secure single sign-on to a computer system is disclosed. Pre-boot passwords are initially stored in a secure storage area of a smart card. The operating system password, which has been encrypted to a blob, is stored in a non-secure area of the smart card. After the smart card has been inserted in a computer system, a user is prompted for a Personal Identification Number (PIN) of the smart card. In response to a correct smart card PIN entry, the blob stored in the non-secure storage area of the smart card is decrypted to provide the operating system password, and the operating system password along with the pre-boot passwords stored in the secure storage area of the smart card are then utilized to log on to the computer system.

Abstract: A method for preventing unauthorized modifications to a rental computer system is disclosed. During boot up of the rental computer system, a determination is made whether or not a time-day card is bound to the rental computer system. If the time-day card is bound to the rental computer system, another determination is made whether or not a time/date value on the time-day card is less than a secure time/date value stored in a secure storage location during the most recent power down. If the time/date value on the time-day card is not less than the secure time/date value, yet another determination is made whether or not the secure time/date value is less than an end time/date rental value. If the secure time/date value is less than the end time/date rental value, the rental computer system continues to boot.

Abstract: A method for protecting Security Accounts Manager (SAM) files within a Windows® operating system is disclosed. A SAM file encryption key is generated by encrypting a SAM file via a syskey utility provided within the Windows® operating system. The SAM file encryption key is then stored in a virtual floppy disk by selecting an option to store SAM file encryption key to a floppy disk under the syskey utility. A blob is generated by performing a Trusted Platform Module (TPM) Seal command against the SAM file encryption key along with a value stored in a Performance Control Register and a TPM Storage Root Key. The blob is stored in a non-volatile storage area of a computer.

Abstract: The invention broadly contemplates a security solution for storage devices that is inexpensive and robust. The invention allows a store of system specific data to be used to release the hard disk key of full-disk encryption (FDE) drives. This system specific data is passed to the FDE drives and used to calculate the actual encryption key. This allows for safe disposal of an FDE drive containing confidential data, as the lack of available system specific decryption data makes decryption virtually impossible.

Abstract: Executable files are extended with a file signature containing a header containing validation data. This header may be added to an existing executable and linking format (ELF) header, added as a new section, or placed in a file's extended attribute store. The header contains results of all previous validation checks that have been performed. The file signature is inserted, with a date stamp, into the file attributes. On execution, the system checks the previously-created file signature against a current file signature, instead of creating the file signature for every file during the execution process. Checks to ensure that the file signature is secure, and is valid and up to date, are also implemented. Only if the file signature is not valid and up-to-date does the execution program create a new file signature at the time of execution.