Patents by Inventor Adrian Shaw

Adrian Shaw has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12524260
    Abstract: A security verification system may acquire first authorization information, wherein the first authorization information defines an access right to store data in a trusted platform module (TPM) of the computing device. A system may generate an index of an allocated memory location of the TPM and second authorization information using the first authorization information, wherein the second authorization information defines an access right associated with the index. A system may receive a request from a hypervisor to initiate a virtual machine. A system may transmit the second authorization information to the hypervisor. A system may store an initial state of the virtual machine at the index using the second authorization information.
    Type: Grant
    Filed: February 28, 2023
    Date of Patent: January 13, 2026
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Adrian Shaw
  • Publication number: 20250200199
    Abstract: In an example, a computing device is described. The computing device comprises a component to perform a cryptographic operation and store an indication of a measured state of the computing device obtained during booting of the computing device. The computing device further comprises a processor to obtain a secret for use by the component, install an administration credential in a firmware of the computing device and transmit the secret to the component via the firmware.
    Type: Application
    Filed: April 12, 2022
    Publication date: June 19, 2025
    Applicant: Hewlett-Packard Development Company, L.P.
    Inventors: Joshua Serratelli Schiffman, Adrian Shaw, Jeffrey Kevin Jeansonne
  • Publication number: 20240289155
    Abstract: A security verification system may acquire first authorization information, wherein the first authorization information defines an access right to store data in a trusted platform module (TPM) of the computing device. A system may generate an index of an allocated memory location of the TPM and second authorization information using the first authorization information, wherein the second authorization information defines an access right associated with the index. A system may receive a request from a hypervisor to initiate a virtual machine. A system may transmit the second authorization information to the hypervisor. A system may store an initial state of the virtual machine at the index using the second authorization information.
    Type: Application
    Filed: February 28, 2023
    Publication date: August 29, 2024
    Applicant: Hewlett-Packard Development Company, L.P.
    Inventor: Adrian Shaw
  • Publication number: 20240097913
    Abstract: In an example, a computing device is described. The computing device comprises a communication interface and a processor. The processor is to determine whether a signature, produced by a signer, is derived from a free state under a stateful signature scheme. The free state is a state that has not been used as an input to generate a signing key. The signature is encrypted by the signer. The processor is further to, in response to determining that the signature is derived from a free state, decrypt the encrypted signature. The processor is further to transmit the decrypted signature to a recipient via the communication interface.
    Type: Application
    Filed: August 21, 2023
    Publication date: March 21, 2024
    Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
    Inventors: Thalia May Laing, Maugan Villatel, Adrian Shaw, Adrian John Baldwin, Pierre Belgarric
  • Patent number: 11757717
    Abstract: Examples relate to verifying network elements. In one example, a computing device may: receive, from a client device, a request for attestation of a back-end network, the request including back-end configuration requirements; obtain, from a network controller that controls the back-end network, a controller configuration that specifies each network element included in the back-end network; provide each network element included in the back-end network with a request for attestation of a network element configuration of the network element; receive, from each network element, response data that specifies the network element configuration of the network element; verify that the response data received from each network element meets the back-end configuration requirements included in the request for attestation of the back-end network; and provide the client device with data verifying that the back-end network meets the back-end configuration requirements.
    Type: Grant
    Filed: November 28, 2014
    Date of Patent: September 12, 2023
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Adrian Shaw, Chris I. Dalton
  • Patent number: 10896267
    Abstract: Examples relate to Input/Output (I/O) data encryption and decryption. In an example, an encryption/decryption engine on an Integrated Circuit (IC) of a computing device obtains at least one plaintext data. Some examples determine, by the encryption/decryption engine, whether the at least one plaintext data is to be sent to a memory in the computing device or to an I/O device. Some examples apply, when the at least one plaintext data is to be sent to the I/O device and by the encryption/decryption engine, an encryption primitive of a block cipher encryption algorithm to the at least one plaintext data to create output encrypted data, wherein an initialization vector that comprises a random number is applied to the encryption primitive.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: January 19, 2021
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Geoffrey Ndu, Pratyusa K Manadhata, Christopher L. Dalton, Adrian Shaw, Stuart Haber
  • Patent number: 10528752
    Abstract: Example implementations relate to non-volatile storage of management data. In example implementations, a system is disclosed, the system including a plurality of computing devices, a management device, and a non-volatile memory including a plurality of management spaces corresponding to the plurality of computing devices. In example implementations, at least one of the plurality of management spaces is to be accessible by the management device and by the corresponding computing device, be inaccessible by computing devices other than the corresponding computing device, and store management data associated with the corresponding computing device.
    Type: Grant
    Filed: August 13, 2014
    Date of Patent: January 7, 2020
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Dejan S. Milojicic, Chris I. Dalton, Zhikui Wang, Chandrasekar Venkatraman, Adrian Shaw
  • Patent number: 10425282
    Abstract: A computing device having instructions that when executed by a processor may: receive, from a verifier, a request for attestation of a current network configuration of the computing device; identify network configuration rules, each network configuration rule specifying an action to be taken by the computing device in response to receiving a particular type of network traffic; generate, for each network configuration rule, a rule abstraction that represents the network configuration rule; provide data representing each rule abstraction to a trusted component; receive, from the trusted component, response data comprising i) data representing each rule abstraction, and ii) a digital signature; and provide the response data to the verifier as attestation proof of the current network configuration of the computing device.
    Type: Grant
    Filed: November 28, 2014
    Date of Patent: September 24, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Adrian Shaw, Chris I. Dalton
  • Patent number: 10310990
    Abstract: In one example in accordance with the present disclosure, a method may include retrieving, at a memory management unit (MMU), encrypted data from a memory via direct memory access and determining, at the MMU, a peripheral that is the intended recipient of the encrypted data. The method may also include accessing an application key used for transmission between an application and the peripheral, wherein the application key originates from the application and decrypting, at the MMU, the encrypted data using the application key and transmitting the decrypted data to the peripheral.
    Type: Grant
    Filed: June 24, 2016
    Date of Patent: June 4, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Adrian Shaw, Geoffrey Ndu, Fraser John Dickin
  • Patent number: 10248814
    Abstract: In one example in accordance with the present disclosure, a system comprises a first memory module and a first memory integrity monitoring processor, embedded to the first memory module, to receive a second hash corresponding to a second memory module. The second hash includes a second sequence number for reconstruction of a final hash value and the second hash is not sequentially a first number in a sequence for reconstruction of the final hash value. The first processor may receive a third hash corresponding to a third memory module. The third hash includes a third sequence number for reconstruction of the final hash value and the third hash is received after the second hash. The first processor may determine if the second hash can be combined with the third hash, combine the second hash and third hash into a partial hash, and reconstruct the final hash value using the partial hash.
    Type: Grant
    Filed: January 25, 2017
    Date of Patent: April 2, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Geoffrey Ndu, Adrian Shaw, Brian Quentin Monahan
  • Patent number: 10242195
    Abstract: Examples described herein include a computing device with a processing resource to execute beginning booting instructions of the computing device. The beginning booting instructions may include a first booting instruction. The computing device also includes an access line to access the first booting instruction, a measuring engine to duplicate the first booting instruction and to generate a first integrity value associated with the first booting instruction, and a measurement register to store the first integrity value. The measuring engine may be operationally screened from the processing resource and the measurement register may be inaccessible to the processing resource.
    Type: Grant
    Filed: July 22, 2016
    Date of Patent: March 26, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Thomas M. Laffey, Adrian Shaw
  • Publication number: 20180365451
    Abstract: Examples relate to Input/Output (I/O) data encryption and decryption. In an example, an encryption/decryption engine on an Integrated Circuit (IC) of a computing device obtains at least one plaintext data. Some examples determine, by the encryption/decryption engine, whether the at least one plaintext data is to be sent to a memory in the computing device or to an I/O device. Some examples apply, when the at least one plaintext data is to be sent to the I/O device and by the encryption/decryption engine, an encryption primitive of a block cipher encryption algorithm to the at least one plaintext data to create output encrypted data, wherein an initialization vector that comprises a random number is applied to the encryption primitive.
    Type: Application
    Filed: January 31, 2017
    Publication date: December 20, 2018
    Inventors: Geoffrey Ndu, Pratyusa K. Manadhata, Christopher I. Dalton, Adrian Shaw, Stuart Haber
  • Publication number: 20180211064
    Abstract: In one example in accordance with the present disclosure, a system comprises a first memory module and a first memory integrity monitoring processor, embedded to the first memory module, to receive a second hash corresponding to a second memory module. The second hash includes a second sequence number for reconstruction of a final hash value and the second hash is not sequentially a first number in a sequence for reconstruction of the final hash value. The first processor may receive a third hash corresponding to a third memory module. The third hash includes a third sequence number for reconstruction of the final hash value and the third hash is received after the second hash. The first processor may determine if the second hash can be combined with the third hash, combine the second hash and third hash into a partial hash, and reconstruct the final hash value using the partial hash.
    Type: Application
    Filed: January 25, 2017
    Publication date: July 26, 2018
    Inventors: Geoffrey Ndu, Adrian Shaw, Brian Quentin Monahan
  • Publication number: 20180183609
    Abstract: Examples relate to a network endpoint device of a first network infrastructure that facilitates remote attestation of the network endpoint device. In some examples, the network endpoint device comprises a trusted platform module and a processor that implements machine readable instructions that cause the network endpoint device to: receive a connection request from a computing device residing in a second network infrastructure external to the first network infrastructure, the request comprising a security challenge; determine, based on a configuration of the network endpoint device, whether it can access information stored in the trusted platform module; and responsive to determining that information in the trusted platform module can be accessed, facilitate connection of the computing device to the network endpoint device by accessing the information and responding to the security challenge.
    Type: Application
    Filed: June 5, 2015
    Publication date: June 28, 2018
    Inventors: Adrian Shaw, Ludovic Emmanuel Paul N. Jacquin, David Plaquin
  • Publication number: 20180107509
    Abstract: An example method for migrating a live operating system from a first computing device to a second computing device is provided. The example method comprises (a) providing register values of a processor of a first computing device to a second computing device which is in communication with the first computing device; (b) providing contents of a dynamic random access memory, DRAM, of the first computing device to the second computing device; (c) storing the register values in a protected memory of the second computing device, wherein the protected memory is separate from a memory used by the second computing device during normal operation of the second computing device; (d) storing the contents of the DRAM of the first computing device in a DRAM of the second computing device; and (e) loading the register values from the protected memory to registers of a processor of the second computing device.
    Type: Application
    Filed: July 31, 2015
    Publication date: April 19, 2018
    Inventors: Adrian Shaw, Kate Mallichan, David Plaquin
  • Publication number: 20180025159
    Abstract: Examples described herein include a computing device with a processing resource to execute beginning booting instructions of the computing device. The beginning booting instructions may include a first booting instruction. The computing device also includes an access line to access the first booting instruction, a measuring engine to duplicate the first booting instruction and to generate a first integrity value associated with the first booting instruction, and a measurement register to store the first integrity value. The measuring engine may be operationally screened from the processing resource and the measurement register may be inaccessible to the processing resource.
    Type: Application
    Filed: July 22, 2016
    Publication date: January 25, 2018
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Thomas M. Laffey, Adrian Shaw
  • Publication number: 20170371808
    Abstract: In one example in accordance with the present disclosure, a method may include retrieving, at a memory management unit (MMU), encrypted data from a memory via direct memory access and determining, at the MMU, a peripheral that is the intended recipient of the encrypted data. The method may also include accessing an application key used for transmission between an application and the peripheral, wherein the application key originates from the application and decrypting, at the MMU, the encrypted data using the application key and transmitting the decrypted data to the peripheral.
    Type: Application
    Filed: June 24, 2016
    Publication date: December 28, 2017
    Inventors: Adrian Shaw, Geoffrey Ndu, Fraser John Dickin
  • Publication number: 20170300349
    Abstract: Techniques for storing hypervisor messages in a network packet are described. In one aspect, a hypervisor of a computing device obtains a network packet generated by a virtual machine. The hypervisor may then identify available space within the network packet that can store data relating to a hypervisor message. The hypervisor may then store the hypervisor message in the available space within the network packet. The hypervisor may cause a physical network interface controller to transmit the network packet to a destination device through a network path that includes a message logging device.
    Type: Application
    Filed: September 26, 2014
    Publication date: October 19, 2017
    Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY LP
    Inventors: Adrian Shaw, Chris I Dalton
  • Publication number: 20170228555
    Abstract: Example implementations relate to non-volatile storage of management data. In example implementations, a system is disclosed, the system including a plurality of computing devices, a management device, and a non-volatile memory including a plurality of management spaces corresponding to the plurality of computing devices. In example implementations, at least one of the plurality of management spaces is to be accessible by the management device and by the corresponding computing device, be inaccessible by computing devices other than the corresponding computing device, and store management data associated with the corresponding computing device.
    Type: Application
    Filed: August 13, 2014
    Publication date: August 10, 2017
    Inventors: Dejan S. Milojicic, Chris I. Dalton, Zhikui Wang, Chandrasekar Venkatraman, Adrian Shaw
  • Publication number: 20170230245
    Abstract: Examples relate to verifying network elements. In one example, a computing device may: receive, from a client device, a request for attestation of a back-end network, the request including back-end configuration requirements; obtain, from a network controller that controls the back-end network, a controller configuration that specifies each network element included in the back-end network; provide each network element included in the back-end network with a request for attestation of a network element configuration of the network element; receive, from each network element, response data that specifies the network element configuration of the network element; verify that the response data received from each network element meets the back-end configuration requirements included in the request for attestation of the back-end network; and provide the client device with data verifying that the back-end network meets the back-end configuration requirements.
    Type: Application
    Filed: November 28, 2014
    Publication date: August 10, 2017
    Inventors: Ludovic Emmanuel Paul Noel JACQUIN, Adrian SHAW, Chris I. DALTON