Abstract: Apparatuses, systems, and techniques are presented to configure computing resources to perform various tasks. In at least one embodiment, an approach presented herein can be used to verify whether a network of computing nodes is properly configured based, at least in part, on one or more expected data strings generated by the network of computing nodes.

Abstract: A computer system includes a volatile memory and at least one processor. The volatile memory includes a protected storage segment (PSS) configured to store firmware-authentication program code for authenticating firmware of the computer system. The at least one processor is configured to receive a trigger to switch to a given version of the firmware, to obtain, in response to the trigger, a privilege to access the PSS, to authenticate the given version of the firmware by executing the firmware-authentication program code from the PSS, to switch to the given version of the firmware upon successfully authenticating the given version, and to take an alternative action upon failing to authenticate the given version.

Abstract: The technology disclosed herein enables an auxiliary device to run a service that can access and analyze data of a Trusted Execution Environment (TEE). The auxiliary device may establish an auxiliary TEE in the auxiliary device and establish a trusted communication link between the auxiliary TEE and the TEE (i.e., primary TEE). The primary TEE may execute a target program using the primary devices of a host device (e.g., CPU) and the auxiliary TEE may execute a security program using the auxiliary device (e.g., DPU). In one example, the primary and auxiliary TEEs may be established for a cloud consumer and the auxiliary TEE may execute a security service that can monitor data of the primary TEE even though the data is inaccessible to all other software executing external to the primary TEE (e.g., inaccessible to host operating system and hypervisor).

Abstract: The technology disclosed herein enables a Trusted Execution Environment (TEE) to be extended to an auxiliary device that handles persistently storing data in a security enhanced manner. Extending the trusted computing base to the auxiliary device may involve establishing an auxiliary TEE in the auxiliary device and a trusted communication link between the primary and auxiliary TEEs. The primary TEE may include the computing resources of the primary devices (e.g., CPU and host memory) and the auxiliary TEE may include the computing resources of the auxiliary devices (e.g., hardware accelerators and auxiliary memory). The trusted communication link may enable the auxiliary TEE to access data of the primary TEE that is otherwise inaccessible to all software executing external to the primary TEE (e.g., host operating system and hypervisor). The auxiliary device may use the auxiliary TEE to process the data to avoid compromising the security enhancements provided by the primary TEE.

Abstract: A computer system includes a volatile memory and at least one processor. The volatile memory includes a protected storage segment (PSS) configured to store firmware-authentication program code for authenticating firmware of the computer system. The at least one processor is configured to receive a trigger to switch to a given version of the firmware, to obtain, in response to the trigger, a privilege to access the PSS, to authenticate the given version of the firmware by executing the firmware-authentication program code from the PSS, to switch to the given version of the firmware upon successfully authenticating the given version, and to take an alternative action upon failing to authenticate the given version.

Abstract: A confidential computing (CC) apparatus includes a CPU and a peripheral device. The CPU is to run a hypervisor that hosts one or more Trusted Virtual Machines (TVMs). The peripheral device is coupled to the CPU and to an external memory. The CPU includes a TVM-Monitor (TVMM), to perform management operations on the one or more TVMs, to track memory space that is allocated by the hypervisor to the peripheral device in the external memory, to monitor memory-access requests issued by the hypervisor to the memory space allocated to the peripheral device in the external memory, and to permit or deny the memory-access requests, according to a criterion.

Abstract: Technologies for system call trace reconstruction are described. A method includes determining, by one or more processors, a set of memory locations of a kernel memory structure. The set of memory locations stores data indicating one or more parameters of a user-associated process. The method further includes determining that a first value of a first of the set of memory location has changed. The method further includes determining an execution of a first system call associated with the user-associated process and the kernel memory structure. The method further includes retrieving one or more values corresponding to individual memory location of the set of memory location associated with the first system call. The method further includes providing an output identifying the first system call based on the one or more values corresponding to the individual memory locations.

Abstract: A computer system includes a volatile memory and at least one processor. The volatile memory includes a protected storage segment (PSS) configured to store firmware-authentication program code for authenticating firmware of the computer system. The at least one processor is configured to receive a trigger to switch to a given version of the firmware, to obtain, in response to the trigger, a privilege to access the PSS, to authenticate the given version of the firmware by executing the firmware-authentication program code from the PSS, to switch to the given version of the firmware upon successfully authenticating the given version, and to take an alternative action upon failing to authenticate the given version.