Patents by Inventor Amy Christine Nelson

Amy Christine Nelson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12292948
    Abstract: Trust of a secure workspace that has multiple layers with distributed ownership can be verified. A management service can maintain a repository of layers for secure workspaces and a certificate vault storing certificates of the owners of the layers. The management service can also maintain workspace metadata defining secure workspaces that pertain to a particular user and the layers that form the secure workspaces. When a secure workspace is to be deployed on a user computing device, the management service can send the layers that form the secure workspace and the workspace metadata for the secure workspace to a host agent on the user computing device. The host agent can then leverage the certificates of the owners of the layers to verify the trust of each layer and, if trust is verified for all layers that form the secure workspace, can deploy the secure workspace on the user computing device.
    Type: Grant
    Filed: February 6, 2023
    Date of Patent: May 6, 2025
    Assignee: Dell Products L.P.
    Inventors: Gokul Thiruchengode Vajravel, Amy Christine Nelson
  • Publication number: 20250139271
    Abstract: Methods and systems for managing a data processing system are disclosed. A management controller of the data processing system may provide a sanitization request to a policy management server using an out-of-band communication channel. The management controller may obtain a response to the sanitization request from the policy management server via the out-of-band communication channel. The response may indicate whether performance of a sanitization process is authorized. The authorization may be based on a sanitization policy that governs sanitizations for the data processing system. If performance of the sanitization process is authorized, then the management controller may initiate and/or perform an action set based on the sanitization policy in order to complete the sanitization process, thereby placing the data processing system in a safe state.
    Type: Application
    Filed: October 31, 2023
    Publication date: May 1, 2025
    Inventors: RICHARD M. TONRY, ABEYE TESHOME, BASSEM EL-AZZAMI, MOHIT ARORA, VINODKUMAR VASUDEV OTTAR, LUIS ANTONIO VALENCIA REYES, ADOLFO SANDOR MONTERO, AMY CHRISTINE NELSON, RAJARAVI CHANDRA KOLLARAPU
  • Publication number: 20250141661
    Abstract: Methods and systems for registering a management controller of a data processing system with a server and an orchestrator are disclosed. To do so, a key pair may be generated by the management controller and a private key of the key pair may be kept secret by the management controller. Previously established trust between a trusted platform module of the data processing system and a manufacturer of the data processing system may be leveraged to register the management controller with the server. Hardware resources of the data processing system may register a public key of the key pair with the server and may request registration of the management controller with the orchestrator. The management controller may obtain a challenge from an internet of things hub associated with the orchestrator and may respond to the challenge, via an out of band communication channel, to complete the registration of the management controller.
    Type: Application
    Filed: October 31, 2023
    Publication date: May 1, 2025
    Inventors: ABEYE TESHOME, RICHARD M. TONRY, BASSEM EL-AZZAMI, MOHIT ARORA, VINODKUMAR VASUDEV OTTAR, LUIS ANTONIO VALENCIA REYES, ADOLFO SANDOR MONTERO, AMY CHRISTINE NELSON, RAJARAVI CHANDRA KOLLARAPU
  • Publication number: 20250141674
    Abstract: Methods and systems for registering a management controller of a data processing system with a server are disclosed. To register a management controller, an identifier for the management controller may be cryptographically signed using a private key of a public private key pair kept secret by a trusted platform module (TPM). The signed identifier may be provided to the server and the server may utilize a public key of the public private key pair to verify the signed identifier was signed by a trusted entity. If the signed identifier is verified by the server, the server may register the management controller as associated with the data processing system and as a trusted entity to manage operation of hardware resources of the data processing system. The management controller may subsequently utilize an out of band communication channel to interact with the server to manage the operation of the data processing system.
    Type: Application
    Filed: October 31, 2023
    Publication date: May 1, 2025
    Inventors: RICHARD M. TONRY, ABEYE TESHOME, BASSEM EL-AZZAMI, MOHIT ARORA, VINODKUMAR VASUDEV OTTAR, LUIS ANTONIO VALENCIA REYES, ADOLFO SANDOR MONTERO, RAJARAVI CHANDRA KOLLARAPU, AMY CHRISTINE NELSON
  • Publication number: 20250141924
    Abstract: Methods and systems for securing communications between management controllers and message brokers are provided. The communications may be secured using pre-provisioned secrets to encrypt and decrypt messages. The secrets may be pre-provisioned using keypairs established during registration of the management controller with other systems. The keypair may be used to provide the management controllers with access to the secrets. Once obtained, the secrets may be used to encrypt communications without establishing session keys or other data structures.
    Type: Application
    Filed: October 31, 2023
    Publication date: May 1, 2025
    Inventors: MOHIT ARORA, ABEYE TESHOME, RICHARD M. TONRY, BASSEM EL-AZZAMI, VINODKUMAR VASUDEV OTTAR, LUIS ANTONIO VALENCIA REYES, ADOLFO SANDOR MONTERO, AMY CHRISTINE NELSON, RAJARAVI CHANDRA KOLLARAPU
  • Publication number: 20250139298
    Abstract: Methods and systems for managing data processing systems are disclosed. The data processing systems may be managed by verifying the integrity of the data processing systems. The integrity may be verified as a prerequisite to use of the data processing systems. The integrity may be verified, at least in part, by verifying that the hardware component loadout of a data processing system is as expected. If the actual hardware component loadout diverges from an expected hardware component loadout, then remedial activity may be performed to address the differences between the actual and expected hardware component loadout.
    Type: Application
    Filed: October 31, 2023
    Publication date: May 1, 2025
    Inventors: VINODKUMAR VASUDEV OTTAR, ABEYE TESHOME, RICHARD M. TONRY, BASSEM EL-AZZAMI, MOHIT ARORA, LUIS ANTONIO VALENCIA REYES, ADOLFO SANDOR MONTERO, RAJARAVI CHANDRA KOLLARAPU, AMY CHRISTINE NELSON
  • Patent number: 12074980
    Abstract: In one or more embodiments, a first information handling system may: receive a chained cryptographic hash value determined by a trusted platform module (TPM) of a second information handling system; receive multiple patch identities associated with multiple updated firmware installed on multiple components of the second information handling system; receive an event log associated with output of the TPM as the TPM determined the chained cryptographic hash value; retrieve multiple layered endorsements respectively associated with the multiple patch identities; determine multiple hash values from multiple signatures stored in the multiple layered endorsements; compare the chained cryptographic hash value with the event log; compare multiple event information with the multiple hash values; and determine that the second information handling system has booted into a trusted state based at least on comparing the chained cryptographic hash value with the event log and comparing the multiple event information with the
    Type: Grant
    Filed: June 18, 2021
    Date of Patent: August 27, 2024
    Assignee: Dell Products L.P.
    Inventors: Nicholas DiCiurcio Grobelny, Amy Christine Nelson
  • Patent number: 12072982
    Abstract: A virtual BIOS engine may be configured to, during runtime of an operating system, in response to an operating system event for updating firmware, load onto an isolated compute domain of the processor to emulate firmware update processes of a non-transitory computer-readable media with a virtual non-transitory computer-readable media and emulate the firmware update processes of the cryptoprocessor with a virtual cryptoprocessor, extract a firmware payload to the virtual non-transitory computer-readable media, and execute a virtual trust chain to measure the firmware payload in the virtual non-transitory computer-readable media.
    Type: Grant
    Filed: June 10, 2022
    Date of Patent: August 27, 2024
    Assignee: Dell Products L.P.
    Inventors: Shekar Babu Suryanarayana, Anand Prakash Joshi, Amy Christine Nelson, Nicholas D. Grobelny
  • Publication number: 20240265084
    Abstract: Resource enablers of a secure workspace can be selectively validated and enabled. Resource enablers can be configured to selectively allow an application hosted in a secure workspace to access an external resource based on a trust of the application and/or of the external resource. As a result, the security of the secure workspace can be maintained without having to restrict all access to external resources.
    Type: Application
    Filed: February 6, 2023
    Publication date: August 8, 2024
    Inventors: Gokul Thiruchengode Vajravel, Amy Christine Nelson
  • Publication number: 20240265070
    Abstract: Trust of a secure workspace that has multiple layers with distributed ownership can be verified. A management service can maintain a repository of layers for secure workspaces and a certificate vault storing certificates of the owners of the layers. The management service can also maintain workspace metadata defining secure workspaces that pertain to a particular user and the layers that form the secure workspaces. When a secure workspace is to be deployed on a user computing device, the management service can send the layers that form the secure workspace and the workspace metadata for the secure workspace to a host agent on the user computing device. The host agent can then leverage the certificates of the owners of the layers to verify the trust of each layer and, if trust is verified for all layers that form the secure workspace, can deploy the secure workspace on the user computing device.
    Type: Application
    Filed: February 6, 2023
    Publication date: August 8, 2024
    Inventors: Gokul Thiruchengode Vajravel, Amy Christine Nelson
  • Publication number: 20240161122
    Abstract: A field replaceable unit can be verified before replacement. An integrity plugin on a customer device can be configured to compute a hash of each field replaceable unit on the customer device. The integrity plugin can share these hashes with an integrity service which can use the hashes to generate an integrity status of the field replaceable units. The integrity service can maintain the integrity status of the field replaceable units in an integrity database. When the customer requests replacement of a field replaceable unit, a technician device can interface with the integrity plugin to obtain a computed hash of the field replaceable unit. The integrity status for the field replaceable unit can then be used to evaluate the computed hash to thereby verify the integrity of the field replaceable unit. If the verification fails, the technician can forego replacing the field replaceable unit under a support or warranty plan.
    Type: Application
    Filed: November 15, 2022
    Publication date: May 16, 2024
    Inventors: Amy Christine Nelson, Vivekanandh Narayanasamy Rajagopalan
  • Publication number: 20230401316
    Abstract: A virtual BIOS engine may be configured to, during runtime of an operating system, in response to an operating system event for updating firmware, load onto an isolated compute domain of the processor to emulate firmware update processes of a non-transitory computer-readable media with a virtual non-transitory computer-readable media and emulate the firmware update processes of the cryptoprocessor with a virtual cryptoprocessor, extract a firmware payload to the virtual non-transitory computer-readable media, and execute a virtual trust chain to measure the firmware payload in the virtual non-transitory computer-readable media.
    Type: Application
    Filed: June 10, 2022
    Publication date: December 14, 2023
    Applicant: Dell Products L.P.
    Inventors: Shekar Babu SURYANARAYANA, Anand Prakash JOSHI, Amy Christine NELSON, Nicholas D. GROBELNY
  • Patent number: 11748502
    Abstract: In one or more embodiments, a first information handling system (IHS) may: encrypt a document utilizing a symmetric encryption key to produce an encrypted document; and encrypt a metadata file, which includes the symmetric encryption key, utilizing a session encryption key to produce a first encrypted metadata file. In one or more embodiments, a second IHS may: decrypt the first encrypted metadata file utilizing the session encryption key to produce the metadata file; and encrypt the metadata file utilizing a public encryption key associated with a second TPM associated with a third IHS to produce a second encrypted metadata file. In one or more embodiments, the third information handling system may: decrypt the second encrypted metadata file utilizing a private encryption key associated with the second TPM to produce the metadata file; and decrypt the encrypted document utilizing the symmetric encryption key, from the metadata file, to produce the document.
    Type: Grant
    Filed: June 10, 2021
    Date of Patent: September 5, 2023
    Assignee: Dell Products L.P.
    Inventors: Amy Christine Nelson, Chooi Peng Low
  • Publication number: 20220407714
    Abstract: In one or more embodiments, a first information handling system may: receive a chained cryptographic hash value determined by a trusted platform module (TPM) of a second information handling system; receive multiple patch identities associated with multiple updated firmware installed on multiple components of the second information handling system; receive an event log associated with output of the TPM as the TPM determined the chained cryptographic hash value; retrieve multiple layered endorsements respectively associated with the multiple patch identities; determine multiple hash values from multiple signatures stored in the multiple layered endorsements; compare the chained cryptographic hash value with the event log; compare multiple event information with the multiple hash values; and determine that the second information handling system has booted into a trusted state based at least on comparing the chained cryptographic hash value with the event log and comparing the multiple event information with the
    Type: Application
    Filed: June 18, 2021
    Publication date: December 22, 2022
    Inventors: Nicholas DiCiurcio Grobelny, Amy Christine Nelson
  • Publication number: 20220398332
    Abstract: In one or more embodiments, a first information handling system (IHS) may: encrypt a document utilizing a symmetric encryption key to produce an encrypted document; and encrypt a metadata file, which includes the symmetric encryption key, utilizing a session encryption key to produce a first encrypted metadata file. In one or more embodiments, a second IHS may: decrypt the first encrypted metadata file utilizing the session encryption key to produce the metadata file; and encrypt the metadata file utilizing a public encryption key associated with a second TPM associated with a third IHS to produce a second encrypted metadata file. In one or more embodiments, the third information handling system may: decrypt the second encrypted metadata file utilizing a private encryption key associated with the second TPM to produce the metadata file; and decrypt the encrypted document utilizing the symmetric encryption key, from the metadata file, to produce the document.
    Type: Application
    Filed: June 10, 2021
    Publication date: December 15, 2022
    Inventors: Amy Christine Nelson, Chooi Peng Low
  • Publication number: 20220383333
    Abstract: In one or more embodiments, one or more systems, one or more methods, and/or one or more processes may: create a manifest that includes inventory information for components of a first information handling system (IHS); encrypt, with a first private encryption key, a hash value of the manifest to produce a signature of the manifest; provide, to a second IHS, a certificate signing request that includes the manifest, the signature of the manifest, and a first public encryption key; decrypt, utilizing the first public encryption key, the signature of the manifest to obtain the hash value of the manifest; determine name-value pairs from the manifest as attributes; encrypt, with a second private encryption key, a hash value of the attributes to produce a signature of the attributes; create an attribute certificate that includes the attributes and the signature of the attributes; and provide the attribute certificate to the first IHS.
    Type: Application
    Filed: May 28, 2021
    Publication date: December 1, 2022
    Inventors: JASON MATTHEW YOUNG, CHARLES DELBERT ROBISON, AMY CHRISTINE NELSON
  • Patent number: 11012241
    Abstract: Validation of entitlements to software is provided with a Trusted Platform Module (TPM) platform hierarchy private key created at manufacture of an information handling system and an associated public key. At initiation of an entitlement request, such as to install a software application, a verification signature associated with the request is verified by the TPM to ensure that the information handling system is entitled to run the software.
    Type: Grant
    Filed: September 10, 2018
    Date of Patent: May 18, 2021
    Assignee: Dell Products L.P.
    Inventor: Amy Christine Nelson
  • Publication number: 20200084042
    Abstract: Validation of entitlements to software is provided with a Trusted Platform Module (TPM) platform hierarchy private key created at manufacture of an information handling system and an associated public key. At initiation of an entitlement request, such as to install a software application, a verification signature associated with the request is verified by the TPM to ensure that the information handling system is entitled to run the software.
    Type: Application
    Filed: September 10, 2018
    Publication date: March 12, 2020
    Applicant: Dell Products L.P.
    Inventor: Amy Christine Nelson
  • Patent number: 9881183
    Abstract: Systems and methods for reducing problems and disadvantages associated with traditional approaches to encryption and decryption of data are provided. An information handling system may include a processor, a memory communicatively coupled to the processor, and a computer-readable medium communicatively coupled to the processor.
    Type: Grant
    Filed: July 16, 2015
    Date of Patent: January 30, 2018
    Assignee: Dell Products L.P.
    Inventors: Amy Christine Nelson, Kenneth W. Stufflebeam, Jr.
  • Patent number: 9740867
    Abstract: Systems and methods for securely passing user authentication data between a Pre-Boot Authentication (PBA) environment and an Operating System (OS) are described. In some embodiments, an Information Handling System (IHS) may include a processor; and a Basic I/O System (BIOS) coupled to the processor, the BIOS having program instructions stored thereon that, upon execution by the processor, cause the computer system to: identify an encrypted Single-Sign-On (SSO) token and a Trusted Platform Module (TPM) key pair provisioned by an Operating System (OS) and stored in an OS registry; extract a TPM public key from the TPM key pair; encrypt a PBA private key generated by a PBA application with the TPM public key; and store the encrypted PBA private key, the TPM key pair, and the encrypted SSO token in a shadow partition of a self-encrypting hard drive coupled to the IHS.
    Type: Grant
    Filed: November 16, 2015
    Date of Patent: August 22, 2017
    Assignee: Dell Products, L.P.
    Inventors: Amy Christine Nelson, Christopher D. Burchett