Abstract: A basic input/output system (BIOS) determine whether an automated recovery mechanism is enabled in response to a detection of a data corruption. An embedded controller may extract recovery data from a storage device upon confirmation that the automated recovery mechanism is enabled. In response to verification that the recovery data is valid, the controller may decrypt a BIOS firmware data in the recovery data and push the BIOS firmware data into a non-volatile random access memory, and decrypt an embedded controller firmware data in the recovery data and push the embedded controller firmware data into the non-volatile random access memory.

Abstract: Disclosed methods and system feature or perform operations including monitoring, within an operating system (OS) environment of an information handling system, telemetry data indicative of values for one or more hardware status parameters and generating any of one or more anomaly alerts responsive to identifying any of one or more anomalous conditions. Responsive to detecting an anomaly alert, an OS-context configuration may be determined based on the hardware status parameters monitored during a timebox associated with the anomaly alert. Responsive to detecting a reset of the information handling system, preboot operations may be performed wherein the pre-boot operations may include configuring the information handling system in accordance with the OS-context configuration and performing one or more hardware diagnostic routines while the information handling system is configured in accordance with the OS-context configuration.

Abstract: An information handling system includes a memory and a processor. The memory stores a basic input/output system (BIOS). The processor monitors the BIOS for a unified extensible firmware interface (UEFI) event. In response to a detection of the UEFI event, the processor reads a preauthorized event callback order. The processor compares a callback order for the UEFI event with the preauthorized event callback order. Based on the callback order for the UEFI event not matching the preauthorized event callback order, the processor detects a potential vulnerability in the UEFI event. In response to the detected potential vulnerability in the UEFI event, the processor dispatches one or more callback functions from the preauthorized event callback order.

Abstract: A system for protecting an information handling system from alterations in chain sequencing uses a root of trust to secure transition points between entities in a sequence according to a chain of trust stored in a chain of trust database. Before transitioning control from a first entity transferring control to a second entity receiving control, the root of trust validates the transferring entity and the receiving entity. Failure to validate both entities results in the root of trust stopping the boot process to prevent malicious code from interfering with the BIOS executing the correct steps in the process.

Abstract: Systems and methods provide isolated workspaces operating on an IHS (Information Handling System) with use of pre-boot resources of the IHS that are not directly accessible by the workspaces. Upon notification of a workspace initialization, a segregated variable space, such as a segregated memory utilized by a UEFI (Unified Extensible Firmware Interface) of the IHS, is specified for use by the workspace. The segregated variable space is initialized and populated with pre-boot variables, such as UEFI variables, that are allowed for configuration by the workspace. Upon a workspace issuing a request to configure a pre-boot variable, the segregated variable space is identified that was mapped for use by the workspace. The requested pre-boot variable configuration is allowed based on whether the pre-boot variable is populated in the segregated variable space. When the requested pre-boot variable configuration is allowed, the pre-boot variable is configured on behalf of the workspace.

Abstract: A system includes a communication channel monitor configured to calculate a hash value of a first encrypted code segment based on a measurement. A security module may derive a first encryption key using a key decryption function operation from the hash value of the first encrypted code segment. A processor decrypts the first encrypted code segment with a seed key retrieved from a storage device, and if the decryption is successful then executes the first decrypted code segment. The processor may retrieve a second one of the encrypted code segments, wherein the second encrypted code segment is a next encrypted code segment for execution after the first encrypted code segment according to a sequence of execution, decrypt the second encrypted code segment with the first encryption key, and if the decryption is successful then execute the second decrypted code segment.

Abstract: An information handling system includes a processor and an embedded controller. The processor executes operations while the information handling system is in an active power state. The embedded controller communicates with the processor. While the information handling system is in the active power state, the embedded controller detects a trigger event. In response to the trigger event, the embedded controller provides a ping command to the processor. Based on a response to the ping command not being received, the embedded controller determines a processor freeze, stores forensic data associated with the processor freeze, and stores an indication to perform a processor freeze recovery during a next boot operation.

Abstract: Applying a firmware update, including: receiving a firmware update package, the firmware update package including multiple payloads and a firmware update duration map; verifying an integrity of the firmware update duration map, and in response, extracting the firmware update duration map from the firmware update package; determining, at a first time, a first power required to apply a first payload of the firmware update package based at least on the firmware update duration map and a health of a battery; comparing a current power capacity of the battery with the first power required to apply the first payload of the firmware update package; determining that the current power capacity of the battery is greater than the first power required to apply the first payload, and in response: obtaining the first payload of the firmware update package; updating firmware by applying the first payload to the firmware.

Abstract: A diagnostics optimization platform employs cloud-based resources, including a diagnostics repository that accumulates health data from managed endpoints, and machine learning (ML) resources that generate endpoint-specific diagnostic plans based on the accumulated health data. The ML resources may be configured to generate diagnostic plans that prioritize any appropriate diagnostic testing parameter or objective including, as a non-limiting example, a reduction in diagnostic testing execution time and/or diagnostic testing frequency. The ML resources may maintain a continually updated training database derived from the collected health data to develop endpoint-specific data collection and diagnostic testing models. The ML resources may include a diagnostics optimization module to develop diagnostic testing models and provide corresponding endpoint-specific diagnostic plans to each endpoint.

Abstract: An information handling system includes a memory and a processor. The memory stores a basic input/output system (BIOS). The processor monitors the BIOS for a unified extensible firmware interface (UEFI) event. In response to a detection of the UEFI event, the processor reads a preauthorized event callback order. The processor compares a callback order for the UEFI event with the preauthorized event callback order. Based on the callback order for the UEFI event not matching the preauthorized event callback order, the processor detects a potential vulnerability in the UEFI event. In response to the detected potential vulnerability in the UEFI event, the processor dispatches one or more callback functions from the preauthorized event callback order.

Abstract: An information handling system may include a processor and a basic input/output system configured to identify, test, and/or initialize information handling resources of the information handling system, and further configured to predict a volume of incoming telemetry data collected by a preboot driver of the basic input/output system and based on the volume predicted, manage storage of the telemetry data among memory associated with the basic input/output system.

Abstract: A BIOS may include a plurality of protocol drivers and a protocol notification manager configured to receive a protocol notification registration from a consumer driver of the plurality of protocol drivers, receive a unique key associated with the consumer driver, receive a pre-authorized list from a producer driver of the plurality of protocol drivers, the pre-authorized list comprising one or more signed consumer identifiers, each of the one or more signed consumer identifiers identifying a respective one of the plurality of protocol drivers authorized to receive a protocol notification from the producer driver, determine if the unique key successfully decrypts a signed consumer identifier associated with the consumer driver, and perform access control of protocol notification from the producer driver to the consumer driver based on whether the unique key successfully decrypts the signed consumer identifier associated with the consumer driver.

Abstract: A method may include, during a PEI phase BIOS, responsive to a flag being set in a previous boot session of an information handling system to test a first designated region of a memory of the information handling system: testing the first designated region for a memory fault; in response to detecting the memory fault, mapping out the first designated region and designating an additional region of the memory as a designated region for SMRAM and repeating testing of additional designated regions, mapping out of failed additional designated regions, and designating new additional regions of the memory until a designated region passes testing without memory fault; and in response to detecting passage of testing without memory fault of a designated region comprising either of the first designated region or an additional region of the memory, configuring the designated region for use as the SMRAM for the information handling system.

Abstract: Systems and methods are disclosed herein that may implement an information handling system including a gateway and a peripheral device monitor. The gateway may interface peripheral devices and control access of host resources of the information handling system by any of the peripheral devices. The peripheral device monitor may detect connection of an unverified peripheral device to the gateway, perform a trust verification process with the unverified peripheral device, control the gateway to enable access of the host resources by the unverified peripheral device when the unverified peripheral device becomes verified, and control the gateway to prevent access to the host resources by the unverified peripheral device when the unverified peripheral device fails the trust verification process. The trust verification process may include validating a device certificate and verifying a digest of boot code of the peripheral device.

Abstract: An information handling system may include a processor and a basic input/output system (BIOS) comprising a program of instructions comprising boot firmware configured to be the first code executed by the processor when the information handling system is booted or powered on, the BIOS configured to, during boot of the information handling system: (i) read a predefined measurement of an order of loading of BIOS drivers configured to execute during execution of the BIOS, such predefined measurement made during build of the BIOS; (ii) perform a runtime measurement of an order of loading of the BIOS drivers during actual runtime of the information handling system; (iii) compare the predefined measurement to the runtime measurement; and (iv) responsive to a mismatch between the predefined measurement and the runtime measurement, respond with a remedial action.

Abstract: Determining utilization of a computing component, including: determining, of the power limits of the respective registers, a lowest power limit; determining an instantaneous power use of the computing component; determining a power-based utilization of the computing component based on i) the instantaneous power use of the computing component and ii) the lowest power limit indicated by the registers; identifying an instantaneous temperature and temperature limit of the computing component, and an ambient temperature of an environment of the computing component; determining a temperature-based utilization of the computing component based on the instantaneous temperature and the temperature limit of the computing component, and the ambient temperature of the environment; determining the utilization of the computing component based on a greater of the power-based utilization of the computing component and the temperature-based utilization of the computing component, and in response, adjusting execution of compute

Abstract: A method for binding applications to a platform root of trust includes pre-provisioning application binding components in an information handling system. An application requesting OS access sends its access control list (ACL) and application metadata to the BIOS, which performs initial checks. The BIOS responds with platform metadata and a first nonce. The application communicates the metadata, the first nonce and a second nonce to a server. The server checks the nonces and metadata, creates a third nonce and an application binding object (ABO). The application checks the nonces and sends a binding certificate to the BIOS. The BIOS checks the nonces, creates a binding certificate, verifies the binding certificate and sends a binding session credential (BSC) to the application. The application binds the BSC with platform credentials.

Abstract: A method may comprise, on a basic input/output system (BIOS), executing a hardware attestation verification application configured to: (a) during a first boot session of the information handling system comprising the BIOS, execute a first stage of an update to the information handling system and securely record a platform state record associated with beginning of execution of a second stage of the update; and (b) during a second boot session of the information handling system: (i) obtain the platform state record; (ii) compare the platform state record to an actual platform state during boot process of the second boot session; and (iii) if the platform state record matches the actual platform state during boot process of the second boot session, permit execution of the second state of the update.

Abstract: A method may include receiving telemetry data from an information handling system communicatively coupled to the information handling system and store the telemetry data based on uniquely identifying information of the information handling system, generating a firmware recovery image for the information handling system based on the telemetry data, storing the recovery image in a recovery image database indexed by the uniquely identifying information, responsive to a condition for initiating firmware recovery of the information handling system, retrieving the firmware recovery image for the information handling system from the recovery image database, and communicating the firmware recovery image to a companion device associated with the information handling system, such that preboot firmware of the information handling system may load and execute the firmware recovery image from the companion device to restore the information handling system.

Abstract: Applying a firmware update, including: receiving a firmware update package, the firmware update package including multiple payloads and a firmware update duration map; verifying an integrity of the firmware update duration map, and in response, extracting the firmware update duration map from the firmware update package; determining, at a first time, a first power required to apply a first payload of the firmware update package based at least on the firmware update duration map and a health of a battery; comparing a current power capacity of the battery with the first power required to apply the first payload of the firmware update package; determining that the current power capacity of the battery is greater than the first power required to apply the first payload, and in response: obtaining the first payload of the firmware update package; updating firmware by applying the first payload to the firmware