Abstract: A method is described for enforcing a secure print policy, the method comprising providing a security policy, cryptographically binding the security policy to a print job to generate a secure print job, verify security properties of at least one of: a printer and an intermediary device using the security policy and a remote attestation protocol, and provided the security properties are verified, releasing the print job to the printer.

Abstract: Example implementations relate to operational verification. In an example, operational verification includes a processor, a shared non-volatile memory storing updated system, and an embedded controller (EC) to operationally verify the updated system instructions based on comparison of a length of time associated with a BIOS boot of the computing system using the updated system instructions to a boot time threshold.

Abstract: A system and method for authentication are described herein. An authentication downrequest is received at a combiner proxy (350). The combiner proxy (350), is arranged to receive a user authentication request, receive one or more share values from one or more communications devices (330A, . . . , 330N) where each of the communications devices (330A, . . . 330N) stores at least one share value of a set of share values and determine if one or more share values that have been received from the communications devices (330A, . . . , 330N) meet a quantitative criteria. The combiner proxy (350) is arranged to authenticate the user if the received share values meet the quantitative criteria.

Abstract: Example implementations relate to operational verification. In an example, operational verification includes a processor, a shared non-volatile memory storing updated system, and an embedded controller (EC) to operationally verify the updated system instructions based on comparison of a length of time associated with a BIOS boot of the computing system using the updated system instructions to a boot time threshold.

Abstract: A system and method for authentication are described herein. An authentication request is received at a combiner proxy (350). The combiner proxy (350), is arranged to receive a user authentication request, receive one or more share values from one or more communications devices (330A, . . . , 330N) where each of the communications devices (330A, . . . 330N) stores at least one share value of a set of share values and determine if one or more share values that have been received from the communications devices (330A, . . . , 330N) meet a quantitative criteria. The combiner proxy (350) is arranged to authenticate the user if the received share values meet the quantitative criteria.

Abstract: Examples herein disclose monitoring an expected functionality upon execution of a system management mode (SMM) code. The examples detect whether a change has occurred to the SMM code based on the monitoring of the expected functionality. The change indicates that the SMM code is compromised.

Abstract: One example includes a display device. The display device includes an electronic paper display imageable by receiving charges on an imaging surface of the electronic paper display. The display device includes an embedded chip to enable writing to the electronic paper display based on a successful authentication.

Abstract: Examples herein disclose monitoring an expected functionality upon execution of a system management mode (SMM) BIOS code. The examples detect whether a change has occurred to the SMM BIOS code based on the monitoring of the expected functionality. The change indicates that the SMM BIOS code is compromised.

Abstract: A computing system and a method of handling a system management request. The computing system includes a virtual high-privilege mode in a trusted domain managed by the virtual machine monitor. The virtual high-privilege mode handles the system management request.

Abstract: A system and method for authentication are described herein. An authentication request is received at a combiner proxy (350). The combiner proxy (350), is arranged to receive a user authentication request, receive one or more share values from one or more communications devices (330A, . . . ,330N) where each of the communications devices (330A, . . . 330N) stores at least one share value of a set of share values and determine if one or more share values that have been received from the communications devices (330A, . . . ,330N) meet a quantitative criteria. The combiner proxy (350) is arranged to authenticate the user if the received share values meet the quantitative criteria.

Abstract: Examples associated with basic input/output system (BiOS) security are described. One example includes detecting a mismatch between an active BiOS setting and a saved BIOS setting. An update previously applied to the active BiOS setting is validated. The update Is applied to the saved BIOS setting creating an updated BIOS setting. The saved BIOS setting is updated when the updated BIOS setting and the active BIOS setting match. The saved BIOS setting is updated to the active BIOS setting. A security action is taken when the updated BiOS setting and the active BiOS setting differ.

Abstract: An environment manager in a computer executes multiple environments concurrently. A user management framework (UMF) virtual machine on the computer runs an authentication domain that supports user profile management of the multiple environments.

Abstract: An example non-transitory computer-readable medium includes instructions that, when executed by a processor, cause the processor to receive a request for data. The instructions also cause the processor to determine a region containing the data based on the metadata. The instructions cause the processor to traverse a tree in the metadata to determine key generation information relating a decryption key for the region to a root key.

Abstract: In an example, a method includes pairing a first electronic device and a data relay apparatus associated with a second electronic device to establish a secure wireless communication link therebetween. Each of the first electronic device and the data relay apparatus may be associated with an identifier and a verifier, each verifier being to verify the identifier of the other of the first electronic device or data relay apparatus. The pairing may include mutual verification of an identifier using the verifier, establishing shared key data and using the shared key data to establish a shared secret value for use in determining a derived key.

Abstract: Example implementations relate to operational verification. In an example, operational verification includes a processor, a shared non-volatile memory storing updated system, and an embedded controller (EC) to operationally verify the updated system instructions based on comparison of a length of time associated with a BIOS boot of the computing system using the updated system instructions to a boot time threshold.

Abstract: Examples of systems and methods for device-type content management are described herein. In an example, at least one of a community policy and a community-device type policy may be generated. The community policy may be generated for a community defined for an enterprise and may be enforced on a plurality of user devices registered with the community. Further, the device-community policy may be enforced on a user device, from among the plurality of user devices, based on a device-type of the user device. The device-community policy may indicate a management service to be used to realize the community policy. Further, a management service agent (MS agent) may be provided to the user device, based on the management service indicated by the device-community policy. The MS agent may provide for managing enterprise content on the user device as indicated by the community policy.

Abstract: Examples associated with distributed authentication are described. One example includes generating a paired public key and private key associated with a user. The private key is split into a set of shares, which are distributed to a set of devices associated with the user. A challenge is generated to authenticate the user to grant the user access to a resource upon receiving an authenticating response to the challenge. The challenge is distributed to members of the set of devices. Partial responses are received from members of the set of devices and combined into a group signature. The group signature serves as an authenticating response to the challenge when generated from partial responses received from a threshold number of members of the set of devices.

Abstract: Examples associated with certificate analysis are disclosed. One example periodically analyzing a secure socket layer certificate chain between a client device and a server device. The client device may perform this periodic analysis. In response to detecting an unexpected certificate in the secure socket layer certificate chain, a responsive action is taken.

Abstract: An electronic device for management of cryptographic keys, and a corresponding method implemented in a computing device comprising a physical processor, transmit feature data of the device to a key generation module, wherein the feature data comprises information corresponding to an identifier or an attribute of the device, and receive, by the device from the key generation module, a digital signature of the transmitted feature data. The device installs the received digital signature as a cryptographic private key for communication, and performs a cryptographic operation using the installed digital signature as the cryptographic private key.

Abstract: A secure communication channel is established between a virtual trusted runtime basic input output system (BIOS) and a virtual machine that includes a virtual BIOS. The virtual trusted runtime BIOS communicates with the virtual machine according to a web-based protocol over the secure communication channel using a secure socket layer.