Abstract: An operating system kernel receives a request from an application to access a secret, the application and the operating system kernel executing in a first trust domain; and an attestation-based secrets manager receives the request from the operating system kernel, validates the request using remote attestation, gets the secret from a secure storage in the second trust domain when the request is validated, and sends the secret from the second trust domain to the operating system kernel, the attestation-based secrets manager executing in a second trust domain; wherein the operating system kernel then sends the secret to the application.

Abstract: Briefly, in accordance with one embodiment of the invention, a method of updating BIOS using an externally provided module may include the following. In this context, the term externally provided means that the module resides in a device other than that used to hold the firmware code, such as a magnetic storage device, typically with a lower cost per bit of information. In this embodiment, the BIOS, while in control of or being executed by a processor, applies a one-way hash process to a portion of the externally provided module. The computed hash of the module portion is compared with the pre-computed hash value included with the BIOS code. The external module is then invoked as a subprogram if and only if the hash values compare as equal. The module, while executing, may then validate the remainder of the update using more sophisticated cryptographic techniques and/or perform the update directly.

Abstract: A method and apparatus for booting an operating system having at least one boot component comprising the steps of accessing an ordered list identifying the at least one boot component; accessing each of the at least one boot component using the ordered list; computing a first hash value from the at least one boot component; accessing a second hash value, the second hash value being secure; comparing the first hash value to the second hash value; and booting the operating system if the first hash value matches the second hash value.