Abstract: A system that includes a graphics processing unit (GPU) that includes: at least one processor and circuitry to: based on failure of the GPU to load boot firmware, operate as a survivability agent to allow for the GPU to boot to a configuration wherein a host system is to communicate with the GPU to determine the failure of the GPU to load boot firmware and to load second boot firmware for access by the GPU. In some examples, the GPU includes an input output (IO) subsystem and to boot to the configuration, the circuitry is to provide the host system with access to an indicator of failure of the GPU and access to the host system to load the second boot firmware into a boot storage accessible to the GPU.

Abstract: Dynamic integrity verification of shaders for processing of workloads is described. An example of an apparatus includes one or more processors including a GPU, the GPU including circuitry for dynamic verification of shaders; and a memory for storage of data, including data for one or more workloads of the GPU, the one or more processors to identify one or more shaders that can operate on protected content in the one or more workloads; transfer binary blocks of the one or more shaders to a trusted execution environment of the GPU to authenticate the one or more shaders; load hashes for the binary blocks of the one or more shaders into memory; and send a hardware command that points to a first shader of the one or more shaders for dynamic verification of the first shader.

Abstract: An apparatus, system, and method for are provided. A device includes a first tunable replica circuit configured to detect an undervoltage and overclocking event, a second tunable replica circuit configured to detect an overvoltage and underclocking event, and a countermeasures component configured to alter a circuit of the device responsive to detection of the undervoltage and overclocking event or the overvoltage and underclocking event.

Abstract: An integrated circuit (IC) die comprises a sensor, which includes a pulse generator and a pulse expander. The pulse generator comprises gate circuits coupled to each other in an in-series arrangement. An input of the pulse generator is coupled to receive a voltage and the pulse generator is to generate a first signal based on the voltage. The pulse generator is to generate a first pulse of the first signal based on an event wherein radiation from a laser is incident upon the pulse generator. The pulse expander is coupled to receive the first signal from the pulse generator and to generate a second signal based on the first signal, wherein a second pulse of the second signal is based on the first pulse. A first duration of the first pulse is less than a second duration of the second pulse.

Abstract: An integrated circuit (IC) die comprises a sensor, which includes a pulse generator and a pulse expander. The pulse generator comprises gate circuits coupled to each other in an in-series arrangement. An input of the pulse generator is coupled to receive a voltage and the pulse generator is to generate a first signal based on the voltage. The pulse generator is to generate a first pulse of the first signal based on an event wherein radiation from a laser is incident upon the pulse generator. The pulse expander is coupled to receive the first signal from the pulse generator and to generate a second signal based on the first signal, wherein a second pulse of the second signal is based on the first pulse. A first duration of the first pulse is less than a second duration of the second pulse.

Abstract: Device memory protection for supporting trust domains is described. An example of a computer-readable storage medium includes instructions for allocating device memory for one or more trust domains (TDs) in a system including one or more processors and a graphics processing unit (GPU); allocating a trusted key ID for a TD of the one or more TDs; creating LMTT (Local Memory Translation Table) mapping for address translation tables, the address translation tables being stored in a device memory of the GPU; transitioning the TD to a secure state; and receiving and processing a memory access request associated with the TD, processing the memory access request including accessing a secure version of the address translation tables.

Abstract: Connectionless trusted computing base recovery is described. An example of a system includes one or more processors to process data; hardware including a hardware RoT (root of trust); and firmware including a firmware TCB (trusted computing base), the firmware including the credentials including one or more certificates and one or more keys, wherein the one or more processors are to determine that the firmware TCB is compromised and that the hardware RoT is intact; issue new credentials by the hardware RoT to mutable firmware based on a version number or security version number (SVN) of the firmware; and revoke old versions of the credentials for the firmware.

Abstract: An apparatus, system, and method for are provided. A device includes a first tunable replica circuit configured to detect an undervoltage and overclocking event, a second tunable replica circuit configured to detect an overvoltage and underclocking event, and a countermeasures component configured to alter a circuit of the device responsive to detection of the undervoltage and overclocking event or the overvoltage and underclocking event.

Abstract: An example includes detecting receiving a bus turn-around (BTA) sequence after detecting a voltage level; sending a BTA acknowledgement in response to the BTA sequence; and sending a configuration command to a peripheral device after the interface is initialized based on the BTA acknowledgement.

Abstract: Security and support for trust domain operation is described. An example of a method includes processing, at an accelerator, one or more compute workloads received from a host system; upon receiving a notification that a trust domain has transitioned to a secure state, transition an original set of privileges for the accelerator to a downgraded set of privileges; upon receiving a command from the host system for the trust domain, processing the command in accordance with the trust domain; and upon receiving a request from the host system to access a register, for a register included in an allowed list of registers for access, allow access to the register, and, for a register that is not within the allowed list of registers for access, disallowing access to the register.

Abstract: Device memory protection for supporting trust domains is described. An example of a computer-readable storage medium includes instructions for allocating device memory for one or more trust domains (TDs) in a system including one or more processors and a graphics processing unit (GPU); allocating a trusted key ID for a TD of the one or more TDs; creating LMTT (Local Memory Translation Table) mapping for address translation tables, the address translation tables being stored in a device memory of the GPU; transitioning the TD to a secure state; and receiving and processing a memory access request associated with the TD, processing the memory access request including accessing a secure version of the address translation tables.

Abstract: An apparatus is disclosed. The apparatus comprises a trusted device including a first integrated circuit (IC) die comprising a first plurality of hardware devices and a second IC die comprising a second plurality of hardware devices and cryptographic processor to operate as a root of trust to manage an input/output (I/O) functional state of each of the hardware devices.

Abstract: Connectionless trusted computing base recovery is described. An example of a system includes one or more processors to process data; hardware including a hardware RoT (root of trust); and firmware including a firmware TCB (trusted computing base), the firmware including the credentials including one or more certificates and one or more keys, wherein the one or more processors are to determine that the firmware TCB is compromised and that the hardware RoT is intact; issue new credentials by the hardware RoT to mutable firmware based on a version number or security version number (SVN) of the firmware; and revoke old versions of the credentials for the firmware.

Abstract: An example method for initializing an interface includes driving a low voltage signal on data lanes and clock lanes. The method further includes performing a reset sequence and an initialization of a link configuration register. The method also includes driving a high voltage signal to the clock lanes and the data lanes. The method further includes driving a bus turn-around (BTA) sequence on the data lanes. The method also includes detecting that the BTA is acknowledged by a host controller.

Abstract: An embodiment of a graphics apparatus may include a graphics processor including a kernel executor, and a security engine communicatively coupled to the graphics processor. The security engine may be configured to create a kernel security key, encrypt an executable kernel for the kernel executor in accordance with the kernel security key, and share the kernel security key with the graphics processor.

Abstract: An example includes detecting receiving a bus turn-around (BTA) sequence after detecting a voltage level; sending a BTA acknowledgement in response to the BTA sequence; and sending a configuration command to a peripheral device after the interface is initialized based on the BTA acknowledgement.

Abstract: Technologies for provisioning cryptographic keys include hardcoding identical cryptographic key components of a Rivest-Shamir-Adleman (RSA) public-private key pair to each compute device of a plurality of compute devices. A unique cryptographic exponent that forms a valid RSA public-private key pair with cryptographic key components hardcoded into each compute device is provided to each compute device so that each compute device has a unique public key. The public key of each compute device may be used to provision unique secrets to the corresponding compute device.

Abstract: In one embodiment, an apparatus comprises a first processor to generate a first cryptographic key in response to a request from a software application; receive a second cryptographic key generated by a second processor; encrypt the first cryptographic key using the second cryptographic key; and provide the encrypted first cryptographic key for use by the software application.

Abstract: In embodiments, an apparatus for microcontroller (?C) or system-on-chip (SoC) computing includes a set of fuses disposed in a ?C or a SoC to store a seed value and M pairs of loop counter values (LCVs) with which to locally generate M private keys from the seed value on the microcontroller or SoC, where M is a positive integer, each private key to decrypt data encrypted with a pre-defined public key cryptosystem, wherein each private key includes two prime numbers p and q (p,q), the LCVs being a number of iterations of a key derivation function (KDF) needed to respectively obtain p and q from the seed value; and a key decoder, disposed in the (?C) or the SoC, and coupled to the set of fuses, to read the seed value and the M pairs of LCVs, and, for each of the M private keys to: respectively generate (p,q) from the seed value by respectively iterating the KDF by the LCVs for that key.

Abstract: An example method for initializing an interface includes driving a low voltage signal on data lanes and clock lanes. The method further includes performing a reset sequence and an initialization of a link configuration register. The method also includes driving a high voltage signal to the clock lanes and the data lanes. The method further includes driving a bus turn-around (BTA) sequence on the data lanes. The method also includes detecting that the BTA is acknowledged by a host controller.