Abstract: An apparatus may include a root of trust for measurement (RTM) module coupled to a verified platform security property policy module and a comparison module. The comparison module may operate to prevent transfer of control to an operating system (and/or halt the boot process) if a policy included in the platform security property policy module is violated. A system may include a memory coupled to a processor, a platform security property policy module, and a comparison module. The memory may include an RTM. A method may include beginning execution at an entry point within an RTM, determining that the RTM is trustworthy, determining that a main initialization code associated with a platform is trustworthy and transferring control to the main initialization code, and otherwise, refraining from transferring control to the main initialization code.

Abstract: Methods, apparatus and machine-readable medium are described that attempt to protect secrets from sleep attacks. In some embodiments, the secrets are encrypted and a security enhanced environment dismantled prior to entering a sleep state. Some embodiments further re-establish a security enhanced environment and decrypt the secrets in response to a wake event.

Abstract: A system is initialized for operation in a protected operating environment by executing authenticated code that prepares various portions of the hardware for protection from non-trusted software. In one embodiment, initialization includes identifying and locking down specified areas of memory for protected processing, then placing trusted software into the specified areas of memory and validating the trusted software. In a particular embodiment, initialization may also include deriving and protectively storing identifying characteristics of the trusted software.

Abstract: A system and method for permitting the execution of system management mode (SMM) code during secure operations in a microprocessor system is described. In one embodiment, the system management interrupt (SMI) may be first directed to a handler in a secured virtual machine monitor (SVMM). The SMI may then be re-directed to SMM code located in a virtual machine (VM) that is under the security control of the SVMM. This redirection may be accomplished by allowing the SVMM to read and write the system management (SM) base register in the processor.

Abstract: In one embodiment, a method comprises generating a cryptographic key pair associated with a data center. The method also includes storing a private key of the cryptographic key pair within a platform. The private key is used to sign a value stored in the platform for validation of inclusion of the platform into the data center. In an embodiment, the private key is revoked upon determining that the platform has been compromised. In one embodiment, the private key may be revoked in each of the platforms of the data center.

Abstract: A method and apparatus to communicate with a token using a previously reserved binary number in the start field of a cycle, wherein the cycle is not echoed on any bus other than the bus through which the communication is received.

Abstract: Methods, apparatus and computer readable medium are described that attempt to protect secrets from system reset attacks. In some embodiments, the memory is locked after a system reset and secrets removed from the memory before the memory is unlocked.

Abstract: Methods and arrangements to register code are described. Many embodiments may comprise determining an identity such as a hashed identity, digest value, digital signature, or the like, and registering resident code that defines a secure environment, to provide a basis for a system trustworthiness evaluation by another secure environment within the system, a secure environment within another system, a remote system, or the like. Some embodiments comprise transmitting an instruction to store the identity in a repository or memory inaccessible to insecure or untrustworthy hardware and/or software. Several embodiments may comprise verifying a request to access the identity. Other embodiments may comprise storing the identity in a temporary register, such as a register in a hub and/or in memory coupled with an input/output (I/O) hub or within a memory controller hub.

Abstract: A method and apparatus for resetting and modifying special registers in a security token is described. In one embodiment, a register may be reset when a reset flag is true when a special transmission on a bus demonstrates the mutual locality of the associated processor and chipset. A modify flag may also be used to indicate whether the register contents may be modified. Modifications may also be dependent upon demonstration of mutual locality.

Abstract: A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.

Abstract: Methods, apparatus and computer readable medium are described for sealing objects to two or more tokens. Further, methods, apparatus and computer readable medium are described for unsealing objects that have been sealed to two or more tokens.

Abstract: A processor loads, authenticates, and/or initiates execution of authenticated code modules in response to executing launch authenticated code instructions.

Abstract: Apparatus and method load, authenticate, and/or execute authenticated code modules stored in a private memory.

Abstract: An authenticated code module comprises a value that attests to the authenticity of the module. The value is encrypted with a key corresponding to a key of a computing device that is to execute the module.

Abstract: Credentials may by issued to virtual tokens of a computing device based upon a credential issued to physical token of the computing device thus tying the virtual token credential to the physical token credential.

Abstract: A method and system for protecting data on a computer is presented. A computer is provided that has a pre-operating system (pre-OS) space and an operating system-present (OS-present) space. Protected storage is accessed from pre-OS space via a trusted platform module (TPM). Similarly, protected storage is accessed from OS-present space via the TPM. As such, from both pre-OS space and OS-present space, a computer may prevent unauthorized users from gaining access to data stored in protected storage.

Abstract: In general, a method of securely transmitting data features an operation of authenticating a user of a platform during a Basic Input/Output System (BIOS) boot process. In response to authenticating the user, a first keying material is released from a token communicatively coupled to the platform. The first keying material is combined with a second keying material internally stored within the platform in order to produce a combination key. This combination key is used to decrypt a second BIOS area to recover a second segment of BIOS code.

Abstract: In general, one embodiment of the invention features a method comprising operations performed internally within a device. A first operation involves generating data for permanent storage in a protected area of internal memory of the device. This prevents subsequent modification of the data. A second operation involves producing a secret value being a combination of both the data and a short term value generated in response to a periodic event such as a power-up sequence of a platform employing the device.

Abstract: In one embodiment, a platform comprises a processor, an input/output control hub (ICH), and a trusted platform module (TPM). Coupled to the ICH, the TPM comprises an internal memory, and an asymmetric key generation unit. The symmetric key generation unit produces an ephemeral asymmetric key pair including an ephemeral asymmetric public key and an ephemeral asymmetric private key. Both the ephemeral asymmetric public key and the ephemeral asymmetric.