Patents by Inventor Eustace Ngwa Asanghanwa

Eustace Ngwa Asanghanwa has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11573778
    Abstract: The disclosed technology provides for packaging a secure cloud workload at a workload provisioning service. A unique device identifier is received from an edge device. The unique identifier is associated with the edge device. A unique packaging key is cryptographically generated based on the received unique device identifier, a unique workload identifier corresponding to a secure cloud workload to be executed on the edge device, and a nonce. The secure cloud workload is encrypted to generate a packaged secure cloud workload using the cryptographically generated unique packaging key. The encrypted secure cloud workload is transmitted to the edge device. The edge device is capable of independently cryptographically generating the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The edge device is also capable of decrypting the packaged secure cloud workload using the generated unique packaging key cryptographically generated by the edge device.
    Type: Grant
    Filed: August 2, 2021
    Date of Patent: February 7, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Eustace Ngwa Asanghanwa, Mahesh Sham Rohera
  • Patent number: 11354175
    Abstract: The disclosed technology is generally directed to IoT technology. In one example of the technology, the following actions are performed for each module of a plurality of modules on a first edge device. An identification message that includes information associated with identification of the module is received. The validity of the module is then verified. After the module is verified, based at least in part on the identification message, an IoT support service is selected from a plurality of IoT support services. The module is then caused to be registered with the selected IoT support service. The plurality of modules are compositable together into an application for the first edge device. The modules of the plurality of modules are capable of being used interoperably with other modules without altering the other modules.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: June 7, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Elio Damaggio, Chipalo Street, Eustace Ngwa Asanghanwa, Angelo Roncalli de Novaes Pires Ribeiro, Damon Luke Barry, Arjmand Samuel, Michael R. Yagley
  • Publication number: 20210385096
    Abstract: A system meters execution of an application module at an edge computing device. A secure workload package is transmitted securely from a workload provisioning service to the edge computing device. The secure workload package includes the application module, a trusted metering application, and a provisioning service authentication token. The provisioning service authentication token is verified in the secure workload package based on an edge device authentication token generated at the edge computing device. The trusted metering application is executed in a trusted execution environment of the edge computing device, responsive to verifying the provisioning service authentication token. The application module of the edge computing device is executed, wherein the trusted metering application is configured to monitor execution metrics of the application module on the edge computing device. The execution of the application module is managed based on the monitored execution metrics.
    Type: Application
    Filed: August 24, 2021
    Publication date: December 9, 2021
    Inventors: Eustace Ngwa ASANGHANWA, Mahesh Sham ROHERA
  • Publication number: 20210357197
    Abstract: The disclosed technology provides for packaging a secure cloud workload at a workload provisioning service. A unique device identifier is received from an edge device. The unique identifier is associated with the edge device. A unique packaging key is cryptographically generated based on the received unique device identifier, a unique workload identifier corresponding to a secure cloud workload to be executed on the edge device, and a nonce. The secure cloud workload is encrypted to generate a packaged secure cloud workload using the cryptographically generated unique packaging key. The encrypted secure cloud workload is transmitted to the edge device. The edge device is capable of independently cryptographically generating the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The edge device is also capable of decrypting the packaged secure cloud workload using the generated unique packaging key cryptographically generated by the edge device.
    Type: Application
    Filed: August 2, 2021
    Publication date: November 18, 2021
    Inventors: Eustace Ngwa ASANGHANWA, Mahesh Sham ROHERA
  • Patent number: 11128482
    Abstract: A system meters execution of an application module at an edge computing device. A secure workload package is transmitted securely from a workload provisioning service to the edge computing device. The secure workload package includes the application module, a trusted metering application, and a provisioning service authentication token. The provisioning service authentication token is verified in the secure workload package based on an edge device authentication token generated at the edge computing device. The trusted metering application is executed in a trusted execution environment of the edge computing device, responsive to verifying the provisioning service authentication token. The application module of the edge computing device is executed, wherein the trusted metering application is configured to monitor execution metrics of the application module on the edge computing device. The execution of the application module is managed based on the monitored execution metrics.
    Type: Grant
    Filed: April 19, 2019
    Date of Patent: September 21, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Eustace Ngwa Asanghanwa, Mahesh Sham Rohera
  • Patent number: 11106441
    Abstract: The disclosed technology provides for packaging a secure cloud workload at a workload provisioning service. A unique device identifier is received from an edge device. The unique identifier is associated with the edge device. A unique packaging key is cryptographically generated based on the received unique device identifier, a unique workload identifier corresponding to a secure cloud workload to be executed on the edge device, and a nonce. The secure cloud workload is encrypted to generate a packaged secure cloud workload using the cryptographically generated unique packaging key. The encrypted secure cloud workload is transmitted to the edge device. The edge device is capable of independently cryptographically generating the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The edge device is also capable of decrypting the packaged secure cloud workload using the generated unique packaging key cryptographically generated by the edge device.
    Type: Grant
    Filed: September 14, 2018
    Date of Patent: August 31, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Eustace Ngwa Asanghanwa, Mahesh Sham Rohera
  • Patent number: 11038950
    Abstract: A digital twin may be configured to perform blockchain transactions on behalf of a device with limited memory, limited compute power, and/or limited internet connectivity. A method for performing such a blockchain transaction includes hosting a digital twin for the capability limited device that has a unique identifier matching a unique identifier of the digital twin such that actions performed by the digital twin are attributable to the capability limited device. The method further includes receiving input for a set of blockchain operations at the system capable of performing the blockchain operations, from the capability limited device. The method further includes performing the set of blockchain operations at the system capable of performing the blockchain operations using the digital twin and the unique device identifier, such that performance of the set of blockchain operations is attributed to the capability limited device.
    Type: Grant
    Filed: August 14, 2018
    Date of Patent: June 15, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Miriam Berhane Russom, Eustace Ngwa Asanghanwa
  • Patent number: 11038678
    Abstract: A root of trust is established between a cloud and an edge device that communicates with the cloud. The root of trust may be embodied as a secret device key securely stored by the edge device and the cloud. The edge device receives arbitrary cloud modules (workloads) that include guest/tenant code that may communicate with the cloud and possibly local/leaf devices connected to or included with the edge device. The edge device extends or diversifies the root of trust to the cloud modules based on the device key. New keys are derived from the device key. The new keys are used to sign credentials (e.g. tokens or certificates) for the respective cloud modules. This provides each cloud module with its own trusted unique cloud identity that can be verified by the cloud using the cloud's copy of the device key.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: June 15, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Eustace Ngwa Asanghanwa, Angelo Roncalli Ribeiro, Mahesh Sham Rohera, Michael Richard Yagley
  • Patent number: 11030280
    Abstract: Creating a certificate for a software module. A method includes obtaining a public key for a software module. The method includes obtaining a public key for a software module implemented on a hardware device. The method further includes creating a certificate using the public key by signing the public key using a hardware protected key and hardware protected compute elements. The hardware protected key is protected by a protected portion of the hardware device, and not accessible outside of the protected portion of the hardware device.
    Type: Grant
    Filed: August 1, 2018
    Date of Patent: June 8, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Eustace Ngwa Asanghanwa, Arjmand Samuel
  • Patent number: 10970138
    Abstract: The disclosed technology is generally directed to IoT technology. In one example of the technology, the following actions are performed for each module of a plurality of modules on a first edge device. An identification message that includes information associated with identification of the module is received. The validity of the module is then verified. After the module is verified, based at least in part on the identification message, an IoT support service is selected from a plurality of IoT support services. The module is then caused to be registered with the selected IoT support service. The plurality of modules are compositable together into an application for the first edge device. The modules of the plurality of modules are capable of being used interoperably with other modules without altering the other modules.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: April 6, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Elio Damaggio, Chipalo Street, Eustace Ngwa Asanghanwa, Angelo Roncalli de Novaes Pires Ribeiro, Damon Luke Barry, Arjmand Samuel, Michael R. Yagley
  • Publication number: 20200394087
    Abstract: The disclosed technology is generally directed to IoT technology. In one example of the technology, the following actions are performed for each module of a plurality of modules on a first edge device. An identification message that includes information associated with identification of the module is received. The validity of the module is then verified. After the module is verified, based at least in part on the identification message, an IoT support service is selected from a plurality of IoT support services. The module is then caused to be registered with the selected IoT support service. The plurality of modules are compositable together into an application for the first edge device. The modules of the plurality of modules are capable of being used interoperably with other modules without altering the other modules.
    Type: Application
    Filed: August 27, 2020
    Publication date: December 17, 2020
    Inventors: Elio DAMAGGIO, Chipalo STREET, Eustace Ngwa ASANGHANWA, Angelo Roncalli de Novaes Pires RIBEIRO, Damon Luke BARRY, Arjmand SAMUEL, Michael R. YAGLEY
  • Publication number: 20200336322
    Abstract: A system meters execution of an application module at an edge computing device. A secure workload package is transmitted securely from a workload provisioning service to the edge computing device. The secure workload package includes the application module, a trusted metering application, and a provisioning service authentication token. The provisioning service authentication token is verified in the secure workload package based on an edge device authentication token generated at the edge computing device. The trusted metering application is executed in a trusted execution environment of the edge computing device, responsive to verifying the provisioning service authentication token. The application module of the edge computing device is executed, wherein the trusted metering application is configured to monitor execution metrics of the application module on the edge computing device. The execution of the application module is managed based on the monitored execution metrics.
    Type: Application
    Filed: April 19, 2019
    Publication date: October 22, 2020
    Inventors: Eustace Ngwa ASANGHANWA, Mahesh Sham ROHERA
  • Publication number: 20200153623
    Abstract: A root of trust is established between a cloud and an edge device that communicates with the cloud. The root of trust may be embodied as a secret device key securely stored by the edge device and the cloud. The edge device receives arbitrary cloud modules (workloads) that include guest/tenant code that may communicate with the cloud and possibly local/leaf devices connected to or included with the edge device. The edge device extends or diversifies the root of trust to the cloud modules based on the device key. New keys are derived from the device key. The new keys are used to sign credentials (e.g. tokens or certificates) for the respective cloud modules. This provides each cloud module with its own trusted unique cloud identity that can be verified by the cloud using the cloud's copy of the device key.
    Type: Application
    Filed: November 9, 2018
    Publication date: May 14, 2020
    Inventors: Eustace Ngwa Asanghanwa, Angelo Roncalli Ribeiro, Mahesh Sham Rohera, Michael Richard Yagley
  • Publication number: 20200089481
    Abstract: The disclosed technology provides for packaging a secure cloud workload at a workload provisioning service. A unique device identifier is received from an edge device. The unique identifier is associated with the edge device. A unique packaging key is cryptographically generated based on the received unique device identifier, a unique workload identifier corresponding to a secure cloud workload to be executed on the edge device, and a nonce. The secure cloud workload is encrypted to generate a packaged secure cloud workload using the cryptographically generated unique packaging key. The encrypted secure cloud workload is transmitted to the edge device. The edge device is capable of independently cryptographically generating the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The edge device is also capable of decrypting the packaged secure cloud workload using the generated unique packaging key cryptographically generated by the edge device.
    Type: Application
    Filed: September 14, 2018
    Publication date: March 19, 2020
    Inventors: Eustace Ngwa ASANGHANWA, Mahesh Sham ROHERA
  • Publication number: 20200092263
    Abstract: The disclosed technology provides for processing a secure cloud workload with an associated unique workload identifier received from a workload provisioning service including one or more workload provisioning servers at an edge device. A unique device identifier is provided to the one or more workload provisioning servers. The unique device identifier is associated with the edge device. A packaged secure cloud workload is received from the one or more workload provisioning servers and is encrypted by the one or more workload provisioning servers using a unique packaging key generated by the one or more workload provisioning servers based on the unique device identifier, the unique workload identifier, and a nonce. The edge device cryptographically generates the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The packaged secure cloud workload is decrypted using the generated unique packaging key cryptographically generated by the edge device.
    Type: Application
    Filed: September 14, 2018
    Publication date: March 19, 2020
    Inventors: Mahesh Sham ROHERA, Eustace Ngwa ASANGHANWA
  • Publication number: 20200059510
    Abstract: Performing blockchain operations on behalf of a capability limited device that is unable to perform the blockchain operations. The method includes hosting a digital twin for the capability limited device on a system capable of performing the blockchain operations. The capability limited device includes a unique device identifier. The digital twin also includes the unique device identifier, such that actions performed by the digital twin are attributable to the capability limited device. The method further includes receiving input for a set of blockchain operations at the system capable of performing the blockchain operations, from the capability limited device. The method further includes performing the set of blockchain operations at the system capable of performing the blockchain operations using the digital twin and the unique device identifier, such that performance of the set of blockchain operations is attributed to the capability limited device.
    Type: Application
    Filed: August 14, 2018
    Publication date: February 20, 2020
    Inventors: Miriam Berhane Russom, Eustace Ngwa Asanghanwa
  • Publication number: 20200042675
    Abstract: Creating a certificate for a software module. A method includes obtaining a public key for a software module. The method includes obtaining a public key for a software module implemented on a hardware device. The method further includes creating a certificate using the public key by signing the public key using a hardware protected key and hardware protected compute elements. The hardware protected key is protected by a protected portion of the hardware device, and not accessible outside of the protected portion of the hardware device.
    Type: Application
    Filed: August 1, 2018
    Publication date: February 6, 2020
    Inventors: Eustace Ngwa Asanghanwa, Arjmand Samuel
  • Publication number: 20180331916
    Abstract: The disclosed technology is generally directed to IoT technology. In one example of the technology, the following actions are performed for each module of a plurality of modules on a first edge device. An identification message that includes information associated with identification of the module is received. The validity of the module is then verified. After the module is verified, based at least in part on the identification message, an IoT support service is selected from a plurality of IoT support services. The module is then caused to be registered with the selected IoT support service. The plurality of modules are compositable together into an application for the first edge device. The modules of the plurality of modules are capable of being used interoperably with other modules without altering the other modules.
    Type: Application
    Filed: June 30, 2017
    Publication date: November 15, 2018
    Inventors: Elio DAMAGGIO, Chipalo STREET, Eustace Ngwa ASANGHANWA, Angelo Roncalli de Novaes Pires RIBEIRO, Damon Luke BARRY, Arjmand SAMUEL, Michael R. YAGLEY
  • Patent number: 9652431
    Abstract: Systems and techniques for single-wire communications are described. A described system includes a host device, and a slave device coupled with the host device via a single-wire bus. The host device can be configured to transmit synchronization information based on transitions over the single-wire bus. The slave device can be configured to detect the transitions on the single-wire bus, determine timing information of the host device based on a first transition of the transitions and a second transition of the transitions, determine a predicted start time of a host sampling window based on the timing information, and determine, based on a predicted charging duration, whether to perform a charge operation before the predicted start time or after a predicted end time of the host sampling window. The charge operation can include drawing power from the single-wire bus to charge the device.
    Type: Grant
    Filed: January 26, 2015
    Date of Patent: May 16, 2017
    Assignee: Atmel Corporation
    Inventor: Eustace Ngwa Asanghanwa
  • Publication number: 20160217100
    Abstract: Systems and techniques for single-wire communications are described. A described system includes a host device, and a slave device coupled with the host device via a single-wire bus. The host device can be configured to transmit synchronization information based on transitions over the single-wire bus. The slave device can be configured to detect the transitions on the single-wire bus, determine timing information of the host device based on a first transition of the transitions and a second transition of the transitions, determine a predicted start time of a host sampling window based on the timing information, and determine, based on a predicted charging duration, whether to perform a charge operation before the predicted start time or after a predicted end time of the host sampling window. The charge operation can include drawing power from the single-wire bus to charge the device.
    Type: Application
    Filed: January 26, 2015
    Publication date: July 28, 2016
    Inventor: Eustace Ngwa Asanghanwa