Abstract: In one or more embodiments, one or more systems, one or more methods, and/or one or more processes may receive a request for a secure memory region with fault resiliency from first processor instructions being executed at a first processor privilege level; allocate a first enclave, in which the first enclave protects at least one of second processor instructions and data from being read by and from being altered by third processor instructions executing at a second processor privilege level; allocate a second enclave, in which the second enclave protects the at least one of the second processor instructions and the data from being read by and from being altered by the second processor instructions; store the at least one of the second processor instructions and the data in the first enclave; and mirror the at least one of the second processor instructions and the data in the second enclave.

Abstract: An information handling system may include at least one processor; and a memory coupled to the at least one processor. The information handling system may be configured to: execute an application on the at least one processor, wherein at least a portion of data of the application is stored encrypted in a secure enclave region of the memory; and securely transfer execution of the application to a second information handling system by: transmitting platform configuration register (PCR) measurement data to the second information handling system; and transmitting the data of the application to the second information handling system; wherein the PCR measurement data is usable by the second information handling system to perform a remote attestation, the remote attestation including verification of the PCR measurement data to confirm that the data of the application has not been changed.

Abstract: Methods, systems, and computer programs encoded on computer storage medium, for identifying storage devices of an IHS, wherein a BIOS of the IHS is associated with a first enumeration order of the storage devices; enumerating the storage devices such that a particular storage device of the storage devices is enumerated as the first enumerated storage device for both the BIOS and an OS of the IHS, including: determining that an OS installation mode is enabled, and in response, i) exposing only the particular storage device, and ii) disabling the remaining storage devices to; determining that a LUN is set by the BIOS as the first enumerated storage device, including setting an unique identifier (UID) for the particular storage device, and in response fetching data associated with the LUN based on the UID; parsing the LUN data; assigning, based on the parsing, the LUN as the first enumerated storage device.

Abstract: In one or more embodiments, one or more systems, one or more methods, and/or one or more processes may determine that an application executable by a processor of an information handling system is to be executed via an enclave; determine that the application has been compiled without an ability to execute within the enclave; store an enclave application in the enclave; store the application in the enclave; establish communications between the application and the enclave application; receive, by the enclave application, first information from the application in the enclave; call, by the enclave application, a first subroutine outside the enclave based at least on the first information; execute, by the enclave application, a second subroutine inside the enclave, in which the second subroutine receives second information from outside the enclave; and provide, by the enclave application, third information, based at least on the second information, to the application.

Abstract: An information handling system includes a first memory having a trusted memory region, wherein the trusted memory region is an area of execution that is protected from processes running in the information handling system outside the trusted memory region. A secure cryptographic module may receive a request to create the trusted memory region from a dependent application, and create a mapping of the trusted memory region along with an enhanced page cache address range mapped to a non-uniform memory access (NUMA) node. The module may also detect a NUMA migration event of the dependent application, identify the trusted memory region corresponding to the NUMA migration event, and migrate the trusted memory region from the NUMA node to another NUMA node.

Abstract: An information handling system includes a host bus adaptor (HBA) that receives a secured media device, and a processor that executes an operating system. In response to the operating system being booted, the baseboard management controller detects a hot plug insertion of the secure media device into the information handling system. The baseboard management controller retrieves a key for the secured media device. In response to the retrieving of the key, the baseboard management controller unlocks the secured media device. The baseboard management controller triggers an enumeration of the secured media device. In response to the trigger, a host bus adaptor driver of the processor enumerates the secured media device.

Abstract: In one or more embodiments, one or more systems, one or more methods, and/or one or more processes may determine that an application executable by a processor of an information handling system is to be executed via an enclave; determine that the application has been compiled without an ability to execute within the enclave; store an enclave application in the enclave; store the application in the enclave; establish communications between the application and the enclave application; receive, by the enclave application, first information from the application in the enclave; call, by the enclave application, a first subroutine outside the enclave based at least on the first information; execute, by the enclave application, a second subroutine inside the enclave, in which the second subroutine receives second information from outside the enclave; and provide, by the enclave application, third information, based at least on the second information, to the application.

Abstract: In one or more embodiments, one or more systems, one or more methods, and/or one or more processes may receive a request for a secure memory region with fault resiliency from first processor instructions being executed at a first processor privilege level; allocate a first enclave, in which the first enclave protects at least one of second processor instructions and data from being read by and from being altered by third processor instructions executing at a second processor privilege level; allocate a second enclave, in which the second enclave protects the at least one of the second processor instructions and the data from being read by and from being altered by the second processor instructions; store the at least one of the second processor instructions and the data in the first enclave; and mirror the at least one of the second processor instructions and the data in the second enclave.

Abstract: An information handling system includes a host bus adaptor (HBA) that receives a secured media device, and a processor that executes an operating system. In response to the operating system being booted, the baseboard management controller detects a hot plug insertion of the secure media device into the information handling system. The baseboard management controller retrieves a key for the secured media device. In response to the retrieving of the key, the baseboard management controller unlocks the secured media device. The baseboard management controller triggers an enumeration of the secured media device. In response to the trigger, a host bus adaptor driver of the processor enumerates the secured media device.

Abstract: An information handling system may include at least one processor; and a memory coupled to the at least one processor. The information handling system may be configured to: execute an application on the at least one processor, wherein at least a portion of data of the application is stored encrypted in a secure enclave region of the memory; and securely transfer execution of the application to a second information handling system by: transmitting platform configuration register (PCR) measurement data to the second information handling system; and transmitting the data of the application to the second information handling system; wherein the PCR measurement data is usable by the second information handling system to perform a remote attestation, the remote attestation including verification of the PCR measurement data to confirm that the data of the application has not been changed.

Abstract: An information handling system may include a persistent memory module and a basic input/output system (BIOS). The information handling system may be configured to: prior to initialization of an operating system, receive, at a configuration application of the BIOS, configuration information regarding the persistent memory module; in response to the configuration information, allocate a first portion of the persistent memory module to volatile system memory of the information handling system, a second portion of the persistent memory module to non-volatile storage of the information handling system, and a third portion of the persistent memory module to a dynamic memory area; and after initialization of the operating system, execute a memory manager configured to alter sizes of the first portion, the second portion, and the third portion, wherein the altering is carried out without performing a reboot of the information handling system.

Abstract: Methods, systems, and computer programs encoded on computer storage medium, for identifying storage devices of an IHS, wherein a BIOS of the IHS is associated with a first enumeration order of the storage devices; enumerating the storage devices such that a particular storage device of the storage devices is enumerated as the first enumerated storage device for both the BIOS and an OS of the IHS, including: determining that an OS installation mode is enabled, and in response, i) exposing only the particular storage device, and ii) disabling the remaining storage devices to; determining that a LUN is set by the BIOS as the first enumerated storage device, including setting an unique identifier (UID) for the particular storage device, and in response fetching data associated with the LUN based on the UID; parsing the LUN data; assigning, based on the parsing, the LUN as the first enumerated storage device.

Abstract: An information handling system may include one or more processors, a memory system communicatively coupled to the one or more processors, and a program of instructions embodied in non-transitory computer readable media and configured to, when read and executed by the one or more processors, create operating system level-mirroring of address spaces for data associated with one or more processes executing on the one or more processors and dynamically reallocate address spaces used for mirroring of the data for a process of the one or more processes from a first address space to a second address space responsive to a determination that a number of correctable bit errors of a memory page associated with the first address space exceeds a threshold.

Abstract: An information handling system may include one or more processors, a memory system communicatively coupled to the one or more processors, and a program of instructions embodied in non-transitory computer readable media and configured to, when read and executed by the one or more processors, create operating system level-mirroring of address spaces for data associated with one or more processes executing on the one or more processors and dynamically reallocate address spaces used for mirroring of the data for a process of the one or more processes from a first address space to a second address space responsive to a determination that a number of correctable bit errors of a memory page associated with the first address space exceeds a threshold.

Abstract: In accordance with embodiments of the present disclosure, a management controller configured to provide management-domain management of an information handling system may include a processor and a key management utility embodied in non-transitory computer-readable media. The key management utility may be configured to issue one or more commands to a cryptoprocessor for storing and sealing a key encryption key on the cryptoprocessor, wherein the key encryption key is for decrypting a media encryption key for encrypting and decrypting data stored to a storage resource of a host domain of the information handling system. The key management utility may also be configured to issue one or more commands to the cryptoprocessor for unsealing and retrieving the key encryption key from the cryptoprocessor.

Abstract: Systems and methods are disclosed for securing an information handling system. A method for securing an information handling system may include securing the information handling system in an enclosure with a locking mechanism of a bezel; receiving a request to unlock the bezel at a baseboard management controller (BMC), the BMC communicatively coupled to the bezel; retrieving a first artifact stored in a trusted platform module (TPM) in response to the request; attempting to authorize the request using the first artifact; and unlocking the locking mechanism if the request is authorized.

Abstract: Systems and methods are disclosed for securing an information handling system. A method for securing an information handling system may include securing the information handling system in an enclosure with a locking mechanism of a bezel; receiving a request to unlock the bezel at a baseboard management controller (BMC), the BMC communicatively coupled to the bezel; retrieving a first artifact stored in a trusted platform module (TPM) in response to the request; attempting to authorize the request using the first artifact; and unlocking the locking mechanism if the request is authorized.

Abstract: Methods and systems for efficient boot from a connected device are described. In an embodiment, a method for efficient boot from a connected device may include initializing a base processor device for boot and configuration of an information handling system from a connected device. The method may also include initializing at least one secondary processor for parallel processing of one or more initialization functions. Additionally, the method may include offloading one or more initialization functions to the one or more secondary processors in response to a predetermined trigger event.

Abstract: In accordance with embodiments of the present disclosure, a management controller configured to provide management-domain management of an information handling system may include a processor and a key management utility embodied in non-transitory computer-readable media. The key management utility may be configured to issue one or more commands to a cryptoprocessor for storing and sealing a key encryption key on the cryptoprocessor, wherein the key encryption key is for decrypting a media encryption key for encrypting and decrypting data stored to a storage resource of a host domain of the information handling system. The key management utility may also be configured to issue one or more commands to the cryptoprocessor for unsealing and retrieving the key encryption key from the cryptoprocessor.

Abstract: Methods and systems for efficient boot from a connected device are described. In an embodiment, a method for efficient boot from a connected device may include initializing a base processor device for boot and configuration of an information handling system from a connected device. The method may also include initializing at least one secondary processor for parallel processing of one or more initialization functions. Additionally, the method may include offloading one or more initialization functions to the one or more secondary processors in response to a predetermined trigger event.