Patents by Inventor Guerney D. H. Hunt

Guerney D. H. Hunt has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11868460
    Abstract: A computer program product includes one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions include program instructions to authenticate an application as authorized to perform encryption and program instructions to receive data at an authenticated encryption layer. The program instructions include program instructions to encrypt the data using an encryption key, wherein the encryption key is not available to the application, and program instructions to generate a watermark token of the encrypted data. The program instructions include program instructions to generate a watermark of the encrypted data using the watermark token and a watermark key and program instructions to send the encrypted data, the watermark token, and the watermark to a storage system. The storage system is configured to verify the encrypted data for storage using the watermark key.
    Type: Grant
    Filed: March 5, 2021
    Date of Patent: January 9, 2024
    Assignee: International Business Machines Corporation
    Inventors: Guerney D. H. Hunt, Steven Robert Hetzler
  • Patent number: 11743241
    Abstract: A computer-implemented method includes receiving, by a transcoder, second encrypted data. The second encrypted data is data that has been encrypted in a first key to create first encrypted data that is then encrypted in a second key to create the second encrypted data. The method includes receiving the second key and decrypting the second encrypted data using the second key to obtain the first encrypted data. The method includes encrypting the first encrypted data using a third key to create third encrypted data, and sending the third encrypted data to a destination node. A computer-implemented method includes receiving, by a transcoder, a second encrypted key. The second encrypted key is a key that has been encrypted in a first key to create a first encrypted key that is then encrypted in a second key to create the second encrypted key.
    Type: Grant
    Filed: December 30, 2020
    Date of Patent: August 29, 2023
    Assignee: International Business Machines Corporation
    Inventors: Steven Robert Hetzler, Guerney D. H. Hunt
  • Publication number: 20230058965
    Abstract: A system includes an authenticated encryption layer comprising logic configured to encrypt data received at the authenticated encryption layer from an authorized application at a source node. The data is encrypted using a first key to obtain first encrypted data. The logic is configured to encrypt the first encrypted data using a second key to obtain second encrypted data and generate a watermark for the first encrypted data and/or a watermark for the second encrypted data. The logic is configured to generate a watermark token for the first encrypted data and/or a watermark token for the second encrypted data.
    Type: Application
    Filed: August 17, 2021
    Publication date: February 23, 2023
    Inventors: John Stewart Best, Guerney D. H. Hunt, Wayne C. Hineman, Steven Robert Hetzler
  • Publication number: 20230040900
    Abstract: A single input/output (I/O) controller for both secure partitionable endpoints (PEs) and non-secure PEs is enabled in a trusted execution environment (TEE) where secure memory portions are isolated from non-secure PEs. Security attributes for certain endpoints indicate secure memory access privilege of owning entities of the certain endpoints. A security monitor has exclusive access to the address translation control tables (TCE) stored in secure memory associated with a secure endpoint. When owning entity reassignment occurs, the endpoints are reinitialized to support a change in ownership from an outgoing owning entity having secure memory access and an incoming owning entity not having secure memory access.
    Type: Application
    Filed: July 27, 2021
    Publication date: February 9, 2023
    Inventors: Debapriya Chatterjee, Guerney D. H. Hunt, Eric Norman Lais
  • Patent number: 11556482
    Abstract: A processor receives, from a requestor, a first request containing a virtual address. Based on the first request, the processor determines a real address corresponding to the virtual address, encrypts at least a portion of the real address to obtain a cryptographic secure real address, and returns the cryptographic secure real address to the requestor. Based on receiving a second request specifying a request address, the processor decrypts the request address to validate the request address as the cryptographic secure real address. Based on validating the request address as the cryptographic secure real address, the processor allows access to a resource of the data processing system identified by the real address.
    Type: Grant
    Filed: September 30, 2021
    Date of Patent: January 17, 2023
    Assignee: International Business Machines Corporation
    Inventors: Guerney D. H. Hunt, Charles R. Johns, Florian Auernhammer, Charanjit Singh Jutla
  • Patent number: 11503030
    Abstract: A service processor is provided that includes a processor, a memory coupled to the processor and having instructions for executing an operating system kernel having an integrity management subsystem, secure boot firmware, and a tamper-resistant secure trusted dedicated microprocessor. The secure boot firmware performs a secure boot operation to boot the operating system kernel of the service processor. The secure boot firmware records first measurements of code executed by the secure boot firmware when performing the boot operation, in one or more registers of the tamper-resistant secure trusted dedicated microprocessor. The operating system kernel enables the integrity management subsystem. The integrity management subsystem records second measurements of software executed by the operating system kernel, in the one or more registers of the tamper-resistant secure trusted dedicated microprocessor.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: November 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Patrick J. Callaghan, Kenneth A. Goldman, Guerney D. H. Hunt, Elaine R. Palmer, Dimitrios Pendarakis, David R. Safford, Brian D. Valentine, George C. Wilson, Miriam Zohar
  • Patent number: 11477172
    Abstract: Various embodiments for securing data compression in a computer environment are presented. Encryption cycles of a data compression stream may be optimized by applying a first type of encryption on a first section and a last section of compressed data and a second type of encryption on a middle section of compressed data, the first type of encryption containing key information relating to the middle section of the compressed data.
    Type: Grant
    Filed: January 24, 2020
    Date of Patent: October 18, 2022
    Assignee: International Business Machines Corporation
    Inventors: Bulent Abali, Guerney D. H. Hunt, Paul Gregory Crumley
  • Patent number: 11461474
    Abstract: The present disclosure relates to a process-based virtualization system comprising a data processing unit. The system comprises a computer readable storage media, wherein a first memory component of the computer readable storage media is configured for access by an OS, secure and non-secure applications and the firmware, and wherein a second memory component of the computer readable storage media is configured for access by the firmware and not by the OS and the non-secure application. The data processing unit is configured to operate in a first mode of operation that executes a non-secure application process using the OS, and to operate in a second mode of operation that executes the secure application using the firmware, thereby executing application code using the second memory component.
    Type: Grant
    Filed: January 24, 2020
    Date of Patent: October 4, 2022
    Assignee: International Business Machines Corporation
    Inventors: Jentje Leenstra, Paul Mackerras, Benjamin Herrenschmidt, Bradly George Frey, John Martin Ludden, Guerney D. H. Hunt, David Campbell
  • Publication number: 20220284087
    Abstract: A computer program product includes one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions include program instructions to authenticate an application as authorized to perform encryption and program instructions to receive data at an authenticated encryption layer. The program instructions include program instructions to encrypt the data using an encryption key, wherein the encryption key is not available to the application, and program instructions to generate a watermark token of the encrypted data. The program instructions include program instructions to generate a watermark of the encrypted data using the watermark token and a watermark key and program instructions to send the encrypted data, the watermark token, and the watermark to a storage system. The storage system is configured to verify the encrypted data for storage using the watermark key.
    Type: Application
    Filed: March 5, 2021
    Publication date: September 8, 2022
    Inventors: Guerney D. H. Hunt, Steven Robert Hetzler
  • Publication number: 20220210139
    Abstract: A computer-implemented method includes receiving, by a transcoder, second encrypted data. The second encrypted data is data that has been encrypted in a first key to create first encrypted data that is then encrypted in a second key to create the second encrypted data. The method includes receiving the second key and decrypting the second encrypted data using the second key to obtain the first encrypted data. The method includes encrypting the first encrypted data using a third key to create third encrypted data, and sending the third encrypted data to a destination node. A computer-implemented method includes receiving, by a transcoder, a second encrypted key. The second encrypted key is a key that has been encrypted in a first key to create a first encrypted key that is then encrypted in a second key to create the second encrypted key.
    Type: Application
    Filed: December 30, 2020
    Publication date: June 30, 2022
    Inventors: Steven Robert Hetzler, Guerney D. H. Hunt
  • Publication number: 20220207191
    Abstract: A computer-implemented method includes receiving, by a source node, a request from a destination node for data stored in a region of shared memory controlled by the source node. The data is encrypted in a local key of the source node. The method includes decrypting, by the source node, the locally encrypted data using the local key and encrypting, by the source node, the decrypted data using a first key for generating first encrypted data. The method also includes encrypting, by the source node, the first encrypted data using a second key for generating second encrypted data, and sending, by the source node, the second encrypted data to the destination node. A computer program product includes one or more computer readable storage media and program instructions collectively stored on the one or more computer readable storage media. The program instructions include program instructions to perform the foregoing method.
    Type: Application
    Filed: December 30, 2020
    Publication date: June 30, 2022
    Inventors: Steven Robert Hetzler, Guerney D. H. Hunt, Charles R. Johns, James A. Kahle
  • Publication number: 20220198064
    Abstract: A method, system and apparatus for provisioning a computation into a trusted execution environment, including verifying the trusted execution environment, generating integrity information of the computation, generating sealed data, sending information of the computation, the sealed data, and integrity information to the trusted execution environment, confirming the sealed data, and verifying integrity of the computation information from the integrity information and the computation information.
    Type: Application
    Filed: December 22, 2020
    Publication date: June 23, 2022
    Inventors: Guerney D. H. Hunt, Dimitrios Pendarakis, Kenneth Alan Goldman, Elaine R. Palmer, Ramachandra Pai
  • Publication number: 20220198070
    Abstract: A method, system and apparatus for generating a computation such that it will execute in a target trusted execution environment (TEE), including selecting the target TEE, generating an authorization that is satisfied by a TEE, associating the authorization with the computation that executes in the TEE that is authorized, and generating the computation with the associated authorization.
    Type: Application
    Filed: December 22, 2020
    Publication date: June 23, 2022
    Inventors: Guerney D. H. Hunt, Dimitrios Pendarakis, Kenneth Alan Goldman, Elaine R. Palmer, Ramachandra Pai
  • Patent number: 11176255
    Abstract: Mechanisms for booting a service processor are provided. With these mechanisms, the service processor executes a secure boot operation of secure boot firmware to boot an operating system kernel of the service processor. The secure boot firmware records first measurements of code executed by the secure boot firmware when performing the boot operation, in one or more registers of a tamper-resistant secure trusted dedicated microprocessor of the service processor. The operating system kernel executing in the service processor enables an integrity management subsystem of the operating system kernel which records second measurements of software executed by the operating system kernel, in the one or more registers of the tamper-resistant secure trusted dedicated microprocessor.
    Type: Grant
    Filed: December 13, 2019
    Date of Patent: November 16, 2021
    Assignee: International Business Machines Corporation
    Inventors: Patrick J. Callaghan, Kenneth A. Goldman, Guerney D. H. Hunt, Elaine R. Palmer, Dimitrios Pendarakis, David R. Safford, Brian D. Valentine, George C. Wilson, Miriam Zohar
  • Publication number: 20210232693
    Abstract: The present disclosure relates to a process-based virtualization system comprising a data processing unit. The system comprises a computer readable storage media, wherein a first memory component of the computer readable storage media is configured for access by an OS, secure and non-secure applications and the firmware, and wherein a second memory component of the computer readable storage media is configured for access by the firmware and not by the OS and the non-secure application. The data processing unit is configured to operate in a first mode of operation that executes a non-secure application process using the OS, and to operate in a second mode of operation that executes the secure application using the firmware, thereby executing application code using the second memory component.
    Type: Application
    Filed: January 24, 2020
    Publication date: July 29, 2021
    Inventors: Jentje Leenstra, Paul Mackerras, Benjamin Herrenschmidt, Bradly George Frey, John Martin Ludden, Guerney D. H. Hunt, David Campbell
  • Publication number: 20210234841
    Abstract: Various embodiments for securing data compression in a computer environment are presented. Encryption cycles of a data compression stream may be optimized by applying a first type of encryption on a first section and a last section of compressed data and a second type of encryption on a middle section of compressed data, the first type of encryption containing key information relating to the middle section of the compressed data.
    Type: Application
    Filed: January 24, 2020
    Publication date: July 29, 2021
    Applicant: International Business Machines Corporation
    Inventors: Bulent Abali, Guerney D. H. Hunt, Paul Gregory Crumley
  • Patent number: 11068607
    Abstract: A secure cloud computing environment protects the confidentiality of application code from a customer while simultaneously protecting the confidentiality of a customer's data from intentional or inadvertent leaks by the application code. This result is accomplished without the need to trust the application code and without requiring human surveillance or intervention. A client secure virtual machine (SVM) is accessible by a client who supplies commands, operand data and application data. An appliance SVM has the application code loaded therein and includes an application program interface that accesses a memory area shared by both SVMs. All access to the appliance SVM is initially revoked by an ultravisor, except for the shared memory and an encrypted persistent storage. The appliance SVM stores the application data in the persistent storage. The ultravisor manages an SVM by maintaining exclusive control over a device tree used by the operating system of the SVM.
    Type: Grant
    Filed: March 10, 2018
    Date of Patent: July 20, 2021
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Jonathan D. Bradbury, William E. Hall, Guerney D. H. Hunt, Jentje Leenstra, Jeb R. Linton, James A. O'Connor, Jr., Elaine R. Palmer, Dimitrios Pendarakis
  • Publication number: 20210110037
    Abstract: An embodiment of the invention may include a method, computer program product, and computer system for monitoring a computing device. The embodiment includes retrieving data from physical components of the method. The embodiment includes converting the data to at least one spectral format. The embodiment includes analyzing the converted data with a spectral detector. The embodiment includes performing a remediation action of the code anomaly based on detecting a code anomaly by the spectral detector.
    Type: Application
    Filed: October 10, 2019
    Publication date: April 15, 2021
    Inventors: Guerney D. H. Hunt, Elaine R. Palmer, Gregory A. Porpora, Aaron Potler
  • Patent number: 10831889
    Abstract: A system, a method, and a computer program product for secure memory implementation for secure execution of virtual machines are provided. Data is processed in a first mode and a second mode, and commands are sent to a chip interconnect bus using real addresses, wherein the chip interconnect bus transports a number of bits for the real addresses. A memory controller is operatively coupled to a memory component. A secure memory range is specified by using range registers. If the real address is detected to be in the secure memory range to match a memory component address, a real address bit is set. If the real address is in the memory address hole, a security access violation is detected. If the real address is not in the secure address range and the real address bit is set, the security access violation is detected.
    Type: Grant
    Filed: August 13, 2019
    Date of Patent: November 10, 2020
    Assignee: International Business Machines Corporation
    Inventors: William E. Hall, Guerney D. H. Hunt, Ronald N. Kalla, Jentje Leenstra, Paul Mackerras, William J. Starke, Jeffrey A. Stuecheli
  • Patent number: 10802990
    Abstract: Hardware mechanisms are provided for performing hardware based access control of instructions to data. These hardware mechanisms associate an instruction access policy label with an instruction to be processed by a processor and associate an operand access policy label with data to be processed by the processor. The instruction access policy label is passed along with the instruction through one or more hardware functional units of the processor. The operand access policy label is passed along with the data through the one or more hardware functional units of the processor. One or more hardware implemented policy engines associated with the one or more hardware functional units of the processor are utilized to control access by the instruction to the data based on the instruction access policy label and the operand access policy label.
    Type: Grant
    Filed: October 6, 2008
    Date of Patent: October 13, 2020
    Assignee: International Business Machines Corporation
    Inventors: William E. Hall, Guerney D. H. Hunt, Paul A. Karger, Mark F. Mergen, David R. Safford, David C. Toll