Abstract: Briefly, one embodiment of a platform for generating and utilizing a protected audit log is described. The platform comprises a system memory and a memory to contain an audit log. The audit log includes a plurality of single-write, multiple read entries. At least one of the entries of the audit log includes stored data integrity information loaded into the system memory during its power cycle.

Abstract: A method and apparatus is described herein for supporting direct memory accesses between peer I/O devices. It is determined whether a guest physical address (GPA) referenced by an access generated from an I/O device, is within a range of GPAs associated with local I/O devices based at least in part on a GPA base and a GPA window size. If the GPA is within the window, then the GPA is translated to an HPA based at least in part on a base HPA associated with a local device and then forwarded to that local device. However, if the GPA is not within the window, then the access is forwarded upstream.

Abstract: A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.

Abstract: In one embodiment, a method comprises generating a cryptographic key pair associated with a data center. The method also includes storing a private key of the cryptographic key pair within a platform. The private key is used to sign a value stored in the platform for validation of inclusion of the platform into the data center. In an embodiment, the private key is revoked upon determining that the platform has been compromised. In one embodiment, the private key may be revoked in each of the platforms of the data center.

Abstract: In one embodiment, a method for utilizing a pseudonym to protect the identity of a platform and its user is described. The method comprises producing a pseudonym that includes a public pseudonym key. The public pseudonym key is placed in a certificate template. Hash operations are performed on the certificate template to produce a certificate hash value, which is transformed from the platform. Thereafter, a signed result is returned to the platform. The signed result is a digital signature for the transformed certificate hash value. Upon performing an inverse transformation of the signed result, a digital signature of the certificate hash value is recovered. This digital signature may be used for data integrity checks for subsequent communications using the pseudonym.

Abstract: A method and apparatus for resetting and modifying special registers in a security token is described. In one embodiment, a register may be reset when a reset flag is true when a special transmission on a bus demonstrates the mutual locality of the associated processor and chipset. A modify flag may also be used to indicate whether the register contents may be modified. Modifications may also be dependent upon demonstration of mutual locality.

Abstract: An apparatus and method for unilaterally loading a secure operating system within a multiprocessor environment are described. The method includes disregarding a received load secure region instruction when a currently active load secure region operation is detected. Otherwise, a memory protection element is directed, in response to the received load secure region instruction, to form a secure memory environment. Once directed, unauthorized read/write access to one or more protected memory regions are prohibited. Finally, a cryptographic hash value of the one or more protected memory regions is stored within a digest information repository as a secure software identification value. Once stored, outside agents may request access to a digitally signed software identification value in order to establish security verification of secure software within the secure memory environment.

Abstract: A method and system of deadlock free bus protection of memory and I/O resources during secure execution. A bus cycle initiates entry of a bus agent into a secure execution mode. The chipset records an identifier of the secure mode processor. Thereafter, the chipset intercedes if another bus agent attempts a security sensitive bus cycle before the secure mode processor exits the secure mode.

Abstract: In an embodiment of the present invention, a technique is provided for remote attestation. An interface maps a device via a bus to an address space of a chipset in a secure environment for an isolated execution mode. The secure environment is associated with an isolated memory area accessible by at least one processor. The at least one processor operates in one of a normal execution mode and the isolated execution mode. A communication storage corresponding to the address space allows the device to exchange security information with the at least one processor in the isolated execution mode in a remote attestation.

Abstract: A chipset is initialized in a secure environment for an isolated execution mode by an initialization storage. The secure environment has a plurality of executive entities and is associated with an isolated memory area accessible by at least one processor. The at least one processor has a plurality of threads and operates in one of a normal execution mode and the isolated execution mode. The executive entities include a processor executive (PE) handler. PE handler data corresponding to the PE handler are stored in a PE handler storage. The PE handler data include a PE handler image to be loaded into the isolated memory area after the chipset is initialized. The loaded PE handler image corresponds to the PE handler.

Abstract: In one embodiment, a method for certifying an attestation key comprises generating a remote attestation key pair within a platform and producing a certificate. The certificate includes a public attestation key to attest that a private attestation key, corresponding to the public attestation key, is stored in hardware-protected memory.

Abstract: A processor includes a feature control unit to enable or disable one or more processor features individually in response to a user selectable setting. The feature control unit is adapted to disable the processor feature(s) if the user setting has not been updated in accordance with an input regardless of the value of the user setting prior to the update and to enable or disable the processor feature(s) in accordance with the updated user setting after it has been updated. The feature control unit may also include a lock unit to prevent changes to the updated user setting and a software feature selection unit to enable or disable processor features in response to a software feature selection setting and, optionally, only enable or disable processor features whose corresponding updated user setting is user enabled. The feature control unit may also include mechanisms to detect illegal feature selection conditions.

Abstract: A system and method for secure distribution of a video card public key. The method provides for loading an authentication code module into a processor, authenticating the authentication code module, and executing the authentication code module. Executing the authentication module causes the authentication code module to assert a hardware indicator to access at least one address in a special protected page on a chipset. Receipt of the hardware indicator by the chipset causes a specific reference to be sent via a dedicated port to a circuit card to retrieve a public key from the circuit card.

Abstract: In one embodiment, a method of remote attestation for a special mode of operation. The method comprises storing an audit log within protected memory of a platform. The audit log is a listing of data representing each of a plurality of IsoX software modules loaded into the platform. The audit log is retrieved from the protected memory in response to receiving a remote attestation request from a remotely located platform. Then, the retrieved audit log is digitally signed to produce a digital signature for transfer to the remotely located platform.

Abstract: Delivering a Direct Proof private key to a device installed in a client computer system in the field may be accomplished in a secure manner without requiring significant non-volatile storage in the device. A unique pseudo-random value is generated and stored in the device at manufacturing time. The pseudo-random value is used to generate a symmetric key for encrypting a data structure holding a Direct Proof private key and a private key digest associated with the device. The resulting encrypted data structure is stored on a protected on-liner server accessible by the client computer system. When the device is initialized on the client computer system, the system checks if a localized encrypted data structure is present in the system. If not, the system obtains the associated encrypted data structure from the protected on-line server using a secure protocol.

Abstract: Secure storage and retrieval of a unique value associated with a device to/from a memory of a processing system. In at least one embodiment, the device needs to be able to access the unique value across processing system resets, and the device does not have sufficient non-volatile storage to store the unique value itself. Instead, the unique value is stored in the processing system memory in such a way that the stored unique value does not create a unique identifier for the processing system or the device. A pseudo-randomly or randomly generated initialization vector may be used to vary an encrypted data structure used to store the unique value in the memory.

Abstract: In one embodiment, a method of remote attestation for a special mode of operation. The method comprises storing an audit log within protected memory of a platform. The audit log is a listing of data representing each of a plurality of IsoX software modules loaded into the platform. The audit log is retrieved from the protected memory in response to receiving a remote attestation request from a remotely located platform. Then, the retrieved audit log is digitally signed to produce a digital signature for transfer to the remotely located platform.

Abstract: Delivering a Direct Proof private key in a signed group of keys to a device installed in a client computer system in the field may be accomplished in a secure manner without requiring significant non-volatile storage in the device. A unique pseudo-random value is generated and stored along with a group number in the device at manufacturing time. The pseudo-random value is used to generate a symmetric key for encrypting a data structure holding a Direct Proof private key and a private key digest associated with the device. The resulting encrypted data structure is stored in a signed group of keys (e.g., a signed group record) on a removable storage medium (such as a CD or DVD), and distributed to the owner of the client computer system. When the device is initialized on the client computer system, the system checks if a localized encrypted data structure is present in the system.

Abstract: Delivering a Direct Proof private key to a device installed in a client computer system in the field may be accomplished in a secure manner without requiring significant non-volatile storage in the device. A unique pseudo-random value is generated and stored in the device at manufacturing time. The pseudo-random value is used to generate a symmetric key for encrypting a data structure holding a Direct Proof private key and a private key digest associated with the device. The resulting-encrypted data structure is stored on a removable storage medium (such as a CD), and distributed to the owner of the client computer system. When the device is initialized on the client computer system, the system checks if a localized encrypted data structure is present in the system. If not, the system obtains the associated encrypted data structure from the removable storage medium.

Abstract: In one embodiment, a method for utilizing a pseudonym to protect the identity of a platform and its user is described. The method comprises producing a pseudonym that includes a public pseudonym key. The public pseudonym key is placed in a certificate template. Hash operations are performed on the certificate template to produce a certificate hash value, which is transformed from the platform. Thereafter, a signed result is returned to the platform. The signed result is a digital signature for the transformed certificate hash value. Upon performing an inverse transformation of the signed result, a digital signature of the certificate hash value is recovered. This digital signature may be used for data integrity checks for subsequent communications using the pseudonym.