Patents by Inventor Jiewen Yao

Jiewen Yao has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12314397
    Abstract: Various embodiments provide apparatuses, systems, and methods for establishing, by a data object exchange (DOE entity) of a peripheral component interconnect express (PCIe) device, a first session for communication between a first host entity of a host device and a first PCIe entity of the PCIe device, and a second session for communication between a second host entity of the host device and a second PCIe entity of the PCIe device. The first session may have a first security policy and be a session of a first connection between the PCIe device and the host device. The second session may have a second security policy and be a session of a second connection between the PCIe device and the host device. Other embodiments may be described and claimed.
    Type: Grant
    Filed: January 14, 2022
    Date of Patent: May 27, 2025
    Assignee: Intel Corporation
    Inventors: Jiewen Yao, David Harriman, Xiaoyu Ruan, Mahesh Natu
  • Publication number: 20250168018
    Abstract: Examples include techniques to implement confidential computing with a remote device via use of trust domains. Examples are described of establishing secure communication sessions between a trust domain supported by a hardware processor core on a first host platform and an input/output (I/O) device resident on a second host platform.
    Type: Application
    Filed: March 30, 2022
    Publication date: May 22, 2025
    Inventors: Ravi SAHITA, Jiewen YAO, Utkarsh Y. KAKAIYA
  • Patent number: 12293182
    Abstract: An embodiment of a semiconductor package apparatus may include technology to determine version information for a new firmware component, read dependency information corresponding to the firmware component, and determine if dependency is satisfied between the new firmware component and one or more other firmware components based on the version information and the dependency information of the new firmware component. Other embodiments are disclosed and claimed.
    Type: Grant
    Filed: November 29, 2023
    Date of Patent: May 6, 2025
    Assignee: Intel Corporation
    Inventors: Vincent Zimmer, Jiewen Yao
  • Publication number: 20250139305
    Abstract: Examples include techniques to implement mutual authentication for confidential computing. Examples are described of implementing mutual authentication for confidential computing that includes use of local attestation.
    Type: Application
    Filed: March 31, 2022
    Publication date: May 1, 2025
    Inventors: Ravi SAHITA, Jiewen YAO
  • Patent number: 12271325
    Abstract: A system management mode (SMM) runtime resiliency manager (SRM) augments computing resource protection policies provided by an SMM policy shim. The SMM shim protects system resources by deprivileging system management interrupt (SMI) handlers to a lower level of privilege (e.g., ring 3 privilege) and by configuring page tables and register bitmaps (e.g., I/O, MSR, and Save State register bitmaps). SRM capabilities include protecting the SMM shim, updating the SMM shim, protecting a computing system during SMM shim update, detecting SMM attacks, and recovering attacked or faulty SMM components.
    Type: Grant
    Filed: March 24, 2022
    Date of Patent: April 8, 2025
    Assignee: Intel Corporation
    Inventors: Jiewen Yao, Vincent Zimmer
  • Publication number: 20250068556
    Abstract: A system includes memory circuitry to store a secure shared memory buffer (SSMB) and instructions; and a processor to create the SSMB in the memory circuitry and assign ownership of the SSMB to an SSMB owner, the SSMB owner being a trusted execution environment virtual machine running on the computing system; configure access permissions for the SSMB by the SSMB owner to allow one or more SSMB users to access the SSMB, the one or more SSMB users being trusted execution environment virtual machines running on the computing system; allocate memory by the SSMB owner from the SSMB owner's private memory space in the memory circuitry for the SSMB; and allowing secure access by the one or more SSMB users to the SSMB in response to successfully verifying authorization of the one or more SSMB users based at least in part on the access permissions.
    Type: Application
    Filed: September 28, 2022
    Publication date: February 27, 2025
    Applicant: Intel Corporation
    Inventors: Arie AHARON, Jiewen YAO
  • Publication number: 20250061203
    Abstract: A method comprises establishing, in a trusted security manager of a trusted execution environment, a device update pre-authentication policy for a device communicatively coupled to the trusted execution manager, providing the device update pre-authentication policy to the device, receiving, from the device, a pre-authentication event signal, and providing, to the device, a pre-authentication event response comprising an update indicator to indicate to the device whether a runtime update may be performed.
    Type: Application
    Filed: February 25, 2022
    Publication date: February 20, 2025
    Applicant: Intel Corporation
    Inventors: Shamanna DATTA, Mahesh NATU, Jiewen YAO, Xiaoyu RUAN, Andrew Martyn DRAPER, Raghunandan MAKARAM, Alberto MUNOZ
  • Publication number: 20250060987
    Abstract: A method and system for implementing software trusted platform module (swTPM) for a virtual machine (VM). A guest VM is set up in the system. A tenant trust domain (TTD) or a Software Guard Extension (SGX) enclave is also set up in the system, and a swTPM for the guest VM is executed within the TTD or the SGX enclave. The tenant workload and the guest VM may be measured, and the measurements may be extended into Platform Configuration Registers (PCRs) in the swTPM via a swTPM interface in the guest VM. TPM secrets may be stored in a secure storage in the SGX enclave. The TTD may take runtime measurements of the tenant workload, the guest VM, and/or the swTPM.
    Type: Application
    Filed: September 26, 2024
    Publication date: February 20, 2025
    Inventors: Ned M. SMITH, Vincent R. SCARLATA, James BEANEY, JR., Jiewen YAO
  • Patent number: 12130924
    Abstract: Methods and apparatus for seamless SMM (System Management Mode) global driver update based on SMM Root-of-Trust. Mechanisms are provided to load and replace SMM drivers at runtime in a secure manner, without requiring an SMM firmware update and platform reset. SMM code is executed by BIOS during boot in a hidden area of memory called SMRAM space. Seamless update using an SMM Global Driver Update provides a method to load and replace all SMM drivers (including SMM infrastructure) on an already shipped platform production for purposes such as bug fixes. The principles and teachings may also be applied to update other types of secure execution mode code in addition to SMM code.
    Type: Grant
    Filed: December 26, 2020
    Date of Patent: October 29, 2024
    Assignee: Intel Corporation
    Inventors: Sarathy Jayakumar, Jiewen Yao, Murugasamy K Nachimuthu, Ruixia Li, Siyuan Fu
  • Publication number: 20240320322
    Abstract: Systems, methods, and apparatuses for implementing a trusted execution environment security manager are described. In one example, hardware processor includes a hardware processor core comprising a trust domain manager to manage one or more hardware isolated virtual machines as a respective trust domain, a coupling between the hardware processor core and an input/output device, and a secure startup service circuit separate from the trust domain manager to, in response to a request from the trust domain manager, generate a secure communication session between the trust domain manager and the input/output device.
    Type: Application
    Filed: December 20, 2021
    Publication date: September 26, 2024
    Inventors: Jiewen Yao, Vedvyas Shanbhogue, Ravi Sahita
  • Publication number: 20240168754
    Abstract: An embodiment of a semiconductor package apparatus may include technology to determine version information for a new firmware component, read dependency information corresponding to the firmware component, and determine if dependency is satisfied between the new firmware component and one or more other firmware components based on the version information and the dependency information of the new firmware component. Other embodiments are disclosed and claimed.
    Type: Application
    Filed: November 29, 2023
    Publication date: May 23, 2024
    Applicant: Intel Corporation
    Inventors: Vincent Zimmer, Jiewen Yao
  • Patent number: 11875147
    Abstract: An embodiment of a semiconductor package apparatus may include technology to determine version information for a new firmware component, read dependency information corresponding to the firmware component, and determine if dependency is satisfied between the new firmware component and one or more other firmware components based on the version information and the dependency information of the new firmware component. Other embodiments are disclosed and claimed.
    Type: Grant
    Filed: August 26, 2021
    Date of Patent: January 16, 2024
    Assignee: Intel Corporation
    Inventors: Vincent Zimmer, Jiewen Yao
  • Publication number: 20230289433
    Abstract: Systems, methods, and apparatuses for implementing device security manager architecture for trusted execution environment input/output (TEE-IO) capable system-on-a-chip integrated devices are described. In one example, a system includes a hardware processor core configurable to implement a trust domain manager to manage one or more virtual machines as a respective trust domain isolated from a virtual machine monitor, and an input/output device coupled to the hardware processor core and comprising a device security manager circuit, wherein the device security manager circuit is to, in response to a trusted request from the trust domain manager to a control interface of the device security manager circuit, access a state of a trusted device interface of the input/output device for a trust domain of the trust domain manager, and provide a corresponding response to the trust domain manager.
    Type: Application
    Filed: January 13, 2023
    Publication date: September 14, 2023
    Inventors: Utkarsh Y. Kakaiya, Jiewen Yao
  • Publication number: 20230013235
    Abstract: A system management mode (SMM) runtime resiliency manager (SRM) augments computing resource protection policies provided by an SMM policy shim. The SMM shim protects system resources by deprivileging system management interrupt (SMI) handlers to a lower level of privilege (e.g., ring 3 privilege) and by configuring page tables and register bitmaps (e.g., I/O, MSR, and Save State register bitmaps). SRM capabilities include protecting the SMM shim, updating the SMM shim, protecting a computing system during SMM shim update, detecting SMM attacks, and recovering attacked or faulty SMM components.
    Type: Application
    Filed: March 24, 2022
    Publication date: January 19, 2023
    Applicant: Intel Corporation
    Inventors: Jiewen Yao, Vincent Zimmer
  • Publication number: 20220179961
    Abstract: Various embodiments provide apparatuses, systems, and methods for establishing, by a data object exchange (DOE entity) of a peripheral component interconnect express (PCIe) device, a first session for communication between a first host entity of a host device and a first PCIe entity of the PCIe device, and a second session for communication between a second host entity of the host device and a second PCIe entity of the PCIe device. The first session may have a first security policy and be a session of a first connection between the PCIe device and the host device. The second session may have a second security policy and be a session of a second connection between the PCIe device and the host device. Other embodiments may be described and claimed.
    Type: Application
    Filed: January 14, 2022
    Publication date: June 9, 2022
    Inventors: Jiewen YAO, David HARRIMAN, Xiaoyu RUAN, Mahesh NATU
  • Patent number: 11354417
    Abstract: A disclosed example apparatus includes memory; and at least one processor to execute first instructions, the first instructions obtained from first encrypted firmware, the at least one processor to: encrypt handoff data with an original equipment manufacturer key to generate encrypted handoff data; decrypt second encrypted firmware based on the original equipment manufacturer key to generate second instructions; and provide access to the encrypted handoff data to the second instructions, the second instructions to perform initialization of a computer based on the handoff data obtained from the encrypted handoff data.
    Type: Grant
    Filed: January 4, 2021
    Date of Patent: June 7, 2022
    Assignee: McAfee, LLC
    Inventors: Jiewen Yao, Rangasai V. Chaganty, Xiang Ma, Ravi Poovalur Rangarajan, Rajesh Poornachandran, Nivedita Aggarwal, Giri P. Mudusuru, Vincent J. Zimmer, Satya P. Yarlagadda, Amy Chan, Sudeep Das
  • Patent number: 11249748
    Abstract: An embodiment of a semiconductor package apparatus may include technology to determine version information for a new firmware component, read dependency information corresponding to the firmware component, and determine if dependency is satisfied between the new firmware component and one or more other firmware components based on the version information and the dependency information of the new firmware component. Other embodiments are disclosed and claimed.
    Type: Grant
    Filed: September 27, 2017
    Date of Patent: February 15, 2022
    Assignee: Intel Corporation
    Inventors: Vincent Zimmer, Jiewen Yao
  • Publication number: 20210389944
    Abstract: An embodiment of a semiconductor package apparatus may include technology to determine version information for a new firmware component, read dependency information corresponding to the firmware component, and determine if dependency is satisfied between the new firmware component and one or more other firmware components based on the version information and the dependency information of the new firmware component. Other embodiments are disclosed and claimed.
    Type: Application
    Filed: August 26, 2021
    Publication date: December 16, 2021
    Applicant: Intel Corporation
    Inventors: Vincent Zimmer, Jiewen Yao
  • Publication number: 20210365559
    Abstract: Methods and apparatus for seamless system management mode (SMM) code injection. A code injection listener is installed in BIOS during booting of the computer system or platform. During operating system (OS) runtime operation a secure execution mode code injection image comprising injected code is received and delivered to the BIOS. The processor execution mode is switched to a secure execution mode such as SMM, and while in the secure execution mode the injected code is accessed and executed on the processor to effect one or more changes such as patching processor microcode, a profile or policy reconfiguration, and a security fix. The solution enables platform changes to be effected during OS runtime without having to reboot the system.
    Type: Application
    Filed: August 2, 2021
    Publication date: November 25, 2021
    Inventors: Sarathy Jayakumar, Jiewen Yao, Murugasamy Nachimuthu, Ruixia Li, Siyuan Fu, Chuan SONG, Wei Xu
  • Patent number: 11068276
    Abstract: The present disclosure is directed to controlled customization of silicon initialization. A device may comprise, for example, a boot module including a memory on which boot code is stored, the boot code including at least an initial boot block (IBB) module that is not customizable and a global platform database (GPD) module including customizable data. The IBB module may include a pointer indicating GPD module location. The customizable data may comprise configurable parameters and simple configuration language (SCL) to cause the device to execute at least one logical operation during execution of the boot code. The GPD module may further comprise a pointer indicating SCL location. The boot code may be executed upon activation of the device, which may cause the IBB module to load an interpreter for executing the SCL. The interpreter may also verify access request operations in the SCL are valid before executing the access request operations.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: July 20, 2021
    Assignee: Intel Corporation
    Inventors: Jiewen Yao, Vincent Zimmer, Nicholas Adams, Willard Wiseman, Giri Mudusuru, Nuo Zhang