Abstract: An apparatus comprises a processing device configured to determine, utilizing a firmware-based agent running in firmware, a boot flag status during a boot process of the processing device. The processing device is also configured to execute, responsive to the boot flag status being a first value, a system update handler of the firmware-based agent configured for provisioning of a secured runtime operating system on the processing device, wherein the provisioning comprises digitally signing an image of the secured runtime operating system utilizing a hardware-based root of trust key. The processing device is further configured to execute, responsive to the boot flag status being a second value, a secured operating system boot handler of the firmware-based agent configured for validating and loading secured runtime operating system, wherein the validation comprises performing attestation of a signature of the image of the secured runtime operating system utilizing the hardware-based root of trust key.

Abstract: An information handling system may validate a connection request received from a trusted platform module (TPM)-virtual (vTPM) module according to a policy, wherein the connection request originated from a virtual machine associated with the TPM-vTPM module which consumes services from a clustered vTPM domain service. In response to determining that the connection request is valid based on the policy, the system may determine the vTPM domain service associated to the TPM-vTPM module, and determine whether to route or redirect the connection request according to policy. In response to determining that the connection request is to be redirected, the system may transmit a response to the TPM-vTPM module, wherein the response includes redirect information to the vTPM domain service. In response to determining that the connection request is to be routed, the system may route the connection request to the vTPM domain service.

Abstract: An information handling system includes a virtual trusted platform module (TPM) consumer associated with a virtual machine. The virtual TPM (vTPM) consumer may consume TPM services from a clustered vTPM domain service and determine the connection information of the vTPM domain service. The vTPM consumer transmits a connection request for a TPM operation request to the vTPM domain service, wherein the connection request includes a payload in addition to the connection information. The consumer may also receive a response associated with the TPM operation request from the vTPM domain service.

Abstract: An apparatus comprises a processing device configured to receive, at a web browser from a web-based service running on a web server, a request for signature of one or more messages using at least one cryptographic key pair comprising a public key made accessible to the web-based service running on the web server and a private key maintained in secure storage accessible to the web browser. The processing device is also configured to generate, at the web browser, one or more interface features permitting a given user to accept or deny the request for signature and, responsive to the given user accepting the request for signature of a given message, digitally signing the given message utilizing the private key of the cryptographic key pair. The processing device is further configured to provide, from the web browser to the web-based service, a response comprising the digital signature of the given message.

Abstract: An information handling system may determine a personality flag value during a boot process, and execute a system update handler configured for connecting to a control plane. The system may also provision a software application in a current operating system environment or erase the existing operating system and provisional new environment including receiving the software application responsive to a secure profile and validating the software application prior to loading.

Abstract: An information handling system may determine a personality flag value during a boot process and execute, responsive to detecting that the information handling system entered a secure environment and based on the personality flag value, a system update handler configured for discovering and connecting to a control plane. The system may also provision a secure ephemeral operating system, including receiving an image of the secure ephemeral operating system from the control plane responsive to a secure profile and validating the image prior to loading the secure ephemeral operating system to a random access memory.

Abstract: An apparatus comprises a processing device configured to determine, utilizing a firmware-based agent running in firmware, a boot flag status during a boot process of the processing device. The processing device is also configured to execute, responsive to the boot flag status being a first value, a system update handler of the firmware-based agent configured for provisioning of a secured runtime operating system on the processing device, wherein the provisioning comprises digitally signing an image of the secured runtime operating system utilizing a hardware-based root of trust key. The processing device is further configured to execute, responsive to the boot flag status being a second value, a secured operating system boot handler of the firmware-based agent configured for validating and loading secured runtime operating system, wherein the validation comprises performing attestation of a signature of the image of the secured runtime operating system utilizing the hardware-based root of trust key.