Patents by Inventor Ludovic Emmanuel Paul Noel JACQUIN

Ludovic Emmanuel Paul Noel JACQUIN has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200193025
    Abstract: A method of certifying a state of a platform includes receiving one or more software elements of a software stack of the platform by an authentication module and performing a hash algorithm on the software stack to generate one or more hash values. The software stack uniquely determines a software state of the platform. The method includes generating creation data, a creation hash, and a creation ticket, corresponding to the hash values and sending the creation ticket to the platform. The method also includes receiving the creation ticket by the authentication module and certifying the creation data and the creation hash based on the creation ticket. The method further includes generating a certified structure based on the creation data and performing the hash algorithm on the certified structure to generate a hash of the certified structure. The certified structure uniquely determines the software state of the platform.
    Type: Application
    Filed: December 17, 2018
    Publication date: June 18, 2020
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Hamza Attak, Nigel Edwards
  • Patent number: 10686612
    Abstract: Examples set out herein provide a method comprising using first cryptographic key data specific to a computing device to verify a package of machine readable instructions to run on the computing device. The verified package may be executed to generate a random number using a true random number generator of the computing device, and to store the generated random number. Second cryptographic key data may be generated by a pseudorandom number generator of the computing device based on a seed comprising a combination of the random number as a first seed portion and a second seed portion. A portion of the second cryptographic key data may be sent to a certifying authority. The method may further comprise receiving a certification value based on the sent portion of the second cryptographic key data from the certifying authority and storing the certification value.
    Type: Grant
    Filed: July 30, 2015
    Date of Patent: June 16, 2020
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Liqun Chen, Fraser Dickin, Chris I. Dalton
  • Publication number: 20200119929
    Abstract: A method for secure data protection includes generating a firmware digital certificate for a layer of firmware. The firmware operates a hardware component of a compute node. The firmware digital certificate is an attribute certificate. The firmware digital certificate includes a cumulative hash of the layer of firmware and a nonce. The cumulative hash includes a concatenation of a hash of the layer of firmware and a hash of each one or more lower layers of the firmware. The method includes authenticating the layer of firmware using a trusted data store. The trusted data store includes a binary image of an expected layer of firmware and a certificate chain comprising the hardware digital certificate and the firmware digital certificate.
    Type: Application
    Filed: October 10, 2018
    Publication date: April 16, 2020
    Inventors: Nigel Edwards, Ludovic Emmanuel Paul Noel Jacquin, Tom Laffey, Theofrastos Koulouris
  • Publication number: 20200117804
    Abstract: Secure management of computing code is provided herein. The computing code corresponds to computing programs including firmware and software that are stored in the memory of a computing device. When a processor attempts to read or execute computing code, a security controller measures that code and/or corresponding program, thereby generating a security measurement value. The security controller uses the security measurement value to manage access to the memory. The security measurement value can be analyzed together with integrity values of the computing programs, which are calculated while holding the reset of the processor. The integrity values indicate the validity or identity of the stored computing programs, and provide a reference point with which computing programs being read or executed can be compared. The security controller can manage access to memory based on the security measurement value by hiding or exposing portions of the memory to the processor.
    Type: Application
    Filed: October 12, 2018
    Publication date: April 16, 2020
    Inventors: Thomas M. Laffey, Ludovic Emmanuel Paul Noel Jacquin, Nigel Edwards
  • Patent number: 10491513
    Abstract: Examples relate to packet tagging in Software Defined Networks (SDN). In an example, at least one SDN switch of an SDN marks a packet passing through the SDN switch with a packet tag, wherein the packet tag comprises an identifier of the SDN switch and a digest of a set of network forwarding rules of the SDN switch. Some examples generate, by a verifier, a verifier tag comprising the identifier of the at least one SDN switch and the digest of the set of network forwarding rules of the at least one SDN switch obtained from a network rules table and a network topology table stored in the verifier. Some examples receive, at a particular network element and from a verifier of the SDN, a request for attestation of the packet. Some examples check, by a verification engine, the packet tag against the verifier tag.
    Type: Grant
    Filed: January 20, 2017
    Date of Patent: November 26, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Hamza Attak, Ludovic Emmanuel Paul Noel Jacquin
  • Patent number: 10425282
    Abstract: A computing device having instructions that when executed by a processor may: receive, from a verifier, a request for attestation of a current network configuration of the computing device; identify network configuration rules, each network configuration rule specifying an action to be taken by the computing device in response to receiving a particular type of network traffic; generate, for each network configuration rule, a rule abstraction that represents the network configuration rule; provide data representing each rule abstraction to a trusted component; receive, from the trusted component, response data comprising i) data representing each rule abstraction, and ii) a digital signature; and provide the response data to the verifier as attestation proof of the current network configuration of the computing device.
    Type: Grant
    Filed: November 28, 2014
    Date of Patent: September 24, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Adrian Shaw, Chris I. Dalton
  • Publication number: 20190278913
    Abstract: A method comprising: launching, by a pre-boot environment, a pre-boot launch enclave (LE); creating, by the pre-boot LE, a launch token for a pre-boot quoting enclave (QE); authenticating, by the pre-boot LE, the launch token; launching, by the pre-boot environment with the launch token in response to the authentication, the pre-boot QE; generating, by the pre-boot QE, a public provisioning key, a private provisioning key, and an attestation key; verifying, by the pre-boot QE with a public key, authenticity of a device; securing, by the pre-boot QE with the public provisioning key, private provisioning key, and the public key, a communication channel with the device; encrypting, by the pre-boot QE with a system specific seal key, the public provisioning key, the private provisioning key, and the attestation key; and storing, by the pre-boot QE, the encrypted public provisioning key, the encrypted private provisioning key, and the encrypted attestation key in the device.
    Type: Application
    Filed: March 8, 2018
    Publication date: September 12, 2019
    Inventors: Geoffrey Ndu, Ludovic Emmanuel Paul Noel Jacquin, Nigel Edwards
  • Publication number: 20190227810
    Abstract: Examples relate to integrity reports. In an implementation, an entity for executing a function is launched, the entity operating one or more files for executing the function. In response to the entity being launched, an entity image integrity report is generated comprising, for one or more files operated by the entity, a reference to the file measurement in a first integrity report, the first integrity report containing measurements of a plurality of files operable in one or more entities. Alternatively, in response to the entity being launched, an entity integrity report is generated comprising a file measurement for each of the files operated by the entity.
    Type: Application
    Filed: January 22, 2018
    Publication date: July 25, 2019
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Hamza Attak, Nigel Edwards, Guilherme de Campos Magalhaes
  • Publication number: 20190220599
    Abstract: A system comprising an inner kernel of an operating system (OS) running at a higher privilege level than an outer kernel of the OS, the inner kernel to measure a data structure in a memory; a device including a measurement engine to measure the data structure in the memory, wherein the device operates independently of the OS; and a trusted execution environment including an application to compare measurements from the inner kernel and the measurement engine.
    Type: Application
    Filed: January 17, 2018
    Publication date: July 18, 2019
    Inventors: Geoffrey Ndu, Ludovic Emmanuel Paul Noel Jacquin, Nigel Edwards
  • Patent number: 10242195
    Abstract: Examples described herein include a computing device with a processing resource to execute beginning booting instructions of the computing device. The beginning booting instructions may include a first booting instruction. The computing device also includes an access line to access the first booting instruction, a measuring engine to duplicate the first booting instruction and to generate a first integrity value associated with the first booting instruction, and a measurement register to store the first integrity value. The measuring engine may be operationally screened from the processing resource and the measurement register may be inaccessible to the processing resource.
    Type: Grant
    Filed: July 22, 2016
    Date of Patent: March 26, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Thomas M. Laffey, Adrian Shaw
  • Publication number: 20180212824
    Abstract: Examples relate to packet tagging in Software Defined Networks (SDN). In an example, at least one SDN switch of an SDN marks a packet passing through the SDN switch with a packet tag, wherein the packet tag comprises an identifier of the SDN switch and a digest of a set of network forwarding rules of the SDN switch. Some examples generate, by a verifier, a verifier tag comprising the identifier of the at least one SDN switch and the digest of the set of network forwarding rules of the at least one SDN switch obtained from a network rules table and a network topology table stored in the verifier. Some examples receive, at a particular network element and from a verifier of the SDN, a request for attestation of the packet. Some examples check, by a verification engine, the packet tag against the verifier tag.
    Type: Application
    Filed: January 20, 2017
    Publication date: July 26, 2018
    Inventors: Hamza Attak, Ludovic Emmanuel Paul Noel Jacquin
  • Publication number: 20180152305
    Abstract: Examples set out herein provide a method comprising using first cryptographic key data specific to a computing device to verify a package of machine readable instructions to run on the computing device. The verified package may be executed to generate a random number using a true random number generator of the computing device, and to store the generated random number. Second cryptographic key data may be generated by a pseudorandom number generator of the computing device based on a seed comprising a combination of the random number as a first seed portion and a second seed portion. A portion of the second cryptographic key data may be sent to a certifying authority. The method may further comprise receiving a certification value based on the sent portion of the second cryptographic key data from the certifying authority and storing the certification value.
    Type: Application
    Filed: July 30, 2015
    Publication date: May 31, 2018
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Liqun Chen, Fraser Dickin, Chris Dalton
  • Publication number: 20180025159
    Abstract: Examples described herein include a computing device with a processing resource to execute beginning booting instructions of the computing device. The beginning booting instructions may include a first booting instruction. The computing device also includes an access line to access the first booting instruction, a measuring engine to duplicate the first booting instruction and to generate a first integrity value associated with the first booting instruction, and a measurement register to store the first integrity value. The measuring engine may be operationally screened from the processing resource and the measurement register may be inaccessible to the processing resource.
    Type: Application
    Filed: July 22, 2016
    Publication date: January 25, 2018
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Thomas M. Laffey, Adrian Shaw
  • Publication number: 20170302454
    Abstract: In an example, memory address encryption is facilitated for transactions between electronic circuits in a memory fabric. An electronic circuit may obtain a transaction integrity key and a transaction encryption key. The electronic circuit may encrypt an address using the transaction encryption key and compute a truncated message authentication code (MAC) using the transaction integrity key.
    Type: Application
    Filed: October 30, 2014
    Publication date: October 19, 2017
    Applicant: Hewlett Packard Enterprise Development LP
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Liqun Chen, Chris I. Dalton
  • Publication number: 20170230245
    Abstract: Examples relate to verifying network elements. In one example, a computing device may: receive, from a client device, a request for attestation of a back-end network, the request including back-end configuration requirements; obtain, from a network controller that controls the back-end network, a controller configuration that specifies each network element included in the back-end network; provide each network element included in the back-end network with a request for attestation of a network element configuration of the network element; receive, from each network element, response data that specifies the network element configuration of the network element; verify that the response data received from each network element meets the back-end configuration requirements included in the request for attestation of the back-end network; and provide the client device with data verifying that the back-end network meets the back-end configuration requirements.
    Type: Application
    Filed: November 28, 2014
    Publication date: August 10, 2017
    Inventors: Ludovic Emmanuel Paul Noel JACQUIN, Adrian SHAW, Chris I. DALTON
  • Publication number: 20170222878
    Abstract: Examples relate to verifying a network configuration. In one example, a computing device may: receive, from a verifier, a request for attestation of a current network configuration of the computing device; identify network configuration rules, each network configuration rule specifying an action to be taken by the computing device in response to receiving a particular type of network traffic; generate, for each network configuration rule, a rule abstraction that represents the network configuration rule; provide data representing each rule abstraction to the trusted component; receive, from the trusted component, response data comprising i) data representing each rule abstraction, and ii) a digital signature; and provide the response data to the verifier as attestation proof of the current network configuration of the computing device.
    Type: Application
    Filed: November 28, 2014
    Publication date: August 3, 2017
    Inventors: Ludovic Emmanuel Paul Noel JACQUIN, Adrian SHAW, Chris I. DALTON