Abstract: Methods and apparatus to allocating and/or configuring persistent memory are described. In an embodiment, memory controller logic configures non-volatile memory into a plurality of partitions at least in part based on one or more attributes. One or more volumes (visible to an application or operating system) are formed from one or more of the plurality of partitions. Each of the one or more volumes includes one or more of the plurality of partitions having at least one similar attribute from the one or more attributes. In another embodiment, memory controller logic configures a Non-Volatile Memory (NVM) Dual Inline Memory Module (DIMM) into a persistent region and a volatile region. Other embodiments are also disclosed and claimed.

Abstract: Technologies for secure offline activation of hardware features include a target computing device having a platform controller hub (PCH) including a converged security and manageability engine (CSME) and a number of in-field programmable fuses (IFPs). During assembly of the target computing device by an original equipment manufacturer (OEM), the CSME is provided a list of hardware features to be activated. The CSME configures the IFPs to enable the requested features, generates a digital receipt including the activated features and a unique device ID, and signs the receipt using a unique device key. Signed receipts may be periodically submitted to a vendor computing device, which verifies the signed receipts, extracts the active feature list, and bills the OEM for activated features of the PCHs. The vendor computing device may bill the OEM a maximum price for PCHs for which there is no associated signed receipt. Other embodiments are described and claimed.

Abstract: Platform controller, computer-readable storage media, and methods associated with initialization of a computing device. In embodiments, a platform controller may comprise a boot controller and one or more non-volatile memory modules, coupled with the boot controller. In embodiments, the one or more non-volatile memory modules may have first instructions and second instructions stored thereon. The first instructions may, when executed by a processor of a computing device hosting the platform controller, cause initialization of the computing device. The second instructions, when executed by the boot controller, may cause the boot controller to monitor at least a portion of the execution of the first instructions by the computing device and may generate a trace of the monitored portion of the execution of the first instructions. In embodiments, the trace may be stored in the one or more non-volatile memory modules. Other embodiments may be described and/or claimed.

Abstract: Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein for tracking per-virtual machine (“VM”) resource usage independent of a virtual machine monitor (“VMM”). In various embodiments, a first logic unit may associate one or more virtual central processing units (“vCPUs”) operated by one or more physical processing units of a computing device with a first VM of a plurality of VMs operated by the computing device, and collect data about resources used by the one or more physical processing units to operate the one or more vCPUs associated with the first VM. In various embodiments, a second logic unit of the computing device may determine resource-usage by the first VM based on the collected data. In various embodiments, the first and second logic units may perform these functions independent of a VMM of the computing device.

Abstract: Apparatus, systems, and methods to implement a secure data partition in memory systems are described. In one example, a controller comprises logic to receive, in a system management mode mailbox, a memory partition creation request from a system management mode interface, wherein the memory partition creation request comprises at least one characteristic of a memory partition, authenticate the partition creation request and create a memory partition in a memory coupled to the controller in accordance with the at least one characteristic. Other examples are also disclosed and claimed.

Abstract: Methods and apparatus for tunneling platform management messages through inter-processor interconnects. Platform management messages are received from a management entity such as a management engine (ME) at a management component of a first processor targeted for a managed device operatively coupled to a second processor. Management message content is encapsulated in a tunnel message that is tunneled from the first processor to a second management component in the second processor via a socket-to-socket interconnect link between the processors. Once received at the second management component the encapsulated management message content is extracted and the original management message is recreated. The recreated management message is then used to manage the targeted device in a manner similar to if the ME was directly connected to the second processor. The disclosed techniques enable management of platform devices operatively coupled to processors in a multi-processor platform via a single management entity.

Abstract: Memory channel training parameters are function of electrical characteristics of memory devices, processor(s) and memory channel(s). Training steps can be skipped if the BIOS can determine that the memory devices, motherboard and processor have not changed since the last boot. Memory devices contain a serial number for tracking purposes and most motherboards contain a serial number. Many processors do not provide a mechanism by which the BIOS can track the processor. Described herein are techniques that allow the BIOS to track a processor and detect a swap without violating privacy/security requirements.

Abstract: Various embodiments are generally directed to the provision and use of various hardware and software components of a computing device to monitor the state of layered virtual machine (VM) monitoring software components. An apparatus includes a first processor element; and logic to receive an indication that a first timer has reached an end of a first period of time, monitor execution of a VMM (virtual machine monitor) watcher by a second processor element, determine whether the second processor element completes execution of the VMM watcher to verify integrity of a VMM before a second timer reaches an end of a second period of time, and transmit an indication of the determination to a computing device. Other embodiments are described and claimed.

Abstract: Methods and systems to perform platform security in conjunction with hardware-base root of trust logic are presented. In one embodiment, a method includes determining whether a status from an authenticated code module is indicative of an error or not. The method further includes determining whether the hardware-based root of trust logic is enabled based on content in a non-volatile memory location. If the hardware-based root of trust is enabled and the status is indicative of an error, the method further includes writing to the non-volatile memory location to disable hardware-based root of trust logic during a next boot sequence. In one embodiment, a platform initializes and uses the trusted platform module in conjunction with the hardware-based root of trust logic or with a platform-based root of trust logic.

Abstract: In one embodiment, the present invention provides an ability to handle an error occurring during a memory migration operation in a high availability system. In addition, a method can be used to dynamically remap a memory page stored in a non-mirrored memory region of memory to a mirrored memory region. This dynamic remapping may be responsive to a determination that the memory page has been accessed more than a threshold number of times, indicating a criticality of information on the page. Other embodiments are described and claimed.

Abstract: Methods and apparatus for tunneling platform management messages through inter-processor interconnects. Platform management messages are received from a management entity such as a management engine (ME) at a management component of a first processor targeted for a managed device operatively coupled to a second processor. Management message content is encapsulated in a tunnel message that is tunneled from the first processor to a second management component in the second processor via a socket-to-socket interconnect link between the processors. Once received at the second management component the encapsulated management message content is extracted and the original management message is recreated. The recreated management message is then used to manage the targeted device in a manner similar to if the ME was directly connected to the second processor. The disclosed techniques enable management of platform devices operatively coupled to processors in a multi-processor platform via a single management entity.

Abstract: Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein for tracking per-virtual machine (“VM”) resource usage independent of a virtual machine monitor (“VMM”). In various embodiments, a first logic unit may associate one or more virtual central processing units (“vCPUs”) operated by one or more physical processing units of a computing device with a first VM of a plurality of VMs operated by the computing device, and collect data about resources used by the one or more physical processing units to operate the one or more vCPUs associated with the first VM. In various embodiments, a second logic unit of the computing device may determine resource-usage by the first VM based on the collected data. In various embodiments, the first and second logic units may perform these functions independent of a VMM of the computing device.

Abstract: A method is described that includes detecting that a memory access of system management mode program code is attempting to reach program code outside of a protected region of memory by comparing a target memory address of a memory access instruction of the system management program code again information that defines confines of the protection region. The method also includes raising an error signal in response to the detecting.

Abstract: In one embodiment, the present invention includes a processor that has an on-die storage such as a static random access memory to store an architectural state of one or more threads that are swapped out of architectural state storage of the processor on entry to a system management mode (SMM). In this way communication of this state information to a system management memory can be avoided, reducing latency associated with entry into SMM. Embodiments may also enable the processor to update a status of executing agents that are either in a long instruction flow or in a system management interrupt (SMI) blocked state, in order to provide an indication to agents inside the SMM. Other embodiments are described and claimed.

Abstract: An apparatus and method for hardware protection of a virtual machine monitor (VMM) runtime integrity watcher is described. A set of one or more hardware range registers that protect a contiguous memory space that is to store the VMM runtime integrity watcher. The set of hardware range registers are to protect the VMM runtime integrity watcher from being modified when loaded into the contiguous memory space. The VMM runtime integrity watcher, when executed, performs an integrity check on a VMM during runtime of the VMM.

Abstract: In one embodiment, the present invention provides an ability to handle an error occurring during a memory migration operation in a high availability system. In addition, a method can be used to dynamically remap a memory page stored in a non-mirrored memory region of memory to a mirrored memory region. This dynamic remapping may be responsive to a determination that the memory page has been accessed more than a threshold number of times, indicating a criticality of information on the page. Other embodiments are described and claimed.

Abstract: In one embodiment, the present invention provides an ability to handle an error occurring during a memory migration operation in a high availability system. In addition, a method can be used to dynamically remap a memory page stored in a non-mirrored memory region of memory to a mirrored memory region. This dynamic remapping may be responsive to a determination that the memory page has been accessed more than a threshold number of times, indicating a criticality of information on the page. Other embodiments are described and claimed.

Abstract: Systems and methods for enabling Reliability, Availability & Serviceability features after launching a secure environment under the control of LaGrande Technology (LT), or comparable security technology, without compromising security are provided. In one embodiment, the method comprises adding at least one specific capability to a processor to enable at least one of CPU hot-plug, CPU migration, CPU hot removal and capacity on demand.

Abstract: Methods and systems to perform platform security in conjunction with hardware-base root of trust logic are presented. In one embodiment, a method includes determining whether a status from an authenticated code module is indicative of an error or not. The method further includes determining whether the hardware-based root of trust logic is enabled based on content in a non-volatile memory location. If the hardware-based root of trust is enabled and the status is indicative of an error, the method further includes writing to the non-volatile memory location to disable hardware-based root of trust logic during a next boot sequence. In one embodiment, a platform initializes and uses the trusted platform module in conjunction with the hardware-based root of trust logic or with a platform-based root of trust logic.

Abstract: Multi-node and multi-processor security management is described in this application. Data may be secured in a TPM of any one of a plurality of nodes, each node including one or more processors. The secured data may be protected using hardware hooks to prevent unauthorized access to the secured information. Security hierarchy may be put in place to protect certain memory addresses from access by requiring permission by VMM, OS, ACM or processor hardware. The presence of secured data may be communicated to each of the nodes to ensure that data is protected. Other embodiments are described.