Abstract: Described are examples for authenticating a device including detecting an event related to communications with a trusted platform module (TPM) device, performing, in response to detecting the event, one or more security-related functions with the TPM device, such as generating and/or signing one or more digital certificates, which may be based on one or more keys on the TPM device.

Abstract: Methods and devices for creating a secure log of security events may include receiving a historical digest representing approved historical security events associated with a trusted network of devices. The methods and devices may include receiving one or more new security events. The methods and devices may include calculating, when a period of time has expired, a hash based on at least the historical digest and the one or more new security events and determining if a value of the hash is less than a value threshold. The methods and devices may include storing a new security event digest corresponding to a respective hash having a respective value less than the value threshold, wherein the new security event digest is confirmed by one or more trusted devices in the trusted network of devices.

Abstract: Techniques for a trust service for a client device are described. In various implementations, a trust service is implemented remotely from a client device and provides various trust-related functions to the client device. According to various implementations, communication between a client device and a remote trust service is authenticated by a client identifier (ID) that is maintained by both the client device and the remote trust service. In at least some implementations, the client ID is stored on a location of the client device that is protected from access by (e.g., is inaccessible to) device components such as an operating system, applications, and so forth. Thus, the client ID may be utilized to generate signatures to authenticate communications between the client device and the remote trust service.

Abstract: The techniques and systems described herein are directed to providing targeted, secure software deployment in a computing system. An identity of the computing device can be determined and verified using a trusted platform module (TPM) of the computing device, and a software update can be expressly configured to operate solely on the computing device. Further, a configuration of the computing device can be ascertained using platform configuration registers (PCRs) of the TPM to determine that the computing device has not been modified from a trusted configuration. For example, if malware or unauthorized software is operating on the computing device, the software update may be prevented from being installed. Further, the software update can be targeted for a particular computing device, such that when the software update is received at the computing device, the software update may not be duplicated and provided to an additional, unauthorized device.

Abstract: Techniques for utilizing a trusted platform module of a host device are described. According to various embodiments, a client device that does not include a trusted platform module (TPM) may leverage a TPM of a host device to provide trust services to the client device.

Abstract: Systems and methods for facilitating a trusted platform module (TPM) or other protector mechanism that provides a device with a trusted device capability store. To provide the device with a trusted device capability store, a fingerprint of an endorsement key that is associated with the TPM or other protector mechanism can be imprinted into firmware of the device. By imprinting the fingerprint into the firmware, the device can determine whether or not the TPM or other protector mechanism the device is communicating with is the TPM or other protector mechanism associated with the device. The TPM or other protector mechanism can include the endorsement key, the trusted device capability store, and an access policy. The trusted device capability store can include one or more capabilities associated with the device. The access policy can indicate both unauthorized read access and authorized write access associated with the TPM or other protector mechanism.

Abstract: Techniques are provided to ensure isolation of trusted input/output devices using a Secure Crypto-Processor. Secure IO lines may be used to drive devices that have a higher integrity requirement and to do attestation of sensor readings. Enhanced authorization policies may be used to enforce policies on interaction with IO devices. A bus master controller may also be provided in a Secure Crypto-Processor. Individual devices on an isolated Secure Crypto-Processor bus may be mapped to Indices so that read and write operations can be associated with Secure-Crypto-Processor-enforced authorization policies. The Secure Crypto-Processor may further provide means of attestation for complex data read from an input/output device that may be signed with the device identity to show strong origination proof of that data.

Abstract: Techniques for a trust service for a client device are described. In various implementations, a trust service is implemented remotely from a client device and provides various trust-related functions to the client device. According to various implementations, communication between a client device and a remote trust service is authenticated by a client identifier (ID) that is maintained by both the client device and the remote trust service. In at least some implementations, the client ID is stored on a location of the client device that is protected from access by (e.g., is inaccessible to) device components such as an operating system, applications, and so forth. Thus, the client ID may be utilized to generate signatures to authenticate communications between the client device and the remote trust service.

Abstract: Techniques for utilizing a trusted platform module of a host device are described. According to various embodiments, a client device that does not include a trusted platform module (TPM) may leverage a TPM of a host device to provide trust services to the client device.

Abstract: Described are examples for authenticating a device including detecting an event related to communications with a trusted platform module (TPM) device, performing, in response to detecting the event, one or more security-related functions with the TPM device, such as generating and/or signing one or more digital certificates, which may be based on one or more keys on the TPM device.

Abstract: Methods and devices for creating a secure log of security events may include receiving a historical digest representing approved historical security events associated with a trusted network of devices. The methods and devices may include receiving one or more new security events. The methods and devices may include calculating, when a period of time has expired, a hash based on at least the historical digest and the one or more new security events and determining if a value of the hash is less than a value threshold. The methods and devices may include storing a new security event digest corresponding to a respective hash having a respective value less than the value threshold, wherein the new security event digest is confirmed by one or more trusted devices in the trusted network of devices.

Abstract: The techniques and systems described herein are directed to providing targeted, secure software deployment in a computing system. An identity of the computing device can be determined and verified using a trusted platform module (TPM) of the computing device, and a software update can be expressly configured to operate solely on the computing device. Further, a configuration of the computing device can be ascertained using platform configuration registers (PCRs) of the TPM to determine that the computing device has not been modified from a trusted configuration. For example, if malware or unauthorized software is operating on the computing device, the software update may be prevented from being installed. Further, the software update can be targeted for a particular computing device, such that when the software update is received at the computing device, the software update may not be duplicated and provided to an additional, unauthorized device.

Abstract: Techniques for utilizing a trusted platform module of a host device are described. According to various embodiments, a client device that does not include a trusted platform module (TPM) may leverage a TPM of a host device to provide trust services to the client device.

Abstract: Techniques for a trust service for a client device are described. In various implementations, a trust service is implemented remotely from a client device and provides various trust-related functions to the client device. According to various implementations, communication between a client device and a remote trust service is authenticated by a client identifier (ID) that is maintained by both the client device and the remote trust service. In at least some implementations, the client ID is stored on a location of the client device that is protected from access by (e.g., is inaccessible to) device components such as an operating system, applications, and so forth. Thus, the client ID may be utilized to generate signatures to authenticate communications between the client device and the remote trust service.

Abstract: Systems and methods for facilitating a trusted platform module (TPM) or other protector mechanism that provides a device with a trusted device capability store. To provide the device with a trusted device capability store, a fingerprint of an endorsement key that is associated with the TPM or other protector mechanism can be imprinted into firmware of the device. By imprinting the fingerprint into the firmware, the device can determine whether or not the TPM or other protector mechanism the device is communicating with is the TPM or other protector mechanism associated with the device. The TPM or other protector mechanism can include the endorsement key, the trusted device capability store, and an access policy. The trusted device capability store can include one or more capabilities associated with the device. The access policy can indicate both unauthorized read access and authorized write access associated with the TPM or other protector mechanism.

Abstract: Techniques are provided to ensure isolation of trusted input/output devices using a Secure Crypto-Processor. Secure IO lines may be used to drive devices that have a higher integrity requirement and to do attestation of sensor readings. Enhanced authorization policies may be used to enforce policies on interaction with IO devices. A bus master controller may also be provided in a Secure Crypto-Processor. Individual devices on an isolated Secure Crypto-Processor bus may be mapped to Indices so that read and write operations can be associated with Secure-Crypto-Processor-enforced authorization policies. The Secure Crypto-Processor may further provide means of attestation for complex data read from an input/output device that may be signed with the device identity to show strong origination proof of that data.

Abstract: Techniques for utilizing a trusted platform module of a host device are described. According to various embodiments, a client device that does not include a trusted platform module (TPM) may leverage a TPM of a host device to provide trust services to the client device.

Abstract: Techniques for a trust service for a client device are described. In various implementations, a trust service is implemented remotely from a client device and provides various trust-related functions to the client device. According to various implementations, communication between a client device and a remote trust service is authenticated by a client identifier (ID) that is maintained by both the client device and the remote trust service. In at least some implementations, the client ID is stored on a location of the client device that is protected from access by (e.g., is inaccessible to) device components such as an operating system, applications, and so forth. Thus, the client ID may be utilized to generate signatures to authenticate communications between the client device and the remote trust service.