Abstract: This document describes systems and techniques for deriving identity and root keys for embedded systems. In aspects, a boot process and key manager of an embedded system may implement a secure or trusted boot process for embedded systems in which code of next-level boot loader or software image is verified using root keys or other protected information before execution of the boot process is passed to the next stage in the boot process. Alternatively or additionally, the key manager may enable sealing and attestation of various levels of root and identity keys to enable respective verification of software or hardware throughout a life cycle of a device to prevent unauthorized access to protected or private code of an embedded system. By so doing, the described aspects may enable an embedded system with a secure boot process and robust identity and root key management system.

Abstract: This document describes techniques and apparatuses for reliable Flash storage, which may enable reliable read, write, and erase operations for Flash storage. In aspects, data may be stored in a Flash memory device through the use of two or more pages. A primary page may be determined from the two or more pages as an appropriate page to perform storage operations. An empty entry may be determined within the primary page and data may be stored within the empty entry. After data is written to an entry, previous entries may be invalidated, such as to prevent the access or attempted use of invalid or deprecated data. In doing so, prior entries may only be altered once a new entry has been stored within the Flash device. Accordingly, the described techniques and apparatuses may enable reliable Flash storage.

Abstract: This document describes systems and techniques for deriving identity and root keys for embedded systems. In aspects, a boot process and key manager of an embedded system may implement a secure or trusted boot process for embedded systems in which code of next-level boot loader or software image is verified using root keys or other protected information before execution of the boot process is passed to the next stage in the boot process. Alternatively or additionally, the key manager may enable sealing and attestation of various levels of root and identity keys to enable respective verification of software or hardware throughout a life cycle of a device to prevent unauthorized access to protected or private code of an embedded system. By so doing, the described aspects may enable an embedded system with a secure boot process and robust identity and root key management system.

Abstract: Aspects of hardened encoded message check systems and methods for RSA signature verification are described. In one implementation, an encoded message is received that includes an array of words. Each of the words in the encoded message are processed using an expected value and a share associated with each word. A verification value is calculated based on the array of words in the encoded message, the expected value, and the share associated with each word. A determination is performed regarding whether the verification value is correct and, if the verification value is correct, a hardware device is unlocked.

Abstract: This document discloses aspects of secure chip-wide communication. In some aspects, a host of a system generates integrity metadata for a command payload issued to a destination over an interconnect of the system. The integrity metadata can be generated based on respective values of bits that form the command payload, such as plaintext data bits. The destination validates the integrity of the command payload based on the integrity metadata before consuming the command payload. In some cases, the destination stores the integrity metadata with data of the command payload, which may be returned to the host along the data when requested. By so doing, the host and destinations of the system can use the integrity metadata to implement secure-chip wide communication, which may prevent fault injection attacks on the command payloads or response data during transit or at temporal storage locations within the system.

Abstract: This document describes techniques and systems for providing trusted computing for digital devices. The techniques and systems may use cryptographic algorithms to provide trusted computing and processing. By doing so, the techniques help ensure authentic computation and prevent nefarious acts. For example, a method is described that receives a signature associated with a designee and validates the signature. The signature may be associated with a designee of a host computing device, and the signature may be generated according to firmware associated with an integrated circuit of the host computing device and a first private key of a first asymmetric key pair. Signature validation may be based on a second asymmetric key pair having a second private key and a second public key, the second private key stored in write-once memory of the host computing device.

Abstract: This document describes systems and techniques for deriving identity and root keys for embedded systems. In aspects, a boot process and key manager of an embedded system may implement a secure or trusted boot process for embedded systems in which code of next-level boot loader or software image is verified using root keys or other protected information before execution of the boot process is passed to the next stage in the boot process. Alternatively or additionally, the key manager may enable sealing and attestation of various levels of root and identity keys to enable respective verification of software or hardware throughout a life cycle of a device to prevent unauthorized access to protected or private code of an embedded system. By so doing, the described aspects may enable an embedded system with a secure boot process and robust identity and root key management system.