Abstract: Techniques are provided for identity-based verification of software code layers. One method comprises obtaining, by a current layer of software code executing on a security processor of a security sub-system, in connection with a boot of the security sub-system, an identity key of the current layer, wherein the identity key of the current layer is based on a value generated during a provisioning of the security sub-system, wherein the value is based on a firmware image of at least one layer of the software code; obtaining an encrypted secure boot public key of a next layer; decrypting the encrypted secure boot public key of the next layer using the obtained identity key of the current layer; verifying the next layer using the decrypted secure boot public key of the next layer; and executing the next layer based at least in part on a result of the verifying.

Abstract: Systems and methods for factory management of regional cryptographic algorithms in an Information Handling System (IHS) are described. In an embodiment, an IHS may include: a host processor; a security processor coupled to the host processor; and a memory coupled to the security processor, the memory having program instructions stored thereon that, upon execution, cause the security processor to: generate a Cryptographic Algorithm Identity (CAI) key pair comprising a CAI public key and a CAI private key; issue a CAI Certificate Signing Request (CSR) to a factory IHS, where the CAI CSR comprises the CAI public key; receive a signed CAI certificate from the factory IHS, where the signed CAI certificate is usable to activate a selected set of regional cryptographic algorithms among a superset of regional cryptographic algorithms stored, during manufacturing of the IHS, in a firmware of the security processor; and store the signed CAI certificate.

Abstract: An information handling system may include a host system comprising a host system processor, a logic device configured to perform a functionality of the information handling system in accordance with code stored on non-transitory computer-readable media of the logic device, and a management controller communicatively coupled to the host system processor and the logic device and configured to perform out-of-band management of the information handling system. The management controller may be further configured to: during a boot of the management controller, perform an initial authentication of the code via an immutable interface of the logic device, after the initial authentication and prior to completion of boot of the management controller, enable a hardware lock to prevent write access to the logic device via the immutable interface, and in response to a power on request of the host system, perform a second authentication of the code via a mutable interface of the logic device.

Abstract: An information handling system may include a host system comprising a processor and a management controller comprising a main processor and a trusted integrated processor configured to perform secured boot services and run-time security functions of the management controller. The information handling system may also include a legacy communications bus interfaced between the host system and the main processor and a secure communications bus interfaced between the host system and the main processor. The trusted integrated processor is further configured to implement a secure attestation channel to the host system via the secure communications bus in order to provide access by the host system to security services owned by the management controller.

Abstract: An information handling system may include a host system comprising a host system processor, a logic device configured to perform a functionality of the information handling system in accordance with code stored on non-transitory computer-readable media of the logic device, and a management controller communicatively coupled to the host system processor and the logic device and configured to perform out-of-band management of the information handling system. The management controller may be further configured to: during a boot of the management controller, perform an initial authentication of the code via an immutable interface of the logic device, after the initial authentication and prior to completion of boot of the management controller, enable a hardware lock to prevent write access to the logic device via the immutable interface, and in response to a power on request of the host system, perform a second authentication of the code via a mutable interface of the logic device.