Abstract: Systems and methods for reducing problems and disadvantages associated with provisioning of information handling systems, including without limitation those associated with bare metal provisioning of information handling systems, are disclosed. A system may include a processor, and a memory and an access controller each communicatively coupled to the processor. The access controller may store an enterprise public key associated with an enterprise private key and a platform private key associated with the system.

Abstract: Systems and methods for reducing problems and disadvantages associated with provisioning of information handling systems, including without limitation those associated with bare metal provisioning of information handling systems, are disclosed. A system may include a processor, and a memory and an access controller each communicatively coupled to the processor. The access controller may store an enterprise public key associated with an enterprise private key and a platform private key associated with the system.

Abstract: Systems and methods for reducing problems and disadvantages associated with provisioning of information handling systems, including without limitation those associated with bare metal provisioning of information handling systems, are disclosed. A system may include a processor, and a memory and an access controller each communicatively coupled to the processor. The access controller may store an enterprise public key associated with an enterprise private key and a platform private key associated with the system.

Abstract: A method may include generating a first shared secret for a present boot session of the information handling system and determining if a second shared secret existed for a prior boot session of the information handling system. If the second shared secret existed for the prior boot session, the method may include encrypting the first shared secret with the second shared secret and communicating the first shared secret encrypted by the second shared secret from a first information handling resource to a second information handling resource. If the second shared secret did not exist for the prior boot session, the method may include communicating the first shared secret unencrypted from the first information handling resource to the second information handling resource. The method may additionally include securely communicating between the first information handling resource and the second information handling resource using the first shared secret for encryption and decryption.

Abstract: A computer-implemented method comprises a service processor: establishing a kill switch encryption key (KSEK) to provide data security for data within storage devices of configurable components within a system; automatically encrypting, with the KSEK, data that is written to one of the storage devices; configuring the configurable components to prevent access to the stored data unless a valid copy of the KSEK is received from the service processor along with the request for the data; automatically decrypting, with the KSEK, the KSEK-encrypted data that is read from storage device; and in response to receiving a verified request to decommission the system, performing the decommissioning by deleting/erasing the KSEK from a secure storage at which the only instance of the KSEK is maintained. Deletion of the KSEK results in a permanent loss of access to the stored encrypted data within the system because the stored encrypted data cannot be decrypted without the KSEK.

Abstract: In accordance with the present disclosure, a system and method for multilayered authentication of trusted platform updates is described. The method may include storing first cryptographic data in a personality module of an information handling system, with the first cryptographic data corresponding to a verified firmware component. A second cryptographic data may also be determined, with the second cryptographic data corresponding to an unverified firmware component. The unverified firmware component may be stored in a memory element of the information handling system, and the second cryptographic data may be determined using a processor of the information handling system.

Abstract: A method may include generating a first shared secret for a present boot session of the information handling system and determining if a second shared secret existed for a prior boot session of the information handling system. If the second shared secret existed for the prior boot session, the method may include encrypting the first shared secret with the second shared secret and communicating the first shared secret encrypted by the second shared secret from a first information handling resource to a second information handling resource. If the second shared secret did not exist for the prior boot session, the method may include communicating the first shared secret unencrypted from the first information handling resource to the second information handling resource. The method may additionally include securely communicating between the first information handling resource and the second information handling resource using the first shared secret for encryption and decryption.

Abstract: A method may include generating a first shared secret for a present boot session of the information handling system and determining if a second shared secret existed for a prior boot session of the information handling system. If the second shared secret existed for the prior boot session, the method may include encrypting the first shared secret with the second shared secret and communicating the first shared secret encrypted by the second shared secret from a first information handling resource to a second information handling resource. If the second shared secret did not exist for the prior boot session, the method may include communicating the first shared secret unencrypted from the first information handling resource to the second information handling resource. The method may additionally include securely communicating between the first information handling resource and the second information handling resource using the first shared secret for encryption and decryption.

Abstract: Systems and methods for reducing problems and disadvantages associated with provisioning of information handling systems, including without limitation those associated with bare metal provisioning of information handling systems, are disclosed. A system may include a processor, and a memory and an access controller each communicatively coupled to the processor. The access controller may store an enterprise public key associated with an enterprise private key and a platform private key associated with the system.

Abstract: A computer-implemented method comprises a service processor: establishing a kill switch encryption key (KSEK) to provide data security for data within storage devices of configurable components within a system; automatically encrypting, with the KSEK, data that is written to one of the storage devices; configuring the configurable components to prevent access to the stored data unless a valid copy of the KSEK is received from the service processor along with the request for the data; automatically decrypting, with the KSEK, the KSEK-encrypted data that is read from storage device; and in response to receiving a verified request to decommission the system, performing the decommissioning by deleting/erasing the KSEK from a secure storage at which the only instance of the KSEK is maintained. Deletion of the KSEK results in a permanent loss of access to the stored encrypted data within the system because the stored encrypted data cannot be decrypted without the KSEK.

Abstract: Systems and methods for reducing problems and disadvantages associated with provisioning of information handling systems, including without limitation those associated with bare metal provisioning of information handling systems, are disclosed. A system may include a processor, and a memory and an access controller each communicatively coupled to the processor. The access controller may store an enterprise public key associated with an enterprise private key and a platform private key associated with the system.

Abstract: In accordance with additional embodiments of the present disclosure, a method may include storing information regarding one or more components of the information handling system to a database, the database stored on a basic input/output system (BIOS) of the information handling system prior to shipment of an information handling system. The method may also include, between the time of shipment of the information handling system to receipt of the information handling system by an intended customer of the information handling system: logging events associated with one or more components of the information handling system, and storing information associated with the events in the database. The method may further include interfacing with an authorized user of the information associated with the events to allow the authorized user to access the information associated with the events.

Abstract: In accordance with the present disclosure, a system and method for multilayered authentication of trusted platform updates is described. The method may include storing first cryptographic data in a personality module of an information handling system, with the first cryptographic data corresponding to a verified firmware component. A second cryptographic data may also be determined, with the second cryptographic data corresponding to an unverified firmware component. The unverified firmware component may be stored in a memory element of the information handling system, and the second cryptographic data may be determined using a processor of the information handling system.

Abstract: A method may include generating a first shared secret for a present boot session of the information handling system and determining if a second shared secret existed for a prior boot session of the information handling system. If the second shared secret existed for the prior boot session, the method may include encrypting the first shared secret with the second shared secret and communicating the first shared secret encrypted by the second shared secret from a first information handling resource to a second information handling resource. If the second shared secret did not exist for the prior boot session, the method may include communicating the first shared secret unencrypted from the first information handling resource to the second information handling resource. The method may additionally include securely communicating between the first information handling resource and the second information handling resource using the first shared secret for encryption and decryption.

Abstract: An information handling system includes a processor, an authentication detection module, a user input device, and encoding module, and a buffer. The authentication detection module determines whether the information handling system is operating in an authenticated network communication session, The user input device receives user input data from a user, and the encoding module receives the user input data from the user input device and encodes the received user input data into a suitable format. The buffer logs the encoded user input data for later retrieval if the authentication detection module determines that the information handling system is not operating in an authenticated network communication session.

Abstract: A method of enforcing an encryption policy in an information handling system for receiving a request for access to data, automatically identifying from a plurality of encryption policies a particular encryption policy associated with the requested data, selecting an available encryption implementation module capable of enforcing the identified encryption policy, and initiating an encryption or decryption of the requested data using the selected encryption implementation module.

Abstract: Systems and methods for reducing problems and disadvantages associated with provisioning of information handling systems, including without limitation those associated with bare metal provisioning of information handling systems, are disclosed. A system may include a processor, and a memory and an access controller each communicatively coupled to the processor. The access controller may store an enterprise public key associated with an enterprise private key and a platform private key associated with the system.

Abstract: Information handling system errors are presented at a display with the information handling system graphics subsystem inoperative by communicating an identified error to the display through an auxiliary channel and generating a presentation of the error information with a microcontroller of the display. For example, errors determined by BIOS firmware running on a chipset are communicated through a DDC or I2C channel from the chipset to the display so that textual error messages are generated at the display without the use of the information handling system's graphic processor to generate an error message image.

Abstract: Denial of service attacks on information handling system processing components having password protection, such as a hard disk drive, are prevented by automatically setting a password on the processing component during start-up of the information handling system if a password is not set. The automatically set password prevents a malicious program from illicitly setting a password on the processing component during operation of the information handling system. At power down, the automatically set password is removed to avoid interference with operation of the processing component during a subsequent start-up. In the event of an abnormal power down that fails to remove the automatically set password, the start-up process includes an attempt to unlock the processing component with the automatically set password.

Abstract: Information handling system battery monitoring tracks battery usage for warranty coverage. A timer state machine running on the battery tracks time expired from initiation of a warranty period, such as the first non-manufacture boot of the information handling system or detection of a new battery interfaced with the information handling system. The expired warranty period and a unique identifier stored on the battery are communicated by a battery manager running on the information handling system to battery warranty site. The manufacturer of the information handling system applies the expired warranty period and unique identifier to determine warranty coverage for the battery.