Patents by Inventor Ned Smith

Ned Smith has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240111879
    Abstract: Examples herein relate to an interface selectively providing access to a memory region for a work request from an entity by providing selective access to a physical address of the memory region and selective access to a cryptographic key for use by a memory controller to access the memory region. In some examples, providing selective access to a physical address conversion is based on one or more of: validation of a certificate received with the work request and an identifier of the entity being associated with a process with access to the memory region. Access to the memory region can be specified to be one or more of: create, read, update, delete, write, or notify. A memory region can be a page or sub-page sized region. Different access rights can be associated with different sub-portions of the memory region, wherein the access rights comprise one or more of: create, read, update, delete, write, or notify.
    Type: Application
    Filed: September 19, 2023
    Publication date: April 4, 2024
    Inventors: Ned SMITH, Kshitij A. DOSHI, Francesc GUIM BERNAT, Kapil SOOD, Tarun VISWANATHAN
  • Publication number: 20240114029
    Abstract: Methods and apparatus for identity and access management on networked machines are disclosed herein. An example non-transitory machine readable storage medium includes instructions to cause programmable circuitry to at least grant first permission to form a connection between a remote compute device and a local compute device based on a first identity of a first account, the connection to enable the first account to operate the local compute device by impersonating a second user, the second user associated with a second identity, access a request to execute a command on the remote compute device from the first account, and determine, based on the first identity of the first account and the second identity of the second user, whether second permission is to be granted to execute the command.
    Type: Application
    Filed: December 13, 2023
    Publication date: April 4, 2024
    Inventors: Christopher Son Thach, Nathan John Heldt-Sheller, Radoslaw Benedykt Szulim, Ned Smith, Matthew David Balvin, Callum Wilson Noble, Anand Basalingappa Jyoti
  • Patent number: 11880714
    Abstract: Technologies for providing dynamic selection of edge and local accelerator resources includes a device having circuitry to identify a function of an application to be accelerated, determine one or more properties of an accelerator resource available at the edge of a network where the device is located, and determine one or more properties of an accelerator resource available in the device. Additionally, the circuitry is to determine a set of acceleration selection factors associated with the function, wherein the acceleration factors are indicative of one or more objectives to be satisfied in the acceleration of the function. Further, the circuitry is to select, as a function of the one or more properties of the accelerator resource available at the edge, the one or more properties of the accelerator resource available in the device, and the acceleration selection factors, one or more of the accelerator resources to accelerate the function.
    Type: Grant
    Filed: November 8, 2021
    Date of Patent: January 23, 2024
    Assignee: Intel Corporation
    Inventors: Francesc Guim Bernat, Karthik Kumar, Ned Smith, Thomas Willhalm, Timothy Verrall
  • Publication number: 20240012769
    Abstract: Examples described herein relate to a network interface device. In some examples, the network interface device includes a network interface, a direct memory access (DMA) circuitry, a host interface, memory, one or more processors, and circuitry to: based on a configuration of operation specifying a standalone operation, cause the network interface device to operate in standalone to execute one or more applications and based on a configuration of operation specifying a companion operation, cause the network interface device to operate in companion to provide at least one host system with access to one or more hardware resources accessible by the network interface device.
    Type: Application
    Filed: September 20, 2023
    Publication date: January 11, 2024
    Inventors: Francesc GUIM BERNAT, Manish DAVE, Vered BAR BRACHA, Bradley A. BURRES, Uzair QURESHI, Joseph GRECCO, Paul KAPPLER, Dirk F. BLEVINS, Mukesh Gangadhar BHAVANI VENKATESAN, Hariharan M, Marek PIOTROWSKI, Dhanya PILLAI, John MANGAN, Mandar CHINCHOLKAR, Eoin WALSH, Sumit MOHAN, Ned SMITH, Tushar Sudhakar GOHAD
  • Publication number: 20230418773
    Abstract: Techniques and mechanisms for determining an operation to be performed with a direct memory access (DMA) request. An inspection unit (105) is coupled between an input-output memory management unit (IOMMU) (120) and an endpoint device (118). The inspection unit (105) stores a registry (330) comprising entries (332) which each correspond to a respective address, and a respective one or more resources of the endpoint device (118). A given entry (332) of the registry (330) is created based on a message from the IOMMU (120) which indicates the successful completion of an address translation to facilitate a DMA request. The endpoint device (118) performs a search, based on a DMA request, to determine if any registry (330) entry (332) indicates a combination of an address and an endpoint resource, where said combination matches a corresponding combination indicated by the DMA request. Communication of the DMA request to the IOMMU (120) is contingent on a result of the search.
    Type: Application
    Filed: December 24, 2020
    Publication date: December 28, 2023
    Applicant: Intel Corporation
    Inventors: Kaijie Guo, Xin Zeng, Ned Smith, Weigang Li, Junyuan Wang, Songwu Shen, Zijuan Fan, Yao Huo, Maksim Lukoshkov, Laurent Coquerel
  • Publication number: 20230409197
    Abstract: An embodiment of an integrated circuit may comprise memory to store respective resource control descriptors in correspondence with respective identifiers, and an input/output (IO) memory management unit (IOMMU) communicatively coupled to the memory, the IOMMU including circuitry to determine resource control information for an IO transaction based on a resource control descriptor stored in the memory that corresponds to an identifier associated with the IO transaction, and control utilization of one or more resources of the IOMMU based on the determined resource control information. Other embodiments are disclosed and claimed.
    Type: Application
    Filed: August 29, 2023
    Publication date: December 21, 2023
    Applicant: Intel Corporation
    Inventors: Kaijie Guo, Ashok Raj, Ned Smith, Weigang Li, Junyuan Wang, Xin Zeng, Brian Will, Zijuan Fan, Michael E. Kounavis, Qianjun Xie, Yuan Wang, Yao Huo
  • Publication number: 20230396669
    Abstract: Technologies for function as a service (FaaS) arbitration include an edge gateway, multiple endpoint devices, and multiple service providers. The edge gateway receives a registration request from a service provider that is indicative of an FaaS function identifier and a transform function. The edge gateway verifies an attestation received from the service provider and registers the service provider. The edge gateway receives a function execution request from an endpoint device that is indicative of the FaaS function identifier. The edge gateway selects the service provider based on the FaaS function identifier, programs an accelerator with the transform function, executes the transform function with the accelerator to transform the function execution request to a provider request, and submits the provider request to the service provider. The service provider may be selected based on an expected service level included in the function execution request. Other embodiments are described and claimed.
    Type: Application
    Filed: August 16, 2023
    Publication date: December 7, 2023
    Applicant: Intel Corporation
    Inventors: Francesc Guim Bernat, Ned Smith, Kshitij Doshi, Alexander Bachmutsky, Suraj Prabhakaran
  • Publication number: 20230342449
    Abstract: Examples described herein relate to a network interface device that includes a network interface, one or more processors, and circuitry to: register the network interface device and based on selection as an attestation device by the management controller from among multiple candidate network interface devices, receive attestation information and perform attestation of one or more devices.
    Type: Application
    Filed: June 28, 2023
    Publication date: October 26, 2023
    Inventors: Eoin WALSH, Francesc GUIM BERNAT, Padraig CONNOLLY, Daniel SHEA, Ned SMITH
  • Publication number: 20230344873
    Abstract: Methods and apparatus for secured information transfer are disclosed. An example apparatus includes programmable circuitry to execute instructions to determine characteristics of an asset associated with a first entity that utilizes a first type of decentralized security, assign the asset to a carrier for transport to a second entity that utilizes a second type of decentralized security, obtain attested information for the asset from the carrier, and transmit the attested information to the second entity via a first gateway, the first gateway to transmit the attested information for the asset to a second gateway of the second entity.
    Type: Application
    Filed: June 30, 2023
    Publication date: October 26, 2023
    Inventors: Ned Smith, Satish Jha, S M Iftekharul Alam, Vesh Raj Sharma Banjade, Kathiravetpillai Sivanesan, Arvind Merwaday, Liuyang Yang, Rajesh Poornachandran
  • Patent number: 11799911
    Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to facilitate information exchange using publish-subscribe with blockchain. An example apparatus includes a security manager to integrate a security service with an instruction execution flow in a distributed device environment. The security manager is to include a processor. The processor is to be configured to implement at least an executable hierarchical state machine to provide credential management and access management in conjunction with instruction execution according to an execution plan. The executable hierarchical state machine is to generate a security context for the execution plan to implement a guard condition governing a transition from a first state to a second state in accordance with the execution plan.
    Type: Grant
    Filed: February 26, 2021
    Date of Patent: October 24, 2023
    Assignee: Intel Corporation
    Inventor: Ned Smith
  • Patent number: 11797690
    Abstract: Examples herein relate to an interface selectively providing access to a memory region for a work request from an entity by providing selective access to a physical address of the memory region and selective access to a cryptographic key for use by a memory controller to access the memory region. In some examples, providing selective access to a physical address conversion is based on one or more of: validation of a certificate received with the work request and an identifier of the entity being associated with a process with access to the memory region. Access to the memory region can be specified to be one or more of: create, read, update, delete, write, or notify. A memory region can be a page or sub-page sized region. Different access rights can be associated with different sub-portions of the memory region, wherein the access rights comprise one or more of: create, read, update, delete, write, or notify.
    Type: Grant
    Filed: April 10, 2020
    Date of Patent: October 24, 2023
    Assignee: Intel Corporation
    Inventors: Ned Smith, Kshitij A. Doshi, Francesc Guim Bernat, Kapil Sood, Tarun Viswanathan
  • Patent number: 11741234
    Abstract: Technologies for fast launch of trusted containers include a computing device having a trusted platform module (TPM). The computing device measures a container runtime with the TPM and executes the container runtime in response to the measurement. The computing device establishes a trust relationship between the TPM and a virtual platform credential, provisions the virtual platform credential to a virtual TPM, and executes a guest environment in response to provisioning the virtual platform credential. The computing device measures a containerized application with the virtual TPM and executes the containerized application in response to the measurement. The computing device may perform a trusted computing operation in the guest environment with the virtual TPM. The virtual TPM and the containerized application may be protected with multi-key total memory encryption (MKTME) support of the computing device. State of the virtual TPM may be encrypted and persisted. Other embodiments are described and claimed.
    Type: Grant
    Filed: May 17, 2021
    Date of Patent: August 29, 2023
    Assignee: Intel Corporation
    Inventors: Ned Smith, Samuel Ortiz, Manohar Castelino, Mikko Ylinen
  • Patent number: 11736277
    Abstract: Technologies for key management of internet-of-things (IoT) devices include an IoT device, an authority center server, and a group management server. The IoT device is configured to authenticate with an authority center server via an offline communication channel, receive a group member private key as a function of the authentication with the authority center server, and authenticate with a group management server via a secure online communication channel using the group member private key. The IoT device is further configured to receive a group shared key as a function of the authentication with the group management server, encrypt secret data with the group shared key, and transmit the encrypted secret data to the group management server. Other embodiments are described herein.
    Type: Grant
    Filed: August 31, 2021
    Date of Patent: August 22, 2023
    Assignee: Intel Corporation
    Inventors: Changzhen Wei, Junyuan Wang, Ned Smith, Weigang Li, Ping Yu
  • Patent number: 11711268
    Abstract: Methods and apparatus to execute a workload in an edge environment are disclosed. An example apparatus includes a node scheduler to accept a task from a workload scheduler, the task including a description of a workload and tokens, a workload executor to execute the workload, the node scheduler to access a result of execution of the workload and provide the result to the workload scheduler, and a controller to access the tokens and distribute at least one of the tokens to at least one provider, the provider to provide a resource to the apparatus to execute the workload.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: July 25, 2023
    Assignee: INTEL CORPORATION
    Inventors: Ned Smith, Francesc Guim Bernat, Sanjay Bakshi, Katalin Bartfai-Walcott, Kapil Sood, Kshitij Doshi, Robert Munoz
  • Patent number: 11687375
    Abstract: Technologies for hybrid field-programmable gate array (FPGA) application-specific integrated circuit (ASIC) code acceleration are described. In one example, the computing device includes a FPGA comprising: algorithm circuitry to: perform one or more algorithm tasks of an algorithm, wherein the algorithm to perform a service request that is offloaded to the FPGA; and determine a primitive task associated with an algorithm task of the one or more algorithm tasks; primitive offload circuitry to encapsulate the primitive task in a buffer of the FPGA, wherein the buffer is accessible by an ASIC of the computing device; and result circuitry to return one or more results of the service request responsive to performance of the primitive task by the ASIC.
    Type: Grant
    Filed: April 20, 2022
    Date of Patent: June 27, 2023
    Assignee: INTEL CORPORATION
    Inventors: Ned Smith, Changzheng Wei, Songwu Shen, Ziye Yang, Junyuan Wang, Weigang Li, Wenqian Yu
  • Publication number: 20230186156
    Abstract: Methods, apparatus, systems and articles of manufacture to train a model using attestation data are disclosed. An example apparatus includes memory, instructions, and at least one processor to execute machine readable instructions to at least access training data originating from an edge device, the training data including telemetry information and attestation information, determine a weighting value to be used for the telemetry information based on the attestation information associated with the edge device, and train a machine learning model based on the telemetry information and the weighting value.
    Type: Application
    Filed: May 17, 2021
    Publication date: June 15, 2023
    Inventors: Ned Smith, Rita Chattopadhyay
  • Publication number: 20230138094
    Abstract: Methods and apparatus for opportunistic memory pools. The memory architecture is extended with logic that divides and tracks the memory fragmentation in each of a plurality of smart devices in two virtual memory partitions: (1) the allocated-unused partition containing memory that is earmarked for (allocated to), but remained un-utilized by the actual workloads running, or, by the device itself (bit-streams, applications, etc.); and (2) the unallocated partition that collects unused memory ranges and pushes them in to an Opportunistic Memory Pool (OMP) which is exposed to the platform's memory controller and operating system. The two partitions of the OMP allow temporary utilization of otherwise unused memory. Under alternate configurations, the total amount of memory resources is presented as a monolithic resource or two monolithic memory resources (unallocated and allocated but unused) available for utilization by the devices and applications running in the platform.
    Type: Application
    Filed: December 28, 2022
    Publication date: May 4, 2023
    Inventors: Francesc GUIM BERNAT, Marcos E. CARRANZA, Cesar Ignacio MARTINEZ SPESSOT, Kshitij A. DOSHI, Ned SMITH
  • Patent number: 11637687
    Abstract: Methods, apparatus, systems and articles of manufacture to determine provenance for data supply chains are disclosed. Example instructions cause a machine to at least, in response to data being generated, generate a local data object and object metadata corresponding to the data; hash the local data object; generate a hash of a label of the local data object; generate a hierarchical data structure for the data including the hash of the local data object and the hash of the label of the local data object; generate a data supply chain object including the hierarchical data structure; and transmit the data and the data supply chain object to a device that requested access to the data.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: April 25, 2023
    Assignee: Intel Corporation
    Inventors: Ned Smith, Francesc Guim Bernat, Sanjay Bakshi, Paul O'Neill, Ben McCahill, Brian A. Keating, Adrian Hoban, Kapil Sood, Mona Vij, Nilesh Jain, Rajesh Poornachandran, Trevor Cooper, Kshitij A. Doshi, Marcin Spoczynski
  • Patent number: 11567683
    Abstract: Technologies for providing deduplication of data in an edge network includes a compute device having circuitry to obtain a request to write a data set. The circuitry is also to apply, to the data set, an approximation function to produce an approximated data set. Additionally, the circuitry is to determine whether the approximated data set is already present in a shared memory and write, to a translation table and in response to a determination that the approximated data set is already present in the shared memory, an association between a local memory address and a location, in the shared memory, where the approximated data set is already present. Additionally, the circuitry is to increase a reference count associated with the location in the shared memory.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: January 31, 2023
    Assignee: INTEL CORPORATION
    Inventors: Francesc Guim Bernat, Karthik Kumar, Thomas Willhalm, Timothy Verrall, Ned Smith
  • Publication number: 20220391494
    Abstract: In a multitenant environment, confidential containers for the tenant having a trusted execution environment (TEE) which have security attested, can share data within the pod or between pods. The ability to share data for confidential containers of the same tenant eliminates the need to have multiple copies for different confidential containers. Thus, a storage device can store shared data specific to a tenant of the multitenant environment, and a caching service backed by protected hardware can manage access to the shared data. Management of the shared data can include attesting a key for a confidential container to verify that the confidential container is part of the TEE for a pod for the tenant, and access the shared data from the storage device for the confidential container based on the attested key.
    Type: Application
    Filed: August 17, 2022
    Publication date: December 8, 2022
    Inventors: Ziye YANG, Malini K. BHANDARU, Ned SMITH