Abstract: Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.

Abstract: In an embodiment, an apparatus is provided that may include an integrated circuit to be removably communicatively coupled to at least one storage device. The integrated circuit of this embodiment may be capable of encrypting and/or and decrypting, based at least in part upon a first key, data to be, in at least in part, stored in and/or retrieved from, respectively, at least one region of the at least one storage device. The at least one region and a second key may be associated with at least one access privilege authorized, at least in part, by an administrator. The second key may be stored, at least in part, externally to the at least one storage device. The first key may be obtainable, at least in part, based, at least in part, upon at least one operation involving the second key. Of course, many alternatives, modifications, and variations are possible without departing from this embodiment.

Abstract: Methods and systems to authenticate and load a plurality of boot logic modules in corresponding access protected memory regions of memory, and to maintain the access protections in run-time environments. Access protection may be implemented with access control list (ACL) policies expressed in terms of page boundaries to distinguish between read, write, and execute access requests.

Abstract: In one embodiment, the present invention includes a method for obtaining a pre-boot authentication (PBA) image from a full disk encryption disk in a pre-boot environment, executing the PBA using a chipset to obtain user credential information, authorizing the user based on the user credential information and stored credential information, and storing the user credential information in a PBA metadata region of the disk. Other embodiments are described and claimed.

Abstract: Systems, methods and machine readable media for configuring virtual platform modules are disclosed. One method includes launching a virtual machine monitor, and determining, with the virtual machine monitor, whether a configuration policy that defines a configuration for a virtual trusted platform module is trusted. The method further includes configuring the virtual trusted platform module per the configuration policy in response to the virtual machine monitor determining that the configuration policy is trusted. The method also includes launching, via the virtual machine monitor, a virtual machine associated with the virtual trusted platform module.

Abstract: Machine readable media, methods, and computing devices are disclosed which establish a protected memory channel between an operating system loader of a user partition and services of a management partition. One computing device includes protected storage, read only memory, firmware, a storage device and a processor. The storage device is to store the virtual machine monitor and an operating system having an operating system loader. The virtual machine monitor is to establish a protected memory channel between the one or more integrity services of a management partition and the operating system loader of a user partition in response to measuring and verifying the operating system loader based upon the manifest. The processor is to execute the code of the read only memory, the firmware, the virtual machine monitor, the operating system, the operating system loader, the management partition, and the user partition.

Abstract: A method, apparatus and system for a trusted platform module accepting a customized integrity policy provisioned to a virtual machine monitor, verifying the security of a first policy object, for example, including the customized integrity policy, by comparing a counter associated with the first policy object with a counter associated with a second policy object, and customizing a virtual trusted platform module of the virtual machine monitor according to the first policy object, for example, when the first policy object is verified. The customized integrity policy may include user specified configurations for implementing a customized virtual environment. Other embodiments are described and claimed.

Abstract: Methods and apparatus are disclosed to perform a secure boot of a computer system. An example method disclosed herein receives an initialization routine having at least one sub-routine, measures the initialization routine to compute a hash value, and compares the computed hash value with a core root of trust hash value to verify the initialization routine. The example method disclosed herein also establishes trust to the initialization routine when the computed hash value matches the core root of trust hash value and hands-off platform hardware to an operating system in response to successful verification of the initialization routine. Other embodiments are described and claimed.

Abstract: Management of reference data to be used for verification of platform is described herein. The reference data may be in the form of reference integrity metrics (RIM) records that describe trusted platform components.

Abstract: A method includes generating a chain of trust for a virtual endpoint. The virtual endpoint is associated with a layered architecture that includes layers, which include a physical layer. For each layer, a code image of a process of the layer is measured before the process is loaded to form a node of the chain of trust.

Abstract: A technique includes providing a virtual machine within a first enclave and a second enclave. A virtual machine is used as a proxy to negotiate a connection between the first enclave and the second enclave.

Abstract: A method and apparatus for dynamic provisioning of an access control policy in an input/output (I/O) controller hub are described. In one embodiment, the method includes the establishment of a control channel during evaluation stages of a network access request. In one embodiment, the control channel enables resource enumeration of a hardware platform while disabling data read/write processing of the hardware platform. Once resource enumeration is completed, conditional control settings for each enumerated platform resource are sent to a network policy decision point. Once transmitted, if the conditional control settings identify the hardware platform as having a non-compliant configuration, conditional control settings for at least one enumerated resource of the hardware platform are modified according to a received access control policy to provide compliance of the hardware platform configuration to enable network access. Other embodiments are described and claimed.

Abstract: In a processor based system comprising a plurality of logical machines, selecting a logical machine of the system to serve as a host; the host communicating with a policy decision point (PDP) of a network to provision a data channel interconnecting the processor based system and the network and to provision a logical data channel interconnecting each logical machine of the system to the network.

Abstract: A method, apparatus and system enable security keys to be processed in a dedicated partition on a secure wireless platform. Specifically, embodiments of the present invention may utilize a secure processing area (i.e., a dedicated partition) to generate security keys and to utilize the security keys to perform a 4-way handshake to provide confidentiality and integrity protection for all data communication between the wireless node and an access point.

Abstract: A method, apparatus and system enable a secure wireless platform. Specifically, embodiments of the present invention may utilize a secure processing area to enforce security mechanisms on the wireless platform, thus isolating the security measures (e.g., security keys) from the host operating system on the wireless node.

Abstract: Embodiments of the invention are generally directed to systems, methods, and apparatuses for controlling a network connection based, at least in part, on dual-switching. In an embodiment, a tunnel proxy is coupled with a host execution environment. The tunnel proxy includes logic to provide a security protocol client and logic to provide a security protocol server. In one embodiment, the tunnel proxy provides a proxy for a policy decision point to the host execution environment. Other embodiments are described and claimed.

Abstract: Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.

Abstract: Methods and apparatus to perform associated extensions for negotiated channel security protocols are disclosed. A disclosed method to extend a security protocol comprises exchanging identifying information between a first and a second endpoint, determining a secret based on the exchanged identifying information, determining a first master secret based on the determined secret and a second master secret determined in a prior protocol exchange block, and deriving a session key based on the first master secret.

Abstract: Apparatus and systems, as well as methods and articles, may operate to distribute a cryptographic key across a physically protected communication channel coupling a first trusted platform module (TPM) to a second TPM.

Abstract: A system and method for secure distribution of a video card public key. The method provides for loading an authentication code module into a processor, authenticating the authentication code module, and executing the authentication code module. Executing the authentication module causes the authentication code module to assert a hardware indicator to access at least one address in a special protected page on a chipset. Receipt of the hardware indicator by the chipset causes a specific reference to be sent via a dedicated port to a circuit card to retrieve a public key from the circuit card.