Patents by Inventor Nicholas D. Grobelny

Nicholas D. Grobelny has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11977669
    Abstract: Methods and systems for securing data processing systems are disclosed. A data processing system may be operably connected to other devices via ports. When operably connected, some devices connected via the ports may cause undesired actions to be performed. To limit physical access to the ports, a security apparatus may be used to lock the ports. The security apparatus may transition between states where it may be inserted into openings for the ports and may be locked to the openings for the ports. When so locked, physical access to the ports may be limited.
    Type: Grant
    Filed: February 9, 2022
    Date of Patent: May 7, 2024
    Assignee: Dell Products L.P.
    Inventors: Jason Scott Morrison, Nicholas D. Grobelny, Mark Andrew Schwager
  • Patent number: 11909882
    Abstract: Various embodiments of systems and methods are provided to bind a system identifier that uniquely identifies an information handling system (IHS) to the system platform, so that the identity of the IHS can be cryptographically verified. More specifically, the present disclosure provides methods to bind a unique system identifier to an IHS platform, and methods to cryptographically verify the identity of the IHS using the unique system identifier and a plurality of keys generated and stored with a Trusted Platform Module (TPM) of the IHS. Systems are provided herein to perform such methods. As such, the systems and methods disclosed herein enable system identity to be irrefutably verified, thereby preventing theft and misuse of system identity.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: February 20, 2024
    Assignee: Dell Products L.P.
    Inventors: Charles D. Robison, Nicholas D. Grobelny, Amy C. Nelson
  • Patent number: 11905742
    Abstract: An information handling system housing is secured against unauthorized access with a security device integrated in the housing that selectively enables and disables screw movement relative to threads disposed in the housing. For instance, a freewheeling nut in the housing interfaces with an actuator that selectively releases or holds the freewheeling nut relative to the housing. When released, a screw coupled to the freewheeling nut cannot rotate relative to the threads of the freewheeling nut so that the screw maintains the housing secured until the freewheeling nut is held in position to allow removal of the screw.
    Type: Grant
    Filed: April 24, 2020
    Date of Patent: February 20, 2024
    Assignee: Dell Products L.P.
    Inventors: Jason S. Morrison, Nicholas D. Grobelny
  • Publication number: 20240037216
    Abstract: Systems and methods are provided that may be implemented to provide a basic input/output system (BIOS) with the ability to authenticate and then execute one-time unique instructions that are previously left behind (i.e., stored) in public memory of an information handling system by a containerized computing environment session that is no longer executing on the information handling system. The disclosed systems and methods may be so implemented to share with the system BIOS privileged instructions to identify which executables are authorized for execution on a targeted information handling system. The privileged instructions may be previously created and optionally stored together with an executable code in system public memory, and these instructions may provide instructions on how to execute the executable code.
    Type: Application
    Filed: July 27, 2022
    Publication date: February 1, 2024
    Inventors: Nicholas D. Grobelny, Sumanth Vidyadhara, Richard M. Tonry, Amy C. Nelson
  • Publication number: 20240028723
    Abstract: Workspace instantiations are monitored for potentially suspicious behavior. When a workspace is instantiated, a client endpoint computer creates a log of historical workspace instantiations. Each time the client endpoint computer requests, receives, or executes a workspace, the client endpoint computer adds and timestamps a new entry in the log of historical workspace instantiations. The log of historical workspace instantiations thus represents a rich database description of each workspace, its corresponding workspace definition file, and its corresponding timestamp. A workspace orchestration service may monitor how frequently the log of historical workspace instantiations is generated and flag or alert of unusual or anomalous counts. Any current workspace instantiation may thus be terminated as a security precaution.
    Type: Application
    Filed: July 21, 2022
    Publication date: January 25, 2024
    Inventors: Girish S. Dhoble, David Konetski, Nicholas D. Grobelny
  • Publication number: 20240028713
    Abstract: Workspace instantiations are monitored for potentially suspicious behavior. A client endpoint computer creates and maintains a log of historical events associated with a workspace instantiation. Each time the client endpoint computer processes an event associated with the workspace instantiation, the client endpoint computer adds and timestamps a new entry in the log of the historical events associated with the workspace instantiation. The log of the historical events thus represents a rich database description of the workspace instantiation, its corresponding workspace definition file, its corresponding workspace lifecycle events, and their corresponding timestamps. A workspace orchestration service (perhaps provided by a server) may monitor the log of historical events and flag or alert of any entries indicating suspicious behavior. Any current workspace instantiation may thus be terminated as a security precaution.
    Type: Application
    Filed: July 22, 2022
    Publication date: January 25, 2024
    Inventors: Girish S. Dhoble, Nicholas D. Grobelny, David Konetski
  • Publication number: 20240020427
    Abstract: Systems and methods for preventing content rendered by an Information Handling System (IHS) display from being captured or recorded (e.g., photographed, filmed, recorded, etc.) are described. In an embodiment, an IHS may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive an image from a camera; detect a device in the image; and in response to the detection, prevent content rendered by a display from being captured or recorded by the device.
    Type: Application
    Filed: July 13, 2022
    Publication date: January 18, 2024
    Applicant: Dell Products, L.P.
    Inventors: Nicholas D. Grobelny, Daniel L. Hamlin
  • Publication number: 20240020212
    Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described.
    Type: Application
    Filed: July 19, 2023
    Publication date: January 18, 2024
    Applicant: Dell Products, L.P.
    Inventors: Carlton A. Andrews, Girish S. Dhoble, Nicholas D. Grobelny, David Konetski, Joseph Kozlowski, Ricardo L. Martinez, Charles D. Robison
  • Patent number: 11876900
    Abstract: A system includes a communication channel monitor configured to calculate a hash value of a first encrypted code segment based on a measurement. A security module may derive a first encryption key using a key decryption function operation from the hash value of the first encrypted code segment. A processor decrypts the first encrypted code segment with a seed key retrieved from a storage device, and if the decryption is successful then executes the first decrypted code segment. The processor may retrieve a second one of the encrypted code segments, wherein the second encrypted code segment is a next encrypted code segment for execution after the first encrypted code segment according to a sequence of execution, decrypt the second encrypted code segment with the first encryption key, and if the decryption is successful then execute the second decrypted code segment.
    Type: Grant
    Filed: May 18, 2022
    Date of Patent: January 16, 2024
    Assignee: Dell Products L.P.
    Inventors: Nicholas D. Grobelny, Richard M. Tonry, Balasingh P. Samuel
  • Publication number: 20230401316
    Abstract: A virtual BIOS engine may be configured to, during runtime of an operating system, in response to an operating system event for updating firmware, load onto an isolated compute domain of the processor to emulate firmware update processes of a non-transitory computer-readable media with a virtual non-transitory computer-readable media and emulate the firmware update processes of the cryptoprocessor with a virtual cryptoprocessor, extract a firmware payload to the virtual non-transitory computer-readable media, and execute a virtual trust chain to measure the firmware payload in the virtual non-transitory computer-readable media.
    Type: Application
    Filed: June 10, 2022
    Publication date: December 14, 2023
    Applicant: Dell Products L.P.
    Inventors: Shekar Babu SURYANARAYANA, Anand Prakash JOSHI, Amy Christine NELSON, Nicholas D. GROBELNY
  • Patent number: 11843509
    Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described. In some embodiments, a client Information Handling System (IHS) may include a processor and a memory, the memory having program instructions that, upon execution by the processor, cause the client IHS to: receive, from a workspace orchestration service, one or more files or policies configured to enable the client IHS to instantiate a first workspace based upon a first workspace definition; allow a user to execute a non-vetted application in the first workspace; determine that the first workspace is compromised; and receive, in response to the determination, from the workspace orchestration service, one or more other files or policies configured to enable the client IHS to instantiate a second workspace based upon a second workspace definition, where the second workspace definition allows execution of a vetted application corresponding to the non-vetted application.
    Type: Grant
    Filed: December 8, 2021
    Date of Patent: December 12, 2023
    Assignee: Dell Products L.P.
    Inventors: Carlton A. Andrews, Girish S. Dhoble, Nicholas D. Grobelny, David Konetski, Joseph Kozlowski, Ricardo L Martinez, Charles D. Robison
  • Patent number: 11809876
    Abstract: An information handling system is configured to support first and second boot sequences, which invoke first and second bootloaders respectively. The bootloaders may be stored in an NVMe storage boot partition. Each bootloader may be associated with a corresponding encryption key generated by a trusted platform module, which may seal the first and second keys in accordance with one or more measurements taken during the respective boot sequences. The system determines whether a boot sequence in progress is to invoke the first or second bootloader. The system then unseals the appropriate encryption key to access the appropriate bootloader. The first bootloader may be a host OS bootloader and the second bootloader may be for a recovery resource invoked when the host OS fails to load. The recovery resource may enable BIOS to connect to a remote store and download an image via an HTTP mechanism.
    Type: Grant
    Filed: April 29, 2021
    Date of Patent: November 7, 2023
    Assignee: Dell Products L.P.
    Inventors: Nicholas D. Grobelny, Shun-Tang Hsu, Lip Vui Kan, Sumanth Vidyadhara
  • Patent number: 11803454
    Abstract: Establishing a diagnostic OS for an information handling system platform performing a UEFI BIOS boot to place the platform in a pre-OS state. Upon detecting a particular POST error and/or a platform configuration policy, an embedded OS kernel may be launched into a DRTM-authenticated measured launch environment (MLE). Additional objects for the diagnostic OS may be downloaded. The additional objects may include an initial ramdisk (initrd) module and one or more applications specific to the particular diagnostic OS. The diagnostic OS may be launched as follows: for each diagnostic OS application, launching the application and extending a measurement of the application into a DRTM PCR. Launching the diagnostic OS may include launching an initrd module and extending a measurement of the initrd module into the DRTM PCR. A measurement of the embedded OS kernel may be extended into the TPM and the embedded OS kernel may validate the UEFI BIOS sequence.
    Type: Grant
    Filed: April 30, 2021
    Date of Patent: October 31, 2023
    Assignee: Dell Products L.P.
    Inventors: Sumanth Vidyadhara, Nicholas D. Grobelny, Lip Vui Kan, Ricardo L. Martinez
  • Publication number: 20230325522
    Abstract: Systems and methods for securely deploying a collective workspace across multiple local management agents are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive, at a workspace orchestration service from a first local management agent, first context information and a first split key; receive, at the workspace orchestration service from a second local management agent, second context information and a second split key; determine, by the workspace orchestration service, that the first and second context information match a collaborative workspace policy; in response to the determination, authenticate the first and second split keys; and in response to the authentication, transmit a collaborative workspace definition to the first and second local management agents.
    Type: Application
    Filed: June 13, 2023
    Publication date: October 12, 2023
    Applicant: Dell Products, L.P.
    Inventors: Joseph Kozlowski, Ricardo L. Martinez, David Konetski, Carlton A. Andrews, Nicholas D. Grobelny, Charles D. Robison, Girish S. Dhoble
  • Patent number: 11762750
    Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described.
    Type: Grant
    Filed: August 16, 2022
    Date of Patent: September 19, 2023
    Assignee: Dell Products, L.P.
    Inventors: Carlton A. Andrews, Girish S. Dhoble, Nicholas D. Grobelny, David Konetski, Joseph Kozlowski, Ricardo L. Martinez, Charles D. Robison
  • Patent number: 11757881
    Abstract: Systems and methods for workspace deployment using a secondary trusted device are described. In some embodiments, a first Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the first IHS to: establish a first connection with a second IHS, where the second IHS is configured to establish a second connection with a workspace orchestration service, and where the workspace orchestration service is configured to: receive device identification information of the first IHS from the second IHS; and authenticate the device identification information against a database provided by a manufacturer of the first IHS; and in response to a successful authentication, establish a third connection with the workspace orchestration service.
    Type: Grant
    Filed: December 18, 2020
    Date of Patent: September 12, 2023
    Assignee: Dell Products, L.P.
    Inventors: Carlton A. Andrews, Charles D. Robison, Nicholas D. Grobelny, Joseph Kozlowski, David Konetski
  • Patent number: 11755788
    Abstract: Methods and systems for securing data processing systems are disclosed. A data processing system may be operably connected to other devices via ports. When operably connected, some devices connected via the ports may cause undesired actions to be performed. To limit physical access to the ports, a security apparatus may be used to lock the ports. The security apparatus may transition between states where it may be inserted into openings for the ports and may be locked to the openings for the ports. When so locked, physical access to the ports may be limited.
    Type: Grant
    Filed: March 3, 2023
    Date of Patent: September 12, 2023
    Assignee: Dell Products L.P.
    Inventors: Jason Scott Morrison, Nicholas D. Grobelny, Mark Andrew Schwager
  • Publication number: 20230274001
    Abstract: Systems and methods for off-host integrity verification of Trusted Execution Environments (TEEs) are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to obtain, by an Operating System (OS) agent, a measurement of contents of a selected area of a Non-Volatile Memory (NVM) used by a TEE coupled to the processor, transmit the measurement from the OS agent to another IHS configured to perform integrity verification of the TEE based, at least in part, upon the measurement, and receive, at the OS agent from the other IHS, an indication of a result of the integrity verification.
    Type: Application
    Filed: February 25, 2022
    Publication date: August 31, 2023
    Applicant: Dell Products, L.P.
    Inventors: John Boyle, Ricardo L. Martinez, Nicholas D. Grobelny, Sudhakaran Jayakrishnan Venkateshaperumal, Justin W. Johnson, Golam Sarwar
  • Patent number: 11727122
    Abstract: Systems and methods for endpoint context-driven, dynamic workspaces are described.
    Type: Grant
    Filed: September 7, 2022
    Date of Patent: August 15, 2023
    Assignee: Dell Products, L.P.
    Inventors: Carlton A. Andrews, Girish S. Dhoble, Nicholas D. Grobelny, David Konetski, Joseph Kozlowski, Ricardo L. Martinez, Charles D. Robison
  • Publication number: 20230252195
    Abstract: Methods and systems for securing data processing systems are disclosed. A data processing system may be operably connected to other devices via ports. When operably connected, some devices connected via the ports may cause undesired actions to be performed. To limit physical access to the ports, a security apparatus may be used to lock the ports. The security apparatus may transition between states where it may be inserted into openings for the ports and may be locked to the openings for the ports. When so locked, physical access to the ports may be limited.
    Type: Application
    Filed: March 3, 2023
    Publication date: August 10, 2023
    Inventors: Jason Scott MORRISON, Nicholas D. GROBELNY, Mark Andrew SCHWAGER