Abstract: Technologies for end-to-end biometric-based authentication and locality assertion include a computing device with one or more biometric devices. The computing device may securely exchange a key between a driver and a secure enclave. The driver may receive biometric data from the biometric sensor in a virtualization-protected memory buffer and encrypt the biometric data with the shared key. The secure enclave may decrypt the biometric data and perform a biometric authentication operation. The computing device may measure a virtual machine monitor (VMM) to generate attestation information for the VMM. A secure enclave may execute a virtualization report instruction to request the attestation information. The processor may copy the attestation information into the secure enclave memory. The secure enclave may verify the attestation information with a remote attestation server. If verified, the secure enclave may provide a shared secret to the VMM. Other embodiments are described and claimed.

Abstract: Disclosed in some examples are devices, methods, and machine-readable mediums for reliable control of IR LEDs. In some examples, a microcontroller running firmware controls whether the LED is activated or not by use of a disable signal. The microcontroller enables or disables the operation of the LED based upon a user's proximity to the LED, a watchdog timer, and a confirmation that only trusted software is executing.

Abstract: A hardware platform includes a nonvolatile storage device that can store system firmware as well as code for the primary operating system for the hardware platform. The hardware platform includes a controller that determines the hardware platform lacks functional firmware to boot the primary operating system from the storage device. The controller accesses a firmware image from an external interface that interfaces a device external to the hardware platform, where the external device is a firmware image source. The controller provisions the firmware from the external device to the storage device and initiates a boot sequence from the provisioned firmware.

Abstract: Systems, apparatuses and methods may provide for verifying, from outside a trusted computing base of a computing system, an identity an enclave instance prior to the enclave instance being launched in the trusted computing base, determining a memory location of the enclave instance and confirming that the memory location is local to the computing system. In one example, the enclave instance is a proxy enclave instance, wherein communications are conducted with one or more additional enclave instances in the trusted computing base via the proxy enclave instance and an unencrypted channel.

Abstract: Technologies for end-to-end biometric-based authentication and locality assertion include a computing device with one or more biometric devices. The computing device may securely exchange a key between a driver and a secure enclave. The driver may receive biometric data from the biometric sensor in a virtualization-protected memory buffer and encrypt the biometric data with the shared key. The secure enclave may decrypt the biometric data and perform a biometric authentication operation. The computing device may measure a virtual machine monitor (VMM) to generate attestation information for the VMM. A secure enclave may execute a virtualization report instruction to request the attestation information. The processor may copy the attestation information into the secure enclave memory. The secure enclave may verify the attestation information with a remote attestation server. If verified, the secure enclave may provide a shared secret to the VMM. Other embodiments are described and claimed.

Abstract: One embodiment provides an apparatus. The apparatus includes an input output memory management unit (I/O MMU), a non-secure operating system (OS) driver, a secure OS driver and a virtual machine monitor (VMM). The I/OMMU is to couple an I/O Controller to a memory. The I/O Controller is coupled to a secure device and a non-secure device and has one I/O Controller identifier. The non-secure OS driver is associated with the non-secure device. The secure OS driver is associated with the secure device. The VMM is to allocate a secure address space to a secure OS and a non-secure address space to a non-secure OS. The secure address space is non-overlapping with the non-secure address space.

Abstract: Disclosed in some examples are devices, methods, and machine-readable mediums for reliable control of IR LEDs. In some examples, a microcontroller running firmware controls whether the LED is activated or not by use of a disable signal. The microcontroller enables or disables the operation of the LED based upon a user's proximity to the LED, a watchdog timer, and a confirmation that only trusted software is executing.

Abstract: Technologies for end-to-end biometric-based authentication and locality assertion include a computing device with one or more biometric devices. The computing device may securely exchange a key between a driver and a secure enclave. The driver may receive biometric data from the biometric sensor in a virtualization-protected memory buffer and encrypt the biometric data with the shared key. The secure enclave may decrypt the biometric data and perform a biometric authentication operation. The computing device may measure a virtual machine monitor (VMM) to generate attestation information for the VMM. A secure enclave may execute a virtualization report instruction to request the attestation information. The processor may copy the attestation information into the secure enclave memory. The secure enclave may verify the attestation information with a remote attestation server. If verified, the secure enclave may provide a shared secret to the VMM. Other embodiments are described and claimed.

Abstract: An apparatus is described herein. The apparatus includes a Universal Serial Bus (USB) component and a controller interface. The controller interface is to allocate register space for interfacing with the USB component and the USB component is virtualized into multiple instantiations. The apparatus also includes a secure environment, and the secure environment further virtualizes the multiple instantiations such that the multiple instantiations are owned by the secure environment.

Abstract: Disclosed in some examples are devices, methods, and machine-readable mediums for reliable control of IR LEDs. In some examples, a microcontroller running firmware controls whether the LED is activated or not by use of a disable signal. The microcontroller enables or disables the operation of the LED based upon a user's proximity to the LED, a watchdog timer, and a confirmation that only trusted software is executing.

Abstract: Systems and techniques for privacy protected input-output port control are described herein. In an example, an indication may be obtained that a protected port is disabled. A set of application attributes stored in a secure memory location may be compared to a set of attested application attributes to create a verification flag. At least one port attribute of the protected port may be obtained based on the verification flag. The protected port may be enabled using the at least one port attribute. Other examples, for controlling an input-output port using computer firmware and trusted execution techniques are further disclosed.

Abstract: One embodiment provides an apparatus. The apparatus includes an input output memory management unit (I/O MMU), a non-secure operating system (OS) driver, a secure OS driver and a virtual machine monitor (VMM). The I/OMMU is to couple an I/O Controller to a memory. The I/O Controller is coupled to a secure device and a non-secure device and has one I/O Controller identifier. The non-secure OS driver is associated with the non-secure device. The secure OS driver is associated with the secure device. The VMM is to allocate a secure address space to a secure OS and a non-secure address space to a non-secure OS. The secure address space is non-overlapping with the non-secure address space.

Abstract: This application is directed to trusted platform module certification and attestation utilizing an anonymous key system. In general, TPM certification and TPM attestation may be supported in a device utilizing integrated TPM through the use of anonymous key system (AKS) certification. An example device may comprise at least combined AKS and TPM resources that load AKS and TPM firmware (FW) into a runtime environment that may further include at least an operating system (OS) encryption module, an AKS service module and a TPM Certification and Attestation (CA) module. For TPM certification, the CA module may interact with the other modules in the runtime environment to generate a TPM certificate, signed by an AKS certificate, that may be transmitted to a certification platform for validation. For TPM attestation, the CA module may cause TPM credentials to be provided to the attestation platform for validation along with the TPM and/or AKS certificates.

Abstract: Embodiments are directed to managing access to input/output devices by virtual machines (VMs). A first VM and a second VM are implemented. An I/O device controller driver has a first driver portion in the first VM and a second driver portion in the second VM. The first driver portion includes a configuration engine to configure the I/O device controller with I/O device-VM mappings, where a first I/O device is mapped exclusively to the first VM, and a second I/O device is mapped to at least the second VM. The second VM includes a general processing engine to call for I/O devices via the second driver portion, and in response to a call by the general processing engine for access to the first I/O device the second driver portion is to send an access request to the first driver portion.

Abstract: A repair engine for a computing platform is separate from the repeatedly-rewritten storage components for software and firmware. For example, the repair engine may reside in ROM or hardware logic. Through dedicated connections to one or more controllers, the repair engine detects when any of the platform's dual-role ports (e.g., on-the-go USB ports) is connected to a host device. The repair engine responds by opening firmware-independent communication with the host device and supporting the downloading and execution (DnX) of a firmware image from the host. Because the communication is initiated independently of the firmware, even a catastrophic firmware failure is repairable without requiring a user to identify and use a specially modified port.

Abstract: Provided are a system, memory controller, and method for using counters and a table to protect data in a storage device. Upon initiating operations to modify a file in the storage device, a storage write counter is incremented in response to initiating the operations to modify the file. In response to incrementing the storage write counter, write table operations are initiated including setting a table write counter to a storage write counter and setting a table commit counter to the storage commit counter plus a value. The operation to modify the file in response to completing the write table operations. The system commit counter is incremented by the value in response to completing the operation to modify the file.

Abstract: A hardware platform includes a nonvolatile storage device that can store system firmware as well as code for the primary operating system for the hardware platform. The hardware platform includes a controller that determines the hardware platform lacks functional firmware to boot the primary operating system from the storage device. The controller accesses a firmware image from an external interface that interfaces a device external to the hardware platform, where the external device is a firmware image source. The controller provisions the firmware from the external device to the storage device and initiates a boot sequence from the provisioned firmware.

Abstract: Embodiments are directed to managing access to input/output devices by virtual machines (VMs). A first VM and a second VM are implemented. An I/O device controller driver has a first driver portion in the first VM and a second driver portion in the second VM. The first driver portion includes a configuration engine to configure the I/O device controller with I/O device-VM mappings, where a first I/O device is mapped exclusively to the first VM, and a second I/O device is mapped to at least the second VM. The second VM includes a general processing engine to call for I/O devices via the second driver portion, and in response to a call by the general processing engine for access to the first I/O device the second driver portion is to send an access request to the first driver portion.

Abstract: Systems, apparatuses and methods may provide for verifying, from outside a trusted computing base of a computing system, an identity an enclave instance prior to the enclave instance being launched in the trusted computing base, determining a memory location of the enclave instance and confirming that the memory location is local to the computing system. In one example, the enclave instance is a proxy enclave instance, wherein communications are conducted with one or more additional enclave instances in the trusted computing base via the proxy enclave instance and an unencrypted channel.

Abstract: Systems and techniques for privacy protected input-output port control are described herein. In an example, an indication may be obtained that a protected port is disabled. A set of application attributes stored in a secure memory location may be compared to a set of attested application attributes to create a verification flag. At least one port attribute of the protected port may be obtained based on the verification flag. The protected port may be enabled using the at least one port attribute. Other examples, for controlling an input-output port using computer firmware and trusted execution techniques are further disclosed.