Patents by Inventor Prashant Dewan
Prashant Dewan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12609818
Abstract: Techniques for encrypting data using a key generated by a physical unclonable function (PUF) or a virtual PUF key are described. An apparatus according to the present disclosure may include decoder circuitry to decode an instance of a single instruction having a field for an opcode to indicate that execution circuitry is to encrypt at least encrypt secret information from an input data structure with either a physical unclonable function (PUF) generated encryption key or a virtual PUF key, bind the wrapped secret information to an identified target, update the input data structure, generate a MAC over the updated data structure, store the MAC in the input data structure to generate a wrapped output data structure, store the wrapped output data structure having the encrypted secret information and an indication of the target.
Type: Grant
Filed: September 25, 2021
Date of Patent: April 21, 2026
Assignee: Intel Corporation
Inventors: Siddhartha Chhabra, Vedvyas Shanbhogue, Prashant Dewan, Baiju Patel
-
Patent number: 12578956
Abstract: A method of handling a firmware update for a device is disclosed, comprising: determining a device to be in an updatable state; setting the device into an updating state after determining the updatable state; and after the device is in the updating state, writing a firmware update to memory for the device. After writing the firmware update, the device is switchable to a working state in which the device operates based on the firmware update.
Type: Grant
Filed: November 11, 2021
Date of Patent: March 17, 2026
Assignee: Intel Corporation
Inventors: Nivedita Aggarwal, Prashant Dewan, Subrata Banik, Ofir Shwartz, Baiju V. Patel, Yazan Siam, Kumar Dwarakanath, Vincent Zimmer
-
Publication number: 20260067066
Abstract: Systems and methods are provided for implementing a cluster-wide root secret (“CWRS”) key for distributed node clusters. In a multi-node cluster, a leader node has a leader node security system that generates the CWRS key, which is a common secret key for all workloads (e.g., containers or VMs) in the multi-node cluster. The leader node security system encrypts the generated CWRS key using a public key and/or a bootstrap key received from a non-leader node that requests the CWRS key. In examples, the leader node security system signs the encrypted CWRS key using its private key for subsequent verification, by the requesting non-leader node, that the CWRS key was generated by the leader node security system. The CWRS thus encrypted can be securely sent to the requesting non-leader node for subsequent encryption or decryption of secret data by the security system of the non-leader node.
Type: Application
Filed: September 19, 2025
Publication date: March 5, 2026
Applicant: Microsoft Technology Licensing, LLC
Inventors: Prashant DEWAN, Andreea Mihaela PINTILIE, Mark Andrew CAWSTON, Kaloyan Aleksandro ALEKSIEV
-
Patent number: 12549380
Abstract: Examples of the present disclosure describe systems and methods for improved security in hybrid infrastructure. A signing authority verifies its identity to an identity and access management (IAM) service and verify that it is running on a healthy node to the IAM service before the IAM service issues an intermediate signing certificate to the signing authority. A workload verifies its identity to the signing authority and verifies that the workload is running on a healthy node to the signing authority before the signing authority issues a token to the workload. Additionally, the signing authority binds the token to the edge infrastructure associated with the provider of the token request. Workloads, storage, or other cloud endpoints verify the identity of other workloads and verify the health of the node that the other workloads are running on before granting access.
Type: Grant
Filed: May 24, 2024
Date of Patent: February 10, 2026
Assignee: Microsoft Technology Licensing, LLC
Inventors: Shayak Lahiri, Narasimhan Ramasubramanian, Pranav Kukreja, Prashant Dewan
-
Publication number: 20260032123
Abstract: Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.
Type: Application
Filed: October 6, 2025
Publication date: January 29, 2026
Applicant: Intel Corporation
Inventors: Hong C. Li, John B. Vicente, Prashant Dewan
-
Patent number: 12518026
Abstract: Methods and apparatus relating to a Converged Cryptographic Engine (CCE) for storage encryption are described. In an embodiment, decode circuitry decodes an instruction to determine whether Converged Cryptographic Engine (CCE) circuitry is enabled. Execution circuitry executes the instruction to program a plurality of keys in response to the CCE circuitry being enabled. The CCE circuitry performs all encryption and all decryption of data to be transferred between a memory and a storage device based at least in part on at least one of the plurality of keys. Other embodiments are also disclosed and claimed.
Type: Grant
Filed: December 23, 2020
Date of Patent: January 6, 2026
Assignee: Intel Corporation
Inventors: Siddhartha Chhabra, Prashant Dewan, Baiju Patel
-
Publication number: 20250365159
Abstract: Examples of the present disclosure describe systems and methods for improved security in hybrid infrastructure. A signing authority verifies its identity to an identity and access management (IAM) service and verify that it is running on a healthy node to the IAM service before the IAM service issues an intermediate signing certificate to the signing authority. A workload verifies its identity to the signing authority and verifies that the workload is running on a healthy node to the signing authority before the signing authority issues a token to the workload. Additionally, the signing authority binds the token to the edge infrastructure associated with the provider of the token request. Workloads, storage, or other cloud endpoints verify the identity of other workloads and verify the health of the node that the other workloads are running on before granting access.
Type: Application
Filed: May 24, 2024
Publication date: November 27, 2025
Applicant: Microsoft Technology Licensing, LLC
Inventors: Shayak LAHIRI, Narasimhan RAMASUBRAMANIAN, Pranav KUKREJA, Prashant DEWAN
-
Patent number: 12481504
Abstract: Apparatus and method for secure instruction set execution, emulation, monitoring, and prevention. A processor embodiment includes registers, evaluator, and execution unit. The registers are to store rules which specify actions to be taken with respect to one or more instructions. The evaluator is to detect a request to execute a first instruction and to evaluate the first instruction based on the rules stored in the one or more registers. The evaluator is further to block execution of the first instruction when a first rule corresponding to the first instruction specifies that execution of the first instruction is prohibited, and to allow execution of the first instruction when there is no rule in the one or more registers specifying that the execution of the first instruction is prohibited. The execution unit is to execute the first instruction when the evaluator allows execution of the first instruction.
Type: Grant
Filed: December 22, 2020
Date of Patent: November 25, 2025
Assignee: INTEL CORPORATION
Inventors: Rajesh Poornachandran, Vincent Zimmer, Prashant Dewan
-
Patent number: 12481600
Abstract: Techniques for memory assisted inline encryption/decryption are described. An example includes an encryption data structure engine to provide a key, data, and a tweak to the encryption/decryption engine, wherein the encryption data structure engine is to: read an index value from an encryption data structure lookup data structure entry using an address, the entry to include the index value and a guest page physical address (GPPA), retrieve, based on the index value, an entry from the encryption data structure, the entry to include a logical block address (LBA) base, a key identifier, and at least one GPPA in a sequence of GPPAs, generate a LBA using a position of the GPPA from the encryption data structure lookup data structure entry in the sequence of GPPAs, and retrieve a key based on the key identifier, wherein the encryption engine to encrypt data using the retrieved key, and the generated LBA.
Type: Grant
Filed: September 25, 2021
Date of Patent: November 25, 2025
Assignee: Intel Corporation
Inventors: Avishay Snir, Ziv Chai, Siddhartha Chhabra, Prashant Dewan, Baiju Patel
-
Publication number: 20250342255
Abstract: Examples of the present disclosure describe devices, systems, and methods for dynamically validating a device's firmware. In examples, an attestation system receives from a platform an attestation report populated with information about components in the platform. The attestation system parses the attestation report to identify web service endpoints associated with a component of the components and initializes a connection with an endpoint of the endpoints. The attestation service receives over the connection a response from the endpoint that includes a code to evaluate the validity of firmware in the component. The attestation service evaluates and confirms the validity of the firmware and transfers the response to the component.
Type: Application
Filed: May 3, 2024
Publication date: November 6, 2025
Applicant: Microsoft Technology Licensing, LLC
Inventor: Prashant DEWAN
-
Publication number: 20250330470
Abstract: Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.
Type: Application
Filed: March 14, 2025
Publication date: October 23, 2025
Applicant: Intel Corporation
Inventors: Hong C. Li, John B. Vicente, Prashant Dewan
-
Patent number: 12445268
Abstract: Systems and methods are provided for implementing a cluster-wide root secret (“CWRS”) key for distributed node clusters. In a multi-node cluster, a leader node has a leader node security system that generates the CWRS key, which is a common secret key for all workloads (e.g., containers or VMs) in the multi-node cluster. The leader node security system encrypts the generated CWRS key using a public key and/or a bootstrap key received from a non-leader node that requests the CWRS key. In examples, the leader node security system signs the encrypted CWRS key using its private key for subsequent verification, by the requesting non-leader node, that the CWRS key was generated by the leader node security system. The CWRS thus encrypted can be securely sent to the requesting non-leader node for subsequent encryption or decryption of secret data by the security system of the non-leader node.
Type: Grant
Filed: June 29, 2023
Date of Patent: October 14, 2025
Assignee: Microsoft Technology Licensing, LLC
Inventors: Prashant Dewan, Andreea Mihaela Pintilie, Mark Andrew Cawston, Kaloyan Aleksandro Aleksiev
-
Patent number: 12353520
Abstract: Methods, apparatuses and system provide for technology that interleaves a plurality of verification commands with a plurality of copy commands in a command buffer, wherein each copy command includes a message authentication code (MAC) derived from a master session key, wherein one or more of the plurality of verification commands corresponds to a copy command in the plurality of copy commands, and wherein a verification command at an end of the command buffer corresponds to contents of the command buffer. The technology may also add a MAC generation command to the command buffer, wherein the MAC generation command references an address of a compute result.
Type: Grant
Filed: December 23, 2020
Date of Patent: July 8, 2025
Assignee: Intel Corporation
Inventors: Ned M. Smith, Gaurav Kumar, Alex Nayshtut, Reshma Lal, Prashant Dewan, Pradeep Pappachan, Rajesh Poornachandran, Omer Ben-Shalom
-
Publication number: 20250117503
Abstract: The disclosed embodiments are generally directed to inline encryption of data at line speed at a chip interposed between two memory components. The inline encryption may be implemented at a System-on-Chip (“SOC” or “SOC”). The memory components may comprise Non-Volatile Memory express (NVMe) and a dynamic random access memory (DRAM). An exemplary device includes an SOC to communicate with a Non-Volatile Memory NVMe circuitry to provide direct memory access (DMA) to an external memory component. The SOC may include: a cryptographic controller circuitry; a cryptographic memory circuitry in communication with the cryptographic controller, the cryptographic memory circuitry configured to store instructions to encrypt or decrypt data transmitted through the SOC; and an encryption engine in communication with the crypto controller circuitry, the encryption engine configured to encrypt or decrypt data according to instructions stored at the crypto memory circuitry. Other embodiments are also disclosed and claimed.
Type: Application
Filed: October 29, 2024
Publication date: April 10, 2025
Applicant: Intel Corporation
Inventors: Prashant Dewan, Baiju Patel
-
Patent number: 12255897
Abstract: Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.
Type: Grant
Filed: September 29, 2023
Date of Patent: March 18, 2025
Assignee: INTEL CORPORATION
Inventors: Hong C. Li, John B. Vicente, Prashant Dewan
-
Patent number: 12229270
Abstract: An apparatus to facilitate permissions at a computing system platform is disclosed. The apparatus includes a plurality of agents, each including a non-volatile memory storing firmware executed to perform a function associated with the agent and attestation hardware to detect an update at the computing system platform, generate a cryptographic key associated with each of the plurality of agents, perform an attestation with a relying party using the generated cryptographic keys and receive a tuple associated with each of the plurality of agents, wherein a tuple includes one or more permissions indicating platform resources an agent is permitted to access.
Type: Grant
Filed: December 13, 2023
Date of Patent: February 18, 2025
Assignee: INTEL CORPORATION
Inventors: Prashant Dewan, Nivedita Aggarwal
-
Publication number: 20250007735
Abstract: Systems and methods are provided for implementing a cluster-wide root secret (“CWRS”) key for distributed node clusters. In a multi-node cluster, a leader node has a leader node security system that generates the CWRS key, which is a common secret key for all workloads (e.g., containers or VMs) in the multi-node cluster. The leader node security system encrypts the generated CWRS key using a public key and/or a bootstrap key received from a non-leader node that requests the CWRS key. In examples, the leader node security system signs the encrypted CWRS key using its private key for subsequent verification, by the requesting non-leader node, that the CWRS key was generated by the leader node security system. The CWRS thus encrypted can be securely sent to the requesting non-leader node for subsequent encryption or decryption of secret data by the security system of the non-leader node.
Type: Application
Filed: June 29, 2023
Publication date: January 2, 2025
Applicant: Microsoft Technology Licensing, LLC
Inventors: Prashant DEWAN, Andreea Mihaela PINTILIE, Mark Andrew CAWSTON, Kaloyan Aleksandro ALEKSIEV
-
Patent number: 12184761
Abstract: Validating proof of possession (POP) of a private key by a device. A computer system generates a provisioning package for a device catalog. The provisioning package including a POP challenge. After generating the provisioning package, the computer system receives a device activation request for a device. The device activation request includes a public key, a device identifier, and a signature. The computer system validates POP of a private key corresponding to the public key, including using the public key, the device identifier, and the POP challenge to cryptographically verify the signature. The computer system establishes a trust relationship with the device, including registering the public key and the device identifier into the device catalog.
Type: Grant
Filed: June 22, 2022
Date of Patent: December 31, 2024
Assignee: Microsoft Technology Licensing, LLC
Inventors: Andres Felipe Borja Jaramillo, Jeremy Joseph Corley, Tolga Acar, Prashant Dewan
-
Patent number: 12177343
Abstract: Systems, methods, and apparatuses for providing chiplet binding to a disaggregated architecture for a system on a chip are described. In one embodiment, system includes a plurality of physically separate dies, an interconnect to electrically couple the plurality of physically separate dies together, a first die-to-die communication circuit, of a first die of the plurality of physically separate dies, comprising a transmitter circuit and an encryption circuit having a link key to encrypt data to be sent from the transmitter circuit into encrypted data, and a second die-to-die communication circuit, of a second die of the plurality of physically separate dies, comprising a receiver circuit and a decryption circuit having the link key to decrypt the encrypted data sent from the transmitter circuit to the receiver circuit.
Type: Grant
Filed: June 25, 2021
Date of Patent: December 24, 2024
Assignee: Intel Corporation
Inventors: Baiju Patel, Siddhartha Chhabra, Prashant Dewan, Ofir Shwartz
-
Patent number: 12164650
Abstract: The disclosed embodiments are generally directed to inline encryption of data at line speed at a chip interposed between two memory components. The inline encryption may be implemented at a System-on-Chip (“SOC” or “SOC”). The memory components may comprise Non-Volatile Memory express (NVMe) and a dynamic random access memory (DRAM). An exemplary device includes an SOC to communicate with a Non-Volatile Memory NVMe circuitry to provide direct memory access (DMA) to an external memory component. The SOC may include: a cryptographic controller circuitry; a cryptographic memory circuitry in communication with the cryptographic controller, the cryptographic memory circuitry configured to store instructions to encrypt or decrypt data transmitted through the SOC; and an encryption engine in communication with the crypto controller circuitry, the encryption engine configured to encrypt or decrypt data according to instructions stored at the crypto memory circuitry. Other embodiments are also disclosed and claimed.
Type: Grant
Filed: September 22, 2021
Date of Patent: December 10, 2024
Assignee: Intel Corporation
Inventors: Prashant Dewan, Baiju Patel