Abstract: Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

Abstract: An apparatus to verify firmware in a computing system, comprising a non-volatile memory, including firmware memory to store agent firmware associated with each of a plurality of interconnect protocol (IP) agents and version memory to store security version numbers (SVNs) included in the agent firmware, a security controller comprising verifier logic to verify an integrity of the version memory by applying a hash algorithm to contents of the version memory to generate a SVN hash, and a trusted platform module (TPM) to store the SVN hash.

Abstract: The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modern data central processor units (CPUs).

Abstract: According to examples, an apparatus may include a processor that may send, to a measurements manager (MM), a first measurement for the processor, cause a hardware and/or a software to send a second measurement to the MM, and cause a virtual machine (VM) to send a third measurement to the MM. The processor may also cause the MM to accumulate the first measurement, the second measurement, and the third measurement and cause the MM to output the accumulated measurements from the MM for attestation of the processor, the hardware and/or the software, the VM, or a combination thereof.

Abstract: An apparatus to collect firmware measurement data at a computing system is disclosed. The apparatus includes a plurality of agents, each including a non-volatile memory storing firmware executed to perform a function associated with the agent, verification logic to generate measurement data by verifying the integrity of the firmware and a register to store the measurement data, and a processor to execute an instruction to collect firmware measurement data from each of the plurality of agents.

Abstract: Various embodiments are generally directed to techniques to enforce policies for computing platform resources, such as to prevent denial of service (DoS) attacks on the computing platform resources. Some embodiments are particularly directed to ISA instructions that allow trusted software/applications to securely enforce policies on a platform resource/device while allowing untrusted software to control allocation of the platform resource. In many embodiments, the ISA instructions may enable secure communication between a trusted application and a platform resource. In several embodiments, a first ISA instruction implemented by microcode may enable a trusted application to wrap policy information for secure transmission through an untrusted stack.

Abstract: Methods and apparatus relating to cryptographic protection of memory attached over interconnects are described. In an embodiment, memory stores data and a processor having execution circuitry executes an instruction to program an inline memory expansion logic and a host memory encryption logic with one or more cryptographic keys. The inline memory expansion logic encrypts the data to be written to the memory and decrypts encrypted data to be read from the memory. The memory is coupled to the processor via an interconnect endpoint of a system fabric. Other embodiments are also disclosed and claimed.

Abstract: An apparatus to facilitate permissions at a computing system platform is disclosed. The apparatus includes a plurality of agents, each including a non-volatile memory storing firmware executed to perform a function associated with the agent and attestation hardware to detect an update at the computing system platform, generate a cryptographic key associated with each of the plurality of agents, perform an attestation with a relying party using the generated cryptographic keys and receive a tuple associated with each of the plurality of agents, wherein a tuple includes one or more permissions indicating platform resources an agent is permitted to access.

Abstract: Validating proof of possession (POP) of a private key by a device. A computer system generates a provisioning package for a device catalog. The provisioning package including a POP challenge. After generating the provisioning package, the computer system receives a device activation request for a device. The device activation request includes a public key, a device identifier, and a signature. The computer system validates POP of a private key corresponding to the public key, including using the public key, the device identifier, and the POP challenge to cryptographically verify the signature. The computer system establishes a trust relationship with the device, including registering the public key and the device identifier into the device catalog.

Abstract: An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.

Abstract: Methods and apparatus relating to cryptographic protection of memory attached over interconnects are described. In an embodiment, memory stores data and a processor having execution circuitry executes an instruction to program an inline memory expansion logic and a host memory encryption logic with one or more cryptographic keys. The inline memory expansion logic encrypts the data to be written to the memory and decrypts encrypted data to be read from the memory. The memory is coupled to the processor via an interconnect endpoint of a system fabric. Other embodiments are also disclosed and claimed.

Abstract: An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.

Abstract: In one example, a system for asymmetric device attestation includes a physically unclonable function (PUF) configured to generate a response to a challenge. A pseudo-random number generator generates a set of random numbers based on the response. A key generator determines co-prime numbers in the set of random numbers and generates a key pair using the co-prime numbers, wherein the public key is released to a manufacturer of the component for attestation of authenticity of the component. Through extending the PUF circuitry with a pseudo-random number generator, the present techniques are able to withstand unskilled and skilled hardware attacks, as the secret derived from the PUF is immune to extraction.

Abstract: Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

Abstract: Computing platform security methods and apparatus are disclosed. An example apparatus includes a graphics processor; and a graphics driver to facilitate access to the graphics processor, the graphics driver including: an authenticator to establish a trusted channel between the graphics driver and an application driver via mutual authentication of the graphics driver and the application driver; an offloader to offload a computing task to the graphics processor via the trusted channel, the computing task associated with the application driver; and a hypervisor to monitor memory associated with the offloaded computing task for an unauthorized access attempt.

Abstract: An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.

Abstract: An apparatus to implement an IP independent secure firmware load into an IP agent without a ROM to establish hardware root of trust is disclosed. The apparatus includes a plurality of agents, at least one agent including an isolated memory region accessible only to a trusted entity of the at least one agent and a main memory, and a processor to allocate a section of the isolated memory region of the at least one agent, verify a first stage firmware module, the first stage firmware module comprising instructions to enable the at least one agent to load and verify a second stage firmware module, place the first stage firmware module into memory of the at least one agent without a ROM to establish the hardware root of trust.

Abstract: Technologies disclosed herein provide a method for receiving at a device from a remote server, a request for state information from a first processor of the device, obtaining the state information from one or more registers of the first processor based on a request structure indicated by a first instruction of a software program executing on the device, and generating a response structure based, at least in part, on the obtained state information. The method further includes using a cryptographic algorithm and a shared key established between the device and the remote server to generate a signature based, at least in part, on the response structure, and communicating the response structure and the signature to the remote server. In more specific embodiments, both the response structure and the request structure each include a same nonce value.

Abstract: Methods and apparatus relating to Organic Light Emitting Diode (OLED) compensation based on protected content are described. In an embodiment, secure memory stores data that is only accessible by trusted logic. Display controller logic circuitry updates pixel values to be stored in the secure memory based on a plurality of frames. The display controller logic circuitry allows access by untrusted software to the updated pixel values after a first number of updates to the pixel values stored in the secure memory. Other embodiments are also disclosed and claimed.

Abstract: An apparatus and method for efficient microcode patching.