Abstract: Embodiments detailed herein relate to techniques which enable the creation of secure point-to-point interconnect communication channels between hardware components which may be independently manufactured and arbitrarily paired with one another in a computer system. Also detailed herein is instruction support for dynamically enabling and disabling the security of a point-to-point interconnect link.

Abstract: Technologies for secure memory usage include a computing device having a processor that includes a memory encryption engine and a memory device coupled to the processor. The processor supports multiple processor usages, such as secure enclaves, system management firmware, and a virtual machine monitor. The memory encryption engine is configured to protect a memory region stored in the memory device for a processor usage. The memory encryption engine restricts access to one or more configuration registers to a trusted code base of the processor usage. The processor executes the processor usage and the memory encryption engine protects contents of the memory region during execution. The memory encryption engine may access integrity metadata based on the address of the protected memory region. The memory encryption engine may prepare top-level counter metadata for entering a low-power state. Other embodiments are described and claimed.

Abstract: A technique to enable secure application and data integrity within a computer system. In one embodiment, one or more secure enclaves are established in which an application and data may be stored and executed.

Abstract: In embodiments, an apparatus to enforce secure display view for trusted transactions may include a first input interface to receive from an application, via a trusted execution environment (TEE), viewport size data and an identifier of a display associated with a secure display of a trusted transaction; and a second input interface to receive from the application, via an untrusted execution environment, an encrypted transaction bitmap associated with the trusted transaction, to be securely displayed on the display; and an enforcement engine coupled to the first input interface and the second input interface, to verify that the size and location of the transaction bitmap are within the viewport to ensure the secure display of the transaction bitmap. In embodiments, after verification of the size and location of the transaction bitmap being within the viewport, the transaction bitmap may be displayed.

Abstract: Various embodiments are generally directed to techniques to enforce policies for computing platform resources, such as to prevent denial of service (DoS) attacks on the computing platform resources. Some embodiments are particularly directed to ISA instructions that allow trusted software/applications to securely enforce policies on a platform resource/device while allowing untrusted software to control allocation of the platform resource. In many embodiments, the ISA instructions may enable secure communication between a trusted application and a platform resource. In several embodiments, a first ISA instruction implemented by microcode may enable a trusted application to wrap policy information for secure transmission through an untrusted stack.

Abstract: Technologies disclosed herein provide a method for receiving at a device from a remote server, a request for state information from a first processor of the device, obtaining the state information from one or more registers of the first processor based on a request structure indicated by a first instruction of a software program executing on the device, and generating a response structure based, at least in part, on the obtained state information. The method further includes using a cryptographic algorithm and a shared key established between the device and the remote server to generate a signature based, at least in part, on the response structure, and communicating the response structure and the signature to the remote server. In more specific embodiments, both the response structure and the request structure each include a same nonce value.

Abstract: Apparatuses, methods and storage mediums associated with updating firmware of a component of a computer platform, are disclosed herein. In some embodiments, a processor includes an instruction decoder; and a storage having microcode arranged to implement an instruction to verify updates to firmware of a component of a computer platform hosting the processor and the component. The computer platform may include a component firmware update manager. The firmware of a component may include a firmware update plug-in. Other embodiments are also described, and may be claimed.

Abstract: A data processing system with technology to secure a virtual machine control data structure (VMCDS) comprises random access memory (RAM) and a processor in communication with the RAM. The processor comprises virtualization technology that enables the processor to run a virtual machine monitor (VMM) in the data processing system and to run guest software in a virtual machine (VM) that is managed by the VMM. The VM is based at least in part on a VMCDS for the VM. An instruction decoder in the processor recognizes and dispatches a set-mask instruction. The set-mask instruction specifies access restrictions to be imposed on the VMM with respect to the VMCDS of the VM. The processor also comprises a mask enforcer to automatically enforce the access restrictions specified by the set-mask instruction, in response to an attempt by the VMM to access the VMCDS of the VM. Other embodiments are described and claimed.

Abstract: Technologies disclosed herein provide an apparatus comprising a sensor including a first processor configured to execute first instructions to identify, based on an index, a first encrypted key of a first set of encrypted keys, identify, based on the index, a second encrypted key of a second set of encrypted keys, and extract a first trusted symmetric key from the first encrypted key using a first decryption algorithm and a first decryption key. The apparatus further comprises a computing platform coupled to the sensor and including a memory element and a processor configured to execute second instructions stored in the memory element to receive the second encrypted key from the sensor and extract a second trusted symmetric key from the second encrypted key using a second decryption algorithm and a second decryption key, where the first trusted symmetric key matches the second trusted symmetric key.

Abstract: The present disclosure is directed to secure processing and display of protected content. The use of a trusted execution environment (TEE) to handle authentication and session key negotiation in accordance with a selected content protection protocol may reduce any trusted computing base (TCB) needed for such operations, and thereby present a smaller target for potential attackers. Techniques are presented in which a session key negotiated via such a TEE is securely provided to output circuitry such as a display controller, which may encrypt protected content that has been requested for viewing on a protocol-compliant display device communicatively coupled to a device comprising the TEE and/or the output circuitry. The output circuitry may then provide the encrypted protected content to the protocol-compliant display device, such as for compliant display of the protected content.

Abstract: The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modern data central processor units (CPUs).

Abstract: Embodiments of an invention for an interface between a device and a secure processing environment are disclosed. In one embodiment, a system includes a processor, a device, and an interface plug-in. The processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to create a secure processing environment. The execution unit is to execute an application in the secure processing environment. The device is to execute a workload for the application. The interface plug-in is to provide an interface for the device to enter the secure processing environment to execute the workload.

Abstract: Technologies for protecting virtual machine memory of a compute device include a virtual machine (VM) instantiated on the compute device, a virtual machine monitor (VMM) established on the compute device to control operation of the VM, a secured memory, and a memory manager. The memory manager receives a memory access request that includes a virtual linear address (LA) from the VM and performs a translation of the LA to a translated host physical address (HPA) of the compute device using one or more page tables associated with the VM and VMM. The memory manager determines whether a secured translation mapping of LA-to-HPA that corresponds to the LA is locked. If the mapping is locked, the memory manager verifies the translation based on a comparison of the translated HPA to a HPA translated using the secured translation mapping and, if verified, performs the memory access request using the translated HPA.

Abstract: A method for speaker recognition, an electronic device and a speaker recognition system are disclosed. An example method includes receiving speech data corresponding to one or more utterances from a plurality of speakers that include a plurality of voice features. A plurality of variability factors is extracted from the speech data. The dimensionality of the plurality of variability factors is reduced using a non parametric analysis, thereby generating dimensionality reduced features. A score space is defined based at least on the dimensionality reduced features.

Abstract: Technologies for dynamically protecting memory of the mobile compute device include a main memory, a location sensor that produces sensor data indicative of a present location of the mobile compute device, a sensor hub communicatively coupled to the location sensor, and a security engine communicatively coupled to the sensor hub. The sensor hub determines a present location security zone of the mobile compute device based on the present location of the mobile compute device and a geofence policy, which maps locations to location security zones. The security engine encrypts the main memory of the mobile compute device and determines whether the present location security zone has changed relative to a most-previous location security zone of the mobile compute device. If the present location security zone has changed to a safe zone, the security engine decrypts the main memory.

Abstract: A technique to enable secure application and data integrity within a computer system. In one embodiment, one or more secure enclaves are established in which an application and data may be stored and executed.

Abstract: Methods and apparatus are disclosed to provide for security within a network enclave. In one embodiment authentication logic initiates authentication with a central network authority. Packet processing logic receives a key and an identifier from the central network authority. Security protocol logic then establishes a client-server security association through a communication that includes a client identifier and an encrypted portion and/or an authorization signature, wherein a client authorization key allocated by the central network authority can be reproduced by a server, other than said central network authority, from the client identifier and a derivation key provided to the server by the central network authority to decrypt the encrypted portion and/or to validate the communication using the authorization signature.

Abstract: Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

Abstract: Computing platform security methods and apparatus are disclosed. An example apparatus includes a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.

Abstract: Computing platform security methods and apparatus are disclosed. An example apparatus includes a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.