Abstract: Embodiments are directed to a session management framework for secure communications between host systems and trusted devices. An embodiment of computer-readable storage mediums includes instructions for establishing a security agreement between a host system and a trusted device, the host device including a trusted execution environment (TEE); initiating a key exchange between the host system and the trusted device, including sending a key agreement message from the host system to the trusted device; sending an initialization message to the trusted device; validating capabilities of the trusted device for a secure communication session between the host system and the trusted device; provisioning secrets to the trusted device and initializing cryptographic parameters with the trusted device; and sending an activate session message to the trusted device to activate the secure communication session over a secure communication channel.

Abstract: Embodiments are directed to protection of privacy and data on smart edge devices. An embodiment of an apparatus includes a sensor to produce a stream of sensor data; an analytics mechanism; and a trusted execution environment (TEE) including multiple keys for data security, the apparatus to exchange keys with a host server to establish one or more secure communication channels between the apparatus and a TEE on a host server, process the stream of sensor data utilizing the analytics mechanism to generate metadata, perform encryption and integrity protection of the metadata utilizing a key from the TEE for the sensor, sign the metadata utilizing a private key for the analytics mechanism, and transfer the encrypted and integrity protected metadata and the signature to the host server via the one or more secure communication channels in a manner that prevents privileged users on the host from accessing the data.

Abstract: Embodiments are directed to trusted local memory management in a virtualized GPU. An embodiment of an apparatus includes one or more processors including a trusted execution environment (TEE); a GPU including a trusted agent; and a memory, the memory including GPU local memory, the trusted agent to ensure proper allocation/deallocation of the local memory and verify translations between graphics physical addresses (PAs) and PAs for the apparatus, wherein the local memory is partitioned into protection regions including a protected region and an unprotected region, and wherein the protected region to store a memory permission table maintained by the trusted agent, the memory permission table to include any virtual function assigned to a trusted domain, a per process graphics translation table to translate between graphics virtual address (VA) to graphics guest PA (GPA), and a local memory translation table to translate between graphics GPAs and PAs for the local memory.

Abstract: Embodiments are directed to enhanced protections against adversarial machine learning threats utilizing cryptography and hardware assisted monitoring in hardware accelerators. An embodiment of a system includes one or more processors including a trusted execution environment (TEE), the TEE including a machine learning (ML) service enclave, the ML service enclave including monitoring software; a hardware accelerator including a cryptographic engine and metering hardware, the hardware accelerator to perform processing related to an ML model and the metering hardware to generate statistics regarding data transfers; and an interface with one or more data owners, the ML service enclave to provide access control and data protection for ML data related to the ML model, including establishing secret encryption keys with the data owners and the hardware accelerator; and the monitoring software to analyze the statistics to identify suspicious patterns in the data transfers.

Abstract: Technologies for trusted I/O include a computing device having a hardware cryptographic agent, a cryptographic engine, and an I/O controller. The hardware cryptographic agent intercepts a message from the I/O controller and identifies boundaries of the message. The message may include multiple DMA transactions, and the start of message is the start of the first DMA transaction. The cryptographic engine encrypts the message and stores the encrypted data in a memory buffer. The cryptographic engine may skip and not encrypt header data starting at the start of message or may read a value from the header to determine the skip length. In some embodiments, the cryptographic agent and the cryptographic engine may be an inline cryptographic engine. In some embodiments, the cryptographic agent may be a channel identifier filter, and the cryptographic engine may be processor-based. Other embodiments are described and claimed.

Abstract: Embodiments are directed to providing integrity-protected command buffer execution. An embodiment of an apparatus includes a computer-readable memory comprising one or more command buffers and a processing device communicatively coupled to the computer-readable memory to read, from a command buffer of the computer-readable memory, a first command received from a host device, the first command executable by one or more processing elements on the processing device, the first command comprising an instruction and associated parameter data, compute a first authentication tag using a cryptographic key associated with the host device, the instruction and at least a portion of the parameter data, and authenticate the first command by comparing the first authentication tag with a second authentication tag computed by the host device and associated with the command.

Abstract: A method comprises receiving, in a trusted execution environment (TEE), an attestation public key and one or more endorsement credentials for a trusted platform module, inspecting the one or more endorsement credentials for the trusted platform module, generating an attestation that the attestation public key resides within the trusted platform module identified by the one or more endorsement credentials, the attestation comprising at least a portion of the public attestation key, encrypting, in the trusted execution environment, at least a component of the attestation to generate an attestation key activation blob, forwarding the attestation key activation blob to the platform module, and receiving, from the platform module, a response that varies based on whether at least a portion of the public attestation key in the attestation key activation blob matches a public attestation key on the platform module.

Abstract: Technologies for USB controller state integrity protection are disclosed. A computing device reserves an isolated memory region in system memory and programs a base address register of a USB controller with the address of the isolated memory region. The computing device locks the base address register from further chances. The USB controller may store controller state data in a scratchpad buffer located within the isolated memory region. Software executed by a processor may read controller state data from the scratchpad buffer. Secure routing hardware of the computing device controls access to the isolated memory region. The secure routing hardware may allow read and write access by the USB controller and read-only access by software executed by the processor. After storing the controller state data, the computing device may power down the I/O controller. Other embodiments are described and claimed.

Abstract: Systems and methods include establishing a cryptographically secure communication between an application module and an audio module. The application module is configured to execute on an information-handling machine, and the audio module is coupled to the information-handling machine. The establishment of the cryptographically secure communication may be at least partially facilitated by a mutually trusted module.

Abstract: An Internet-of-Things (IoT) device platform to communicate in a trusted portion of an IoT network is disclosed. The trusted IoT platform can include a secure IoT system-on-chip (SoC) and can be integrated into various devices such that each of the devices may implement “roots of trust” to establish a trusted portion, or a trusted backbone, of the IoT network.

Abstract: Technologies for trusted I/O (TIO) include a computing device with a cryptographic engine and one or more I/O controllers. The computing device executes a TIO core service that has a cryptographic engine programming privileged granted by an operating system. The TIO core service receives a request from an application to protect a DMA channel. The TIO core service requests the operating system to protect the DMA channel, and the operating system verifies the cryptographic engine programming privilege of the TIO core service in response. The operating system programs the cryptographic engine to protect the DMA channel in response to verifying the cryptographic engine programming privilege of the TIO core service. If a privileged delegate determines that a user has confirmed termination of protection of the DMA channel, the TIO core service may unprotect the DMA channel. Other embodiments are described and claimed.

Abstract: Technologies for trusted I/O include a computing device having a hardware cryptographic agent, a cryptographic engine, and an I/O controller. The hardware cryptographic agent intercepts a message from the I/O controller and identifies boundaries of the message. The message may include multiple DMA transactions, and the start of message is the start of the first DMA transaction. The cryptographic engine encrypts the message and stores the encrypted data in a memory buffer. The cryptographic engine may skip and not encrypt header data starting at the start of message or may read a value from the header to determine the skip length. In some embodiments, the cryptographic agent and the cryptographic engine may be an inline cryptographic engine. In some embodiments, the cryptographic agent may be a channel identifier filter, and the cryptographic engine may be processor-based. Other embodiments are described and claimed.

Abstract: Various system configurations and methods for maintaining, accessing, and utilizing secure data of a web browser in a hardware-managed secure data store are disclosed herein. In an example, operations for management of sensitive data such as passwords may be provided with the use of secure enclaves operating in a trusted execution environment. For example, such secure enclaves may be used for sealing and persisting sensitive data associated with a remote service, and transmitting the sensitive data to the remote service, while an unsealed form of the sensitive data is not accessible outside of the trusted execution environment. In further examples, operations for generating a password, storing or updating existing passwords, and replacing web browser input fields with secure data are disclosed.

Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.

Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.

Abstract: A protected link between a first computing device and a second computing device is set up, wherein communication over the protected link is to comply with a communication protocol that allows packets to be reordered during transit. A plurality of packets are generated according to a packet format that ensures the plurality of packets will not be reordered during transmission over the protected link, the plurality of packets comprising a first packet and a second packet. Data of the plurality of packets are encrypted for transmission over the protected link, wherein data of the first packet is encrypted based on the cryptographic key and a first value of a counter and data of the second packet is encrypted based on the cryptographic key and a second value of the counter.

Abstract: Technologies for secure enumeration of USB devices include a computing device having a USB controller and a trusted execution environment (TEE). The TEE may be a secure enclave protected secure enclave support of the processor. In response to a USB device connecting to the USB controller, the TEE sends a secure command to the USB controller to protect a device descriptor for the USB device. The secure command may be sent over a secure channel to a static USB device. A driver sends a get device descriptor request to the USB device, and the USB device responds with the device descriptor. The USB controller redirects the device descriptor to a secure memory buffer, which may be located in a trusted I/O processor reserved memory region. The TEE retrieves and validates the device descriptor. If validated, the TEE may enable the USB device for use. Other embodiments are described and claimed.

Abstract: In one embodiment, an apparatus includes a wireless controller, which may include a byte stream parser to receive a stream of data from one or more wireless devices and parse the stream of data to identify a first data packet associated with a first channel identifier associated with a trusted application, and a cryptographic engine coupled to the byte stream parser to encrypt a payload portion of the first data packet in response to the identification of the first data packet associated with the first channel identifier. Other embodiments are described and claimed.

Abstract: Technologies for secure programming of a cryptographic engine include a computing device with a cryptographic engine and one or more I/O controllers. The computing device establishes one or more trusted execution environments (TEEs). A TEE generates a request to program the cryptographic engine with respect to a DMA channel. The computing device may verify a signed manifest that indicates the TEEs permitted to program DMA channels and, if verified, determine whether the TEE is permitted to program the requested DMA channel. The computing device may record the TEE for a request to protect the DMA channel and may determine whether the programming TEE matches the recorded TEE for a request to unprotect a DMA channel. The computing device may allow the request to unprotect the DMA channel if the programming TEE matches the recorded TEE. Other embodiments are described and claimed.

Abstract: Technologies for secure I/O data transfer includes a compute device, which includes a processor to execute a trusted application, an input/output (I/O) device, and an I/O subsystem. The I/O subsystem is configured to establish a secured channel between the I/O subsystem and a trusted application running on the compute device, and receive, in response to an establishment of the secured channel, I/O data from the I/O device via an unsecured channel. The I/O subsystem is further configured to encrypt, in response to a receipt of the I/O data, the I/O data using a security key associated with the trusted application that is to process the I/O data and transmit the encrypted I/O data to the trusted application via the secured channel, wherein the secured channel has a data transfer rate that is higher than a data transfer rate of the unsecured channel between the I/O device and the I/O subsystem.