Abstract: According to aspect of the disclosure, there are provided methods and apparatus for connecting a peripheral device to a computer system, including an apparatus for interfacing with a peripheral device, the apparatus comprising a port configured to couple to the peripheral device, a processor, a memory coupled to the processor and comprising a software module comprising instructions that when executed on the processor protect the device from a peripheral device coupled to the port, and a hardware security controller coupled to the port, the hardware security controller configured to monitor execution of the software module by the processor and to disable the port in response to determining that the software module is not executing.

Abstract: According to aspects of the present disclosure, there is provided a non-transitory computer-readable storage medium comprising instructions that when executed cause a processor of a computing device to: send, to a remote device and via a first message queue on a cloud messaging service, a current Basic Input/Output System (BIOS) setting value; receive, from the remote device and via a second message queue on a cloud messaging service, an updated BIOS setting value and a cryptographic value; decrypt an encrypted private key of a public-private key pair stored in a memory of the computing device using the cryptographic value, wherein the public key of the public-private key pair is associated with a BIOS of the computing device; sign the updated BIOS setting value using the decrypted private key; provide the signed BIOS setting value to the BIOS of the computing device.

Abstract: In some examples, a computing device includes memory including system memory, and a processor in electronic communication with the memory. In some examples, the processor receives a system management interrupt. In some examples, the processor identifies trigger code that triggered the system management interrupt. In some examples, the processor executes code from the system memory when the trigger code is a virtualization program.

Abstract: An example storage medium includes instructions that, when executed, cause a processor of a computing device to read, during start-up of the computing device, first configuration data from a first storage device of the computing device; read second configuration data from a second storage device of the computing device; determine that there is an inconsistency between the first configuration data and the second configuration data; check a tamper status of the computing device; based on the tamper status and the determination that there is an inconsistency between the first configuration data and the second configuration data: (i) clear a secure storage location of the computing device, the secure storage location storing data to access protected data; or (ii) replace the first configuration data on the first storage device of the computing device based on second data and continue the start-up of the computing device.

Abstract: An example non-transitory machine-readable medium includes instructions that cause a processor of a computing device to create a first virtual machine using a hypervisor, execute a trusted basic input/output system (BIOS) in the first virtual machine, create a second virtual machine using the hypervisor, and execute an untrusted BIOS component in the second virtual machine. The first virtual machine is executed with a greater privilege to access a resource of the computing device than the second virtual machine.

Abstract: Examples of electronic devices are described herein. In some examples, an electronic device includes an operating system. In some examples, the electronic device includes a processor. In some examples, the processor is to generate a first code. In some examples, the processor is to encrypt the first code based on a public key to produce a second code. In some examples, the processor is to enter a locked state, where a booting of the operating system is blocked in the locked state. In some examples, the locked state is unlockable with the first code. In some examples, the electronic device includes a communication device to output the second code. In some examples, the communication device is to receive an authentication message in response to the second code. In some examples, the processor is to enter an unlocked state based on the authentication message.

Abstract: An example computing device includes a user interface, a network interface, a non-volatile memory, a processor coupled to the user interface, the network interface, and the non-volatile memory, and a set of instructions stored in the non-volatile memory. The set of instructions, when executed by the processor, is to perform a hardware initialization of the computing device according to a setting, establish a local trust domain and a remote trust domain, use a local-access public key to issue a challenge via the user interface to grant local access to the setting, and use a remote-access public key to grant remote access via the network interface to remote access to the setting.

Abstract: Examples of computing devices are described herein. In some examples, a computing device may include a controller to generate a key upon boot of the computing device. In some examples, the computing device may include a kernel driver. In some examples, the kernel driver may be to receive the key from a basic input/output system (BIOS) during operating system (OS) boot. In some examples, the kernel driver may be to receive an action request for a BIOS action from an application. In some examples, the kernel driver may be to sign the action request with the key in response to determining that the application is authorized to request the BIOS action. In some examples, the computing device may include the BIOS to perform the BIOS action in response to receiving the signed action request.

Abstract: Instructions may be provided to cause a computing device to receive authorisation data, the authorisation data indicating a policy; output a cryptographic challenge, the cryptographic challenge associated with the computing device and the policy; receive a response to the cryptographic challenge; receive an indication that a hardware change has occurred or a cover of the computing device has been opened; and in response to a determination, based on the received response, that the cryptographic challenge is passed, react to the indication according to the policy.

Abstract: An example computing device includes a memory accessible at startup of the computing device, a buffer, and a set of instructions. The memory stores a configuration setting that is configurable by the application of a change request. The memory also stores a first public key and a second public key. The buffer stores change requests submitted by a remote entity, including a first change request to make a first setting change and a second change request to make a second setting change. The first change request is signed by a first private key corresponding to the first public key, and the second change request is signed by a second private key corresponding to the second public key. The set of instructions retrieves a change request from the buffer, determines whether the change request is authenticated by a public key, and if authenticated, applies the change request.

Abstract: In some examples, a computing device includes memory including system memory, and a processor in electronic communication with the memory. In some examples, the processor receives a system management interrupt. In some examples, the processor identifies trigger code that triggered the system management interrupt. In some examples, the processor executes code from the system memory when the trigger code is a virtualization program.

Abstract: An example computing device includes: a storage device; a first controller to retrieve basic input/output system (BIOS) instructions, including a set of filter criteria, from the storage device, and execute the BIOS instructions to: detect a command to change a set of BIOS variables associated with the BIOS instructions; store the command in a log; compare a payload of the command with the set of filter criteria; and accept or reject the change to the set of BIOS variables according to the comparison.

Abstract: An example storage medium includes instructions that, when executed, cause a processor of a computing device to read, during start-up of the computing device, first configuration data from a first storage device of the computing device; read second configuration data from a second storage device of the computing device; determine that there is an inconsistency between the first configuration data and the second configuration data; check a tamper status of the computing device; based on the tamper status and the determination that there is an inconsistency between the first configuration data and the second configuration data: (i) clear a secure storage location of the computing device, the secure storage location storing data to access protected data; or (ii) replace the first configuration data on the first storage device of the computing device based on second data and continue the start-up of the computing device.

Abstract: An example computing device includes a memory to store a cryptographic key, a processor coupled to the memory, and a set of instructions stored in the memory. The set of instructions, when executed by the processor, is to capture an encrypted passcode originating from a basic input/output system (BIOS) of a managed device as a challenge to grant local access to the BIOS and authenticate with a server using a user credential. When authentication with the server is successful, the set of instructions is to decrypt the encrypted passcode with the cryptographic key to obtain a decrypted passcode and output the decrypted passcode. When authentication with the server is unsuccessful, the set of instructions is to delete the cryptographic key.

Abstract: According to aspect of the disclosure, there are provided methods and apparatus for connecting a peripheral device to a computer system, including an apparatus for interfacing with a peripheral device, the apparatus comprising a port configured to couple to the peripheral device, a processor, a memory coupled to the processor and comprising a software module comprising instructions that when executed on the processor protect the device from a peripheral device coupled to the port, and a hardware security controller coupled to the port, the hardware security controller configured to monitor execution of the software module by the processor and to disable the port in response to determining that the software module is not executing.

Abstract: An example computing device includes a user interface, a network interface, a non-volatile memory, a processor coupled to the user interface, the network interface, and the non-volatile memory, and a set of instructions stored in the non-volatile memory. The set of instructions, when executed by the processor, is to perform a hardware initialization of the computing device according to a setting, establish a local trust domain and a remote trust domain, use a local-access public key to issue a challenge via the user interface to grant local access to the setting, and use a remote-access public key to grant remote access via the network interface to remote access to the setting.

Abstract: An example computing device includes a memory accessible at startup of the computing device, a buffer, and a set of instructions. The memory stores a configuration setting that is configurable by the application of a change request. The memory also stores a first public key and a second public key. The buffer stores change requests submitted by a remote entity, including a first change request to make a first setting change and a second change request to make a second setting change. The first change request is signed by a first private key corresponding to the first public key, and the second change request is signed by a second private key corresponding to the second public key. The set of instructions retrieves a change request from the buffer, determines whether the change request is authenticated by a public key, and if authenticated, applies the change request.

Abstract: An example computing device includes a memory to store a cryptographic key, a processor coupled to the memory, and a set of instructions stored in the memory. The set of instructions, when executed by the processor, is to capture an encrypted passcode originating from a basic input/output system (BIOS) of a managed device as a challenge to grant local access to the BIOS and authenticate with a server using a user credential. When authentication with the server is successful, the set of instructions is to decrypt the encrypted passcode with the cryptographic key to obtain a decrypted passcode and output the decrypted passcode. When authentication with the server is unsuccessful, the set of instructions is to delete the cryptographic key.

Abstract: A profile store can include a guest profile. A converter can be in the control domain. The converter can convert a gesture detected on a touch input device to a domain input for the guest domain. The guest profile for the guest domain can be used for the conversion.

Abstract: A profile store can include a guest profile. A converter can be in the control domain. The converter can convert a gesture detected on a touch input device to a domain input for the guest domain. The guest profile for the guest domain can be used for the conversion.