Patents by Inventor Richard M. Tonry
Richard M. Tonry has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20230064398
  Abstract: A system and method for resolving (BIOS) firmware issues affecting one or more information handling systems, includes: responsive to receiving information indicative of the BIOS firmware issue, developing one or more executable scripts for resolving the BIOS firmware issue without modifying the BIOS firmware. The executable scripts include a first script for collecting data pertaining to the BIOS firmware issue, which is pushed to at least one affected information handling system. The first script includes processor-executable instructions that the affected information handling system executes in a pre-boot state to perform operations including establishing a secure and privileged pre-boot session, collecting data associated with the BIOS firmware issue from within the secure and privileged pre-boot session, and sending the data associated with the BIOS issue to a support resource.
  Type: Application
  Filed: August 27, 2021
  Publication date: March 2, 2023
  Applicant: Dell Products L.P.
  Inventors: Balasingh P. SAMUEL, Jacob MINK, Michael W. ARMS, Richard M. TONRY
- Patent number: 11579893
  Abstract: Systems and methods are provided for supporting use of system BIOS components (e.g., such as BIOS debug messages, debugger firmware, UEFI drivers, etc.) that are stored separately from the remainder of system BIOS firmware for an information handling system. The system BIOS components may represent only a portion of the total BIOS firmware, and may be selectively retrieved and loaded from the separate storage into system memory when needed by the system BIOS for operating purposes (e.g., such as debugging operations).
  Type: Grant
  Filed: April 18, 2019
  Date of Patent: February 14, 2023
  Assignee: Dell Products L.P.
  Inventors: Craig L. Chaiken, Michael W. Arms, Richard M. Tonry, Anand Prakash Joshi
- Patent number: 11568072
  Abstract: A set of security templates is maintained including first and second templates. The first template specifies time and location stamp authentication for a file, and contextual security conditions that must be met before the file can be accessed. The second template specifies the time and location stamp authentication, but not the contextual security conditions. One of the first or second security templates is applied to the particular file. When the second security template is applied, a GPS-crypto device adds a time and location stamp to the particular file. The particular file is signed using a private key associated with the GPS-crypto device to generate an authentication signature based on the time and location stamp. The authentication signature is added to the particular file to allow a recipient to verify the time and location stamp of the particular file using a public key corresponding to the private key.
  Type: Grant
  Filed: April 23, 2021
  Date of Patent: January 31, 2023
  Assignee: EMC IP Holding Company LLC
  Inventors: Craig L Chaiken, Richard M Tonry
- Publication number: 20230021213
  Abstract: An information handling system may include memory circuitry comprising a BIOS and a database including a first set of one or more cryptographic keys usable to authenticate code executable by the BIOS; and a physical storage medium other than the memory circuitry, wherein the physical storage medium includes a custom database including a second set of one or more cryptographic keys usable to authenticate code executable by the BIOS. The information handling system is configured to load a BIOS extension into the BIOS by: determining that the first set of one or more cryptographic keys does not include any key usable to authenticate the BIOS extension; determining that the second set of one or more cryptographic keys includes a particular key usable to authenticate the BIOS extension; authenticating the BIOS extension via the particular key; and in response to the authenticating, loading and executing the BIOS extension.
  Type: Application
  Filed: July 19, 2021
  Publication date: January 19, 2023
  Applicant: Dell Products L.P.
  Inventors: Ibrahim Sayyed, Richard M. Tonry
- Patent number: 11514165
  Abstract: An information handling system may include a processor and a basic input/output system communicatively coupled to the processor and embodied by executable instructions embodied in non-transitory computer readable media, the instructions configured to, when executed by the processor: identify, for a firmware image, a secure boot certificate; identify, for the secure boot certificate, a certificate use policy; determine whether the certificate use policy permits verification of the firmware image using the secure boot certificate; and allow the firmware image to be verified with the secure boot certificate if the certificate use policy permits verification of the firmware image using the secure boot certificate.
  Type: Grant
  Filed: September 18, 2020
  Date of Patent: November 29, 2022
  Assignee: Dell Products L.P.
  Inventors: Richard M. Tonry, Ibrahim Sayyed
- Publication number: 20220374522
  Abstract: A method may comprise, on a basic input/output system (BIOS), executing a hardware attestation verification application configured to: (a) during a first boot session of the information handling system comprising the BIOS, execute a first stage of an update to the information handling system and securely record a platform state record associated with the beginning of execution of a second stage of the update; and (b) during a second boot session of the information handling system: (i) obtain the platform state record; (ii) compare the platform state record to an actual platform state during the boot process of the second boot session; and (iii) if the platform state record matches the actual platform state during the boot process of the second boot session, permit execution of the second stage of the update.
  Type: Application
  Filed: May 24, 2021
  Publication date: November 24, 2022
  Applicant: Dell Products L.P.
  Inventors: Balasingh P. SAMUEL, Richard M. TONRY
- Publication number: 20220342994
  Abstract: An information handling system may include a processor and a basic input/output system (BIOS) comprising a program of instructions comprising boot firmware configured to be the first code executed by the processor when the information handling system is booted or powered on, the BIOS configured to, during boot of the information handling system: (i) read a predefined measurement of an order of loading of BIOS drivers configured to execute during execution of the BIOS, such predefined measurement made during build of the BIOS; (ii) perform a runtime measurement of an order of loading of the BIOS drivers during actual runtime of the information handling system; (iii) compare the predefined measurement to the runtime measurement; and (iv) responsive to a mismatch between the predefined measurement and the runtime measurement, respond with a remedial action.
  Type: Application
  Filed: April 21, 2021
  Publication date: October 27, 2022
  Applicant: Dell Products L.P.
  Inventors: Balasingh P. SAMUEL, Richard M. TONRY, Jonathan D. SAMUEL
- Patent number: 11481248
  Abstract: An SMI task can be completed across multiple SMI events. An OS agent can be employed to determine a current load on a computing device. Based on the load, the OS agent can create an SMI message that specifies a maximum duration for an SMI event and that segments the SMI data for the SMI task. The OS agent can provide the SMI message to the BIOS as part of requesting that the SMI task be performed. During the resulting SMI event, the BIOS can reassemble the segmented SMI data and then perform the SMI task. If this processing cannot be completed within the specified maximum duration for an SMI event, the BIOS can pause its processing and cause a subsequent SMI event to occur during which the processing can be resumed. In this way, the SMI task can be completed across multiple SMI events while ensuring that no single SMI event exceeds the specified maximum duration.
  Type: Grant
  Filed: August 5, 2020
  Date of Patent: October 25, 2022
  Assignee: Dell Products L.P.
  Inventors: Balasingh P. Samuel, Richard M. Tonry, Nicholas D. Grobelny
- Publication number: 20220278837
  Abstract: A system includes a communication channel monitor configured to calculate a hash value of a first encrypted code segment based on a measurement. A security module may derive a first encryption key using a key decryption function operation from the hash value of the first encrypted code segment. A processor decrypts the first encrypted code segment with a seed key retrieved from a storage device, and if the decryption is successful then executes the first decrypted code segment. The processor may retrieve a second one of the encrypted code segments, wherein the second encrypted code segment is a next encrypted code segment for execution after the first encrypted code segment according to a sequence of execution, decrypt the second encrypted code segment with the first encryption key, and if the decryption is successful then execute the second decrypted code segment.
  Type: Application
  Filed: May 18, 2022
  Publication date: September 1, 2022
  Inventors: Nicholas D. Grobelny, Richard M. Tonry, Balasingh P. Samuel
- Patent number: 11423148
  Abstract: Discovery of unique identifiers in firmware can be prevented. During the boot process on a computing system, and after the firmware has generated firmware tables containing unique identifiers, an anonymizer module of the firmware can generate an anonymized version of the firmware tables and cause the anonymized version of the firmware tables, rather than the original, system-unique firmware tables, to be accessible after the operating system is loaded. In this way, once the operating system is loaded, when a module attempts to read the firmware tables, the read will be performed against the anonymized version of the firmware tables, thereby preventing the module from obtaining any of the computing system's unique identifiers. A copy of the firmware tables may be maintained separately from the anonymized version of the firmware tables to enable authorized utilities to obtain the computing system's unique identifiers.
  Type: Grant
  Filed: July 2, 2020
  Date of Patent: August 23, 2022
  Assignee: Dell Products L.P.
  Inventors: William D. Leara, Richard M. Tonry
- Patent number: 11418333
  Abstract: A system includes a communication channel monitor configured to calculate a hash value of a first encrypted code segment based on a measurement. A security module may derive a first encryption key using a key decryption function operation from the hash value of the first encrypted code segment. A processor decrypts the first encrypted code segment with a seed key retrieved from a storage device, and if the decryption is successful then executes the first decrypted code segment. The processor may retrieve a second one of the encrypted code segments, wherein the second encrypted code segment is a next encrypted code segment for execution after the first encrypted code segment according to a sequence of execution, decrypt the second encrypted code segment with the first encryption key, and if the decryption is successful then execute the second decrypted code segment.
  Type: Grant
  Filed: January 10, 2020
  Date of Patent: August 16, 2022
  Assignee: Dell Products L.P.
  Inventors: Nicholas D. Grobelny, Richard M. Tonry, Balasingh P. Samuel
- Patent number: 11347519
  Abstract: An information handling system may include a processor and a basic input/output system (BIOS) comprising a program of instructions executable by the processor and configured to cause the processor to initialize one or more information handling resources of the information handling system. The BIOS may be further configured to, during a boot of the information handling system, determine whether a BIOS configuration change has been made during a current boot session of the information handling system, and responsive to determining that a BIOS configuration change has been made during the current boot session, store an indication of the BIOS configuration change to a non-volatile memory.
  Type: Grant
  Filed: May 27, 2020
  Date of Patent: May 31, 2022
  Assignee: Dell Products L.P.
  Inventors: Amy C. Nelson, Richard M. Tonry
- Patent number: 11340796
  Abstract: A method includes issuing a suspend command to a data storage device at an information handling system. In response to receiving the suspend command, the data storage device generates a one-time password that is stored at the data storage device. The one-time password is provided to a process executing at the information handling system that stores the one-time password at a memory device at the information handling system. Operation of the data storage device is transitioned to an energy saving state.
  Type: Grant
  Filed: August 30, 2019
  Date of Patent: May 24, 2022
  Assignee: Dell Products L.P.
  Inventors: Richard M. Tonry, Lip Vui (Simon) Kan
- Publication number: 20220092187
  Abstract: An information handling system may include a processor and a basic input/output system communicatively coupled to the processor and embodied by executable instructions embodied in non-transitory computer readable media, the instructions configured to, when executed by the processor: identify, for a firmware image, a secure boot certificate; identify, for the secure boot certificate, a certificate use policy; determine whether the certificate use policy permits verification of the firmware image using the secure boot certificate; and allow the firmware image to be verified with the secure boot certificate if the certificate use policy permits verification of the firmware image using the secure boot certificate.
  Type: Application
  Filed: September 18, 2020
  Publication date: March 24, 2022
  Applicant: Dell Products L.P.
  Inventors: Richard M. TONRY, Ibrahim SAYYED
- Patent number: 11252191
  Abstract: A system, method, and computer-readable medium are disclosed for performing a platform security operation, comprising: presenting a platform security user interface, the platform security user interface including a plurality of security blocks, each of the plurality of security blocks corresponding to a particular security policy function; configuring a security policy via the platform security user interface, the configuring comprising combining a set of the security blocks according to a desired security function; converting the set of security blocks to information representing the security policy; and deploying the security policy to an information handling system.
  Type: Grant
  Filed: June 15, 2017
  Date of Patent: February 15, 2022
  Assignee: Dell Products L.P.
  Inventors: Ricardo L. Martinez, Justin W. Johnson, Joshua N. Alperin, Richard M. Tonry, Nikolay Kalaichidi
- Publication number: 20220043669
  Abstract: An SMI task can be completed across multiple SMI events. An OS agent can be employed to determine a current load on a computing device. Based on the load, the OS agent can create an SMI message that specifies a maximum duration for an SMI event and that segments the SMI data for the SMI task. The OS agent can provide the SMI message to the BIOS as part of requesting that the SMI task be performed. During the resulting SMI event, the BIOS can reassemble the segmented SMI data and then perform the SMI task. If this processing cannot be completed within the specified maximum duration for an SMI event, the BIOS can pause its processing and cause a subsequent SMI event to occur during which the processing can be resumed. In this way, the SMI task can be completed across multiple SMI events while ensuring that no single SMI event exceeds the specified maximum duration.
  Type: Application
  Filed: August 5, 2020
  Publication date: February 10, 2022
  Inventors: Balasingh P. Samuel, Richard M. Tonry, Nicholas D. Grobelny
- Publication number: 20220004637
  Abstract: Discovery of unique identifiers in firmware can be prevented. During the boot process on a computing system, and after the firmware has generated firmware tables containing unique identifiers, an anonymizer module of the firmware can generate an anonymized version of the firmware tables and cause the anonymized version of the firmware tables, rather than the original, system-unique firmware tables, to be accessible after the operating system is loaded. In this way, once the operating system is loaded, when a module attempts to read the firmware tables, the read will be performed against the anonymized version of the firmware tables, thereby preventing the module from obtaining any of the computing system's unique identifiers. A copy of the firmware tables may be maintained separately from the anonymized version of the firmware tables to enable authorized utilities to obtain the computing system's unique identifiers.
  Type: Application
  Filed: July 2, 2020
  Publication date: January 6, 2022
  Inventors: William D. Leara, Richard M. Tonry
- Publication number: 20210373903
  Abstract: An information handling system may include a processor and a basic input/output system (BIOS) comprising a program of instructions executable by the processor and configured to cause the processor to initialize one or more information handling resources of the information handling system. The BIOS may be further configured to, during a boot of the information handling system, determine whether a BIOS configuration change has been made during a current boot session of the information handling system, and responsive to determining that a BIOS configuration change has been made during the current boot session, store an indication of the BIOS configuration change to a non-volatile memory.
  Type: Application
  Filed: May 27, 2020
  Publication date: December 2, 2021
  Applicant: Dell Products L.P.
  Inventors: Amy C. NELSON, Richard M. TONRY
- Patent number: 11132206
  Abstract: Systems and methods are provided that may be implemented to modify boot operation for an information handling system using commands of a script that is detected and authenticated by boot code of the information handling system. The script may include at least one command that modifies a boot operation of the information handling system when performed by the processor. The boot code may be executed by the processor during startup, to detect and authenticate the script, and to process the at least one command after the script is authenticated. Multiple commands may be defined, including triggerless actions or trigger actions which are performed in response to a trigger event. A trigger event may be a hardware interaction, such as the pressing of a button.
  Type: Grant
  Filed: May 3, 2019
  Date of Patent: September 28, 2021
  Assignee: Dell Products L.P.
  Inventors: Ricardo L. Martinez, Richard M. Tonry, Balasingh P. Samuel
- Publication number: 20210264044
  Abstract: A set of security templates is maintained including first and second templates. The first template specifies time and location stamp authentication for a file, and contextual security conditions that must be met before the file can be accessed. The second template specifies the time and location stamp authentication, but not the contextual security conditions. One of the first or second security templates is applied to the particular file. When the second security template is applied, a GPS-crypto device adds a time and location stamp to the particular file. The particular file is signed using a private key associated with the GPS-crypto device to generate an authentication signature based on the time and location stamp. The authentication signature is added to the particular file to allow a recipient to verify the time and location stamp of the particular file using a public key corresponding to the private key.
  Type: Application
  Filed: April 23, 2021
  Publication date: August 26, 2021
  Inventors: Craig L. Chaiken, Richard M. Tonry