Patents by Inventor Richard M. Tonry

Richard M. Tonry has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11340796
    Abstract: A method includes issuing a suspend command to a data storage device at an information handling system. In response to receiving the suspend command, the data storage device generates a one-time password that is stored at the data storage device. The one-time password is provided to a process executing at the information handling system that stores the one-time password at a memory device at the information handling system. Operation of the data storage device is transitioned to an energy saving state.
    Type: Grant
    Filed: August 30, 2019
    Date of Patent: May 24, 2022
    Assignee: Dell Products L.P.
    Inventors: Richard M. Tonry, Lip Vui (Simon) Kan
  • Publication number: 20220092187
    Abstract: An information handling system may include a processor and a basic input/output system communicatively coupled to the processor and embodied by executable instructions embodied in non-transitory computer readable media, the instructions configured to, when executed by the processor: identify, for a firmware image, a secure boot certificate; identify, for the secure boot certificate, a certificate use policy; determine whether the certificate use policy permits verification of the firmware image using the secure boot certificate; and allow the firmware image to be verified with the secure boot certificate if the certificate use policy permits verification of the firmware image using the secure boot certificate.
    Type: Application
    Filed: September 18, 2020
    Publication date: March 24, 2022
    Applicant: Dell Products L.P.
    Inventors: Richard M. TONRY, Ibrahim SAYYED
  • Patent number: 11252191
    Abstract: A system, method, and computer-readable medium are disclosed for performing a platform security operation, comprising: presenting a platform security user interface, the platform security user interface including a plurality of security blocks, each of the plurality of security blocks corresponding to a particular security policy function configuring a security policy via the platform security user interface, the configuring comprising combining a set of the security blocks according to a desired security function; converting the set of security blocks to information representing the security policy; and, deploying the security policy to an information handling system.
    Type: Grant
    Filed: June 15, 2017
    Date of Patent: February 15, 2022
    Assignee: Dell Products L.P.
    Inventors: Ricardo L. Martinez, Justin W. Johnson, Joshua N. Alperin, Richard M. Tonry, Nikolay Kalaichidi
  • Publication number: 20220043669
    Abstract: An SMI task to be completed across multiple SMI events. An OS agent can be employed to determine a current load on a computing device. Based on the load, the OS agent can create an SMI message that specifies a maximum duration for an SMI event and that segments the SMI data for the SMI task. The OS agent can provide the SMI message to BIOS as part of requesting that the SMI task be performed. During the resulting SMI event, the BIOS can reassemble the segmented SMI data and then perform the SMI task. If this processing cannot be completed within the specified maximum duration for an SMI event, the BIOS can pause its processing and cause a subsequent SMI event to occur during which the processing can be resumed. In this way, the SMI task can be completed across multiple SMI events while ensuring that no single SMI event exceeds the specified maximum duration.
    Type: Application
    Filed: August 5, 2020
    Publication date: February 10, 2022
    Inventors: Balasingh P. Samuel, Richard M. Tonry, Nicholas D. Grobelny
  • Publication number: 20220004637
    Abstract: Discovery of unique identifiers in firmware can be prevented. During the boot process on a computing system, and after the firmware has generated firmware tables containing unique identifiers, an anonymizer module of the firmware can generate an anonymized version of the firmware tables and cause the anonymized version of the firmware tables, rather than the original, system-unique firmware tables, to be accessible after the operating system is loaded. In this way, once the operating system is loaded, when a module attempts to read the firmware tables, the read will be performed against the anonymized version of the firmware tables thereby preventing the module from obtaining any of the computing system's unique identifiers. A copy of the firmware tables may be maintained separately from the anonymized version of the firmware tables to enable authorized utilities to obtain the computing system's unique identifiers.
    Type: Application
    Filed: July 2, 2020
    Publication date: January 6, 2022
    Inventors: William D. Leara, Richard M. Tonry
  • Publication number: 20210373903
    Abstract: An information handling system may include a processor and a basic input/output system (BIOS) comprising a program of instructions executable by the processor and configured to cause the processor to initialize one or more information handling resources of the information handling system. The BIOS may be further configured to, during a boot of the information handling system, determine whether a BIOS configuration change has been made during a current boot session of the information handling system, and responsive to determining that a BIOS configuration change has been made during the current boot session, store an indication of the BIOS configuration change to a non-volatile memory.
    Type: Application
    Filed: May 27, 2020
    Publication date: December 2, 2021
    Applicant: Dell Products L.P.
    Inventors: Amy C. NELSON, Richard M. TONRY
  • Patent number: 11132206
    Abstract: Systems and methods are provided that may be implemented to modify boot operation for an information handling system using commands of a script that is detected and authenticated by boot code of the information handling system. The script may include at least one command that modifies a boot operation of the information handling system when performed by the processor. The boot code may be executed by the processor during startup, to detect and authenticate the script, and to process the at least one command after the script is authenticated. Multiple commands may be defined including triggerless actions or trigger actions which are performed in response to a trigger event. A trigger event may be a hardware interaction, such as the pressing of a button.
    Type: Grant
    Filed: May 3, 2019
    Date of Patent: September 28, 2021
    Assignee: Dell Products L.P.
    Inventors: Ricardo L. Martinez, Richard M. Tonry, Balasingh P. Samuel
  • Publication number: 20210264044
    Abstract: A set of security templates is maintained including first and second templates. The first template specifies time and location stamp authentication for a file, and contextual security conditions that must be met before the file can be accessed. The second template specifies the time and location stamp authentication, but not the contextual security conditions. One of the first or second security templates is applied to the particular file. When the second security template is applied, a GPS-crypto device adds a time and location stamp to the particular file. The particular file is signed using a private key associated with the GPS-crypto device to generate an authentication signature based on the time and location stamp. The authentication signature is added to the particular file to allow a recipient to verify the time and location stamp of the particular file using a public key corresponding to the private key.
    Type: Application
    Filed: April 23, 2021
    Publication date: August 26, 2021
    Inventors: Craig L. Chaiken, Richard M. Tonry
  • Publication number: 20210218562
    Abstract: A system includes a communication channel monitor configured to calculate a hash value of a first encrypted code segment based on a measurement. A security module may derive a first encryption key using a key decryption function operation from the hash value of the first encrypted code segment. A processor decrypts the first encrypted code segment with a seed key retrieved from a storage device, and if the decryption is successful then executes the first decrypted code segment. The processor may retrieve a second one of the encrypted code segments, wherein the second encrypted code segment is a next encrypted code segment for execution after the first encrypted code segment according to a sequence of execution, decrypt the second encrypted code segment with the first encryption key, and if the decryption is successful then execute the second decrypted code segment.
    Type: Application
    Filed: January 10, 2020
    Publication date: July 15, 2021
    Inventors: Nicholas D. Grobelny, Richard M. Tonry, Balasingh P. Samuel
  • Patent number: 11023602
    Abstract: An indication is received to export a file from a host having an authentication device. A memory buffer is allocated for a signature region, a header region, and a content region. A location stamp and a time stamp are calculated for content of the file. The location and time stamps are copied to the header region. An authentication signature is generated using a private key associated with the authentication device. The authentication signature is based on the header and content regions, which include the copied location stamp and timestamp, and content of the file. The authentication signature is copied to the signature region. The memory buffer is written to a new file, the new file being a signed version of the file and including the signature region having the authentication signature, the header region having the location and time stamps, and the content region having the content of the file.
    Type: Grant
    Filed: April 24, 2019
    Date of Patent: June 1, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Craig L Chaiken, Richard M Tonry
  • Patent number: 11016755
    Abstract: Methods, systems, and computer programs for receiving, by an embedded controller (EC), an EC firmware update from a central processing unit (CPU); storing the EC firmware update into a buffer region of a flash memory medium via a first bus, the first bus communicatively coupling the EC and the flash memory medium; verifying the EC firmware update stored in the buffer region of the flash memory medium; and in response to verifying the EC firmware update: storing the verified EC firmware update into a primary region of the flash memory medium; and loading the verified EC firmware update from the primary region into an EC memory medium of the EC via the first bus.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: May 25, 2021
    Assignee: Dell Products L.P.
    Inventors: Adolfo S. Montero, Richard M. Tonry
  • Publication number: 20210064253
    Abstract: A method includes issuing a suspend command to a data storage device at an information handling system. In response to receiving the suspend command, the data storage device generates a one-time password that is stored at the data storage device. The one-time password is provided to a process executing at the information handling system that stores the one-time password at a memory device at the information handling system. Operation of the data storage device is transitioned to an energy saving state.
    Type: Application
    Filed: August 30, 2019
    Publication date: March 4, 2021
    Inventors: Richard M. Tonry, Lip Vui (Simon) Kan
  • Publication number: 20210034733
    Abstract: Systems and methods are disclosed herein that may implement an information handling system including a gateway and a peripheral device monitor. The gateway may interface peripheral devices and control access of host resources of the information handling system by any of the peripheral devices. The peripheral device monitor may detect connection of an unverified peripheral device to the gateway, perform a trust verification process with the unverified peripheral device, control the gateway to enable access of the host resources by the unverified peripheral device when the unverified peripheral device becomes verified, and control the gateway to prevent access to the host resources by the unverified peripheral device when the unverified peripheral device fails the trust verification process. The trust verification process may include validating a device certificate and verifying a digest of boot code of the peripheral device.
    Type: Application
    Filed: July 30, 2019
    Publication date: February 4, 2021
    Inventors: Nicholas D. Grobelny, Richard M. Tonry, Balasingh P. Samuel
  • Publication number: 20210034355
    Abstract: Methods, systems, and computer programs for receiving, by an embedded controller (EC), an EC firmware update from a central processing unit (CPU); storing the EC firmware update into a buffer region of a flash memory medium via a first bus, the first bus communicatively coupling the EC and the flash memory medium; verifying the EC firmware update stored in the buffer region of the flash memory medium; and in response to verifying the EC firmware update: storing the verified EC firmware update into a primary region of the flash memory medium; and loading the verified EC firmware update from the primary region into an EC memory medium of the EC via the first bus.
    Type: Application
    Filed: July 31, 2019
    Publication date: February 4, 2021
    Inventors: Adolfo S. Montero, Richard M. Tonry
  • Publication number: 20200348943
    Abstract: Systems and methods are provided that may be implemented to modify boot operation for an information handling system using commands of a script that is detected and authenticated by boot code of the information handling system. The script may include at least one command that modifies a boot operation of the information handling system when performed by the processor. The boot code may be executed by the processor during startup, to detect and authenticate the script, and to process the at least one command after the script is authenticated. Multiple commands may be defined including triggerless actions or trigger actions which are performed in response to a trigger event. A trigger event may be a hardware interaction, such as the pressing of a button.
    Type: Application
    Filed: May 3, 2019
    Publication date: November 5, 2020
    Inventors: Ricardo L. Martinez, Richard M. Tonry, Balasingh P. Samuel
  • Publication number: 20200342129
    Abstract: An indication is received to export a file from a host having an authentication device. A memory buffer is allocated for a signature region, a header region, and a content region. A location stamp and a time stamp are calculated for content of the file. The location and time stamps are copied to the header region. An authentication signature is generated using a private key associated with the authentication device. The authentication signature is based on the header and content regions, which include the copied location stamp and timestamp, and content of the file. The authentication signature is copied to the signature region. The memory buffer is written to a new file, the new file being a signed version of the file and including the signature region having the authentication signature, the header region having the location and time stamps, and the content region having the content of the file.
    Type: Application
    Filed: April 24, 2019
    Publication date: October 29, 2020
    Inventors: Craig L. Chaiken, Richard M. Tonry
  • Publication number: 20200334045
    Abstract: Systems and methods are provided for supporting use of system BIOS components (e.g., such as BIOS debug messages, debugger firmware, UEFI drivers, etc.) that are stored separately from the remainder of system BIOS firmware for an information handling system. The system BIOS components may represent only a portion of the total BIOS firmware, and may be selectively retrieved and loaded from the separate storage into system memory when needed by the system BIOS for operating purposes (e.g., such as debugging operations).
    Type: Application
    Filed: April 18, 2019
    Publication date: October 22, 2020
    Inventors: Craig L. Chaiken, Michael W. Arms, Richard M. Tonry, Anand Prakash Joshi
  • Patent number: 10776488
    Abstract: In some examples, a boot process of a computing device may be initiated. The computing device may include a plurality of hardware components. The process may select a component of the plurality of hardware components, read a firmware of the component, calculate a measurement (e.g., hash) of the firmware, and perform a comparison of the measurement with a pre-determined measurement stored in a table of approved firmware. The table may be stored in a basic input output system (BIOS) of the computing device. The process may determine, based on the comparison, that the measurement does not match the pre-determined measurement stored in the table, acquire a new table from a server, verify an authenticity of the new table, determine that the measurement does not match a current measurement stored in the new table, and perform one or more remedial actions based on a policy.
    Type: Grant
    Filed: September 24, 2018
    Date of Patent: September 15, 2020
    Assignee: Dell Products L.P.
    Inventors: Balasingh P. Samuel, Richard M. Tonry
  • Patent number: 10685108
    Abstract: In one or more embodiments, one or more systems, methods, and/or processes may obtain first multiple samples of a signal conveyed via a coupling of a memory medium of an information handling system; may convert the first multiple samples to respective first multiple digital values; may determine an impedance based at least on the first multiple digital values; may compare the impedance with a baseline impedance; may determine an inconsistency based at least on comparing the impedance with the baseline impedance of the coupling of the memory medium; and may, in response to determining the inconsistency, shut down the information handling system.
    Type: Grant
    Filed: May 4, 2018
    Date of Patent: June 16, 2020
    Assignee: Dell Products L.P.
    Inventors: Ricardo L. Martinez, Richard M. Tonry
  • Publication number: 20200097658
    Abstract: In some examples, a boot process of a computing device may be initiated. The computing device may include a plurality of hardware components. The process may select a component of the plurality of hardware components, read a firmware of the component, calculate a measurement (e.g., hash) of the firmware, and perform a comparison of the measurement with a pre-determined measurement stored in a table of approved firmware. The table may be stored in a basic input output system (BIOS) of the computing device. The process may determine, based on the comparison, that the measurement does not match the pre-determined measurement stored in the table, acquire a new table from a server, verify an authenticity of the new table, determine that the measurement does not match a current measurement stored in the new table, and perform one or more remedial actions based on a policy.
    Type: Application
    Filed: September 24, 2018
    Publication date: March 26, 2020
    Inventors: Balasingh P. Samuel, Richard M. Tonry