Abstract: A method comprises receiving, in a trusted execution environment (TEE), an attestation public key and one or more endorsement credentials for a trusted platform module, inspecting the one or more endorsement credentials for the trusted platform module, generating an attestation that the attestation public key resides within the trusted platform module identified by the one or more endorsement credentials, the attestation comprising at least a portion of the public attestation key, encrypting, in the trusted execution environment, at least a component of the attestation to generate an attestation key activation blob, forwarding the attestation key activation blob to the platform module, and receiving, from the platform module, a response that varies based on whether at least a portion of the public attestation key in the attestation key activation blob matches a public attestation key on the platform module.

Abstract: Systems, apparatuses and methods may provide for verifying, from outside a trusted computing base of a computing system, an identity an enclave instance prior to the enclave instance being launched in the trusted computing base, determining a memory location of the enclave instance and confirming that the memory location is local to the computing system. In one example, the enclave instance is a proxy enclave instance, wherein communications are conducted with one or more additional enclave instances in the trusted computing base via the proxy enclave instance and an unencrypted channel.

Abstract: Methods and systems may provide for receiving at a secure element of a system, during a boot process of the system, a first pairing authentication value from a pairing agent. In addition, a pairing key may be received from the pairing agent, wherein the first pairing authentication value and the pairing key may be used to establish a trusted channel between the secure element and an input output (IO) device coupled to the system. In one example, the first pairing authentication value is accepted only if the first pairing authentication value is received prior to a predetermined stage of the boot process.

Abstract: Systems, apparatuses and methods may provide for verifying, from outside a trusted computing base of a computing system, an identity an enclave instance prior to the enclave instance being launched in the trusted computing base, determining a memory location of the enclave instance and confirming that the memory location is local to the computing system. In one example, the enclave instance is a proxy enclave instance, wherein communications are conducted with one or more additional enclave instances in the trusted computing base via the proxy enclave instance and an unencrypted channel.

Abstract: Methods and systems may provide for receiving at a secure element of a system, during a boot process of the system, a first pairing authentication value from a pairing agent. In addition, a pairing key may be received from the pairing agent, wherein the first pairing authentication value and the pairing key may be used to establish a trusted channel between the secure element and an input output (IO) device coupled to the system. In one example, the first pairing authentication value is accepted only if the first pairing authentication value is received prior to a predetermined stage of the boot process.

Abstract: A system comprises a guest graphics subsystem with a combined virtual graphics device that combines underlying emulated virtual graphics device and virtual function of a physical graphics device to support virtual machine migration. The VMM in the system may expose to the guest a single combined virtual PCIe graphics device that combines access to the virtual graphics device and the virtual function, and switches between the virtual graphics device and the virtual function for graphics acceleration without triggering a PnP event in the guest OS. In response to the switch, the guest graphics stack and applications may redraw their windows to provide a consistent user experience.

Abstract: A system comprises a guest graphics subsystem with a combined virtual graphics device that combines underlying emulated virtual graphics device and virtual function of a physical graphics device to support virtual machine migration. The VMM in the system may expose to the guest a single combined virtual PCIe graphics device that combines access to the virtual graphics device and the virtual function, and switches between the virtual graphics device and the virtual function for graphics acceleration without triggering a PnP event in the guest OS. In response to the switch, the guest graphics stack and applications may redraw their windows to provide a consistent user experience.

Abstract: Embodiments of the present invention may be provided as a computer program product that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer (or other electronic device) to perform a process according to one or more embodiments of the present invention. The machine-readable medium (i.e., non-transitory machine-readable medium) may include, but is not limited to, floppy diskettes, optical disks, compact disc read-only memories (CD-ROMs), and magneto-optical disks, read-only memories (ROMs), random access memories (RAMs), erasable programmable read-only memories (EPROMs), electrically erasable programmable read-only memories (EEPROMs), magnetic or optical cards, flash memory. There are other types of media suitable for storing instructions.

Abstract: Apparatus and methods are provided for estimating the location of a network client. In one embodiment, the present invention includes the network client establishing communication with a Local Area Network (LAN), the LAN including a plurality of infrastructure nodes each having a globally unique media access control (MAC) address. The network client then estimates the location of a network client using the MAC address of at least one of the plurality of infrastructure nodes or the MAC address of the network client.

Abstract: A method and apparatus for non-intrusive measurement of end-to-end properties of network flows uses a passive approach. An ingress monitor non-intrusively intercepts data units as they enter a network path through a network. Likewise an egress monitor non-intrusively intercepts the same data units as they leave the same network path. Each monitor generates a time stamp for each intercepted data unit using a common clock and derives a unique signature for each data unit such that the same data unit has the same signature at the entry as at the exit. Additionally each monitor counts the number of packets received from the network flow at the ingress and egress respectively. The signature, time stamp and packet counter value form an entry which is retained in an entry queue in each monitor. A data correlator coupled to an out-of-band network to which the monitors also are coupled periodically pulls a list of entries from each monitor and correlates the lists by matching signatures.

Abstract: Reverse playback of MPEG video from a random access source takes advantage of the symmetry of B frames within an IB data stream. The IB data stream is processed by a parsing algorithm to identify within the B frames during playback those bits associated with motion vector identification and values to develop a parsed B frame table. When the IB data stream is output from the storage source for reverse playback, the IB data stream is rearranged into a reversed IB data stream. As each B frame is processed prior to input to an MPEG decoder, the parsed B frame table is used to manipulate the appropriate bits within the B frames to turn forward motion vectors into backward motion vectors, and vice versa. Then when the B frame is decoded by the MPEG decoder the respective motion vectors are associated with the appropriate I frames within the reversed IB data stream to produce accurate decoding of the B frames during reverse playback.