Patents by Inventor Ulhas S. Warrier

Ulhas S. Warrier has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10749683
    Abstract: Technologies for end-to-end biometric-based authentication and locality assertion include a computing device with one or more biometric devices. The computing device may securely exchange a key between a driver and a secure enclave. The driver may receive biometric data from the biometric sensor in a virtualization-protected memory buffer and encrypt the biometric data with the shared key. The secure enclave may decrypt the biometric data and perform a biometric authentication operation. The computing device may measure a virtual machine monitor (VMM) to generate attestation information for the VMM. A secure enclave may execute a virtualization report instruction to request the attestation information. The processor may copy the attestation information into the secure enclave memory. The secure enclave may verify the attestation information with a remote attestation server. If verified, the secure enclave may provide a shared secret to the VMM. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 18, 2018
    Date of Patent: August 18, 2020
    Assignee: Intel Corporation
    Inventors: Ansuya Negi, Nitin V. Sarangdhar, Ulhas S. Warrier, Ramkumar Venkatachary, Ravi L. Sahita, Scott H. Robinson, Karanvir S. Grewal
  • Publication number: 20190036699
    Abstract: Technologies for end-to-end biometric-based authentication and locality assertion include a computing device with one or more biometric devices. The computing device may securely exchange a key between a driver and a secure enclave. The driver may receive biometric data from the biometric sensor in a virtualization-protected memory buffer and encrypt the biometric data with the shared key. The secure enclave may decrypt the biometric data and perform a biometric authentication operation. The computing device may measure a virtual machine monitor (VMM) to generate attestation information for the VMM. A secure enclave may execute a virtualization report instruction to request the attestation information. The processor may copy the attestation information into the secure enclave memory. The secure enclave may verify the attestation information with a remote attestation server. If verified, the secure enclave may provide a shared secret to the VMM. Other embodiments are described and claimed.
    Type: Application
    Filed: September 18, 2018
    Publication date: January 31, 2019
    Inventors: Ansuya Negi, Nitin V. Sarangdhar, Ulhas S. Warrier, Ramkumar Venkatachary, Ravi L. Sahita, Scott H. Robinson, Karanvir S. Grewal
  • Patent number: 10079684
    Abstract: Technologies for end-to-end biometric-based authentication and locality assertion include a computing device with one or more biometric devices. The computing device may securely exchange a key between a driver and a secure enclave. The driver may receive biometric data from the biometric sensor in a virtualization-protected memory buffer and encrypt the biometric data with the shared key. The secure enclave may decrypt the biometric data and perform a biometric authentication operation. The computing device may measure a virtual machine monitor (VMM) to generate attestation information for the VMM. A secure enclave may execute a virtualization report instruction to request the attestation information. The processor may copy the attestation information into the secure enclave memory. The secure enclave may verify the attestation information with a remote attestation server. If verified, the secure enclave may provide a shared secret to the VMM. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: September 18, 2018
    Assignee: Intel Corporation
    Inventors: Ansuya Negi, Nitin V. Sarangdhar, Ulhas S. Warrier, Ramkumar Venkatachary, Ravi L. Sahita, Scott H. Robinson, Karanvir S. Grewal
  • Patent number: 9838367
    Abstract: According to an embodiment provided herein, there is provided a system that binds a trusted output session to a trusted input session. The system includes a processor to execute an enclave application in an architecturally protected memory. The system includes at least one logic unit forming a trusted entity to, responsive to a request to set up a trusted I/O session, generate a unique session identifier logically associated with the trusted I/O session and set a trusted I/O session indicator to a first state. The system includes at least one logic unit forming a cryptographic module to, responsive to the request to set up the trusted I/O session, receive an encrypted encryption key and the unique session identifier from the enclave application; verify the unique session identifier; and responsive to a successful verification, decrypt and save the decrypted encryption key in an encryption key register.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: December 5, 2017
    Assignee: Intel Corporation
    Inventors: Siddhartha Chhabra, Prashant Dewan, Reshma Lal, Ulhas S. Warrier
  • Publication number: 20170134396
    Abstract: In an embodiment, a system includes at least one core and a trusted execution environment (TEE) to conduct an identity authentication that includes a comparison of streamed video data with previously recorded image data. Responsive to establishment of a match of the streamed video data to the previously recorded image data via the comparison, the TEE is to generate an identity attestation that indicates the match. Other embodiments are described and claimed.
    Type: Application
    Filed: November 21, 2016
    Publication date: May 11, 2017
    Inventors: Abhilasha Bhargav-Spantzel, Ned M. Smith, Hormuzd M. Khosravi, Ulhas S. Warrier
  • Publication number: 20170104597
    Abstract: Technologies for end-to-end biometric-based authentication and locality assertion include a computing device with one or more biometric devices. The computing device may securely exchange a key between a driver and a secure enclave. The driver may receive biometric data from the biometric sensor in a virtualization-protected memory buffer and encrypt the biometric data with the shared key. The secure enclave may decrypt the biometric data and perform a biometric authentication operation. The computing device may measure a virtual machine monitor (VMM) to generate attestation information for the VMM. A secure enclave may execute a virtualization report instruction to request the attestation information. The processor may copy the attestation information into the secure enclave memory. The secure enclave may verify the attestation information with a remote attestation server. If verified, the secure enclave may provide a shared secret to the VMM. Other embodiments are described and claimed.
    Type: Application
    Filed: December 18, 2015
    Publication date: April 13, 2017
    Inventors: Ansuya Negi, Nitin V. Sarangdhar, Ulhas S. Warrier, Ramkumar Venkatachary, Ravi L. Sahita, Scott H. Robinson, Karanvir S. Grewal
  • Publication number: 20160380985
    Abstract: According to an embodiment provided herein, there is provided a system that binds a trusted output session to a trusted input session. The system includes a processor to execute an enclave application in an architecturally protected memory. The system includes at least one logic unit forming a trusted entity to, responsive to a request to set up a trusted I/O session, generate a unique session identifier logically associated with the trusted I/O session and set a trusted I/O session indicator to a first state. The system includes at least one logic unit forming a cryptographic module to, responsive to the request to set up the trusted I/O session, receive an encrypted encryption key and the unique session identifier from the enclave application; verify the unique session identifier; and responsive to a successful verification, decrypt and save the decrypted encryption key in an encryption key register.
    Type: Application
    Filed: June 26, 2015
    Publication date: December 29, 2016
    Applicant: Intel Corporation
    Inventors: Siddhartha Chhabra, Prashant Dewan, Reshma Lal, Ulhas S. Warrier
  • Patent number: 9525668
    Abstract: In an embodiment, a system includes at least one core and a trusted execution environment (TEE) to conduct an identity authentication that includes a comparison of streamed video data with previously recorded image data. Responsive to establishment of a match of the streamed video data to the previously recorded image data via the comparison, the TEE is to generate an identity attestation that indicates the match. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: December 20, 2016
    Assignee: Intel Corporation
    Inventors: Abhilasha Bhargav-Spantzel, Ned M. Smith, Hormuzd M. Khosravi, Ulhas S. Warrier
  • Publication number: 20150381575
    Abstract: In an embodiment, a system includes at least one core and a trusted execution environment (TEE) to conduct an identity authentication that includes a comparison of streamed video data with previously recorded image data. Responsive to establishment of a match of the streamed video data to the previously recorded image data via the comparison, the TEE is to generate an identity attestation that indicates the match. Other embodiments are described and claimed.
    Type: Application
    Filed: June 27, 2014
    Publication date: December 31, 2015
    Inventors: Abhilasha Bhargav-Spantzel, Ned M. Smith, Hormuzd M. Khosravi, Ulhas S. Warrier
  • Patent number: 9092632
    Abstract: A method, apparatus, machine-readable medium, and system are disclosed. In one embodiment the method includes a processor. The processor includes switching a platform firmware update mechanism located in a computer platform to a platform firmware armoring technology (PFAT) mode on a boot of the computer platform. The computer platform includes a platform firmware storage location that stores a platform firmware. The method then persistently locks the platform firmware storage location in response to the platform firmware update mechanism switching to the PFAT mode. When persistently locked, writes are only allowed to the platform firmware storage location by an Authenticated Code Module in the running platform and only after a platform firmware update mechanism unlocking procedure.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: July 28, 2015
    Assignee: Intel Corporation
    Inventors: Allen R. Wishman, Sergiu D. Ghetie, Michael Neve De Mevergnies, Ulhas S. Warrier, Adil Karrar, Douglas R. Moran, Kirk Brannock
  • Patent number: 8776245
    Abstract: A system for executing trusted applications with a reduced trusted computing base. In one embodiment, the system includes a processor to dynamically instantiate an application protection module in response to a request by a program to be executed under a trusted mode. The system further includes memory to store the program which is capable of interacting with a remote service for security verification. In one embodiment, the application protection module includes a processor-measured application protection service (P-MAPS) operable to measure and to provide protection to the application.
    Type: Grant
    Filed: December 23, 2009
    Date of Patent: July 8, 2014
    Assignee: Intel Corporation
    Inventors: Ravi L. Sahita, Ulhas S. Warrier, Prashant Dewan, Ranjit S. Narjala
  • Patent number: 8522322
    Abstract: A method, apparatus, machine-readable medium, and system are disclosed. In one embodiment the method includes a processor. The processor includes switching a platform firmware update mechanism located in a computer platform to a platform firmware armoring technology (PFAT) mode on a boot of the computer platform. The computer platform includes a platform firmware storage location that stores a platform firmware. The method then persistently locks the platform firmware storage location in response to the platform firmware update mechanism switching to the PFAT mode. When persistently locked, writes are only allowed to the platform firmware storage location by an Authenticated Code Module in the running platform and only after a platform firmware update mechanism unlocking procedure.
    Type: Grant
    Filed: September 22, 2010
    Date of Patent: August 27, 2013
    Assignee: Intel Corporation
    Inventors: Allen R. Wishman, Sergiu D. Ghetie, Michael Neve De Mevergnies, Ulhas S. Warrier, Adil Karrar, Douglas R. Moran, Kirk Brannock
  • Publication number: 20130219191
    Abstract: A method, apparatus, machine-readable medium, and system are disclosed. In one embodiment the method includes a processor. The processor includes switching a platform firmware update mechanism located in a computer platform to a platform firmware armoring technology (PFAT) mode on a boot of the computer platform. The computer platform includes a platform firmware storage location that stores a platform firmware. The method then persistently locks the platform firmware storage location in response to the platform firmware update mechanism switching to the PFAT mode. When persistently locked, writes are only allowed to the platform firmware storage location by an Authenticated Code Module in the running platform and only after a platform firmware update mechanism unlocking procedure.
    Type: Application
    Filed: March 15, 2013
    Publication date: August 22, 2013
    Inventors: Allen R. Wishman, Sergiu D. Ghetie, Michael Neve De Mevergnies, Ulhas S. Warrier, Adil Karrar, Douglas R. Moran, Kirk Brannock
  • Publication number: 20120072734
    Abstract: A method, apparatus, machine-readable medium, and system are disclosed. In one embodiment the method includes a processor. The processor includes switching a platform firmware update mechanism located in a computer platform to a platform firmware armoring technology (PFAT) mode on a boot of the computer platform. The computer platform includes a platform firmware storage location that stores a platform firmware. The method then persistently locks the platform firmware storage location in response to the platform firmware update mechanism switching to the PFAT mode. When persistently locked, writes are only allowed to the platform firmware storage location by an Authenticated Code Module in the running platform and only after a platform firmware update mechanism unlocking procedure.
    Type: Application
    Filed: September 22, 2010
    Publication date: March 22, 2012
    Inventors: Allen R. Wishman, Sergiu D. Ghetie, Michael Neve De Mevergnies, Ulhas S. Warrier, Adil Karrar, Douglas R. Moran, Kirk Brannock
  • Publication number: 20110154500
    Abstract: A system for executing trusted applications with a reduced trusted computing base. In one embodiment, the system includes a processor to dynamically instantiate an application protection module in response to a request by a program to be executed under a trusted mode. The system further includes memory to store the program which is capable of interacting with a remote service for security verification. In one embodiment, the application protection module includes a processor-measured application protection service (P-MAPS) operable to measure and to provide protection to the application.
    Type: Application
    Filed: December 23, 2009
    Publication date: June 23, 2011
    Inventors: Ravi L. Sahita, Ulhas S. Warrier, Prashant Dewan, Ranjit S. Narjala
  • Patent number: 7437474
    Abstract: Routing packets of information without proxies over a network having both private and public networks includes reviewing the destination address of a packet received at a private network interface and rerouting the packet to a private client connected to the private network interface when the destination address of the packet is the public address of the private network.
    Type: Grant
    Filed: February 22, 2001
    Date of Patent: October 14, 2008
    Assignee: Intel Corporation
    Inventors: Prakash N. Iyer, Ulhas S. Warrier
  • Patent number: 7293108
    Abstract: A first machine communicates with a second machine, using a protocol that sends the first machine's network configuration data in application data sent to the second machine, through a translating access point which translates network traffic from the first machine so as to originate from the access point. A network configuration server provides to the first machine network configuration data not subject to translation by the access point, which is sent to the second machine in the application data. The second machine communicates with the provided network configuration, and this communication is in turn made available to the first machine.
    Type: Grant
    Filed: March 15, 2001
    Date of Patent: November 6, 2007
    Assignee: Intel Corporation
    Inventors: Ulhas S. Warrier, Saul Lewites, Rameshkumar G. Illikkal, Ramanan Ganesan
  • Patent number: 7120701
    Abstract: A method and apparatus are provided for sending a data packet through a network. The network has public and private realms separated by an interface device. A client in the private realm performs the method. The method includes determining if a destination address of the data packet corresponds to the private realm or to the public realm and retrieving a source address for the client based on the destination address of the packet. The method also includes assigning a retrieved address to be the source address of the data packet.
    Type: Grant
    Filed: February 22, 2001
    Date of Patent: October 10, 2006
    Assignee: Intel Corporation
    Inventors: Ulhas S. Warrier, Saul Lewites, Prakash N. Iyer
  • Patent number: 7096495
    Abstract: This invention uses network stack information to enforce context-based policies. The combination of policies, user/application context information and packet filtering is used to enable fine-grained control of network resources.
    Type: Grant
    Filed: March 31, 2000
    Date of Patent: August 22, 2006
    Assignee: Intel Corporation
    Inventors: Ulhas S. Warrier, Prakash Iyer
  • Publication number: 20040032876
    Abstract: A method of transmitting data, includes providing selectable data channels through a data forwarding device, at least two of the selectable data channels having different transmission characteristics, reserving one of the selectable data channels based on a received channel request message, and transmitting a data packet through the reserved data channel.
    Type: Application
    Filed: August 19, 2002
    Publication date: February 19, 2004
    Inventors: Ajay Garg, Ulhas S. Warrier