Abstract: A computer system is partitioned during a pre-boot phase of the computer system between a first partition and a second partition, wherein the first partition to include a first processing unit and the second partition to include a second processing unit. An Input/Output (I/O) operating system is booted on the first partition. A general purpose operating system is booted on the second partition. Network transactions are issued by the general purpose operating system to be performed by the I/O operating system. The network transactions are performed by the I/O operating system.

Abstract: Embodiments related to hardware configuration reporting and arbitration are disclosed herein. For example, an apparatus for hardware configuration reporting may include: a processing device having a trusted execution environment (TEE) and a non-trusted execution environment (non-TEE); request service logic, stored in the memory, to operate within the TEE to receive an indication of a request from arbiter logic, wherein the request represents a hardware configuration register; and reporting logic, stored in the memory, to operate within the TEE and to report an indicator of a value of the hardware configuration register represented by the request to the arbiter logic. Other embodiments may be disclosed and/or claimed.

Abstract: Methods and apparatus are disclosed to manage power consumption at a graphics engine. An example method to manage power usage of a graphics engine via an application level interface includes obtaining a policy directive for the graphics engine via the application level interface, the policy directive identifying a threshold corresponding to power consumed by the graphics engine operating in a first graphics state. The example method also includes determining a power consumed by the graphics engine during operation. The example method also includes comparing the power consumed to the threshold of the policy directive, and when the threshold is met, setting the graphics engine in a second graphics state to cause the graphics engine to comply with the policy directive.

Abstract: Various embodiments are generally directed to establishing trust in system management mode. An operating system management mode driver can invoke a system management mode and provide a signature to the system management mode to authenticate the driver with. Additionally, a hash value of the driver can be used to determine whether the driver is authorized to invoke system management mode or particular operations or features of system management mode.

Abstract: A point-of-sale device (“POS”) is described to include a secure transaction tunnel generator (“STG”). The STG may generate secure tunnels between peripherals attached to the POS and remote network resources. The secure tunnel may be generated using a trusted execution environment (“TEE”) of the POS. The STG may be alerted to the need to generate the secure tunnel based on an alert from the peripheral. The STG may execute under a protected environment and may generate two ends of a secure transaction tunnel using the TEE. The STG may also check the peripheral against whitelists and/or blacklists to determine whether the peripheral is allowed or not disallowed to participate in secure transactions. By generating the secure tunnel, the STG may facilitate performance of transactions in such a way that sensitive information is not available to unsecured processes in the POS. Other embodiments may be described and/or claimed.

Abstract: Technologies for transferring offloading or on-loading data or tasks between a processor and a coprocessor include a computing device having a processor and a sensor hub that includes a coprocessor. The coprocessor receives sensor data associated with one or more sensors and detects events associated with the sensor data. The coprocessor determines frequency, resource usage cost, and power state transition cost for the events. In response to an offloaded task request from the processor, the coprocessor determines an aggregate load value based on the frequency, resource usage cost, and power state transition cost, and determines whether to accept the offloaded task request based on the aggregate load value. The aggregate load value may be determined as an exponential moving average. The coprocessor may determine whether to accept the offloaded task request based on a principal component analysis of the events. Other embodiments are described and claimed.

Abstract: A dynamic firmware module loader loads one of a plurality of a firmware contexts or modules as needed in a containerized environment for secure isolated execution. The modules, called applets, may be loaded and unloaded in a firmware context. The loader may use a hardware inter process communication channel (IPC) to communicate with the secure engine. The modules may be designed to implement specific features desired by basic input/output system vendors, without the use of a system management mode. Designed modules may provide necessary storage and I/O access driver capabilities to be run in trusted execution environment containers.

Abstract: Methods and apparatus to provide dynamic messaging services are disclosed. An example method of displaying information on a display screen includes determining, using a virtual machine manager, supported dimensions for display of information on the display screen; generating, using the virtual machine manager, restricted dimensions that are less than the supported dimensions; providing the restricted dimensions to an operating system of a virtual machine supported by the virtual machine manager, wherein the restricted dimensions define a boundary between a first screen portion and a second screen portion; and using the virtual machine manager to display first information in the first screen portion, the virtual machine manager enforcing the presence of the first screen portion on the display screen.

Abstract: Technologies for fast low-power startup include a computing device with a processor having a power management integrated circuit. The computing device initializes platform components into a low-power state and determines, in a pre-boot firmware environment, the battery state of the computing device. The computing device determines a minimum-power startup (MPS) configuration that identifies platform components to be energized and determines whether the battery state is sufficient for the MPS configuration. If sufficient, the computing device energizes the platform components of the MPS configuration and boots into an MPS boot mode. In the MPS boot mode, the computing device may execute one or more user-configured application(s). If the battery state is sufficient for normal operation, the computing device may boot into a normal mode. In the normal mode, the user may configure the MPS configuration by selecting features for the future MPS boot mode. Other embodiments are described and claimed.

Abstract: Technologies for updating firmware in a pre-boot environment include a mobile computing device having a firmware environment and an operating system. In the pre-boot environment, the mobile computing device extracts a firmware update from a capsule previously generated by the operating system and determines a power consumption setting for a hardware component as a function of the firmware update. The mobile computing device configures the hardware component based on the power consumption setting and applies the firmware update in response to configuring the hardware component. The firmware update may include a firmware driver executable in the firmware environment. The hardware component may include a peripheral device or a device controller of the mobile computing device. The mobile computing device may determine a power policy as a function of the firmware update, and determine the power consumption setting as a function of the power policy. Other embodiments are described and claimed.

Abstract: Embodiments of multinode hubs for trust operations are disclosed herein. In some embodiments, a multinode hub may include a plurality of memory regions, a trapping module, and a trusted platform module (TPM) component. Each memory region may be associated with and receive trust operation data from a coherent computing node. The trapping module may generate trap notifications in response to accesses to the plurality of memory regions by the associated coherent computing nodes. The trap notifications may indicate which of the plurality of memory locations has been accessed, and the TPM component may process the trust operation data in a memory region indicated by a trap notification. Other embodiments may be disclosed and/or claimed.

Abstract: The present disclosure is directed to flexible bootstrap code architecture. A device may comprise equipment for operating the device and an operating system (OS) for operating the equipment. A boot module may also be included in the device to execute boot operations. At least one flexible boot (FB) module in the boot module may interact with the equipment and/or OS during the boot operations to cause the boot operations to become device-specific. An example boot module may comprise a plurality of FB modules. An example FB module may verify a device/chipset identification and may control the boot operations based on the identification. Other example FB modules may select resources to load based on an OS type, may provide a boot configuration table location for use in OS runtime boot configuration or may load variables from a preload variable directory for use in configuring boot operations.

Abstract: Computing devices, computer-readable storage media, and methods associated with providing an operating system (OS)-absent firmware sensor layer to support a boot process are disclosed herein. In embodiments, a computing device may include a processor and firmware to be operated on the processor. The firmware may include one or more modules and a sensor layer. The sensor layer may be configured to receive, in the OS-absent environment, sensor data produced by a plurality of sensors. The sensor layer may be further configured to selectively provide the sensor data to the one or more modules via an interface of the sensor layer that abstracts the plurality of sensors. Other embodiments may be described and/or claimed.

Abstract: An embodiment includes an apparatus comprising: an out-of-band cryptoprocessor including secure non-volatile storage that couples to a root index, having a fixed address, and comprises first and second variables referenced by the root index; and semiconductor integrated code (SIC) including embedded processor logic to initialize a processor and embedded memory logic to initialize a memory coupled to the processor; wherein (a) the SIC is to be executed responsive to resetting the processor and prior to providing control to boot code, and (b) the SIC is to perform pre-boot operations in response to accessing at least one of the first and second variables. Other embodiments are described herein.

Abstract: A method and apparatus is described herein for performing parallel memory migration, as well as execution of management tasks over a plurality of management windows. Handlers are dispatched to multiple resources, such as processing elements or threads, to determine a proper memory migration handler. Each resource, during a management mode, executes a designated memory migration handler or an instance of a memory migration handler to perform a portion of a memory migration task in parallel. A task data structure is capable of supporting tracking of portions of memory migrated. In addition the task data structure is potentially also capable of tracking management tasks through plurality of management windows to support servicing of management tasks through multiple management windows.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to include an authentication module. The authentication module can be configured to receiving a request to access an electronic device, where the electronic device is separate from the authentication module, collect authentication data, communicate the authentication data to a network element, receive an authentication key, and communicate the authentication key to the electronic device.

Abstract: Technologies for adaptive real-time media streaming include a computing device to determine, by a trusted execution environment of the computing device, a current workload of the computing device based on at least one activity counter. The at least one activity counter is to record counter data associated with performance of the computing device. Further, the computing device determines a residual workload capable of being supported by the computing device based on the determined current workload and a new content playback characteristics for streaming media content based on the determined residual workload. The computing device streams media content received from a trusted server based on the determined new content playback characteristics.

Abstract: Technologies for improving platform initialization on a computing device include beginning initialization of a platform of the computing device using a basic input/output system (BIOS) of the computing device. A security co-processor driver module adds a security co-processor command to a command list when a security processor command is received from the BIOS module. The computing device establishes a periodic interrupt of the initialization of the platform to query the security co-processor regarding the availability of a response to a previously submitted security co-processor command, forward any responses received by the security co-processor driver module to the BIOS module, and submit the next security co-processor command in the command list to the security co-processor.

Abstract: Technologies for verifying authorized operation includes an administration server to query a dual-headed identification device of a server for identification data indicative of an identity of the server. The dual-headed identification device includes a wired communication circuit, a wireless communication circuit, and a memory having the identification data stored therein. The administration server further obtains the identification data from the dual-headed identification device of the server, determines a context of the server, and determines whether boot of the server is authorized based on the context of the server, the identification data of the server, and a security policy of the server.

Abstract: The present application is directed to access isolation for multi-operating system devices. In general, a device may be configured using firmware to accommodate more than one operating system (OS) operating concurrently on the device or to transition from one OS to another. An access isolation module (AIM) in the firmware may determine a device equipment configuration and may partition the equipment for use by multiple operating systems. The AIM may disable OS-based equipment sensing and may allocate at least a portion of the equipment to each OS using customized tables. When transitioning between operating systems, the AIM may help to ensure that information from one OS is not accessible to others. For example, the AIM may detect when a foreground OS is to be replaced by a background OS, and may protect (e.g., lockout or encrypt) the files of the foreground OS prior to the background OS becoming active.