Abstract: Various embodiments are generally directed to authenticating a chain of components of boot software of a computing device. An apparatus comprises a processor circuit and storage storing an initial boot software component comprising instructions operative on the processor circuit to select a first set of boot software components of multiple sets of boot software components, each set of boot software components defines a pathway that branches from the initial boot software component and that rejoins at a latter boot software component; authenticate a first boot software component of the first set of boot software components; and execute a sequence of instructions of the first boot software component to authenticate a second boot software component of the first set of boot software components to form a chain of authentication through a first pathway defined by the first set of boot software components. Other embodiments are described and claimed herein.

Abstract: Systems and methods may provide for identifying a runtime behavioral pattern of an application and detecting an anomaly in the runtime behavioral pattern. In addition, a security event may be triggered in response to the anomaly. In one example, the anomaly is detected with regard to one or more of a library call count, a library call type, a library call argument configuration or a library call timing associated with a runtime operation of the application.

Abstract: A controller is used in a computer system to control access to an NVRAM. The computer system includes a processor coupled to a non-volatile random access memory (NVRAM). The NVRAM is byte-rewritable and byte-erasable. The NVRAM stores data to be used by a set of agents including in-band agents and an out-of-band agent. The in-band agents run on a processor having one or more cores, and the out-of-band agent that runs on a non-host processing element. When the controller receives an access request from the out-of-band agent, the controller determines, based on attributes associated with the out-of-band agent, whether a region in the NVRAM is shareable by the out-of-band agent and at least one of the in-band agents.

Abstract: Technologies for verifying hardware components of a computing device include retrieving platform identification data of the computing device, wherein the platform identification data is indicative of one or more reference hardware components of the computing device, accessing hardware component identification data from one or more dual-headed identification devices of the computing device, and comparing the platform identification data to the hardware component identification data to determine whether a hardware component of the computing device has been modified. Each of the one or more dual-headed identification devices is secured to a corresponding hardware component of the computing device, includes identification data indicative of an identity of the corresponding hardware component of the computing device, and is capable of wired and wireless communication.

Abstract: Various embodiments are directed to creating multiple device blocks associated with hardware devices, arranging the device blocks in an order indicative of positions of the hardware devices in a hierarchy of buses and bridges, and enabling access to the multiple device blocks from an operating system. An apparatus comprises a processor circuit and storage storing instructions operative on the processor circuit to create a device table comprising multiple device blocks, each device block corresponding to one of multiple hardware devices accessible to the processor circuit, the device blocks arranged in an order indicative of relative positions of the hardware devices in a hierarchy of buses and at least one bridge device; enable access to the device table by an operating system; and execute a second sequence of instructions of the operating system operative on the processor circuit to access the device table. Other embodiments are described and claimed herein.

Abstract: Apparatuses, methods and storage media associated with switching operating systems are disclosed herewith. In embodiments, an apparatus for computing may include one or more processors; and a virtual machine manager to be operated by the one or more processors to instantiate a first virtual machine with a first operating system in a background, and a second virtual machine with a second operating system in a foreground; wherein the virtual machine manager is further to place the first virtual machine, on instantiation, in background into a standby state. Other embodiments may be disclosed or claimed.

Abstract: In an embodiment, a system on a chip includes: a single core to execute a legacy instruction set, the single core configured to enter a system management mode (SMM) to provide a trusted execution environment to perform at least one secure operation; and a memory controller coupled to the single core, the memory controller to interface with a system memory, where a portion of the system memory comprises a secure memory for the SMM, and the single core is to authenticate and execute a boot firmware, and pass control to the SMM to obtain a key pair from a protected storage and store the key pair in the secure memory. Other embodiments are described and claimed.

Abstract: An embodiment includes a secure and stable method for sending information across a compute continuum. For example, the method may include executing an application (e.g., video player) on a first node (e.g., tablet) with a desire to perform “context migration” to a second node (e.g., desktop). This may allow a user to watch a movie on the tablet, stop watching the movie, and then resume watching the movie from the desktop. To do so in a secure and stable manner, the first node may request security and performance credentials from the second node. If both credential sets satisfy thresholds, the first node may transfer content (e.g., encrypted copy of a movie) and state information (e.g., placeholder indicating where the movie was when context transfer began). The second node may then allow the user to resume his or her movie watching from the desktop. Other embodiments are described herein.

Abstract: Methods, systems and computer program products are disclosed for enhanced system boot processing that is faster to launch an operating system, as certain devices such as user input hardware devices may not be initialized unless it is determined that a user-interruption to the boot process is likely. That is, although an interface for the devices is exposed, no initialization occurs unless a call to the interface occurs. Other embodiments are described and claimed.

Abstract: In one embodiment, a method is provided that may include one or more operations. One of these operations may include, in response, at least in part, to a request to store input data in storage, encrypting, based least in part upon one or more keys, the input data to generate output data to store in the storage. The one or more keys may be authorized by a remote authority. Alternatively or additionally, another of these operations may include, in response, at least in part, to a request to retrieve the input data from the storage, decrypting, based at least in part upon the at least one key, the output data. Many modifications, variations, and alternatives are possible without departing from this embodiment.

Abstract: Methods and arrangements to launch trusted, distinct, co-existing environments are disclosed. Embodiments may launch trusted, distinct, co-existing environments in pre-OS space with high assurance. A hardware-enforced isolation scheme may isolate the partitions to facilitate storage and execution of code and data. In many embodiments, the system may launch a partition manager to establish embedded and main partitions. Embedded partitions may not be visible to the main OS and may host critical operations. A main partition may host a general-purpose OS and user applications, and may manage resources that are not assigned to the embedded partitions. Trustworthiness in the launch of the embedded partition is established by comparing integrity metrics for the runtime environment against integrity measurements of a trusted runtime environment for the embedded partition, e.g., by sealing a cryptographic key with the integrity metrics in a trusted platform module. Other embodiments are described and claimed.

Abstract: An embodiment includes an apparatus comprising: an out-of-band cryptoprocessor coupled to secure non-volatile storage; and at least one storage medium having firmware instructions stored thereon for causing, during runtime and after an operating system for the apparatus has booted, the cryptoprocessor to (a) store a key within the secure non-volatile storage, (b) sign an object with the key, while the key is within the cryptoprocessor, to produce a signature, and (c) verify the signature. Other embodiments are described herein.

Abstract: A tracking station detects a mobile data processing system (DPS) within communication range of a short range wireless module of the tracking station. In response to detecting the mobile DPS, the tracking station obtains identification data for the mobile DPS from a security module of the mobile DPS. The tracking station uses the identification data to obtain credentials to access secure storage on the mobile DPS. The tracking station automatically generates security configuration data for the mobile DPS, based on multiple factors pertaining to the mobile DPS, such as identity of the mobile DPS, a location of the mobile DPS, capabilities of the mobile DPS, etc. The tracking station uses the credentials to write the security configuration data to the secure storage of the mobile DPS. The security configuration data calls for the mobile DPS to automatically disable or enable at least one component. Other embodiments are described and claimed.

Abstract: In an example, a system and method are disclosed for location-based security for devices such as portable devices. A portable device may be provided with a short-range transceiver (such as RIFD) that is detectable when a user enters or exits an area. The device may also include an encrypted storage divided into a plurality of discrete units. Upon entering an area, the devices identity and location are provided to a policy server. In response, the policy server may wirelessly provide security tokens to the portable device that enable decryption of specific storage units authorized for access in that area. When a user passes back through a portal to the area, the security tokens are revoked, so that access to secured units of the storage is restricted.

Abstract: Technologies for improving platform initialization on a computing device include beginning initialization of a platform of the computing device using a basic input/output system (BIOS) of the computing device. A security co-processor driver module adds a security co-processor command to a command list when a security processor command is received from the BIOS module. The computing device establishes a periodic interrupt of the initialization of the platform to query the security co-processor regarding the availability of a response to a previously submitted security co-processor command, forward any responses received by the security co-processor driver module to the BIOS module, and submit the next security co-processor command in the command list to the security co-processor.

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for a Unified Extensible Firmware Interface (UEFI) with durable storage to provide memory write persistence, for example, in the event of power loss. The system may include a processor to host the firmware interface which may be configured to control access to system variables in a protected region of a volatile memory. The system may also include a power management circuit to provide power to the processor and further to provide a power loss indicator to the firmware interface. The system may also include a reserve energy storage module to provide power to the processor in response to the power loss indicator. The firmware interface is further configured to copy the system variables from the volatile memory to a non-volatile memory in response to the power loss indicator.

Abstract: An embodiment includes a secure and stable method for sending information across a compute continuum. For example, the method may include executing an application (e.g., video player) on a first node (e.g., tablet) with a desire to perform “context migration” to a second node (e.g., desktop). This may allow a user to watch a movie on the tablet, stop watching the movie, and then resume watching the movie from the desktop. To do so in a secure and stable manner, the first node may request security and performance credentials from the second node. If both credential sets satisfy thresholds, the first node may transfer content (e.g., encrypted copy of a movie) and state information (e.g., placeholder indicating where the movie was when context transfer began). The second node may then allow the user to resume his or her movie watching from the desktop. Other embodiments are described herein.

Abstract: Multiple operational contexts are called up from a Standby power state of a computing device. The operational contexts run on one or more operating systems of the computing device. When a desired operational context is chosen, such as by activation through a user initiated act or hot key, the operating system supporting the desired operational context is booted up from the Standby power state.

Abstract: Methods and apparatus are disclosed to manage power consumption at a graphics engine. An example method to manage power usage of a graphics engine via an application level interface includes obtaining a policy directive for the graphics engine via the application level interface, the policy directive identifying a threshold corresponding to power consumed by the graphics engine operating in a first graphics state. The example method also includes determining a power consumed by the graphics engine during operation. The example method also includes comparing the power consumed to the threshold of the policy directive, and when the threshold is met, setting the graphics engine in a second graphics state to cause the graphics engine to comply with the policy directive.

Abstract: In some embodiments, the invention involves using a dedicated service processor with out-of-band capabilities to enable a secure boot using biometric data to authenticate the user. In some embodiments, at least a secondary token is used enhance the secure boot. An off-line database may be accessed by the service processor during boot to store or retrieve biometric templates to compare with scanned, live, biometric data. Other embodiments are described and claimed.