Abstract: This disclosure is directed to firmware-related event notification. A device may comprise an operating system (OS) configured to operate on a platform. During initialization of the device a firmware module in the platform may load at least one globally unique identifier (GUID) into a firmware configuration table. When the platform notifies the OS, the firmware module may load at least one GUID into a platform notification table and may set a platform notification bit in a platform notification table status field. Upon detecting the notification, an OS management module may establish a source of the notification by querying the platform notification table. The platform notification bit may cause the OS management module to compare GUIDs in the platform notification table and the firmware configuration table. Services may be called based on any matching GUIDs. If no GUIDs match, the services may be called based on firmware variables in the device.

Abstract: The present disclosure is directed to secure sensor data transport and processing. End-to-end security may prevent attackers from altering data during the sensor-based security procedure. For example, following sensor data capture execution in a device may be temporarily suspended. During the suspension of execution, sensor interface circuitry in the device may copy the sensor data from a memory location associated with the sensor to a trusted execution environment (TEE) within the device. The TEE may provide a secure location in which the sensor data may be processed and a determination may be made as to whether to grant access to the secure resources. The TEE may comprise, for example, match circuitry to compare the sensor data to previously captured sensor data for users that are allowed to access the secured resources and output circuitry to grant access to the secured resources or to perform activities associated with a security exception.

Abstract: Methods and apparatus to provide isolated execution environments are disclosed. In some examples, the methods and apparatus identify a request from a host application. In some examples, the methods and apparatus, in response to identifying the request from the host application, load a microcode application into memory when excess micro operations exist in a host instruction set architecture, the microcode application being a fragment of code. In some examples, the methods and apparatus execute the microcode application. In some examples, the methods and apparatus, in response to completed execution of the microcode application, unload the microcode application from memory.

Abstract: In an embodiment, a system on a chip includes: a single core to execute a legacy instruction set, the single core configured to enter a system management mode (SMM) to provide a trusted execution environment to perform at least one secure operation; and a memory controller coupled to the single core, the memory controller to interface with a system memory, where a portion of the system memory comprises a secure memory for the SMM, and the single core is to authenticate and execute a boot firmware, and pass control to the SMM to obtain a key pair from a protected storage and store the key pair in the secure memory. Other embodiments are described and claimed.

Abstract: Technologies for verifying hardware components of a computing device include retrieving platform identification data of the computing device, wherein the platform identification data is indicative of one or more reference hardware components of the computing device, accessing hardware component identification data from one or more dual-headed identification devices of the computing device, and comparing the platform identification data to the hardware component identification data to determine whether a hardware component of the computing device has been modified. Each of the one or more dual-headed identification devices is secured to a corresponding hardware component of the computing device, includes identification data indicative of an identity of the corresponding hardware component of the computing device, and is capable of wired and wireless communication.

Abstract: Various embodiments are generally directed to authenticating a chain of components of boot software of a computing device. An apparatus comprises a processor circuit and storage storing an initial boot software component comprising instructions operative on the processor circuit to select a first set of boot software components of multiple sets of boot software components, each set of boot software components defines a pathway that branches from the initial boot software component and that rejoins at a latter boot software component; authenticate a first boot software component of the first set of boot software components; and execute a sequence of instructions of the first boot software component to authenticate a second boot software component of the first set of boot software components to form a chain of authentication through a first pathway defined by the first set of boot software components. Other embodiments are described and claimed herein.

Abstract: Technologies for improving platform initialization on a computing device include beginning initialization of a platform of the computing device using a basic input/output system (BIOS) of the computing device. A security co-processor driver module adds a security co-processor command to a command list when a security processor command is received from the BIOS module. The computing device establishes a periodic interrupt of the initialization of the platform to query the security co-processor regarding the availability of a response to a previously submitted security co-processor command, forward any responses received by the security co-processor driver module to the BIOS module, and submit the next security co-processor command in the command list to the security co-processor.

Abstract: Systems and methods for real-time emergency vehicle authentication at traffic signal and tollgates are disclosed. In certain example embodiments, a dispatch server can provide identifying credentials and time-bounded intersection tickets (TBIT) to traffic signals and tollgates for conducting authentication of emergency vehicles. The emergency vehicles can transmit a traffic light control message requesting expedited access through a traffic signal or tollgate. The traffic signal or tollgate can decrypt the message using the TBIT. It can further determine if the identifying credential received from the emergency vehicle is authorized for expedited access and if the message was received within a required time period. In response, the traffic signal or tollgate can determine its current signal or gate position and determine if a change needs to be made to provide expedited access to the emergency vehicle.

Abstract: A method, system and computer-readable storage medium with instructions to migrate full-disk encrypted virtual storage between blade servers. A key is obtained to perform an operation on a first blade server. The key is obtained from a virtual security hardware instance and provided to the first blade server via a secure out-of-band communication channel. The key is migrated from the first blade server to a second blade server. The key is used to perform hardware encryption of data stored on the first blade server. The data are migrated to the second blade server without decrypting the data at the first blade server, and the second blade server uses the key to access the data. Other embodiments are described and claimed.

Abstract: The present disclosure is directed to firmware block dispatch based on fusing. A device may determine firmware blocks to load during initialization of the device based on fuses set in a processing module in the device. A firmware module may comprise at least a nonvolatile (NV) memory including boot code and a firmware information table (FIT). During initialization the boot code may cause the processing module to read fuse information from a fuse module and to determine at least one firmware block to load based on the fuse information. For example, the fuse information may comprise a fuse string and the processing module may compare the fuse string to the FIT table, determine at least one pointer in the FIT table associated with the fuse string and load at least one firmware block based on a location (e.g., offset) in the NV memory identified by the at least one pointer.

Abstract: This disclosure is directed to firmware-related event notification. A device may comprise an operating system (OS) configured to operate on a platform. During initialization of the device a firmware module in the platform may load at least one globally unique identifier (GUID) into a firmware configuration table. When the platform notifies the OS, the firmware module may load at least one GUID into a platform notification table and may set a platform notification bit in a platform notification table status field. Upon detecting the notification, an OS management module may establish a source of the notification by querying the platform notification table. The platform notification bit may cause the OS management module to compare GUIDs in the platform notification table and the firmware configuration table. Services may be called based on any matching GUIDs. If no GUIDs match, the services may be called based on firmware variables in the device.

Abstract: Apparatuses, methods and storage medium associated with memory encryption exclusion are disclosed herein. In embodiments, an apparatus may include one or more processors, memory, and firmware to provide basic input/output services to an operating system. Additionally, the apparatus may include a memory controller to control access to the memory, wherein the memory controller includes an encryption engine to encrypt data, using an encryption key, before the data are stored into an encrypted area of the memory, wherein the encryption engine regenerates the encryption key on a reset transferring execution from the operating system operated by the one or more processors to a pre-boot phase of the firmware. Further, the apparatus may include one or more storage locations to store one or more memory parameters to set aside one or more ranges of the memory as one or more encryption excluded areas. Other embodiments may be described and/or claimed.

Abstract: Various embodiments are generally directed to techniques for supporting the distributed execution of a task routine among multiple secure controllers incorporated into multiple computing devices. An apparatus includes a first processor component and first secure controller of a first computing device, where the first secure controller includes: a selection component to select the first secure controller or a second secure controller of a second computing device to compile a task routine based on a comparison of required resources to compile the task routine and available resources of the first secure controller; and a compiling component to compile the task routine into a first version of compiled routine for execution within the first secure controller by the first processor component and a second version for execution within the second secure controller by a second processor component in response to selection of the first secure controller. Other embodiments are described and claimed.

Abstract: Systems, apparatuses and methods may provide for receiving, from a host driver, factory data including one or more of calibration data, platform identifier data, manufacturer data or wireless carrier data, and verifying integrity of the factory data. Additionally, the factory data may be provisioned into non-volatile memory (NVM) in accordance with an operating system independent format managed by a platform root-of-trust such as a Trusted Execution Environment (TEE). In one example, provisioning the factory data includes defining one or more partitions in the NVM, initiating storage of the factory data to the NVM along the one or more partitions, and specifying a restriction profile for the one or more partitions, wherein the restriction profile includes one or more of read restrictions, write restrictions, time bound restrictions or location bound restrictions.

Abstract: Various embodiments are directed to creating multiple device blocks associated with hardware devices, arranging the device blocks in an order indicative of positions of the hardware devices in a hierarchy of buses and bridges, and enabling access to the multiple device blocks from an operating system. An apparatus comprises a processor circuit and storage storing instructions operative on the processor circuit to create a device table comprising multiple device blocks, each device block corresponding to one of multiple hardware devices accessible to the processor circuit, the device blocks arranged in an order indicative of relative positions of the hardware devices in a hierarchy of buses and at least one bridge device; enable access to the device table by an operating system; and execute a second sequence of instructions of the operating system operative on the processor circuit to access the device table. Other embodiments are described and claimed herein.

Abstract: Durable atomic transactions for non-volatile media are described. A processor includes an interface to a non-volatile storage medium and a functional unit to perform instructions associated with an atomic transaction. The instructions are to update data at a set of addresses in the non-volatile storage medium atomically. The functional unit is operable to perform a first instruction to create the atomic transaction that declares a size of the data to be updated atomically. The functional unit is also operable to perform a second instruction to start execution of the atomic transaction. The functional unit is further operable to perform a third instruction to commit the atomic transaction to the set of addresses in the non-volatile storage medium, wherein the updated data is not visible to other functional units of the processing device until the atomic transaction is complete.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to include an authentication module. The authentication module can be configured to receiving a request to access an electronic device, where the electronic device is separate from the authentication module, collect authentication data, communicate the authentication data to a network element, receive an authentication key, and communicate the authentication key to the electronic device.

Abstract: Methods and apparatus relating to pre-OS (pre Operating System) image rewriting to provide cross-architecture support, security introspection, and/or performance optimization are described. In an embodiment, logic rewrites a non-native firmware interface driver into a native firmware interface driver in response to a determination that sufficient space is available in an integrity cache storage device to store the native firmware interface driver. The logic rewrites the non-native firmware interface driver into the native firmware interface driver by performing one or more of its operations during operating system runtime. Other embodiments are also claimed and described.

Abstract: Methods and apparatuses for re-instantiating a firmware environment that includes one or more firmware functions available at pre-boot time when transitioning the computing device from a wake state to a sleep state. A network event received by the computing device while in a sleep state may be handled by the firmware environment independent of the operating system and without returning the entire computing device to the wake state.

Abstract: Embodiments of multinode hubs for trust operations are disclosed herein. In some embodiments, a multinode hub may include a plurality of memory regions, a trapping module, and a trusted platform module (TPM) component. Each memory region may be associated with and receive trust operation data from a coherent computing node. The trapping module may generate trap notifications in response to accesses to the plurality of memory regions by the associated coherent computing nodes. The trap notifications may indicate which of the plurality of memory locations has been accessed, and the TPM component may process the trust operation data in a memory region indicated by a trap notification. Other embodiments may be disclosed and/or claimed.