Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.

Abstract: In some embodiments, a first device performs ranging operations to allow a user to access the first device under one of several user accounts without providing device-access credentials. For example, when a second device is within a first distance of the first device, the first device determines that the second device is associated with a first user account under which a user can access (e.g., can log into) the first device. In response to the determination, the first device enables at least one substitute interaction (e.g., a password-less UI interaction) to allow the first device to be accessed without receiving access credentials through a user interface. In response to detecting an occurrence of the substitute interaction, the user is allowed to access the first device under the first user account. In some embodiments, the substitute interaction occurs while the first device is logged into under a second user account.

Abstract: Some embodiments of the invention provide a method for a trusted (or originator) device to modify the security state of a target device (e.g., unlocking the device) based on a securing ranging operation (e.g., determining a distance, proximity, etc.). The method of some embodiments exchanges messages as a part of a ranging operation in order to to determine whether the trusted and target devices are within a specified range of each other before allowing the trusted device to modify the security state of the target device. In some embodiments, the messages are derived by both devices based on a shared secret and are used to verify the source of ranging signals used for the ranging operation. In some embodiments, the method is performed using multiple different frequency bands.

Abstract: Techniques are disclosed concerning secure access to data in a computing device. In one embodiment, a computing device includes a communication interface, a memory, a memory controller, and a security processor. The communication interface may communicate with a different computing device. The security processor may generate a host key in response to a successful authentication of the different computing device, and then encrypt a memory key using the host key. The security processor may also send the encrypted memory key to the memory controller, and send the host key to the different computing device. The host key may be included by the different computing device in a subsequent memory request to access data in the memory. The memory controller may, in response to the subsequent memory request, use the included host key to decrypt the encrypted memory key and use the decrypted memory key to access the data.

Abstract: A device may include a secure processor and a secure memory coupled to the secure processor. The secure memory may be inaccessible to other device systems. The secure processor may store some keys and/or entropy values in the secure memory and other keys and/or entropy values outside the secure memory. The keys and/or entropy values stored outside the secure memory may be encrypted using information stored inside the secure memory.

Abstract: Embodiments described herein provide for a system, method, and apparatus to provision domains in a secure enclave processor to support multiple users. One embodiment provides for an apparatus comprising a first processor to receive a set of credentials associated with one of multiple user accounts on the apparatus and a second processor including a secure circuit to provide a secure enclave, the secure enclave to receive a request from the first processor to authenticate the set of credentials, the request including supplied credentials and an authentication type, where the secure enclave is to block the request from the first processor in response to a determination that the user account has exceeded a threshold number of successive failed authentication attempts for the authentication type.

Abstract: Some embodiments of the invention provide a method for authenticating a security device (e.g., a smart card or other highly secured device) to modify a security state (e.g., unlocking, decrypting, etc.) at a target device (e.g., laptop computers, mobile phones, tablets, etc.). In some embodiments, the security device does not have a volatile storage for storing volatile parameters for the particular device to use to perform the authentication process. The method of some embodiments sends an encrypted challenge to the security device, in which the encrypted challenge can only be decrypted by the security device. The method receives a response and modifies accessibility for the target device when the response is a valid response. The method of some embodiments determines that a response is valid based on the decrypted contents of the response and/or based on a period of time between the issuance of the challenge and the received response.

Abstract: Techniques are disclosed relating to data storage. In various embodiments, a computing device includes first and second processors and memory having stored therein a first encrypted operating system executable by the first processor and a second encrypted operating system executable by the second processor. The computing device also includes a secure circuit configured to receive, via a first mailbox mechanism of the secure circuit, a first request from the first processor for a first cryptographic key usable to decrypt the first operating system. The secure circuit is further configured to receive, via a second mailbox mechanism of the secure circuit, a second request from the second processor for a second cryptographic key usable to decrypt the second operating system, and to provide the first and second cryptographic keys.

Abstract: Embodiments described herein provide for a system, method, and apparatus to provision domains in a secure enclave processor to support multiple users. One embodiment provides for an apparatus comprising a first processor to receive a set of credentials associated with one of multiple user accounts on the apparatus and a second processor including a secure circuit to provide a secure enclave, the secure enclave to receive a request from the first processor to authenticate the set of credentials, the request including supplied credentials and an authentication type, where the secure enclave is to block the request from the first processor in response to a determination that the user account has exceeded a threshold number of successive failed authentication attempts for the authentication type.

Abstract: Techniques are disclosed relating to securely storing data at a computing device that is managed by an external entity. In some embodiments, a computing device maintains a first file system volume having data that is accessible to a user of the computing device and that is not managed by an entity external to the computing device. The computing device receives, from the entity external, a first request to configure the computing device to store data that is accessible to the user and managed by the external entity. In response to the first request, the computing device creates a second distinct file system volume to store the data managed by the external entity. In response to a second request from the external entity, the computing device subsequently removes the second file system volume.

Abstract: Embodiments described herein enable multi-user storage volume encryption via a secure enclave processor. One embodiment provides for a computing device comprising a first processor to execute a first operating system having one or more user accounts; a second processor to execute a second operating system, the second processor including a secure enclave, the secure enclave to receive a first encrypted key from the first processor and decrypt a volume encryption key via a key encryption key derived from the first encrypted key, the first encrypted key derived via the secure enclave without user-provided entropy; and a non-volatile memory controller to access encrypted data within non-volatile memory using the volume encryption key.

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.

Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.

Abstract: Techniques are disclosed concerning secure access to data in a computing device. In one embodiment, a computing device includes a communication interface, a memory, a memory controller, and a security processor. The communication interface may communicate with a different computing device. The security processor may generate a host key in response to a successful authentication of the different computing device, and then encrypt a memory key using the host key. The security processor may also send the encrypted memory key to the memory controller, and send the host key to the different computing device. The host key may be included by the different computing device in a subsequent memory request to access data in the memory. The memory controller may, in response to the subsequent memory request, use the included host key to decrypt the encrypted memory key and use the decrypted memory key to access the data.

Abstract: A system for provisioning credentials onto an electronic device is provided. The system may include a payment network subsystem, a service provider subsystem, and one or more user devices that can be used to perform mobile transactions at a merchant terminal. The user device may communicate with the service provider subsystem in order to obtained commerce credentials from the payment network subsystem. The user device may include a secure element and a corresponding trusted processor. The trusted processor may generate a random authorization number and inject that number into the secure element. Mobile payments should only be completed if the random authorization number on the secure element matches the random authorization number at the trusted processor. The trusted processor may be configured to efface the previous random authorization number and generate a new random authorization number when detecting a potential change in ownership at the user device.

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. In some embodiments, the secure circuit is configured to generate a public key and a private key for an application, and receive, from the application via an API, a request to perform a cryptographic operation using the private key. The secure circuit is further configured to perform the cryptographic operation in response to the request.

Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.

Abstract: In some embodiments, a first device performs ranging operations to allow a user to perform one or more operations on the first device without providing device-access credentials. For example, when a second device is within a first distance of the first device, the first device determines that the second device is associated with a first user account that is authorized to perform operations on the first device. In response to the determination, the first device enables at least one substitute interaction (e.g., a password-less UI interaction) to allow the operations to be performed on the first device to be accessed without receiving access credentials through a user interface. In response to detecting an occurrence of the substitute interaction, the operation is authorized on the first device.

Abstract: A device may include a secure processor and a secure memory coupled to the secure processor. The secure memory may be inaccessible to other device systems. The secure processor may store some keys and/or entropy values in the secure memory and other keys and/or entropy values outside the secure memory. The keys and/or entropy values stored outside the secure memory may be encrypted using information stored inside the secure memory.