Patents by Inventor Willard Wiseman

Willard Wiseman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11068276
    Abstract: The present disclosure is directed to controlled customization of silicon initialization. A device may comprise, for example, a boot module including a memory on which boot code is stored, the boot code including at least an initial boot block (IBB) module that is not customizable and a global platform database (GPD) module including customizable data. The IBB module may include a pointer indicating GPD module location. The customizable data may comprise configurable parameters and simple configuration language (SCL) to cause the device to execute at least one logical operation during execution of the boot code. The GPD module may further comprise a pointer indicating SCL location. The boot code may be executed upon activation of the device, which may cause the IBB module to load an interpreter for executing the SCL. The interpreter may also verify access request operations in the SCL are valid before executing the access request operations.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: July 20, 2021
    Assignee: Intel Corporation
    Inventors: Jiewen Yao, Vincent Zimmer, Nicholas Adams, Willard Wiseman, Giri Mudusuru, Nuo Zhang
  • Publication number: 20190286450
    Abstract: The present disclosure is directed to controlled customization of silicon initialization. A device may comprise, for example, a boot module including a memory on which boot code is stored, the boot code including at least an initial boot block (IBB) module that is not customizable and a global platform database (GPD) module including customizable data. The IBB module may include a pointer indicating GPD module location. The customizable data may comprise configurable parameters and simple configuration language (SCL) to cause the device to execute at least one logical operation during execution of the boot code. The GPD module may further comprise a pointer indicating SCL location. The boot code may be executed upon activation of the device, which may cause the IBB module to load an interpreter for executing the SCL. The interpreter may also verify access request operations in the SCL are valid before executing the access request operations.
    Type: Application
    Filed: June 4, 2019
    Publication date: September 19, 2019
    Applicant: Intel Corporation
    Inventors: Jiewen Yao, Vincent Zimmer, Nicholas Adams, Willard Wiseman, Giri Mudusuru, Nuo Zhang
  • Patent number: 10310865
    Abstract: The present disclosure is directed to controlled customization of silicon initialization. A device may comprise, for example, a boot module including a memory on which boot code is stored, the boot code including at least an initial boot block (IBB) module that is not customizable and a global platform database (GPD) module including customizable data. The IBB module may include a pointer indicating GPD module location. The customizable data may comprise configurable parameters and simple configuration language (SCL) to cause the device to execute at least one logical operation during execution of the boot code. The GPD module may further comprise a pointer indicating SCL location. The boot code may be executed upon activation of the device, which may cause the IBB module to load an interpreter for executing the SCL. The interpreter may also verify access request operations in the SCL are valid before executing the access request operations.
    Type: Grant
    Filed: December 27, 2013
    Date of Patent: June 4, 2019
    Assignee: Intel Corporation
    Inventors: Jiewen Yao, Vincent Zimmer, Nicholas Adams, Willard Wiseman, Giri Mudusuru, Nuo Zhang
  • Patent number: 10019556
    Abstract: Technologies for verification include storage with private keys, wherein each private key is associated with a group affiliation. The storage also includes characteristic information about an apparatus. The technologies also include a wireless interface configured to receive a request from a reader for verification of membership of the apparatus within a group affiliation. The technologies further include a controller with programmable logic for configuring the controller to determine whether to verify membership of the apparatus within a given group affiliation. The controller is also configured to verify membership of the apparatus within the given group affiliation by signing data with a private key associated with the given group affiliation. The signed data is sent to the reader. Membership within the given group affiliation conveys a subset of the characteristic information.
    Type: Grant
    Filed: December 23, 2015
    Date of Patent: July 10, 2018
    Assignee: McAfee, LLC
    Inventors: Ned Smith, Sven Schrecker, Willard Wiseman, David Clark, Jennifer Gilburg De Magnin, Howard Herbert
  • Publication number: 20170185814
    Abstract: Technologies for verification include storage with private keys, wherein each private key is associated with a group affiliation. The storage also includes characteristic information about an apparatus. The technologies also include a wireless interface configured to receive a request from a reader for verification of membership of the apparatus within a group affiliation. The technologies further include a controller with programmable logic for configuring the controller to determine whether to verify membership of the apparatus within a given group affiliation. The controller is also configured to verify membership of the apparatus within the given group affiliation by signing data with a private key associated with the given group affiliation. The signed data is sent to the reader. Membership within the given group affiliation conveys a subset of the characteristic information.
    Type: Application
    Filed: December 23, 2015
    Publication date: June 29, 2017
    Inventors: Ned Smith, Sven Schrecker, Willard Wiseman, David Clark, Jennifer Gilburg De Magnin, Howard Herbert
  • Publication number: 20170003976
    Abstract: The present disclosure is directed to controlled customization of silicon initialization. A device may comprise, for example, a boot module including a memory on which boot code is stored, the boot code including at least an initial boot block (IBB) module that is not customizable and a global platform database (GPD) module including customizable data. The IBB module may include a pointer indicating GPD module location. The customizable data may comprise configurable parameters and simple configuration language (SCL) to cause the device to execute at least one logical operation during execution of the boot code. The GPD module may further comprise a pointer indicating SCL location. The boot code may be executed upon activation of the device, which may cause the IBB module to load an interpreter for executing the SCL. The interpreter may also verify access request operations in the SCL are valid before executing the access request operations.
    Type: Application
    Filed: December 27, 2013
    Publication date: January 5, 2017
    Applicant: Intel Corporation
    Inventors: Jiewen Yao, Vincent Zimmer, Nicholas Adams, Willard Wiseman, Giri Mudusuru, Nuo Zhang
  • Patent number: 8874916
    Abstract: Systems and methods may provide introducing a first root of trust on a platform to a second root of trust on the same platform. In one example, the method may include using an authenticated code module to transfer a first encryption key from a first root of trust on a platform to a second root of trust on the platform, receiving a challenge response from the first root of trust at the second root of trust, and using the first encryption key to verify the challenge response.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: October 28, 2014
    Assignee: Intel Corporation
    Inventors: Ned Smith, Sharon Smith, Willard Wiseman
  • Publication number: 20140095876
    Abstract: Systems and methods may provide introducing a first root of trust on a platform to a second root of trust on the same platform.
    Type: Application
    Filed: September 28, 2012
    Publication date: April 3, 2014
    Inventors: Ned Smith, Sharon Smith, Willard Wiseman
  • Patent number: 8032942
    Abstract: Systems, methods and machine readable media for configuring virtual platform modules are disclosed. One method includes launching a virtual machine monitor, and determining, with the virtual machine monitor, whether a configuration policy that defines a configuration for a virtual trusted platform module is trusted. The method further includes configuring the virtual trusted platform module per the configuration policy in response to the virtual machine monitor determining that the configuration policy is trusted. The method also includes launching, via the virtual machine monitor, a virtual machine associated with the virtual trusted platform module.
    Type: Grant
    Filed: December 31, 2007
    Date of Patent: October 4, 2011
    Assignee: Intel Corporation
    Inventors: Ned Smith, Willard Wiseman, Alok Kumar, Tasneem Brutch, Vincent Scarlata, Faraz Siddiqi
  • Publication number: 20080109636
    Abstract: In one embodiment of the present invention, a method includes verifying an initiating logical processor of a system; validating a trusted agent with the initiating logical processor if the initiating logical processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example.
    Type: Application
    Filed: December 27, 2007
    Publication date: May 8, 2008
    Inventors: John Wilson, Ioannis Schoinas, Mazin Yousif, Linda Rankin, David Grawrock, Robert Greiner, James Sutton, Kushagra Vaid, Willard Wiseman
  • Publication number: 20080109655
    Abstract: In one embodiment of the present invention, a method includes verifying an initiating logical processor of a system; validating a trusted agent with the initiating logical processor if the initiating logical processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example.
    Type: Application
    Filed: December 27, 2007
    Publication date: May 8, 2008
    Inventors: John Wilson, Ioannis Schoinas, Mazin Yousif, Linda Rankin, David Grawrock, Robert Greiner, James Sutton, Kushagra Vaid, Willard Wiseman
  • Publication number: 20080109638
    Abstract: In one embodiment of the present invention, a method includes verifying an initiating logical processor of a system; validating a trusted agent with the initiating logical processor if the initiating logical processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example.
    Type: Application
    Filed: December 27, 2007
    Publication date: May 8, 2008
    Inventors: John Wilson, Ioannis Schoinas, Mazin Yousif, Linda Rankin, David Grawrock, Robert Greiner, James Sutton, Kushagra Vaid, Willard Wiseman
  • Publication number: 20070003064
    Abstract: A method and apparatus for group session key and establishment using a certified migration key are described. In one embodiment, the method includes exporting of a protected certified migration key (CMK) to a target platform. In one embodiment, exporting of the protected CMK requires that the target platform is authorized for participation in a group and has a storage key, including attributes that comply with the group security policy. Once the protected CMK is exported, in one embodiment, a group master key is encrypted with a public portion of the CMK to form a protected group master key. Subsequently, the protected group master key is transmitted to the target platform. In one embodiment, possession of the group master key enables the target platform to participate in a secure group communication session. Other embodiments are described and claimed.
    Type: Application
    Filed: June 30, 2005
    Publication date: January 4, 2007
    Inventors: Willard Wiseman, Brett McKown
  • Publication number: 20060256107
    Abstract: A virtual manufacturer authority is launched in a protected portion of a processing system. A key for the virtual manufacturer authority is created. The key is protected by a security coprocessor of the processing system, such as a trusted platform module (TPM). Also, the key is bound to a current state of the virtual manufacturer authority. A virtual security coprocessor is created in the processing system. A delegation request is transmitted from the processing system to an external processing system, such as a certificate authority (CA). After transmission of the delegation request, the key is used to attest to trustworthiness of the virtual security coprocessor. Other embodiments are described and claimed.
    Type: Application
    Filed: June 29, 2005
    Publication date: November 16, 2006
    Inventors: Vincent Scarlata, Willard Wiseman
  • Publication number: 20060074600
    Abstract: According to one embodiment of the invention, a method comprises conducting a first integrity measurement to produce a first integrity measurement event. Thereafter, an integrity time stamp associated with the first integrity measurement event is created. The integrity time stamp is used to identify the actual time when the first integrity measurement event was produced.
    Type: Application
    Filed: September 15, 2004
    Publication date: April 6, 2006
    Inventors: Manoj Sastry, Willard Wiseman
  • Publication number: 20060020785
    Abstract: A system and method for secure distribution of a video card public key. The method provides for loading an authentication code module into a processor, authenticating the authentication code module, and executing the authentication code module. Executing the authentication module causes the authentication code module to assert a hardware indicator to access at least one address in a special protected page on a chipset. Receipt of the hardware indicator by the chipset causes a specific reference to be sent via a dedicated port to a circuit card to retrieve a public key from the circuit card.
    Type: Application
    Filed: June 30, 2004
    Publication date: January 26, 2006
    Inventors: David Grawrock, Willard Wiseman, James Sutton, Clifford Hall, Ned Smith
  • Publication number: 20050273602
    Abstract: In one embodiment of the present invention, a method includes verifying an initiating logical processor of a system; validating a trusted agent with the initiating logical processor if the initiating logical processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example.
    Type: Application
    Filed: June 3, 2004
    Publication date: December 8, 2005
    Inventors: John Wilson, Ioannis Schoinas, Mazin Yousif, Linda Rankin, David Grawrock, Robert Greiner, James Sutton, Kushagra Vaid, Willard Wiseman
  • Publication number: 20050262571
    Abstract: A system and method to support platform firmware as a trusted process. A trusted portion of original firmware is measured by a core root of trust measurement (CRTM). The measurement is stored in a secure manner during pre-boot. During operating system (OS)-runtime, requests are made to access an unqualified current version of firmware corresponding to a secure execution mode. A portion of the current firmware analogous to the trusted portion is measured. The measurements of the trusted original portion and unqualified current portion are compared to verify they match. If they match, it indicates that the current portion and the trusted portion are one and the same. Thus, the current portion of firmware is trustworthy. Accordingly, the firmware may be executed as a trusted process. Embodiments employ locality to enforce the trusted process. The use of locality prevents unqualified users (i.e., software) from accessing data stored by trusted firmware.
    Type: Application
    Filed: February 25, 2004
    Publication date: November 24, 2005
    Inventors: Vincent Zimmer, Willard Wiseman, Jing Li
  • Publication number: 20050149722
    Abstract: According to an embodiment of the invention, a method and apparatus for session key exchange are described. An embodiment of a method comprises requesting a service for a platform; certifying the use of the service for one or more acceptable configurations of the platform; and receiving a session key for a session of the service, the service being limited to the one or more acceptable configurations of the platform.
    Type: Application
    Filed: December 30, 2003
    Publication date: July 7, 2005
    Inventors: Willard Wiseman, David Grawrock, Ernie Brickell, Matthew Wood, Joseph Cihula