Patents by Inventor Yuval Itkin

Yuval Itkin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230379172
    Abstract: In one embodiment, a secure challenge-response method includes requesting respective token challenges from devices, receiving the respective token challenges from the devices, providing the respective token challenges to a signing server, receiving from the signing server a signature of the respective token challenges signed with a private key of the signing server, and providing to a given device of the devices a request to perform an operation, the request including the signature and the respective token challenges.
    Type: Application
    Filed: May 17, 2022
    Publication date: November 23, 2023
    Inventors: Yuval Itkin, Michael Tahar, Haim Kupershmidt, Ameer Mahagneh
  • Publication number: 20230351021
    Abstract: A computer system includes a volatile memory and at least one processor. The volatile memory includes a protected storage segment (PSS) configured to store firmware-authentication program code for authenticating firmware of the computer system. The at least one processor is configured to receive a trigger to switch to a given version of the firmware, to obtain, in response to the trigger, a privilege to access the PSS, to authenticate the given version of the firmware by executing the firmware-authentication program code from the PSS, to switch to the given version of the firmware upon successfully authenticating the given version, and to take an alternative action upon failing to authenticate the given version.
    Type: Application
    Filed: July 9, 2023
    Publication date: November 2, 2023
    Inventors: Mor Hoyda Sfadia, Yuval Itkin, Ahmad Atamli, Ariel Shahar, Yaniv Strassberg, Itsik Levi
  • Publication number: 20230297669
    Abstract: In one embodiment, a system includes a data communication device including a network interface to receive a nonce supply request from a remote machine, processing core(s), processing circuitry to generate a nonce, sign the nonce with a private key of the data communication device yielding a first digital signature, provide the nonce and first digital signature to the remote machine, receive, from the remote machine, a secure reset request including a second digital signature of the nonce signed with a private key of the remote machine, verify the second digital signature with a public key of the remote machine to verify that the remote machine provided the secure reset request and that the nonce signed by the second digital signature is the same nonce provided to the remote machine, and issue a reset command to the processing core(s) to reboot responsively to the verification of the second digital signature.
    Type: Application
    Filed: March 15, 2022
    Publication date: September 21, 2023
    Inventor: Yuval Itkin
  • Patent number: 11762747
    Abstract: A compute node includes a network-connected device, and a baseboard management controller (BMC) that is connected to the network-connected device by a sideband interface. The network-connected device is configured to communicate with a network. The BMC is configured to configure the network-connected device, via the sideband interface, to engage in a debug session over the network with a remote debug device.
    Type: Grant
    Filed: August 26, 2020
    Date of Patent: September 19, 2023
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventor: Yuval Itkin
  • Publication number: 20230274037
    Abstract: A computing device includes a non-volatile memory (NVM) interface and a processor. The NVM interface is to communicate with an NVM. The processor is to store in the NVM at least a Type-Length-Value (TLV) record including one or more encrypted fields and one or more non-encrypted fields, the non-encrypted fields including at least a validity indicator of the TLV record, to read the TLV record from the NVM, and to invalidate the TLV record by modifying the validity indicator stored in the non-encrypted fields, without decryption of any of the encrypted fields.
    Type: Application
    Filed: May 1, 2023
    Publication date: August 31, 2023
    Inventors: Yuval Itkin, Nir Eilam
  • Patent number: 11741232
    Abstract: A computer system includes a volatile memory and at least one processor. The volatile memory includes a protected storage segment (PSS) configured to store firmware-authentication program code for authenticating firmware of the computer system. The at least one processor is configured to receive a trigger to switch to a given version of the firmware, to obtain, in response to the trigger, a privilege to access the PSS, to authenticate the given version of the firmware by executing the firmware-authentication program code from the PSS, to switch to the given version of the firmware upon successfully authenticating the given version, and to take an alternative action upon failing to authenticate the given version.
    Type: Grant
    Filed: February 1, 2021
    Date of Patent: August 29, 2023
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventors: Mor Hoyda Sfadia, Yuval Itkin, Ahmad Atamli, Ariel Shahar, Yaniv Strassberg, Itsik Levi
  • Patent number: 11681635
    Abstract: A computing device includes a non-volatile memory (NVM) interface and a processor. The NVM interface is configured to communicate with an NVM. The processor is configured to store in the NVM Type-Length-Value (TLV) records, each TLV record including one or more encrypted fields and one or more non-encrypted fields, the non-encrypted fields including at least respective validity indicators of the TLV records, to read the TLV records that include the encrypted fields and the non-encrypted fields from the NVM, and to invalidate selected TLV records by modifying the respective validity indicators of the selected TLV records that are stored in the non-encrypted fields.
    Type: Grant
    Filed: September 7, 2020
    Date of Patent: June 20, 2023
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventors: Yuval Itkin, Yaniv Strassberg, Guy Harel, Ahmad Atamlh
  • Patent number: 11543852
    Abstract: In one embodiment, a network interface card device includes communication interfaces to provide data connection with respective local devices configured to run respective clock synchronization clients, at least one network interface to provide data connection between a packet data network and ones of the local devices, and a hardware clock to maintain a time value, and serve the clock synchronization clients.
    Type: Grant
    Filed: February 2, 2020
    Date of Patent: January 3, 2023
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventors: Dotan David Levi, Liron Mula, Ariel Almog, Aviad Raveh, Yuval Itkin
  • Publication number: 20220382868
    Abstract: Apparatuses, systems, and techniques that implement a unidirectional counter with one-time-programmable memory that prevents the counter from reversing direction. In at least one embodiment, a unidirectional counter is implemented with a base value represented as a binary number and an offset represented as a bit field where each bit represents an equal amount.
    Type: Application
    Filed: June 1, 2021
    Publication date: December 1, 2022
    Inventors: Yuval Itkin, Guy Harel, Mor Sfadia
  • Publication number: 20220245251
    Abstract: A computer system includes a volatile memory and at least one processor. The volatile memory includes a protected storage segment (PSS) configured to store firmware-authentication program code for authenticating firmware of the computer system. The at least one processor is configured to receive a trigger to switch to a given version of the firmware, to obtain, in response to the trigger, a privilege to access the PSS, to authenticate the given version of the firmware by executing the firmware-authentication program code from the PSS, to switch to the given version of the firmware upon successfully authenticating the given version, and to take an alternative action upon failing to authenticate the given version.
    Type: Application
    Filed: February 1, 2021
    Publication date: August 4, 2022
    Inventors: Mor Hoyda Sfadia, Yuval Itkin, Ahmad Atamli, Ariel Shahar, Yaniv Strassberg, Itsik Levi
  • Publication number: 20220075737
    Abstract: A computing device includes a non-volatile memory (NVM) interface and a processor. The NVM interface is configured to communicate with an NVM. The processor is configured to store in the NVM Type-Length-Value (TLV) records, each TLV record including one or more encrypted fields and one or more non-encrypted fields, the non-encrypted fields including at least respective validity indicators of the TLV records, to read the TLV records that include the encrypted fields and the non-encrypted fields from the NVM, and to invalidate selected TLV records by modifying the respective validity indicators of the selected TLV records that are stored in the non-encrypted fields.
    Type: Application
    Filed: September 7, 2020
    Publication date: March 10, 2022
    Inventors: Yuval Itkin, Yaniv Strassberg, Guy Harel, Ahmad Atamlh
  • Publication number: 20220066895
    Abstract: A compute node includes a network-connected device, and a baseboard management controller (BMC) that is connected to the network-connected device by a sideband interface. The network-connected device is configured to communicate with a network. The BMC is configured to configure the network-connected device, via the sideband interface, to engage in a debug session over the network with a remote debug device.
    Type: Application
    Filed: August 26, 2020
    Publication date: March 3, 2022
    Inventor: Yuval Itkin
  • Patent number: 11184085
    Abstract: An electro-optical (EO) interconnect assembly includes an optical fiber, and first and second EO transceivers. The first and second EO transceivers, which are coupled to respective ends of the optical fiber, are configured to (i) connect to respective first and second network devices, (ii) exchange electrical signals with the first and second network devices, (iii) convert between the electrical signals and optical signals, and exchange the optical signals with one another over the optical fiber, and (iv) conduct with one another, over the optical fiber, a secure challenge-response transaction, and to initiate a responsive action upon failure of the challenge-response transaction.
    Type: Grant
    Filed: September 3, 2020
    Date of Patent: November 23, 2021
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventors: Elad Mentovich, Liron Mula, Yuval Itkin
  • Patent number: 11070304
    Abstract: In one embodiment, a computer apparatus includes a first NIC including at least one network interface port to transfer data with a first packet-data network (PDN) including a master clock to provide a clock synchronization signal S1, a first physical hardware clock (PHC) to maintain a time value T1 responsively to S1, and a first clock controller to generate a clock synchronization signal S2 responsively to S1, S2 having a frequency set responsively to S1, and send S2 over a connection to a second NIC including at least one network interface port to transfer data with a second PDN, a second PHC, and a second clock controller to receive S2, update the second PHC with a time value T2 responsively to S2, send another clock synchronization signal to network nodes in the second PDN responsively to T2, the second NIC acting as a master clock in the second PDN.
    Type: Grant
    Filed: February 25, 2020
    Date of Patent: July 20, 2021
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventors: Dotan David Levi, Liron Mula, Avraham Ganor, Avi Urman, Aviad Raveh, Yuval Itkin, Oren Matus
  • Patent number: 11055104
    Abstract: A network adapter includes one or more network ports, multiple bus interfaces and a processor. The network ports are configured to communicate with a communication network. The bus interfaces are configured to communicate with multiple respective CPUs of a multi-CPU device. The processor is included in the network adapter and is configured to support an Option-ROM functionality, in which the network adapter holds Option-ROM program instructions that are loadable and executable by the multi-CPU device during a boot process, to expose the support of the Option-ROM functionality to the multi-CPU device over only a single bus interface, selected from among the multiple bus interfaces, and, by loading the Option-ROM program instructions to the multi-CPU device, to cause the multi-CPU device to present to a user only a single, non-redundant set of commands for managing all the multiple bus interfaces of the network adapter via the single bus interface.
    Type: Grant
    Filed: October 23, 2019
    Date of Patent: July 6, 2021
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventors: Yuval Itkin, Liran Liss
  • Publication number: 20210141413
    Abstract: In one embodiment, a network interface card device includes communication interfaces to provide data connection with respective local devices configured to run respective clock synchronization clients, at least one network interface to provide data connection between a packet data network and ones of the local devices, and a hardware clock to maintain a time value, and serve the clock synchronization clients.
    Type: Application
    Filed: February 2, 2020
    Publication date: May 13, 2021
    Inventors: Dotan David Levi, Liron Mula, Ariel Almog, Aviad Raveh, Yuval Itkin
  • Publication number: 20210124590
    Abstract: A network adapter includes one or more network ports, multiple bus interfaces and a processor. The network ports are configured to communicate with a communication network. The bus interfaces are configured to communicate with multiple respective CPUs of a multi-CPU device. The processor is included in the network adapter and is configured to support an Option-ROM functionality, in which the network adapter holds Option-ROM program instructions that are loadable and executable by the multi-CPU device during a boot process, to expose the support of the Option-ROM functionality to the multi-CPU device over only a single bus interface, selected from among the multiple bus interfaces, and, by loading the Option-ROM program instructions to the multi-CPU device, to cause the multi-CPU device to present to a user only a single, non-redundant set of commands for managing all the multiple bus interfaces of the network adapter via the single bus interface.
    Type: Application
    Filed: October 23, 2019
    Publication date: April 29, 2021
    Inventors: Yuval Itkin, Liran Liss
  • Patent number: 10984107
    Abstract: A method for secure boot includes, in a processor, retrieving from a memory device a firmware boot code for bootstrapping a firmware of the processor. The firmware boot code is authenticated using an authentication key. In response to failing to authenticate the firmware boot code using the authentication key, an attempt is made to authenticate a recovery firmware code, which has reduced functionality relative to the firmware boot code, using a recovery key. Upon successfully authenticating the recovery firmware code using the recovery key, the firmware boot code is restored from a host, the restored firmware boot code is authenticated by executing the recovery firmware code, and the firmware is bootstrapped using the authenticated firmware boot code.
    Type: Grant
    Filed: April 24, 2018
    Date of Patent: April 20, 2021
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventor: Yuval Itkin
  • Patent number: 10824501
    Abstract: Apparatus having a firmware memory storing firmware, a cache memory loading at least part of the firmware for execution by a processor, and a firmware checking engine having a defined syndrome storage location and performing the following iteratively on cache line entries associated with the firmware stored in the cache memory: choose a cache line entry; verify that an address mapped in the cache line entry maps to an address in the firmware memory, and when the cache line entry is locked and the address mapped in the cache line entry maps to an address in the firmware memory, compare a content of the cache line entry to a content of a corresponding address in the firmware stored in the firmware memory, and produce an integrity result indicating whether integrity of the apparatus has been compromised.
    Type: Grant
    Filed: January 7, 2019
    Date of Patent: November 3, 2020
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventors: Yuval Itkin, Ahmad Atamlh
  • Publication number: 20200218597
    Abstract: Apparatus having a firmware memory storing firmware, a cache memory loading at least part of the firmware for execution by a processor, and a firmware checking engine having a defined syndrome storage location and performing the following iteratively on cache line entries associated with the firmware stored in the cache memory: choose a cache line entry; verify that an address mapped in the cache line entry maps to an address in the firmware memory, and when the cache line entry is locked and the address mapped in the cache line entry maps to an address in the firmware memory, compare a content of the cache line entry to a content of a corresponding address in the firmware stored in the firmware memory, and produce an integrity result indicating whether integrity of the apparatus has been compromised. The abstract is not meant to be limiting.
    Type: Application
    Filed: January 7, 2019
    Publication date: July 9, 2020
    Inventors: Yuval Itkin, Ahmad Atamlh