Abstract: In some implementations, the techniques described herein relate to a system including: an operating system; and a trusted execution environment including a controller and a write-protected storage area, wherein the controller is configured to: receive a command to modify access to trace functionality provided by the operating system, validate the command using a public key stored in the write-protected storage area, and update a register accessible by the operating system based on the command in response to validating the command, wherein the operating system is configured to allow or disallow access to trace functionality based on contents of the register.

Abstract: In some aspects, the techniques described herein relate to a device including: a processor; and a storage medium for tangibly storing thereon logic for execution by the processor, the logic including instructions for: storing a group digital certificate, the group digital certificate including a plurality of unique identifier (UID) values and a plurality of corresponding public keys; receiving onboarding data and a digital signature from a client device, the onboarding data including a UID of the client device and a public key of the client device and the digital signature generated using the onboarding data and a private key corresponding to the public key; validating the digital signature using the public key; confirming that the UID matches at least one UID in the group digital certificate; and onboarding the client device.

Abstract: The disclosed embodiments are directed to preventing the writing of malformed cryptographic keys to a memory device. In one embodiment, a system is disclosed comprising a storage array, the storage array storing a first cryptographic key; and a processor configured to: receive a command from a host processor, the command including a second cryptographic key, a first signature, a second signature, and at least one field, determine that the first signature is valid using the second cryptographic key and the at least one field, determine that the second signature is valid using the first cryptographic key, the first signature and the at least one field, and replace the first cryptographic key with the second cryptographic key after determining that both the first signature and second signature are valid.

Abstract: The disclosed embodiments relate to hardware security modules. In one embodiment, a method is disclosed comprising reading a random value from a physically unclonable function (PUF); generating a seed value from the random value; generating a cryptographic key using the seed value; and processing a cryptographic operation using the cryptographic key.

Abstract: The disclosed embodiments relate to securing operations accessing a non-volatile storage area of a memory device. In one embodiment, a method is disclosed comprising generating, by firmware of a memory device, a cryptographic key using a value of a physically unclonable function (PUF); writing, by the firmware, the cryptographic key to a volatile storage area; receiving, by the firmware, a command accessing a non-volatile storage area from a host processor; and processing, by the firmware, the command using the cryptographic key.

Abstract: An energy spectrum-dose measuring method and device is provided. The method includes: performing energy calibration on a spectrometer using a standard radiation source to obtain a conversion relation between a channel and an energy, where the conversion relation is represented by a calibration factor; measuring ray peaks of n radiation sources with different energies, and dividing energy of an obtained energy spectrum into n regions; performing spectrum collection on the n radiation sources according to the n regions to obtain n net energy spectra subjected to the energy calibration through the calibration factor; performing dose measurement on the n radiation sources sequentially to obtain n dose rates corresponding to the n net energy spectra; calculating a relationship between counting rates of the radiation sources in the n regions and corresponding dose rates; and calculating a full-spectrum dose rate according to a current dose rate of each region.

Abstract: In some aspects, the techniques described herein relate to a system including a key management server (KMS) configured to generate a first unique device secret (UDS) based on a server private key stored by the KMS; and a secure device configured to: generate a second UDS based on a device private key stored by the secure device, the second UDS equal to the first UDS; compute a TCB component identifier (TCI) based on a received TCB; generate a first cryptographic key using the TCI and the second UDS; generate a first digital certificate including the first cryptographic key; transmit the first digital certificate to the KMS which validates the first digital certificate based on a second cryptographic key generated using the first UDS; receive a second digital certificate from the KMS which is signed using a second server private key; and store the second digital certificate as a device certificate.

Abstract: Methods, systems, and devices for sharing keys with authorized users are described. In some cases, the first device may transmit, to the server, a request for a certificate for the first device to communicate with a memory device. The server may generate the certificate using a first private key of a first public-private key pair. The first device may receive the certificate and generate a content message that is signed by a second private key of a second public-private key pair. In some cases, the memory device may receive the content message and the certificate and validate the certificate using a first public key of the first public-private key pair. In such cases, the first device may establish a connection with the memory device in response to the memory device validating the certificate.

Abstract: The disclosed embodiments relate to authenticating devices to a cellular network. In one embodiment, a method is disclosed comprising reading a mobile identifier from a storage area of a memory device, the mobile identifier comprising a value associated with a subscriber of a cellular network; signing the mobile identifier using a private key to generate a digital signature, the private key generated using a physically unclonable function (PUF); transmitting the digital signature and a public key to a cellular network, the public key associated with the private key; and receiving, from the cellular network, a confirmation of access to the cellular network, the confirmation generated based on the public key and the digital signature.

Abstract: In some aspects, the techniques described herein relate to a device including: a debug port; a trusted execution environment (TEE), the TEE storing a public key; and a controller, the controller configured to: receive a command to access the debug port, the command including a signature generated using a private key corresponding to the public key; provide the command to the TEE, wherein the TEE validates the command by validating the signature using the public key to obtain a validation result; and modify access to the debug port based on the validation result.

Abstract: The disclosure relates to improvements in secure channel establishment. In some aspects, the techniques described herein relate to a method including: issuing, by a client device to a server, a request to establish a secure connection; receiving, by the client device, a response to the request to establish a secure connection from the server, the response including a digital certificate associated with a public key stored by the server, the public key used to establish a symmetric key; validating, by the client device, the digital certificate; and computing, by the client device, a shared secret using the public key stored by the server and a private key generated by the client device.

Abstract: Methods, systems, and devices for memory write access control are described. In some examples, memory systems may include storage that is access-protected (e.g., write access protected). To enable access to the protected storage, a server node may communicate a command to the memory system that is signed with a private key that is inaccessible to the memory system. They memory system may verify the command using a public key and may enable access to the protected storage. Access commands associated with the protected storage may be processed until access to the protected storage is disabled.

Abstract: The disclosed embodiments relate to hardware security modules. In one embodiment, a method is disclosed comprising reading a random value from a physically unclonable function (PUF); generating a seed value from the random value; generating a cryptographic key using the seed value; and processing a cryptographic operation using the cryptographic key.

Abstract: The example embodiments relate to improvements in managing boot code images. In an embodiment, a device is disclosed comprising a memory device, the memory device including a storage array, the storage array comprising a first partition and a second partition, wherein the first partition comprises a writeable partition and the second partition comprises a write-protected partition; and a processor configured to: load a golden boot image from the second partition, display a boot prompt after loading the golden boot image, receive an update boot image, the update boot image including a signature, read a public key from the second partition, validate the signature using the public key, and replace a current boot image stored in the first partition with the update boot image.

Abstract: The techniques described herein relate to a system including a simulator for instantiating a simulated device associated with a device public key and at least one generated device public key and generated device certificate. The system includes a server configured to receive the device public key, generate a server unique device secret (UDS) using the device public key and a server private key, generate at least one generated server key using the server UDS, generate at least one generated server certificate using the at least one generated server key, receive the at least one generated device key and at least one generated device certificate, and validate the at least one generated device key and generated device certificate by comparing the at least one generated device key and generated device certificate to the at least one generated server key and generated server certificate, respectively.

Abstract: In some aspects, the techniques described herein relate to a system including a key management server (KMS) configured to generate a first unique device secret (UDS) based on a server private key stored by the KMS; and a secure device configured to: generate a second UDS based on a device private key stored by the secure device, the second UDS equal to the first UDS; compute a TCB component identifier (TCI) based on a received TCB; generate a first cryptographic key using the TCI and the second UDS; generate a first digital certificate including the first cryptographic key; transmit the first digital certificate to the KMS which validates the first digital certificate based on a second cryptographic key generated using the first UDS; receive a second digital certificate from the KMS which is signed using a second server private key; and store the second digital certificate as a device certificate.

Abstract: Systems, apparatuses, and methods to secure identity chaining between software/firmware components of trusted computing base. A memory device includes a secure memory region having access control based on cryptography. The secure memory region stores component information about a second component configured to be executed after a first component during booting. Prior to using a component identity of the second component to generate a compound identifier of the first component, health of the second component to be executed is verified based on the component information stored in the secure memory region.

Abstract: Systems, apparatuses and methods may provide for technology that biases a word line of a block in NAND memory to a first voltage level, biases a source-side select gate and a drain-side select gate of the block to a second voltage level, and issues a discharge erase pulse to bitlines and a source of the block, wherein the discharge erase pulse is issued at a third voltage level, wherein the third voltage level is greater than the first voltage level and the second voltage level, and wherein the third voltage level is less than a fourth voltage level of a standard erase pulse. In one example, the discharge erase pulse injects holes into pillars of the block and bypasses an erase of cells in the pillars of the block.

Abstract: In some aspects, the techniques described herein relate to a device including: a debug port; a trusted execution environment (TEE), the TEE storing a public key; and a controller, the controller configured to: receive a command to access the debug port, the command including a signature generated using a private key corresponding to the public key; provide the command to the TEE, wherein the TEE validates the command by validating the signature using the public key to obtain a validation result; and modify access to the debug port based on the validation result.

Abstract: The example embodiments relate to improvements in managing boot code images. In an embodiment, a device is disclosed comprising a memory device, the memory device including a storage array, the storage array comprising a first partition and a second partition, wherein the first partition comprises a writeable partition and the second partition comprises a write-protected partition; and a processor configured to: load a golden boot image from the second partition, display a boot prompt after loading the golden boot image, receive an update boot image, the update boot image including a signature, read a public key from the second partition, validate the signature using the public key, and replace a current boot image stored in the first partition with the update boot image.