G06F21/1064

BASEBOARD MANAGEMENT CONTROLLER FIRMWARE SECURITY SYSTEM

A BMC firmware security system includes a BMC coupled to a programmable circuit device and a first storage subsystem. In response to BMC initialization, the BMC uses a system identifier to verify that a license in the first storage subsystem authorizes the BMC to use BMC firmware in the BMC, uses branding identity information in the BMC to verify that the BMC is branded for the BMC firmware, determines that the programmable circuit device identifies the BMC firmware and, in response, performs BMC initialization operations using the BMC firmware. A BIOS is coupled to the programmable circuit device and a second storage system. In response to BIOS initialization, the BIOS uses the branding identity information in the second storage subsystem to identify the BMC firmware, determines that the programmable circuit device identifies the BMC firmware and, in response, performs BIOS initialization operations.

Trust zone hosted secure screen mode for discretionary presentation of sensitive corporate information to trusted endpoints

A communication device. The communication device comprises a central processing unit (CPU), a graphics processing unit (GPU), and a non-transitory memory comprising executable instructions for a sharing application that when executed by at least one of the CPU or the GPU, causes the sharing application to transmit an executable of a trusted application to an endpoint communication device, begin execution of the sharing application in a trusted security execution zone (TSZ) execution mode for sharing media content, instantiate a trustlet application that begins execution by the CPU or the GPU in the TSZ execution mode, display a unit of media content on the communication device, determine whether the unit of media content comprises confidential information, and in response to a determination the unit of media content comprises confidential information, transmit commands to the trusted application to control one or more functions at the endpoint communication device.

PROTECTING AN ITEM OF SOFTWARE
20220083630 · 2022-03-17

A method for a computer to execute an item of software, the method comprising: the computer executing one or more security modules; the computer executing the item of software, said executing the item of software comprising, at at least one point during execution of the item of software at which a predetermined function is to be performed, attempting to perform the predetermined function by: sending, to an address system, a request for an address of instructions for carrying out the predetermined function, the request comprising an identifier of the predetermined function; receiving, from the address system in response to the request, an address generated by the address system based, at least in part, on (a) the identifier and (b) verification data provided to the address system from at least one of the one or more security modules; and continuing execution of the item of software at the address received from the address system.

PROTECTING AN ITEM OF SOFTWARE
20220092155 · 2022-03-24

A method for a computer to execute an item of software, the method comprising: the computer executing one or more security modules; the computer executing the item of software, said executing the item of software comprising, at at least one point during execution of the item of software at which a predetermined function is to be performed, attempting to perform the predetermined function by: sending, to an address system, a request for an address of instructions for carrying out the predetermined function, the request comprising an identifier of the predetermined function; receiving, from the address system in response to the request, an address generated by the address system based, at least in part, on (a) the identifier and (b) verification data provided to the address system from at least one of the one or more security modules; and continuing execution of the item of software at the address received from the address system.

Graphics processing unit accelerated trusted execution environment

Systems and methods for implementing a system architecture to support a trusted execution environment (TEE) with computational acceleration are provided. The method includes establishing a first trusted channel between a user application stored on an enclave and a graphics processing unit (GPU) driver loaded on a hypervisor. Establishing the first trusted channel includes leveraging page permissions in an extended page table (EPT) to isolate the first trusted channel between the enclave and the GPU driver in a physical memory of an operating system (OS). The method further includes establishing a second trusted channel between the GPU driver and a GPU device. The method also includes launching a unified TEE that includes the enclave and the hypervisor with execution of application code of the user application.

Locking execution of cores to licensed programmable devices in a data center

An example hardware accelerator for a computer system includes a programmable device and further includes kernel logic configured in a first programmable fabric of the programmable device, a shell circuit configured in a second programmable fabric of the programmable device, the shell circuit configured to provide an interface between a computer system and the kernel logic, and an intellectual property (IP) checker circuit in the kernel logic. The IP checker circuit is configured to obtain a device identifier (ID) from the first programmable fabric and a signed whitelist, the signed whitelist including a list of device IDs and a signature, verify the signature of the signed whitelist, compare the device ID against the list of device IDs, and selectively assert or deassert an enable of the kernel logic in response to presence or absence, respectively, of the device ID in the list of device IDs and verification of the signature.

Program, method, and system for managing use of application
11159632 · 2021-10-26

A system obtains a use condition for restricting use of an application in a first client device of a first user. The system obtains a use status of the application in the first client device. Responsive to the use status not satisfying the use condition, the system sends a notification to a second client device of a second user different from the first user, and/or restricts the use of the application in the first client device.

PROGRAM, METHOD, AND SYSTEM FOR MANAGING USE OF APPLICATION
20210306433 · 2021-09-30

A system obtains a use condition for restricting use of an application in a first client device of a first user. The system obtains a use status of the application in the first client device. Responsive to the use status not satisfying the use condition, the system sends a notification to a second client device of a second user different from the first user, and/or restricts the use of the application in the first client device.

Methods for restricting resources used by a program based on entitlements
11055438 · 2021-07-06

In response to a request for launching a program, a list of one or more application frameworks to be accessed by the program during execution of the program is determined. Zero or more entitlements representing one or more resources entitled by the program during the execution are determined. A set of one or more rules based on the entitlements of the program is obtained from at least one of the application frameworks. The set of one or more rules specifies one or more constraints of resources associated with the at least one application framework. A security profile is dynamically compiled for the program based on the set of one or more rules associated with the at least one application framework. The compiled security profile is used to restrict the program from accessing at least one resource of the at least one application framework during the execution of the program.

Application program
11048778 · 2021-06-29

An operating system, when having incorporated data, with a certificate attached, for limiting a function of copying a screen, limits the function of the operating system and, when receiving a request for a result of an inspection to determine whether the incorporated data is valid, sends out the result of the inspection in response to the request. An application program makes a request to the operating system for the result of the inspection of the data incorporated in the operating system at startup or return from background processing. When an inspection result sent from the operating system indicates that the data is invalid, the application program forbids a display control means to display a given screen and instructs the operating system to incorporate valid data therein. When the inspection result indicates that the data is valid, the application program makes the display means display the given screen.