A trusted execution environment obtains a secure guest image and metadata to be used to start a secure guest. The metadata includes multiple parts and a plurality of integrity measures. A first part of the metadata includes one or more integrity measures of the plurality of integrity measures, and a second part of the metadata includes customized confidential data of the secure guest and one or more other integrity measures of the plurality of integrity measures. The trusted execution environment is used to verify at least one select part of the metadata using at least one integrity measure of the plurality of integrity measures of the metadata. Based on successful verification of the at least one select part of the metadata, the trusted execution environment starts the secure guest using the secure guest image and at least a portion of the metadata.

A trusted execution environment obtains a secure guest image and metadata to be used to start a secure guest. The metadata includes multiple parts and a plurality of integrity measures. A first part of the metadata includes one or more integrity measures of the plurality of integrity measures, and a second part of the metadata includes customized confidential data of the secure guest and one or more other integrity measures of the plurality of integrity measures. The trusted execution environment is used to verify at least one select part of the metadata using at least one integrity measure of the plurality of integrity measures of the metadata. Based on successful verification of the at least one select part of the metadata, the trusted execution environment starts the secure guest using the secure guest image and at least a portion of the metadata.

Various systems and methods are described for testing and deployment of containers on cloud and edge computing hardware. An example development platform may include capabilities for identifying, from a remote location, data to import a container software package. The development platform may store a container image, based on the data to import the container software package.

The development platform may perform a security evaluation of the container image, before execution of the container image. The development platform may store results of the security evaluation of the container image in a database accessible to the development platform. The development platform may add the container image into a registry of containers available for execution at the development platform, with execution of the container image being based on verification of the results of the security evaluation and use of the registry of containers.

A guest operating system executing on a virtual machine hosted by a host operating system may forward information about the state of the guest operating system to the host operating system for analysis regarding security threats. The host operating system may also forward information about the state of the host operating system to the guest operating system for analysis regarding security threats. One or both of the guest operating system and the host operating system may also forward the information about their state(s) to a remote server for analysis regarding security threats to the machine running the host operating system and hosting the virtual machine running the guest operating system. Security threats may be identified based on a detection of abnormal behavior. Abnormal behavior may be detected using machine-learning models. The machine-learning models may be trained/refined over time based on collected state information.

A guest operating system executing on a virtual machine hosted by a host operating system may forward information about the state of the guest operating system to the host operating system for analysis regarding security threats. The host operating system may also forward information about the state of the host operating system to the guest operating system for analysis regarding security threats. One or both of the guest operating system and the host operating system may also forward the information about their state(s) to a remote server for analysis regarding security threats to the machine running the host operating system and hosting the virtual machine running the guest operating system. Security threats may be identified based on a detection of abnormal behavior. Abnormal behavior may be detected using machine-learning models. The machine-learning models may be trained/refined over time based on collected state information.

An apparatus to facilitate scalable runtime validation for on-device design rule checks is disclosed. The apparatus includes a memory to store a contention set, one or more multiplexors, and a validator communicably coupled to the memory. In one implementation, the validator is to: receive design rule information for the one or more multiplexers, the design rule information referencing the contention set; analyze, using the design rule information, a user bitstream against the contention set at a programming time of the apparatus, the user bitstream for programming the one or more multiplexors; and provide an error indication responsive to identifying a match between the user bitstream and the contention set.

A host processing device (“host”) instructs a plurality of data processing (DP) accelerators to configure themselves for secure communications. The host generates an adjacency table of each of the plurality of DP accelerators (“DPAs”). The host is communicatively coupled to the plurality of DPAs via a switch. The host transmits, to the switch, a list of the DPAs and instructs the switch to generate an adjacency table of the DPAs that includes a unique identifier of each DPAs and a communication port of the switch associated with the DPA. The host establishes a session key communication with each DPA and sends the DPA a list of other DPAs that the DPA is to establish a session key with, for secure communications between the DPAs. The DPA establishes a different session key for each pair of the plurality of DPAs. When all DPAs have established a session key for communication with other DPAs, the host can assign work tasks for performance by a plurality of DPAs, each communicating over a separately secured communication channel.

A system is provided to perform secure operations. The system includes an I/O subsystem, a memory subsystem and processors. The processors are operative to execute processes in trusted execution environments (TEEs) and rich execution environments (REEs). Each of the TEEs and the REEs is identified by a corresponding access identifier (AID) and protected by a corresponding system resource protection unit (SRPU). The corresponding SRPU of a TEE includes instructions, when executed by a corresponding processor, cause the corresponding processor to control access to the TEE using a data structure including allowed AIDs and pointers to memory locations accessible by the allowed AIDs.

A system is provided to perform secure operations. The system includes an I/O subsystem, a memory subsystem and processors. The processors are operative to execute processes in trusted execution environments (TEEs) and rich execution environments (REEs). Each of the TEEs and the REEs is identified by a corresponding access identifier (AID) and protected by a corresponding system resource protection unit (SRPU). The corresponding SRPU of a TEE includes instructions, when executed by a corresponding processor, cause the corresponding processor to control access to the TEE using a data structure including allowed AIDs and pointers to memory locations accessible by the allowed AIDs.

Techniques for providing network traffic security in a virtualized environment are described. A threat aware controller uses a threat feed provided by a threat intelligence service to establish a threat detection engine on virtual switches. The threat aware controller and threat detection engine work together to detect any anomalous or malicious behavior of network traffic on the virtual switch and established virtual network functions to quickly detect, verify, and isolate network threats.