Patent classifications
H04L2209/127
CERTIFYING A TRUSTED PLATFORM MODULE WITHOUT PRIVACY CERTIFICATION AUTHORITY INFRASTRUCTURE
A method comprises receiving, in a trusted execution environment (TEE), an attestation public key and one or more endorsement credentials for a trusted platform module, inspecting the one or more endorsement credentials for the trusted platform module, generating an attestation that the attestation public key resides within the trusted platform module identified by the one or more endorsement credentials, the attestation comprising at least a portion of the public attestation key, encrypting, in the trusted execution environment, at least a component of the attestation to generate an attestation key activation blob, forwarding the attestation key activation blob to the platform module, and receiving, from the platform module, a response that varies based on whether at least a portion of the public attestation key in the attestation key activation blob matches a public attestation key on the platform module.
Physical unclonable functions related to inverter trip points
A physical unclonable function (PUF) array includes a plurality of PUF transistor cells each of which includes at least one inverter. An input and an output of the at least one inverter are shorted to a first reference node. There is adjustment circuitry for adjusting a reference voltage of the first reference node, and measurement circuitry for measuring a trip point of the at least one inverter. If the trip point is close to the reference voltage then bits of the at least one inverter are defined as unstable.
Trusted client security factor-based authorizations at a server
Trusted client security factor-based authorizations at a server. The computer-implemented techniques allow the server to authorize client-requested operations to access a protected resource or service based on trusted client security factors that are obtained at client machines and provided to the server. A level of trust by the server in the client security factors is established by requiring that the client machine be pre-registered in a trusted machine registry before the server allows requests from the client machine to access a protected service or a protected resource. The registration of the client machine in the machine registry may be made by way of a probabilistically difficult-to-predict machine registration digest that encompasses a digest of a client program installed on the client machine and a machine identifier of the client machine.
Systems and methods for tamper-resistant verification of firmware with a trusted platform module
Embodiments disclosed herein describe systems and methods for tamper-resistant verification of firmware with a trusted platform module. Embodiments may be configured to ensure the integrity of computer system firmware while still allowing reprogramming of nonvolatile storage devices with arbitrary information.
SECURE PROVISIONING OF OPERATING SYSTEMS
Methods, media, and systems for secure provisioning of servers within a cloud computing environment are provided for herein. In some embodiments, a management service can delegate provisioning of a server of the cloud computing environment to an imaging service. In response, the imaging service can generate an operating system image for the server and can utilize disk encryption to protect the operating system image. In embodiments, a volume encryption key of the disk encryption can be encrypted utilizing a public key of a trusted platform module of the server, to produce an encrypted volume encryption key that is protected by the trusted platform module of the server. The encrypted operating system image and the encrypted volume encryption key can then be transmitted to the server to cause the server to be provisioned with the operating system image. Other embodiments may be described and/or claimed herein.
Virus immune computer system and method
A method and apparatus prevent hacker code from infecting an application program by requiring decryption of the application program prior to running the application program on a computer. The method includes steps of: providing a storage device that is a separate unit from components necessary to operate the computer; storing a symmetric private key on the storage device; using the symmetric private key to produce an encrypted application program upon first installation; thereafter decrypting that part of the encrypted application program needed to implement a command to run the application program; precluding the computer from running any part of the application program that has not been first encrypted with the symmetric private key; and decrypting, on the fly, only those follow-on parts of the encrypted application program needed to perform functions called for during operation of the application program.
SECURE PROCESSING SYSTEMS AND METHODS
This disclosure relates to systems and methods for enabling the use of secret digital or electronic information without exposing the sensitive information to unsecured applications. In certain embodiments, the methods may include invoking, by a client application executing in an open processing domain, a secure abstraction layer configured to interface with secret data protected by a secure processing domain. Secure operations may be securely performed on the secret data by the secure abstraction layer in the secure processing domain based on an invocation from a client application running in the open processing domain.
MERGING MULTIPLE COMPUTE NODES WITH TRUSTED PLATFORM MODULES UTILIZING PROVISIONED NODE CERTIFICATES
Method, apparatus, and computer program product are provided for merging multiple compute nodes with trusted platform modules utilizing provisioned node certificates. In some embodiments, compute nodes are connected to be available for merger into a single multi-node system. Each compute node includes a trusted platform module (TPM) provisioned with a platform certificate and a signed attestation key (AK) certificate and is accessible to firmware on the compute node. One compute node is assigned the role of master compute node (MCN), with the other compute node(s) each assigned the role of slave compute node (SCN). A quote request is sent from the MCN to each SCN under control of firmware on the MCN. In response to receiving the quote request, a quote response is sent from each respective SCN to the MCN under control of firmware on the respective SCN, wherein the quote response includes the AK certificate of the respective SCN's TPM.
Extensible device identity attestation
Provisioning a requesting device is provided using extended identity attestation for the requesting device. A provisioning request is received at a device provisioning system. The provisioning request includes a registration identifier provided by the requesting device. A plurality of extended attestation components is accessed in an enrollment datastore of the device provisioning system. Each extended attestation component identifies an external computing system. One of the extended attestation components in the enrollment datastore is selected based on the received registration identifier. Execution of the device attestation is initiated at the external computing system identified by the selected extended attestation component to yield an attestation result. Satisfaction of a validity condition by the attestation result is detected. The requesting device is provisioned from the device provisioning system, responsive to detection that the attestation result satisfies the validity condition.
Secure secrets in hardware security module for use by protected function in trusted execution environment
A computing device stores code associated with a computing function in a protected computing environment, such as a trusted execution environment, wherein the computing function is attested by a code measurement service associated with the protected computing environment. The computing device links the computing function to a secret stored in a hardware security module (HSM), the secret to enable execution of the computing function in the protected computing environment.