In an embodiment, a security engine of a processor includes an identity provider logic to generate a first key pair of a key pairing associating system user and a service provider that provides a web service and having a second system coupled to the system via a network, to perform a secure communication with the second system to enable the second system to verify that the identity provider logic is executing in a trusted execution environment, and responsive to the verification, to send a first key of the first key pair to the second system. This key may enable the second system to verify an assertion communicated by the identity provider logic that the user has been authenticated to the system according to a multi-factor authentication. Other embodiments are described and claimed.

Described herein is a computing platform incorporating a trusted entity, which is controllable to perform cryptographic operations using selected ones of a plurality of cryptographic algorithms and associated parameters, the entity being programmed to record mode of operation information, which is characterized by the algorithms and associated parameters that are selected to perform an operation.

In accordance with embodiments of the present disclosure, a management controller configured to provide management-domain management of an information handling system may include a processor and a key management utility embodied in non-transitory computer-readable media. The key management utility may be configured to issue one or more commands to a cryptoprocessor for storing and sealing a key encryption key on the cryptoprocessor, wherein the key encryption key is for decrypting a media encryption key for encrypting and decrypting data stored to a storage resource of a host domain of the information handling system. The key management utility may also be configured to issue one or more commands to the cryptoprocessor for unsealing and retrieving the key encryption key from the cryptoprocessor.

Various technologies described herein pertain to a computing device that includes secure hardware (e.g., a TPM, a secure processor of a processing platform, protected memory that includes a software-based TPM, etc.). The secure hardware includes a shared secret, which is shared by the secure hardware and a server computing system. The shared secret is provisioned by the server computing system or a provisioning computing system of a party affiliated with the server computing system. The secure hardware further includes a cryptographic engine that can execute a cryptographic algorithm using the shared secret or a key generated from the shared secret. The cryptographic engine can execute the cryptographic algorithm to perform encryption, decryption, authentication, and/or attestation.

A field replaceable unit authentication system provides for a field replaceable unit device to be positioned in a chassis. A trusted platform module is included in the field replaceable unit device. A network operating system engine may be provided in the field replaceable unit device and coupled to the trusted platform module. The network operating system engine participates in a boot process with a booting subsystem to generate current boot metric data that is provided for storage in the trusted platform module. A platform management controller in the field replaceable unit device retrieves the current boot metric data from the trusted platform module, authenticates the trusted platform module, and compares the current boot metric data to previously stored boot metric data to determine whether to authenticate the network operating system engine. If authenticated, the network operating system engine then authenticates the platform management controller.

One or more techniques and/or systems are provided for provisioning encrypted key blobs and client certificates. That is, a trusted execution environment on a first machine may provide a key service provider with a cryptographic encryption key. The key service provider may encrypt a key blob using the cryptographic encryption key and/or wrap the encrypted key blob with one or more policies, such as a platform policy. The key service provider may provision the encrypted key blob to a client on the first machine. The client may submit the encrypted key blob to the trusted execution environment for validation so that the client may perform key actions, such as sign an email or encrypt data. Because the key blob may be specific to a particular trusted execution environment and/or machine, the key service provider may re-wrap the key blob if the client roams to a second machine.

Techniques for security module endorsement are provided. An example method includes receiving a generalized endorsement key at a security module, wherein the security module is associated with a computing device and wherein the generalized endorsement key is independent of characteristics of the computing device, automatically extending integrity measurements stored in one or more registers of the security module with information characterizing the computing device, wherein the integrity measurements are based on one or more software processes at the computing device, digitally signing the extended integrity measurements with a digital signature, and generating a specialized endorsement credential as a combination of the digitally signed extended integrity measurements, the digital signature and the generalized endorsement key, wherein the specialized endorsement credential is used to validate authenticity of the security module.

Various configurations and methods for providing a secure transfer of data from computing device sensors to a Trusted Execution Environment (TEE) are disclosed. As disclosed, various data flows, data sequences, and configurations are provided to allow sensor data to maintain integrity and confidentiality while being accessed by trusted agents of a TEE. In an example, a microcontroller-based TEE is operated to communicate with a sensor hub via a secure hardware channel. The microcontroller-based TEE is configured to receive the sensor data via the secure hardware channel, and communicate the sensor data to other trusted agents in the computing system via secure communications. Other variations of secure communications among multiple sensors, trusted agents, TEEs, and third party services are also disclosed.

An embodiment includes an ultrasonic sensor system comprising: a backend material stack including a first metal layer between a substrate and a second metal layer with each of the first and second metal layers including a dielectric material; a ultrasonic sensor including a chamber, having a negative air pressure, that is sealed by first and second electrodes coupled to each other with first and second sidewalls; an interconnect, not included in the sensor, in the second metal layer; wherein (a) a first vertical axis intersects the substrate, the chamber, and the first and second electrodes, (b) a second vertical axis intersects the interconnect and the substrate, (c) a first horizontal axis intersects the chamber, the interconnect, and the first and second sidewalls, and (d) the first and second electrodes and the first and second sidewalls each include copper and each are included in the second metal layer.

Various technologies described herein pertain to a computing device that includes secure hardware (e.g., a TPM, a secure processor of a processing platform, protected memory that includes a software-based TPM, etc.). The secure hardware includes a shared secret, which is shared by the secure hardware and a server computing system. The shared secret is provisioned by the server computing system or a provisioning computing system of a party affiliated with the server computing system. The secure hardware further includes a cryptographic engine that can execute a cryptographic algorithm using the shared secret or a key generated from the shared secret. The cryptographic engine can execute the cryptographic algorithm to perform encryption, decryption, authentication, and/or attestation.