During factory provisioning of an Information Handling System (IHS), a key injection authorization certificate is stored that authorizes key injection by a renter of the IHS. An IHS owner retains capabilities for specifying the use of boot code of successive renters of the IHS. Upon a transfer of control or ownership of the IHS, a key injection request certificate provided by the renter is validated and use of the key injection request certificate is authorized for transferring cryptographic credentials to the IHS. The key injection authorization certificate specifies an identity of the IHS that is authorized for key injection by the renter and the key injection request certificate specifies an identity of the IHS that is requested for key injection by the renter. Transfer of credentials is authorized when the two certificates are both valid and the identity of the IHS specified in the two certificates is the same.

Systems and methods are provided for validating components of an Information Handling System (IHS). During factory provisioning of the IHS, an owner certificate is stored that specifies an identity of a motherboard installed during manufacture of the IHS. The owner certificate is signed by a certificate authority of an owner of the IHS that retains capabilities for specifying the use of boot code provided by successive renters of the IHS. A renter certificate is also stored that specifies an identity of a chassis to which the motherboard is installed during manufacture of the IHS. Upon a transfer of control or ownership of the IHS, boot code operations by the security processor identify a motherboard and chassis in use by the IHS and utilize the motherboard and chassis certificates to validate that the identified motherboard and chassis are the same motherboard and chassis installed during manufacture of the IHS.

Embodiments of systems and methods for deriving independent symmetric encryption keys based upon a type of secure boot using a security processor are described. In some embodiments, a security processor may include: a core; and a memory coupled to the core, the memory having program instructions stored thereon that, upon execution by the core, cause the security processor to: identify a type of secure boot performed to bootstrap an Information Handling System (IHS); and derive a symmetric encryption key based upon the type of secure boot.

A method for managing licenses for soft IP on a partially reconfigurable hardware system, in particular an FPGA, wherein a license manager is provided in the non-configurable part of the hardware system, or is accessible only for the non-configurable part of the hardware system, where the license manager has exclusive access to a non-volatile memory in which license data having a time restriction of the useful life of at least one soft IP is stored, where before activating a particular soft IP, the license manager checks whether the useful life has expired, where the license manager only releases use of the soft IP if the useful life has not yet expired, where the license data is changed using a key, which is stored in a non-volatile memory for license data, and where a new key is stored and the preceding key is deleted when the license data is changed.

An integrated-circuit device comprises a processor, a hardware key-storage system, and a key bus. The hardware key-storage system comprises a non-volatile key storage memory, which includes a key register, for storing a cryptographic key, and an address register, for storing a destination memory address for the cryptographic key. The hardware key-storage system further comprises output logic for sending the cryptographic key over the key bus to the destination memory address, and write-once logic for preventing an address being written to the address register unless the address register is in an erased state.

Systems, methods, and apparatuses to support encrypted remote direct memory access for live migration of a virtual machine are described. In one embodiment, a first computer system includes an encryption circuit in a hardware processor of the first computer system to encrypt data, a memory controller circuit, of the first computer system, comprising a port to couple to a network interface controller circuit, a direct memory access engine circuit of the first computer system to access a memory in the first computer system, and the hardware processor to, for a request to perform a live migration of a virtual machine from the first computer system to a second computer system via the network interface controller circuit: encrypt code and data of the virtual machine from the memory with an encryption key by the encryption circuit of the hardware processor, store the encrypted code and data of the virtual machine within a migration buffer of the memory of the first computer system by the direct memory access engine circuit, and cause the network interface controller circuit to send the encrypted code and data of the virtual machine from the migration buffer to the second computer system via the network interface controller circuit without the network interface controller circuit performing an additional encryption.

Aspects of the present disclosure relate to encrypted data processing (EDAP). Encrypted data from a cache to be loaded into a register file can be accessed. The encrypted data can be decrypted to receive cleartext data. The cleartext data can be written to the register file. The cleartext data can be processed using at least one functional unit to receive cleartext computation results. The cleartext computation results can then be written back to the register file.

One or more pieces of data are received. The one or more pieces of data are anonymized. The one or more pieces of data are encrypted. The anonymized one or more pieces of data and the encrypted one or more pieces of data are stored.

An apparatus comprises a processing device configured to receive, at a host operating system of a virtual machine host, a request to execute a virtual machine and to obtain, from a virtual trusted platform module running on the virtual machine host, credentials for logging in to a guest operating system of the virtual machine. The processing device is further configured to provide, to pre-boot authentication software associated with the virtual machine, the credentials obtained from the virtual trusted platform module, and to automatically log in to the guest operating system of the virtual machine utilizing the pre-boot authentication software and the provided credentials.

A device includes at least one first and one second module configured to cooperate to solve a task and/or are configured to communicate with a higher-level apparatus, a certification module configured to issue a cryptographic signature for each of the at least one first and second module, and an identity generation module configured to form a first code as an identity of the first module from a signature of the first module, to form a second code as an identity of the second module from a signature of the second module, and to form an overall code from the first and the second codes. The certification module is further configured to sign the overall code with a key in order to issue a unique certificate for the device, which biuniquely identifies the device.