Title:
REMOTE CONNECTION DECRYPTION
Document Type and Number:
WIPO Patent Application WO/2021/216030
Kind Code:
A1
Abstract:
In an example implementation according to aspects of the present disclosure, a computing system receives a request to boot a firmware configuration setting stored on a computer readable storage media of the computing device. The firmware configuration setting is encrypted. The computing system connects to a Virtual Private Network (VPN) server over a remote connection to a restricted network in response to determining that a direct connection to the restricted network is inaccessible. A key is obtained from an authentication server to decrypt the firmware configuration setting when the computing device is authorized by the VPN server. The firmware configuration setting is then booted in response to the firmware configuration setting being decrypted using the key.

Inventors:
MCMILLAN ERICH WOLFGANG GERSTACKER (US)
RICHARDS TEVIN JAUPAUL (US)
Application Number:
PCT/US2020/028909
Publication Date:
October 28, 2021
Filing Date:
April 20, 2020
Assignee:
HEWLETT PACKARD DEVELOPMENT CO (US)
International Classes:
G06F21/57; H04L9/08
Foreign References:
US20150121497A1 (2015-04-30)
US20090133115A1 (2009-05-21)
US20040243824A1 (2004-12-02)
US20100172504A1 (2010-07-08)
Attorney, Agent or Firm:
GORDON, Erica A. (US)
Claims:
WHAT IS CLAIMED IS:

1. A computing system comprising a processor operatively coupled with a computer readable storage media and program instructions stored on the computer readable storage media that, when read and executed by the processor, direct the processor to: receive a request to boot a firmware configuration setting stored on the computer readable storage media of the computing device, wherein the firmware configuration setting is encrypted; in response to determining that a direct connection to a restricted network is inaccessible, connect to a Virtual Private Network (VPN) server over a remote connection, wherein the VPN server authorizes the decryption of the firmware configuration setting; obtain a key from an authentication server to decrypt the firmware configuration setting when the computing device is authorized by the VPN server; and in response to decrypting the firmware configuration setting using the key, boot the firmware configuration setting.

2. The computing system of claim 1 wherein the program instructions further direct the processor to boot an operating system configuration setting in response to the boot of the firmware configuration setting.

3. The computing system of claim 1 wherein the VPN server and the authentication server are hosted on the restricted network.

4. The computing system of claim 1 wherein the program instructions further direct the processor to permanently remove data stored on the computer readable storage media of the computing device in response to receiving a denial of authorization to decrypt the firmware configuration setting from the VPN server.

5. The computing system of claim 1 wherein the program instructions further direct the processor to block the execution of the firmware configuration setting stored on the computer readable storage media of the computing device in response to receiving a denial of authorization to decrypt the firmware configuration setting from the VPN server.

6. The computing system of claim 1 wherein the VPN server authorizes the decryption of the firmware configuration setting by identifying an authorization policy for the computing device.

7. The computing system of claim 7 wherein the authorization policy for the computing device is entered into the VPN server by an administrator of the restricted network.

8. The computing system of claim 1 wherein the program instructions further direct the processor to connect to the VPN server over the remote connection in response to an entrance of a valid VPN Personal Identification Number (PIN).

9. The computing system of claim 1 wherein the program instructions further direct the processor to connect to the VPN server over the remote connection in response to a submission of a secure certificate, wherein the secure certificate is configured by an administrator of the restricted network.

10. The computing system of claim 1 wherein the program instructions further direct the processor to generate the key using a Trusted Platform Module (TPM) configured in the program instructions stored on the computer readable storage media when the remote connection to the restricted network is unavailable, wherein the key expires after a singular use.

11. A method comprising: initiating a decryption of a firmware configuration setting stored on a computing device; determining whether a local connection to a private network is accessible; in response to determining that the local connection to the private network is inaccessible, connecting to a Virtual Private Network (VPN) server over a remote connection, wherein the VPN server is hosted on the private network; and in response to the VPN server granting an authorization to decrypt the firmware configuration setting, receiving a private key from an authentication server to decrypt the firmware configuration setting, wherein the authentication server is hosted on the private network.

12. The method of claim 11 further comprising, in response to the VPN server blocking the authorization to decrypt the firmware configuration setting, receiving an instruction from the authorization server to permanently remove application data stored on the computing device.

13. The method of claim 11 further comprising, in response to the VPN server blocking the authorization to decrypt the firmware configuration setting, receiving an instruction from the authorization server to block an execution of the firmware configuration setting stored on the computing device.

14. The method of claim 11 further comprising: determining that the remote connection to the private network is unavailable; and generating the private key using a Trusted Platform Module (TPM) configured in the program instructions stored on the computer readable storage media, wherein the private key expires after a singular use.

15. A machine-readable storage medium comprising executable instructions, that when executed cause a processor to: receive an instruction to perform a booting process for a computing device; detect that a Basic Input/Output System (BIOS) is prohibited from initializing the booting process; establish a remote connection to a remote private network; query an authorization server hosted on the remote private network for a private key to enable the BIOS to initialize the booting process; and in response to an authorization by the authorization server hosted in the remote private network, receive a secure certificate from the authentication server to enable the BIOS to initialize the booting process.

Description:
REMOTE CONNECTION DECRYPTION

BACKGROUND

[0001] Computing devices, such as desktop computers, notebook computers, smartphones, etc., include firmware stored in memory. Firmware may include hardware-initialization firmware, such as Basic Input/Output System (BIOS) firmware and Unified Extensible Firmware Interface (UEFI) firmware, which initializes hardware of a computing device and starts runtime services that may be used by an operating system or application executed by the computing device.

BRIEF DESCRIPTION OF THE DRAWINGS

[0002] Many aspects of the disclosure can be better understood with reference to the following drawings. While several examples are described in connection with these drawings, the disclosure is not limited to the examples disclosed herein.

[0003] Figure 1 illustrates a block diagram of a computing system for decrypting a configuration setting using a remote network connection, according to an example;

[0004] Figure 2 illustrates a flow diagram of a process to decrypt a configuration setting using a remote network connection, according to an example;

[0005] Figure 3 illustrates a block diagram of a non-transitory storage medium storing machine-readable instructions to decrypt a configuration setting using a remote network connection, according to an example;

[0006] Figure 4 illustrates an operational architecture of a system for decrypting a configuration setting using a remote network connection, according to another example;

[0007] Figure 5 illustrates a sequence diagram for a process to decrypt a configuration setting using a remote network connection, according to another example; and

[0008] Figure 6 illustrates a block diagram of a computing system for decrypting a configuration setting using a remote network connection, according to some examples.

DETAILED DESCRIPTION

[0009] Computing devices may be engineered with a variety of hardware-enforced security features to prevent sensitive information from being read from a hard drive in the event that the computing device is lost or stolen. One such hardware-enforced security feature includes a network unlock of the hard drive, in which encryption keys and access controls under centralized administration are retrieved to decrypt the hard drive of the computing system. However, authorization servers maintaining the encryption keys and access controls are often located on a private network, such as a corporate network. This results in the computing devices being geo-fenced: the computing devices may need to connect directly to the authorization server over the corporate network to receive the encryption keys for unlocking the hardware-enforced security features.

[0010] While geo-fencing may be desirable for companies to prohibit device usability when not connected directly to the company's authentication servers, geo-fencing may not always be a feasible solution when enforcing hard drive security of computing devices used by employees off of the company office site. With the increased demand for employees to work from home or travel for work, employees may be working away from corporate offices increasingly often.

[0011] Therefore, accommodations may be implemented to overcome limitations in accessing a company's corporate/private network to retrieve encryption keys from an authorization server located at a company site. One such accommodation companies have used is to implement less secure variants where the unlock key is stored directly on the device. In this scenario, the user may be prompted to enter a Personal Identification Number (PIN) to unlock the computer during bootup of the firmware, or in some scenarios may even opt out of the PIN completely. In these scenarios, the hardware-enforced security feature may be easily circumvented. Therefore, there may be a desire for an alternative approach that balances the security provided by using geo-fencing to unlock hardware-enforced security features against the convenience of unlocking the computing device with a PIN, or with no security condition, when not located on a private network.

[0012] The disclosure described herein presents a computing device comprising a processor operatively coupled with a computer readable storage media and program instructions stored on the computer readable storage media that, when read and executed by the processor, direct the processor to receive a request to boot a firmware configuration setting stored on the computer readable storage media of the computing device. The firmware configuration setting is encrypted. The program instructions direct the processor to connect to a Virtual Private Network (VPN) server over a remote connection to a restricted network in response to determining that a direct connection to the restricted network is inaccessible. The program instructions obtain a key from an authentication server to decrypt the firmware configuration setting when the computing device is authorized by the VPN server. The program instructions then boot the firmware configuration setting in response to decrypting the firmware configuration setting using the key.

[0013] In another example, a method may include initiating a decryption of a firmware configuration setting stored on a computing device. It is then determined whether a local connection to a restricted network is accessible. In response to determining that the local connection to the restricted network is inaccessible, the method connects to a VPN server hosted by the restricted network over a remote connection to the restricted network. The method also includes authorizing, by the VPN server, the decryption of the firmware configuration setting. In response to the VPN server granting an authorization to decrypt the firmware configuration setting, the method includes receiving a private key from an authentication server to decrypt the firmware configuration setting.

[0014] In yet another example, a machine-readable storage medium comprises executable instructions that, when executed, cause a processor to receive an instruction to perform a booting process for a computing device. The executable instructions cause the processor to detect that a Basic Input/Output System (BIOS) is prohibited from initializing the booting process. The executable instructions cause the processor to establish a remote connection to a remote private network and query an authorization server hosted in the remote private network for a private key to enable the BIOS to initialize the booting process. In response to an authorization by the authorization server hosted in the remote private network, the executable instructions cause the processor to receive a certificate from the authentication server to enable the BIOS to initialize the booting process.

[0015] Referring to the Figures, Figure 1 illustrates a block diagram of a computing system for decrypting a firmware configuration setting using a remote network connection, according to an example. Computing device 100 depicts communication interface 102, processor 104, memory 106, and storage medium 108. As an example of computing device 100 performing its operations, storage medium 108 may include instructions 110, 112, 114, and 116 that are executable by processor 104. Thus, storage medium 108 can be said to store program instructions that, when executed by processor 104, implement the components of computing device 100.

[0016] In particular, the executable instructions stored in storage medium 108 include, as an example, instructions to receive a request to boot a firmware configuration setting (110) and instructions to connect to a VPN server (112). The executable instructions stored in storage medium 108 also include, as an example, instructions to obtain a key to decrypt the firmware configuration setting (114) and instructions to decrypt and boot the firmware configuration setting (116).

[0017] The instructions to receive the request to boot the firmware configuration setting (110) represent program instructions that, when executed by processor 104, cause computing device 100 to receive a request to boot-load firmware for the computing device. The firmware configuration setting is encrypted on the computer readable storage media of the computing device.

[0018] The request to boot the firmware configuration setting may include computing device 100 being powered on and receiving a command to begin boot-up processes by a firmware of computing device 100. The firmware may include hardware-initialization firmware, such as BIOS firmware and/or Unified Extensible Firmware Interface (UEFI) firmware, which initializes hardware of computing device 100 and begins runtime services that may be used by an operating system or application executed by computing device 100.

[0019] As used herein, a BIOS refers to hardware or hardware and instructions to initialize, control, or operate a computing device prior to execution of an operating system of the computing device. Instructions included within a BIOS may be software, firmware, microcode, or other programming that defines or controls functionality or operation of a BIOS. In one example, a BIOS may be implemented using instructions, such as platform firmware of a computing device, executable by a processor. A BIOS may operate or execute prior to the execution of the operating system of a computing device. A BIOS may initialize, control, or operate components such as hardware components of a computing device and may load or boot the operating system of computing device.

[0020] In some examples, a BIOS may provide or establish an interface between hardware devices or platform firmware of the computing device and an operating system of the computing device, by which the operating system of the computing device may control or operate hardware devices or platform firmware of the computing device.

In some examples, a BIOS may implement the UEFI specification or another specification or standard for initializing, controlling, or operating a computing device.

[0021] Another example of firmware includes a management firmware subsystem which may perform boot protection, remote access or management services, monitoring/control of device physical properties (e.g., cooling fan speed, CPU/motherboard temperature, CPU/motherboard voltage, etc.), network functionality, security functionality, copy protection, digital rights management, and similar. The firmware may be configured to perform processes based on the selection of various firmware configuration settings for computing device 100.

[0022] The decryption of the firmware configuration settings may be determined based on an administration policy for a private network. The administration policy for the private network may be set by an administrator of the private network and may be changed locally or remotely.

[0023] The instructions to connect to a VPN over the remote connection (112) represent program instructions that, when executed by processor 104, cause computing device 100 to connect to a VPN server over a remote connection to the restricted network in response to determining that the direct connection to the restricted network is inaccessible, wherein the VPN server may authorize the decryption of the firmware configuration setting.

[0024] The remote connection may include communication interface 102 connecting to a private home network which may then enable computing device 100 to connect to the restricted network. The restricted network may include a VPN server which may remotely authorize computing device 100. The restricted network may also include an authentication server which stores keys to decrypt the firmware configuration setting for computing device 100.

[0025] A direct connection to the corporate server may only be accessible when computing device 100 is located within physical proximity of a restricted (i.e., corporate) networking range. The corporate server may maintain unlock keys to decrypt the firmware configuration setting for computing device 100. In this example, computing device 100 is not physically located within proximity of the restricted networking range. Therefore, computing device 100 cannot directly connect to the restricted network to receive a key which can unlock the firmware configuration setting of computing device 100.

[0026] The VPN server may remotely authorize computing device 100 by evaluating administrative policies stored on the VPN server. The administration policies may be modified and updated by an administrator of the restricted network. This provides a convenient way for an administrator to manage access to hardware computing resources by computing device 100 until a remote authentication is complete. So as long as the system administrator blocks access to the VPN on the server side if computing device 100 is stolen or compromised, an unauthorized user will be unable to access the computing resources of computing device 100.

[0027] In some example scenarios, the instructions to remotely connect to the VPN server over the restricted network may be triggered in response to an entrance of a valid VPN Personal Identification Number (PIN). In other examples, the instructions to remotely connect to the VPN over the remote connection to the restricted network may be triggered in response to a submission of a secure certificate. The secure certificate is configured by an administrator and may be used in place of a PIN. The secure certificate may allow the VPN server to automatically authenticate computing device 100 without user entry of a PIN. It should be noted that either the PIN or the secure certificate may be time sensitive and be renewed after a specified period of time has lapsed.

[0028] The instructions to obtain a key to decrypt the firmware configuration setting (114) represent program instructions that, when executed by processor 104, cause computing device 100 to obtain a key from an authentication server to decrypt the firmware configuration setting in response to an authorization of computing device 100 by the VPN server. As previously indicated, the authentication server may maintain a database of keys to decrypt the hardware on computing devices, such as computing device 100. Like the VPN server, the authentication server may be hosted by the restricted network. The key may be a private key that may be used one time to unlock or decrypt the firmware configuration setting for computing device 100.

[0029] The instructions to decrypt and boot the firmware configuration setting (116) represent program instructions that, when executed by processor 104, cause computing device 100 to use the key obtained from the authorization server to unlock the firmware configuration setting and boot-load the firmware for computing device 100. Once the firmware configuration setting has been decrypted and the firmware has been booted, computing device 100 may then proceed to load operating system configuration settings and other application data.

[0030] This allows the VPN server to be remotely implemented into the firmware of computing device 100. The VPN server may allow pseudo-direct access to the restricted network. This also allows the hard drive on computing device 100 to be authenticated and decrypted as though computing device 100 were directly connected to the restricted network.

[0031] In some examples, the VPN server may deny authorization to decrypt the firmware configuration setting for computing device 100. In this example, computing device 100 may receive, via communication interface 102, an instruction to permanently remove data stored on the computer readable storage media 108 of computing device 100 in response to receiving the denial of authorization.

[0032] The instruction may be received from the VPN server or the authorization server in the restricted network. However, in other scenarios, computing device 100 may merely receive a notification that authorization to decrypt the firmware configuration setting for computing device 100 was denied. There may further be a follow-up instruction to perform some other authorization procedure, or to contact the administrator of the restricted network to obtain the key for the firmware configuration setting decryption.

[0033] In yet another example, the instructions may further direct the processor to generate the key using a Trusted Platform Module (TPM) when the remote connection to the restricted network is unavailable. The key generated using the TPM may expire after a singular use.

[0034] Storage medium 108 represents any number of memory components capable of storing instructions that can be executed by processor 104. As a result, storage medium 108 may be implemented in a single device or distributed across devices. Likewise, processor 104 represents any number of processors capable of executing instructions stored by storage medium 108. Storage medium 108 may be fully or partially integrated in the same device as processor 104, or may be separate but accessible to that device and processor 104.

[0035] Figure 2 illustrates a flow diagram of method 200 to decrypt a configuration setting using a remote network connection, according to an example. Some or all of the steps of method 200 may be implemented in program instructions in the context of a component or components of an application used to carry out the firmware decryption feature for a computing device, such as computing device 100 from Figure 1 or a computing device that executes instructions of a non-transitory storage medium, such as non-transitory storage medium 300 in Figure 3.

[0036] Although the flow diagram of Figure 2 shows a specific order of execution, the order of execution may differ from that which is depicted. For example, two or more blocks shown in succession may be executed concurrently or with partial concurrence. All such variations are within the scope of the present disclosure.

[0037] Referring parenthetically to the steps in Figure 2, method 200 includes initiating a decryption of a firmware configuration setting stored on a computing device, at 201. Method 200 also includes determining whether a local connection to a restricted network is accessible, at 202. Furthermore, method 200 includes connecting to a VPN server hosted by the restricted network over a remote connection to the restricted network in response to determining that the local connection to the restricted network is inaccessible, at 203. The decryption of the firmware configuration setting is then authorized, and in response to the VPN server granting an authorization to decrypt the firmware configuration setting, method 200 includes receiving a private key from an authentication server to decrypt the firmware configuration setting, at 204.

[0038] Figure 3 illustrates a block diagram of a non-transitory storage medium 300 storing machine-readable instructions to decrypt a configuration setting using a remote network connection, according to an example. The storage medium is non-transitory in the sense that it does not encompass a transitory signal but instead is made up of at least one memory component configured to store the relevant instructions.

[0039] The machine-readable instructions include instructions to receive an instruction to perform a booting process for a computing device (302). The machine-readable instructions also include instructions to detect that a BIOS is prohibited from initializing the booting process (304) and instructions to establish a remote connection to a remote private network (306). Furthermore, the machine-readable instructions include instructions to query an authorization server hosted in the remote private network for a private key to enable the BIOS to initialize the booting process (308) and instructions to receive a certificate from the authentication server to enable the BIOS to initialize the booting process in response to an authorization by the authorization server hosted in the remote private network (310).

[0040] In one example, program instructions 302-310 can be part of an installation package that, when installed, can be executed by a processor to implement the components of a computing device. In this case, non-transitory storage medium 300 may be a portable medium such as a CD, DVD, or a flash drive. Non-transitory storage medium 300 may also be maintained by a server from which the installation package can be downloaded and installed. In another example, the program instructions may be part of an application or applications already installed. Here non-transitory storage medium 300 can include integrated memory, such as a hard drive, solid state drive, and the like.

[0041] Figure 4 illustrates an operational architecture of a system for decrypting a configuration setting using a remote network connection, according to another example. Figure 4 illustrates operational scenario 400 that relates to what occurs when a computing device remotely connects to a private network to unlock a hardware-enforced security feature. Operational scenario 400 includes public network 401 and private network 402. As indicated in Figure 4, computing device 410 is located in public network 401. Private network 402 includes VPN server 412 and authentication server 414. Computing device 410 includes BIOS bootloader 422 and operating system bootloader 424.

[0042] Computing device 410 is representative of any device capable of booting up the BIOS bootloader using a decryption key from a corporate network, such as private network 402. Examples of computing device 410 include, but are not limited to, personal computers, mobile phones, tablet computers, desktop computers, laptop computers, wearable computing devices, or any other form factor, such as computing device 100. Computing device 410 may include various hardware-enforced security features in a supporting architecture suitable for performing process 500. One such representative architecture is illustrated in Figure 6 with respect to computing system 601.

[0043] VPN server 412 includes software and storage components capable of authenticating a computing device in accordance with the processes described herein. The software application may be implemented as a natively installed and executed application, a web application hosted in the context of a browser, a streamed or streaming application, a mobile application, or any variation or combination thereof. Authentication server 414 includes software and storage components capable of providing an encryption key to a remotely connected computing device in response to the computing device being authenticated by VPN server 412.

[0044] BIOS bootloader 422 includes firmware code that may be used to initialize the booting up process for hardware components of computing device 410. Operating system bootloader 424 may be used to initialize the booting process for an operating system of computing device 410. For purposes of this example, BIOS bootloader 422 is encrypted and may be decrypted by obtaining a key from private network 402.

[0045] Figure 5 is a flow diagram illustrating a process for decrypting a BIOS bootloader using a remote network connection, according to another example. Some or all of the steps of process 500 may be implemented in program instructions in the context of a component or components of an application used to carry out the user authentication feature. Although the flow diagram of Figure 5 shows a specific order of execution, the order of execution may differ from that which is depicted. For example, two or more blocks shown in succession may be executed concurrently or with partial concurrence. All such variations are within the scope of the present disclosure.

[0046] In operation, computing device 410 receives an instruction to boot up BIOS bootloader 422, at 501. As indicated above in Figure 4, the program instructions to boot BIOS bootloader 422 are encrypted. Computing device 410 then determines whether a direct connection to private network 402 is available (i.e., whether computing device 410 is located within private network 402), at 502. When computing device 410 is located in and has a direct connection to private network 402, computing device 410 obtains the encryption key from authentication server 414, at 503.

[0047] When computing device 410 is located in public network 401 and does not have a direct connection to private network 402, computing device 410 remotely connects to VPN server 412 in private network 402, at 504. In response to the connection, computing device 410 queries VPN server 412 for the encryption key, at 505. It is then determined whether computing device 410 is authenticated, at 506.

[0048] If computing device 410 is not authenticated by VPN server 412, then authentication server 414 sends computing device 410 an instruction to block the boot-up of BIOS bootloader 422, at 507. In this example, authentication server 414 also sends computing device 410 an instruction to wipe device data off of the hardware when computing device 410 is not authenticated, at 508.

[0049] If computing device 410 is authenticated by VPN server 412, then computing device 410 obtains the encryption key from authentication server 414, at 509. The program instructions to initiate BIOS bootloader 422 may then be decrypted using the encryption key, at 510. Once the program instructions for BIOS bootloader 422 are decrypted, BIOS bootloader 422 boots up the firmware for computing device 410, at 511. After BIOS bootloader 422 boots up, operating system bootloader 424 may also begin booting up, at 512.
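The following is an added simulation of steps 501 through 512 of process 500; it is example code written for this page, not code from the patent application or from the applicant. Everything below the step numbers is an assumption: the firmware configuration setting is sealed with a constructed toy cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag, not a production cipher), VPN server 412 authorizes a device by a pre-enrolled credential digest and hands it an HMAC token that authentication server 414 verifies before releasing the key, and the wipe instruction at 508 is modelled as following the block at 507 on the unauthenticated branch. Device 410, the servers and the credential values are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Toy authenticated cipher, constructed for this example: HMAC-SHA256 keystream in
# counter mode, with an encrypt-then-MAC tag over nonce || ciphertext.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_setting(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt a firmware configuration setting; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt_setting(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify (wrong key or tampering)."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def enroll(credential: bytes) -> bytes:
    """Credential digest the VPN server stores at enrollment (assumed scheme)."""
    return hashlib.sha256(credential).digest()

@dataclass
class VpnServer:
    """Stands in for VPN server 412: decides whether the device is authenticated (506)."""
    enrolled: dict          # device_id -> enroll(credential)
    shared_secret: bytes    # shared with the authentication server (assumption)

    def authorize(self, device_id: str, credential: bytes):
        known = self.enrolled.get(device_id)
        if known is None or not hmac.compare_digest(known, enroll(credential)):
            return None
        # Authorization token that the authentication server can verify.
        return hmac.new(self.shared_secret, device_id.encode(), hashlib.sha256).digest()

@dataclass
class AuthServer:
    """Stands in for authentication server 414: releases the key (steps 503 / 509)."""
    key: bytes
    shared_secret: bytes

    def release_key(self, device_id: str, token=None, direct_connection=False):
        if direct_connection:          # device sits inside private network 402
            return self.key
        if token is None:
            return None
        expected = hmac.new(self.shared_secret, device_id.encode(), hashlib.sha256).digest()
        return self.key if hmac.compare_digest(token, expected) else None

@dataclass
class BootOutcome:
    booted: bool
    blocked: bool = False
    wipe_instructed: bool = False
    bootloader: bytes = b""
    steps: list = field(default_factory=list)

def boot_bootloader(device_id, credential, encrypted_bootloader, direct_connection, vpn, auth):
    """Run steps 501-512 for one boot request and report which steps were taken."""
    steps = ["501", "502"]
    if direct_connection:
        steps.append("503")
        key = auth.release_key(device_id, direct_connection=True)
    else:
        steps += ["504", "505", "506"]
        token = vpn.authorize(device_id, credential)
        if token is None:
            steps += ["507", "508"]   # block the boot and (as modelled here) instruct a wipe
            return BootOutcome(booted=False, blocked=True, wipe_instructed=True, steps=steps)
        steps.append("509")
        key = auth.release_key(device_id, token=token)
    steps.append("510")
    plaintext = decrypt_setting(key, encrypted_bootloader) if key is not None else None
    if plaintext is None:
        # Key path succeeded but the stored setting does not verify: refuse to boot.
        return BootOutcome(booted=False, blocked=True, steps=steps)
    steps += ["511", "512"]
    return BootOutcome(booted=True, bootloader=plaintext, steps=steps)

if __name__ == "__main__":
    secret, key = os.urandom(32), os.urandom(32)
    vpn = VpnServer(enrolled={"dev-1": enroll(b"device-credential")}, shared_secret=secret)
    auth = AuthServer(key=key, shared_secret=secret)
    blob = encrypt_setting(key, b"BIOS bootloader 422")
    print(boot_bootloader("dev-1", b"device-credential", blob, False, vpn, auth))
    print(boot_bootloader("dev-1", b"wrong", blob, False, vpn, auth))
```

The point worth noticing for a defender is that the key never reaches the device on the remote path without a token the authentication server can verify, and that a verified key still does not boot a setting whose tag fails, so a tampered or mismatched configuration is refused at 510 rather than executed at 511.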

[0050] Figure 6 illustrates a block diagram of a computing system for decrypting a configuration setting using a remote network connection, according to some examples. Figure 6 illustrates computing system 601, which is representative of any system or visual representation of systems in which the various applications, services, scenarios, and processes disclosed herein may be implemented.

Examples of computing system 601 include, but are not limited to, server computers, rack servers, web servers, cloud computing platforms, and data center equipment, as well as any other type of physical or virtual server machine, container, and any variation or combination thereof. Other examples may include smart phones, laptop computers, tablet computers, desktop computers, hybrid computers, gaming machines, virtual reality devices, smart televisions, smart watches and other wearable devices, as well as any variation or combination thereof.

[0051] Computing system 601 may be implemented as a single apparatus, system, or device or may be implemented in a distributed manner as multiple apparatuses, systems, or devices. Computing system 601 includes, but is not limited to, processing system 602, storage system 603, software 605, communication interface system 607, and user interface system 609. Processing system 602 is operatively coupled with storage system 603, communication interface system 607, and user interface system 609.

[0052] Processing system 602 loads and executes software 605 from storage system 603. Software 605 includes process 606, which is representative of the processes discussed with respect to the preceding Figures 1-5, including process 200. When executed by processing system 602 to enhance an application, software 605 directs processing system 602 to operate as described herein for at least the various processes, operational scenarios, and sequences discussed in the foregoing examples. Computing system 601 may optionally include additional devices, features, or functionality not discussed for purposes of brevity.

[0053] Referring still to Figure 6, processing system 602 may comprise a microprocessor and other circuitry that retrieves and executes software 605 from storage system 603. Processing system 602 may be implemented within a single processing device but may also be distributed across multiple processing devices or subsystems that cooperate in executing program instructions. Examples of processing system 602 include general purpose central processing units, graphical processing units, application specific processors, and logic devices, as well as any other type of processing device, combination, or variation.

[0054] Storage system 603 may comprise any computer readable storage media readable by processing system 602 and capable of storing software 605. Storage system 603 may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data. Examples of storage media include random access memory, read only memory, magnetic disks, optical disks, flash memory, virtual memory and non-virtual memory, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or other suitable storage media, except for propagated signals. Storage system 603 may be implemented as a single storage device but may also be implemented across multiple storage devices or sub-systems co-located or distributed relative to each other. Storage system 603 may comprise additional elements, such as a controller, capable of communicating with processing system 602 or possibly other systems.

[0055] Software 605 may be implemented in program instructions and among other functions may, when executed by processing system 602, direct processing system 602 to operate as described with respect to the various operational scenarios, sequences, and processes illustrated herein. Software 605 may include program instructions for implementing method 200.

[0056] In particular, the program instructions may include various components or modules that cooperate or otherwise interact to carry out the various processes and operational scenarios described herein. The various components or modules may be embodied in compiled or interpreted instructions, or in some other variation or combination of instructions. The various components or modules may be executed in a synchronous or asynchronous manner, serially or in parallel, in a single threaded environment or multi-threaded, or in accordance with any other suitable execution paradigm, variation, or combination thereof. Software 605 may include additional processes, programs, or components, such as operating system software, virtual machine software, or other application software, in addition to or that include process 606. Software 605 may also comprise firmware or some other form of machine-readable processing instructions executable by processing system 602.

[0057] In general, software 605 may, when loaded into processing system 602 and executed, transform a suitable apparatus, system, or device (of which computing system 601 is representative) overall from a general-purpose computing system into a special-purpose computing system to enhance canvas service for graphically organizing content in a user interface. Indeed, encoding software 605 on storage system 603 may transform the physical structure of storage system 603. The specific transformation of the physical structure may depend on various factors in different examples of this description. Such factors may include, but are not limited to, the technology used to implement the storage media of storage system 603 and whether the computer-storage media are characterized as primary or secondary storage, as well as other factors.

[0058] If the computer readable storage media are implemented as semiconductor-based memory, software 605 may transform the physical state of the semiconductor memory when the program instructions are encoded therein, such as by transforming the state of transistors, capacitors, or other discrete circuit elements constituting the semiconductor memory. A similar transformation may occur with respect to magnetic or optical media. Other transformations of physical media are possible without departing from the scope of the present description, with the foregoing examples provided only to facilitate the present discussion.

[0059] Communication interface system 607 may include communication connections and devices that allow for communication with other computing systems (not shown) over communication networks (not shown). Examples of connections and devices that together allow for inter-system communication may include network interface cards, antennas, power amplifiers, RF circuitry, transceivers, and other communication circuitry. The connections and devices may communicate over communication media to exchange communications with other computing systems or networks of systems, such as metal, glass, air, or any other suitable communication media. The aforementioned media, connections, and devices are well known and need not be discussed at length here.

[0060] User interface system 609 may include a keyboard, a mouse, a voice input device, a touch input device for receiving a touch gesture from a user, a motion input device for detecting non-touch gestures and other motions by a user, and other comparable input devices and associated processing elements capable of receiving user input from a user. Output devices such as a display, speakers, haptic devices, and other types of output devices may also be included in user interface system 609. In some cases, the input and output devices may be combined in a single device, such as a display capable of displaying images and receiving touch gestures. The aforementioned user input and output devices are well known in the art and need not be discussed at length here. User interface system 609 may also include associated user interface software executable by processing system 602 in support of the various user input and output devices discussed above.

[0061] Communication between computing system 601 and other computing systems (not shown) may occur over a communication network or networks and in accordance with various communication protocols, combinations of protocols, or variations thereof. Examples include intranets, internets, the Internet, local area networks, wide area networks, wireless networks, wired networks, virtual networks, software defined networks, data center buses, computing backplanes, or any other type of network, combination of network, or variation thereof. The aforementioned communication networks and protocols are well known and need not be discussed at length here.

[0062] Certain inventive aspects may be appreciated from the foregoing disclosure, of which the following are various examples.

[0063] The functional block diagrams, operational scenarios and sequences, and flow diagrams provided in the Figures are representative of exemplary systems, environments, and methodologies for performing novel aspects of the disclosure. While, for purposes of simplicity of explanation, methods included herein may be in the form of a functional diagram, operational scenario or sequence, or flow diagram, and may be described as a series of acts, it is to be understood and appreciated that the methods are not limited by the order of acts, as some acts may, in accordance therewith, occur in a different order and/or concurrently with other acts from that shown and described herein. Those skilled in the art will understand and appreciate that a method could alternatively be represented as a series of interrelated states or events, such as in a state diagram. Moreover, not all acts illustrated in a methodology may be required for a novel example.

[0064] It is appreciated that examples described may include various components and features. It is also appreciated that numerous specific details are set forth to provide a thorough understanding of the examples. However, it is appreciated that the examples may be practiced without limitations to these specific details. In other instances, well known methods and structures may not be described in detail to avoid unnecessarily obscuring the description of the examples. Also, the examples may be used in combination with each other.

[0065] Reference in the specification to “an example” or similar language means that a particular feature, structure, or characteristic described in connection with the example is included in at least one example, but not necessarily in other examples. The various instances of the phrase “in one example” or similar phrases in various places in the specification are not necessarily all referring to the same example.