When a processing system boots, it may retrieve an encrypted version of a cryptographic key from nonvolatile memory to a processing unit, which may decrypt the cryptographic key. The processing system may also retrieve a predetermined authentication code for software of the processing system, and the processing system may use the cryptographic key to compute a current authentication code for the software. The processing system may then determine whether the software should be trusted, by comparing the predetermined authentication code with the current authentication code. In various embodiments, the processing unit may use a key stored in nonvolatile storage of the processing unit to decrypt the encrypted version of the cryptographic key, a hashed message authentication code (HMAC) may be used as the authentication code, and/or the software to be authenticated may be boot firmware, a virtual machine monitor (VMM), or other software. Other embodiments are described and claimed.