Dell Command Secure BIOS Configuration Support with Dell Command Configure
Summary: This article provides details on Dell Command | Secure BIOS Configuration (DCSBC) and how to use it with Dell Command | Configure (DCC) to achieve certificate-based authentication for BIOS configuration. ...
Instructions
Affected Products:
- Dell Command | Secure BIOS Configuration
- Dell Command | Configure
Table of Contents:
- Introduction:
- Dell Command | Secure BIOS Configuration Architecture in DCC
- Dell Command | Configure Implementation
- Prerequisites to Utilize HSM Signing Method for Dell Command Secure BIOS Configuration workflows
- FAQs
Introduction:
Manageability interfaces rely on open interfaces or on password-authenticated commands. Password authentication is vulnerable to brute-force and dictionary attacks and is therefore less secure than key-based authentication. A better authenticated manageability interface is needed to protect the integrity and confidentiality of data and commands. A more secure interface also allows other technologies, such as password management, platform configuration mirroring, and factory tools, to build on the protected interface. DCSBC is an approach to move away from authenticating DACI commands with BIOS passwords. DCSBC provides trusted communication by creating an interface that uses PKI authentication mechanisms and encrypted channels to pass messages between the platform and a client. This approach also provides both integrity and confidentiality to protect customer data.
Dell Command | Secure BIOS Configuration Architecture in DCC
Architecture diagram legend:
- DCC: Dell Command | Configure
- CLI: DCC Client (Pipeline)
- DHE: Ephemeral Diffie-Hellman
- OTB: On the Box
- SCE: Self-Contained Executable
- Console: MECM, Intune, WorkspaceONE
The solution is to create an interface that uses PKI authentication mechanisms and encrypted channels to pass messages between the platform and a client.
Session-based commands use a Diffie-Hellman type key exchange.
Replay protection is accomplished in part by attaching a sequence of single-use random numbers (nonces) to the DCSBC messages.
The use of nonces allows the receiver of a message to ensure that the message is unique (not reused) and that the sequence of operations is maintained. This is especially important for session-based commands. In each transaction the client generates a new nonce, shares the nonce value with the receiver in the clear, and hashes the nonce value into the message, either as part of the signature or as part of a message authentication code.
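The following is an added example, not code from the article or from Dell's DCSBC implementation, showing the replay-protection pattern described above: a client attaches a fresh nonce and a sequence number to each message and binds them into an HMAC, and the receiver rejects tampered, replayed, or out-of-order messages. The session key, message layout, and command strings are constructed assumptions for the example; in DCSBC the key would come from the DHE exchange and the authenticator may be a signature rather than an HMAC.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for the per-session key that the DHE exchange would derive.
# Not a DCSBC value; it only makes the example self-contained.
SESSION_KEY = hashlib.sha256(b"constructed-session-key").digest()


@dataclass(frozen=True)
class Message:
    seq: int        # position of this command in the session
    nonce: bytes    # single-use random value, sent in the clear
    command: bytes  # the configuration command being carried
    mac: bytes      # HMAC-SHA256 over seq || nonce || command


def compute_mac(key: bytes, seq: int, nonce: bytes, command: bytes) -> bytes:
    # The nonce is hashed into the authenticator, so a changed or reused
    # nonce cannot be paired with an old MAC.
    data = seq.to_bytes(4, "big") + nonce + command
    return hmac.new(key, data, hashlib.sha256).digest()


class Client:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.next_seq = 0

    def send(self, command: bytes) -> Message:
        nonce = secrets.token_bytes(16)  # fresh nonce for every transaction
        mac = compute_mac(self.key, self.next_seq, nonce, command)
        msg = Message(self.next_seq, nonce, command, mac)
        self.next_seq += 1
        return msg


class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.expected_seq = 0
        self.seen_nonces = set()

    def accept(self, msg: Message) -> tuple:
        """Return (accepted, reason). Checks run integrity, then uniqueness, then order."""
        expected = compute_mac(self.key, msg.seq, msg.nonce, msg.command)
        if not hmac.compare_digest(msg.mac, expected):
            return False, "bad mac"          # tampered, or wrong session key
        if msg.nonce in self.seen_nonces:
            return False, "replayed nonce"   # this message was already consumed
        if msg.seq != self.expected_seq:
            return False, "out of sequence"  # reordered or dropped command
        self.seen_nonces.add(msg.nonce)
        self.expected_seq += 1
        return True, "ok"


def run_demo() -> list:
    """Drive one session through the accept, replay, reorder and tamper cases."""
    client, receiver = Client(SESSION_KEY), Receiver(SESSION_KEY)
    first = client.send(b"constructed command 0")
    second = client.send(b"constructed command 1")
    third = client.send(b"constructed command 2")
    tampered = Message(third.seq, third.nonce, b"altered command", third.mac)
    return [
        receiver.accept(first)[1],     # ok
        receiver.accept(first)[1],     # replayed nonce
        receiver.accept(third)[1],     # out of sequence
        receiver.accept(second)[1],    # ok
        receiver.accept(tampered)[1],  # bad mac
        receiver.accept(third)[1],     # ok
    ]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The order of the checks matters: the MAC is verified first so that an unauthenticated message cannot influence the nonce set or the sequence counter, and a message that fails the sequence check leaves no state behind, so the legitimate copy can still be accepted once its predecessors arrive.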
As part of this, DCSBC with DCC follows a server-client model, in which the DCSBC server creates Self-Contained Executables for the different workflows. These Self-Contained Executables (SCEs) can then be deployed to IT-managed endpoints using configuration tools such as SCCM or Microsoft Intune.
There is no requirement to install DCC on the clients/endpoints. Once the SCE runs on the endpoint, it requests the BIOS configuration payloads from the DCSBC server and applies those operations to the endpoint BIOS.
With this flow, a zero-trust policy is achieved on the client/endpoint: trust exists only between the BIOS and the DCSBC server.
Dell Command | Configure Implementation
In DCC, SCEs for DCSBC are created for two workflows, the Provisioning Workflow and the BIOS Configuration Workflow. Workflow operations are classified into provisioning operations and BIOS configuration operations:
- Provisioning Workflow - Allows users to create a Provisioning Certificate to authenticate secure connectivity with the client for provisioning. Adding, deleting, or clearing provisioning keys and signing the SCE package are part of this workflow.
- BIOS Configuration Workflow - Allows users to create a Command Certificate to configure BIOS settings on a client that has been provisioned. Selecting BIOS configurations and signing the BIOS configuration SCE package are part of this workflow.
To achieve the above workflows, there are two types of key controls defined in DCC:
- Provisioning Key — This key/certificate signs payloads for the Provisioning workflow, where you add (provision) new keys, delete existing keys, or clear all provisioned keys.
- Command Key — This key/certificate can be used to sign payloads for the BIOS Configuration Change flow.
- At any given time, only one provisioning key can be added or provisioned on the client machine.
- Up to seven Command Keys can be added/provisioned on a client machine at any given time.
- The Delete Provisioning workflow applies only to Command Keys. To remove a provisioning key from the client, select the Clear Provisioning workflow option.
Installing and Setting up Dell Command Secure BIOS Configuration Server with DCC
For details on how to install and set up DCSBC with DCC, refer to the DCC 5.0 Install Guide > Installing Dell Command | Configure 5.0 for Dell Command Secure BIOS Configuration (https://www.dell.com/support/home/product-support/product/command-configure/docs)
Configuring the Dell Command Secure BIOS Configuration Server with HTTPS
For details on how to configure the DCSBC server with HTTPS, refer to the DCC 5.0 Installation Guide > Configuring the Dell Command Secure BIOS Configuration Server using HTTPS here: (https://www.dell.com/support/home/product-support/product/command-configure/docs)
Creating Self-Contained Executables for DCSBC Workflows on the DCSBC Server using DCC UI
For details on how to create SCEs that perform provisioning of DCSBC configuration certificates, refer to the DCC User's Guide > Perform Provisioning for Dell Command Secure BIOS Configuration Certificates here: (https://www.dell.com/support/home/product-support/product/command-configure/docs)
Configure BIOS Settings with Dell Command Secure BIOS Configuration:
For details on how to create SCEs that configure BIOS settings with DCSBC, refer to the DCC User's Guide > Export SCE for Certificate-Based BIOS Authentication here: (https://www.dell.com/support/home/product-support/product/command-configure/docs)
Prerequisites to Utilize HSM Signing Method for Dell Command Secure BIOS Configuration workflows
DCSBC with DCC allows you to use any HSM vendor to sign DCSBC payloads. However, to use this signing method, DCC requires the following prerequisites to be met:
- Dell Technologies recommends OpenSSL as the open-source signing tool to use together with the HSM provider set up in your environment, so that DCC can use signatures generated by the HSM signing method.
- Based on the HSM provider you are using, update the HSMSigning.bat file at the following location: C:\Program Files (x86)\Dell\Command Configure\X86_64\HSMSigning.bat
In this file, update the signature generation command on line 12 so that it is compatible with your HSM setup. By default, the command used is:
"%OpensslPath%\openssl.exe" dgst -sha256 -sign "%ObfuscatedKeyPath%\%PrivateKeyName%" -out "%outlocat%\blobsignature.txt" %1
Your replacement command must write the signature to the same path as the default command, with the file name blobsignature.txt.
Also, do not modify the last argument ("%1") of this command: it passes the payload file that DCC generates at runtime to the signing command.
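Before deploying a modified HSMSigning.bat, it is worth confirming that the replacement command still honours the two requirements above: the payload path is accepted as the final argument (the role of %1), and the signature lands in the output directory as blobsignature.txt. The following is an added example harness, not part of DCC or of the article, that runs a candidate signing command against a constructed payload and checks that contract. The stub signer it uses offline is a constructed stand-in (it writes a SHA-256 digest, not a real signature); in practice you would pass the command from line 12 of your edited batch file, with the same environment variables expanded.

```python
import subprocess
import sys
import tempfile
from pathlib import Path

# File name DCC reads after HSMSigning.bat runs (from the default command on the page).
EXPECTED_NAME = "blobsignature.txt"


def check_signing_command(command: list, out_dir: Path, payload: Path) -> tuple:
    """Run a candidate signing command with the payload appended as the final
    argument (the role of %1 in HSMSigning.bat) and verify the output contract.
    Returns (ok, reason)."""
    sig = out_dir / EXPECTED_NAME
    if sig.exists():
        sig.unlink()  # a stale signature must not mask a failing command
    proc = subprocess.run(command + [str(payload)], capture_output=True, text=True)
    if proc.returncode != 0:
        return False, "signing command exited %d: %s" % (proc.returncode, proc.stderr.strip())
    if not sig.is_file():
        return False, "%s was not written to %s" % (EXPECTED_NAME, out_dir)
    if sig.stat().st_size == 0:
        return False, "%s is empty" % EXPECTED_NAME
    return True, "signature written (%d bytes)" % sig.stat().st_size


# Constructed stand-in for an HSM-backed signer so the check can run offline:
# it writes a SHA-256 digest of the payload (argv[2]) to the path in argv[1].
# A real HSMSigning.bat line would invoke the vendor tool or openssl instead.
STUB_SIGNER = (
    "import sys, hashlib, pathlib; "
    "out, payload = pathlib.Path(sys.argv[1]), pathlib.Path(sys.argv[2]); "
    "out.write_bytes(hashlib.sha256(payload.read_bytes()).digest())"
)


def run_self_test() -> dict:
    """Exercise the check with a conforming and a non-conforming stub command."""
    with tempfile.TemporaryDirectory() as tmp:
        out_dir = Path(tmp)
        payload = out_dir / "payload.bin"
        payload.write_bytes(b"constructed DCC payload")
        # Writes to the expected file name: should pass.
        conforming = [sys.executable, "-c", STUB_SIGNER, str(out_dir / EXPECTED_NAME)]
        # Writes to a different file name: should fail the contract check.
        wrong_name = [sys.executable, "-c", STUB_SIGNER, str(out_dir / "signature.bin")]
        return {
            "conforming": check_signing_command(conforming, out_dir, payload)[0],
            "wrong_name": check_signing_command(wrong_name, out_dir, payload)[0],
        }


if __name__ == "__main__":
    for case, passed in run_self_test().items():
        print(case, "PASS" if passed else "FAIL")
```

Deleting any previous blobsignature.txt before each run is the important detail: a command that silently writes elsewhere would otherwise look correct as long as an older signature is still lying in the output directory, and DCC would then attach a signature that does not match the payload.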
FAQs
- I want to use DCC to perform BIOS configurations using BIOS Password Authentication. What should I do?
- DCC can generate SCE packages for BIOS configurations using BIOS password-based authentication. The DCC UI maintains the control flow for creating SCE packages with BIOS password-based authentication.
- I do not have an HSM service provider setup on my Dell Command Secure BIOS Configuration server. How can I resolve this?
- Local signing method can be used to sign SCE packages for DCSBC.
Note: This method uses locally generated private keys to sign SCE packages. To secure the private keys, DCC can manage them through the Microsoft certificate store, so the private key files do not need to be saved on disk.
- I want to install and set up my Dell Command | Configure with Dell Command Secure BIOS Configuration Server on a Virtual Machine. What should I do?
- You can use a Virtual Machine to set up the DCC with the DCSBC server. On the DCC platform with the DCSBC server, you can create self-contained executables for both provisioning and BIOS configuration tasks. This setup ensures that you can manage and secure BIOS configurations, even on a virtual environment.