iDRAC9 Security Configuration Guide

Signed Firmware Updates

Enhanced firmware authentication is embedded within many third-party devices, which provide signature validation using their own Root-of-Trust mechanisms. This prevents a compromised third-party update tool from being used to load malicious firmware into, for example, a NIC or storage drive (bypassing the use of signed Dell update packages). Many of the third-party PCIe and storage devices that are shipped with PowerEdge servers use a hardware Root-of-Trust to validate their respective firmware updates.

PowerEdge servers have used digital signatures on firmware updates for several generations to assure that only authentic firmware is running on the server platform. We digitally sign all our firmware packages, using SHA-256 hashing with 2048-bit RSA encryption for the signature, for all key server components, including firmware for iDRAC, BIOS, PERC, I/O adapters and LOMs, PSUs, storage drives, CPLD, and backplane controllers. iDRAC scans firmware updates and compares their signatures to what is expected using the silicon-based Root-of-Trust. If a firmware package fails validation, the update is aborted and an error message is logged into the Lifecycle Controller Log (LCL) to alert IT administrators.
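The verify-then-abort flow described above, as an added Python illustration that is not Dell's or iDRAC's code. It assumes RSASSA-PKCS1-v1_5 padding and public exponent 65537, neither of which the guide states; the key pair, image bytes, function names and the list used as a log are all constructed for the demo.

```python
import hashlib, hmac, secrets

E = 65537  # assumed public exponent; the guide does not state one
SHA256_DI = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix, RFC 8017

def is_probable_prime(n, rounds=20):
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:  # write n - 1 as d * 2**s with d odd (Miller-Rabin)
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** r, n) != n - 1 for r in range(1, s)):
            return False
    return True

def demo_keypair(bits=2048):  # constructed throwaway key, stands in for the vendor key
    def prime():
        while True:
            c = secrets.randbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
            if c % E != 1 and is_probable_prime(c):
                return c
    p, q = prime(), prime()
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private exponent d)

def encode(image, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(image)."""
    t = SHA256_DI + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(image, n, d):  # signer side, only used to build the demo signature
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(encode(image, k), "big"), d, n).to_bytes(k, "big")

def verify(image, sig, n):
    """Rebuild the expected encoding and compare it whole; never parse the padding."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, E, n).to_bytes(k, "big"), encode(image, k))

def apply_update(image, sig, n, log):
    """Abort and log when validation fails; `log` is a plain list, not the real LCL."""
    if not verify(image, sig, n):
        log.append("firmware update aborted: signature validation failed")
        return False
    return True
```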

If any firmware in any device is suspected of malicious tampering, IT administrators can roll back many of the platform firmware images to a prior trusted version stored in iDRAC. We keep two versions of device firmware on the server: the existing production version ("N") and a prior trusted version ("N-1").

