
iDRAC9 Security Configuration Guide


Silicon-based Root-of-Trust

14th generation PowerEdge servers (both Intel- and AMD-based) now use an immutable, silicon-based Root-of-Trust to cryptographically attest to the integrity of BIOS and iDRAC firmware. This Root-of-Trust is based on one-time programmable, read-only public keys that provide protection against malware tampering. The BIOS boot process leverages Intel Boot Guard technology or AMD Root-of-Trust technology, which verifies that the digital signature of the cryptographic hash of the boot image matches the signature that is stored in silicon by Dell as part of the manufacturing process. A failure to verify the boot image results in a shutdown of the server and a user notification in the Lifecycle Controller Log; the user can then initiate the BIOS recovery process. If Boot Guard validates the boot image successfully, the rest of the BIOS modules are validated by using a chain of trust procedure until control is handed off to the OS or hypervisor.

  1. Let us look at the chain of trust in more detail. Each BIOS module contains a hash of the next module in the chain. The key modules in BIOS are the IBB (Initial Boot Block), SEC (Security), PEI (Pre-EFI Initialization), MRC (Memory Reference Code), DXE (Driver Execution Environment), and BDS (Boot Device Selection). If Intel Boot Guard authenticates the IBB, the IBB then validates SEC+PEI before handing control to it. SEC+PEI then validates PEI+MRC, which in turn validates the DXE+BDS modules. At this point, control is handed over to UEFI Secure Boot as explained in later sections. Similarly, for Dell PowerEdge servers based on AMD EPYC, AMD Secure Root-of-Trust technology ensures that servers boot only from trusted firmware images.
  2. Also, AMD Secure Run Technology is designed to encrypt main memory, keeping it private from malicious intruders having access to the hardware. No application modifications are needed to use this feature, and the security processor never exposes the encryption keys outside of the processor.
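
The chain of trust from item 1, modeled as an added example (not Dell's code or firmware format): each constructed module embeds the SHA-256 of the next one, and a fused digest of the IBB stands in for the Boot Guard signature check against the key in silicon. The module contents, function names, digest layout, and choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac

# Stage order as listed in the guide; everything else here is constructed.
STAGES = ["IBB", "SEC+PEI", "PEI+MRC", "DXE+BDS"]

def module_digest(module):
    """Hash a module's code together with the next-stage hash it embeds."""
    return hashlib.sha256(module["code"] + module["next_hash"]).digest()

def build_image(payloads):
    """Assemble modules back to front so each embeds its successor's hash.

    Returns (modules, anchor); the anchor is the IBB digest that this model
    treats as fused into silicon at manufacturing time.
    """
    modules, next_hash = {}, b""
    for name in reversed(STAGES):
        modules[name] = {"code": payloads[name], "next_hash": next_hash}
        next_hash = module_digest(modules[name])
    return modules, next_hash

def verify_boot(modules, fused_anchor):
    """Walk the chain; return (True, None) or (False, first_failing_stage)."""
    expected = fused_anchor
    for name in STAGES:
        module = modules[name]
        if not hmac.compare_digest(module_digest(module), expected):
            return False, name  # boot stops at the first mismatch
        expected = module["next_hash"]  # trusted only after the check above
    return True, None

# Constructed sample firmware contents (hypothetical).
SAMPLE = {name: f"{name} code v1".encode() for name in STAGES}

if __name__ == "__main__":
    image, anchor = build_image(SAMPLE)
    print(verify_boot(image, anchor))      # (True, None)
    image["DXE+BDS"]["code"] = b"modified"
    print(verify_boot(image, anchor))      # (False, 'DXE+BDS')
```

Because each digest covers the embedded next-stage hash as well as the code, rewriting a module's stored hash to match a modified successor fails one stage earlier, so a change anywhere in the chain traces back to a mismatch against the immutable anchor.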

From 15th generation PowerEdge servers with iDRAC9 versions 4.10.10.10 and above for AMD platforms / 4.40.20.00 and above for Intel platforms, iDRAC first boots with chain of trust authentication, and then verifies BIOS integrity. iDRAC takes on the role of hardware-based security technologies as well.

