
iDRAC10 Security Configuration Guide
Securely Configuring BIOS System Security
iDRAC allows the user to configure the options under System Security in the BIOS such as power, system or setup passwords, and secure boot policies.
NOTE: This is a BIOS option. iDRAC can also configure BIOS settings.
To update System Security Settings:
- Go to .
- Select the necessary security configurations and set to required values.
- Click Apply.
The following System Security settings can be configured:
| Menu Item | Option | Description |
|---|---|---|
| System Password | N/A | Enables you to set the system password, which is the password that you must enter to allow the system to boot to an operating system. This option is read-only if the password switch (PWRD_DIS) is off. A password can have a maximum of 32 characters. Enable a Setup Password using SHA256 hash and salt. |
| Setup Password | N/A | Enables you to set the Setup password. The Setup password is the one you must enter to change any BIOS settings, except for the System password, which can be changed without entering the correct Setup password. This option is read-only if the password switch (PWRD_DIS) is off. A password can have a maximum of 32 characters. Enable a System Password using SHA256 hash and salt. |
| Password Status | Unlocked/Locked | Locks the system password. To prevent the system password from being modified, set this option to Locked and enable the Setup password. This field also prevents the system password from being disabled by the user while the system is booting. Set the password status to “Locked”. |
| Power Button | Enabled/Disabled | When set to Disabled, this blocks someone from pressing the power button to shut down the system; however, the system can still be powered on. This is a security setting because it protects against accidental or malicious powering off of the system. |
| UEFI Variable Access | Standard/Controlled | This field provides varying degrees of securing UEFI variables. When set to Standard, UEFI variables are accessible in the operating system based on the UEFI specification. When set to Controlled, selected UEFI variables are protected in the environment and new UEFI boot option entries are forced to be appended to the end of the current boot order. |
| In-Band Manageability Interface | Enabled/Disabled | When set to Disabled, this setting hides the Management Engine's (ME) HECI devices and the system's IPMI devices from the operating system. This prevents the operating system from changing the ME power capping settings, and blocks access to all in-band management tools. All management functions must be managed by using the out-of-band techniques. NOTE: BIOS update requires HECI devices to be operational, and DUP updates require IPMI interface to be operational. This setting must be set to Enabled to avoid update errors. |
| Secure Boot | Enabled/Disabled | Allows you to enable Secure Boot, where the BIOS authenticates each component that runs during the boot process using the certificates in the Secure Boot Policy. The following components are validated in the boot process: NOTE: A Setup password is recommended to be enabled for Secure Boot. |
| Secure Boot Policy | Standard/Custom | When Secure Boot Policy is Standard, the BIOS uses the system manufacturer’s key and certificates to authenticate pre-boot images. When Secure Boot Policy is set to Custom, the BIOS uses the user-customized key and certificates. NOTE: If Custom mode is selected, the Secure Boot Custom Policy Settings menu is displayed. NOTE: Changing the default security certificate may cause the system to fail booting from certain boot options. |
| Secure Boot Mode | User Mode/Deploy Mode | |
| Secure Boot Policy Settings | N/A | Enables you to configure the Secure Boot Custom Policy. A user can enroll and delete the PK, KEK, db, and dbx entries. |
For a complete list of BIOS settings, see the Set up BIOS on 17th Generation Dell PowerEdge Servers whitepaper.
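The dependencies between these settings (Password Status and Secure Boot both rely on a Setup password; disabling the in-band interface breaks BIOS and DUP updates) can be checked across a fleet. The following is an added example, not Dell code: the dictionary keys are the Menu Item names from the table, while the `Setup Password Set` flag, the sample records, and the choice of Locked/Enabled/Disabled as the baseline are assumptions of this example.

```python
def audit_system_security(settings):
    """Return (severity, message) findings for one server's System Security values."""
    findings = []
    # Hypothetical inventory flag: True when a Setup password has been set.
    has_setup_pw = settings.get("Setup Password Set", False)

    # Locking the system password only helps when a Setup password is enabled.
    if settings.get("Password Status") != "Locked":
        findings.append(("warn", "Password Status is not Locked"))
    elif not has_setup_pw:
        findings.append(("warn", "Password Status is Locked but no Setup password is enabled"))

    # The guide recommends a Setup password whenever Secure Boot is enabled.
    if settings.get("Secure Boot") != "Enabled":
        findings.append(("warn", "Secure Boot is not Enabled"))
    elif not has_setup_pw:
        findings.append(("warn", "Secure Boot is Enabled without a Setup password"))

    # Custom policy: changed certificates may stop some boot options from booting.
    if settings.get("Secure Boot Policy") == "Custom":
        findings.append(("info", "Custom Secure Boot Policy: verify all boot options still boot"))

    # Disabled hides HECI/IPMI from the OS, so BIOS and DUP updates will fail.
    if settings.get("In-Band Manageability Interface") == "Disabled":
        findings.append(("info", "In-band interface Disabled: set to Enabled before BIOS/DUP updates"))

    # An enabled power button allows accidental or malicious power-off.
    if settings.get("Power Button") != "Disabled":
        findings.append(("info", "Power Button can shut down the system"))
    return findings


# Constructed sample records, not taken from real servers.
SAMPLE_FLEET = {
    "srv-a": {"Password Status": "Locked", "Setup Password Set": True,
              "Secure Boot": "Enabled", "Secure Boot Policy": "Standard",
              "In-Band Manageability Interface": "Enabled", "Power Button": "Disabled"},
    "srv-b": {"Password Status": "Locked", "Setup Password Set": False,
              "Secure Boot": "Enabled", "Secure Boot Policy": "Custom",
              "In-Band Manageability Interface": "Disabled", "Power Button": "Enabled"},
}

if __name__ == "__main__":
    for host, values in SAMPLE_FLEET.items():
        for severity, message in audit_system_security(values):
            print(f"{host}: [{severity}] {message}")
```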