- Notes, cautions, and warnings
- Overview
- Built in iDRAC and PowerEdge Security
- Securely Configuring iDRAC Web Server
- Securely Using TLS/SSL Certificate
- Federal Information Processing Standards (FIPS)
- Secure Shell (SSH)
- Network Security Configuration
- Interfaces and Protocols to Access iDRAC
- iDRAC Port Configuration
- IPMI and SNMP Security Best Practices
- Secure Enterprise Key Manager (SEKM) Security
- iDRAC9 Group Manager
- Virtual Console and Virtual Media Security
- VNC Security
- User Configuration and Access Control
- Configuring Local Users
- Disabling Access to Modify iDRAC Configuration Settings on Host System
- iDRAC User Roles and Privileges
- Superroot User
- Recommended Characters in Usernames and Passwords
- Password Strength Policy
- Secure Default Password
- Changing the Default Login Password using Web Interface
- Force Change of Password (FCP)
- Simple 2-Factor Authentication (Simple 2FA)
- RSA SecurID Two Factor Authentication (2FA) iDRAC9 Datacenter
- Active Directory
- LDAP
- Customizable Security Banner
- System Lockdown Mode
- Securely Configuring BIOS System Security
- Secure Boot Configuration
- Securely Erasing Data
- LCD Panel
- Server Inventory, Lifecycle Log, Server Profiles, and Licenses Import and Export
- Security Events Lifecycle Log
- Default Configuration Values
- Network Vulnerability Scanning
- Security Licensing
- Field Service Debug (FSD)
- Best Practices
- Appendix - White papers
Bienvenue
Bienvenue dans l’univers Dell
Mon compte
- Passer des commandes rapidement et facilement
- Afficher les commandes et suivre l’état de votre expédition
- Profitez de récompenses et de remises réservées aux membres
- Créez et accédez à une liste de vos produits
- Gérer vos sites, vos produits et vos contacts au niveau des produits Dell EMC à l’aide de la rubrique Gestion des informations de l’entreprise.
iDRAC9 Security Configuration Guide
Secure Boot Configuration
UEFI Secure Boot is a technology that eliminates a major security void that may occur during a handoff between the UEFI firmware and UEFI operating system (OS). In UEFI Secure Boot, each component in the chain is validated and authorized against a specific certificate before it can load or run. Secure Boot removes the threat and provides software identity checking at every step of the boot— Platform firmware, Option Cards, and OS BootLoader.
The Unified Extensible Firmware Interface (UEFI) Forum—an industry body that develops standards for pre-boot software—defines Secure Boot in the UEFI specification. Computer system vendors, expansion card vendors, and operating system providers collaborate on this specification to promote interoperability. As a portion of the UEFI specification, Secure Boot represents an industry-wide standard for security in the pre-boot environment.
When enabled, UEFI Secure Boot prevents the unsigned UEFI device drivers from being loaded, displays an error message, and does not allow the device to function. You must disable Secure Boot to load the unsigned device drivers.
On the Dell 14th generation and later versions of PowerEdge servers, you can enable or disable the Secure Boot feature by using different interfaces (RACADM, WSMAN, REDFISH, and LC-UI).
The Secure Boot Settings feature can be accessed by clicking System Security under System BIOS Settings from the iDRAC web interface or by pressing <F2> when the company logo is displayed during POST and navigating to System BIOS Settings,
- By default, Secure Boot is Disabled, and the Secure Boot policy is set to Standard. To configure the Secure Boot Policy, you must enable Secure Boot.
- When the Secure Boot mode is set to Standard, it indicates that the system has default certificates and image digests, or hash loaded from the factory. This caters to the security of standard firmware, drivers, option-roms, and boot loaders.
- To support a new driver or firmware on a server, the respective certificate must be enrolled into the database of Secure Boot certificate store. Secure Boot Policy must be configured to Custom.
When the Secure Boot Policy is configured as Custom, it inherits the standard certificates and image digests that are loaded in the system by default, which you can modify. Secure Boot Policy configured as Custom allows you to perform operations such as View, Export, Import, Delete, Delete All, Reset, and Reset All. Using these operations, you can configure the Secure Boot Policies.
Configuring the Secure Boot Policy to Custom enables the options to manage the certificate store by using various actions such as Export, Import, Delete, Delete All, Reset, and Rest All on PK, KEK, DB, and DBX. You can select the policy (PK / KEK / DB / DBX) on which you want to make the change and perform appropriate actions by clicking the respective link. Each section has links to perform the Import, Export, Delete, and Reset operations. Links are enabled based on what is applicable, which depends on the configuration at the time. Delete All and Reset All are the operations that have impact on all the policies. Delete All deletes all the certificates and image digests in the Custom policy and Reset all restores all the certificates and image digests from Standard or Default certificate store.
Configuring Secure Boot is discussed in detail in the whitepaper - https://downloads.dell.com/solutions
| Policy Component | Acceptable File Formats | Acceptable File Extensions | Max records allowed |
|---|---|---|---|
|
PK |
X.509 Certificate (binary DER format only) |
|
1 |
|
KEK |
X.509 Certificate (binary DER format only) Public Key Store |
|
More than 1 |
|
DB and DBX |
X.509 Certificate (binary .DER format only) EFI image (system BIOS calculates and imports the image digest) |
|
More than 1 |
Veuillez attribuer une note (1 à 5 étoiles).
Veuillez attribuer une note (1 à 5 étoiles).
Veuillez attribuer une note (1 à 5 étoiles).
Veuillez indiquer si l’article a été utile ou non.
Les commentaires ne doivent pas contenir les caractères spéciaux : <>()\