
PowerEdge Product Group
Direct from Development
© 2017 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.
*According to National Institute of Standards and Technology (NIST) document Special Publication 800-147
CYBER-RESILIENCY IN CHIPSET AND BIOS
Tech Note by:
Wei Liu
Seamus Jones
SUMMARY
New BIOS features introduced in the Dell EMC 14th generation of PowerEdge servers offer unique resiliency to malicious intent or user error.
Specific features outlined are:
Intel Boot Guard Integration
BIOS Recovery
These features enable customers to deploy routine BIOS updates without worry or risk of catastrophic corruption, ensuring the benefits of updated platforms for the full product lifecycle.
The Basic Input Output System (BIOS) is implicitly a critical element of any solution stack, and because the BIOS persists between power cycles it is a potentially attractive target for malicious attacks. CIH, also known as the Chernobyl or Spacefiller virus, was the first large-scale, industry-wide virus that attacked a system BIOS.* First seen in 1998, it impacted over 60 million IT systems from multiple manufacturers and demonstrated how important it is to consider BIOS security and recovery.

Today, because of Dell EMC BIOS innovations and partnerships with chipset manufacturers, the incidence of corruption like this is extremely low.

Due to the critical nature of the BIOS and the perceived risks of updating, some customers hesitate to perform scheduled updates during a server lifecycle. This can leave a platform or organization exposed to further threats or performance issues. For this reason we have implemented multiple new features; the two outlined here are Boot Guard and BIOS Recovery. These ensure that the server is immune to compromise of the OS, BIOS, System Management Mode (SMM), or Intel Management Engine (ME).
Protection at the Chipset
The Dell EMC 14th generation of PowerEdge servers supports the Intel Boot Guard verified boot feature. Boot Guard extends the platform root of trust to the Platform Controller Hub (PCH). The PCH contains One-Time-Programmable (OTP) fuses that are burned by the Dell EMC factory during the manufacturing process with the selected Boot Guard policy and the hash of the Master Public Key.
Figure 1: Intel Boot Guard process
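
A simplified model of the fuse-anchored check described above, added here as an illustration and not Dell EMC or Intel code: because the fuses hold only a policy and a key hash, a public key stored in rewritable flash is accepted only if it hashes to the fused value. SHA-256, the policy values "enforce" and "report", and all class and function names are assumptions.

```python
import hashlib
import hmac


class FuseError(Exception):
    """Raised when the modeled fuse bank is misused."""


class OtpFuses:
    """Simplified write-once fuse bank; not the real PCH fuse layout."""

    def __init__(self):
        self._burned = False
        self.policy = None
        self.key_hash = None

    def burn(self, policy, master_public_key):
        # One-time programmable: a second burn attempt must fail.
        if self._burned:
            raise FuseError("fuses already burned")
        self.policy = policy
        # Only the digest is fused, so the key itself can live in flash.
        # SHA-256 is an assumption; the page does not name the hash.
        self.key_hash = hashlib.sha256(master_public_key).digest()
        self._burned = True


def check_presented_key(fuses, presented_key):
    """Decide whether a public key found in flash may anchor the boot."""
    if fuses.key_hash is None:
        return "unprovisioned"
    digest = hashlib.sha256(presented_key).digest()
    if hmac.compare_digest(digest, fuses.key_hash):
        return "trusted"
    # Hypothetical policy values: "enforce" stops the boot,
    # any other value only records the mismatch.
    return "halt" if fuses.policy == "enforce" else "logged"


# Constructed sample keys (placeholders, not real key material).
FACTORY_KEY = b"constructed-master-public-key"
SWAPPED_KEY = b"constructed-replacement-public-key"

if __name__ == "__main__":
    fuses = OtpFuses()
    fuses.burn("enforce", FACTORY_KEY)
    for key in (FACTORY_KEY, SWAPPED_KEY):
        print(key.decode(), "->", check_presented_key(fuses, key))
```

Signature verification of the firmware with the trusted key is the next link in the chain and is outside this model.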
