White Papers
PowerEdge Product Group
Direct from
Development
© 2018 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries
PowerEdge MX Secure Chassis Management
Tech Note by:
Josh Pennell
Michael Brown
SUMMARY
This paper is a discussion of the
innovative new security features
that are built-into the new Dell
EMC MX7000 chassis.
We will cover the secure boot
features built into the
Management Modules and
iDRAC, the ground-up security
design incorporating SELinux
and least-privilege processes,
and our new mechanisms that
ensure the security of all
management traffic inside the
chassis by authenticating and
authorizing every component in
the chassis, as well as the
encryption for all internal
management network traffic.
The intent of all of this work is to
make a more secure system for
customers, one that customers
can trust and rely on, and is
secured using the best available
security techniques against
hacking.
Secure Boot
The first principle of security of an embedded management controller is
answering the question of what code is running on that management controller.
Is the code running on the management controller authentic code from Dell, or
has the device been attacked or
compromised in any way? The way
that we have comprehensively
addressed this question for the
MX7000 Management Module is our
secure boot and chain of trust. Using
these techniques, explained below,
we can ensure that the Management
Module is running unmodified code
that has been authenticated by Dell,
and that there is no way an attacker has tampered with or replaced any code,
either through a supply-chain attack, or through any kind of online attack.
The technique that we use to secure the Management Module is based on the
“Chain of Trust” concept. In this concept, each stage of the boot process uses
digital signatures to cryptographically verify that the next stage of boot is signed
properly before jumping to the next stage.
The beginning of this chain of trust starts in the factory, when the iDRACs and
Management Modules that make up the MX7000 are being built. Our hardware
is programed with keys, fused to the device, that allow the processor to verify
the bootloader prior to starting, the bootloader in turn has its own keys to verify
the verify the kernel. Once booted the Kernel runs on a read only file system,
further preventing tampering. Each Management Module and iDRAC is also
programmed with device unique Identity certificates, which are a public/private
keypair used by the device to identify itself as authentic Dell to others. These
are signed by the Dell Certificate Authority, are unique to the device and stored
encrypted by the devices Hardware Root Key, described below. So each layer
of the system verifies that the next is authentic and has not been modified,
creating a complete chain of trust from hardware to running code.
One critical part of the secure boot process is the presence of a unique-per-
machine Hardware Root Key (HRK). This symmetric encryption key is
physically fused into the microprocessor during manufacturing. This HRK is
never visible or extractable from the OS or applications running on the
management controller, however, applications can make cryptographic requests
to the hardware crypto accelerator to encrypt or decrypt information using this
key. More importantly to our security design, access to this HRK can be
disabled at runtime in a manner that cannot be re-enabled without a power
cycle. If at any point in the boot process the system detects that it is running
non-Dell code, the HRK is disabled. Why this is important will be explained a
little bit later.