White paper

Improved security with iDRAC9 via Root of Trust and BIOS Live Scanning

Maintaining best-in-class security on Dell EMC PowerEdge servers running iDRAC9 4.10.10.10

Abstract

iDRAC9 4.10.10.10 provides an improved Root of Trust mechanism that helps reduce the risk of malware infiltration into sensitive server areas. For newer AMD platforms, additional BIOS live scanning checks ensure that no unauthorized changes occur.
Revisions

| Date | Description |
|---|---|
| June 2020 | Initial release |

Acknowledgements

This paper was produced by the following members of the Dell EMC storage engineering team:

Authors:
• Aniruddha Herekar
• Doug Iler
• Murali Somarouthu
• Prashanth Giri

The information in this publication is provided “as is.” Dell Inc.
Table of contents

Revisions  2
Acknowledgements  2
Table of contents
Executive summary

Security is critical to the operational success of any data center. Dell EMC is committed to continually improving its code to provide the most secure solution to its customers. The iDRAC9 4.10.10.10 firmware release delivers on this by leveraging hardware-based security technologies and checking the BIOS for integrity. Additionally, BIOS image scanning can be initiated either on a schedule or on demand.
1 Introduction

Today, even firmware flashed into read-only memory is susceptible to exploitation by attackers, who commonly try to expose the system to malicious activity. Even though UEFI Secure Boot is effective in providing host security, it fails if the flashed firmware itself is compromised. An attacker could gain physical access to the system and maliciously tamper with the BIOS image.
2 Dell EMC Root of Trust and BIOS live scanning

2.1 Root of Trust

Dell EMC takes security seriously and has adopted Boot Guard technology on its new generation of PowerEdge servers to counter BIOS tampering. On the latest AMD Dell EMC PowerEdge servers with iDRAC9, iDRAC first boots through its own chain-of-trust authentication and then verifies BIOS integrity.
2.1.1 Platforms and iDRAC version support

Platforms, iDRAC versions and feature support

| Platforms | iDRAC9 versions supported | Features |
|---|---|---|
| R6525, C6525 | 3.42.42.42 and above | BIOS integrity check at host boot |
| R6525, C6525 and R7525 | 4.10.10.10 and above | BIOS integrity check at host boot and live scanning of BIOS image |

Note: iDRAC9 hardware RoT and BIOS live scanning feature support is available only with the new generation of AMD platforms.
2.2.2 Scheduling a scan using the racadm interface

Usage: racadm biosscan -s

The built-in help describes the command and its schedule option:

```
# racadm help biosscan
Racadm biosscan -- Performs BIOS Live Scanning
Usage: racadm biosscan -s
  -s 0 - Never schedule.
```
To schedule scanning monthly:

```json
{
  "Payload": {
    "TargetUri": "/redfish/v1/Systems/System.Embedded.1/Bios/Actions/Oem/Dell Bios.RunBIOSLiveScanning"
  },
  "Schedule": {
    "EnabledDaysOfMonth": [24]
  }
}
```

(24 is the day of the month from which you prefer the monthly scan to run.)

To schedule scanning yearly:

```json
{
  "Payload": {
    "TargetUri": "/redfish/v1/Systems/System.Embedded.1/Bios/Actions/Oem/Dell Bios.
```
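The following Python is an added example, not code from the white paper or from Dell: it builds the Redfish job body shown above for a monthly, yearly or weekly BIOS live scan, rejects out-of-range schedule values before anything is sent to the iDRAC, and optionally POSTs the job. The action URI is reproduced from the paper as extracted (including the space before "Bios", which should be checked against your iDRAC's Redfish schema). The `EnabledMonthsOfYear`/`EnabledDaysOfWeek` properties come from the Redfish Schedule schema, and the yearly layout and the `/redfish/v1/JobService/Jobs` path are assumptions, since the paper's yearly payload is truncated and names no job endpoint.

```python
"""Build and (optionally) submit a Redfish job that schedules iDRAC9 BIOS live scanning."""
import json
from typing import Dict, Optional
from urllib import request

# Action URI reproduced from the white paper as extracted; the space before
# "Bios" is present in the source document, so confirm the exact action name
# against your iDRAC's Redfish schema before relying on it.
RUN_BIOS_LIVE_SCANNING_URI = (
    "/redfish/v1/Systems/System.Embedded.1/Bios/Actions/Oem/Dell Bios.RunBIOSLiveScanning"
)

# Property names come from the Redfish Schedule schema. The paper's yearly
# example is truncated, so using EnabledMonthsOfYear plus EnabledDaysOfMonth
# for a yearly scan is an assumption made here.
DAYS_OF_WEEK = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")
MONTHS_OF_YEAR = ("January", "February", "March", "April", "May", "June", "July",
                  "August", "September", "October", "November", "December")


def _check_day_of_month(day: Optional[int]) -> int:
    """A scan day must be an integer from 1 to 31; reject anything else early."""
    if not isinstance(day, int) or isinstance(day, bool) or not 1 <= day <= 31:
        raise ValueError(f"day_of_month must be 1..31, got {day!r}")
    return day


def _check_choice(value: Optional[str], allowed: tuple, label: str) -> str:
    """Only the exact schema spellings (e.g. "June", "Sunday") are accepted."""
    if value not in allowed:
        raise ValueError(f"{label} must be one of {allowed}, got {value!r}")
    return value


def build_scan_job(frequency: str, *, day_of_month: Optional[int] = None,
                   day_of_week: Optional[str] = None,
                   month: Optional[str] = None) -> Dict[str, dict]:
    """Return the JSON body for a scheduled BIOS live scan.

    frequency: "monthly" (needs day_of_month), "yearly" (needs month and
    day_of_month) or "weekly" (needs day_of_week).
    """
    if frequency == "monthly":
        schedule = {"EnabledDaysOfMonth": [_check_day_of_month(day_of_month)]}
    elif frequency == "yearly":
        schedule = {
            "EnabledMonthsOfYear": [_check_choice(month, MONTHS_OF_YEAR, "month")],
            "EnabledDaysOfMonth": [_check_day_of_month(day_of_month)],
        }
    elif frequency == "weekly":
        schedule = {"EnabledDaysOfWeek": [_check_choice(day_of_week, DAYS_OF_WEEK, "day_of_week")]}
    else:
        raise ValueError(f"unsupported frequency {frequency!r}")
    return {"Payload": {"TargetUri": RUN_BIOS_LIVE_SCANNING_URI}, "Schedule": schedule}


def submit_scan_job(idrac_base_url: str, session_token: str, job: Dict[str, dict],
                    jobs_path: str = "/redfish/v1/JobService/Jobs") -> int:
    """POST the job to the iDRAC and return the HTTP status code.

    The JobService path is an assumption (the paper does not give one);
    X-Auth-Token is the standard Redfish session header.
    """
    body = json.dumps(job).encode()
    req = request.Request(idrac_base_url.rstrip("/") + jobs_path, data=body, method="POST",
                          headers={"Content-Type": "application/json",
                                   "X-Auth-Token": session_token})
    with request.urlopen(req) as resp:  # network call; not exercised offline
        return resp.status


if __name__ == "__main__":
    # The monthly schedule from the paper (day 24), printed as the JSON body to send.
    print(json.dumps(build_scan_job("monthly", day_of_month=24), indent=2))
```

iDRACs usually present a self-signed TLS certificate; when calling `submit_scan_job` for real, pass an `ssl.SSLContext` trusting your own CA to `urlopen` rather than disabling verification, and use a session token obtained from `/redfish/v1/SessionService/Sessions` instead of embedding credentials.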
3 Conclusion

Maintaining the highest levels of server security is a must in today’s world. As technology advances, malicious activities advance too, and they pose a great challenge to system security. iDRAC9 4.10.10.10 now has the capability to check BIOS integrity and adds a further layer of security through BIOS live scanning, which you can run at your discretion. Using iDRAC9 4.10.10.10 ensures that host BIOS booting is secure on select PowerEdge AMD iDRAC9 systems.
A Troubleshooting

1. When logged into iDRAC, a SEL event notifies the user that iDRAC has failed to verify the BIOS, but the host booted successfully.
   • This is part of the iDRAC hardware RoT. Even after a failed BIOS image verification, iDRAC performs a recovery operation to restore a known-good BIOS image.

2. The host booted to the operating system, but it took longer than usual, and the host has no network access.
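Because a failed verification followed by a successful recovery still means the BIOS image was not what the Root of Trust expected, that SEL event is worth surfacing to whoever monitors the fleet rather than dismissing it. The script below is an added example, not part of the paper or of any Dell tool: it scans exported SEL text for failed-verification events, records whether a recovery event followed, and separates out failures with no recovery. The log lines and the match patterns are constructed from the wording in this troubleshooting entry; real iDRAC exports carry their own message IDs and phrasing, so the regular expressions are assumptions to adapt.

```python
"""Flag Root-of-Trust BIOS verification events in exported iDRAC SEL text."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (timestamp, severity, message). The wording
# follows the troubleshooting entry in this paper; real iDRAC SEL exports
# carry their own message IDs and phrasing, so adjust the patterns to match.
SAMPLE_SEL = """\
2020-06-24T08:01:10Z Critical iDRAC has failed to verify the BIOS image.
2020-06-24T08:01:45Z Informational iDRAC recovered the BIOS from a known-good image.
2020-06-24T08:03:02Z Informational Host booted successfully.
2020-06-25T02:00:00Z Informational BIOS live scanning completed; no unauthorized changes found.
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")
# Patterns are assumptions based on the paper's wording, not official message text.
FAILED_VERIFY_RE = re.compile(r"failed to verify the BIOS", re.IGNORECASE)
RECOVERED_RE = re.compile(r"recovered the BIOS", re.IGNORECASE)


@dataclass
class RotFinding:
    timestamp: str
    severity: str
    message: str
    recovered: bool = False  # set once a later recovery event is seen


def find_rot_events(log_text: str) -> List[RotFinding]:
    """Return one finding per failed BIOS verification, marking whether iDRAC
    recovered afterwards. A recovered event still means the BIOS image was
    not the expected one, so every finding deserves investigation."""
    findings: List[RotFinding] = []
    open_failure: Optional[RotFinding] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the scan
        ts, severity, message = m.groups()
        if FAILED_VERIFY_RE.search(message):
            open_failure = RotFinding(ts, severity, message)
            findings.append(open_failure)
        elif RECOVERED_RE.search(message) and open_failure is not None:
            open_failure.recovered = True
            open_failure = None
    return findings


def unrecovered(findings: List[RotFinding]) -> List[RotFinding]:
    """Failures with no matching recovery: the host may not have a good BIOS image."""
    return [f for f in findings if not f.recovered]


if __name__ == "__main__":
    for f in find_rot_events(SAMPLE_SEL):
        state = "recovered" if f.recovered else "NOT recovered"
        print(f"{f.timestamp} {f.severity}: {f.message} [{state}]")
```

Feed it the text of an exported SEL (or a stream forwarded to your SIEM); recovered findings go to an investigation queue, and anything returned by `unrecovered` should be treated as a host whose BIOS state needs to be confirmed out of band.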
B Glossary

| Component | Description |
|---|---|
| BIOS | Basic Input/Output System, also known as the System BIOS, ROM BIOS or PC BIOS. |
| FCH | Fusion Controller Hub |
| iDRAC | Integrated Dell Remote Access Controller |
| LED | Light Emitting Diode, a semiconductor light source that emits light when current flows through it. |
C Technical support and resources

Dell.com/support is focused on meeting customer needs with proven services and support.

Storage technical documents and videos provide expertise that helps to ensure customer success on Dell Technologies storage platforms.

C.1 Related resources

| Document name (document link) | Document description |
|---|---|
| https://github.com/corna/me_cleaner/wiki/Intel-Boot-Guard | Intel Boot Guard |
| https://edk2-docs.gitbooks. | |