HP Integrated Lights-Out Security, 7th edition

During a firmware flash process, the iLO boot block performs the following steps to validate a new
flash image:
1. The flash routine analyzes the incoming data stream, looking for a viable image.
2. If it finds one, iLO flashes the image into the management ROM at the next available address.
Normally, the iLO boot block finds the main image first and flashes it into the area just past the
boot block. The flash process then continues until iLO detects no more viable images in the incoming
data stream.
iLO and iLO 2 flash the boot block only if the firmware flash happens while the iLO Security
Override jumper is set (that is, with iLO security disabled). For maximum security, you should not set
the Security Override jumper unless you intend to update the boot block. We do not expect that the
boot block will require updating, but we provide this mechanism in case you need it. iLO 3 flashes
the entire image, including the boot block, so on iLO 3 every firmware update rewrites the boot block
and the jumper does not gate that step.
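To make the two rules above concrete (scan the stream for viable images, place each one at the next available address past the boot block, and rewrite the boot block only while the Security Override jumper is set), here is a toy model of that policy. This is an added example, not HP's flash routine; the image header layout, the marker value, the ROM size and the boot-block size are assumptions chosen for illustration, and the input stream is constructed inline.

```c
/* Added example (not HP code): a toy model of the boot-block flash policy
 * described above. The image header format, marker value and ROM layout
 * constants below are assumptions for illustration, not iLO's real format. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_SIZE        1024  /* assumed toy management ROM size            */
#define BOOT_BLOCK_SIZE 64    /* assumed: boot block occupies ROM[0..63]    */
#define IMG_MAGIC 0x464F4C49u /* assumed image marker, hypothetical value   */

/* Hypothetical image header: marker, payload length, boot-block flag. */
struct img_hdr { uint32_t magic; uint32_t len; uint32_t is_boot_block; };

struct mgmt_rom {
    uint8_t bytes[ROM_SIZE];
    size_t  next_free;            /* next available address for a main image     */
    int     override_jumper_set;  /* iLO Security Override jumper (iLO / iLO 2)  */
};

struct flash_result { int flashed; int rejected; };

/* Step 1: scan the stream from *pos for the next viable image; returns 1 if found. */
static int find_viable_image(const uint8_t *stream, size_t stream_len,
                             size_t *pos, struct img_hdr *hdr)
{
    while (*pos + sizeof *hdr <= stream_len) {
        memcpy(hdr, stream + *pos, sizeof *hdr);
        if (hdr->magic == IMG_MAGIC && hdr->len > 0 &&
            *pos + sizeof *hdr + hdr->len <= stream_len)
            return 1;
        (*pos)++;                 /* not an image at this offset; keep scanning */
    }
    return 0;
}

/* Step 2, repeated: flash each viable image until the stream holds no more. */
struct flash_result flash_stream(struct mgmt_rom *rom,
                                 const uint8_t *stream, size_t stream_len)
{
    struct flash_result r = {0, 0};
    struct img_hdr hdr;
    size_t pos = 0;

    while (find_viable_image(stream, stream_len, &pos, &hdr)) {
        const uint8_t *payload = stream + pos + sizeof hdr;
        pos += sizeof hdr + hdr.len;

        if (hdr.is_boot_block) {
            /* The boot block is rewritten only while the override jumper is set. */
            if (!rom->override_jumper_set || hdr.len > BOOT_BLOCK_SIZE) {
                r.rejected++;
                continue;
            }
            memcpy(rom->bytes, payload, hdr.len);
        } else {
            /* Main images go at the next available address past the boot block. */
            if (rom->next_free + hdr.len > ROM_SIZE) { r.rejected++; continue; }
            memcpy(rom->bytes + rom->next_free, payload, hdr.len);
            rom->next_free += hdr.len;
        }
        r.flashed++;
    }
    return r;
}

/* Helper that builds the constructed input stream used by the demo. */
size_t append_image(uint8_t *buf, size_t len, int is_boot,
                    const void *payload, uint32_t plen)
{
    struct img_hdr h = { IMG_MAGIC, plen, (uint32_t)is_boot };
    memcpy(buf + len, &h, sizeof h);
    memcpy(buf + len + sizeof h, payload, plen);
    return len + sizeof h + plen;
}

/* Fresh ROM: an existing boot block (0xBB) and erased space (0xFF) after it. */
void rom_init(struct mgmt_rom *rom, int jumper_set)
{
    memset(rom->bytes, 0xBB, BOOT_BLOCK_SIZE);
    memset(rom->bytes + BOOT_BLOCK_SIZE, 0xFF, ROM_SIZE - BOOT_BLOCK_SIZE);
    rom->next_free = BOOT_BLOCK_SIZE;
    rom->override_jumper_set = jumper_set;
}

int main(void)
{
    uint8_t stream[256] = { 1, 2, 3 };     /* leading junk the scan must skip */
    size_t n = 3;
    n = append_image(stream, n, 0, "MAIN", 4);   /* main image, found first   */
    n = append_image(stream, n, 1, "BOOT", 4);   /* boot-block image          */

    struct mgmt_rom rom;
    rom_init(&rom, 0);
    struct flash_result r = flash_stream(&rom, stream, n);
    printf("jumper clear: flashed=%d rejected=%d boot[0]=0x%02X\n",
           r.flashed, r.rejected, rom.bytes[0]);

    rom_init(&rom, 1);
    r = flash_stream(&rom, stream, n);
    printf("jumper set:   flashed=%d rejected=%d boot[0..3]=%.4s\n",
           r.flashed, r.rejected, (const char *)rom.bytes);
    return 0;
}
```

With the jumper clear the main image lands at the first address past the boot block and the boot-block image is refused; with the jumper set both are written. The model deliberately has no PCI path that can change `override_jumper_set`, mirroring the point that the jumper is a physical control.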
The management ROM uses a temporary ROM data path to the PCI bus on the server (see Figure 1).
After the host processor locates iLO and copies the management ROM code into host memory, the
iLO firmware closes the temporary ROM data path to the host PCI bus. Under normal operating
circumstances, the server therefore has no way to flash the management ROM without permission.
The host PCI connection remains open only if you access the iLO device in safe mode (by setting the
iLO Security Override jumper) or if the iLO firmware does not execute properly. This allows the server
to flash the management ROM directly through the host PCI bus if the iLO ROM is corrupted. Both
conditions require either physical access to the jumper or a firmware that has already failed to run.
Firewall logic
iLO includes firewall and bridge logic to control information flow between the server and the
management console (Figure 1). The firewall logic protects against unauthorized access through the
server’s PCI bus. It shields keys and data stored in memory and firmware.
Memory
iLO contains three classes of memory registers:
General registers that the server can access through the PCI bus. These PCI registers contain only
non-sensitive information. iLO does not secure or try to hide these registers from the server.
Protected registers where iLO can lock write access. These registers restrict unwanted behavior,
such as flashing rogue firmware, but they do not hide information from the server. They are unlocked
in safe mode. Once iLO locks these registers, the server cannot regain control of them through the
PCI bus.
Secure registers that hold sensitive information such as the configuration data and user
passwords. No server application can write to these registers, regardless of the state of the server.
The server can only read the areas of iLO memory that iLO exposes. Applications on the PCI bus can
only access the memory that iLO permits, such as the general registers and, under certain conditions,
the protected registers, and cannot change the configuration of any shared memory region.
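The three register classes and the one-way lock are easy to get wrong when reasoning about what a compromised host OS can reach, so here is a small model of the access rules as seen from an application on the server's PCI bus. This is an added example, not HP's register map or driver code; the register counts, the function names and the return codes are assumptions for illustration.

```c
/* Added example (not HP code): a toy model of the three register classes
 * described above, as seen from an application on the server's PCI bus.
 * Register counts, function names and return codes are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define NREGS 4

enum reg_class { REG_GENERAL, REG_PROTECTED, REG_SECURE };

struct ilo_regs {
    uint32_t general[NREGS];    /* non-sensitive; readable and writable via PCI   */
    uint32_t protected_[NREGS]; /* e.g. flash-enable controls; write-lockable     */
    uint32_t secure[NREGS];     /* config data, passwords; never exposed on PCI   */
    int      protected_locked;  /* set by iLO firmware; PCI side cannot clear it  */
    int      safe_mode;         /* Security Override jumper set                   */
};

/* Assumed return codes for PCI-side access. */
enum { PCI_OK = 0, PCI_ERR_NOT_EXPOSED = -1, PCI_ERR_LOCKED = -2 };

int pci_read(const struct ilo_regs *r, enum reg_class c, unsigned i, uint32_t *out)
{
    if (i >= NREGS) return PCI_ERR_NOT_EXPOSED;
    switch (c) {
    case REG_GENERAL:   *out = r->general[i];    return PCI_OK;
    case REG_PROTECTED: *out = r->protected_[i]; return PCI_OK; /* readable, not hidden */
    default:            return PCI_ERR_NOT_EXPOSED;  /* secure registers are not on the bus */
    }
}

int pci_write(struct ilo_regs *r, enum reg_class c, unsigned i, uint32_t v)
{
    if (i >= NREGS) return PCI_ERR_NOT_EXPOSED;
    switch (c) {
    case REG_GENERAL:
        r->general[i] = v;
        return PCI_OK;
    case REG_PROTECTED:
        if (r->protected_locked) return PCI_ERR_LOCKED;   /* locked after normal boot */
        r->protected_[i] = v;
        return PCI_OK;
    default:
        return PCI_ERR_NOT_EXPOSED;   /* no server application can write secure registers */
    }
}

/* The server has no PCI path to clear the lock: this always fails. */
int pci_unlock_protected(struct ilo_regs *r) { (void)r; return PCI_ERR_LOCKED; }

/* iLO-firmware-side boot, driven by the physical jumper, not reachable via PCI:
 * protected registers are locked on a normal boot and left unlocked in safe mode. */
void ilo_boot(struct ilo_regs *r, int jumper_set)
{
    r->safe_mode = jumper_set;
    r->protected_locked = !jumper_set;
}

int main(void)
{
    struct ilo_regs r = {0};
    ilo_boot(&r, 0);
    printf("normal boot: write protected -> %d, write secure -> %d, unlock -> %d\n",
           pci_write(&r, REG_PROTECTED, 0, 1), pci_write(&r, REG_SECURE, 0, 1),
           pci_unlock_protected(&r));
    ilo_boot(&r, 1);
    printf("safe mode:   write protected -> %d, write secure -> %d\n",
           pci_write(&r, REG_PROTECTED, 0, 1), pci_write(&r, REG_SECURE, 0, 1));
    return 0;
}
```

The asymmetry to notice is that safe mode reopens the protected registers but never the secure ones: even with the jumper set, the model offers no PCI read or write of configuration data or passwords.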
Non-volatile data storage
The server OS and applications running on the system PCI bus can only read the exposed areas of
NVRAM. These include the integrated management log and server configuration information. An
application on the PCI bus cannot change the iLO configuration by means of the exposed NVRAM.