White Paper

Improved security with iDRAC9 using Root of Trust and BIOS Live Scanning

Maintaining best in class security on Dell EMC PowerEdge servers running iDRAC9 4.10.10.10 and 4.40.20.00

Abstract

iDRAC9 4.10.10.10 (AMD platforms) and 4.40.20.00 (Intel platforms) provide an improved Root of Trust mechanism that helps reduce the risk of malware infiltration into sensitive server areas. For newer Intel and AMD platforms, additional BIOS live scanning checks ensure that no unauthorized changes occur.
Revisions

Date          Description
April 2020    Initial release
August 2021   Updated with Intel platforms

Acknowledgments

Authors:
• Aniruddha Herekar
• Arun Muthaiyan
• Doug Iler
• Murali Somarouthu
• Prashanth Giri

The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Executive summary

Security is critical to the operational success of any data center. Dell EMC is committed to continually improving its code to provide the most secure solution to its customers. The iDRAC9 4.10.10.10 (AMD platforms) and 4.40.20.00 (Intel platforms) firmware releases leverage hardware-based security technologies and check the BIOS for integrity. BIOS image scanning can also be initiated on a schedule or on demand.
1 Introduction

Today, even firmware flashed into read-only memory is susceptible to exploitation by hackers, who look for ways to modify or tamper with a system or expose it to malicious activity. While the UEFI Secure Boot mechanism is effective in providing host security, it cannot prevent an attack if the flashed firmware itself is compromised. A malicious hacker who has physical access to a system can tamper with the BIOS image.
2 Dell EMC Root of Trust and BIOS live scanning

2.1 Root of Trust

Dell EMC takes security seriously and has adopted Boot Guard technology on its new generation of PowerEdge servers to counter BIOS tampering. On the latest Dell EMC PowerEdge servers with iDRAC9, iDRAC first boots with chain-of-trust authentication and then verifies BIOS integrity. iDRAC also takes on the role of hardware-based security technologies.
3. Using the RACADM command:
   a. racadm recover BIOS.Setup.1-1

2.1.1 Platforms and iDRAC version support

Platforms, iDRAC versions, and feature support

Platforms                          iDRAC9 versions supported
R6525, C6525                       3.42.42.42 and above
R6525, C6525, and R7525            4.10.10.10 and above
Dell’s 15th Generation Intel       4.40.20.
Figure: BIOS live scanning options in iDRAC UI.

2.2.2 Scheduling a scan using the RACADM interface

Usage: racadm biosscan -s

#racadm help biosscan
Racadm biosscan -- Performs BIOS Live Scanning
Usage: racadm biosscan -s
  -s 0 - Never schedule.
https:///redfish/v1/Systems/System.Embedded.1/Bios/Actions/Oem/DellBios.RunBIOSLiveScanning

• POST operation to https:///redfish/v1/JobService/Jobs with a payload giving the schedule details in the body.
  i. To schedule scanning Now (immediately):
     { "Payload":{ "TargetUri": "/redfish/v1/Systems/System.Embedded.1/Bios/Actions/Oem/DellBios.
  ii.
  iii.
  iv.
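Submitting the scheduling POST described above from a script, as an added example that is not part of the white paper: it uses only the TargetUri and JobService URI shown on the page. The "Schedule" member and its InitialStartTime/RecurrenceInterval names follow the DMTF Redfish Schedule schema, and iDRAC accepting them for this job is an assumption, as are the host, user, password and cafile parameters.

```python
"""Schedule an iDRAC BIOS Live Scan through the Redfish JobService (added example)."""
import base64
import json
import re
import ssl
import urllib.request

# Action URI quoted in the white paper (Dell OEM action on the Bios resource).
SCAN_ACTION = ("/redfish/v1/Systems/System.Embedded.1/Bios/Actions/Oem/"
               "DellBios.RunBIOSLiveScanning")
JOBS_URI = "/redfish/v1/JobService/Jobs"
# Accepted recurrence forms: ISO 8601 durations such as P1D, P7D, P1W or PT12H.
_DURATION = re.compile(r"^(?:P\d+[DW]|PT\d+[HM])$")


def build_scan_job(recurrence=None, start_time=None):
    """Return the JSON body for POST /redfish/v1/JobService/Jobs.

    recurrence: ISO 8601 duration between scans; None means run the scan once.
    start_time: ISO 8601 timestamp for the first run; None means start now.
    Only Payload.TargetUri is shown in the paper; the Schedule member names are
    taken from the DMTF Redfish Schedule schema (assumption for iDRAC).
    """
    if recurrence is not None and not _DURATION.match(recurrence):
        raise ValueError("recurrence must be an ISO 8601 duration such as P1D")
    body = {"Payload": {"TargetUri": SCAN_ACTION}}
    schedule = {}
    if start_time:
        schedule["InitialStartTime"] = start_time
    if recurrence:
        schedule["RecurrenceInterval"] = recurrence
    if schedule:
        body["Schedule"] = schedule
    return body


def submit_scan_job(host, user, password, body, cafile=None):
    """POST the job body to https://<host>/redfish/v1/JobService/Jobs and return
    the job URI from the Location header. HTTP basic auth over TLS; pass the
    iDRAC CA bundle as cafile instead of disabling certificate verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}{JOBS_URI}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.headers.get("Location", "")
```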
iDRAC product manuals support site: www.dell.com/idracmanuals
iDRAC support site: www.dell.com/support/idrac

Note: Dell Technologies recommends updating the iDRAC firmware and other firmware, such as BIOS and network card firmware, to the latest versions. Updating the firmware provides the security benefits that are described in this white paper.
3 Conclusion

Maintaining the highest levels of server security is a given in the world today. As technology advances, malicious activity advances too, and poses a great challenge to system security. iDRAC9 4.10.10.10 and higher checks BIOS integrity and offers regular BIOS live scanning. iDRAC9 ensures that host BIOS booting is secure on select new PowerEdge Intel and AMD iDRAC9 systems.
A Troubleshooting

1. When a customer logs in to iDRAC, a SEL event is found stating that iDRAC has failed to verify the BIOS, but the host booted successfully.
   • This event is part of iDRAC hardware RoT: even after a failed BIOS image verification, iDRAC performs a recovery operation to restore a good BIOS image.
2. The host has booted to the operating system, but has no network access due to a timeout.
B Glossary

Component   Description
BIOS        Basic Input/Output System, also known as the System BIOS or ROM BIOS
FCH         Fusion Controller Hub
iDRAC       Integrated Dell Remote Access Controller
LED         Light Emitting Diode, a semiconductor light source that emits light when current flows through it
ME          Intel Management Engine
OS          Operating System
PCH         Platform Controller Hub; it controls certain data paths and support functions that are used with Intel CPUs
C Technical support and resources

Dell.com/support is focused on meeting customer needs with proven services and support. Storage technical documents and videos provide expertise that helps to ensure customer success on Dell Technologies storage platforms.

C.1 Related resources

Document Name (Document Link)                                 Document Description
https://github.com/corna/me_cleaner/wiki/Intel-Boot-Guard     Intel Boot Guard
https://edk2-docs.gitbooks.