Intel Optane DC Persistent Memory - Configuration and Setup White Paper
5TECHNICAL WHITE PAPER
CONTENTS & NAVIGATION
Unsupported usages
• Legacy Boot Mode is not supported; only UEFI Boot Mode is supported.
• System Boot from the DCPMM modules is not supported.
• Dual Mode (conguring both Storages and Memory Modes at the same time on a single system) is not supported.
DCPMM SECURITY
OVERVIEW
This section provides an overview of DCPMM security features. Details are available in Appendix E.
• DCPMM uses full-time hardware encryption, even in Memory Mode. The encryption algorithm is XTS-AES256,
a common choice for self-encrypting drives (SEDs). Encryption on each DCPMM uses an internal symmetric key
that cannot be read by the workstation.
°
In Memory Mode, a new key is created at every reset, and deleted at every power o, so that contents cannot
be retrieved across resets or power cycles, or by removing the memory modules. DCPMM passphrases
are not used in this mode.
°
In App Direct Mode and Storage Mode, the key is non-volatile and can be tied to a passphrase, so that
entering the passphrase instructs the DCPMM controller to unseal the key and unlock the DCPMM.
The passphrase is also stored on the DCPMM and is unique to the module. As shipped, the DCPMMs
do not have a passphrase set and on-device encryption is invisible to the rest of the computer (it applies
to data at rest only).
°
This single-passphrase model of DCPMM diers from traditional disk security (e.g. HP DriveLock) where distinct
user and admin passwords can be used. In order to make DCPMM security management consistent with other
storage devices, HP has added a new feature, “Transparent Unlock”, that lets both the user and admin unlock the
DCPMMs, using their respective BIOS passwords, without having to know any of the passphrases. The actual
DCPMM passphrases are generated by the workstation BIOS, set in the DCPMMs, and copies are stored
on the motherboard using a separate layer of encryption, managed by the TPM.
When an authorized user enters correct the BIOS power-on or admin password, the BIOS retrieves the
passphrase copies, decrypts them using the TPM, and sends them to the individual DCPMMs to unlock them.
This mechanism also avoids having to reuse identical passphrases across multiple DCPMMs.
°
Users can still enter per-DCPMM passphrases when Transparent Unlock is enabled, for instance when adding
new DCPMMs to an existing set.
°
Transparent Unlock requires:
– Secure Boot
– TPM 2.0
– The power-on BIOS password must be set (the administrator password may also be set)
• Migration
°
To simplify DCPMM migration between workstations, the BIOS includes a passphrase import/export feature,
that can save the passphrases to a text le on a USB stick. The le itself can be independently encrypted
using a user-supplied passphrase, so that theft or loss of the stick does not result in a security breach.
• Secure Erase
°
HP has also extended the BIOS Secure Erase feature to cover DCPMMs. Secure Erase rst erases the internal
encryption key on the DCPMM so that the contents cannot be decrypted, then erases the actual DCPMM
media contents for reuse. Secure Erase follows NIST SP 800-88 rev.1 and ISO-IEC 27040.
• DCPMM security settings can be managed like other BIOS settings, through the F10 Setup Menu interface, and
remotely using WMI tools including BiosCongUtility.exe for Windows, and hp-repsetup for Linux. (Some NVDIMM
management settings are only available through F10 Setup).
SYSTEM REQUIREMENTS
• Processor Support
°
Not all processors support DCPMM. See Z6 G4 and Z8 G4 QuickSpecs for list of processors that support
DCPMM.
°
Processor Memory Limits.
There are limits on the total amount of system memory capacity supported per processor.
– Memory Mode:
> For purpose of meeting the processor limitations, the system memory capacity is dened
1
Introduction
5
DCPMM Security
Overview
System Requirements
6
System Setup Overview
8
Appendices