A hardware-validated boot process from an immutable source.

Intel Boot Guard verifies the integrity of the Initial Boot Block, executed from the Management Engine (ME), a chipset-integrated co-processor.

The AMD Secure Processor is also a co-processor that validates BIOS firmware, executing before the main CPU cores are live.

The OEM generates a private 2048-bit verification key for the initial boot block that corresponds to a public key programmed into field programmable fuses during the manufacturing process. These fuses cannot be updated once written.

A custom boot loader certificate not signed by Microsoft may be used, and uploaded using the iDRAC API for authentication. The NSA recommends using this feature to mitigate Grub2 vulnerabilities.

Each update image includes a private key provided by a Certificate Authority that is verified against a public key as apart of Public Key Infrastructure.

A preventative intervention against drift or malicious execution. Restricts admin privileges to read-only access, while keeping operational power management, health monitoring, virtual console access, and hypervisor functions. The server workload uptime is unaffected.

The following are wiped or reset :

• Hardware Cache e.g. PERC NVCache
• vFlash SD Cards
• Self-Encrypting Drives (SED)
• Instant Secure Erase (ISE) Drives
• Non-Volatile Devices (NVDIMMS)
• BIOS
• iDRAC
• iDRAC Service Module
• Lifecycle Controller
• Embedded Diagnostics
• OS Driver Packs
• SupportAssist Collection Reports

To assure supply chain security, a factory-generated certificate details component IDs unique to the paired system that is encrypted and stored on iDRAC. The SCV application compares the certificate and system inventory, generating a report of valid and invalid components.

Secure iDRAC access with TLS 1.3 and 256-bit encryption from a choice of seven ciphers.

The cryptographic suite that underpins Cipher Select, including :

• AES 256
• Elliptic Curve Diffie-Hellman (ECDH)
• Elliptic Curve Digital Signature Algorithm (ECDSA)
• P-384 curve

Also known as Full Disk Encryption (FDE).

Includes Self-Encrypting drives (SED) and Instant Erase (ISE) drives.

Most major manufacturers make SEDs, and primarily to the Opal SSC (Security Subsystem Class) specification published by the Trusted Computing Group Storage Workgroup.

The encryption standard of choice is AES 128-bit or 256-bit.

In addition to self-encryption, an ISE drive will then destroy the associated cipher key.

A dedicated, external server manages storage-locking keys that can only be retrieved by authenticated iDRACs. Availability can be scaled and redundancy possible through clustering. The industry standard protocol, KMIP, is supported, allowing compatible devices to be integrated. In the event of server compromise, non-transferring drives are instantly protected.

With a Datacenter licence, SSL/TSL Certificates can be manually or automatically updated using the Simple Certificate Enrolment Protocol (SCEP) via a dedicated client.

A flexible alternative to simplified 2 Factor Authentication (2FA). The service provides MFA, Tokens, Risk-Based, OTP, and Passwordless means by which to authenticate a user.

A physical switch linked between enclosure and motherboard, logging an event if the enclosure has been opened, notifying the operator.

At host power on, the BIOS image in ROM is verified for authenticity and integrity.

Host machines are associated with and monitored against a compliance template described by operator criteria. Deviation from the baseline is logged, the machine tagged as non-compliant, and the operator notified.

Logs that may reside in a dedicated data store that can include events regarding hardware, firmware, software, and other details.

System Event Logs and SupportAssist Collections detail :

• System - Tag#, OS, Host Name, Timestamp
• Inventory - CPU, RAM, NIC, RAID Controller, Disks, PSU
• Firmware - BIOS, CPLD, iDRAC, NIC, RAID, Disks, PSU
• Virtual Disk Config - per drive
• System Board - BIOS, CPLD, Sockets, DIMM Slots, PCIe Slots, Part#, PPID
• Processors - Index, Model, Clock Rate, Cores, Threads, Cache Sizes, Features
• RAM - Index, Vendor, Model, Size, Clock Rate, Rank, Serial#, Manufacture Date

Logs normally relevant to either critical components or accounts and policies. Alerts ensure administrators and operators are aware and informed at first notice.

The Lifecycle Log details audits and policies.

In the event of BIOS corruption, a backup image can be loaded from iDRAC, either automatically initiated by BIOS, or by an operator via the RACADM CLI command.

Where a new version conflicts, corrupts, or otherwise renders a device partially or fully inoperable, the firmware can be reverted, or downgraded, to the previous version.

A clean OS image is stored on an internal SD Card, SATA device, M.2 Drive, or USB host that is disabled and hidden from the boot list and OS. In the event of corruption, the device can be enabled, revealed and loaded.