An explainer on the game-changing security feature inside every new PowerEdge server.
As part of the PowerEdge server team, we use the words Root of Trust frequently. It’s such an important concept rooted in the foundational security and protection of each PowerEdge server. And, it is a key component in our Cyber Resilient Architecture. But, do you understand what it means and how it works? I didn’t. So, I sought out experts here at Dell and researched it online. Here’s what I learned and how I would explain it to my friends who aren’t engineers.
What is Root of Trust?
Root of Trust is a concept that starts a chain of trust needed to ensure computers boot with legitimate code. If the first piece of code executed has been verified as legitimate, those credentials are trusted by the execution of each subsequent piece of code. If you are saying “Huh?” then let me describe the process using a physical-world scenario. Stay with me – it will be much easier to understand in a paragraph or two.
When you travel by plane in the United States, the first layer of security is the TSA checkpoint. Think of this as your Root of Trust. Once you get past TSA, the gate agent just needs your boarding pass because they trust that you have already been checked, scanned, and verified by TSA. And because you got onto the plane, the pilot and the flight attendants trust that the gate agent validated that you are supposed to be on the flight. This eliminates the need for the gate agent, pilots, or anyone else to check you out again. You are trusted because the TSA validated that you are trustworthy. They scanned your belongings to ensure that you aren’t carrying anything harmful. Then, the gate agent validated that you have a ticket. At the airport, there is a physical chain of trust.
Almost an identical process happens when a computer boots (or powers up). Before the first bit of code is run (BIOS), the code is checked by the virtual equivalent of the TSA (the chip) to ensure that it’s legitimate. The checks happen similarly to the TSA agent checking your passport to ensure you are who you say you are, and your credentials haven’t been forged or tampered with. Once the BIOS is validated, its code is run. Then, when it’s time for the OS code to run, it trusts the BIOS. Thus, a chain of trust.
How we ensure Root of Trust is trustworthy
If an attacker could replace the server’s BIOS with a corrupted version of the BIOS, they would have vast access, control, and visibility into almost everything happening on the server. This scenario would pose a massive threat. This type of compromise would be difficult to detect as the OS would trust that the system checked the BIOS. So, it’s important that the authenticity of the BIOS is fully verified before it is executed. The server has the responsibility to check the credentials of the BIOS to ensure it’s legitimate. How does this happen?
Let’s go back to the airport and continue the analogy. A hijacker may try to impersonate a legitimate person by using their passport. Or, the more sophisticated attackers may try to use a fake passport. The TSA has backend systems in place that help prevent this from happening. Plus, the TSA agents are well-trained and can spot tampering, fakes, and misuse of all types of identification.
On a server, the chip (silicon) acts to validate that the BIOS is legitimate by checking its passport (encrypted signature). This encrypted signature (a Dell EMC encryption key) is burned into silicon during the manufacturing process and cannot be changed – it’s immutable. This is the only way to make Root of Trust truly immutable – do it in hardware. We burn read-only encryption keys into PowerEdge servers at the factory. These keys cannot be changed or erased. When the server powers on, the hardware chip verifies the BIOS code is legitimate (from Dell EMC) using the immutable key burned into silicon in the factory.
Serious protection that’s built-in, not bolted on
Our servers are designed so that unauthorized BIOS and firmware code is not run. So, if the code is somehow replaced with malware, the server won’t run it. A failure to verify that the BIOS is legitimate results in a shutdown of the server and user notification in the log. The BIOS recovery process can then be initiated by the user. All new PowerEdge servers use an immutable, silicon-based Root of Trust to attest to the integrity of the code running. If the Root of Trust is validated successfully, the rest of the BIOS modules are validated by using a chain of trust procedure until control is handed off to the OS or hypervisor.
The Value of a Secure Server Infrastructure is a researched-based paper from IDC that expands on the topic of hardware security. And when you are ready for a more technical explanation of security, this white paper on the Cyber Resilient Security in PowerEdge servers is the perfect reference.