System Security
Use this window to control the security features of the system.
NOTE: The help page may include information about features and values that are not supported on your system. Server Administrator displays only the features and values that are supported on your system.
User Privileges
Selection | View | Manage |
---|---|---|
System Security | Administrator, Elevated Administrator (Linux only) | Administrator, Elevated Administrator (Linux only) |
NOTE: For more details on user privilege levels, see Privilege Levels In The Server Administrator GUI.
NOTE: Based on the available hardware, dependencies may exist between the various attributes for settings. For example, setting an attribute value may change the state of the dependent attributes to non-editable or editable, as the case may be. For instance, changing the Password Status setting to Locked does not allow you to configure the System Password.
NOTE: Based on the processor type of the system, the TPM and TCM options are available.
CPU AES-NI
Indicates the status of the Processor AES-NI feature. AES-NI improves the speed of applications by performing encryption and decryption using the Advanced Encryption Standard Instruction Set.
System Password
The System Password is the password entered that allows the system to boot to an operating system. Changes to the system password take effect immediately. The password is read-only if the password jumper (PWRD_EN) is not installed in the system.
NOTE: Upper case letters are valid on the PowerEdge servers.
Setup Password
The Setup Password is the password that is entered to change any BIOS settings. However, the system password can be changed without entering the correct setup password when Password Status is set to Unlocked. Changes to setup password take effect immediately. The password is read-only if the password jumper (PWRD_EN) is not installed in the system.
NOTE: Upper case letters are valid on the PowerEdge servers.
Password Status
Option | Description |
---|---|
Unlocked | When the option is set to Unlocked, the System Password can be changed without entering the Setup Password. It allows an administrator to maintain a setup password to protect against unauthorized BIOS Setup changes, while a user can freely change the system password. |
Locked | When the option is set to Locked, the Setup Password must be entered to change the System Password. To prevent the system password from being modified without providing the setup password, set this option to Locked and enable the Setup Password. |
NOTE: Instructions: To lock the system password, reboot the system and click Locked under the Password Status attribute.
TPM Information
Displays the type of Trusted Platform Module, if present.
Intel(R) AES-NI
Displays the status of Intel(R) Processor AES-NI feature.
TPM Security
Controls the reporting of the Trusted Platform Module (TPM) in the system.
Option | Description |
---|---|
Off (default) | Presence of the TPM is not reported to the operating system. |
On with Preboot Measurements | BIOS stores TCG-compliant measurements to the TPM during POST. |
On without Preboot Measurements | BIOS bypasses preboot measurements. |
NOTE: A system or setup password is recommended with this TPM Security setting.
TPM Firmware
Displays the TPM's firmware version.
TPM Hierarchy
It allows enabling, disabling, or clearing the storage and endorsement hierarchies. When the option is set to Enabled, the storage and endorsement hierarchies can be used; when set to Disabled, they cannot be used. When set to Clear, any values held in the storage and endorsement hierarchies are cleared.
TPM Activation
It allows the user to change the operational state of the Trusted Platform Module (TPM). This field is Read only when TPM Security is set to Off.
Option | Description |
---|---|
Activate | The TPM is enabled and activated. |
Deactivate | The TPM is disabled and deactivated. |
No Change | The operational state of the TPM remains unaltered. |
NOTE: This feature is not available for PowerEdge servers.
TPM Status
Displays the status of the TPM.
TPM Clear
CAUTION: Clearing the TPM causes the loss of all keys in the TPM. It could affect the booting of the operating system.
When set to Yes, all the contents of the TPM are cleared. This field is read-only when TPM Security is set to Off.
NOTE: This feature is not available for 13G Platforms or later.
TCM Security
Controls the reporting of the Trusted Cryptography Module (TCM) in the system.
Option | Description |
---|---|
Off (default) | Presence of the TCM is not reported to the operating system. |
On | Presence of the TCM is reported to the operating system. |
NOTE: This feature is not available for PowerEdge servers.
TCM Activation
TCM Activation allows the user to change the operational state of the Trusted Cryptography Module (TCM). This field is Read only when TCM Security is set to Off.
Option | Description |
---|---|
Activate | The TCM is enabled and activated. |
Deactivate | The TCM is disabled and deactivated. |
No Change | The operational state of the TCM remains unaltered. |
NOTE: This feature is not available for 13G Platforms or later.
TCM Clear
CAUTION: Clearing the TCM causes the loss of all keys in the TCM. This could affect the booting of the operating system.
When set to Yes, all the contents of the TCM are cleared. This field is read-only when TCM Security is set to Off.
NOTE: This feature is not available for 13G Platforms or later.
TPM Command
It allows the user to control the Trusted Platform Module (TPM). This field is Read only when TPM Security is set to Off. The action requires an additional reboot before it can take effect.
Option | Description |
---|---|
Activate | The TPM is enabled and activated. |
Deactivate | The TPM is disabled and deactivated. |
None | No command is sent to the TPM. |
Clear | All the contents of the TPM are cleared. |
CAUTION: Clearing the TPM causes the loss of all keys in the TPM. It could affect booting to the operating system.
NOTE: This feature is not available for PowerEdge servers.
Intel(R) TXT
It enables or disables Trusted Execution Technology. To enable Intel TXT, Virtualization Technology must be Enabled, TPM Security must be set to On with preboot measurements, and TPM Status must be Enabled, Activated. When TPM2 is used, the hash algorithm must be set to SHA256.
TME Encryption Bypass
It allows Intel Total Memory Encryption (TME) to be bypassed.
Memory Encryption
It enables or disables the Intel Total Memory Encryption and MultiTenant (Intel TME-MT).
Option | Description |
---|---|
Multiple Keys | BIOS enables the TME-MT technology. |
Single Key | BIOS enables the TME technology. |
Disable | BIOS disables both TME and TME-MT technology. |
Intel(R) SGX
It enables or disables the Intel Software Guard Extension (SGX) Technology. To enable Intel SGX, the following platform requirements must be met:
- The CPU must be SGX capable.
- SGX supports the RDIMM memory configuration only.
- SGX supports ECC DIMMs only.
- Memory population must be compatible (minimum configuration: 8 identical DIMMs, DIMM1 to DIMM8, per CPU socket; the DIMM number may vary per platform design).
- SGX supports only the same type of memory configuration across all CPUs.
- SGX supports only the same interleaving mode across all CPUs.
- The Memory Settings > Node Interleaving option must be Disabled.
- The Memory Settings > Memory Operating Mode option must be Optimizer Mode.
- The System Security > Memory Encryption option must be Enabled when TME Bypass for SGX is not supported.
Option | Description |
---|---|
Off | BIOS disables the SGX technology. |
On | BIOS enables the SGX technology. |
Software (if available) | It allows the application to enable the SGX technology. |
AC Power Recovery
It specifies how the system will react after AC power has been restored to the system. It is especially useful when systems are turned off with a power strip.
Option | Description |
---|---|
Last | The system turns on if the system was on when AC was lost. The system remains off if the system was off when AC was lost. |
On | The system turns on after AC is restored. |
Off | The system stays off after AC is restored. |
AC Power Recovery Delay
It specifies how the system will support the staggering of power-up after AC power has been restored to the system.
Option | Description |
---|---|
Immediate | There is no delay for power-up. |
Random | The system creates a random delay for power-up. |
User Defined | The system delays power-up by the amount set in User-Defined Delay. The supported user-defined power-up delay range is from 60 s to 600 s. |
User-Defined Delay (60 s to 600 s)
It controls the duration for which the power-on process is delayed after the AC power supply is restored. The value is only effective if AC Power Recovery Delay is set to User Defined. The valid range is 60 s to 600 s.
UEFI Variable Access
UEFI variable access provides varying degrees of protection for UEFI variables.
Option | Description |
---|---|
Standard (default) | The UEFI variables are accessible in the operating system as per the UEFI specification. |
Controlled | The UEFI variables are protected in the operating system environment and new UEFI boot entries are forced to be at the end of the current boot order. |
In-Band Manageability Interface
When the option is set to Disabled, this setting hides the Management Engine's (ME) HECI devices and the system's IPMI devices from the operating system. This prevents the operating system from changing the ME power capping settings, and blocks access to all in-band management tools. All management must then be performed out-of-band.
NOTE: BIOS update requires HECI devices to be operational, and DUP updates require the IPMI interface to be operational. This setting must be set to Enabled to avoid update errors.
SMM Security Mitigation
The option enables or disables additional UEFI SMM Security Mitigation protections. This option is available only in UEFI boot mode. The operating system can use this feature to help protect the secure environment that is created by virtualization-based security. Enabling this feature provides additional UEFI SMM Security Mitigation protections. However, this feature may cause compatibility issues or loss of functionality with some legacy tools or applications.
Secure Boot
It allows enabling of Secure Boot, where the BIOS authenticates each component that is executed during the boot process using the certificates in the Secure Boot Policy. The following components are validated in the boot process:
- UEFI drivers that are loaded from PCIe cards.
- UEFI drivers and executables from mass storage devices
- Operating system boot loaders
NOTE: Secure Boot is not available unless the Boot Mode (in the Boot Settings menu) is set to UEFI.
NOTE: Secure Boot is not available unless the Load Legacy Video Option ROM setting (in the Miscellaneous Settings menu) is Disabled.
NOTE: Create a setup password if you enable Secure Boot.
When the Secure Boot feature is enabled in the System BIOS Settings page, the feature cannot be disabled from the Server Administrator UI or CLI. To disable the Secure Boot feature, do the following:
- During the system reboot, press F2 to enter BIOS Setup utility.
- On the System Security tab, click Disable under the Secure Boot feature.
Secure Boot Mode
It configures how the BIOS uses the Secure Boot Policy Objects (PK, KEK, db, dbx). In Setup Mode and Audit Mode, PK is not present, and BIOS does not authenticate programmatic updates to the policy objects. In User Mode and Deployed Mode, PK is present, and BIOS performs signature verification on programmatic attempts to update policy objects. Deployed Mode is the most secure mode. Use Setup, Audit, or User Mode, when provisioning the system, and then use Deployed Mode for normal operation. Available mode transitions depend on the current mode and PK presence.
Audit Mode is useful for programmatically determining a working set of policy objects. In Audit Mode, the BIOS performs signature verification on preboot images and logs the results in the Image Execution Information Table, but executes the images whether they pass or fail verification. For more information about transitions between the four modes, see the Secure Boot Modes in the UEFI specification.
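The four modes above are exposed by the firmware through the UEFI global variables SetupMode, AuditMode, DeployedMode and SecureBoot (vendor GUID EFI_GLOBAL_VARIABLE, `8be4df61-93ca-11d2-aa0d-00e098032b8c`), which Linux presents as files under `/sys/firmware/efi/efivars`. The following script is an added example, not Server Administrator code: it parses those efivarfs files (a 4-byte attribute bitmask followed by the variable data) and derives which of the four modes the system is in, so an operator can confirm from the OS that a provisioned server was left in Deployed Mode. The byte strings at the bottom are constructed samples so the script also runs where efivarfs is not available.

```python
"""Derive the Secure Boot mode (Setup, Audit, User or Deployed) from UEFI variables.

Added example, not part of Server Administrator. Variable names, the vendor GUID
and the mode rules follow the UEFI specification; the sample data is constructed.
"""
import struct
from pathlib import Path
from typing import Dict, Mapping, Optional, Tuple

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")
MODE_VARIABLES = ("SecureBoot", "SetupMode", "AuditMode", "DeployedMode")
EFI_VARIABLE_NON_VOLATILE = 0x1  # attribute bit; the mode variables are defined as volatile


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file into (attribute bitmask, variable data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs file shorter than the 4-byte attribute header")
    (attributes,) = struct.unpack_from("<I", raw, 0)
    return attributes, raw[4:]


def read_efivars(directory: Path = EFIVARS_DIR) -> Dict[str, Optional[bytes]]:
    """Read the raw efivarfs files for the four mode variables (None when absent)."""
    result: Dict[str, Optional[bytes]] = {}
    for name in MODE_VARIABLES:
        path = directory / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"
        result[name] = path.read_bytes() if path.exists() else None
    return result


def assess(raw_vars: Mapping[str, Optional[bytes]]) -> dict:
    """Return the Secure Boot mode, whether enforcement is on, and any anomalies seen."""
    flags: Dict[str, Optional[int]] = {}
    warnings = []
    for name in MODE_VARIABLES:
        raw = raw_vars.get(name)
        if raw is None:
            flags[name] = None  # firmware predating AuditMode/DeployedMode may omit them
            continue
        attributes, data = parse_efivar(raw)
        if len(data) != 1:
            raise ValueError(f"{name}: expected 1 data byte, got {len(data)}")
        if attributes & EFI_VARIABLE_NON_VOLATILE:
            warnings.append(f"{name} is marked non-volatile; the specification defines it as volatile")
        flags[name] = data[0]

    setup = flags["SetupMode"]
    if setup is None:
        mode = "Unknown"
    elif setup == 1:
        # PK absent: Setup Mode, or Audit Mode if AuditMode is set
        mode = "Audit Mode" if flags["AuditMode"] == 1 else "Setup Mode"
    else:
        # PK present: User Mode, or Deployed Mode if DeployedMode is set
        mode = "Deployed Mode" if flags["DeployedMode"] == 1 else "User Mode"

    enforcing = flags["SecureBoot"] == 1
    if enforcing and mode in ("Setup Mode", "Audit Mode"):
        warnings.append("SecureBoot reports enforcement while no PK is enrolled")
    return {"mode": mode, "secure_boot_enforcing": enforcing, "warnings": warnings}


# Constructed samples: attributes BOOTSERVICE_ACCESS | RUNTIME_ACCESS (0x6), one data byte.
_BS_RT = (0x2 | 0x4).to_bytes(4, "little")
SAMPLE_DEPLOYED = {"SecureBoot": _BS_RT + b"\x01", "SetupMode": _BS_RT + b"\x00",
                   "AuditMode": _BS_RT + b"\x00", "DeployedMode": _BS_RT + b"\x01"}
SAMPLE_SETUP = {"SecureBoot": _BS_RT + b"\x00", "SetupMode": _BS_RT + b"\x01",
                "AuditMode": _BS_RT + b"\x00", "DeployedMode": _BS_RT + b"\x00"}

if __name__ == "__main__":
    source = read_efivars() if EFIVARS_DIR.is_dir() else SAMPLE_DEPLOYED
    print(assess(source))
```

Run it as root on the managed server (efivarfs files are readable only by privileged users on most distributions); the expected steady-state result on a provisioned system is `Deployed Mode` with `secure_boot_enforcing` true and no warnings.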
Secure Boot Policy
It sets the Secure Boot Policy.
Option | Description |
---|---|
Standard | When the option is set to Standard, the BIOS uses the key and certificates from the system manufacturer to authenticate preboot images. |
Custom | When the option is set to Custom, the BIOS uses the user-customized key and certificates. |
Authorize Device Firmware
When the option is set to Enabled, this field adds the SHA-256 hash of each third-party device firmware to the Secure Boot Authorized Signature Database. After the hashes are added, the field automatically reverts to Disabled.
NOTE: This field is read-only unless Secure Boot is Enabled and Secure Boot Policy is Custom. This field is available only in secure system management consoles.
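The hashes that Authorize Device Firmware adds are stored in the Authorized Signature Database (db) as EFI_SIGNATURE_LIST structures whose signature type is EFI_CERT_SHA256_GUID. The following script is an added example, not Server Administrator code: it parses a db blob according to the UEFI EFI_SIGNATURE_LIST layout and checks whether a given firmware image's SHA-256 hash is present, which lets an administrator verify after the field reverts to Disabled that the expected option ROM was actually authorized (or audit what the db contains). The firmware bytes and the db blob are constructed for the demonstration; `build_sha256_list` exists only to build that sample.

```python
"""Check whether a firmware image's SHA-256 hash is authorized by a Secure Boot db.

Added example, not part of Server Administrator. Structure layout and GUIDs follow the
UEFI specification; the firmware image and db below are constructed samples.
"""
import hashlib
import struct
import uuid
from typing import Iterable, Iterator, Set, Tuple

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian)
_LIST_HEADER = struct.Struct("<16sIII")
_OWNER_GUID_LEN = 16


def parse_signature_lists(blob: bytes) -> Iterator[Tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Yield (signature_type, owner_guid, signature_data) for every entry in db/dbx data.

    If the blob was read from efivarfs, strip its 4-byte attribute prefix first.
    """
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < _LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, header_size, sig_size = _LIST_HEADER.unpack_from(blob, offset)
        if list_size < _LIST_HEADER.size + header_size or offset + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        if sig_size < _OWNER_GUID_LEN:
            raise ValueError("SignatureSize smaller than the owner GUID")
        sig_type = uuid.UUID(bytes_le=type_raw)
        sigs_start = offset + _LIST_HEADER.size + header_size
        sigs_end = offset + list_size
        if (sigs_end - sigs_start) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for pos in range(sigs_start, sigs_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + _OWNER_GUID_LEN])
            yield sig_type, owner, blob[pos + _OWNER_GUID_LEN:pos + sig_size]
        offset = sigs_end


def authorized_hashes(db_blob: bytes) -> Set[bytes]:
    """Collect the SHA-256 entries; X.509 certificate entries are skipped here."""
    return {data for sig_type, _owner, data in parse_signature_lists(db_blob)
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32}


def firmware_authorized(firmware: bytes, db_blob: bytes) -> bool:
    """True when the image's SHA-256 hash is listed in db (image-hash entries only)."""
    return hashlib.sha256(firmware).digest() in authorized_hashes(db_blob)


def build_sha256_list(hashes: Iterable[bytes], owner: uuid.UUID) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used only to construct the sample)."""
    sigs = b"".join(owner.bytes_le + h for h in hashes)
    sig_size = _OWNER_GUID_LEN + 32
    return _LIST_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                             _LIST_HEADER.size + len(sigs), 0, sig_size) + sigs


# Constructed samples: two stand-in "option ROM images" and a db listing only the first.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder owner GUID
FIRMWARE_AUTHORIZED = b"constructed option ROM image A"
FIRMWARE_OTHER = b"constructed option ROM image B"
SAMPLE_DB = build_sha256_list([hashlib.sha256(FIRMWARE_AUTHORIZED).digest()], SAMPLE_OWNER)

if __name__ == "__main__":
    for sig_type, owner, data in parse_signature_lists(SAMPLE_DB):
        print(sig_type, owner, data.hex())
    print(firmware_authorized(FIRMWARE_AUTHORIZED, SAMPLE_DB))  # True
    print(firmware_authorized(FIRMWARE_OTHER, SAMPLE_DB))       # False
```

On a live system the db contents come from the efivarfs file `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` (EFI_IMAGE_SECURITY_DATABASE_GUID), with the first four bytes being attributes rather than signature data; the parser is strict about size fields so a truncated or malformed list raises instead of being silently skipped.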
BIOS Update Control
It allows or prevents the BIOS update using DOS or UEFI shell-based flash utilities. For environments not requiring local BIOS updates, it is recommended to set this field to Disabled.
NOTE: The BIOS updates using Update Package are not affected by this setup option.
|
Option | Description |
---|---|
Unlocked | It allows all BIOS updates. |
Limited | It prevents local BIOS updates from DOS or UEFI shell-based flash utilities, or from the Lifecycle Controller User Interface. |