White Papers
New Security Features in the Integrated Dell Remote Access Controller 7
The build process: signing the firmware
iDRAC7 firmware signing and verification use industry standard cryptographic hashing and
private/public key encryption technologies. The iDRAC7 firmware contains the public (verification) key.
The engineering team that designs and builds the iDRAC7 includes a group known as PG Release
Engineering (PGRE). The PGRE team, while small, supports a wide variety of engineering activities. In
particular, the team supports a single-purpose signing server. The signing server accepts unsigned
firmware images, signs them with the private (signing) key, and returns the signed image. During this
process, the private key never leaves the signing server. Because the signing server is maintained by a
small group, the private key is only accessible to a handful of trusted individuals.
In addition to the actual iDRAC7 firmware, a number of other binary images that the iDRAC7 Lifecycle
Controller technology manages are also signed. These other signed components are the driver pack
(used during OS deployments), embedded diagnostics, and the iDRAC7 user interface that is accessible
during boot (formerly known as the Unified Server Configurator).
Field update: verifying the firmware signature
As part of applying a field update of iDRAC7, the existing firmware performs the cryptographic inverse
of the signing operation, using the public key that is built into the existing firmware’s image. If the
signature verification fails, the update process is aborted.
Firmware downgrades
The firmware signing scheme allows firmware downgrades as long as the downgraded version is signed
with the same key that the existing firmware verifies against. In the unlikely event of a
compromised private key (see the following section), firmware downgrades are not allowed.
At Dell, we realize that allowing firmware downgrades can be viewed as a security weakness. We have
deliberately chosen to allow downgrades in order to maintain ease-of-use and supportability. If the
threat landscape or customer demands require it, we may change this behavior in a future version.
In the unlikely event of a compromised private key
iDRAC7’s signing scheme allows a new firmware signing key to be introduced if the existing key is
compromised. A new signing key is introduced by creating a version of iDRAC7 that:
• Has the new signing key built into the image, and
• Is signed by the existing key
Because the new firmware is signed with the existing key, existing systems will determine that it is
authentic; once installed, it will only accept firmware versions that are signed with the new key.
Built-in unique Hidden Root Key
Each iDRAC7 contains a unique binary value “burned” into the silicon. This 256-bit unique value cannot
be read by the iDRAC7 firmware or any other software component. iDRAC7 also contains several
cryptographic acceleration engines, one of which is a 128/256 bit AES engine. (The other cryptographic
engines are: ECC 160/256, RSA 1024/2048, DES/TDES, random number generator, SHA1 and SHA-256.)
The iDRAC7 firmware can program the AES 256 engine to use this unique value for