White Papers

Figure 1: AMD EPYC Secure Boot Process
An AMD ‘Secure Processor’ loads an on-chip Boot ROM, which includes a signing key (a key that is embedded
in the AMD Secure Processor).
The Boot ROM then loads and authenticates, via the signing key, an off-chip ‘OS Boot Loader’.
This OS Boot Loader then authenticates the BIOS before the x86 cores start executing the BIOS code.
Once the BIOS is authenticated, the OS Boot Loader loads the OS or Hypervisor.
The OS Boot Loader also authenticates/loads code for the AMD Secure Processor to perform secure key management.
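The chain of trust described above can be modelled to show its fail-closed behaviour: a stage that fails authentication halts the boot before anything later runs. This is an added illustration, not AMD or Dell code. HMAC-SHA256 with a constructed key stands in for the signature check (a real implementation would use an asymmetric signature), and the image contents, function names and the position of the key-management step are assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the signing key embedded in the AMD Secure Processor.
ROM_KEY = b"constructed-demo-key"

class BootHalt(Exception):
    """Raised when a stage fails authentication; the boot stops here."""

def sign(image, key=ROM_KEY):
    # HMAC-SHA256 is a swapped-in stand-in for the real signature scheme.
    return hmac.new(key, image, hashlib.sha256).digest()

def build_flash():
    # Constructed off-chip images, each stored with its signature.
    images = {"os_boot_loader": b"loader v1", "bios": b"bios v1",
              "sp_key_mgmt": b"key mgmt v1"}
    return {name: (img, sign(img)) for name, img in images.items()}

def tamper(flash, stage):
    # Model an altered image: contents change, stored signature does not.
    image, sig = flash[stage]
    return {**flash, stage: (image + b"\x90", sig)}

def authenticate(flash, stage):
    image, sig = flash[stage]
    if not hmac.compare_digest(sign(image), sig):
        raise BootHalt(stage)

def secure_boot(flash):
    """Return the ordered boot log; a failed check ends it with a HALT entry."""
    log = []
    try:
        authenticate(flash, "os_boot_loader")
        log.append("boot ROM authenticated os_boot_loader")
        authenticate(flash, "bios")
        log.append("os_boot_loader authenticated bios")
        # Assumption: the page does not say where this step falls in the order.
        authenticate(flash, "sp_key_mgmt")
        log.append("os_boot_loader authenticated sp_key_mgmt")
        log.append("x86 cores start executing bios")
        log.append("os_boot_loader loaded OS/hypervisor")
    except BootHalt as halted:
        log.append(f"HALT: {halted} failed authentication")
    return log

if __name__ == "__main__":
    for entry in secure_boot(tamper(build_flash(), "bios")):
        print(entry)
```

Running it with a tampered BIOS image shows the log stopping at the HALT entry with no x86 execution recorded.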
Leveraging capabilities of the AMD EPYC processor, the PowerEdge R6415, R7415 and R7425 servers also ensure
that “data at work” (data that is in main system memory) stays safe via AMD’s ‘Secure Memory Encryption’ or SME. As with
Secure Boot, the AMD Secure Processor enables this, here by generating a single key that is used to encrypt everything in
system memory. An added benefit is that this can be enabled with no changes to applications or the OS/hypervisor.
In-depth technical explanations of the above can be found in the Direct from Development tech note, ‘AMD CPU
Security Features in PowerEdge Servers.’
Conclusion
There are many security aspects to address when implementing a VDI environment. While it may seem sufficient to
implement end-point and/or software-based security solutions, security concerns associated with the underlying
hardware must also be addressed. The Dell PowerEdge R6415, R7415, and R7425 servers, based on AMD EPYC
processors, provide Secure Boot and Secure Operation security capabilities that prevent accidental or malicious
alteration or corruption of BIOS, firmware and data in memory. In doing so, these features implement security at the
hardware level, and should be seriously considered for implementation in servers that support VDI environments.
© 2018 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries