User's Guide
Table Of Contents
- Dell Update Packages User's Guide
- Getting Started
- What’s new in this release
- DUP event viewer
- Zip pack elimination
- Slot information for hard drive
- Dependency
- Supported Operating Systems
- Prerequisites
- Prerequisites And Features For Systems Running Linux
- Prerequisites and Features for Systems Running Windows
- Downloading DUPs
- Downloading DUPs through Repository Manager
- Installing Device Drivers
- Installation Order of DUPs
- Best practices for using DUPs
- Other Documents You May Need
- Contacting Dell
- Using Dell Update Packages
- Update and Rollback in Lifecycle Controller Enabled Server
- Command Line Interface Reference
- Linux Troubleshooting
- Known Issues
- Diagnostic Tasks Will Not Run While a DUP Reboot is Pending
- Abnormal Termination of a DUP
- Error While Loading Shared Libraries
- Insufficient Free Physical Memory to Load the BIOS Image
- Kernel Panic While Running Storage Controller Firmware Update Packages
- Loss of Functionality While Renaming Linux DUPs
- DUPs Fail on 64-bit Red Hat Enterprise Linux Operating System
- DUP Update of Firmware Might Fail While Running in the UEFI Mode
- Messages
- DUP Message Logs
- Known Issues
- Troubleshooting for Systems Running Windows
- Trusted Platform Module and BitLocker Support
- Microsoft Windows Server 2008 User Account Control
- Frequently Asked Questions
Trusted Platform Module and BitLocker Support
A Trusted Platform Module (TPM) is a secure microcontroller with cryptographic capabilities designed to provide basic security-related
functions involving encryption keys. It is installed on the motherboard of the system, and communicates with the rest of the system using
a hardware bus. You can establish ownership of the system and its TPM using the BIOS setup commands.
TPM stores the platform configuration as a set of values in a set of Platform Configuration Registers (PCRs). Thus one such register may
store, for example, the motherboard manufacturer; another, the processor manufacturer; a third, the firmware version for the platform,
and so on. Systems that incorporate a TPM create a key that is tied to platform measurements. The key can only be unwrapped when
those platform measurements have the same values that they had when the key was created. This process is called sealing the key to the
TPM. Decrypting is called unsealing. When a sealed key is first created, the TPM records a snapshot of configuration values and file
hashes. A sealed key is only unsealed or released when those current system values match the ones in the snapshot. BitLocker uses
sealed keys to detect attacks against the integrity of the system. Data is locked until specific hardware or software conditions are met.
BitLocker mitigates unauthorized data access by combining two major data-protection procedures:
• Encrypting the entire Windows operating system volume on the hard disk: BitLocker encrypts all user files and system files in
the operating system volume.
• Checking the integrity of early boot components and the boot configuration data: On systems that have a TPM version 1.2,
BitLocker leverages the enhanced security capabilities of the TPM and ensures that the data is accessible only if the boot components
of the system are unaltered and the encrypted disk is located in the original system.
BitLocker is designed for systems that have a compatible TPM microchip and BIOS. A compatible TPM is defined as a version 1.2 TPM. A
compatible BIOS supports the TPM and the Static Root of Trust for Measurement. BitLocker seals the master encryption key in the TPM and
only allows the key to be released when code measurements have not changed from a previous secure boot. It forces you to provide a
recovery key to continue boot if any measurements have changed. A one-to-many BIOS update scenario results in BitLocker halting the
update and requesting a recovery key before completing boot.
BitLocker protects the data stored on a system through full volume encryption and secure startup. It ensures that data stored on a
system remains encrypted even if the system is tampered with when the operating system is not running and prevents the operating
system from booting and decrypting the drive until you present the BitLocker key.
TPM interacts with BitLocker to provide protection at system startup. TPM must be enabled and activated before it can be used by
BitLocker. If the startup information has changed, BitLocker enters recovery mode, and you need a recovery password to regain access to
the data.
NOTE: For information on how to turn on BitLocker, see the Microsoft TechNet website. For instructions on how to
activate the TPM, see the documentation included with the system. A TPM is not required for BitLocker; however, only a
system with a TPM can provide the additional security of startup system integrity verification. Without a TPM, BitLocker
can be used to encrypt volumes but not to provide a secure startup.
NOTE: The most secure way to configure BitLocker is on a system with a TPM version 1.2 and a Trusted Computing
Group (TCG) compliant BIOS implementation, with either a startup key or a PIN. These methods provide additional
authentication by requiring either an additional physical key (a USB flash drive with a system-readable key written to it)
or a PIN set by the user.
NOTE: For mass BIOS updates, create a script that disables BitLocker, installs the update, reboots the system and then
re-enables BitLocker. For one-to-one Dell Update Package (DUP) deployments, manually disable BitLocker and then
re-enable it after rebooting the system.
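One way to script the disable, update, reboot, re-enable sequence from the note above, as an added example that is not Dell's own tooling: it uses manage-bde.exe to suspend and resume the protectors on the OS volume, runs the DUP silently, and re-enables protection on the following boot. The staging paths, the DUP file name and the RunOnce value name are placeholders, and the DUP exit codes 0 (success) and 2 (reboot required) are assumed from the guide's Command Line Interface Reference.

```powershell
# Added example, not from the Dell guide: suspend BitLocker protectors on the OS
# volume, run a BIOS DUP silently, reboot, and re-enable protectors on the next
# boot so the changed BIOS measurements never trigger a recovery-key prompt.
# Uses manage-bde.exe (built into Windows Server 2008 and later). DUP file name,
# paths and the RunOnce value name are placeholders; DUP exit codes 0 (success)
# and 2 (reboot required) are assumed from the guide's CLI reference.
$Volume  = 'C:'
$DupPath = 'C:\Staging\BIOS_PLACEHOLDER.EXE'
$LogPath = 'C:\Staging\bios-dup.log'
$Marker  = 'C:\Staging\bitlocker-resume.pending'
$RunOnce = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-ProtectionStatus {
    # Parses "Protection Status: Protection On|Off" from manage-bde -status.
    $out = & manage-bde.exe -status $Volume | Out-String
    if ($out -match 'Protection Status:\s+Protection (On|Off)') { return $Matches[1] }
    throw "Cannot read BitLocker status for $Volume"
}

if (Test-Path $Marker) {
    # Second pass, after the reboot: the new BIOS is now measured into the PCRs,
    # so re-enabling protectors re-seals the volume key to the updated state.
    & manage-bde.exe -protectors -enable $Volume | Out-Null
    Remove-Item $Marker -Force
    if ((Get-ProtectionStatus) -ne 'On') { throw 'BitLocker did not resume' }
    return
}

if ((Get-ProtectionStatus) -ne 'On') { throw "BitLocker is not On for $Volume" }

# "Disable" in the guide's sense: the volume stays encrypted but the key is
# stored in the clear until protectors are re-enabled. Record that state and
# schedule this script to run once more after the reboot.
& manage-bde.exe -protectors -disable $Volume | Out-Null
New-Item -ItemType File -Path $Marker -Force | Out-Null
$self = $MyInvocation.MyCommand.Path
Set-ItemProperty -Path $RunOnce -Name 'ResumeBitLocker' `
    -Value "powershell.exe -ExecutionPolicy Bypass -File `"$self`""

# /s = silent, /l= = log file (Windows DUP command-line options).
$dup = Start-Process -FilePath $DupPath -ArgumentList "/s /l=`"$LogPath`"" -Wait -PassThru
if (@(0, 2) -notcontains $dup.ExitCode) {
    # Update failed: re-enable protectors now rather than leave the key exposed.
    & manage-bde.exe -protectors -enable $Volume | Out-Null
    Remove-Item $Marker -Force
    Remove-ItemProperty -Path $RunOnce -Name 'ResumeBitLocker'
    throw "DUP exited with code $($dup.ExitCode); see $LogPath"
}
Restart-Computer -Force
```

The marker file and the failure branch matter as much as the happy path: a host whose protectors stay suspended after a failed or interrupted update is silently left with its volume key unprotected.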
NOTE: In addition to BIOS DUP, execution of firmware DUP for U320, Serial Attached SCSI (SAS) 5, SAS 6, Expandable
RAID Controller (PERC) 5, PERC 6, and Cost Effective RAID Controller (CERC) 6 controllers is blocked on a system
having a TPM version 1.2 chip, TPM Security set at ON with pre-boot measurement, and TPM Activation set at Enabled
if you enable BitLocker (TPM or TPM with USB or TPM with PIN).