Specifications
QSSC-S4R Technical Product Specification BIOS Role in Server Management
231
20.6 Security
20.6.1 BIOS Setup Password Protection
The BIOS uses passwords to prevent unauthorized tampering with the server setup. Passwords can restrict entry to
the BIOS Setup, restrict use of the Boot Popup menu, and suppress automatic USB device reordering.
Both User and Administrator passwords are supported by the BIOS. An Administrator password must be entered in
order to set the User password. The maximum length of a password is seven characters. A password can only have
alphanumeric (a-z, A-Z, 0-9) characters and it is case sensitive.
Once set, a password can be cleared by changing it to a null string. This requires the Administrator password.
Alternatively, the passwords can be cleared using a jumper if necessary (see Section 20.6.2 for more details).
Entering the User password allows the user to modify only the time, date, and User password. Other setup fields can
be modified only if the Administrator password is entered. If only one password is set, this password is required to
enter the BIOS setup.
The Administrator has control over all fields in the BIOS setup, including the ability to clear the user password.
In addition to restricting access to most Setup fields to viewing only when a User password is entered, defining a User
password imposes restrictions on booting the system. In order to simply boot in the defined boot order, no password is
required. However, the F6 Boot popup menu (see Section 17.1.1 for details) prompts for a password, and can only be
used with the Administrator password. Also, when a User password is defined, it suppresses the USB Reordering (see
Section 19.1.2 for details) that occurs, if enabled, when a new USB boot device is attached to the system. A User is
restricted from booting in anything other than the Boot Order defined in the Setup by an Administrator.
As a security measure, if a User or Administrator enters an incorrect password three times in a row during the boot
sequence, the system is placed into a halt state. A system reset is required to exit out of the halt state. This feature
makes it more difficult to guess or break a password.
In addition, on the next successful reboot, the Error Manager displays a Major Error code 0048, which also logs a SEL
event to alert the authorized user or administrator that a password access failure has occurred.
20.6.2 Password Clear Jumper
If the user and/or administrator password is lost or forgotten, both passwords may be cleared by moving the Password
Clear jumper into the clear position. The BIOS determines if the Password Clear jumper is in the clear position during
BIOS POST and clears any passwords if required. The Password Clear jumper must be restored to its original position
for the new password to stay set.
20.6.3 Trusted Platform Module (TPM) Security
Trusted Platform Module (TPM) is a hardware-based security device that addresses the growing concern on boot
process integrity and offers better data protection. TPM protects the system startup process by ensuring that it is
tamper-free before releasing system control to the OS. A TPM device provides secured storage to store data essential
to system integrity, such as security keys and passwords. In addition, a TPM device has encryption and hash functions.
IntelĀ® 7500 Chipset implements TPM as per TPM PC Client specifications, Revision 1.2 developed by the Trusted
Computing Group (TCG).
A TPM device is affixed to the server board of the server and is secured from external software attacks and physical
theft. A pre-boot environment, such as the BIOS and OS loader can use the TPM to collect and store unique
measurements from multiple factors within the boot process to create a system fingerprint. This unique fingerprint
remains the same unless the pre- boot environment is tampered with. Therefore, it is used to compare to future
measurements to verify the integrity of the booting process.
After the BIOS completes the measurement of its boot process, it hands off control to the OS loader and in turn to the
OS. If the OS is TPM enabled, it compares the BIOS TPM measurements to those of previous boots to make sure that
the system has not been tampered with before continuing the OS boot process. Once the OS is in operation, it
optionally uses TPM to provide additional system and data security (for example, Microsoft Vista* supports BitLocker*
drive encryption).
20.6.3.1 TPM Security BIOS
The BIOS TPM support conforms to the TPM PC Client Implementation Specification for Conventional BIOS, version
1.2, and to the TPM Interface Specification and the Microsoft Vista* BitLocker Requirement. The role of the BIOS for
TPM security includes the following: