PowerMax 2500/8500 arrays use an immutable, silicon-based Hardware Root of Trust (HWRoT) to cryptographically affirm the integrity of BIOS and BMC firmware. This HWRoT is based on one-time programmable, read-only public keys provisioned by Dell in the factory to provide protection against malware tampering.
The BIOS boot process uses Intel Boot Guard technology, which verifies that the digital signature of the cryptographic hash of the boot image matches the signature stored in silicon by Dell in the factory. If Boot Guard successfully validates the signature, a chain of trust procedure validates the rest of the BIOS firmware modules until control is handed off to the operating system or hypervisor.
Each BIOS module contains a hash of the next module in the chain. The key modules in the BIOS are the Initial Boot Block (IBB), Security (SEC), Pre-EFI Initialization (PEI), Memory Reference Code (MRC), Driver Execution Environment (DXE), and Boot Device Selection (BDS). If Intel Boot Guard authenticates the IBB, the IBB validates SEC+PEI before handing control to it. SEC+PEI then validates PEI+MRC, which further validates the DXE+BDS modules. Validation of the DXE+BDS modules results in control being handed over to Unified Extensible Firmware Interface (UEFI) Secure Boot.
Rapid recovery to a trusted image is implemented on the PowerMax platform when authentication fails. The rapid recovery is essential within the HWRoT implementation and is automatically initiated by the BMC to guarantee maximum security and maintained uptime.