A malicious hacker who has physical access to a system can tamper with the BIOS. A tampered BIOS code poses a high security threat and makes the system vulnerable to further attacks. With the Secured-core feature, OMIMSWAC ensures that your cluster boots only using the software that is trusted by Dell.
Secured-core feature is supported on the following configurations:
- AMD processor types:
- AMD Milan with cluster nodes BIOS version must be 2.3.6 or above.
- Intel processor types:
Note: The following Intel processor types are not supported for Secured-core feature:
- Cluster nodes BIOS version must be 1.3.8 or above.
- E-23 series and Pentium SKUs such as G6605, G6505, G6505T, G6405, and G6405T.
- OS versions:
- Azure Stack HCI OS 22H2.
- TPM V2.0 module must be installed with firmware 220.127.116.11 or above.
- OMIWAC Premium License must be installed on each cluster node.
Secured-core feature includes enabling BIOS and OS security features. Both Dell Technologies and Microsoft recommend enabling BIOS security features and OS security features respectively to protect infrastructure from external threats. In Windows Admin Center, use Dell OpenManage Integration with Microsoft Windows Admin Center extension to enable BIOS security features and use Security extension to enable OS security features. For more information about OS security features, see the Microsoft guidelines.
Enable BIOS security features as follows:
- Log in to Windows Admin Center and launch Dell OpenManage Integration with Microsoft Windows Admin Center extension.
- Select .
- From the drop-down menu, select Secured Core. Alternatively, go to the Action menu, under Security and select Secured Core.
- Specify Manage as credentials if prompted.
The Dell OpenManage Integration with Microsoft Windows Admin Center validates if the following prerequisites are fulfilled on the target or cluster nodes:
- The supported platform and processor types
- The supported BIOS version
- The supported OS version
- The OMIWAC Premium License is installed
For more information, see Prerequisites.
- If one or more prerequisites are not fulfilled, Dell OpenManage Integration with Microsoft Windows Admin Center displays the list of prerequisites and its overall status and recommendation. Review the recommendations with the status showing or and resolve the prerequisites. To see the prerequisites to be fulfilled for each cluster node, switch Show Node Level Details. After resolving the perquisites, go to again to display the overall status. If all the perquisites are met, OMIMSWAC displays the overall secured-core status for both BIOS and OS. The overall BIOS/OS status is the summary of all BIOS/OS feature configuration statuses for the entire cluster.
- If infrastructure lock is enabled, click Disable. You must disable the infrastructure lock before enabling the BIOS configurations.
- Review all the BIOS feature status and the corresponding OS feature status. A consolidated view of all BIOS/OS feature configuration status that is displayed in the Cluster level BIOS Features and Status and Cluster level OS Features and Status' sections.
The following table lists are of the BIOS and corresponding OS features with security functionalities:
Table 3. BIOS, OS feature, and security functionality BIOS Feature Security Function Corresponding OS Features Other Information Virtualization Technology Helps BIOS to enable processor virtualization features (such as protecting against exploits in user-mode drivers and applications) and provide virtualization support to the Operating System (OS) through the DMAR table.
- Hypervisor-Protected Code Integrity (HVCI)
- Virtualization-Based Security (VBS)
n/a Kernel DMA Protection When enabled, both BIOS and OS protects devices from Direct Memory Access attacks in early boot by leveraging the Input/Output Memory Management Unit (IOMMU). Boot DMA Protection n/a Secure Boot Secure Boot ensures that the device boots with trusted, Dell signed software. Secure Boot n/a Trusted Platform Module (TPM) 2.0
TPM PPI Bypass Provision
TPM PPI Bypass Clear
TPM2 Algorithm Selection
Trusted Platform Module (TPM) is a dedicated microprocessor that is designed to secure hardware by integrating cryptographic keys into devices. Software can use a TPM to authenticate hardware devices.
Note: To ensure proper functioning of the System Guard OS feature, ensure that the TPM Hierarchy under the System Security section is enabled in the BIOS settings.
- Trusted Platform Module (TPM) 2.0
- System Guard
Note: If TPM firmware version is less than the 18.104.22.168, Enable BIOS Configuration button is disabled. You must replace with a hardware that has TPM firmware version 22.214.171.124 or above.
Note: TPM2 Algorithm Selection is set to SHA256.
(AMD) Dynamic Root of Trust Measurement Enables AMD Dynamic Root of Trust Measurement (DRTM). Also enables AMD secure encryption features such as Secure Memory Encryption (SME) and Transparent Secure Memory Encryption (SME). n/a This feature is available for AMD based processors. [Intel] Trusted Execution Technology Enhances platform security by using Virtualization Technology, TPM Security, and TPM2 Algorithm (must be SHA256). Intel TXT provides security against hypervisor, BIOS, firmware, and other pre-launch software-based attacks by establishing a root of trust' during the boot process. n/a This feature is available for Intel-based processors.
- To configure secured core for all BIOS attributes, click Enable BIOS Configuration.
- To apply the BIOS configuration, perform one of the following actions:
- Apply and Reboot Now: Applies the BIOS configuration changes in all cluster nodes and reboot the cluster using Cluster Aware Updating method (without impacting the workload).
- Apply at Next Reboot: Saves the changes and applies the BIOS configuration in all cluster nodes at the next reboot.
If you choose this option, ensure to exit the Dell OpenManage Integration with Microsoft Windows Admin Center extension and restart the cluster using the Windows Admin Center before performing any cluster management operations.
- When finished, click Apply.
The operation enables CredSSP. To improve the security, disable CredSSP after the operation is complete.
- Click View Details to see the status of the BIOS configuration changes at node level.