Dell servers use an immutable, silicon-based Root-of-Trust to cryptographically attest to the integrity of BIOS, iDRAC, and other critical firmware. This Root-of-Trust is based on one-time programmable, read-only public keys that provide protection against malware tampering. In contrast to Security Laggards, Dell works with extensively vetted silicon chip manufacturers to customize the chip and build in this Root-of-Trust technology.
Secure Boot checks the cryptographic signatures of UEFI drivers and other code loaded prior to the operating system running.
Dell servers use digital signatures on firmware updates to assure that only authentic firmware is running on the server platform. iDRAC will scan firmware updates and compare their signatures to what is expected using the silicon-based Root-of-Trust. Any firmware package that fails validation is aborted and an error message is logged into the Lifecycle Log (LCL) to alert IT administrators.
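The validation flow described above (signature check against a fixed root-of-trust public key, abort on failure, and a log entry for administrators), as an added illustration that is not Dell's or iDRAC's own code. The Ed25519 key pair, the firmware payload and the `LCL:` log lines are all constructed for the example; on real hardware the public key would be the one burned into one-time programmable memory rather than generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// FirmwareImage is a constructed stand-in for a firmware update package:
// the payload plus a detached signature produced by the vendor's signing key.
type FirmwareImage struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// RootOfTrust holds the verification key. On the hardware the text describes
// this key is read-only; here it is a constructed Ed25519 public key.
type RootOfTrust struct {
	PublicKey ed25519.PublicKey
}

// ValidateFirmware verifies the detached signature over the SHA-256 digest of
// the payload. A non-nil error means the package must not be applied.
func (rot RootOfTrust) ValidateFirmware(img FirmwareImage) error {
	if len(rot.PublicKey) != ed25519.PublicKeySize {
		return fmt.Errorf("root of trust public key has invalid length")
	}
	if len(img.Signature) != ed25519.SignatureSize {
		return fmt.Errorf("firmware %q has malformed signature", img.Name)
	}
	digest := sha256.Sum256(img.Payload)
	if !ed25519.Verify(rot.PublicKey, digest[:], img.Signature) {
		return fmt.Errorf("firmware %q failed signature validation", img.Name)
	}
	return nil
}

// SignFirmware models the vendor build pipeline producing the detached signature.
func SignFirmware(priv ed25519.PrivateKey, name string, payload []byte) FirmwareImage {
	digest := sha256.Sum256(payload)
	return FirmwareImage{Name: name, Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// ApplyUpdate validates the package before applying it. On failure the update
// is aborted and an entry modelled on the Lifecycle Log message is appended.
func ApplyUpdate(rot RootOfTrust, img FirmwareImage, lcl *[]string) bool {
	if err := rot.ValidateFirmware(img); err != nil {
		*lcl = append(*lcl, "LCL: firmware update aborted: "+err.Error())
		return false
	}
	*lcl = append(*lcl, "LCL: firmware update accepted: "+img.Name)
	return true
}

// Demo exercises three cases: a genuine package, a package whose payload was
// modified after signing, and a package signed with a key the root of trust
// does not hold. It returns the three outcomes and the constructed log.
func Demo() (genuineOK, tamperedRejected, wrongKeyRejected bool, lcl []string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rot := RootOfTrust{PublicKey: pub}
	payload := []byte("constructed BIOS image bytes")
	genuine := SignFirmware(priv, "bios-v1.2.3", payload)
	genuineOK = ApplyUpdate(rot, genuine, &lcl)

	// Flip one byte of a copy of the payload; the signature no longer matches.
	tampered := genuine
	tampered.Payload = append([]byte{}, genuine.Payload...)
	tampered.Payload[0] ^= 0xff
	tamperedRejected = !ApplyUpdate(rot, tampered, &lcl)

	// A well-formed signature from a key that is not in the root of trust.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	wrongKey := SignFirmware(otherPriv, "bios-v1.2.3", payload)
	wrongKeyRejected = !ApplyUpdate(rot, wrongKey, &lcl)
	return
}

func main() {
	ok, tampered, wrongKey, lcl := Demo()
	fmt.Println("genuine accepted:", ok, "tampered rejected:", tampered, "wrong key rejected:", wrongKey)
	for _, line := range lcl {
		fmt.Println(line)
	}
}
```

Hashing the payload before signing keeps the signed message small and fixed-size, and checking the key and signature lengths up front means a malformed package is rejected before any cryptographic work is done. Note that an update signed by any key other than the one held by the root of trust is refused exactly like a modified payload, which is why the verification key itself must be immutable.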
Dynamic System Lockdown, which an IT administrator can enable without a server reboot, prevents users with lesser privileges from making changes to the server. By enabling lockdown mode, users can prevent configuration drift in their data centers when using Dell tools and agents, and protect embedded firmware against malicious attacks when using Dell Update Packages.
TPM can also be used to enable the BitLocker™ hard drive encryption feature to address threats of data theft or exposure from lost, stolen, or inappropriately decommissioned systems.
Enterprise Key Management delivers a central key management solution to manage data-at-rest across the organization.
Security-Enhanced Linux operating system (SELinux) operates at the core kernel level on the iDRAC and does not need any input or configuration from users. SELinux logs security messages when an attack is detected. These log messages indicate when and how an attacker tried to break into the system.
Physical I/O ports such as USB inputs can be dynamically disabled using iDRAC. This permits disabling these ports for production use while still temporarily granting access for crash cart debugging, without rebooting the server.
Shielded VMs are part of the core hypervisor and are protected against inspection, theft, and tampering from malware running on a Hyper-V host as well as the fabric admins administering it.