Dell PowerEdge 13G Servers now support UEFI Secure Boot
A guide to enabling and deploying on Windows 2012, CentOS/RHEL 7, and SLES 12.
Authors: Thomas Cantwell, Charles Rose, Aditi Satam, Michael Schroeder

Dell PowerEdge 13G servers are the first Dell servers to support UEFI Secure Boot. This enhances platform security by preventing unsigned or untrusted firmware, option ROMs and boot loaders from loading during boot.

What is UEFI Secure Boot?

UEFI Secure Boot adds a level of security to the pre-operating-system boot process. The diagram below is overly simplistic, but prior to UEFI Secure Boot there was no real protection for firmware. UEFI (a modern, standardized specification for the pre-boot environment) brings a significant boost in capability and removes limitations of the legacy BIOS, but that same standardization makes the pre-boot environment easier to attack than the bespoke, assembly-language-driven BIOS code of the past, and so opens up new opportunities for attackers. Rootkits and bootkits compromise a machine before the OS boots, and once the OS had booted there were no mechanisms to detect that the system had been compromised. UEFI Secure Boot addresses this vulnerability by requiring every component loaded during boot to carry a signature that chains to a key in the platform's signature database.

Enabling UEFI Secure Boot on Dell PowerEdge 13G servers

The settings for UEFI Secure Boot reside in System Setup (press F2 during boot). Once in System Setup, go to System Security. At the bottom of the System Security page you will find the settings to enable UEFI Secure Boot. Pay close attention to the two notes; UEFI Secure Boot is greyed out until both issues are resolved:

1) The system must be set to UEFI Boot Mode.
   a. Important! You cannot switch from BIOS mode to UEFI mode and expect the current operating system to run. You must reinstall the OS when you change this setting.
2) You must disable Load Legacy Video Option ROM.
   a. The legacy video option ROM is only needed by operating systems that support UEFI but not the UEFI GOP (Graphics Output Protocol), such as Windows Server 2008 and 2008 R2. Those operating systems do not support UEFI Secure Boot, so disabling it is not an issue. Load Legacy Video Option ROM is off by default, so you may not see this note.

Dell - Internal Use - Confidential

Once you have made these setting changes, you can enable UEFI Secure Boot. Having enabled it, take a look at the Secure Boot Policy Summary. It shows the PK, KEK, db and dbx (standard UEFI Secure Boot terms: the Platform Key, the Key Exchange Keys, the signature database and the forbidden-signature database). For more detail on these, see the following document from the Dell PowerEdge BIOS team: http://en.community.dell.com/techcenter/extras/m/white_papers/20440707

And that's it! You have successfully enabled UEFI Secure Boot.

If firmware is not signed (indicating it cannot be trusted), you will get the following error. The device and device name will differ depending on which option ROM or firmware is unsigned.

Tracking down the offending device

What is Integrated NIC 1, Port 1, Partition 1?

1) Reboot the server and press F11 to go to the Boot Menu. This is important because you have to look in two locations for information on the device: Driver Health and System Setup.
2) First, go to System Setup and choose Device Settings.

We now see "Integrated NIC 1", but only ports 3 and 4 appear under Device Settings. Note: the word "integrated" in Dell nomenclature indicates an onboard device (in this instance, the Dell NDC, Network Daughter Card). So where is Integrated NIC 1, Port 1? Go back to the Boot Menu and look at Driver Health (ignore the "iDRAC settings: operation failed" entry; this is a pre-production system).

Driver Health is where you see whether a driver is "healthy" (in this context, signed and able to support UEFI Secure Boot). While you do not see Integrated NIC 1, you do see Intel Pro/1000 (the NDC is an Intel NDC with two 1 Gb ports and two 10 Gb ports). Now review the device settings: notice that ports 3 and 4 are the Gigabit ports? We have a match: the two Gigabit ports show as healthy and the two 10 Gb ports are not shown at all, because the firmware that drives them failed the signature check and was not loaded.

Next steps: fixing the issue

Fixing this issue is as simple as downloading and installing the latest device firmware (the server I was using was pre-production and had older firmware). After updating the firmware we see the following: NIC 1, Port 1 is now visible in Device Settings and Driver Health, and UEFI Secure Boot is fully functional (no more errors on startup).

Under most circumstances a Dell server shipping from the Dell factory will have fully compliant (signed) firmware and UEFI drivers. Some devices will not, but will receive a signed firmware update in a future release. The goal is to have all Dell devices ship with signed firmware.

Operating systems: how to tell if UEFI Secure Boot is enabled

While UEFI Secure Boot is designed to protect the pre-boot environment, operating systems that are UEFI Secure Boot compliant usually provide a way to tell whether it is enabled and working.

Microsoft Windows Server 2012/2012 R2: run msinfo32 to bring up System Information. The Secure Boot State item will show either "On" or "Off".

Checking Secure Boot status in Red Hat Enterprise Linux 7 and CentOS 7

To check whether Secure Boot is enabled, log in as root at a console/terminal (during installation, Ctrl+Alt+F2) and enter:

  mokutil --sb-state

This reports the Secure Boot state the firmware handed to the OS (the SecureBoot EFI variable). Further, the Secure Boot keys that the kernel has access to can be listed with:

  cat /proc/keys

Note the presence of keys that the kernel receives from the platform:
- "Microsoft Windows Production PCA 2011" and "Microsoft Corporation UEFI CA 2011"

and the Red Hat keys that are added by shim and MOK:
- "Red Hat Enterprise Linux Driver Update Program (key 3)"
  o Used to verify kernel modules installed from KMPs (Kernel Module Packages).
- "Red Hat Secure Boot (CA key 1)"
  o Used to verify Red Hat boot components such as grub2.
- "Red Hat Enterprise Linux kernel signing key"
  o Used to verify kernel modules installed with the kernel package.
- "Red Hat Enterprise Linux kpatch signing key"
  o Used for kpatch verification.

On CentOS 7 the keys added by shim and MOK will be different.

Disabling Secure Boot

After installing RHEL with UEFI Secure Boot enabled, if you disable Secure Boot in System Setup under System BIOS Settings -> System Security, the message "UEFI0074" is displayed, indicating a change in the system's Secure Boot state. RHEL 7 / CentOS 7 should boot as expected, but with Secure Boot disabled. Checking for Secure Boot should now report it as "disabled", and the UEFI Secure Boot keys from the platform are no longer visible to the kernel.

Booting an OS that does not support Secure Boot

With Secure Boot enabled in System Setup, attempting to boot an OS that does not support Secure Boot results in a "UEFI0073" message. Here is an example of what is seen when attempting to boot a RHEL 6.5 or CentOS 6.5 DVD. Pressing "d" disables Secure Boot for this boot session only and proceeds with booting the RHEL 6.5 install DVD. Pressing any other key aborts booting from the DVD and attempts to boot from the next device in the boot order. The "UEFI0073" message will be seen on each subsequent reboot until Secure Boot is disabled in System Setup or the OS is upgraded to one that supports Secure Boot.

Checking Secure Boot status with SUSE Linux Enterprise Server 12

SLES 12 does not provide the mokutil utility during installation, so "mokutil --sb-state" cannot be used to check whether Secure Boot is enabled. Alternatively, the kernel log can be searched for the same information:

1. During the SLES 12 installation, switch to the text console with Ctrl+Alt+F2.
2. Search the kernel log to see whether Secure Boot was enabled:
   # grep "Secure boot" /var/log/boot.msg
3. The keys detected by the kernel can also be seen in the kernel log:
   # grep cert /var/log/boot.msg
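The RHEL/CentOS checks above (mokutil --sb-state and cat /proc/keys) and the SLES 12 boot.msg grep all read state the firmware and shim hand to the kernel. The script below is an added example, not code from this Dell paper, that performs the same three checks from plain files so they can be run against the live system or against copies saved from a server under review: it decodes the SecureBoot EFI variable from efivarfs (the variable name and GUID are the standard UEFI global ones; the efivarfs layout of a 4-byte attribute word followed by the data is how the Linux kernel exposes it), extracts the X.509 key subjects from a /proc/keys listing, and greps a SLES-style boot log. Function names are mine; the /proc/keys sample written by write_sample_keys is constructed with placeholder serials and fingerprints; and the log check assumes the kernel line reads "Secure boot enabled" or "Secure boot disabled", which the page does not quote.

```shell
#!/bin/sh
# Added example (not from the Dell white paper): read UEFI Secure Boot state
# and the platform/shim keys the way mokutil --sb-state and cat /proc/keys do,
# but from plain files so the logic can also be run against saved copies or
# constructed samples. Paths are parameters; defaults are the live locations.

EFIVARS_DIR=/sys/firmware/efi/efivars
# Standard UEFI global variable name and GUID for the SecureBoot flag.
SB_VAR=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# secure_boot_state [EFIVARS_DIR] -> enabled | disabled | unsupported
# efivarfs exposes each variable as a 4-byte attribute word followed by the
# data; for SecureBoot the data is one byte, 1 = enabled, 0 = disabled.
# A missing variable means the system booted in BIOS mode or the firmware
# does not implement Secure Boot at all.
secure_boot_state() {
    f="${1:-$EFIVARS_DIR}/$SB_VAR"
    [ -r "$f" ] || { echo unsupported; return 0; }
    # skip the 4 attribute bytes, read one data byte as an unsigned integer
    v=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unsupported ;;
    esac
}

# list_asymmetric_keys [KEYS_FILE] -> one key subject per line
# /proc/keys columns: serial flags usage timeout perms uid gid type description.
# The type column is truncated to 9 chars, so X.509 keys show as "asymmetri";
# the description is "<subject>: <fingerprint>: X509.<algo> <id> []".
list_asymmetric_keys() {
    awk '
        index($0, " asymmetri ") {
            d = substr($0, index($0, " asymmetri ") + 11)
            sub(/: [0-9a-f]+: X509.*$/, "", d)
            print d
        }' "${1:-/proc/keys}"
}

# secure_boot_state_from_log LOG_FILE -> enabled | disabled | unknown
# SLES 12 check: grep the kernel log instead of mokutil. Assumption (not
# quoted on the page): the line reads "Secure boot enabled"/"Secure boot disabled".
secure_boot_state_from_log() {
    if grep -q "Secure boot enabled" "$1"; then echo enabled
    elif grep -q "Secure boot disabled" "$1"; then echo disabled
    else echo unknown
    fi
}

# write_sample_keys FILE: constructed /proc/keys snapshot mirroring the RHEL 7
# list on the page. Serials and fingerprints are placeholders, not real values.
write_sample_keys() {
    cat > "$1" <<'EOF'
0a1b2c3d I------     1 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 4
1a2b3c4d I------     1 perm 1f030000     0     0 asymmetri Microsoft Windows Production PCA 2011: 0000000000000000000000000000000000000001: X509.rsa 00000001 []
2a3b4c5d I------     1 perm 1f030000     0     0 asymmetri Microsoft Corporation UEFI CA 2011: 0000000000000000000000000000000000000002: X509.rsa 00000002 []
3a4b5c6d I------     1 perm 1f030000     0     0 asymmetri Red Hat Secure Boot (CA key 1): 0000000000000000000000000000000000000003: X509.rsa 00000003 []
4a5b6c7d I------     1 perm 1f030000     0     0 asymmetri Red Hat Enterprise Linux kernel signing key: 0000000000000000000000000000000000000004: X509.rsa 00000004 []
EOF
}

# Stand-alone run against the live system: ./sbcheck.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "Secure Boot: $(secure_boot_state)"
    echo "Asymmetric keys known to the kernel:"
    list_asymmetric_keys
fi
```

Run it with --report on a RHEL/CentOS 7 host to get the same answer mokutil gives plus the key subjects; on a host where Secure Boot was turned off in System Setup, secure_boot_state returns "disabled" and the Microsoft platform keys drop out of the list, matching the page's description of the UEFI0074 case. Because the script reads the SecureBoot variable directly, it also works during a SLES 12 installation where mokutil is absent, and secure_boot_state_from_log covers the boot.msg route the page describes.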
© Copyright 2024