Dell PowerEdge 13G Servers now support UEFI Secure Boot

A guide to enabling and deploying on Windows 2012, CentOS/RHEL 7, and SLES 12.

Authors: Thomas Cantwell, Charles Rose, Aditi Satam, Michael Schroeder
Dell PowerEdge 13G servers are the first Dell servers to provide support for UEFI Secure Boot. This
enhances platform security and prevents unauthorized firmware from loading on the server during boot.
What is UEFI Secure Boot?
UEFI Secure Boot provides a new level of security for pre-operating system boot processes. The diagram
below is overly simplistic, but prior to the advent of UEFI secure boot, there was no real protection for
firmware.
UEFI, a modern, standardized specification for the pre-boot environment, is in some ways easier to attack
than the "spaghetti code", assembly-language BIOS of the past: a documented, uniform interface is easier
for an attacker to target. UEFI provides a significant boost in capability and removes limitations of
legacy BIOS, but it also offers new opportunities for attackers. Rootkits and bootkits compromise a PC
before the OS boots, and once the OS has booted there are no mechanisms to detect that the system has
been compromised. UEFI Secure Boot addresses this vulnerability.
Dell - Internal Use - Confidential
Enabling UEFI Secure Boot on Dell PowerEdge 13G servers
The settings for UEFI Secure boot reside in system setup (press F2 during bootup).
Once in system setup, go to System Security.
At the bottom of the System Security page, you will find the settings to enable UEFI Secure Boot. Pay
close attention to the two notes (UEFI Secure Boot is greyed out until both issues are resolved):
1) The system must be set to UEFI Boot Mode.
a. Important! You cannot switch from BIOS mode to UEFI mode and expect the current
operating system to run. You must reinstall the OS when you make this setting change!
2) You must disable Load Legacy Video Option ROM.
a. The legacy video option ROM is only applicable to operating systems that support UEFI but
do not support UEFI GOP (Graphics Output Protocol), such as Windows Server 2008 and
2008 R2. Those operating systems do not support UEFI Secure Boot, so disabling it is not an issue.
The Load Legacy Video Option ROM setting is off by default, so you may not see this
note.
Once you have made the setting changes, you can now enable UEFI Secure Boot.
Once you enable UEFI Secure Boot, take a look at the Secure Boot Policy Summary. You will see the
information for the PK (Platform Key), KEK (Key Exchange Key), db (allowed signature database), and dbx
(forbidden signature database); these are standard UEFI Secure Boot terms. For more detail on them, see
the following Dell document from the Dell PowerEdge BIOS team: http://en.community.dell.com/techcenter/extras/m/white_papers/20440707
And, that’s it! You have successfully enabled UEFI Secure Boot!
If a firmware image or option ROM is not signed (meaning it cannot be trusted), you will get the following
error. The device and device name can differ, depending on which option ROM or firmware is not signed.
Tracking down the offending device
What is Integrated NIC1, Port 1, Partition 1?
1) Reboot the server and press F11 to go to the Boot Menu.
i. This is important because you have to look in two locations for information on
the device – Driver Health and System Setup
2) First, go to System Setup and choose Device Settings
We now see "Integrated NIC 1", but only ports 3 and 4 appear under Device Settings. Note: the word
"integrated" in Dell nomenclature indicates an onboard device (in this instance, the Dell NDC, Network
Daughter Card).
So, where is Integrated NIC 1, port 1?
Go back to the Boot Menu and look at Driver Health (ignore the "iDRAC settings: operation failed" entry;
this is a pre-production system). Driver Health is where you will see whether a driver is "healthy" (in
this case, that means signed and able to support UEFI Secure Boot).
While you do not see Integrated NIC 1, you do see Intel Pro/1000 (the NDC is an Intel NDC, with two 1
Gb ports and two 10 Gb ports). Now review the device settings: notice that ports 3 and 4 are Gigabit
ports. Now we have a match: the two Gigabit ports show as healthy, and the two 10 Gb ports are not
showing at all!
Next Steps – fixing the issue
Fixing this issue is as simple as downloading and installing the latest device firmware (as the server I was
using was pre-production, I had older firmware). I updated the firmware and we now see the following:
NIC1, Port 1 is now visible in Device Settings and Driver Health, and UEFI Secure Boot is fully functional
(no more errors on startup).
Under most circumstances, a Dell server shipping from the Dell factory will have fully compliant (signed)
firmware and UEFI drivers. Some devices will not, but they will receive a signed firmware update in a
future release. The goal is to have all Dell devices ship with signed firmware.
Operating Systems – how to tell if UEFI Secure Boot is enabled
While UEFI Secure Boot is designed to protect the pre-boot environment, operating systems that are
UEFI Secure Boot compliant usually have some method to tell if it is enabled and working.
Microsoft Windows Server 2012/2012 R2: simply run MSInfo32 to bring up System Information. The Secure
Boot State will indicate either "On" or "Off".
Checking Secure Boot status in Red Hat Enterprise Linux 7 and CentOS 7
To check if Secure Boot is enabled, log in as root at a console/terminal (during install time, Ctrl+Alt+F2)
and enter:
mokutil --sb-state
This shows the status of Secure Boot as detected by the system.
Further, the Secure Boot keys that the kernel has access to can be verified with:
cat /proc/keys
Note the presence of keys that the kernel receives from the system:
- "Microsoft Windows Production PCA 2011"
- "Microsoft Corporation UEFI CA 2011"
And the "Red Hat" keys that are added by shim and MOK:
- "Red Hat Enterprise Linux Driver Update Program (key 3)"
  o Used to verify kernel modules installed from KMPs (Kernel Module Packages).
- "Red Hat Secure Boot (CA key 1)"
  o Used to verify Red Hat boot components such as grub2.
- "Red Hat Enterprise Linux kernel signing key"
  o Used to verify kernel modules installed during kernel package installation.
- "Red Hat Enterprise Linux kpatch signing key"
  o Used for kpatch verification.
On CentOS 7 the keys included by shim and MOK will be different:
Disabling Secure Boot
After installing RHEL with UEFI Secure Boot enabled, if we disable Secure Boot in System Setup under
System BIOS Settings -> System Security, the message "UEFI0074" is displayed, indicating a change in the
system's Secure Boot state. RHEL 7 / CentOS 7 should boot as expected, but with Secure Boot disabled.
Checking the Secure Boot status should now report "disabled", and the UEFI Secure Boot keys from the
platform should no longer be visible to the kernel:
Booting an OS that does not support Secure boot
When Secure Boot is enabled in System Setup and we attempt to boot an OS that does not support
Secure Boot, the result is a "UEFI0073" message. Here is an example of what will be seen when we
attempt to boot a RHEL 6.5 or CentOS 6.5 DVD.
Pressing "d" will disable Secure Boot for this boot session and proceed with booting the RHEL 6.5 install
DVD. Pressing any other key will abort booting from the DVD and attempt to boot from the next device
in the boot order. The "UEFI0073" message will be seen on each subsequent reboot until Secure Boot
is disabled in System Setup or the OS is upgraded to one that supports Secure Boot.
Checking Secure Boot status with SUSE Linux Enterprise Server 12
SLES 12 does not provide the "mokutil" utility during install time, so it is not possible to use
"mokutil --sb-state" to check if Secure Boot is enabled.
Alternatively, the kernel logs can be searched to find the same information:
1. During install of SLES 12, switch to the text console with Ctrl+Alt+F2.
2. Search the kernel logs to see if Secure Boot was enabled with:
a. # grep "Secure boot" /var/log/boot.msg
3. The keys detected by the kernel can also be seen in the kernel logs with:
a. # grep cert /var/log/boot.msg
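The following POSIX shell script is an added example, not part of the Dell guide, that automates the two Linux checks described above (the mokutil/proc-keys route for RHEL 7 and CentOS 7, and the kernel-log route for SLES 12) without depending on mokutil being installed. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (the SecureBoot variable lives in the UEFI global variable namespace 8be4df61-93ca-11d2-aa0d-00e098032b8c), that an efivar file holds 4 attribute bytes followed by the variable data, and that the kernel log line reads "Secure boot enabled" or "Secure boot disabled" (an assumption; the exact wording varies by kernel). The /proc/keys lines and log lines embedded in the script are constructed sample data, with made-up key ids and fingerprints.

```shell
#!/bin/sh
# Added example, not part of the Dell guide. Three ways to answer "is Secure
# Boot on, and which CA keys did the kernel load?" without relying on mokutil.
# Assumptions: efivarfs is mounted at /sys/firmware/efi/efivars, an efivar file
# is 4 attribute bytes followed by the variable data, and the kernel log line
# reads "Secure boot enabled" or "Secure boot disabled" (wording varies by kernel).

SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print enabled / disabled / unavailable from an efivar-formatted file.
sb_state_from_efivar() {
    f="$1"
    [ -r "$f" ] || { echo unavailable; return 0; }
    # skip the 4-byte attribute header, read the single data byte as a decimal
    val=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unavailable ;;
    esac
}

# Same answer from kernel log text on stdin (the SLES 12 route: /var/log/boot.msg
# during install, dmesg afterwards). The last matching line wins.
sb_state_from_log() {
    state=unavailable
    while IFS= read -r line; do
        case "$line" in
            *"Secure boot enabled"*)  state=enabled ;;
            *"Secure boot disabled"*) state=disabled ;;
        esac
    done
    echo "$state"
}

# Print the descriptions of asymmetric keys from /proc/keys-formatted text on
# stdin that come from the platform db (Microsoft) or from shim/MOK (Red Hat,
# CentOS). Columns: id flags usage timeout perms uid gid type description.
list_sb_keys() {
    awk '$8 == "asymmetri" {
        desc = ""
        for (i = 9; i <= NF; i++) desc = desc (i > 9 ? " " : "") $i
        sub(/: [0-9a-f]+(: .*)?$/, "", desc)   # drop fingerprint and subtype suffix
        if (desc ~ /^(Microsoft|Red Hat|CentOS)/) print desc
    }'
}

# Constructed sample data (ids, perms and fingerprints are made up).
SAMPLE_KEYS='0e1bcd30 I------     1 perm 1f030000     0     0 asymmetri Microsoft Windows Production PCA 2011: 0123456789abcdef0123456789abcdef01234567
1a2b3c4d I------     1 perm 1f030000     0     0 asymmetri Microsoft Corporation UEFI CA 2011: 0123456789abcdef0123456789abcdef01234568
2b3c4d5e I------     1 perm 1f030000     0     0 asymmetri Red Hat Secure Boot (CA key 1): 0123456789abcdef0123456789abcdef01234569: X509.rsa 01234569 []
3c4d5e6f I--Q---     1 perm 3f010000     0     0 keyring   .system_keyring: 4
4d5e6f70 I------     1 perm 1f030000     0     0 user      invocation_id: 16'
SAMPLE_LOG="[    0.000000] efi: EFI v2.40 by Dell Inc.
[    0.000000] Secure boot enabled
[    1.234567] Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 0123456789abcdef0123456789abcdef01234568'"

# Pass "demo" to run against the constructed samples, "live" to query this host.
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | sb_state_from_log
          printf '%s\n' "$SAMPLE_KEYS" | list_sb_keys ;;
    live) sb_state_from_efivar "$SB_VAR"
          list_sb_keys < /proc/keys ;;
esac
```

On a live RHEL 7 or CentOS 7 box, `sh sbcheck.sh live` should agree with `mokutil --sb-state`, and the key list should match the Microsoft and Red Hat entries shown above; after Secure Boot is disabled in System Setup the efivar reports "disabled" and the key list comes back empty, which is the "keys invisible to the kernel" state the guide describes. The efivar check is the most reliable of the three because it reads the firmware's own variable rather than a log message whose wording changes between kernels.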