Secured-core Servers Enabling Guide on Dell EMC PowerEdge servers
Summary: This document provides a guidance on enabling secured-core servers on selected Dell EMC PowerEdge servers.
This article applies to
This article does not apply to
Instructions
This Dell KB provides a guidance for product specific steps to configure Secured-core Servers AQ certified servers to a fully enabled state.
This can be obtained from Dell support page .
2. Secure Boot must be enabled
Secure Boot must be set at the BIOS settings at System BIOS Settings/System Security.
3. Server must have TPM 2.0 and it must be enabled with required settings as mention below.
4. DRTM (Dynamic Root of Trust for Measurement )must be enabled at BIOS. For Intel server, DRTM should be enabled, by enabling below BIOS Settings:-
For AMD server, DRTM should be enabled, by enabling below BIOS Settings.
5. IOMMU and Virtualization Extension must be enabled at BIOS. For Intel Server IOMMU and Virtualization Extension should be enabled by enabling “Virtualization Technology” at System BIOS Settings \Processor Settings.
For AMD Server, IOMMU and Virtualization Extension should be enabled with below BIOS settings:-
For the AMD server at the System BIOS Settings \Processor settings, enable Secure Memory Encryption (SME) and Transparent Secure Memory Encryption (TSME). "
Enter the server model name, go to “Driver & Downloads” section, choose OS as Windows Server 2022 LTSC and look for chipset driver.
Example, For Poweredge R650, “Intel Lewisburg C62x Series Chipset Drivers” should be installed.
For Poweredge R6525, “AMD SP3 MILAN Series Chipset driver” should be installed.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
reg add “HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard” /v “Enabled” /t REG_DWORD /d 1 /f
For OS and SW issues, contact Microsoft support
Applicable Products
The configuration guidance applies to the following Dell EMC server products.- PowerEdge R750
- PowerEdge R750xa
- PowerEdge R650
- PowerEdge MX750c
- PowerEdge C6520
- PowerEdge R750xs
- PowerEdge R650xs
- PowerEdge R450
- PowerEdge R550
- PowerEdge T550
- PowerEdge XR11
- PowerEdge XR12
- PowerEdge R6525 (“EPYCTM 7003 series processors”)
- PowerEdge R7525 (“EPYCTM 7003 series processors”)
- PowerEdge C6525 (“EPYCTM 7003 series processors”)
- Dell EMC AX-7525 (EPYCTM 7003 series processors only)
- Dell EMC AX-750
- Dell EMC AX-650
BIOS Settings
Below is the minimum version of BIOS for specific platform to be used for enabling secure core.This can be obtained from Dell support page .
| Platform Name | Minimum BIOS Version |
| PowerEdge R750 | 1.3.8 |
| PowerEdge R750xa | 1.3.8 |
| PowerEdge R650 | 1.3.8 |
| PowerEdge MX750c | 1.3.8 |
| PowerEdge C6520 | 1.3.8 |
| PowerEdge R750xs | 1.3.8 |
| PowerEdge R650xs | 1.3.8 |
| PowerEdge R450 | 1.3.8 |
| PowerEdge R550 | 1.3.8 |
| PowerEdge R6525 | 2.3.6 |
| PowerEdge R7525 | 2.3.6 |
| PowerEdge C6525 | 2.3.6 |
| Dell EMC AX-7525 | 2.3.6 |
| Dell EMC AX-750 | 1.3..8 |
| Dell EMC AX-650 | 1.3.8 |
NOTE:System must be booted in the UEFI mode. UEFI mode should be set at the BIOS settings at System BIOS Settings/Boot Settings.
2. Secure Boot must be enabled
Secure Boot must be set at the BIOS settings at System BIOS Settings/System Security.
3. Server must have TPM 2.0 and it must be enabled with required settings as mention below.
- TPM Security at must be set as ON at System BIOS Settings\System Security
- Other Settings must be set at BIOS Settings\System Security\TPM Advanced Settings.
- TPM PPI Bypass and TPM PPI Bypass Clear must be enabled.
- TPM Algorithm Selection should be set as “SHA 256”
- Minimum FW Version of TPM:
- TPM 2.0 – 7.2.2.0
- CTPM 7.51.6405.5136
4. DRTM (Dynamic Root of Trust for Measurement )must be enabled at BIOS. For Intel server, DRTM should be enabled, by enabling below BIOS Settings:-
- Direct Memory Access Protection” at System BIOS Settings\Processor Settings.
- “Intel(R) TXT” at System BIOS Settings\System Security.
For AMD server, DRTM should be enabled, by enabling below BIOS Settings.
- “Direct Memory Access Protection” at System BIOS Settings\Processor Settings.
- “AMD DRTM” at System BIOS Settings\System Security
5. IOMMU and Virtualization Extension must be enabled at BIOS. For Intel Server IOMMU and Virtualization Extension should be enabled by enabling “Virtualization Technology” at System BIOS Settings \Processor Settings.
For AMD Server, IOMMU and Virtualization Extension should be enabled with below BIOS settings:-
- “Virtualization Technology” at System BIOS Settings \Processor Settings
- IOMMU Support at System BIOS Settings \Processor Settings.
For the AMD server at the System BIOS Settings \Processor settings, enable Secure Memory Encryption (SME) and Transparent Secure Memory Encryption (TSME). "
OS Settings
Install platform specific drivers
For Intel Servers, chipset driver (version: 10.1.18793.8276 and above) should be installed. For AMD Servers, Chipset driver (version: 2.18.30.202 and above) should be installed. (AMD DRTM driver is part of this driver package.). These driver can be downloaded from https://www.dell.com/support/home/?app=products ->Enter the server model name, go to “Driver & Downloads” section, choose OS as Windows Server 2022 LTSC and look for chipset driver.
Example, For Poweredge R650, “Intel Lewisburg C62x Series Chipset Drivers” should be installed.
For Poweredge R6525, “AMD SP3 MILAN Series Chipset driver” should be installed.
Configure registry keys for VBS, HVCI and System Guard
Run the following from command prompt:-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
reg add “HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard” /v “Enabled” /t REG_DWORD /d 1 /f
NOTE:After Running these commands system should go for reboot cycle. Above Operations can be performed By Running Below PowerShell Script.
Confirm the Secured-core state
To confirm all the Secured-core features are properly configured and running, follow the steps below:TPM 2.0
Run get-tpm in a PowerShell and confirm the following:
Secure boot, Kernel DMA Protection, VBS, HVCI and System Guard
Launch msinfo32 from command prompt and confirm the following values:
- "Secure Boot State" is "On"
- “Kernel DMA Protection” is “On”
- “Virtualization-Based Security” is “Running”
- “Virtualization-Based Security Services Running” contains the value “Hypervisor enforced Code Integrity” and “Secure Launch”
Support
For HW and Firmware issues, contact Dell supportFor OS and SW issues, contact Microsoft support