Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
Fail Secure Vs Fail Safe
AltaLink® and VersaLink® products are designed to fail secure.
When a security control is compromised, the control is no longer trustworthy, and a system is at risk of
further compromise. In such a scenario, security products may either fail safe [open] or fail secure
An example from physical security is a door. If power is lost the door may either:
Unlock and 'fail safe' to an open state (likely for safety reasons such as in a public building).
Lock and 'fail secure' for security reasons (such as a bank vault).
The BIOS used in AltaLink® and VersaLink® products is embedded and cannot be accessed directly.
Unlike devices such as Desktop and Laptop computers that have a BIOS that can be accessed via a
keystroke on startup, the BIOS of AltaLink® and VersaLink® products is not accessible.
Many devices can be cleared to factory defaults (including passwords and security settings) by
depressing a reset button using a paperclip or similar method. For security reasons, AltaLink® and
VersaLink® products do not offer such a method to clear or reset the BIOS. (Note that configuration
settings may be reset to factory defaults by an authorized administrator, however this does not impact
BIOS updates are applied by device firmware updates. Firmware is protected from tampering by use of
digital signatures (discussed later in this section).
The BIOS is designed to fail secure. An integrity check is performed immediately when power is applied.
If verification is successful, the system proceeds with OS kernel boot. If the integrity check fails, the
system will fail secure.
AES encryption is used to protect the system, user data, and configuration (including security settings)
from being retrieved or modified. Each device uses its own unique key that is securely generated.
Encryption is enabled by default. Media encryption and sanitization are discussed in Section
Boot Process Security
Unlike open operating systems such as servers and user workstations in which software may be installed
by users, Xerox products are based on embedded systems and the contents are managed by Xerox. The
only means of modifying the contents of a device is by applying a firmware update package.
Firmware updates use a special format and each firmware update is digitally signed to protect the
integrity of the contents. Firmware that is corrupt or has been illicitly modified will be rejected. This
security control cannot be disabled.
AltaLink® and VersaLink® products include a built-in firmware software validation. This is a file integrity
monitor that compares the security hashes of currently installed firmware to a secured whitelist that was
installed when the signed firmware was installed.