Dell XC Core XC760 Installation And Service Manual page 38

Pre-operating system management applications

Table 27. System Security details (continued)

Option / Description

(continued from previous page)
    ... TME technology. When the option is set to Multiple Keys, BIOS enables the TME-MT technology. The default value is Disabled.

TME Encryption Bypass
    Allows the option to bypass Intel Total Memory Encryption. The default value is Disabled.

Intel(R) SGX
    Enables you to set the Intel Software Guard Extensions (SGX) option. To enable the Intel SGX option, the following must be true:
    ● The processor must be SGX capable.
    ● Memory population must be compatible (minimum x8 identical DIMM1 to DIMM8 per CPU socket; not supported on a persistent memory configuration).
    ● Memory operating mode must be set to Optimizer mode.
    ● Memory encryption must be enabled.
    ● Node interleaving must be disabled.
    The default value is Off. When this option is set to Off, BIOS disables the SGX technology. When this option is set to On, BIOS enables the SGX technology.

Power Button
    Enables or disables the power button on the front of the system. The default value is Enabled.

AC Power Recovery
    Sets how the system behaves after AC power is restored to the system. The default value is Last.
    NOTE: Until the iDRAC Root of Trust (RoT) check is completed, host power-on occurs a minimum of 90 seconds after AC power is applied.

AC Power Recovery Delay
    Sets the time delay for the system to power on after AC power is restored to the system. The default value is Immediate. When this option is set to Immediate, there is no delay for power-up. When this option is set to Random, the system creates a random delay for power-up. When this option is set to User Defined, the system delay time is manually configured.

User Defined Delay (120 s to 600 s)
    Sets the User Defined Delay when the User Defined option for AC Power Recovery Delay is selected. The iDRAC Root of Trust time (around 50 s) is added to the AC recovery time.

UEFI Variable Access
    Provides varying degrees of securing UEFI variables. When set to Standard (the default), UEFI variables are accessible in the operating system per the UEFI specification. When set to Controlled, selected UEFI variables are protected in the environment, and new UEFI boot entries are forced to the end of the current boot order.

In-Band Manageability Interface
    When set to Disabled, this setting hides the Management Engine (ME), the HECI devices, and the system's IPMI devices from the operating system. Hiding these devices prevents the operating system from changing the ME power-capping settings and blocks access to all in-band management tools; all management functions must then be performed out-of-band. The default value is Enabled.
    BIOS updates require the HECI devices to be operational, and DUP updates require the IPMI interface to be operational, so this option must be set to Enabled to avoid update errors.

SMM Security Mitigation
    Enables or disables the UEFI SMM security mitigation protections. The default value is Disabled.

Secure Boot
    Enables Secure Boot, where the BIOS authenticates each preboot image by using the certificates in the Secure Boot Policy. The default value for Secure Boot is Disabled.

Secure Boot Policy
    When the Secure Boot Policy is set to Standard, the BIOS uses the system manufacturer's key and certificates to authenticate preboot images. When it is set to Custom, the BIOS uses the user-defined key and certificates. The default value for Secure Boot Policy is Standard.

Secure Boot Mode
    Configures how the BIOS uses the Secure Boot Policy Objects (PK, KEK, db, dbx).
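The settings in this table are normally verified from two sides: out-of-band, by reading the BIOS attribute inventory that iDRAC's Redfish service returns, and in-band, by reading the Secure Boot variables the firmware exposes to the operating system. The script below is an added example written for this page; it is not Dell code or Dell tooling. The Redfish attribute names it uses (SecureBoot, SecureBootPolicy, UefiVariableAccess, SmmSecurityMitigation, PwrButton, InBandManageabilityInterface, MemoryEncryption, TmeBypass, IntelSgx, NodeInterleave, AcPwrRcvryDelay, AcPwrRcvryUserDelay) are assumptions to be checked against the BIOS attribute registry of the iDRAC firmware in use, the hardening baseline is the editor's choice rather than a Dell default, and the sample inventory and efivarfs bytes are constructed so the script runs offline.

```python
"""Audit Table 27's System Security settings.

Part 1: check a BIOS attribute inventory (the "Attributes" object from
/redfish/v1/Systems/System.Embedded.1/Bios) against a hardening baseline and
against the dependency rules stated in the table.
Part 2: decide, from inside Linux, whether Secure Boot is actually enforcing by
decoding the SecureBoot and SetupMode variables as efivarfs exposes them.
Attribute names are assumptions; all sample data is constructed.
"""
import struct

# Hardening baseline (assumption: editor's choice, not a Dell default).
# InBandManageabilityInterface stays Enabled because BIOS and DUP updates need it.
HARDENED_BASELINE = {
    "SecureBoot": "Enabled",
    "SecureBootPolicy": "Standard",
    "UefiVariableAccess": "Controlled",
    "SmmSecurityMitigation": "Enabled",
    "PwrButton": "Disabled",
    "InBandManageabilityInterface": "Enabled",
}


def audit_bios_attributes(attrs, baseline=HARDENED_BASELINE):
    """Return a list of findings; an empty list means the inventory is compliant."""
    findings = []
    for name, wanted in baseline.items():
        actual = attrs.get(name)
        if actual is None:
            findings.append(f"{name}: missing from BIOS attribute inventory")
        elif actual != wanted:
            findings.append(f"{name}: is {actual}, expected {wanted}")

    # Cross-attribute rules from the table: SGX needs memory encryption on and
    # node interleaving off; a TME bypass defeats an enabled TME.
    if attrs.get("IntelSgx") == "On":
        if attrs.get("MemoryEncryption", "Disabled") == "Disabled":
            findings.append("IntelSgx: On, but MemoryEncryption is Disabled")
        if attrs.get("NodeInterleave") == "Enabled":
            findings.append("IntelSgx: On, but NodeInterleave is Enabled")
    if attrs.get("MemoryEncryption", "Disabled") != "Disabled" and attrs.get("TmeBypass") == "Enabled":
        findings.append("TmeBypass: Enabled while MemoryEncryption is on")

    # A user-defined AC recovery delay must lie in the 120 s to 600 s window.
    if attrs.get("AcPwrRcvryDelay") == "User":
        delay = int(attrs.get("AcPwrRcvryUserDelay", 0))
        if not 120 <= delay <= 600:
            findings.append(f"AcPwrRcvryUserDelay: {delay} s is outside 120-600 s")
    return findings


def redfish_patch_body(attrs, baseline=HARDENED_BASELINE):
    """Body for a PATCH to the Bios/Settings resource that fixes only the deviations.
    (On Dell servers the change is applied by a BIOS configuration job and a reboot.)"""
    fixes = {name: wanted for name, wanted in baseline.items() if attrs.get(name) != wanted}
    return {"Attributes": fixes}


def parse_efivar(raw):
    """efivarfs file layout: 4-byte little-endian attribute mask, then the variable data."""
    if len(raw) < 4:
        raise ValueError("efivar file is shorter than its 4-byte attribute header")
    (attributes,) = struct.unpack("<I", raw[:4])
    return attributes, raw[4:]


def secure_boot_enforcing(secureboot_raw, setupmode_raw):
    """True only when SecureBoot == 1 and SetupMode == 0; only then are db/dbx enforced."""
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    return sb[:1] == b"\x01" and sm[:1] == b"\x00"


# Constructed sample inventory: table defaults plus a few risky choices to flag.
SAMPLE_BIOS_ATTRIBUTES = {
    "SecureBoot": "Disabled",
    "SecureBootPolicy": "Standard",
    "UefiVariableAccess": "Standard",
    "SmmSecurityMitigation": "Disabled",
    "PwrButton": "Enabled",
    "InBandManageabilityInterface": "Enabled",
    "MemoryEncryption": "SingleKey",
    "TmeBypass": "Enabled",
    "IntelSgx": "On",
    "NodeInterleave": "Enabled",
    "AcPwrRcvryDelay": "User",
    "AcPwrRcvryUserDelay": 30,
}

# Constructed efivarfs contents: attribute mask 0x6 (BOOTSERVICE_ACCESS | RUNTIME_ACCESS)
# followed by the single data byte of each variable.
SAMPLE_SECUREBOOT_VAR = struct.pack("<I", 0x6) + b"\x01"
SAMPLE_SETUPMODE_VAR = struct.pack("<I", 0x6) + b"\x00"

if __name__ == "__main__":
    for finding in audit_bios_attributes(SAMPLE_BIOS_ATTRIBUTES):
        print("FINDING:", finding)
    print("PATCH body:", redfish_patch_body(SAMPLE_BIOS_ATTRIBUTES))
    print("Secure Boot enforcing:", secure_boot_enforcing(SAMPLE_SECUREBOOT_VAR, SAMPLE_SETUPMODE_VAR))
```

On a live host, replace the sample dictionary with the "Attributes" object fetched from iDRAC and read the two efivarfs files under /sys/firmware/efi/efivars/ (SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c and SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c). The in-band check matters because a system with Secure Boot Enabled but left in Setup Mode accepts unsigned images; the out-of-band check matters because, with UEFI Variable Access set to Controlled or the In-Band Manageability Interface Disabled, the operating system may not be able to see or change these settings at all.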