Abstract: Systems and methods prevent nonsecure updates to firmware of an IHS (Information Handling System). During factory provisioning of the IHS, a manifest of firmware loaded for operating a hardware component of the IHS is digitally signed by a remote access controller of the IHS, and the signed manifest is stored to the IHS. Once the IHS has been deployed and during an interval where the IHS does not have access to external networks by which to validate a received firmware update, the signed manifest of loaded firmware is retrieved and used to determine whether the received firmware update is compatible with the loaded firmware of the hardware component. When the update is compatible with the loaded firmware, at least a portion of the loaded firmware is replaced with the firmware update and an updated manifest is digitally signed to reflect availability of the update for use by the hardware component.

Abstract: Centralized management of a Data Processing Unit (DPU) Baseboard Management Controller (BMC) through an integrated server remote access controller (iRAC) may include embedding a secure token in a communication from the iRAC to a BMC of a DPU, the secure token authorizing the iRAC to the DPU BMC and authorizing the DPU BMC to the iRAC. The secure token may include a first layer token authorizing the iRAC to the DPU and authorizing the DPU to the iRAC and a second layer token authorizing the DPU to the DPU BMC and authorizing the BMC to the DPU. Alternatively, the secure token may be generated by the iRAC generating an initial token authorizing the iRAC to the DPU and authorizing the DPU to the iRAC, the iRAC embedding the initial token in a request to the DPU for a resource of the DPU BMC and the DPU generating the secure token.

Abstract: Embodiments of the present disclosure provide a system and method for providing an input/output (I/O) attack prevention system and method for an Information Handling System (IHS) that is managed by a systems management console. One embodiment of the I/O device attack prevention system includes a systems manager in communication with multiple server IHSs configured in a data center. The IHS includes executable instructions to detect that an I/O device has been connected to an external I/O port of the IHS, and send information associated with the I/O device detection to the systems manager such that it determines whether the I/O device is authorized for use with the IHS. The IHS receives the results of the determination from the systems manager, and allows or disallows use of the I/O device with the IHS based on the results of the determination.

Abstract: An information handling system may include a processor, one or more storage resources communicatively coupled to the processor, including at least one of the one or more storage resources communicatively coupled to the processor via a storage interface, and a basic input/output system (BIOS) comprising a program of instructions executable by the processor and configured to cause the processor to initialize one or more information handling resources of the information handling system. The BIOS may be further configured to, in response to a request to perform a firmware update to the one or more storage resources, scan for storage resources communicatively coupled to the processor via the storage interface, register unique identifiers associated with the storage resources communicatively coupled to the processor via the storage interface, and perform a firmware update of the storage resources communicatively coupled to the processor via the storage interface based on the unique identifiers.

Abstract: An information handling system may include a management controller configured to provide out-of-band management of the information handling system. The management controller may be configured to: receive network traffic from a client information handling system, the network traffic relating to management of the information handling system; and transmit at least a portion of the network traffic to a traffic classifier. The traffic classifier may be configured to: determine a protocol associated with the network traffic; compare the network traffic with protocol-specific classification data based on the determined protocol; and determine, based on the comparison, a likelihood that the network traffic is malicious. Based on the determined likelihood exceeding a threshold, the management controller may be configured to execute a remedial action with respect to the network traffic.

Abstract: A system includes a management system, a managed system that is coupled to the management system through a network. The managed system comprises a managed device, a key identifier storage, a first managed device locking system coupled to the managed device and the key identifier storage, and a second managed device locking system coupled to the managed device, the key identifier storage, and the first managed device locking system. The first managed device locking system is configured to store a key identifier of the managed device in the key identifier storage and to provide access to a locking key of the managed device based upon the key identifier of the managed device, stored in a management system. The second managed device locking system is configured to monitor the managed device for an event that triggers unlocking the managed device, monitor operating status of the first managed device locking system.

Abstract: An information handling system may include a processor, one or more storage resources communicatively coupled to the processor, including at least one of the one or more storage resources communicatively coupled to the processor via a storage interface, and a basic input/output system (BIOS) comprising a program of instructions executable by the processor and configured to cause the processor to initialize one or more information handling resources of the information handling system. The BIOS may be further configured to, in response to a request to perform a firmware update to the one or more storage resources, scan for storage resources communicatively coupled to the processor via the storage interface, register unique identifiers associated with the storage resources communicatively coupled to the processor via the storage interface, and perform a firmware update of the storage resources communicatively coupled to the processor via the storage interface based on the unique identifiers.

Abstract: A system includes a management system, a managed system that is coupled to the management system through a network. The managed system comprises a managed device, a key identifier storage, a first managed device locking system coupled to the managed device and the key identifier storage, and a second managed device locking system coupled to the managed device, the key identifier storage, and the first managed device locking system. The first managed device locking system is configured to store a key identifier of the managed device in the key identifier storage and to provide access to a locking key of the managed device based upon the key identifier of the managed device, stored in a management system. The second managed device locking system is configured to monitor the managed device for an event that triggers unlocking the managed device, monitor operating status of the first managed device locking system.

Abstract: An information handling system includes a processor, a managed device that provides a function to the processor, wherein the function is managed in accordance with a Managed Object Format (MOF) file, and a management controller that receives the MOF file, converts the MOF file to a Management Information Base (MIB), and manages the function based upon the MIB.

Abstract: An information handling system includes a processor, a managed device that provides a function to the processor, wherein the function is managed in accordance with a Managed Object Format (MOF) file, and a management controller that receives the MOF file, converts the MOF file to a Management Information Base (MIB), and manages the function based upon the MIB.