Abstract: Systems and methods provide thermal monitoring during updates to firmware used by managed hardware of an Information Handling System (IHS). A remote access controller of the IHS, that operates separate from CPUs of the IHS, initiates a firmware update for a hardware component via a bus mastered by the remote access controller. Except for transmissions in support of the firmware update, communications on the bus are blocked. While communications on the bus are blocked, a request is detected for transmission of a portion of the firmware update to the hardware component. A time is determined for responding to the request. Prior to the time for responding, a second of the hardware components of the IHS that shares the bus mastered by the remote access controller is polled for thermal data. During the firmware update of the hardware component, closed-loop cooling of the IHS is provided using the thermal data.

Abstract: According to embodiments of the present disclosure, an Information Handling System (IHS), systems and methods for identifying firmware versions of a firmware image using SPDM alias certificates are disclosed. In one embodiment, an IHS includes a Security Protocol and Data Model (SPDM)-enabled device conforming to a SPDM specification, and computer-executable instructions to receive a request to attest a firmware image, generate an alias certificate using a hash of the firmware and version information associated with the firmware in response to the request, and using the alias certificate, attest the version of the firmware image using the version information.

Abstract: According to one embodiment, a path obfuscation system includes first and second hardware devices, and first and second interfaces configured to provide communication between the first and second hardware devices using a security protocol and data model (SPDM) protocol. The first hardware device comprises computer-executable instructions to receive a message to be transmitted to the second hardware device, segment the message into multiple groups of packets, and randomly select either the first or second interface to transmit each group of packet to the second hardware device.

Abstract: Systems and methods provide for SPDM-enabled devices that conform to an SPDM specification. An SPDM-enabled device receives a request to provision a certificate chain on the device and sends an event notification message to a baseboard management controller. The event notification message indicates receipt of a request to provision a certificate chain in a slot on the SPDM-enabled device. The baseboard management controller evaluates the certificate chain against the device manufacturer's certificate profile policy. If the certificate chain is valid, then a validation successful message is sent to the SPDM-enabled device, which in turn sends a certificate provision response to a requesting device. If the certificate chain is not valid, then a validation failure message is sent to the SPDM-enabled device, which causes the SPDM-enabled device to enter a quarantine state.

Abstract: According to embodiments of the present disclosure, systems and methods to advertise Security Protocol and Data Model (SPDM) command timing requirements are provided. According to one embodiment, an Information Handling System (IHS) includes a requester and a responder conforming to a SPDM specification in which the responder is configured with computer-executable logic to, in response to a request from a requester, generate an estimated amount of time to process a SPDM command, and send the estimated amount of time to the requester in response to the request. The requester may then wait the estimated amount of time between sending each of multiple ensuing commands to the responder.

Abstract: According to embodiments of the present disclosure, systems and methods to provide pre-deployment assessment for device integrity are disclosed. The pre-deployment assessment systems and methods include computer-executable instructions to identify a Security Protocol and Data Model (SPDM)-enabled device conforming to a SPDM specification, obtain one or more identifying parameters and one or more critical parameters from the SPDM-enabled device, and communicate with a server to obtain information about the SPDM-enabled device without sending any critical information to the server. The instructions then determine whether the SPDM-enabled device is authorized for use in the IHS by comparing the identifying parameters with the information obtained from the server, and when the SPDM-enabled device is authorized for use with the IHS, send the critical parameters to the server.

Abstract: According to embodiments of the present disclosure, systems and methods to manage Security Protocol and Data Model (SPDM) secure communication sessions are provided. According to one embodiment, an Information Handling System (IHS) includes a Security Protocol and Data Model (SPDM)-enabled device conforming to a SPDM specification in which the SPDM-enabled device has a specified quantity of supported private communication sessions. The IHS also includes computer-executable instructions to, when an application requests use of one of the private communication sessions, determine whether one of the private communication sessions is available, and enable the application to communicate with the SPDM-enabled device through the one private communication session based on the determination.

Abstract: According to embodiments of the present disclosure, systems and methods for SPDM device and BMC pairing are provided. According to one embodiment, an Information Handling System (IHS) includes a Security Protocol and Data Model (SPDM)-enabled device conforming to a SPDM specification, and a Baseboard Management Controller (BMC) configured with computer executable instructions to provision a SPDM identity certificate of the BMC in the SPDM-enabled device, verify that the BMC has been paired with the SPDM-enabled device using the SPDM identity certificate, and when the authentication of the SPDM-enabled device fails, inhibit operation of the SPDM-enabled device in the IHS.

Abstract: According to embodiments of the present disclosure, a certificate caching system and method is provided using Security Protocol and Data Model (SPDM)-enabled Baseboard Management Controller (BMC). The system time verification system and method include program instructions that may be executed on an Information Handling System (HIS) to obtain a certificate from a SPDM-enabled device configured in a target computing device, identify a cache associated with the target computing device, determine whether the certificate is a hardware bound certificate, and store the certificate in the cache based upon the determination.

Abstract: According to embodiments of the present disclosure, an Information Handling System (IHS) including multiple Security Protocol and Data Model (SPDM)-enabled devices is configured to perform collective attestation. The collective attestation is provided by computer-executable instructions that, when executed by a processor of the IHS, receive an attestation request from a requesting device and a device identity certificate from each of the devices. Using the device identity certificates, the instructions perform a cryptographic hash over the received device identity certificates, and send the cryptographic hash to the requesting device in response to the request.

Abstract: According to embodiments of the present disclosure, an Information Handling System (IHS), systems and methods for dynamic policy assignment of secure communication using Security Protocol and Data Model (SPDM) are disclosed. An Information Handling System (IHS) includes a first SPDM-enabled device conforming to a SPDM specification, receives a request to transmit data to a second SPDM-enabled device, obtain one or more policies associated with a corresponding one or more transmission criteria of the first SPDM-enabled device relative to the second SPDM-enabled device, and determine whether the data is to be encrypted based upon whether a transmission of the data meets the transmission criteria. Based upon the determination, encrypt the data prior to transmitting the data to the second SPDM-enabled device.

Abstract: According to embodiments of the present disclosure, a firmware cloning prevention system and method provided using Security Protocol and Data Model (SPDM)-enabled devices. The firmware cloning prevention system and method include program instructions that may be executed on a processing system to determine, by a first node configured in a certificate chain as specified by the SPDM specification, that a second node in the certificate chain possesses a private key stored on the ensuing node, perform a challenge-response verification to establish proof of possession of the private key, and inhibit operation of the ensuing node based upon the challenge-response verification. The second node is the next sequential node of the certificate chain.

Abstract: According to embodiments of the present disclosure, an Information Handling System (IHS), systems and methods for identifying firmware versions of a firmware image using SPDM alias certificates are disclosed. In one embodiment, an IHS includes a Security Protocol and Data Model (SPDM)-enabled device conforming to a SPDM specification, and computer-executable instructions to receive a request to attest a firmware image, generate an alias certificate using a hash of the firmware and version information associated with the firmware in response to the request, and using the alias certificate, attest the version of the firmware image using the version information.

Abstract: According to embodiments of the present disclosure, a system time verification system and method provided using Security Protocol and Data Model (SPDM)-enabled Baseboard Management Controller (BMC). The system time verification system and method include program instructions that may be executed on a BMC to obtain a system time value stored in the BMC after being attested by a requester using a device security certificate associated with the BMC, sign the system time value using the device security certificate, and send the signed system time value to the requester.

Abstract: According to embodiments of the present disclosure, a firmware cloning system and method provided using Security Protocol and Data Model (SPDM)-enabled devices. The firmware cloning system and method include program instructions that may be executed on a processing system to mutually authenticate with a source IHS to generate shared security keys, and end a request to the source IHS to generate a server profile comprising information associated with a configuration of the source HIS. A source HIS is configured to generate the server profile in response to the request, encrypt the server profile using one of the security keys, and send the encrypted server profile to the target HIS. The target HIS then is configured to receive the encrypted server profile, decrypt the encrypted server profile using a source of the shared security keys, and configure the target IHS according to the decrypted server profile.

Abstract: According to embodiments of the present disclosure, a dynamic key distribution system is provided. The dynamic key distribution includes computer-executable instructions to encrypt, using a first Security Protocol and Data Model (SPDM)-enabled device conforming to a SPDM specification, an original Pre-Shared Key (PSK) with a SPDM identity certificate of the first SPDM-enabled device, wherein the original PSK is associated with a second SPDM-enabled device. The instructions are also configured to provision the encrypted PSK in the second SPDM-enabled device, and authenticate the second SPDM-enabled device by decrypting the encrypted PSK to obtain the original PSK using an SPDM protocol.

Abstract: According to embodiments of the present disclosure, trust scores and related recommendations may be generated for an Information Handling System (IHS) with multiple Security Protocol and Data Model (SPDM)-enabled devices. The trust scores and recommendations may be provided by computer-executable instructions that, when executed by a processor, receive a plurality of trust-based data elements from a plurality of Security Protocol and Data Model (SPDM)-enabled devices conforming to a SPDM specification, and derive an overall trust based score for the IHS based upon the received trust-based data elements. The SPDM-enabled devices are configured in a computing device. The trust-based data element are associated with a plurality of SPDM-based measurements performed on the SPDM-enabled devices.

Abstract: According to embodiments of the present disclosure, a Security Protocol and Data Model (SPDM)-enabled device uses a device identity to provide, among other things, a SPDM-based firmware protection system and method that, upon execution by computer-readable instructions, receive, from a requesting device, a request to update the SPDM-enabled device with a software package, and obtain the software package from an online portal. The computer-readable instructions further encrypt the software package with an encryption key, encrypt the encryption key with a device identity certificate of the requesting device, and send the encrypted software package and encrypted encryption key to the requesting device.

Abstract: According to embodiments of the present disclosure, a Security Protocol and Data Model (SPDM)-enabled device uses a device identity to provide, among other things, storing of warranty information, and a technique to uniquely identify the SPDM-enabled device so that its movement can be tracked. An Information Handling System (IHS) includes a processor and a memory coupled to the processor, the memory having program instructions that, upon execution, cause the IHS to obtain context information associated with the SPDM-enabled device conforming to a SPDM specification, generate an identity certificate including the context information, and store the certificate in a slot of the SPDM-enabled device.

Abstract: An Information Handling System (IHS) includes multiple hardware devices, and a baseboard Management Controller (BMC) in communication with the plurality of hardware devices. The BMC includes executable instructions for causing the one hardware device to be inhibited from functioning with the IHS when at least one of the hardware devices is powered on, and performing an authentication procedure with that hardware device. After that hardware device has been successfully authenticated, the instructions then enable the one hardware device to function with the IHS.