Abstract: A method, an information handling system (IHS) and a license file generating system for generating a license file. The method includes receiving, via a processor of a first information handling system (IHS), a plurality of input parameters associated with a product and generating license data at least partially based on the input parameters. The license data is transmitted to a hardware security module (HSM). The method further includes triggering the HSM to retrieve a certificate containing allowable use data. The allowable use data at least partially identifies a permitted installation of a license for the product. The HSM is triggered to embed a signer identifier within the certificate and the HSM is triggered to sign the certificate. The method further includes receiving a signed certificate from the HSM and generating a license file including the license data and the signed certificate. The license file is transmitted to a second IHS.

Abstract: Methods and systems for providing quality of service to an information handling system may involve generating a new transport encryption key for a management controller group, notifying nodes in the management controller group to negotiate for the new transport encryption key, and encrypting a first message to be sent to a first node in the management controller group using a current transport encryption key. The new transport encryption key for encrypted communications in the management controller group and to replace a current transport encryption key. The first message encrypted after notifying the nodes in the management controller group to negotiate for the new transport encryption key. The nodes of the management controller group including the first node.

Abstract: Methods and systems for account authentication in a distributed computing node group may involve sending a message to a member, the message having a first timestamp, increasing an authentication failure count, receiving a first key-exchange message from the member, the first key-exchange message having a second timestamp, evaluating the second timestamp, and determining whether to ignore the first key-exchange message based on an evaluation of the second timestamp. The first timestamp may be associated with a message received from the member prior to sending the message with the first timestamp to the member. The first key-exchange message may include a value computed by the member based on a group passcode shared with the member. The evaluation of the second timestamp may be based on at least one of a default value, the authentication failure count, or a timestamp associated with the group passcode.

Abstract: A verification for a secure boot process may include determining a determined signature for a compendium stored in a memory where the compendium includes a bootloader and an operating system, accessing a verification signature corresponding to the compendium, and comparing the verification signature with the determined signature where if the verification signature is the same as the determined signature, the compendium is verified as secure and a secure boot process is performed with the bootloader and operating system. The compendium may include one or more applications such that the applications may be verified as secure with the verification signature.

Abstract: An information handling system for providing comprehensive remote authorized access to multiple equipment in a datacenter. A mobile device security credential is first authenticated before access information is configured in the mobile device using a short-range wireless interface. The configured access information is mapped to the equipment and the corresponding access token and encryption keys from the equipment are received by the mobile device. The mobile device uses the access token and the encryption keys to simultaneously access the equipment through a long-range wireless interface. The simultaneous access includes parallel accessing of the equipment at a next accessing instance without requiring re-authentication. With the accessed equipment, the mobile device manages the accessed equipment based on the configured access information.

Abstract: In one or more embodiments, one or more systems, methods, and/or processes may receive a digital signature, signed by a signing authority, for a request for utilization of an information handling system firmware application programming interface (API) of the information handling system firmware, signed based at least on information associated with a certificate signed by a certificate authority; may determine that the signing authority is authorized for the request for utilization of the information handling system firmware API; may determine that the signing authority is authorized for the request for utilization of the information handling system firmware API on a platform model of the information handling system; may determine that the certificate is not on a certificate revocation list; and may permit utilization of the information handling system firmware API.

Abstract: Methods, systems, and computer programs encoded on computer storage medium, for identifying a power event of a chassis system; in response to identifying the power event, negotiating between a first and a second enclosure controller (EC) to place the one of the ECs in an active state, wherein the first and the second EC are redundant; in response to placing one of the ECs in the active state, performing, by a chassis orchestration engine, a sequence of actions, including: determining, by coordinating with a first daemon, whether a condition is present that would prevent safe activation of a power supply unit, activating, by coordinating with a second daemon, the power supply unit of the chassis system, activating, by coordinating with a third daemon, a cooling system of the chassis system after performing the sequence of actions, providing a signal to components indicating the active state of the first EC.

Abstract: Methods and systems for account authentication in a distributed computing node group may involve sending a message to a member, the message having a first timestamp, increasing an authentication failure count, receiving a first key-exchange message from the member, the first key-exchange message having a second timestamp, evaluating the second timestamp, and determining whether to ignore the first key-exchange message based on an evaluation of the second timestamp. The first timestamp may be associated with a message received from the member prior to sending the message with the first timestamp to the member. The first key-exchange message may include a value computed by the member based on a group passcode shared with the member. The evaluation of the second timestamp may be based on at least one of a default value, the authentication failure count, or a timestamp associated with the group passcode.

Abstract: Methods, systems, and computer programs encoded on computer storage medium, for verifying, by a mask ROM of a CPU of a first computing device and with fused keys included by the CPU, a boot loader that is included by a flash memory of the first computing device, in response to verifying the boot loader, verifying, by the boot loader and with boot loader keys included by the flash memory, a kernel included by the a memory device of the first computing device, in response to verifying the kernel, decrypting, by the kernel using a hidden root key (HRK) included by the CPU of the first computing device, a device unique certification (DUC) included by the flash memory, in response to decrypting the DUC, generating, by the first computing device, a proof-of-possession of the DUC.

Abstract: In one or more embodiments, one or more systems, methods, and/or process may allow a customer to install and boot their own firmware securely, without compromising secure boot. A baseboard management controller (BMC) may include a BMC firmware stored via a BMC partition of a non-volatile storage, a customer firmware image including a customer firmware and a signed customer boot block (CBB) file including a CBB, a hidden root key (HRK) hash of the CBB based on a HRK, and a manufacturer signature. The BMC firmware may, when an alternate path to boot the CBB is detected, verify the manufacturer signature on the CBB and the HRK hash, verify the HRK hash based on the unique HRK, and when the manufacturer signature and the HRK hash have been verified, hardware lock the BMC partition, disable the HRK, and transfer control to the CBB.

Abstract: Methods and systems for secure messaging may involve receiving an encrypted message from a node, decrypting the message using a default key, sending a message, rotating a group key, and distributing a key rotation message. The message received may be to discover a master of a group. The message sent may welcome the node into the group as a member. The welcome message may be encrypted with the default key and may include information to determine the group key. The group key may be rotated based on an expiration of a group key rotation window. The group key may become a prior group key and the rotated group key may be a current group key. The key rotation message may be encrypted with one of the default key or the prior group key and may include information to determine the current group key.

Abstract: Methods and systems for account authentication in a distributed computing node group may involve sending a message to a member, the message having a first timestamp, increasing an authentication failure count, receiving a first key-exchange message from the member, the first key-exchange message having a second timestamp, evaluating the second timestamp, and determining whether to ignore the first key-exchange message based on an evaluation of the second timestamp. The first timestamp may be associated with a message received from the member prior to sending the message with the first timestamp to the member. The first key-exchange message may include a value computed by the member based on a group passcode shared with the member. The evaluation of the second timestamp may be based on at least one of a default value, the authentication failure count, or a timestamp associated with the group passcode.

Abstract: A method may include, in a chassis configured to provide a common hardware infrastructure to one or more modular information handling systems inserted into the chassis: determining if a save operation is occurring at a time when one or more power supply units are capable of delivering power to the chassis; and delaying power sequencing of the one or more power supply units until the save operation has completed.

Abstract: Methods, systems, and computer programs encoded on computer storage medium, for identifying a power event of a chassis system; in response to identifying the power event, negotiating between a first and a second enclosure controller (EC) to place the one of the ECs in an active state, wherein the first and the second EC are redundant; in response to placing one of the ECs in the active state, performing, by a chassis orchestration engine, a sequence of actions, including: determining, by coordinating with a first daemon, whether a condition is present that would prevent safe activation of a power supply unit, activating, by coordinating with a second daemon, the power supply unit of the chassis system, activating, by coordinating with a third daemon, a cooling system of the chassis system after performing the sequence of actions, providing a signal to components indicating the active state of the first EC.

Abstract: An information handling system includes a processor and a baseboard management controller (BMC). The BMC receives a secure copy protocol (SCP) file including configuration information for the processor, determines whether the BMC is in a lockdown mode in response to receiving the SCP file, and applies the configuration information to change a configuration of the processor in response to determining that the information handling system is not in the lockdown mode.

Abstract: In one or more embodiments, one or more systems, methods, and/or processes may receive a digital signature, signed by a signing authority, for a request for utilization of an information handling system firmware application programming interface (API) of the information handling system firmware, signed based at least on information associated with a certificate signed by a certificate authority; may determine that the signing authority is authorized for the request for utilization of the information handling system firmware API; may determine that the signing authority is authorized for the request for utilization of the information handling system firmware API on a platform model of the information handling system; may determine that the certificate is not on a certificate revocation list; and may permit utilization of the information handling system firmware API.

Abstract: An information handling system includes a device, a controller, and a license manager subsystem. The controller is configured to determine whether the device has a license assigned and to extract a unique identification for the device in response to a request for information about the device. The license manager subsystem is configured to send the request for information about the device to the controller, to send the unique identification for the device to a license server as a request for the license for the device, to receive the license from the license server, and to assign the license to the device when the license is received.

Abstract: A method may include determining if both of two redundant operating system images for executing functionality of a chassis management controller were found during one or more previous boot sessions of the chassis management controller to be unsecure, wherein each operating system image comprises an integrated kernel and initial file root system stored in a respective first partition of a memory of the chassis management controller, verity hashes of a root file system of such operating system image, the verity hashes stored in a respective second partition of the memory, and the root file system of such operating system image stored in a respective third partition of the memory. The method may also include, in response to determining that one of the two redundant operating system images is secure, initiate verification of such operating system image to determine if such operating system image has indicia of tampering.

Abstract: A firmware update of multiple processing nodes in an information handling system may include writing updated firmware images to reserve memory partitions associated with each node, rolling all nodes back to the existing firmware images if writing of an updated firmware image fails, booting each node into the updated firmware image stored on its associated reserve memory partition if writing of updated firmware images succeeds, booting each node into the updated firmware image stored on its associated reserve memory partition, rolling all nodes back to the existing firmware images if booting of an updated firmware image fails, copying the updated firmware images from reserve memory partitions associated with each node to the respective working memory partition associated with each node if booting of updated firmware images succeeds.

Abstract: Methods and systems for account authentication in a distributed computing node group may involve sending a message to a member, the message having a first timestamp, increasing an authentication failure count, receiving a first key-exchange message from the member, the first key-exchange message having a second timestamp, evaluating the second timestamp, and determining whether to ignore the first key-exchange message based on an evaluation of the second timestamp. The first timestamp may be associated with a message received from the member prior to sending the message with the first timestamp to the member. The first key-exchange message may include a value computed by the member based on a group passcode shared with the member. The evaluation of the second timestamp may be based on at least one of a default value, the authentication failure count, or a timestamp associated with the group passcode.