Abstract: An information handling system includes a protected memory that stores identifiers of locked down devices. The system receives a firmware update package for a device within the information handling system. The firmware update package includes a firmware update for the device. The system determines whether an identifier for the device is located within protected memory. If the identifier for the device is located within the protected memory, then the system prevents the firmware update for the device.

Abstract: An information handling system includes a memory, a baseboard management controller (BMC), and a basic input/output system (BIOS). The memory stores a secure boot policy for a plurality of input/output (I/O) devices in the information handling system. The BMC performs a firmware update for a first I/O device of the I/O devices. In response to the firmware update being completed successfully, the BMC creates a system management task. During a next boot after the creation of the system management task, the BIOS detects the system management task. The BIOS calculates a new hash value for a firmware image of the firmware update. The BIOS replaces a previous hash value with the new hash value in the secure boot policy.

Abstract: An information handling system includes a memory and a baseboard management controller (BMC). The memory stores a secure boot policy for multiple input/output (I/O) devices in the information handling system. The BMC extracts a new firmware hash value from a firmware update package. The new firmware hash value is associated with a new firmware image of a first I/O device of the I/O devices. The BMC performs a firmware update for the first I/O device. In response to the firmware update being successfully completed, the BMC replaces an old firmware hash value with the new firmware hash value in the secure boot policy.

Abstract: An information handling system includes a memory and a basic input/output system (BIOS). The memory stores a lookup table to associate each of a plurality of device firmware hashes with a corresponding one of a plurality of device identification strings. The BIOS calculates the each of the device firmware hashes. Each device firmware hash is associated with a different device firmware. The BIOS creates the lookup table based on the calculated device firmware hashes and the device identification strings. Based on the lookup table, the BIOS displays a secure boot allowed devices database list on a display device.

Abstract: An information handling system includes multiple components including a first component. The first component includes a protected memory and a basic input/output system (BIOS). The protected memory stores a revoked versions list. The BIOS initializes a firmware update for a firmware image having a firmware version. The BIOS scans the revoked versions list for the firmware version of the firmware image. In response to the firmware version not being located within the revoked versions list, the BIOS completes the firmware update, and determines whether a revoked firmware version is included in the firmware update. In response to the revoked firmware version being included in the firmware update, the BIOS adds an entry in the revoked versions list. The entry is associated with the revoked firmware version included in the firmware update.

Abstract: A method and an information handling system (IHS) for authenticating unified extensible firmware interface (UEFI) images in an IHS. The method includes receiving, by a processor of the IHS, a request to authenticate an image. The method also includes determining a type of the image and retrieving, from an entry within a UEFI signature database, a certificate utilized to sign the image. The method further includes determining a verification entry of a verification database of the HIS that corresponds to the entry of the UEFI signature database and identifying, from the verification entry, a particular type of image which the certificate may be used to authenticate. The method further includes determining whether the type of the image is the particular type. In response to determining the type of the image is the particular type, the method includes authenticating the image using the certificate.

Abstract: A method, an information handling system (IHS) and a detection system for detecting runtime tampering of unified extensible firmware interface (UEFI) images in an IHS. The method includes retrieving, via a board management controller (BMC) from a first memory device, a first UEFI driver associated with a first component of the IHS. The method also includes generating a first hash of the first UEFI driver and retrieving, from a second memory device, a second hash associated with an initial first UEFI driver of the first component of the IHS. The method further includes determining if the first hash and the second hash match, and in response to the first hash and the second hash not matching, generating an error message that indicates detection of runtime tampering with the first UEFI driver and storing the error message to an error log.

Abstract: A method, information handling system (IHS) and a recovery system for recovering an IHS from a secure boot authentication failure. The method includes retrieving, via a processor from a first memory device, a first unified extensible firmware interface (UEFI) driver associated with a first component/device of the IHS. The method further includes determining, via a secure boot process, if the first UEFI driver is an authenticated UEFI driver. In response to determining that the first UEFI driver is not an authenticated driver, a previously validated UEFI driver corresponding to the first component/device is retrieved from a second memory device. The method further includes loading the previously validated UEFI driver.

Abstract: A method, an information handling system (IHS) and a detection system for detecting tampering of memory contents. The method includes retrieving, via a board management controller (BMC), from a first memory device, a first hash associated with current first data such as a firmware image stored on the first memory device and retrieving, from a second memory device, a previously stored second hash associated with initial first data. The method further includes determining if the first hash and the second hash match. In response to the first hash and the second hash not matching, an error message is generated which indicates that the current first data of the first memory device has been tampered with. The error message is stored to an error log. The error message identifies the specific current first data and/or firmware image that has been tampered with. The method repeats periodically during runtime.

Abstract: An information handling system includes a non-volatile memory device for storing basic input-output system (BIOS) firmware. The system also includes a service processor that is coupled to the first non-volatile memory. The service processor initiates access to the first non-volatile memory, and stores configuration information at the non-volatile memory device. The configuration information can include Unified Extensible Firmware Interface (UEFI) Human Interface Infrastructure (HII) strings.

Abstract: A method and an information handling system (IHS) for authenticating unified extensible firmware interface (UEFI) images in an IHS. The method includes receiving, by a processor of the IHS, a request to authenticate an image. The method also includes determining a type of the image and retrieving, from an entry within a UEFI signature database, a certificate utilized to sign the image. The method further includes determining a verification entry of a verification database of the HIS that corresponds to the entry of the UEFI signature database and identifying, from the verification entry, a particular type of image which the certificate may be used to authenticate. The method further includes determining whether the type of the image is the particular type. In response to determining the type of the image is the particular type, the method includes authenticating the image using the certificate.

Abstract: A method, an information handling system (IHS) and a detection system for detecting tampering of memory contents. The method includes retrieving, via a board management controller (BMC), from a first memory device, a first hash associated with current first data such as a firmware image stored on the first memory device and retrieving, from a second memory device, a previously stored second hash associated with initial first data. The method further includes determining if the first hash and the second hash match. In response to the first hash and the second hash not matching, an error message is generated which indicates that the current first data of the first memory device has been tampered with. The error message is stored to an error log. The error message identifies the specific current first data and/or firmware image that has been tampered with. The method repeats periodically during runtime.

Abstract: A method, an information handling system (IHS) and a detection system for detecting runtime tampering of unified extensible firmware interface (UEFI) images in an IHS. The method includes retrieving, via a board management controller (BMC) from a first memory device, a first UEFI driver associated with a first component of the IHS. The method also includes generating a first hash of the first UEFI driver and retrieving, from a second memory device, a second hash associated with an initial first UEFI driver of the first component of the IHS. The method further includes determining if the first hash and the second hash match and in response to the first hash and the second hash not matching, generating an error message that indicates detection of runtime tampering with the first UEFI driver and storing the error message to an error log. The matching of the first hash and the second hash indicates that no runtime tampering of the UEFI drivers and images has been detected.

Abstract: A method, information handling system (IHS) and a recovery system for recovering an IHS from a secure boot authentication failure. The method includes retrieving, via a processor from a first memory device, a first unified extensible firmware interface (UEFI) driver associated with a first component/device of the IHS. The method further includes determining, via a secure boot process, if the first UEFI driver is an authenticated UEFI driver. In response to determining that the first UEFI driver is not an authenticated driver, a previously validated UEFI driver corresponding to the first component/device is retrieved from a second memory device. The method further includes loading the previously validated UEFI driver.

Abstract: Systems and methods for managing dependencies for Human Interface Infrastructure (HII) devices are described. In some embodiments, an Information Handling System (IHS) may include a host processor and a Baseboard Management Controller (BMC) coupled to the host processor, the BMC having program instructions stored thereon that, upon execution by the BMC, cause the BMC to: receive, from another IHS remotely located with respect to the IHS, a request to change a value of a given attribute of a Human Interface Infrastructure (HII) device coupled to the IHS; and use a dependency matrix to determine how the change is affected by a current value of another attribute.

Abstract: Systems and methods for managing dependencies for Human Interface Infrastructure (HII) devices are described. In some embodiments, an Information Handling System (IHS) may include a host processor and a Baseboard Management Controller (BMC) coupled to the host processor, the BMC having program instructions stored thereon that, upon execution by the BMC, cause the BMC to: receive, from another IHS remotely located with respect to the IHS, a request to change a value of a given attribute of a Human Interface Infrastructure (HII) device coupled to the IHS; and use a dependency matrix to determine how the change is affected by a current value of another attribute.

Abstract: An information handling system includes a non-volatile memory device for storing basic input-output system (BIOS) firmware. The system also includes a service processor that is coupled to the first non-volatile memory. The service processor initiates access to the first non-volatile memory, and stores configuration information at the non-volatile memory device. The configuration information can include Unified Extensible Firmware Interface (UEFI) Human Interface Infrastructure (HII) strings.

Abstract: A solution to optimize system boot-up time by selectively collecting device inventory for only the devices that have configuration changes and for skipping for all other devices. More specifically, the solution includes a selective driver binding operation which in certain embodiments executes within an inventory application. After the selective driver binding operation gathers data for a certain device, the selective driver binding operation gathers data for that certain device again only when data relating to the particular device has changed. Instead of binding to every device, the selective driver binding operation selectively binds only to devices with changes, thus executing system management code only for specific devices and saving boot time.

Abstract: A solution to optimize system boot-up time by selectively collecting device inventory for only the devices that have configuration changes and for skipping for all other devices. More specifically, the solution includes a selective driver binding operation which in certain embodiments executes within an inventory application. After the selective driver binding operation gathers data for a certain device, the selective driver binding operation gathers data for that certain device again only when data relating to the particular device has changed. Instead of binding to every device, the selective driver binding operation selectively binds only to devices with changes, thus executing system management code only for specific devices and saving boot time.