Trusted Boot Module With the Ability of Remote Managing of Servers
Several technologies that have become standards in the field of embedded server management and maintenance have been developed recently. Some of them are based on IPMI (Intelligent Platform Management Interface), which is designed for server monitoring and management. The IPMI specification was developed in 1998 by Intel Corporation and is used by many leading computer manufacturers.
The IPMI interface is designed for remote monitoring and management of functions built directly into the hardware and firmware of server platforms. This interface has, in particular, the following remote control and monitoring capabilities:
monitoring of a number of technical parameters of the server, including the temperature of the main hardware units, the voltage and status of power supplies, fan speed, the presence of errors on system buses, etc.;
switching the computer on and off and restarting it;
detection and recording of out-of-range and anomalous states for further investigation and prevention.
The hardware component of IPMI is a standalone controller built into the platform, the Baseboard Management Controller (BMC). It operates independently of the CPU, the basic input/output system (BIOS) and the operating system of the computer. The BMC provides server platform management even when the server is turned off (as long as it is connected to the power supply). The controller has its own processor, memory and network interface.
A detailed description of the structure and functioning of IPMI, as well as of the functions of the BMC controller on the server (providing control and monitoring of its state), is given, in particular, in the paper.
Experience has shown that using, in critical information technologies, computer hardware and software components whose manufacturers do not disclose full information about their products does not guarantee the absence of undeclared capabilities in them. Consequently, the required degree of protection against unauthorized access to the critical components of computer systems and their information resources cannot be guaranteed either.
This may be exacerbated by the use of inappropriate protection mechanisms. In particular, remote access systems based on IPMI usually perform one-factor password authentication. This is in contrast to trusted boot modules, which generally use two-factor authentication: in addition to the password, they require the user to present a special authenticating carrier. Moreover, trusted boot modules make it possible to create a trusted environment in computer systems by integrating various information security tools (including cryptographic hardware or software) with the module into a comprehensive IT protection system.
Since the IPMI interface, on the one hand, provides large-scale server management capabilities and, on the other, relies on weak one-factor password authentication, it can be argued that this interface represents a potential target for attacks on the server (including a switched-off server) via the Internet, increasing the likelihood of unauthorized access to its resources.
We can also note that some information security experts point out that, with the help of the BMC controller and through the IPMI interface, it is possible to control the server’s hardware and software remotely. This gives an attacker who gains control over IPMI almost unlimited opportunities for unauthorized influence on the server (see, for example, [3–5]).
This confirms the validity of the requirement to provide additional protection of servers and workstations based on trusted boot modules (TBM).
The main goals of trusted boot modules are to control and delimit users’ access to computers and their hardware resources, to control the integrity of the software environment installed on the computer, and to perform a number of other protective functions.
Let us consider the Crypton-Zamok devices by ANCUD Ltd. as an example of trusted boot modules. Crypton-Zamok is a series of devices that provide the following basic capabilities:
user identification and strong authentication before the computer’s operating system starts loading;
hardware protection against loading an OS from removable media;
controlling the integrity of the software environment;
delimitation of access to computer resources;
creating several protection contours;
remote and centralized management and administration;
the ability to use different types of key carriers;
secure storage of the device’s own trusted software and firmware in built-in flash memory;
the possibility of integration with various information protection hardware and software.
Trusted boot modules of this series can be implemented both in the form of an expansion board connected to the motherboard of the computer and as a set of microchips integrated directly into the motherboard.
Equipping trusted boot modules of this series with additional hardware components and software modules that provide remote server management makes it possible to execute securely the remote management functions normally specific to the BMC.
Therefore, it is possible to develop a protected system based on trusted boot modules of this kind. At the top level the system includes the following two components (Fig. 1):
a managed server equipped with a Crypton-Zamok device that includes components and modules for remote server management;
an administrator’s workstation equipped with a classic Crypton-Zamok device, as well as specific software modules installed at the OS level that interact with the modules of the Crypton-Zamok device installed on the managed server and jointly provide strict remote authentication of the administrator and remote management of the server.
Let us describe the basic principles of operation of the proposed remote server management system.
At the preliminary stage, installation and configuration actions are performed, which include the following operations:
The managed server is equipped with a trusted boot module with remote server management functions (TBM-SM); in addition to the usual set of modules of the base Crypton-Zamok device, it includes the following software modules:
trusted connection module (TCM);
remote multifactor mutual authentication module (RMMAM);
remote management module (RMM). The RMMAM and RMM modules are executed in the trusted environment of the TBM-SM.
A classic trusted boot module is installed on the administrator’s workstation; any device of the Crypton-Zamok series can be used here (see, for example, [6, 7]).
Specific software modules are installed on the administrator’s workstation to provide mutual authentication between the managed server and the workstation, a secure communication channel between them, and remote management of the server. These modules include the RMMAM, the TCM and the administrator’s graphical user interface (GUI).
The trusted boot module installed on the administrator’s workstation performs strict user authentication on the workstation and its trusted loading. This TBM also checks the integrity of the software components loaded on the workstation, including the RMMAM, the TCM and the administrator’s GUI.
In addition, the trusted boot module on the administrator’s workstation can store the above-mentioned modules (the RMMAM, the TCM and the administrator’s GUI) in its own nonvolatile memory and load them into the target operating system of the administrator’s workstation.
In the regular mode of operation, the remote server management system performs the following sequence of actions:
Two-factor mutual authentication of the administrator is performed. It is based both on the data read from the administrator’s authenticating carrier (AAC) on the administrator’s workstation and on the data stored on the server during the administrator’s registration at the preliminary stage. The authentication is performed by the RMMAM software modules running on the server and on the administrator’s workstation. As mentioned above, it uses the data obtained during the administrator’s local authentication performed by the trusted boot module installed on the administrator’s workstation.
The TCM modules (on the server side and on the administrator’s workstation) provide a secure communication channel between the server and the administrator’s workstation. This protected channel is built on Virtual Private Network (VPN) technology, which allows the traffic of various protocols, including those used for interaction via the IPMI interface, to be encapsulated in the protected channel.
The remote management modules on both sides transfer control information between the administrator’s workstation and the managed server.
Server administration functions are carried out using the administrator’s GUI running on the administrator’s workstation.
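The two-factor mutual authentication step of the sequence above, as an added illustrative example that is not the paper’s or ANCUD’s code. The paper does not specify the RMMAM protocol, so the key derivation (PBKDF2 over the password and the secret read from the AAC), the labelled HMAC challenge-response, and the names ManagedServer, workstation_login and demo are all assumptions; the example also runs the failure cases a practitioner would check: wrong password, wrong carrier, and an impostor server that cannot prove knowledge of the key.

```python
# Illustrative RMMAM exchange (assumed design: PBKDF2 key derivation plus a
# labelled HMAC challenge-response); not the Crypton-Zamok device's own code.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)

def derive_key(password: str, carrier_secret: bytes, salt: bytes) -> bytes:
    # Both factors feed the key: the password (knowledge) and the secret
    # read from the administrator's authenticating carrier, the AAC (possession).
    return hashlib.pbkdf2_hmac("sha256", password.encode() + carrier_secret, salt, ITERATIONS)

def proof(key: bytes, role: bytes, admin_id: str, nonce_c: bytes, nonce_s: bytes) -> bytes:
    # HMAC over both nonces; the role label stops a tag being reflected back to its sender.
    return hmac.new(key, b"|".join([role, admin_id.encode(), nonce_c, nonce_s]), "sha256").digest()

class ManagedServer:
    # Server side of the RMMAM; in the device it runs inside the TBM-SM trusted environment.
    def __init__(self):
        self.records = {}  # admin_id -> (salt, key), written at the preliminary stage
        self.pending = {}  # admin_id -> (nonce_c, nonce_s) of the exchange in progress

    def register(self, admin_id: str, password: str, carrier_secret: bytes) -> bytes:
        salt = os.urandom(16)
        self.records[admin_id] = (salt, derive_key(password, carrier_secret, salt))
        return salt  # the workstation needs the salt to re-derive the same key

    def challenge(self, admin_id: str, nonce_c: bytes):
        # Message 2: a fresh server nonce plus the server's proof of the shared key,
        # so the administrator authenticates the server before revealing anything.
        _, key = self.records[admin_id]
        nonce_s = os.urandom(16)
        self.pending[admin_id] = (nonce_c, nonce_s)
        return nonce_s, proof(key, b"server", admin_id, nonce_c, nonce_s)

    def verify(self, admin_id: str, tag_c: bytes) -> bool:
        # Message 3 check, using the nonces the server itself recorded (never the client's copy).
        _, key = self.records[admin_id]
        nonce_c, nonce_s = self.pending.pop(admin_id)
        return hmac.compare_digest(proof(key, b"client", admin_id, nonce_c, nonce_s), tag_c)

def workstation_login(server, admin_id: str, salt: bytes, password: str, carrier_secret: bytes) -> bool:
    # Workstation side of the RMMAM; True only if both parties authenticated each other.
    key = derive_key(password, carrier_secret, salt)
    nonce_c = os.urandom(16)                              # message 1
    nonce_s, tag_s = server.challenge(admin_id, nonce_c)  # message 2
    if not hmac.compare_digest(proof(key, b"server", admin_id, nonce_c, nonce_s), tag_s):
        return False  # server failed to prove the key: abort without sending our proof
    return server.verify(admin_id, proof(key, b"client", admin_id, nonce_c, nonce_s))

def demo() -> dict:
    # Constructed sample: one registered administrator, then four login attempts.
    server = ManagedServer()
    aac = os.urandom(32)                                  # secret held on the AAC
    salt = server.register("admin", "correct horse", aac)
    rogue = ManagedServer()                               # impostor lacking the real factors
    rogue.register("admin", "guess", os.urandom(32))
    return {
        "genuine": workstation_login(server, "admin", salt, "correct horse", aac),
        "wrong_password": workstation_login(server, "admin", salt, "wrong", aac),
        "wrong_carrier": workstation_login(server, "admin", salt, "correct horse", os.urandom(32)),
        "rogue_server": workstation_login(rogue, "admin", salt, "correct horse", aac),
    }
```

Only the genuine attempt returns True; the impostor case fails at message 2, before the workstation has sent its own proof.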
If required, the managed server and the administrator’s workstation can optionally be equipped with Crypton-AncNet devices. This device is a cryptographic network adapter that performs pass-through encryption of the data transmitted through it. Using Crypton-AncNet devices, an alternative cryptographically protected channel can be created for transferring data between the server and the administrator’s workstation.
The TBM-SM device has undergone significant changes compared with the base trusted boot module in order to perform the set of additional functions that provide remote management of servers. The scheme of the TBM-SM device is shown in Fig. 2.
The device consists of two main functional blocks on a common board:
a trusted boot unit that logically combines the basic functions usually inherent in trusted boot modules;
a resource management unit that integrates additional functions, including remote server management functions.
The trusted boot unit includes the following components:
a local identification and authentication module that performs local user authentication and trusted computer loading;
a power management module that controls the main power of the computer (regardless of the chipset of the computer’s motherboard) and locks the computer if the system detects violations;
a unit of functional modules performing the main functions of trusted loading;
a module for interaction with external (outside of the TBM-SM device) information security tools;
trusted environment software;
a settings unit of the TBM-SM device that contains the list of monitored hardware and software objects, the settings and keys for centralized administration, and additional settings, including the parameters of interconnection with the external information security hardware modules connected to the device;
a log file that contains registered information about critical events and attempts of unauthorized access;
a block with registered users’ credentials.
The unit of functional modules (part of the trusted boot unit) includes the following software modules:
an integrity control module;
a module for diagnostics of the state of the device components;
a module for checking critical time intervals of the computer start-up and loading procedure;
a device configuration module;
a computer motherboard model identification module;
a random number generator.
The following modules can be used as modules for interaction with external information security tools:
a module for loading key information into cryptographic information security software or hardware, including several types of encoders (for example, the above-mentioned cryptographic network adapter Crypton-AncNet, which can be installed in the managed server);
a module for interaction with an access control system installed in the computer operating system;
a module providing single sign-on of users into the computer operating system;
a module supporting interaction with servers to provide centralized administration;
a module for setting up the TBM-SM device in terms of its interaction with external devices.
All modules of the unit described above are optional. Their presence is required only if the corresponding information security hardware or software is connected to the TBM-SM device or installed in the computer operating system.
The trusted environment software includes the following software modules:
software for integrity checking of program-controlled objects (it also provides the related GUI for administrators);
remote device management software;
a trusted operating system.
The second of the main units of the TBM-SM device, the resource management unit, includes the following components:
a trusted connection module;
a remote management module;
a remote multifactor mutual authentication module intended for remote authentication of the user (administrator) on the managed server;
a module that implements the Ethernet network interface.
The TCM is a VPN server that, together with the TCM module of the administrator’s workstation, provides the secure communication channel.
As stated above, the server and the administrator’s workstation can be equipped with Crypton-AncNet devices that form an alternative cryptographically protected channel for data transmission. In this case, the server and the administrator’s workstation are linked by two secure channels, which are used as follows:
the main communication channel, created by the TCM modules and based on VPN connections with software protection of network traffic; it is used for remote management of the server;
an alternative communication channel, formed by the Crypton-AncNet devices with hardware pass-through encryption of network traffic; it is used for transmitting other information (for example, the contents of files stored on the managed server) as part of the information exchange between the server and the administrator’s workstation.
The RMM module is responsible for the data exchange between the server and the administrator’s workstation during remote management.
To perform both the main functions of the trusted boot module and the remote server management functions, the TBM-SM device has the following external interfaces:
various interfaces for communication with the computer, such as PCI, PCI Express (PCIe), USB, etc.;
an interface for computer power management and locking, which can be any wired interface;
various interfaces that support a variety of remote server management techniques, e.g. serial-over-IP, KVM-over-IP, emulation of USB devices and transmission of information from the server components’ state sensors via the Internet;
an Ethernet network interface for building the communication channel with the administrator’s workstation;
an interface to the AAC; its specific type depends on the type of authenticating carrier in use;
an inter-module interface to the Crypton-AncNet device and other interfaces for interaction with external information security hardware; the types of such interfaces depend on the hardware used, for example an inter-module interface for loading encryption keys into hardware encoders, a USB host (which can also be used to connect external devices, in particular smart card readers or USB tokens), an asynchronous serial interface (UART, for example RS-232), etc.
The connectors of these interfaces can be placed either on the board of the TBM-SM device itself or on the motherboard of the computer in order to minimize the size of the device.
Several types of devices can be used as authenticating carriers, including iButtons, various types of smart cards, USB tokens and flash drives, various types of memory cards, etc. It is also theoretically possible to use biometric attributes of users as additional authentication factors. Accordingly, the reader must correspond to the type of carrier used:
a connector for iButtons;
a USB interface for USB tokens and flash drives;
a contact or contactless (including Near Field Communication, NFC) reader for smart cards;
a reader for biometric attributes, and so on.
A specific TBM-SM device may contain a subset of the above-mentioned units and software modules, depending on the following factors:
technologies used in a particular computer system;
protection functions implemented by the device;
specific set of external information security tools in use.
Thus, it appears possible and promising to use the TBM-SM device (created on the basis of the Crypton-Zamok device), which combines the functions usually performed by trusted boot modules (prevention of unauthorized access, strict user authentication, integrity control of software modules and creation of a trusted operating environment) with functions providing remote management of servers over a secure communication channel between the managed server and the administrator’s workstation.
The main features of the server remote management system based on this device are the following:
reliable protection of the computer system and its components (including the server and the administrator’s workstation) based on trusted boot modules and cryptographic devices or software;
remote two-factor mutual authentication;
remote management of servers over a secure, transparently encrypted channel that can carry the traffic of any standard protocols on various information transmission and processing platforms.
The use of the Crypton-Zamok device guarantees a trusted environment that increases the effectiveness of protecting the computer from unauthorized actions at all stages of its operation, and also enables remote administration and remote authentication in computer networks with various data transfer protocols and platforms.
Owing to its wide functionality, and to the fact that most critical operations for creating a trusted environment and implementing remote management are performed inside the device, the Crypton-Zamok device with remote server management functions retains the advantages of the underlying trusted boot module, including the ability to perform backbone functions and to serve as the basis of an integrated system for effective protection of computers and distributed systems in general. At the same time, this device provides the ability to administer and manage servers remotely while implementing reliable two-factor mutual authentication, which increases the effectiveness of the protection and management functions.
It is advisable to use the Crypton-Zamok device with remote server management functions for servers intended for applications with increased information security requirements.
The authors consider the following results of this paper to be novel:
Principles have been offered for creating systems for remote management of servers over cryptographically protected channels, using mechanisms of strict user authentication before remote management is performed.
A functional diagram of the TBM-SM device has been developed that combines the basic functions of trusted boot modules (such as identification and authentication of users, organization of the trusted execution environment, control of software module integrity, access control to the resources of the protected computer, etc.) with the ability to remotely manage servers through a secure communication channel.
Prototypes of the TBM-SM device and of the remote server management system have been developed.
At the moment, the technical solutions described above (the system for remote management of servers via a cryptographically protected channel and the TBM-SM device) are being patented [8, 9].
1. IPMI — Intelligent Platform Management Interface Specification, Second Generation, v2.0. Document Revision 1.1, October 1, 2013. Intel, Hewlett-Packard, NEC, Dell.
2. Minyard C. IPMI — A Gentle Introduction with OpenIPMI. http://openipmi.sourceforge.net. MontaVista Software, 2006.
3. Schneier B. The Eavesdropping System in Your Computer. https://www.schneier.com, 2013.
4. Farmer D. IPMI: Freight Train to Hell or Linda Wu & The Night of the Leeches. Version 2.0.3. http://fish2.com, August 22, 2013.
5. Farmer D. Sold Down the River. http://fish2.com, June 23, 2014.
6. Dudarev D. A., Poletaev V. M., Poltavtsev A. V., Romanets Y. V., Syrchin V. K. Apparatus for Creating Trusted Environment for Computers of Information Computer Systems. Patent RU 2538329. “ANCUD” Ltd., 2014. (In Russian).
7. Dudarev D. A., Kravtsov A. Y., Poletaev V. M., Poltavtsev A. V., Romanets Y. V., Syrchin V. K. Device to Create Trusted Execution Environment for Special Purpose Computers. Patent RU 2569577. “ANCUD” Ltd., Kraftway Corporation PLC, 2015. (In Russian).
8. Setevye shifratory «KRIPTON AncNet» [Network Encryptors “KRIPTON AncNet”]. http://www.ancud.ru. (In Russian).
9. Dudarev D. A., Panasenko S. P., Puzyrev D. V., Romanets Y. V., Syrchin V. K. Computer System with Remote Control by Server and Device for Creating Trusted Environment and Method for Implementation of Remote Control. Patent RU 2633098. “ANCUD” Ltd., 2017. (In Russian).
10. Bychkov I. N., Dudarev D. A., Molchanov I. A., Orlov M. V., Panasenko S. P., Puzyrev D. V., Romanets Y. V., Syrchin V. K. Computer System with Remote Control by Server and Device for Creating Trusted Environment. Patent Application RU 2017103816. “ANCUD” Ltd., PJSC “Brook INEUM”, 2017. (In Russian).