SPDM Security

SPDM Security

Cisco UCS M6, M7, and M8 servers can contain mutable components that could provide vectors for attack against a device itself or use of a device to attack another device within the system. To defend against these attacks, the Security Protocol and Data Model (SPDM) Specification enables a secure transport implementation that challenges a device to prove its identity and the correctness of its mutable component configuration.

SPDM defines messages, data objects, and sequences for performing message exchanges between devices over a variety of transport and physical media. It orchestrates message exchanges between Baseboard Management Controllers (BMC) and end-point devices over a Management Component Transport Protocol (MCTP). Message exchanges include authentication of hardware identities accessing the BMC. The SPDM enables access to low-level security capabilities and operations by specifying a managed level for device authentication, firmware measurement, and certificate management. Endpoint devices are challenged to provide authentication. and BMC authenticates the endpoints and only allows access for trusted entities.

The UCS Manager optionally allows uploads of external security certificates to BMC. A maximum of 40 SPDM certificates is allowed, including native internal certificates. Once the limit is reached, no more certificates can be uploaded. User uploaded certificates can be deleted but internal/default certificates cannot.

A SPDM security policy allows you to specify one of three Security level settings. Security can be set at one of the three levels listed below:

  • Full Security:

    This is the highest MCTP security setting. When you select this setting, a fault is generated when any endpoint authentication failure or firmware measurement failure is detected. A fault will also be generated if any of the endpoints do not support either endpoint authentication or firmware measurements.

  • Partial Security (default):

    When you select this setting, a fault is generated when any endpoint authentication failure or firmware measurement failure is detected. There will NOT be a fault generated when the endpoint doesn’t support endpoint authentication or firmware measurements.

  • No Security

    When you select this setting, there will NOT be a fault generated for any failure (either endpoint measurement or firmware measurement failures).

You can also upload the content of one or more external/device certificates into BMC. Using a SPDM policy allows you to change or delete security certificates or settings as desired. Certificates can be deleted or replaced when no longer needed.

Certificates are listed in all user interfaces on a system.

Creating a SPDM Security Policy

This step creates a SPDM policy.


Note

You can upload up to 40 SPDM certificates (including native certificates).

Procedure

Step 1

In the Navigation pane, click Servers.

Step 2

Go to Policies. Expand the root node.

Step 3

Right-click SPDM Certificate Policies and select Create SPDM Policy.

Step 4

Enter a name for this policy and select a Fault Alert Setting for the security level: Disabled, Partial, or Full.

Full—If you select this option, then a fault is generated when there is any endpoint authentication failure for both supported and unsupported endpoints.

Partial—If you select this option then a fault is generated when there is any endpoint authentication failure to only supported endpoints. No fault is generated when the endpoint does not support authentication.

Disabled—If you select this option then no fault is generated for endpoint authentication failure for both supported and unsupported endpoints.

The default is Partial.

Note

 

To perform SPDM re-authentication and update the faults, Cisco IMC reboot or host reboot is required when the fault alert value is changed for an associated profile.

Step 5

Click on Add in the Create Policy window. The Add SPDM Certificate window will open.

Step 6

Name the certificate.

UCS Manager supports only Pemcertificates.

Step 7

Paste the contents of the certificate into the Certificate field.

Step 8

Click OK to add the certificate and return to the Create SPDM Policy window.

You can add up to 40 certificates.

Step 9

In the Create SPDM Policy menu, click Okay.

After the SPDM policy is created, it will be listed immediately, along with its Alert setting, when you select SPDM Certificate Policy under the Server root Policies.

What to do next

Assign the Certificate to a Service Profile. The Service Profile must be associated with a server for it to take effect.

Associating the Security Policy with a Server

Before you begin

Create the SPDM security policy.

Procedure

Step 1

In the Navigation pane, click Servers.

Step 2

Go to Service Profiles. Expand the root node.

Step 3

Select the Service Profile you want to associate with the Policy you created.

  1. On the Policies tab, scroll down and expand SPDM Certificate Policy. In the SPDM Certificate Policy dropdown, select the desired policy to associate with this Service Profile.

Step 4

Click OK.

The SPDM Policy will now be associated with the service profile.

What to do next

Check the fault alert level to make sure it is set to the desired setting.

Viewing the Fault Alert Settings

You can view the Fault Alert setting associated with a specific chassis.

Before you begin

Create a policy and associate it with a Service Profile.

Procedure

Step 1

In the Navigation pane, click Equipment.

Step 2

Select a Rack-Mount Server.

Step 3

On the Inventory tab, select CIMC. .

User uploaded certificates are listed and information for specific certificates can be selected and viewed.