1. Field of the Invention
The present invention relates in general to the field of information handling system security, and more particularly to a system and method for safe information handling system boot.
2. Description of the Related Art
As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
Increased use of information handling systems by enterprises and individuals has resulted in the storage of large quantities of sensitive data and an increased need for ready access to that data. Naturally, valuable data has drawn the interest of hackers and thieves, who have sought to penetrate datacenters with attacks of increasing sophistication. In response, enterprises and individuals have employed a variety of authentication solutions to limit access to data and to protect networks and information handling systems from malicious attacks. Many authentication solutions seek to protect the perimeter around stored data, while others protect data at the operating system level or with dedicated appliances. Increasingly sophisticated hardware solutions have come to market, such as hardware-encrypting storage drives, encrypting RAID controllers and encrypting chipsets. One difficulty with these solutions is that datacenter topologies typically store the secrets and credentials that protect the data on the same platform that stores the data, in which case an attacker with physical access to that platform can largely bypass the protection. Another difficulty is that a rogue system that has been successfully compromised inside a datacenter can still boot onto a controlled network, putting the rest of the network at risk.
To avoid infiltration by malicious software, industry has developed a number of physical systems that are protected from access by external software, such as software communicated through a network. For example, a Trusted Platform Module (TPM) is a dedicated security coprocessor, attached to an information handling system's chipset, that records a cryptographic hash of each boot component in registers that software cannot reset, so that a modified boot process can be detected and reported. A related class of protected hardware is the service processor: essentially a secondary information handling system integrated within a primary information handling system and used to manage the primary system, such as performing monitoring, configuration and update functions. Service processors perform system management functions, such as coordination of remote power-up and power-down events through an out-of-band network interface. Examples of service processors include baseboard management controllers (BMC), integrated management controllers (IMC), the integrated Dell Remote Access controller (DRAC) and Intel Active Management Technology (AMT). In addition to these physical techniques, corporate networks also use third party authentication services to authenticate computer systems within a domain. A user provides credentials to the information handling system that the user is attempting to access. The credentials are forwarded to a third party authentication service, which authenticates the access against a centralized database of identities rather than a local identity. Absent authentication, the end user is not allowed access to the information handling system.
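The TPM-protected boot described above relies on a chain of measurements: each boot stage hashes the next stage and extends a Platform Configuration Register (PCR) with that hash before handing over control, and a verifier later replays the reported event log against the PCR value. The following is an added illustration of that mechanism and is not code from the patent or from any vendor's product; the component images, the allowlist and the function names are constructed for the example, and the signed TPM quote is simplified to the raw PCR value.

```python
import hashlib
import hmac

# Constructed example of a SHA-256 PCR bank and a verifier-side replay check.
# The "images" below are placeholder byte strings standing in for real
# firmware, bootloader and kernel binaries.

PCR_INIT = bytes(32)  # PCRs reset to all-zero at power-on


def pcr_extend(pcr: bytes, event_digest: bytes) -> bytes:
    """PCR extend as a TPM performs it: new PCR = SHA-256(old PCR || event digest).
    The old value is folded in, so the register can only be moved forward, never set."""
    return hashlib.sha256(pcr + event_digest).digest()


def measure_boot(images):
    """Boot side: each stage hashes the next component and extends the PCR
    before transferring control. Returns (final PCR value, event log)."""
    pcr = PCR_INIT
    log = []
    for name, image in images:
        digest = hashlib.sha256(image).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


# Constructed known-good boot chain and the allowlist a verifier would hold.
KNOWN_GOOD = [
    ("firmware", b"constructed firmware image 1.0"),
    ("bootloader", b"constructed bootloader 2.3"),
    ("kernel", b"constructed kernel 5.15"),
]
ALLOWLIST = {name: hashlib.sha256(img).digest() for name, img in KNOWN_GOOD}


def verify_quote(quoted_pcr: bytes, log):
    """Verifier side: (1) replay the event log and confirm it reproduces the
    quoted PCR, which proves the software-reported log was not edited;
    (2) check every logged measurement against the allowlist."""
    replayed = PCR_INIT
    for _name, digest in log:
        replayed = pcr_extend(replayed, digest)
    if not hmac.compare_digest(replayed, quoted_pcr):
        return False, "event log does not reproduce quoted PCR"
    for name, digest in log:
        expected = ALLOWLIST.get(name)
        if expected is None or not hmac.compare_digest(digest, expected):
            return False, f"unexpected measurement for {name}"
    return True, "boot chain matches policy"


def demo_good():
    pcr, log = measure_boot(KNOWN_GOOD)
    return verify_quote(pcr, log)


def demo_tampered_bootloader():
    # A modified bootloader changes its digest and therefore the final PCR.
    tampered = list(KNOWN_GOOD)
    tampered[1] = ("bootloader", b"constructed bootloader 2.3 + implant")
    pcr, log = measure_boot(tampered)
    return verify_quote(pcr, log)


def demo_forged_log():
    # A rogue system boots tampered code but submits the known-good log;
    # the replay no longer matches the PCR the TPM actually holds.
    tampered = list(KNOWN_GOOD)
    tampered[2] = ("kernel", b"constructed kernel 5.15 + rootkit")
    pcr, _ = measure_boot(tampered)
    _, good_log = measure_boot(KNOWN_GOOD)
    return verify_quote(pcr, good_log)


if __name__ == "__main__":
    for fn in (demo_good, demo_tampered_bootloader, demo_forged_log):
        print(fn.__name__, fn())
```

The order of the two checks matters: the log is produced by the very software being judged, so it is only trusted once it reproduces the hardware-held PCR value. In a real deployment the PCR value arrives inside a quote signed by a key that never leaves the TPM, which is what stops the rogue system from simply reporting a clean value.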