Secure boot
The system supports a hardware root of trust and secure boot, which together protect against unauthorized physical access to the hardware and prevent malicious software from running on the system.
The system provides secure boot by pairing each boot drive with a Trusted Platform Module (TPM). The TPM is a secure cryptographic processor that verifies the hardware and prevents unauthorized access to the hardware and the operating system. On the system, the TPM protects secure boot by ensuring that the installed code images are signed, trusted, and unchanged.
As the system boots, the TPM acquires hash values from each part of the boot (software and configuration settings) in a process known as measuring. If the set of hash values reaches the expected values, the TPM secures and locks this information inside the TPM. This process is known as sealing information into the TPM. After this information is sealed within the TPM, it can only be unsealed if a later boot arrives at the same hash values. The TPM verifies each of these hash values and only unlocks the operating system during a boot operation when the values are correct.
The system supports dual boot drives that are paired with the TPM. During removal and replacement procedures, both the boot drive and the TPM must be removed and replaced together to preserve cryptographic integrity.
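The measure, seal and unseal cycle described above, as an added illustrative model (not the product's own code): each boot component is hashed and extended into a PCR-style register, a secret is sealed to the expected register value, and unsealing only succeeds when the same chain of measurements recurs on the same TPM. The component images and the TPM key are constructed stand-in values.

```python
# Simplified model of measured boot and sealing (added example, not product code).
import hashlib
import hmac

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA-256(old_pcr || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components):
    """Extend an all-zero PCR with each (name, image) in boot order; order matters."""
    pcr = bytes(32)
    for name, image in components:
        pcr = extend(pcr, name.encode() + b"\x00" + image)
    return pcr

def _wrap_key(tpm_key: bytes, pcr: bytes) -> bytes:
    # The sealing key depends on both the TPM's internal key and the PCR value,
    # so a different TPM or a different boot chain derives a different key.
    return hmac.new(tpm_key, b"seal|" + pcr, hashlib.sha256).digest()

def seal(secret: bytes, expected_pcr: bytes, tpm_key: bytes) -> bytes:
    """Seal a secret (<= 32 bytes) to expected_pcr; returns ciphertext || tag."""
    assert len(secret) <= 32, "one-block keystream in this model"
    k = _wrap_key(tpm_key, expected_pcr)
    stream = hashlib.sha256(k + b"stream").digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    return ct + hmac.new(k, ct, hashlib.sha256).digest()

def unseal(blob: bytes, current_pcr: bytes, tpm_key: bytes):
    """Return the secret if current_pcr matches the sealed value, else None."""
    ct, tag = blob[:-32], blob[-32:]
    k = _wrap_key(tpm_key, current_pcr)
    if not hmac.compare_digest(hmac.new(k, ct, hashlib.sha256).digest(), tag):
        return None
    stream = hashlib.sha256(k + b"stream").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

# Constructed sample boot chain and TPM key (stand-ins, not real values).
TPM_KEY = b"constructed-tpm-storage-key"
GOOD_BOOT = [("firmware", b"fw-v1"), ("bootloader", b"bl-v1"),
             ("kernel", b"kernel-v5"), ("config", b"secure=1")]

def demo():
    """Seal a drive-unlock key to a good boot, then try good, tampered and swapped-TPM boots."""
    blob = seal(b"disk-unlock-key", measure_boot(GOOD_BOOT), TPM_KEY)
    tampered = [(n, b"kernel-evil" if n == "kernel" else img) for n, img in GOOD_BOOT]
    return {"good": unseal(blob, measure_boot(GOOD_BOOT), TPM_KEY),
            "tampered": unseal(blob, measure_boot(tampered), TPM_KEY),
            "other_tpm": unseal(blob, measure_boot(GOOD_BOOT), b"different-tpm-key")}
```

The "other_tpm" case is why the boot drive and TPM must be replaced together: the sealed blob on the drive is useless to any other TPM.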