2023-02-16

The latest IBM Cloud Bare Metal Servers for VPC features are focused squarely on security, giving customers the ability to enable Secure Boot and to use a Trusted Platform Module (TPM 2.0).

Secure Boot and the TPM are complementary software- and hardware-based mechanisms for establishing trust in the software loaded onto a system. Secure Boot verifies the signatures on the firmware components, boot loaders and kernels that are loaded during the boot process and refuses to run anything it cannot verify, while the TPM is a hardware crypto-processor that records measurements of that same software so that system integrity can be checked afterwards.

Secure Boot verifies the integrity of the system's firmware and operating system throughout the boot process. It does this by confirming that every firmware and OS image loaded on the system is signed by a trusted Certificate Authority whose certificate (the public key, never the private key) is stored in the UEFI firmware. Anything not signed by the Microsoft Corporation UEFI CA 2011, Microsoft Windows Production PCA 2011 or SUPERMICRO Product CA 2018 will not be executed on VPC Bare Metal Servers with Secure Boot enabled. These certificates live in the authorized signature database (db) in UEFI variable storage, and each step in the boot chain validates the signature of the next step against them: the firmware checks the boot loader, and the boot loader checks the kernel. A separate forbidden signature database (dbx) holds certificates and image hashes that were formerly trusted but have since been compromised or revoked; anything matching an entry in dbx will not execute, even if it also carries an otherwise valid signature. This helps prevent malicious software from being loaded onto the server during the boot process. The flip side is that unsigned kernels, boot loaders or drivers will fail to start, so any custom component must be signed through one of the trusted CAs (Linux distributions typically chain through a Microsoft-signed shim) before Secure Boot is turned on; on a Linux system, mokutil --sb-state reports whether Secure Boot is active.
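To make the db/dbx rule concrete, here is an added example (not IBM's code and not part of the original post) that parses the EFI_SIGNATURE_LIST format in which UEFI stores db and dbx, builds a small constructed db and dbx, and applies the decision the firmware makes: an image hash is allowed only if it is present in db and absent from dbx. The GUID constants and the structure layout are taken from the UEFI specification; the owner GUID, image bytes and the placeholder certificate are assumptions made up for the example, and the digest is a plain SHA-256 of the bytes rather than the PE/COFF Authenticode digest real firmware computes.

```python
"""Parse UEFI Secure Boot signature databases and apply the db/dbx rule.

Added example, not IBM's code. The EFI_SIGNATURE_LIST layout and the
EFI_CERT_SHA256_GUID / EFI_CERT_X509_GUID values are from the UEFI
specification; the sample db/dbx contents are constructed inline.
On a Linux host the real variables can be read from
/sys/firmware/efi/efivars/db-d719b2cb-3a3d-4596-a3bc-dad00e67656f and
dbx-d719b2cb-3a3d-4596-a3bc-dad00e67656f after skipping the 4-byte
attribute prefix that efivarfs prepends.
"""
import hashlib
import struct
import uuid
from typing import List, Tuple

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner for the entries we construct (hypothetical owner GUID).
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
LIST_HEADER_LEN = 28  # SignatureType (16 bytes) + three little-endian u32 sizes


def build_signature_list(sig_type: uuid.UUID, entries: List[bytes]) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST whose entries all have the same length.

    Layout: SignatureType | SignatureListSize | SignatureHeaderSize
            | SignatureSize | EFI_SIGNATURE_DATA[n]
    with EFI_SIGNATURE_DATA = SignatureOwner (16 bytes) | SignatureData.
    X.509 entries differ in length, so each certificate gets its own list.
    """
    if len({len(e) for e in entries}) != 1:
        raise ValueError("all entries in one list must have the same size")
    body = b"".join(OWNER_GUID.bytes_le + e for e in entries)
    sig_size = 16 + len(entries[0])
    header = struct.pack("<III", LIST_HEADER_LEN + len(body), 0, sig_size)
    return sig_type.bytes_le + header + body


def parse_signature_db(blob: bytes) -> List[Tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk the concatenated EFI_SIGNATURE_LISTs that make up db or dbx.

    Returns (SignatureType, SignatureOwner, SignatureData) per entry and
    rejects truncated or inconsistent headers instead of reading past them.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        data_len = list_size - LIST_HEADER_LEN - hdr_size
        if data_len < 0 or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size <= 16 or data_len % sig_size:
            raise ValueError("bad SignatureSize")
        pos = off + LIST_HEADER_LEN + hdr_size
        for _ in range(data_len // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries


def sha256_hashes(blob: bytes) -> set:
    """All EFI_CERT_SHA256 entries (raw 32-byte digests) in a database."""
    return {data for sig_type, _, data in parse_signature_db(blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def image_allowed(image: bytes, db: bytes, dbx: bytes) -> bool:
    """The Secure Boot decision for a hash-listed image.

    dbx is consulted before db: a revoked hash is rejected even if it is
    also present in db. Signed images are additionally checked against the
    X509 entries, which needs certificate-chain verification and is not
    modelled here.
    """
    digest = hashlib.sha256(image).digest()  # Authenticode digest on real firmware
    if digest in sha256_hashes(dbx):
        return False
    return digest in sha256_hashes(db)


# Constructed sample data: two allow-listed images, one of which was later revoked.
GOOD_IMAGE = b"constructed boot loader image A"
REVOKED_IMAGE = b"constructed boot loader image B"
UNKNOWN_IMAGE = b"constructed boot loader image C"
FAKE_CA_DER = b"\x30\x82\x00\x10" + b"not a real certificate"  # placeholder bytes

SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, [FAKE_CA_DER])
    + build_signature_list(EFI_CERT_SHA256_GUID,
                           [hashlib.sha256(GOOD_IMAGE).digest(),
                            hashlib.sha256(REVOKED_IMAGE).digest()])
)
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID,
                                  [hashlib.sha256(REVOKED_IMAGE).digest()])

if __name__ == "__main__":
    for name, img in [("A", GOOD_IMAGE), ("B", REVOKED_IMAGE), ("C", UNKNOWN_IMAGE)]:
        verdict = "allowed" if image_allowed(img, SAMPLE_DB, SAMPLE_DBX) else "blocked"
        print(f"image {name}: {verdict}")
```

Running it reports image A allowed and images B and C blocked: B because its hash was pushed to dbx after it had been trusted, C because nothing in db vouches for it. The same parser can be pointed at the real efivarfs files to audit which CAs and revocations a server actually carries before enabling Secure Boot.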

The TPM, on the other hand, is a dedicated microcontroller that generates, stores and uses cryptographic keys without exposing the private key material to the host operating system. It is most often used to attest to platform integrity through a process called Measured Boot. Measured Boot differs from Secure Boot in that it enforces nothing: each component in the boot chain hashes the next one and extends that hash into a Platform Configuration Register (PCR) on the TPM, so the final PCR values summarize every piece of software that ran, and other software (a local policy engine or a remote attestation service) can then interpret those measurements. Keys held by the TPM can also be used to encrypt a hard drive (releasing the disk key only when the PCRs hold the expected values), to sign data and more. Remote attestation relies on the Endorsement Key (EK), a unique key placed in the TPM by its manufacturer together with an EK certificate signed by the manufacturer's CA. A verifier checks that certificate to confirm it is talking to a genuine TPM, and then accepts a quote, a signed report of the PCR values, produced by an attestation key that was certified against that EK. The TPM thus provides a standardized and reliable root of trust for storing secrets and for proving what a system booted.
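The following added example (not IBM's code and not from the original post) shows the verifier side of Measured Boot: it replays a constructed TCG-style event log through the TPM 2.0 extend rule to reproduce the PCR values, checks that a quote's PCRs agree with the log the host supplied, and compares them against golden values from a known-good boot. The event log, golden values and quoted PCRs are all assumptions constructed inline; the AK signature over the real TPMS_ATTEST quote structure, and the EK certificate check that establishes trust in that AK, are not modelled.

```python
"""Replay a Measured Boot event log into TPM 2.0 PCR values and verify a quote.

Added example, not IBM's code. The extend rule PCR_new = SHA-256(PCR_old ||
digest) and the all-zero reset value of PCRs 0-16 are from the TPM 2.0
specification; the event log, golden values and "quote" are constructed.
A real quote is a TPMS_ATTEST structure signed by an attestation key that
was certified against the EK; that signature check is not modelled, only
the PCR comparison a verifier performs once the signature is trusted.
"""
import hashlib
from typing import Dict, List, Tuple

PCR_RESET = bytes(32)  # PCRs 0-16 start as 32 zero bytes in the SHA-256 bank

Event = Tuple[int, str, bytes]  # (PCR index, TCG event type, data that was measured)


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend in the SHA-256 bank: hash the old value with the new digest."""
    return hashlib.sha256(pcr + digest).digest()


def measure(data: bytes) -> bytes:
    """The digest a boot component records for the next component it loads."""
    return hashlib.sha256(data).digest()


def replay(log: List[Event]) -> Dict[int, bytes]:
    """Recompute every PCR the log touches, in log order.

    Order matters: the same components measured in a different sequence
    produce different PCR values, which is why a replay detects reordering
    and not just substitution.
    """
    pcrs: Dict[int, bytes] = {}
    for index, _event_type, data in log:
        pcrs[index] = extend(pcrs.get(index, PCR_RESET), measure(data))
    return pcrs


def mismatched_pcrs(actual: Dict[int, bytes], expected: Dict[int, bytes],
                    indices: List[int]) -> List[int]:
    """PCR indices whose value in `actual` differs from `expected`."""
    return [i for i in indices if actual.get(i) != expected.get(i)]


def verify_attestation(event_log: List[Event], quoted: Dict[int, bytes],
                       golden: Dict[int, bytes],
                       indices: List[int]) -> Tuple[bool, List[int]]:
    """Verifier logic after the quote signature has been checked.

    1. The supplied event log must reproduce the quoted PCRs; if it does not,
       the log was edited after the fact (the PCRs themselves cannot be).
    2. The quoted PCRs must equal the golden values; any mismatch names the
       PCR, and therefore the boot stage, where different software ran.
    Returns (log_consistent, list_of_mismatched_pcrs).
    """
    log_consistent = mismatched_pcrs(replay(event_log), quoted, indices) == []
    return log_consistent, mismatched_pcrs(quoted, golden, indices)


# Constructed event log in the order a UEFI platform would record it
# (event type names and PCR assignments follow the TCG PC Client conventions).
EVENT_LOG: List[Event] = [
    (0, "EV_S_CRTM_VERSION", b"constructed firmware 1.2.3"),
    (0, "EV_POST_CODE", b"constructed PEI/DXE code"),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"SecureBoot=1"),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"db=<constructed contents>"),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"constructed shim"),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"constructed grub"),
    (9, "EV_IPL", b"constructed vmlinuz"),
]
ATTESTED_PCRS = [0, 4, 7, 9]
# Golden values the verifier recorded from a known-good boot of this image.
GOLDEN = replay(EVENT_LOG)


def tampered_log(replacement: bytes) -> List[Event]:
    """The same boot, except a different binary was executed in grub's slot."""
    log = list(EVENT_LOG)
    log[5] = (4, "EV_EFI_BOOT_SERVICES_APPLICATION", replacement)
    return log


if __name__ == "__main__":
    evil_quote = replay(tampered_log(b"constructed evil grub"))
    print("clean boot, honest log :", verify_attestation(EVENT_LOG, GOLDEN, GOLDEN, ATTESTED_PCRS))
    print("evil grub, honest log  :", verify_attestation(tampered_log(b"constructed evil grub"),
                                                         evil_quote, GOLDEN, ATTESTED_PCRS))
    print("evil grub, forged log  :", verify_attestation(EVENT_LOG, evil_quote, GOLDEN, ATTESTED_PCRS))
```

The three printed cases are the ones that matter in practice: a clean boot passes both checks; a modified boot loader shows up as PCR 4 mismatching the golden value; and an attacker who replaces the boot loader but ships the original event log is caught by the consistency check, because the PCR values in the TPM reflect what actually ran and the log cannot be rewritten to match them.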