Advantech platform security follows NIST Special Publication 800-193 (NIST SP 800 - 193), Platform Firmware Resiliency (PFR) Guidelines (May, 2018.) The PFR guidelines provides technical recommendations intended to support resiliency of platforms against potentially destructive attacks, which are based on three principles: (please click below hexagon icon for more information)
Advantech platform security provides sustainable compliance of NIST SP 800-193 to fulfill network edge requirements.
Selectable customization firmware for different business segment Secure hardening depends on customer’s usage
Advantech PFR solution provides maximum firmware resiliency without additional hardware cost.
We always care about user experience and product efficiency!
Advantech platform security is fully Compatible across network edge platform products.
Sustainable NIST.SP.800-193
The complete solution includes hardware protection and a firmware root of trust, which secures all operations of the computing system. Advantech platform security will enhance protection and recovery from the firmware root of trust without extra hardware changes. It is primarily used to protect against remote attacks, aimed at protecting each device from unauthorized changes to its firmware or critical data and restoring the platform to a state of integrity.
NIST SP 800-193 | Summary |
---|---|
4.1 RooT-of-Trust / Chain-of-Trust |
The RooT of Trust (RoT) and Chain of Trust (CoT) are established by Advantech’s proprietary solution. Secure Platform (SP) uses RoT to verify BMC and BIOS firmware before launching it, then create a CoT. |
4.2.1 Protection and Update of Mutable Code |
SP uses authenticated Secure Firmware Update mechanism, which is anchored with Advantech’s proprietary RoT. Firmware images are digitally signed by Advantech and verified during upgrade and each boot-up. Firmware is only upgradable by authenticated users via a Secure Interface. (Optional) UEFI secure Boot |
4.2.2 Protection of Immutable Code |
The immutable boot firmware (e.g. bootloader) is locked and cannot be overwritten when RoT is enabled. |
4.2.3 Runtime Protection of Critical Platform Firmware |
All firmware upgrade will be secured by BMC with authentication mechanism. Other unauthenticated upgrade methods will be blocked. |
4.2.4 Protection of Critical Data |
Critical data can only be modified through a secure interface (e.g. Redfish) by an authenticated user. Reloading to factory default need to be authorized by BMC. |
4.3.1 Detection of Corrupted Code |
Secure Platform performs the integrity and signature verification at each boot up. It is capable of starting a recovery process to an authentic version with a BMC Watchdog. With the detection mechanisms of Advantech Integrity Sensor, System Event Logger (SEL), and Alert Notification, SP can create notifications and logging events if unauthorized changes or corrupted data are detected. In addition, SP can prevent the system booting into a tampered OS. It works with Event Logger and Alert Notifications. (Optional) With RoT Hardening, the Intel Boot Guard and AMD PSP are also optional for the BIOS. |
4.3.2 Detection of Corrupted Critical Data |
The integrity checks will be performing for detecting potential corruption of critical data, and capable of starting a recovery process to restore the device’s critical data. Event Logger (SEL), and Alert Notification is also capable if corruption detected. |
4.4.1 Recovery of Mutable Code |
SP supports automatic and manual firmware recovery mechanisms. With Dual Flash Design, the backup image content is protected independently of the running firmware. |
4.4.2 Recovery of Critical Data |
Both BMC and BIOS support automatic roll-back to a known good copy if critical data corruption was detected. In addition, end-users can save their default settings as a user default and perform a manual recovery via the BIOS setup menu. |
* For more detail technical white paper under NDA, please contact with your Advantech product representative.
** Advantech follows NIST Special Publication 800-193,
Platform Firmware Resiliency Guidelines, May 2018
*** All information, links, etc. contained in this page (hereinafter referred to as "information"), Advantech reserves the right to change the information at any time without prior notice. Advantech do not warrant, expressly or implicitly, that product users are absolutely free from attack or loss.