I've attempted to secure physical hardware at a previous job. The primary tools we used were vendor relationships and extensive testing. There's no silver bullet to getting hardware safe against a "root" user.

Not trying to give an unhelpful answer, but outside of the groups that Jeremy linked, there's been very little innovation enabling you to secure your hardware, unless you work directly with a vendor (and have the buying power to make them listen).

-
Jay Faulkner


On Tue, Dec 15, 2020 at 3:48 PM Eric K. Miller <emiller@genesishosting.com> wrote:

Hi,

We have considered ironic for deploying physical hosts for our public cloud platform, but have not found any way to properly secure the hosts, or rather, how to reset a physical host back to factory defaults between uses - such as BIOS and BMC settings.  Since users (bad actors) can access the BMC via SMBus, reset BIOS password(s), change firmware versions, etc., there appears to be no proper way to secure a platform.

This is especially true when resetting BIOS/BMC configurations since this typically involves shorting a jumper and power cycling a unit (physically removing power from the power supplies - not just a power down from the BMC).  Manufacturers have not made this easy/possible, and we have yet to find a commercial device that can assist with this out-of-band.  We have actually thought of building our own, but thought we would ask the community first.

Thanks!


Eric