The following outlines the design of the SEE and describes the main functions of the hardware components the Secure Foundation Platform (SFP), Trust Anchor (TA), and PrimeKey’s Integrated Lights On (PiLO).
A notable part of SEE's security design is that there is no access to the Supermicro mainboard BIOS. The BIOS is reprogrammed (by PrimeKey) to only boot from PrimeKey Linux OS (PrimeLFS), presented to the BIOS by the Trust Anchor (TA). The PrimeLFS OS image is digitally signed by PrimeKey and cannot be presented to the Supermicro mainboard BIOS until the integrity of this image has been verified by the TA. The lack of BIOS access means that you cannot see the BIOS boot process (there is no port to connect your monitor), and you cannot interrupt the boot process (there is no port to connect the keyboard).
The SEE is a full-size rack-mount x86 server and essentially consists of the following three hardware components. The first two components are enclosed in a hardened epoxy resin.
The following illustrates the main hardware components and their location.
Secure Foundation Platform (SFP)
The Secure Foundation Platform (SFP), running PrimeLFS on the Supermicro hardware, is responsible for executing your applications. It provides KVM, QEMU, and libvirt virtualization tools for your applications to run within a virtual machine.
You prepare your application within a qcow2 (QEMU copy on write) image which is then deployed within the SFP (either on the internal SSD disk or one of the external SATA disks). Note that other virtual disk images can be converted to the qcow2 format using the tools available on the SFP. The SFP provides a browser-based user interface and a set of Python CLI tools to allow you to configure your virtual machines.
Deploying a virtual machine requires access to the SFP. During the configuration of the virtual machines, OpenSSH Secure Shell (SSH) access to the SFP is available and a default private SSH key is delivered with your SEE. Note that SFT access is restricted to authorized and/or authenticated users.
Trust Anchor (TA)
The Trust Anchor (ARM Cortex-A9 SoM) provides secure booting to the Supermicro mainboard.
The Trust Anchor represents the brains of the SEE. The TA decides whether or not to power on the mainboard (SFP hypervisor) and checks the integrity of the PrimeLFS OS image and whether or not to present this image to the BIOS for booting. It also allows storing sensitive data on its embedded Multi-Media Card (eMMC), for use either by the PiLO or the SFP.
The TA uses the following input-output ports for communication:
- An OTG USB device to exchange data with the SFP and provide the PrimeLFS OS boot image. The OTG USB device is completely sealed within the epoxy resin and within the FIPS 140-2 Level 3 boundary.
- A serial port which is used to communicate to the SFP. This device is also completely sealed within the epoxy resin and within the FIPS 140-2 Level 3 boundary.
- A serial port used to communicate to the PiLO.
When the SFP (mainboard) is powered off, the only communication port open to the TA is the serial line connected to the PiLO. Note that the application running on the TA, listening for commands from the PiLO, only interprets a limited number of commands. There is no direct access to the TA from the PiLO or the SFP.
PrimeKey’s Integrated Lights On (PiLO)
Provides management of the Secure Foundation Platform (SFP) and Trust Anchor (TA).
PrimeKey’s Integrated Lights On (PiLO) provides a touchscreen to communicate with the TA and, indirectly, with the SFP. Its web-based graphical user interface drives the touchscreen on the front panel and the PiLO can be used remotely with any Web browser.
The PiLO is located outside the FIPS 140-2 Level 3 boundary and is not embedded within the epoxy resin. The PiLO responds to user requests and passes these requests onto the TA. Thus, PiLO does not store any sensitive data.