Broadcom 96xx User Guide
Broadcom® 96xx PCIe 4.0, 24G SAS MegaRAID™ and eHBA Tri-Mode Storage Adapters
The device authentication process includes a platform RoT device (a baseboard management controller [BMC] or a
discrete component) and the adapter (the attested device). The platform RoT device requests the device certificate
from the controller on the adapter for authentication. If the device authentication process fails, the platform RoT device
operates in accordance with its platform security policy.
Device Certificate
The controller on the adapter uses a device certificate and associated certificate chain to present evidence of its device
identity. The certificate chain is based on the X.509 v3 standards and the Security Protocol and Data Model (SPDM)
Specification, version 1.1.0.
The device certificate contains identifying information about the controller, including the device serial number. The
device certificate is signed with the private key of its parent, an intermediate signing certificate, which in turn chains
to the root. The device certificate cannot be modified after manufacture.
Broadcom manufacturing provisions each board with its device certificate. Every 96xx adapter manufactured is
provisioned with a certificate chain. When the SPDM GET_CERTIFICATE command queries the controller, the controller
returns the device certificate chain, which includes a hash of the root certificate.
Attestation Procedure
Attestation is the process in which the server’s BMC, or other discrete logic, challenges the adapter for proof of
authenticity. Using attestation in the server is optional. The adapter functions without performing attestation. If attestation
fails, the adapter continues to function normally. You must determine the next steps for your system if the adapter fails
attestation.
Figure 3: Attestation Procedure Example
To support attestation, you must obtain the external root certificate authority (CA) certificate to configure the platform
RoT, such as a BMC. You can download the external root certificate from Support Documents and Downloads.
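The following Go program is an added example, not Broadcom's code and not part of this guide. It shows, from the platform RoT's side, the checks that the Device Certificate and Attestation Procedure sections describe: parse the certificate chain returned by GET_CERTIFICATE, compare the embedded root hash with the externally obtained root CA certificate, verify the signature path from the device certificate up to that root, and read the device serial number out of the device certificate. It assumes the SPDM 1.1 certificate chain layout (Length, Reserved, RootHash, then DER certificates root first) with SHA-256 as the negotiated hash, and it builds its own constructed root, intermediate and device certificates in place of Broadcom's manufacturing PKI; the certificate names, the serial number and the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed SPDM 1.1 chain layout: Length (2 bytes LE, whole structure) |
// Reserved (2 bytes) | RootHash (SHA-256 assumed) | DER certs, root first.
const hdrLen = 4 + sha256.Size

// EncodeSPDMChain packs DER certificates (root first, device last) into the
// chain format above, embedding the hash of the root certificate.
func EncodeSPDMChain(certsDER [][]byte) []byte {
	total := hdrLen
	for _, c := range certsDER {
		total += len(c)
	}
	buf := make([]byte, hdrLen, total)
	binary.LittleEndian.PutUint16(buf[0:2], uint16(total))
	rootHash := sha256.Sum256(certsDER[0])
	copy(buf[4:], rootHash[:])
	for _, c := range certsDER {
		buf = append(buf, c...)
	}
	return buf
}

// VerifySPDMChain is the platform RoT (e.g. BMC) side: check the length field,
// match the embedded root hash against the root CA obtained out of band, then
// verify the signature path from the device certificate to that root.
func VerifySPDMChain(chain, trustedRootDER []byte) (*x509.Certificate, error) {
	if len(chain) < hdrLen {
		return nil, errors.New("chain shorter than SPDM header")
	}
	if got := int(binary.LittleEndian.Uint16(chain[0:2])); got != len(chain) {
		return nil, fmt.Errorf("length field %d != %d bytes received", got, len(chain))
	}
	want := sha256.Sum256(trustedRootDER)
	if !bytes.Equal(chain[4:hdrLen], want[:]) {
		return nil, errors.New("root hash does not match the trusted root certificate")
	}
	certs, err := x509.ParseCertificates(chain[hdrLen:])
	if err != nil {
		return nil, fmt.Errorf("parse certificates: %w", err)
	}
	if len(certs) < 2 || !bytes.Equal(certs[0].Raw, trustedRootDER) {
		return nil, errors.New("chain must start with the trusted root and end with the device certificate")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(certs[0])
	for _, c := range certs[1 : len(certs)-1] {
		inters.AddCert(c)
	}
	leaf := certs[len(certs)-1]
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, fmt.Errorf("device certificate does not chain to root: %w", err)
	}
	return leaf, nil
}

// makeCert issues a P-256 certificate from tmpl; parent == nil means self-signed.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // re-parse so SubjectKeyId etc. are populated for use as a parent
	return cert, key, err
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// BuildConstructedChain stands in for manufacturing provisioning with a constructed
// root -> intermediate -> device chain (not a real Broadcom PKI). It returns the
// SPDM-encoded chain and the root DER that the verifier is configured to trust.
func BuildConstructedChain() ([]byte, []byte, error) {
	root, rootKey, err := makeCert(caTemplate("Constructed Root CA", 1), nil, nil)
	if err != nil {
		return nil, nil, err
	}
	inter, interKey, err := makeCert(caTemplate("Constructed Intermediate CA", 2), root, rootKey)
	if err != nil {
		return nil, nil, err
	}
	devTmpl := &x509.Certificate{SerialNumber: big.NewInt(3),
		Subject:   pkix.Name{CommonName: "Constructed Adapter Controller", SerialNumber: "SN-CONSTRUCTED-0001"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature}
	dev, _, err := makeCert(devTmpl, inter, interKey)
	if err != nil {
		return nil, nil, err
	}
	return EncodeSPDMChain([][]byte{root.Raw, inter.Raw, dev.Raw}), root.Raw, nil
}

func main() {
	chain, rootDER, err := BuildConstructedChain()
	if err != nil {
		panic(err)
	}
	leaf, err := VerifySPDMChain(chain, rootDER)
	if err != nil {
		panic(err)
	}
	fmt.Printf("device certificate verified: CN=%q device serial=%s\n", leaf.Subject.CommonName, leaf.Subject.SerialNumber)
}
```

The root hash comparison is the step that ties the chain to the root certificate you download from Support Documents and Downloads: a chain whose embedded hash or first certificate differs from that configured root is rejected before any signature is checked, and a chain whose length field disagrees with the bytes received is rejected as well. What the RoT does after a rejection is the platform security policy this guide leaves to you.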
SPDM Capabilities
Security Protocol and Data Model (SPDM) Specification v1.1.0 enables the Requester (BMC/discrete logic) and the
Responder (adapter) to exchange keys to enable encryption support for the management interface information exchange.
By default, if the Requester asks, the adapter enables authenticated encryption of the management interface. This
process occurs dynamically between the Requester and Responder as part of the attestation procedure and requires no
change to the adapter’s settings.
The following table lists the SPDM v1.1 endpoint CAPABILITIES response message flags. Flags listed as supported
are set in the CAPABILITIES response that the adapter returns to the GET_CAPABILITIES request message.
Broadcom
96xx-MR-HBA-Tri-Mode-UG108
26