Xerox® Security Guide for Entry Production Color Class Products 
March 2019   Page  4-20 
 
 
 
Pre-Boot Security 
BIOS 
The BIOS used in Versant® and ColorPress® products is embedded and cannot be accessed directly.
Unlike desktop and laptop computers, whose BIOS can be opened with a keystroke at startup,
the BIOS of Versant® and ColorPress® products is not accessible.
Many devices can be cleared to factory defaults (including passwords and security settings) by
depressing a reset button using a paperclip or similar method.  For security reasons, ColorPress® and
Versant® products do not offer such a method to clear or reset the BIOS. Note that configuration settings
may be reset to factory defaults by an authorized administrator; however, this does not impact BIOS
settings.
BIOS updates are applied by device firmware updates.  Firmware is protected from tampering by use of 
digital signatures (discussed later in this section). 
The BIOS is designed to fail secure.  An integrity check is performed immediately when power is applied.  
If verification is successful, the system proceeds with OS kernel boot.  If the integrity check fails, the 
system will fail secure. 
Embedded Encryption 
AES encryption is used to protect the system, user data, and configuration (including security settings) 
from being retrieved or modified. Each device uses its own unique key that is securely generated. 
Encryption is enabled by default.  Media encryption and sanitization are discussed in Section 2, User Data
Protection.
 
Boot Process Security 
Firmware Integrity 
Unlike open systems such as servers and user workstations, on which software may be installed
by users, Xerox products are based on embedded systems and the contents are managed by Xerox.  The
only means of modifying the contents of a device is by applying a firmware update package.
Firmware updates use a special format and each firmware update is digitally signed to protect the 
integrity of the contents.  Firmware that is corrupt or has been illicitly modified will be rejected.  This 
security control cannot be disabled. 
ColorPress® and Versant® products include built-in firmware software validation.  This is a file integrity
monitor that compares the security hashes of the currently installed firmware against a secured whitelist
that was installed along with the signed firmware.
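
The hash-against-whitelist comparison described above can be sketched as follows. This is an added illustration, not Xerox code: SHA-256, the file names and every function name are assumptions, and the allowlist is assumed to have been recorded immediately after the firmware signature was verified.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    # Hash in chunks so a large firmware image is never fully in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    # Map relative path -> SHA-256 digest for every file under root.
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def check_integrity(root, allowlist):
    # Compare the installed tree to the allowlist and report every deviation.
    current = snapshot(root)
    return {
        "modified": sorted(n for n in allowlist
                           if n in current and current[n] != allowlist[n]),
        "missing": sorted(set(allowlist) - set(current)),
        "unexpected": sorted(set(current) - set(allowlist)),
    }

def is_trusted(report):
    # Fail secure: any deviation at all means the firmware is not trusted.
    return not any(report.values())

def demo():
    # Constructed sample: three files stand in for an installed firmware tree.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, data in [("kernel.img", b"k1"), ("ui.bin", b"u1"), ("net.bin", b"n1")]:
            (root / name).write_bytes(data)
        allowlist = snapshot(root)  # assumed taken right after signature verification
        clean = check_integrity(root, allowlist)
        (root / "ui.bin").write_bytes(b"u1-patched")   # modified file
        (root / "net.bin").unlink()                    # removed file
        (root / "extra.sh").write_bytes(b"#!/bin/sh")  # file not on the allowlist
        return clean, check_integrity(root, allowlist)

if __name__ == "__main__":
    for report in demo():
        print(is_trusted(report), report)
```

A monitor of this kind is only as trustworthy as the allowlist itself, which is why the guide describes the whitelist as secured and installed together with the signed firmware.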
 
Event Monitoring & Logging 
Audit Log 
The Audit Log feature records security-related events.  The Audit Log contains the following information: 
A unique value that identifies the event. 
The date that the event happened in mm/dd/yy format.