Appendix A List of Acronyms¶
ACA |
Attestation Certificate Authority |
AD |
Active Directory |
ADK |
(Windows) Assessment and Deployment Kit |
API |
Application Programming Interface |
AQL |
(IBM QRadar) Ariel Query Language |
BIOS |
Basic Input/Output System |
CMSL |
(HP) Client Management Script Library |
DHCP |
Dynamic Host Configuration Protocol |
DNS |
Domain Name System |
DPD |
Direct Platform Data |
DTD |
Dell Trusted Device |
FQDN |
Fully Qualified Domain Name |
HIRS |
Host Integrity at Runtime and Start-Up |
HPE |
Hewlett Packard Enterprise |
HTTP |
Hypertext Transfer Protocol |
IIS |
(Microsoft) Internet Information Services |
IP |
Internet Protocol |
IRM |
(Archer) Integrated Risk Management |
IT |
Information Technology |
JDK |
Java Development Kit |
JSON |
JavaScript Object Notation |
NCCoE |
National Cybersecurity Center of Excellence |
NIST |
National Institute of Standards and Technology |
NTP |
Network Time Protocol |
ODM |
Original Design Manufacturer |
OEM |
Original Equipment Manufacturer |
OS |
Operating System |
PC |
Personal Computer |
PCVT |
(HPE) Platform Certificate Verification Tool |
PM2 |
Process Manager 2 |
PMCS |
Platform Manifest Correlation System |
PXE |
Preboot Execution Environment |
REST |
Representational State Transfer |
SAS |
Serial Attached SCSI |
SCA |
Supply Chain Assurance |
SCRM |
Supply Chain Risk Management |
SCSI |
Small Computer System Interface |
SCV |
(Dell) Secured Component Verification |
SKU |
Stock Keeping Unit |
SP |
Special Publication |
SSMS |
(Microsoft) SQL Server Management Studio |
TB |
Terabyte |
TCG |
Trusted Computing Group |
TEI |
(NCCoE) Trusted Enterprise Infrastructure |
TFTP |
Trivial File Transfer Protocol |
TPM |
Trusted Platform Module |
TSC |
(Intel) Transparent Supply Chain |
UEFI |
Unified Extensible Firmware Interface |
UI |
User Interface |
URL |
Uniform Resource Locator |
UUID |
Universally Unique Identifier |
WinPE |
Windows Preinstallation Environment |
XML |
Extensible Markup Language |
Appendix B Archer Applications¶
The following tables detail the data fields in each Archer application for use in Section 2.11.2.1. The first column is the name of the data field we used in this demonstration and the second column is the data type. Data fields that are calculated are indexed in the third column and available in the subsequent table. Bolded rows are Key Fields, similar to a primary key.
Table 3‑1 Devices Application
Data Field Name |
Data Field Type |
Calculated |
|---|---|---|
Associated Components |
Cross-Reference |
|
Last Event Timestamp |
Date |
|
Last System Scan Date |
Date |
|
System Firmware Date |
Date |
|
Firmware Integrity Aggregation Status |
Numeric |
|
Firmware Integrity Check Status |
Numeric |
|
Count of Failed Configuration Scan Results |
Text |
|
Count of Configuration Scans |
Text |
|
Enterprise Unique Identifier |
Text |
|
Family |
Text |
|
Platform Model |
Text |
|
Model |
Text |
|
Original Design Manufacturer |
Text |
|
Original Equipment Manufacturer |
Text |
|
Product Name |
Text |
|
SKU |
Text |
|
System Firmware Version |
Text |
|
Manufacturer |
Values List |
|
Device Scan State |
Values List |
1 |
Eclypsium Integrity Scan Status |
Values List |
2 |
Continuous Monitoring Platform Integrity Status |
Values List |
3 |
Table 3‑2 Calculated Fields (Devices)
Index |
Calculation |
|---|---|
1 |
IF (ISEMPTY([Helper Previous Last Scanned Date Calc]),
VALUEOF([Device Scan State],"New"),
IF (DATEDIF([Helper Max Last Scanned Date Calc],[Helper
Previous Last Scanned Date Calc])=0, [Device Scan State],
VALUEOF([Device Scan State], "Matched")))
|
2 |
IF (ISEMPTY([Firmware Integrity Check Status]),
VALUEOF([Eclypsium Integrity Scan Status], "No Data"),
IF ([Firmware Integrity Check Status]=1, VALUEOF([Eclypsium
Integrity Scan Status], "No Integrity Issues Detected"),
IF ([Firmware Integrity Check Status]=0, VALUEOF([Eclypsium
Integrity Scan Status], "Integrity Issue Detected - Action
Recommended"))))
|
3 |
IF (ISEMPTY([Continuous Monitoring Platform Integrity Status]),
VALUEOF([Continuous Monitoring Platform Integrity Status], "No
Data from Configuration Management System"))
|
Table 3‑3 Components Application
Data Field Name |
Data Field Type |
|---|---|
Addresses |
Text |
Class |
Text |
Field Replaceable |
Text |
First Published |
First Published Date |
Free Text |
Text |
Last Updated |
Last Updated Date |
Manufacturer |
Text |
Model |
Text |
Platform Certificate |
Text |
Platform Certificate URI |
Text |
Revision |
Text |
SCA Devices (Associated Components) |
Related Records |
Seagate Firmware Attestation (Seagate Drive Serial) |
Related Records |
Seagate Firmware Hash (Seagate Drive) |
Related Records |
Serial |
Text |
Tracking ID |
Tracking ID |
Version |
Text |
Associated Components |
Cross-Reference |
Table 3‑4 HP UEFI Configuration Variables Application
Data Field Name |
Data Field Type |
Calculated |
|---|---|---|
Associated Computing Device |
Cross-Reference |
|
CompositeUUIDVariable |
Text |
1 |
Computing Device UUID |
Text |
|
First Published |
First Published Date |
|
HP Inc BIOS Configuration Status |
Values List |
|
Last Updated |
Last Updated Date |
|
Tracking ID |
Tracking ID |
|
UEFI Variable Description |
Text |
2 |
UEFI Variable Friendly Name |
Text |
|
UEFI Variable Name |
Text |
|
UEFI Variable Possible Values |
Text |
3 |
UEFI Variable Recommended Values |
Text |
4 |
Value |
Text |
Table 3‑5 Calculated Fields (HP UEFI Configuration Variables)
Index |
Calculation |
|---|---|
1 |
CONCATENATE([Computing Device UUID],[UEFI Variable Name])
|
2 |
IF ([First Published]<>[Last Updated], "Change Detected",
IF ([First Published]=[Last Updated], "No Change Detected"))
|
3 |
IF ([UEFI Variable Name]="SS_SB_KeyProt", "Provides enhanced
protection of the secure boot databases and keys used by BIOS
to verify the integrity and authenticity of the OS bootloader
before launching it at boot.",
IF ([UEFI Variable Name]="FW_RIPD", "Utilizes specialized
hardware in the platform chipset to prevent, detect, and
remediate anomalies in the Runtime HP SMM BIOS.",
IF ([UEFI Variable Name]="TL_Power_Off", "HP Tamperlock
feature: The system immediately turns off if the cover is
removed while the system is On or in Sleep state S3 or Modern
Standby.",
IF ([UEFI Variable Name]="TL_Clear_TPM", "TPM is cleared on the
next startup after the cover is removed. Be aware that all
customer keys in the TPM are cleared. This setting should only
be Enabled in a situation where manual recovery is possible
using remote backups, or no recovery is desired. In the case of
BitLocker being enabled, the BitLocker recovery key is required
to decrypt the drive.",
IF ([UEFI Variable Name]="SS_GPT_HDD", "HP Sure Start maintains
a protected backup copy of the MBR/GPT partition table from the
primary drive and compares the backup copy to the primary on
each boot. If a difference is detected, the user is prompted
and can choose to recover from the backup to the original
state, or to update the protected backup copy with the
changes.",
IF ([UEFI Variable Name]="SS_GPT_Policy", "Defines Sure Start
behavior to either Local User Control or Automatic to restore
the MBR/GPT to the saved state any time differences are
encountered.",
IF ([UEFI Variable Name]="DMA_Protection", "BIOS will configure
IOMMU hardware for use by operating systems that support DMA
protection.",
IF ([UEFI Variable Name]="PreBoot_DMA", "IOMMU hardware-based
DMA protection is enabled in a BIOS pre-boot environment for
Thunderbolt and / or all internal and external PCI-e attached
devices.",
IF ([UEFI Variable Name]="Cover_Sensor", "Policy defined
actions taken when Tamperlock cover removal sensor is
triggered. Administrator credential or password requires valid
response before continuing to startup after the cover is
opened.",
IF ([UEFI Variable Name]="", "No Description", "No
Description")
)))))))))
|
4 |
IF ([UEFI Variable Name]="SS_SB_KeyProt", "[Disable, Enable]",
IF ([UEFI Variable Name]="FW_RIPD", "[Disable, Enable]",
IF ([UEFI Variable Name]="TL_Power_Off", "[Disable, Enable]",
IF ([UEFI Variable Name]="TL_Clear_TPM", "[Disable, Enable]",
IF ([UEFI Variable Name]="SS_GPT_HDD", "[Disable, Enable]",
IF ([UEFI Variable Name]="SS_GPT_Policy", "[Local user control,
Recover in event of corruption]",
IF ([UEFI Variable Name]="DMA_Protection", "[Disabled,
Enabled]",
IF ([UEFI Variable Name]="PreBoot_DMA", "[Thunderbolt Only, All
PCI-e Devices]",
IF ([UEFI Variable Name]="Cover_Sensor", "[Disable, Notify
user, Administrator Credential, Administrator Password]",
IF ([UEFI Variable Name]="", "No Possible Values", "No Possible
Values")
)))))))))
|
Table 3‑6 Seagate Firmware Attestation Application
Data Field Name |
Data Field Type |
|---|---|
Assessor Identifier |
Text |
Associated Computing Device |
Cross-Reference |
Device Nonce |
Text |
Firmware Version |
Text |
First Published |
First Published Date |
Last Updated |
Last Updated Date |
Root of Trust Identifier |
Text |
Root of Trust Nonce |
Text |
Seagate Drive Serial |
Cross-Reference |
Secure Boot Device State |
Text |
Signing Auth Database |
Text |
Tracking ID |
Tracking ID |
Table 3‑7 Seagate Firmware Hash Application
Data Field Name |
Data Field Type |
Calculated |
|---|---|---|
Associated Computing Device |
Cross-Reference |
|
BFW IDBA Hash |
Text |
|
BFW ITCM Hash |
Text |
|
CFW Hash |
Text |
|
Drive Serial Number |
Text |
|
Firmware Hash Status |
Values List |
1 |
First Published |
First Published Date |
|
History |
History Log |
|
Last Updated |
Last Updated Date |
|
Seagate Drive |
Cross-Reference |
|
SEE Firmware Hash |
Text |
|
SEE Signing AuthN Key Certificate Hash |
Text |
|
SERVO Firmware Hash |
Text |
|
Signing AuthN Key Certificate Hash |
Text |
|
Tracking ID |
Tracking ID |
Table 3‑8 Calculated Fields (Seagate Firmware Hash)
Index |
Calculation |
|---|---|
1 |
IF ([First Published]<>[Last Updated], "Change Detected",
IF ([First Published]=[Last Updated], "No Change Detected"))
|