
Re: Itanium/PA RISC Firmware

 
john guardian
Super Advisor

Itanium/PA RISC Firmware

In a 2009 thread, I read that neither PA-RISC nor Itanium servers have what's considered a BIOS, just firmware. Typically in a PC Win Server environment, management wants to ascertain whether or not the BIOS is password protected.

Here's the thread:

http://h30499.www3.hp.com/t5/System-Administration/Commands-to-obtain-BIOS-amp-Processor-Info-in-HP-UX/m-p/4446793#M358178


As I don't typically get into the nuts and bolts of these systems, could someone pls elaborate on this subject and/or make a case for why the firmware is either not password protected or can/should be? I would usually just vote for physically protecting the machine in a locked room, but that's not always a good answer for bean counters.

Thx.

Mel Burslan
Honored Contributor

Re: Itanium/PA RISC Firmware

I think you are asking the same question that I tried to answer on your other thread. The server you are talking about is not a $500 Intel server that you can buy from the corner store. Unless you protect these servers under lock and key and someone walks away with them, the financial penalty will be much more than $500. So, even though bean counters may not like it, locking these up in a data center makes sense to protect their beans.

Your statement about BIOS is wrong in my opinion. BIOS on an X86 series server is nothing more than a specialized firmware. So, both PA-RISC/Itanium machines and X86 machines have firmware code. HP chose not to put a password protection on theirs (I am not very closely familiar with Itanium family and there might be a feature like this that I am not aware of).
________________________________
UNIX because I majored in cryptology...
cnb
Honored Contributor
Solution

Re: Itanium/PA RISC Firmware

Hi,

PDC (System Firmware) is not password protected and "usually" requires physical system access to update or modify it. Yes, you can update Firmware remotely on some systems via an O/S patch, others require FTP or an ISO media image to boot from. In all cases you can set elevated privileges and passwords to take the system down, access the MP (system) console or USB/Media devices.

IMHO it should be locked up to prevent unauthorized physical access.

Rgds,

Re: Itanium/PA RISC Firmware

On Itanium systems at least, EFI does offer some password protection options... I've never used them myself, but they are there as an option on one of the EFI menus. Apparently you can set a user password that just protects access to EFI at all, and then an administrator password which then controls access to the system configuration and boot configuration menus.

AFAIK there is no equivalent for PDC/BCH on a PA-RISC system

HTH

Duncan

I am an HPE Employee

Re: Itanium/PA RISC Firmware

I should add that although you can set up these EFI passwords, anyone who has admin access to the iLO/MP can reset these passwords anyway via the "BP" command...

HTH

Duncan

I am an HPE Employee
Michael Steele_2
Honored Contributor

Re: Itanium/PA RISC Firmware

You just got answers for this same question under 'hpux -is'. You wanted to know if it were possible and recommended. All of your responses were from some of the most senior members of the forum and all said that they didn't like passwords to boot up into single user mode.

Regarding your question about the differences in firmware between pa-risc / itanium and intel.

That they are firmware and the first part of the boot sequence should explain everything, that they are called by another name is arbitrary. That they all have an option to be password protected is probably more akin to a marketing decision of jumping onto the band wagon because the other guy does this.

Having a password to boot up is your preference. However, the procedure to recover is not pleasant and very similar on all: Restore the firmware defaults. And I believe this means all of the firmware and not just the word byte that holds the password.

And for this, you probably need a CE and an up-to-date resume. Because no manager is going to tolerate a lost password in the middle of an outage.
Support Fatherhood - Stop Family Law
Michael Steele_2
Honored Contributor

Re: Itanium/PA RISC Firmware

BTW, I think what you are looking for is the basic model that something like 99% of all computers follow: The model is called Harvard Architecture.

Harvard Arch. is a cpu, memory, disk, bus IO, user input and output, just like most computers today including those made by Sun, HP, Intel, et al.

Harvard arch. is almost exactly the same as Von Neumann Arch. Both are similar and separately developed but Von Neumann does something different like handle program code the same as data.

A different computer arch. would be the connection machine, for example.

Here's a link to Harvard arch.

http://en.wikipedia.org/wiki/Harvard_architecture
Support Fatherhood - Stop Family Law
john guardian
Super Advisor

Re: Itanium/PA RISC Firmware


First, I'd like to personally thank all who responded.

Next, I need to mention that I am not in disagreement w/the majority on physical security. In theory, it's sound. Unfortunately, in practice, it doesn't always work. Why? Because I don't own the company(ies), I just work for it/them. As I consult for several companies (simultaneously... and generally on the same issues) I sometimes have to "demonstrate" to them that even though I (or someone else) may have already asked the same question, they want it asked "again". I prefer to not have to repeat myself either...

When it comes to the customer, they know what they want, they just don't know why they want it or whether or not it's feasible, it's simply something they picked up at an IA conference in Vegas.

Once again, my appreciation goes out to everyone who responded positively, regardless of the topic.

Thx again.