US-12621349-B2 - Dynamic unlocking of software defined silicon (SDSi) processor features via security protocol data model (SPDM)

Abstract

In one embodiment, an Information Handling System (IHS) comprises an SPDM-enabled device conforming to an SPDM specification. The SPDM-enabled device causes the IHS to identify a device in the IHS having optional hardware features, provision activation data for the optional hardware features, and activate the optional hardware features by sending SPDM messages to the device. The IHS comprises a host processor module configured to host one or more processors, a secure control module configured to host a baseboard management controller, and a secure control interface configured to support communication between the secure control module and the host processor module. The one or more processors have optional hardware features. The one or more processors may be Software Defined Silicon (SDSi) devices. The baseboard management controller identifies the device having optional hardware features using an SPDM GET_CERTIFICATE request message sent to the devices.

Inventors

  • Deepaganesh Paulraj

Assignees

  • DELL PRODUCTS, L.P.

Dates

Publication Date
20260505
Application Date
20230301

Claims (18)

  1. An Information Handling System (IHS), comprising: a Security Protocol and Data Model (SPDM)-enabled device in conformance to a SPDM specification, wherein the SPDM-enabled device comprises at least one processor coupled to at least one memory, the at least one memory configured with program instructions stored thereon that, upon execution by the at least one processor, cause the IHS to: identify a Software Defined Silicon (SDSi) device in the IHS configured with optional hardware features based at least in part on an encrypted capability activation payload and authentication certificate indexed against a hardware identity of the SPDM-enabled device; provision activation data for the optional hardware features, wherein the activation data includes a capability activation payload and an authentication key certificate; and activate the optional hardware features by sending SPDM messages to the SDSi device.
  2. The IHS of claim 1, further comprising: a host processor module configured to host one or more processors; a secure control module configured to host a baseboard management controller; and a secure control interface configured to support communication between the secure control module and the host processor module.
  3. The IHS of claim 1, wherein the IHS is configured to expose a user interface to provision activation data for the optional hardware features.
  4. The IHS of claim 1, wherein the IHS further comprises: a credential vault configured to store the capability activation payload and authentication key certificate for a selected device hardware identity.
  5. The IHS of claim 2, wherein the one or more processors are SDSi devices that have optional hardware features.
  6. The IHS of claim 2, wherein the baseboard management controller is configured to identify the SDSi device with optional hardware features based at least in part on a SPDM GET_CERTIFICATE request message sent to the device.
  7. The IHS of claim 2, wherein the baseboard management controller activates the optional hardware features by sending SPDM SET_CERTIFICATE/ENCAPSULATED_REQUEST messages to the SDSi device.
  8. The IHS of claim 3, wherein the user interface is a Redfish API.
  9. The IHS of claim 4, wherein the IHS is further configured to: determine what optional hardware features to activate based upon a data center license; and activate the optional hardware features using the capability activation payload and the authentication key certificate stored in the credential vault.
  10. A method for unlocking optional hardware features for an Information Handling System (IHS), the method comprising: discovering Software Defined Silicon (SDSi) hardware devices with optional features via Security Protocol and Data Model (SPDM) messages sent by a baseboard management controller; identifying optional features that are locked on the SDSi hardware devices, based at least in part on at least one encrypted capability activation payload and authentication certificate indexed against at least one respective identity of the SDSi hardware devices; exposing a user interface to provision a capability activation payload and an authentication key certificate for the optional features; and activating the optional features using the capability activation payload and the authentication key certificate by sending SPDM messages to the SDSi hardware devices.
  11. The method of claim 10, wherein the baseboard management controller sends SPDM GET_VERSION and GET_CAPABILITIES request messages to discover SDSi hardware devices with optional features.
  12. The method of claim 10, wherein locked optional features are identified from a hardware identity certificate obtained using an SPDM GET_CERTIFICATE request message.
  13. The method of claim 10, wherein the optional features are activated by sending SPDM SET_CERTIFICATE/ENCAPSULATED_REQUEST messages to the SDSi hardware device.
  14. The method of claim 10, further comprising: encrypting and storing the at least one capability activation payload and authentication key certificate indexed against the at least one respective identity of the SDSi hardware devices in a credential vault.
  15. The method of claim 10, further comprising: performing a compatibility check between available hardware features and activated hardware features in the IHS; identifying mismatches between available and activated hardware features; and suggesting, to an IHS user, a proposed combination of hardware features to be activated for best system utilization.
  16. The method of claim 10, further comprising: identifying available optional hardware features in the IHS; and determining a least feature set of optional features to be activated based on a current IHS configuration.
  17. The method of claim 10, further comprising: activating optional hardware features required by a current IHS license by provisioning the capability activation payload and the authentication key certificate via SPDM SET_CERTIFICATE/ENCAPSULATED_REQUEST messages.
  18. The method of claim 14, further comprising: identifying a system hardware configuration for the IHS; and activating the optional features automatically based on the system hardware configuration using the capability activation payload and the authentication key certificate stored in the credential vault.

Description

BACKGROUND

Pay-as-you-go processors, such as the Intel® Xeon® family of processors, which support Intel® On Demand (formerly known as Software Defined Silicon (SDSi)), allow for the configuration of optional processor features via a license activation process. This minimizes upfront costs and enables organizations to add new features without a hardware upgrade. To unlock processor features, a data center needs to have an OS kernel driver as well as a user-space application to provision an authentication key certificate and needs to read an SDSi state certificate showing the CPU's configuration state. In current systems, processor features are unlocked manually by a user.

SUMMARY

Systems and methods provide for discovery of optional hardware features via Security Protocol and Data Model (SPDM), such as SDSi-capable hardware devices. A capability activation payload and authentication key certificate are provisioned, and then hardware features are activated via SPDM SET_CERTIFICATE and ENCAPSULATED_REQUEST messages. A Baseboard Management Controller (BMC) automatically activates the optional hardware features based on the system hardware configuration and license level. The BMC performs a compatibility check among the hardware devices provisioned with SDSi and notifies an administrator if there are mismatches or incompatibility. The BMC may be configured with cloud computing auto scaling, which determines a least feature set to be activated based on a current configuration and need and then provisions the hardware features accordingly.

In one embodiment, an Information Handling System (IHS) comprises an SPDM-enabled device conforming to an SPDM specification. The SPDM-enabled device causes the IHS to identify a device in the IHS having optional hardware features, provision activation data for the optional hardware features, and activate the optional hardware features by sending SPDM messages to the device.
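
The certificate retrieval step named in the summary, as an added example (not code from the patent or from any vendor): a requester-side GET_CERTIFICATE loop that validates every CERTIFICATE response before reassembling the chain. Message codes and field layout follow DMTF DSP0274; the chunk size, the `transport` callable, the stub responder and the sample bytes are assumptions constructed for illustration.

```python
import struct

SPDM_VERSION = 0x12      # SPDM 1.2 header byte
GET_CERTIFICATE = 0x82   # request code (DSP0274)
CERTIFICATE = 0x02       # response code (DSP0274)
ERROR = 0x7F             # ERROR response code (DSP0274)
CHUNK = 0x40             # bytes requested per round trip (assumed value)
SAMPLE_CHAIN = bytes(range(150))  # constructed placeholder, not a real chain

def build_get_certificate(slot, offset, length):
    """Header (version, code, Param1=slot, Param2=0) then Offset and Length, LE."""
    return struct.pack("<BBBBHH", SPDM_VERSION, GET_CERTIFICATE,
                       slot & 0x0F, 0, offset, length)

def parse_certificate(resp, slot, requested):
    """Validate one CERTIFICATE response; return (portion_bytes, remainder)."""
    if len(resp) >= 4 and resp[1] == ERROR:
        raise ValueError(f"responder returned ERROR 0x{resp[2]:02x}")
    if len(resp) < 8:
        raise ValueError("short response")
    ver, code, p1, _p2, portion, remainder = struct.unpack_from("<BBBBHH", resp)
    if ver != SPDM_VERSION or code != CERTIFICATE or (p1 & 0x0F) != slot:
        raise ValueError("unexpected header")
    # The device controls these fields: never trust them beyond what was asked.
    if portion == 0 or portion > requested or len(resp) != 8 + portion:
        raise ValueError("PortionLength inconsistent with request or payload")
    return resp[8:], remainder

def read_cert_chain(transport, slot=0):
    """Fetch the chain in CHUNK-sized portions via transport(bytes) -> bytes."""
    chain, expected = b"", None
    while True:
        resp = transport(build_get_certificate(slot, len(chain), CHUNK))
        portion, remainder = parse_certificate(resp, slot, CHUNK)
        chain += portion
        total = len(chain) + remainder
        expected = total if expected is None else expected
        if total != expected or total > 0xFFFF:  # Offset is a 16-bit field
            raise ValueError("RemainderLength changed between portions")
        if remainder == 0:
            return chain

def make_responder(chain):
    """Constructed stand-in for a device: answers GET_CERTIFICATE from `chain`."""
    def respond(req):
        _v, _c, slot, _p2, off, length = struct.unpack("<BBBBHH", req)
        part = chain[off:off + length]
        rem = len(chain) - off - len(part)
        return struct.pack("<BBBBHH", SPDM_VERSION, CERTIFICATE,
                           slot, 0, len(part), rem) + part
    return respond
```

The reassembled bytes are only input to certificate chain validation; nothing in the chain should be acted on until that validation succeeds.
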
The IHS comprises a host processor module configured to host one or more processors, a secure control module configured to host a baseboard management controller, and a secure control interface configured to support communication between the secure control module and the host processor module. The one or more processors have optional hardware features. The one or more processors may be Software Defined Silicon (SDSi) devices. The baseboard management controller identifies the device having optional hardware features using an SPDM GET_CERTIFICATE request message sent to the devices. The baseboard management controller activates the optional hardware features by sending SPDM SET_CERTIFICATE/ENCAPSULATED_REQUEST messages to the device. The IHS is configured to expose a user interface to provision activation data for the optional hardware features. The user interface may be a Redfish API. The activation data includes a capability activation payload and an authentication key certificate. The IHS further comprises a credential vault configured to store a capability activation payload and an authentication key certificate for a selected hardware identity. The IHS is further configured to determine what optional hardware features to activate based upon a data center license and to activate the optional hardware features using the capability activation payload and the authentication key certificate stored in the credential vault.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention(s) is/are illustrated by way of example and is/are not limited by the accompanying figures. Elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale.

FIG. 1 is a block diagram illustrating multi-node building blocks of a modular hardware system for a data center.
FIG. 2 is a block diagram illustrating elements of a data center system.
FIG. 3 is a flowchart illustrating an example process for activating optional hardware features in the system illustrated in FIG. 2.
FIG. 4 is a flowchart illustrating another example process for activating optional hardware features.
FIG. 5 is a flowchart illustrating a further example process for activating optional hardware features.

DETAILED DESCRIPTION

Modular server architectures give cloud service providers a variety of compute choices to meet market and business conditions, to offer flexible configurations, and to deliver innovative solutions. The Datacenter-Modular Hardware System (DC-MHS) provides interoperability between datacenter, edge, and enterprise infrastructure using consistent interfaces and modular building blocks. DC-MHS standardizes various Host Processor Module (HPM) form factors and provides supporting elements for interoperability of HPMs across various platforms. The HPM is managed by a Datacenter-Secure Control Module (DC-SCM), which is designed to enable a common management and security infrastructure across platforms within a data center. The interface between the DC-SCM and the HPM is referred to as the Datacenter-Secure Control