Security

This section provides information about security measures in the DGX A100 system.

User Security Measures

The NVIDIA DGX A100 system is a specialized server designed to be deployed in a data center. It must be configured to protect the hardware from unauthorized access and unapproved use. The DGX A100 system is designed with a dedicated BMC Management Port and multiple Ethernet network ports.

When you install the DGX A100 system in the data center, follow best practices as established by your organization to protect against unauthorized access.

Securing the BMC Port

NVIDIA recommends that you connect the BMC port in the DGX A100 system to a dedicated management network with firewall protection.

If remote access to the BMC is required, such as for a system hosted at a co-location provider, it should be accessed through a secure method that provides isolation from the internet, such as through a VPN server.

System Security Measures

This section provides information about the security measures that have been incorporated in an NVIDIA DGX A100 system.

Secure Flash of DGX A100 Firmware

Secure Flash is implemented for the DGX A100 to prevent unsigned and unverified firmware images from being flashed onto the system.

Encryption

Here is some information about encrypting the DGX A100 firmware.

  • The firmware encryption algorithm is AES-CBC.

  • The firmware encryption key strength is 128 bits or higher.

  • Each firmware class uses a unique encryption key.

  • Firmware decryption is performed either by the same agent that performs the signature check or by a more trusted agent in the same chain of trust (COT).

Signing

  • The firmware signature is validated upon each boot of the DGX A100.

    This is not implemented for the power supply and support controllers on the DGX A100.

  • The firmware signature is validated on every update before the firmware image is updated in non-volatile storage.

NVSM Security

For information about security in NVSM, see Configuring NVSM Security.

Secure Data Deletion

This section explains how to securely delete data from the DGX A100 system SSDs to permanently destroy all the data that was stored there.

This process performs a more secure SSD data deletion than merely deleting files or reformatting the SSDs.

Prerequisites

You need to prepare a bootable installation medium that contains the current DGX OS Server ISO image.

Refer to the following content for more information:

Instructions

Here are the instructions to securely delete data from the DGX A100 system SSDs.

  1. Boot the system from the ISO image, either remotely or from a bootable USB key.

  2. At the GRUB menu, select:

    • (For DGX OS 4): ‘Rescue a broken system’ and configure the locale and network information.

    • (For DGX OS 5): ‘Boot Into Live Environment’ and configure the locale and network information.

  3. When prompted to select a root file system, choose ‘Do not use a root file system’ and then ‘Execute a shell in the installer environment’.

  4. Log in.

  5. Run the following command to identify the devices available in the system:

    $ nvme list
    

    If nvme-cli is not installed, install it as follows and then run nvme list.

    DGX OS 4

    $ dpkg -i /cdrom/extras/pool/main/n/nvme-cli/nvme-cli_1.5-1ubuntu1_amd64.deb
    

    DGX OS 5

    $ dpkg -i /usr/lib/live/mount/rootfs/filesystem.squashfs/curtin/repo/nvme-cli_1.9-1ubuntu0.1_amd64.deb
    
  6. Run nvme format -s1 on all storage devices listed.

    $ nvme format -s1 <device-path>
    

    where

    <device-path> is the specific storage node as listed in the previous step. For example, /dev/nvme0n1.
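
Steps 5 and 6 combined into one script, as an added example that is not part of the NVIDIA documentation: it extracts every device path from the `nvme list` output and applies `nvme format -s1` to each, so no SSD is missed. The function names, the `--plan` and `--execute` script options, and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NVIDIA's code): run step 6 against every device found in step 5.
# Function names and the sample listing are constructed for illustration.

# Constructed sample of `nvme list` output, for trying the parsing offline.
sample_nvme_list() {
cat <<'EOF'
Node             SN               Model             Namespace Usage                 Format       FW Rev
---------------- ---------------- ----------------- --------- --------------------- ------------ --------
/dev/nvme0n1     CONSTRUCTED0001  Example NVMe SSD  1         1.92 TB / 1.92 TB     512 B + 0 B  EX000001
/dev/nvme1n1     CONSTRUCTED0002  Example NVMe SSD  1         1.92 TB / 1.92 TB     512 B + 0 B  EX000001
EOF
}

# Read `nvme list` text on stdin; print only namespace paths such as /dev/nvme0n1.
list_namespaces() {
    awk '$1 ~ /^\/dev\/nvme[0-9]+n[0-9]+$/ { print $1 }'
}

# Read device paths on stdin. Default: print the commands that would run.
# With --execute: run them, keep going on failure, and report a non-zero status.
secure_erase_all() {
    _mode="${1:-}"; _rc=0; _n=0
    while read -r _dev; do
        _n=$((_n + 1))
        if [ "$_mode" = "--execute" ]; then
            nvme format -s1 "$_dev" || { echo "FAILED: $_dev" >&2; _rc=1; }
        else
            echo "nvme format -s1 $_dev"
        fi
    done
    # An empty list usually means nvme-cli is missing or the drives were not detected.
    [ "$_n" -gt 0 ] || { echo "no NVMe namespaces found" >&2; _rc=1; }
    return "$_rc"
}

# Does nothing unless called with --plan or --execute.
case "${1:-}" in
    --plan)    nvme list | list_namespaces | secure_erase_all ;;
    --execute) nvme list | list_namespaces | secure_erase_all --execute ;;
esac
```

Run it with `--plan` first and compare the printed device list against the SSDs you expect in the system before running it with `--execute`.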