HPE Trusted Supply Chain Servers Built in the USA

HPE ProLiant DL380T Server With Made In USA Label

In response to the US National Defense Authorization Act, HPE is taking the opportunity to bring more of its manufacturing back to the US. With HPE Trusted Supply Chain servers, HPE gets to designate its servers with a “Country of Origin USA” label. We had a chance to discuss with HPE the new offering ahead of its launch.

HPE Trusted Supply Chain Servers Built in the USA

The driver for the HPE Trusted Supply Chain is, as one may expect, nationalistic calls for technology that has secure origins. All major global governments and critical sectors are looking for a way to secure the building blocks of their technology infrastructure. HPE has crafted a solution for these calls.

HPE Trusted Supply Chain Reasons

Concerns around the hardware supply chain are important, and there is heightened industry awareness around hardware security. The HPE Trusted Supply Chain is a very cool offering to address these needs.

HPE has a manufacturing facility in Chippewa Falls, Wisconsin. There, it has vetted personnel that can assemble the server. We also asked HPE, and they said they have met the requirements for getting a Country of Origin USA label. Note that this is different from Made in the USA. We were told not all of the components are manufactured in the US, but enough are to meet the requirements.

HPE Trusted Supply Chain Scope

As we discussed the offering with HPE, it became clear the company is thinking well beyond just the assembly of the server. Assembly is just the start of hardware security, and HPE is thinking about the rest of the lifecycle.

For example, HPE has a server configuration lock feature that uses cryptographic signing to ensure that the configuration that leaves the factory is the same configuration that is next booted. If a component is altered or swapped, that is immediately flagged so that operators know a change has occurred. This is important for ensuring configurations remain safe after they leave the factory.
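To make the configuration lock idea concrete, here is a small illustration of the pattern (an added example, not HPE's implementation): the factory records a canonical hardware inventory and authenticates it with a key, and the boot-time check re-derives the inventory and flags any component that was swapped, added or removed. It uses an HMAC with a constructed factory key as a stand-in for the real signing key; the part numbers and serials are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the factory signing key; a real platform would use
# an asymmetric key held in the server's root of trust, not a shared secret.
FACTORY_KEY = b"constructed-factory-key-not-a-real-secret"


def canonical_inventory(components):
    """Sort (slot, part, serial) tuples so enumeration order never matters."""
    return sorted((c["slot"], c["part"], c["serial"]) for c in components)


def _authenticate(items, key):
    """Authentication tag over the canonical JSON encoding of the inventory."""
    payload = json.dumps(items, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def lock_configuration(components, key=FACTORY_KEY):
    """Factory step: build the locked manifest that ships with the server."""
    items = [list(i) for i in canonical_inventory(components)]
    return {"inventory": items, "tag": _authenticate(items, key)}


def verify_configuration(manifest, components, key=FACTORY_KEY):
    """Boot step: returns (ok, list_of_flagged_changes).

    A tampered manifest fails before the inventory is even compared; a
    swapped component shows up as one 'removed' and one 'added' entry."""
    if not hmac.compare_digest(_authenticate(manifest["inventory"], key), manifest["tag"]):
        return False, ["manifest tag invalid"]
    locked = {tuple(i) for i in manifest["inventory"]}
    current = set(canonical_inventory(components))
    changes = [f"removed {s} {p} {n}" for s, p, n in sorted(locked - current)]
    changes += [f"added {s} {p} {n}" for s, p, n in sorted(current - locked)]
    return (not changes), changes


# Constructed sample inventory as recorded at the factory.
FACTORY_INVENTORY = [
    {"slot": "CPU0", "part": "constructed-cpu", "serial": "CPU-0001"},
    {"slot": "DIMM0", "part": "constructed-dimm", "serial": "DIMM-0001"},
    {"slot": "NIC0", "part": "constructed-nic", "serial": "NIC-0001"},
]
```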

Keeping hardware shipments safe after they leave the factory is a major industry concern. Interception of servers in transit is a big deal, since they often pass through logistics chains that can be compromised. Not only does HPE offer a secure firmware base and the ability to configuration-lock the systems, it can also deliver the servers to data centers and get them installed. This allows HPE to screen the people in the logistics chain handling the servers, adding another layer of security.

HPE Trusted Supply Chain ProLiant DL380T Cyber Catalyst Designation

The cost of the “T” series servers is higher, but it is not expected to be a 50-100% premium. Our sense is that the market will likely pay a 10-25% premium for this designation. Part of that cost will be offset through what HPE says is a lower cyber insurance premium.

Final Words

Make no mistake, HPE has an awesome offering for the security market, with a very specific caveat: currently, the only offering is the HPE ProLiant DL380T Gen10. The “T” represents the trusted supply chain. HPE told us to expect expanded offerings in 2020 and we expect those to include even an AMD EPYC platform if not more than one. HPE also said it will offer servers made elsewhere, for example for Europe as it now has a blueprint to replicate this type of solution.

We are now seeing servers from other vendors using language such as “Assembled in United States” or similar as they try to cater to new RFPs. There are now multiple Silicon Valley factories pumping out high volumes of servers where the final assembly is happening locally. HPE is going a step beyond that with its new T offerings that encompass more than just hardware and all the way to installation. That also means that its other servers are now not produced via the company’s Trusted Supply Chain.

This is not necessarily an announcement of a “new” server. The DL380 is a well-known server, and the DL380T is a Trusted Supply Chain variant of it. It does not offer new levels of performance. Instead, it is designed to offer different sourcing and security options to those that need that type of assurance.

10 COMMENTS

  1. Alexandru

    “We also asked HPE, and they said they have met the requirements for getting a Country of Origin USA label. Note, that is different than Made in the USA. We were told not all of the components are manufactured in the US, but enough are to meet requirements”

    It’s either Mars, Taiwan or China. It’s not difficult to find out. The key term is enough are made in the US to meet requirements.

  2. I guess it’s not possible to purchase (L)RDIMMs which would not be built/assembled in China. On the other hand it would be great if the programme at least secured an option to have the motherboard and its software (and BMC!) made in the U.S.

  3. As a European, this would be a sad joke still.
    Closed source/hardware with blackbox UEFI/Intel Management Engine/Etc.??
    Only thing to remotely trust is not to be spied on by China but by the US.
    Until the hardware is 100% open, this is just an offering for US customers. Nothing less, but certainly nothing more.
    But with the EU’s plan to build 100% EU controlled and trusted CPUs based on Arm, which is now also in US control soon, I sadly have not much hope for a European market option.
    Until there is 100% open hardware for 100% open software, both will be a tool for either superpower to exert control and influence, with the added “bonus” of state level industrial espionage.
    And yes, not only China does this, the US acts no different, and likely any country with the abilities to do so. All PR talk of friendship notwithstanding that tends to cover up the geopolitical reality for some.
    Coreboot is a start, OpenPower maybe (I have no expertise on that case), and also maybe RISC-V. But only when paired with a 100% open system, software, in a 100% open network environment.. And THEN you also have to be able to control and trust 100% of each supply chain, logistic chain..
    It is a hugely important objective to achieve this digital sovereignty and security. I have been waiting for this for decades to emerge. But without the mentioned building blocks, it is nothing more than a product for some US customers, and a sad joke for any other nation. And China and maybe Russia seem capable to soon (5-10 years) fulfill their long standing goal for digital sovereignty.
    If this is aimed against China primarily (and it surely is), it will only strengthen China’s resolve to achieve the same. And strengthen China’s development and power with it.

  4. Steven,

    I wanted to comment about ARM.

    Yes, it looks like ARM may wind up being owned by Nvidia. However, I’m not sure that will mean that ARM CPUs will become tools of the US government, anymore than they are currently tools of the UK government.

    ARM doesn’t actually make the hardware. The companies who license ARM IP and make chips aren’t told by ARM the equivalent of “include this little section of the CPU even though we won’t tell you what it actually does.” It’s far more likely that any malicious features would be added by the chipmaker, although I haven’t seen any evidence that this is really happening.

    Apple is a good example. They use ARM IP to produce their CPUs. However, if they were including secret features for the US government, it’s likely that someone would have talked about it already. We’re not at the point yet in the US where anyone working on such a project is buried in a hole on the Apple campus, similar to how pirates buried everyone involved in the hole with their treasure chest on some island in the Caribbean.

    I would also note that, when the US government wanted access to some iPhones, Apple refused to put a backdoor in iOS and was unable to decrypt the data on those iPhones. I suppose that you could believe this was all Kabuki theatre meant to convince us that Apple wasn’t working for the US government, or that Apple itself has a backdoor for their own nefarious purposes that they’re not willing to share with the government.

    For myself, I do employ cryptography for some things. I use Signal, use pgp/gpg for my e-mail, choose HTTPS whenever possible, have a strong firewall (pfSense), and I try not to give out any more personal information than I absolutely have to. I do make compromises with some things because of convenience, so I’m not trying to hold myself up as a model of security and privacy.

    However, I feel that the US government in many cases would not have to do anything really sneaky in order to spy on someone. So many people give up their personal data on sites like Facebook that a state or bad actor can just browse publicly available information and doesn’t need to resort to putting hidden chips in your computer that send everything back to the mothership.

    Yes, there _are_ things to be worried about. Yes, it _is_ a good idea to try to limit your exposure and keep things private. I just don’t think that I’ve seen anything yet that would make me suspect the hardware I’m using.

    I can see why the military has concerns about the hardware and software they use. They need to operate at a different level than I as a private individual do.

    BTW, I am far more concerned that Nvidia will become more powerful as a result of owning ARM and that this will stifle competition. We don’t need another Intel or Qualcomm, etc. That’s what concerns me about this deal, not that ARM might become controlled by the US government.

    (What about ARM being controlled by the UK government? I don’t trust people like Boris Johnson or Theresa May any more than I trust Donald Trump or William Barr. I don’t actually think that ARM is secretly controlled by the government now, but I mention it because it seems as likely to me as ARM being secretly controlled by or in cahoots with the US government if it becomes owned by Nvidia.)

  5. Steven,

    I forgot to add that I really do hope that RISC-V becomes more widely used. I’m very much in favor of open standards, open hardware, and free software where we can look at the code.

  6. I don’t get your comments on Arm being sold to NVIDIA as a worry. Arm is already not an EU-based company (UK) with ownership in Japan (SoftBank).

    It’s silly to talk about the EU losing Arm as a home-grown IP supplier. That already happened.

  7. Of course once more we are supposed to trust the closed source UEFI firmware and all the other code that is running on the system as being secure.
