topic Re: TPM 2.0 on Bay Trail in Embedded Intel Atom® Processors

TPM 2.0 on Bay Trail

FYoun1 — Tue, 24 Feb 2015 19:19:43 GMT

I'm hoping that someone can help use with some TXE questions for the Bay Trail Soc. We plan to use coreboot to boot Linux via a custom coreboot payload with an E3845 Soc.

We've been trying to determine how to make use of the TPM 2.0 functionality that's built into the TXE device on the Bay Trail Soc.

We're able to start the MEI Linux drivers from drivers/misc/mei and run the TXEInfo command. Can we use this driver to issue TPM 2.0 requests to the TXE?

If this doesn't work; can we use the TPM drivers from drivers/char/tpm instead?

Does the tpm_tis driver work on Bay Trail?

Do we need to add a TPM2 table to ACPI so that the tpm_tis driver sees the TXE device? We tried using Linux kernel 3.19 with the latest tpmdd-devel patches (which include Jarkko Sakkinen's patches to add TPM 2.0 support to the tpm driver) and made sure to enable CONFIG_TCG_TPM, CONFIG_TCG_TIS, and CONFIG_TCG_CRB in our kernel. However, the TPM 2.0 device was not seen by the tpm_tis driver (though the TXEInfo command worked fine).

Is there sample TPM 2.0 source available that makes use of these drivers?

Thanks in advance for your help.

Re: TPM 2.0 on Bay Trail

Josue_C_Intel — Tue, 24 Feb 2015 21:59:58 GMT

Hello Fred Young

According to http://www.intel.com/content/www/us/en/intelligent-systems/bay-trail/atom-e3800-family-datasheet.html Intel® Atom™ Processor E3800 Product Family datasheet, section 34.2.1 Features, family e3800 supports only TPM 1.2.

Please check the chapter 3 from http://pcache-www.intel.com/cd/00/00/55/58/555803_TPM2_Migration_Guide.pdf?HashKey=1424810059_219bc004154b1e57e551238f83c6d38f TPM2 Migration Guide, and section 1.2 references.

Take a look at it and do not hesitate to contact me if you have any question!

Regards.

Josue.

Re: TPM 2.0 on Bay Trail

FYoun1 — Wed, 25 Feb 2015 22:05:00 GMT

Thank you very much for your response Josue.

Version TPM 1.2 mentioned in section 34.2.1 refers to using a TPM device over the LPC interface not the TPM functionality built into the TXE. We want to use the TPM2.0 functionality offered by the Intel PTT as part of the TXE firmware. Is there any documentation on how to enable that functionality?

Thanks,

Fred Young

Re: TPM 2.0 on Bay Trail

Josue_C_Intel — Wed, 25 Feb 2015 23:19:28 GMT

Hi, Fred Young

There may be a need to access some Intel Confidential content. For example section 7 Intel® Platform Trust Technology (PTT) from Document Number: 541924:

Bay Trail-T (Entry Type 3) Platform Intel® Trusted Execution Engine (Intel® TXE) Firmware Compliance Guide

Would you please apply for an EDC Privileged account: https://www-ssl.intel.com/content/www/us/en/forms/intelligent-systems/registration-po.html Apply for an Intel® Embedded Design Center Privileged Account. Once you submit it, please let me know.

Regards.

Josue.

Re: TPM 2.0 on Bay Trail

FYoun1 — Thu, 26 Feb 2015 04:32:39 GMT

Thanks for your reply, Josue.

We do have access to the document you referred to. Section 7 of the document describes test cases that can be run under Windows to ensure that TPM/PTT is working. There's nothing in the document that indicates how to start TPM/PTT in the TXE.

Do you know how enable TPM/PTT in the TXE?

Fred Young

Re: TPM 2.0 on Bay Trail

Josue_C_Intel — Thu, 26 Feb 2015 19:30:51 GMT

Hello Fred

We are investigating this issue, I will let you know as soon we have any update.

Regards.

Josue.

Re: TPM 2.0 on Bay Trail

RWata1 — Fri, 27 Feb 2015 19:35:45 GMT

I don't have the answer to your questions, but you might want to check out document numbers 514966 and 544255.

Ross

Re: TPM 2.0 on Bay Trail

JThom27 — Fri, 27 Feb 2015 21:37:51 GMT

Sorry Fred,

We threw it around the company this morning and it does not appear that anyone has implemented this type of capability in a generic coreboot implementation yet.

According to our CTO, Intel has done some work to make the integrated TPM capability available,and Google has done some unrelated work to enable TPM capability in conjunction with Chrome OS, but there doesn't seem to be any reason to believe that general coreboot solution has been worked through.

Sage is working on a mainstream solution, but BayTrail will not be our lead solution.

Very sorry not be able to help, but good luck.

jeff

Re: TPM 2.0 on Bay Trail

Natalie_Z_Intel — Sun, 01 Mar 2015 03:36:29 GMT

Thanks rosswatanabe for the contribution! Fred, if you got to http://edc.intel.com/ http://edc.intel.com and type 514966 in the search box you can access that document. Probably by Monday night document 544255 will be added to the EDC as well. I'm working on it! Have a nice weekend! LynnZ.

Re: TPM 2.0 on Bay Trail

Natalie_Z_Intel — Tue, 03 Mar 2015 00:04:31 GMT

Document 544255 is now located at https://www-ssl.intel.com/content/www/us/en/secure/embedded/nda/products/bay-trail/atom-e3800-txe-firmware-external-architecture-spec.html?wapkw=544255 https://www-ssl.intel.com/content/www/us/en/secure/embedded/nda/products/bay-trail/atom-e3800-txe-firmware-external-arch….

Re: TPM 2.0 on Bay Trail

Josue_C_Intel — Tue, 03 Mar 2015 17:18:35 GMT

Hi, Fred Young

I'm sorry to inform you that there is no Bay Trail TPM 2.0 related documentation available for linux or Windows, Bay Trail does not support TPM 2.0.

TXE FW does not support TPM2.0, an additional TPM chip should be used if it is required.

Regards.

Josue.

Re: TPM 2.0 on Bay Trail

FYoun1 — Tue, 03 Mar 2015 21:58:41 GMT

Hi Josue,

Thanks for the reply. Your news is unexpected for us since document 544255 (Section 5.1) stated the following:

Intel® Platform Trust Technology: Also referred as Intel® PTT, is Intel implementation of TCG TPM 2.0 specification in Intel® TXE FW. Intel® PTT uses TXE as the security processor and SPI flash for secure storage. PTT is designed to meet MSFT windows certification requirements for connected standby platforms. A

This suggests that there is an implementation of the Intel PTT within the Intel TXE Firmware that supports some functionality of TCG TPM 2.0. Could you help me understand why you think the TXE FW does not support TPM2.0 and would require an additional TPM chip?

Re: TPM 2.0 on Bay Trail

Josue_C_Intel — Tue, 03 Mar 2015 23:13:16 GMT

Hi Fred

The document 544255: Bay Trail-M/D Platform Intel® TXE Firmware External Architecture Specification does not apply for E3845 SoC, this is because E3845 SoC is a Bay Trail - I (Embedded) processor not a Bay Trail-M/D (Mobile/Desktop) processor.

Regards.

Josue.

Re: TPM 2.0 on Bay Trail

FYoun1 — Wed, 04 Mar 2015 02:50:15 GMT

Thanks Josue, for this information.

If E3845's TXE does not offer TPM2 functionality, does it offer simpler hardware security functionality?

In particular, we essentially need the ability for the TXE to securely protect a key and enable usage of the secret key to the application only when the system is booted under a trusted environment.

Re: TPM 2.0 on Bay Trail

Josue_C_Intel — Thu, 05 Mar 2015 21:11:06 GMT

Hi Fred

TXE is used for storing hash and secure boot manifest during Secure Boot Flow.

Please check Document Number: 521918: "Bay Trail – Intel® Trusted Execution Engine (Intel® TXE) and Firmware Applications".

This is Intel® confidential.

Please https://www-ssl.intel.com/content/www/us/en/forms/intelligent-systems/registration-po.html Apply for an Intel® Embedded Design Center Privileged Account.

I hope this is useful.

Best Regards.

Josue.

Re: TPM 2.0 on Bay Trail

Natalie_Z_Intel — Thu, 05 Mar 2015 23:08:57 GMT

Hi, Fred. I want to clarify some details with you. You already have a Basic account on the EDC and therefore just need to request an upgrade to Privileged. To do this, please go to https://www-ssl.intel.com/content/www/us/en/intelligent-systems/embedded-design-center-contact-us.html Intel® Embedded Design Center Contact and Support and go to the "Manage your Intel EDC Account" and click on the link "Manage my Intel Profile". Once there you should see an "upgrade to Privileged" option. After you complete the form and agree to the T&Cs, please let us know so we can help expedite the review process for you.

Document 521918 is not currently on the EDC. But it will be by the time you submit your upgrade request. Once it is published you can go to http://edc.intel.com/ http://edc.intel.com and type 521918 in the search box and the document will surface.

Hope this helps! LynnZ

Re: TPM 2.0 on Bay Trail

Josue_C_Intel — Fri, 06 Mar 2015 21:26:46 GMT

Hi Fred

The file is already in the http://www.intel.com/content/www/us/en/secure/embedded/nda/products/bay-trail/atom-e3800-txe-and-firmware-applications-course-tpt-101.html EDC Library.

Best Regards.

Josue.

Re: TPM 2.0 on Bay Trail

FYoun1 — Mon, 09 Mar 2015 16:17:11 GMT

Hi Josue,

The Bay Trail TXE firmware is capable for more than just Secure Boot. In the E3800 datasheet, under Section 22 titled "Intel Trusted Execution Engine (TXE)", "Chip Unique Key encryption key wrapping of other platform keys (Flash)" is listed as a supported feature by the firmware.

Since this is no longer a discussion of the TPM2.0 functionality, I will start a new thread.

Thank you, Fred Young

Re: TPM 2.0 on Bay Trail

FYoun1 — Wed, 11 Mar 2015 18:29:20 GMT

Hi Lynn,

I upgraded my account to be Privileged and now I can download document 521918. That document definitely provides some useful information to understand the TXE/BIOS interactions.

Thanks a lot, Fred Young

Re: TPM 2.0 on Bay Trail

Natalie_Z_Intel — Wed, 11 Mar 2015 19:09:06 GMT

Hi, Fred! I love when things work out like this! So glad that we could be of help to you!! Happy reading! Lynn.