
Enabling Secure Boot with TXE on Bay Trail

pietrushnic
Novice

We're trying to enable Secure Boot in coreboot following "558081 Rev. 1.0 Enabling Secure Boot with Intel® FSP and coreboot* for Intel® Atom™ Processor E3800 Product Family Implementation Guide".

We've managed to successfully enable FSP stage 2 validation as well as both later coreboot stages (ramstage and payload). According to FLAMInGO every step was completed successfully, even verification of the final image:

 

```
FLAMInGO.exe VerifyBios FpfConfiguration.txt coreboot.bin

FLAMInGO v1.1.0.1089 - Intel (R) Trusted Execution Engine Secure Boot Manifest Generation Tool (Intel (R) TXE SBMGT)
Copyright (C) 2012-2013 Intel Corporation

Success!
```

Still, whatever we do, TXE doesn't block an altered IBB from being run. Does it require something more than enabling an option (FUSE_FILE_SECURE_BOOT_EN) in the FPF configuration? Is it possible that FLAMInGO reports success while the manifest is not valid?

What next steps can we take to debug that problem deeper?

Enabling Secure Boot in FSP with BCT seems to only enable validation of stage 2; it doesn't affect IBB validation (which doesn't actually make sense, as it would just validate itself in this case).

CarlosAM_INTEL
Moderator

Hello, @pietrushnic:

Thank you for contacting Intel Embedded Community.

In order to be on the same page, could you please let us know if the project related to this situation has been developed by a third-party company or by you?

In case it is a third-party design, please give us the name of the manufacturer, part number, model, and where the information related to it is stated.

On the other hand, could you please let us know the part number and SKU of the processor related to your design? By the way, could you please provide the document number and version of the Intel(R) Trusted Execution Engine [Intel(R) TXE] related to this situation? Also, could you please inform us of the FLAMInGO tool document number, version, and how you obtained it?

Waiting for the information that should answer these questions.

Best regards,

@Mæcenas_INTEL.

pietrushnic
Novice

@Mæcenas_INTEL,

I'm trying to do that on a MinnowBoard Turbot Dual-Core, so the board was not manufactured by me. I'm not sure why the processor model is so important; the procedure should work for any Bay Trail model? It uses a dual-core Intel® Atom™ E3826. You can find more information here: https://minnowboard.org/minnowboard-turbot/technical-specs

How can I get the part number and SKU? Would cat /proc/cpuinfo be enough? Please let me know how to obtain that information.

As for the tools, those are available on http://platformsw.intel.com/ and we are talking about TXE FW 1.1.5.1162.

CarlosAM_INTEL
Moderator

Hello, @pietrushnic:

Thanks for your reply.

Based on the provided information, the Intel (R) TXE firmware is unsupported by the board that you are using. You can confirm this information as a reference at the following website:

https://minnowboard.org/compare-boards/

Due to this fact, we suggest you use the suggested firmware.

We hope that this information may help you.

Best regards,

@Mæcenas_INTEL.

pietrushnic
Novice

@Mæcenas_INTEL, please clarify. Do you mean that because the Security Engine is TXE 1.0, TXE FW 1.1.5.1162 will not work on that platform? Unfortunately TXE FW 1.0.x is not available on your portal. Does this mean that again I need Intel Premier Support?

What is the reason for providing TXE FW 1.1 and not providing TXE FW 1.0?

I have to admit the whole ecosystem around firmware is very convoluted and there seems to be no documentation that correctly describes it for an outsider. It also looks like Intel Premier Support is for hardware manufacturers, but AMI, Insyde, Phoenix and other IBVs are not hardware manufacturers, so how do they get access to those components?

CarlosAM_INTEL
Moderator

Hello, @pietrushnic:

Thanks for your reply.

Please let us try to explain our previous suggestion.

Based on your second communication in this thread, you are using a third-party design.

We would like to have the proper information to answer any question related to this type of project, but the information is only handled by their manufacturers.

By the way, their manufacturers have the information related to the validations that they have made for their implementations.

We hope that this communication may clarify our message.

Best regards,

@Mæcenas_INTEL.

pietrushnic
Novice

@Mæcenas_INTEL,

Sorry, maybe I misunderstood you. In the previous message you wrote "Based on the provided information, the Intel (R) TXE firmware is unsupported by the board that you are using. (...). Due to this fact, we suggest you use the suggested firmware." I just want to know what led to that conclusion.

You claim the manufacturer has all the answers, but despite that you answer that the TXE firmware is unsupported. Please explain how you figured out, based on the mentioned website data, that TXE is not supported.

CarlosAM_INTEL
Moderator

Hello, @pietrushnic:

Thanks for your reply.

We have found at the website provided as a reference the following information:

[Image: minnowboard supported firmware.jpg]

As you may notice, the supported firmware is different from the one used by you.

Due to this fact, we suggest you use the one mentioned by the manufacturer or contact them to verify if the firmware that you desire to use can be supported by their design.

We hope that this communication may clarify my previous messages.

Best regards,

@Mæcenas_INTEL.

pietrushnic
Novice

@Mæcenas_INTEL, I understand your logic now, but I think you are looking for the issue in a different place.

First, I cannot agree with ignoring firmware market diversity. Your assumption is that the only supported firmware is the Tianocore UEFI published by Intel; if it made sense, I would bring commercial examples of successful products built with MinnowBoard and coreboot. More than that, your own document 558081 mentioned above suggests the MinnowBoard as the platform for exercising the procedure.

But to get any valuable output from this thread, let's assume that your assumption is correct, so I would like to ask different, very closely related questions:

  1. How can I obtain the Intel Bayley Bay CRB?
  2. What is the number of the document that describes enabling Secure Boot with Tianocore UEFI for the Bay Trail platform with TXE FW?

CarlosAM_INTEL
Moderator

Hello, @pietrushnic:

Thanks for your update.

We should clarify that the information provided as a reference is from the manufacturer's website of the affected design, as you confirmed in one of your communications. Due to this fact, your suggestions, clarifications, questions, or validations associated with this third-party design should be addressed to them, because we are not the owner of the source that we provided as a reference.

On the other hand, you can obtain the requested Customer Reference Board (CRB) at:

https://click.intel.com/edc/evaluation-kits-current.html

By the way, as a reference, the Tianocore documentation that may help you is stated at:

https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-User-Documentation

https://www.tianocore.org/docs/

It is important to let you know, as a reference as well, that your Tianocore questions should be addressed to the channel stated at the following website:

https://github.com/tianocore/tianocore.github.io/wiki/Reporting-Issues

We hope that this information may help you.

Best regards,

@Mæcenas_INTEL.
