Embedded Intel Atom® Processors
Technological Conversations about Intel Atom® Hardware, Software, Firmware, Graphics

TPM 2.0 on Bay Trail

FYoun1
New Contributor I

I'm hoping that someone can help us with some TXE questions for the Bay Trail SoC. We plan to use coreboot to boot Linux via a custom coreboot payload with an E3845 SoC.

We've been trying to determine how to make use of the TPM 2.0 functionality that's built into the TXE device on the Bay Trail SoC.

We're able to start the MEI Linux drivers from drivers/misc/mei and run the TXEInfo command. Can we use this driver to issue TPM 2.0 requests to the TXE?

If this doesn't work, can we use the TPM drivers from drivers/char/tpm instead?

Does the tpm_tis driver work on Bay Trail?

Do we need to add a TPM2 table to ACPI so that the tpm_tis driver sees the TXE device? We tried using Linux kernel 3.19 with the latest tpmdd-devel patches (which include Jarkko Sakkinen's patches to add TPM 2.0 support to the tpm driver) and made sure to enable CONFIG_TCG_TPM, CONFIG_TCG_TIS, and CONFIG_TCG_CRB in our kernel. However, the TPM 2.0 device was not seen by the tpm_tis driver (though the TXEInfo command worked fine).

Is there sample TPM 2.0 source available that makes use of these drivers?

Thanks in advance for your help.

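As an added example (not from the original post, nor from Intel, coreboot or the Linux tree), here is a check for the question above about whether firmware publishes an ACPI TPM2 table and which Linux driver would route to it. It reads /sys/firmware/acpi/tables/TPM2 when the firmware exposes one and otherwise decodes a constructed sample. The table layout (36-byte ACPI header, then Platform Class, Reserved, 64-bit Address of Control Area, 32-bit Start Method) follows the TCG ACPI Specification; the start-method-to-driver mapping (value 6 to tpm_tis, the CRB values to tpm_crb) is how the two Linux drivers dispatch on that field. The OEM strings, the 0xFED40000 address and the sample values are assumptions made for the example.

```python
"""Check for an ACPI TPM2 table and decode its start method.

Added example: reads /sys/firmware/acpi/tables/TPM2 if the firmware
exposes one, otherwise decodes a constructed sample.  Table layout per the
TCG ACPI Specification; OEM strings, addresses and sample values are made up.
"""
import os
import struct

# 36-byte ACPI table header: Signature, Length, Revision, Checksum, OEM ID,
# OEM Table ID, OEM Revision, Creator ID, Creator Revision (little-endian).
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# TPM2-specific body that follows the header: Platform Class, Reserved,
# Address of Control Area (64-bit), Start Method (32-bit).
TPM2_BODY = struct.Struct("<HHQI")
MIN_LENGTH = ACPI_HEADER.size + TPM2_BODY.size  # 52 bytes
CHECKSUM_OFFSET = 9  # byte index of the header checksum field

# Start-method values (TCG ACPI spec) and which Linux driver claims each:
# tpm_tis takes only the memory-mapped TIS/FIFO value; tpm_crb takes the rest.
START_METHODS = {
    2: ("ACPI start method", "tpm_crb"),
    6: ("memory-mapped I/O, TIS/FIFO interface", "tpm_tis"),
    7: ("command response buffer (CRB)", "tpm_crb"),
    8: ("CRB with ACPI start method", "tpm_crb"),
    11: ("CRB with ARM SMC", "tpm_crb"),
}


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table must have all its bytes sum to 0 modulo 256."""
    return sum(table) & 0xFF == 0


def parse_tpm2_table(data: bytes) -> dict:
    """Decode a raw TPM2 table; raises ValueError on a malformed buffer."""
    if len(data) < MIN_LENGTH:
        raise ValueError(f"TPM2 table too short: {len(data)} < {MIN_LENGTH} bytes")
    (sig, length, revision, _chk, oem_id, oem_table_id,
     _oem_rev, _creator, _creator_rev) = ACPI_HEADER.unpack_from(data, 0)
    if sig != b"TPM2":
        raise ValueError(f"signature {sig!r} is not 'TPM2'")
    if length < MIN_LENGTH or length > len(data):
        raise ValueError(f"Length field {length} inconsistent with {len(data)}-byte buffer")
    platform_class, _reserved, control_area, start_method = TPM2_BODY.unpack_from(
        data, ACPI_HEADER.size)
    description, driver = START_METHODS.get(start_method, ("unknown or reserved", None))
    return {
        "length": length,
        "revision": revision,
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table_id.decode("ascii", "replace").strip(),
        "checksum_ok": acpi_checksum_ok(data[:length]),
        "platform_class": platform_class,
        "control_area": control_area,
        "start_method": start_method,
        "description": description,
        "driver": driver,
    }


def build_tpm2_table(control_area: int, start_method: int,
                     platform_class: int = 0, revision: int = 3) -> bytes:
    """Construct a minimal, correctly checksummed TPM2 table (sample data only)."""
    body = TPM2_BODY.pack(platform_class, 0, control_area, start_method)
    # OEM ID / table ID / creator ID below are assumed values, not real firmware strings.
    header = ACPI_HEADER.pack(b"TPM2", ACPI_HEADER.size + len(body), revision, 0,
                              b"INTEL ", b"BAYTRAIL", 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) & 0xFF  # fix up so all bytes sum to 0
    return bytes(table)


def read_tpm2_from_sysfs(path: str = "/sys/firmware/acpi/tables/TPM2"):
    """Return the parsed table, or None when the firmware exposes no TPM2 table."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return parse_tpm2_table(f.read())


if __name__ == "__main__":
    info = read_tpm2_from_sysfs()
    if info is None:
        print("No ACPI TPM2 table: tpm_tis/tpm_crb have nothing to probe via ACPI.")
        print("Decoding a constructed sample (CRB at 0xFED40000) instead:")
        info = parse_tpm2_table(build_tpm2_table(0xFED40000, 7))
    for key, value in info.items():
        print(f"  {key}: {value}")
```

Run it as root on the target board: a missing TPM2 table is the first thing to rule out when tpm_tis or tpm_crb does not bind, and a present table with a bad checksum or an unexpected start method is the second. A table that is present but points at a control area the TXE does not actually serve is something this check cannot detect; that needs the firmware documentation the rest of the thread is chasing.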
20 Replies
Josue_C_Intel
Employee

Hello Fred Young

According to the Intel® Atom™ Processor E3800 Product Family datasheet (http://www.intel.com/content/www/us/en/intelligent-systems/bay-trail/atom-e3800-family-datasheet.html), section 34.2.1 Features, the E3800 family supports only TPM 1.2.

Please check chapter 3 of the TPM2 Migration Guide (http://pcache-www.intel.com/cd/00/00/55/58/555803_TPM2_Migration_Guide.pdf?HashKey=1424810059_219bc004154b1e57e551238f83c6d38f) and the references in section 1.2.

Take a look at it and do not hesitate to contact me if you have any question!

Regards.

Josue.

FYoun1
New Contributor I

Thank you very much for your response Josue.

The TPM 1.2 version mentioned in section 34.2.1 refers to using a TPM device over the LPC interface, not the TPM functionality built into the TXE. We want to use the TPM 2.0 functionality offered by the Intel PTT as part of the TXE firmware. Is there any documentation on how to enable that functionality?

Thanks,

Fred Young

Josue_C_Intel
Employee

Hi, Fred Young

There may be a need to access some Intel Confidential content, for example section 7, Intel® Platform Trust Technology (PTT), from Document Number 541924:

Bay Trail-T (Entry Type 3) Platform Intel® Trusted Execution Engine (Intel® TXE) Firmware Compliance Guide

Would you please apply for an EDC Privileged account (Apply for an Intel® Embedded Design Center Privileged Account: https://www-ssl.intel.com/content/www/us/en/forms/intelligent-systems/registration-po.html)? Once you submit it, please let me know.

Regards.

Josue.

FYoun1
New Contributor I

Thanks for your reply, Josue.

We do have access to the document you referred to. Section 7 of the document describes test cases that can be run under Windows to ensure that TPM/PTT is working. There's nothing in the document that indicates how to start TPM/PTT in the TXE.

Do you know how to enable TPM/PTT in the TXE?

Fred Young

Josue_C_Intel
Employee

Hello Fred

We are investigating this issue. I will let you know as soon as we have any update.

Regards.

Josue.

RWata1
New Contributor I

I don't have the answer to your questions, but you might want to check out document numbers 514966 and 544255.

Ross

JThom27
Beginner

Sorry Fred,

We threw it around the company this morning and it does not appear that anyone has implemented this type of capability in a generic coreboot implementation yet.

According to our CTO, Intel has done some work to make the integrated TPM capability available, and Google has done some unrelated work to enable TPM capability in conjunction with Chrome OS, but there doesn't seem to be any reason to believe that a general coreboot solution has been worked through.

Sage is working on a mainstream solution, but Bay Trail will not be our lead solution.

Very sorry not to be able to help, but good luck.

jeff

Natalie_Z_Intel
Employee

Thanks rosswatanabe for the contribution! Fred, if you go to http://edc.intel.com and type 514966 in the search box you can access that document. Probably by Monday night document 544255 will be added to the EDC as well. I'm working on it! Have a nice weekend! LynnZ.

Josue_C_Intel
Employee

Hi, Fred Young

I'm sorry to inform you that there is no Bay Trail TPM 2.0 related documentation available for Linux or Windows; Bay Trail does not support TPM 2.0.

The TXE FW does not support TPM 2.0; an additional TPM chip should be used if it is required.

Regards.

Josue.

FYoun1
New Contributor I

Hi Josue,

Thanks for the reply. Your news is unexpected for us since document 544255 (Section 5.1) stated the following:

Intel® Platform Trust Technology: Also referred as Intel® PTT, is Intel implementation of TCG TPM 2.0 specification in Intel® TXE FW. Intel® PTT uses TXE as the security processor and SPI flash for secure storage. PTT is designed to meet MSFT windows certification requirements for connected standby platforms. A

This suggests that there is an implementation of the Intel PTT within the Intel TXE firmware that supports some functionality of TCG TPM 2.0. Could you help me understand why you think the TXE FW does not support TPM 2.0 and would require an additional TPM chip?

Josue_C_Intel
Employee

Hi Fred

Document 544255, Bay Trail-M/D Platform Intel® TXE Firmware External Architecture Specification, does not apply to the E3845 SoC, because the E3845 is a Bay Trail-I (Embedded) processor, not a Bay Trail-M/D (Mobile/Desktop) processor.

Regards.

Josue.

FYoun1
New Contributor I

Thanks Josue, for this information.

If the E3845's TXE does not offer TPM 2.0 functionality, does it offer simpler hardware security functionality?

In particular, we essentially need the TXE to securely protect a key and to allow the application to use that secret key only when the system has been booted under a trusted environment.

Josue_C_Intel
Employee

Hi Fred

TXE is used for storing the hash and secure boot manifest during the Secure Boot flow.

Please check Document Number 521918: "Bay Trail – Intel® Trusted Execution Engine (Intel® TXE) and Firmware Applications".

This is Intel® confidential.

Please apply for an Intel® Embedded Design Center Privileged Account: https://www-ssl.intel.com/content/www/us/en/forms/intelligent-systems/registration-po.html

I hope this is useful.

Best Regards.

Josue.

Natalie_Z_Intel
Employee

Hi, Fred. I want to clarify some details with you. You already have a Basic account on the EDC and therefore just need to request an upgrade to Privileged. To do this, please go to Intel® Embedded Design Center Contact and Support (https://www-ssl.intel.com/content/www/us/en/intelligent-systems/embedded-design-center-contact-us.html), go to "Manage your Intel EDC Account" and click on the link "Manage my Intel Profile". Once there you should see an "upgrade to Privileged" option. After you complete the form and agree to the T&Cs, please let us know so we can help expedite the review process for you.

Document 521918 is not currently on the EDC, but it will be by the time you submit your upgrade request. Once it is published you can go to http://edc.intel.com and type 521918 in the search box and the document will surface.

Hope this helps! LynnZ

FYoun1
New Contributor I

Hi Josue,

The Bay Trail TXE firmware is capable of more than just Secure Boot. In the E3800 datasheet, under Section 22, titled "Intel Trusted Execution Engine (TXE)", "Chip Unique Key encryption key wrapping of other platform keys (Flash)" is listed as a feature supported by the firmware.

Since this is no longer a discussion of the TPM 2.0 functionality, I will start a new thread.

Thank you, Fred Young

FYoun1
New Contributor I

Hi Lynn,

I upgraded my account to be Privileged and now I can download document 521918. That document definitely provides some useful information to understand the TXE/BIOS interactions.

Thanks a lot, Fred Young

Natalie_Z_Intel
Employee

Hi, Fred! I love when things work out like this! So glad that we could be of help to you!! Happy reading! Lynn.

RChin3
Beginner

Hi,

I am looking for the onboard TPM functionality in the Bay Trail SoC. Reading Section 22 of the E3800 datasheet, it describes support for the security processor. We will be using the Windows 10 IoT Core OS and would like to know if there is an API/SDK available for us to use the secure processor. We are looking to store AES 128-bit and RSA 2048-bit TLS certificates in secure storage, and would also need the ability to do secure encryption on the processor using a specific secure key slot. Are these possible with the onboard Intel® TXE?

These are the boards we are evaluating

http://www.bfdisplay.fr/fiches-techniques/cartes-msi-3-et-demi/msi-ms-98f6.pdf

https://minnowboard.org/minnowboard-turbot/board-explorer
