I'm hoping that someone can help us with some TXE questions for the Bay Trail SoC. We plan to use coreboot to boot Linux via a custom coreboot payload with an E3845 SoC.
We've been trying to determine how to make use of the TPM 2.0 functionality that's built into the TXE device on the Bay Trail SoC.
We're able to start the MEI Linux drivers from drivers/misc/mei and run the TXEInfo command. Can we use this driver to issue TPM 2.0 requests to the TXE?
If this doesn't work, can we use the TPM drivers from drivers/char/tpm instead?
Does the tpm_tis driver work on Bay Trail?
Do we need to add a TPM2 table to ACPI so that the tpm_tis driver sees the TXE device? We tried using Linux kernel 3.19 with the latest tpmdd-devel patches (which include Jarkko Sakkinen's patches to add TPM 2.0 support to the tpm driver) and made sure to enable CONFIG_TCG_TPM, CONFIG_TCG_TIS, and CONFIG_TCG_CRB in our kernel. However, the TPM 2.0 device was not seen by the tpm_tis driver (though the TXEInfo command worked fine).
Is there sample TPM 2.0 source available that makes use of these drivers?
Thanks in advance for your help.
Hello Fred Young
According to http://www.intel.com/content/www/us/en/intelligent-systems/bay-trail/atom-e3800-family-datasheet.htm... Intel® Atom™ Processor E3800 Product Family datasheet, section 34.2.1 Features, family e3800 supports only TPM 1.2.
Please check the chapter 3 from http://pcache-www.intel.com/cd/00/00/55/58/555803_TPM2_Migration_Guide.pdf?HashKey=1424810059_219bc0... TPM2 Migration Guide, and section 1.2 references.
Take a look at it and do not hesitate to contact me if you have any question!
Thank you very much for your response Josue.
Version TPM 1.2 mentioned in section 34.2.1 refers to using a TPM device over the LPC interface, not the TPM functionality built into the TXE. We want to use the TPM 2.0 functionality offered by the Intel PTT as part of the TXE firmware. Is there any documentation on how to enable that functionality?
Hi, Fred Young
There may be a need to access some Intel Confidential content. For example section 7 Intel® Platform Trust Technology (PTT) from Document Number: 541924:
Bay Trail-T (Entry Type 3) Platform Intel® Trusted Execution Engine (Intel® TXE) Firmware Compliance Guide
Would you please apply for an EDC Privileged account: https://www-ssl.intel.com/content/www/us/en/forms/intelligent-systems/registration-po.html Apply for an Intel® Embedded Design Center Privileged Account. Once you submit it, please let me know.
Thanks for your reply, Josue.
We do have access to the document you referred to. Section 7 of the document describes test cases that can be run under Windows to ensure that TPM/PTT is working. There's nothing in the document that indicates how to start TPM/PTT in the TXE.
Do you know how to enable TPM/PTT in the TXE?
We threw it around the company this morning and it does not appear that anyone has implemented this type of capability in a generic coreboot implementation yet.
According to our CTO, Intel has done some work to make the integrated TPM capability available, and Google has done some unrelated work to enable TPM capability in conjunction with Chrome OS, but there doesn't seem to be any reason to believe that a general coreboot solution has been worked through.
Sage is working on a mainstream solution, but BayTrail will not be our lead solution.
Very sorry not to be able to help, but good luck.
Hi, Fred Young
I'm sorry to inform you that there is no Bay Trail TPM 2.0 related documentation available for Linux or Windows; Bay Trail does not support TPM 2.0.
TXE FW does not support TPM 2.0; an additional TPM chip should be used if it is required.
Thanks for the reply. Your news is unexpected for us since document 544255 (Section 5.1) stated the following:
Intel® Platform Trust Technology: Also referred as Intel® PTT, is Intel implementation of TCG TPM 2.0 specification in Intel® TXE FW. Intel® PTT uses TXE as the security processor and SPI flash for secure storage. PTT is designed to meet MSFT windows certification requirements for connected standby platforms. A
This suggests that there is an implementation of the Intel PTT within the Intel TXE Firmware that supports some functionality of TCG TPM 2.0. Could you help me understand why you think the TXE FW does not support TPM2.0 and would require an additional TPM chip?
The document 544255: Bay Trail-M/D Platform Intel® TXE Firmware External Architecture Specification does not apply to the E3845 SoC; this is because the E3845 SoC is a Bay Trail-I (Embedded) processor, not a Bay Trail-M/D (Mobile/Desktop) processor.
Thanks Josue, for this information.
If E3845's TXE does not offer TPM2 functionality, does it offer simpler hardware security functionality?
In particular, we essentially need the ability for the TXE to securely protect a key and enable usage of the secret key to the application only when the system is booted under a trusted environment.
TXE is used for storing hash and secure boot manifest during Secure Boot Flow.
Please check Document Number: 521918: "Bay Trail – Intel® Trusted Execution Engine (Intel® TXE) and Firmware Applications".
This is Intel® confidential.
Please apply for an Intel® Embedded Design Center Privileged Account: https://www-ssl.intel.com/content/www/us/en/forms/intelligent-systems/registration-po.html
I hope this is useful.
Hi, Fred. I want to clarify some details with you. You already have a Basic account on the EDC and therefore just need to request an upgrade to Privileged. To do this, please go to https://www-ssl.intel.com/content/www/us/en/intelligent-systems/embedded-design-center-contact-us.ht... Intel® Embedded Design Center Contact and Support and go to the "Manage your Intel EDC Account" and click on the link "Manage my Intel Profile". Once there you should see an "upgrade to Privileged" option. After you complete the form and agree to the T&Cs, please let us know so we can help expedite the review process for you.
Document 521918 is not currently on the EDC. But it will be by the time you submit your upgrade request. Once it is published you can go to http://edc.intel.com and type 521918 in the search box and the document will surface.
Hope this helps! LynnZ
The file is already in the http://www.intel.com/content/www/us/en/secure/embedded/nda/products/bay-trail/atom-e3800-txe-and-fir... EDC Library.
The Bay Trail TXE firmware is capable of more than just Secure Boot. In the E3800 datasheet, under Section 22 titled "Intel Trusted Execution Engine (TXE)", "Chip Unique Key encryption key wrapping of other platform keys (Flash)" is listed as a supported feature of the firmware.
Since this is no longer a discussion of the TPM 2.0 functionality, I will start a new thread.
Thank you, Fred Young
I am looking for the onboard TPM functionality in the Bay Trail SoC. On reading the E3800 datasheet, Section 22, it says there is support for the security processor. We will be using the Windows 10 IoT Core OS and would like to know if there is an API/SDK available for us to use the secure processor. We are looking to store AES 128-bit and RSA 2048-bit TLS certificates in the secure storage and would also need the ability to do secure encryption on the processor using a specific secure key slot. Are these possible with the onboard Intel® TXE?
These are the boards we are evaluating