
Using Bay Trail TXE for secure key wrapping

FYoun1
New Contributor I

Hi All,

I am looking for a way to take advantage of the hardware root of trust provided by the TXE to securely store platform keys. In the E3800 datasheet, under Section 22 titled "Intel Trusted Execution Engine (TXE)", "Chip Unique Key encryption key wrapping of other platform keys (Flash)" is listed as a supported feature by the firmware. This is exactly what we need in our application. However, we cannot find any documentation on how to enable this functionality. I'm hoping that someone in this forum will be able to point me in the right direction.

I had originally hoped to get this functionality via Intel PTT and TPM2.0. However, in another thread, Josue helped me discover that the Bay Trail-I E3845 SoC does not actually support PTT over TXE. So I'm back to asking this more fundamental question of just how to enable hardware key wrapping using TXE.

Thanks, Fred Young

12 Replies
Josue_C_Intel
Employee

Hi Fred

We are working on this case; we will let you know of any update as soon as possible.

Regards.

Josue.

Josue_C_Intel
Employee

Hi Fred

What is the current TXE firmware version installed on the system?

Regards.

Josue.

FYoun1
New Contributor I

Hi Josue,

Regarding the TXE firmware version, we've tried version 1.0.2.1067 from BAY_TRAIL_FSP_KIT_GOLD3.tgz and version 1.1.0.1089 from 543843_BYT_I_DUAL_BOOT_TXE_KIT_GOLD_RELEASE_1.1.0.1089.tar.

Fred Young

Josue_C_Intel
Employee

Hi Fred

Please check "How to Enable an Intel® Trusted Execution Technology Capable Server": https://software.intel.com/en-us/blogs/2012/09/25/how-to-enable-an-intel-trusted-execution-technology-capable-server

And make sure to enable TXT Technology in system configuration.

We will upload Document Number 515108, "Bay Trail T/I Platform, Manufacturing Recommendation for Intel® Trusted Execution Engine (Intel® TXE) Firmware, Guidelines and Recommendations", to the EDC Library; we will let you know as soon as the file is available.

Best Regards.

Josue.

FYoun1
New Contributor I

Hi Josue,

I don't think TXT applies to Bay Trail SoCs. Also, we already have document 515108_ByTti_TXEMfgRecomm_Rev1p2.pdf; that just tells us how to use the manufacturing tools but not about how to accomplish key wrapping.

Thanks, Fred Young

Josue_C_Intel
Employee

Hi Fred

We have found Document # 543572 Intel® TXE Slim FW and tools for Intel® Atom™ Processor, E3800 (Bay Trail-I) Product Family.

From section 2.5, Intel® TXE Setting Checker Tool: this tool retrieves and displays information about some of the Intel® TXE settings, the Intel® TXE FW version, and the FW capability on the platform.

From section 6, Intel® TXEInfo: this tool provides a simple test to check whether the Intel® TXE FW is alive or not.

We will let you know as soon as the tool is available in EDC Library.

Regards.

Josue.

Josue_C_Intel
Employee

Hi Fred

 

While we're waiting for 543572 to be uploaded you may find document # 527101 helpful.

Intel® Atom™ Processor E3800 Product Family / Intel® Celeron® Processor N2920/J1900 – Linux System Tools for Intel® Trusted Execution Engine Firmware, User Guide: https://www-ssl.intel.com/content/www/us/en/secure/intelligent-systems/privileged/bay-trail/atom-e3800-m-d-i-soc-linux-txe-firmware-guide.html

Regards.

Josue.

FYoun1
New Contributor I

Hi Josue,

We understand that Bay Trail E3845 (Bay Trail I) has a number of Field programmable fuses that can be set by certain tools provided by Intel.

The Intel Trusted Execution Engine Bring-Up Guide, 515108_ByTti_TXEMfgRecomm_Rev1p2.pdf, lists the "Fuse file IDs" that can be specified in the FPF configuration file, for example, OEM_KEY_HASH_1.

We would like to know if there are unused fuses in Bay Trail that could be used to store other OEM-specific information.

Thanks, Fred Young

Josue_C_Intel
Employee

Hi Fred

 

Document # 543572, Intel® TXE Slim FW and tools for Intel® Atom™ Processor, E3800 (Bay Trail-I) Product Family, is now available in EDC Library: https://www-ssl.intel.com/content/www/us/en/secure/embedded/nda/products/bay-trail/atom-e3800-txe-slim-fw-and-tools.html

We are still working on your thread, please stay tuned.

Best Regards.

Josue.

 

Natalie_Z_Intel

FYI, FredYoung - we added a user guide to the EDC, "Bay Trail-M/D/T SoC - System Tools for Intel® Trusted Execution Engine Firmware" (http://www.intel.com/content/www/us/en/secure/embedded/nda/products/bay-trail/atom-e3800-m-d-t-soc-txe-firmware-guide.html). It is classified as Intel Confidential.

Josue_C_Intel
Employee

Hello Fred Young

There is no reference to additional fuses that could be used to store other OEM-specific information.

As mentioned in section 2.1.7 FPF Programming

"This fuse is one time programmable inside Bay Trail SoC ... and should not be change after manufacturing and shipment."

Best Regards,

Josue.
