I am looking for a way to take advantage of the hardware root of trust provided by the TXE to securely store platform keys. In the E3800 datasheet, under Section 22 titled "Intel Trusted Execution Engine (TXE)", "Chip Unique Key encryption key wrapping of other platform keys (Flash)" is listed as a supported feature by the firmware. This is exactly what we need in our application. However, we cannot find any documentation on how to enable this functionality. I'm hoping that someone in this forum will be able to point me to the right direction.
I had originally hoped to get this functionality via Intel PTT and TPM2.0. However, in another thread, Josue helped me discover that the Bay Trail-I E3845 SoC does not actually support PTT over TXE. So I'm back to asking this more fundamental question of just how to enable hardware key wrapping using TXE.
Thanks, Fred Young
Please check https://software.intel.com/en-us/blogs/2012/09/25/how-to-enable-an-intel-trusted-execution-technology-capable-server How to Enable an Intel® Trusted Execution Technology Capable Server
And make sure to enable TXT Technology in system configuration.
We will upload the Document Number: 515108 Bay Trail T/I Platform, Manufacturing Recommendation for Intel® Trusted Execution Engine (Intel® TXE) Firmware, Guidelines and Recommendations to EDC Library, we will let you know as soon as the file is available.
Hi! I see 515108 is already on the EDC. It can be found typing 515108 in the search box or here is the URL: https://www-ssl.intel.com/content/www/us/en/secure/intelligent-systems/privileged/bay-trail/atom-e3800-t-i-manufacturing-rec-txe-firmware.html?wapkw=515108 https://www-ssl.intel.com/content/www/us/en/secure/intelligent-systems/privileged/bay-trail/atom-e3800-t-i-manufacturing… This document is classified as "Intel Confidential."
We have found Document # 543572 Intel® TXE Slim FW and tools for Intel® Atom™ Processor, E3800 (Bay Trail-I) Product Family.
From section 2.5 Intel® TXE Setting Checker Tool. This tool retrieves and displays information about some of the Intel® TXE settings, the Intel® TXE FW version, and the FW capability on the platform.
From section 6 Intel® TXEInfo. This tool Intel TXEInfo provide a simple test to check whether the Intel® TXE FW is alive or not.
We will let you know as soon as the tool is available in EDC Library.
While we're waiting for 543572 to be uploaded you may find document # 527101 helpful .
https://www-ssl.intel.com/content/www/us/en/secure/intelligent-systems/privileged/bay-trail/atom-e3800-m-d-i-soc-linux-txe-firmware-guide.html Intel® Atom™ Processor E3800 Product Family/ Intel® Celeron® Processor N2920/J1900– Linux System Tools for Intel® Trusted Execution Engine Firmware
We understand that Bay Trail E3845 (Bay Trail I) has a number of Field programmable fuses that can be set by certain tools provided by Intel.
The Intel Trusted Execution Engine Bring-Up Guide, 515108_ByTti_TXEMfgRecomm_Rev1p2.pdf, lists the "Fuse file IDs" that can be specified in the FPF configuration file, for example, OEM_KEY_HASH_1.
We would like to know if there are unused fuses in Bay Trail that could be used to store other OEM-specific information.
Thanks, Fred Young
Document https://www-ssl.intel.com/content/www/us/en/secure/embedded/nda/products/bay-trail/atom-e3800-txe-slim-fw-and-tools.html # 543572 Intel® TXE Slim FW and tools for Intel® Atom™ Processor, https://www-ssl.intel.com/content/www/us/en/secure/embedded/nda/products/bay-trail/atom-e3800-txe-slim-fw-and-tools.html E3800 (Bay Trail-I) Product Family is now available in EDC Library.
We still working in your thread, please stay tuned.
FYI, FredYoung - we added a user guide to the EDC, http://www.intel.com/content/www/us/en/secure/embedded/nda/products/bay-trail/atom-e3800-m-d-t-soc-txe-firmware-guide.html Bay Trail-M/D/T SoC - System Tools for Intel® Trusted Execution Engine Firmware. It is classified as Intel Confidential.
Hello Fred Young
There is no reference to additional fuses that could be used to store other OEM-specific information.
As mentioned in section 2.1.7 FPF Programming
"This fuse is one time programmable inside Bay Trail SoC ... and should not be change after manufacturing and shipment."