Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2931 Discussions

Are there two different Key Manifests?

Jon-xelex
New Contributor I
‎03-07-2021 06:25 PM
1,473 Views

I recently start develop BIOS for the new Tiger Lake CPU. I want to enable Intel Boot Guard technology to make platform much more secure, but I encounter one concept that baffle me in Boot Guard: Key Manifest.

I reference Intel® Converged Boot Guard and Intel® Trusted ExecutionTechnology (Intel® TXT) (doc no 575623) document and it mentions a concept called Key Manifest, which stores hashed public key to verify Boot Policy Manifest components. Then I reference Tiger Lake and Rocket Lake Signing and Manifesting Guide for a clue about how signature work and how to make one. I encountered concept Key Manifest again in Tiger Lake and Rocket Lake Signing and Manifesting Guide (interestingly, this Key Manifest is called OEM Key Manifest), which contains hashed public key for firmware component (ISH, OS BootLoader, iUnit, Audio, ME...). Moreover, I compared structure of Key Manifest between two mentioned documents and they are different!

I want to know if there are actually two different Key Manifests for two different purposes:

- One for Intel Boot Guard (Key Manifest -> Boot Policy Manifest -> Initial Boot Block)

- One for verify firmware components (Key Manifest -> Firmware components). This Key Manifest is also called OEM Key Manifest

Beside, I'd like to know if it happens that there are two different Key Manifest, are their signature's public key come from same Field Programmable Fuses (FPF)?

Thank you!

0 Kudos

Link Copied

2 Replies
JoseH_Intel
Moderator
‎03-10-2021 04:22 PM
1,437 Views

Hello Jon-xelex,


Thank you for joining the Intel community


Please allow us a bit of time in order to research on your question. We will get back to you soon.


Regards


Jose A.

Intel Customer Support Technician

For firmware updates and troubleshooting tips, visit:

https://intel.com/support/serverbios


0 Kudos
Copy link
Alberto_Sykes
Employee
‎03-11-2021 10:25 AM
1,423 Views

Jon-xelex, Thank you for posting in the Intel® Communities Support.


In order for us to be able to provide the most accurate support on this matter, please visit, sign-in and submit your inquiry in our Intel® Developer Zone site, they will further assist you with this topic ion there:

https://software.intel.com/content/www/us/en/develop/home.html


Regards,

Albert R.


Intel Customer Support Technician



0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.