19 Replies Latest reply on Mar 11, 2015 12:09 PM by LynnZ

    TPM 2.0 on Bay Trail

    FredYoung Green Belt

      I'm hoping that someone can help us with some TXE questions for the Bay Trail SoC. We plan to use coreboot to boot Linux via a custom coreboot payload with an E3845 SoC.

      We've been trying to determine how to make use of the TPM 2.0 functionality that's built into the TXE device on the Bay Trail SoC.

                            

      We're able to start the MEI Linux drivers from drivers/misc/mei and run the TXEInfo command. Can we use this driver to issue TPM 2.0 requests to the TXE?

       

      If this doesn't work, can we use the TPM drivers from drivers/char/tpm instead?

       

      Does the tpm_tis driver work on Bay Trail?

       

      Do we need to add a TPM2 table to ACPI so that the tpm_tis driver sees the TXE device? We tried using Linux kernel 3.19 with the latest tpmdd-devel patches (which include Jarkko Sakkinen's patches to add TPM 2.0 support to the tpm driver) and made sure to enable CONFIG_TCG_TPM, CONFIG_TCG_TIS, and CONFIG_TCG_CRB in our kernel. However, the TPM 2.0 device was not seen by the tpm_tis driver (though the TXEInfo command worked fine).

       

      Is there sample TPM 2.0 source available that makes use of these drivers?

       

      Thanks in advance for your help.
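Whether tpm_tis or tpm_crb binds to a firmware TPM at all is decided by what the firmware publishes in the ACPI TPM2 table, so a first diagnostic step for the situation described in the question is to confirm the table exists and decode its start method. The decoder below is an added example, not code from this thread, from Intel, from coreboot or from the Linux kernel: the table layout follows the TCG ACPI specification (36-byte ACPI header, then PlatformClass, Reserved, ControlAreaAddress, StartMethod), the start-method numbers are those named in the kernel's include/acpi/actbl3.h, the driver mapping in linux_driver_for is my reading of tpm_tis.c and tpm_crb.c (tpm_tis accepts only the memory-mapped start method, tpm_crb the CRB and ACPI-start variants), and the sample table it builds is constructed for illustration rather than dumped from a Bay Trail board.

```python
"""Decode an ACPI TPM2 table and say which Linux TPM driver would claim it.

Added example for the thread above; not code from Intel, coreboot or the
Linux kernel. Layout per the TCG ACPI Specification: a 36-byte ACPI header
followed by PlatformClass (2), Reserved (2), ControlAreaAddress (8) and
StartMethod (4). Start-method numbers are the ones named in the kernel's
include/acpi/actbl3.h; the sample table below is constructed, not dumped
from a Bay Trail board.
"""
import struct
from pathlib import Path

# Standard ACPI description header (36 bytes): signature, length, revision,
# checksum, OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFFSET = 9
# TPM2-specific body (16 bytes) that follows the header.
TPM2_BODY = struct.Struct("<HHQI")

# Start methods from the TCG ACPI spec / Linux actbl3.h; others are reserved.
START_METHODS = {
    2: "ACPI start method (_DSM)",
    6: "memory-mapped FIFO (TIS)",
    7: "command response buffer (CRB)",
    8: "CRB with ACPI start method",
    11: "CRB with ARM SMC",
}


def acpi_checksum(blob: bytes) -> int:
    """Every ACPI table must sum to zero modulo 256 over its declared length."""
    return sum(blob) & 0xFF


def build_tpm2_table(start_method: int, control_area: int = 0,
                     platform_class: int = 0, oem_id: bytes = b"EXAMPL") -> bytes:
    """Construct a well-formed revision-3 TPM2 table with a valid checksum (sample data)."""
    body = TPM2_BODY.pack(platform_class, 0, control_area, start_method)
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"TPM2", length, 3, 0, oem_id, b"TPM2TABL", 1, b"EXMP", 1)
    blob = bytearray(header + body)
    blob[CHECKSUM_OFFSET] = (-acpi_checksum(blob)) & 0xFF
    return bytes(blob)


def parse_tpm2_table(blob: bytes) -> dict:
    """Validate signature, length and checksum, then decode the fields."""
    if len(blob) < ACPI_HEADER.size + TPM2_BODY.size:
        raise ValueError("blob too short for a TPM2 table")
    sig, length, rev, _csum, oem_id, _tid, _orev, _cid, _crev = ACPI_HEADER.unpack_from(blob)
    if sig != b"TPM2":
        raise ValueError(f"bad signature {sig!r}")
    if length > len(blob):
        raise ValueError("declared length exceeds available data")
    if acpi_checksum(blob[:length]) != 0:
        raise ValueError("ACPI checksum mismatch (table corrupt or truncated)")
    platform_class, _res, control_area, start_method = TPM2_BODY.unpack_from(blob, ACPI_HEADER.size)
    return {
        "revision": rev,
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "platform_class": platform_class,
        "control_area_address": control_area,
        "start_method": start_method,
        "start_method_name": START_METHODS.get(start_method, "reserved/unknown"),
    }


def linux_driver_for(start_method: int):
    """Which in-kernel driver claims the device (my reading of tpm_tis.c / tpm_crb.c)."""
    if start_method == 6:
        return "tpm_tis"
    if start_method in (2, 7, 8, 11):
        return "tpm_crb"
    return None


def load_firmware_table(path: str = "/sys/firmware/acpi/tables/TPM2"):
    """Read the live table; None means the firmware published no TPM2 table at all."""
    p = Path(path)
    return p.read_bytes() if p.is_file() else None


if __name__ == "__main__":
    live = load_firmware_table()
    # Fall back to a constructed sample (CRB interface, control area at 0xFED40000)
    # when the running system has no TPM2 table.
    blob = live if live is not None else build_tpm2_table(7, control_area=0xFED40000)
    info = parse_tpm2_table(blob)
    source = "firmware" if live is not None else "constructed sample"
    print(f"{source}: start method {info['start_method']} ({info['start_method_name']}),"
          f" control area 0x{info['control_area_address']:x},"
          f" Linux driver: {linux_driver_for(info['start_method'])}")
```

On a real board, run it as root so it can read /sys/firmware/acpi/tables/TPM2. If that file is absent, the firmware (here the coreboot build) has published no TPM2 table, and the kernel's ACPI-based TPM 2.0 probe has nothing to work from, whatever CONFIG_TCG_TIS and CONFIG_TCG_CRB are set to; if it is present but the start method is a value neither driver handles, that is the next thing to look at.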

        • Re: TPM 2.0 on Bay Trail
          jc Brown Belt

          Hello Fred Young

           

          According to the Intel® Atom™ Processor E3800 Product Family datasheet, section 34.2.1 Features, the E3800 family supports only TPM 1.2.

          Please check chapter 3 of the TPM2 Migration Guide, and the references in section 1.2.

           

          Take a look at it and do not hesitate to contact me if you have any questions!

           

          Regards.

          Josue.

            • Re: TPM 2.0 on Bay Trail
              FredYoung Green Belt

              Thank you very much for your response Josue.

               

              The TPM 1.2 version mentioned in section 34.2.1 refers to using a TPM device over the LPC interface, not the TPM functionality built into the TXE. We want to use the TPM 2.0 functionality offered by the Intel PTT as part of the TXE firmware. Is there any documentation on how to enable that functionality?

               

              Thanks,

              Fred Young

                • Re: TPM 2.0 on Bay Trail
                  jc Brown Belt

                  Hi, Fred Young

                   

                  There may be a need to access some Intel Confidential content. For example section 7 Intel® Platform Trust Technology (PTT) from Document Number: 541924:

                   

                  Bay Trail-T (Entry Type 3) Platform Intel® Trusted Execution Engine (Intel® TXE) Firmware Compliance Guide

                   

                  Would you please apply for an EDC Privileged account: Apply for an Intel® Embedded Design Center Privileged Account.  Once you submit it, please let me know.

                   

                  Regards.

                  Josue.

                  • Re: TPM 2.0 on Bay Trail
                    jc Brown Belt

                    Hi, Fred Young


                    I'm sorry to inform you that there is no Bay Trail TPM 2.0 related documentation available for Linux or Windows; Bay Trail does not support TPM 2.0.

                    TXE FW does not support TPM 2.0; an additional TPM chip should be used if it is required.


                    Regards.

                    Josue.

                      • Re: TPM 2.0 on Bay Trail
                        FredYoung Green Belt

                        Hi Josue,

                         

                        Thanks for the reply. Your news is unexpected for us, since document 544255 (Section 5.1) stated the following:

                         

                        Intel® Platform Trust Technology: Also referred as Intel® PTT, is Intel implementation of TCG TPM 2.0 specification in Intel® TXE FW. Intel® PTT uses TXE as the security processor and SPI flash for secure storage. PTT is designed to meet MSFT windows certification requirements for connected standby platforms. A

                         

                        This suggests that there is an implementation of the Intel PTT within the Intel TXE firmware that supports some functionality of TCG TPM 2.0. Could you help me understand why you think the TXE FW does not support TPM 2.0 and would require an additional TPM chip?

                          • Re: TPM 2.0 on Bay Trail
                            jc Brown Belt

                            Hi Fred

                             

                            The document 544255, Bay Trail-M/D Platform Intel® TXE Firmware External Architecture Specification, does not apply to the E3845 SoC, because the E3845 is a Bay Trail-I (Embedded) processor, not a Bay Trail-M/D (Mobile/Desktop) processor.

                             

                            Regards.

                            Josue.

                              • Re: TPM 2.0 on Bay Trail
                                FredYoung Green Belt

                                Thanks Josue, for this information.

                                 

                                If E3845's TXE does not offer TPM2 functionality, does it offer simpler hardware security functionality?

                                 

                                In particular, we essentially need the ability for the TXE to securely protect a key and enable usage of the secret key to the application only when the system is booted under a trusted environment.

                                  • Re: TPM 2.0 on Bay Trail
                                    jc Brown Belt

                                    Hi Fred

                                     

                                    TXE is used for storing the hash and the secure boot manifest during the Secure Boot flow.

                                     

                                    Please check Document Number: 521918: “Bay Trail – Intel® Trusted Execution Engine (Intel® TXE) and Firmware Applications”.

                                    This is Intel® confidential.

                                     

                                    Please apply for an Intel® Embedded Design Center Privileged Account.


                                    I hope this is useful.

                                    Best Regards.

                                    Josue.

                                      • Re: TPM 2.0 on Bay Trail
                                        LynnZ Brown Belt

                                        Hi, Fred. I want to clarify some details with you. You already have a Basic account on the EDC and therefore just need to request an upgrade to Privileged. To do this, please go to Intel® Embedded Design Center Contact and Support, go to "Manage your Intel EDC Account" and click on the link "Manage my Intel Profile". Once there you should see an "upgrade to Privileged" option. After you complete the form and agree to the T&Cs, please let us know so we can help expedite the review process for you.

                                        Document 521918 is not currently on the EDC.  But it will be by the time you submit your upgrade request.  Once it is published you can go to http://edc.intel.com and type 521918 in the search box and the document will surface.

                                        Hope this helps!  LynnZ