[U-Boot] About U-boot's TPM

Simon Glass sjg at chromium.org
Mon Dec 5 07:24:19 CET 2016


Hi Ronny,

On 1 December 2016 at 04:53, Ronny Ko <hrko at g.harvard.edu> wrote:
> Hi Simon,
>
> I received the following reply from a Minnowboard engineer at Intel:
>
>> fTPM is implemented in firmware. Firmware will capture IO transition and
>> show same behavior like dTPM. From user point of view, fTPM is transparent,
>> you can use it like dTPM. You can’t access fTPM code space as it is
>> protected by hardware. Please use it according to TCG spec.
>
>
> So it seems that the firmware TPM in UEFI is identical to a discrete TPM,
> software-wise. But I wouldn't be able to use it with U-boot anyway, because
> it's TPM 2.0 standard...

Well it would be possible to add TPM 2 support for U-Boot - it will
need to be done at some point anyway. You can look at the chromium
project for open source TPM2 code, for example.

So it sounds like you need to load a binary blob into memory somewhere
for the fTPM? Is this handled by the Intel Management Engine? If so
then I suppose it should work with some addressing changes in U-Boot.

Regards,
Simon


>
> Ronny
>
> On Thu, Dec 1, 2016 at 12:50 AM, Ronny Ko <hrko at g.harvard.edu> wrote:
>>
>> Hi Simon,
>>
>> fTPM is firmware TPM (virtual TPM), and dTPM is discrete TPM (hardware
>> TPM). The intel engineer said fTPM and discrete TPM 1.2 are identical from
>> the OS developer's viewpoint.
>>
>> I'm trying to build an IoT hypervisor, and for this I've been looking for a
>> board that supports x64, TPM 1.2 and U-boot. But there seems to be none
>> which qualifies in all three categories...
>>
>> Ronny
>>
>> On Thu, Dec 1, 2016 at 12:20 AM, Simon Glass <sjg at chromium.org> wrote:
>>>
>>> Hi Ronny,
>>>
>>> What is ftpm and dtpm?
>>>
>>> No U-Boot does not support TPM 2.0 yet. Are you thinking of running
>>> U-Boot from UEFI, and having U-Boot access UEFI's virtual TPM?
>>>
>>> Regards,
>>> Simon
>>>
>>> On 30 November 2016 at 13:55, Ronny Ko <hrko at g.harvard.edu> wrote:
>>> > Hi Simon,
>>> >
>>> > I checked with the Minnowboard management team in Intel, and they say fTPM
>>> > is implemented in the UEFI firmware, which is simply a virtual version of
>>> > dTPM. I think this is why TPM is not in the datasheet of the target CPU.
>>> > They also said the way of using an fTPM should be the same as dTPM.
>>> >
>>> > But fTPM is based on the TPM 2.0 standard (not TPM 1.2). Does U-boot
>>> > support TPM 2.0 in its library? If so, I think Minnowboard's fTPM could be
>>> > accessed and seamlessly utilized via U-boot's TPM library calls.
>>> >
>>> > Ronny
>>> >
>>> >
>>> >
>>> > On Wed, Nov 30, 2016 at 12:40 AM, Simon Glass <sjg at chromium.org> wrote:
>>> >>
>>> >> Hi Ronny,
>>> >>
>>> >> On 27 November 2016 at 10:47, Ronny Ko <hrko at g.harvard.edu> wrote:
>>> >> > Hi Simon,
>>> >> >
>>> >> > I'm using Minnowboard MAX. It has fTPM, which is a TPM integrated into
>>> >> > the SoC (Bay Trail).
>>> >> >
>>> >> > http://wiki.minnowboard.org/MinnowBoard_MAX
>>> >> >
>>> >> >
>>> >> > https://firmware.intel.com/blog/security-technologies-and-minnowboard-max
>>> >> >
>>> >> >
>>> >> > https://prosauce.org/blog/2016/1/11/minnowboard-max-enable-and-test-the-firmware-txe-tpm-20
>>> >>
>>> >> I don't see any info in the datasheet here:
>>> >>
>>> >>
>>> >>
>>> >> http://www.intel.com/content/www/us/en/embedded/products/bay-trail/atom-e3800-family-datasheet.html
>>> >>
>>> >> Do you know where it is documented?
>>> >>
>>> >> Regards,
>>> >> Simon
>>> >>
>>> >> >
>>> >> > Ronny
>>> >> >
>>> >> > On Sun, Nov 27, 2016 at 7:02 PM, Simon Glass <sjg at chromium.org>
>>> >> > wrote:
>>> >> >>
>>> >> >> Hi Ronny,
>>> >> >>
>>> >> >> On 24 November 2016 at 14:20, Ronny Ko <hrko at g.harvard.edu> wrote:
>>> >> >> > Hi Simon,
>>> >> >> >
>>> >> >> > I have a question about using a TPM from U-Boot. I'm trying to run
>>> >> >> > U-Boot on Minnowboard MAX, which has a firmware TPM (fTPM) instead of
>>> >> >> > a discrete TPM (dTPM). I wonder if the way of using fTPM from U-Boot
>>> >> >> > is the same as using dTPM. I suppose the answer is yes, if an fTPM is
>>> >> >> > simply a virtual version of dTPM. Or is it not so?
>>> >> >>
>>> >> >> I don't know how that is connected. Do you have any documentation?
>>> >> >>
>>> >> >> Regards,
>>> >> >> Simon
>>> >> >
>>> >> >
>>> >
>>> >
>>
>>
>

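Simon's point that TPM 2.0 support would have to be added to U-Boot rather than reusing its TPM 1.2 library comes down to the wire format: both families share a 10-byte command header (tag, total size, ordinal or command code), but the tag values and command codes differ, so a 1.2-only library cannot drive the Minnowboard's fTPM even though the fTPM is reachable through the same register interface as a discrete part. The block below is an added example, not U-Boot code and not from anyone in this thread. It builds the TPM2_GetCapability probe that the Linux TPM driver uses to tell the two families apart, classifies the reply (a 1.2 part answers a 2.0-tagged command with TPM_TAG_RSP_COMMAND and TPM_BADTAG), and pulls the ASCII family indicator out of a successful 2.0 reply. The byte transport (TIS or CRB register access) is assumed to be supplied by a driver and is not shown; the two response buffers are constructed samples, not captures from a Minnowboard.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TPM 1.2 (TPM Main Specification, Part 2) header tags and error code. */
#define TPM12_TAG_RQU_COMMAND     0x00C1
#define TPM12_TAG_RSP_COMMAND     0x00C4
#define TPM12_ORD_GetCapability   0x00000065
#define TPM12_CAP_VERSION_VAL     0x0000001A
#define TPM12_BADTAG              0x0000001E  /* same value as TPM_RC_BAD_TAG in 2.0 */

/* TPM 2.0 (TPM Library, Part 2) header tags, command code and capability ids. */
#define TPM2_ST_NO_SESSIONS       0x8001
#define TPM2_CC_GetCapability     0x0000017A
#define TPM2_CAP_TPM_PROPERTIES   0x00000006
#define TPM2_PT_FAMILY_INDICATOR  0x00000100
#define TPM2_RC_SUCCESS           0x00000000

#define TPM_HEADER_SIZE 10   /* tag(2) + size(4) + ordinal/cc or rc(4), big-endian */

static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* TPM 1.2 style probe for contrast: TPM_GetCapability(TPM_CAP_VERSION_VAL, subCapSize 0).
 * Returns the 18-byte command length, or 0 if buf is too small. */
size_t tpm12_build_getcap_version(uint8_t *buf, size_t buflen)
{
    const size_t len = TPM_HEADER_SIZE + 8;
    if (buflen < len) return 0;
    put_be16(buf + 0, TPM12_TAG_RQU_COMMAND);
    put_be32(buf + 2, (uint32_t)len);
    put_be32(buf + 6, TPM12_ORD_GetCapability);
    put_be32(buf + 10, TPM12_CAP_VERSION_VAL);
    put_be32(buf + 14, 0);                      /* subCapSize */
    return len;
}

/* TPM 2.0 probe: TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES, TPM_PT_FAMILY_INDICATOR, 1).
 * Returns the 22-byte command length, or 0 if buf is too small. */
size_t tpm2_build_getcap_family(uint8_t *buf, size_t buflen)
{
    const size_t len = TPM_HEADER_SIZE + 12;
    if (buflen < len) return 0;
    put_be16(buf + 0, TPM2_ST_NO_SESSIONS);
    put_be32(buf + 2, (uint32_t)len);
    put_be32(buf + 6, TPM2_CC_GetCapability);
    put_be32(buf + 10, TPM2_CAP_TPM_PROPERTIES);
    put_be32(buf + 14, TPM2_PT_FAMILY_INDICATOR);
    put_be32(buf + 18, 1);                      /* propertyCount */
    return len;
}

/* Classify the reply to tpm2_build_getcap_family():
 *   2  -> 2.0 header (TPM_ST_NO_SESSIONS), the device speaks TPM 2.0
 *   1  -> 1.2 header with TPM_BADTAG: a 1.2 part rejected the 2.0 tag
 *  -1  -> truncated, inconsistent or unrecognised reply */
int tpm_family_from_probe_response(const uint8_t *rsp, size_t len)
{
    if (len < TPM_HEADER_SIZE) return -1;
    uint16_t tag = get_be16(rsp);
    uint32_t size = get_be32(rsp + 2);
    uint32_t rc = get_be32(rsp + 6);
    if (size != len) return -1;                 /* header size must match bytes received */
    if (tag == TPM2_ST_NO_SESSIONS) return 2;
    if (tag == TPM12_TAG_RSP_COMMAND && rc == TPM12_BADTAG) return 1;
    return -1;
}

/* Extract TPM_PT_FAMILY_INDICATOR ("2.0" as ASCII) from a successful 2.0 reply:
 * header(10) moreData(1) capability(4) count(4) property(4) value(4) = 27 bytes.
 * Writes a NUL-terminated string into out[5]; returns 0 on success, -1 otherwise. */
int tpm2_family_indicator(const uint8_t *rsp, size_t len, char out[5])
{
    if (len < 27) return -1;
    if (get_be16(rsp) != TPM2_ST_NO_SESSIONS || get_be32(rsp + 6) != TPM2_RC_SUCCESS) return -1;
    if (get_be32(rsp + 11) != TPM2_CAP_TPM_PROPERTIES) return -1;
    if (get_be32(rsp + 15) < 1) return -1;      /* at least one tagged property */
    if (get_be32(rsp + 19) != TPM2_PT_FAMILY_INDICATOR) return -1;
    memcpy(out, rsp + 23, 4);
    out[4] = '\0';
    return 0;
}

/* Constructed sample replies (not captured from real hardware). */
const uint8_t SAMPLE_RSP_TPM20[27] = {
    0x80, 0x01, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x00,   /* header, rc = SUCCESS */
    0x00,                                                         /* moreData = NO */
    0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01,               /* cap, count = 1 */
    0x00, 0x00, 0x01, 0x00, 0x32, 0x2E, 0x30, 0x00,               /* FAMILY_INDICATOR = "2.0" */
};
const uint8_t SAMPLE_RSP_TPM12[10] = {
    0x00, 0xC4, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x1E,   /* TPM_TAG_RSP_COMMAND, TPM_BADTAG */
};

int main(void)
{
    uint8_t cmd[32];
    char fam[5];
    size_t n = tpm2_build_getcap_family(cmd, sizeof cmd);
    printf("probe command: %zu bytes, tag 0x%02X%02X\n", n, cmd[0], cmd[1]);
    printf("sample 2.0 reply -> family %d\n",
           tpm_family_from_probe_response(SAMPLE_RSP_TPM20, sizeof SAMPLE_RSP_TPM20));
    printf("sample 1.2 reply -> family %d\n",
           tpm_family_from_probe_response(SAMPLE_RSP_TPM12, sizeof SAMPLE_RSP_TPM12));
    if (tpm2_family_indicator(SAMPLE_RSP_TPM20, sizeof SAMPLE_RSP_TPM20, fam) == 0)
        printf("family indicator: %s\n", fam);
    return 0;
}
```

In a real driver the 22-byte command goes to the TPM's data FIFO and the reply is read back before being passed to tpm_family_from_probe_response(); the size check against the received length is what protects the parser from a short or garbage reply, which is exactly the case a 1.2-only library would hit when it sends its own 0x00C1-tagged commands to a 2.0 fTPM and gets TPM_BADTAG back.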
