<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 06/04/16 20:21, Krau, Michael P
      wrote:<br>
    </div>
    <blockquote
cite="mid:9F85465CC6A8EE4EAEEF3823366D234BA3B28677@ORSMSX110.amr.corp.intel.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <meta name="Generator" content="Microsoft Word 15 (filtered
        medium)">
      <style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"French Script MT";
        panose-1:3 2 4 2 4 6 7 4 6 5;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
span.st
        {mso-style-name:st;}
span.EmailStyle23
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:661660618;
        mso-list-template-ids:1514339292;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.75in;
        mso-level-number-position:left;
        margin-left:.75in;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:1.25in;
        mso-level-number-position:left;
        margin-left:1.25in;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:1.75in;
        mso-level-number-position:left;
        margin-left:1.75in;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.25in;
        mso-level-number-position:left;
        margin-left:2.25in;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.75in;
        mso-level-number-position:left;
        margin-left:2.75in;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.25in;
        mso-level-number-position:left;
        margin-left:3.25in;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.75in;
        mso-level-number-position:left;
        margin-left:3.75in;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.25in;
        mso-level-number-position:left;
        margin-left:4.25in;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.75in;
        mso-level-number-position:left;
        margin-left:4.75in;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1
        {mso-list-id:964238290;
        mso-list-type:hybrid;
        mso-list-template-ids:-745094388 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
      <div class="WordSection1">
        <p class="MsoNormal"><a moz-do-not-send="true"
            name="_MailEndCompose"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Condensing
              the discussion to the now open elements:<o:p></o:p></span></a></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal">Is it TPM 1.2 or 2.0? Does it have a
          persistent memory?<br>
          <span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I
            believe the fTPM is 2.0 standard (but have not found
            confirmation).  The fTPM does have its own persistent
            memory, though I do not have specifics on how much and
            where.
          </span></p>
      </div>
    </blockquote>
    It is 2.0<br>
    <br>
<a class="moz-txt-link-freetext" href="http://prosauce.org/blog/2016/1/11/minnowboard-max-enable-and-test-the-firmware-txe-tpm-20">http://prosauce.org/blog/2016/1/11/minnowboard-max-enable-and-test-the-firmware-txe-tpm-20</a><br>
    <br>
<a class="moz-txt-link-freetext" href="https://github.com/tianocore/edk2/blob/master/SecurityPkg/SecurityPkg.dec">https://github.com/tianocore/edk2/blob/master/SecurityPkg/SecurityPkg.dec</a><br>
    <br>
    <blockquote
cite="mid:9F85465CC6A8EE4EAEEF3823366D234BA3B28677@ORSMSX110.amr.corp.intel.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal">Storing the password in the TPM's secure
          storage area will be the right option, but, as you said, with
          the fTPM that is not possible, so maybe an external TPM can do that.<span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I
            believe there is some TPM support in the UEFI Open Sources,
            but not currently pulled into the MinnowBoard MAX Build.  We
            do not pull code support into firmware images unless there
            is a requirement to do so.  In the case of the MAX/Turbot,
            the general product does not require TPM support, so the
            sources are not included in the build.   (they can be
            added).
          </span></p>
      </div>
    </blockquote>
    Yes, it is in:<br>
    <br>
<a class="moz-txt-link-freetext" href="https://github.com/tianocore/edk2/tree/master/MdePkg/Include/IndustryStandard/Tpm12.h">https://github.com/tianocore/edk2/tree/master/MdePkg/Include/IndustryStandard/Tpm12.h</a><br>
<a class="moz-txt-link-freetext" href="https://github.com/tianocore/edk2/tree/master/MdePkg/Include/IndustryStandard/Tpm20.h">https://github.com/tianocore/edk2/tree/master/MdePkg/Include/IndustryStandard/Tpm20.h</a><br>
    <br>
    <blockquote
cite="mid:9F85465CC6A8EE4EAEEF3823366D234BA3B28677@ORSMSX110.amr.corp.intel.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal">Do you know of any discrete TPM supported by
          UEFI on the MinnowBoard MAX?<span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Work
            was done on the MAX/Turbot to support the I2S Bus for the
            purpose of supporting peripherals like TPM.  So there is
            some support, but it was provided as expansion capability
            (good question for the Tianocore.org mailing lists)<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal">Does UEFI (Release 0.80) support pre-boot
          authentication (<span class="st">PBA)</span> communication?<br>
          <span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Not
            as such.  This was not a requirement of code base, and I am
            not sure if there are any examples in the current Open
            Source repositories.   However see my notes below regarding
            PBA and how it probably works with firmware.  <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">A
            Note on terminology:  The firmware for the MinnowBoard
            MAX/Turbot (as shipped on the product and provided at
            Firmware.intel.com) does conform to the UEFI Specification
            (as opposed to coreboot or Uboot, or legacy BIOS).  However,
            to use the term “UEFI” to represent any specific firmware
            implementation (for any specific product) is a misuse of
            the term UEFI.  UEFI is a standards forum of over 250
            members within the industry.  The UEFI forum is responsible
            for several specifications, including the UEFI
            specification, PI specification, UEFI Shell Specification,
            and ACPI Specification.   The UEFI specification supports
            many technologies and capabilities, some of which are
            mutually exclusive.   There are hundreds (if not thousands)
            of products using UEFI specification compliant code to boot,
            across different architectures and classes of devices. 
            <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">So
            it is highly possible that there are in existence,
            somewhere, UEFI based firmware solutions that support unique
            and special technologies.  However, those firmware solutions
            may be proprietarily owned, closed sourced, specific to a
            specialized product, and basically not appropriate to the
            discussion of the MinnowBoard platform.   The real question
            is what is currently available for MinnowBoard MAX/Turbot
            and/or what can be found in the Open Source code base that
            can be included (if it is not a part of the current
            product).   Otherwise it would still be possible to support
            new and unique technology in the MinnowBoard MAX/Turbot
            firmware, but it will be a development process to create the
            appropriate drivers and applications and integrate them in
            the firmware image.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
      </div>
    </blockquote>
    To add:<br>
    <br>
    A Self-Encrypted Hard Drive (SED) needs:<br>
    <br>
    the Storage Security Command Protocol for encrypted HDDs
    (EFI_STORAGE_SECURITY_COMMAND_PROTOCOL). It was added in UEFI
    2.3.1a and enables security protocol commands to be sent to and
    from the SED (it is used to allow programs running in the EFI boot
    services environment to send security protocol commands to the
    drive).<br>
    <br>
    The edk2 master branch supports the Opal 2.0/1.0 standard.<br>
    <br>
    The password support is in:
    <a class="moz-txt-link-freetext" href="https://github.com/tianocore/edk2/tree/master/SecurityPkg/Tcg/Opal">https://github.com/tianocore/edk2/tree/master/SecurityPkg/Tcg/Opal</a><br>
    <br>
    But it is not in UDK2015.<br>
    <br>
    <blockquote
cite="mid:9F85465CC6A8EE4EAEEF3823366D234BA3B28677@ORSMSX110.amr.corp.intel.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal">As I understand it, SED drives come with the
          pre-boot authentication (<span class="st">PBA) installed, so
            does
          </span>UEFI have to receive the request to send the encryption
          key to the SED drive,
          <b>OR</b> is the communication only done between the pre-boot
          and the user, TPM, etc.? So it is up to the SED how to get
          the encryption key!!<br>
          <br>
          Most Full Disk Encryption products allow administrators to
          enable users to provide the encryption key for a system at the
          pre-boot stage in several ways:
          <o:p></o:p></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.75in;text-indent:-.25in;mso-list:l0
          level1 lfo3">
          <!--[if !supportLists]--><span
            style="font-size:10.0pt;font-family:Symbol"><span
              style="mso-list:Ignore">·<span style="font:7.0pt
                "Times New Roman"">        
              </span></span></span><!--[endif]-->in the form of a
          password or passphrase;<o:p></o:p></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.75in;text-indent:-.25in;mso-list:l0
          level1 lfo3">
          <!--[if !supportLists]--><span
            style="font-size:10.0pt;font-family:Symbol"><span
              style="mso-list:Ignore">·<span style="font:7.0pt
                "Times New Roman"">        
              </span></span></span><!--[endif]-->by inserting a USB
          drive containing the key;<o:p></o:p></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.75in;text-indent:-.25in;mso-list:l0
          level1 lfo3">
          <!--[if !supportLists]--><span
            style="font-size:10.0pt;font-family:Symbol"><span
              style="mso-list:Ignore">·<span style="font:7.0pt
                "Times New Roman"">        
              </span></span></span><!--[endif]-->using a one-time
          password generating device such as an RSA token;<o:p></o:p></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.75in;text-indent:-.25in;mso-list:l0
          level1 lfo3">
          <!--[if !supportLists]--><span
            style="font-size:10.0pt;font-family:Symbol"><span
              style="mso-list:Ignore">·<span style="font:7.0pt
                "Times New Roman"">        
              </span></span></span><!--[endif]-->using some biometric
          device such as a fingerprint reader (usually connected to a
          <a moz-do-not-send="true"
            href="http://en.wikipedia.org/wiki/Trusted_Platform_Module">Trusted
            Platform Module</a> which holds the actual encryption key<o:p></o:p></p>
        <p>When the <b>BIOS</b> requests the <b>Master Boot Record</b>
          from the drive, the
          <b>drive</b> instead returns the <b>pre-boot record</b> to
          the user. This <b>pre-boot</b> record is a complete,
          <b>though quite restricted OS, usually something simple like
            MS-DOS or LINUX.</b> The
          <b>pre-boot</b> image requests the Authentication Credentials
          from the user, which are passed to and checked directly by the
          drive logic. If accepted, then the drive returns the MBR and
          the OS is loaded. Important point: This pre-boot
          authentication is the FIRST thing that happens and is
          controlled by the drive directly. This has the added
          advantages of not modifying the MBR, which many software
          encryption products do, and allowing the MBR to be encrypted
          like all other user accessible data.<o:p></o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">From
            your description, the PBA basically adds another stage in
            the bootstrap process.   Normally: Firmware &rarr; OS loader
            &rarr; OS execution.  With PBA: Firmware &rarr; PBA &rarr;
            OS Loader &rarr; OS execution.
            <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">So
            it sounds like the PBA takes care of itself. 
            <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Basically
            since the pre-boot record is an OS, the firmware will boot
            to the pre-boot record, and the pre-boot record then goes
            about getting the authentication from the system.  Using
            standard channels.  It sounds to me like you wish to expand
            the pre-boot record to access another device (i.e. TPM) and
            retrieve the password from it.  The firmware might provide
            some Basic I/O primitives to make the OS’s job of device
            access easier, but that would be an implementation aspect of
            the PBA.   I would also imagine that the PBA does not call
            ExitBootServices (which terminates the boot time services of
            UEFI compliant firmware) but would rather leave the UEFI
            boot services running so the final (decrypted) OS image can
            utilize the UEFI boot services as a part of its boot process
            (and then call ExitBootServices when it is ready to
            terminate UEFI boot support).
            <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
      </div>
    </blockquote>
    <br>
    TPM is not required in order to run hardware encryption. However, a
    TPM can provide additional data security functions, such as mating
    the SED to the host system so it cannot be operated in any other
    host computer.<br>
    <br>
    I checked Intel® Firmware Engine 2.0 :
<a class="moz-txt-link-freetext" href="https://firmware.intel.com/learn/intel-firmware-engine/intel-firmware-engine">https://firmware.intel.com/learn/intel-firmware-engine/intel-firmware-engine</a><br>
    <br>
    It is a great tool for building platform firmware images; it supports the
    MinnowBoard MAX &amp; MinnowBoard Turbot. It looks like it is based on
    <b>UDK2015</b>, <b>is that right?</b><br>
    <br>
    But it does not support Self Encrypted Hard Drive (SED) yet.<br>
    <br>
    Thanks a lot.<br>
    Ghani<br>
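    <br>
    <p>The Level 0 Discovery step that any Opal-aware pre-boot code (the PBA, or a UEFI driver such as the one under SecurityPkg/Tcg/Opal) performs first, as an added example that is not code from this thread, from edk2 or from the MinnowBoard firmware. It parses the response a SED returns to a security protocol IN command (SecurityProtocolId 0x01, ComID 0x0001, which under UEFI would be issued through EFI_STORAGE_SECURITY_COMMAND_PROTOCOL.ReceiveData()) and reports whether the drive advertises Opal v1 or v2, its base ComID, and whether it is currently locked and serving its shadow MBR, that is, whether pre-boot authentication is still pending. The response bytes are constructed for the example; the field layouts follow the TCG Opal SSC Level 0 Discovery format, and the function and type names are my own.</p>

```c
/* Added example, not code from this e-mail thread, from edk2 or from the
 * MinnowBoard firmware.  Parses a TCG Opal Level 0 Discovery response; under
 * UEFI the bytes would come from EFI_STORAGE_SECURITY_COMMAND_PROTOCOL
 * .ReceiveData() with SecurityProtocolId 0x01 and ComID 0x0001. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define FEAT_LOCKING 0x0002   /* feature codes from the Opal SSC spec */
#define FEAT_OPAL_V1 0x0200
#define FEAT_OPAL_V2 0x0203

typedef struct {
    int opal_v1, opal_v2;                 /* SSC descriptors advertised */
    int locking_supported, locking_enabled, locked, media_encryption;
    int mbr_enabled, mbr_done;            /* shadow MBR (PBA image) state */
    uint16_t base_comid, num_comids;      /* ComID used for later session traffic */
} OpalDiscovery;

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns 0 on success, -1 if the response is truncated or a descriptor
 * length runs past the buffer.  The drive controls every length field, so
 * each one is bounds-checked before it is trusted. */
int parse_level0_discovery(const uint8_t *buf, size_t len, OpalDiscovery *out)
{
    memset(out, 0, sizeof *out);
    if (len < 48) return -1;
    size_t end = (size_t)be32(buf) + 4;   /* length field excludes itself */
    if (end < 48 || end > len) return -1;
    for (size_t off = 48; off + 4 <= end; ) {   /* 48-byte header, then descriptors */
        uint16_t code = be16(buf + off);
        uint8_t flen = buf[off + 3];      /* byte 2 is version, byte 3 is length */
        const uint8_t *d = buf + off + 4;
        if (off + 4 + flen > end) return -1;
        if (code == FEAT_LOCKING && flen >= 1) {
            out->locking_supported = d[0] & 1;
            out->locking_enabled   = (d[0] >> 1) & 1;
            out->locked            = (d[0] >> 2) & 1;
            out->media_encryption  = (d[0] >> 3) & 1;
            out->mbr_enabled       = (d[0] >> 4) & 1;
            out->mbr_done          = (d[0] >> 5) & 1;
        } else if (code == FEAT_OPAL_V1) {
            out->opal_v1 = 1;
        } else if (code == FEAT_OPAL_V2 && flen >= 4) {
            out->opal_v2 = 1;
            out->base_comid = be16(d);
            out->num_comids = be16(d + 2);
        }
        off += 4 + flen;
    }
    return 0;
}

/* True when the drive is still serving its shadow MBR (the PBA image) in
 * place of the real boot area and waits for credentials before unlocking. */
int pba_pending(const OpalDiscovery *d)
{
    return d->locking_enabled && d->locked && d->mbr_enabled && !d->mbr_done;
}

/* Constructed response (not captured from a real drive): 48-byte header,
 * then TPer, Locking and Opal SSC v2 feature descriptors. */
const uint8_t sample_discovery[] = {
    0x00,0x00,0x00,0x60, 0x00,0x00,0x00,0x01,                  /* length 96, version 0.1 */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,         /* reserved + vendor unique */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x00,0x01, 0x10,0x0C, 0x01,0,0,0,0,0,0,0,0,0,0,0,          /* TPer: sync supported */
    0x00,0x02, 0x10,0x0C, 0x1F,0,0,0,0,0,0,0,0,0,0,0,          /* Locking: enabled, locked, MBR on, MBR not done */
    0x02,0x03, 0x10,0x10, 0x10,0x00, 0x00,0x01, 0x00,          /* Opal v2: base ComID 0x1000, 1 ComID */
    0x00,0x04, 0x00,0x08, 0x00, 0x00, 0,0,0,0,0,               /* 4 admins, 8 users, reserved */
};
const size_t sample_discovery_len = sizeof sample_discovery;

/* Wrappers so the parsed result is available as plain return values.
 * parse_level0_discovery zeroes the struct first, so a failure shows as all 0. */
static OpalDiscovery parse_sample(void)
{
    OpalDiscovery d;
    parse_level0_discovery(sample_discovery, sample_discovery_len, &d);
    return d;
}
int sample_pba_pending(void)  { OpalDiscovery d = parse_sample(); return pba_pending(&d); }
int sample_base_comid(void)   { return parse_sample().base_comid; }
int sample_opal_version(void) { OpalDiscovery d = parse_sample(); return d.opal_v2 ? 2 : d.opal_v1; }

/* A truncated buffer and a descriptor claiming 255 bytes must both be rejected. */
int malformed_rejected(void)
{
    OpalDiscovery d;
    uint8_t bad[sizeof sample_discovery];
    memcpy(bad, sample_discovery, sizeof bad);
    bad[48 + 3] = 0xFF;                   /* first descriptor now claims 255 bytes */
    return parse_level0_discovery(sample_discovery, 60, &d) == -1 &&
           parse_level0_discovery(bad, sizeof bad, &d) == -1;
}

int main(void)
{
    printf("Opal v%d, base ComID 0x%04x, PBA pending: %d, malformed rejected: %d\n",
           sample_opal_version(), sample_base_comid(), sample_pba_pending(), malformed_rejected());
    return 0;
}
```

    <p>In the constructed response the Locking descriptor byte is 0x1F: locking supported and enabled, locked, media encryption on, MBR shadowing enabled and MBR Done clear. That is exactly the state in which the drive answers reads of the boot area with the pre-boot record described above instead of the real MBR; a PBA that sets MBR Done after a successful authentication is what lets the OS loader proceed. Every length the drive supplies is bounds-checked before use, so a truncated buffer or a descriptor that claims more bytes than remain is rejected rather than read past the end.</p>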
  </body>
</html>