<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"French Script MT";
panose-1:3 2 4 2 4 6 7 4 6 5;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.st
{mso-style-name:st;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:661660618;
mso-list-template-ids:1514339292;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.75in;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.25in;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.75in;
mso-level-number-position:left;
margin-left:1.75in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.25in;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.75in;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.25in;
mso-level-number-position:left;
margin-left:3.25in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.75in;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.25in;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.75in;
mso-level-number-position:left;
margin-left:4.75in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hello Ghani,<o:p></o:p></span></a></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">It looks like you did the extra research, which I applaud.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">There are a couple of UDK2015 questions below that could be discussed. The 0.90 firmware for MinnowBoard MAX/Turbot is based upon UDK2014.SP1.P1. However, the
upcoming 0.91 firmware is going to be based upon the UDK2015. (This is why there is a 12-week window between 0.90 and 0.91, instead of the usual 5-6 weeks; re-basing a firmware is not a simple or trivial task.)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">However, it should also be noted that the UDK2015 is still integrating the UEFI specification features from the latest UEFI specification (version 2.6), so some
features may not be in the UDK2015 at this time. As for Firmware Engine, yes, the platform support for MinnowBoard MAX/Turbot is based upon UDK2015, but the same disclaimer applies.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The UEFI specification does provide the protocols for communicating with Secure storage, but
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I agree that TPM is not required for advanced security of a platform (like hardware encryption), but it does provide some hardware options that can be useful.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">When you state:<o:p></o:p></span></p>
<p class="MsoNormal">As I understood SED drives come with the pre-boot authentication (<span class="st">PBA) installed, so does
</span>UEFI have to receive the request to send the encryption key to the SED drive
<b>OR</b> the communication is only done between the pre-boot and the user, TPM, etc.? So it is up to the SED on how to get the encryption key!!<br>
<br>
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">It seems to me that it really is up to the SED’s PBA as to the source of the key. See, once the PBA is running, it has the power to query any system resource
(including the operator via console) for the password/key. This is actually rather clever, as it allows the PBA (an integral part of the SED system) to have autonomous control of the process, rather than expecting the system firmware (which may have to support
several SED implementations – each with different mechanisms) to provide the interface specifics. Though the SED may have system requirements that have to be met (i.e. if the PBA is going to use a biometric device for key/hash entry, then the system will
have to have that device). <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Sincerely,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:18.0pt;font-family:"French Script MT";color:#1F497D">Michael Krau</span><span style="color:#1F497D"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><a name="_____replyseparator"></a><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> Abdelghani Ouchabane
[mailto:abdelghani@ezono.com] <br>
<b>Sent:</b> Friday, April 08, 2016 1:45 AM<br>
<b>To:</b> Krau, Michael P <michael.p.krau@intel.com>; MinnowBoard Development and Community Discussion <elinux-minnowboard@lists.elinux.org><br>
<b>Subject:</b> Re: [MinnowBoard] MinnowBoard Turbot & mSATA self encrypted SSD & UEFI<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 06/04/16 20:21, Krau, Michael P wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Condensing the discussion to the now open elements:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal">Is it TPM 1.2 or 2.0? Does it have a persistent memory?<br>
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I believe the fTPM is 2.0 standard (but have not found confirmation). The fTPM does have its own persistent memory, though I do not have specifics on how much and where.
</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal">It is 2.0<br>
<br>
<a href="http://prosauce.org/blog/2016/1/11/minnowboard-max-enable-and-test-the-firmware-txe-tpm-20">http://prosauce.org/blog/2016/1/11/minnowboard-max-enable-and-test-the-firmware-txe-tpm-20</a><br>
<br>
<a href="https://github.com/tianocore/edk2/blob/master/SecurityPkg/SecurityPkg.dec">https://github.com/tianocore/edk2/blob/master/SecurityPkg/SecurityPkg.dec</a><br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal">Storing the password in the TPM's secure storage area would be the right option, but as you said, with the fTPM it is not possible, so maybe an external TPM can do that.<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I believe there is some TPM support in the UEFI Open Sources, but it is not currently pulled into the MinnowBoard MAX build. We do not pull code support into firmware
images unless there is a requirement to do so. In the case of the MAX/Turbot, the general product does not require TPM support, so the sources are not included in the build. (They can be added.)
</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal">Yes, it is in:<br>
<br>
<a href="https://github.com/tianocore/edk2/tree/master/MdePkg/Include/IndustryStandard/Tpm12.h">https://github.com/tianocore/edk2/tree/master/MdePkg/Include/IndustryStandard/Tpm12.h</a><br>
<a href="https://github.com/tianocore/edk2/tree/master/MdePkg/Include/IndustryStandard/Tpm20.h">https://github.com/tianocore/edk2/tree/master/MdePkg/Include/IndustryStandard/Tpm20.h</a><br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal">Do you know any supported discrete TPM by UEFI on MinnowBoard MAX ?<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Work was done on the MAX/Turbot to support the I2S Bus for the purpose of supporting peripherals like TPM. So there is some support, but it was provided as expansion
capability (good question for the Tianocore.org mailing lists).</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal">Does UEFI (Release 0.80) support pre-boot authentication (<span class="st">PBA)</span> communication?<br>
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Not as such. This was not a requirement of the code base, and I am not sure if there are any examples in the current Open Source repositories. However, see my notes below regarding
PBA and how it probably works with firmware. </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">A note on terminology: The firmware for the MinnowBoard MAX/Turbot (as shipped on the product and provided at Firmware.intel.com) does conform to the UEFI Specification
(as opposed to coreboot or U-Boot, or legacy BIOS). However, to use the term “UEFI” to represent any specific firmware implementation (for any specific product) is a misuse of the term UEFI. UEFI is a standards forum of over 250 members within the industry.
The UEFI forum is responsible for several specifications, including the UEFI specification, PI specification, UEFI Shell Specification, and ACPI Specification. The UEFI specification supports many technologies and capabilities, some of which are mutually
exclusive. There are hundreds (if not thousands) of products using UEFI specification compliant code to boot, across different architectures and classes of devices.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">So it is highly possible that there are in existence, somewhere, UEFI based firmware solutions that support unique and special technologies. However, those firmware
solutions may be proprietarily owned, closed sourced, specific to a specialized product, and basically not appropriate to the discussion of the MinnowBoard platform. The real question is what is currently available for MinnowBoard MAX/Turbot and/or what
can be found in the Open Source code base that can be included (if it is not a part of the current product). Otherwise it would still be possible to support new and unique technology in the MinnowBoard MAX/Turbot firmware, but it will be a development process
to create the appropriate drivers and applications and integrate them in the firmware image.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal">To add:<br>
<br>
Self Encrypted Hard Drive ( SED ) needs:<br>
<br>
Storage Security Command Protocol for encrypted HDD (EFI_STORAGE_SECURITY_COMMAND_PROTOCOL), which was added in UEFI 2.3.1a. This enables security protocol commands to be sent to and from the SED (it is used to allow programs running in the EFI boot services
environment to send security protocol commands to the drive).<br>
<br>
The master supports the Opal 2.0/1.0 standard.<br>
<br>
For the password support it is in: <a href="https://github.com/tianocore/edk2/tree/master/SecurityPkg/Tcg/Opal">
https://github.com/tianocore/edk2/tree/master/SecurityPkg/Tcg/Opal</a><br>
<br>
But it is not in UDK2015<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal">As I understood SED drives come with the pre-boot authentication (<span class="st">PBA) installed, so does
</span>UEFI have to receive the request to send the encryption key to the SED drive
<b>OR</b> the communication is only done between the pre-boot and the user, TPM, etc.? So it is up to the SED on how to get the encryption key!!<br>
<br>
Most Full Disk Encryption products allow administrators to enable users to provide the encryption key for a system at the pre-boot stage in several ways:
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.75in;text-indent:-.25in;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>in the form of a password or passphrase;<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.75in;text-indent:-.25in;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>by inserting a USB drive containing the key;<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.75in;text-indent:-.25in;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>using a one-time password generating device such as an RSA token;<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.75in;text-indent:-.25in;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>using some biometric device such as a fingerprint reader (usually connected to a
<a href="http://en.wikipedia.org/wiki/Trusted_Platform_Module">Trusted Platform Module</a> which holds the actual encryption key).<o:p></o:p></p>
<p>When the <b>BIOS</b> requests the <b>Master Boot Record</b> from the drive, the
<b>drive</b> instead returns the <b>pre-boot record</b> to the user. This <b>pre-boot</b> record is a complete,
<b>though quite restricted OS, usually something simple like MS-DOS or LINUX.</b> The
<b>pre-boot</b> image requests the Authentication Credentials from the user, which are passed to and checked directly by the drive logic. If accepted, then the drive returns the MBR and the OS is loaded. Important point: This pre-boot authentication is the
FIRST thing that happens and is controlled by the drive directly. This has the added advantages of not modifying the MBR, which many software encryption products do, and allowing the MBR to be encrypted like all other user accessible data.<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">From your description, the PBA basically adds another stage in the bootstrap process. Normally: Firmware → OS loader → OS execution. With PBA: Firmware → PBA → OS Loader → OS execution.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">So it sounds like the PBA takes care of itself.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Basically, since the pre-boot record is an OS, the firmware will boot to the pre-boot record, and the pre-boot record then goes about getting the authentication
from the system, using standard channels. It sounds to me like you wish to expand the pre-boot record to access another device (i.e. TPM) and retrieve the password from it. The firmware might provide some basic I/O primitives to make the OS’s job of device
access easier, but that would be an implementation aspect of the PBA. I would also imagine that the PBA does not call ExitBootServices (which terminates the boot time services of UEFI compliant firmware) but would rather leave the UEFI boot services running
so the final (decrypted) OS image can utilize the UEFI boot services as a part of its boot process (and then call ExitBootServices when it is ready to terminate UEFI boot support).
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
TPM is not required in order to run hardware encryption. However, a TPM can provide additional data security functions, such as mating the SED to the host system so it cannot be operated in any other host computer.<br>
<br>
I checked Intel® Firmware Engine 2.0 : <a href="https://firmware.intel.com/learn/intel-firmware-engine/intel-firmware-engine">
https://firmware.intel.com/learn/intel-firmware-engine/intel-firmware-engine</a><br>
<br>
It is a great tool to build platform firmware images, it supports MinnowBoard MAX & MinnowBoard Turbot, and it looks like it is based on
<b>UDK2015</b>, <b>is that right?</b><br>
<br>
But it does not support Self Encrypted Hard Drive (SED) yet.<br>
<br>
Thanks a lot.<br>
Ghani<br>
<o:p></o:p></p>
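<p class="MsoNormal">An added example, not code from this thread or from edk2/UDK: a small C parser for the TCG Opal Level 0 Discovery response, the first thing a pre-boot application fetches from an SED through EFI_STORAGE_SECURITY_COMMAND_PROTOCOL.ReceiveData() (security protocol 0x01, SP-specific protocol 0x0001). It decodes the Opal 2.0 and Locking feature descriptors, including the MBR-shadow bits behind the pre-boot record mechanism discussed above, and adds a check that locking is actually enabled rather than merely supported. The response bytes, the struct and function names, and the sample values are constructed for illustration, not captured from a real drive or taken from the project.</p>

```c
/* Added example, not code from the thread or from edk2/UDK: parse a TCG Opal
 * Level 0 Discovery response. A pre-boot tool obtains these bytes from the SED
 * via EFI_STORAGE_SECURITY_COMMAND_PROTOCOL.ReceiveData() with security
 * protocol 0x01 and SP-specific protocol 0x0001; here the response is a
 * constructed sample so the parser runs offline. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Feature codes defined by the TCG Opal SSC Level 0 Discovery feature table */
#define TCG_FEATURE_TPER     0x0001
#define TCG_FEATURE_LOCKING  0x0002
#define TCG_FEATURE_OPAL_V1  0x0200
#define TCG_FEATURE_OPAL_V2  0x0203

typedef struct {
    int tper_present, opal_v1, opal_v2;
    int locking_supported, locking_enabled, locked, media_encryption;
    int mbr_enabled;      /* MBR shadow active: drive serves the PBA image instead of the real MBR */
    int mbr_done;         /* PBA signalled completion: real MBR is served again */
    uint16_t base_comid;  /* from the Opal 2.0 descriptor, 0 if absent */
} sed_discovery_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, -1 if the buffer is truncated or a descriptor length
 * points past the data. Unknown and vendor descriptors are skipped by length. */
int parse_level0_discovery(const uint8_t *buf, size_t len, sed_discovery_t *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 48) return -1;                        /* 48-byte discovery header */
    uint32_t body_len = be32(buf);                  /* bytes following the length field */
    if (body_len < 44 || (size_t)body_len + 4 > len) return -1;
    size_t end = (size_t)body_len + 4;
    size_t off = 48;
    while (off + 4 <= end) {
        uint16_t code = be16(buf + off);
        uint8_t  dlen = buf[off + 3];               /* byte 2 holds version/reserved */
        const uint8_t *data = buf + off + 4;
        if (off + 4 + dlen > end) return -1;        /* descriptor runs past the buffer */
        switch (code) {
        case TCG_FEATURE_TPER:
            out->tper_present = 1;
            break;
        case TCG_FEATURE_LOCKING:
            if (dlen < 1) return -1;
            out->locking_supported = data[0] & 1;
            out->locking_enabled   = (data[0] >> 1) & 1;
            out->locked            = (data[0] >> 2) & 1;
            out->media_encryption  = (data[0] >> 3) & 1;
            out->mbr_enabled       = (data[0] >> 4) & 1;
            out->mbr_done          = (data[0] >> 5) & 1;
            break;
        case TCG_FEATURE_OPAL_V1:
            out->opal_v1 = 1;
            break;
        case TCG_FEATURE_OPAL_V2:
            if (dlen < 2) return -1;
            out->opal_v2 = 1;
            out->base_comid = be16(data);
            break;
        default:
            break;
        }
        off += 4 + dlen;
    }
    return 0;
}

/* Defender's check: data at rest is only protected once the Locking SP has been
 * activated. A drive that merely *supports* locking still hands out plaintext. */
int sed_data_at_rest_protected(const sed_discovery_t *d)
{
    return d->locking_supported && d->locking_enabled && d->media_encryption;
}

/* Constructed sample response (not captured from a real drive): TPer, Locking
 * (supported, enabled, locked, media encryption, MBR shadow enabled, MBR not
 * done) and Opal 2.0 (base ComID 0x1000, 4 admins, 8 users). */
static const uint8_t SAMPLE_L0[100] = {
    0x00,0x00,0x00,0x60, 0x00,0x00, 0x00,0x01,     /* body length 96, version 0.1 */
    [48] = 0x00,0x01, 0x10, 0x0C, 0x01,            /* TPer v1, len 12, sync supported */
    [64] = 0x00,0x02, 0x10, 0x0C, 0x1F,            /* Locking v1, len 12, flags 0b011111 */
    [80] = 0x02,0x03, 0x10, 0x10, 0x10,0x00, 0x00,0x01, 0x00, 0x00,0x04, 0x00,0x08, 0x00, 0x00,
};

int main(void)
{
    sed_discovery_t d;
    if (parse_level0_discovery(SAMPLE_L0, sizeof SAMPLE_L0, &d) != 0) {
        puts("malformed Level 0 Discovery response");
        return 1;
    }
    printf("Opal 2.0: %d  base ComID: 0x%04x\n", d.opal_v2, d.base_comid);
    printf("locking enabled: %d  locked: %d  MBR shadow: %d  MBR done: %d\n",
           d.locking_enabled, d.locked, d.mbr_enabled, d.mbr_done);
    printf("data at rest protected: %s\n", sed_data_at_rest_protected(&d) ? "yes" : "NO");
    return 0;
}
```

<p class="MsoNormal">In a real pre-boot application the buffer would be filled by ReceiveData() on the protocol instance for the mSATA device; the parser is the same. The length checks matter because the drive controls every byte of this response, so a firmware-side parser must never trust a descriptor length to stay inside the buffer.</p>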
</div>
</body>
</html>