<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 08/04/16 20:55, Krau, Michael P
      wrote:<br>
    </div>
    <blockquote
cite="mid:9F85465CC6A8EE4EAEEF3823366D234BA3B3BEDB@ORSMSX109.amr.corp.intel.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><a moz-do-not-send="true"
            name="_MailEndCompose"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hello
              Ghani,<o:p></o:p></span></a></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">It
            looks like you did the extra research, which I applaud. 
          </span></p>
      </div>
    </blockquote>
    Hello Michael,<br>
      thanks a lot for your great support, I am learning a lot.<br>
    <br>
    <blockquote
cite="mid:9F85465CC6A8EE4EAEEF3823366D234BA3B3BEDB@ORSMSX109.amr.corp.intel.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">There
            are a couple of UDK2015 questions below that could be
            discussed.  The 0.90 firmware for MinnowBoard MAX/Turbot is
            based upon UDK2014.SP1.P1.  However, the upcoming 0.91
            firmware is going to be based upon the UDK2015.  (This is
            why there is a 12 week window between 0.90 and 0.91, instead
            of the usual 5-6 weeks, the re-base of a firmware is not a
            simple or trivial task)<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
      </div>
    </blockquote>
    This will be great; I hope it will support more features like Opal 2,
    etc.<br>
     <br>
    <blockquote
cite="mid:9F85465CC6A8EE4EAEEF3823366D234BA3B3BEDB@ORSMSX109.amr.corp.intel.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">However,
            it should also be noted that the UDK2015 is still
            integrating the UEFI specification features from the latest
            UEFI specification (version 2.6), so some features may not be
            in the UDK2015 at this time.   As for Firmware Engine, yes,
            the platform support for MinnowBoard MAX/Turbot is based
            upon UDK2015, but the same disclaimer applies. <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The
            UEFI specification does provide the protocols for
            communicating with Secure storage, but
            <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I
            agree that TPM is not required for advanced security of a
            platform (like hardware encryption), but it does provide
            some hardware options that can be useful.
            <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">When
            you state:<o:p></o:p></span></p>
        <p class="MsoNormal">As I understood SED drives come with the
          pre-boot authentication (<span class="st">PBA) installed, so
            does
          </span>UEFI have to receive the request to send the encryption
          key to the SED drive
          <b>OR</b> the communication is only done between the pre-boot
          and the user, TPM ..etc ? So it is up to the SED on how to get
          the encryption key !!<br>
          <br>
          <span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">It
            seems to me that it really is up to the SED’s PBA as to
            the source of the key.  See, once the PBA is running, it has
            the power to query any system resource (including the
            operator via console) for the password/key.  This is
            actually rather clever, as it allows the PBA (an integral
            part of the SED system) to have autonomous control of the
            process, rather than expecting the system firmware (which
            may have to support several SED implementations – each with
            different mechanisms) to provide the interface specifics.
              Though the SED may have system requirements that have to
            be met (i.e. if the PBA is going to use a biometric device
            for key/hash entry, then the system will have to have that
            device).  <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
      </div>
    </blockquote>
    This sounds great.<br>
    <br>
    Well, I got confused about the UEFI runtime services, I thought that
    PBA is calling them to communicate with TPM.<br>
    <br>
    So what does Opal feature do in UDKII implementation ?<br>
    <br>
    Regards<br>
    Ghani<br>
    <br>
    <blockquote
cite="mid:9F85465CC6A8EE4EAEEF3823366D234BA3B3BEDB@ORSMSX109.amr.corp.intel.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Sincerely,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <p class="MsoNormal"><span
              style="font-size:18.0pt;font-family:"French Script
              MT";color:#1F497D">Michael Krau</span><span
              style="color:#1F497D"><o:p></o:p></span></p>
        </div>
        <p class="MsoNormal"><span style="color:#1F497D"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><a moz-do-not-send="true"
                name="_____replyseparator"></a><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
                Abdelghani Ouchabane [<a class="moz-txt-link-freetext" href="mailto:abdelghani@ezono.com">mailto:abdelghani@ezono.com</a>] <br>
                <b>Sent:</b> Friday, April 08, 2016 1:45 AM<br>
                <b>To:</b> Krau, Michael P
                <a class="moz-txt-link-rfc2396E" href="mailto:michael.p.krau@intel.com"><michael.p.krau@intel.com></a>; MinnowBoard
                Development and Community Discussion
                <a class="moz-txt-link-rfc2396E" href="mailto:elinux-minnowboard@lists.elinux.org"><elinux-minnowboard@lists.elinux.org></a><br>
                <b>Subject:</b> Re: [MinnowBoard] MinnowBoard Turbot
                & mSATA self encrypted SSD & UEFI<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div>
          <p class="MsoNormal">On 06/04/16 20:21, Krau, Michael P wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Condensing
              the discussion to the now open elements:</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal">Is it TPM 1.2 or 2.0? Does it have a
            persistent memory?<br>
            <span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I
              believe the fTPM is 2.0 standard (but have not found
              confirmation).  The fTPM does have its own persistent
              memory, though I do not have specifics on how much and
              where.
            </span><o:p></o:p></p>
        </blockquote>
        <p class="MsoNormal">It is 2.0<br>
          <br>
          <a moz-do-not-send="true"
href="http://prosauce.org/blog/2016/1/11/minnowboard-max-enable-and-test-the-firmware-txe-tpm-20">http://prosauce.org/blog/2016/1/11/minnowboard-max-enable-and-test-the-firmware-txe-tpm-20</a><br>
          <br>
          <a moz-do-not-send="true"
href="https://github.com/tianocore/edk2/blob/master/SecurityPkg/SecurityPkg.dec">https://github.com/tianocore/edk2/blob/master/SecurityPkg/SecurityPkg.dec</a><br>
          <br>
          <br>
          <o:p></o:p></p>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal">Storing the password in TPM's secure
            storage area will be the right option, but as you said, with
            fTPM it is not possible, so maybe an external TPM can do that.<o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I
              believe there is some TPM support in the UEFI Open
              Sources, but not currently pulled into the MinnowBoard MAX
              Build.  We do not pull code support into firmware images
              unless there is a requirement to do so.  In the case of
              the MAX/Turbot, the general product does not require TPM
              support, so the sources are not included in the build.  
              (they can be added).
            </span><o:p></o:p></p>
        </blockquote>
        <p class="MsoNormal">Yes, it is in:<br>
          <br>
          <a moz-do-not-send="true"
href="https://github.com/tianocore/edk2/tree/master/MdePkg/Include/IndustryStandard/Tpm12.h">https://github.com/tianocore/edk2/tree/master/MdePkg/Include/IndustryStandard/Tpm12.h</a><br>
          <a moz-do-not-send="true"
href="https://github.com/tianocore/edk2/tree/master/MdePkg/Include/IndustryStandard/Tpm20.h">https://github.com/tianocore/edk2/tree/master/MdePkg/Include/IndustryStandard/Tpm20.h</a><br>
          <br>
          <br>
          <o:p></o:p></p>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal">Do you know of any discrete TPM supported by
            UEFI on MinnowBoard MAX?<o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Work
              was done on the MAX/Turbot to support the I2S Bus for the
              purpose of supporting peripherals like TPM.  So there is
              some support, but it was provided as expansion capability
              (good question for the Tianocore.org mailing lists).</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal">Does UEFI (Release 0.80) support pre-boot
            authentication (<span class="st">PBA)</span> communication?<br>
            <span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Not
              as such.  This was not a requirement of code base, and I
              am not sure if there are any examples in the current Open
              Source repositories.   However see my notes below
              regarding PBA and how it probably works with firmware.  </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">A
              Note on terminology:  The firmware for the MinnowBoard
              MAX/Turbot (as shipped on the product and provided at
              Firmware.intel.com) does conform to the UEFI Specification
              (as opposed to coreboot or Uboot, or legacy BIOS). 
              However, to use the term “UEFI” to represent any specific
              firmware implementation (for any specific product) is a
              misuse of the term UEFI.  UEFI is a standards forum of
              over 250 members within the industry.  The UEFI forum is
              responsible for several specifications, including the UEFI
              specification, PI specification, UEFI Shell Specification,
              and ACPI Specification.   The UEFI specification supports
              many technologies and capabilities, some of which are
              mutually exclusive.   There are hundreds (if not
              thousands) of products using UEFI specification compliant
              code to boot, across different architectures and classes
              of devices. 
            </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">So
              it is highly possible that there are in existence,
              somewhere, UEFI based firmware solutions that support
              unique and special technologies.  However, those firmware
              solutions may be proprietarily owned, closed sourced,
              specific to a specialized product, and basically not
              appropriate to the discussion of the MinnowBoard
              platform.   The real question is what is currently
              available for MinnowBoard MAX/Turbot and/or what can be
              found in the Open Source code base that can be included
              (if it is not a part of the current product).   Otherwise
              it would still  be possible to support new and unique
              technology in the MinnowBoard MAX/Turbot firmware, but it
              will be a development process to create the appropriate
              drivers and applications and integrate them in the
              firmware image.</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
        </blockquote>
        <p class="MsoNormal">To add:<br>
          <br>
          Self Encrypted Hard Drive ( SED ) needs:<br>
          <br>
          Storage Security Command Protocol for encrypted HDD
          (EFI_STORAGE_SECURITY_COMMAND_PROTOCOL), which was added in
          UEFI 2.3.1a; this enables security protocol commands to be
          sent to and from the SED (it is used to allow programs running
          in the EFI boot services environment to send security protocol
          commands to the drive).<br>
          <br>
          The master supports the Opal 2.0/1.0 standard.<br>
          <br>
          For the password support it is in: <a moz-do-not-send="true"
href="https://github.com/tianocore/edk2/tree/master/SecurityPkg/Tcg/Opal">
https://github.com/tianocore/edk2/tree/master/SecurityPkg/Tcg/Opal</a><br>
          <br>
          But it is not in UDK2015.<br>
          <br>
          <br>
          <o:p></o:p></p>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal">As I understood SED drives come with the
            pre-boot authentication (<span class="st">PBA) installed, so
              does
            </span>UEFI have to receive the request to send the
            encryption key to the SED drive
            <b>OR</b> the communication is only done between the
            pre-boot and the user, TPM ..etc ? So it is up to the SED on
            how to get the encryption key !!<br>
            <br>
            Most Full Disk Encryption products allow administrators to
            enable users to provide the encryption key for a system at
            the pre-boot stage in several ways:
            <o:p></o:p></p>
          <ul>
            <li>in the form of a password or passphrase;</li>
            <li>by inserting a USB drive containing the key;</li>
            <li>using a one-time password generating device such as an RSA token;</li>
            <li>using some biometric device such as a fingerprint reader (usually connected to a
              <a moz-do-not-send="true"
                href="http://en.wikipedia.org/wiki/Trusted_Platform_Module">Trusted
                Platform Module</a> which holds the actual encryption key).</li>
          </ul>
          <p>When the <b>BIOS</b> requests the <b>Master Boot Record</b>
            from the drive, the
            <b>drive</b> instead returns the <b>pre-boot record</b> to
            the user. This <b>pre-boot</b> record is a complete,
            <b>though quite restricted OS, usually something simple like
              MS-DOS or LINUX.</b> The
            <b>pre-boot</b> image requests the Authentication
            Credentials from the user, which are passed to and checked
            directly by the drive logic. If accepted, then the drive
            returns the MBR and the OS is loaded. Important point: This
            pre-boot authentication is the FIRST thing that happens and
            is controlled by the drive directly. This has the added
            advantages of not modifying the MBR, which many software
            encryption products do, and allowing the MBR to be encrypted
            like all other user accessible data.<o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">From
              your description, the PBA basically adds another stage in
              the bootstrap process.   Normally: Firmware → OS loader →
              OS execution.  With PBA: Firmware → PBA → OS Loader →
              OS execution.  
            </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">So
              it sounds like the PBA takes care of itself. 
            </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Basically
              since the pre-boot record is an OS, the firmware will boot
              to the pre-boot record, and the pre-boot record then goes
              about getting the authentication from the system.  Using
              standard channels.  It sounds to me like you wish to
              expand the pre-boot record to access another device (i.e.
              TPM) and retrieve the password from it.  The firmware
              might provide some Basic I/O primitives to make the OS’s
              job of device access easier, but that would be an
              implementation aspect of the PBA.   I would also imagine
              that the PBA does not call ExitBootServices (which
              terminates the boot time services of UEFI compliant
              firmware) but would rather leave the UEFI boot services
              running so the final (decrypted) OS image can utilize the
              UEFI boot services as a part of its boot process (and then
              call ExitBootServices when it is ready to terminate UEFI
              boot support).
            </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
        </blockquote>
        <p class="MsoNormal"><br>
          TPM is not required in order to run hardware encryption.
          However, a TPM can provide additional data security functions,
          such as mating the SED to the host system so it cannot be
          operated in any other host computer.<br>
          <br>
          I checked Intel® Firmware Engine 2.0 : <a
            moz-do-not-send="true"
href="https://firmware.intel.com/learn/intel-firmware-engine/intel-firmware-engine">https://firmware.intel.com/learn/intel-firmware-engine/intel-firmware-engine</a><br>
          <br>
          It is a great tool to build platform firmware images, it
          supports MinnowBoard MAX & MinnowBoard Turbot, and it looks
          like it is based on
          <b>UDK2015</b>, <b>is it right?</b><br>
          <br>
          But it does not support Self Encrypted Hard Drive (SED) yet.<br>
          <br>
          Thanks a lot.<br>
          Ghani<br>
          <br>
          This email has been scanned by Barracuda Networks.<o:p></o:p></p>
      </div>
    </blockquote>
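    <p>As an added illustration that is not part of this thread or of EDK2: a small C decoder for the TCG Opal Level 0 Discovery response that a pre-boot tool reads from an SED through EFI_STORAGE_SECURITY_COMMAND_PROTOCOL.ReceiveData() (security protocol 0x01, ComID 0x0001). It reports whether the drive is Opal 2.0, whether locking is enabled, and whether the shadow MBR that carries the PBA (the "pre-boot record" discussed above) is enabled and not yet marked done, which is the state in which the firmware ends up booting the PBA rather than the real OS loader. The sample response bytes are constructed, and the struct and function names are the example's own.</p>

```c
/* Added example (not from the thread or from EDK2): decode a TCG Opal Level 0
 * Discovery response.  In firmware the bytes come from EFI_STORAGE_SECURITY_COMMAND_PROTOCOL
 * .ReceiveData() with security protocol 0x01, ComID 0x0001; here a constructed one is embedded. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TCG_FEATURE_TPER     0x0001   /* feature codes from the TCG Core / Opal SSC specs */
#define TCG_FEATURE_LOCKING  0x0002
#define TCG_FEATURE_OPAL_V1  0x0200
#define TCG_FEATURE_OPAL_V2  0x0203
#define LEVEL0_HEADER_LEN    48       /* length(4) + revision(4) + reserved(8) + vendor(32) */

typedef struct {
    int tper_present, locking_present, opal_v1, opal_v2;
    int locking_supported, locking_enabled, locked, media_encryption; /* Locking byte 0, bits 0-3 */
    int mbr_enabled, mbr_done;  /* bits 4-5: shadow MBR (the PBA image) active / already handed off */
} opal_status_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the buffer is truncated or self-inconsistent. */
int parse_level0_discovery(const uint8_t *buf, size_t len, opal_status_t *out)
{
    memset(out, 0, sizeof(*out));
    if (len < LEVEL0_HEADER_LEN) return -1;
    size_t end = (size_t)be32(buf) + 4;      /* length field counts the bytes after itself */
    if (end > len) return -1;                /* drive claims more than we received */

    size_t off = LEVEL0_HEADER_LEN;
    while (off + 4 <= end) {                 /* descriptor header: code(2) version(1) length(1) */
        uint16_t code = be16(buf + off);
        uint8_t  flen = buf[off + 3];
        const uint8_t *data = buf + off + 4;
        if (off + 4 + flen > end) return -1; /* descriptor runs past the declared end */
        switch (code) {
        case TCG_FEATURE_TPER:    out->tper_present = 1; break;
        case TCG_FEATURE_OPAL_V1: out->opal_v1 = 1; break;
        case TCG_FEATURE_OPAL_V2: out->opal_v2 = 1; break;
        case TCG_FEATURE_LOCKING:
            if (flen < 1) return -1;
            out->locking_present   = 1;
            out->locking_supported = data[0] & 1;        out->locking_enabled  = (data[0] >> 1) & 1;
            out->locked            = (data[0] >> 2) & 1; out->media_encryption = (data[0] >> 3) & 1;
            out->mbr_enabled       = (data[0] >> 4) & 1; out->mbr_done         = (data[0] >> 5) & 1;
            break;
        default: break;                      /* vendor-specific or unknown feature: skip it */
        }
        off += 4 + flen;
    }
    return 0;
}

/* Constructed sample: Opal 2.0 drive, locking enabled and locked, media encryption on,
 * shadow MBR enabled but not yet done, i.e. the state in which firmware boots the PBA. */
static const uint8_t SAMPLE_DISCOVERY[] = {
    0x00,0x00,0x00,0x60,                  /* 96 bytes of parameter data follow */
    0x00,0x00,0x00,0x01,                  /* data structure revision */
    0,0,0,0,0,0,0,0,                      /* reserved */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,     /* vendor specific (32 bytes) */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x00,0x01,0x10,0x0C, 0x01,0,0,0, 0,0,0,0, 0,0,0,0,        /* TPer, v1, 12 data bytes */
    0x00,0x02,0x10,0x0C, 0x1F,0,0,0, 0,0,0,0, 0,0,0,0,        /* Locking, byte 0 = 0x1F */
    0x02,0x03,0x10,0x10, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,  /* Opal SSC v2, 16 data bytes */
};

/* 1 if the sample is an Opal 2 SED with locking enabled and the PBA still pending
 * (MBR enabled, not done); 0 otherwise; -1 if the response does not parse. */
int sample_pba_pending(void)
{
    opal_status_t s;
    if (parse_level0_discovery(SAMPLE_DISCOVERY, sizeof SAMPLE_DISCOVERY, &s) != 0) return -1;
    return s.opal_v2 && s.locking_enabled && s.mbr_enabled && !s.mbr_done;
}

/* A response cut short of what its own length field promises must be rejected. */
int truncated_sample_rejected(void)
{
    opal_status_t s;
    return parse_level0_discovery(SAMPLE_DISCOVERY, 60, &s) == -1;
}

int main(void)
{
    opal_status_t s;
    if (parse_level0_discovery(SAMPLE_DISCOVERY, sizeof SAMPLE_DISCOVERY, &s) != 0) return 1;
    printf("opal2=%d locking_enabled=%d locked=%d mbr_enabled=%d mbr_done=%d pba_pending=%d\n",
           s.opal_v2, s.locking_enabled, s.locked, s.mbr_enabled, s.mbr_done, sample_pba_pending());
    return 0;
}
```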
    <br>
  </body>
</html>