Intel Server Board S2400BB

Intel® Server Board S2400BB TPS
Revision 2.0
4.2 Trusted Platform Module (TPM) Support
The Trusted Platform Module (TPM) option is a hardware-based security device that addresses the growing
concern about boot process integrity and offers better data protection. The TPM protects the system start-up
process by recording measurements of each stage, so that tampering can be detected before system control is
released to the operating system. A TPM device also provides shielded storage for data such as cryptographic
keys and passwords, and implements encryption (RSA) and hash (SHA-1) functions. The server board
implements TPM as per the TPM PC Client specifications revision 1.2 by the Trusted Computing Group (TCG).
A TPM device is optionally installed onto a high density 14-pin connector labeled “TPM” on the server board.
Keys held in the TPM are protected from external software attacks and, because they never leave the device
and are bound to that particular TPM, from physical theft of the storage media. A pre-boot environment, such as
the BIOS and operating system loader, uses the TPM to collect and store unique measurements (hashes) of the
components involved in the boot process; each measurement is extended into one of the TPM's Platform
Configuration Registers (PCRs), and the resulting PCR values form a system fingerprint. This fingerprint remains
the same unless the measured pre-boot environment changes, so it can be compared against future
measurements to verify the integrity of the boot process. Note that a legitimate change, such as a BIOS update
or a measured Setup change, alters the fingerprint just as tampering does; secrets sealed against it therefore
need a recovery path.
After the system BIOS completes the measurement of its boot process, it hands off control to the operating
system loader and in turn to the operating system. If the operating system is TPM-enabled, it compares the
BIOS TPM measurements to those of previous boots, or asks the TPM to release a key that was sealed against
the expected PCR values, to make sure the system was not tampered with before continuing the operating
system boot process. Once the operating system is in operation, it optionally uses the TPM to provide
additional system and data security.
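The measure-then-compare flow described above, as an added illustration that is not part of the Intel TPS or of any TCG reference implementation: a small Python model of a TPM 1.2-style PCR bank (20-byte SHA-1 registers, extend as SHA1(old || SHA1(component))) with a simplified PCR-bound seal/unseal. The PCR assignment (PCR0 firmware code, PCR1 firmware configuration, PCR4 boot loader, PCR5 partition table), the component strings and the "volume master key" are constructed for the example, and the composite digest is a stand-in for TPM_PCR_COMPOSITE rather than its exact encoding. It also shows the caveat from the previous paragraph: a legitimate BIOS update breaks the seal exactly as a modified boot loader does.

```python
"""Model of TPM 1.2-style measured boot: PCR extend and PCR-bound unseal.

Added example, not Intel firmware or TCG reference code.  The TPM is a
plain Python object; PCR width, the extend rule and the "wrong PCR value"
refusal follow TPM 1.2, while the composite digest is a simplification.
"""
import hashlib

SHA1_LEN = 20
NUM_PCRS = 24          # PC Client TPM 1.2 platforms expose 24 PCRs


class SimTpm:
    def __init__(self):
        # Every PCR is reset to all-zero bytes at power-on.
        self.pcrs = [bytes(SHA1_LEN) for _ in range(NUM_PCRS)]

    def extend(self, index, component):
        """TPM_Extend: PCR[i] = SHA1(PCR[i] || SHA1(component)).
        The BIOS hashes the component and passes the 20-byte digest."""
        digest = hashlib.sha1(component).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def composite(self, selection):
        """Digest over the selected PCRs, in index order (stand-in for
        the TPM_PCR_COMPOSITE structure used by TPM_Seal)."""
        h = hashlib.sha1()
        for i in sorted(selection):
            h.update(bytes([i]) + self.pcrs[i])
        return h.digest()

    def seal(self, secret, selection):
        """Bind a secret to the current values of the selected PCRs."""
        return {"pcrs": tuple(sorted(selection)),
                "composite": self.composite(selection),
                "secret": bytes(secret)}

    def unseal(self, blob):
        """Release the secret only if the selected PCRs match the sealed
        composite; a real TPM returns TPM_WRONGPCRVAL instead of None."""
        if self.composite(blob["pcrs"]) != blob["composite"]:
            return None
        return blob["secret"]


# Constructed boot components: which PCR each stage is measured into and
# what the "known good" content is.  Strings stand in for the real images.
KNOWN_GOOD = {
    0: [b"BIOS core image v1.00"],                 # firmware code
    1: [b"Setup: boot order=HDD, TPM=enabled"],   # firmware configuration
    4: [b"MBR boot code"],                        # boot loader
    5: [b"GPT partition table"],                  # partition layout
}


def measured_boot(components):
    """Simulate one boot: extend every component into its PCR, in order."""
    tpm = SimTpm()
    for pcr, items in sorted(components.items()):
        for item in items:
            tpm.extend(pcr, item)
    return tpm


def with_change(pcr, new_items):
    """Copy of KNOWN_GOOD with one stage replaced (tampering or an update)."""
    changed = {k: list(v) for k, v in KNOWN_GOOD.items()}
    changed[pcr] = list(new_items)
    return changed


def seal_at_provisioning(secret, selection=(0, 4)):
    """Seal a secret (e.g. a disk-encryption key) on a trusted first boot,
    binding it to firmware code and boot loader but not to Setup config."""
    return measured_boot(KNOWN_GOOD).seal(secret, selection)


def try_unseal(blob, components):
    """Boot with the given components and ask the TPM for the secret."""
    return measured_boot(components).unseal(blob)


def demo():
    """Outcomes a practitioner should expect from the four boot scenarios."""
    blob = seal_at_provisioning(b"volume-master-key")
    return {
        "same boot": try_unseal(blob, KNOWN_GOOD),
        "bootkit in MBR": try_unseal(blob, with_change(4, [b"MBR boot code (patched)"])),
        "BIOS update": try_unseal(blob, with_change(0, [b"BIOS core image v1.01"])),
        "Setup change only": try_unseal(blob, with_change(1, [b"Setup: boot order=PXE"])),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {'unsealed' if result else 'refused (recovery key needed)'}")
```

Two points the model makes visible: extend is order-sensitive, so the same components measured in a different order give a different PCR, and the choice of which PCRs to seal against decides which changes lock the secret (here a Setup change does not, a firmware update does).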
4.2.1 TPM security BIOS
The BIOS TPM support conforms to the TPM PC Client Implementation Specification for Conventional BIOS,
to the TPM Interface Specification (TIS), and to the Microsoft Windows BitLocker* requirements. The role of the
BIOS for TPM security includes the following:
• Measures the boot process and stores the measurements in the TPM's PCRs to allow a TPM-enabled
operating system to verify system boot integrity.
• Produces EFI and legacy (INT 1Ah) interfaces to a TPM-enabled operating system for using the TPM.
• Produces the ACPI TPM device and methods to allow a TPM-enabled operating system to send TPM
administrative command requests to the BIOS.
• Verifies operator physical presence, then confirms and executes operating system TPM administrative
command requests.
• Provides BIOS Setup options to change TPM security states and to clear TPM ownership.
For additional details, refer to the TCG PC Client Specific Implementation Specification, the TCG PC Client
Specific Physical Presence Interface Specification, and the Microsoft BitLocker* Requirement documents.
4.2.2 Physical Presence
Administrative operations on the TPM require either TPM ownership (authorization with the owner secret) or a
physical presence indication by the operator to confirm their execution. The BIOS implements the operator
presence indication by verifying the BIOS Setup Administrator password, so the strength of this check depends
on that password being set and kept confidential: anyone who can supply it at the console can approve TPM
administrative operations, including clearing ownership.
A TPM administrative sequence invoked from the operating system proceeds as follows:
1. The user makes a TPM administrative request through the operating system's security software.
2. The operating system requests the BIOS to execute the TPM administrative command through the TPM ACPI
methods and then resets the system.
3. The BIOS verifies physical presence and confirms the command with the operator.
4. The BIOS executes the TPM administrative command(s), inhibits BIOS Setup entry, and boots directly to the
operating system which requested the TPM command(s).