Technical Product Specification
Intel® Server Board S5520UR and S5520URT TPS Functional Architecture
Revision 1.9 Intel order number E44031-012
3.9 Trusted Platform Module (TPM) – Supported only on S5520URT
3.9.1 Overview
Trusted Platform Module (TPM) is a hardware-based security device that addresses the
growing concern about boot process integrity and offers better data protection. TPM protects the
system start-up process by ensuring it is tamper-free before releasing system control to the
operating system. A TPM device provides secure storage for data such as security keys
and passwords. In addition, a TPM device has encryption and hash functions. The Intel® Server
Board S5520URT implements TPM as per the TPM PC Client specifications, revision 1.2, by the
Trusted Computing Group (TCG).
A TPM device is affixed to the motherboard of the server and is secured from external software
attacks and physical theft. A pre-boot environment, such as the BIOS and operating system
loader, uses the TPM to collect and store unique measurements from multiple factors within the
boot process to create a system fingerprint. This unique fingerprint remains the same unless
the pre-boot environment is tampered with. Therefore, it can be compared with future
measurements to verify the integrity of the boot process.
After the BIOS completes the measurement of its boot process, it hands off control to the
operating system loader and in turn to the operating system. If the operating system is TPM-
enabled, it compares the BIOS TPM measurements to those of previous boots to make sure
the system was not tampered with before continuing the operating system boot process. Once
the operating system is in operation, it optionally uses the TPM to provide additional system and
data security (for example, Microsoft Vista* supports BitLocker drive encryption).
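The measurement chain described above can be reproduced in software. The following example (added here, not Intel's or the TCG's own code) replays a constructed boot-measurement log into TPM 1.2-style PCR values using the SHA-1 extend operation, then shows how a verifier comparing against a known-good baseline localises a tampered boot component. The PCR index assignments (0 for BIOS code, 4 for IPL code) follow the conventional-BIOS usage and are an assumption of this example.

```python
import hashlib

PCR_LEN = 20  # TPM 1.2 PCRs hold a SHA-1 digest (20 bytes) and start at all zeros

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 PCR extend: PCR_new = SHA1(PCR_old || SHA1(measurement))."""
    digest = hashlib.sha1(measurement).digest()
    return hashlib.sha1(pcr + digest).digest()

def replay_log(events):
    """Replay an ordered (pcr_index, data) log into PCR values from all-zero
    PCRs, which is how a verifier recomputes the expected fingerprint."""
    pcrs = {}
    for idx, data in events:
        pcrs[idx] = extend(pcrs.get(idx, bytes(PCR_LEN)), data)
    return pcrs

def compare(expected, observed):
    """Return the sorted PCR indexes whose value differs from the baseline."""
    indexes = set(expected) | set(observed)
    return sorted(i for i in indexes if expected.get(i) != observed.get(i))

# Constructed sample logs (assumption): PCR 0 = BIOS code, PCR 4 = IPL code.
GOOD_BOOT = [
    (0, b"BIOS core code v1.0"),
    (0, b"BIOS option ROM table"),
    (4, b"MBR boot code"),
    (4, b"OS loader stage 2"),
]
TAMPERED_BOOT = [
    (0, b"BIOS core code v1.0"),
    (0, b"BIOS option ROM table"),
    (4, b"MBR boot code (modified)"),  # the IPL code was altered
    (4, b"OS loader stage 2"),
]

def tampered_pcrs():
    """PCRs that no longer match the known-good baseline after tampering."""
    return compare(replay_log(GOOD_BOOT), replay_log(TAMPERED_BOOT))

if __name__ == "__main__":
    baseline = replay_log(GOOD_BOOT)
    for i in sorted(baseline):
        print(f"PCR[{i}] = {baseline[i].hex()}")
    print("PCRs that differ after tampering:", tampered_pcrs())
```

Because each extend chains on the previous PCR value, reordering or removing a measurement changes the final PCR just as modifying a component does, so a baseline comparison catches those cases too.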
3.9.2 TPM security BIOS
The BIOS TPM support conforms to the TPM PC Client Specific – Implementation Specification
for Conventional BIOS, version 1.2, and to the TPM Interface specification, version 1.2. The
BIOS adheres to the Microsoft Vista* BitLocker requirement. The role of the BIOS for TPM
security includes the following:
- Measures and stores the boot process in the TPM microcontroller to allow a TPM-enabled operating system to verify system boot integrity.
- Produces EFI and legacy interfaces to a TPM-enabled operating system for using the TPM.
- Produces an ACPI TPM device and methods to allow a TPM-enabled operating system to send TPM administrative command requests to the BIOS.
- Verifies operator physical presence. Confirms and executes operating system TPM administrative command requests.
- Provides BIOS Setup options to change TPM security states and to clear TPM ownership.
For additional details, refer to the TCG PC Client Specific Implementation Specification, the
TCG PC Client Specific Physical Presence Interface Specification, and the Microsoft BitLocker*
Requirement documents.
3.9.2.1 Physical Presence
Administrative operations to the TPM require TPM ownership or physical presence indication by
the operator to confirm the execution of administrative operations. The BIOS implements the