TPM User's Guide Revision 1.
The information in this user’s guide has been carefully reviewed and is believed to be accurate. The vendor assumes no responsibility for any inaccuracies that may be contained in this document, and makes no commitment to update or to keep current the information in this manual, or to notify any person or organization of the updates. Please Note: For the most up-to-date version of this manual, please see our web site at www.supermicro.com. Super Micro Computer, Inc.
Preface

About This User's Guide
This user's guide is written for system integrators, IT professionals, and knowledgeable end users who wish to add additional data security levels to their systems to protect highly sensitive applications. It provides detailed information on configuring, provisioning, and using the trusted platform module (TPM).

User's Guide Organization
Chapter 1 provides an overview of the trusted platform module (TPM), including its features and uses.
SMT IPMI User's Guide

Contacting Supermicro

Headquarters
Address: Super Micro Computer, Inc., 980 Rock Ave., San Jose, CA 95131 U.S.A.
Tel: +1 (408) 503-8000
Fax: +1 (408) 503-8008
Email: marketing@supermicro.com (General Information), support@supermicro.com (Technical Support)
Website: www.supermicro.com

Europe
Address: Super Micro Computer B.V., Het Sterrenbeeld 28, 5215 ML 's-Hertogenbosch, The Netherlands
Tel: +31 (0) 73-6400390
Fax: +31 (0) 73-6416525
Email: sales@supermicro.
Table of Contents
Preface ........ 3
About This User's Guide ........ 3
User's Guide Organization ........ 3
Conventions Used in This User's Guide ........
Chapter 1: Introduction

1.1 Overview of the Trusted Platform Module (TPM)
The Trusted Platform Module (TPM) is a special add-on module that may be installed onto most Supermicro X9, all Supermicro X10, and some Supermicro AMD motherboards. It holds computer-generated encryption keys used to bind and authenticate input and output data passing through a system.

A. Types of TPMs
Supermicro makes available two lines of TPMs, each of them divided into four distinct products.
2. Microcontroller in 0.22/0.09-µm CMOS technology
3. Compliant embedded software
4. EEPROM for TCG firmware enhancements and for user data and keys
5. Hardware accelerator for the SHA-1 and SHA-256 hash algorithms
6. True Random Number Generator (TRNG)
7. Tick counter with tamper detection
8. Protection against dictionary attacks
9. Infineon's TPM 1.2 is Common Criteria certified at Evaluation Assurance Level (EAL) 4 Moderate
10. General-purpose I/O
11.
A. How the TXT Works
Intel TXT, when enabled, follows a step-by-step process to ensure the integrity of pre-launch components:
1. Measures the hypervisor launch at system startup.
2. Checks the measurement for a match.
3. If matched: TXT signals "trusted," and the launch is allowed to proceed.
4. If mismatched: TXT signals "untrusted," and the launch is blocked.

1.4 Motherboards Supported
Please refer to the Supermicro website (http://www.supermicro.
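The measure-then-compare decision described under "How the TXT Works" above, shown as an added Python illustration that is not part of this guide and is not Intel's or Supermicro's code. It simulates a TPM-style register extend over SHA-256 (one of the two hash algorithms the module accelerates): each launch component is hashed, the hashes are folded in boot order into a single register value, and that value is compared with a known-good value recorded at provisioning time. The component names and contents are constructed placeholders; the real measurements are taken by the platform and recorded in the TPM, which this script never touches.

```python
"""Simulated measured launch: measure, extend, compare (added example, not from the guide)."""
import hashlib

PCR_SIZE = 32  # SHA-256 digest length; a fresh register starts as all zeros


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA-256(old_pcr || measurement).

    Extending is one-way and order-dependent, so the final value commits to
    every component and the order in which they were measured.
    """
    return hashlib.sha256(pcr + measurement).digest()


def measure_components(components):
    """Hash each (name, blob) pair in boot order and fold the hashes into one register.

    Returns the final register value and an event log of what was measured.
    """
    pcr = bytes(PCR_SIZE)
    log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def launch_decision(components, known_good_pcr):
    """Return ("trusted", pcr, log) when the measured value matches the
    provisioned known-good value, otherwise ("untrusted", pcr, log)."""
    pcr, log = measure_components(components)
    verdict = "trusted" if pcr == known_good_pcr else "untrusted"
    return verdict, pcr, log


# Constructed sample components standing in for the launch images (hypothetical names).
GOOD_LAUNCH = [
    ("sinit_acm", b"constructed ACM bytes v1"),
    ("mle_hypervisor", b"constructed hypervisor image v1"),
]
TAMPERED_LAUNCH = [
    ("sinit_acm", b"constructed ACM bytes v1"),
    ("mle_hypervisor", b"constructed hypervisor image v1 MODIFIED"),
]

# Provisioning step: record the golden value from a trusted build.
GOLDEN_PCR, _ = measure_components(GOOD_LAUNCH)

if __name__ == "__main__":
    for label, comps in (("good", GOOD_LAUNCH), ("tampered", TAMPERED_LAUNCH)):
        verdict, pcr, log = launch_decision(comps, GOLDEN_PCR)
        print(f"{label}: {verdict} register={pcr.hex()}")
        for name, digest in log:
            print(f"  {name}: {digest}")
```

Because the register value depends on the order of extends, swapping two components yields a different value even when every individual hash is unchanged; that is why a single known-good value is enough to detect both a modified component and a reordered launch sequence.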
Chapter 2: Deploying and Using the TPM
Follow the instructions below to begin using the TPM.

2.1 Installing the TPM Onto the Motherboard
To install the Trusted Platform Module onto your motherboard, follow the steps below.
1. Find the 20-pin male JTPM1 connector on the motherboard. If you need help locating this connector, consult your motherboard manual. If the board does not have this connector, it does not support the TPM.
2.
2.2 Enabling TPM in the BIOS
The steps below describe how to enable the TPM in the BIOS. This is necessary to activate TPM support in the system before you can start using the TPM.
1. Enter the BIOS setup screen. You may do this either from the IPMI remote console or directly at the server using KVM. Reboot the system, and press the key as the system boots until you reach the BIOS screen.
2. You will be presented with the BIOS Setup main screen.
7. You must save your changes and reset for the changes to take effect. Scroll to the Save & Exit tab and select "Save Changes and Reset." The TPM is now enabled.

2.3 Setting Up TXT Support
Before you begin using TXT, you must follow the steps below.
1. Insert the TPM onto the motherboard, then enable and provision it. See the previous sections of Chapter 2 for instructions on how to do this.
2. Restart the system and enter the BIOS setup screen.
3.
5. Select "Enabled," and press .
6. Save changes and reset to allow your changes to take effect. TXT is now enabled.
7. Use a third-party tool to test the hypervisor launch.

2.4 Intel Provision Utility
To lock the TPM, you must run the Intel Provision Utility.
1. Save a copy of the utility to a USB flash drive, and plug the drive into your system. To download the utility, contact Supermicro support.
2. Boot into the UEFI shell.
• Option 2: Reboot the system. As the system boots up, press the key. The following list will appear. Using your arrow keys, select "UEFI: Built-in EFI Shell." Press .
3. You are now in the EFI shell. If a line prompts you to press to skip startup.nsh, do so. Type map to find out the identifier of your USB drive.
4. Type fs0: to enter the flash drive directory (if map listed your USB drive under a different identifier, use that one instead).
5. Type cd serverTPMTool.
6. Type cd Executable.
7. Type DefaultTPMProvisionNPW-Locked.nsh.
8. You should see the screen shown below indicating that the TPM is now locked.
9. To check that the TPM has been successfully locked, type ServerTPMTool.efi.
10. From the menu that appears, press <1> ("Display TPM Status"), as shown above, and press .
11. From the TPM Status Menu that appears, press <3>, and press .
12. You should receive an output log. The "nvLocked" item, indicated by the arrow below, should be set to 1. This shows that the TPM has been successfully locked.
13.
(Disclaimer Continued) The products sold by Supermicro are not intended for and will not be used in life support systems, medical equipment, nuclear facilities or systems, aircraft, aircraft devices, aircraft/emergency communication devices or other critical systems whose failure to perform could be reasonably expected to result in significant injury or loss of life or catastrophic property damage.