Intel BpmGen2 User guide

Intel® Security Technologies
BpmGen2 User Guide
Revision 0.9 Last updated September 21, 2020
Note: BpmGen2 is significantly different from and not backward compatible with the original BpmGen tool.
This toolkit is provided “as is” with no express or implied warranty and thus it is the user’s
responsibility to verify proper functionality.
1 Introduction
1.1 Scope
The purpose of this document is twofold:
Describe how to use the BpmGen2 tool
Provide the OEM (Platform Architect and BIOS Developer) with information on how to best configure the BPM and explain the impact of those settings on Intel® Boot Guard and Intel® Trusted Execution Technology.
The first time you read this document you should read (at least browse through) the entire document.
Chapter 1 “Introduction” is a short introduction to the tool’s capability.
Intel® TXT/BTG – BpmGen2 Tool User Guide
Technology Solutions Enabling Intel® TXT/BtG Tools
Page 2
Chapter 2 “BpmGen2 Tool Fundamentals” explains how to use the tool.
Chapter 3 “BPM PARAMS File” explains how to edit the BPM Parameter file and provides guidance on various settings. However, some topics require more detailed discussion, thus the following chapters and Annexes.
Chapter 4 “Understanding Your Role and Responsibilities” provides a more detailed guide for setting required components.
Chapter 5 “Power Down Memory Depletion” provides a guide to using a new Intel TXT capability: the Power Down Memory Depletion backup method for scrubbing memory.
Chapter 6 “Boot from Block” explains how to produce a BPM for booting from a block media device.
Chapter 7 “OBB Hash” explains how the BpmGen2 tool can calculate OBB Hash measurements.
Appendix A “BpmGen2GUI Tool” provides an introduction to the BpmGen2GUI tool.
Appendix B “Recommendations” provides recommendations and tutorials on using the tools.
1.2 Overview
Intel® has converged Intel Trusted Execution Technology (Intel® TXT) with Intel® Boot Guard Technology (Intel® BtG) merging redundant structures into the Boot Policy Manifest (BPM). Specifically, some of the information that the OEM previously provided in the Firmware Information Table (FIT), in the TPM PS Index, and PS Policy the OEM now provides in the Boot Policy Manifest (BPM). In addition, new features have been added and the OEM establishes policies for these features via the BPM. This integration is referred to herein as Converged Intel BTG/TXT (CBnT).
To support either Intel TXT or Intel BtG, the OEM is responsible for producing a Key Manifest (KM) and Boot Policy Manifest (BPM) and including them in the BIOS image. These manifests are locatable via FIT type 0x0b and 0x0c records. The BPM must be regenerated for each BIOS update.
The BPMGen2 Toolkit consists of several tools:
The BPMGen2 tool is a Windows DOS based application designed to generate the Boot Policy Manifest (BPM) and can be used in a batch file to automatically update the BIOS image with the new BPM. It can also generate a Key Manifest.
The BpmGen2GUI is a Windows GUI based tool that will generate the BPM Parameters file needed for the BpmGen2 tool and can also generate a Key Manifest (KM).
For Converged Intel BTG/TXT the BPM was enhanced to include new structures and the KM was modified to support KM public Key Hash algorithm agility and add the ability to authenticate multiple keys. The BPM and KM can support RSA and SM2 signing (in preparation for ACMs that support SM2).
When using the BpmGen2 tool to build a new BPM, instead of having a long complicated command line required for the old BpmGen tool, you now provide a BPM parameters file (aka: Bpm Params). The Bpm Params file contains parameters that typically don’t change from build to build. The Bpm Params file is a text file of particular format. You can use the BPMGen2GUI tool to build the Bpm Params file or you can simply edit an existing Bpm Params file.
Chapter 2 explains how to use the BpmGen2 tool.
Chapter 3 provides specifics on editing the Bpm Params file.
The remaining chapters and appendixes provide details on specific features.
1.3 Tool Capabilities
The BpmGen2 tool is capable of:
Generating a new v2.1 BPM
Generating a new v2.1 KM
Generating a legacy 1.0 BPM
Generating a legacy 1.0 KM
Updating the Firmware file with the new BPM and KM
Displaying a BPM or KM
Displaying the BtG components of a Firmware file (FIT, BPM, KM), and the key hashes
Internal or external BPM/KM manifest signing
o RSASSA PKCS v1.5 and RSASSA-PSS
o ECC-P256 and ECC-P384
o SM2
Supporting the following Hash algorithms:
o SHA256
o SHA384
o SHA512
o SM3
o SHA1
Prepending Boot Partition Descriptor Tables to the Firmware file (for BFX)
New operations added to support other manifests:
o Hashing a file (or a portion of a file)
o Signing a file
o Extracting the public key from a PEM file
The BpmGen2GUI tool is capable of:
Generating the BPM Parameter file (*.bpDef) used by the BpmGen2 tool
Generating a new v2.1 KM
Generating a legacy 1.0 KM
Internal or external KM manifest signing
o RSASSA PKCS v1.5 and RSASSA-PSS using SHA256, SHA384, SHA512
o SM2 using SM3
1.4 References
Table 1 Reference Documents
Document/Toolkit                                      Document No. / Location
[1] “Intel® BTG/TXT Server BIOS Specification”        IBL/CDI Doc# xxxxxx
[2] “Intel® BTG/TXT Server Design Guide”              IBL/CDI Doc# xxxxxx
[3]
[4]
1.5 Terminology
Term – Description
ACM – Authenticated Code Module: platform-specific code created and signed by Intel. An ACM is authenticated by hardware and executed in an isolated environment within the processor.
Authentication – A cryptographic method of verifying both integrity and ownership of a binary module. A module signed with a private/public key pair can be cryptographically authenticated. Also, matching a cryptographic hash measurement of a module to a known good measurement.
BIOS ACM / BtG ACM / Startup ACM – An Intel-provided ACM the OEM includes in the BIOS image. A portion of the ACM (referred to as Startup ACM or BtG ACM) executes before BIOS, contains the BtG policy engine, and verifies BIOS code. For Intel TXT, the BIOS ACM is also invoked later by BIOS to perform certain security checks and functions. The terms Startup ACM, BIOS ACM, and BtG ACM refer to the same module.
BPM – Boot Policy Manifest: a structure signed by the OEM that establishes policies for Intel BtG and Intel TXT.
BPM Administrator – A person (or persons) that has the authority to sign a BPM using a particular signing key. There can be different BPM administrators for different projects, and the Key Manifest for a particular project specifies which key, and therefore which BPM administrator, is valid for that project.
Converged BtG/TXT (CBnT) – Intel BtG converged with Intel TXT. These two technologies now share common structures.
DPR – DMA Protected Range: a region of system memory that is blocked to I/O devices’ memory accesses, to prevent I/O devices from gaining access to Intel TXT restricted memory.
FIT – Firmware Interface Table: a data structure embedded in BIOS so that Intel microcode and ACMs can locate BIOS components.
KM – Key Manifest: a structure signed by the OEM that establishes the validity of the key used to sign the BPM. Each platform is permanently configured with a KM_ID plus the hash of the KM public signing key, such that only a KM with the same KM_ID and signed with the matching private key will be considered valid.
KMID – Key Manifest Identifier: KMID values are arbitrarily assigned by the OEM and typically used as a project ID to control which BPM administrator is allowed to sign the BPM for that project.
KM Administrator – A person (or persons) that has the authority to sign a KM. The role of the KM administrator is to manage which BPM signing key, and therefore which BPM administrator, is authorized for a particular project.
Measurement – A cryptographic fingerprint of a binary module. Also called hash or digest. Hashing a binary module using a hash algorithm like SHA256 produces a unique hash digest value (the module’s measurement). It is not possible to derive the original binary from the hash bytes.
ME/SPS – Management Engine/Server Platform Services: Intel® Server Platform Services (Intel® SPS) firmware running in the Intel® Management Engine (Intel® ME) microcontroller present in the chipset to perform security and other system functions.
NEM – Non-Eviction Mode.
PCR – Platform Credential Registers: dedicated registers in the TPM (sometimes referred to as Platform Configuration Registers).
PS Index – Obsolete “platform supplier” TPM NV Index where the platform vendor set TXT policies. Now vendor TXT policies are specified in the BPM.
Startup ACM – See BtG ACM.
TCB – Trusted Computing Base: includes all the elements capable of modifying/protecting the platform’s configuration.
TPM – Trusted Platform Module: a hardware device defined by the TCG that provides a set of security features used by Intel TXT and Intel BtG.
Intel TXT – Intel Trusted Execution Technology.
VT-d – Virtualization Technology for Directed I/O: hardware support component of Intel® Virtualization Technology for managing DMA and interrupts generated by I/O devices.
2 BpmGen2 Tool Fundamentals
The BpmGen2 tool’s primary purpose is to take your initial BIOS file (after it has been updated with a Firmware Interface Table (FIT)), create a Boot Policy Manifest (BPM) signed by you, insert that BPM into the BIOS image, and save the updated BIOS image to a file that can be used to create a SPI Flash device or a file that can be used to create a Boot Partition file (for platforms booting from a block media device).
[Figure 1 Tool Chain: Compiler (BIOS files, Data, Drivers) -> Initial BIOS File -> FitGen Tool -> Fixed-up BIOS File -> BpmGen2 Tool (scope of this document) -> Signed BIOS for Flash or Signed BIOS for Block -> MEU & FIT Tool -> Flash Image (booting from SPI Flash) or Boot Partition File (booting from Block Device)]
Figure 1 Tool Chain
2.1 Getting Started
The BpmGen2 tool has many options. This section provides an overview on using the most common features. See Appendix B “Recommendations” for some advanced topics and hints on how to better use the tool.
This tool (BpmGen2) generates the Version 2 BPM (for platforms that support converged BtG/TXT). Older platforms require a Version 1 BPM. The BpmGen2 tool is also capable of generating a v1 BPM, which is a subset of Version 2.
The BPM must be updated for each BIOS release. The BpmGen2 tool is designed to do that as part of a batch file that you run to build the BIOS (i.e., build BIOS image, generate the FIT, then use this tool to update BPM).
You must reserve space for the BPM in your BIOS image (via FIT Type 0xC record) that is at least as large as your actual BPM. There are a number of factors which affect BPM size (see Table 2 Typical Manifest Sizes). FYI: An example BPM signed with a 3072-bit RSA key using SHA384 can be 1341 bytes plus the size of any Platform Manufacture’s data that you wish to add.
The tool can automatically replace the dummy BPM in that reserved space with your actual BPM.
There is a companion tool (BpmGen2GUI) that builds a parameter file used by this tool, or you can manually edit one of the sample parameter files (*.bpDef). Typically, the parameter file does not change from build to build. However, you might want to use a different parameter file during debug than for the final production-worthy BIOS.
The BpmGen2 tool is also capable of replacing the KM. Typically, the KM does not change from build to build, so you may want to just embed the actual KM in the original BIOS image. You can use either this tool or the BpmGen2GUI tool to produce your KM.
Both the KM and BPM must be signed. The tools can generate the signature or you can use an external signing service. The key used to sign the KM is considered a master key, because the KM authorizes the key that signs the BPM as well as keys for other manifests. See Annex B.2 “Master and Subordinate Keys” for more information.
The manufacturing process must program the hash of the KM public signing key into the chipset’s Field Programmable Fuses (FPFs). The BpmGen2 tool can calculate/display the KM public signing key hash value.
Using a different key for signing the BPM (than for signing the KM) allows you to authorize different BIOS authorities. That is, each BIOS developer/provider can have their own key, which a KM administrator is able to revoke if needed.
Typically you will need to:
1. Use either the BpmGen2 tool or the BpmGen2GUI tool to build one or more Key Manifests
2. Use the BpmGen2GUI to create/edit your BPM Parameters file
3. Use the BpmGen2 tool to create the BPM and update your BIOS image
2.2 Capabilities
The BPMGen2 tool can:
Generate a KM based on command line arguments and save it to a file.
Generate a BPM based on the specified BIOS image and your BPM Parameter file:
o save the BIOS image updated with the new BPM (and optionally a specified KM)
o save the new BPM to a file to be manually imported into the BIOS
Display the FIT/BPM/KM information for a specified BIOS image.
Display a BPM or KM given a BPM or KM file.
And in support for generating other manifests, the tool can:
Generate the hash digest of a file (or portion of the file)
Generate a signature of a file (or portion of the file)
Extract the binary public key from a PEM file
A BPM must be signed and the tools support both internal and external signing.
Note: Supported algorithms and key sizes vary by platform. Please check platform requirements.
The tool supports the following hashing algorithms:
SHA256
SHA384
SHA512
SM3
The tool supports the following signing algorithms:
RSASSA-PKCS v1.5 signatures with 2048 and 3072 bit keys
RSASSA-PSS signatures with 2048 and 3072 bit keys
ECDSA signatures with:
o NIST P-256 curve (256-bit key) w/ SHA256, SHA384, and SHA512
o NIST P-384 curve (384-bit key) w/ SHA384 and SHA512
o Chinese SM2 curve (256-bit key) w/ SM3
Note: The set of allowed signature schemes is platform specific. Currently, RSASSA-PKCS v1.5 is supported on all platforms, but check your platform requirements.
2.3 BIOS Requirements
The BIOS image must include a Firmware Interface Table (FIT). FIT Pointer must be at 0xFFFFFFFC (0x40 below Top of Low Memory). FIT must include a Type 0x0b (KM) record and a Type 0x0c (BPM) record. Size indicated in those records must be large enough to fit the new manifests.
2.4 Manifest Sizes
The size of the BPM and KM will vary with the selected hash algorithms, signing key type, and key size. The size of the BPM also has a number of variable sized elements:
IBB Element contains a variable number of segments (12 bytes per segment), 8 segments max
TXT Element (optional) – in the future the TXT Element might include a variable number of segments
Platform Config Data Element (optional) specifies the Power Down Request location
Platform Manufacture’s Element (optional) arbitrary size
The following table provides you with some insight into the size that you need to reserve for the manifests.
Table 2 Typical Manifest Sizes
Manifest               Hash Alg   Signing Key Type/Size   Typical Manifest Size
KM w/1 Key             SHA384     RSA 3072                869 (0x365) bytes
KM w/1 Key             SHA256     RSA 2048                597 (0x255) bytes
KM w/1 Key             SM3        SM2 (256)               213 (0x0D5) bytes
BPM w/8 IBB segments   SHA384     RSA 3072                1341 (0x53D) bytes
BPM w/8 IBB segments   SHA256     RSA 2048                1053 (0x41D) bytes
BPM w/8 IBB segments   SM3        SM2 (256)               669 (0x29D) bytes
BPM sizing includes typical TXT Element, max PCD Element, and no PM Element. In the future, the size of elements could increase and there could be additional elements.
A rule of thumb is to allocate at least 0x400 bytes for the KM and 0x600 bytes for the BPM.
2.5 Using the Tool
2.5.1 Required Files
To use the tool, the following files from the toolkit need to be in your working directory:
BpmGen2.exe (the tool)
The following DLL files from the toolkit:
o ippccp8-9.0.dll
o ippcore-9.0.dll
o ippcp-9.0.dll
o ippcpp8-9.0.dll
BIOS file to analyze (update)
BPM Parameter file
Public signing key (a PEM, DER, or binary file); the private key file can be used
Private signing key (if using the tool to sign the BPM)
Batch file for signing (if externally signing the BPM)
Key Manifest binary file (optional)
2.5.2 Main Functions
The tools main functions are:
BpmGen2 GEN : Generates a v1.0 or v2.0 BPM depending on the BPM Parameter file
BpmGen2 KMGEN : Generates a v2.0 KM
BpmGen2 KM1GEN : Generates a v 1.0 KM
BpmGen2 INFO : Displays KM, BPM, or BIOS information
BKM: Issuing the command specifying only the main function without any additional parameters (i.e., BpmGen2 GEN) displays the syntax for that function.
The following sections provide the syntax for invoking the tool. The tool is designed to be invoked from the DOS prompt or as part of a batch file.
The main form for the syntax is:
ToolName OPERATION Required parameters Additional (optional) parameters
All command line parameters are case insensitive (i.e., you can use upper and/or lower case characters).
The syntax uses tags followed by zero or more variables (such as filename). Tags are shown in
UPPERCASE with “-” as the first character (e.g., -TAG <filename>).
Variables are shown encased in <…>.
Optional parameters are indicated by brackets “[…]” and start with a tag.
2.5.3 Syntax for Displaying Boot Policy Information
BpmGen2 INFO <BiosFile>
-- displays the FIT, BPM, KM, and other information and calculates key hash values
BpmGen2 INFO <KM or BPM filename>
-- displays the KM or BPM, and verifies its signature
2.5.4 Syntax for Boot Policy Manifest Generation
[Figure: inputs to the BpmGen2 Tool are the Initial BIOS File, BPM Parameters File, Key Manifest, User Data and Signing Key; outputs are the Signed BPM and the Modified BIOS File]
BpmGen2 GEN <BIOSFileToUpdate> <BpmParamsFile> [-BPM <BpmOutputFileName>] [-U <UpdatedBiosFilename> [-KM <KeyManifestFile>]]
Either –BPM or –U (or both) must be specified
-BPM instructs the tool to save the BPM binary to the specified filename
-U directs the tool to update the BIOS file with the new BPM (and KM if specified) and then save
the updated BIOS image to the specified filename.
-KM instructs the tool to replace the KM in the updated BIOS image with the specified KM.
To use the -U option, the original BIOS file (BIOSFileToUpdate) must have a Firmware Interface Table (FIT) that includes a Type 0x0c BPM record. This indicates where the tool will place the BPM. The size for this location must be equal to or greater than the size of the new BPM.
The -KM option can only be used with the -U option, and the FIT must include a Type 0x0b KM record indicating where the tool will replace the KM; the size specified for that location must be equal to or greater than the size of the specified KM.
Note that unlike the BPM, which must be updated for each BIOS build, the KM is typically only generated once per project, and thus you have the option of including it in the original BIOS file (BIOSFileToUpdate) or having the tool insert it (-KM KeyManifestFile) at the same time it updates the BIOS image with the new BPM.
To generate a modified BIOS with an updated BPM, you would use the following form:
BpmGen2 GEN <BIOSFileToUpdate> <BpmParamsFile> -U <UpdatedBiosFilename>
This creates a new BPM based on the BIOSFileToUpdate plus BpmParamsFile and generates an updated BIOS image with the new BPM, saving it to UpdatedBiosFilename.
The BpmParamsFile contains static policy settings (i.e., the settings that typically don’t change from build to build). See Chapter 3 BPM PARAMS File for details.
Example:
[Figure: the BpmGen2 Tool can produce a Modified BIOS File (containing FIT, BPM and KM), a BPM File, or a KM File]
BpmGen2 GEN BiosFile.Fd MyBpmParams.bpDef -U UpdatedBiosFile.Fd -KM MyKM.bin
Additional command line arguments include the following:
[-BLOCK [<TsSize>]]: must be used with the -U option and instructs the tool to generate a BPM for a platform that boots from a block device (in contrast to booting from a SPI flash device) and also prepends Boot Partition Descriptor Tables to the BIOS image. TsSize is the Block Top Swap size. See Chapter 6 “Boot from Block”.
2.5.5 Syntax for Key Manifest Generation
[Figure: inputs to the BpmGen2 Tool are the KM Parameters, Signing Key and Public Keys; output is the Signed KM]
Note: using the BpmGen2GUI tool provides a more user-friendly way to generate a Key Manifest.
BpmGen2 KMGEN -KEY <BpKeyFileName> <keyParams> -KM <KmOutputFilename> [Optional settings] {Signing directive}
BpmGen2 KM1GEN -BPKEY <BpKeyFileName> -KM <KmOutputFilename> [Optional settings] {Signing directive}
Generates a signed KM where:
“KM1GEN” creates a v1.0 KM (for platforms prior to converged BtG/TXT) while “KMGEN” creates a v2.1 KM.
Optional settings are not order dependent; the default value is used if not specified. They include:
-KMID <value 0-15>: Default is 1
-SVN <value 0-15>: Default is 1
-KMVERSION <value 0-255>: Default is 1
-BPKHASH <SHA256 | SHA384 | SM3>: (v1 only) hash alg used to create the BPM Key Hash. Default is SHA256
-KMKHASH <SHA256 | SM3>: (v2 only) hash alg used to create the KM Key Hash. Default is SHA256
-SIGHASHALG <SHA256 | SHA384 | SM3>: hash alg used in signing. Default is SHA256
-SIGALG <RSA | ECC>: key algorithm. Default is RSA (use ECC for SM2 signing)
-SCHEME <RSASSA | RSAPSS | ECDSA | SM2>: signing algorithm. Default is RSASSA
Signing directive must be one of the following:
-SIGNKEY <PrivateKeyFileName> [-SIGNPUBKEY <KeyFileName>]: Note: PubKey is only needed when the private key does not contain the public key (most private key structures do).
-XSIGN <DataFile> <BatchFile> <sigFile> -SIGNPUBKEY <KeyFileName> [-OUTHASH]: The tool will generate the KM body and save it to <DataFile>, invoke <BatchFile>, and then read the signature from <sigFile>. If you include the -OUTHASH option, the tool will output the hash of the KM body instead of the KM body. Your batch file is expected to take the <DataFile> and create <sigFile>, which is a binary signature the size of the binary public key. See 4.4 External Signing.
[-KEY <BpKeyFileName><keyParams>] can be repeated to authenticate multiple keys (v2 only)
<KeyParams> can be any of the following:
[SHA256 | SHA384 | SM3] - Specifies the hash algorithm for creating the KeyHash (Default: SHA256)
[BPM] [FPM] [ACMM] [SDEV] [...] - Specifies Key usage (BPM, FIT Manifest, ACM Manifest, etc.) Default: BPM
-U:<hexValue> - Specifies the Key usage value (for setting usage bits not yet defined). Example: -U:83 would set BPM[0], FPM[1], and bit 7; BPM FPM -U:80 would also set BPM[0], FPM[1], and bit 7.
The primary purpose of the KM is to authenticate the BPM public signing key. If you do have the need to authenticate additional keys, the BPM key should be first.
A typical usage to have the tool sign the KM would be:
BpmGen2 KMGEN -KEY BpmPublic.pem BPM -KM MyKM.bin -SIGNKEY KmPrivate.pem
Or (for external signing):
BpmGen2 KMGEN -KEY BpmPublic.pem BPM -KM MyFirstKM.bin -XSIGN Data2Sign.SignIt.bat Signature.bin
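The -XSIGN contract above requires the batch file to return a raw binary signature that is exactly the size of the binary public key, and the tool itself can extract that key from a PEM file. The following Python script is an added example, not code from the BpmGen2 toolkit or this guide: it performs the same size check on what the external signing service returns, reading an RSA public key from a PEM SubjectPublicKeyInfo file with a small standard-library-only DER reader and comparing the modulus size with the signature file. The sample key is constructed from an arbitrary 2048-bit modulus so the script runs offline; it is not a real key. The example covers RSA keys only (the guide also lists ECC and SM2 schemes, whose signature sizes are not derived from a modulus), and the function and file names are this example's own.

```python
"""Check an external-signing (-XSIGN) signature file against the public key.

Standard library only: the RSA SubjectPublicKeyInfo is decoded with a small
DER reader, and the expected signature size is the byte length of the modulus.
"""
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1


def _der_len(data, pos):
    """Decode a DER length at pos; return (length, offset of the value)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_tlv(data, pos, tag):
    """Read one TLV at pos, enforcing the tag; return (value, next_pos)."""
    if data[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02X} at offset {pos}, got 0x{data[pos]:02X}")
    length, start = _der_len(data, pos + 1)
    return data[start:start + length], start + length


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the body."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN") and lines[-1].startswith("-----END")):
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(lines[1:-1]))


def rsa_public_key_from_pem(pem_text):
    """Return (modulus, exponent) from an rsaEncryption SubjectPublicKeyInfo PEM."""
    spki, _ = _der_tlv(pem_to_der(pem_text), 0, 0x30)   # SubjectPublicKeyInfo SEQUENCE
    alg, pos = _der_tlv(spki, 0, 0x30)                   # AlgorithmIdentifier
    oid, _ = _der_tlv(alg, 0, 0x06)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption public key")
    bits, _ = _der_tlv(spki, pos, 0x03)                  # subjectPublicKey BIT STRING
    if bits[0] != 0:
        raise ValueError("unexpected unused-bits count in BIT STRING")
    rsa_pub, _ = _der_tlv(bits[1:], 0, 0x30)             # RSAPublicKey SEQUENCE
    n_bytes, pos = _der_tlv(rsa_pub, 0, 0x02)            # INTEGER modulus
    e_bytes, _ = _der_tlv(rsa_pub, pos, 0x02)            # INTEGER publicExponent
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def binary_key_size(modulus):
    """Size in bytes of the binary public key (and of an RSA signature made with it)."""
    return (modulus.bit_length() + 7) // 8


def check_xsign_signature(pem_text, signature):
    """Return (ok, message) for a <sigFile> produced by the external signing batch file."""
    modulus, _ = rsa_public_key_from_pem(pem_text)
    expected = binary_key_size(modulus)
    if len(signature) != expected:
        return False, f"signature is {len(signature)} bytes, expected {expected}"
    return True, f"signature size matches the {expected * 8}-bit key"


# --- constructed test key (not a real key) -----------------------------------
def _der_encode(tag, content):
    """Encode one DER TLV (short, 0x81 and 0x82 length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw          # keep the INTEGER positive
    return _der_encode(0x02, raw)


def make_sample_rsa_pem(modulus, exponent=65537):
    """Wrap arbitrary (n, e) in a SubjectPublicKeyInfo PEM for offline testing."""
    rsa_pub = _der_encode(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _der_encode(0x30, _der_encode(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    spki = _der_encode(0x30, alg + _der_encode(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


SAMPLE_MODULUS = (1 << 2047) | 0x123456789ABCDEF1     # constructed 2048-bit odd value, not a real key
SAMPLE_PEM = make_sample_rsa_pem(SAMPLE_MODULUS)

if __name__ == "__main__":
    print(check_xsign_signature(SAMPLE_PEM, b"\x00" * 256))   # the size the batch file must produce
    print(check_xsign_signature(SAMPLE_PEM, b"\x00" * 255))   # one byte short: rejected
```

To use it on a real -XSIGN run, pass the contents of the -SIGNPUBKEY PEM file and the bytes of <sigFile> to check_xsign_signature(); a size mismatch usually means the signing service emitted an encoded (DER or base64) signature rather than the raw binary the tool expects.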
3 BPM PARAMS File
An example BPM PARAMS file is provided in Appendix C. The BpmGen2GUI tool can be used to generate/edit BPM PARAM files, but the BPM PARAM file is easily modified using a text editor. Let’s look at the various sections of the BPM Params file and your options.
Lines starting with # are section (and subsection) labels and must not be modified (nor moved). Don’t change the first 3 lines in the first section (# FILEHEADER).
Lines starting with // are comments and are ignored by the BpmGen2 tool. You may insert or delete comment lines, but comments cannot be added to the end of a line, i.e., “//” must be the first characters of the line.
The remaining lines use the format TAG: Value. Don’t change the TAG.
Some tags are used only by the BpmGen2GUI tool that generates the bpDef file and are ignored by the BpmGen2 tool. Tags of interest are highlighted in green font in this chapter.
Some values (such as algorithm IDs) contain a numeric value (decimal or hex), followed by a “:” and then text. The “:” and following text are ignored by the tool, but make it easier for human interpretation. Thus, just changing that text doesn’t change anything.
The following subsections provide information on the values that you may modify.
3.1 BPM_DEF
Must be the first section following the FILEHEADER section. It starts with the “# BPM_DEF” label, and there must be exactly one.
# BPM_DEF
PlatformRules: Server
BpmStrutVersion: 0x21
BpmRevision: 0x03
BpmRevocation: 0
AcmRevocation: 2
NEMPages: 0x20
IbbSetCount: 1
CurrentIbbSet: 0
BpmStrutVersion: Typically 0x21 to build a version 2 BPM. Setting this to 0x10 builds a v1.0 BPM.
BpmRevision: You specify an arbitrary value for the BPM revision so you can identify different BPM builds. Max value is 0xFF (255). Consider incrementing this value each time you modify the BpDef file or each time you release a BIOS update.
BpmRevocation and AcmRevocation are used to revoke BPMs and ACMs respectively (aka anti-rollback). BpmRevocation is the BPM’s SVN (Security Version Number) and AcmRevocation is compared to the ACM’s SVN. Their values may be 0-15 (0x0 – 0xF). If for any reason you need to revoke a previous BPM, just increment BpmRevocation, and BPMs with lower SVN values will no longer be accepted once the platform boots using a valid BIOS with the newer BPM. AcmRevocation is only effective if it matches the value of the ACM. Intel will inform OEMs if an ACM ever needs to be revoked. ACMs with an SVN of 0 or 1 are considered Non-Production-Worthy, and thus production-qualified ACMs will always have SVNs greater than 1. See Annex B.6 “Revoking Keys”.
Warning: Once BpmRevocation is incremented, its value is permanently saved on platforms that boot with the new BPM and cannot be rolled back. Thus, there is a maximum of 15 BPM revocations. So only revoke BPMs that pose a security concern.
NEMPages: BtG automatically allocates enough Non-Eviction Mode (NEM) memory in processor cache to hold the IBB segments (both measured and Post IBB; however, it only loads the measured segments). Here you can specify the number of additional pages that IBB needs for data it also wants protected (such as its software stack). Note that the total number of pages depends on the processor’s cache size, and thus specifying too large a number could result in a failure. Client processors tend to have smaller cache sizes than server processors.
IbbSetCount and CurrentIbbSet are only used by the GUI tool that creates the BPM PARAMS file.
3.2 IBB SET
Section starts with the “# IBB_SET” label and in the future there might be multiple IBB_SET sections (e.g., one for IBB Cold Boot Set and one for S3Resume Set). Currently, only the ColdBoot set can be included.
# IBB_SET
IbbSetType: 0:ColdBoot
IbbSetInclude: TRUE
PBETValue: 3
MCHBAR:
VTD_BAR:
//DMA Protection
DmaProtBase0:
DmaProtLimit0:
DmaProtBase1:
DmaProtLimit1:
IbbFlags: 0x3
// Bit0 : Enable DMA Protection
// Bit1 : Issue TPM Start-up from Locality 3
// Bit2 : Extend Authority Measurements into the Authority PCR
// Bit3 : On error: Leave TPM Hierarchies enabled. Cap all PCRs
// Bit4 : BIOS supports Top Swap
DmaProtAutoCalc: TRUE
IbbHashAlgID: 0x0B:SHA256
IbbEntry: 0xFFFFFFF0
PostIbbHashAlgID: 0x10:NULL
PostIBBHashSource: Calculate
PostIbbHashFile: PostIbbDigest.hash
IbbSegSource: MANUAL
IbbSegBase: 0xFFA00000
IbbSegSize: 0x2C0000
IbbSegHashed: FALSE
IbbSegCacheType: WB
IbbSegFile:
IbbGuid: 4a4ca1c6-871c-45bb-8801-6910a7aa5807
ObbHashAlgID: 0x0B:SHA256
ObbHashSource: List
ObbHashFile: 32Byte.hash
ObbGuid: 9e21fd93-9c72-4c15-8c4b-e77f1db2d792: Example GUID
ObbGuid: 7bb28b99-61bb-11d5-9a5d-0090273fc14d: Example GUID 2
# MINOR_VERSION_ADDITIONS: 1
IbbSetType: One of {0:ColdBoot, 1:S3Resume}. The tool only looks at the first character, which must be 0 or 1. Most projects require a ColdBoot set and do not support other sets. Check the platform requirements.
IbbSetInclude: If FALSE, this set will be excluded from the BPM. Must be TRUE for the ColdBoot set. Must be FALSE for any Set Type the target ACM does not support. The BpmGen2 tool will ignore sets with IbbSetInclude == FALSE.
PBETValue: You specify the additional time (number of seconds) BIOS needs for the Protect BIOS Environment Timer. Max value is 31. The actual timeout value will be 5 s plus this value. PBET is started when the ACM invokes the BIOS code at the specified entry point. If BIOS does not stop the PBET timer before it times out, the platform will start the enforcement action for invalid BIOS.
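The format rules in the chapter introduction and the limits given for BPM_DEF (section 3.1) and for the IBB_SET values above are easy to check before a build. The following Python script is an added example, not part of the BpmGen2 toolkit or this guide: it parses a bpDef file under those rules and reports values outside the documented ranges. The sample bpDef text embedded in it is constructed from the listings in sections 3.1 and 3.2 (the FILEHEADER body, which the guide does not show, is left out). The check that IbbFlags Bit1 must be set when BpmStrutVersion is 0x21 is this example's reading of the CBnT requirement, not a check the tool is documented to perform, and all function names are this example's own.

```python
"""Parse and sanity-check a BpmGen2 BPM Parameters (bpDef) file.

Format rules implemented here come from chapter 3 of the guide:
  - a line starting with '#'  is a section label (kept in order, never edited)
  - a line starting with '//' is a comment; '//' counts only at line start
  - every other line is 'TAG: Value'; a numeric Value may carry a ':text'
    annotation that the tool ignores (e.g. '0x0B:SHA256')
Limits checked come from sections 3.1 (BPM_DEF) and 3.2 (IBB_SET).
"""

# Constructed sample (not a project's real bpDef file) mirroring the listings
# in sections 3.1 and 3.2.  The guide does not show the FILEHEADER body, so
# only its label appears here.
SAMPLE_BPDEF = """\
# FILEHEADER
// (header lines omitted in this constructed sample)
# BPM_DEF
PlatformRules: Server
BpmStrutVersion: 0x21
BpmRevision: 0x03
BpmRevocation: 0
AcmRevocation: 2
NEMPages: 0x20
IbbSetCount: 1
CurrentIbbSet: 0
# IBB_SET
IbbSetType: 0:ColdBoot
IbbSetInclude: TRUE
PBETValue: 3
MCHBAR:
VTD_BAR:
IbbFlags: 0x3
// Bit0 : Enable DMA Protection
// Bit1 : Issue TPM Start-up from Locality 3
IbbHashAlgID: 0x0B:SHA256
IbbEntry: 0xFFFFFFF0
IbbSegBase: 0xFFA00000
IbbSegSize: 0x2C0000
ObbGuid: 9e21fd93-9c72-4c15-8c4b-e77f1db2d792: Example GUID
# MINOR_VERSION_ADDITIONS: 1
"""

# (section, tag) -> inclusive (min, max) as stated in the guide
LIMITS = {
    ("BPM_DEF", "BpmRevision"): (0, 0xFF),   # "Max value is 0xFF (255)"
    ("BPM_DEF", "BpmRevocation"): (0, 15),   # SVN, 0x0 - 0xF
    ("BPM_DEF", "AcmRevocation"): (0, 15),   # SVN, 0x0 - 0xF
    ("IBB_SET", "PBETValue"): (0, 31),       # "Max value is 31"
}
BPM_STRUCT_VERSIONS = {0x21: "v2.1 BPM", 0x10: "v1.0 BPM"}
IBB_FLAG_TPM_LOCALITY3 = 1 << 1            # IbbFlags Bit1, "must be set for CBnT"


def parse_bpdef(text):
    """Return [(section_label, [(tag, value), ...]), ...] in file order."""
    sections = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.startswith("//"):
            continue                      # blank line, or comment at line start
        if line.startswith("#"):
            sections.append((line[1:].strip(), []))
            continue
        if not sections:
            raise ValueError(f"line {lineno}: value before the first section label")
        tag, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'TAG: Value', got {line!r}")
        sections[-1][1].append((tag.strip(), value.strip()))
    return sections


def numeric(value):
    """Leading number of a value; the ':text' annotation is ignored ('0x0B:SHA256' -> 11)."""
    return int(value.split(":", 1)[0].strip(), 0)


def lookup(items, tag):
    """First value for tag in a section's (tag, value) list, or None."""
    return next((v for t, v in items if t == tag), None)


def validate(sections):
    """Return a list of problem strings; empty means every documented limit holds."""
    problems = []
    labels = [name for name, _ in sections]
    if labels[:2] != ["FILEHEADER", "BPM_DEF"]:
        problems.append("# BPM_DEF must be the first section after # FILEHEADER")
    if labels.count("BPM_DEF") != 1:
        problems.append("exactly one # BPM_DEF section is required")
    struct_version = None
    for name, items in sections:
        for tag, value in items:
            limit = LIMITS.get((name, tag))
            if limit is None:
                continue
            try:
                n = numeric(value)
            except ValueError:
                problems.append(f"{tag}: {value!r} is not a number")
                continue
            if not limit[0] <= n <= limit[1]:
                problems.append(f"{tag}: {n} outside {limit[0]}..{limit[1]}")
        if name == "BPM_DEF":
            struct_version = numeric(lookup(items, "BpmStrutVersion") or "0")
            if struct_version not in BPM_STRUCT_VERSIONS:
                problems.append(f"BpmStrutVersion: 0x{struct_version:X} is neither 0x21 nor 0x10")
        if name == "IBB_SET":
            set_type = (lookup(items, "IbbSetType") or "")[:1]   # tool reads only the first character
            if set_type not in ("0", "1"):
                problems.append(f"IbbSetType: first character must be 0 or 1, got {set_type!r}")
            include = (lookup(items, "IbbSetInclude") or "").upper()
            if set_type == "0" and include != "TRUE":
                problems.append("IbbSetInclude: must be TRUE for the ColdBoot set")
            flags = numeric(lookup(items, "IbbFlags") or "0")
            if struct_version == 0x21 and not flags & IBB_FLAG_TPM_LOCALITY3:
                problems.append("IbbFlags: Bit1 (TPM Start-up from Locality 3) must be set for CBnT")
    return problems


def check_text(text):
    """Parse then validate; the entry point for a whole bpDef file's contents."""
    return validate(parse_bpdef(text))


if __name__ == "__main__":
    for line in check_text(SAMPLE_BPDEF) or ["bpDef passes the documented checks"]:
        print(line)
```

Run it as a script to check the embedded sample, or call check_text() on the contents of your own bpDef file before handing it to BpmGen2 GEN; an empty list means every documented limit holds, and a non-empty list names the tag and the range it violates.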
See Chapter 4.7 “DMA Protection” for details on setting the following values.
MCHBAR: 64-bit value exactly as it is to be written to the MCHBAR
VTD_BAR: 64-bit value exactly as it is to be written to the VT-d BAR (not used on most server platforms)
Note: MCHBAR and VTD_BAR ranges must exclude:
1 The flash range [in HSW-ULT this is: 0xFFE00000 - 0xFFFFFFFF]
2 LT space [FED2_0000 thru FED3_FFFF]
3 Extended reserved/LT ranges [FED4_0000 thru FED7_FFFF]
4 The address space occupied by the ACM
BtG sets up DMA protection if you desire (IbbFlags.Bit0) using the following:
DmaProtBase0 and DmaProtLimit0: 0x0 if not used
DmaProtBase1 and DmaProtLimit1: 0x0 if not used
IbbFlags:
Bit0 : Enable DMA protection (VT-d on client platforms and GenProt registers on server platforms)
Bit1 : Issue TPM Start-up from Locality 3 – must be set for CBnT
Bit2 : Extend Authority Measurements into the Authority PCR