Intel BpmGen2 GUI User Guide

Intel® Security Technologies
BpmGen2 GUI User Guide
Revision 0.5 Last updated March 5, 2020
Note: BpmGen2 GUI is significantly different from and not backward compatible with the original BpmGen GUI tool. This tool is provided “as is” with no express or implied warranty and thus it is the user’s responsibility to verify proper functionality.
1 Introduction
1.1 Overview
Intel® has converged Intel Trusted Execution Technology (Intel TXT) with Intel Boot Guard Technology (Intel BtG), merging redundant structures into the Boot Policy Manifest (BPM). Specifically, some of the information in the Firmware Information Table (FIT) and in the TPM PS Index is now provided in the BPM. In addition, new features have been added, and the OEM uses the BPM to establish policies for these features. This integration is referred to herein as Converged BtG and TXT (CBnT).
In order to support Intel TXT and/or Intel BtG, the OEM is responsible for including a Key Manifest (KM) and Boot Policy Manifest (BPM) in the BIOS image. These manifests are locatable via FIT type 0x0b and 0x0c records. The KM is typically static, but the BPM must be regenerated for each BIOS update.
The BPMGen2 Toolkit consists of several tools:
The BPMGen2 tool is a Windows based application designed to generate the Boot Policy Manifest (BPM) and can be used in a batch file to automatically update the BIOS image with the new BPM.
The BpmGen2GUI is a Windows GUI based tool that will generate the BPM Parameters file needed for the BpmGen2 tool and can also generate the Key Manifest (KM).
For Intel CBnT, the BPM structure has been enhanced to include new structures and also the KM structure was modified to support KM public key hash algorithm agility and multiple key authorizations.
When building a new BPM, instead of having a long, complicated command line, you provide a BPM Parameters file. The BPM Params file is a text file of a particular format.
Intel® TXT/BTG – BpmGen2GUI Tool User Guide
Technology Solutions Enabling Intel® TXT/BtG Tools
Page 2
The BPMGen2GUI tool’s primary purpose is to build that params file and it is also capable of generating a Key Manifest.
The purpose of this document is to:
Explain how to install the tool
Explain how to use the tool
Explain your options for signing the manifests
Provide guidance on making various selections
1.2 References
Table 1 Reference Documents
Document/Toolkit | Document No. / Location
[1] “Intel® TXT/BTG Server BIOS Specification” | IBL/CDI Doc# xxxxxx
[2] “Intel® TXT/BTG Server Design Guide” | IBL/CDI Doc# xxxxxx
[3] Intel Boot Policy Manifest Generator version 2.1 Toolkit | IBL/CDI Doc# 573188
2 BpmGen2GUI Tool Fundamentals
2.1 Capabilities
Create BPM Parameter file (*.bpDef)
Create KM Parameter file (*.kmDef) and generate a Key Manifest
Calculate the cryptographic hash digest of a file
Generate signing keys
The BpmGen2GUI tool runs in a Windows environment and generates definition files (*.kmDef and *.bpDef) for creating KMs and BPMs. It will also create a KM.
To create a Key Manifest (KM), you use the tool to select options and specify input files. These selections are saved in a *.kmDef file that may be loaded and edited at a later time. When you click the Generate KM button, the tool generates a binary KM file for you to insert into the BIOS image. The BpmGen2 tool is capable of updating the BIOS image with your KM. You should save the files using a filename that indicates which platform the KM is targeted at (e.g., GoldenEagle.kmDef and GoldenEagleKM.bin).
To create a Bpm Params file, you use the GUI tool to select options and specify input files. These selections are saved in a *.bpDef file that may be loaded and edited at a later time and is used by the BpmGen2 tool. The BpmGen2 tool uses those settings to generate the BPM (and updates the BIOS image with that new BPM).
The GUI tool is also capable of hashing a file and generating signing keys.
A BPM and KM must be signed and the tools support both internal and external signing. That is, you can use the tools to sign the manifest or use your own signing service.
Note: Supported algorithms and key sizes vary by platform. Please check platform requirements.
The tool supports the following hashing algorithms:
SHA256
SHA384
SHA512
SM3
The tools support the following signing algorithms:
RSA SSA – PKCS-1.5 (RSASSA) signatures with 2048 and 3072 bit keys using SHA256, SHA384, SHA512
RSA SSA – PSS (RSAPSS) signatures with 2048 and 3072 bit keys using SHA256, SHA384, SHA512
ECC (ECDSA and SM2) signatures with:
o NIST P-256 Curve (256-bit key) using SHA256, SHA384, & SHA512
o NIST P-384 Curve (384-bit key) using SHA384 & SHA512
o Chinese SM2 Curve (256-bit key) using SM3
2.2 Running the Tool
To run the tool, double click BpmGen2GUI.exe. On first use, you will be asked to specify the working directory. For reference we will assume C:\BpmGen2. The working directory is the default location for input and output files. You can change the working directory at any time via the tool’s Option menu. When specifying files, you are able to browse to other directories, but the tool starts looking in the working directory.
2.3 Platform Specific Information
Here is a list of settings that vary by platform. You will need to check your specific platform’s specification to determine what is supported.
Setting | Allowed values | Notes
Platform Rules: | Client or Server | Firm requirement
BPM/KM Structure Version: | v1.0 or v2.1 | Firm requirement
Supported KM Public Key Hash Algorithms: | SHA256, SM3 |
Supported Hash Algorithms: | SHA256, SHA384, SM3, SHA1 | SHA1 is only acceptable when the platform contains a TPM 1.2. Even then it is recommended that you use a stronger algorithm.
TXT:
Supported TXT Execution Profiles: | Default, Unified, Client | Most servers only accept “Default”
Supported Backup Memory Scrubbing Action: | Power-down memory depletion, Unbreakable shutdown | Most servers only support Power-down memory depletion
Signing Schemes:
RSA Key Size/HashAlg: | 2048/SHA256, 3072/SHA256, 3072/SHA384 |
RSA Signing Schemes: | RSA SSA-PKCSv1.5, RSA SSA-PSS |
ECC (Curve/HashAlg): | ECDSA P256/SHA256, ECDSA P384/SHA384, SM2/SM3 | Most platforms do not support ECDSA, and client platforms don’t currently support SM2
3 BpmGen2GUI Tool Screens
3.1 Menus
File menu contains the typical file commands
Options menu allows you to change the working directory
Tools menu allows you to calculate the hash of a file by selecting the file and specifying the hash algorithm, and then save the hash to a file. You can also generate a pair of RSA or SM2 signing keys.
Help menu allows you to open the tool’s manual, display the tools log, and display tool information
3.2 Help buttons and Links
Help buttons and links: On each edit screen is a help button. Clicking it provides information about that screen and its purpose. In addition, certain labels (blue underlined text) are links to additional information about that control and/or that section, and sometimes guidance on appropriate selections.
3.3 Platform Rules
On KM and BPM edit screens, there is a dropdown box named Platform Rules. Originally, the plan was to list the different platforms and limit selections to only values supported by that platform. This turned out to be too difficult to maintain. So now you are able to select Client, Server, or None. When you save a def file or generate a KM, the tool performs a rules check depending on the platform type you selected.
Some high end desktops and workstations use server processors and/or chipsets and thus follow server rules, while some entry level servers use client processors/chipsets and thus follow client rules. So select the platform rules required by the platform for which you are creating the manifest; the tool will limit your selections based on that setting and check to make sure existing settings are appropriate for that platform. A setting of None removes all restrictions (to allow the tool to be used with future platforms).
Note: If you need to select a value not allowed by the current platform selection, then you can change Platform Rules to None. It is recommended that this not be done until all other selections have been made.
4 Main Screen
To create a new KM from scratch, click the Create Key Manifest (KM) button and it will take you to the KM edit screen.
Clicking on Edit Key Manifest (KM) Definition prompts you to select an existing *.kmDef file and then takes you to the KM edit screen to edit that file.
To create a new Bpm Params file from scratch, click the Create Boot Policy Manifest (BPM) Def button and it will take you to the first BPM edit screen.
Clicking on Edit Boot Policy Manifest (BPM) Def prompts you to select an existing *.bpDef file and then takes you to the first BPM edit screen to edit that file.
5 KM Edit Screen
The Key Manifest screen is shown in Figure 1 KM Definition Screen and the following subsections explain the various controls and selection tradeoffs.
Figure 1 KM Definition Screen
The help button displays information about the screen. Also, clicking on a blue underlined label displays information about that control or group of controls.
A separate button returns you to the main screen.
5.1.1 Platform Rules:
This control establishes values, limits, and ranges for the selected platform type. For example, changing the platform type might change which hashing algorithms and signing algorithms are valid. You should select the platform rules for which the KM will be used. See section 3.3 Platform Rules.
5.1.2 Structure Version:
Currently all CBnT platforms only support version 2.0, while all previous platforms support only v1.0. Select the version that the target platform supports.
5.1.3 KM Revision (0-255):
This is an arbitrary value that allows you to identify different instances of the KM. Typically, this starts at 0 and should be incremented each time you create a new KM with the same KM ID and KM signing key. Selecting Auto-Increment will cause the tool to automatically increment this value each time you generate the KM. For platforms that support S3 power state, the combination of KM Revision and KM ID must be unique for all KMs signed with the same key.
5.1.4 KMSVN (0-15)
This is used for revocation (anti-rollback) of previous KMs. This should start at 0 and only be incremented if a KM with the previous KM SVN (for the same KM ID and signing key) must no longer be allowed (i.e., revoked). Caution: there are only 15 levels of revocation, so once this counter reaches 15 you will not be able to revoke KMs with SVN==15.
5.1.5 KM ID (0-15):
This value must match the KMID value programmed into the platform’s chipset (FPFs), else the KM will be considered invalid.
5.1.6 KM Public Key Hash Alg:
New for V2.1 KM. Specify the hash algorithm that was used to create the KM Public Key Hash programmed into the platform’s chipset (FPFs).
5.1.7 Keys Being Authorized:
A v1.0 KM only authorizes the BPM key. For v2.1, you can specify keys for other usages. A key that is used for multiple usages only needs to be added once.
To add the BPM key, click the “Add” button and enter the Filename or click Browse to select it. Specify the Hash Algorithm that you want BtG to use to authenticate the BPM’s signature. The file can be a PEM file or a Binary file containing the key, or you may specify a binary Digest file containing the hash of the public key. If a PEM file or Binary file is given, the tool calculates the hash. In any case, you must specify the Hash Alg. Check the BPM box (and any other appropriate box). To add other keys, repeat this process and select their use. Only one key can have the BPM box selected. Bits 4-7 are for future use, to allow you to specify usages that will be defined later. Clicking the Delete button will remove the key being displayed. For older platforms (V1.0), Hash Alg must be SHA256 and only the BPM key can be specified.
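The rules check that section 3.3 says the tool performs when you save a def file or generate a KM, modelled on the limits stated in the section 2.3 table and in the section 5.1 field descriptions above, as an added example (this is not BpmGen2GUI's own code; the KmDef fields, the usage names, the fpf_km_id and previous_svn arguments, and the choice to check numeric field ranges even under Platform Rules None are assumptions made for the illustration):

```python
# Added illustration of the rules check this guide says the tool performs when
# a def file is saved or a KM is generated (sections 2.3, 3.3 and 5.1). Not
# BpmGen2GUI's own code: field names and the fpf_km_id/previous_svn arguments
# are assumptions.
from dataclasses import dataclass

HASH_ALGS = {"SHA256", "SHA384", "SM3", "SHA1"}   # section 2.3 table
KM_PUBKEY_HASH_ALGS = {"SHA256", "SM3"}           # section 2.3 table
SIGNING_SCHEMES = {"2048/SHA256", "3072/SHA256", "3072/SHA384",
                   "ECDSA P256/SHA256", "ECDSA P384/SHA384", "SM2/SM3"}

@dataclass
class KmDef:
    platform_rules: str      # "Client", "Server" or "None" (section 3.3)
    version: str             # "1.0" or "2.1"
    km_revision: int         # 0-255
    km_svn: int              # 0-15, anti-rollback counter
    km_id: int               # 0-15, must match the KMID in the FPFs
    km_pubkey_hash_alg: str  # v2.1 only (section 5.1.6)
    signing_scheme: str      # one of SIGNING_SCHEMES
    keys: list               # (hash_alg, usages) tuples, e.g. ("SHA256", {"BPM"})

def check_km_def(d: KmDef, fpf_km_id: int, previous_svn: int = 0) -> list:
    """Return findings as strings; an empty list means the definition passes."""
    out = []
    # Field ranges (assumed structural, so checked under every Platform Rules).
    for name, val, hi in (("KM Revision", d.km_revision, 255),
                          ("KMSVN", d.km_svn, 15), ("KM ID", d.km_id, 15)):
        if not 0 <= val <= hi:
            out.append(f"{name} {val} outside 0-{hi}")
    if d.km_id != fpf_km_id:
        out.append("KM ID does not match the KMID programmed in the FPFs")
    if d.km_svn < previous_svn:
        out.append("KMSVN lower than previous KM: rollback is not allowed")
    if d.km_svn == 15:
        out.append("warning: KMSVN is 15, no further revocation is possible")
    if sum("BPM" in usages for _, usages in d.keys) != 1:
        out.append("exactly one key must have the BPM box selected")
    if d.version == "1.0" and (len(d.keys) != 1
                               or d.keys[0][0] != "SHA256"):
        out.append("v1.0 KM: only the BPM key, hashed with SHA256, is allowed")
    if d.platform_rules == "None":   # None removes the platform restrictions
        return out
    if d.version == "2.1" and d.km_pubkey_hash_alg not in KM_PUBKEY_HASH_ALGS:
        out.append("KM public key hash alg must be SHA256 or SM3")
    for alg, _ in d.keys:
        if alg not in HASH_ALGS:
            out.append(f"hash alg {alg} is not supported")
    if d.signing_scheme not in SIGNING_SCHEMES:
        out.append(f"signing scheme {d.signing_scheme} is not supported")
    elif d.platform_rules == "Client" and d.signing_scheme == "SM2/SM3":
        out.append("client platforms do not currently support SM2")
    return out
```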