Intel® Server Board M50CYP2SB Family Technical Product Specification
fingerprint. This unique fingerprint remains the same unless the pre-boot environment is tampered with.
Therefore, it is used to compare to future measurements to verify the integrity of the boot process.
After the system BIOS completes the measurement of its boot process, it hands off control to the operating
system loader and, in turn, to the operating system. If the operating system is TPM-enabled, it compares the
BIOS TPM measurements to the ones of previous boots to make sure the system was not tampered with
before continuing the operating system boot process. Once the operating system is in operation, it optionally
uses the TPM to provide additional system and data security (for example, Microsoft Windows* 10 supports
BitLocker* drive encryption).
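The measure-then-compare mechanism described above, shown as an added example that is not part of this specification: each boot-time measurement is folded into a Platform Configuration Register (PCR) with the one-way extend operation, a verifier replays the event log to recompute the expected PCR values, and any PCR that differs from the known-good fingerprint marks the boot as tampered. The SHA-256 PCR bank, all-zero initial PCRs, and the event log contents are assumptions chosen for the illustration.

```python
import hashlib

# Constructed illustration of TPM measured boot (not from the specification).
# Assumptions: SHA-256 PCR bank, PCRs start at all zeros, and a made-up event
# log standing in for what the BIOS would record into the TCG event log.

PCR_SIZE = 32
INITIAL_PCR = bytes(PCR_SIZE)

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR_new = H(PCR_old || H(measurement)). Extend is the only write the
    TPM permits on a PCR, so a value can be neither set directly nor undone."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()

def replay_log(events):
    """Replay (pcr_index, data) events in order and return the resulting PCR
    values, which is how a verifier recomputes them from an event log."""
    pcrs = {}
    for index, data in events:
        pcrs[index] = extend(pcrs.get(index, INITIAL_PCR), data)
    return pcrs

def verify_boot(expected, observed):
    """Return the PCR indices whose value differs from the reference
    fingerprint recorded on a known-good boot (empty list means intact)."""
    return sorted(i for i in expected if expected[i] != observed.get(i))

# Constructed event log of a known-good boot.
GOOD_BOOT = [
    (0, b"BIOS firmware volume v1.0"),               # PCR0: platform firmware
    (1, b"BIOS Setup: TPM=Enabled SecureBoot=On"),    # PCR1: firmware configuration
    (4, b"EFI boot loader image"),                    # PCR4: OS loader
]
# The same boot, except the OS loader image was altered before it ran.
TAMPERED_BOOT = [
    (0, b"BIOS firmware volume v1.0"),
    (1, b"BIOS Setup: TPM=Enabled SecureBoot=On"),
    (4, b"EFI boot loader image (modified)"),
]

def demo():
    """Compare a clean reboot and a tampered boot against the reference."""
    reference = replay_log(GOOD_BOOT)
    return (verify_boot(reference, replay_log(GOOD_BOOT)),
            verify_boot(reference, replay_log(TAMPERED_BOOT)))

if __name__ == "__main__":
    clean, tampered = demo()
    print("mismatched PCRs on clean reboot:", clean)      # []
    print("mismatched PCRs after tampering:", tampered)   # [4]
```

Because extend is order-sensitive, the same measurements recorded in a different order also produce a different PCR value, which is why the verifier replays the log in sequence rather than comparing a set of hashes.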
12.6.1 Trusted Platform Module (TPM) Security BIOS
The BIOS TPM support conforms to the TPM PC Client Implementation Specification for Conventional BIOS, the TPM Interface Specification, and the Microsoft Windows* BitLocker* Requirements. The role of the BIOS for TPM security includes the following:
• Measures and stores the boot process in the TPM microcontroller to allow a TPM-enabled operating system to verify system boot integrity.
• Provides Extensible Firmware Interface (EFI) interfaces that a TPM-enabled operating system uses to access the TPM.
• Produces the Advanced Configuration and Power Interface (ACPI) TPM device and methods to allow a TPM-enabled operating system to send TPM administrative command requests to the BIOS.
• Verifies operator physical presence, then confirms and executes operating system TPM administrative command requests.
• Provides BIOS Setup options to change TPM security states and to clear TPM ownership.
For additional details, see the TCG PC Client Specific Implementation Specification, the TCG PC Client Specific Physical Presence Interface Specification, and the Microsoft Windows* BitLocker* Requirements documents.
12.6.2 Physical Presence
Administrative operations to the TPM require TPM ownership or physical presence indication by the
operator to confirm the execution of administrative operations. The BIOS implements the operator presence
indication by verifying the setup administrator password.
A TPM administrative sequence invoked from the operating system proceeds as follows:
1. A user makes a TPM administrative request through the operating system’s security software.
2. The operating system requests the BIOS to execute the TPM administrative command through the TPM ACPI methods and then resets the system.
3. The BIOS verifies physical presence and confirms the command with the operator.
4. The BIOS executes the TPM administrative command, inhibits BIOS Setup entry, and boots directly to the operating system that requested the TPM command.
12.6.3 TPM Security Setup Options
The BIOS TPM setup allows the operator to view the current TPM state and to carry out rudimentary TPM
administrative operations. Performing TPM administrative options through the BIOS Setup requires TPM
physical presence verification.
Using the BIOS TPM setup, the operator can turn TPM functionality On or Off and clear the TPM ownership
contents. After the requested BIOS TPM setup operation is carried out, the option reverts to No Operation.
The BIOS TPM setup also displays the current state of the TPM, whether TPM is enabled or disabled and
activated or deactivated. While using TPM, a TPM-enabled operating system or application may change the
TPM state independently of the BIOS Setup. When an operating system modifies the TPM state, the BIOS
Setup displays the updated TPM state.