Intel® Server Board S2600CW Family TPS System Security
Revision 2.4
57
4.3 Trusted Platform Module (TPM) Support
The Trusted Platform Module (TPM) option is a hardware-based security device that
addresses the growing concern over boot process integrity and offers better data protection.
The TPM protects the system start-up process by ensuring it is tamper-free before releasing
system control to the operating system. A TPM device provides secure storage for data
such as security keys and passwords. In addition, a TPM device has encryption and hash
functions. The server board implements TPM as per the TPM PC Client Specifications revision 1.2
published by the Trusted Computing Group (TCG).

A TPM device is optionally installed onto a high density 14-pin connector labeled "TPM" on
the server board, and is secured against external software attacks and physical theft. A pre-boot
environment, such as the BIOS and the operating system loader, uses the TPM to collect and store
unique measurements from multiple factors within the boot process to create a system
fingerprint. This unique fingerprint remains the same unless the pre-boot environment is
tampered with. Therefore, it is compared against future measurements to verify the integrity
of the boot process.

After the system BIOS completes the measurement of its boot process, it hands off control to
the operating system loader and in turn to the operating system. If the operating system is
TPM-enabled, it compares the BIOS TPM measurements to those of previous boots to make
sure the system was not tampered with before continuing the operating system boot process.
Once the operating system is running, it optionally uses the TPM to provide additional system
and data security (for example, Microsoft Vista* supports BitLocker* drive encryption).
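The measurement chain described above can be made concrete with a small model. The block below is an added example written for this page, not code from Intel or from the TPS; it models how a TPM 1.2 Platform Configuration Register (PCR) is extended with each boot component and how a TPM-aware operating system can detect a change by replaying the event log and comparing the result with a fingerprint recorded on a known-good boot. The PCR index assignments (0 for BIOS code, 2 for option ROMs, 4 for the OS loader) follow the TCG PC Client convention; the component contents and the "golden" value are constructed stand-ins.

```python
import hashlib
import hmac

# TPM 1.2 PCRs are 20-byte SHA-1 registers; every PCR reads as all zeros at power-on.
PCR_SIZE = 20
NUM_PCRS = 24


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 PCR extend: PCR_new = SHA-1(PCR_old || digest).

    Extend is one-way and order-dependent, so a single PCR value summarises
    the whole sequence of measurements that went into it.
    """
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("TPM 1.2 extend works on 20-byte SHA-1 digests")
    return hashlib.sha1(pcr + digest).digest()


def measure(data: bytes) -> bytes:
    """A component's measurement is the SHA-1 digest of its contents."""
    return hashlib.sha1(data).digest()


def replay_event_log(events):
    """Replay a boot event log of (pcr_index, component bytes) from reset.

    Returns the 24 PCR values the BIOS would have produced by measuring each
    component and extending it into the given PCR, in log order.
    """
    pcrs = [bytes(PCR_SIZE)] * NUM_PCRS
    for pcr_index, data in events:
        pcrs[pcr_index] = extend(pcrs[pcr_index], measure(data))
    return pcrs


def boot_fingerprint(events, indices=(0, 2, 4)):
    """Concatenate the PCRs covering the pre-OS boot path (BIOS, option ROMs,
    OS loader). This is the 'system fingerprint' compared across boots."""
    pcrs = replay_event_log(events)
    return b"".join(pcrs[i] for i in indices)


def boot_unchanged(events, golden: bytes) -> bool:
    """True if this boot's fingerprint equals the recorded known-good one.
    Constant-time comparison avoids leaking which bytes differ."""
    return hmac.compare_digest(boot_fingerprint(events), golden)


# Constructed sample boot: (PCR index, component contents). The bytes are
# stand-ins for firmware images, not real code from the server board.
GOOD_BOOT = [
    (0, b"S2600CW BIOS image (constructed stand-in)"),
    (2, b"NIC option ROM (constructed stand-in)"),
    (2, b"RAID option ROM (constructed stand-in)"),
    (4, b"OS loader (constructed stand-in)"),
]
# Same components, but the OS loader has been modified.
TAMPERED_LOADER = GOOD_BOOT[:3] + [(4, b"OS loader (constructed stand-in, patched)")]
# Same components, but the two option ROMs ran in the opposite order.
REORDERED_ROMS = [GOOD_BOOT[0], GOOD_BOOT[2], GOOD_BOOT[1], GOOD_BOOT[3]]

# Fingerprint recorded on a known-good first boot (constructed here).
GOLDEN = boot_fingerprint(GOOD_BOOT)

if __name__ == "__main__":
    print("good boot matches   :", boot_unchanged(GOOD_BOOT, GOLDEN))
    print("tampered loader     :", boot_unchanged(TAMPERED_LOADER, GOLDEN))
    print("reordered option ROMs:", boot_unchanged(REORDERED_ROMS, GOLDEN))
```

Two properties of the model are worth noting. First, because extend hashes the previous PCR value together with the new digest, changing one component or the order of two components in the same PCR changes the final value, which is exactly why the fingerprint stays constant only while the pre-boot environment is unchanged. Second, a real TPM-aware OS such as BitLocker does not store a golden value in the clear; it seals a secret to the expected PCR values so the TPM releases that secret only when the PCRs match, which gives the same detection with no comparison code to tamper with.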
4.3.1 TPM Security BIOS
The BIOS TPM support conforms to the TPM PC Client Implementation Specification for
Conventional BIOS, to the TPM Interface Specification, and to the Microsoft Windows
BitLocker* Requirements. The role of the BIOS for TPM security includes the following:
- Measures and stores the boot process in the TPM microcontroller to allow a
  TPM-enabled operating system to verify system boot integrity.
- Produces EFI and legacy interfaces to a TPM-enabled operating system for using the TPM.
- Produces an ACPI TPM device and methods to allow a TPM-enabled operating system to
  send TPM administrative command requests to the BIOS.
- Verifies operator physical presence. Confirms and executes operating system TPM
  administrative command requests.
- Provides BIOS Setup options to change TPM security states and to clear TPM
  ownership.
For additional details, refer to the TCG PC Client Specific Implementation Specification, the
TCG PC Client Specific Physical Presence Interface Specification, and the Microsoft BitLocker*
Requirement documents.