The Supermicro TPM (Trusted Platform Module) is an add-on module designed to enhance data security in systems, particularly for highly sensitive applications. It is available in several SKUs: AOM-TPM-9670V, AOM-TPM-9670H, and AOM-TPM-9670V(H)-S. The "V" in the SKU denotes a vertical form factor, while "H" indicates a horizontal form factor. The "S" suffix signifies a server model.
Function Description:
The primary function of the TPM is to provide a hardware-based root of trust for system security. It enables features such as Intel® Trusted Execution Technology (TXT) and AMD® Secure Virtual Machine Architecture support, which protect pre-launch firmware, hypervisors, and other critical system components from malicious attacks. By integrating with the system BIOS and the provisioning utilities, the TPM helps establish a secure computing environment. At system startup it measures the hypervisor launch and checks that measurement for a match against the encryption keys; if a match is found the system is deemed "trusted" and the launch proceeds, otherwise the launch is blocked. This mechanism is vital for securing clusters and cloud environments.
Important Technical Specifications:
- TCG 2.0 Compliance: The TPM-9670 series adheres to the Trusted Computing Group (TCG) version 2.0 firmware specifications, ensuring interoperability and adherence to industry security standards.
- SPI Interface: The module utilizes a Serial Peripheral Interface (SPI) for communication with the motherboard, providing a robust and efficient connection.
- Microcontroller Technology: It incorporates a microcontroller built with 0.22/0.09-µm CMOS technology, indicating a compact and power-efficient design.
- Embedded Software: The TPM comes with compliant embedded software, ensuring its functionality and security features are up-to-date and reliable.
- EEPROM: An Electrically Erasable Programmable Read-Only Memory (EEPROM) is included for TCG firmware enhancements, as well as for storing user data and cryptographic keys.
- Hardware Accelerators: It features hardware accelerators for SHA-1 and SHA-256 hash algorithms, significantly speeding up cryptographic operations.
- True Random Number Generator (TRNG): A True Random Number Generator is integrated to provide high-quality random numbers, essential for strong cryptographic key generation and other security functions.
- Tick Counter with Tamper Detection: The module includes a tick counter with tamper detection, which helps detect and respond to unauthorized physical tampering.
- Protection Against Dictionary Attack: The TPM is designed with mechanisms to protect against dictionary attacks, enhancing the security of passwords and other sensitive data.
- Common Criteria Certification: Infineon's TPM 2.0, which is likely the core component of this module, is Common Criteria certified at Evaluation Assurance Level (EAL) 4 Moderate, signifying a high level of security assurance.
- General-Purpose I/O: The inclusion of general-purpose I/O allows for flexible integration and control within various system configurations.
- Intel® TXT Support: Full support for Intel® Trusted Execution Technology (TXT) is a key feature, enabling advanced platform security.
- AMD® Secure Virtual Machine Architecture Support: The TPM also supports AMD® Secure Virtual Machine Architecture, extending its compatibility and security benefits to AMD-based platforms.
- Full Personalization: It allows for full personalization with an Endorsement Key (EK) and an EK certificate, providing a unique identity and verifiable authenticity for each module.
- Power-Saving Sleep Mode: A power-saving sleep mode helps reduce energy consumption when the TPM is not actively performing operations.
- Power Supply: The module operates on a 3.3V power supply, which is a common standard for such components.
- WHQL Dual-Mode Driver: It includes a WHQL (Windows Hardware Quality Labs) dual-mode 1.1b + 1.2 TPM Windows Kernel Mode Driver, ensuring compatibility and optimal performance with Windows operating systems.
Usage Features:
- Form Factors: The TPM is available in both vertical (AOM-TPM-9670V) and horizontal (AOM-TPM-9670H) form factors to accommodate different chassis heights and physical space constraints. Horizontal TPMs are typically used in 1U chassis, while vertical TPMs are designed for 2U or taller chassis, offering a smaller footprint on the motherboard.
- Motherboard Compatibility: The TPM is designed for Supermicro X11 dual-processor boards and single-processor boards with socket 3647. It is also compatible with most X9, all X10, and some AMD motherboards that provide the specially designated JTPM1 connector. Users should consult their motherboard manual for the connector location and compatibility.
- Installation: Installation involves locating the 9-pin male JTPM1 connector on the motherboard, orienting the TPM module using the key pin as a reference, and carefully inserting it to avoid damaging the pins.
- BIOS Configuration: Enabling the TPM requires navigating through the BIOS setup utility. This includes enabling "Intel Virtualization Technology" and configuring "Trusted Computing" options. Specifically, "SHA-1 PCR Bank" and "SHA-256 PCR Bank" should be enabled. Initially, "PH Randomization" and "TXT Support" should be disabled in the BIOS before provisioning.
- Intel TXT Provisioning (Server Models): For AOM-TPM-9670V-S or AOM-TPM-9670H-S models, Intel TXT provisioning is integrated. For other models, it involves booting into the UEFI shell, identifying the USB device containing the provisioning tool, and executing specific commands like "TPM2TxtProv.nsh sha 256 default" to complete the provisioning process.
- Enabling TXT Support: After provisioning, users must re-enter the BIOS to enable "Platform Hierarchy," "Storage Hierarchy," "Endorsement Hierarchy," "PH Randomization," and "TXT Support" under the "Trusted Computing" options. Finally, TXT support is activated by running "getsec64.efi -l sen -a" in the UEFI shell.
- Exiting TXT Environment: To exit the TXT environment, the command "getsec64.efi -l sexit" is used in the UEFI shell.
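Once the BIOS and provisioning steps above are done, a practitioner wants to confirm from the installed OS that the two PCR banks the BIOS step enables (SHA-1 and SHA-256) are really allocated. The script below is an added example, not from the Supermicro manual; it assumes a Linux host with the tpm2-tools package (`tpm2_getcap pcrs`) and falls back to a constructed sample of that command's output so it also runs offline.

```shell
#!/bin/sh
# Post-provisioning check: both PCR banks enabled in the BIOS "Trusted Computing"
# menu (SHA-1 PCR Bank, SHA-256 PCR Bank) must be allocated on the TPM.
# Output format below matches `tpm2_getcap pcrs` (tpm2-tools 4.x and later).

# CONSTRUCTED sample output, used when tpm2-tools is not installed.
SAMPLE_PCRS='selected-pcrs:
  - sha1: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
  - sha256: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]'

# bank_allocated BANK TEXT -> success when BANK's line lists at least one PCR index
# (a disabled bank shows an empty list, e.g. "- sha384: [ ]").
bank_allocated() {
    bank="$1"; text="$2"
    printf '%s\n' "$text" |
        grep -E "^[[:space:]]*-[[:space:]]*${bank}:[[:space:]]*\[[[:space:]]*[0-9]" >/dev/null
}

# check_banks TEXT -> one line per bank; returns 0 only when both banks are allocated.
check_banks() {
    rc=0
    for b in sha1 sha256; do
        if bank_allocated "$b" "$1"; then
            echo "OK   $b PCR bank allocated"
        else
            echo "FAIL $b PCR bank not allocated (re-check Trusted Computing > PCR Bank settings)"
            rc=1
        fi
    done
    return $rc
}

# live_check -> queries the real TPM when tpm2-tools is present, else uses the sample.
live_check() {
    if command -v tpm2_getcap >/dev/null 2>&1; then
        check_banks "$(tpm2_getcap pcrs 2>/dev/null)"
    else
        check_banks "$SAMPLE_PCRS"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it with `--live` on the provisioned server; a FAIL line for either bank means the BIOS PCR Bank setting did not take effect and the "Trusted Computing" step should be repeated before enabling TXT Support.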
Maintenance Features:
- Firmware Enhancements: The EEPROM allows for TCG firmware enhancements, suggesting that the module's firmware can be updated to incorporate new features or security patches.
- User Manual and Support: The user's guide provides detailed instructions for configuration and use. Supermicro also offers technical support and maintains an updated website for the latest information on motherboard compatibility and other resources.
- Regulatory Compliance: The product is subject to California Best Management Practices Regulations for Perchlorate Materials, and a warning is provided regarding potential exposure to chemicals like lead, advising users to refer to www.P65Warnings.ca.gov for more information. This indicates adherence to environmental and safety regulations.
- Copyright and Licensing: The manual emphasizes that the product is supplied under a license, and unauthorized copying or reproduction is not allowed without written permission from Super Micro Computer, Inc., ensuring proper intellectual property management.