TCG Archives - AMI
https://www.ami.com/blog/tag/tcg/

Trusted Computing Group (TCG) Webinar – Remote Platform Integrity Attestation
https://www.ami.com/event/trusted-computing-group-tcg-webinar-remote-platform-integrity-attestation/
Mon, 02 May 2022 15:00:00 +0000

The post Trusted Computing Group (TCG) Webinar – Remote Platform Integrity Attestation appeared first on AMI.


Presented by

Muthu Ramalingam, Engineering Manager, R&D – Software & Security Engineering, AMI (USA)

About this talk

This presentation will outline the technology concepts underlying platform integrity, one of the foundational standards of trusted computing. It will also illustrate a use case for establishing trust leveraging the TCG Trusted Computing Standard as implemented in the AMI TruE™ Platform Attestation Solution.

Aptio V UEFI Firmware from AMI Supports Pyrite Security Subsystem Class (SSC) v2.00
https://www.ami.com/blog/2019/05/15/aptio-v-uefi-firmware-from-american-megatrends-supports-pyrite-security-subsystem-class-ssc-v200/
Wed, 15 May 2019 04:00:00 +0000

NORCROSS, GEORGIA – AMI, a global leader in BIOS, BMC and remote management tools and utilities, is pleased to announce its support for the Pyrite Security Subsystem Class (SSC) version 2.00 in its flagship Aptio® V UEFI Firmware.

In late 2018, the Trusted Computing Group (TCG) released the Pyrite SSC v2.00 specification, which was extended to support storage devices with certain Data Removal features, making it compatible with the other Opal family SSCs and achieving feature parity with the ATA Security Feature Set. This Data Removal feature supports removal of user data without requiring encryption.

The Pyrite SSC v2.00 specification brings a variety of new features and enhanced capabilities, including the mandatory PSID Feature Set, which includes a selectable data removal mechanism, updated rules on the side effects of the Revert and RevertSP methods and the addition of a KeepData parameter to the RevertSP method.

For more information on TCG’s Pyrite SSC version 2.00, please visit https://trustedcomputinggroup.org/resource/tcg-storage-security-subsystem-class-pyrite/.

To learn more about Aptio V UEFI Firmware from AMI, please visit ami.com/aptio.

PR Announcement: AMI Adds TPM Support on Arm®-based Systems Running Aptio® V UEFI Firmware
https://www.ami.com/blog/2018/05/14/pr-announcement-american-megatrends-adds-tpm-support-on-armbased-systems-running-aptio-v-uefi-firmware/
Mon, 14 May 2018 00:00:00 +0000

AMI is pleased to announce support for TPM on Arm®-based systems running AMI’s Aptio® V UEFI firmware.

The Trusted Platform Module (TPM) is defined in the Trusted Computing Group’s (TCG) TPM specification, which describes how trust is established in computing platforms. A TPM can be used in multiple ways: to measure code before it is executed, and to authenticate platforms using certificates, digital signatures and encryption keys.

Before adding TPM support to Arm-based systems, AMI had only supported TPM on x86 platforms. But with the need to extend TPM support to additional platforms, AMI developed TPM support that is now available for Arm systems.

To read the press release in full detail, please visit: ami.com/press-release/american-megatrends-adds-tpm-support-on-armbased-systems-running-aptio-v-uefi-firmware/.

Arm® is a registered trademark of Arm Limited or its subsidiaries in the U.S. and/or other countries.

Support for Block SID PPI
https://www.ami.com/blog/2017/11/06/support-for-block-sid-ppi/
Mon, 06 Nov 2017 00:00:00 +0000

Recently, AMI added support for the Block SID Physical Presence Interface (PPI) specification for NVMe drives running Aptio® V UEFI firmware. The Block SID PPI specification is defined in the Trusted Computing Group’s (TCG) Storage Opal Integration Guidelines, which specifically outlines the SID authority and how it manages storage devices.

Security plays a big part when it comes to technology, and Block SID gives users an extra layer of security for their drives. Block SID Physical Presence builds on this extra layer by providing a way to authorize operations on TPM-related technologies (which include Block SID). Physical Presence requires a platform operator to carry out platform operations initiated by the OS; that is, the operator has to be physically present to confirm that the operations are authorized. This benefits security because it lessens the risk of unauthorized or malicious changes, such as a rogue program encrypting the drive. Support for the Block SID specification lets users protect their devices from access by unauthorized parties and authenticate the SID authority. For customers who want to streamline the security offerings they provide to their own customers and build secure platforms, the new support for Block SID Physical Presence puts those abilities into the hands of users.

To learn more about the new support for the Block SID PPI specification, please read the full press release at ami.com/press-release/american-megatrends-provides-block-sid-for-nvme-drives-in-aptio-v-uefi-bios-firmware/.

To read more about the Physical Presence Interface Specification, see https://trustedcomputinggroup.org/wp-content/uploads/Physical-Presence-Interface_1-30_0-52.pdf.

Trusted Platform Module 2.0: A Brief Introduction by Trusted Computing Group
https://www.ami.com/blog/2017/10/27/trusted-platform-module-20-a-brief-introduction-by-trusted-computing-group/
Fri, 27 Oct 2017 00:00:00 +0000

Trusted Platform Module (TPM) 2.0 Brief Introduction

TPM Module 2.0 Brief Introduction.pdf

The Trusted Computing Group (TCG) has been addressing the trust issue – and related security benefits – for PCs, servers, networking gear and embedded systems for more than a decade, driven by the Trusted Platform Module (TPM) specification.

The TPM standard defines a hardware root of trust (HRoT) widely accepted as more secure than software that can be more easily breached by attackers.

The TPM is used with software to enable features; open source APIs are available and custom software can be developed. Additional resources for software support also are provided later in this paper.

In many systems, the TPM provides integrity measurements, health checks and authentication services.

TPM Evolves

While the earlier TPM 1.2 standard was incorporated into billions of PCs, servers, embedded systems, network gear and other devices, the evolving Internet of Things and increasing demand for security beyond the traditional PC environment led TCG to develop a new TPM specification, which recently was adopted as the international standard ISO/IEC 11889:2015.

For more flexibility of application and to enable more widespread use of the specification, TCG created TPM 2.0 with a “library” approach. This allows users to choose applicable aspects of TPM functionality for different implementation levels and levels of security. Also, new features and functions were added, such as algorithm agility, the ability to implement new cryptographic algorithms as needed.

Attributes of the TPM Include:

  • Support for bulk (symmetric) encryption in the platform
  • High quality random numbers
  • Cryptographic services
  • A protected persistent store for small amounts of data, sticky-bits, monotonic counters and extendible registers
  • A protected pseudo-persistent store for unlimited amounts of keys and data
  • An extensive choice of authorization methods to access protected keys and data
  • Platform identities
  • Support for platform privacy
  • Signing and verifying digital signatures (normal, anonymous, pseudonymous)
  • Certifying the properties of keys and data
  • Auditing the usage of keys and data

In A Trusted Platform the TPM Also Provides:

  • Attestation: reporting platform state
  • Sealing: using platform state to authorize access to keys and data
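Attestation and sealing both rest on the extendible registers listed among the TPM attributes above: a register is only ever updated as H(old || measurement), so its final value commits to the whole ordered chain of measured code. The simulation below is an added example written for this page, not code from AMI or from the TCG paper. It models a single SHA-256 PCR, a quote whose signature is stood in for by an HMAC (an assumption; a real TPM signs with an asymmetric attestation key), and a sealing policy expressed as a wrapping key derived from the expected PCR value. The boot component blobs, the nonce and the keys are all constructed.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

HASH = hashlib.sha256
DIGEST_LEN = HASH().digest_size


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: new = H(old || measurement). A PCR can only be
    extended, never written, so its value commits to the whole ordered chain."""
    return HASH(current + measurement).digest()


def measure_boot(components: List[bytes]) -> bytes:
    """Extend each boot component's hash into one PCR, starting from the reset
    value (all zeros). The component blobs are constructed stand-ins."""
    pcr = bytes(DIGEST_LEN)
    for blob in components:
        pcr = pcr_extend(pcr, HASH(blob).digest())
    return pcr


def quote(pcr: bytes, nonce: bytes, attestation_key: bytes) -> Tuple[bytes, bytes]:
    """Attestation: report platform state. A real TPM signs (PCR digest, nonce)
    with an attestation key; an HMAC stands in for that signature here
    (assumption) so the example needs no TPM or asymmetric keys."""
    message = pcr + nonce
    return message, hmac.new(attestation_key, message, HASH).digest()


def verify_quote(message: bytes, tag: bytes, nonce: bytes,
                 expected_pcr: bytes, attestation_key: bytes) -> bool:
    """Verifier side: check the tag (origin), the nonce (freshness) and the
    reported PCR against the known-good value (state)."""
    if not hmac.compare_digest(tag, hmac.new(attestation_key, message, HASH).digest()):
        return False
    reported_pcr, reported_nonce = message[:DIGEST_LEN], message[DIGEST_LEN:]
    return (hmac.compare_digest(reported_nonce, nonce)
            and hmac.compare_digest(reported_pcr, expected_pcr))


def _wrap_key(pcr: bytes) -> bytes:
    # Key derived from the platform state the secret is bound to (assumed KDF).
    return HASH(b"seal-kdf|" + pcr).digest()


def seal(secret: bytes, expected_pcr: bytes) -> Tuple[bytes, bytes]:
    """Sealing: use platform state to authorize access. The secret is wrapped
    under a key derived from the expected PCR value, with a tag so a wrong
    state is detected rather than yielding garbage."""
    assert len(secret) <= DIGEST_LEN, "toy wrap handles one hash-sized block"
    key = _wrap_key(expected_pcr)
    keystream = HASH(key + b"|stream").digest()[:len(secret)]
    blob = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(key, blob, HASH).digest()
    return blob, tag


def unseal(blob: bytes, tag: bytes, current_pcr: bytes) -> Optional[bytes]:
    """Return the secret only if the current PCR equals the sealed-to state."""
    key = _wrap_key(current_pcr)
    if not hmac.compare_digest(tag, hmac.new(key, blob, HASH).digest()):
        return None
    keystream = HASH(key + b"|stream").digest()[:len(blob)]
    return bytes(a ^ b for a, b in zip(blob, keystream))


# Constructed sample boot chains and key (not real firmware or TPM values).
GOOD_BOOT = [b"firmware-volume-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_BOOT = [b"firmware-volume-v1", b"bootloader-v1", b"kernel-v1-modified"]
ATTESTATION_KEY = b"constructed-attestation-key"


def demo() -> Tuple[bool, bool, Optional[bytes], Optional[bytes]]:
    """Run attestation and sealing against a good and a tampered boot chain."""
    golden = measure_boot(GOOD_BOOT)
    nonce = b"verifier-nonce-0001"  # constructed; a real verifier draws a fresh random nonce
    msg, tag = quote(measure_boot(GOOD_BOOT), nonce, ATTESTATION_KEY)
    good_attest = verify_quote(msg, tag, nonce, golden, ATTESTATION_KEY)
    msg2, tag2 = quote(measure_boot(TAMPERED_BOOT), nonce, ATTESTATION_KEY)
    bad_attest = verify_quote(msg2, tag2, nonce, golden, ATTESTATION_KEY)
    blob, stag = seal(b"disk-encryption-key", golden)
    return (good_attest, bad_attest,
            unseal(blob, stag, golden),
            unseal(blob, stag, measure_boot(TAMPERED_BOOT)))


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two outcomes the list describes: the quote over the unmodified chain verifies against the golden value while the tampered chain's quote is rejected, and the sealed secret unwraps only when the current PCR equals the value it was sealed to. One design point worth noting: in this model the wrapping key is derivable from the expected PCR value, so the protection comes from the TPM enforcing the policy inside the chip (as a real TPM does), not from the PCR value being secret.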

A TPM For Many Applications

With TPM 2.0, TCG created a library specification that describes all the commands/features that could be implemented and might be needed in platforms from servers to laptops to embedded systems. Each platform can choose the features needed and the level of security or assurance required. In this way, TPM 2.0 is much more flexible than the original TPM specification. That flexibility allows the newest TPMs to be applied to many embedded applications, including automotive, industrial, smart home and many more – and for designers and developers to select with more granularity the appropriate TPM capabilities for the targeted use case.

Four types of TPM are popular today, offering different trade-offs between cost, features, and security. TCG continues to evaluate market requirements to further evolve the TPM.

  1. Discrete TPM
    Discrete TPM provides the highest level of security, as might be needed for a TPM used to secure the brake controller in a car. The intent of this level is to ensure that the device it protects does not get hacked even via sophisticated methods. To accomplish this, a discrete chip is designed, built and evaluated for the highest level of security, so that it can resist tampering with the chip, including probing it, freezing it and other sophisticated physical attacks.
  2. Integrated TPM
    Integrated TPM is the next level down in terms of security. This level still has a hardware TPM but it is integrated into a chip that provides functions other than security. The hardware implementation makes it resistant to software bugs, however, this level is not designed to be tamper-resistant.
  3. Firmware TPM
    Firmware TPM is implemented in protected software. The code runs on the main CPU, so a separate chip is not required. While running like any other program, the code is in a protected execution environment called a trusted execution environment (TEE) that is separated from the rest of the programs that are running on the CPU. By doing this, secrets like private keys that might be needed by the TPM but should not be accessed by others can be kept in the TEE creating a more difficult path for hackers.
    In addition to the lack of tamper resistance, the downside to the TEE or firmware TPM is that now the TPM is dependent on many additional aspects to keep it secure, including the TEE operating system, bugs in the application code running in the TEE, etc.
  4. Software TPM
    Software TPM can be implemented as a software emulator of the TPM. However, a software TPM is open to many vulnerabilities, not only tampering but also the bugs in any operating system running it. It does have key applications: it is very good for testing or building a system prototype with a TPM in it. For testing purposes, a software TPM could provide the right solution/approach.

Many IoT systems include sensors and cloud processing, which means virtualization. In a cloud environment, one clever way to implement a TPM is through a virtual TPM. The virtual TPM is part of the cloud-based environment and it provides the same commands that a physical TPM would but it provides those commands separately to each virtual machine.

TPM Solutions for Different Needs

The five variations of TPM, discussed roughly in order of security level and decreasing cost, are shown in Table 1. To get a better handle on the cost and security level impact, the TPM supplier needs to be consulted.

TPM Resources

An “open access” book intended to get one started with TPMs:
“A Practical Guide to TPM 2.0 – Using the Trusted Platform Module in the New Age of Security”; Arthur, Challener
https://www.springer.com/us/book/9781430265832

A reference book intended to help explain TPMs:

“Trusted Computing Platforms – TPM2.0 in Context”; Proudler, Chen, Dalton; Springer
https://www.springer.com/us/book/9783319087436

Software

https://sourceforge.net/projects/ibmswtpm2/
https://chromium.googlesource.com/chromiumos/third_party/tpm2/
https://github.com/vbendeb/tpm2_server
https://research.microsoft.com/en-US/downloads/35116857-e544-4003-8e7b-584182dc6833/default.aspx
https://github.com/PeterHuewe/linux-tpmdd/tree/tpm-emulator
https://github.com/PeterHuewe/linux-tpmdd/commit/9329f13c403daf1f4bd1e715d2ba0866e089fb1d
https://github.com/PeterHuewe/linux-tpmdd/commit/bbf2f7064c1452b47f11dfad340326b1205d863a

AMI Provides Block SID for NVMe Drives in Aptio® V UEFI BIOS Firmware
https://www.ami.com/blog/2017/10/25/american-megatrends-provides-block-sid-for-nvme-drives-in-aptio-v-uefi-bios-firmware/
Wed, 25 Oct 2017 04:00:00 +0000

NORCROSS, GEORGIA – AMI, a global leader in BIOS and UEFI firmware, server and remote management tools, data storage products and unique solutions based on the Linux® and Android™ operating systems, is pleased to announce support for the Block SID Physical Presence Interface specification (defined in TCG Storage Opal Integration Guidelines Version 1.00 Revision 1.00), specifically for NVMe drives, in Aptio® V UEFI BIOS firmware.

To provide more streamlined encryption capabilities to its customers, AMI, Inc. (AMI) has added support for Block SID Physical Presence in its flagship Aptio® V UEFI BIOS firmware. The Trusted Computing Group’s (TCG) Block SID Authentication Feature Set was developed to enable storage device users to create trusted platforms and protect their devices from unauthorized access.

The Physical Presence Interface (PPI) specification describes the communication between the OS and BIOS firmware to manage the configuration of trusted platform modules (TPM) and/or TPM-related technologies, including Block SID. Physical Presence is a way to authorize TPM operations, requiring a physical platform operator to carry out platform operations initiated by the OS. Drives with Block SID possess encryption capabilities and are frozen to prevent a malicious program from encrypting the drive. The Block SID PPI allows the operating system to request the drive not to be frozen so that it can encrypt the drive the next time the system boots.

By providing support for Block SID physical presence for storage devices, AMI is creating more streamlined security offerings for customers. The support for Block SID allows customers to create trusted platforms that take precautionary steps to prevent their systems and storage devices from experiencing malicious attacks.

To learn more about Aptio V UEFI Firmware from AMI, please visit ami.com/aptio.

AMI Adds Support for SMBIOS 3.1.1 Specification
https://www.ami.com/blog/2017/05/18/american-megatrends-adds-support-for-smbios-311-specification/
Thu, 18 May 2017 00:00:00 +0000

To keep up with the latest industry standards, AMI recently added support for the SMBIOS 3.1.1 specification. The System Management BIOS (SMBIOS) specification is an industry standard that defines how management information is delivered by the system firmware. The SMBIOS specification is managed and developed by the Distributed Management Task Force (DMTF) and various companies have integrated support for the SMBIOS specification including AMI.

The most relevant updates in the 3.1.1 specification include information about TCG, TPM and additional processor support. Read more about the newest updates and AMI’s integrated support at ami.com/press-release/american-megatrends-announces-support-for-smbios-311-specification/.

AMI Announces Support for SMBIOS 3.1.1 Specification
https://www.ami.com/blog/2017/05/15/american-megatrends-announces-support-for-smbios-311-specification/
Mon, 15 May 2017 04:00:00 +0000

NORCROSS, GEORGIA – AMI, a global leader in BIOS and UEFI firmware, server and remote management tools, data storage products and unique solutions based on the Linux® and Android™ operating systems, is proud to announce support for the SMBIOS 3.1.1 specification.

The System Management BIOS (SMBIOS) specification is a standard that defines how management information is delivered by the system firmware. The SMBIOS specification is developed by the Distributed Management Task Force (DMTF), and AMI recently integrated support for the SMBIOS 3.1.1 specification. For system firmware, the relevant updates in the 3.1.1 specification include a new TCG-specific table, additional processor support and more. The TCG information includes TPM vendor information, supported TPM versions and information about switching between TPM 1.2 and 2.0. For customers who are developing on AMD-based systems, the newest specification adds support for the AMD Zen processor family. Other updates include SP3r2 sockets and Host Interface Type and Protocol Identifier enumerations.

To learn more about Aptio V UEFI Firmware from AMI, please visit ami.com/aptio.
