This utility is intended for re-provisioning of the platform keys AFTER applying the Intel (R) ME/ TXE firmware update in response to security advisory SA-00086. More information on the Intel (R) ME/ TXE update and security advisory can be found at https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr. At the link above there is also an INTEL-SA-00086 Detection Tool that assists in discovering the platform vulnerability status described in INTEL-SA-00086. Please refer the link for a full list of affected platforms.
- Ensure Intel (R) PTT is enabled in BIOS.
- Ensure TPM CRB kernel driver is enabled on your Linux. You can check if the device exists with "ls /dev/tpm*" after PTT is enabled in BIOS.
- Intel (R) MEI driver needs to be installed on the system. You can check this with "ls /dev/mei*""
- Following dependencies may need to be installed prior to tpm2-software install. (names may vary per your Linux distribution). rpm, autoconf-archive, curl, net-tools, build-essential, pkg-config, gcc, g++, m4, libtool, automake, libgcrypt20-dev, libssl-dev, autoconf, gnulib, wget, libdbus-1-dev, libglib2.0-dev, libcurl4-openssl-dev, dbus-x11, iproute2, libtasn1-6-dev, socat, libseccomp-dev, gawk, libyaml-dev, uuid-dev
- Install tpm2-software: tpm2-tss v3.1.0, tpm2-abrmd v2.4.0 and tpm2-tools v4.1.1 by executing the "build.sh" script as "sudo".
- If the dependency packages were installed appropriately, the build.sh should proceed to indicate the appropriate icls package versions ( i386/ x86_64 ) to install from the packages directory.
- Prior to installing the icls client libraries you can verify the rpm signatures
To do this import the public key to verify the signature from packages/iCLS dir
rpm --import "Intel(R) Trust Services.key" && rpm -K iclsClient-<version>.<arch>.rpm"
- Install iCLS client libraries from the Packages folder.
Instructions based on the package manager
- rpm --> "rpm -i -nodeps iclsClient..rpm"
- alien --> "alien -i -nodeps –-script iclsClient..rpm"
- yum --> "yum install iclsClient..rpm"
- Please make sure system wide proxy has been setup and the platform is connected.
- After installing above dependencies a reboot is required.
- Please run the TPM access broker and resource manager daemon
sudo -u tss tpm2-abrmd --tcti=device &
- Run the Intel-SA-00086-Recovery-Tool to launch the provisioning bash script. If the platform supports, an ECC based EK certificate can be retrieved by specifying "-E" option.
- If you have received the necessary Intel (R) ME/ TXE firmware update then:
- You must see the message "EPS generated by Intel (R) PTT"
- At this point the recovery application should re-provision the keys.
- After successful recovery, An NV Index for Intel (R) PTT Endorsement Key certificate is created at index 0x1c00002 for an RSA EK certificate and if the platform supports it, at index 0x1c0000a for an ECC EK certificate. A copy of it is read to the file system path indicated in the bash script, Intel-SA-00086-Recovery-Tool .
- OR,If you have not received the necessary Intel (R) ME/ TXE firmware update then:
- You must see the message "EPS is generated by Manufacturer"
- At this point the platform does not trigger the recovery process.
- The recovery tool instead tries to retrieve the Intel (R) PTT Endorsement Key certificate through non recovery process.
NOTE: Affected platform MUST receive the Intel (R) ME/ TXE firmware update to
fully mitigate the issue. An indication of this being completed is that the
tpmGeneratedEPS bit is set and can be read with tpm2_getcap properties-variable