When one wishes to deploy Intel TXT in a cloud environment across a broad volume of systems the first requirement is enabling the technology within the BIOS on those systems. This article describes a methodology that will allow one to automate this process on Dell servers using Lifecycle Controller iDRAC – Integrated Dell Remote Access Controller*.
iDRAC is Dell’s solution for remote manipulation of their servers. The methodology discussed here assumes that iDRAC has been enabled for the servers in your environment. See links at the end of the article for iDRAC documentation and supported servers. Enabling iDRAC requires a network connection to the iDRAC interface on the target server with DHCP enabled or static ip address assigned to the interface. The setup of the interface is accomplished within the BIOS. Once this is done you can access the interface via a web browser from any system on your network and will see something like the screenshot below.
Samples of Dell command line scripts for remote management are located in the Dell wiki found at http://en.community.dell.com/techcenter/systems-management/w/wiki/1981.scripting-the-dell-lifecycle-controller.aspx. This article was written based on the scripts from the LC 1.5 Windows Examples found at the above link.
We will cover a list of Windows commands that can be used to query and change Intel TXT related BIOS settings. This example will use a Dell R720, but the same methodology can be used on other Dell servers.
Once you have iDRAC enabled on your server you can use the command below to produce a list of all of the BIOS settings and their current states.
winrm e http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/root/dcim/DCIM_BIOSEnumeration -u:root -p:password -r:https://192.168.1.1 /wsman -SkipCNcheck -SkipCAcheck -encoding:utf-8 -a:basic
This article focuses on Microsoft Windows®; The reference below is the equivalent command on Linux®
wsman enumerate http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/root/dcim/DCIM_BIOSEnumeration -h 192.168.1.1 -V -v –c dummy.cert –P 443 –u root –password –j utf-8 –y basic
You can find the equivalent scripts for Linux®, as previously mentioned from the LC 1.5 Linux Examples package at http://en.community.dell.com/techcenter/systems-management/w/wiki/1981.scripting-the-dell-lifecycle-controller.aspx.
The first step in enabling Intel TXT is to ensure that Intel® Trusted Platform Module (Intel® TPM) is enabled. Let’s take a look at one of the BIOS settings, in this case TpmSecurity. We see that currently it is Off and that it is adjustable because the IsReadOnly option is set to false. Possible values are Off, OnPbm (on with pre-boot measurements), OnNoPbm (on without pre-boot measurements).
In order to enable the TpmSecurity attribute we can issue the following command (see 17.3_Changing_the_BIOS_BootMode_SetAttribute.bat from the LC 1.5 Windows Examples)
winrm i SetAttribute http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/root/dcim/DCIM_BIOSService?SystemCreationClassName=DCIM_ComputerSystem+CreationClassName=DCIM_BIOSService+SystemName=DCIM:ComputerSystem+Name=DCIM:BIOSService -u:root -p:password -r:https://192.168.1.1/wsman -SkipCNcheck -SkipCAcheck -encoding:utf-8 -a:basic -file:SetAttribute_BIOS.xml
The command uses an xml file (-file:SetAttribute_BIOS.xml) where a single attribute or multiple attributes can be changed at one time. In this case the xml file values were as follows.
Once the command is issued the following output is produced.
The iDRAC places the BIOS change in a job pool, which requires a reboot in order for the change to take effect. If you manually reboot the system the change will not be implemented. Instead you need to issue a command to apply the pending changes.
In order to apply the pending changes we can issue the following command (see 17.7_Applying_Pending_Values_for_BIOS_Boot_CreateTargetedConfigJob.bat from the LC 1.5 Windows Examples)
winrm i CreateTargetedConfigJob http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/root/dcim/DCIM_BIOSService?SystemCreationClassName=DCIM_ComputerSystem+CreationClassName=DCIM_BIOSService+SystemName=DCIM:ComputerSystem+Name=DCIM:BIOSService -u:root -p:password -r:https://192.168.1.1/wsman -SkipCNcheck -SkipCAcheck -encoding:utf-8 -a:basic -file:CreateTargetedConfigJob_BIOS.xml
The command uses an xml file where a single attribute or multiple attributes can be changed at one time. In this case the xml file values were as follows.
A scheduled start time of TIME_NOW indicates that you wish the changes to take place immediately. The Until Time in this case was set to some arbitrary point in the future. Once the command was issued the following output was produced. A return value of 4096 indicates that the job was created.
Even though the reboot was set to TIME_NOW (immediate) it will still take 30 to 60 seconds for the event to process before you see the server reboot. After the system reboots, the changes still are not implemented. You must allow the system to move past loading the BIOS; after that you will see some new screens as the iDRAC implements your desired changes.
After the changes have been made the system will reboot one more time. At that time, if you check the values on the TpmSecurity BIOS settings, you will see that the CurrentValue changes from Off to OnPbm.
By applying the concepts above, it is possible to enable Intel TXT automatically on Dell servers supporting iDRAC. The key is to query the BIOS for the specific list of Intel TXT settings and crafting an XML file to enable the settings. Once you’ve decoded the sequencing for a particular model of Dell you can then setup a simple batch file to make the changes on multiple servers across your network.
Generally speaking you will need to enable Intel TPM and reboot the platform prior to being able to manipulate the Intel TPM subcomponents. This includes Intel TXT. After enabling Intel TXT an additional reboot is required prior to bringing up the platform to the OS level.
For a Dell R720 server the following BIOS settings and sequence is required for Intel TXT enabling.
Scripts for interfacing with iDRAC
iDRAC7 Supported Systems
More information about TXT: http://www.intel.com/txt
Get your questions answered: email to firstname.lastname@example.org
The Author: David Mulnix is a software engineer and has been with Intel Corporation for over 15 years. His areas of focus have included software automation, server power and performance analysis, and cloud security.
*Other names and brands may be claimed as the property of others
Note: The commands and code examples appearing in this article can be found at the Dell wiki found at http://en.community.dell.com/techcenter/systems-management/w/wiki/1981.scripting-the-dell-lifecycle-controller.aspx
Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for more information regarding the specific instruction sets covered by this notice.
Notice revision #20110804