When you wish to deploy Intel TXT in a cloud environment across a broad volume of systems, the first requirement is enabling the technology within the BIOS* on those systems. This article describes a methodology that will allow you to automate this process on Supermicro* Servers using Supermicro Update Manager (SUM)*.
SUM is a solution provided by Supermicro for manipulating the BIOS on the SMCI X9* and X10* generation of servers. This includes replacing the BIOS image, modifying individual BIOS settings, and configuring the DMI information. SUM can be installed directly on the managed system and executed locally using the System Management Interrupt interface. The managed system can also be updated remotely through the BMC IPMI interface. This can be done independently of the Operating System on the managed platform or even in the case where the OS has not been installed. The details of proceeding with either method are extensively covered in the Supermicro Update Manager (SUM) User’s Guide that is supplied with the SUM software. Both SUM provisioning methods require a system running Red Hat Linux Server 5 Update 0 (x86_64)* or later. Because this article is focused more on deploying this solution to a large number of systems in a data center, we will focus on the remote deployment method.
The methodology discussed here assumes that you are using an Intel TXT capable Supermicro system, that the BMC interface on the managed system has a network connection, that you have flashed the BMC and BIOS firmware to a version that supports remote access (see table below), and that you have activated the product key for the managed systems (see section 3 of the Supermicro Update Manager (SUM) User’s Guide which is supplied with the SUM software).
X9 ATEN Platform (SMT_X9): BMC version 3.14 or later
X10 ATEN Platform (SMT_X10): BMC version 1.19 or later
X9 AMI Platform (SMM_X9): BMC version 2.32 or later
BIOS version 2.0 or later
Table 1 Supermicro models with associated BIOS and BMC versions that support SUM
Lastly, on the system where the SUM executable is located (in this case the SUM_HOME directory), you will need to copy the operating-system-specific driver file “sum_bios.ko” from under the SUM_HOME/driver directory to the SUM_HOME directory. For example, if the operating system is RHEL* 5.x, execute:
<SUM_HOME#> cp ./driver/RHL5_x86_64/sum_bios.ko ./
Once you have a platform with SUM installed on it, and your managed systems have met the above requirements to allow for communication to the BMC IPMI interface via the network, you can begin the process of enabling Intel TXT on your managed systems.
To obtain the current BIOS configuration of a managed system use the SUM sub-command “GetCurrentBiosCfgTextFile”.
sum [-i <IP address> -u <username> -p <password>] -c GetCurrentBiosCfgTextFile [--file <file name>]
./sum -i 192.168.1.1 -u ADMIN -p XXXXXX -c GetCurrentBiosCfgTextFile --file bios_out.txt
A portion of what the sample bios_out.txt file will look like.
* denotes the default option
The following script can be used to overwrite the BIOS settings to enable the Intel® Trusted Platform Module (Intel® TPM) and Intel TXT support on managed systems. Intel TXT is a feature of the Intel TPM, which is why the script needs to enable both at the same time.
For each managed system the enable_txt.sh script will do the following:
1. Read each entry in the managed_systems_list.sh. This file is created by the end user and contains a list of the IP address, username, and password for the BMC interfaces of your managed systems.
2. Capture the current BIOS settings of the managed system into a file called bios_config_old.txt
3. Create a new BIOS configuration file called bios_config_new.txt with the Intel TPM and Intel TXT settings enabled
4. Overwrite the BIOS with the new settings from the bios_config_new.txt file
5. Immediately reboot the system.
Sample Script enable_txt.sh
#!/bin/bash
# Enable Intel TPM and Intel TXT in the BIOS of every system in the list, via its BMC.
while read -r HOST USER PW
do
    # Skip blank lines and the "#IP_ADDRESS ..." header line of the list file
    case "$HOST" in ""|\#*) continue ;; esac
    ./sum -i "$HOST" -u "$USER" -p "$PW" -c GetCurrentBiosCfgTextFile --file bios_config_old.txt --overwrite
    sed -e "s/Intel Virtualization Technology=00/Intel Virtualization Technology=01/;s/Intel(R) VT-d=00/Intel(R) VT-d=01/;s/TPM SUPPORT=00/TPM SUPPORT=01/;s/TPM State=00/TPM State=01/;s/Pending operation=00/Pending operation=08/;s/TXT Support=00/TXT Support=01/" bios_config_old.txt > bios_config_new.txt
    ./sum -i "$HOST" -u "$USER" -p "$PW" -c ChangeBiosCfg --file bios_config_new.txt --reboot
done < managed_systems_list.sh
Sample managed_systems_list.sh
#IP_ADDRESS USERNAME PASSWORD
192.168.1.1 ADMIN password
192.168.1.2 ADMIN password
192.168.1.3 ADMIN password
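The sed step in enable_txt.sh changes nothing when a setting line is absent or already holds a value other than 00, and ChangeBiosCfg would then push a configuration that still has TPM or TXT disabled. The following is an added example, not part of the original article or of SUM, that checks bios_config_new.txt before the push and a re-fetched configuration after the reboot. The function names, the pre/post modes and the sample configuration are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not part of the original article or of SUM.
# Assumption: each setting appears as "Name=NN" on a line, the form the
# article's sed expressions match. The sample config is constructed.

REQUIRED='Intel Virtualization Technology=01
Intel(R) VT-d=01
TPM SUPPORT=01
TPM State=01
TXT Support=01'

# check_txt_cfg FILE [pre|post]
# Returns 0 when every required setting has the expected value, 1 when one
# is missing or different, 2 when FILE is unreadable.
# "pre" (default) also requires Pending operation=08, the request the script
# writes; "post" skips it (assumption: the BIOS may clear it once acted on).
check_txt_cfg() {
    local file mode want rc list
    file="$1"; mode="${2:-pre}"; rc=0; list="$REQUIRED"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    if [ "$mode" = pre ]; then
        list="$list
Pending operation=08"
    fi
    while IFS= read -r want; do
        grep -qF -- "$want" "$file" || { echo "NOT SET: $want" >&2; rc=1; }
    done <<EOF
$list
EOF
    return $rc
}

# apply_txt_sed OLD NEW: the article's substitutions, unchanged.
apply_txt_sed() {
    sed -e "s/Intel Virtualization Technology=00/Intel Virtualization Technology=01/;s/Intel(R) VT-d=00/Intel(R) VT-d=01/;s/TPM SUPPORT=00/TPM SUPPORT=01/;s/TPM State=00/TPM State=01/;s/Pending operation=00/Pending operation=08/;s/TXT Support=00/TXT Support=01/" "$1" > "$2"
}

# write_sample_cfg FILE: constructed stand-in for a fetched config.
write_sample_cfg() {
    printf '%s\n' 'Intel Virtualization Technology=00' 'Intel(R) VT-d=01' \
        'TPM SUPPORT=00' 'TPM State=00' 'Pending operation=00' \
        'TXT Support=00' > "$1"
}
```

In the loop, call check_txt_cfg bios_config_new.txt before ChangeBiosCfg and skip the host on a non-zero return; after the reboot, fetch the configuration again with GetCurrentBiosCfgTextFile and run the check in post mode.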
You have now enabled Intel TPM and Intel TXT at the BIOS level on your managed Supermicro servers.
The author would like to recognize the following individuals for their contributions to this document.
Todd Christ, Ren Wu, and Belinda Liviero.
For more information about Intel TXT, see http://www.intel.com/txt
For Intel TXT questions you can email us at firstname.lastname@example.org
The Author: David Mulnix is a software engineer and has been with Intel Corporation for over 15 years. His areas of focus have included software automation, server power and performance analysis, and cloud security.
*Other names and brands may be claimed as the property of others