When you wish to deploy Intel TXT in a cloud environment across a broad volume of systems the first requirement is enabling the technology within the BIOS on those systems. This article describes a methodology that will allow you to automate this process on IBM* Servers using Integrated Management Module (IMM)*.
IMM is a solution provided by IBM for the remote manipulation of their servers. The methodology discussed here assumes that IMM is enabled for the servers in your environment. See links at the end of the article for IMM documentation and supported servers. Enabling IMM requires a network connection to the IMM interface on the target server with DHCP enabled or static ip address assigned to the interface. The setup of the interface is accomplished within the BIOS.
Once this is done you can access the interface via a web browser from any system on your network and one will see something like the screenshot below.
Screenshot from IMM web interface.
IBM provides a command line interface called Advanced Settings Utility(ASU)* which allows you to issue commands on Microsoft* Windowsand on Linux*.
We will cover a list of commands that can be used to query and change Intel TXT related BIOS settings. The commands used below will work both on Windows and Linux as shown. This example will use an IBM x3650 M4 server, but the same methodology can be used on other IBM servers with IMM.
Once you have IMM enabled on your server you can use the command below via ASU to produce a list of all the BIOS settings and their current states. Note that you can use the hostname or ip address for the server that you are querying for the --host option.
asu64 show --host 192.168.1.1
If you wish to capture the output to a file you can do so by executing, asu64 show --host 192.168.1.1 > output.txt
Screenshot of the output generated by the show command.
The first step in enabling Intel TXT is to ensure that Intel® Trusted Platform Module (Intel® TPM) is enabled. Using the show command and reviewing the output you can see from the example above that SystemSecurity.TPMDevice=Enable and SystemSecurity.TPMState=Activate. So in this instance the Intel TPM is enabled and active which is desired state for the Intel TPM. The Intel TPM was enabled by default on the x3650 M4 server from the factory. If you find that the Intel TPM is disabled on your target system you will need to do the following in order to enable it.
1. Press F1 at boot up to enter into the uEFI menu
2. Change the Intel TPM from Disabled to Enabled ( System Setting > System Security > TPM Device )
3. Make sure the Intel TPM State is set to Activate (System Setting > System Security > TPM State )
4. Physically press the KVM/Location Button on the front of the server within 30 seconds of making the changes to the BIOS
5. Save Changes
6. Reboot the system for the changes to take effect.
Note that IBM has implemented a Physical Presence security feature for the Intel TPM. When you enable the Intel TPM in order for the change to take effect you must physically press the KVM/Location button within 30 seconds on the front of the server. On the x3650 M4 server the button was located next to the power on button. This feature makes it impossible to automate enabling/disabling of the Intel TPM without physically interacting with the server.
Here is a sample screenshot of what you might find in the BIOS for an x3650 M4 server.
On a system where the Intel TPM is enabled you can issue the following command to enable Intel TXT
asu64 set SystemSecurity.TXTState Enable --host 192.168.1.1
Issue a reboot to the system using the command
asu64 immapp rebootos --host 192.168.1.1
You have now enabled Intel TXT on your target system.
If your servers already have Intel TPM enabled, then by applying the commands above it is possible to enable Intel TXT on IBM servers through the IMM interface. This allows for Intel TXT enabling through automation on multiple servers.
IBM Advanced Settings Utility (ASU)
IBM Integrated Management Module (IMM)
More about TXT: http://www.intel.com/txt
Have a question? Email us at email@example.com
The Author: David Mulnix is a software engineer and has been with Intel Corporation for over 15 years. His areas of focus have included software automation, server power and performance analysis, and cloud security.
*Other names and brands may be claimed as the property of others