SUPERMICRO TPM for X11 PM 2.0 Security Trusted Platform User Guide
- June 16, 2024
- SuperMicro
Table of Contents
TPM for X11
AOM-TPM-9670V
AOM-TPM-9670H
AOM-TPM-9670V(H)-S
USER’S MANUAL
TPM for X11 PM 2.0 Security Trusted Platform
The information in this user’s guide has been carefully reviewed and is
believed to be accurate.
The vendor assumes no responsibility for any inaccuracies that may be
contained in this document, and makes no commitment to update or to keep
current the information in this manual, or to notify any person or
organization of the updates. Please Note: For the most up-to-date version of
this manual, please see our web site at
www.supermicro.com.
Super Micro Computer, Inc. (“Supermicro”) reserves the right to make changes
to the product described in this manual at any time and without notice. This
product, including software and documentation, is the property of Supermicro
and/or its licensors, and is supplied only under a license.
Any use or reproduction of this product is not allowed, except as expressly
permitted by the terms of said license.
IN NO EVENT WILL SUPER MICRO COMPUTER, INC. BE LIABLE FOR DIRECT, INDIRECT,
SPECIAL, INCIDENTAL, SPECULATIVE OR CONSEQUENTIAL DAMAGES ARISING FROM THE USE
OR INABILITY TO USE THIS PRODUCT OR DOCUMENTATION, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. IN PARTICULAR, SUPER MICRO COMPUTER, INC.
SHALL NOT HAVE LIABILITY FOR ANY HARDWARE, SOFTWARE, OR DATA STORED OR USED
WITH THE PRODUCT, INCLUDING THE COSTS OF REPAIRING, REPLACING, INTEGRATING,
INSTALLING OR RECOVERING SUCH HARDWARE, SOFTWARE, OR DATA.
Any disputes arising between manufacturer and customer shall be governed by
the laws of Santa Clara County in the State of California, USA. The State of
California, County of Santa Clara shall be the exclusive venue for the
resolution of any such disputes. Supermicro’s total liability for all claims
will not exceed the price paid for the hardware product.
FCC Statement: Refer to Supermicro’s website for FCC Compliance Information.
California Best Management Practices Regulations for Perchlorate Materials:
This Perchlorate warning applies only to products containing CR (Manganese
Dioxide) Lithium coin cells. “Perchlorate Material-special handling may apply.
See
www.dtsc.ca.gov/hazardouswaste/perchlorate”.
WARNING: This product can expose you to chemicals including lead, known to the State of California to cause cancer and birth defects or other reproductive harm. For more information, go to www.P65Warnings.ca.gov.
Manual Revision 1.2a
Release Date: October 13, 2022
Unless you request and receive written permission from Super Micro Computer,
Inc., you may not copy any part of this document.
Information in this document is subject to change without notice. Other
products and companies referred to herein are trademarks or registered
trademarks of their respective companies or mark holders.
Copyright © 2022 by Super Micro Computer, Inc.
All rights reserved.
Printed in the United States of America
Preface
About This User’s Guide
This user’s guide is written for system integrators, IT professionals, and
knowledgeable end users who wish to add additional data security mechanisms to
their systems to protect highly sensitive applications. It provides detailed
information on configuring, provisioning, and using the Trusted Platform
Module (TPM).
User’s Guide Organization
Chapter 1 provides an overview of the TPM, including its features and uses.
Chapter 2 provides detailed instructions on installing, provisioning, and
using the TPM.
Conventions Used in This User’s Guide
Pay special attention to the following symbols for proper TPM configuration.
Warning: Important information given to avoid TPM configuration errors.
Note: Additional information given to ensure correct and proper TPM
configuration setup.
Contacting Supermicro
Headquarters
Address: Super Micro Computer, Inc.
980 Rock Ave.
San Jose, CA 95131 U.S.A.
Tel: +1 408-503-8000
Fax: +1 408-503-8008
Email: marketing@supermicro.com (General
Information)
Sales-USA@supermicro.com (Sales Inquiries)
Government_Sales-USA@supermicro.com (Gov. Sales Inquiries)
support@supermicro.com (Technical Support)
RMA@supermicro.com (RMA Support)
Webmaster@supermicro.com (Webmaster)
Website: www.supermicro.com
Europe
Address: Super Micro Computer B.V.
Het Sterrenbeeld 28, 5215 ML ‘s-Hertogenbosch, The Netherlands
Tel: +31 (0) 73-6400390
Fax: +31 (0) 73-6416525
Email: Sales_Europe@supermicro.com
(Sales Inquiries)
Support_Europe@supermicro.com
(Technical Support)
RMA_Europe@supermicro.com (RMA Support)
Website: www.supermicro.nl
Asia-Pacific
Address: Super Micro Computer, Inc.
3F, No. 150, Jian 1st Rd.
Zhonghe Dist., New Taipei City 235
Taiwan (R.O.C)
Tel: +886-(2) 8226-3990
Fax: +886-(2) 8226-3992
Asia-Pacific
Email: Sales-Asia@supermicro.com.tw
(Sales Inquiries)
Support@supermicro.com.tw (Technical
Support)
RMA@supermicro.com.tw (RMA Support)
Website: www.supermicro.com.tw
Chapter 1 Introduction
1.1 Overview of the Trusted Platform Module (TPM)
The Trusted Platform Module (TPM9670) is a special add-on module that may be
installed onto Supermicro X11 dual and single processor motherboards that
support CPU Socket 3674 only.
Types of TPMs
Note: TPM module must be provisioned in order to support Intel® Trusted
Execution Technology (TXT). Please contact Supermicro Technical Support to get
more details about the Intel tool.
The TPM-9670 series add-on modules use TCG (Trusted Computing Group) version
2.0 firmware.
The following SKUs are available:
- AOM-TPM-9670V, a vertical TPM module
- AOM-TPM-9670H, a horizontal TPM module
Horizontal vs. Vertical: Generally, whether you should use a TPM with a
horizontal or vertical form factor depends on the physical space available.
Horizontal TPMs are used in 1U chassis. Vertical TPMs are used in 2U or taller
chassis, which are designed with a smaller footprint to occupy less space on
the motherboard.
Server vs. Client: To use the TXT function, each TPM has been provisioned as a
server model or client model. Be sure to use the appropriate TPM for your
needs.
Both server TPM and client TPM are designed to support motherboards with
Socket P (LGA3647) processors installed.
1.2 Supermicro TPM Features
- TCG 2.0 compliance
- SPI interface
- Microcontroller in 0.22/0.09-µm CMOS technology
- Compliant embedded software
- EEPROM for TCG firmware enhancements and for user data and key support
- Hardware accelerator for SHA-1 and SHA-256 hash algorithm
- True Random Number Generator (TRNG)
- Tick counter with tamper detection
- Protection against dictionary attack
- Infineon’s TPM 2.0 is Common Criteria (CC) certified at Evaluation Assurance Level (EAL) 4 Moderate
- General-purpose I/O
- Intel® Trusted Execution Technology (TXT) support
- AMD ® Secure Virtual Machine Architecture support
- Full personalization with Endorsement Key (EK) and EK certificate
- Power-saving sleep mode
- 3.3V power supply
- WHQL dual-mode 1.1b + 1.2 TPM Windows Kernel Mode Driver
1.3 Motherboards Supported for TPM
Please refer to the Supermicro website (http://www.supermicro.com/) for a
complete and most up-to-date list of the motherboards that can support the
TPM. As a general rule, besides the X11 motherboards, the list includes most
X9 motherboards, all X10 motherboards, and some AMD motherboards. These
motherboards will come with a specially designated JTPM1 connector on every
board, which will be listed in the respective motherboard’s manual.
1.4 Intel® TXT
The Intel Trusted Execution Technology (TXT) is a software tool that may be
used in conjunction with the TPM to provide additional security for pre-launch
firmware of clusters and clouds, including but not limited to the BIOS, IPMI,
SAS firmware, and CMM firmware. It is optional, but the TPM is required for it
to be provisioned.
It will further enhance system security by protecting firmware against
malicious attacks on vulnerable areas.
It works by matching hypervisor measures with encryption keys upon system
launch.
If the hypervisor does not match the keys, the hypervisor will be prevented
from starting up.
To use the TXT, you need to enable TXT support after provisioning the TPM.
Note: TXT is only supported on Intel platforms that support TPM use.
How the TXT Works
The Intel TXT, when enabled, follows a step-by-step process to ensure the
security of pre-launch components.
- Measures the hypervisor launch upon system startup
- Checks for a match
- If matched: The TXT signals “trusted,” and the launch is allowed to proceed.
- If mismatched: The TXT signals “untrusted,” and the launch is blocked.
Chapter 2 Deploying and Using the TPM
Follow the instructions below to begin using the TPM.
2.1 Installing the TPM Onto the Motherboard
To install the Trusted Platform Module onto your motherboard, follow the steps
below.
- Find the 9-pin male JTPM1 connector on the motherboard. If you need help locating this connector, consult your motherboard manual. If the board does not have this feature, then it does not support the TPM.
- Using the key pin as a reference, orient, and align your TPM with the connector.
- Carefully insert the TPM into the connector on the motherboard, making sure not to damage the pins.
Note: The orientation of the TPM to be installed depends on whether it has a horizontal or vertical form factor. The vertical TPM is intended to “stand” perpendicular to the motherboard, while the horizontal TPM lies flat (parallel) on the motherboard. See the below two images for the correct orientation.
2.2 Enabling the TPM via the BIOS and Intel® Provision Utility
There are two components to the process of enabling the TPM. After you have
installed the TPM onto the motherboard, you must first “verify” the TPM for
the motherboard. This is done through the BIOS, which can also be used to
enable TXT support. You then will need to “lock” the TPM in the firmware. This
is done through the provision utility provided by Intel.
A. Enabling the TPM in the BIOS
-
Enter the BIOS setup screen. You may do this either from the IPMI remote console or from the server directly using KVM. Reboot the system, and press the
key as the system boots until you reach the BIOS screen. -
You will be presented with the BIOS Setup main screen. Using your arrow keys, navigate to the “Advanced” tab. From there, navigate down and select the “CPU Configuration” option. Press
. -
You will then be taken to the CPU Configuration page. Using your arrow keys, navigate down to the “Intel Virtualization Technology” option, as shown below, and press
. If this item is not already enabled, select Enable and press . 
-
Once you have enabled virtualization support, press your
key until you are back to the “Advanced” tab. Navigate down to the “Trusted Computing” option and press .The Trusted Computing window will appear.
Note: By default, “SHA-1 PCR Bank” and “SHA-256 PCR Bank” are Enabled.
-
Disable “PH Randomization” and “TXT Support” only. Using the arrow keys, select each option, press the
key to select Disabled, and press the key again. -
Press the
key to bring you back to the “Advanced” tab options. Use the arrow keys to toggle to the “Save & Exit” tab. 
-
Use the arrow keys to select “Save Changes”. Press the
key.
B. Provisioning Intel TXT (Server)
Next, you will need to provision Intel TXT in the UEFI shell.
Note: If the TPM part number is AOM-TPM-9670V-S or AOM-TPM-9670HS, you do
not need to get the Intel® Provisioning Tool. Please go ahead and enable the
Intel TXT feature in the BIOS.
-
Select “UEFI: Built-in EFI Shell” in the BIOS. The system will boot into the Unified Extensible Firmware Interface (UEFI) with a list of available USB devices.
-
Each USB device has its own code. Type the code for the USB device that you want to use into the command line at the bottom of the screen. and press the
key.
Note: The device used for the purposes of this user guide had a code of fs0. Replace this code with the code that corresponds to your device. -
In the command line at the bottom of the screen, follow these steps below after typing “FS0”.
-
After the provisioning process has been completed, you will need to go back into the BIOS and enable “TXT Support”. To do this, type “exit” in the command line at the bottom of the screen and press the
key. 
C. Enabling TXT Support
The last step is enabling TXT Support in the BIOS and UEFI shell.
- Go back to the “Advanced” tab in the BIOS and enable Platform Hierarchy, Storage Hierarchy, Endorsement Hierarchy, PH Randomization, and TXT Support.
- Go back to the “Save & Exit” tab and select “UEFI: Built-in EFI Shell” in the BIOS. When the confirmation window appears, select
. 
- After Enabling TXT Support in the BIOS, you will need to run TXT in the UEFI shell. In the Command line at the bottom of the page, type “get- sec64_v2.0.11.efi -l sen -a” and press the
key. TXT support is now enabled. 
- To Exit from the TXT Environment, type “getsec64_v2.0.11.efi -l sexit” in the command line at the bottom of the screen and press the
key.
2.3 An Important Note to the User
The graphics shown in this user’s guide were based on the latest information
available at the time of publishing of this guide. The TPM screens shown on
your computer may or may not look exactly like the screen shown in this user’s
guide.
For any further assistance, please refer to our website for details.
(Disclaimer Continued)
The products sold by Supermicro are not intended for and will not be used in
life support systems, medical equipment, nuclear facilities or systems,
aircraft, aircraft devices, aircraft/emergency communication devices or other
critical systems whose failure to perform be reasonably expected to result in
significant injury or loss of life or catastrophic property damage.
Accordingly, Supermicro disclaims any and all liability, and should buyer use
or sell such products for use in such ultra-hazardous applications, it does so
entirely at its own risk. Furthermore, buyer agrees to fully indemnify, defend
and hold Supermicro harmless for and against any and all claims, demands,
actions, litigation, and proceedings of any kind arising out of or related to
such ultra-hazardous use or sale.
Downloaded from Arrow.com.