Home » Intel Manuals » Servers » Intel S1400FP » Manual Viewer

Intel S1400FP Intel Server Board S1400FP Technical Product Specification - Page 54

Trusted Platform Module (TPM) Support, 4.2.1 TPM security BIOS

Get Intel S1400FP PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 54 highlights

System Security Intel® Server Board S1400FP TPS In addition to restricting access to most Setup fields to viewing only when a User password is entered, defining a User password imposes restrictions on booting the system. In order to simply boot in the defined boot order, no password is required. However, the F6 Boot popup prompts for a password, and can only be used with the Administrator password. Also, when a User password is defined, it suppresses the USB Reordering that occurs, if enabled, when a new USB boot device is attached to the system. A User is restricted from booting in anything other than the Boot Order defined in the Setup by an Administrator. As a security measure, if a User or Administrator enters an incorrect password three times in a row during the boot sequence, the system is placed into a halt state. A system reset is required to exit out of the halt state. This feature makes it more difficult to guess or break a password. In addition, on the next successful reboot, the Error Manager displays a Major Error code 0048, which also logs a SEL event to alert the authorized user or administrator that a password access failure has occurred 4.2 Trusted Platform Module (TPM) Support Trusted Platform Module (TPM) option is a hardware-based security device that addresses the growing concern on boot process integrity and offers better data protection. TPM protects the system start-up process by ensuring it is tamper-free before releasing system control to the operating system. A TPM device provides secured storage to store data, such as security keys and passwords. In addition, a TPM device has encryption and hash functions. The server board implements TPM as per TPM PC Client Specifications, revision 1.2, by the Trusted Computing Group (TCG). A TPM device is optionally installed onto a high density 14-pin connector labeled "TPM" and is secured from external software attacks and physical theft. A pre-boot environment, such as the BIOS and operating system loader, uses the TPM to collect and store unique measurements from multiple factors within the boot process to create a system fingerprint. This unique fingerprint remains the same unless the pre-boot environment is tampered with. Therefore, it is used to compare to future measurements to verify the integrity of the boot process. After the system BIOS completes the measurement of its boot process, it hands off control to the operating system loader and in turn to the operating system. If the operating system is TPMenabled, it compares the BIOS TPM measurements to those of previous boots to make sure the system was not tampered with before continuing the operating system boot process. Once the operating system is in operation, it optionally uses TPM to provide additional system and data security (for example, Microsoft Vista* supports Bitlocker drive encryption). 4.2.1 TPM security BIOS The BIOS TPM support conforms to the TPM PC Client Specific - Implementation Specification for Conventional BIOS, version 1.2, and to the TPM Interface Specification, version 1.2. The BIOS adheres to the Microsoft Vista* BitLocker requirement. The role of the BIOS for TPM security includes the following:  Measures and stores the boot process in the TPM microcontroller to allow a TPM enabled operating system to verify system boot integrity. 42 Revision 1.0 Intel order number G64246-001

Section	Page
1. Introduction	13
1.1 Chapter Outline	13
1.2 Server Board Use Disclaimer	13
2. Overview	14
2.1 Intel® Server Boards S1400FP Feature Set	14
2.2 Server Board Layout	16
2.2.1 Server Board Connector and Component Layout	16
2.2.2 Server Board Mechanical Drawings	19
2.2.3 Server Board Rear I/O Layout	25
3. Functional Architecture	27
3.1 Processor Support	28
3.1.1 Processor Socket Assembly	28
3.2 Processor Function Overview	28
3.2.1 Intel® QuickPath Interconnect	29
3.2.2 Integrated Memory Controller (IMC) and Memory Subsystem	30
3.2.2.1 Supported Memory	31
3.2.2.2 Memory population rules	32
3.2.2.3 Publishing System Memory	34
3.2.2.4 RAS Features	34
3.2.2.4.1 Independent Channel Mode	35
3.2.2.4.2 Rank Sparing Mode	35
3.2.2.4.3 Mirrored Channel Mode	36
3.2.2.4.4 Lockstep Channel Mode	36
3.2.2.5 Single Device Data Correction (SDDC)	37
3.2.2.6 Error Correction Code (ECC) Memory	37
3.2.2.6.1 Correctable Memory ECC Error Handling	37
3.2.2.6.2 Uncorrectable Memory ECC Error Handling	38
3.2.2.7 Demand Scrubbing for ECC Memory	38
3.2.2.8 Patrol Scrubbing for ECC Memory	38
3.2.3 Processor Integrated I/O Module (IIO)	38
3.2.3.1 Network Interface	40
3.3 Intel® C602 (-A) Chipset Functional Overview	40
3.3.1 Digital Media Interface (DMI)	41
3.3.2 PCI Express* Interface	41
3.3.3 Serial ATA (SATA) Controller	42
3.3.4 AHCI	42
3.3.5 Rapid Storage Technology	42
3.3.6 PCI Interface	42
3.3.7 Low Pin Count (LPC) Interface	42
3.3.8 Serial Peripheral Interface (SPI)	42
3.3.9 Compatibility Modules (DMA Controller, Timer/Counters, Interrupt Controller)	43
3.3.10 Advanced Programmable Interrupt Controller (APIC)	43
3.3.11 Universal Serial Bus (USB) Controller	43
3.3.12 Gigabit Ethernet Controller	43
3.3.13 RTC	44
3.3.14 GPIO	44
3.3.15 Enhanced Power Management	44
3.3.16 Manageability	44
3.3.17 System Management Bus (SMBus* 2.0)	45
3.3.18 Intel® Active Management Technology (Intel® AMT)	45
3.3.19 Integrated NVSRAM Controller	45
3.3.20 Intel® Virtualization Technology for Direct I/O (Intel® VT-d)	45
3.3.21 JTAG Boundary-Scan	45
3.3.22 KVM/Serial Over LAN (SOL) Function	46
3.3.23 On-board Serial Attached SCSI (SAS)/Serial ATA (SATA) Support and Options	46
3.3.23.1 Intel® Embedded Server RAID Technology 2 (ESRT2)	47
3.3.23.2 Intel® Rapid Storage Technology (RSTe)	48
3.4 Integrated Baseboard Management Controller (BMC) Overview	48
3.4.1 Super I/O Controller	49
3.4.1.1 Keyboard and Mouse Support	50
3.4.1.2 Wake-up Control	50
3.4.2 Graphics Controller and Video Support	50
3.4.3 Baseboard Management Controller	51
3.4.3.1 Remote Keyboard, Video, Mouse, and Stoerage (KVMS) Support	51
3.4.3.2 Integrated BMC Embedded LAN Channel	52
4. System Security	53
4.1 BIOS Password Protection	53
4.2 Trusted Platform Module (TPM) Support	54
4.2.1 TPM security BIOS	54
4.2.2 Physical Presence	55
4.2.3 TPM Security Setup Options	55
4.2.3.1 Security Screen	56
4.3 Intel® Trusted Execution Technology	57
5. Technology Support	59
5.1 Intel® Trusted Execution Technology	59
5.2 Intel® Virtualization Technology – Intel® VT-x/VT-d/VT-c	59
5.3 Intel® Intelligent Power Node Manager	60
5.3.1 Hardware Requirements	61
6. Platform Management Functional Overview	62
6.1 Baseboard Management Controller (BMC) Firmware Feature Support	62
6.1.1 IPMI 2.0 Features	62
Non IPMI Features	63
6.1.2 New Manageability Features	64
6.2 Basic and Advanced Features	65
6.3 Integrated BMC Hardware: Emulex* Pilot III	66
6.3.1 Emulex* Pilot III Baseboard Management Controller Functionality	66
6.4 Advanced Configuration and Power Interface (ACPI)	67
6.5 Power Control Sources	67
6.6 BMC Watchdog	68
6.7 Fault Resilient Booting (FRB)	68
6.8 Sensor Monitoring	69
6.9 Field Replaceable Unit (FRU) Inventory Device	69
6.10 System Event Log (SEL)	70
6.11 System Fan Management	70
6.11.1 Thermal and Acoustic Management	70
6.11.2 Setting Throttling Mode	71
6.11.3 Altitude	71
6.11.4 Set Fan Profile	71
6.11.5 Fan PWM Offset	71
6.11.6 Quiet Fan Idle Mode	71
6.11.7 Fan Profiles	72
6.11.8 Thermal Sensor Input to Fan Speed Control	72
6.11.9 Memory Thermal Throttling	74
6.12 Messaging Interfaces	74
6.12.1 User Model	75
6.12.2 IPMB Communication Interface	75
6.12.3 LAN Interface	75
6.12.3.1 RMCP/ASF Messaging	76
6.12.3.2 BMC LAN Channels	76
6.12.3.2.1 Baseboard NICs	76
6.12.3.2.2 Dedicated Management Channel	76
6.12.3.2.3 Concurrent Server Management Use of Multiple Ethernet Controllers	77
6.12.3.3 IPV6 Support	78
6.12.3.4 LAN Failover	78
6.12.3.5 BMC IP Address Configuration	79
6.12.3.5.1 Static IP Address (IP Address Source Values 0h, 1h, and 3h)	79
6.12.3.5.2 Static LAN Configuration Parameters	79
6.12.3.5.3 Enabling/Disabling Dynamic Host Configuration (DHCP) Protocol	80
6.12.3.5.4 DHCP-related LAN Configuration Parameters	80
6.12.3.6 DHCP BMC Hostname	81
6.12.4 Address Resolution Protocol (ARP)	81
6.12.5 Internet Control Message Protocol (ICMP)	81
6.12.6 Virtual Local Area Network (VLAN)	82
6.12.7 Secure Shell (SSH)	82
6.12.8 Serial-over-LAN (SOL 2.0)	82
6.12.9 Platform Event Filter (PEF)	83
6.12.10 LAN Alerting	83
6.12.10.1 SNMP Platform Event Traps (PETs)	84
6.12.11 Alert Policy Table	84
6.12.11.1 E-mail Alerting	84
6.12.12 SM-CLP (SM-CLP Lite)	84
6.12.13 Embedded Web Server	85
6.12.14 Virtual Front Panel	86
6.12.15 Embedded Platform Debug	87
6.12.15.1 Output Data Format	88
6.12.15.2 Output Data Availability	88
6.12.15.3 Output Data Categories	88
6.12.16 Data Center Management Interface (DCMI)	89
6.12.17 Lightweight Directory Authentication Protocol (LDAP)	89
7. Advanced Management Feature Support (RMM4)	90
7.1 Keyboard, Video, Mouse (KVM) Redirection	91
7.1.1 Remote Console	92
7.1.2 Performance	92
7.1.3 Security	93
7.1.4 Availability	93
7.1.5 Usage	93
7.1.6 Force-enter BIOS Setup	93
7.2 Media Redirection	93
7.2.1 Availability	94
7.2.2 Network Port Usage	94
8. On-board Connector/Header Overview	95
8.1 Board Connector Information	95
8.2 Power Connectors	96
8.3 System Management Headers	97
8.3.1 Intel® Remote Management Module 4 Connector	97
8.3.2 TPM connector	98
8.3.3 Intel® RAID C600 Upgrade Key Connector	98
8.3.4 Local Control Panel Header	98
8.3.5 HSBP_I2C Header	98
8.3.6 HDD LED Header	98
8.3.7 Chassis Intrusion Header	99
8.3.8 SATA SGPIO Header	99
8.3.9 SAS SGPIO Header	99
8.3.10 IPMB Connector	99
8.4 Front Panel Connector	99
8.4.1 Power / Sleep Button and LED Support	100
8.4.2 System ID Button and LED Support	100
8.4.3 System Reset Button Support	100
8.4.4 NMI Button Support	101
8.4.5 NIC Activity LED Support	101
8.4.6 Hard Drive Activity LED Support	101
8.4.7 System Status LED Support	101
8.5 I/O Connectors	101
8.5.1 VGA Connector	101
8.5.2 SATA and SAS Connectors	102
8.5.3 Serial Port Connectors	102
8.5.4 USB Connector	103
8.6 Fan Headers	104
9. Jumper Blocks	105
9.1 BIOS Recovery Jumper	106
9.2 Management Engine (ME) Firmware Force Update Jumper Block	107
9.3 Password Clear Jumper Block	107
9.4 BIOS Default Jumper Block	108
9.5 BMC Force Update Jumper Block	108
10. Intel® Light Guided Diagnostics	109
10.1 System ID LED	109
10.2 System Status LED	110
10.3 BMC Boot/Reset Status LED Indicators	111
10.4 Post Code Diagnostic LEDs	112
10.5 5 Volt Stand-By Present LED	112
10.6 Fan Fault LEDs	112
10.7 Memory Fault LEDs	112
11. Environmental Limits Specification	113
11.1 Processor Thermal Design Power (TDP) Support	113
11.2 MTBF	114
12. Server Board Power Distribution	115
12.1 DC Output Specification	115
12.1.1 Output Power/Currents	115
12.1.2 Cross Loading	116
12.1.3 Standby Output	116
12.1.4 Voltage Regulation	116
12.1.5 Dynamic Loading	117
12.1.6 Capacitive Loading	117
12.1.7 Grounding	117
12.1.8 Residual Volatge Immunity in Standy mode	117
12.1.9 Common Mode Noise	118
12.1.10 Ripple/Noise	118
12.1.11 Timing Requirements	118
Appendix A: Integration and Usage Tips	121
Appendix B: Integrated BMC Sensor Tables	122
Appendix C: POST Code Diagnostic LED Decoder	146
Appendix D: POST Code Errors	151
Appendix E: Supported Intel® Server Chassis	157
Glossary	158

Match case Limit results 1 per page

System Security

Intel® Server Board S1400FP TPS

Revision 1.0

Intel order number G64246-001

In addition to restricting access to most Setup fields to viewing only when a User password is

entered, defining a User password imposes restrictions on booting the system. In order to

simply boot in the defined boot order, no password is required. However, the F6 Boot popup

prompts for a password, and can only be used with the Administrator password. Also, when a

User password is defined, it suppresses the USB Reordering that occurs, if enabled, when a

new USB boot device is attached to the system. A User is restricted from booting in anything

other than the Boot Order defined in the Setup by an Administrator.

As a security measure, if a User or Administrator enters an incorrect password three times in a

row during the boot sequence, the system is placed into a halt state. A system reset is required

to exit out of the halt state. This feature makes it more difficult to guess or break a password.

In addition, on the next successful reboot, the Error Manager displays a Major Error code 0048,

which also logs a SEL event to alert the authorized user or administrator that a password

access failure has occurred

4.2

Trusted Platform Module (TPM) Support

Trusted Platform Module (TPM) option is a hardware-based security device that addresses the

growing concern on boot process integrity and offers better data protection. TPM protects the

system start-up process by ensuring it is tamper-free before releasing system control to the

operating system. A TPM device provides secured storage to store data, such as security keys

and passwords. In addition, a TPM device has encryption and hash functions. The server board

implements TPM as per

TPM PC Client Specifications

, revision 1.2, by the Trusted Computing

Group (TCG).

A TPM device is optionally installed onto a high density 14-pin connector labeled “TPM” and is

secured from external software attacks and physical theft. A pre-boot environment, such as the

BIOS and operating system loader, uses the TPM to collect and store unique measurements

from multiple factors within the boot process to create a system fingerprint. This unique

fingerprint remains the same unless the pre-boot environment is tampered with. Therefore, it is

used to compare to future measurements to verify the integrity of the boot process.

After the system BIOS completes the measurement of its boot process, it hands off control to

the operating system loader and in turn to the operating system. If the operating system is TPM-

enabled, it compares the BIOS TPM measurements to those of previous boots to make sure the

system was not tampered with before continuing the operating system boot process. Once the

operating system is in operation, it optionally uses TPM to provide additional system and data

security (for example, Microsoft Vista* supports Bitlocker drive encryption).

4.2.1

TPM security BIOS

The BIOS TPM support conforms to the

TPM PC Client Specific – Implementation Specification

for Conventional BIOS, version 1.2, and to the

TPM Interface Specification

, version 1.2. The

BIOS adheres to the Microsoft Vista* BitLocker requirement. The role of the BIOS for TPM

security includes the following:



Measures and stores the boot process in the TPM microcontroller to allow a TPM

enabled operating system to verify system boot integrity.