Intel (R) SA-00086-Recovery-Tool For Linux* OS
This utility is intended for re-provisioning of the platform keys AFTER applying the Intel (R) ME/ TXE firmware update in response to security advisory SA-00086. More information on the Intel (R) ME/ TXE update and security advisory can be found at https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr. At the link above there is also an INTEL-SA-00086 Detection Tool that assists in discovering the platform vulnerability status described in INTEL-SA-00086. Please refer to the link for a full list of affected platforms.
- Ensure Intel (R) PTT is enabled in BIOS.
- Ensure the TPM CRB kernel driver is enabled on your Linux system. You can check if the device exists with "ls /dev/tpm*"
- The Intel (R) MEI driver needs to be installed on the system. You can check this with "ls /dev/mei*"
- The following dependencies need to be installed (names may vary per your Linux distribution): rpm, libcurl4-openssl-dev, libglib2.0-dev, libssl-dev, libdbus-1-dev
- Run the "build.sh" script as "sudo" to install the support packages tpm2-tss & tpm2-abrmd.
- The tpm2-tss & tpm2-abrmd versions packaged here are tested with the flow.
- When installing tpm2-abrmd you can change the dbus-policy and udev-rules dir per your distribution when configuring the installation.
- If the dependency packages were installed appropriately, the build.sh should:
  - Compile the Intel-SA-00086-Recovery-Utility ELF.
  - Indicate the appropriate icls package versions (i386 / x86_64) to install from the packages directory.
- Prior to installing the icls client libraries you can verify the rpm signatures. To do this, import the public key used to verify the signature from the packages/iCLS dir with "rpm --import tcs-linux-pgp-public.key", then verify the package with "rpm -K iclsClient.rpm".
- Install iCLS client libraries from the Packages folder.
Instructions based on the package manager:
- rpm --> "rpm -i --nodeps iclsClient.rpm"
- alien --> "alien -i -nodeps --script iclsClient.rpm"
- yum --> "yum install iclsClient.rpm"
- Please make sure the system-wide proxy has been set up and the platform is connected.
- After installing the above dependencies, a reboot is needed.
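A preflight check for the prerequisites above, added here as an example and not part of Intel's package; the function names are hypothetical and the `rpm -K` result strings it matches are the ones rpm prints in the C locale. It treats a package whose `rpm -K` line reports only digests as unsigned, because that line still ends in "OK".

```shell
#!/bin/sh
# Added example, not part of Intel's package. Function names are hypothetical.

# True if at least one character device matches the glob (e.g. "/dev/tpm*").
has_chardev() {
    for node in $1; do              # unquoted on purpose: expand the glob
        [ -c "$node" ] && return 0
    done
    return 1
}

# Classify one line of `rpm -K` output (wording as printed in the C locale).
#   signed-ok  a signature was checked against an imported public key
#   unsigned   only digests were checked, which says nothing about origin
#   bad        digest or signature failure, missing key, or no output
rpmk_verdict() {
    result="${1#*: }"               # drop the "<file>: " prefix
    case "$result" in
        *"NOT OK"*)         echo bad ;;
        *"signatures OK"*)  echo signed-ok ;;   # rpm 4.14 and later
        *pgp*OK*|*gpg*OK*)  echo signed-ok ;;   # older rpm releases
        *OK*)               echo unsigned ;;
        *)                  echo bad ;;
    esac
}

# Run the checks for one package; returns non-zero if any of them fails.
preflight() {
    pkg="$1"; rc=0
    has_chardev "/dev/tpm*" || { echo "no /dev/tpm*: check PTT and the TPM CRB driver" >&2; rc=1; }
    has_chardev "/dev/mei*" || { echo "no /dev/mei*: check the MEI driver" >&2; rc=1; }
    out="$(LC_ALL=C rpm -K "$pkg" 2>/dev/null)"
    case "$(rpmk_verdict "$out")" in
        signed-ok) ;;
        unsigned)  echo "$pkg is unsigned, do not install it" >&2; rc=1 ;;
        *)         echo "$pkg failed verification: $out" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Usage: sh preflight.sh iclsClient.rpm   (after "rpm --import" of the public key)
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run it after importing tcs-linux-pgp-public.key; before the import, a correctly signed package is reported as failed because the key is missing.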
Instructions to run the Intel (R) SA-00086-Recovery-Tool For Linux* OS:
- Please run the TPM access broker and resource manager daemon "sudo -u tss tpm2-abrmd --tcti=device &"
- Run the Intel-SA-00086-Recovery-Tool to launch the provisioning bash script.
- If you have received the necessary Intel (R) ME/ TXE firmware update then:
  - You must see the message "EPS generated by Intel (R) PTT"
  - At this point the recovery application should re-provision the keys.
  - After successful recovery, an NV Index for the Intel (R) PTT Endorsement Key certificate is created and a copy of it is read to the file system path indicated in the Intel-SA-00086-Recovery-Tool bash script.
- OR, if you have not received the necessary Intel (R) ME/ TXE firmware update then:
  - You must see the message "EPS is generated by Manufacturer"
  - At this point the platform does not trigger the recovery process.
  - The recovery tool instead tries to retrieve the Intel (R) PTT Endorsement Key certificate through the non-recovery process.
NOTE: Affected platform MUST receive the Intel (R) ME/ TXE firmware update to fully mitigate the issue.