No description, website, or topics provided.
Switch branches/tags
Nothing to show
Clone or download

Intel (R) SA-00086-Recovery-Tool For Linux* OS


This utility is intended for re-provisioning of the platform keys AFTER applying the Intel (R) ME/ TXE firmware update in response to security advisory SA-00086. More information on the Intel (R) ME/ TXE update and security advisory can be found at At the link above there is also an INTEL-SA-00086 Detection Tool that assists in discovering the platform vulnerability status described in INTEL-SA-00086. Please refer the link for a full list of affected platforms.


  1. Ensure Intel (R) PTT is enabled in BIOS.
  2. Ensure TPM CRB kernel driver is enabled on your Linux. You can check if the device exists with "ls /dev/tpm*"
  3. Intel (R) MEI driver needs to be installed on the system. You can check this with "ls /dev/mei*""
  4. Following dependencies need to be installed (names may vary per your Linux distribution). rpm, libcurl4-openssl-dev, libglib2.0-dev, libssl-dev, libdbus-1-dev
  5. Run "" script as "sudo" to install support packages tpm2-tss & tpm2-abrmd.
    • tpm2-tss & tpm2-abrmd versions packaged here are tested with the flow.
    • When installing tpm2-abrmd you can change the dbus-policy and udev-rules dir per your distribution when configuring the installation.
  6. If the dependency packages were installed appropriately, the should:
    • Compile the Intel-SA-00086-Recovery-Utility ELF.
    • Indicate the appropriate icls package versions ( i386/ x86_64 ) to install from the packages directory.
  7. Prior to installing the icls client libraries you can verify the rpm signatures To do this import the public key to verify the signature from packages/iCLS dir "rpm --import tcs-linux-pgp-public.key" To verify the package: "rpm -K iclsClient.rpm"
  8. Install iCLS client libraries from the Packages folder. Instructions based on the package manager
    • rpm --> "rpm -i -nodeps iclsClient.rpm"
    • alien --> "alien -i -nodeps –-script iclsClient.rpm"
    • yum --> "yum install iclsClient.rpm"
  9. Please make sure system wide proxy has been setup and the platform is connected.
  10. After installing above dependencies a reboot is needed.

Instructions to run the Intel (R) SA-00086-Recovery-Tool For Linux* OS:

  1. Please run the TPM access broker and resource manager daemon "sudo -u tss tpm2-abrmd --tcti=device &"
  2. Run the Intel-SA-00086-Recovery-Tool to launch the provisioning bash script.
  3. If you have received the necessary Intel (R) ME/ TXE firmware update then:
    • You must see the message "EPS generated by Intel (R) PTT"
    • At this point the recovery application should re-provision the keys.
    • After successful recovery, An NV Index for Intel (R) PTT Endorsement Key certificate is created and a copy of it is read to the file system path indicated in the Intel-SA-00086-Recovery-Tool bash script.
  4. OR,If you have not received the necessary Intel (R) ME/ TXE firmware update then:
    • You must see the message "EPS is generated by Manufacturer"
    • At this point the platform does not trigger the recovery process.
    • The recovery tool instead tries to retrieve the Intel (R) PTT Endorsement Key certificate through non recovery process.

NOTE: Affected platform MUST receive the Intel (R) ME/ TXE firmware update to fully mitigate the issue.