Security Enablement#
In today’s rapidly evolving transportation landscape, Edge AI is transforming how we manage traffic and enhance road safety. However, these advancements come with significant AI cybersecurity with AI systems managing critical transportation infrastructure and acting on a vast amount of cities data. There is increased focus on cybersecurity regulations to protect against potential vulnerabilities and attacks, especially with Agentic AI making lot of autonomous decision. Intel platforms, equipped with built-in security features, offer robust solutions to address these concerns, ensuring data privacy, infrastructure protection, and secure AI processing.
This tutorial provides steps and guidance to enable Intel buildt-in security features with the smart intersection application to ensure
Comprehensive Data Privacy: Protect sensitive personal data with strong encryption protocols and blockchain technology, ensuring secure transactions and compliance with regulations.
Infrastructure Protection: Safeguard your critical infrastructure with regular firmware updates and advanced threat detection systems, mitigating vulnerabilities in distributed edge devices.
Secure AI Processing: Leverage privacy-by-design principles and hardware-level security features to prevent AI model manipulation and ensure secure, compliant AI operations.
This guide covers security enablement for the Smart Intersection application, including:
dTPM (Discrete Trusted Platform Module)
FDE (Full Disk Encryption)
UEFI Secure Boot
TME (Total Memory Encryption)
Trusted Compute deployment for isolated video analytics
These security features protect the Smart Intersection system from unauthorized access and ensure data integrity for traffic monitoring and analysis.
1. Enabling dTPM for Smart Intersection Security#
Prerequisites:
dTPM module must be physically connected to the PTL Board
Recommended: Infineon TPM (Xenon_4.1.0) for optimal Smart Intersection compatibility
Step 1: Download Required Components
Download IFWI Firmware
Navigate to: IFWI Firmware Download Location
Download the IFWI file
You need to sign in to intel.com to get the access.
Extract the zip file.
Locate the binary file(*.bin) file according to your platform (e.g.,
858133_ptl-h-refbios_releasepackage\858133_ptl-h-refbios3332_52releasepackage\IFWI\CRB\ECG_PTL_PR04_XXXX-XXXODCA_RPRF_SEP5_11E50692_2025WW34.4.02_BI333252_CRB.bin)
Navigate to: MFIT Download Location
Download “Intel_CSME_SW_PTL_2540.8.40.0_Consumer_Corporate.zip” under “Intel_CSME_SW_PTL_2540.8.40.0_Consumer_Corporate”
Extract the downloaded zip file
“mfi.exe” will be located under “Intel_Silicon_FW_Kit_PTL-H12Xe_ES1_ES2_2025WW41.2.02\Tools\System_Tools\MFIT\Windows64”
Step 2: Configure IFWI with dTPM Support
Launch MFIT Tool: Execute
mfit.exeand wait for the application to fully load.Decompose Original IFWI:
Click the “Decompose Image” button
Select the downloaded IFWI file from the extracted directory
Wait for the decomposition process to complete modul
Enable dTPM Configuration & Build Image:
Navigate to “Platform Protection Features” section
Locate “TPM Technologies” subsection
From the available TPM options, select “dTPM”
Click “Build Image” to generate the new firmware image
The tool will create a new IFWI file named
image.binin the same directoryVerify the
image.binfile has been successfully created
Step 3: Flash the Modified IFWI
Important: Power OFF the PTL board before flashing
Prepare Flashing Environment:
Ensure the PTL board is properly connected to the flashing hardware
Verify DediProg or TTK3 is correctly configured and recognized
Flash the New IFWI:
Using your preferred flashing tool (DediProg or TTK3), load the newly generated
image.binfileInitiate the flashing process
Monitor the flashing progress for any errors
Power cycle the PTL board after successful flashing
Verify dTPM Functionality:
Check that dTPM functionality is enabled in the system BIOS/UEFI
Confirm dTPM is properly detected by the operating system
2. Enabling UEFI Secure Boot for Smart Intersection#
UEFI Secure Boot establishes a chain of trust from firmware to OS, cryptographically verifying the signature and hash of all boot components before passing control to the operating system. This ensures the Smart Intersection application runs on a verified, secure platform.
Ubuntu LTS official releases are signed by Canonical, and Canonical’s certificate is pre-enrolled in the MOK (Machine Owner Key) database.
Step 1: Install Required Tools
sudo apt update
sudo apt upgrade
sudo apt-get install -y openssl mokutil sbsigntool
Step 2: Verify Kernel Signature
sudo sbverify --list /boot/vmlinuz-<kernel_version>-generic
Step 3: Verify Certificate Enrollment
mokutil --list-enrolled
Step 4: Install Signed Shim Binary
Most UEFI firmware has Microsoft keys enrolled by default. To verify GRUB and Linux kernel signed by Canonical, install the signed shim binary. Shim is a small bootloader signed by Microsoft that bridges the gap between firmware and Linux GRUB, maintaining the chain of trust.
sudo apt-get install sbsigntool openssl grub-efi-amd64-signed shim-signed
sudo grub-install --uefi-secure-boot
Step 5: Configure Secure Boot
Reboot the platform and enter the UEFI GUI menu
Verify that Secure Boot is initially disabled
Confirm the shim binary can boot to OS
Step 6: Enroll Microsoft Certificates
Get the Secure Boot Microsoft keys and certificates:
git clone https://git.launchpad.net/qa-regression-testing
Enroll the certificates (type ‘y’ when prompted):
cd qa-regression-testing/notes_testing/secure-boot
cp -rf * /tmp
sudo /tmp/sb-setup enroll microsoft
Note: If enrollment errors occur, reboot the platform, boot using
fs0:/efi/ubuntu/shimx64.efi, and rerun the enroll command.
Step 7: Enable and Verify Secure Boot
Reboot the platform and enter the BIOS menu
Verify that Secure Boot is now enabled
Boot using
fs0:/efi/ubuntu/shimx64.efiCheck the Secure Boot status after booting to Ubuntu:
mokutil --sb-state
TPM Clear Operation#
TPM clear removes all stored keys, certificates, and ownership data from the Trusted Platform Module, resetting it to factory defaults. This is useful when setting up security for a new Smart Intersection deployment.
Enter the boot manager menu
Choose the TCG2 configuration
Clear the TPM
3. Ubuntu Installation with Full Disk Encryption#
Full Disk Encryption (FDE) protects Smart Intersection application data and configurations by encrypting the entire disk. This ensures that sensitive traffic analysis data and system configurations remain secure even if the hardware is compromised.
Once FDE is enabled, the encrypted disk can only be accessed with the security key configured during installation.
Step 1: Prepare Ubuntu Installation Media
Download the official Ubuntu 24.04.2 LTS release from the Ubuntu website
Create a bootable Ubuntu USB drive
Enter the boot manager menu and select the bootable USB with Ubuntu 24.04.2
Step 2: Begin Ubuntu Installation
Boot from the bootable USB and select “Try or Install Ubuntu”.
Step 3: Configure Basic Settings
Configure language, accessibility options, keyboard layout, and other basic settings. Optionally connect to wired internet if available.
Step 4: Select Installation Type
Select “Install Ubuntu” option.
Step 5: Choose Installation Mode
Select “Interactive Installation” for full control over security settings.
Step 6: Configure Applications
In the Applications page, select “Default selection”. If you made a wired connection earlier, select both checkboxes.
Step 7: Enable Disk Encryption
In the Disk setup page:
Select “Erase disk and install Ubuntu”
Click the “Advanced features” button to access encryption options
Step 8: Choose Encryption Method
There are two FDE methods available. Choose based on your Smart Intersection security requirements:
Method 1: Software-based Encryption
Select “Use LVM and encryption”
This encrypts your entire drive using LVM
Requires a strong passphrase that you’ll enter at boot time to decrypt and access your system
Method 2: Hardware-backed Full Disk Encryption
Uses dedicated security chips (TPM or Secure Enclave) to store encryption keys
Provides stronger protection than software-only encryption
Note: To enable this option, you must first enable Secure Boot in BIOS/UEFI settings and clear/reset the TPM module
If Hardware-backed full disk encryption is enabled, you can skip Steps 9 and 12 as the TPM chip will automatically handle key management and drive decryption.
TPM Recovery Key: Use the following command to show TPM recovery keys:
sudo snap recovery --show-keys
Step 9: Create Security Key (Software-based Encryption Only)
Create a Security Key that will be required to decrypt the Ubuntu drive before accessing the Smart Intersection application.
Step 10: Complete Installation Configuration
Complete the installation by configuring:
Username and password
Timezone settings
Review your choices before proceeding
Step 11: Finalize Installation
Complete the installation process
Restart the PC when prompted
Remove the bootable drive when instructed after restart
Step 12: First Boot with Encryption (Software-based Encryption Only)
Enter your Security Key from Step 9 as the encryption password to unlock the disk
The Ubuntu login screen will appear
Ubuntu installation with FDE is now completed and ready for Smart Intersection deployment
4. TME (Total Memory Encryption) Enablement#
Intel TME encrypts the computer’s entire memory with a single transient key. All memory data passing to and from the CPU is encrypted, including sensitive Smart Intersection data such as traffic analysis algorithms, detection models, credentials, encryption keys, and other proprietary information.
Step 1: Check TME Support
First, verify if TME is supported on the Intel platform. Read bits 35:32 of MSR 0x981. If this value is non-zero, TME is supported.
Step 2: Enable TME in BIOS
Enter BIOS menu by pressing ‘F2’ while booting the platform
Navigate to: Intel Advanced Menu → CPU Configuration → Total Memory Encryption
Set to Enabled
Save changes (F4) and reboot
Step 3: Verify TME Enablement
Check if TME is enabled by reading bit 1 of MSR 0x982. If TME is enabled, the value returned will be 1 as shown.
Step 4: Alternative Verification Using Kernel Logs
You can also use the dmesg kernel log to check TME enablement status:
dmesg | grep -i tme
5. Trusted Compute Smart City Intersection#
The Smart Intersection is a sample application that unifies the analytics of a traffic intersection using Trusted Compute technology. Deep Learning Streamer Pipeline Server (DL Streamer Pipeline Server) utilizes a pre-trained object detection model to generate object detection metadata and a local NTP server for synchronized timestamps. This metadata is published to the MQTT broker. This example demonstrates the deployment of the DL Streamer Pipeline Server in a TC environment, facilitating the isolation of video analytics pipelines.
Prerequisites#
Trusted Compute must be installed and running
K3s (Kubernetes) installed on the system
Helm package manager installed
Step 1: Install Required Tools#
Install K3s if not already available:
# Install K3s
curl -sfL https://get.k3s.io | sh -
# Verify K3s Installation
sudo systemctl status k3s
# Wait a moment for K3s to fully start, then check nodes
sudo k3s kubectl get nodes
# Set up Kubeconfig
mkdir -p ~/.kube
sudo cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
sudo chown $USER:$USER ~/.kube/config
chmod 600 ~/.kube/config
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
echo 'export KUBECONFIG=/etc/rancher/k3s/k3s.yaml' >> ~/.bashrc
source ~/.bashrc
Install Helm:
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod +x get_helm.sh
# Execute the script to install Helm
./get_helm.sh
# Verify the installation
helm version
Step 2: Clone the Repository#
Clone and navigate to the Smart Intersection Helm repository:
# Clone the repository
git clone https://github.com/open-edge-platform/edge-ai-suites.git
# Navigate to the Metro AI Suite directory
cd edge-ai-suites/metro-ai-suite/metro-vision-ai-app-recipe/
Step 3: Replace the Deployment YAML#
Inside the smart-intersection/chart/templates/dlstreamer-pipeline-server/ directory, replace the deployment.yaml with the YAML file available here
# Navigate to the templates directory
cd smart-intersection/chart/templates/dlstreamer-pipeline-server/
# Replace the deployment file with your custom version
# Copy the custom deployment.yaml to this location
# Update the WEBRTC_SIGNALING_SERVER configuration
# In configmap.yaml, change:
# WEBRTC_SIGNALING_SERVER: "ws://localhost:8443"
# to:
# WEBRTC_SIGNALING_SERVER: "ws://<Host_IP>:8443"
# Where <Host_IP> is the Host IP of the machine where the application is running
Step 4: Configure Resource Allocation#
Configure resource allocation to allocate CPU cores and memory. You can adjust the resource requirements according to your specific needs by modifying the resource specifications in the deployment YAML file.
Step 5: Deploy the Helm Chart#
Follow the steps mentioned in the official documentation to run the Helm chart:
Step 6: Verify DL Streamer Launch#
1. Verify the DL Streamer Launch in TC
To confirm that the DL Streamer has successfully launched in the Trusted Compute environment, check if the virtual machine associated with it is running:
ps aux | grep qemu
If DL Streamer is running correctly, you should see a process entry for the corresponding QEMU instance. This entry typically includes:
The command used to launch the VM
The amount of CPU/memory it is using
The process ID (PID) of the VM
2. Check DL Streamer Logs
To monitor the DL Streamer and see the total frames per second (FPS) count, postdecode timestamp, check the logs of the DL Streamer pod:
kubectl logs <dl-streamer-deployment-name> -n smart-intersection
This trusted compute implementation adds an additional layer of security by isolating video analytics pipelines within secure virtual machines, ensuring that sensitive traffic analysis operations are protected from potential threats.
Summary#
By leveraging Intel’s cutting-edge security solutions, transportation systems can fully harness the potential of Edge AI and Agentic AI while safeguarding against potential threats. This paves the way for smarter, safer cities, where AI-driven threat detection and digital twins for cybersecurity scenarios continue to evolve. Trust Intel to provide the security technologies needed to meet the demands of modern urban environments, with affordable and secure AI and protect your transportation infrastructure.
With these security features enabled, your Smart Intersection application will benefit from:
dTPM: Hardware-based cryptographic operations and secure key storage
UEFI Secure Boot: Verified boot chain ensuring system integrity
Full Disk Encryption: Protection of traffic analysis data and system configurations
Total Memory Encryption: Runtime protection of sensitive algorithms and detection models
Trusted Compute: Isolated execution environment for video analytics pipelines with enhanced security
This comprehensive security implementation ensures that your Smart Intersection system can safely process traffic data, store sensitive configurations, and operate in trusted environments with multiple layers of protection.