Security Enablement#
This guide covers security enablement for the Smart Intersection application, including:
dTPM (Discrete Trusted Platform Module)
FDE (Full Disk Encryption)
UEFI Secure Boot
TME (Total Memory Encryption)
These security features protect the Smart Intersection system from unauthorized access and ensure data integrity for traffic monitoring and analysis.
1. Enabling dTPM for Smart Intersection Security#
Prerequisites:
dTPM module must be physically connected to the PTL Board
Recommended: Infineon TPM (Xenon_4.1.0) for optimal Smart Intersection compatibility
Step 1: Download Required Components
Download IFWI Firmware
-
Download the IFWI file
You need to sign in to intel.com to get the access.
Extract the zip file.
Locate the binary file(*.bin) file according to your platform (e.g.,
858133_ptl-h-refbios_releasepackage\858133_ptl-h-refbios3332_52releasepackage\IFWI\CRB\ECG_PTL_PR04_XXXX-XXXODCA_RPRF_SEP5_11E50692_2025WW34.4.02_BI333252_CRB.bin)
-
Download “Intel_CSME_SW_PTL_2540.8.40.0_Consumer_Corporate.zip” under “Intel_CSME_SW_PTL_2540.8.40.0_Consumer_Corporate”
Extract the downloaded zip file
“mfi.exe” will be located under “Intel_Silicon_FW_Kit_PTL-H12Xe_ES1_ES2_2025WW41.2.02\Tools\System_Tools\MFIT\Windows64”
Step 2: Configure IFWI with dTPM Support
Launch MFIT Tool: Execute
mfit.exeand wait for the application to fully load.Decompose Original IFWI:
Click the “Decompose Image” button
Select the downloaded IFWI file from the extracted directory
Wait for the decomposition process to complete modul
Enable dTPM Configuration & Build Image:
Navigate to “Platform Protection Features” section
Locate “TPM Technologies” subsection
From the available TPM options, select “dTPM”
Click “Build Image” to generate the new firmware image
The tool will create a new IFWI file named
image.binin the same directoryVerify the
image.binfile has been successfully created
Step 3: Flash the Modified IFWI
Important: Power OFF the PTL board before flashing
Prepare Flashing Environment:
Ensure the PTL board is properly connected to the flashing hardware
Verify DediProg or TTK3 is correctly configured and recognized
Flash the New IFWI:
Using your preferred flashing tool (DediProg or TTK3), load the newly generated
image.binfileInitiate the flashing process
Monitor the flashing progress for any errors
Power cycle the PTL board after successful flashing
Verify dTPM Functionality:
Check that dTPM functionality is enabled in the system BIOS/UEFI
Confirm dTPM is properly detected by the operating system
2. Enabling UEFI Secure Boot for Smart Intersection#
UEFI Secure Boot establishes a chain of trust from firmware to OS, cryptographically verifying the signature and hash of all boot components before passing control to the operating system. This ensures the Smart Intersection application runs on a verified, secure platform.
Ubuntu LTS official releases are signed by Canonical, and Canonical’s certificate is pre-enrolled in the MOK (Machine Owner Key) database.
Step 1: Install Required Tools
sudo apt update
sudo apt upgrade
sudo apt-get install -y openssl mokutil sbsigntool
Step 2: Verify Kernel Signature
sudo sbverify --list /boot/vmlinuz-<kernel_version>-generic
Step 3: Verify Certificate Enrollment
mokutil --list-enrolled
Step 4: Install Signed Shim Binary
Most UEFI firmware has Microsoft keys enrolled by default. To verify GRUB and Linux kernel signed by Canonical, install the signed shim binary. Shim is a small bootloader signed by Microsoft that bridges the gap between firmware and Linux GRUB, maintaining the chain of trust.
sudo apt-get install sbsigntool openssl grub-efi-amd64-signed shim-signed
sudo grub-install --uefi-secure-boot
Step 5: Configure Secure Boot
Reboot the platform and enter the UEFI GUI menu
Verify that Secure Boot is initially disabled
Confirm the shim binary can boot to OS
Step 6: Enroll Microsoft Certificates
Get the Secure Boot Microsoft keys and certificates:
git clone https://git.launchpad.net/qa-regression-testing
Enroll the certificates (type ‘y’ when prompted):
cd qa-regression-testing/notes_testing/secure-boot
cp -rf * /tmp
sudo /tmp/sb-setup enroll microsoft
Note: If enrollment errors occur, reboot the platform, boot using
fs0:/efi/ubuntu/shimx64.efi, and rerun the enroll command.
Step 7: Enable and Verify Secure Boot
Reboot the platform and enter the BIOS menu
Verify that Secure Boot is now enabled
Boot using
fs0:/efi/ubuntu/shimx64.efiCheck the Secure Boot status after booting to Ubuntu:
mokutil --sb-state
TPM Clear Operation#
TPM clear removes all stored keys, certificates, and ownership data from the Trusted Platform Module, resetting it to factory defaults. This is useful when setting up security for a new Smart Intersection deployment.
Enter the boot manager menu
Choose the TCG2 configuration
Clear the TPM
3. Ubuntu Installation with Full Disk Encryption#
Full Disk Encryption (FDE) protects Smart Intersection application data and configurations by encrypting the entire disk. This ensures that sensitive traffic analysis data and system configurations remain secure even if the hardware is compromised.
Once FDE is enabled, the encrypted disk can only be accessed with the security key configured during installation.
Step 1: Prepare Ubuntu Installation Media
Download the official Ubuntu 24.04.2 LTS release from the Ubuntu website
Create a bootable Ubuntu USB drive
Enter the boot manager menu and select the bootable USB with Ubuntu 24.04.2
Step 2: Begin Ubuntu Installation
Boot from the bootable USB and select “Try or Install Ubuntu”.
Step 3: Configure Basic Settings
Configure language, accessibility options, keyboard layout, and other basic settings. Optionally connect to wired internet if available.
Step 4: Select Installation Type
Select “Install Ubuntu” option.
Step 5: Choose Installation Mode
Select “Interactive Installation” for full control over security settings.
Step 6: Configure Applications
In the Applications page, select “Default selection”. If you made a wired connection earlier, select both checkboxes.
Step 7: Enable Disk Encryption
In the Disk setup page:
Select “Erase disk and install Ubuntu”
Click the “Advanced features” button to access encryption options
Step 8: Choose Encryption Method
There are two FDE methods available. Choose based on your Smart Intersection security requirements:
Method 1: Software-based Encryption
Select “Use LVM and encryption”
This encrypts your entire drive using LVM
Requires a strong passphrase that you’ll enter at boot time to decrypt and access your system
Method 2: Hardware-backed Full Disk Encryption
Uses dedicated security chips (TPM or Secure Enclave) to store encryption keys
Provides stronger protection than software-only encryption
Note: To enable this option, you must first enable Secure Boot in BIOS/UEFI settings and clear/reset the TPM module
If Hardware-backed full disk encryption is enabled, you can skip Steps 9 and 12 as the TPM chip will automatically handle key management and drive decryption.
TPM Recovery Key: Use the following command to show TPM recovery keys:
sudo snap recovery --show-keys
Step 9: Create Security Key (Software-based Encryption Only)
Create a Security Key that will be required to decrypt the Ubuntu drive before accessing the Smart Intersection application.
Step 10: Complete Installation Configuration
Complete the installation by configuring:
Username and password
Timezone settings
Review your choices before proceeding
Step 11: Finalize Installation
Complete the installation process
Restart the PC when prompted
Remove the bootable drive when instructed after restart
Step 12: First Boot with Encryption (Software-based Encryption Only)
Enter your Security Key from Step 9 as the encryption password to unlock the disk
The Ubuntu login screen will appear
Ubuntu installation with FDE is now completed and ready for Smart Intersection deployment
4. TME (Total Memory Encryption) Enablement#
Intel TME encrypts the computer’s entire memory with a single transient key. All memory data passing to and from the CPU is encrypted, including sensitive Smart Intersection data such as traffic analysis algorithms, detection models, credentials, encryption keys, and other proprietary information.
Step 1: Check TME Support
First, verify if TME is supported on the Intel platform. Read bits 35:32 of MSR 0x981. If this value is non-zero, TME is supported.
Step 2: Enable TME in BIOS
Enter BIOS menu by pressing ‘F2’ while booting the platform
Navigate to: Intel Advanced Menu → CPU Configuration → Total Memory Encryption
Set to Enabled
Save changes (F4) and reboot
Step 3: Verify TME Enablement
Check if TME is enabled by reading bit 1 of MSR 0x982. If TME is enabled, the value returned will be 1 as shown.
Step 4: Alternative Verification Using Kernel Logs
You can also use the dmesg kernel log to check TME enablement status:
dmesg | grep -i tme
Summary#
With these security features enabled, your Smart Intersection application will benefit from:
dTPM: Hardware-based cryptographic operations and secure key storage
UEFI Secure Boot: Verified boot chain ensuring system integrity
Full Disk Encryption: Protection of traffic analysis data and system configurations
Total Memory Encryption: Runtime protection of sensitive algorithms and detection models
This comprehensive security implementation ensures that your Smart Intersection system can safely process traffic data, store sensitive configurations, and operate in trusted environments.