Intel (Converged Security) Trusted Execution Engine: Drivers, Firmware and Tools

Updates 15/07/2015:

Re-Uploaded Intel TXEI Driver INF v2.0.0.1067 r2
Re-Uploaded Intel TXEI Drivers & Software v2.0.0.2073 r2

These are from 26/06 instead of 16/06 and include newly compiled drivers of the same version with newer digital signatures.

Updates 29/07/2015:

Intel TXE Thread:

Updated Intel TXE 1.1 1.375MB Firmware BYT-M/D from v1.1.3.1133 → v1.1.4.1145
Updated Intel TXEI Drivers & Software from v1.1.2.1120 → v1.1.4.1145
Updated Intel TXEInfo Tool for TXE 1.1 Firmware from v1.1.1.1120 → v1.1.4.1145
Updated Intel TXEManuf Tool for TXE 1.1 Firmware from v1.1.1.1120 → v1.1.4.1145
Updated Intel FWUpdate Tool for TXE 1.1 Firmware from v1.1.1.1120 → v1.1.4.1145


Intel TXE System Tools v1.1 from r2 → r3:

Updated Flash Image Tool from v1.1.1.1120 → v1.1.4.1145
Updated Flash Programming Tool(EFI) from v1.1.1.1120 → v1.1.4.1145
Updated Flash Programming Tool(EFI32) from v1.1.1.1120 → v1.1.4.1145
Updated Flash Programming Tool(Windows) from v1.1.1.1120 → v1.1.4.1145
Updated Flash Programming Tool(Windows64) from v1.1.1.1120 → v1.1.4.1145
Updated FWUpdate(LocalEfi32) from v1.1.1.1120 → v1.1.4.1145
Updated FWUpdate(LocalEfi64) from v1.1.1.1120 → v1.1.4.1145
Updated FWUpdate(LocalWin32) from v1.1.1.1120 → v1.1.4.1145
Updated FWUpdate(LocalWin64) from v1.1.1.1120 → v1.1.4.1145
Updated TXEInfo(EFI) from v1.1.1.1120 → v1.1.4.1145
Updated TXEInfo(EFI32) from v1.1.1.1120 → v1.1.4.1145
Updated TXEInfo(Windows) from v1.1.1.1120 → v1.1.4.1145
Updated TXEInfo(Windows64) from v1.1.1.1120 → v1.1.4.1145
Updated TXEManuf(EFI) from v1.1.1.1120 → v1.1.4.1145
Updated TXEManuf(EFI32) from v1.1.1.1120 → v1.1.4.1145
Updated TXEManuf(Windows) from v1.1.1.1120 → v1.1.4.1145
Updated TXEManuf(Windows64) from v1.1.1.1120 → v1.1.4.1145
Updated VSCCommn_bin Content from v2.7.8 (07/2013) → v2.7.16 (03/2015)
Updated Bay Trail-MD Intel TXE FW Bring Up Guide from v1.7 (02/2014) → v1.8 (03/2015)
Updated Bay Trail MD Intel TXE FW Release Notes from v1.1.2.1120 (09/2014) → v1.1.4.1145 (07/2015)
Added Intel TXE FW Release Customer Communication v1.1.4.1145 (07/2015)

Updates 30/07/2015:

Intel TXE Thread:

* Updated Intel TXE 2.0 1.375MB Firmware from v2.0.0.2060 → v2.0.0.2073

Hi.

I successfully updated my Bay Trail tablet from 1.0.2.1060 3MB to 1.0.7.1133. I saw that it can be updated to 1.1, but I cannot find any tips on how.
And another thing: the ME FITC version is still old; how can I update that?

Thanks.

@ Jest:

FITC is a tool, you cannot “update it”. What ME Analyzer shows is the version of FITC that the OEM used to modify the ME Region of your BIOS file. Nothing more, it’s just information.

You can upgrade to 1.1 firmware but not with FWUpdate. Only with FPT and only if your flash descriptor is unlocked (error 26 should not be shown when running fptw64 -d SPI.bin for the latter to be true).

HWiNFO32 says "Host ME Region Flash Protection Override Status: Locked".
Is this it?

@ Jest:

Yes, it’s locked. You could test the same with FPT but it doesn’t matter. The only way to upgrade now is via an external programmer. It’s not worth all the trouble though. Unless you have programmer knowledge, I suggest you just update to the latest 1.0 firmware. Normally it’s up to the OEM to do the upgrade from 1.0 to 1.1 but that rarely happens.

I did test with FPT and I get error 26 or something like that.
So v1.0.7.1133 is the latest version for my tablet right now.

Ok, thanks for your help.

It’s me again. Now with a different problem.

I have an ASRock Q1900M Bay Trail motherboard. It originally came with TXE 1.0.2.1060 3MB and I updated it to 1.0.7.1133. So I was curious whether an upgrade to 1.1 is possible.

TXEInfo shows:

Intel(R) TXEInfo Version: 1.0.4.1089
Copyright(C) 2005 - 2013, Intel Corporation. All rights reserved.

Intel(R) TXE code versions:

BIOS Version: P1.50
VendorID: 8086
SOC Version: C
FW Version: 1.0.7.1133
TXEI Driver Version: 1.0.0.1064

FW Capabilities: 0x20001040

Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED

Last TXE reset reason: Global system reset
Local FWUpdate: Enabled
BIOS Config Lock: Disabled
Host Read Access to TXE: Enabled
Host Write Access to TXE: Enabled
SPI Flash ID #1: EF6017
SPI Flash ID VSCC #1: 20052005
SPI Flash BIOS VSCC: 20052005
BIOS boot State: Post Boot
OEM Id: 00000000-0000-0000-0000-000000000000
Capability Licensing Service: Enabled
OEM Tag: 0x00000001
Global Valid FPF: Invalid
PTT FPF: Enabled
Perform Secure Boot FPF: Disabled
OEM Public Key Hash FPF: 0000000000000000000000000000000000000000
000000000000000000000000
Key Manifest ID FPF: 00
Alternative BIOS Limit FPF: 0000
Secure Boot Status: Not Executed
Secure Boot Recovery Status: Not Executed
PTT Lockout Override Counter: 10


From what I understand, the descriptor is not locked. Am I right?
But when I tried fptw64 -d SPI.bin, error 26 shows:

Intel (R) Flash Programming Tool. Version: 1.0.4.1089
Copyright (c) 2007 - 2013, Intel Corporation. All rights reserved.

Platform: Bay Trail
Reading HSFSTS register… Flash Descriptor: Valid

— Flash Devices Found —
W25Q64DW ID:0xEF6017 Size: 8192KB (65536Kb)



Error 26: The host CPU does not have read access to the target flash area. To enable read access for this operation you must modify the descriptor settings to give host access to this region.

If Error 26 shows, you have a locked flash descriptor. Only via a programmer can you upgrade from v1.0 to v1.1 in such a case.
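The check the two replies above rely on (FPT dumping the SPI image, Error 26 meaning the host CPU has no read access to the TXE region) is decided by the Flash Masters section of the Intel Flash Descriptor at the start of the SPI image. The script below is an added example for this thread, not code from Intel or from anyone posting here. It decodes the pre-Skylake descriptor layout, which is the one Bay Trail uses (signature 0x0FF0A55A at offset 0x10, FLMAP1 at 0x18 giving the master base address, and in each FLMSTR register read permissions in bits 20:16 and write permissions in bits 28:24, bit 2 being the ME/TXE region), then reports whether the host master may read and write the TXE region. The two descriptors it builds at the bottom are constructed sample data, not real dumps; the 0x0A0B0000-style "locked" host master value is a common vendor setting, but your own dump is what counts.

```python
from __future__ import annotations

import struct

# Added example for this thread; not Intel's code and not from the forum.
# Layout decoded here is the pre-Skylake Intel Flash Descriptor (Bay Trail
# uses it): signature 0x0FF0A55A at offset 0x10 of the descriptor region,
# FLMAP0 at 0x14 (FRBA in bits 23:16), FLMAP1 at 0x18 (FMBA in bits 7:0,
# both in 16-byte units), and FLMSTR1..3 at FMBA with region read bits 20:16
# and write bits 28:24 (bit 0 descriptor, 1 BIOS, 2 ME/TXE, 3 GbE, 4 PDR).
# The sample descriptors at the bottom are constructed, not real dumps.

DESC_SIGNATURE = 0x0FF0A55A
REGIONS = ("Descriptor", "BIOS", "ME/TXE", "GbE", "PDR")
MASTERS = ("Host CPU/BIOS", "ME/TXE", "GbE")


def parse_descriptor(image: bytes) -> dict:
    """Decode FLMAP0/FLMAP1 and the three FLMSTR registers from a dump."""
    if len(image) < 0x1C:
        raise ValueError("image too short to hold a flash descriptor")
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != DESC_SIGNATURE:
        raise ValueError(f"no descriptor signature at 0x10 (got {sig:#010x})")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    fmba = (flmap1 & 0xFF) << 4  # Flash Master Base Address
    if fmba + 4 * len(MASTERS) > len(image):
        raise ValueError("FMBA points past the end of the image")
    masters = {}
    for i, name in enumerate(MASTERS):
        (flmstr,) = struct.unpack_from("<I", image, fmba + 4 * i)
        read_mask = (flmstr >> 16) & 0x1F
        write_mask = (flmstr >> 24) & 0x1F
        masters[name] = {
            "requester_id": flmstr & 0xFFFF,
            "read": {r: bool(read_mask >> b & 1) for b, r in enumerate(REGIONS)},
            "write": {r: bool(write_mask >> b & 1) for b, r in enumerate(REGIONS)},
        }
    return {"frba": ((flmap0 >> 16) & 0xFF) << 4, "fmba": fmba, "masters": masters}


def host_txe_access(image: bytes) -> tuple[bool, bool]:
    """(can_read, can_write) for the host CPU master on the ME/TXE region."""
    host = parse_descriptor(image)["masters"]["Host CPU/BIOS"]
    return host["read"]["ME/TXE"], host["write"]["ME/TXE"]


def explain(image: bytes) -> str:
    """Map the host's ME/TXE permissions to what FPT will do with them."""
    can_read, can_write = host_txe_access(image)
    if can_read and can_write:
        return "unlocked: host may read and write the ME/TXE region"
    if not can_read:
        return "locked: host may not read the ME/TXE region (full FPT dump -> Error 26)"
    return "read-only: host may read but not write the ME/TXE region"


def build_descriptor(host_read: int, host_write: int) -> bytes:
    """Constructed 4 KiB descriptor region (sample data, not a real dump)."""
    img = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", img, 0x10, DESC_SIGNATURE)
    # FLMAP0: FCBA=0x30, NC=0, FRBA=0x40, NR=4;  FLMAP1: FMBA=0x60, NM=2
    struct.pack_into("<I", img, 0x14, 0x03 | (0x04 << 16) | (4 << 24))
    struct.pack_into("<I", img, 0x18, 0x06 | (2 << 8))
    fmba = 0x60
    struct.pack_into("<I", img, fmba + 0, (host_read << 16) | (host_write << 24))
    struct.pack_into("<I", img, fmba + 4, (0x0C << 16) | (0x0C << 24))  # ME: ME+GbE
    struct.pack_into("<I", img, fmba + 8, 0x0118 | (0x08 << 16) | (0x08 << 24))  # GbE only
    return bytes(img)


# Typical vendor-locked host master (read descriptor/BIOS/GbE, write BIOS/GbE)
# versus a fully open one (read and write every region).
LOCKED_DESCRIPTOR = build_descriptor(host_read=0x0B, host_write=0x0A)
UNLOCKED_DESCRIPTOR = build_descriptor(host_read=0x1F, host_write=0x1F)

if __name__ == "__main__":
    import sys

    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LOCKED_DESCRIPTOR
    for master, perms in parse_descriptor(data)["masters"].items():
        r = [n for n, ok in perms["read"].items() if ok]
        w = [n for n, ok in perms["write"].items() if ok]
        print(f"{master:14s} read={r} write={w}")
    print(explain(data))
```

On a system that returns Error 26 the full dump never completes, but the descriptor region itself is normally still readable (in FPT, the -DESC switch dumps only that region), and that file, or a full SPI dump where the descriptor is the first 4 KiB, is what you feed to the script. The permissions live in the descriptor that the SPI controller enforces on the host, which is exactly why a locked host master can only be changed with an external programmer, as the reply above says.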

Updates 10/08/2015:

Intel TXE Thread:

Intel TXE 2.0 1.375MB Firmware v2.0.0.2073 from EXTR → RGN
Intel FWUpdate Tool for TXE 2.0 Firmware from v2.0.0.2060 → v2.0.0.2073
Intel TXEInfo Tool for TXE 2.0 Firmware from v2.0.0.2056 → v2.0.0.2073
Intel TXEManuf Tool for TXE 2.0 Firmware from v2.0.0.2056 → v2.0.0.2073

Intel TXE System Tools v2.0 from r2 → r3:

Flash Image Tool: v2.0.0.2056 → v2.0.0.2073
Flash Manifest Generation Tool: v2.0.0.1056 → v2.0.0.1059
Flash Programming Tool(EFI): v2.0.0.2056 → v2.0.0.2073
Flash Programming Tool(EFI32): v2.0.0.2056 → v2.0.0.2073
Flash Programming Tool(Windows): v2.0.0.2056 → v2.0.0.2073
Flash Programming Tool(Windows64): v2.0.0.2056 → v2.0.0.2073
FWUpdate(EFI): v2.0.0.2056 → v2.0.0.2073
FWUpdate(EFI32): v2.0.0.2056 → v2.0.0.2073
FWUpdate(Windows): v2.0.0.2060 → v2.0.0.2073
FWUpdate(Windows64): v2.0.0.2060 → v2.0.0.2073
TXEInfo(EFI): v2.0.0.2056 → v2.0.0.2073
TXEInfo(EFI32): v2.0.0.2056 → v2.0.0.2073
TXEInfo(Windows): v2.0.0.2056 → v2.0.0.2073
TXEInfo(Windows64): v2.0.0.2056 → v2.0.0.2073
TXEManuf(EFI): v2.0.0.2056 → v2.0.0.2073
TXEManuf(EFI32): v2.0.0.2056 → v2.0.0.2073
TXEManuf(Windows): v2.0.0.2056 → v2.0.0.2073
TXEManuf(Windows64): v2.0.0.2056 → v2.0.0.2073
Braswell Intel TXE FW Bring Up Guide from v1.2 (03/2015) → v1.3 (04/2015)
Braswell Intel TXE FW PV Release Notes from v2.0.0.2056 (05/2015) → v2.0.0.2073 (06/2015)
Braswell Intel TXE FW Customer Communication from v2.0.0.2056 (03/2015) → v2.0.0.2073 (06/2015)
VSCCommn_bin Content from v2.8.1 (12/2014) → v2.8.3 (03/2015)

Just wanted to say that I was able to get my Lenovo laptop (it has a Bay Trail CPU) updated to the latest firmware. It gave me a message about the OEM ID not being correct, so I looked it up with TXEInfoWin, copied the OEM ID and used the command fwupdlcl64.exe -OEMID ID# -f TXE.bin


Yes, that’s a common practice of Lenovo. ME Analyzer should show a note about the existence of such an OEMID inside the BIOS (SPI) image. I’d like to verify it myself again, so can you tell me the model of that Lenovo laptop?

Updates 26/08/2015:

Intel TXEInfo Tool for TXE 2.0 Firmware from v2.0.0.2073 → v2.0.0.2077
Intel TXEManuf Tool for TXE 2.0 Firmware from v2.0.0.2073 → v2.0.0.2077
* Intel FWUpdate Tool for TXE 2.0 Firmware from v2.0.0.2073 → v2.0.0.2077

Intel TXE System Tools v2.0 from r3 → r4:

Flash Image Tool from v2.0.0.2073 → v2.0.0.2077
Flash Programming Tool(EFI) from v2.0.0.2073 → v2.0.0.2077
Flash Programming Tool(EFI32) from v2.0.0.2073 → v2.0.0.2077
Flash Programming Tool(Windows) from v2.0.0.2073 → v2.0.0.2077
Flash Programming Tool(Windows64) from v2.0.0.2073 → v2.0.0.2077
FWUpdate(EFI) from v2.0.0.2073 → v2.0.0.2077
FWUpdate(EFI32) from v2.0.0.2073 → v2.0.0.2077
FWUpdate(Windows) from v2.0.0.2073 → v2.0.0.2077
FWUpdate(Windows64) from v2.0.0.2073 → v2.0.0.2077
TXEInfo(EFI) from v2.0.0.2073 → v2.0.0.2077
TXEInfo(EFI32) from v2.0.0.2073 → v2.0.0.2077
TXEInfo(Windows) from v2.0.0.2073 → v2.0.0.2077
TXEInfo(Windows64) from v2.0.0.2073 → v2.0.0.2077
TXEManuf(EFI) from v2.0.0.2073 → v2.0.0.2077
TXEManuf(EFI32) from v2.0.0.2073 → v2.0.0.2077
TXEManuf(Windows) from v2.0.0.2073 → v2.0.0.2077
TXEManuf(Windows64) from v2.0.0.2073 → v2.0.0.2077
Braswell Intel TXE FW Release Notes v2.0.0.2073 from PC → PV
Braswell Intel TXE FW Customer Communication v2.0.0.2073 from PC → PV

Update 28/08/2015:

Intel TXE 1.2 1.375MB Firmware BYT-M/D from v1.1.4.1145 → v1.2.0.1149

Can someone with a v1.1 system test if you can update to v1.2 firmware with FWUpdate tool?


I can't; it complains about a SKU mismatch. I have an N2830 on a Toshiba which I think is Bay Trail-M.
I would like to try 1.1.4.1145 and see what that says, but you seem to remove old versions.

I thought so. That’s what they did with v1.0 → v1.1 updating as well.

I have attached 1.1.4.1145 for you to test.

1.1.4.1145_1.375MB_PRD_RGN.rar (672 KB)



I can install that OK. I was on a really old version and was able to update to Intel TXE Firmware v1.1.1.1130 (1.375MB BYT-I).rar and now 1.1.4.1145.

Any time I have tried 1.2 I get:

C:\Users\Password\Downloads>FWUpdLcl64.exe -f Production_VLV_SEC_REGION.bin

Intel (R) Firmware Update Utility Version: 1.1.4.1145
Copyright (C) 2007 - 2015, Intel Corporation. All rights reserved.

Communication Mode: TXEI
Checking firmware parameters…

Warning: Do not exit the process or power off the machine before the firmware update process ends.
Sending the update image to FW for verification: [ COMPLETE ]

FW Update: [ 15% (Stage: 4 of 17) (/)]
Error 8741: FW Update Failed.

Error 8704: Firmware update operation not initiated due to a SKU mismatch

Whether it works or not is another matter; I got here because I don't appear to have a TPM, and all I know about TXE comes from Wikipedia/Google:

"Intel TXT uses a Trusted Platform Module (TPM) and cryptographic techniques to provide measurements of software and platform components so that system software as well as local and remote management applications may use those measurements to make trust decisions"

My CPU isn't listed in the Bay Trail MD PDF, but I'm sure it is a Bay Trail-M:

7 Hardware and Software Compatibility
• Intel® Pentium® N3510/ 3520 Processor
• Intel® Celeron® N2810/ 2820 Processor
• Intel® Celeron® N2910/ 2920 Processor
• Intel® Celeron® N2805/ N2806 Processor
• Intel® Celeron® N2815 Processor

Intel says:

Intel TXT enabled BIOS, Authenticated Code Modules (ACM) created and signed by Intel inside the BIOS, and Trusted Platform Modules (TPM) integrated onto the motherboard that provides securely-generated cryptographic keys. This is a hardware-based mechanism that stores cryptographic keys and other data related to Intel TXT within the platform. It also provides hardware support for the attestation process to confirm the successful invocation of the Intel TXT environment. The attestation process uses the TPM to establish mutual trust between parties regarding execution environment during runtime.

But a TPM isn't mentioned in my BIOS and Windows can't find it, so it might be that I won't actually be able to use TXE, even though Device Manager gives me a yellow warning sign if the driver isn't installed.

It seems that everyone can update to everything in TXE (when at the same minor version, of course). Maybe I'll remove those BYT-MD and BYT-I firmware distinctions. I will upload 1.1.4.1145 again for all systems with v1.1 firmware. I guess, as before (v1.0 → v1.1), the only way to update is via FPT + full TXE Region and not FWUpdate.

Intel TXT (Trusted Execution Technology) is not related to Intel TXE (Trusted Execution Engine). Similar name but not related. Updating TXE does not give TPM capabilities.



I got hoodwinked by a post on reddit

https://www.reddit.com/r/intel/comments/…d_do_i_need_it/

"TXE is Trusted Execution Technology. Used for Security, etc.

http://en.wikipedia.org/wiki/Trusted_Exe…Technology"

So TXE is a RISC CPU that does "security", like Starlet on the Wii.



Does this mean I can’t do that:

Intel (R) Flash Programming Tool. Version: 1.1.4.1145
Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.

Platform: Bay Trail
Reading HSFSTS register… Flash Descriptor: Valid

— Flash Devices Found —
EN25S64 ID:0x1C3817 Size: 8192KB (65536Kb)



Error 26: The host CPU does not have read access to the target flash area. To enable read access for this operation you must modify the descriptor settings to give host access to this region.