Intel (Converged Security) Trusted Execution Engine: Drivers, Firmware and Tools

Thank you very much Smartpol for your contribution. Enjoy your firmware-upgraded system!

Hi @plutomaniac
Can I ask you where you found the CSTXE 3.1.50.2222 that you used to update that BIOS?
Thanks

@TheGiolly

At the Engine Firmware Repositories you can now find CSTXE 3 & 4 packs. I will also update the Engine CleanUp Guide with CSTXE instructions so that the user can check if their firmware is OEM signed. If it's not signed, the procedure remains the same, but if it is, the user will need to input the OEM Private Key used during signing, which of course is not public, but the instructions will be there in case someone has it.

Is there any way to update CSTXE firmware without a backup BIOS? (If not, is there any way to back up a laptop's BIOS?)
I have an Apollo Lake laptop (Yepo 737A) that's similar to the Jumper Ezbook in the previous post, but unfortunately I couldn't find a BIOS online.

There is no way to update CSTXE firmware without a BIOS image. So if you can't find it online, you should do a BIOS backup to obtain it. If you can boot to the built-in UEFI shell (as in Jumper), you can do a BIOS backup with the AfuEfix64.efi utility using this command: "AfuEfix64.efi backup.rom /O". You can find more information about it and your laptop at Techtablets.com.

Thanks, I have backed up the firmware, can anyone help create an updated version?
https://nofile.io/f/d3dn2feEZ0T/backup.bin

@zyo

Your image is OEM signed. However, I have made an attempt to update the CSTXE firmware using a new method. I cannot guarantee that it will work but I think it will. So if you decide to test this, I suggest to make sure that you can recover via a programmer.

backup_fix.rar (3.93 MB)

Thanks, I don't really have a programmer to recover with in case this goes bad. I recall seeing someone at Techtablets flashing a Jumper Ezbook 3 Pro BIOS onto a Yepo 737A laptop. I wonder, if it's OEM signed, how they can do that without bricking…

From the two SPI images I've seen, the RSA Keys are different. The real question is whether these OEMs actually closed Manufacturing Mode at their factory in order to commit the RSA Public Key Hash at the Chipset hardware (FPF). Run "TXEInfo -verbose" and show me the results.

Intel(R) TXEInfo Version: 3.1.50.2222
Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.

FW Status Register1: 0x80000255
FW Status Register2: 0x39850000
FW Status Register3: 0x30B50608
FW Status Register4: 0x00080000
FW Status Register5: 0x00000000
FW Status Register6: 0x00000000

CurrentState: Normal
ManufacturingMode: Enabled
FlashPartition: Valid
OperationalState: CM0 with UMA
InitComplete: Complete
BUPLoadState: Success
ErrorCode: No Error
ModeOfOperation: Normal
SPI Flash Log: Not Present
Phase: BringUp
TXE File System Corrupted: No
PhaseStatus: UNKNOWN
FPF and TXE Config Status: Not committed
FW Capabilities value is 0x31109040
Feature enablement is 0x31109040
Platform type is 0x73FF0321
Intel(R) TXE code versions:

Table Type 0 ( 0x 00 ) found, size of 0 (0x 00 ) bytes
BIOS Version YEPOM10x.8.WP313R.NHNAUHL01
Vendor ID 8086
PCH Version B
FW Version 3.0.13.1144
Security Version (SVN) 0
Number of IFWI Modules 4
IFWI Module Name/Version
FTPR.man Version: 3.0.13.1144
PMCP.man Version: 0.1.0.0
SMIP.man Version: 11822.0.0.0
IUNP.man Version: 0.0.0.0

FW Capabilities 0x31109040

Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Service Advertisement & Discovery - NOT PRESENT
Intel(R) Platform Trust Technology - PRESENT/ENABLED
Persistent RTC and Memory - PRESENT/ENABLED

Re-key needed False
Last TXE reset reason Power up
BIOS Config Lock Enabled
Get flash master region access status…done
Host Read Access to TXE Enabled
Host Write Access to TXE Enabled
Get EC region access status…done
Host Read Access to EC Disabled
Host Write Access to EC Disabled
Protected Range Register Base #0 0x0
Protected Range Register Limit #0 0x0
Protected Range Register Base #1 0x0
Protected Range Register Limit #1 0x0
Protected Range Register Base #2 0x0
Protected Range Register Limit #2 0x0
Protected Range Register Base #3 0x0
Protected Range Register Limit #3 0x0
Protected Range Register Base #4 0x0
Protected Range Register Limit #4 0x0
SPI Flash ID 1 C86017
SPI Flash ID 2 Not Available
BIOS boot State Post Boot
Capability Licensing Service Enabled
OEM Tag 0x00000000
Slot 1 Board Manufacturer 0x00000000
Slot 2 System Assembler 0x00000000
Slot 3 Reserved 0x00000000
EPID Group ID 0x11E4
Keybox Not Provisioned
Crypto HW Support Enabled
Replay Protection Not Supported
Replay Protection Bind Counter 0
Storage Device Type SPI
Replay Protection Bind Status Pre-bind
Replay Protection Rebind Not Supported
Replay Protection Max Rebind 0
Intel(R) PTT Supported Yes
Intel(R) PTT initial power-up state Enabled
PAVP Supported Yes
Integrated Sensor Hub Initial Power State Disabled
End of Manufacturing Enable No
Post Manufacturing NVAR Config Enabled No
Protect BIOS Environment Enabled
CPU Debugging Disabled
BSP Initialization Disabled
Measured Boot Enabled
Verified Boot Enabled
OEM Public Key Hash FPF Not set
OEM Public Key Hash UEP 340383FBD2D92AC6451D2E6AB412B5A5FCC9B476BC496A86845F77F20DAA9C76
OEM Public Key Hash TXE FW 340383FBD2D92AC6451D2E6AB412B5A5FCC9B476BC496A86845F77F20DAA9C76

                                 FPF          UEP          TXE FW
                                 ---          ---          ------
Boot Guard Profile               Not set      2 - VM       2 - VM
Key Manifest ID                  Not set      0x1          0x1
PTT                              Not set      Enabled      Enabled
UFS Boot Source                  Not set      Disabled     Disabled
EMMC Boot Source                 Not set      Disabled     Disabled
SPI Boot Source                  Not set      Enabled      Enabled
LED Indication                   Enabled      Disabled     Disabled
DnX                              Not set      Disabled     Disabled
OEM ID                           Not set      0x0          0x0
OEM Platform ID                  Not set      0x0          0x0
SOC Config Lock                  Not set      Not set      Not set
RPMB Bind Counter                0x0          0x0          0x0
RPMB Migration Done              Not set      Not set      Not set
Persistent PRTC Backup Power     Exists       Exists       Exists
Allow OEM Signing of DAL Applets No           No           No
EK Revoke State                  Not Revoked  Not Revoked  Not Revoked

Looks like FPF is not set?

Yeap, as you can see:

ManufacturingMode: Enabled
FPF and TXE Config Status: Not committed
Host Read Access to TXE Enabled
Host Write Access to TXE Enabled
End of Manufacturing Enable No
OEM Public Key Hash FPF Not set
(all FPF are Not set)

All of the above indicate that, although the SPI/BIOS image is signed, the signature was never hardware(FPF)-committed by the OEM. So you can do whatever you want, even commit to FPF yourself with your own key or whatever (why though?). You can thus follow the Engine CleanUp Guide and at step 7, just remove the OEM Public Key Hash to disable Signing. The platform should accept that change because the FPF are not committed. In the fixed SPI image I attached above, I've updated the CSTXE firmware to the latest 3.1.50.2238 as well as the APL CPU Microcode for Spectre Variant 2 mitigation.

I'd like to emphasize that the above portrays my own understanding of the situation. Although, to my knowledge, nothing should be capable of blocking the update, the risk of flashing is always on the modder.
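As an added example (not code from the thread or from Intel's tools), here is a small Python check that parses the fields of `TXEInfo -verbose` output that the post above relies on and classifies whether the OEM key hash is actually hardware-committed (FPF) or only present in the UEP / TXE FW copies. The sample output is constructed from the values posted above.

```python
import re

# Constructed sample, modelled on the TXEInfo -verbose output posted above.
SAMPLE_TXEINFO = """\
ManufacturingMode: Enabled
FPF and TXE Config Status: Not committed
End of Manufacturing Enable No
OEM Public Key Hash FPF Not set
OEM Public Key Hash UEP 340383FBD2D92AC6451D2E6AB412B5A5FCC9B476BC496A86845F77F20DAA9C76
OEM Public Key Hash TXE FW 340383FBD2D92AC6451D2E6AB412B5A5FCC9B476BC496A86845F77F20DAA9C76
"""

# Field names contain spaces, so match each name verbatim; TXEInfo prints
# some fields as "Name: value" and others as "Name value".
FIELDS = ("ManufacturingMode", "FPF and TXE Config Status",
          "End of Manufacturing Enable", "OEM Public Key Hash FPF",
          "OEM Public Key Hash UEP", "OEM Public Key Hash TXE FW")

def parse_txeinfo(text):
    """Return {field: value} for the FIELDS found in the tool output."""
    info = {}
    for line in text.splitlines():
        for name in FIELDS:
            m = re.match(rf"^{re.escape(name)}:?\s+(.+?)\s*$", line)
            if m:
                info[name] = m.group(1)
    return info

def is_sha256_hex(value):
    return re.fullmatch(r"[0-9A-Fa-f]{64}", value or "") is not None

def assess_commit(info):
    """committed   - OEM key hash fused into FPF, hardware enforces signing
    uncommitted - hash only in UEP / TXE FW copies, FPF still 'Not set'
    unsigned    - no OEM key hash anywhere."""
    fpf = info.get("OEM Public Key Hash FPF")
    uep = info.get("OEM Public Key Hash UEP")
    fw = info.get("OEM Public Key Hash TXE FW")
    if is_sha256_hex(fpf):
        state = "committed"
    elif is_sha256_hex(uep) or is_sha256_hex(fw):
        state = "uncommitted"
    else:
        state = "unsigned"
    # Manufacturing Mode still open: EOM not done and FPF not committed.
    mfg_open = (info.get("ManufacturingMode") == "Enabled"
                and info.get("End of Manufacturing Enable") == "No"
                and info.get("FPF and TXE Config Status") == "Not committed")
    return {"state": state, "manufacturing_mode_open": mfg_open}
```

For the posted output this returns `uncommitted` with Manufacturing Mode open, which is the combination the post reads as "signed, but never committed to FPF".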

Thanks for the explanation much appreciated, I will try flashing the bios tonight.

Just to clarify, is there anything I need to do prior to flashing? Do I just need to load the firmware onto a USB drive and flash it using afuefix /p /b in the EFI shell?

Yes, you can flash it via AFU. After flashing, you may need to remove all power (AC + Battery, RTC is ok) for 1 minute or so and in the meantime, press the power button 1-2 times as well. The system should boot. If not, try a few things like those discussed here. Once it's up, run Flash Programming Tool with command "fptw -greset" for good measure and after the system reboots, everything should be updated and operational.

That worked; SA-00086 as well as Spectre are patched. Meltdown still remains, I thought the Microcode update would have addressed that?

Only Spectre Variant 2 requires a microcode fix. Meltdown, Spectre Variant 1 and Spectre Variant 2 rely on OS-based fixes.

Intel CSTXE 4 Firmware v4.0.0.1245

Intel CSTXE 3.1 Firmware v3.1.50.2238

Intel CSTXE 3.2 Firmware v3.2.10.1129

Note: Added instructions on how you can update the CSTXE 3 & 4 firmware-based platforms (CSTXE 3 - 4 Updating).

Intel CSTXE System Tools v4 r1

Hi, plutomaniac. Can you take a look at this BIOS: Teclast F7 rom. It's not OEM signed, and can it be fixed against Intel SA-00086 and 88 or not?
ME Analyzer told me that there is an OEM RSA Signature, but in the previous case this signature was not a problem.

It is signed as can be seen in MEA. Follow the Engine CleanUp Guide.