Table of Contents
Advertisement
Chapter 6: BIOS
Security Device Support
If this feature and the TPM jumper (JPT1) on the motherboard are both enabled, the onboard
security (TPM) device will be enabled in the BIOS to enhance data integrity and system
security. Please note that the OS will not show the security device. Neither TCG EFI protocol
nor INT1A interaction will be made available for use. If you have made changes on the setting
on this item, be sure to reboot the system for the change to take effect. The options are
Disable and Enable. If this option is set to Enable, the following screen and items will display:
Pending Operation
Use this feature to schedule a TPM-related operation to be performed by a security (TPM)
device at the next system boot to enhance system data integrity. Your system will reboot to
carry out a pending TPM operation. The options are None and TPM Clear.
Note: Your system will reboot to carry out a pending TPM operation.
Platform Hierarchy (for TPM Version 2.0 and above)
Select Enabled for TPM Platform Hierarchy support which will allow the manufacturer to utilize
the cryptographic algorithm to define a constant key or a fixed set of keys to be used for
initial system boot. This early boot code is shipped with the platform and is included in the
list of "public keys". During system boot, the platform firmware uses this trusted public key
to verify a digital signature in an attempt to manage and control the security of the platform
firmware used in a host system via a TPM device. The options are Enabled and Disabled.
Storage Hierarchy
Select Enabled for TPM Storage Hierarchy support that is intended to be used for non-privacy-
sensitive operations by the platform owner such as an IT professional or the end user. Storage
Hierarchy has an owner policy and an authorization value, both of which can be set and are
held constant (-rarely changed) through reboots. This hierarchy can be cleared or changed
independently of the other hierarchies. The options are Enabled and Disabled.
Endorsement Hierarchy
Select Enabled for Endorsement Hierarchy support, which contains separate controls to
address the user's privacy concerns because the primary keys in this hierarchy are certified
by the TPM or a manufacturer to be constrained to an authentic TPM device that is attached
to an authentic platform. A primary key can be an encrypted, and a certificate can be created
using TPM2_ ActivateCredential. It allows the user to independently enable "flag, policy, and
authorization value" without involving other hierarchies. A user with privacy concerns can
disable the endorsement hierarchy while still using the storage hierarchy for TPM applications
and permitting the platform software to use the TPM. The options are Enabled and Disabled.
89
Advertisement
Table of Contents
