README.md: Updated information for newer packages

Signed-off-by: Imran Desai <[email protected]>
intel · Apr 13, 2020 · f19b501 · f19b501
1 parent e98cee9
commit f19b501
Showing 1 changed file with 31 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@
 ## Purpose:
 This utility is intended for re-provisioning of the platform keys AFTER applying
 the Intel (R) ME/ TXE firmware update in response to security advisory SA-00086.
-More information on the Intel (R) ME/ TXE update and  security advisory can be found at 
+More information on the Intel (R) ME/ TXE update and  security advisory can be found at
 https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr.
 At the link above there is also an INTEL-SA-00086 Detection Tool that assists in 
 discovering the platform vulnerability status described in INTEL-SA-00086.
@@ -12,41 +12,52 @@ Please refer the link for a full list of affected platforms.
 ## Prerequisites:
 1. Ensure Intel (R) PTT is enabled in BIOS.
 2. Ensure TPM CRB kernel driver is enabled on your Linux. 
-   You can check if the device exists with "ls /dev/tpm*"
+   You can check if the device exists with "ls /dev/tpm*" after PTT is enabled
+   in BIOS.
 3. Intel (R) MEI driver needs to be installed on the system. 
    You can check this with "ls /dev/mei*""
-4. Following dependencies need to be installed 
+4. Following dependencies may need to be installed prior to tpm2-software install.
    (names may vary per your Linux distribution).
-   rpm, libcurl4-openssl-dev, libglib2.0-dev, libssl-dev, libdbus-1-dev
-5. Run "build.sh" script as "sudo" to install support packages tpm2-tss & tpm2-abrmd. 
-   * tpm2-tss & tpm2-abrmd versions packaged here are tested with the flow.
-   * When installing tpm2-abrmd you can change the dbus-policy and udev-rules dir per your distribution when configuring the installation.
-6. If the dependency packages were installed appropriately, the build.sh should:
-   * Compile the Intel-SA-00086-Recovery-Utility ELF. 
-   * Indicate the appropriate icls package versions ( i386/ x86_64 ) to install from the packages directory.
+   rpm, autoconf-archive, curl, net-tools, build-essential, pkg-config, gcc,
+   g++, m4, libtool, automake, libgcrypt20-dev, libssl-dev, autoconf, gnulib,
+   wget, libdbus-1-dev, libglib2.0-dev, libcurl4-openssl-dev, dbus-x11,
+   iproute2, libtasn1-6-dev, socat, libseccomp-dev, gawk, libyaml-dev, uuid-dev
+5. Install tpm2-software: tpm2-tss v2.3.2, tpm2-abrmd v2.3.1 and tpm2-tools v4.1.1
+   by executing the "build.sh" script as "sudo".
+6. If the dependency packages were installed appropriately, the build.sh should
+   proceed to indicate the appropriate icls package versions ( i386/ x86_64 )
+   to install from the packages directory.
 7. Prior to installing the icls client libraries you can verify the rpm signatures
    To do this import the public key to verify the signature from packages/iCLS dir
-   "rpm --import tcs-linux-pgp-public.key"
-   To verify the package: "rpm -K iclsClient<VERSION>.rpm"
+   `rpm --import "Intel(R) Trust Services.key" && rpm -K iclsClient-<version>.<arch>.rpm"`
 8. Install iCLS client libraries from the Packages folder. 
    Instructions based on the package manager 
-   * rpm   --> "rpm -i -nodeps iclsClient<VERSION>.rpm"
-   * alien --> "alien -i -nodeps –-script iclsClient<VERSION>.rpm"
-   * yum   --> "yum install iclsClient<VERSION>.rpm"
+   * rpm   --> "rpm -i -nodeps iclsClient<version>.<arch>.rpm"
+   * alien --> "alien -i -nodeps –-script iclsClient<version>.<arch>.rpm"
+   * yum   --> "yum install iclsClient<version>.<arch>.rpm"
 9. Please make sure system wide proxy has been setup and the platform is connected.
-9. After installing above dependencies a reboot is needed. 
+9. After installing above dependencies a reboot is required. 
 
 ## Instructions to run the Intel (R) SA-00086-Recovery-Tool For Linux* OS:
 1. Please run the TPM access broker and resource manager daemon
-   "sudo -u tss tpm2-abrmd --tcti=device &"
+   `sudo -u tss tpm2-abrmd --tcti=device &`
 2. Run the Intel-SA-00086-Recovery-Tool to launch the provisioning bash script.
+   If the platform supports, an ECC based EK certificate can be retrieved by
+   specifying "-E" option.
 3. If you have received the necessary Intel (R) ME/ TXE firmware update then:
    * You must see the message "EPS generated by Intel (R) PTT"
    * At this point the recovery application should re-provision the keys.
-   * After successful recovery, An NV Index for Intel (R) PTT Endorsement Key certificate is created and a copy of it is read to the file system path indicated in the Intel-SA-00086-Recovery-Tool bash script.
+   * After successful recovery, An NV Index for Intel (R) PTT Endorsement Key
+   certificate is created at index 0x1c00002 for an RSA EK certificate and if
+   the platform supports it, at index 0x1c0000a for an ECC EK certificate.
+   A copy of it is read to the file system path indicated in the bash script,
+   Intel-SA-00086-Recovery-Tool .
 4. OR,If you have not received the necessary Intel (R) ME/ TXE firmware update then:
    * You must see the message "EPS is generated by Manufacturer"
    * At this point the platform does not trigger the recovery process.
-   * The recovery tool instead tries to retrieve the Intel (R) PTT Endorsement Key certificate through non recovery process.
+   * The recovery tool instead tries to retrieve the Intel (R) PTT Endorsement
+   Key certificate through non recovery process.
 
-NOTE: Affected platform MUST receive the Intel (R) ME/ TXE firmware update to fully mitigate the issue.  
+NOTE: Affected platform MUST receive the Intel (R) ME/ TXE firmware update to
+fully mitigate the issue. An indication of this being completed is that the
+tpmGeneratedEPS bit is set and can be read with `tpm2_getcap properties-variable`