COMe-cEL6 - User Guide, Rev.1.3
// 42
3.12.2.
Booting the SPI Flash Chip
Initially, the EFI Shell is booted with an USB key containing the binary used to flash the on-module SPI Flash chip.
T
o
program the external SPI Flash chip on the carrier board with the BIOS binary, use an external programmer.
Register for Kontron’s Customer Section to get access to BIOS downloads and PCN service.
To boot either the carrier board or on-module SPI flash chip, perform the following:
1.
Connect a SPI flash with the correct size (similar to BIOS binary (*.BIN) file size) to the carrier SPI interface.
The external SPI flash chip on the carrier is required to be 32MByte (256MBit) .
2.
Open pin A34 (BIOS_DIS0#) and connect pin B88 (BIOS_DIS1#) to ground to enable the external SPI Flash chip to
boot on carrier
SPI or ground pin A34 (BIOS_DIS0#), and open pin B88 (BIOS_DIS1#) to enable SPI Flash chip to
boot on-module SPI.
The command line is EtaAfuOemEfi64.efi command line.
In case of change, check Kontron’s Customer Section for the latest BIOS binary package with
reference command line.
3.12.3.
External SPI Flash Boot on Modules with Intel® Management Engine
When booting from the external SPI Flash on the carrier board if the COM Express® module is exchanged for another
module of the same type, the Intel® Management Engine (ME) will fail during the next start. The Management Engine
(ME) binds itself to every module it has previously flashed which in the case of an external SPI Flash is the module
present when flashed.
To avoid this issue, after changing the COM Express® module for another module, conduct a complete flash from the
external SPI Flash device. If disconnecting and reconnecting the same module again, this step is not necessary.
3.13.
TPM 2.0
The Trusted Platform Module (TPM) 2.0 technology stores RSA encryption keys specific to the host system for
hardware authentication
Each TPM contains an RSA key pair called the Endorsement Key (EK). The pair is maintained inside the TPM and
cannot be accessed by software. The Storage Root Key (SRK) is created when a user or administrator takes ownership
of the system. This key pair is generated by the TPM based on the Endorsement Key and an owner-specified
password.
A second key, called an Attestation Identity Key (AIK) protects the device against unauthorized firmware and software
modification by hashing critical sections of firmware and software before they are executed. When the system
attempts to connect to the network, the hashes are sent to a server that verifies they match the expected values. If
any of the hashed components have been modified since the last start, the match fails, and the system cannot gain
entry to the network.
The COMe-cEL6 supports firmware TPM (fTPM) using the integrated TPM 2.0 capability of the Intel Platform Trusted
Technology (Intel® PTT). Hardware TPM is an option.