﻿Intel(R) Trusted Device Setup - Sealing Tool 1.0.6.2

This document describes usage of Intel(R) TDS Sealing Tool
==========================================================

Intel® Trusted Device Setup (TDS) Sealing allows sealing the platform with OEM
Platform Measurements values so that an enterprise can:
- verify that the platform has not been tampered with after leaving manufacturing
- verify that the platform is configured exactly as expected during manufacturing

==========================================================

Table of Contents:

1.  Package content
2.  System requirements
3.  Intel(R) TDS Sealing Tool Configuration
4.  Intel(R) TDS Sealing Tool Capabilities
 4.1.  Sealing the device
 4.2.  Sealing the device in Collection Mode
 4.3.  Unsealing the device
 4.4.  Checking if device is sealed
 4.5.  Validating PMF against current platform
5.  Logging options
6. Intel(R) TDS Sealing Tool Features description
 6.1.  Trust Level 1 (TL1) Seal Signing
 6.2.  Trust Level 3 (TL3) Seal Signing
 6.3.  Opt-out hotkey
 6.4.  Verification of the disk measurements
 6.5.  System Timezone override functionality
7. Return codes
8.  Troubleshooting
9.  Known issues

==========================================================

1. Package content
------------------

This Intel(R) Trusted Device Setup Sealing package contains the following files:
* seal.exe - Command line application
* seal.ini - INI configuration file
* Intel_TDS_Sealing_Readme.txt - This document

2. System requirements
----------------------

The Intel(R) TDS Sealing Tool needs to be run on an Intel(R) TDS-enabled platform.
Refer to Intel(R) TDS EndToEnd flow document for platform-level requirements.

OS Requirements: Windows PE (64-bit) (tested with version: 10.0.16299.15) or Windows 10 (64-bit) (tested with version: 1511)
                 with Intel(R) Management Engine Interface driver (HECI driver) installed (tested with version: 11/10/2016,12.0.0.1015).

                 The "heci.inf" file can be obtained from Intel® Management Engine Driver zip package available on the Intel® Drivers & Software website.
                 In order to load the HECI driver into Windows PE, you can use the following command:
                 > drvload heci.inf
                 from a directory containing the unzipped HECI driver.

SAS: Intel(R) TDS System Architecture Spec 0.95
IFWI: WW03'20-WHL
Platform Measurements Tool (PMT): 2.14B
Trusted Device Setup: 0.1, 1.0

3. Intel(R) TDS Sealing Tool Configuration
------------------------------------------

Intel(R) TDS Sealing Tool behaviour can be configured from the INI configuration file.
Each configuration parameter has to be declared under a specific section.
If a parameter is applicable and is not specified in the INI configuration file, a default value is applied.
The configuration file contains the following options for configuring the requested seal parameters:

* Section [Seal Configuration]:
  - ChassisIntrusionEnabled = 1 (Enabled) or 0 (Disabled) | Default value: 0
    NOTE: Chassis Intrusion Detection should already be enabled in BIOS before running this tool for sealing the platform.
          Proper configuration of the Chassis Intrusion Detection feature in BIOS is not verified by the TDS Seal tool.
          If the Chassis Intrusion Detection feature is not configured properly, the Tamperproof Seal would be broken on the first Intel(R) TDS boot.
  - BIOSLockEnabled = 1 (Enabled) or 0 (Disabled) | Default value: 0
  - SealSigningEnabled = 1 (Enabled) or 0 (Disabled) | Default value: 0
    Request seal signing. If Enabled, SealSigningMethod and SealSigningKeyPath options are required.
  - CustomOptOutEnabled = 1 (Enabled) or 0 (Disabled) | Default value: 0
    If Enabled, OptOutHotKey option is required.
  - SEDLockEnabled = 1 (Enabled) or 0 (Disabled) | Default value: 0
  - PMFSigningEnabled = 1 (Enabled) or 0 (Disabled) | Default value: 0
  
* Section [Intel TDS Feature configuration]:
  - BootGuardEnabled = 1 (Enabled) or 0 (Disabled) | Default value: 0
    Require Boot Guard profile 5 to be enabled

* Section [Logging]:
  - FileLogPath = seal.log | Default value: seal.log
    Path to log file containing logging information. Path may be absolute or relative to working directory of seal.exe process.
  - FileLogLevel = 0 (OFF), 1 (BRIEF), 2 (INFO), 3 (DEBUG) | Default value: 3

* Section [Device Identification]:
  - DeviceIdSource = UUID, SERIAL_NUMBER, OEM_DEFINED_BLOB, OEM_DEFINED_LITERAL
    Default: UUID
	Source of the Device ID. Options supported by this release:
		> UUID - Device ID is obtained from SMBIOS System Information UUID field. UUID value is represented as a hex string in GUID-like format.
		> SERIAL_NUMBER - Device ID is obtained from SMBIOS System Information Serial Number field. Max length is 31 bytes.
		> OEM_DEFINED_BLOB - Requires --external_device_id <string> option. Uppercase hex string starting with 0x. Max length: 32 bytes.
		> OEM_DEFINED_LITERAL - Requires --external_device_id <string> option. Max length: 31 bytes. String must not start with 0x to avoid confusion with blob option.

* Section [SealSigning]:
  NOTE: This section applies only if SealSigningEnabled==1 in the [SealConfiguration] section.
  - SealSigningMethod = Software or TL3 | Default value: Software
    Method of signing the seal. Only Software (TL1 trust level) and TL3 options are supported in this release.

* Section [SealSigning_Software]:
  NOTE: This section applies only if SealSigningEnabled==1 in the [SealConfiguration] section and if SealSigningMethod=Software in the [SealSigning] section.
  - SealSigningKeyPath = <path_to_private_key.pem> | No default value, parameter must be defined.
    Path to an RSA private key file in PKCS#8 format, not password protected. Supported key lengths: 2048.
    Path may be absolute or relative to working directory of seal.exe process.
	
* Section [SealSigning_TL3]:
  NOTE: This section applies only if SealSigningMethod=TL3 in the [SealSigning] section.
  - TL3Algorithm = SHA256-NULL-ENCRYPTION
    Seal signing algorithm used in TL3 mode
  - TL3OutputFilePath = <path_to_tl3_output_file> | No default value, parameter must be defined.
    Path to the location where TL3 Seal Integrity data CSV output will be stored. Path may contain tokens for values distinguished by Device Identification.
    DeviceIdSource tokens are delimited by double-colons (e.g. TDS_TL3_Seal_Identity_File_::SERIAL_NUMBER::.csv). For list of supported tokens see section [Device Identification] description.
    OEM_DEFINED values require providing a value for external_device_id. Two different types of OEM_DEFINED DeviceIdSources cannot be used at once.
    Path may be absolute or relative to working directory of seal.exe process.
    File will be overwritten on success or may be deleted in case of sealing error.
    
* Section [CustomOptOut]:
  NOTE: This section applies only if CustomOptOutEnabled==1 in the [SealConfiguration] section.
  - OptOutHotKey = <hotkey> | No default value, parameter must be defined.
    Custom Opt-out key sequence that breaks the DropShip boot. Number of keystrokes in the range 1-7.
    For keystroke syntax see section "6.3. Opt-out hotkey".
  - OptOutIntervalSeconds = <15;2^32-1> | Default value: 15
    Time in seconds during which the Drop Ship BIOS Extension shall wait for the hotkey to be inserted.

* Section [Manufacturing Test]
  - AssertedPCRs = <PcrsList>
    List of PCRs IDs to compare with the platform before sealing. Provided as a comma-separated list of Integers in range <0;23>. 
	Empty or missing value will be treated as an empty list.
  - PMFTrustedCaDir = <path_to_trusted_ca_directory> | No default value, parameter must be defined.
    A directory of trusted certificates.
  - PMFIntermediateCaDir = <path_to_intermediate_ca_directory> | No default value, parameter is optional.
    A directory of intermediate certificates. Additional untrusted certificates (intermediate issuer CAs)
    used to construct a certificate chain from the subject certificate to a trust-anchor.
  - PMFExternalCertificatePath = <pmf_external_certificate_path> | No default value, parameter is optional.
    An external file containing PEM-encoded PMF certificate.
  - BOMLocationVolumeLetterMismatchAllowed = 1 (Enabled) or 0 (Disabled) | Default value: 0
    Bypass partition letter mismatch for BOM file location in PMF.
  	
* Section [SEDLock]
  NOTE: This section applies only if SEDLockEnabled=1 in the [Seal Configuration] section.
  - IgnoreUSBDevices = 1 (Enabled) or 0 (Disabled) | Default value: 0
  - BlockSIDDetection = 1 (Enabled) or 0 (Disabled) | Default value: 1
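
A pre-flight check of the dependency and range rules listed in this section, as an added example (it is not part of the Intel(R) TDS Sealing package). It assumes the section names are spelled as in the "* Section [...]" headings above; lint_seal_ini and both sample INI texts are hypothetical and constructed for illustration.

```python
import configparser
import re

OEM_TOKENS = {"OEM_DEFINED_BLOB", "OEM_DEFINED_LITERAL"}
ID_TOKENS = {"UUID", "SERIAL_NUMBER"} | OEM_TOKENS


def lint_seal_ini(ini_text, external_device_id=None):
    """Return the list of rule violations in a seal.ini (empty list: none found)."""
    # Only "=" is a delimiter so that "::TOKEN::" in paths is left intact.
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(ini_text)
    problems = []

    def get(section, option, default=None):
        return cfg.get(section, option, fallback=default)

    def enabled(option):
        value = get("Seal Configuration", option, "0")   # documented default: 0
        if value not in ("0", "1"):
            problems.append(f"{option} must be 0 or 1, got {value!r}")
        return value == "1"

    id_source = get("Device Identification", "DeviceIdSource", "UUID")
    if id_source not in ID_TOKENS:
        problems.append(f"unsupported DeviceIdSource {id_source!r}")
    oem_sources = {id_source} & OEM_TOKENS

    if enabled("SealSigningEnabled"):
        method = get("SealSigning", "SealSigningMethod", "Software")
        if method == "Software":
            if not get("SealSigning_Software", "SealSigningKeyPath"):
                problems.append("Software signing needs SealSigningKeyPath")
        elif method == "TL3":
            path = get("SealSigning_TL3", "TL3OutputFilePath")
            if not path:
                problems.append("TL3 signing needs TL3OutputFilePath")
            else:
                # Tokens in the output path are delimited by double colons.
                tokens = set(re.findall(r"::([A-Za-z_]+)::", path))
                for token in sorted(tokens - ID_TOKENS):
                    problems.append(f"unknown token ::{token}:: in TL3OutputFilePath")
                oem_sources |= tokens & OEM_TOKENS
        else:
            problems.append(f"SealSigningMethod must be Software or TL3, got {method!r}")

    if len(oem_sources) > 1:
        problems.append("two different OEM_DEFINED Device ID sources are used at once")
    if oem_sources and not external_device_id:
        problems.append("--external_device_id is required for OEM_DEFINED sources")

    if enabled("CustomOptOutEnabled"):
        hotkey = get("CustomOptOut", "OptOutHotKey") or ""
        strokes = [k.strip() for k in hotkey.split(",")]
        if "" in strokes or len(strokes) > 7:
            problems.append("OptOutHotKey must hold 1 to 7 non-empty keystrokes")
        interval = get("CustomOptOut", "OptOutIntervalSeconds", "15")
        if not (re.fullmatch(r"[0-9]+", interval) and 15 <= int(interval) <= 2**32 - 1):
            problems.append("OptOutIntervalSeconds must be in 15..2^32-1")

    for item in get("Manufacturing Test", "AssertedPCRs", "").split(","):
        item = item.strip()
        if item and not (re.fullmatch(r"[0-9]+", item) and int(item) <= 23):
            problems.append(f"AssertedPCRs entry {item!r} is outside 0..23")
    return problems


# Constructed sample configurations (not shipped with the tool).
BAD_INI = """
[Seal Configuration]
SealSigningEnabled = 1
CustomOptOutEnabled = 1
[SealSigning]
SealSigningMethod = TL3
[SealSigning_TL3]
TL3Algorithm = SHA256-NULL-ENCRYPTION
TL3OutputFilePath = TDS_TL3_Seal_Identity_File_::OEM_DEFINED_LITERAL::.csv
[CustomOptOut]
OptOutIntervalSeconds = 5
[Manufacturing Test]
AssertedPCRs = 0, 7, 24
"""
GOOD_INI = BAD_INI.replace(
    "OptOutIntervalSeconds = 5",
    "OptOutHotKey = CTRL+ALT+o, CTRL+F1\nOptOutIntervalSeconds = 30",
).replace("0, 7, 24", "0, 7")

if __name__ == "__main__":
    for problem in lint_seal_ini(BAD_INI):
        print("seal.ini:", problem)
```

The check covers only the option dependencies and ranges documented above; it does not verify that the referenced key, certificate or output paths exist.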
	
4. Intel(R) TDS Sealing Tool Capabilities
-----------------------------------------

4.1. Sealing the device
-----------------------

To seal the device, use:
 > seal.exe --seal -g <pmf>  [-c <ini_config_file>] [-o <log_file>] [-v <0-3>] [-l <0-3>] [--force]
                             [--pmf_external_certificate_path=<pmf_external_certificate_path>] [--bypass_version_check]
                             [--external_device_id=<string>] [--tl3_output_file=<TL3_output_file>] [--ignore_usb_devices]  

Required Options:
      --seal                    seal the device
  -g  <pmf>                     path to the Platform Measurements File (PMF)

Optional Options:
  -c  <ini_config_file>         path to the Intel(R) TDS Sealing Tool Configuration file (Default: seal.ini)
  -o  <log_file>                path to log file
  -v  <0-3>                     run in verbose mode. 0 - OFF, 1 - BRIEF, 2 - INFO, 3 - DEBUG
  -l  <0-3>                     file logging level. 0 - OFF, 1 - BRIEF, 2 - INFO, 3 - DEBUG
        --force                 continue sealing even if PMF does not match the platform
        --pmf_external_certificate_path=<pmf_external_certificate_path> 
                                path to the external PMF Certificate
        --bypass_version_check  skip checking if Intel(R) TDS version on the platform 
                                is supported by this tool
        --external_device_id=<string>
                                provide Device ID as ASCII literal or hex string 
                                starting with 0x.
        --tl3_output_file=<TL3_output_file> 
                                path to the Trusted Level 3 output file
        --ignore_usb_devices    ignore usb devices while scanning disks available 
                                on the platform during SED lock / unlock operation
		  
Unicode characters will be converted to nearest ASCII.

Sealing executes the following steps:
  * check that device is not sealed
  * assert that platform matches the PMF by performing following tests:
    - validate that platform matches PMF::SystemInfoExtension
    - validate that Seal Signing public key hash is whitelisted in PMF::KeyManifestExtension
    - verify that certificate stored in PMF::CertificateExtension is valid and trusted
    - validate PCR values stored in PMF::PCRMetadataFileExtension
    - validate GPT layout stored in PMF::DiskMetadataFileExtension
    - validate disk partitions measurements integrity with PMF::DiskMetadataFileExtension
  * check if Platform Measurements File signature is valid
      note: This step only recalculates PMF signature. Certificate validation will be skipped.
  * lock self-encrypting disk.
  * set Platform Measurements File into CSME using GM_FILE_SET
  * configure the seal using DS_FEATURE_CONFIG command
  * enable seal using DS_FEATURE_ENABLE command


4.2. Sealing the device in Collection Mode
------------------------------------------

To seal the device in Collection Mode, use:
 > seal.exe --collection_mode_seal [-c <ini_config_file>] [-o <log_file>] [-v <0-3>] [-l <0-3>]
                                   [--bypass_version_check] [--external_device_id=<string>] 

Required Options:
      --collection_mode_seal    seal the device in Collection Mode

Optional Options:
  -c  <ini_config_file>         path to the Intel(R) TDS Sealing Tool Configuration file (Default: seal.ini)
  -o  <log_file>                path to log file
  -v  <0-3>                     run in verbose mode. 0 - OFF, 1 - BRIEF, 2 - INFO, 3 - DEBUG
  -l  <0-3>                     file logging level. 0 - OFF, 1 - BRIEF, 2 - INFO, 3 - DEBUG
      --bypass_version_check    skip checking if Intel(R) TDS version on the platform 
                                is supported by this tool
      --external_device_id=<string>
                                provide Device ID as ASCII literal or hex string 
                                starting with 0x.
                                
Unicode characters will be converted to nearest ASCII.

Sealing in Collection Mode executes the following steps:
  * check that device is not sealed
  * configure seal using DS_FEATURE_CONFIG command
  * enable seal using DS_FEATURE_ENABLE command

4.3. Unsealing the device
-------------------------

To unseal the device, use:
 > seal.exe --unseal [-r <0-2>] [-c <ini_config_file>] [-o <log_file>] [-v <0-3>] [-l <0-3>]
                                [--ignore_usb_devices] [--bypass_version_check]
                                [--ignore_get_version_errors] [--ignore_get_state_errors]

Required Options:
      --unseal                  unseal the device

Optional Options:
  -r, --reason=<0-2>            unseal reason
                                0 - Attestation Successfull
                                1 - Attestation Failed
                                2 - Seal Aborted (Default)
  -c  <ini_config_file>         path to the Intel(R) TDS Sealing Tool Configuration file (Default: seal.ini)
  -o  <log_file>                path to log file
  -v  <0-3>                     run in verbose mode. 0 - OFF, 1 - BRIEF, 2 - INFO, 3 - DEBUG
  -l  <0-3>                     file logging level. 0 - OFF, 1 - BRIEF, 2 - INFO, 3 - DEBUG
      --bypass_version_check    skip checking if Intel(R) TDS version on the platform 
                                is supported by this tool
      --ignore_get_version_errors  ignore DS_GET_VERSION command errors
                                while attempting to unseal the platform
      --ignore_get_state_errors ignore DS_FEATURE_GET_STATE command errors 
                                while attempting to unseal the platform
      --ignore_usb_devices      ignore usb devices while scanning disks available
                                on the platform during SED lock / unlock operation
                                
Unicode characters will be converted to nearest ASCII.

4.4. Checking if device is sealed
---------------------------------

To check if the device is sealed, use:
 > seal.exe --get_state [-c <ini_config_file>] [-o <log_file>] [-v <0-3>] [-l <0-3>]
                        [--bypass_version_check]

Required Options:
      --get_state               check if the device is sealed

Optional Options:
  -c  <ini_config_file>         path to the Intel(R) TDS Sealing Tool Configuration file (Default: seal.ini)
  -o  <log_file>                path to log file
  -v  <0-3>                     run in verbose mode. 0 - OFF, 1 - BRIEF, 2 - INFO, 3 - DEBUG
  -l  <0-3>                     file logging level. 0 - OFF, 1 - BRIEF, 2 - INFO, 3 - DEBUG
      --bypass_version_check    skip checking if Intel(R) TDS version on the platform 
                                is supported by this tool
                                
Unicode characters will be converted to nearest ASCII.

4.5. Validating Platform Measurements File (PMF) against current platform
-------------------------------------------------------------------------

To validate Platform Measurements File against current platform, use:
 > seal.exe --check_pmf -g <pmf> [-c <ini_config_file>] [-o <log_file>] [-v <0-3>] [-l <0-3>]
                                 [--pmf_external_certificate_path=<pmf_external_certificate_path>] [--bypass_version_check]

Required Options:
      --check_pmf               validate PMF against current platform
  -g  <pmf>                     path to the PMF

Optional Options:
  -c  <ini_config_file>         path to the Intel(R) TDS Sealing Tool Configuration file (Default: seal.ini)
  -o  <log_file>                path to log file
  -v  <0-3>                     run in verbose mode. 0 - OFF, 1 - BRIEF, 2 - INFO, 3 - DEBUG
  -l  <0-3>                     file logging level. 0 - OFF, 1 - BRIEF, 2 - INFO, 3 - DEBUG
      --pmf_external_certificate_path=<pmf_external_certificate_path> 
                                path to the external PMF Certificate
      --bypass_version_check    skip checking if Intel(R) TDS version on the platform 
                                is supported by this tool
                                
Unicode characters will be converted to nearest ASCII.
                                
5. Logging options
--------------------

Logging options can be set in the configuration file or on the command line. If they are not set by either of these methods,
Intel(R) TDS Sealing uses default values.

Logging options priority:
  Options set in command line have the highest priority, second to them are options set in configuration file, default
  options have the lowest priority.

Command line options:
  The command line verbosity level is set with the -v option and a value from the range 0-3.
  The log file path is set with the -o option, and the log file verbosity level is set
  with the -l option and a value from the range 0-3.

Configuration file options:
  The configuration file does not contain any option to set the command line verbosity level.
  The file logging section contains the FileLogPath option, which sets the log file path, and the FileLogLevel option,
  which sets the log file verbosity level with a value from the range 0-3.

Available verbosity values:
  Command line verbosity levels: OFF, BRIEF, INFO, DEBUG.
  Log file verbosity levels: OFF, BRIEF, INFO, DEBUG.

Default values:
  Command line verbosity level: BRIEF
  Log file verbosity level: DEBUG

Remarks:
  If file logging verbosity level is set to OFF, then the log file will not be created.


6. Intel(R) TDS Sealing Tool Features description
--------------------

6.1. Trust Level 1 (TL1) Seal Signing
-------------------------------------

TL1 is the Intel(R) TDS Sealing software-based seal signing method, which takes a path to a private key file as input.
To enable the Seal signing feature, enable the SealSigningEnabled option in the ini configuration file, then set the signing
method in the SealSigningMethod option and provide the path to your private key (RSA-2048) in encrypted or
unencrypted PKCS8 format.

The private key can be generated with the OpenSSL library as follows:
    a) generate RSA private key in PKCS#1 format:
           openssl genrsa -out private.pem 2048
    b) convert PKCS#1 key to PKCS#8 format:
           openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private.pem -out private_pkcs8.pem

If the private key needs to be password-protected, remove the -nocrypt argument and type
the password. When the private key is password-protected, set the SEAL_KEY_PASSWORD environment
variable to the valid password.

6.2. Trust Level 3 (TL3) Seal Signing
-------------------------------------

The Intel(R) TDS Sealing Trust Level 3 (TL3) seal signing method generates an output file
that conforms to the CSV file format as defined by [RFC 4180], with the following clarifications:
    1. The separator character is set to “,” (comma).
    2. The file begins with the following line: sep=, - this allows the CSV file to be opened in Microsoft Excel
    independently of regional settings. Other entities parsing the CSV are expected to skip this line.
    3. The second line in the file contains the file header with version. It should match the following data: “TDS TL3 Seal File,version,1”.
    4. The third line is an empty line left to separate data from headers. Significant data starts with the fourth line,
    which contains the following column titles: “Seal Date & Time,Device ID Type,Device ID,Seal Instance ID,TL3 Sign Algorigthm,Seal Integrity Data”.

The first and only data record is placed in the fifth line and contains data retrieved from TL3 seal signing on the particular platform.
Data fields correspond to the respective columns:
    1. Seal Date & Time - contains a timestamp of the sealing event, in UTC time zone - formatted according to [ISO 8601].
    2. Device ID Type - contains the chosen Device Identification type name. See section 3. [Device Identification] for details.
    3. Device ID - contains the value of the chosen Device Identification. Its format is determined by Device ID Type. See section 3. [Device Identification] for details.
    4. Seal Instance ID - contains identification of the sealing instance in number format.
    5. TL3 Sign Algorigthm - contains the algorithm name used in TL3 Seal signing.
    6. Seal Integrity Data - contains Seal Data. For the SHA256-NULL-ENCRYPTION algorithm it is the Seal Integrity data SHA256 hash encoded as a hex string.

Example TL3 seal signing output full file content:
===================
sep=,
TDS TL3 Seal File,version,1

Seal Date & Time,Device ID Type,Device ID,Seal Instance ID,TL3 Sign Algorigthm,Seal Integrity Data
2020-07-15T08:33:04Z,UUID,6ED6FF6C-E8F0-4EBE-BC27-F2B5047B7B6F,1234567295,SHA256-NULL-ENCRYPTION,6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
===================
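
A strict reader for the file layout described above, as an added example (it is not part of the Intel(R) TDS Sealing package). The names parse_tl3_seal_file, TL3SealRecord and TL3FormatError are hypothetical; the code assumes the timestamp always has the form shown in the example file and that the 32-byte blob limit counts decoded bytes.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Column titles exactly as the file carries them ("Algorigthm" is the file's own spelling).
COLUMNS = ["Seal Date & Time", "Device ID Type", "Device ID",
           "Seal Instance ID", "TL3 Sign Algorigthm", "Seal Integrity Data"]
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
# Assumption: the 32-byte limit counts decoded bytes, i.e. at most 64 hex digits.
BLOB_RE = re.compile(r"0x(?:[0-9A-F]{2}){1,32}")

# The example file from section 6.2 of this document.
SAMPLE = (
    "sep=,\n"
    "TDS TL3 Seal File,version,1\n"
    "\n"
    "Seal Date & Time,Device ID Type,Device ID,Seal Instance ID,"
    "TL3 Sign Algorigthm,Seal Integrity Data\n"
    "2020-07-15T08:33:04Z,UUID,6ED6FF6C-E8F0-4EBE-BC27-F2B5047B7B6F,1234567295,"
    "SHA256-NULL-ENCRYPTION,"
    "6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B\n"
)


class TL3FormatError(ValueError):
    """The file does not match the TL3 seal file layout."""


@dataclass(frozen=True)
class TL3SealRecord:
    sealed_at: datetime
    device_id_type: str
    device_id: str
    seal_instance_id: int
    algorithm: str
    integrity_data: bytes


def _device_id_ok(id_type, value):
    """Check the Device ID against the limits given for its type in section 3."""
    size = len(value.encode("utf-8"))
    if id_type == "UUID":
        return GUID_RE.fullmatch(value) is not None
    if id_type == "OEM_DEFINED_BLOB":
        return BLOB_RE.fullmatch(value) is not None
    if id_type == "SERIAL_NUMBER":
        return 0 < size <= 31
    if id_type == "OEM_DEFINED_LITERAL":
        return 0 < size <= 31 and not value.startswith("0x")
    raise TL3FormatError(f"unknown Device ID Type {id_type!r}")


def parse_tl3_seal_file(text):
    """Parse and validate a TL3 seal file; raise TL3FormatError on any deviation."""
    rows = list(csv.reader(io.StringIO(text.lstrip("\ufeff"), newline="")))
    while rows and rows[-1] == []:          # tolerate trailing blank lines
        rows.pop()
    if len(rows) != 5:
        raise TL3FormatError(f"expected 5 lines, found {len(rows)}")
    if rows[0] != ["sep=", ""]:             # csv splits the literal line "sep=,"
        raise TL3FormatError("first line is not 'sep=,'")
    if rows[1] != ["TDS TL3 Seal File", "version", "1"]:
        raise TL3FormatError("unexpected file header or version")
    if rows[2] != []:
        raise TL3FormatError("third line must be empty")
    if rows[3] != COLUMNS:
        raise TL3FormatError("unexpected column titles")
    if len(rows[4]) != len(COLUMNS):
        raise TL3FormatError("data record has the wrong number of fields")
    when, id_type, device_id, instance, algorithm, data = rows[4]
    try:   # assumption: timestamps use the same ISO 8601 form as the example
        sealed_at = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise TL3FormatError(f"bad timestamp {when!r}") from exc
    if not _device_id_ok(id_type, device_id):
        raise TL3FormatError(f"Device ID does not fit type {id_type}")
    if not re.fullmatch(r"[0-9]+", instance):
        raise TL3FormatError("Seal Instance ID is not a number")
    if algorithm != "SHA256-NULL-ENCRYPTION":
        raise TL3FormatError(f"unsupported algorithm {algorithm!r}")
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", data):
        raise TL3FormatError("Seal Integrity Data is not a SHA256 hex digest")
    return TL3SealRecord(sealed_at, id_type, device_id, int(instance),
                         algorithm, bytes.fromhex(data))


if __name__ == "__main__":
    print(parse_tl3_seal_file(SAMPLE))
```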

6.3. Opt-out hotkey sequence
-------------------
Type the Opt-out key sequence to break the DropShip boot. The maximum number of keystrokes in a sequence is currently 7.
Keystrokes have to be separated by commas; whitespace between them is ignored. Specific keys within a keystroke
have to be separated by a plus sign. Left and right variants of shift state keys such as SHIFT, CTRL, ALT are not distinguished.

HotkeySequence := <Hotkey>[','<Hotkey>](1;7)

        Hotkey := [<ShiftStates>'+']<ScanCode>

    ShiftState := ('SHIFT' | 'CTRL' | 'ALT' | 'LOGO' | 'MENU' | 'SYS_RQ')

      ScanCode := ('UP' | 'DOWN' | 'RIGHT' | 'LEFT' | 'HOME' | 'END' | 'INSERT' | 'DELETE' | 'PG_UP' | 'PG_DN' |
                   'F1' (...) 'F12' | <one of: [`-=[];\'/.] > | <digit> | <lowercase a-z letter > | 'TAB' | 'BACKSPACE' | 'ENTER' |
                   'SPACE' | 'COMMA')

Example:
    OptOutHotKey = CTRL+ALT+o, CTRL+COMMA, CTRL+F1, SHIFT+ALT+ESC

6.4.  Verification of the disk measurements
----------------------------------------
Disk measurement types supported in this release of the tool:
- BOM_PROVIDED(3)

6.4.1 Verification of the BOM_PROVIDED(3) measurement
----------------------------------------
For each partition in the PMF that has BOM_PROVIDED(3) measurement type specified, the Intel(R) TDS Sealing Tool checks that the hash of BOM file provided in the PMF matches the digest of the file on disk.
Semantics of the BOM file are not checked - this is an OEM-specific step which depends on the actual BOM contents and the OEM implementation of the measurement.

The Intel(R) TDS Sealing Tool additionally checks that the BOM file path is absolute and located on the partition being measured(*).

(*) Intel(R) TDS Sealing Tool will check if the volume letter in the path matches the volume indicated by the LBA range. In order to support different volume letter mappings
    in the manufacturing environment, the tool allows bypassing the letter<>LBA range assertion.
    When the 'BOMLocationVolumeLetterMismatchAllowed' option is set to 1 in the configuration file (section: [Manufacturing Test]), the tool will ignore the drive letter mismatch.
       
Known limitation:
In the current version, the partition being measured must be assigned to a volume letter in order to retrieve BOM file from it.

6.5.  System Timezone override functionality
----------------------------------------
Intel(R) TDS Sealing Tool allows the user to provide a custom timezone to be used instead of the System timezone.
The tool will read the local time from the System and treat it as local time for the provided timezone.

To override the System Timezone for the sealing time, set the System Timezone field in the configuration file.

Supported format:
 - auto - the tool will use the actual timezone read from the system (no override)
 - Timezone Offset: UTC[+/-]HH:MM - the tool will treat system time as local for the provided timezone.
   Allowed values are within the following range: (UTC-23:59, UTC+23:59).
   This method does not support Daylight Saving Time (DST) tracking.
 - System Timezone Name: the name of a timezone supported by the Intel(R) TDS Sealing Tool - the tool will behave in the same
   way as with a timezone offset, but the offset will be retrieved as the actual one for the given timezone name. With this method, some
   timezones support Daylight Saving Time tracking. If the timezone supports DST tracking, the user can
   disable it by adding '_dstoff' offset. To list supported timezone names, run the --list_timezones mode.


7.  Return codes
------------------

Intel(R) TDS Sealing Tool exits with following return codes:
-  RC_SUCCESS                  (0) -> Returned when finished with success.
-  RC_HECI_COMMUNICATION_ERROR (2) -> Returned when HECI communication failed.
-  RC_INVALID_PARAMETERS       (3) -> Returned when invalid parameters were passed to the tool (including wrong CLI input,
                                      errors during parsing Platform Measurement file or invalid INI configuration).
-  RC_WRONG_STATE              (4) -> Returned if the device is sealed when sealing or unsealed when unsealing.
-  RC_VALIDATION_ERROR         (5) -> Returned if Platform Measurement does not match current platform
-  RC_INTERNAL_ERROR           (1) -> Returned when unexpected error occurred.
-  RC_GENERIC_ERROR            (8) -> Returned when an error occurred that is hard to classify. Error description is stored in log file.

                                      code is defined.
-  RC_VERSION_ERROR            (6) -> Returned when Intel(R) TDS version is not supported.
-  RC_NOT_SUPPORTED            (7) -> Returned when hardware setup is not supported.

8. Troubleshooting
------------------

8.1 Symptom: Cannot boot to the OS after sealing a device with SEDLockEnabled.

    Probable causes:
        - Disk cannot be unlocked during device boot.
        - PBA is not enabled.

    How to recover:
        - Boot WinPE and perform unseal operations using the Intel(R) TDS Sealing Tool. The drive will be
          unlocked by the Intel(R) TDS Sealing Tool.
        - If the unseal operation does not work, proceed with a PSID revert operation using the BIOS (if supported)
          or with a publicly available tool. PSID revert restores the use of the disk.
          WARNING: PSID revert removes all data on the disk.

8.2 Symptom: Intel(R) TDS Sealing Tool fails to seal the device reporting an error that disk is already locked.

    Probable causes:
        - The disk is locked by another external tool.

    How to recover:
        - If the password is known then unlock the disk using an external tool and perform seal 
          operations again.
        - If the password is not known, perform a PSID revert operation using the BIOS (if supported) or with publicly
          available tools. PSID revert restores the use of the disk.
          WARNING: PSID revert removes all data on the disk.

8.3 Symptom: Intel(R) TDS Sealing Tool fails to seal the device reporting an error that hardware setup is not supported.

    Probable causes:
        - The disk is not a Self Encrypting Drive (SED).
        - The disk is not compatible with the Opal family specification.
        - The number of available physical disks is greater than 1.

    How to recover:
        - Make sure that the disk supports Self Encrypting Drive feature and is compatible with Opal
          family specification.
        - Change the platform with one physical disk that supports Self Encrypting Drive feature.

9. Known issues
---------------

9.1 Symptom: Sealing with Disk Lock feature enabled fails when Intel(R) RST driver (IAStorA.sys, up to version 17.5) is installed.

    There are 4 options to recover:
        - Use different driver (e.g. Microsoft Inbox NVMe Driver)
        - Update Intel(R) RST driver to version 17.8
        - Proceed with Seal step by disabling disk locking. This allows E2E flow to move forward if using an iRST 17.5 RST driver
        - Use an alternate OPALv2 or Pyrite (v1 or v2)-compliant NVMe Self Encrypting Drive (SED), unlocked and not activated
          Example: Samsung SSD 960 512 GB or Toshiba XG5 (KXG5AZNV512G)
		  
9.2 Symptom: Sealing with Disk Lock feature enabled fails when running on Windows* PE with Microsoft Inbox NVMe Driver.
    Issue was observed on the one specific WHL platform with Intel(R) 7600p series disk drive.

    There are 2 options to recover:
        - Use different driver (e.g. Intel(R) RST driver)
        - Use an alternate OPALv2 or Pyrite (v1 or v2)-compliant NVMe Self Encrypting Drive (SED), unlocked and not activated
          Example: Samsung SSD 960 512 GB or Toshiba XG5 (KXG5AZNV512G) 

9.3 Symptom: Sealing with Seal Signing TL3 enabled and the serial number used as a token in the TL3OutputFilePath option refuses to save the TL3 file if the S/N contains some characters.
    The issue was observed when the platform's serial number contained characters outside [0-9a-zA-Z_-.].

    There is 1 option to recover:
        - Do not use the serial number token (::SERIAL_NUMBER::) in TL3OutputFilePath on platforms whose serial number contains characters outside the specified range.
	
