TPM not working after the mod #21

Closed
Rawit-git opened this issue Jan 26, 2020 · 7 comments

@Rawit-git

The TPM seems to be stuck in MFG mode after the mod. TPM.msc and such claim that it cleared the TPM, but trying to use BitLocker gives me an "internal error detected". In the BIOS the security chip is set to MFG (manufacturing mode), with no other options. Any way to fix this?

@Rawit-git
Author

Rawit-git commented Jan 27, 2020

I reverted back to 2.60 through IVprep. TPM remained unusable until I cleared the Security Chip from the BIOS. This option appears when you do the following:

  • Set a supervisor password;
  • Save and boot;
  • Turn off machine completely;
  • Enter BIOS on cold boot and check the Security Chip section for the option; it will not appear right away.

I reflashed the machine afterwards with the mod. TPM could not be used again by BitLocker. I've tried the steps above to clear the Security Chip, but the option hasn't appeared yet (10+ cold boots).

@n4ru
Owner

n4ru commented Feb 2, 2020

Investigating this, but don't hold your breath - might be a side effect of using a custom Lenovo BIOS mod that I might have overlooked. I apologize. Thank you for the information.

@n4ru
Owner

n4ru commented Feb 2, 2020

As an aside, you may still use BitLocker with a manually typed password instead of the TPM. If you find any additional information, I'll reopen this thread. For now, it seems like we're stuck unable to use TPM.

@n4ru n4ru closed this as completed Feb 3, 2020
@pgera

pgera commented Feb 9, 2020

I discovered this issue when I did the original PoC. From what I remember, TPM works, but you need to take ownership before the BIOS is patched, i.e., you can take ownership with a stock BIOS, but not if it is patched. However, if you provision it in the stock state, the TPM state persists after the mod. I don't use Windows or BitLocker, but this can be verified on Linux with simple-tpm-pk11.

@pgera

pgera commented Feb 9, 2020

I should also point out that TPM will work as expected with coreboot. So if you need reliable TPM, coreboot + SeaBIOS is always an option. The usability of coreboot across different models and OSes will vary. The NVIDIA GPU ones are problematic with coreboot, and Windows is not as heavily tested.

@n4ru
Owner

n4ru commented Feb 20, 2020

Thanks for the information. I'll integrate it into the FAQ.

@pgera

pgera commented Feb 21, 2020

Btw, I only tested the TPM with the additional patches in that thread that match the signatures and hashes (i.e., the ones for removing the 5 beeps). I didn't see any code in this repository for fixing up those things. Is that already in the patcher binary?
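
An added example, not part of the thread or the project's code: a pre-flash check on Linux for the ownership state pgera describes, so the TPM can be confirmed as provisioned on the stock BIOS before patching. It assumes a TPM 1.2 chip and a kernel that exposes the `enabled`, `active` and `owned` sysfs attributes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: TPM 1.2 with the kernel's "enabled", "active"
# and "owned" sysfs attributes; their location varies by kernel version.

# tpm_attr DIR NAME: print the attribute value, or "unknown" if unreadable.
tpm_attr() {
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    else
        printf 'unknown'
    fi
}

# tpm_state DIR: print provisioned | unowned | disabled | unknown.
tpm_state() {
    state="$(tpm_attr "$1" enabled)/$(tpm_attr "$1" active)/$(tpm_attr "$1" owned)"
    case "$state" in
        1/1/1)     echo provisioned ;;  # ownership taken; safe point to patch
        1/1/0)     echo unowned ;;      # take ownership on the stock BIOS first
        *unknown*) echo unknown ;;      # attributes missing (e.g. not TPM 1.2)
        *)         echo disabled ;;     # chip disabled or deactivated in BIOS
    esac
}

# find_tpm_dir: print the first directory that carries the attributes.
find_tpm_dir() {
    for d in /sys/class/tpm/tpm0 /sys/class/tpm/tpm0/device; do
        if [ -r "$d/owned" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# preflash_check: report the state of the local TPM before flashing.
preflash_check() {
    if dir=$(find_tpm_dir); then
        echo "TPM state: $(tpm_state "$dir")"
    else
        echo "TPM state: unknown (no TPM 1.2 sysfs attributes found)"
    fi
}

# Run the check only when invoked as: sh script.sh check
if [ "${1:-}" = "check" ]; then
    preflash_check
fi
```

Anything other than `provisioned` on the stock BIOS means the ownership step is still outstanding.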

3 participants