AEM and TPM no longer working

qubenix

Jan 20, 2017, 3:22:38 PM
to qubes...@googlegroups.com
I'm using a Thinkpad T420. When I first installed AEM, I had to disable
TXT in order to get any output from `cat /sys/devices/*/*/pcrs`. I
wasn't really sure if TXT was needed back then, but I understand now
that it is.

A few hours ago I did my dom0 update from qubes-dom0-current-testing,
and I got the AEM related upgrades. After rereading the docs on
installing I decided to reinstall AEM the proper way with TXT. Here are
the steps I took and the results (tl;dr: I can't see the tpm no matter
what now).

1. I shut down and go to BIOS where I enable TXT.

2. Startup with AEM does not work.

3. Startup without AEM. No output from `cat /sys/devices/*/*/pcrs`, even
though the file exists.

4. Shutdown, to BIOS, disable TXT.

6. Startup without AEM. Output from `cat /sys/devices/*/*/pcrs` is
normal. Following docs I issue `tpm_clear -y`. Output and docs tell me
to restart (docs mention clearing tpm in BIOS, but stdout does not).

7. Restart, to BIOS, option for clearing tpm is gone from BIOS?!?!

8. Whether TXT is enabled or not, the pcrs file is always blank and no
tpm commands can communicate with the device.

Any ideas? I've attempted disabling and reenabling the chip in BIOS to
no effect.

--
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

Rusty Bird

Jan 20, 2017, 4:18:45 PM
to qubenix, qubes...@googlegroups.com
qubenix:
> 7. Restart, to BIOS, option for clearing tpm is gone from BIOS?!?!

The option is only available on cold boot, not when you restart.

Rusty

qubenix

Jan 20, 2017, 10:14:02 PM
to Rusty Bird, qubes...@googlegroups.com
Rusty Bird:
> qubenix:
>> 7. Restart, to BIOS, option for clearing tpm is gone from BIOS?!?!
>
> The option is only available on cold boot, not when you restart.
>
> Rusty
>
Thank you for the reply, Rusty. That was the problem for clearing tpm in
BIOS, but that didn't fix the issue. All tpm related tools believe tpm
is disabled, and the pcrs file is always empty with TXT or without.
I am 100% sure that the chip is active in BIOS. Any other ideas?
--
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

Rusty Bird

Jan 21, 2017, 6:17:49 AM
to qubenix, qubes...@googlegroups.com
qubenix:
> All tpm related tools believe tpm
> is disabled, and the pcrs file is always empty with TXT or without.
> I am 100% sure that the chip is active in BIOS. Any other ideas?

Not really, sorry. Maybe dmesg has something interesting?

Rusty

Chris Laprise

Jan 23, 2017, 2:44:33 PM
to qubenix, qubes...@googlegroups.com
On 01/21/2017 06:16 AM, Rusty Bird wrote:
> qubenix:
>> All tpm related tools believe tpm
>> is disabled, and the pcrs file is always empty with TXT or without.
>> I am 100% sure that the chip is active in BIOS. Any other ideas?
> Not really, sorry. Maybe dmesg has something interesting?
>
> Rusty

This is interesting, since AEM was created on a similar system (T420s
IIRC) that probably has the same TPM chip.

In this case, I would suggest updating the BIOS, then enabling TXT and
properly clearing the TPM (w/ power-off) before taking ownership.

Chris