
TPM 2.0, Measured Boot & Verified Boot Questions #1120

Open
Interman90 opened this issue Nov 4, 2024 · 23 comments

Comments

@Interman90

Interman90 commented Nov 4, 2024

I contacted Novacustom because I'm interested in their V54 14" Laptop (with Dasharo UEFI Firmware) and asked them a couple of questions.
https://novacustom.com/product/v54-series/

Their answers surprised me a little bit and I want to double check, so that's what this post is for.

  1. They told me that it is NOT possible to disable TPM (2.0) in the (Dasharo) UEFI/BIOS.
    They even re-verified that after I pointed out there is an option "disable" (on the right of the picture) to be seen in the Dasharo docs.
    They don't know why that option is there (they suggested I ask here) but it's definitely not possible to disable the TPM chip, they said.

    (screenshot: TCG2 Configuration)

    • Is it really not possible to disable TPM (2.0)?
    • If so, why?
    • And why is there an option "Disable" then?
  2. They also said it's not possible to disable Measured Boot and Verified Boot. True?
    (According to my research, disabling TPM 2.0 would also disable Measured Boot. But if you can't disable TPM that obviously won't help.)

    2.1. AFAIK Measured Boot and Verified Boot only make sure the UEFI Firmware has not been compromised. Am I right?
    (In this case I would not have to disable them anyway.)

  3. Am I right in assuming that Linux (in my case Debian-based distros) does not use TPM (2.0) for anything unless the user actively sets it up?
    (In other words, by default the OS ignores that the computer has a TPM 2.0 chip.)
    Because I do not want to use TPM (2.0) / encrypt anything on my system.

@miczyg1
Contributor

miczyg1 commented Nov 4, 2024

Is it really not possible to disable TPM (2.0)?
If so why?
And why is there an option "Disable" then?

It is not possible. All you can do is make the firmware not touch it. TPM1.2 had a command to disable/deactivate it, but TPM2.0 doesn't. That's how Intel hardware works. The chipset always routes the TPM access to either fTPM or dTPM.

This is not an option. The text displayed on the right is just a help text. What you see is just a text label:

```
text
  help   = STRING_TOKEN(STR_TCG2_DEVICE_STATE_HELP),
  text   = STRING_TOKEN(STR_TCG2_DEVICE_STATE_PROMPT),
    text   = STRING_TOKEN(STR_TCG2_DEVICE_STATE_CONTENT);
```

With strings defined as:

```
#string STR_TCG2_DEVICE_STATE_PROMPT        #language en-US "Current TPM Device"
#string STR_TCG2_DEVICE_STATE_HELP          #language en-US "Current TPM Device: Disable, TPM1.2, or TPM2.0"
#string STR_TCG2_DEVICE_STATE_CONTENT       #language en-US ""
```

So "Disable" would mean no TPM detected at all, or TPM1.2 or TPM2.0. The TPM device type string is updated at runtime:

```c
  //
  // Update static data
  //
  switch (PrivateData->TpmDeviceDetected) {
    case TPM_DEVICE_NULL:
      HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_TCG2_DEVICE_STATE_CONTENT), L"Not Found", NULL);
      break;
    case TPM_DEVICE_1_2:
      HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_TCG2_DEVICE_STATE_CONTENT), L"TPM 1.2", NULL);
      break;
    case TPM_DEVICE_2_0_DTPM:
      HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_TCG2_DEVICE_STATE_CONTENT), L"TPM 2.0", NULL);
      break;
    default:
      HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_TCG2_DEVICE_STATE_CONTENT), L"Unknown", NULL);
      break;
  }
```

So it is just a bad description which was developed by upstream EDK2 developers.

They also said it's not possible to disable Measured Boot and Verified Boot. True?
(According to my research, disabling TPM 2.0 would also disable Measured Boot. But if you can't disable TPM that obviously won't help.)

Yes, it is not possible to disable any of those. Removing the TPM will only cause the measurements from measured boot to not be recorded into TPM PCRs, that's all. The measurements will still live in the TPM log area, although it will not be exposed if the TPM is removed (if the TPM is socketable on a pin header, for example).

AFAIK Measured Boot and Verified Boot only make sure the UEFI Firmware has not been compromised. Am I right?
(In this case I would not have to disable them anyway.)

That's verified boot's task. Measured boot only gives information about what the hashes of the executed components were and delivers information about the final state of the platform in the form of PCR values.

Am I right in assuming that Linux (in my case Debian-based distros) does not use TPM (2.0) for anything unless the user actively sets it up?
(In other words, by default the OS ignores that the computer has a TPM 2.0 chip.)
Because I do not want to use TPM (2.0) / encrypt anything on my system.

There are things like IMA which may leverage the TPM for their purposes. The PC does not ignore the TPM: it has a driver and initializes it (probably does a basic, fixed set of operations at the beginning and that's it). Besides that, it is up to the user to interact with the TPM. Windows probably does much more with the TPM than Linux.
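To make concrete what measured boot actually records (hashes of executed components extended into PCRs, with the individual measurements kept in the event log), here is an added example that is not part of this thread or of Dasharo/EDK2. It replays a constructed SHA-256 event log into simulated PCRs and shows that a changed bootloader alters PCR4 only, and that a truncated log no longer explains the reported PCR values; the event-type names and component bytes are placeholders.

```python
# Added example for this thread (not Dasharo/EDK2 code): replay a measured-boot
# event log into simulated SHA-256 PCRs to show what measured boot records.
import hashlib

PCR_COUNT = 8                       # static PCRs 0-7
INITIAL_PCR = b"\x00" * 32          # static PCRs start zeroed at reset


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: new = H(old || digest); the order of extends matters."""
    return sha256(pcr_value + digest)


def make_event(pcr_index: int, event_type: str, component: bytes):
    """Measure a component: the log stores H(component), not the component."""
    return (pcr_index, event_type, sha256(component))


def replay_log(events):
    """Recompute every PCR from (pcr_index, event_type, digest) log entries."""
    pcrs = {i: INITIAL_PCR for i in range(PCR_COUNT)}
    for index, _event_type, digest in events:
        pcrs[index] = extend(pcrs[index], digest)
    return pcrs


def verify_log(events, reported_pcrs):
    """PCR indices whose replayed value differs from the TPM-reported value.

    Empty means the log explains the PCRs; otherwise the log was altered or
    truncated after the firmware took the measurements."""
    expected = replay_log(events)
    return sorted(i for i in expected if expected[i] != reported_pcrs.get(i))


# Constructed event log; PCR indices follow the TCG PC Client convention
# (PCR0 firmware code, PCR4 boot manager code, PCR7 Secure Boot policy).
# The component bytes are placeholders standing in for real binaries.
BASELINE_LOG = [
    make_event(0, "EV_S_CRTM_VERSION", b"coreboot-constructed-1.0"),
    make_event(0, "EV_EFI_PLATFORM_FIRMWARE_BLOB", b"UefiPayload (placeholder)"),
    make_event(7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"SecureBoot=1 PK KEK db dbx"),
    make_event(4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"grubx64.efi (placeholder)"),
]


def tampered_bootloader_log():
    """Same boot path with one byte of the bootloader changed."""
    log = list(BASELINE_LOG)
    log[3] = make_event(4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"grubx64.efi (placeholder!)")
    return log


if __name__ == "__main__":
    good, bad = replay_log(BASELINE_LOG), replay_log(tampered_bootloader_log())
    for i in (0, 4, 7):
        print(f"PCR{i} {good[i].hex()[:16]}... changed={good[i] != bad[i]}")
    # Dropping the bootloader entry leaves PCR4 unexplained by the log.
    print("mismatch after truncation:", verify_log(BASELINE_LOG[:3], good))
```

Removing or ignoring the TPM, as discussed above, only removes the PCR side of this: the log entries are still produced by the firmware, but nothing can attest to them.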

@pietrushnic

@miczyg1 Doesn't the HAP bit disable fTPM?

Am i right assuming that Linux (in my case Debian based Distros) do not use TPM (2.0) for anything except the user actively sets it up?

Yes, you have to explicitly tell the system what to do with information stored by the TPM, e.g., you can encrypt your disk with a secret sealed to a certain state of the TPM using systemd-cryptenroll.

@miczyg1
Contributor

miczyg1 commented Nov 4, 2024

I have opened PRs that fix the help text, which caused confusion:
Dasharo/edk2#173
Dasharo/edk2#174

@miczyg1
Contributor

miczyg1 commented Nov 4, 2024

@miczyg1 Doesn't the HAP bit disable fTPM?

Yes, it does, but all NVC laptops have a dTPM. Also the ME is configured to always disable fTPM in our builds, so you are forced to use dTPM anyway. If fTPM is disabled, the TPM access is routed to SPI, otherwise it is always routed to fTPM. It is always routed to one or the other. Never totally disabled/blocked.

@pietrushnic

@miczyg1, is this an onboard soldered dTPM? If the dTPM is on the SPI bus, the BIOS and kernel should be able to soft-disable it by not loading any drivers or communicating with that chip. IIUC SPI devices cannot initiate communication themselves.

Are we aware if proprietary solutions have the ability to disable dTPMs?

@Interman90 What threat or attack model are you trying to avoid here? Knowing that we can help mitigate potential risks.

@miczyg1
Contributor

miczyg1 commented Nov 4, 2024

@miczyg1, is this an onboard soldered dTPM? If dTPM is on the SPI bus, the BIOS and kernel should be able to soft-disable it by not loading any drivers or communicating with that chip. IIUC SPI devices cannot initiate communication itself.

It is soldered. And as I already wrote in my first comment it is only possible to NOT touch the TPM in the firmware. But it doesn't make the TPM disabled.

Are we aware if proprietary solutions have the ability to disable dTPMs?

I'm not, at least.

@mkopec
Member

mkopec commented Nov 4, 2024

Are we aware if proprietary solutions have the ability to disable dTPMs?

Lenovos have an option to set the TPM to inactive or disabled. I don't know what it does though...

Maybe disabling SPI TPM in the flash descriptor would work?

@miczyg1
Contributor

miczyg1 commented Nov 4, 2024

Maybe disabling SPI TPM in the flash descriptor would work?

That would still route the TPM traffic to fTPM I think. But with ME disabled, the fTPM would simply not communicate with the CPU? Hacky, but could maybe serve the purpose...

@pietrushnic

We can consider that as a feature only if the attack model is clearly explained and supported by at least a couple of requests for confirmation from Wessel. This has enough value.

@wessel-novacustom

We can consider that as a feature only if the attack model is clearly explained and supported by at least a couple of requests for confirmation from Wessel. This has enough value.

If more potential customers reply here with this same request, we can proceed with a feature request. However, I don't think there is enough demand for a TPM disabling feature.

@Interman90
Author

Text displayed on the right is just a help text. What you see is just a text label ... So disable would be no TPM detected at all ... So it is just a bad description which was developed by upstream EDK2 developers.

Thanks for the clarification.

TPM1.2 had a command to disable/deactivate it, but TPM2.0 doesn't. That's how Intel hardware works. The chipset always routed the TPM access to either fTPM or dTPM

Doesn't the HAP bit disable fTPM?

Yes it does, but all NVC laptops have a dTPM. Also the ME is configured to always disable fTPM in our builds, so you are forced to use dTPM anyways. If fTPM is disabled, the TPM access is routed to SPI, otherwise it is always routed to fTPM. It is always routed to one or another. Never totally disabled/blocked.

Lenovos have option to set the TPM to inactive or disabled. I don't know what it does though... Maybe disabling SPI TPM in the flash descriptor would work?

That would still route the TPM traffic to fTPM I think. But with ME disabled, the fTPM would simply not communicate with CPU? Hacky but could maybe serve the purpose...

I also noticed that on Lenovo Thinkpads there is an option to disable TPM 2.0.
https://download.lenovo.com/bsco/index.html#/ (Select Model, e.g. Thinkpad P14s Gen 5, then go to Security -> Security Chip)

So it seems like this would be possible. (Even though TPM 2.0 has no official command to disable it.)
But probably easier on fTPM-only devices, which the Thinkpads most likely are?

What threat or attack model are you trying to avoid here?

I'm looking to keep the system simple. If I do not need/want something then I do not want it to be enabled, or ideally not present at all.
I don't want TPM because I do NOT want to encrypt ANYTHING on my computer.
Unfortunately it's sometimes hard to say which OS and software uses TPM 2.0 (this can also change with updates) and I want to avoid stuff being encrypted, especially without me knowing.
Therefore, if I could disable TPM (2.0) I would be able to sleep way better at night. (My current systems do not have a TPM 2.0 chip, but I will soon have to replace them, starting NOW with the laptop...)

I also just sent an email to a Lenovo Thinkpad specialist asking if it would be possible to disconnect the microphone and fingerprint reader on the hardware side.
Depending on his answer I will have to make my final decision between the Novacustom V54 (can't disable TPM) and Thinkpad P14s Gen 5 Intel (definitely can't disable Intel ME and/or remove the Wifi chip).
(If I knew Dasharo would implement a feature to disable TPM 2.0 within the next couple of months/half year I would order the V54 today.)

@miczyg1
Contributor

miczyg1 commented Nov 5, 2024

So it seems like this would be possible. (Despite TPM 2.0 has no official command to disable it.)
But probably easier on fTPM only devices, which the Thinkpads most likely are?

Still we have no idea how it works under the hood without public BIOS code.

I'm looking to keep the system simple. If i do not need/want something then i do not want it to be enabled or ideally not present at all.
I don't want TPM because i do NOT want to encrypt ANYTHING on my computer.
Unfortunately it's sometimes hard to say which os and software uses TPM 2.0 (this can also change with updates) and i want to avoid stuff being encrypted, especially without me knowing.
Therefore, if i could disable TPM (2.0) i would be able to sleep way better at night. (My current systems do not have a TPM 2.0 Chip, but i will soon have to replace them, starting NOW with the laptop...)

Note that it is simply possible to recompile the firmware with disabled TPM drivers. That should just work.

@Interman90
Author

Note that it is simply possible to recompile the firmware with disabled TPM drivers. That should just work.

But unless you are a firmware developer this is probably too advanced? I'm just a hobby web developer, so probably not something I can do myself?

@Interman90
Author

Interman90 commented Nov 6, 2024

Note that it is simply possible to recompile the firmware with disabled TPM drivers. That should just work.

Also, let's assume I could do this. Would there be any drawbacks?
What about firmware updates? (BTW: Does the Dasharo UEFI Firmware update itself automatically?)

@miczyg1
Contributor

miczyg1 commented Nov 6, 2024

Note that it is simply possible to recompile the firmware with disabled TPM drivers. That should just work.

Also, let's assume I could do this. Would there be any drawbacks? What about firmware updates? (BTW: Does the Dasharo UEFI Firmware update itself automatically?)

No, firmware does not update automatically by itself.

@Interman90
Author

Interman90 commented Nov 6, 2024

No, firmware does not update automatically by itself.

So basically I could flash a recompiled Dasharo UEFI Firmware with disabled TPM drivers on the device, and if I ever had to use the TPM I would just re-flash it with the "stock" Dasharo UEFI Firmware?

Almost sounds like a plan. Thank you! :)

@miczyg1
Contributor

miczyg1 commented Nov 12, 2024

@Interman90 I have quickly patched the coreboot config to disable everything related to the TPM. The CI will produce a binary for you: https://github.com/Dasharo/coreboot/actions/runs/11799819216?pr=587

However, I cannot guarantee it will work. It would be better if you had a recovery method in case it doesn't boot.

Flashing can be done in the OS (like DTS) using flashrom (but disable the locks beforehand in the Security Options):

```
flashrom -p internal -w <file> --ifd -i bios
```

EDIT: The CI failed... Could not find the proper EC artifacts. We will look into it.

@Interman90
Author

Interman90 commented Nov 14, 2024

However I can not guarantee it will work. It would be better if you had a recovery method in case it doesn't boot.

What would that be?

EDIT: The CI failed... Could not find the proper EC artifacts. We will look into it.

So what exactly does this mean? Will there be a binary available soon?

Oh man, I am really in a dilemma. I NEED to buy a laptop VERY soon. I would love to buy the Novacustom V54 but this TPM 2.0 thing sucks. Thinkpads on the other hand do have the Intel ME which is just as bad if not even worse.

If I knew I could get the TPM chip disabled on the Novacustom device within 6 months of purchase and without damaging the device I would be ordering TODAY...

@miczyg1
Contributor

miczyg1 commented Nov 14, 2024

What would that be?

This for example: https://shop.3mdeb.com/shop/modules/ch341a-flash-bios-usb-programmer-kit-soic8-sop8/

However, I found a couple of minutes to test the ROM built from the patched config. The TPM is not visible anymore in FW and OS. But note, it doesn't mean it is not accessible. FW doesn't use it, but the OS may still attempt to use it (and should fail, hopefully).

So what exactly does this mean? Will there be a binary available soon?

Nothing. CI builds have been resumed after fixing the failures. Fresh link https://github.com/Dasharo/coreboot/actions/runs/11840079933?pr=587
The binaries in the CI will last for 30 days, so be sure to pick it up before it disappears automatically.

I would love to buy the Novacustom V54 but this TPM 2.0 thing sucks.

After seeing such comments, I always keep wondering why I am doing such favors for anyone... Thanks.

If i knew i can get the TPM chip disabled on the novacustom device within 6 months of purchase and without damaging the device i would be ordering TODAY...

Sure, go on, you may order now...

@Interman90
Author

However I found couple of minutes to test the ROM built from the patched config. The TPM is not visible anymore in FW and OS. But note, it doesn't mean it is not accessible. FW doesn't use it, but OS may still attempt to use it (and should fail hopefully).

Nothing. CI builds have been resumed after fixing the failures. Fresh link https://github.com/Dasharo/coreboot/actions/runs/11840079933?pr=587 The binaries in the CI will last for 30 days, so be sure to pick it up before it disappears automatically.

What is the difference between "dasharo-novacustom-v540tu" and "dasharo-novacustom-v540tnx"?
Is tnx for the laptops with Nvidia GPU?

I would love to buy the Novacustom V54 but this TPM 2.0 thing sucks.

After seeing such comments, I always keep wondering why I am doing such favors for anyone... Thanks.

Well, it was very late and I worded this very badly.
The concept of a "TPM chip" and "encryption" doesn't suck and isn't a threat. I just hate the implementation.
It should be a removable chip that you can plug in/out like an M.2 SSD.
At least a hardware killswitch if it is part of the motherboard/CPU.
At the very, very least a software switch in UEFI, which I thought was standard (every device has one) until I discovered it's not.

Trust me, I REALLY appreciate your help (a lot) and if I should go with the Novacustom (I make the decision next week) it is mainly because of it.

@miczyg1
Contributor

miczyg1 commented Nov 15, 2024

Is tnx for the laptops with nvidia gpu?

Yes, TNX are models with Nvidia GPU.

It should be a removeable chip that you can plug in/out like an M2 SSD.

I haven't seen a removable TPM on any laptop. Only desktops/servers and SBCs. A laptop mainboard is too densely packed with components to allow such a waste of space as a socket for the TPM. So laptop mainboards either have a TPM already soldered on or not.

Besides, you cannot have any board without TPM today, due to Windows requirements.

@pietrushnic

LetsTrust is an exciting project. The major concern I would have is enabling the USB stack at a very early stage of the boot process. It is challenging, probably impossible to have at the first stage of the boot (bootblock), and incompatible with the existing security features design (Intel Boot Guard). Second, it would massively increase the TCB and expand potential attack vectors.

@mkopec
Member

mkopec commented Nov 15, 2024

https://twpm.dasharo.com/ is even more exciting :)

It should also be noted that TPM is essentially a passive device and if you don't want it it's as simple as... not using it. It's a lock box that you can put secrets in but you're not forced to. Disable it in Linux and don't use applications that depend on it, and it's as good as not having it in the first place. It can't enforce anything by itself.
