StarLabsLtd / firmware


[StarLite Mk V] Trusted Platform Module (TPM) is not usable #203

Closed chimpanzee23 closed 1 day ago

chimpanzee23 commented 1 month ago

I would like to use the Trusted Platform Module (TPM) in the StarLite Mk V for measured boot and automatic LUKS decryption.

Running Aeon Desktop, the TPM is not recognised by the OS using the default BIOS settings. Enabling Intel ME allows the OS to recognise the TPM (I assume Intel PTT), but the systemd-abrmd service fails to start and tpm2_selftest fails.

s3ph-scott commented 1 month ago

I am seeing a similar situation with Ubuntu 24.04. I have tried multiple versions of Coreboot (24.05, 24.06 and 24.07) with both Intel Management Engine enabled and disabled. In all instances the experimental option for TPM encryption is disabled by the Ubuntu installer.

To try and understand what's happening I loaded an install image for Windows 11. The installer did not block me from starting the installation but due to not having a compatible driver available on the install media I was unable to progress past the initial prompt to load a device driver for Windows 11. That is to say that this would be inconclusive as I don't know at which stage a Windows 11 install verifies the availability of a TPM and Secure Boot.

The specification page for the Starlite MKV does not mention a separate TPM chip although on the overview page there is a mockup of an Infineon Optiga chip. I would have to guess on the Starlite MKV the TPM is firmware based and from my limited knowledge it may depend on Intel ME being enabled.

Sean-StarLabs commented 1 month ago

edk2's implementation of TPM support with coreboot doesn't work with FDE; it's on our radar, but there aren't any timescales at the moment. It hasn't been established at which end the problem lies.

s3ph-scott commented 1 month ago

Thank you @Sean-StarLabs for the explanation. I will be using LUKS to satisfy device encryption in place of TPM backed encryption with a view to revisiting as and when the situation changes.

chimpanzee23 commented 1 month ago

Hi @Sean-StarLabs, thank you for the update, good to know it's on your radar. Are you happy for me to leave the issue open to track this and information for anyone else who has the same question?

Also, are you able to confirm whether the StarLite Mk V has a discrete TPM or uses Intel PTT?

Sean-StarLabs commented 1 month ago

Of course. It's PTT.

Sean-StarLabs commented 1 day ago

Pretty sure it's fixed with 00bd1d2ebfecc59f98d72892159bdee07ae12d36. Haven't tested all the possible uses - feel free to re-open if not.

chimpanzee23 commented 1 day ago

Hi @Sean-StarLabs, I've tested firmware 24.08 with the Intel ME enabled on both openSUSE Aeon and the Ubuntu 24.04.1 live iso and unfortunately the TPM still doesn't seem to be available. My dmesg output on both shows the below:

```
[ 0.433828] [ T1] tpm_tis MSFT0101:00: [Firmware Bug]: failed to get TPM2 ACPI table
[ 0.433849] [ T1] tpm_tis MSFT0101:00: probe with driver tpm_tis failed with error -22
[ 0.433866] [ T1] tpm_crb MSFT0101:00: [Firmware Bug]: failed to get TPM2 ACPI table
[ 0.433867] [ T1] tpm_crb MSFT0101:00: probe with driver tpm_crb failed with error -22
[ 0.891559] [ T1] ima: No TPM chip found, activating TPM-bypass!
```
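The dmesg lines above are the whole story from the OS side: both kernel TPM drivers (`tpm_tis` and `tpm_crb`) find the ACPI device `MSFT0101` but cannot locate the TPM2 ACPI table that firmware is supposed to publish, so probing fails with `-22` (EINVAL) and IMA falls back to running without a TPM. The script below is an added example for anyone triaging the same symptom; it is not code from the thread or from the StarLabs firmware project. It classifies a dmesg capture with the patterns seen here and checks the standard Linux artefacts a usable TPM leaves behind (the `TPM2` table under `/sys/firmware/acpi/tables`, the `/dev/tpm0` and `/dev/tpmrm0` character devices, and `/sys/class/tpm/tpm0`). The sample dmesg text is a constructed copy of the lines from the report; the `exists` parameter exists only so the sysfs check can be exercised against a fake filesystem.

```python
"""Triage helper: is the TPM usable, and if not, what did the kernel complain about?"""
import errno
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed sample: the dmesg lines from the issue report, one per line.
SAMPLE_DMESG = """\
[ 0.433828] [ T1] tpm_tis MSFT0101:00: [Firmware Bug]: failed to get TPM2 ACPI table
[ 0.433849] [ T1] tpm_tis MSFT0101:00: probe with driver tpm_tis failed with error -22
[ 0.433866] [ T1] tpm_crb MSFT0101:00: [Firmware Bug]: failed to get TPM2 ACPI table
[ 0.433867] [ T1] tpm_crb MSFT0101:00: probe with driver tpm_crb failed with error -22
[ 0.891559] [ T1] ima: No TPM chip found, activating TPM-bypass!
"""

# Patterns for the three failure signatures visible in the report.
NO_TPM2_TABLE = re.compile(
    r"(tpm_tis|tpm_crb) (\S+): \[Firmware Bug\]: failed to get TPM2 ACPI table"
)
PROBE_FAILED = re.compile(r"probe with driver (tpm_\w+) failed with error -(\d+)")
IMA_BYPASS = re.compile(r"ima: No TPM chip found")


@dataclass
class TpmDiagnosis:
    acpi_id: Optional[str] = None                      # e.g. "MSFT0101:00"
    drivers_failed: Dict[str, str] = field(default_factory=dict)  # driver -> errno name
    missing_tpm2_table: bool = False
    ima_bypass: bool = False

    @property
    def usable(self) -> bool:
        """No driver failed, the TPM2 table was found, and IMA did not bypass the TPM."""
        return not (self.missing_tpm2_table or self.drivers_failed or self.ima_bypass)


def diagnose_dmesg(text: str) -> TpmDiagnosis:
    """Scan dmesg output line by line and collect TPM-related failure signatures."""
    d = TpmDiagnosis()
    for line in text.splitlines():
        m = NO_TPM2_TABLE.search(line)
        if m:
            d.missing_tpm2_table = True
            d.acpi_id = m.group(2)
        m = PROBE_FAILED.search(line)
        if m:
            code = int(m.group(2))
            # Translate the numeric errno (22) into its symbolic name (EINVAL).
            d.drivers_failed[m.group(1)] = errno.errorcode.get(code, str(code))
        if IMA_BYPASS.search(line):
            d.ima_bypass = True
    return d


def check_sysfs(exists: Callable[[str], bool] = os.path.exists) -> Dict[str, bool]:
    """Report which standard Linux TPM artefacts are present.

    `exists` defaults to the real filesystem; pass a stub to test offline.
    """
    paths = {
        "tpm2_acpi_table": "/sys/firmware/acpi/tables/TPM2",
        "tpm0_char_device": "/dev/tpm0",
        "tpmrm0_char_device": "/dev/tpmrm0",
        "tpm0_sysfs": "/sys/class/tpm/tpm0",
    }
    return {name: bool(exists(path)) for name, path in paths.items()}


if __name__ == "__main__":
    diag = diagnose_dmesg(SAMPLE_DMESG)
    print("dmesg verdict: usable =", diag.usable)
    print("  ACPI device :", diag.acpi_id)
    print("  TPM2 table  :", "missing" if diag.missing_tpm2_table else "present")
    print("  drivers     :", diag.drivers_failed)
    print("  IMA bypass  :", diag.ima_bypass)
    print("sysfs on this host:", check_sysfs())
```

Run as `python3 tpm_triage.py` on the affected machine, or feed it a saved `dmesg` capture by calling `diagnose_dmesg(open("dmesg.txt").read())`. A "missing TPM2 table" verdict with `/dev/tpm0` absent points at firmware (the ACPI table is generated by the BIOS/coreboot payload, not by the OS), which is why reinstalling `tpm2-tools` or the resource manager will not help here; a present table with `/dev/tpmrm0` available is the state in which `systemd-cryptenroll` or `tpm2_selftest` can reasonably be expected to work.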