TPM Support Status

[erenoglu]

Dear Arnoldthebat, just wondering if there were any developments on getting TPM support working, either by an emulated tpm or enabling the use of the hardware one?

As we discussed earlier, I can't take ownership of the tpm2 (TIS) on my lenovo x1 carbon 5th gen.

[Crescendo-BLYAT]

@arnoldthebat also, is there any news for Special v74 build?

Don't forget to include swtpm.tar for your builds to fix this TPM issue as mentioned sometimes ago.

[erenoglu]

Thanks @Crescendo-BLYAT, My understanding from the swtpm.tar is that it fixes the login issue. I don't have a login issue on my X1 Carbon 5th gen (tis tpm2.0).

Can you confirm that you can import & bind certificates with swtpm.tar? You can try to import any Certificate Authority.

[Crescendo-BLYAT]

@erenoglu yes & yes.... also fixed the infamous empty flags page & device ownership....

[erenoglu]

Yes, yesterday I tried as well. But I think I needed to blacklist tpm_tis module as well as my kernel insisted on loading it even if it was disabled in bios

[arnoldthebat]

Hi

Since TPM is working in later hardware, its enabled by default in all builds. Bear in mind, you ned to clear TPM in BIOS and then let ChromiumOS claim it on boot. Then device ownership and flags etc work (on my kit anyway)

Software TPM is too disruptive to deploy to the main special build now I have investigated it, so Ill will be looking to create a variant to allow for software TPM only.

On Wed, 22 May 2019 at 22:23, Emre Erenoglu notifications@github.com wrote:

Dear Arnoldthebat, just wondering if there were any developments on getting TPM support working, either by an emulated tpm or enabling the use of the hardware one?

As we discussed earlier, I can't take ownership of the tpm2 (TIS) on my lenovo x1 carbon 5th gen.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/arnoldthebat/chromiumos/issues/274?email_source=notifications&email_token=AAZJKGNEZUDXOZEVLYXFEELPWW2VJA5CNFSM4HOYDFN2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4GVKAOQA, or mute the thread https://github.com/notifications/unsubscribe-auth/AAZJKGNWPI36IW2AASG37ITPWW2VJANCNFSM4HOYDFNQ .

[arnoldthebat]

Hi

Ill be releasing R74 imminently. Software TPM will need to be a variant build however since I dont want to disable hardware TPM completely.

On Sun, 26 May 2019 at 04:30, Crescendo notifications@github.com wrote:

@arnoldthebat https://github.com/arnoldthebat also, is there any news for Special v74 build?

Don't forget to include swtpm.tar for your builds to fix this TPM issue as mentioned sometimes ago.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/arnoldthebat/chromiumos/issues/274?email_source=notifications&email_token=AAZJKGNNHPPQWRXIPTCZA5DPXH75LA5CNFSM4HOYDFN2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWH5JZQ#issuecomment-495965414, or mute the thread https://github.com/notifications/unsubscribe-auth/AAZJKGPPOGZKWK4MHPXKD3DPXH75LANCNFSM4HOYDFNQ .

[erenoglu]

thanks @arnoldthebat , I'm really wondering what's wrong with my HW TPM since it's impossible to get ChromeOS or ChromiumOS or FydeOS own it (after clearing it in BIOS or Windows), although Windows & Linux can own it just fine :( swtpm worked on my system yesterday so that looks like the only way out for the moment

[arnoldthebat]

Bear with me a little longer then in that case, and Ill get a variant build with SWTPM only...

[Crescendo-BLYAT]

Bear with me a little longer then in that case, and Ill get a variant build with SWTPM only...

couldn't wait for this build as my laptop's hwTPM is crazy... it got sth to do with Acer's implementation of TPM & secure boot...

Chromium unable to acquire it even tho I already cleared the TPM's data via BIOS....

Thank you so much...

[arnoldthebat]

All. Try this test build please: https://chromium.arnoldthebat.co.uk/.archive//chromiumos_image.bin.gz

SWTPM appears to be loading and the service _vtpm shows as running. Its likely I have missed something since certs and chrome://flags are still not loading on my test laptop, so if you could have a review, I would appreciate it. Otherwise Ill try to do some debug this weekend if I get time

[Crescendo-BLYAT]

nice, I'll help you test this one.... :) Thank you so much.

forgot to report: yes the flags is blank with this alternate special build...

so I'm back using your v74 special + eve v74 + swtpm... this works perfectly....

[erenoglu]

Hi @arnoldthebat , check if you have a hardware tpm and if it's module is loaded. If it's loaded, it captures /dev/tpm0 device and the swtpm gets /dev/tpm1

I needed to 1) disable HW tpm from BIOS 2) disable module loading before I could get swtpm to work. Also you need to have the links in /usr/lib64 for libswtp.... and libtpm... (as in the chromfy script). Maybe disabling HW tpm may not be needed since we are disabling the module.

You need to start from fresh state partition, at first boot, in 2nd or 3rd screen where google asks if it can send some diagnostic data, there's a link above to show the password. If that link shows you a password, it's working.

Attached are my related files. (had to add .txt extension to them to upload, you shall remove that) vtpm.conf.txt tis.conf.txt

If this works, I suggest you include this by default. This will help all your chromiumos users utilize the TPM functionality regardless of what hardware they are on. We may need to add other TPM modules to the blacklist like: tpm tpm_bios tpm_tis tpm_nsc tpm_atmel tpm_infineon

[eladavron]

Hi, so it doesn't seem to work in Camd64OS_R76-12239.B-Special on a Surface GO 128GB (which has the TPM2.0 module). Chrome Flags doesn't work, and I think YouTube Android app doesn't work because of it too (though I'm not sure it's this reason). Anything I can do to help with solving this?