fwupd / firmware-dell

Missing firmware for Dell hardware

Trying to update TPM firmware on 9360 gives me "Blocked by TPM FW Policy" error from firmware #93

Open mjg59 opened 2 years ago

mjg59 commented 2 years ago

Trying to either update the TPM 1.2 firmware to the latest, or trying to install TPM 2.0 firmware results in the system rebooting, starting the update, and then producing a "Blocked by TPM FW Policy" error. The same message is generated when trying to perform the update from DOS, so this isn't intrinsically an fwupd issue.

Dell XPS 13 9360.

hughsie commented 2 years ago

@superm1 any ideas here? I know it's not your problem any more, but I figured you might know who to ping.

superm1 commented 2 years ago

I would suggest trying to clear the TPM in BIOS setup first and trying it again

mjg59 commented 2 years ago

@superm1 Tried that, no change.

superm1 commented 2 years ago

> @superm1 Tried that, no change.

And this update is intended for this system / tpm right?

If so, then Dell needs to repro and look further into it to solve.

therealjuanmartinez commented 2 years ago

@mjg59 can you confirm the source/name of the update(s) you're trying to run? Especially the v2.0 one.

Will escalate this internally.

mjg59 commented 2 years ago

@therealjuanmartinez:

XPS 13 9360
│
└─TPM 1.2:
      New version:        5.81.2.1
      Remote ID:          lvfs
      Summary:            Firmware for the Dell TPM 1.2
      Licence:            Proprietary
      Size:               554.9 kB
      Created:            2016-12-02
      Urgency:            Low
      Vendor:             Dell
      Flags:              is-upgrade
      Description:        
      Initial release

$ sudo fwupdmgr upgrade c6a80ac3a22083423992a3cb15018989f37834d6
TPM 1.2 and all connected devices may not be usable while updating. Continue with update? [Y|n]: 
Downloading…             [***************************************] Less than one minute remaining…
Decompressing…           [***************************************]
Authenticating…          [***************************************]
Authenticating…          [***************************************]
Updating TPM 1.2…        [***************************************]
Scheduling…              [***************************************]
Successfully installed firmware

An update requires a reboot to complete. Restart now? [y|N]:

After reboot, gives me the "Update failed: Blocked by TPM Policy" error.

$ sudo fwupdmgr install https://fwupd.org/downloads/a1a6e10beb96281fa78c62a7d967c8c3a1cf7430-DellTpm2.0_Fw1.3.1.0.cab
Downloading…             [***************************************] Less than one minute remaining…
Decompressing…           [***************************************]
Authenticating…          [***************************************]
Authenticating…          [***************************************]
Installing on TPM 2.0…   [***************************************]
Scheduling…              [***************************************]
Successfully installed firmware

An update requires a reboot to complete. Restart now? [y|N]:

fails with the same error. get-history gives:

└─TPM 2.0:
  │   Device ID:          a60b665c769b019e30f31001e91ab31e24d7a035
  │   Previous version:   0.0.0.0
  │   Update State:       Failed
  │   Update Error:       failed to run update on reboot

therealjuanmartinez commented 2 years ago

@mjg59 Could you attach the output (or at least the TPM portion(s)) from:

fwupdmgr get-devices

Mainly I want to confirm the current FW version

superm1 commented 2 years ago

(Presumably you want the current BIOS version too - in case there is something to do with the BIOS version on the machine controlling this policy)

mjg59 commented 2 years ago

XPS 13 9360
│
├─CT500MX500SSD4:
│     Device ID:          64ec4cd1e1c9565e79b00f4e7221b1c689b33e96
│     Summary:            ATA Drive
│     Current version:    M3CR020
│     Vendor:             Micron (ATA:0x1344, OUI:00a075)
│     GUIDs:              cd4b908b-edef-5a08-8616-463a2c739755
│                         a67a9709-2b42-519a-9760-5ede74ce8609
│                         e9b83e95-968d-5310-aa2d-ab745ca18d87
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─System Firmware:
│ │   Device ID:          3f0ecc7823ee99c718693e8ecca38f54e8738dc5
│ │   Current version:    2.18.0
│ │   Minimum Version:    2.18.0
│ │   Vendor:             Dell Inc. (DMI:Dell Inc.)
│ │   GUIDs:              5ffdbc0d-f340-441c-a803-8439c8c0ae10
│ │                       230c8b18-8d9b-53ec-838b-6cfc0383493a
│ │                       66d5d415-835d-561c-b687-dcfe4c8b2558
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • System requires external power source
│ │                       • Supported on remote server
│ │                       • Needs a reboot after installation
│ │                       • Cryptographic hash verification is available
│ │                       • Device is usable for the duration of the update
│ │ 
│ └─UEFI dbx:
│       Device ID:        362301da643102b9f38477387e2193e57abaa590
│       Summary:          UEFI Revocation Database
│       Current version:  77
│       Minimum Version:  77
│       Vendor:           UEFI:Linux Foundation
│       Install Duration: 1 second
│       GUIDs:            c6682ade-b5ec-57c4-b687-676351208742
│                         f8ba2887-9411-5c36-9cee-88995bb39731
│       Device Flags:     • Internal device
│                         • Updatable
│                         • Needs a reboot after installation
│     
└─TPM 1.2:
      Device ID:          c6a80ac3a22083423992a3cb15018989f37834d6
      Summary:            Platform TPM device
      Current version:    5.81.0.0
      Vendor:             Dell Inc. (PCI:0x1028)
      Update State:       Success
      GUIDs:              f9bdd338-b410-5e73-902d-7b6e4694bb56
                          ff71992e-52f7-5eea-94ef-883e56e034c6
      Device Flags:       • Internal device
                          • Updatable
                          • System requires external power source
                          • Supported on remote server
                          • Needs a reboot after installation

therealjuanmartinez commented 2 years ago

The DXE driver is the likely culprit for disallowing the update between those particular TPM FW versions, which is typical when seeing the "Blocked by TPM FW Policy" error.

The FW version you need is 1.3.2.8, and DXE should allow a direct upgrade from the current version. Additionally, it seems you're on a recent/latest BIOS for your platform so that should not be an issue.

Unfortunately, there are no capsule builds available (via LVFS or otherwise) due to the fact that it was published at a time before Dell was fully qualifying most/all TPM releases for Linux release.

Therefore, my suggestion is to retrieve the TPM FW v1.3.2.8 directly from Dell.com for the XPS 13 9360, and use a WinPE key to facilitate installation.

mjg59 commented 2 years ago

I tried running the 1.3.2.8 update from https://www.dell.com/support/home/en-us/drivers/DriversDetails?driverId=0DJC8 under FreeDOS (the 32-bit version does not require Windows) and it generates the same error.

therealjuanmartinez commented 2 years ago

Nuvoton has verified the upgrade path from 5.81.0.0 (TPM1.2) -> 1.3.2.8 (TPM2.0) is allowed from FW perspective.

As a result, it's unclear whether they are mistaken or there is something unique happening on your side.

The FW utility link you shared in this issue is an older utility; the latest for FW v1.3.2.8 for this platform is: https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=8n08g&oscode=wt64a&productcode=xps-13-9360-laptop

You MAY need to run WinPE for this because FreeDOS may not be supported by this FW Update wrapper anymore.

Alternatively there is another TPM1.2 FW Update (though not officially published for your platform): https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=twhk9&oscode=wt64a

It should be supported based on the FW you have now. This is TPM1.2 FW v5.81.2.1, which is a newer TPM1.2 FW than the v5.81.0.0 on your system. Could you give this one a try? Once again, you might need to run it in WinPE directly.

If the above still doesn't help, let me know and we can look further.

mjg59 commented 2 years ago

Same failure with both the 1.3.2.8 and the 5.81.2.1 updates.

therealjuanmartinez commented 2 years ago

Can you confirm that the TPM is not owned?

mjg59 commented 2 years ago

I'm clearing the TPM in the firmware before each attempt

therealjuanmartinez commented 2 years ago

Just for clarity can you again confirm the error is still the "Blocked by TPM FW Policy" message, and that you're using WinPE?

mjg59 commented 2 years ago

Yes to both

therealjuanmartinez commented 2 years ago

Hi again, I wanted to let you know we're currently working with the component vendor to find whether there are commands that can be run on your end to pull some specific diagnostic information we're looking for. Where we go from there will depend on their response.

therealjuanmartinez commented 2 years ago

Hi again - this is probably a long shot but is there a chance you are still using the same factory install on that machine? And if not, by chance might you have made OEM Ubuntu recovery media using the software tools shipped with that device? The reason I ask is because recovery partition files would make it easier for us to learn what exactly took place during the factory process for that machine. We're still pursuing the action from my last message.

mjg59 commented 2 years ago

I'm afraid not - I reimaged it with Fedora. I'm not certain, but I believe I may have switched it between TPM 1.2 and 2.0 a couple of times for development testing in the past.

fredoche commented 2 years ago

FWIW I apparently have the same issue with a tpm 1.2 blocked at 5.81.0.0. Sometimes the GUI "Firmware" reports a version of 255.255.255.255 after clearing or unlocking the TPM.

hugh712 commented 2 years ago

@fredoche

Would you please provide the dmidecode log once you observe this issue? sudo dmidecode > dmidecode.log

fredoche commented 1 year ago

Dmidecode when UI shows 5.81.0.0:

... [edit: apparently useless in the end]

I'll try to reproduce the issue with the weird version and post the result here.

fredoche commented 1 year ago

To reproduce, I clicked on "upgrade" in the firmware UI to update to 5.81.2.1. The UI asked me to reboot, I clicked "Later" and now the UI shows version 255.255.255.255. dmidecode:

[edit: useless ]

fredoche commented 1 year ago

After reboot and a tpm upgrade failure "blocked by tpm fw policy", the UI still shows version 255.255.255.255 and even offers me to "downgrade" to 5.81.2.1.

hugh712 commented 1 year ago

hmmmm, there is no tpm info in dmidecode... let me see if I can find an XPS 13 9360 to reproduce this issue

fredoche commented 1 year ago

btw this is on a 9350.

fredoche commented 1 year ago

In the TPM 2 section there is a "Lock status" section. When I click to unlock, the GUI tells me to reboot, yet, after reboot, the GUI has the "Lock status" locked again like nothing happened.

tim-seoss commented 1 year ago

I'm seeing the same issue on an Optiplex 5040 running Debian. Current TPM 1.2 version 5.81.0.0 attempting to update to 5.81.2.1.

I then tried installing the TPM 2.0 update from Windows 10, but this also failed in the same way.

hugh712 commented 1 year ago

@tim-seoss

Please contact Dell support on the website [0]. I believe it's a BIOS issue, not an fwupd issue, since even Windows fails to do it. Thank you.

[0] https://www.dell.com/support

tim-seoss commented 1 year ago

@hugh712 Thanks for the suggestion, but given that this problem appears to exist across multiple Dell models with the same firmware update... My assumption is that there is an interaction between the firmware update and the platform firmware that requires fixing.

At the very least it needs to have a more helpful error message than "Blocked by TPM FW Policy". My assumption is that you would have orders of magnitude more chance of getting this problem fixed from within Dell, by referring it to the platform firmware team, than I ever would as an individual customer in possession of a single machine.

I'll be happy to provide as much technical assistance to Dell on this matter as I can.

fredoche commented 1 year ago

I have contacted Dell support, but with my laptop being out of warranty, support cannot help. @therealjuanmartinez mentioned being in contact with the vendor about this very issue, which seems promising, but maybe the chip support is simply abandoned.

fredoche commented 1 year ago

Hmm, and today, after a round of updates, fwupdmgr does not list the TPM anymore... I created a new bug here https://github.com/fwupd/firmware-dell/issues/144

fredoche commented 1 year ago

Just tried again today, and while it still doesn't work, I noticed this in fwupdmgr after a failed attempt:

└─TPM 1.2:
  │   Device ID:          a3487e128cf1413519bce8e9a1ab3f5981e61458
  │   Résumé:             UEFI ESRT device
  │   Version actuelle:   5.81.0.0
  │   Fournisseur:        Dell Inc. (PCI:0x1028)
  │   État de mise à jour:Success
  **│   Erreur de mise à jour:Preventing upgrades as alternate**
  │   GUIDs:              d433959e-03ca-524b-92b7-5022eff81a31 ← 0704-1.2
  │                       ff71992e-52f7-5eea-94ef-883e56e034c6 ← system-tpm
  │   Drapeaux de périphérique:• Périphérique interne
  │                       • Le système nécessite une source d'alimentation externe
  │                       • Supported on remote server
  │                       • Needs a reboot after installation
  │                       • Mise à jour possible
  │ 
  └─TPM 2.0:
        Device ID:        eb4a4ec71c680a34c6248dc94ca017f81c772aa8
        Résumé:           UEFI ESRT device
        Version actuelle: 0.0.0.0
        État de mise à jour:Success
        Dernière modification:2023-02-19 14:33
        GUID:             b62a2412-5ac4-5350-b16e-7e8f4655d096 ← 0704-2.0
        Drapeaux de périphérique:• Périphérique interne
                          • Mise à jour possible
                          • Le système nécessite une source d'alimentation externe
                          • Supported on remote server
                          • Needs a reboot after installatio

Notice "Preventing upgrades as alternate". What does it mean?

@hughsie going out on a limb here, yet I'm wondering if the "policy" that blocks the update is "Since there is a tpm 2 update, don't bother updating the TPM 1.2; you should update to tpm 2 instead"? And since fwupdmgr keeps trying to push the tpm 1.2 update instead of the 2.0, it will always fail? So, could it be that the problem is a UI one, and that, somehow, if fwupdmgr could offer the update to 2.0 (skipping the whole 1.2 thing altogether), the upgrade would work?

xyzkernel commented 9 months ago

Today I encountered the same problem on my [Precision 7920 Tower]. Tried switching between versions, with no success. I contacted customer service and they said they couldn't update. But I think DELL should have set up a protection program in the module and refused to update. It is the aforementioned [Preventing upgrades as alternate].

xyzkernel commented 9 months ago

Even after switching multiple Bios versions, it still failed.