Heads and ME Neutralize compatible?

[0xb100d]

I looked and did not see this elsewhere, sorry if it is a repeat.

1) Does Heads still work if we run the ME_cleaner?

2) Also is this compatible with TPMv2?

3) If I just do ME cleaning and coreboot, can I later install Heads via software only (I believe I read this), or do I have to physically flash it at the same time?

Thank you so much!

[merge]

I looked and did not see this elsewhere, sorry if it is a repeat.

1. Does Heads still work if we run the ME_cleaner?

It does on the x230.

2. Also is this compatible with TPMv2?

why do you ask? on the x230 we don't have TPMv2 hardware. Coreboot supports TPMv2 too.

3. If I just do ME cleaning and coreboot, can I later install Heads via software only (I believe I read this), or do I have to physically flash it at the same time?

if you have IFD unlocked during external flashing of Skulls (for example), you can flash Heads via software.

Thank you so much!

[0xb100d]

@merge

2. Also is this compatible with TPMv2?

why do you ask? on the x230 we don't have TPMv2 hardware. Coreboot supports TPMv2 too.

I thought I read that the x230 can be upgraded to TPMv2? Very disappointing if it can't be done.

https://pcsupport.lenovo.com/ca/en/downloads/ds032441 https://thinkdeploy.blogspot.com/2018/06/upgrading-tpm-spec-12-to-20-on-thinkpad.html

It is a hardware constraint?

[jcholsap]

My understanding is that TPM v2.0 adds a hash check to firmware blocks that the EC verifies for "security". The result probably being, since mods change the hash value, that the EC would do whatever it does with an invalid hash. Maybe ME cleaner would remove this "feature" from the EC? Maybe installing TPM v2.0 starts with taking a hash of your current firmware state? Lots of variables. I'm curious to know what it'll do to your mods if you try it. I'm wondering if the update changes code within the EC.

[0xb100d]

@jcholsap hopefully someone has the courage to test. TPM v2 seems substantially different and more advanced than v1

[0xb100d]

@merge are you sure you the x230 cannot be updated tpmv2?

[ami7az]

I found this by chance, if it's of any help:

SeaBIOS 1.10.0 Available on 20161026. Major changes in this release: Initial support for Trusted Platform Module (TPM) version 2.0

So it should be at least in the skulls-firmware?

The official ThinkPad X230 Product Specifications Reference (PSREF) only speaks of "Security chip Trusted Platform Module, TCG 1.2-compliant", so probably we can't update the TPM hardware, as merge suggested?

But: _"There are five different types of TPM 2.0 implementations:_ Firmware TPMs are software-only solutions that run in a CPU's trusted execution environment. Since these TPMs are entirely software solutions that run in trusted execution environments, these TPMs are more likely to be vulnerable to software bugs. AMD, Intel and Qualcomm have implemented firmware TPMs."

And also: Criticism Attacks