datagutten
commented
6 years ago This would make it much easier to maintain. Return code checking would be useful when the upgrade fails.
Closed texhex closed 6 years ago
datagutten
commented
6 years ago This would make it much easier to maintain. Return code checking would be useful when the upgrade fails.
texhex
commented
6 years ago @datagutten Thanks, so I will add this to my TODO list
One request: Do you happen to have another G3 or G4 model where you could test the new -s -a2.0 command?
I only have G5 devices at the office and they already have 7.63. I will try to get a G3/G4, but this might take some time.
datagutten
commented
6 years ago I tested on a 640 G2, 840 G4 and a 430 G4 today and all worked, but it requires that VTd is disabled before starting the upgrade.
datagutten
commented
6 years ago What about logging the changes made by TPM-BIOS-Settings.txt and reverting them after the upgrade?
texhex
commented
6 years ago I tested on a 640 G2, 840 G4 and a 430 G4 today and all worked, but it requires that VTd is disabled before starting the upgrade.
Good catch! I never noticed this because we turn off VTd by default. Will update the docs right away.
datagutten
commented
6 years ago Sorry, I mistyped, it is VTx. According to the error code list VTx, TXT and SGX need to be disabled. The check for VTx can be disabled with the switch -xVTx, but I suppose there is a good reason to disable it since it is checked by default.
texhex
commented
6 years ago I changed VTd in most TPM-BIOS-Settings.txt with the exception of Models\HP ProDesk 400 G2 and Shared\HP ProBook 6x0 G2. There are no example BIOS-Settings so I can be sure that setting exist.
Also, for Shared\HP EliteDesk 8x0 G3, Intel Software Guard Extensions (SGX) was found inside the BIOS setting but not in TPM-BIOS-Settings.txt, so I added it.
texhex
commented
6 years ago @datagutten As you could imagine, I prepared that comment before the page was refreshed ; )....
Dang it, so it's VTx? This would actually not make any sense to me, since we are turning it on since we started with Windows 10 1607 and never had any issue with it. From the logs, we reinstalled three G3 at a location in Asia today, they got updated to 7.62 and VTx was on. This was the old TPMConfig64.exe (1.x).
texhex
commented
6 years ago @datagutten Sorry for the delay, but it was quite busy the last days. I reverted the change in TPM-BIOS-Settings.txt from VTd to VTx for all models. I would be great if you could provide some example BIOS Settings for the following models so we could provide a matching TPM-BIOS-Settings.txt for them as well:
So far, no reply from my HP support contact, I guess they are busy getting the G5 out of the door.
datagutten
commented
6 years ago I added settings for ProDesk 400 G3 DM now, I have ProBook 640 G2 and ProDesk 400 G2 within reach. I don't have any 650 G2, but I suppose it can use the same settings as 640 G2.
texhex
commented
6 years ago Thanks, the settings for ProDesk 400 G3 look fine, especially as VTx is enabled again (which will be turned off during the TPM update). BIOS settings for 640/650 G2 would be great and I think it's OK to assume that the settings from the 650 G2 can be "recycled" from 640 G2.
I will try to have the code for the new TPM update ready by the weekend (I was offline for two weeks).
texhex
commented
6 years ago @datagutten Thanks for the new PR, I will check it later. I have now received a reply from my technical contact regarding disabling VTx. There is no "real" technical reason behind the decision disabling it, it's just a precautionary measure. However, he does not know again what exactly.
texhex
commented
6 years ago @datagutten Thanks a million! Your PR #65 also includes the BIOS settings for 640 G2 and 650 G2 so we have matching BIOS settings examples for all devices that are able to update the TPM. I will merge it in a second.
texhex
commented
6 years ago Before heading to 5.0 with the new TPM command, I just release 4.0.7 with all your changes. Please see https://github.com/texhex/BiosSledgehammer/releases/tag/v4.0.7
texhex
commented
6 years ago @datagutten The very first version of the new TPM update code is now online (as 5.0 BETA).
It includes the code cleanup, a description of the return code of TPMConfig, the new arguments and an updated TPM-Config.txt in \Shared\TPM SLB 9670. What is missing is copying the \SRC folder because I still somewhat hope that the TPMCOnfig looks in that folder itself. A first version of the documentation is also online: https://github.com/texhex/BiosSledgehammer#50-beta-documentaion-tpm-update
Except for the changes regarding Update-TPM, this is the same version as 4.0.7 so it's safe to test. Do you have any devices you could do a test run? We only receive G5s by now that all have 7.63 installed, so I can't test it. I do not know when the next batch of older devices comes in that I could use for testing.
datagutten
commented
6 years ago I tested today and I need to copy TPMConfig64.exe to the src folder to make it work. It is strange that HP provides a package that does not work out of the box. Before copying the file it failed with correct error handling. After copying it worked without problems.
texhex
commented
6 years ago So much for my hope that maybe the HP devs are smart...
Thanks for test, and good to hear the error handling works as expected. Please give me some days to think about how to implement this "copy folder from source to source" in a way that it can be reused for other cases as well and without breaking anything.
Most likely, I will copy the \SRC folder to the base of the folder where TPMConfig64.exe is (the other way to what you did). Your method is clearly faster because the firmware files are so big, but I would like to keep the path inside command as close as possible to the source layout.
texhex
commented
6 years ago The TPM-Update.txt does now support the setting AdditionalFilesDirectory that can be used to copy files from a subfolder of the source to the root of the update temp folder. This should do the trick, during my mocking tests, it worked. Please pull both the script and Shared\TPM SLB 9670\TPM-Update.txt and try it again, if your time permits. Now it should work "out of the box", without any copying necessary.
If you have a better name for this special setting (AdditionalFilesDirectory), I'm open for suggestions.
texhex
commented
6 years ago I got two older devices today and tested it. It worked as expected, so I think the code is finished.
@datagutten If you could still give it a try, this would be appreciated.
SoftPaq #87492, which includes version 7.63 of the firmware for the SLB 9670 chip (see #56), supports a new parameter so the matching firmware file is automatically selected. Excerpt from SP87492.pdf which is included with the above mentioned SoftPaq:
This would solve the problem of firmware updates were only the build version changed (e.g. 6.41.197 vs 6.41.198) that BIOS Sledgehammer can not difference because Windows only returns Major.Minor (6.41 in this case) for the TPM firmware version. Also, it would make the TPM-Update.txt a lot shorter as all firmware version configuration entries could be removed.
As the
-sparameter expects the BIN files to be in the same folder:We would just need to add one parameter that defines in which sub folder the firmware files are, to copy it together with the update utility to the same local execution folder.
The command to update to TPM 2.0 afterwards would then just be:
Other notes:
@datagutten Thoughts?