
TPM 2.0 with Cr50

Open ChocolateLoverRaj opened this issue 1 year ago • 10 comments

It would be really convenient having automatic LUKS unlocking with TPM on Chromebooks, but it doesn't work rn. Are there plans for it to be implemented?

ChocolateLoverRaj avatar Apr 28 '24 17:04 ChocolateLoverRaj

there's nothing I can do about the fact that the CR50 is not a full TPM 2.0 implementation. I'm not sure if it's sufficient for what you're asking

MrChromebox avatar Apr 28 '24 22:04 MrChromebox

@MrChromebox https://github.com/tpm2-software/tpm2-tools/issues/3434

Blocker for https://github.com/linuxboot/heads/pull/1658#issuecomment-2136000413 (TPM released Disk Unlock Key: sealing of secret in nvram fails)

tlaurion avatar Nov 16 '24 21:11 tlaurion

> @MrChromebox tpm2-software/tpm2-tools#3434
>
> Blocker for linuxboot/heads#1658 (comment) (TPM released Disk Unlock Key: sealing of secret in nvram fails)

@tlaurion CR50 is not a fully TPM 2.0 compliant implementation, as per my comment above. I don't think there's anything missing from the firmware init, other TPM 2.0 chips are fine

MrChromebox avatar Nov 17 '24 00:11 MrChromebox

> > @MrChromebox tpm2-software/tpm2-tools#3434
> >
> > Blocker for linuxboot/heads#1658 (comment) (TPM released Disk Unlock Key: sealing of secret in nvram fails)
>
> @tlaurion CR50 is not a fully TPM 2.0 compliant implementation, as per my comment above. I don't think there's anything missing from the firmware init, other TPM 2.0 chips are fine

https://github.com/tpm2-software/tpm2-tools/issues/3434#issuecomment-2487391586

Two secrets are sealed with same policy, one succeeds (TPM totp with tpm2), where sealing TPM disk unlock key in separate nvram region fails.

Two logs provided at https://github.com/linuxboot/heads/pull/1658#issuecomment-2136075503

tlaurion avatar Nov 20 '24 04:11 tlaurion

@tlaurion again I'm not sure what I can do from the firmware init side, or even what you're asking for.

MrChromebox avatar Nov 20 '24 15:11 MrChromebox

> @tlaurion again I'm not sure what I can do from the firmware init side, or even what you're asking for.

https://github.com/tpm2-software/tpm2-tools/issues/3434#issuecomment-2489935087

Feature missing from tpm2 implementation, so nothing you can do.

tlaurion avatar Nov 21 '24 02:11 tlaurion

Since the Cr50 is not a full implementation, might it be possible to enable Intel PTT on 8th gen and newer Intel CPUs?

https://www.intel.com/content/www/us/en/support/articles/000094205/processors/intel-core-processors.html

Unlike a discrete TPM such as the Cr50 or an Infineon chip on a regular PC, my understanding is PTT exists entirely within the Intel CPU/SoC and no additional chip is needed but it must be enabled in firmware.

Is that something Coreboot / Tianocore could enable?

jay0lee avatar Dec 02 '24 21:12 jay0lee

> might it be possible to enable Intel PTT on 8th gen and newer Intel CPUs?

if the PTT was fused off from the factory (as it is on Chromebooks) via the soft straps then there is no way to re-enable it.

MrChromebox avatar Dec 02 '24 21:12 MrChromebox

Out of curiosity, is cr50 completely incapable from a hardware standpoint? I remember buying an offbrand tpm for my main PC that was stated to be tpm 2.0 but was actually 1.2, it had no vendor support so I had to resort to some obscure guide to update from 1.2 to 2.0, is that not possible here?

LZeugirdor avatar Dec 10 '25 11:12 LZeugirdor

> Out of curiosity, is cr50 completely incapable from a hardware standpoint?

It is 100% capable. There is even a software flag to enable full TPM 2.0 functionality in the CR50 software. But Google builds the CR50 firmware without it, and the CR50 only runs signed Google firmware, so nothing can be done to modify it

MrChromebox avatar Dec 10 '25 13:12 MrChromebox