Solved

TPM chip - clearing without knowing the BIOS pw

Posted on 2015-01-28
Last Modified: 2016-11-23
Hi experts.

Read the description carefully: we have a Dell laptop with the BIOS setup being locked. We found that out while trying to clear the TPM chip of the device using TPM.msc under Windows. Windows told us to reboot but upon rebooting, it at once asked us to enter the BIOS pw in order to complete the process...which we don't have anymore.

So we talked to Dell and they said they can send us a master password if we show them the invoice together with the system serial and passport copy, which we did. We received the master password but in order to use it, we would need to enter the BIOS - which we can't because of the attempt to clear the TPM! A vicious circle.
Again: the master password can only be used to reset the real password, but we cannot get to the stage where the reset can be initiated because that damn TPM asks for the BIOS password, blocking all access to the BIOS!

Question, finally: is it possible to undo initiation of the TPM clearance? In other words: what happens when we choose to clear the TPM, where is that request saved to - directly to the TPM?

We have phoned Dell and they understand the situation but have no further advice because they don't know what is triggering that pw prompt. They are trying to help and contact internal experts, but that might take time, that's why I ask here in the meanwhile.
Question by:McKnife
10 Comments
 
LVL 62

Assisted Solution

by:☠ MASQ ☠
☠ MASQ ☠ earned 100 total points
ID: 40576861
Just a comment, will follow this one with interest so please post the outcome.
Suspect Dell will RMA the board.  Removing TPM with an active BIOS admin password will have broken the Trust relationship in the Core Root of Trust for Measurement (CRTM) on the TPM BIOS.  If anything here the fault is with Dell not having a master reset that can be applied at the password entry screen you have reached.  My very unhelpful comment is you should always disable the BIOS admin password before TPM, even if you have to go via Dell to do this. What you've ended up with from the Trusted Platform perspective is a laptop where there's been a brute force attempt to break TPM, the assumption by the CRTM is that you will now be able to prove ownership with the BIOS password otherwise you are locked out for good :(

Hoping I'm not right!
0
 
LVL 63

Expert Comment

by:btan
ID: 40576878
This is quite similar to your query, and the passwords are of various kinds:
- BIOS password: System password (prompted before the system can boot up) and Admin password (prompted when trying to access the BIOS settings), which is stored in a chip
- TPM password: TPM security password, and protected crypto keys stored on the HDD, which are all used for the subsequent decryption of the TPM-protection-enabled HDD.
http://www.experts-exchange.com/Hardware/Components/Q_27022103.html

This is useful (see "Clearing Forgotten Passwords", which claims the process erases both the system and administrator passwords; we must be careful with this as it may backfire since touching the jumper ...) http://phubner.eng.ua.edu/Files/Optiplex%20745/advfeat.htm#wp1147926

There are postings on unlocking services online, but I see them only as a last resort:
http://www.biospro.com/ (BIOS) or http://hdd-tools.com/products/rrs/ (Repair Station for HDD ATA password; note this is not the TPM password (like the Dell security suite) and is also for a specific model)
0
 
LVL 63

Expert Comment

by:btan
ID: 40576886
Side note of caution too - clearing the TPM resets it to an unowned state, very likely leading to loss of data that was encrypted w/o backup or recovery. The overall effect is that the TPM will be off and reset back to factory defaults, hence losing all created keys and the data that is protected by those keys.
0

 
LVL 54

Author Comment

by:McKnife
ID: 40576928
Masq, I fully agree. btan, I am looking for a way to undo that request, that's all. The problem itself has been solved by disassembling that laptop and removing the battery, by the way.

Question was: is it possible to undo initiation of the TPM clearance? In other words: what happens when we choose to clear the tpm, where is that request saved to - directly to the TPM?
This was just born out of interest, I knew that with that laptop model, removing the battery would help.
0
 
LVL 63

Accepted Solution

by:
btan earned 400 total points
ID: 40577037
I don't think we can revert back once the TPM is cleared (as compared to turning it on or off) and rebooted. The original keys deployed to the machine are lost and it is in the unowned state, back to the factory reset state.
The clearing is stated as a reset removing the owner authorization value and any keys stored in the TPM; I doubt it is any key on the HDD
https://technet.microsoft.com/en-us/library/jj603122.aspx

Also, separately, I did a quick check of the Intel TPM paper and see the related activities as we clear the TPM. It seems like we are at step 3 already.
A TPM administrative sequence invoked from the operating system proceeds as follows:
1. User makes a TPM administrative request through the operating system's security software.
2. The operating system requests the BIOS to execute the TPM administrative command through TPM ACPI methods and then resets the system.
3. The BIOS verifies the physical presence and confirms the command with the operator.
4. The BIOS executes TPM administrative command(s), inhibits BIOS Setup entry and boots directly to the operating system which requested the TPM command(s).
http://download.intel.com/support/motherboards/server/sb/g21682003_tpm_hwug.pdf
0
 
LVL 54

Author Comment

by:McKnife
ID: 40577147
You still get me wrong. I am NOT trying to do something AFTER the tpm is cleared, but before.
I am trying to undo the initialization of the clearing process which effectively blocked the BIOS, as I described.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40577154
"I knew that with that laptop model, removing the battery would help."
Now I feel cheated :)  I was sure you'd be dealing with a NVRAM BIOS or you wouldn't have asked!

Yes Btan is right, there are two levels of ID on the TPM, one that's tied to the hardware which should be inviolate and prevents attempts at replacing the chip and the non-volatile EPROM  which is keyed into the OS and reset when ownership is established.  By force clearing the second of these the TPM no longer recognises ownership.  This in turn messes up the BIOS CRTM startup and because TPM-based drive encryption is now disabled anything using it becomes inaccessible.


If you have the rights to use TPM.msc the assumption is you know that this is the consequence of your action, which is why you can do this via the OS. When you send the initialise clear TPM instruction the chip is set to wipe the ownership key on reboot. Although there should in theory be a point before the restart that you could reverse/cancel your instruction, I have never heard of a way to do this. Once the machine restarts it's too late.
0
 
LVL 63

Expert Comment

by:btan
ID: 40577344
I think likewise with MASQ too.
I know that you are trying to revert back, hence, as already stated, once restarted and the BIOS prompted, it would already halt at step 3 waiting for the BIOS password. There is no way out to revert that process. I don't think there is really any more way out, not to say undo, as the phase is already registered to await confirmation and proceed with the TPM clear.
0
 
LVL 54

Author Comment

by:McKnife
ID: 40578424
After I disconnected the battery, the BIOS was accessible and there was no request pending to clear the TPM. So the answer must be that this request is saved to the BIOS, not to the TPM itself.
I was just trying to avoid the disassembly of the machine since with that model, it's really a long process. I first hoped it got saved to the BIOS and tried to flash it, but the flash program didn't let me because it was the newest already and it didn't accept older ones.
So I learned where the request gets saved to, case closed. btan's list from Intel's paper seemed to indicate the same.

Thanks
0
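
Added example, not part of the original thread: the operating-system side of the sequence quoted from Intel's paper is exposed on Windows through the Win32_Tpm WMI class, so a queued request can be inspected, and replaced with operation 0 ("no operation"), from an elevated PowerShell session before the reboot. The operation numbers are an assumption taken from the TCG Physical Presence Interface numbering for TPM 1.2, the function names are hypothetical, and firmware may refuse or ignore the request.

```powershell
# Added example: inspect (and optionally withdraw) a pending TPM Physical
# Presence request before rebooting. Run in an elevated session.
# Assumption: operation codes follow the TCG PPI numbering for TPM 1.2.
$PpiOperation = @{
    0  = 'No operation pending'
    5  = 'Clear'
    14 = 'Clear + Enable + Activate'
    21 = 'Enable + Activate + Clear'
    22 = 'Enable + Activate + Clear + Enable + Activate'
}
$TpmNamespace = 'root\cimv2\Security\MicrosoftTpm'

function Get-TpmPendingRequest {
    $tpm = Get-CimInstance -Namespace $TpmNamespace -ClassName Win32_Tpm
    if (-not $tpm) { throw 'No TPM visible to Windows (or session not elevated).' }

    $req = Invoke-CimMethod -InputObject $tpm -MethodName GetPhysicalPresenceRequest
    if ($req.ReturnValue -ne 0) { throw "GetPhysicalPresenceRequest failed: $($req.ReturnValue)" }
    $tr = Invoke-CimMethod -InputObject $tpm -MethodName GetPhysicalPresenceTransition

    $name = $PpiOperation[[int]$req.Request]
    if (-not $name) { $name = 'Other operation (see the PPI specification)' }
    [pscustomobject]@{
        Request    = $req.Request
        Operation  = $name
        Transition = $tr.Transition   # 0 none, 1 shutdown, 2 restart, 3 vendor-specific
        ClearsTpm  = $req.Request -in 5, 14, 21, 22
    }
}

function Clear-TpmPendingRequest {
    # Submits operation 0 so the firmware has nothing left to confirm at next boot.
    $tpm = Get-CimInstance -Namespace $TpmNamespace -ClassName Win32_Tpm
    $res = Invoke-CimMethod -InputObject $tpm -MethodName SetPhysicalPresenceRequest `
        -Arguments @{ Request = [uint32]0 }
    if ($res.ReturnValue -ne 0) { throw "SetPhysicalPresenceRequest(0) failed: $($res.ReturnValue)" }
    Get-TpmPendingRequest
}

$pending = Get-TpmPendingRequest
$pending
if ($pending.ClearsTpm) {
    Write-Warning 'A TPM clear is queued; firmware will ask for confirmation at next boot.'
    # Clear-TpmPendingRequest   # uncomment to withdraw the request before rebooting
}
```

This only helps while Windows is still running; once the machine has restarted into the firmware prompt described in the thread, the request is already in the firmware's hands.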
 
LVL 63

Expert Comment

by:btan
ID: 40578767
thanks for sharing
0

Question has a verified solution.