10 Replies Latest reply on Nov 12, 2017 2:31 PM by kho

    Unrecoverable error in the TPM hardware

    kho

      Hi,

       

      each time the NUC (NUC7i5BNH) reboots, this entry (source: TPM, ID: 15) is found in the event log (OS Windows 10 Pro 64 bit):

       

      EN:

      The device driver for the Trusted Platform Module (TPM) has encountered an unrecoverable error in the TPM hardware that prevents the use of TPM services (such as data encryption). Please contact the computer manufacturer for more help.

       

      DE:

      Beim Gerätetreiber für das Trusted Platform Module (TPM) ist ein nicht behebbarer Fehler in der TPM-Hardware aufgetreten, der die Verwendung der TPM-Dienste (z. B. Datenverschlüsselung) verhindert. Wenden Sie sich an den Computerhersteller, um weitere Hilfe zu erhalten.

       

      Is this a real hardware error in the NUC?

       

      Regards

      Holger

        • 1. Re: Unrecoverable error in the TPM hardware
          N.Scott.Pearson

          You don't have a true TPM IC in this particular NUC. Instead, you have a TPM emulator (for lack of a better description), called Intel Platform Trust Technology (PTT), running (well, at least trying to run) on the Intel Management Engine (ME). See here for more information: Intel NUC & Compute Stick TPM and PTT Support.

           

          Because it is a ME issue, my suggestion is to install the latest available BIOS using the jumper-based Recovery Method (see here: Intel NUC BIOS Recovery Update Instructions). After this completes, use F2 to enter BIOS Setup (Visual BIOS) and then use F9 (followed by 'Y') to reset the BIOS configuration. Now, make any changes to the BIOS configuration (boot order, etc.) that are absolutely necessary and then exit from Visual BIOS saving the configuration. Hopefully this will have cleared up the error...

           

          Hope this helps,

          ...S

          • 2. Re: Unrecoverable error in the TPM hardware
            kho

            Hi Scott,

             

            I installed the latest BIOS (#0049), reset all BIOS config to default (F9) but the TPM error is still alive...

             

            Regards

            Holger

            • 3. Re: Unrecoverable error in the TPM hardware
              N.Scott.Pearson

              Have you installed PTT support?

              • 4. Re: Unrecoverable error in the TPM hardware
                kho

                ...I didn't find any extra software to install for PTT support.

                 

                On this page <Trusted Platform Module Information> my NUC Intel® NUC Kit NUC7i5BNH is one of the supported products.

                The App "Intel(R) Management Engine Components" is installed in Version 11.7.0.107, running on Windows 10 Pro.

                 

                What else is missing?

                 

                Regards

                Holger

                • 5. Re: Unrecoverable error in the TPM hardware
                  davmic

                  Have you got anywhere with this?  I am having the same issue; it occurs at boot up.


                  brand new NUC7i5BNH

                  Intel ME driver 11.7.0.1017

                  Windows 10 Pro, joined to domain

                   

                   

                  TPM
                  [Guid] {1B6B0772-251B-4D42-917D-FACA166BC059}
                  EventID 15
                  Version 0
                  Level 2
                  Task 0
                  Opcode 0
                  Keywords 0x8000000000000000
                  - TimeCreated
                  [SystemTime] 2017-11-10T07:25:48.384792800Z
                  EventRecordID 4879
                  Correlation
                  - Execution
                  [ProcessID] 4
                  [ThreadID] 400
                  Channel System
                  Computer mycomputer.domain.local
                  - Security
                  [UserID] S-1-5-18
                  - EventData
                  locationCode 0x1c000529
                  Data 3221225524

                  • 6. Re: Unrecoverable error in the TPM hardware
                    N.Scott.Pearson

                    Have you enabled Intel Platform Trust Technology in the BIOS? During power on, when the "Intel NUC" splash screen appears, use F2 to enter BIOS Setup (the Visual BIOS program). Click on Advanced and then Security. In the Security Features section on the right, there should be a checkbox item for Intel Platform Trust Technology. Check this to enable the capability. When you exit from Visual BIOS (either via F10 key or the circled X in the upper right corner of the screen), make sure you save the configuration so that the setting persists.

                     

                    Hope this helps,

                    ...S

                    • 7. Re: Unrecoverable error in the TPM hardware
                      kho

                      Hi Folks,

                       

                      on my NUC (same model) the error is still present (occurs on every reboot) and the flag for Intel Platform Trust Technology is enabled.

                      Holger

                      (Attachment: bios_security.bmp)

                      • 8. Re: Unrecoverable error in the TPM hardware
                        BetLet

                        Update:

                         

                        The #3 item (Ensure SecureBoot ...) in the link below may be the reason this error is being logged.

                         

                        TPM System Fundamentals Testing Prerequisites - Windows 8.1 HCK

                         

                        Just #3 (not #1 for sure, and there's no reason to mess with #2). Run msinfo32 like it mentions, except do NOT 'run as admin'.  The mystery is thanks to MS's vague entry about some driver, but this SecureBoot thing sounds about right.

                         

                        -------------

                         

                        First. A TPM is primarily used to store your private keys.  At least for Windows. (And to generate them, too, but Infineon firmware has a bug -- see the ROCA link further below)

                         

                        Is this on the 1709 update?

                         

                        When it says "such as data encryption", not all TPMs do encryption since it's optional (and very, very slow to be done in a physical TPM compared to CPU).  Many APIs are optional.  Whether that's the reason for the entry in the log I don't know.  It may be that, if your system drive is not the proper format (GUID partition type, I -think-) then bitlocker won't work on it (I -think-) and that may be the reason for the error entry.

                         

                        tpm.msc

                         

                        you've probably seen.  It would show something about "The TPM is ready for use. (sic) with reduced functionality." because of that.  If you've got an Infineon TPM (you won't on your NUC if it's using PTT) you'd also see "The TPM firmware on this PC has a known security problem..."

                         

                        Not a big help, but on 1703 I don't get the error log entry on my NUC6, but it has these not-available APIs:

                         

                        TBS detected 2.0 firmware TPM (fTPM) using Intel TEE.

                        Missing Ordinals:

                        TPM_CC_ChangePPS(0x00000125)

                        TPM_CC_PCR_SetAuthPolicy(0x0000012c)

                        TPM_CC_PP_Commands(0x0000012d)

                        TPM_CC_FieldUpgradeStart(0x0000012f)

                        TPM_CC_GetCommandAuditDigest(0x00000133)

                        TPM_CC_SetAlgorithmSet(0x0000013f)

                        TPM_CC_SetCommandCodeAuditStatus(0x00000140)

                        TPM_CC_FieldUpgradeData(0x00000141)

                        TPM_CC_Rewrap(0x00000152)

                        TPM_CC_FirmwareRead(0x00000179)

                        TPM_CC_PCR_SetAuthValue(0x00000183)

                        TPM_CC_NV_Certify(0x00000184)

                        TPM_CC_PolicyPhysicalPresence(0x00000187)

                         

                        The PTT on my NUC6i5 does do encrypt/decrypt.  Compare that with a physical TPM:

                         

                        TBS detected 2.0 discrete TPM (dTPM) using TIS on MMIO/IO.

                        Missing Ordinals:

                        TPM_CC_ChangeEPS(0x00000124)

                        TPM_CC_ChangePPS(0x00000125)

                        TPM_CC_PCR_SetAuthPolicy(0x0000012c)

                        TPM_CC_PP_Commands(0x0000012d)

                        TPM_CC_NV_GlobalWriteLock(0x00000132)

                        TPM_CC_GetCommandAuditDigest(0x00000133)

                        TPM_CC_SetAlgorithmSet(0x0000013f)

                        TPM_CC_SetCommandCodeAuditStatus(0x00000140)

                        TPM_CC_FieldUpgradeData(0x00000141)

                        TPM_CC_GetTime(0x0000014c)

                        TPM_CC_Rewrap(0x00000152)

                        TPM_CC_EncryptDecrypt(0x00000164)  <---------- encrypt/decrypt is not available

                        TPM_CC_FirmwareRead(0x00000179)

                        TPM_CC_PCR_SetAuthValue(0x00000183)

                        TPM_CC_NV_Certify(0x00000184)

                        TPM_CC_PolicyPhysicalPresence(0x00000187)

                        TPM_CC_ZGen_2Phase(0x0000018d)

                         

                        I haven't looked into this for a while, not since before this

                         

                        ROCA: Vulnerable RSA generation (CVE-2017-15361) [CRoCS wiki]

                         

                        but will be soon.

                         

                        ---- NOTICE that on the machine with a physical TPM, and 1709, I get the same log entry as you, so this has nothing to do with your TPM being PTT ---

                         

                        In the end, there's nothing you can do.  It's probably nothing too serious.  To poke around the TPM google this applet:

                         

                        Microsoft Tpm2ToolKit V1.0.

                        Stefan Thom, 2014

                        Commands:

                        -GAV  - Get TPM AuthValues

                        -Ppi  - Physical Presence Interface Info

                        -Log  - TCG Log Info

                        -Cap  - Get TPM capabilities

                        -NvK  - Enumerate all persistent keys in NV

                        -NvO  - Enumerate all NV objects

                        -Ord  - Dump missing ordinals

                        -Alg  - Dump supported algorithms and curves

                        -CPh  - Clear with Platform Hierachy

                        -CLA  - Clear with LockoutAuth

                        -CPP  - Clear with Physical Presence Interface

                        -RPR  - Read Platform Configuration Registers

                        -EDP  - Extend debug PCR

                        -RDP  - Reset debug PCR

                        -RCl  - Read Clock

                        -TAK  - Test AES 128bit Key

                        -TEK  - Test ECDSA P-256 Key

                        -THK  - Test HMAC Key

                        -TRK  - Test RSA 2048bit Key

                        -CNG  - Test PCPKSP key creation and usage

                        -DCS  - Dump users 'My' Certificate Store

                        -CCS  - Clear users 'My' Certificate Store

                        -PFX  - Import PFX to users 'My' Certificate Store

                               - Optional parameters for -PFX:

                                 -Fil:[Filename.pfx]

                                 -Pwd:[PfxPassword]

                         

                        Switch:

                        -BoE  - Break into the debugger on entry
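
Added example (not part of the post above and not Tpm2ToolKit code): a short Python parser for the two `-Ord` dumps quoted in reply 8, showing exactly which commands are missing on only one of the two TPMs. The function names and result keys are this example's own; the dump text is transcribed from the post.

```python
import re

# Tpm2ToolKit "-Ord" dumps transcribed from the post above; entries are
# reflowed several per line to save space (the parser ignores line breaks).
FTPM_DUMP = """TBS detected 2.0 firmware TPM (fTPM) using Intel TEE.
Missing Ordinals:
TPM_CC_ChangePPS(0x00000125) TPM_CC_PCR_SetAuthPolicy(0x0000012c)
TPM_CC_PP_Commands(0x0000012d) TPM_CC_FieldUpgradeStart(0x0000012f)
TPM_CC_GetCommandAuditDigest(0x00000133) TPM_CC_SetAlgorithmSet(0x0000013f)
TPM_CC_SetCommandCodeAuditStatus(0x00000140) TPM_CC_FieldUpgradeData(0x00000141)
TPM_CC_Rewrap(0x00000152) TPM_CC_FirmwareRead(0x00000179)
TPM_CC_PCR_SetAuthValue(0x00000183) TPM_CC_NV_Certify(0x00000184)
TPM_CC_PolicyPhysicalPresence(0x00000187)"""
DTPM_DUMP = """TBS detected 2.0 discrete TPM (dTPM) using TIS on MMIO/IO.
Missing Ordinals:
TPM_CC_ChangeEPS(0x00000124) TPM_CC_ChangePPS(0x00000125)
TPM_CC_PCR_SetAuthPolicy(0x0000012c) TPM_CC_PP_Commands(0x0000012d)
TPM_CC_NV_GlobalWriteLock(0x00000132) TPM_CC_GetCommandAuditDigest(0x00000133)
TPM_CC_SetAlgorithmSet(0x0000013f) TPM_CC_SetCommandCodeAuditStatus(0x00000140)
TPM_CC_FieldUpgradeData(0x00000141) TPM_CC_GetTime(0x0000014c) TPM_CC_Rewrap(0x00000152)
TPM_CC_EncryptDecrypt(0x00000164)  <---------- encrypt/decrypt is not available
TPM_CC_FirmwareRead(0x00000179) TPM_CC_PCR_SetAuthValue(0x00000183)
TPM_CC_NV_Certify(0x00000184) TPM_CC_PolicyPhysicalPresence(0x00000187)
TPM_CC_ZGen_2Phase(0x0000018d)"""

BANNER = re.compile(r"TBS detected \S+ (firmware|discrete) TPM")
ORDINAL = re.compile(r"(TPM_CC_\w+)\((0x[0-9a-fA-F]{8})\)")

def parse_dump(text):
    """Return (tpm_kind, {command_code: command_name}) for one dump."""
    banner = BANNER.search(text)
    if banner is None:
        raise ValueError("no 'TBS detected' banner in dump")
    return banner.group(1), {int(c, 16): n for n, c in ORDINAL.findall(text)}

def compare_dumps(dump_a, dump_b):
    """Split missing commands into only-in-A, only-in-B and in-both."""
    kind_a, a = parse_dump(dump_a)
    kind_b, b = parse_dump(dump_b)
    return {
        "kinds": (kind_a, kind_b),
        "only_a": [a[c] for c in sorted(a.keys() - b.keys())],
        "only_b": [b[c] for c in sorted(b.keys() - a.keys())],
        "both": [a[c] for c in sorted(a.keys() & b.keys())],
    }

if __name__ == "__main__":
    print(compare_dumps(FTPM_DUMP, DTPM_DUMP))
```

Each list is ordered by command code, so the result can be read against the dumps in the post.
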

                        • 9. Re: Unrecoverable error in the TPM hardware
                          MrMitch

                          I checked on my BN NUC with BIOS 0054 (just released) and don't see any error from the PTT (soft TPM). If re-flashing the BIOS and doing an F9 load defaults does not work, you might want to go to the TPM control panel and clear the TPM from there. From the taskbar search box, type "control" and the old style Windows control panel should appear.

                           

                          You have to be using Windows 10 Pro to see the BitLocker control panel. Select that and then select TPM Administration in the lower left corner. When that window appears, select "Clear TPM" on the right side. This should reset the TPM and stop that message hopefully.

                           

                          Thanks.

                          MrMitch ...

                          • 10. Re: Unrecoverable error in the TPM hardware
                            kho

                            Hi MrMitch,

                            I can see the BitLocker control panel and have the option to encrypt all three partitions on the SSD, but I don't need encryption on this computer...

                             

                            In the TPM management there are these entries and on the right hand the option to clear TPM.

                            My question is: Which side effects are possible when I clear the TPM at this point? Or would it be better to do this in the BIOS settings?

                             

                            Regards

                            Holger