In my BIOS (same mainboard - Version 37) I entered maintenance mode by having the yellow jumper set accordingly. The option to clear the TPM appeared and I activated it.
I also hit the "maintenance" button and saw the "clear the TPM" checkbox again. I made sure it was activated.
Then I hit the Exit button to save my settings and it wanted me to shut down the system, which I did.
Afterwards I tried to take ownership but again - no luck. It still keeps telling me "Authentication Failed". I have repeated this now like 5 times and I'm afraid it's not working. Trying to tpm_clear --force from the OS fails because of "Bad physical presence" - that's probably because "Physical Presence" is ensured by having maintenance mode enabled (?) and I cannot boot to an OS in that mode.
I'm told to "power off" the system to set it back to normal mode again. Not sure if that means to shut it down by using the button or by removing the power supply, but I tried both and it still does not let me use tpm_takeownership.
Of course I also tried the well-known secrets with no luck.
I also disabled the ME/AMT in the Ctrl+P menu because I thought that if someone had the power to access the system through the Management Engine, it would spoil the maintenance mode? I was able to remotely access the BIOS GUI in Maintenance mode, so... maybe that's one of the reasons for this behaviour?
What else can I do? (And no - replacing RAM or anything does not sound reasonable)
UPDATE: It looks like I'm not the only one having issues with taking ownership. I'm using tpm-tools from trousers (IBM).
UPDATE2: I contacted Ken Goldman (IBM expert for TPM) since he wrote software that is capable of talking to the TPM so that you can see details that are hidden or less easy to discover otherwise.
Here are the details for the NUC hardware. First the TPM:
TPM 1.2 Version Info:
Chip Version: 188.8.131.52
Spec Level: 2
Errata Revision: 3
TPM Vendor ID: STM
Vendor Specific data: 50
TPM Version: 01010000
Manufacturer Info: 53544d20
Now I talked to it to ask what status it has:
getcapability -cap 4 -scap 0108
Result for capability 0x4, subcapability 0x108 is :
Read Pubek: FALSE
Disable Owner Clear: TRUE
Allow Maintenance: FALSE
Physical Presence Lifetime Lock: TRUE
Physical Presence HW Enable: FALSE
Physical Presence CMD Enable: TRUE
TPMpost Lock: FALSE
Enable Revoke EK: FALSE
NV Locked: TRUE
Read SRK pub: TRUE
TPM established: FALSE
Maintenance done: FALSE
Disable full DA logic info: FALSE
Now I was asked to dump the volatile flags of the chip.
I tried -cap 4 -scap 109 and here are the results:
Disable ForceClear: FALSE
Physical Presence Lock: TRUE
bGlobal Lock: FALSE
And so here is the end of the street. And it's a dead end, apparently, since Physical Presence Lock is TRUE. This prevents any software-wise force clear from any operating system that is booted after the BIOS is exited.
After all this I received a reply from Intel support. I was told to look at some Microsoft document concerning clearing the TPM from within Windows, and also that they would only support Windows on that board, but as proven before the operating system has no cards in this game anymore, and so fortunately support told me they had delegated the ticket to the technical department.
Let's hope for the best.
UPDATE: I added a picture that shows what I get when I boot with Maintenance mode and hit its button. You can barely see the part where it says "tpm clear". It looks GRAYED OUT. Maybe that's a sign of that problem?
UPDATE: The text is a bit blurry (it's grayed out and the camera does not catch it very well). So the text is:
Clear User and Admin Passwords
Warning data encrypted with the TPM will no longer ...
Clear Trusted Platform Module [ ]
Fixed Disk Boot Sector [Normal]
UPDATE: Today I received a notice from Intel Support that they confirmed the problem on their side. Meanwhile I browsed over the thread mentioned above, and someone @qnx might have an intermediate solution to the problem, which I recite here:
From: Eric Naud <ENaud <at> qnx.com>
Subject: Re: Issues with Taking Ownership [Solved]
Date: 2015-01-15 18:51:37 GMT
Thanks to everyone who provided input. I did manage to resolve the
problem and thought I'd close off this thread since it affects anyone
trying to use the Intel NUC DC53427HYE's TPM.
It's all about the BIOS. In order to properly clear and take ownership
of the TPM you must use BIOS version 32.
There seem to be regressions in later versions of the BIOS (up to v38 at
least). I tested v34, v37 and v38 (the latest version available today),
none permitted me to use the TPM in a functional manner. Only v32
I haven't tried that myself yet: downgrading the version to 32, in the hope of not having a hardware revision that does not work with it, to get the TPM erased and ownable.
Did you manage to get the TPM ownable? I'm close to showing that TPM what "physical presence" actually means and voiding my warranty by it. Probably have to buy a new unit after that ;-)
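An added example, not part of the original post or of any tool mentioned in it: a small Python check that reads the flag lines from the two getcapability dumps above and reports which TPM 1.2 clear paths remain open. The function names are hypothetical, and the rules encoded are a summary of how TPM_OwnerClear, TPM_ForceClear and TSC_PhysicalPresence behave in the TPM 1.2 specification.

```python
import re

# Flag lines copied from the getcapability dumps in the post (subcaps 0x108, 0x109).
PERMANENT = """\
Disable Owner Clear: TRUE
Physical Presence Lifetime Lock: TRUE
Physical Presence HW Enable: FALSE
Physical Presence CMD Enable: TRUE
"""
VOLATILE = """\
Disable ForceClear: FALSE
Physical Presence Lock: TRUE
"""

def parse_flags(text):
    """Turn 'Name: TRUE|FALSE' lines into {lowercased name: bool}; skip other lines."""
    flags = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s*(TRUE|FALSE)\s*$", line)
        if m:
            flags[m.group(1).lower()] = m.group(2) == "TRUE"
    return flags

def clear_paths(perm, vol):
    """Evaluate each clear path (assumed TPM 1.2 rules); {path: (possible, reason)}."""
    out = {}
    # TPM_OwnerClear needs the owner secret and is refused once disabled.
    out["owner_clear"] = (
        (False, "disableOwnerClear is set") if perm["disable owner clear"]
        else (True, "needs the owner secret"))
    # Software can assert presence only if the command path is enabled and
    # the per-boot lock is not yet set (firmware sets it before the OS starts).
    sw_pp = perm["physical presence cmd enable"] and not vol["physical presence lock"]
    hw_pp = perm["physical presence hw enable"]
    if vol["disable forceclear"]:
        out["force_clear"] = (False, "disableForceClear is set until next startup")
    elif sw_pp:
        out["force_clear"] = (True, "presence can be asserted by command")
    elif hw_pp:
        out["force_clear"] = (True, "needs the hardware presence signal")
    else:
        out["force_clear"] = (False, "presence locked for this boot; only firmware can clear")
    # With the lifetime lock set, the HW/CMD enable flags can never be changed.
    out["pp_config_changeable"] = (not perm["physical presence lifetime lock"], "lifetime lock")
    return out

if __name__ == "__main__":
    for path, (ok, why) in clear_paths(parse_flags(PERMANENT), parse_flags(VOLATILE)).items():
        print(f"{path:22} {'yes' if ok else 'no':3} {why}")
```

For the flags in the post, both clear paths come back closed from the running OS, which matches the "Bad physical presence" error and leaves the firmware's own clear option as the only route.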