4 Replies Latest reply on Jan 19, 2015 2:04 AM by nucvpro

    How do we clear the TPM of Intel NUC D53427RKE

    zrubciu

      Hello,

       

      I am trying to clear the TPM of a D53427RKE NUC so I can take ownership of it. I am using the latest BIOS version for this model (34).

      After entering maintenance mode in the visual BIOS there is a checkbox "Clear Trusted Platform Module", but no "OK" button.

      If I press F10 to save the setting and exit the TPM is still not cleared.

       

      Thanks in advance.

        • 1. Re: How do we clear the TPM of Intel NUC D53427RKE
          allan_intel

          Thanks for joining the NUC community.

           

          I just tested same NUC model, BIOS was entered in maintenance mode and checked "clear TPM module, that actually erased all stored keys and cleared TPM owner.

           

          See picture below:

          TPM.jpg

           

          Allan.

          • 2. Re: How do we clear the TPM of Intel NUC D53427RKE
            nucvpro

            In my BIOS (same mainboard - Version 37) I entered maintenance mode by having the yellow jumper set accordingly. The option to clear the tpm appeared and I activated it.

             

            I also hit the "maintenance" button and saw the clear the tpm checkbox again. Made sure it's activated.

             

            Then I hit the Exit button to save my settings and I wanted me to shut down the system what I did.

             

            Afterwards I tried to take ownership but again - no luck. It still keeps telling me "Authentication Failed". I repeated this now like 5 times and i'm afraid it's not working. Trying to tpm_clear --force from the OS fails because of "Bad physical presence" - That's probably because "Physical Presence" is ensured by having maintenance mode enabled (?) and I cannot boot to an OS in that mode.

             

            I'm told to "power off" The System to set back the normal mode again. Not sure if that means to shut it down by using the button or by removing the power supply but I tried both and it still does not let me use tpm_takeownership.

             

            Of course I also tried the well known secrets with no luck.

             

            I also disabled the ME/AMT in the ctrl+p because - I thought if someone had the power to access the system through the Management Engine it would spoil the maintenance mode? I was able to remotely access the BIOS GUI in Maintenance mode so.. maybe that's one of the reasons for this behaviour?

             

            What else can I do? (And no - replacing RAM or anything does not sound reasonable)

             

            UPDATE: It looks like I'm not the only having issues with taking ownership. I'm using tpm-tools from trousers (IBM)

             

            http://permalink.gmane.org/gmane.comp.encryption.trousers.user/3368

             

            UPDATE2: I contacted Ken Goldman (IBM Expert for TPM)  since he wrote Software that is capable of talking to the tpm so that you can see details that are hidden or less easy to discover otherwise.

             

            Here are the Details for the Nuc Hardware. First the TPM

             

              TPM 1.2 Version Info:
               Chip Version:        1.2.13.12
               Spec Level:          2
               Errata Revision:     3
               TPM Vendor ID:       STM
               Vendor Specific data: 50
               TPM Version:         01010000
               Manufacturer Info:   53544d20


            Now I talked to it to ask what's status it has

             

            getcapability -cap 4 -scap 0108
            Result for capability 0x4, subcapability 0x108 is :
            Permanent flags:
            Disabled: FALSE
            Ownership: TRUE
            Deactivated: FALSE
            Read Pubek: FALSE
            Disable Owner Clear: TRUE
            Allow Maintenance: FALSE
            Physical Presence Lifetime Lock: TRUE
            Physical Presence HW Enable: FALSE
            Physical Presence CMD Enable: TRUE
            CEKPUsed: FALSE
            TPMpost: FALSE
            TPMpost Lock: FALSE
            FIPS: FALSE
            Operator: FALSE
            Enable Revoke EK: FALSE
            NV Locked: TRUE
            Read SRK pub: TRUE
            TPM established: FALSE
            Maintenance done: FALSE
            Disable full DA logic info: FALSE



            Now I was asked to dump the volatile flags of the Chip


            I tried -cap 4 -scap 109 and here are the results:

             

            Deactivated: FALSE
            Disable ForceClear: FALSE
            Physical Presence Lock: TRUE
            bGlobal Lock: FALSE


            And so here is the end of the street. And it's a dead end appearently since Physical Presence Lock is TRUE. This prevents any software wise force clear from any Operating System that is booted after the BIOS is exited.


            After all this I received a reply from Intel support. I was told to look at some Microsoft Document concerning clearing the TPM from within Windows and also that they would only support Windows on that board but as proven before the operating system has no cards in this game anymore and so fortunately the support told me to have delegated the ticket to the technical department.

             

             

            Let's hope for the best

             

            UPDATE: I added a picture that shows what I get when I boot with Maintenance mode and hitting its button. You can barely see the part where it says "tpm clear". It looks GRAYED OUT. Maybe that's a sign of that problem?

             

            tpm_clear.jpg

             

            UPDATE: The text is a bit blurry (it's grayed out the camera does not catch it very well.) So the text is:

             

            Maintenance Mode

             

            Clear User and Admin Passwords

             

            Greyedout part:

             

            Warning data encrypted with the TPM will no longer ...

            Clear Trusted Platform Modoule [ ]

            Fixed Disk Boot Sector [Normal]

             

            UPDATE: Today I received a notic from Intel Support that they confirmed the problem on their side. Meanwhile I browser over the thread mentioned above and someone @qnx might have an intermediate solution to the problem which I recite here:

             

             

            From: Eric Naud <ENaud <at> qnx.com>

            Subject: Re: Issues with Taking Ownership [Solved]

            Newsgroups: gmane.comp.encryption.trousers.user

            Date: 2015-01-15 18:51:37 GMT

             

            Thanks to everyone who provided input. I did manage to resolve the

            problem and thought I'd close off this thread since it affects anyone

            trying to use the Intel NUC DC53427HYE's TPM.

             

            It's all about the BIOS. In order to properly clear and take ownership

            of the TPM you must use BIOS version 32.

             

            There seems to be regressions in later version of the BIOS (up to v38 at

            least). I tested v34, v37 and v38 (the latest version available today),

            none permitted me to use the TPM in a functional manner. Only v32

            worked.

             

             

            I haven't tried that myself, yet and downgrade the Version to 32 in the hope of not having a hardware revision that does not work with it to get the TPM erased and ownable.

            • 3. Re: How do we clear the TPM of Intel NUC D53427RKE
              nucvpro

              did you manage to get the TPM ownable? I'm close to show that TPM what "physical presence" actually means and void my warranty by it. Probably have to buy a new unit after that ;-)