
[Byte Mk II] Trusted Platform Module (TPM) is not usable #227

Closed
thatv opened this issue Nov 7, 2024 · 1 comment

Comments


thatv commented Nov 7, 2024

Hi, I want to utilize the Byte's TPM for disk unlocking, but it doesn't show up.

Issue #203 may be related. So I double-checked I'm on the latest firmware via LVFS and enabled the Intel ME as suggested. But it won't show up. I haven't flashed the coreboot image mentioned in #203, to keep my warranty.

Related outputs:

  • from bootctl
System:
      Firmware: UEFI 2.70 (EDK II 1.00)
 Firmware Arch: x64
   Secure Boot: disabled (unsupported)
  TPM2 Support: no
  Measured UKI: no
  Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 256.7+suse.9.gc7671762b3
     Features: ✓ Boot counting
               ✓ Menu timeout control
               ✓ One-shot menu timeout control
               ✓ Default entry control
               ✓ One-shot entry control
               ✓ Support for XBOOTLDR partition
               ✓ Support for passing random seed to OS
               ✓ Load drop-in drivers
               ✓ Support Type #1 sort-key field
               ✓ Support @saved pseudo-entry
               ✓ Support Type #1 devicetree field
               ✓ Enroll SecureBoot keys
               ✓ Retain SHIM protocols
               ✓ Menu can be disabled
               ✓ Boot loader sets ESP information
          ESP: /dev/disk/by-partuuid/f21e7f64-5146-4e67-9462-cacec2fb49c4
         File: └─/EFI/systemd/grub.efi

Random Seed:
 System Token: set
       Exists: yes

Available Boot Loaders on ESP:
          ESP: /boot/efi (/dev/disk/by-partuuid/f21e7f64-5146-4e67-9462-cacec2fb49c4)
         File: ├─/EFI/systemd/MokManager.efi
               ├─/EFI/systemd/shim.efi
               ├─/EFI/systemd/grub.efi (systemd-boot 256.7+suse.9.gc7671762b3)
               ├─/EFI/BOOT/MokManager.efi
               ├─/EFI/BOOT/fallback.efi
               └─/EFI/BOOT/BOOTX64.EFI

  • from dmesg | grep -i tpm
[    1.776714] [      T1] tpm_tis MSFT0101:00: [Firmware Bug]: failed to get TPM2 ACPI table
[    1.776864] [      T1] tpm_tis MSFT0101:00: probe with driver tpm_tis failed with error -22
[    1.777005] [      T1] tpm_crb MSFT0101:00: [Firmware Bug]: failed to get TPM2 ACPI table
[    1.777022] [      T1] tpm_crb MSFT0101:00: probe with driver tpm_crb failed with error -22
[    1.989687] [      T1] ima: No TPM chip found, activating TPM-bypass!
[    3.474693] [      T1] systemd[1]: systemd 256.7+suse.9.gc7671762b3 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)
[   30.882772] [      T1] systemd[1]: systemd 256.7+suse.9.gc7671762b3 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)
[   32.667219] [      T1] systemd[1]: TPM PCR Measurements was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
[   32.667365] [      T1] systemd[1]: Make TPM PCR Policy was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
[   32.899172] [      T1] systemd[1]: TPM PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
[   32.919366] [      T1] systemd[1]: Early TPM SRK Setup was skipped because of an unmet condition check (ConditionSecurity=measured-uki).

  • from fwupdmgr security --force
Host Security ID: HSI:0! (v1.9.25)

HSI-1
✔ MEI key manifest:              Valid
✔ csme manufacturing mode:       Locked
✔ csme override:                 Locked
✔ csme v0:16.50.0.1120:          Valid
✔ Platform debugging:            Disabled
✔ Supported CPU:                 Valid
✔ UEFI bootservice variables:    Locked
✘ BIOS firmware updates:         Disabled
✘ SPI write:                     Not found
✘ SPI lock:                      Not found
✘ SPI BIOS region:               Not found
✘ TPM v2.0:                      Not found
✘ UEFI secure boot:              Not found

HSI-2
✔ Intel BootGuard:               Enabled
✔ Platform debugging:            Locked
✘ Intel BootGuard ACM protected: Invalid
✘ Intel BootGuard OTP fuse:      Invalid
✘ Intel BootGuard verified boot: Invalid
✘ IOMMU:                         Not found

HSI-3
✔ CET Platform:                  Supported
✔ Pre-boot DMA protection:       Enabled
✘ Intel BootGuard error policy:  Invalid
✘ Suspend-to-idle:               Disabled
✘ Suspend-to-ram:                Enabled

HSI-4
✔ SMAP:                          Enabled
✘ Encrypted RAM:                 Not supported

Runtime Suffix -!
✔ fwupd plugins:                 Untainted
✔ Linux swap:                    Disabled
✔ Linux kernel:                  Untainted
✘ CET OS Support:                Not supported
✘ Linux kernel lockdown:         Disabled

I'm happy to provide further info and/or to flash images.
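As an added example (not code from the issue or from Star Labs), the script below triages the kernel TPM driver messages quoted above. It reads dmesg text and reports whether the failure is the firmware-side one seen here (the ACPI device MSFT0101 is present but the firmware publishes no TPM2 table, so both tpm_tis and tpm_crb fail with -22), a generic driver probe failure, or a healthy TPM 2.0. The sample lines are copied from the issue; the healthy-system line is constructed in the format the tpm_tis driver prints; the device and sysfs paths in live_checks are the standard Linux ones and are assumptions about the host it is run on.

```python
"""Classify why a Linux host reports no usable TPM 2.0 from its dmesg output."""
import os
import re
from dataclasses import dataclass, field

# dmesg lines quoted from the issue above (tpm_tis / tpm_crb probe failures).
SAMPLE_DMESG = """\
[    1.776714] [      T1] tpm_tis MSFT0101:00: [Firmware Bug]: failed to get TPM2 ACPI table
[    1.776864] [      T1] tpm_tis MSFT0101:00: probe with driver tpm_tis failed with error -22
[    1.777005] [      T1] tpm_crb MSFT0101:00: [Firmware Bug]: failed to get TPM2 ACPI table
[    1.777022] [      T1] tpm_crb MSFT0101:00: probe with driver tpm_crb failed with error -22
[    1.989687] [      T1] ima: No TPM chip found, activating TPM-bypass!
"""

# Constructed excerpt (not from the issue) for a host whose TPM probes fine.
HEALTHY_DMESG = """\
[    0.912345] [      T1] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1B, rev-id 16)
"""

# Longer driver names first so the alternation does not stop at a prefix.
TPM_DRIVER_RE = re.compile(r"\b(tpm_tis_spi|tpm_tis_i2c|tpm_tis|tpm_crb)\b")
PROBE_ERR_RE = re.compile(r"probe with driver (\S+) failed with error (-?\d+)")


@dataclass
class TpmTriage:
    drivers_seen: set = field(default_factory=set)
    acpi_table_missing: bool = False
    probe_errors: dict = field(default_factory=dict)  # driver name -> errno
    ima_bypass: bool = False
    tpm2_detected: bool = False

    def verdict(self) -> str:
        if self.tpm2_detected:
            return "tpm2-present"
        if self.acpi_table_missing:
            # The kernel found the TPM ACPI device but the firmware did not
            # publish a TPM2 table: this is a firmware problem, so kernel or
            # distro tuning will not make the TPM appear.
            return "firmware-missing-tpm2-acpi-table"
        if self.probe_errors:
            return "driver-probe-failed"
        if not self.drivers_seen:
            return "no-tpm-driver-activity"
        return "unknown"


def triage_dmesg(text: str) -> TpmTriage:
    """Walk dmesg lines and collect the TPM-related signals."""
    t = TpmTriage()
    for line in text.splitlines():
        m = TPM_DRIVER_RE.search(line)
        if m:
            t.drivers_seen.add(m.group(1))
        if "failed to get TPM2 ACPI table" in line:
            t.acpi_table_missing = True
        pm = PROBE_ERR_RE.search(line)
        if pm:
            t.probe_errors[pm.group(1)] = int(pm.group(2))
        if "No TPM chip found" in line:
            t.ima_bypass = True
        if re.search(r"\b2\.0 TPM\b", line):
            t.tpm2_detected = True
    return t


def live_checks() -> dict:
    """Read-only host indicators; on a host without a TPM (or off Linux) all are False."""
    return {
        "tpm_device_node": os.path.exists("/dev/tpm0") or os.path.exists("/dev/tpmrm0"),
        "sysfs_tpm_class": os.path.isdir("/sys/class/tpm") and bool(os.listdir("/sys/class/tpm")),
        "acpi_tpm2_table": os.path.exists("/sys/firmware/acpi/tables/TPM2"),
    }


if __name__ == "__main__":
    t = triage_dmesg(SAMPLE_DMESG)
    print("verdict:", t.verdict())
    print("drivers:", sorted(t.drivers_seen), "probe errors:", t.probe_errors)
    print("live checks:", live_checks())
```

On the output pasted in this issue the verdict is `firmware-missing-tpm2-acpi-table`, which matches the `TPM v2.0: Not found` line from fwupdmgr and points at the firmware rather than the distribution. To use it on another host, pipe `dmesg` into `triage_dmesg` and compare with `live_checks()`: a missing `/sys/firmware/acpi/tables/TPM2` together with that verdict confirms the table is absent from the ACPI tables the firmware exposes.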

@Sean-StarLabs (Contributor)

> So I double-checked I'm on the latest firmware via LVFS

You're not on the latest release.

> I haven't flashed the coreboot image mentioned in #203, to keep my warranty.

Flashing firmware won't void the warranty, but you definitely don't want to flash a version of coreboot for different hardware as it won't boot.

It's the same as #203 though.
