Device Security Checks Failed in F38 (TPM 2.0)

Ask Fedora
, , , ,
1

I just upgraded to F38 from F37 and noticed when clicking on the Device Security, ‘Checks Failed’ and Secure Boot was not active.

So, I set secure boot active which resolved one of the issues but ‘Checks Failed’ continues to show. Looking at the Security Events, it is complaining about TPM v2.0 (see screenshot below)

image
image615×772 32 KB

So, I looked at the Technical Report and TPM 2.0 is showing as Fail (Found → Not Found)

Device Security Report
======================

Report details
  Date generated:                                  2023-04-20 11:28:02
  fwupd version:                                   1.8.14

System details
  Hardware model:                                  Dell Inc. XPS 13 9365
  Processor:                                       Intel(R) Core(TM) i7-7Y75 CPU @ 1.30GHz
  OS:                                              Fedora Linux 38 (Workstation Edition)
  Security level:                                  HSI:0 (v1.8.14)

HSI-1 Tests
  TPM v2.0:                                      ! Fail (Not Found)
  UEFI Platform Key:                               Pass (Valid)
  Firmware BIOS Region:                            Pass (Locked)
  Intel Management Engine Version:                 Pass (Valid)
  Firmware Write Protection Lock:                  Pass (Enabled)
  Platform Debugging:                              Pass (Not Enabled)
  Intel Management Engine Manufacturing Mode:      Pass (Locked)
  UEFI Secure Boot:                                Pass (Enabled)
  Firmware Write Protection:                       Pass (Not Enabled)
  Intel Management Engine Override:                Pass (Locked)

HSI-2 Tests
  Intel BootGuard Fuse:                            Pass (Valid)
  Intel BootGuard Verified Boot:                   Pass (Valid)
  Intel BootGuard ACM Protected:                   Pass (Valid)
  Intel BootGuard:                                 Pass (Enabled)
  IOMMU Protection:                              ! Fail (Not Found)
  Platform Debugging:                              Pass (Locked)

HSI-3 Tests
  Pre-boot DMA Protection:                       ! Fail (Not Enabled)
  Intel BootGuard Error Policy:                    Pass (Valid)
  Intel CET:                                     ! Fail (Not Supported)
  Suspend To RAM:                                  Pass (Not Enabled)
  Suspend To Idle:                                 Pass (Enabled)

HSI-4 Tests
  Encrypted RAM:                                 ! Fail (Not Supported)
  Intel SMAP:                                      Pass (Enabled)

Runtime Tests
  Firmware Updater Verification:                   Pass (Not Tainted)
  Linux Swap:                                      Pass (Encrypted)
  Linux Kernel Lockdown:                           Pass (Enabled)
  Linux Kernel Verification:                       Pass (Not Tainted)

Host security events
  2022-11-27 19:28:08   Linux Kernel Lockdown        Pass (Not Enabled → Enabled)
  2022-11-27 19:28:08   UEFI Secure Boot             Pass (Not Enabled → Enabled)
  2022-11-27 19:28:08   TPM v2.0                   ! Fail (Found → Not Found)
  2022-11-26 19:48:26   TPM v2.0                     Pass (Not Found → Found)
  2022-09-26 14:03:27   TPM v2.0                   ! Fail (Found → Not Found)
  2022-09-26 13:20:09   Intel Management Engine VersionPass (Not Valid → Valid)

For information on the contents of this report, see https://fwupd.github.io/hsi.html

I went into my BIOS settings and checked that TPM is enabled (see below)

image
image520×809 97.8 KB

Restarting and checking again, it still shows the same under Device security.

So, I tried the following, but there were no updates for my laptop

sudo fwupdmgr get-devices 
sudo fwupdmgr refresh --force 
sudo fwupdmgr get-updates 
sudo fwupdmgr update

My device is a Dell XPS 13 9365
image

I would appreciate any advice/guidance on how to overcome the Device Security Checks Failed issues. I suspect there may be more than just the TPM issue.

For ease, I am happy for my laptop to be just a Fedora workstation as I do not need Windows, if that is part of the solution.

Thank you in advance.

1 Like
2

If you click the :warning: Checks Failed button, you’ll see a message like this:

This means there are 3 categories of problems:

  • can be fixed with firmware updates,
  • can be resolved with specific BIOS/EFI settings,
  • require hardware replacement to be fixed.

In your case, the version of TPM might be incorrectly reported by the firmware.
Usually you can do nothing about it other than looking for firmware updates and complaining to the hardware vendor if the warranty is still valid.

You can also confirm the TPM status manually:
linux - How to determine if computer has TPM (Trusted Platform Module) available - Unix & Linux Stack Exchange

1 Like
3

Thanks for the quick response @vgaetera

running the following

dmesg | grep -i tpm

the output is as follows

[    0.000000] efi: TPMFinalLog=0x6af82000 SMBIOS=0x6a226000 ACPI=0x6affe000 ACPI 2.0=0x6affe014 ESRT=0x6a1e1018 MEMATTR=0x67b01018 MOKvar=0x6a1ff000 RNG=0x6afa3018 TPMEventLog=0x4e0d1018 
[    0.024440] ACPI: SSDT 0x000000006AFBE000 0003DB (v02 INTEL  Tpm2Tabl 00001000 INTL 20160422)
[    0.024446] ACPI: TPM2 0x000000006AFBD000 000034 (v03 INTEL  EDK2     00000002      01000013)
[    0.024549] ACPI: Reserving TPM2 table memory at [mem 0x6afbd000-0x6afbd033]
[    2.372001] tpm_tis: probe of MSFT0101:00 failed with error -1
[    2.503315] ima: No TPM chip found, activating TPM-bypass!
[    2.915971] systemd[1]: systemd 253.2-1.fc38 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
[    6.784569] systemd[1]: systemd 253.2-1.fc38 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
[    7.834698] systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).

So in this instance, I am unclear whether I should just ignore this and carry on.

Or try and update via W11 drivers if there is any (I am looking to avoid this option). I doubt I will make much progress complaining to the HW Vendor as the laptop is a few years old and out of warranty. Alternatively, carry on looking for some firmware updates.

I am not sure if there is an option for me to look at this line or perhaps a red herring

[    7.834698] systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).
4

It seems possible that even W11 would not be able to assist.
That laptop was released late 2017 so is about 6 years old. The chip may not be quite new enough for the full support of TPM 2.0 even though the bios indicates so. I seem to recall that there was an early release of TPM 2.0 then a later updated spec so your laptop may be compatible with the earlier version but not the current version.

A bit of research may reveal info about that possibility.
A quick check of wikipedia shows the below and implies it may not have the correct chipset or CPU (intel 7th gen vs intel 8th gen)

image
image727×311 51.1 KB

1 Like
5

Thanks @computersavvy - I tried some more research and came across this post in the Red Hat Customer Portal Knowledgebase but it was restricted to users… so I couldn’t view the solution but sharing here in case it helps others.

https://access.redhat.com/solutions/3716131

Some further digging I found this article and managed to fix this!

https://paolozaino.wordpress.com/2021/02/21/linux-configure-and-use-your-tpm-2-0-module-on-linux/

In my case I followed these steps

cat /sys/class/tpm/tpm*/tpm_version_major
The output confirmed version 2.0

Then
sudo dnf install tpm2-abrmd

Then, whilst you can try either, I went with both
sudo modprobe tpm_tis_spi
sudo modprobe tpm_infineon

Then
sudo dnf install tpm2-tools

Rebooted my laptop

Checked ‘Device Security’ to be presented for the first time with 2 greens…! :slight_smile:
image

1 Like