  • Posts: 10
  • Registered: ‎07-13-2017
  • Location: Australia
  • Views: 339
  • Message 1 of 17

T470 20JN Bitlocker Problem with PCR 5 and PCR 7

2017-07-13, 2:56 AM

I have a customer who is saying that T470 systems need Bitlocker recovery key on every reboot.

Windows 8.1 tested with BIOS 1.26, 1.29 and 1.30 and TPM 1.2 and 2.0 with the same result. Secure boot and UEFI only set.

After some investigation, we found two error messages generated by PCR 5 and PCR 7.

Then I found the following info on other forums:

1. PCR 5 is not used with Windows 8.1 - is that true? Need Microsoft or Lenovo source on this.

2. PCR 7 is "Computer Manufacturer-Specific" meaning that not every BIOS/UEFI is meant to measure and record values required for PCR 7 - is T470 one of those systems or not?

 

thank you

regards

  • Posts: 937
  • Registered: ‎02-20-2009
  • Location: United States of America
  • Views: 6436
  • Message 2 of 17

Re: T470 20JN Bitlocker Problem with PCR 5 and PCR 7

2017-07-13, 3:45 AM

Note that if your T470 is a Kabylake model (7th gen Intel processor), it is certified for W10 only. Also, the T470 Skylake based (6th gen Intel processor) really are only tested with W7 and W10.

 

I would discourage the use of Win8.1 on a T470.

 

Make sure the BIOS is at the most current level.

 

With that being said, that system has a TPM 2.0 module. You should make sure the OS is installed to a GPT partition, not an MBR partition. If installing W10, the system must be in pure UEFI mode, Secure boot enabled, or you are going to have issues with the TPM.

 

For W7, again it must be installed in a GPT partition, and the Microsoft hotfix that supports TPM 2.0 modules must be part of the initial image from https://support.microsoft.com/en-us/help/2920188/update-to-add-support-for-tpm-2.0-in-windows-7-and-windows-server-2008.

 

 

  • Posts: 10
  • Registered: ‎07-13-2017
  • Location: Australia
  • Views: 339
  • Message 3 of 17

Re: T470 20JN Bitlocker Problem with PCR 5 and PCR 7

2017-07-13, 3:58 AM

It is WIN,i5-6200U Skylake CPU -  and Lenovo support website shows drivers for 8.1 meaning that it is certified for 8.1.

 

I understand that if the system must have MBR partition in order to work with PCR 5 and 8.1 also supports MBR but then BIOS has to be set for Legacy, meaning it won't work with UEFI that is needed for secure boot. But if that is the case then why is PCR 4 not generating any errors? PCR 4 is using MBR tables as well.

 

Going back to PCR 7 - can it be used on T470 system? Or, to be more precise, for PCR 7 to work, the Platform Manufacturer firmware MUST measure the following values in the order listed using the EV_EFI_VARIABLE_DRIVER_CONFIG event type to PCR[7]:

  1. SecureBoot variable value

  2. The PK variable value

  3. The KEK variable value

  4. The EFI_IMAGE_SECURITY_DATABASE_GUID/EFI_IMAGE_SECURITY_DATABASE variable value

  5. The EFI_IMAGE_SECURITY_DATABASE_GUID/EFI_IMAGE_SECURITY_DATABASE1 variable value

Can those values be measured by BIOS/UEFI on T470 or not?

Reply
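The PCR[7] measurement order listed in the post above, modeled as an added example (not part of the original thread and not Lenovo or Microsoft code): each variable is hashed as a UEFI_VARIABLE_DATA record and extended into a SHA-256 PCR, and the key is released only when the replayed value equals the one sealed at enablement. The variable contents are constructed placeholders, the helper names are hypothetical, and the separator and signer-authority events that real firmware also logs to PCR 7 are left out.

```python
import hashlib
import struct
import uuid

# Variable namespace GUIDs defined by the UEFI specification.
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

def variable_event_digest(guid, name, data):
    """SHA-256 over a UEFI_VARIABLE_DATA record: GUID, name length in
    characters, data length, UTF-16LE name (no terminator), then data."""
    record = (guid.bytes_le + struct.pack("<QQ", len(name), len(data))
              + name.encode("utf-16-le") + data)
    return hashlib.sha256(record).digest()

def pcr7(events):
    """Replay events into a SHA-256 PCR: new = SHA256(old || digest)."""
    pcr = bytes(32)  # PCR 7 starts at all zeros after reset
    for guid, name, data in events:
        pcr = hashlib.sha256(pcr + variable_event_digest(guid, name, data)).digest()
    return pcr

# Constructed variable contents; real PK/KEK/db/dbx hold signature lists.
BASELINE = [
    (EFI_GLOBAL_VARIABLE, "SecureBoot", b"\x01"),
    (EFI_GLOBAL_VARIABLE, "PK", b"constructed-PK"),
    (EFI_GLOBAL_VARIABLE, "KEK", b"constructed-KEK"),
    (EFI_IMAGE_SECURITY_DATABASE_GUID, "db", b"constructed-db"),
    (EFI_IMAGE_SECURITY_DATABASE_GUID, "dbx", b"constructed-dbx"),
]

def with_variable(events, name, data):
    """Copy of the event list with one variable's contents replaced."""
    return [(g, n, data if n == name else d) for g, n, d in events]

def key_released(sealed_pcr, events):
    """Simplified model: the key is released only if the replayed PCR matches."""
    return pcr7(events) == sealed_pcr

SEALED = pcr7(BASELINE)  # value captured when BitLocker was enabled

if __name__ == "__main__":
    cases = {
        "same boot state": BASELINE,
        "Secure Boot off": with_variable(BASELINE, "SecureBoot", b"\x00"),
        "dbx updated": with_variable(BASELINE, "dbx", b"constructed-dbx-v2"),
        "PK/KEK out of order": [BASELINE[0], BASELINE[2], BASELINE[1]] + BASELINE[3:],
    }
    for label, events in cases.items():
        print(f"{label:22} -> {'unlock' if key_released(SEALED, events) else 'recovery prompt'}")
```

Any change to a measured variable, or to the order in which firmware measures them, yields a different PCR 7 value and therefore a recovery prompt.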
  • Posts: 937
  • Registered: ‎02-20-2009
  • Location: United States of America
  • Views: 6436
  • Message 4 of 17

Re: T470 20JN Bitlocker Problem with PCR 5 and PCR 7

2017-07-13, 14:54 PM

Sometimes we will post drivers (especially if the W8.1 and W10 drivers are the same), but no official Lenovo preload was developed for Windows 8.1...therefore no testing. I don't think Microsoft even bothered with it for their Hardware Compatibility List.

 

For a TPM 2.0 chip, unofficially and unsupported, you should test with a Win 8.1 deployment in pure UEFI mode, first to see if that resolves your problems. Perhaps one machine loaded manually as a test bed.

 

If it does...you are going to have to step away from Legacy mode.

  • Posts: 10
  • Registered: ‎07-13-2017
  • Location: Australia
  • Views: 339
  • Message 5 of 17

Re: T470 20JN Bitlocker Problem with PCR 5 and PCR 7

2017-07-14, 6:16 AM

Like mentioned in my first post, units have been tested with UEFI only...

I don't think that 8.1 is the problem here either.

 

Questions are:

PCR 7 - is it supported by T470 UEFI? Yes or no?

PCR 5 - what is Lenovo's take on that specific Platform Configuration Register to be used with W8.1 on T470? Any comments on why this set of PCRs doesn't work on T470 and worked fine on T440 and T450?

  • Posts: 937
  • Registered: ‎02-20-2009
  • Location: United States of America
  • Views: 6436
  • Message 6 of 17

Re: T470 20JN Bitlocker Problem with PCR 5 and PCR 7

2017-07-14, 12:12 PM

Well, I stand corrected, the T470 is on the supported list for Windows 8.1. That would be assuming the following, which you should follow for a controlled test:

  • "Use Optimized OS Defaults" set to ENABLED
  • default BIOS settings loaded.
  • Secure Boot MUST be enabled with the TPM 2.0
  • Pure UEFI mode set, which should have been triggered when you loaded default BIOS settings
  • MOST current BIOS revision.
  • Security chip cleared, TPM 2.0 mode
  • a manual install of Win 8.1 in pure UEFI mode via external media to a drive that has been entirely blanked, no partitions as the testbed. This should install Win 8.1 to a GPT partition, also a must with a TPM 2.0.

(I would also suggest setting the Thunderbolt 3 settings in BIOS to "no security", a change from default settings)

 

List of systems supported is here https://support.lenovo.com/us/en/solutions/ht503593

 

This also does assume the system was built with a 6th gen Skylake processor.

 

I would recommend you do this for a manual function test first to see the differences in behavior from your imaging process...

  • Posts: 6856
  • Registered: ‎10-29-2009
  • Location: United States of America
  • Views: 165248
  • Message 7 of 17

Re: T470 20JN Bitlocker Problem with PCR 5 and PCR 7

2017-07-14, 16:50 PM

Knight_84

 

I did a quick test here and it seems that the problem is with PCR5 and not PCR7.  Can you confirm that?

Whether PCR5 and PCR7 are valid to use, I think the confusion comes from legacy vs UEFI.  In UEFI world, I think it's OK to use either or both.  But maybe something is wrong with our implementation (bug), that's what we need to check.

 

Anyway, I appreciate your help to exclude PCR5 from your config and include PCR7 - will that work?  Then try another test with PCR5 included and PCR7 excluded.  This will help make sure we are seeing the same things.  Thanks!  And sorry for this trouble.

  • Posts: 10
  • Registered: ‎07-13-2017
  • Location: Australia
  • Views: 339
  • Message 8 of 17

Re: T470 20JN Bitlocker Problem with PCR 5 and PCR 7

2017-07-17, 1:12 AM

someotherguy

I already tried excluding PCR's 5 and 7 separately and the issue was still there. It only seems to work without those two PCR's (0,2,4,11).

When you say that "it seems that the problem is with PCR5" - can you share a bit more about your findings?

 

rbkirk

Yes the CPU is SkabyLake CPU, Intel i5-6200U

I will do the testing on clean manual 8.1 but when, as you say, OS will be installed on GPT then how can PCR5 measure MBR table? 

  • Posts: 6856
  • Registered: ‎10-29-2009
  • Location: United States of America
  • Views: 165248
  • Message 9 of 17

Re: T470 20JN Bitlocker Problem with PCR 5 and PCR 7

2017-07-17, 12:29 PM

Knight_84,

 

Here is the testing I did:

 

1.  Use T470 with BIOS version 1.30, OS Optimized defaults enabled, and load default settings (this includes Secure Boot enabled)

2.  clean-install Win8.1 from Microsoft ISO

3.  set GPO to include PCR7 (leaving other defaults in place)

4.  enable BitLocker

5.  reboot PC  <-- no recovery prompt

6.  disable BitLocker

7.  set GPO to exclude PCR7 and include PCR5 (leaving other defaults in place)

8.  enable BitLocker

9.  reboot PC <-- recovery prompt

 

This is how I concluded that PCR7 is OK, and only PCR5 has a problem.

Also, I know from other customers that PCR7 is a common use case and we don't have anyone else reporting a problem like this.  PCR5 is not a common use case (actually, I never heard anyone try to use it before).

  • Posts: 6856
  • Registered: ‎10-29-2009
  • Location: United States of America
  • Views: 165248
  • Message 10 of 17

Re: T470 20JN Bitlocker Problem with PCR 5 and PCR 7

2017-07-25, 13:44 PM

We found the problem with PCR5.  There will be BIOS updates to fix it, though I don't know the schedule yet.
