
  • Posts: 6271
  • Registered: 10-29-2009
  • Location: NC
  • Views: 159815
  • Message 11 of 14

Re: T440s & M93p Windows 10 UEFI Bitlocker issue

2018-05-18, 14:46 PM

I checked a T460 here, with TPM 1.2 and Windows 10 1709 installed in UEFI mode.  BitLocker is working fine.  No recovery prompt after reboot or shutdown.

  • Posts: 57
  • Registered: 07-15-2014
  • Location: US
  • Views: 654
  • Message 12 of 14

Re: T440s & M93p Windows 10 UEFI Bitlocker issue

2019-01-15, 22:57 PM

I have a few TS140s that run BitLocker eDrives without issues. Never noticed the BitLocker event log until this week.

The WMIC command above shows that I have TPM 1.2.

From this article, I learned that the following command will display the BitLocker parameters:

Manage-bde -protectors -get C:

Every time I run that command, two events are issued in the BitLocker-API event log:

Warning 813 "BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'SecureBoot' is missing or invalid."

Info 834 "BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event." There is some binary data in the FilteredTcgLog element of the event.

To summarize all the bits of information:

- TPM 2.0 is required for PCR 7 (see above).
- PCR 7 is required for BitLocker to use Secure Boot for integrity validation (MS article).
- BitLocker works without Secure Boot integration (see above).
- The BitLocker-API warnings about missing 'SecureBoot' are apparently normal if TPM 1.2 is in use.

Is that about right?

  • Posts: 6271
  • Registered: 10-29-2009
  • Location: NC
  • Views: 159815
  • Message 13 of 14

Re: T440s & M93p Windows 10 UEFI Bitlocker issue

2019-01-16, 1:14 AM

 wrote:

- TPM 2.0 is required for PCR 7 (see above).
- PCR 7 is required for BitLocker to use Secure Boot for integrity validation (MS article).
- BitLocker works without Secure Boot integration (see above).
- The BitLocker-API warnings about missing 'SecureBoot' are apparently normal if TPM 1.2 is in use.

Is that about right?


TPM PC Client spec defines what is measured by each PCR.  For TPM 2.0, PCR7 is clearly about Secure Boot.  For TPM 1.2 (which pre-dates Secure Boot by years), it is left to the manufacturer (e.g. the BIOS) to decide what to measure in PCR7.  For ThinkPad since around 2014, we are measuring Secure Boot and the related variables regardless of TPM 1.2 vs TPM 2.0.  I confirmed it by leaving Secure Boot enabled, but changing the Secure Boot variables (PK/KEK/db/dbx) – the contents of PCR7 are changed and this will trigger a BitLocker recovery - even on TPM 1.2.  Based on what I know, those messages in Event Viewer are meaningless.  Microsoft is just guessing that TPM 1.2 doesn't measure Secure Boot because the spec doesn't require it to, and they have no other way to know what the BIOS is actually doing.  

 

References:

TPM 1.2 PC Client spec:  https://www.trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientImplementation_1-21_1_00.pdf

TPM 2.0 PC Client spec:  https://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf
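An added example (not code from the thread, Lenovo or Microsoft) that collects in one run the facts the last two posts compare: the TPM spec version (the same Win32_Tpm field the WMIC command reads), the PCRs the TPM key protector is bound to as reported by manage-bde -protectors -get, SHA-256 digests of the PK/KEK/db/dbx variables so a later PCR7 recovery prompt can be matched to a Secure Boot variable change, and events 813/834. Assumed: an elevated PowerShell on a Windows 10 UEFI machine, the 'Microsoft-Windows-BitLocker/BitLocker Management' log name for the BitLocker-API events, and that manage-bde prints the PCR list on the line(s) after "PCR Validation Profile:".

```powershell
# Added example, not from the thread. Run elevated on a Windows 10 UEFI machine.
# Assumed: BitLocker-API events are in 'Microsoft-Windows-BitLocker/BitLocker Management',
# and manage-bde prints the PCR list on the line(s) after "PCR Validation Profile:".

function Get-TpmSpecVersion {
    # Same field the WMIC command in the thread reads: "1.2, 2, 3" or "2.0, 0, 1.16".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return 'no TPM reported' }
    return $tpm.SpecVersion
}

function Get-TpmProtectorPcrProfile {
    # PCRs the TPM key protector for C: is sealed to; "7, 11" means Secure Boot policy is in the binding.
    $lines = @(& manage-bde.exe -protectors -get C: 2>&1 | ForEach-Object { "$_".Trim() })
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -like 'PCR Validation Profile*') {
            # Assumed layout: PCR list next, optionally "(Uses Secure Boot for integrity validation)".
            return ($lines[($i + 1)..($i + 2)] -join ' ').Trim()
        }
    }
    return 'no TPM protector found'
}

function Get-SecureBootVarDigests {
    # The post says the firmware measures PK/KEK/db/dbx into PCR7 even on TPM 1.2; a digest that
    # differs from an earlier snapshot explains a PCR7 change and the resulting recovery prompt.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $digests = [ordered]@{}
    foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
        try {
            $bytes = (Get-SecureBootUEFI -Name $name).Bytes
            $digests[$name] = ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
        } catch {
            $digests[$name] = "unreadable: $($_.Exception.Message)"
        }
    }
    return $digests
}

function Get-BitLockerSecureBootEvents {
    # 813 = warning from the thread, 834 = info event carrying the filtered TCG log for PCR[7].
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 813, 834 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName
}

"TPM spec version  : $(Get-TpmSpecVersion)"
"Secure Boot state : $(try { Confirm-SecureBootUEFI } catch { 'not UEFI / unsupported' })"
"TPM protector PCRs: $(Get-TpmProtectorPcrProfile)"
Get-SecureBootVarDigests
Get-BitLockerSecureBootEvents | Format-Table -AutoSize
```

Save the digest table once while the machine boots cleanly; if a recovery prompt appears later, a changed db or dbx digest (for example after a firmware update) is the PCR7 change the post describes.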

  • Posts: 57
  • Registered: 07-15-2014
  • Location: US
  • Views: 654
  • Message 14 of 14

Re: T440s & M93p Windows 10 UEFI Bitlocker issue

2019-01-16, 1:19 AM

Thanks. I'm going to ignore those Event Log warnings. I did find one useful message in that Event Log, but it was an Error level, raised when BitLocker could not be resumed on the C: drive. (The BCD info got lost somehow: https://www.mcbsys.com/blog/2019/01/bitlocker-wizard-initialization-has-failed/).