What are the steps to enable TPM on Dragonboard 401c?

  • Question

  • I am starting here:

    https://developer.microsoft.com/en-us/windows/iot/win10/SetupTPM.htm#fTPM

    But I don't see what state the board must be in to run device manager? And where do I run Device Manager -- on the host or the Dragonboard? If the latter, then what steps do I need to follow to run it there? If the former, how do I attach the dragonboard so that the host's device manager can make the setting change?

    Also, the link above mentions running t2t.exe "on the board". I tried to build t2t from source for ARM using the Github link I found but the build fails with a link error:

    Severity: Error
    Code: LNK2019
    Description: unresolved external symbol __imp_RegGetValueW referenced in function "void __cdecl PlattformRetrieveAuthValues(void)" (?PlattformRetrieveAuthValues@@YAXXZ)
    Project: T2T
    File: C:\Users\Jim Solderitsch\Documents\secure-boot\security-master\Urchin\T2T\Platform.lib(Platform.obj)
    Line: 1
    Suppression State:

    Or am I supposed to run t2t.exe on the Windows 10 host against the dragonboard?

    Like the last question I asked in the forums about preparing for secure boot (thanks for the info!), I may be missing something basic.

    Thanks in advance.

    Jim

    Monday, June 13, 2016 6:38 PM

All replies

  • I don't see DragonBoard mentioned on the page, only MBM Pi2 and Pi3

    if you take a look at "TPM configuration" in device portal you see TPM is already enabled on DragonBoard

    Monday, June 13, 2016 6:54 PM
  • I can't find TPM configuration in device portal. Under the HTREE\ROOT\0 there is eventually a sub item:

    Qualcomm TrEE Device
       Microsoft Windows Trusted Runtime Secure Service
       Trusted Platform Module 2.0

    but the information for the TPM 2.0 module is rather cryptic:

    Properties:

    ID : {36DEAA79-C5DD-447C-95E6-B3859589291A}\TREETPM\4&2A596A71&0

    Description : Trusted Platform Module 2.0

    Class : SecurityDevices

    Manufacturer : (Standard)

    StatusCode : 25174026

    Is this what you mean -- the presence of this item means TPM 2.0 is enabled?

    How then do I turn on BitLocker so that the device file system is protected?

    Thanks for the quick response.


    Monday, June 13, 2016 7:06 PM
  • which build are you running?
    Monday, June 13, 2016 7:19 PM
  • The OS version I see is 10.0.10586.218

    This was an update that happened recently after I flashed a brand new board that I received from Arrow that installed 10.0.10586.0

    Maybe a more basic question to ask is how to check the UEFI version on the board?

    Monday, June 13, 2016 7:26 PM
  • the TPM Configuration in device portal was added with an insider preview build
    Monday, June 13, 2016 7:39 PM
  • That explains it. Looks like the latest official release is 10.0.10586.318 but this is not being distributed yet to IoT installs? I do see that version on my host VM.
    Monday, June 13, 2016 7:47 PM
  • latest release is still 10586.* for every Windows 10 device; everything else are insider preview builds, depending on the ring
    Monday, June 13, 2016 7:51 PM
  • Hi Jim,

    If you would like access to all Windows 10 insider builds (This includes IoT Core and more) you can check out https://insider.windows.com/.

    Sincerely,

    IoTGirl

    Tuesday, June 14, 2016 2:47 AM
  • I was able to build the t2t.exe and urchintest.exe executables for ARM 64 after adding a linker option for the library:

    Advapi32.lib

    as this is where the issue related to the unresolved symbol __imp_RegGetValueW can be fixed.

    After deploying the executables to the DragonBoard after enabling secure boot there and running them, I can confirm that TPM is running there.

    So I was able to answer my own question! NOT. See the next reply.


    Friday, June 24, 2016 3:26 AM
  • BUT...

    It appears that these programs run with success messages even when TPM is not "on" -- Secure Boot was not enabled yet and the RPMB has not yet been provisioned.

    So not sure how the programs get the information that they actually report!! It does not appear that TPM enablement is checked!

    Sunday, June 26, 2016 10:11 PM
  • Hi Jim,

    There seems to be some confusion here regarding TPM/UEFI.  I have the following response from a member of the IoT Core team.

    From what I’m reading, I suspect he’s mixing the TPM status with enabling Secure Boot on the board.  He can’t use web interface to disable the TPM on his DB, if that’s what he tried to do.  The firmware TPM implementation on the DB will be available to him, regardless of whether RPMB is provisioned or not and whether SB is turned on or not.  So in short, t2t.exe should be reporting status correctly.

    Does that clarify the results for you?

    Sincerely,

    IoTGirl

    Wednesday, June 29, 2016 4:32 PM
  • Thanks for the forward from the IoT Core Team. So t2t.exe is accurately reporting TPM status. For the DragonBoard, TPM 2.0 is enabled "out of the box" with no special configuration.

    We suspected that TPM and Secure Boot are distinct. But if Secure Boot is not enabled, then TPM is "on" and available but not being used for anything unless perhaps there is an attestation resource available. We do not have this available since we have no Windows boxes that are equipped with TPM 2.0 -- TPM Base Services at the 2.0 level. We would like to learn how to set up TBS 2.0 but are unsure how to identify which machines on the market have TPM 2.0 available. Windows 10 running on a virtual machine will not be useful in this context I suppose.

    If we do turn on Secure Boot with BitLocker encryption, is TPM used automatically for this?

    Is there any way to turn off TPM usage by the board? Don't need a web method -- is there any method at all?


    Wednesday, June 29, 2016 4:47 PM
  • the TPM chip is always there, you can't turn it off

    enabled by firmware

    which reason do you have to turn off that does not affect you?


    Wednesday, June 29, 2016 5:26 PM
  • I was interested to know if it was possible to turn it off. So, for example, the TPM test t2t.exe would fail rather than succeed. If I could turn it off, then that would reduce the security posture of the board and so perhaps make it more susceptible to compromise. If it is not possible to disable, then that is a good security property to note.
    Wednesday, June 29, 2016 5:57 PM
  • you can't disable it (that's why I mentioned in my first posting the page you refer to is not for DragonBoard, only for MBM and Pi)

    Wednesday, June 29, 2016 6:15 PM
  • I am doing more background research and I discovered the distinction between Secure Boot (supported via UEFI) and Trusted Boot (integrated with TPM). See for example:

    https://www.ibm.com/developerworks/community/blogs/smartersecurity/entry/uefi_secure_boot_and_the_tpm20?lang=en

    So I guess my real question is: does the DragonBoard support Trusted Boot? It would appear that setting up secure boot as documented does not involve TPM. Can I arrange for this to happen?

    Wednesday, June 29, 2016 6:29 PM
  • reference
    https://developer.microsoft.com/en-us/windows/iot/win10/tpm

    and

    https://developer.microsoft.com/en-us/windows/iot/win10/sb_bl

    <snip>
    Supported IoT Platforms
    The following Windows 10 IoT Core supported platforms provide firmware TPM capabilities out of the box, along with Secure Boot, Measured Boot and BitLocker capabilities:
    Intel MinnowBoard Max
    Qualcomm DragonBoard 410c</snip>

    I think the real question is more what are you really trying to achieve and based on which facts do you think DragonBoard's TPM is/was not involved?

    Wednesday, June 29, 2016 7:36 PM
  • Looking for confirmation that Secure Boot with BitLocker DOES/DOES NOT involve TPM for the DragonBoard. Are Secure Boot and TPM independent of one another in the case of a DragonBoard? TPM seems independent of UEFI variables unless I am missing something basic.

    Looks like Measured Boot might be worth investigating in this context. Any good references on this in an IoT context?

    Looking to tamper-proof a deployed application so that it will only run if some baseline of files have not been altered since the time it was deployed.

    Does that make sense?

    Wednesday, June 29, 2016 8:15 PM
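The Measured Boot idea raised in the post above, as an added example that is not part of the original thread: each component is hashed and folded into a PCR with the TPM extend rule, so a changed file yields a different final value and the event log shows which component changed. This is a software model only and does not talk to the DragonBoard's firmware TPM; the function names, file names and contents are constructed for illustration.

```python
import hashlib

PCR_SIZE = 32  # width of a SHA-256 PCR bank


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure(files):
    """Measure (name, content) pairs in order; return the final PCR and the event log."""
    pcr, log = bytes(PCR_SIZE), []
    for name, content in files:
        digest = hashlib.sha256(content).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay(log) -> bytes:
    """Recompute the PCR from an event log, as a verifier does before trusting the log."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def first_changed(baseline_log, current_log):
    """Name of the first component whose measurement differs from the baseline, else None."""
    for (name, good), (_n, now) in zip(baseline_log, current_log):
        if good != now:
            return name
    return None


# Constructed sample data: file names and contents are placeholders, not DragonBoard files.
BASELINE = [("bootmgr", b"boot manager v1"), ("kernel", b"kernel v1"), ("app.exe", b"app v1")]
TAMPERED = [("bootmgr", b"boot manager v1"), ("kernel", b"kernel v1"), ("app.exe", b"app v1 + patch")]

if __name__ == "__main__":
    good_pcr, good_log = measure(BASELINE)
    bad_pcr, bad_log = measure(TAMPERED)
    print("baseline PCR:", good_pcr.hex())
    print("current  PCR:", bad_pcr.hex())
    print("log matches PCR:", replay(bad_log) == bad_pcr)
    print("first changed component:", first_changed(good_log, bad_log))
```

Measurement only records what ran; refusing to run or unseal when the PCR differs from the baseline is a separate policy decision layered on top.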
  • reference https://developer.microsoft.com/en-us/windows/iot/win10/sb_bl

    <snip>....This device encryption task is set to trigger when the TPM is provisioned and ready, also ensuring...</snip>

    as far as I know you used the test certificates and keys, correct?

    have you seen the line "Details on Secure Boot along with key creation and management guidance is available here"

    the link refers to https://technet.microsoft.com/en-us/library/dn747883.aspx which explains how it works and which steps you need to do to create and use your own cert/key and how TPM is involved

    yes, that makes sense ;)

    Wednesday, June 29, 2016 8:47 PM
  • OK, the phrase you quote does say that the device encryption itself will depend on TPM being there and "provisioned and ready". And I have already verified this is so, confirming with the t2t.exe execution.

    So I can conclude that in the DragonBoard's case, Secure Boot enablement -- even with the Test Certs from github site -- does bring the TPM into the picture. Secure Boot is intertwined with an active TPM. So using my phrasing: Secure Boot with BitLocker DOES involve TPM.

    So I guess I should read more carefully next time and I wouldn't have needed to ask for clarification.

    Thanks for your interest.

    Thursday, June 30, 2016 12:34 AM
  • sometimes it's easier to ask or to see the view of others involved ;)

    you are welcome

    Thursday, June 30, 2016 8:43 AM
  • Hi Jim,

    I have suggested cyberH0me's original answer as the answer to your core question regarding enabling the TPM, the answer being it is enabled by default.  Please choose a more appropriate answer if you think another provides the detail you were originally looking for.

    Sincerely,

    IoTGirl

    Tuesday, July 5, 2016 10:05 PM