Intel® NUCs
Assistance in Intel® NUC products
13318 Discussions

NUC10 TPM unavailable on first boot without CMOS battery

jamesk
Beginner
‎06-01-2021 12:53 PM
545 Views

I'm using a NUC10i3FNK1 with Ubuntu 18.04 and the latest BIOS installed (0052). Our setup uses the TPM to store encryption keys that are used to decrypt the root filesystem partition during bootup.

 

For testing we wanted to simulate what would happen when the CMOS battery dies (ideally we want everything to continue to work normally when this happens). In order to do this we unplugged the CMOS battery before plugging in the main power supply (BIOS is set to boot automatically after power is applied).

 

On this first boot the NUC fan turned on at full speed for a few seconds before showing the "Intel NUC" boot screen. Next the NUC successfuly launched our initramfs that which retrieves the keys from the TPM. The problem in that the TPM does not appear to be available at this point (no listing in /dev/tpm0, and dmesg shows the following error: "ima: No TPM chip found, activating TPM-bypass!")

 

If I hold down the power button for 20 seconds to force shut down the NUC the TPM is available and all works as expected on the next boot.

 

If I run "reboot" from the initramfs cli, the NUC reboots, but the TPM is not available on the next boot.

 

I'm wondering if anyone has any idea what could be going on here? Is there some kind of hardware/bios bug that prevents the TPM from coming up properly without a CMOS battery?

Labels (1)
Labels:
0 Kudos

Link Copied

3 Replies
AndrewG_Intel
Moderator
‎06-03-2021 11:17 AM
521 Views

Hello @jamesk

Thank you for posting on the Intel® communities.


Please allow us to check this further and we will be posting back as soon as more details are available or if further information is required.


Best regards,

Andrew G.

Intel Customer Support Technician


0 Kudos
Copy link
AndrewG_Intel
Moderator
‎06-09-2021 11:15 AM
493 Views

Hello jamesk

Thank you for your patience in this matter.

 

The coin-cell battery that powers the real-time clock and CMOS (complementary metal-oxide-semiconductor) memory is required to maintain the TPM's monotonic counters. One major function of the monotonic counters is for anti-replay protection of the internal Intel TPM data.

If the battery is removed or exhausted, the Intel TPM data will be deleted in accordance with Trusted Computing Group guidelines.

For more details, please refer to the Trusted Platform Module (TPM) Quick Reference Guide.

 

For any other inquiries, please don't hesitate to contact us back.

Best regards,

Andrew G.

Intel Customer Support Technician

 

0 Kudos
Copy link
AndrewG_Intel
Moderator
‎06-15-2021 07:54 AM
476 Views

Hello jamesk

We have not heard back from you so we will proceed to close this thread now. If you need any additional information, please submit a new question as this thread will no longer be monitored.


Best regards,

Andrew G.

Intel Customer Support Technician


0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.