How to check status from TPM/fTPM in Manjaro? (Tuxedo Laptop)

Kobold · 14 January 2022 15:01

Hello, i hope i’m in the right subforum.
I bought a new Linux Laptop from Tuxedo (Pulse15 Gen1) with (fake) advertising to disable TPM.
I found out, there is no easy option to disable this feature… only a Option inside this Bios to switch between AMD fTPM or route to SPI TPM.

I’m not sure how to verify that TPM is really disabled, when i switch to SPI TPM… in hope that there is no SPI TPM Modul inside this Laptop installed and that there is no backroute to AMD fTPM.

So my Question is, how can i find out to check TPM status in Manjaro? I want to get sure there is no TPM is active.

xabbu · 14 January 2022 15:06

You can check your journal for example

sudo journalctl -k --grep=tpm

If you get no messages, your TPM is not active. If you get messages read them, maybe it is a false positive.

Kobold · 14 January 2022 15:09

Thanks, but is there no other way? To get really sure, a message that proof that TPM is disabled.

xabbu · 14 January 2022 15:17

You can try to use it. But if the Kernel doesn’t detect it at boot, you can’t use it.

Btw. a TPM is not bad like AMD PSP.

Kobold · 14 January 2022 15:25

Yeah i know AMD PSP is a remote access backdoor, to bad it can’t be disabled… but i think that TPM is a really bad local DRM Restriction in future… but this is another story

Zesko · 14 January 2022 15:42

sudo bootctl status can show if TPM support is enabled.

Kobold · 14 January 2022 22:49

This don’t work with MBR and is only working with TPM 2.0 (required UEFI) but im using Legacy/MBR and its still possible that TPM 1.2 could be running on this Laptop.

Nachlese · 14 January 2022 22:59

my reasoning would be:
if the module isn’t loaded

(and it is implemented as a module in all of Arch and Manjaro kernels)

then the hardware will not be functional.

so:
lsmod | grep tpm

will show whether that module (and associates) are loaded

If they are
blacklist them.
via /etc/modprobe.d/some_file_in_there

There is a kernel option to add to /etc/default/grub … too
to achieve the very same goal -
but I don’t recall it’s name or syntax right now.

Kobold · 17 January 2022 20:47

lsmod | grep tpm
tpm                    98304  1 trusted
rng_core               16384  1 tpm

This is on my main system, with no TPM Module and no available fTPM.
And i have zero clue what the output means. Is there a Module loaded now?

Edit:
My Laptop isn’t running yet, there is no SSD installed yet… i’m still working with the support
maybe i send this device back i don’t want TPM. But i just have a idea i maybe could boot Manjaro from a USB stick and try to run this commands.

Nachlese · 17 January 2022 20:50

yes, it is.
tpm
and it’s dependency
rng_core

Kobold · 17 January 2022 20:53

And what means this? I still have no clue…

Nachlese · 17 January 2022 20:59

I’m pretty far from being an expert.
If you do not have a tpm module (the tpm hardware)
then it is certainly me who does not know
why that module,
supposedly being there in order to operate that thing, which is not physically present,
is loaded
to operate it (a non existing piece of hardware …)

I do not know!

You are much closer to the hardware than I am.
That’s for sure.

Kobold · 17 January 2022 21:38

Okay im just booted into my Laptop with usb bootstick, i choosed inside bios ftpm and UEFI.

And the this is what the console is telling me:

sudo journalctl -k --grep=tpm                                                                  ✔ 
Jan 17 23:21:21 manjaro kernel: efi: ACPI=0xcc919000 ACPI 2.0=0xcc919014 TPMFinalLog=0xcc8e8000 SMBIOS=0xcd01>
Jan 17 23:21:22 manjaro kernel: ACPI: TPM2 0x00000000CC3B5000 00004C (v04 ALASKA A M I    00000001 AMI  00000>
Jan 17 23:21:22 manjaro kernel: ACPI: Reserving TPM2 table memory at [mem 0xcc3b5000-0xcc3b504b]
    ~  sudo bootctl status                                                                 ✔  2m 50s  
Couldn't find EFI system partition. It is recommended to mount it to /boot or /efi.
Alternatively, use --esp-path= to specify path to mount point.
System:
     Firmware: n/a (n/a)
  Secure Boot: disabled (unknown)
 TPM2 Support: yes
 Boot into FW: supported

Current Boot Loader:
      Product: n/a
     Features: ✗ Boot counting
               ✗ Menu timeout control
               ✗ One-shot menu timeout control
               ✗ Default entry control
               ✗ One-shot entry control
               ✗ Support for XBOOTLDR partition
               ✗ Support for passing random seed to OS
               ✗ Load drop-in drivers
               ✗ Boot loader sets ESP information
          ESP: n/a
         File: └─n/a

Random Seed:
 Passed to OS: no
 System Token: not set

lsmod | grep tpm                                                                               ✔  
tpm_crb                20480  0
tpm_tis                16384  0
tpm_tis_core           32768  1 tpm_tis
tpm                    98304  3 tpm_tis,tpm_crb,tpm_tis_core
rng_core               16384  2 ccp,tpm

With Legacy in Laptop Bios active there is no TPM found… i think this means that AMD fTPM is working only in TPM 2.0 Mode and required UEFI Boot… i was in fear that fTPM could maybe activated in 1.2 Mode in Legazy.

I try to switch in Bios next to: Route to SPI TPM with UEFI to verify if its backroute to AMD fTPM.

Kobold · 17 January 2022 21:59

Here are the results:

sudo journalctl -k --grep=tpm                                                                  ✔ 
-- No entries --
    ~  sudo bootctl status                                                                          1 ✘ 
Couldn't find EFI system partition. It is recommended to mount it to /boot or /efi.
Alternatively, use --esp-path= to specify path to mount point.
System:
     Firmware: n/a (n/a)
  Secure Boot: disabled (unknown)
 TPM2 Support: no
 Boot into FW: supported

Current Boot Loader:
      Product: n/a
     Features: ✗ Boot counting
               ✗ Menu timeout control
               ✗ One-shot menu timeout control
               ✗ Default entry control
               ✗ One-shot entry control
               ✗ Support for XBOOTLDR partition
               ✗ Support for passing random seed to OS
               ✗ Load drop-in drivers
               ✗ Boot loader sets ESP information
          ESP: n/a
         File: └─n/a

Random Seed:
 Passed to OS: no
 System Token: not set

Boot Loaders Listed in EFI Variables:
    ~  lsmod | grep tpm                                                                               ✔ 
    ~ 

Looks like the TPM is deactivated with Route to SPI TPM. I hope this dont change after a install to SSD.

Kobold · 17 January 2022 22:13

Yeah that could be the Problem… Im still a little bid concerned why my Laptop in legacy (with liveboot)
won’t show this TPM stuff but my Desktop PC i7-6700k and with a empty TPM slot shows this TPM Module loaded up. I really hope your suggestion is right and the TPM Modul just loaded into Kernel just in case there is maybe the Hardware available to get it ready to function.

Nachlese · 17 January 2022 22:24

this is getting too long and too confusing
and beyond my paygrade, too

my rough understanding is.
If the module isn’t loaded
the hardware isn’t functional

if it is - it is

so:
prevent it from being loaded
(either blacklist, or kernel option via the boot loader, or both)
and it won’t be able to interfere with whatever you intend to do

I might be wrong though. …

Kobold · 17 January 2022 22:35

Im just booted from usb liveboot on my Main PC and there is no TPM Modul loaded here.
It just looks differend after install. So i think everything should be fine.

Thanks for the honest feedback.

system · 16 March 2022 02:55

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.