I have a laptop with a TPM and a pre-boot BIOS password, and I wonder if it's possible to clear the BIOS password by removing the CMOS battery or using the jumpers and boot directly to the OS? Or when I do that, will the TPM also be cleared? There is also a master password, so I wonder what is the point of using the TPM if it's so easily accessible? If anyone uses the master password or clears the BIOS password and the data on the TPM remains, anyone will have access to all my data and will easily be able to boot to the OS, so what's the point of having a TPM then?
If it's just the BIOS password lock, then all you need to do is simply reset the BIOS to its default settings by removing the CMOS battery (that may or may not be a challenge depending on the laptop). If you're referring to a BIOS hard drive lock, then that gets more complicated.
I'm not using an HDD password; I'm using BitLocker. The entire drive is encrypted with the TPM, and on top of that a BIOS boot password. I'm not locked out. I'm just trying to understand how secure the laptop will be if anyone steals it. Because if the BIOS password is bypassed somehow, the TPM will hand the encryption keys to the OS and the OS will boot without a problem, so is it secure? Or should I avoid the TPM instead?
Applying both passwords makes your information more secure than not having any security at all. There are possible means to break them by those who are familiar with cryptography. As for the BIOS password, it can easily be disabled on some old systems, and the BitLocker encryption is not that easy to break, though. In other words, what you have is safe enough to guarantee that you will not likely have your information seen by other people if your system goes missing or is stolen.
The real question is: if someone is going to reset the BIOS to defaults by removing the CMOS battery, or by entering the master password, or some other way, will the TPM chip be reset too? Or will it still hold the encryption keys? If yes, and the BIOS no longer has any password, then the TPM will simply let the OS boot up without any problems. Or am I wrong here?
So the power-on password has nothing to do with the security here. Simply the Windows password is enough when using BitLocker with TPM?
Yes, because one can NOT boot to WinPE and access data from the BL partition. Of course, if you password protect the BIOS and set the first boot device to be the internal HD, then without the password the order cannot even be overridden (so no boot from USB, not that it makes any difference). One CAN boot only to Windows and then must authenticate with password/PIN/fingerprint to the OS. Of course, if your logon password is weak, it could possibly be guessed. Also, one CANNOT remove the HD and access the data on another system WITHOUT the BL recovery key.
AFAIK, a discrete TPM 1.2 chip is PROM, not EEPROM like a chip used for BIOS. Its data is hard-coded and cannot be re-flashed.
The only time you'll actually see TPM being used is with OEM PC manufacturers. Just about all custom-built PCs do not have a TPM chip in them. I personally do not think you need to worry that much about upgrading TPM, or be much concerned about it.
To be compliant with the new European privacy policy, it's mandatory that you have BitLocker enabled. TPM just stores the key. If you reset the TPM (you can do it in most BIOSes) or if you change your hardware significantly, you will need to use the recovery key. If your system doesn't have a TPM, you will need to input a PIN or password on every boot, just before Windows loads, to unlock your system drive, AND a different password for login. TPMs are not upgradable unless you replace the hardware, but there are minor firmware updates for some devices. If you have a TPM 1.2 module, it will always be a TPM 1.2 module. If you disable or reset the TPM and you don't know the recovery key, your data is lost forever. Not one single bit is readable by any expert recovery lab or NSA or whatever.

The BIOS password is not related to the TPM, and on most computers it's stored in NVRAM. A BIOS reset will clear the BIOS password, but it won't reset the TPM. On some computers, that password is stored inside an EEPROM and requires soldering and reprogramming chips manually. If you reprogram the EEPROM, the TPM will fail to unlock BitLocker because your computer was modified. If you lose the BIOS password without BitLocker enabled, you can still read all the data from the HDD: just boot it or put it in a different machine. The BIOS password doesn't encrypt any data.
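The two answers above (that WinPE cannot read the BitLocker partition, and that a BIOS reset clears the password but leaves the TPM alone while a reprogrammed firmware makes the TPM refuse to unlock) both come down to one mechanism: the TPM releases the volume key only when its platform configuration registers (PCRs) hold the same measurement chain they held when the key was sealed. The following toy model is an added illustration written for this thread; it is not Microsoft's or any TPM vendor's code, and it uses only hashing to stand in for the chip's real sealing primitives. The boot-stage image strings, the recovery password and the `ToyTPM` class are all constructed for the example; the exact PCR indices BitLocker uses are not modelled.

```python
"""Toy model of TPM-sealed key release (added illustration, not BitLocker's code).

A PCR can only be *extended*: PCR_new = H(PCR_old || H(measurement)). Every boot
stage is hashed into it in order, so a different bootloader (WinPE from USB) or a
changed firmware image yields a different PCR value, and the TPM refuses to
unseal. The BIOS password is not part of the measured chain in this model, so
clearing it changes nothing the TPM checks; the recovery password is a second,
PCR-independent wrapping of the same volume key.
"""
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 32


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: one-way and order-sensitive; a PCR cannot be set to a chosen value."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(stages) -> bytes:
    """Fold an ordered list of boot-stage images into one PCR value."""
    pcr = PCR_INIT
    for image in stages:
        pcr = pcr_extend(pcr, image)
    return pcr


def _keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256; toy stand-in for the TPM's symmetric wrap.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _wrap(wrapping_key: bytes, data: bytes) -> bytes:
    # XOR with the keystream; applying it twice with the same key unwraps.
    return bytes(a ^ b for a, b in zip(data, _keystream(wrapping_key, len(data))))


class ToyTPM:
    """Minimal stand-in for a discrete TPM: a chip-bound secret plus a PCR policy check."""

    def __init__(self):
        # Storage root secret: generated inside the chip and never exported.
        self._srk = os.urandom(32)

    def seal(self, secret: bytes, pcr_value: bytes) -> dict:
        """Bind 'secret' to a PCR value; the blob is useless without this chip *and* that PCR."""
        wrapping_key = hmac.new(self._srk, pcr_value, hashlib.sha256).digest()
        return {"policy_pcr": pcr_value, "blob": _wrap(wrapping_key, secret)}

    def unseal(self, sealed: dict, current_pcr: bytes):
        """Release the secret only if the live PCR equals the PCR recorded at seal time."""
        if not hmac.compare_digest(sealed["policy_pcr"], current_pcr):
            return None  # refused: platform state differs from sealing time
        wrapping_key = hmac.new(self._srk, current_pcr, hashlib.sha256).digest()
        return _wrap(wrapping_key, sealed["blob"])


def recovery_wrap(recovery_password: str, secret: bytes) -> bytes:
    """PCR-independent wrapping of the same volume key under the recovery password."""
    k = hashlib.pbkdf2_hmac("sha256", recovery_password.encode(), b"recovery-salt", 100_000)
    return _wrap(k, secret)


def recovery_unwrap(recovery_password: str, blob: bytes) -> bytes:
    return recovery_wrap(recovery_password, blob)  # XOR wrap is its own inverse


def demo() -> dict:
    """Walk through the thread's scenarios; every image and password below is constructed."""
    tpm = ToyTPM()
    volume_key = os.urandom(32)

    # Boot chain as it looked when BitLocker was turned on (constructed sample images).
    trusted_chain = [b"OEM firmware v1", b"Windows Boot Manager", b"winload.efi"]
    sealed = tpm.seal(volume_key, measured_boot(trusted_chain))
    recovery_pw = "111111-222222-333333-444444-555555-666666-777777-888888"  # constructed
    recovery_blob = recovery_wrap(recovery_pw, volume_key)

    # 1. Normal boot, same firmware and bootloader: the key is released. Clearing the
    #    BIOS password via CMOS reset leaves this chain untouched, so the outcome is the
    #    same; what then protects the data is the Windows logon (or a TPM+PIN protector).
    normal = tpm.unseal(sealed, measured_boot(trusted_chain))

    # 2. Booting WinPE from USB: a different second stage, so a different PCR.
    usb_chain = [b"OEM firmware v1", b"WinPE boot image"]
    from_usb = tpm.unseal(sealed, measured_boot(usb_chain))

    # 3. Reprogrammed firmware: the first measurement differs, so the whole chain does.
    reflashed_chain = [b"OEM firmware v1 (reflashed)", b"Windows Boot Manager", b"winload.efi"]
    reflashed = tpm.unseal(sealed, measured_boot(reflashed_chain))

    # 4. The owner falls back to the recovery password after a hardware/firmware change.
    recovered = recovery_unwrap(recovery_pw, recovery_blob)

    return {
        "normal_boot": normal == volume_key,
        "usb_boot": from_usb == volume_key,
        "reflashed_firmware": reflashed == volume_key,
        "recovery_password": recovered == volume_key,
    }


if __name__ == "__main__":
    for scenario, released in demo().items():
        print(f"{scenario:20s} key released: {released}")
```

Running `demo()` shows the key released for the normal boot only; the USB and reflashed-firmware chains are refused, and the recovery password works regardless of the PCR state, which is why losing it after a TPM reset or firmware change means losing the data. The model deliberately keeps the BIOS password outside the measured chain, matching the point above that it lives in NVRAM and is unrelated to the TPM.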
A TPM actually consists of three different units: cryptoprocessor, volatile memory, non-volatile memory. AFAIK there is an individual key for each TPM, the endorsement key. By that the PC gets a unique identity. A TPM chip is comparable to a smartcard chip. V2 isn't even backward compatible. It's different hardware. Not if the Trusted Computing Group (TCG) has shared how the keys are generated; it's a US company. I doubt that the random generator is really random... The old question: "How can software create random numbers?" I bet a seized PC which is BL encrypted is not safe.....
I don't care about the NSA.. some asshole thief is not going to decrypt the disk, so whatever. Even some skilled hacker probably is not going to do it, right?
Ehh... unless you're a bank or a government with weapons secrets, or even a nuclear power plant, they ain't going to waste their time trying to read a letter you emailed to your gf.
Without getting internal info on how the keys are generated, rather not, IMHO. I assume the firmware/cryptoprocessor itself is protected enough against reversing it. I posted to doubt the sense of a crypto approach when the user has no influence on creating entropy, which is mandatory to obtain true random values. A proper approach comes along with a process which gathers entropy by doing random operations like moving around the mouse pointer or, on smartphones, drawing random figures on the screen, etc... There must be something which is independent from any defined algorithm. Human random movements, for instance. In the sense of having safe encryption, it is safe unless you attract the focus of 'officials'. Commonly spoken, it is safe. I did not post to support the tinfoil hat theory or to create paranoia. I strictly related my thoughts to a proper approach.