BIOS password and TPM

Discussion in 'PC Hardware' started by markokk888, Jun 26, 2018.

  1. markokk888

    markokk888 MDL Senior Member

    Aug 13, 2012
    292
    67
    10
    I have a laptop with a TPM and a pre-boot BIOS password, and I wonder if it's possible to clear the BIOS password by removing the CMOS battery or using the jumpers and then boot directly to the OS? Or when I do that, will the TPM also be cleared? There is also a master password, so I wonder what is the point of using the TPM if it's so easily accessible?

    If anyone uses the master password or clears the BIOS password and the data on the TPM remains, anyone will have access to all my data and will be able to easily boot to the OS, so what's the point of having a TPM then?
     
  2. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,522
    2,093
    120
    If it's just the BIOS password lock then all you need to do is simply reset the BIOS to its default settings by removing the CMOS battery (that may or may not be a challenge depending on the laptop). If you're referring to a BIOS hard drive lock then that gets more complicated.
     
  3. markokk888

    markokk888 MDL Senior Member

    Aug 13, 2012
    292
    67
    10
    I'm not using an HDD password, I'm using BitLocker. The entire drive is encrypted with the TPM and on top of that a BIOS boot password. I'm not locked out. I'm just trying to understand how secure the laptop will be if anyone stole it. Because if the BIOS password is bypassed somehow, the TPM will tell the encryption keys to the OS and the OS will boot without a problem, so is it secure? Or should I avoid the TPM instead?
     
  4. Hadron-Curious

    Hadron-Curious MDL Guru

    Jul 4, 2014
    3,730
    603
    120
    Applying both passwords makes your information more secure than not having any security at all. There are possible means to break them by those who are familiar with cryptography. As for the BIOS password, it can easily be disabled in some old systems, and the BitLocker encryption is not that easy to break though. In other words, what you have is safe enough to guarantee that you will not likely have your information seen by other people if your system got missing or stolen.
     
  5. markokk888

    markokk888 MDL Senior Member

    Aug 13, 2012
    292
    67
    10
    The real question is: if someone resets the BIOS to defaults by removing the CMOS battery, or entering the master password, or some other way, will the TPM chip be reset too? Or will it still hold the encryption keys? If so, and the BIOS no longer has any password, then the TPM will simply let the OS boot up without any problems. Or am I wrong here?
     
  6. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    867
    1,388
    30
  7. markokk888

    markokk888 MDL Senior Member

    Aug 13, 2012
    292
    67
    10
    So the power-on password has nothing to do with the security here. Simply the Windows password is enough when using BitLocker with the TPM?
     
  8. sebus

    sebus MDL Guru

    Jul 23, 2008
    6,356
    2,026
    210
    Yes, because one can NOT boot to WinPE & access data from the BL partition.
    Of course if you password protect the BIOS & set the first boot device to be the internal HD then without the password the order cannot even be overridden (so no boot from USB, not that it makes any difference).

    One CAN boot only to Windows & then must authenticate with password/PIN/fingerprint to the OS.
    Of course if your logon password is weak, it could possibly be guessed.
    Also one CANNOT remove the HD & access the data on another system WITHOUT the BL recovery key.
     
  9. markokk888

    markokk888 MDL Senior Member

    Aug 13, 2012
    292
    67
    10
    Also I wonder how to correctly update the TPM chip software. Is it at the firmware or at the driver level?
     
  10. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    867
    1,388
    30
    AFAIK, a discrete TPM 1.2 chip is PROM, not EEPROM like a chip used for BIOS. Its data is hard-coded and cannot be re-flashed.
     
  11. markokk888

    markokk888 MDL Senior Member

    Aug 13, 2012
    292
    67
    10
    So it's impossible to update it to v2 ?
     
  12. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,522
    2,093
    120
    The only time you'll actually see TPM being used is with OEM PC manufacturers. Just about all custom-built PCs do not have a TPM chip in them. I personally do not think you need to worry that much about upgrading the TPM, or be much concerned about it.
     
  13. TigTex

    TigTex MDL Senior Member

    Oct 5, 2009
    454
    358
    10
    To be compliant with the new European privacy policy it's mandatory that you have BitLocker enabled. The TPM just stores the key. If you reset the TPM (you can do it in most BIOSes) or if you change your hardware significantly, you will need to use the recovery key. If your system doesn't have a TPM, you will need to input a PIN or password on every boot, just before Windows loads, to unlock your system drive, AND a different password for login.
    TPMs are not upgradable unless you replace the hardware, but there are minor firmware updates for some devices. If you have a TPM 1.2 module, it will always be a TPM 1.2 module.
    If you disable or reset the TPM and you don't know the recovery key, your data is lost forever. Not one single bit is readable by any expert recovery lab or the NSA or whatever.

    The BIOS password is not related to the TPM and on most computers it's stored in NVRAM. A BIOS reset will clear the BIOS password but it won't reset the TPM. On some computers, that password is stored inside an EEPROM and requires soldering and reprogramming chips manually. If you reprogram the EEPROM, the TPM will fail to unlock BitLocker because your computer was modified.
    If you lose the BIOS password without BitLocker enabled, you can still read all the data from the HDD: just boot it or put it in a different machine. The BIOS password doesn't encrypt any data.
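The behaviour sebus (post #8) and TigTex (post #13) describe, a CMOS reset wiping the BIOS password but leaving the TPM-sealed key intact, while a firmware change or a TPM clear forces recovery, comes from the TPM releasing the BitLocker key only when its Platform Configuration Registers hold the same boot measurements as when the key was sealed. The toy simulation below is an added example written for this thread; it is not code from the thread, from Windows or from any real TPM. The measurements, the NVRAM contents, the BIOS password and the volume master key are all constructed placeholders, and the HMAC/XOR "sealing" stands in for the RSA/ECC storage keys and policy sessions a real TPM uses; PCR 0 (firmware code) and PCR 4 (boot manager code) follow the TCG PC Client register assignment.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the boot components a firmware measures (not real hashes).
FIRMWARE_OK = b"oem-firmware-v1.0"
BOOTLOADER_OK = b"windows-boot-manager"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SimTpm:
    """Toy TPM: extend-only PCRs plus a storage root key that never leaves the chip."""

    def __init__(self):
        self.clear()

    def clear(self):
        # TPM clear: a fresh storage root key, so every blob sealed earlier is undecryptable.
        self._srk = os.urandom(32)
        self.reset_pcrs()

    def reset_pcrs(self):
        # Power-on reset: PCRs start at zero; only extend() can change them afterwards.
        self.pcrs = {0: bytes(32), 4: bytes(32)}

    def extend(self, index: int, measurement: bytes):
        # PCR_new = H(PCR_old || H(measurement)): order-dependent and one-way.
        self.pcrs[index] = sha256(self.pcrs[index] + sha256(measurement))

    def policy_digest(self, indices) -> bytes:
        return sha256(b"".join(self.pcrs[i] for i in sorted(indices)))

    def seal(self, secret: bytes, indices) -> dict:
        policy = self.policy_digest(indices)
        key = hmac.new(self._srk, policy, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(secret, key))
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return {"indices": tuple(sorted(indices)), "policy": policy, "ct": ct, "tag": tag}

    def unseal(self, blob: dict):
        if self.policy_digest(blob["indices"]) != blob["policy"]:
            return None  # boot state differs from sealing time: refuse to release the key
        key = hmac.new(self._srk, blob["policy"], hashlib.sha256).digest()
        expected = hmac.new(key, blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            return None  # storage root key changed (TPM was cleared): blob is unreadable
        return bytes(a ^ b for a, b in zip(blob["ct"], key))


class Laptop:
    """Constructed laptop: BIOS password in NVRAM, BitLocker VMK sealed to PCR 0 and PCR 4."""

    def __init__(self):
        self.tpm = SimTpm()
        self.nvram = {"bios_password": "placeholder-password"}  # lives outside the TPM
        self.firmware = FIRMWARE_OK
        self.vmk = os.urandom(32)  # constructed BitLocker volume master key
        self.boot()  # measure the trusted boot chain once, then seal against it
        self.sealed_vmk = self.tpm.seal(self.vmk, (0, 4))

    def boot(self):
        self.tpm.reset_pcrs()
        self.tpm.extend(0, self.firmware)
        self.tpm.extend(4, BOOTLOADER_OK)

    def try_unlock(self) -> str:
        """'booted' if the TPM releases the VMK, otherwise 'recovery-key-required'."""
        self.boot()
        return "booted" if self.tpm.unseal(self.sealed_vmk) == self.vmk else "recovery-key-required"

    def cmos_reset(self):
        self.nvram.clear()  # wipes the BIOS password; touches nothing inside the TPM

    def reprogram_bios_eeprom(self):
        self.firmware = b"modified-firmware"  # any change to the firmware image changes PCR 0

    def clear_tpm(self):
        self.tpm.clear()


def scenarios() -> dict:
    """Runs the four cases discussed in the thread and reports what each one leads to."""
    results = {}
    laptop = Laptop()
    results["normal boot"] = laptop.try_unlock()
    laptop = Laptop()
    laptop.cmos_reset()
    results["cmos reset"] = (laptop.nvram.get("bios_password"), laptop.try_unlock())
    laptop = Laptop()
    laptop.reprogram_bios_eeprom()
    results["bios eeprom reprogrammed"] = laptop.try_unlock()
    laptop = Laptop()
    laptop.clear_tpm()
    results["tpm cleared"] = laptop.try_unlock()
    return results


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case}: {outcome}")
```

The "cmos reset" case is the one the opening post worries about: the password is gone, but because the firmware and boot manager measure the same as before, the TPM still releases the key and the machine boots to the Windows logon, which is then the only remaining gate. The other two cases show why TigTex says a reprogrammed EEPROM or a reset TPM ends in recovery: a changed firmware image changes PCR 0 so the policy no longer matches, and a cleared TPM destroys the storage root key the blob was sealed under. If the TPM-only behaviour in the second case is not acceptable, the defensive option is a TPM+PIN protector, which makes the TPM demand a PIN before boot in addition to matching measurements.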
     
  14. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,081
    13,980
    340
    #14 Yen, Jun 28, 2018
    Last edited: Jun 28, 2018
    A TPM actually consists of three different units:
    Cryptoprocessor
    Volatile memory
    Non-volatile memory.

    AFAIK there is an individual key for each TPM, the endorsement key. By that the PC gets a unique identity.
    A TPM chip is comparable to a smartcard chip.


    V2 isn't even backward compatible. It's different hardware.


    Not if the Trusted Computing Group (TCG) has shared how the keys are generated; it's a US company. I doubt that the random generator is really random... The old question: "How can software create random numbers?"

    I bet a seized PC which is BL encrypted is not safe.....
     
  15. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,522
    2,093
    120
    Of course it's not safe. You can bet your bottom that M$ has provided a backdoor for the NSA
     
  16. markokk888

    markokk888 MDL Senior Member

    Aug 13, 2012
    292
    67
    10
    I don't care about the NSA.. some asshole thief is not gonna decrypt the disk, so whatever. Even some skilled hacker probably is not gonna do it, right?
     
  17. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,522
    2,093
    120
    #17 Joe C, Jun 29, 2018
    Last edited: Jun 29, 2018
    ehh... unless you're a bank or a govt with weapons secrets, or even a nuclear power plant, they ain't going to waste their time trying to read a letter you emailed to your gf
     
  18. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,081
    13,980
    340
    Without getting internal info on how the keys are generated, rather not, IMHO.
    I assume the firmware / cryptoprocessor itself is protected enough against reversing it.

    I posted to doubt the sense of a crypto approach when the user has no influence on creating entropy, which is mandatory to obtain true random values.
    A proper approach comes along with a process which gathers entropy by doing random operations like moving the mouse pointer around or, on smartphones, drawing random figures on the screen etc...
    There must be something which is independent from any defined algorithm. Human random movements, for instance.

    In the sense of having a safe encryption it is safe unless you attract the focus of 'officials'. Commonly spoken, it is safe.
    I did not post to support the tinfoil hat theory or to create paranoia. I strictly related my thoughts to a proper approach. :)
     