Obtained a bios with tpm2.0 support for a gigabyte z97x-ud3h (f10c ga). Got a cheap module (Infineon SLB 9665TT2.0) and managed to update the firmware from TPM20_5.51.2098.0 to TPM20_5.63.3353.0.
With the hash policy set to sha1 (default) in the bios, everything works well. Bitlocker can be enabled. But of course, sha2 (sha256) would be preferred with tpm2.0. With sha2 selected, the registry values are still for sha1: TPMActivePCRBanks=1, TPMDigestAlgID=4. As well, Bitlocker fails to enable, showing: “The BIOS did not correctly communicate with the Trusted Platform Module” Have tried clearing tpm numerous times when switching between sha1/sha2.
The best lead I’ve found is https://community.infineon.com/t5/OPTIGA-TPM/SLB-9665TT2-0-SHA256-Linux-support/td-p/398514
I attempted to do a pcr allocate in linux, but don’t have the appropriate platform authorization. I tried clearing tpm beforehand, but beyond that, I’m not sure how to proceed.
The only way I know to set platform auth to empty buffer is when updating the firmware. Maybe I could flash down to tpm1.2, and back up to 2.0, assuming I could do a pcr allocate before the auth is set? Hesitant to try since there’s a limited number of flashes allowed.
Or more likely, the 9665 can only have one active bank? Perhaps setting the hash policy to sha2 is actually doing sha1+sha2 (though the registry values suggest otherwise)?
tpm2_pcrread does show both 24 sha1 and 24 sha256 banks
Z97XUD3HGA.zip (5.6 MB)