SLB 9665TT2.0 TPM SHA256 not working

Obtained a BIOS with TPM 2.0 support for a Gigabyte Z97X-UD3H (f10c ga). Got a cheap module (Infineon SLB 9665TT2.0) and managed to update the firmware from TPM20_5.51.2098.0 to TPM20_5.63.3353.0.

With the hash policy set to SHA1 (default) in the BIOS, everything works well. BitLocker can be enabled. But of course, SHA2 (SHA256) would be preferred with TPM 2.0. With SHA2 selected, the registry values are still for SHA1: TPMActivePCRBanks=1, TPMDigestAlgID=4. As well, BitLocker fails to enable, showing: “The BIOS did not correctly communicate with the Trusted Platform Module”. I have tried clearing the TPM numerous times when switching between SHA1/SHA2.

The best lead I’ve found is https://community.infineon.com/t5/OPTIGA-TPM/SLB-9665TT2-0-SHA256-Linux-support/td-p/398514

I attempted to do a PCR allocate in Linux, but don’t have the appropriate platform authorization. I tried clearing the TPM beforehand, but beyond that, I’m not sure how to proceed.

The only way I know to set platform auth to an empty buffer is when updating the firmware. Maybe I could flash down to TPM 1.2, and back up to 2.0, assuming I could do a PCR allocate before the auth is set? I’m hesitant to try since there’s a limited number of flashes allowed.

Or, more likely, the 9665 can only have one active bank? Perhaps setting the hash policy to SHA2 is actually doing SHA1+SHA2 (though the registry values suggest otherwise)?

tpm2_pcrread does show both 24 SHA1 and 24 SHA256 PCRs.

Thanks




Z97XUD3HGA.zip (5.6 MB)

Update: I managed to disable the SHA1 bank, but no matter what the hash policy is set to, Windows still shows only SHA1. And with only the SHA256 bank available, obviously it’s very broken. Looking like it might be a UEFI issue; maybe I can swap in an updated module or two…

For reference, I booted into Linux and then removed/reinserted the TPM module. The PS/2 keyboard dropped out, so I had to suspend/resume. Then tpm2_startup -c, and tpm2_pcrallocate sha1:none+sha256:all.

Reverted for now, and Windows is back to happily using SHA1.

Edit: This is like what I’m seeing: Redirecting

With the hash policy set to SHA2, the UEFI populates the SHA256 bank accordingly, but Windows still tries using SHA1:
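The post compares two views of the same thing: what the TPM reports as allocated PCR banks (tpm2_getcap pcrs / tpm2_pcrread in Linux) and what Windows has recorded in the IntegrityServices registry values TPMActivePCRBanks and TPMDigestAlgID. The following Python is an added example, not code from the post or from any tool it mentions; it parses a constructed sample of tpm2_getcap pcrs output, decodes the two registry values, and flags the mismatch described above (Windows measuring into a digest bank the TPM has no PCRs allocated in). The TPM_ALG_ID values are the TCG ones (0x0004 SHA1, 0x000B SHA256); the bit layout assumed for TPMActivePCRBanks (bit 0 SHA1, bit 1 SHA256, then SHA384, SHA512) is consistent with the value 1 seen in the post for the SHA1 case, but the higher bits are an assumption.

```python
"""Cross-check TPM 2.0 PCR-bank allocation (Linux tpm2-tools view) against the
bank Windows believes it is measuring into (registry view).  Added example."""
import re

# TCG TPM 2.0 algorithm identifiers (TPM_ALG_ID) for the PCR hash banks.
TPM_ALG_ID = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}

# Assumed bit layout of the Windows TPMActivePCRBanks bitmask: bit 0 = SHA1,
# bit 1 = SHA256, bit 2 = SHA384, bit 3 = SHA512.  Bit 0 matches the value 1
# reported in the post with SHA1 active; the rest is an assumption.
ACTIVE_BANK_BITS = {1: "sha1", 2: "sha256", 4: "sha384", 8: "sha512"}

# Constructed sample of `tpm2_getcap pcrs` output after running
# `tpm2_pcrallocate sha1:none+sha256:all` (not captured from the author's module).
SAMPLE_GETCAP_PCRS = """selected-pcrs:
  - sha1: [ ]
  - sha256: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
"""


def parse_getcap_pcrs(text):
    """Return {bank_name: [pcr indices]} for every bank with at least one PCR allocated.

    A bank listed with an empty selection (e.g. "sha1: [ ]") is treated as disabled.
    """
    banks = {}
    for m in re.finditer(r"^\s*-\s*(\w+):\s*\[([^\]]*)\]", text, re.M):
        indices = [int(x) for x in m.group(2).replace(",", " ").split()]
        if indices:
            banks[m.group(1)] = indices
    return banks


def decode_windows_banks(active_pcr_banks, digest_alg_id):
    """Decode the two registry values into (set of banks Windows sees active,
    name of the bank Windows measures into)."""
    active = {name for bit, name in ACTIVE_BANK_BITS.items() if active_pcr_banks & bit}
    digest = TPM_ALG_ID.get(digest_alg_id, "unknown(0x%04x)" % digest_alg_id)
    return active, digest


def check_consistency(linux_banks, active_pcr_banks, digest_alg_id):
    """Return a list of findings; empty means the TPM allocation and the Windows
    view agree, which is what you want before enabling BitLocker."""
    findings = []
    win_active, win_digest = decode_windows_banks(active_pcr_banks, digest_alg_id)
    if win_digest not in linux_banks:
        findings.append(
            "Windows measures into %s but the TPM has no PCRs allocated in that bank"
            % win_digest
        )
    if win_active != set(linux_banks):
        findings.append(
            "Windows reports active banks %s but the TPM allocation is %s"
            % (sorted(win_active), sorted(linux_banks))
        )
    return findings


if __name__ == "__main__":
    tpm_view = parse_getcap_pcrs(SAMPLE_GETCAP_PCRS)
    # Registry values quoted in the post: TPMActivePCRBanks=1, TPMDigestAlgID=4.
    for finding in check_consistency(tpm_view, 1, 4):
        print("MISMATCH:", finding)
```

On a real system you would feed parse_getcap_pcrs the captured output of tpm2_getcap pcrs and read the two DWORDs from HKLM\SYSTEM\CurrentControlSet\Control\IntegrityServices; an empty findings list is the state in which the firmware, the TPM allocation and Windows all agree on the bank.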

TPM 2.0 needs UEFI boot with CSM disabled.
Did you try that?