Anyone have any experience repurposing TPM, encrypted drive laptop?

Hi

My dad has repurposed a HP Elitebook laptop from work, put in a new SSD and wants to install Linux on it. The install worked, I can see his Kubuntu install on the hard drive when I explore it with a live usb, but the BIOS of the machine can’t see that there is a drive present. I suspect it was because the machine previously had an encrypted disk and used a TPM for this along with things like the fingerprint reader.

I’ll be honest, I find this archaic 90s-style HP BIOS virtually unnavigable. Does anyone have any experience disabling all of these security features so it can be used as a simple home laptop?

I’m sorry I can’t be more specific about the laptop than “Elitebook,” I can’t find a serial or model number printed anywhere on this thing, I’m kind of hoping that this BIOS is generic enough across HP’s enterprise laptops not to matter.

So this is pre-EFI, or is it just a UEFI that looks like the BIOS of old?

I am wondering if it is possible that Secure Boot could be the culprit, though I see nothing to suggest that Kubuntu does not come with a signed shim, and your install USB booted fine, so that seems less likely.

Alternatively, if the BIOS/EFI was itself managing encryption, it would probably be relying on the drive to encrypt itself; I have seen this referred to as TCG OPAL, ATA Secure, or SED (Self Encrypting Drive).

Maybe the EFI/BIOS is trying to unlock the new drive with the previous drive’s master or user password, and your new drive is crashing or becoming unresponsive because of that?

I think more information is really necessary to find out what is going on here; can you live boot it then run dmidecode and look for the System Information section? It may contain the laptop’s model name/number.
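The dmidecode suggestion above, as an added example (not posted by anyone in the thread): a small POSIX shell script that pulls one field out of dmidecode's "System Information" section, plus two checks for what the kernel thinks of the TPM. The dmidecode output embedded in it is a constructed sample modelled on the real format; the serial number, UUID and board strings in it are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: find the model from dmidecode's "System Information" section
# and see whether the live kernel sees a TPM at all.
set -u

# dmi_field SECTION FIELD : read dmidecode text on stdin and print one field
# from the named section, e.g. dmi_field 'System Information' 'Product Name'.
dmi_field() {
    awk -v sec="$1" -v fld="$2" '
        /^[^ \t]/ { insec = ($0 == sec); next }   # an unindented line starts a new section
        insec && match($0, "^[ \t]+" fld ": ") { print substr($0, RLENGTH + 1); exit }
    '
}

# Constructed sample, modelled on real dmidecode output. Product Name and
# Version are the values the thread reports; everything else is a placeholder.
SAMPLE_DMI='# dmidecode 3.3
Getting SMBIOS data from sysfs.
SMBIOS 2.7 present.

Handle 0x0001, DMI type 1, 27 bytes
System Information
        Manufacturer: Hewlett-Packard
        Product Name: HP EliteBook Folio 9470m
        Version: A1029D1102
        Serial Number: PLACEHOLDER0
        UUID: 00000000-0000-0000-0000-000000000000
        Wake-up Type: Power Switch

Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
        Manufacturer: Hewlett-Packard
        Product Name: PLACEHOLDER-BOARD
        Version: KBC Version 00.00
'

# Wrappers over the sample so the parser can be exercised offline.
sample_product_name() { printf '%s\n' "$SAMPLE_DMI" | dmi_field 'System Information' 'Product Name'; }
sample_version()      { printf '%s\n' "$SAMPLE_DMI" | dmi_field 'System Information' 'Version'; }

# live_model : the same query against the real machine (needs root on the live USB).
live_model() { sudo dmidecode -t system | dmi_field 'System Information' 'Product Name'; }

# tpm_visible : devices the kernel's TPM driver has bound; empty means no TPM seen.
tpm_visible() { ls /sys/class/tpm 2>/dev/null; }

# tpm_dmesg : kernel messages mentioning the TPM, which is where errors talking
# to the chip during live-USB boot would appear.
tpm_dmesg() { sudo dmesg | grep -i tpm; }

if [ "${1:-}" = "--live" ]; then
    echo "Model: $(live_model)"
    echo "TPM devices: $(tpm_visible | tr '\n' ' ')"
    tpm_dmesg
else
    echo "Sample model: $(sample_product_name) (version $(sample_version))"
fi
```

Run it with `--live` from the Kubuntu live USB to query the real machine; without arguments it only parses the embedded sample. The section/field split in `dmi_field` matters because several sections (System, Base Board, Chassis) all carry a `Manufacturer:` or `Version:` line, so a plain `grep Version` would pick the wrong one.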

From the laptop you can't. It's designed so that the drive is only readable with TPM enabled; if you turn it off, the drive can't boot.
You will have to remove the drive and install it in another system to wipe it.

Disable TPM in your system and install the drive as a secondary device (not the boot disk).
Assuming Windows 10 or lower/Linux, you don't need TPM active to boot the OS.

Make the repurposed drive raw (delete all partition data),
then partition as needed, quick format, you're done.

Should work fine after that.

Oh, and then put the drive in the lappy, boot to BIOS and load optimized defaults. Disable TPM. Reboot and install a fresh OS.
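The "attach it as a secondary disk, make it raw, repartition" procedure above, as an added example that is not part of the thread: a POSIX shell script for doing that from a Linux machine (the Kubuntu live USB will do), with the guard a practitioner wants before running `wipefs` on anything, namely that the target is a whole disk and is not the disk the running system lives on. The `wipefs`, `sgdisk`, `parted`, `mkfs.ext4`, `hdparm`, `lsblk` and `findmnt` calls are the standard util-linux/gdisk/parted/e2fsprogs/hdparm tools; the device paths in the usage are hypothetical.

```shell
#!/bin/sh
# Added example: wipe a repurposed SSD attached as a secondary disk, refusing
# to touch the disk that holds the running root filesystem.
set -u

# disk_of_dev DEV : strip a partition suffix (/dev/sda12 -> /dev/sda,
# /dev/nvme0n1p2 -> /dev/nvme0n1); a whole-disk path is returned unchanged.
disk_of_dev() {
    case "$1" in
        /dev/nvme*|/dev/mmcblk*) printf '%s\n' "$1" | sed -E 's/p[0-9]+$//' ;;
        *)                       printf '%s\n' "$1" | sed -E 's/[0-9]+$//' ;;
    esac
}

# part_dev DISK N : the path of partition N on DISK (sda -> sda1, nvme0n1 -> nvme0n1p1).
part_dev() {
    case "$1" in
        /dev/nvme*|/dev/mmcblk*) printf '%sp%s\n' "$1" "$2" ;;
        *)                       printf '%s%s\n' "$1" "$2" ;;
    esac
}

# is_safe_target DEV ROOTDEV : succeed only if DEV is a whole disk under /dev
# and is not the disk that ROOTDEV (the device mounted at /) sits on.
is_safe_target() {
    target=$1; rootdev=$2
    case "$target" in /dev/*) ;; *) return 1 ;; esac
    [ "$(disk_of_dev "$target")" = "$target" ]  || return 1   # must be a whole disk
    [ "$(disk_of_dev "$rootdev")" != "$target" ] || return 1   # must not hold /
    return 0
}

# ata_security_state DEV : show hdparm's Security block, which tells you whether
# the drive itself is locked/frozen (relevant if the firmware was trying to
# unlock an SED/OPAL or ATA-password drive).
ata_security_state() { sudo hdparm -I "$1" | sed -n '/^Security:/,/^$/p'; }

# wipe_disk DEV : destroy every signature and partition table on DEV, then
# lay down a fresh GPT with one ext4 partition. Requires CONFIRM=YES.
wipe_disk() {
    dev=$1
    rootdev=$(findmnt -n -o SOURCE /)
    if ! is_safe_target "$dev" "$rootdev"; then
        echo "refusing to wipe $dev (not a whole disk, or it holds / ($rootdev))" >&2
        return 1
    fi
    if [ "${CONFIRM:-}" != "YES" ]; then
        echo "dry run: set CONFIRM=YES to wipe $dev. It currently looks like:" >&2
        lsblk "$dev" >&2
        return 1
    fi
    sudo wipefs -a "$dev"                 # remove filesystem, RAID and partition-table signatures
    sudo sgdisk --zap-all "$dev"          # destroy GPT structures and the protective MBR
    sudo parted -s "$dev" mklabel gpt mkpart primary ext4 1MiB 100%
    sudo udevadm settle                   # wait for the new partition node to appear
    sudo mkfs.ext4 -F "$(part_dev "$dev" 1)"
}

# Usage (device path is hypothetical): sh wipe.sh --wipe /dev/sdb
if [ "${1:-}" = "--wipe" ] && [ -n "${2:-}" ]; then
    ata_security_state "$2"
    wipe_disk "$2"
fi
```

On a live USB `findmnt -n -o SOURCE /` reports the overlay rather than the USB stick, so the guard there only rejects obviously wrong targets; check `lsblk` yourself before setting `CONFIRM=YES`. The `hdparm -I` Security block is worth reading before wiping: a drive reporting `locked` or `frozen` will not accept the wipe until it is unlocked or power-cycled, and that state is the kind of thing the earlier speculation about firmware-managed drive encryption would leave behind.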

It’s UEFI, this is just what OEM BIOSes tend to look like. My cheap Dell laptop is very much the same (minus the security features).

I ran dmidecode, the laptop Product Name is HP EliteBook Folio 9470m, Version: A1029D1102

I’m getting errors communicating with the TPM chip when the live USB is booting, so I suspect this is related. I’m going to see if I can dig around and find if there’s a way to clear TPM keys?

It’s already a completely new drive, it’s not the one that was previously encrypted. I suspect this is the source of the issue. I’m going to have another explore in this god-awful BIOS to see if I can find a way to completely disable TPM, or at least clear the keys.

Edit: Woo I found the specific TPM button I needed to press, apparently xD It’s booting now. Thanks, guys!


When you have time on a future reboot, I would be very curious what the TPM feature you disabled was; a reset of keys, a particular setting, or just disabling TPM support entirely?

I am glad it is working for you, but this is puzzling, it sounds like the TPM is doing something, but not preventing you from booting an external drive (USB)?

I could maybe understand safe guarding only the default boot path (i.e. what happens when there is no user interaction), but it sounds like what you were saying was that you could reach a boot selection/chooser screen in the UEFI, yet it was hiding the internal drive and only showing the USB drive as an option. Is that correct?


Edit:
The HP EliteBook 9470m Notebook PC Maintenance and Service Guide (PDF, no https option) contains this,

Supports Trusted Platform Module (TPM) 1.2 (Infineon, soldered down) and
TPM Enhanced Drive Lock (not supported in the People's Republic of China)

That sounds like our boy right there.

Drive Lock was actually one of the first things I tried, it was already off. The issue was more to do with how the BIOS was laid out. The option to disable the TPM chip was a toggle labelled “hide/show”, which was extremely counter-intuitive for me, but that’s what I had to do.

I don’t understand why merely having the TPM enabled, but disk encryption off would prevent it from booting (that’s how it’s currently configured on my own desktop) but that seems to have been what was causing problems.

I actually tried all of the things you mentioned: turning off both forms of Drive Lock, turning off the anti-theft stuff, resetting keys, re-creating keys, resetting everything to factory defaults. In the end disabling TPM entirely is what did it.