Tuesday, September 28, 2021

Unreadable madness (PCR7 is Not Possible, "Prepare the TPM" is gray, and other insufferables)

8 million horror stories in the naked internet, broken PCs, shattered dreams.

https://www.google.com/search?q=nvme+%22pcr7%22&ei=cMxTYc_2MsG8-wTjyKTIAw&oq=nvme+%22pcr7%22

And NONE of them apply to me!!! AHHH!!!

Edit: (File this under rude rants)
Why is there
Security-processor-details,
  • TPM,
  • TPMTOOL,
  • TPMDIAGNOSTICS,
  • GET-TPM,
and a cousin MANAGE-BDE -Protectors.
A collectible butt-nugget:
wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:list
Plus, for a good time go here: (Enroll? Provision? qua (quoi)??) ("Qu'est-ce que c'est?" Huh?)
https://social.technet.microsoft.com/Forums/windows/en-US/ed25aa4d-bc60-468e-98a6-06be5558e2e7/enroll-versus-provision?forum=microsoftintuneprod

If you were stubbornly (doggedly, determinedly, persistently) trying to defeat PCR7 and make it your slave,
THIS might help, but it's more folderol.
What it has going for it is, it isn't from microsoft, so it actually imparts information.
Unfortunately it isn't the info we were looking for but it's related. Sort of.

From an EIGHT-PAGE document
Come into my parlor, said the spider to the Fly


The TLDR of all this folderol is, Windows has a way of snarkily mumbling about this or that feature being disabled, and when you try to assuage the detractor (usually a report about security),

You land in a bog that slowly turns to concrete,

For example "PCR7", what is it, why do I need it, why don't they just enable it.

TCG LOG is important, to someone, somewhere, somehow.
Have it or be browbeaten forever.

https://www.windowsphoneinfo.com/threads/device-standard-encryption-pcr7-binding-issue.549624/

Dell (the company, not the farmer-in)
has decreed that to prepare a TPM you must turn off "Secure boot" and "PTT", whatever that is.

OK fucket, I'm off to open my barn-door.
Most useless
Plus my barn-door is open. WTF??
Clear till judgment day, but never prepare (It's a curse)
The equivalent command might be
So that fat fast-typer who hates GUI and runs linux mostly, knows more than me (like what tpmdiagnostics really does, which so far, isn't much)

Beeesides, "Bitlocker" DMA protection is sooo last-month.
"Kernel" DMA protection is the new rock-star.
https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt

I would not know *what* my motherboard supports, since motherboards use different names than OSes.
In other words, I hope you've got lots of friends on Reddit.
I'll die alone with an obsolete two-year-old PC.

https://success.trendmicro.com/solution/1103910-initializing-trusted-platform-module-tpm-for-encryption-management-for-microsoft-bitlocker-install

"TPM Owner Password" is dangerous and ill advised, but you go ahead (whatever)

Have you ever started a new job, and the fat guy sitting next to you treats every bullshit piddly-ass nugget of information like you were pulling it straight from his butt?
This is a lot like that. 
Engineers world-fucking-wide had to go to school to learn this stuff, why should *you* know so easily?
Best change the procedure in case someone explains it too well.


Can you read me?
Do you know who I Am?!



Whatever is wrong, it isn't my TPM 
"Your device is worthy" (I already knew that)
Plus, some snapin DIED suddenly, some unreadable crap on my screen
"You're worthy (but not)"

Ole fatass says:

You won't be able to read this, it says (basically) "You have tons of security but you're not using it"
"The things others do, you can't, it's above your grade"
"we piss on word wrap, readers read this and despair (mwahaha)"

"Device Encryption Support
Reasons for failed automatic device encryption:
 PCR7 binding is not supported,
Hardware Security Test Interface failed and device is not Modern Standby,
Un-allowed DMA capable bus/device(s) detected"

And we just don't like your kind here.
Go back to Windows 10 where you belong, stranger


I knew more before I started to write this.


Now what????

Twilight-zone carousel in Willoughby:



10 zillion ways to die

Ya know, (ahem) if this is so fucking easy, WHY hasn't anyone cut the bullshit of thehistoryoftheworldandeverythinginit(with appendix) and just written the damn steps on a page?

OKOK, it is NOT "7", will 11 do???

I got stuck. If 0,2,4,11 aren't worth spit, why are we even talking about them?
Where is "pcr7"
I washed my hands and said my prayers, and I'm a wolfman anyway. WTF???
Oh, REAL Helpful, Microsoft, you KNOW what's enabled, etc (this is total bullshit already)

I enrolled a custom EFI called "bootmgr.efi" (I think) under "Microsoft" in some directory.
I either shitcanned my OS or I'm fine (Ignore the spontaneous reboot)
And the above (if it works) was totally on a guess, no help at all, thanks, microsoft.

NOW I need to re-read my own blog and see if anything nice happened since I wrote it.
"BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event"
That's damn close but no cigar.
I need a decent tcg-log, prolly some damned-buried BIOS-option.
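Pulling the tool pile from the top of this post together (Get-Tpm, the Win32_Tpm class behind the wmic one-liner, manage-bde -protectors), the msinfo32 "Device Encryption Support" reasons quoted above, and the "TCG log is invalid" BitLocker event just quoted, here is an added, read-only readiness check. It is not code from the post, from Microsoft or from Dell; the function names are this example's own, the sample report text is constructed, and the assumption that the BitLocker driver writes the TCG-log message to the System log is marked in the comments. Run it from an elevated Windows PowerShell; it changes nothing.

```powershell
# Added example (not from the post): gather what Get-Tpm, Win32_Tpm, the
# BitLocker module and msinfo32 each say, and look for the TCG-log event.
# Run elevated on Windows 10/11. Nothing here modifies TPM, BitLocker or firmware.

function Get-TpmSummary {
    $tpm = Get-Tpm -ErrorAction SilentlyContinue       # TrustedPlatformModule module (tpm.msc's data)
    # Win32_Tpm is the class behind the wmic command in the post; SpecVersion
    # separates TPM 1.2 from 2.0 (Intel PTT and AMD fTPM are firmware TPM 2.0).
    $wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Ready       = $tpm.TpmReady     # tpm.msc grays out "Prepare the TPM" when this is already $true
        Enabled     = $tpm.TpmEnabled
        Activated   = $tpm.TpmActivated
        Owned       = $tpm.TpmOwned
        SpecVersion = $wmi.SpecVersion
    }
}

function Get-SecureBootSummary {
    try   { $state = Confirm-SecureBootUEFI }          # throws on legacy BIOS boot or without elevation
    catch { $state = $null }
    [pscustomobject]@{ SecureBootEnabled = $state }
}

function Get-OsVolumeProtectors {
    # Same information as "manage-bde -protectors -get C:", via the BitLocker module.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    }
}

function ConvertFrom-MsinfoDeviceEncryption {
    # Parses the tab-separated text that "msinfo32 /report <file>" writes.
    param([Parameter(Mandatory)][string]$ReportText)
    $out = [ordered]@{ MeetsPrerequisites = $null; Reasons = @(); KernelDmaProtection = $null }
    foreach ($line in ($ReportText -split "`r?`n")) {
        if ($line -match '^Device Encryption Support\s+(.+?)\s*$') {
            $value = $Matches[1]
            if ($value -match '^Reasons for failed automatic device encryption:\s*(.+)$') {
                $out.MeetsPrerequisites = $false
                # The reasons are comma-separated, both in the GUI and in the report file.
                $out.Reasons = @($Matches[1] -split ',\s*' | ForEach-Object { $_.Trim() })
            } else {
                $out.MeetsPrerequisites = $true      # a passing machine reads "Meets prerequisites"
            }
        } elseif ($line -match '^Kernel DMA Protection\s+(.+?)\s*$') {
            $out.KernelDmaProtection = $Matches[1]   # "On"/"Off"; needs firmware IOMMU (VT-d) support
        }
    }
    [pscustomobject]$out
}

function Get-DeviceEncryptionSupport {
    $report = Join-Path $env:TEMP 'msinfo32-report.txt'
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
    ConvertFrom-MsinfoDeviceEncryption -ReportText (Get-Content -Path $report -Raw -Encoding Unicode)
}

function Get-TcgLogEvents {
    # Assumption: the BitLocker driver writes the "TCG log is invalid for use of
    # Secure Boot" message to the System log. Filtering on the text avoids
    # hard-coding an event ID that is not stated in the post.
    Get-WinEvent -LogName System -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*TCG log is invalid*' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Constructed sample of the three report lines that matter (not a real capture),
# so the parser can be exercised without running msinfo32:
$SampleReport = @"
Secure Boot State`tOn
Kernel DMA Protection`tOff
Device Encryption Support`tReasons for failed automatic device encryption: PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected
"@
$parsed = ConvertFrom-MsinfoDeviceEncryption -ReportText $SampleReport
# $parsed.Reasons now holds the three quoted reasons as separate strings;
# $parsed.KernelDmaProtection is "Off".

if ($env:OS -eq 'Windows_NT') {
    # Live readings; each section is independent, so a missing module does not stop the rest.
    Get-TpmSummary
    Get-SecureBootSummary
    Get-OsVolumeProtectors
    Get-DeviceEncryptionSupport
    Get-TcgLogEvents
}
```

Reading the three reasons side by side is the useful part: "PCR7 binding is not supported" is about what the firmware measured into PCR7 and whether the boot manager Windows finds there matches, so it goes together with the Secure Boot state and any TCG-log event; "Un-allowed DMA capable bus/device(s) detected" is the Kernel DMA Protection line, not the TPM; and "not Modern Standby" is a platform property no setting fixes. Splitting them this way tells you which of the three the BIOS can actually change before you start toggling options.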

Fresh from a fitful nap,
Says you can disable automatic encryption on "eDrives" (encrypted drives)
Because, windows is already installed and set up.
I still want to rant that this is one more arcane setting in a long series of disparate settings. Plus no one told me to set it; it's just, one more possibility.
OIC, sort of, if you're already using some third-party encryption, you can disable windows' encryption.
I still want to go back to "TCG" (trusted computing group) Log.
Have you heard of flickering light-bulbs, intermittent tubes, that flicker when you tap them??
I can't (I don't think) post the whole message, but, early this morning something successful happened, then it all went to shit again.


That was this morning, after I accidentally pressed a correct button (Think, "Monkeys in space," I think they made a cartoon)
But it's all for naught, unless PCR7 (the snob) approves, and it won't.

I get flashes in my head, a dim bulb flickers on for a second, and then, darkness.
(Maybe I need to put in some "Windows", har-har)

IOW, NO ONE really knows this stuff, and usually they fall back on the old-saw, "reinstall"

Self assured assholes smirking at this old ranter ranting at the air.
To counteract a fellow plebe bleating about drivers,
IOW it worked, I *have* the latest, But it failed ("you are obsolete")
If I have a stroke, I hope my survivors sue you into oblivion

 
Rest, little zombie, in your crypt
Be still and know that we are Microsoft


disparate, quaint and curious, long forgotten (from some tome)
OK, I guess. ???

Defense-yada.gov says, "standard" windows-secure-boot-mode is OK, unless you're on a plane or at the end of a gargantuan network, then use "Custom".
I'm muffing the exact name, so just remember "standard" and "custom" and remember that, unless you know how to customize, uhm,...

Beyond that, some picayune thingy is rejecting my setup, and I have no idea what or why.
It's kind of a marketing thing; scare the hell out of you on Google's front page, 

But like the man said, DIY'ers do this stuff daily.
I'm no DIY'er.