TPMFirmwareUpdateSettings lacks an option to force an update
Reported by samuel.k...@airbnb.com, Aug 17
Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 10895.21.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.35 Safari/537.36
Platform: 10895.21.0 (Official Build) dev-channel samus

Steps to reproduce the problem:
1. Have thousands of Chromeboxes in a contact center environment with vulnerable TPMs
2. Need to be able to update the TPMs without touching every single box.

What is the expected behavior?
I expect there to be an option to force a firmware update. While in 68 a user can now update the firmware if they choose, this doesn't scale to thousands of devices.

What went wrong?
Need to be able to globally update all TPMs.

Did this work before? No

Chrome version: 69.0.3497.35 Channel: dev
OS Version: 10895.21.0
Flash Version:

These devices are all set to clear user data at logout, so we don't need any messaging to the user on backing up local data.
,
Aug 23
,
Sep 11
Mattias FYI
,
Sep 12
A bit of background:

1. The original implementation of the TPM firmware update flow did imply the equivalent of a powerwash, thus dropping enrollment. Triggering this remotely wouldn't have made any sense.
2. The device-state preserving flow is enabled starting in M70 (we had it in M68 originally but it got delayed due to issue 854576). With that, enrollment is preserved, but user data still won't survive the update.
3. Adding policies that force the device-state preserving flow is reasonable. I previously suggested this to the enterprise team (including the suggestion to force the update at enrollment time when there is no user data to lose by definition).

Is the enterprise team willing to pick this up now? Should be relatively simple, and I'm happy to help with guidance as needed.
Comment 1 by zmin@chromium.org, Aug 17
Status: Assigned (was: Unconfirmed)