TPM firmware corruption renders chromebook useless if force re-enrollment is on policy
Reported by
compt...@yavnehacademy.org,
Nov 15
|
|||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 Steps to reproduce the problem: 1. Enable force re-enrollment on domain policy 2. Start updating chromeos and during reboot or during installation part, force off the chromebook 3. This caused the TPM firmware update process to be abruptly ended, but we didnt force the chromebook off, the battery must have died or something, and this caused the firmware to become corrupt. Just like bios updates tell you not to turn off during update, this must of been what happened with the chromebook, and now we cant get it reinstalled, the firmware gives TPM firmware error during chromeOS installation, and we cant get it on to developer mode because force re-enrollment is on or wason before the update, so this means OS verification cannot be turned off.. What is the expected behavior? The TPM firmware update process which is part of the chromeOS update process, should have a sort of mechanism that verifies if the firmware gets written correctly first, before replacing the current firmware, many devices have this safety feature now where it can hold two firmwares, so that if this happened, it can revert back to the old firmware that worked. If you need me to come up with a solution to how this can be done I can probably explain it but i am sure you guys know how to do it. What went wrong? I explained it in step 3 of the steps to reproduce, if you think i should explain better just email me, thanks. Did this work before? N/A Chrome version: 70.0.3538.77 Channel: stable OS Version: 6.1 (Windows 7, Windows Server 2008 R2) Flash Version: already had engineer and case number on this so this should really be a feature that gets implemented.
,
Nov 19
Thanks for the report, can you let us know: 1) How many devices are currently in this state? 2) Can you attempt USB recovery using the latest Chrome OS 69 recovery image. Even if it fails, logs of the recovery process will be left on the USB drive. Please plug the USB drive into another Chromebook and attach the log files here so we can see where the failure is occurring. +mnissler for his thoughts here.
,
Nov 19
Hi, 1) Currently just one. 2) I am not able to go and grab another chromebook at the moment, can you just tell me the location of the logs? I have software that can see all files inside the chrome os recovery drive, for example I see the following folders in the EXT partition: usr lib64 lib sbin etc bin opt Let me know. Thanks.
,
Nov 19
On the USB drive there will be a root folder named "recovery_logs.NNNNN". This is not on the system partition, I believe it's on the stateful partition. On Chrome OS this is the only partition that will be mounted if the USB drive is inserted.
,
Nov 19
I see.. ok i'll try to get my hands on a chromebook upstairs..
,
Nov 19
Looks like logs are not being written. What screen do you see on recovery? Can you video what you see? Can you also try pressing CTRL+ALT+Refresh (refresh button is where F3 would be) to switch terminals and see what is displayed there?
,
Nov 19
the recovery screen is the normal one.. I insert USB , the chromebook restarts itself to try and start the installation, but screen stays black.. when i remove usb and restart it, this is the screen that I see after pressing tab (attached) as you can see the tpm firmware on top is reason.
,
Nov 19
sorry forgot to say, ctrl alt refresh doesnt do anything in any of the screens.
,
Nov 19
it doesn't look like the recovery process is running. Have you confirmed the USB recovery drive is good and working on other Chromebooks? Are you following instructions at google.com/chromeos/recovery ?
,
Nov 19
yes, 100%, same usb drive used for the other 35 chromebooks.
,
Nov 19
i cant even get into developer mode. OS verification screen says restart and when it restarts it stays black.
,
Nov 19
i also tried different usb drives, we even tried using a local image another support person sent me, it all points to the firmware error not allowing the recovery process to start.
,
Nov 20
you don't need developer mode to do a USB recovery. What happens when you are at the "Chrome OS is missing or damaged" screen and THEN insert the USB drive?
,
Nov 20
I didnt say I was going to use developer mode to do a USB recovery, it was just part of the troubleshooting me and other support person were doing to try and turn off OS verification to see if that could bypass the firmware error and continue to reinstall chrome OS. I am going to upload a video now and share google drive link since it is too large to upload here..
,
Nov 20
the USB has been blinking ever since, for about 40 mins now.
,
Nov 20
I left it there thinking the chromebook was maybe reading from the drive, but it sat there on my desk for 3 hours or more without anything happening and the blinking I/O status kept on, which I highly doubt was really doing anything at all.. let me know what else you want me to try and do.
,
Nov 29
hello.. did you see the video? am I waiting for further instructions? thx
,
Dec 12
TPM firmware update already behaves as described in #1, removing from TPM component.
,
Dec 12
I tried this: https://groups.google.com/a/chromium.org/forum/#!topic/chromium-os-discuss/pz0V63_TzR4 Since it seemed to be the exact error i am getting.. but it doesnt work. Since TPM as you say is behaving exactly as it should, what are the next thing to try? By the way, the root folder only contains this file (screenshot attached), after trying to get the recovery_logs.NNNNN file you mentioned.. which i still cant find.. |
|||
►
Sign in to add a comment |
|||
Comment 1 by mfullante@google.com
, Nov 19Labels: -Type-Bug Type-Feature