Upgrading the TPM in HP Small Form Factor PCs for use in Linux

Posted: Jul 8, 2024

Tags: linux security ssh gpm thrift

I’ve recently bought a few Small Form Factor PCs on eBay to use as part of my backup setup. It’s hard to beat the price: I’ve gotten 4-core, 16GB machines with 250GB NVMe SSDs for around $50 - $60 shipped. For one of these machines, I wanted to use the TPM to seal my SSH keys, and had to upgrade it from TPM 1.2 to 2.0. These are my notes on how to do that, because the HP upgrade tool is really terrible to work with. This should work for any of the HP ProDesk 600 or 800 machines.

Before you Start

Before you get started, check your BIOS; it will show whether your TPM firmware has already been upgraded. In my case, neither of the two machines I bought had TPM firmware that supported the 2.0 standard. Keep in mind that the firmware upgrade clears the TPM, so anything already sealed to it under 1.2 (BitLocker or LUKS keys, for example) will not be recoverable afterwards. If you need to upgrade, you’re going to need:

  1. A bootable USB drive with the Windows 10 32 bit installer copied over.
  2. A copy of the HP firmware upgrade tool

If you are using Linux, it is better to do the TPM upgrade before you partition your disk and install your OS, because the upgrade utility won’t run if your SSD has an “unshrinkable” partition and no spare unpartitioned space. In that case the utility appears to fail silently (more on that in a bit). The release notes also indicate it will fail if it finds certain kinds of disk encryption in use.

Fortunately, if you’ve already got an OS installed, there is a way to work around the issue that sounds risky but worked fine in practice: delete your partition. First write down the exact start and end sectors of the partition (fdisk -l prints them), because you will have to recreate it at exactly the same offsets. Then run fdisk, delete the encrypted partition, and write the table without creating any other partitions or making any new filesystems. Go through the rest of the process to upgrade the TPM, then recreate the partition with the same start and end sectors; decline any offer by fdisk to remove or overwrite the existing signature, and you should find your filesystem is still there with all your data. This works because deleting a partition only removes its entry from the partition table; the blocks inside the partition are never touched. It worked for me. YMMV. Make backups.
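To make it concrete why the delete-and-recreate trick is safe, here is an added example (my own code, not from this post or from HP) that reads and rewrites a GPT partition table directly. It builds a constructed 1 MiB disk image in memory holding one LUKS-typed partition with the LUKS magic bytes in its first sector, deletes the partition entry, shows the magic is still on disk, and recreates the entry at the same sectors. The function names, the image layout and the LUKS_MAGIC/LUKS_TYPE constants are my choices for the demo; the on-disk header and entry formats and the CRC32 rules are those of the GPT specification.

```python
# Added example: minimal GPT table dump/rewrite to show that deleting a partition
# entry and recreating it at the same LBAs leaves the filesystem data untouched.
import io
import struct
import uuid
import zlib

SECTOR = 512
HDR_FMT = "<8sIIII QQQQ 16s QIII"   # 92-byte GPT header at LBA 1 (backup copy at the last LBA)
ENTRY_FMT = "<16s16sQQQ72s"          # 128-byte partition entry
LUKS_MAGIC = b"LUKS\xba\xbe"         # what a LUKS container leaves in the first sector of its partition
LUKS_TYPE = "ca7d7ccb-63ed-4c53-861c-1742536059cc"   # GPT type GUID for a LUKS partition


def _read_header(img, lba=1):
    img.seek(lba * SECTOR)
    fields = list(struct.unpack(HDR_FMT, img.read(struct.calcsize(HDR_FMT))))
    if fields[0] != b"EFI PART":
        raise ValueError("no GPT header at LBA %d" % lba)
    return fields


def _write_header(img, fields, lba=1):
    # The header CRC32 covers the 92-byte header with its own CRC field zeroed.
    fields[3] = 0
    fields[3] = zlib.crc32(struct.pack(HDR_FMT, *fields)) & 0xFFFFFFFF
    img.seek(lba * SECTOR)
    img.write(struct.pack(HDR_FMT, *fields))


def dump_table(img):
    """Return in-use entries as (start_lba, end_lba, type_guid, part_guid, name) tuples."""
    h = _read_header(img)
    entries_lba, n_entries, entry_size, entries_crc = h[10], h[11], h[12], h[13]
    img.seek(entries_lba * SECTOR)
    raw = img.read(n_entries * entry_size)
    if zlib.crc32(raw) & 0xFFFFFFFF != entries_crc:
        raise ValueError("partition entry array CRC mismatch")
    table = []
    for i in range(n_entries):
        t, p, start, end, _attrs, name = struct.unpack(ENTRY_FMT, raw[i * entry_size:(i + 1) * entry_size])
        if t != bytes(16):            # an all-zero type GUID marks an unused slot
            table.append((start, end, str(uuid.UUID(bytes_le=t)), str(uuid.UUID(bytes_le=p)),
                          name.decode("utf-16-le").rstrip("\0")))
    return table


def write_table(img, entries):
    """Replace the partition entries (primary and backup copies) and fix all CRCs.

    Passing [] is the 'delete' step; passing the list saved by dump_table() is the
    'recreate at the same sectors' step. Nothing inside the partitions is touched."""
    h = _read_header(img)
    raw = bytearray(h[11] * h[12])
    for i, (start, end, tguid, pguid, name) in enumerate(entries):
        raw[i * h[12]:(i + 1) * h[12]] = struct.pack(
            ENTRY_FMT, uuid.UUID(tguid).bytes_le, uuid.UUID(pguid).bytes_le,
            start, end, 0, name.encode("utf-16-le"))
    crc = zlib.crc32(raw) & 0xFFFFFFFF
    for lba in (1, h[6]):             # h[6] is the LBA of the backup header
        hdr = _read_header(img, lba)
        img.seek(hdr[10] * SECTOR)    # hdr[10] is that header's own entry-array LBA
        img.write(raw)
        hdr[13] = crc
        _write_header(img, hdr, lba)


def signature_at(img, lba):
    """Read the first bytes of a sector, e.g. to check the LUKS header is still there."""
    img.seek(lba * SECTOR)
    return img.read(len(LUKS_MAGIC))


def make_demo_image(sectors=2048):
    """Constructed 1 MiB 'disk': headers at LBA 1 and LBA sectors-1, 128 entries after
    each, one LUKS partition filling the usable range, LUKS magic in its first sector."""
    img = io.BytesIO(bytes(sectors * SECTOR))
    hdr = [b"EFI PART", 0x00010000, 92, 0, 0, 1, sectors - 1, 34, sectors - 34,
           uuid.uuid4().bytes_le, 2, 128, 128, 0]
    _write_header(img, hdr, 1)
    bak = list(hdr)
    bak[5], bak[6], bak[10] = sectors - 1, 1, sectors - 33
    _write_header(img, bak, sectors - 1)
    part = (34, sectors - 34, LUKS_TYPE, str(uuid.uuid4()), "cryptroot")
    write_table(img, [part])
    img.seek(part[0] * SECTOR)
    img.write(LUKS_MAGIC)             # constructed stand-in for the encrypted filesystem
    return img, part


if __name__ == "__main__":
    disk, part = make_demo_image()
    saved = dump_table(disk)          # record the table before touching anything
    write_table(disk, [])             # delete the partition (what fdisk 'd' + 'w' does)
    assert dump_table(disk) == [] and signature_at(disk, part[0]) == LUKS_MAGIC
    write_table(disk, saved)          # recreate it at the same sectors afterwards
    assert dump_table(disk) == saved and signature_at(disk, part[0]) == LUKS_MAGIC
    print("LUKS header survived delete + recreate at LBA", part[0])
```

The same two steps on a real disk are what `sfdisk -d /dev/nvme0n1 > table.txt` (before) and `sfdisk /dev/nvme0n1 < table.txt` (after) do, and that is the less error-prone way to get the start and end sectors back exactly. Recreating the partition at any other start sector leaves the table pointing at sectors that do not hold the LUKS header, which is why the offsets must match.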

The Bootable Windows 10 USB Drive

Another issue I encountered with the HP upgrade utility is that it is some sort of proprietary self-extracting archive, and it does not want to run under the 64-bit Windows 10 installer ISO I was able to download from Microsoft. Luckily, I had a 32-bit Windows 10 DVD, which I was able to use successfully. If I didn’t have it, I think I would have had to bite the bullet and temporarily install Windows 10 to see whether the compatibility mode tools would work (HP claims the file works under 64-bit Windows 10). In any case, if you have a 32-bit Windows 10 ISO and want to create a bootable USB drive from it, here’s the process I followed:

  1. Download Ventoy to make the bootable drive.
  2. After downloading Ventoy, run the VentoyWeb.sh script from the ventoy directory. It will want to run as root. If you don’t want to do that, make sure your user has write access to the USB drive device you are going to write to, then comment out the root check in the script, so that these lines read:
#uid=$(id -u)
#if [ $uid -ne 0 ]; then
#    print_err "Please use sudo or run the script as root."
#    exit 1
#fi

From there, visit http://localhost:24680 in your browser and install Ventoy on your USB drive.

  3. Copy your Windows (and HP) files over (adjust /dev/sda1 to the first partition of your USB drive, and create the two mount points first):
# mount /dev/sda1 /mnt/usb
# mount -o loop -t udf /PATH/TO/WINDOWS/ISO.iso /mnt/windows
# rclone copy /mnt/windows /mnt/usb
# cp /PATH/TO/HP/INSTALLER.exe /mnt/usb
# sync
# umount /mnt/usb
# umount /mnt/windows
# eject /dev/sda

Upgrading the TPM

After booting from the USB drive, select ‘Troubleshoot’ instead of install, then Advanced, then Command Prompt. From there you can run the sp81900.exe file you copied over, which by default extracts its files to a folder named SWsetup\SP81900. You’ll need to move the TPMConfig.exe utility into the Firmware folder and then run it from there:

X:> CD SWSetup\SP81900
X:> MOVE TPMConfig.exe Firmware
X:> CD Firmware
X:> TPMConfig.exe

If you don’t move the utility to the firmware folder, it will complain about not finding any firmware files. If you run the utility and nothing happens, minimize your terminal window – the TPM Config utility is behind it.

At this point, you should have a TPM Config window showing your current firmware version and the version it wants to upgrade the TPM to. If that looks right, continue. Note that the utility finishes quickly, almost immediately. This is normal: the utility isn’t upgrading the TPM, it is staging the upgrade. The upgrade itself happens after you reboot and takes a few minutes to complete. If you encounter any errors, look for a file called ‘TPMConfig.log’ in the Firmware directory; it should have some helpful info. If the utility has a problem with your partitions or disk encryption, you’ll see it in the log. The entries for me looked like this:

2024/07/07 12:55:22.533|00000518|Information|TpmUpdate::CTPMUpdateInfo::GetTPMInfo|GetTMPFirmwareImageInfo returns 0x00000000
2024/07/07 12:56:02.442|00000518|Information|TpmUpdate::Partition::FindEspPartition|PartitionStyle == PARTITION_STYLE_GPT, PartitionCount: 2
2024/07/07 12:56:02.458|00000518|Information|TpmUpdate::Partition::FindEspPartition|ESP partition found: drive = 0, partition = 0
2024/07/07 12:56:02.590|00000518|Warning    |TpmUpdate::Partition::MountEspPartition|Unable to mount ESP drive on Z, error 1.
2024/07/07 12:56:02.590|00000518|Information|TpmUpdate::Partition::AccessEspPartition|Cannot mount ESP drive.
2024/07/07 12:56:02.673|00000518|Information|TpmUpdate::Partition::FindHp_ToolsPartition|No HP_TOOLS partition found.
2024/07/07 12:56:02.689|00000518|Warning    |CTpmUpdateApp::PrepareEfiFlash|No BIOS recovery partition was found.
2024/07/07 12:56:02.720|00000518|Warning    |TpmUpdate::Partition::CanWeCreateHp_tools|No drive found with < 4 partitions, and unallocated space or shrinkable partition.
2024/07/07 12:56:02.720|00000518|Information|CTpmUpdateApp::PrepareEfiFlash|Cannot create HP_TOOLS partition.
2024/07/07 12:56:02.740|00000518|Information|OptionsPage::OnWizardNext|Unknown result from PrepareEfiFlash.

I was able to just delete my ‘unshrinkable’ partition and re-run the utility. Despite what the entries seem to indicate (about not having space for a new partition), it did not appear to write any data to my disk, and I didn’t lose any data after running the tool and then recreating my partition. There is a ‘-c’ flag that is supposed to cause the utility to create an ‘HP Tools’ partition, which I did not use when invoking TPMConfig. I suspect the check for extra space is a bug, in that it is probably only supposed to run when that flag is used.
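Since the only feedback you get from a failed staging run is that log file, here is an added example (my own code, not HP’s and not from this post) that parses the pipe-separated TPMConfig.log records and pulls out the warnings that explain why PrepareEfiFlash gave up. The sample lines are the excerpt above with the wrapped line rejoined; the mapping from function names to explanations is my own reading of those lines, not anything HP documents.

```python
# Added example: parse TPMConfig.log ("timestamp|thread|level|Component::Function|message")
# and report the warnings behind a silent TPMConfig failure.
import re
from collections import namedtuple

Record = namedtuple("Record", "ts thread level where msg")

# Constructed sample: the excerpt from the post, with the wrapped line rejoined.
SAMPLE_LOG = """\
2024/07/07 12:55:22.533|00000518|Information|TpmUpdate::CTPMUpdateInfo::GetTPMInfo|GetTMPFirmwareImageInfo returns 0x00000000
2024/07/07 12:56:02.442|00000518|Information|TpmUpdate::Partition::FindEspPartition|PartitionStyle == PARTITION_STYLE_GPT, PartitionCount: 2
2024/07/07 12:56:02.458|00000518|Information|TpmUpdate::Partition::FindEspPartition|ESP partition found: drive = 0, partition = 0
2024/07/07 12:56:02.590|00000518|Warning    |TpmUpdate::Partition::MountEspPartition|Unable to mount ESP drive on Z, error 1.
2024/07/07 12:56:02.590|00000518|Information|TpmUpdate::Partition::AccessEspPartition|Cannot mount ESP drive.
2024/07/07 12:56:02.673|00000518|Information|TpmUpdate::Partition::FindHp_ToolsPartition|No HP_TOOLS partition found.
2024/07/07 12:56:02.689|00000518|Warning    |CTpmUpdateApp::PrepareEfiFlash|No BIOS recovery partition was found.
2024/07/07 12:56:02.720|00000518|Warning    |TpmUpdate::Partition::CanWeCreateHp_tools|No drive found with < 4 partitions, and unallocated space or shrinkable partition.
2024/07/07 12:56:02.720|00000518|Information|CTpmUpdateApp::PrepareEfiFlash|Cannot create HP_TOOLS partition.
2024/07/07 12:56:02.740|00000518|Information|OptionsPage::OnWizardNext|Unknown result from PrepareEfiFlash.
"""

# (pattern on the Component::Function field, what that warning meant in practice)
CAUSES = [
    (re.compile(r"CanWeCreateHp_tools$"),
     "no disk with fewer than 4 partitions plus unallocated or shrinkable space; "
     "the post worked around this by temporarily deleting the partition"),
    (re.compile(r"MountEspPartition$"),
     "the EFI System Partition could not be mounted as drive Z:"),
    (re.compile(r"PrepareEfiFlash$"),
     "no HP_TOOLS / BIOS recovery partition was found"),
]


def parse_log(text):
    """Split each line into its five pipe-separated fields; lines that don't fit are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        records.append(Record(*(p.strip() for p in parts)))
    return records


def warnings(records):
    return [r for r in records if r.level == "Warning"]


def diagnose(records):
    """Return (where, explanation) for every Warning whose function we recognise."""
    found = []
    for r in warnings(records):
        for pattern, why in CAUSES:
            if pattern.search(r.where):
                found.append((r.where, why))
                break
    return found


def staging_failed(records):
    """True if the wizard ended on the 'Unknown result from PrepareEfiFlash' line."""
    return any("Unknown result from PrepareEfiFlash" in r.msg for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for where, why in diagnose(recs):
        print("%s: %s" % (where, why))
    print("staging failed" if staging_failed(recs) else "no failure marker seen")
```

Point it at the real file with `parse_log(open("TPMConfig.log").read())` from the Firmware directory; the Warning lines are the ones worth reading, the Information lines around them mostly just narrate the same decision.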

After rebooting, my TPM was upgraded to 2.0 and I was able to use it to unlock my encrypted root partition and seal my SSH keys.
