03-25-2023 06:03 PM
BitLocker-API events from eventvwr report that "BitLocker determined that the TCG log is invalid for use of Secure Boot." and also "BitLocker cannot use Secure Boot for integrity because the expected TCG Log separator entry is missing or invalid."
I looked into TCG log and found that after all EV_EFI_VARIABLE_DRIVER_CONFIG events comes EV_EFI_VARIABLE_AUTHORITY with signature from dbx (why?), then comes EV_SEPARATOR and then EV_EFI_VARIABLE_AUTHORITY again, this time valid one. This clearly breaks the TCG spec and makes PCR7 unusable. Windows automatic device encryption relies on PCR7.
I am using the latest firmware for my Z690, v2305. Already tried resetting Secure Boot keys, clearing the TPM and so on. Nothing helps.
Here is the problematic part of PCR7 log (45C7C8AE750ACFBB48FC37527D6412DD644DAED8913CCD8A24C94D856967DF8E is present in dbx):
{
  "EventType": "EV_EFI_VARIABLE_AUTHORITY",
  "Digest": "4D4A8E2C74133BBDC01A16EAF2DBB5D575AFEB36F5D8DFCF609AE043909E2EE9",
  "Event": {
    "VariableGUID": "d719b2cb-3d3a-4596-a3bc-dad00e67656f",
    "VariableName": "db",
    "VariableData": {
      "SignatureOwner": "77fa9abd-0359-4d32-bd60-28f4e78f784b",
      "SignatureData": "45C7C8AE750ACFBB48FC37527D6412DD644DAED8913CCD8A24C94D856967DF8E"
    }
  }
},
{
  "EventType": "EV_SEPARATOR",
  "Digest": "DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119",
  "Event": "00:00:00:00"
},
{
  "EventType": "EV_EFI_VARIABLE_AUTHORITY",
  "Digest": "30BF464EE37F1BC0C7B1A5BF25ECED275347C3AB1492D5623AE9F7663BE07DD5",
  "Event": {
    "VariableGUID": "d719b2cb-3d3a-4596-a3bc-dad00e67656f",
    "VariableName": "db",
    "VariableData": {
      "SignatureOwner": "77fa9abd-0359-4d32-bd60-28f4e78f784b",
      "SignatureData": {
        "Handle": {
          "value": 3157257934544
        },
        "Issuer": "CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "Subject": "CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "SerialNumberBytes": {
          "Length": 10,
          "IsEmpty": false,
          "Span": null
        }
      }
    }
  }
}
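The ordering fault described in the post above can be checked mechanically. The following is an added example, not code from the original post or from ASUS or Microsoft: it walks a PCR7 event list, reports any EV_EFI_VARIABLE_AUTHORITY entry that lands before the single EV_SEPARATOR (or any EV_EFI_VARIABLE_DRIVER_CONFIG after it), flags authority entries whose SignatureData is a hash that is listed in dbx, and replays the SHA-256 extend chain so you can see that the out-of-order entry changes the resulting PCR value. The event list is constructed to match the post: the two authority digests and the separator digest are the ones quoted above, while the digests for the SecureBoot/PK/KEK/db/dbx config events are placeholders (the post does not include them), so the replayed value is illustrative rather than the real PCR7 of that board.

```python
import hashlib

# Expected PCR7 phases for the Secure Boot policy measurement (TCG PC Client
# Platform Firmware Profile): variable-config measurements first, then exactly one
# separator, then the authority (db certificate or hash) that authorised each image.
PRE_SEPARATOR = {"EV_EFI_VARIABLE_DRIVER_CONFIG"}
POST_SEPARATOR = {"EV_EFI_VARIABLE_AUTHORITY"}


def placeholder_digest(label):
    """Constructed stand-in digest for events whose real digest is not in the post."""
    return hashlib.sha256(label.encode()).hexdigest().upper()


# Constructed PCR7 log modelled on the post: a dbx-listed hash is measured as an
# EV_EFI_VARIABLE_AUTHORITY before the separator, which is the fault described.
BROKEN_LOG = [
    {"EventType": "EV_EFI_VARIABLE_DRIVER_CONFIG", "Digest": placeholder_digest("SecureBoot"),
     "Event": {"VariableName": "SecureBoot"}},
    {"EventType": "EV_EFI_VARIABLE_DRIVER_CONFIG", "Digest": placeholder_digest("PK"),
     "Event": {"VariableName": "PK"}},
    {"EventType": "EV_EFI_VARIABLE_DRIVER_CONFIG", "Digest": placeholder_digest("KEK"),
     "Event": {"VariableName": "KEK"}},
    {"EventType": "EV_EFI_VARIABLE_DRIVER_CONFIG", "Digest": placeholder_digest("db"),
     "Event": {"VariableName": "db"}},
    {"EventType": "EV_EFI_VARIABLE_DRIVER_CONFIG", "Digest": placeholder_digest("dbx"),
     "Event": {"VariableName": "dbx"}},
    # Digests below are the ones quoted in the post.
    {"EventType": "EV_EFI_VARIABLE_AUTHORITY",
     "Digest": "4D4A8E2C74133BBDC01A16EAF2DBB5D575AFEB36F5D8DFCF609AE043909E2EE9",
     "Event": {"VariableName": "db", "VariableData": {
         "SignatureData": "45C7C8AE750ACFBB48FC37527D6412DD644DAED8913CCD8A24C94D856967DF8E"}}},
    {"EventType": "EV_SEPARATOR",
     "Digest": "DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119",
     "Event": "00:00:00:00"},
    {"EventType": "EV_EFI_VARIABLE_AUTHORITY",
     "Digest": "30BF464EE37F1BC0C7B1A5BF25ECED275347C3AB1492D5623AE9F7663BE07DD5",
     "Event": {"VariableName": "db", "VariableData": {
         "SignatureData": "CN=Microsoft Windows Production PCA 2011"}}},
]

# Constructed dbx contents: only the hash the post says is present in dbx.
DBX_HASHES = {"45C7C8AE750ACFBB48FC37527D6412DD644DAED8913CCD8A24C94D856967DF8E"}


def check_pcr7_order(events):
    """Return a list of findings; an empty list means the separator placement is as expected."""
    findings = []
    separators = [i for i, e in enumerate(events) if e["EventType"] == "EV_SEPARATOR"]
    if len(separators) != 1:
        findings.append(f"expected exactly one EV_SEPARATOR, found {len(separators)}")
        return findings
    sep = separators[0]
    for i, e in enumerate(events):
        t = e["EventType"]
        if i < sep and t in POST_SEPARATOR:
            findings.append(f"event {i}: {t} appears before the EV_SEPARATOR at {sep}")
        if i > sep and t in PRE_SEPARATOR:
            findings.append(f"event {i}: {t} appears after the EV_SEPARATOR at {sep}")
    return findings


def dbx_authority_hits(events, dbx_hashes):
    """Indices of EV_EFI_VARIABLE_AUTHORITY events whose SignatureData is a dbx-listed hash."""
    hits = []
    for i, e in enumerate(events):
        if e["EventType"] != "EV_EFI_VARIABLE_AUTHORITY":
            continue
        sig = e["Event"].get("VariableData", {}).get("SignatureData")
        if isinstance(sig, str) and sig.upper() in dbx_hashes:
            hits.append(i)
    return hits


def replay_pcr(events):
    """Replay the SHA-256 extend chain: PCR = SHA256(PCR || digest), starting from all zeros."""
    pcr = bytes(32)
    for e in events:
        pcr = hashlib.sha256(pcr + bytes.fromhex(e["Digest"])).digest()
    return pcr.hex().upper()


def fixed_log(events):
    """Constructed view of what the firmware should have logged: no dbx authority entry."""
    bad = set(dbx_authority_hits(events, DBX_HASHES))
    return [e for i, e in enumerate(events) if i not in bad]


if __name__ == "__main__":
    for finding in check_pcr7_order(BROKEN_LOG):
        print("FINDING:", finding)
    print("dbx hashes measured as authority at events:", dbx_authority_hits(BROKEN_LOG, DBX_HASHES))
    print("PCR7 replayed from log as logged :", replay_pcr(BROKEN_LOG))
    print("PCR7 replayed with entry removed :", replay_pcr(fixed_log(BROKEN_LOG)))
```

Because PCR7 is the running hash of every extend in order, the stray pre-separator authority entry is not just a parsing problem: it changes the PCR7 value, and BitLocker refuses to seal to a PCR whose log it cannot interpret, which is exactly what the "separator entry is missing or invalid" event reports. A real log from a Windows machine also contains other PCR7 events (for example EV_EFI_ACTION entries), so apply the order check to the full exported list rather than to this excerpt.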
06-03-2023 01:40 PM
Hi holmes0, were you able to resolve your issue? I'm having similar symptoms on my H770, although I wasn't able to decode the TCG log.
06-06-2023 05:24 PM
No, I wasn't able to resolve it because it's an issue on the ASUS side. They need to fix their firmware, but I don't think that's going to happen.
07-16-2023 02:22 PM
I'm having the same issue on an X670E Crosshair Hero, BIOS 1415. msinfo32 reports PCR7 binding is not possible. I've been rummaging around in the BIOS, disabling/re-enabling/clearing the fTPM, Secure Boot, etc., which was a complete waste of time, apparently. This irritates the piss out of me.
I confirmed via the BitLocker-API log. Have you by chance submitted a support ticket for this?
Asus... What's the deal with this? This breaks a number of Windows security features...
07-16-2023 03:11 PM - edited 07-16-2023 03:48 PM
Adding this for Asus support:
https://www.reddit.com/r/ASUS/comments/y8lt0d/has_anyone_gotten_device_encryption_to_work_on_an/
If I forked out $$$$$$$ for a TRX40 and Threadripper and had a stupid problem like this because of crappy coding, I'd be insanely pissed... As it stands though, I've still got over $2500 worth of Asus products in this one machine, and I am thoroughly unimpressed.
I also have a TUF Gaming X570 Pro running BIOS 4408, and interestingly, it doesn't have this problem... BitLocker binds to PCR 7 and 11.
I'm not using the fTPM on that board, though. I have a discrete TPM plugged into it, so that probably explains why...