TPM Operation BIOS setting

Hiya, could someone explain the options for TPM Operation settings in BIOS?

The first operation, “no operation” sounds at first like it would be similar to setting “TPM Availability” setting to “Hidden”, but then what’s the difference?

The next operation, “Enable” sounds good, but why isn’t it the default?

What are “SetPCRBanks(Algorithm)” and “LogAllDigests” and “ChangeEPS” options and when would someone use them?

And how about all these options: SetPPRequiredFor [Clear|TurnOn|TurnOff|ChangePCRs|ChangeEPS][On|Off]

Are all these options mutually exclusive? It looks like I can only pick one which is confusing.

Thanks!
Alex

It’s non-obvious. I’ve written up a bit about this on this very forum here and here. :slight_smile:

3 Likes

Thanks! All makes sense now. Quoting you here for easier reference:

TPM operation is a bit confusing. It’s more like a button (where selecting something performs an action) rather than a configuration setting.

You can think of it more like, “what will be done to the TPM when I hit save?” Things like “reset it” or “disable SHA1”. You don’t need to perform these actions unless you are having a specific issue with the TPM.

That menu item does not indicate the current state of the TPM.
It lets you specify what action to perform on the TPM when you next reboot.

“No operation” means “do not change anything about the TPM when I exit this page”. It does not mean “the TPM is not operational.”

1 Like