Install Guide

TPM

What is TPM

TPM, short for “Trusted Platform Module”, is a standard type of hardware component included in many PCs to more securely store and process cryptographic data.


More information about the TPM standard is available from the Trusted Computing Group which maintains the TPM standard

Does CloudReady support TPM?

CloudReady’s support for TPM is similar to the way it supports other non-essential features  like bluetooth. In particular:


  • Not all certified models are built with TPM hardware

  • Not all particular TPMs are supported by CloudReady currently

  • TPMs may need to be configured in BIOS prior to use by CloudReady.


TPM is commonly found in enterprise- or business-grade laptops and desktops, and Neverware is always working to add support for a wider variety of TPMs.

Do I need TPM?

In general, CloudReady is designed to function with or without a TPM present, and many certified models do not include any TPM hardware.


The only CloudReady functionality TPM is required for is the use of “hardware-backed” certificates. “Hardware-backed” certificates bind to unique user/device pairings, ensuring that a certificate cannot be moved to an unauthorized device or co-opted for use by a different, unauthorized user.


Some examples where “hardware-backed” certificates are used:


  • EAP-TLS (and other WPA2 Enterprise) wireless authentication

  • Managed or secured VPN configurations

  • Any other use of the “Import and Bind” button in the “Manage Certificates” section of Chromium’s Settings


See Google’s help page on managed certificates for details and examples.
What does CloudReady use TPM for?

In addition to the requirement of using TPM for “hardware-backed” certificates, some other functionality in CloudReady will optionally use TPM whenever an active and supported chip is found, including encryption of user, device, and some system data.


When TPM is not present or is not usable by CloudReady, these features will still function as expected, handled by software rather than TPM hardware. For more info on what functionality TPM is used for in CloudReady, see the Chromium design documentation.

How to use TPM with CloudReady

If you want the TPM in your devices to be used by CloudReady for the functionality listed above, you’ll need to access the BIOS/UEFI settings on each CloudReady machine to make sure the TPM hardware is cleared, visible, and active.


Accessing a device’s BIOS/UEFI settings, and finding the TPM settings inside, varies by manufacturer and model - contact support if you’re not sure what to try on your particular machine. Here are some general tips:


  • Once inside the BIOS/UEFI settings for a device, you can typically find the necessary TPM settings under sections like “Security”, “Device Configuration”, or “Advanced Settings”.

  • Some OEMs, such as HP, refer to a TPM as an “Embedded Security Device”

  • It may be necessary to set an admin password for BIOS access or security controls before TPM settings will be visible to you.


When you find the TPM settings in your device’s BIOS/UEFI settings, you need to make the following changes in this order:


  1. Clear TPM - this ensures the TPM is not “owned” and has no data from previous use.

          + Some OEMs, such as HP, label the command to clear TPM as “Reset to Factory Defaults”

          + If the command to clear or reset TPM is visible but cannot be selected, your TPM is already cleared - skip to step 3.

  2. Save Changes and Exit - Once you choose the clear the TPM, you must save changes, exit the BIOS/UEFI settings, and then allow the machine to restart. Boot immediately back into BIOS/ UEFI for the next step.

  3. Enable TPM - After clearing TPM, make sure any settings in the BIOS that affect TPM being “visible”, “active”, or otherwise interactive with an OS are enabled.

  4. Save Changes, Exit, and Proceed- Now that TPM is cleared, visible, and active, you can proceed with installing CloudReady as normal. Make sure you check for any other special installation notes or BIOS tweaks linked on the certified models list.

Disabling TPM

If you do not want CloudReady to use your device’s TPM chip, you can disable it instead of clearing and activating it as described in the previous section.


To do that, enter the BIOS/UEFI settings as described above, but instead of clearing or enabling any settings, set them to be hidden, deactivated, or disabled in all cases.


See the above sections for more info on what effect this may have.

Get help with TPM

If you are having any issues that you believe may be TPM-related, or have questions, just reach out to our support team in the usual way - chat, email, or phone.