Netgate Discussion Forum
    TPM chip and recommended whitebox bios settings + ECC

    Hardware · 3 Posts · 3 Posters · 427 Views
    • HLPPC (Galactic Empire)

      In an effort to make all of my hardware more compatible with a bare metal system, I'd like to get various TPM chips and secure boot to work instead of the built-in AMD fTPM.

      On one of my motherboards, for instance, I have a TPM chip:

      Jenny Watson TPM 2.0 Encryption Security Module Remote Card Windows 11 Upgrade 18 Pin TPM 2.0 Module for Asrock 18Pin LPC to Support Multi-Brand Motherboards

      So far, in pfSense, without the chip, when I switch from fTPM to LPC TPM, my keyboard types extremely slowly, and with the chip, stuff works more correctly.

      I'd like to enhance the security of the system by protecting it during the various reboots necessary to get fq_codel and other iflib features while connected to the public internet, and also if I decide to use Proxmox. Sometimes, for instance, network booting options pop up in my BIOS on this specific motherboard, and I'd rather be safer than more sorry.

      To my understanding, sometimes Unbound requires SHA-1, and if anything I'd like to enhance DNS and VPN security.

      Any suggestions/instructions would be awesome, and if anyone has recommended BIOS settings for ASUS and ASRock AM4 motherboards, that'd be awesome.

      There are all sorts of CPU features that affect power consumption, CPU throttling, C-states, P-states, IOMMU, SVM, and DDR4. And from what I've read, some features of machdep may or may not require them. Power saving and hyperthreading seem to drastically affect my middle-of-nowhere ping, but they also enhance security. I'd like to always have all security mitigations enabled as well, seeing as my CPUs are more than fast enough to handle all traffic, at pretty much any link speed.

      Also, one of my motherboards supports ECC RAM if I upgrade to Zen 3, and in good faith, I'd like to prevent memory errors on my end. How would I configure ECC on pfSense?

      Thanks!

      • stephenw10 (Netgate Administrator)

        There is no known path for this. I don't think I've ever seen anyone set up pfSense to boot with Secure Boot.

        Check the FreeBSD docs for it:
        https://freebsdfoundation.org/freebsd-uefi-secure-boot/

        https://wiki.freebsd.org/SecureBoot

        • Dobby_

          ECC RAM is a nice-to-have thing, but for a 24/7 running device it
          makes sense. The TPM module I am using in the PC Engines APU6B4
          I was able to buy from Dasharo. I soldered a 10-pin header
          on the board and then connected the TPM module there; together with
          the latest BIOS version (19.01), the BIOS recognizes the TPM module,
          but pfSense itself is not taking any advantage of the TPM module.

          Perhaps with the next BIOS something could change at
          this point.

          #~. @Dobby

          Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
          PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
          PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

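The two points the thread leaves open are "the BIOS sees the TPM, but does the OS?" and "how would I know ECC is doing anything on pfSense?". As an added example that is not code from any poster here, the following sh script gives a pfSense/FreeBSD admin a read-only way to answer both from the shell. It assumes FreeBSD's tpm(4) driver creates /dev/tpm0 when it attaches and that its kernel module is named tpm, and it reads the x86 machine-check sysctls hw.mca.enabled, hw.mca.count and hw.mca.records, which is where ECC and other machine-check events surface on FreeBSD. The dmesg probe-line pattern is an assumption, and the sample dmesg text used to exercise the helper functions is constructed.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: read-only checks
# to compare "the BIOS lists the TPM" with "the kernel attached a TPM
# device", and to see whether machine-check (MCA) reporting, the path by
# which ECC errors surface on x86 FreeBSD, is enabled and has logged anything.
# Assumptions: tpm(4) exposes /dev/tpm0 when attached and the module is named
# tpm; hw.mca.enabled / hw.mca.count / hw.mca.records are the x86 MCA sysctls.
# The dmesg probe-line pattern is a guess; sample text for testing is constructed.

# Exit 0 if the given dmesg text contains a "tpm<N>:" probe line.
tpm_in_dmesg() {
    printf '%s\n' "$1" | grep -qi '^tpm[0-9][0-9]*:'
}

# Given the values of hw.mca.enabled and hw.mca.count, print a verdict.
# Returns 0 = reporting on and nothing logged, 1 = records logged,
# 2 = reporting disabled, 3 = values unavailable (not an x86 FreeBSD host).
mca_verdict() {
    enabled=$1
    count=$2
    if [ -z "$enabled" ] || [ -z "$count" ]; then
        echo "MCA: hw.mca.* sysctls unavailable"
        return 3
    fi
    if [ "$enabled" != "1" ]; then
        echo "MCA: reporting disabled, ECC/machine-check events would not be logged"
        return 2
    fi
    if [ "$count" -gt 0 ]; then
        echo "MCA: $count record(s) logged, inspect with: sysctl hw.mca.records"
        return 1
    fi
    echo "MCA: reporting enabled, no records logged"
    return 0
}

# Live report for the host this runs on.
report() {
    if [ -c /dev/tpm0 ]; then
        echo "TPM: /dev/tpm0 present, tpm(4) attached"
    elif kldstat -q -n tpm 2>/dev/null; then
        echo "TPM: tpm module loaded but no /dev/tpm0 (driver found no device)"
    else
        echo "TPM: tpm module not loaded; try 'kldload tpm' and re-check dmesg"
    fi
    if out=$(dmesg 2>/dev/null) && tpm_in_dmesg "$out"; then
        echo "TPM: probe line present in dmesg"
    fi
    mca_verdict "$(sysctl -n hw.mca.enabled 2>/dev/null)" \
                "$(sysctl -n hw.mca.count 2>/dev/null)"
}

# Run the live report only when invoked with --live, so the helper functions
# can also be sourced and exercised with constructed input.
if [ "${1:-}" = "--live" ]; then
    report
fi
```

Run it as `sh tpm_ecc_check.sh --live` on the firewall. A present /dev/tpm0 only tells you the kernel attached the chip; as stephenw10 and Dobby_ note above, pfSense itself does not consume it. For ECC, the thing to watch is hw.mca.count growing over time, which is the kernel's record of corrected or uncorrected memory events rather than a BIOS menu setting.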
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.