public inbox for tpm2@lists.linux.dev
From: Roberts, William C <william.c.roberts at intel.com>
To: tpm2@lists.01.org
Subject: [tpm2] Re: Clearing TPM
Date: Fri, 30 Sep 2022 19:48:52 +0000	[thread overview]
Message-ID: <5f7e60d36ce99d08f1436ef6a7c5a8bb0cb1f7da.camel@intel.com> (raw)
In-Reply-To: 0389a2458d13073e1e9ce34e99f17e90307cc93c.camel@intel.com


On Fri, 2022-09-30 at 17:20 +0000, Roberts, William C wrote:
> On Fri, 2022-09-30 at 16:26 +0000, burnsds.accounts@protonmail.com wrote:
> > I am working on a Linux IoT integration with TPM 2.0 and want to write a
> > provisioning script for ensuring the TPM is set up consistently on the
> > device.  The script uses tpm2_clear and tpm2_changeauth.  Some of my
> > devices show the following error message when calling tpm2_clear:
> > 
> > dhub@dhub336:~$ sudo tpm2_clear
> > [sudo] password for dhub:
> > WARNING:esys:src/tss2-esys/api/Esys_Clear.c:291:Esys_Clear_Finish() Received TPM Error
> > ERROR:esys:src/tss2-esys/api/Esys_Clear.c:97:Esys_Clear() Esys Finish ErrorCode (0x00000921)
> > ERROR: Esys_Clear(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode
> > ERROR: Unable to run tpm2_clear
> > 
> > This makes me nervous as some of the devices need to be provisioned
> > in the field.  Why is the DA lockout preventing me from clearing the
> > TPM?  This is occurring on a NUC10 where the TPM is implemented in
> > the PTT.
> 
> Something has gotten auth wrong enough times on a DA protected object
> to trigger DA lockout. Why, I can't tell you. You'd have to investigate
> the reason it got into that state. tpm2_dictionarylockout -c will clear
> it and requires owner or lockout password.

It was brought to my attention that it requires lockout or platform
auth not owner auth. I always get that wrong too. :-p

> 
> > Thanks,
> > Dan Burns
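The provisioning flow discussed in this thread, as an added example that is not code from the thread or from tpm2-tools: the script reads the TPM's dictionary-attack state from `tpm2_getcap properties-variable` before calling `tpm2_clear`, so that a device that is already in DA lockout (the 0x921 / TPM_RC_LOCKOUT case above) gets a `tpm2_dictionarylockout -c` first instead of a failed run. It assumes tpm2-tools 4.x/5.x option syntax (`tpm2_dictionarylockout -c -p <lockoutAuth>`, `tpm2_clear -c l|p [auth]`, `tpm2_changeauth -c l <new>`), that the current lockout hierarchy password, if any, is supplied in the hypothetical environment variable `TPM2_LOCKOUT_AUTH`, and that `DRY_RUN=1` prints the commands instead of running them. The `tpm2_getcap` output embedded below is constructed, not captured from a real device.

```shell
#!/bin/sh
# Added example (not from the thread or tpm2-tools): inspect the TPM's
# dictionary-attack (DA) state and recover from lockout before tpm2_clear.
#
# Assumptions (not in the original mail): tpm2-tools 4.x/5.x syntax; the
# current lockout hierarchy password, if set, is in $TPM2_LOCKOUT_AUTH
# (tpm2-tools also accept file:/path or hex:... here, which keeps the
# password out of `ps`); DRY_RUN=1 prints the commands instead of running.

# Constructed sample of `tpm2_getcap properties-variable` output for a TPM
# that is in DA lockout (inLockout: 1, failed-auth counter at the limit).
SAMPLE_PROPS='TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            1
  reserved1:                 0
  disableClear:              0
  inLockout:                 1
  tpmGeneratedEPS:           1
  reserved2:                 0
TPM2_PT_LOCKOUT_COUNTER: 0x20
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180'

# prop_value NAME PROPS: value of the first line whose key is NAME.
prop_value() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }'
}

# da_state PROPS: "locked" (DA-protected auths now return TPM_RC_LOCKOUT),
# "counting" (failures recorded, not yet locked) or "clear".
da_state() {
    in_lockout=$(prop_value inLockout "$1")
    counter=$(( $(prop_value TPM2_PT_LOCKOUT_COUNTER "$1") ))
    if [ "$in_lockout" = 1 ]; then
        echo locked
    elif [ "$counter" -gt 0 ]; then
        echo counting
    else
        echo clear
    fi
}

# run CMD...: execute, or only print the command when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# provision_clear PROPS NEW_LOCKOUT_AUTH: reset DA state if needed, clear the
# TPM, then set the lockout password the device should end up with.
provision_clear() {
    props=$1
    new_auth=$2
    case $(da_state "$props") in
    locked)
        # TPM2_DictionaryAttackLockReset is authorised with lockoutAuth (-p),
        # not the owner password. A wrong lockoutAuth is penalised on its own
        # (the lockout hierarchy is blocked for TPM2_PT_LOCKOUT_RECOVERY
        # seconds), so never retry this in a loop.
        run tpm2_dictionarylockout -c ${TPM2_LOCKOUT_AUTH:+-p "$TPM2_LOCKOUT_AUTH"} || return 1
        ;;
    counting)
        echo "warning: $(( $(prop_value TPM2_PT_LOCKOUT_COUNTER "$props") )) failed DA auths recorded, continuing" >&2
        ;;
    esac
    # TPM2_Clear takes lockout (-c l) or platform (-c p) authorization.
    # Clear also resets lockoutAuth to empty and zeroes the DA counter.
    run tpm2_clear -c l ${TPM2_LOCKOUT_AUTH:+"$TPM2_LOCKOUT_AUTH"} || return 1
    # lockoutAuth is empty after Clear, so no -p (old auth) is needed here.
    run tpm2_changeauth -c l "$new_auth"
}

# Dry run against the constructed sample. On a device, pass the real
# `tpm2_getcap properties-variable` output and leave DRY_RUN unset.
DRY_RUN=1
provision_clear "$SAMPLE_PROPS" new-lockout-pw
```

The state check is what keeps the script idempotent in the field: a device with `inLockout: 1` gets one `tpm2_dictionarylockout -c` with the lockout password, a device with a non-zero `TPM2_PT_LOCKOUT_COUNTER` is logged but still cleared (Clear resets the counter), and a clean device goes straight to `tpm2_clear`. If no lockout password is known and the lockout hierarchy is unusable, `tpm2_clear -c p` with platform auth from firmware is the remaining path, which this script deliberately does not attempt on its own.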
