firmware-open

TPM reports it's locked when trying to clear

Open thomas-zimmerman opened this issue 2 years ago • 7 comments

  • Model: galp7
  • BIOS version: 2023-09-08_42bf7a6
  • EC version: 2023-09-08_42bf7a6
  • OS: Pop!_OS 22.04
  • Kernel: 6.5.6

Trying to clear the TPM with tpm2_clear we get a TPM error:

ERROR: esys:src/tss2-esys/api/Esys_Clear:c97:Esys_Clear() Esys Finish ErrorCode (0x00000921)
ERROR: Esys_Clear(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode
ERROR: Unable to run tpm2_clear

Steps to reproduce

sudo apt install tpm2-tools
sudo tpm2_clear

Expected behavior

We expect to have the TPM cleared for setting up new keys for LUKS or BitLocker use.

thomas-zimmerman, Nov 02 '23 16:11

Running this on a lemp12 with firmware build 2023-09-08_42bf7a6 gives me this output:

WARNING:esys:src/tss2-esys/api/Esys_Clear.c:291:Esys_Clear_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:97:Esys_Clear() Esys Finish ErrorCode (0x0000098e) 
ERROR: Esys_Clear(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented
ERROR: Unable to run tpm2_clear

ahoneybun, Nov 02 '23 17:11

If I run this command I get the lockout mode error like the customer:

tpm2_dictionarylockout --setup-parameters --max-tries=4294967295 --clear-lockout

ahoneybun, Nov 02 '23 17:11

My main working platform is gaze18, which originally faced this issue. I did a bunch of experimenting on it before I saw this, like I ran Win11, built/ran open firmware, etc. I thought maybe it got into this state in the process. Then I got the galp7 literally out of the box, brand new, and it had the same issue. I wonder if it is possible to get in touch with someone from the TPM manufacturer, because I see some other issues that I cannot explain. Thanks!

sun2sirius, Nov 02 '23 20:11

Try tpm2_clear -c platform for error 0x00000921

duplexsystem, Dec 29 '23 03:12

Yes, "-c" was the magic switch - thank you!

sun2sirius, Dec 29 '23 08:12

Hi there, I get this output:

sudo tpm2_clear -c platform
WARNING:esys:src/tss2-esys/api/Esys_Clear.c:291:Esys_Clear_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:97:Esys_Clear() Esys Finish ErrorCode (0x000009a2) 
ERROR: Esys_Clear(0x9A2) - tpm:session(1):authorization failure without DA implications
ERROR: Unable to run tpm2_clear

Did I do something wrong?

TobiPeterG, Aug 03 '24 12:08

Clearing the platform is still working for me; what hardware are you on where you got this error?

> sudo tpm2_clear
WARNING:esys:src/tss2-esys/api/Esys_Clear.c:291:Esys_Clear_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:97:Esys_Clear() Esys Finish ErrorCode (0x0000098e)
ERROR: Esys_Clear(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented
ERROR: Unable to run tpm2_clear
> sudo tpm2_clear -c platform

thomas-zimmerman, Aug 07 '24 16:08
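
The three response codes quoted in this thread (0x921, 0x98E, 0x9A2) differ in whether they are tied to a session and whether they touch dictionary-attack (DA) state. The following is an added example, not part of the original thread or of tpm2-tools: a shell function that splits a TPM 2.0 response code into its bit fields. The name `decode_tpm_rc` is hypothetical, and only the three codes from this thread are mapped to names.

```shell
#!/bin/sh
# Added example: decode a TPM 2.0 response code (TPM_RC) into bit fields.
# Field layout per the TPM 2.0 Library Specification, Part 2 (Structures).
# decode_tpm_rc is a hypothetical helper name, not a tpm2-tools command.
decode_tpm_rc() {
    # Accept only 0x-prefixed hex so untrusted text never reaches $(( )).
    case $1 in
        0[xX]*[!0-9a-fA-F]* | 0[xX] | '') return 2 ;;
        0[xX]*) rc=$(( $1 )) ;;
        *) return 2 ;;
    esac
    if [ $(( rc & 0x080 )) -ne 0 ]; then
        # Format one: the error is tied to a parameter, handle or session.
        err=$(( rc & 0x03F ))        # bits 5:0, error number
        n=$(( (rc >> 8) & 0xF ))     # bits 11:8, index field
        if [ $(( rc & 0x040 )) -ne 0 ]; then
            where="parameter($n)"
        elif [ $(( n & 0x8 )) -ne 0 ]; then
            where="session($(( n & 0x7 )))"
        else
            where="handle($n)"
        fi
        case $err in
            14) name=TPM_RC_AUTH_FAIL ;;  # 0x0E: DA counter incremented
            34) name=TPM_RC_BAD_AUTH ;;   # 0x22: no DA implications
            *)  name=$(printf 'FMT1_0x%02X' "$err") ;;
        esac
        printf 'fmt1 %s %s\n' "$where" "$name"
    else
        # Format zero: not tied to a specific parameter/handle/session.
        err=$(( rc & 0x07F ))        # bits 6:0, error number
        if   [ $(( rc & 0x100 )) -eq 0 ]; then kind=tpm1.2  # version bit clear
        elif [ $(( rc & 0x400 )) -ne 0 ]; then kind=vendor  # vendor-defined
        elif [ $(( rc & 0x800 )) -ne 0 ]; then kind=warn    # severity: warning
        else kind=error
        fi
        case "$kind:$err" in
            warn:33) name=TPM_RC_LOCKOUT ;;  # 0x21: TPM is in DA lockout
            *)       name=$(printf 'FMT0_0x%02X' "$err") ;;
        esac
        printf 'fmt0 %s %s\n' "$kind" "$name"
    fi
}

# The codes reported in this thread.
for code in 0x00000921 0x0000098e 0x000009a2; do
    printf '%s -> ' "$code"; decode_tpm_rc "$code"
done
```

Read this way, 0x921 means the TPM is already in DA lockout, 0x98E is a failed authorization on session 1 that counts toward lockout, and 0x9A2 is a failed authorization on session 1 that does not.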