Jürgen Repp
@fansari Thank you for the script. During the first provisioning you have assigned an auth value to the Endorsement hierarchy. Both EKs (ECC and RSA) are keys under the endorsement hierarchy....
@fansari I could reproduce your error and will create a fix for: https://github.com/tpm2-software/tpm2-tss/issues/2438 As a workaround you could execute the provisioning for the two profiles without auth values for the...
@fansari You should also set TSS2_FAPICONF='/usr/local/etc/tpm2-tss/fapi-config-rsa.json' in create-encryption-key.txt. (Will not be necessary after https://github.com/tpm2-software/tpm2-tss/pull/2435 is merged).
@fansari Did the encryption work after adding TSS2_FAPICONF='/usr/local/etc/tpm2-tss/fapi-config-rsa.json' to create-encryption-key.txt?
@fansari Yes that's intended. The private key is stored in the keystore. If you delete the key with tss2_delete the key is lost. Only the primary keys can be recreated.
@fansari It depends on the hierarchy you are using. The storage primary seed of the SRK will be changed after tpm2_clear. So the SRK can't be recreated afterwards. The endorsement...
@fansari Did you provide the correct password for the endorsement hierarchy? If the first trial for the creation of the EK fails with error BAD_AUTH, FAPI asks for the password...
@fansari Perhaps that's still the problem we already discussed: https://github.com/tpm2-software/tpm2-tss/issues/2438 Did you still use a password for the owner hierarchy?
@fansari During experimenting with FAPI provisioning where trials with authentication are made it makes sense to increase the auth failed counter temporarily to avoid coming into the lockout mode: ```...
@fansari After you have set the lockout auth value by `tss2_provision --authValueLockout=xxx` you must provide the lockout password: `tpm2_clear xxx`.