tpm2-tools

How to Set Platform Password -- phEnable May not Be SET using hierarchycontrol

Open dadiestfish2077 opened this issue 2 years ago • 4 comments

I understand the platform password is empty by default. I am assuming the hierarchy is enabled because we can run tpm2_clear and the tpm is wiped.

How can we set the platform password to a new value? We have tried tpm2_changeauth -c p password, but it states the hierarchy may not be enabled.

We have subsequently tried to enable the platform hierarchy by running: tpm2_hierarchycontrol -C p phEnable set

This fails as well with the error -- phEnable may not be SET using this command.

How do we enable the platform hierarchy and how do we set the password?

dadiestfish2077 avatar Jan 02 '23 13:01 dadiestfish2077

I understand the platform password is empty by default. I am assuming the hierarchy is enabled because we can run tpm2_clear and the tpm is wiped.

That actually works on the owner hierarchy.

How can we set the platform password to a new value? We have tried tpm2_changeauth -c p password, but it states the hierarchy may not be enabled.

To view if the hierarchy is enabled run the below command and look at the phEnable value:

tpm2 getcap properties-variable
<snip>
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
<snip>

We have subsequently tried to enable the platform hierarchy by running: tpm2_hierarchycontrol -C p phEnable set

This fails as well with the error -- phEnable may not be SET using this command.

How do we enable the platform hierarchy and how do we set the password?

Per Command Spec v1.59:

This command may be used to CLEAR phEnable and phEnableNV if platformAuth/platformPolicy is provided. phEnable may not be SET using this command.

My understanding is that this is always enabled and the OS disables it on boot once it's done using it. I'll have @idesai comment when they return to the office.

williamcroberts avatar Jan 02 '23 15:01 williamcroberts
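Added example (not code from the issue or from tpm2-tools): a POSIX shell helper that reads the TPM2_PT_STARTUP_CLEAR flags from `tpm2 getcap properties-variable` output like the one quoted above and reports whether `tpm2_changeauth -c p` (or -c o / -c e) can succeed on this boot. The getcap sample embedded in it is constructed, and NEW_PLATFORM_AUTH is a placeholder variable.

```shell
#!/bin/sh
# Added example, not from the issue or from tpm2-tools: parse the YAML that
# `tpm2 getcap properties-variable` prints and report whether a hierarchy
# is enabled for this boot cycle before attempting tpm2_changeauth on it.

# Constructed sample of `tpm2 getcap properties-variable` output, in the
# state the issue describes: firmware has already cleared phEnable, so
# `tpm2_changeauth -c p` cannot succeed until the next TPM reset.
SAMPLE_GETCAP='TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  lockoutAuthSet:            0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  0
  shEnable:                  1
  ehEnable:                  1
  phEnableNV:                1
  orderly:                   1'

# hierarchy_enabled <getcap-output> <flag>
# Prints the value (0 or 1) of one TPM2_PT_STARTUP_CLEAR flag, e.g.
# phEnable, shEnable, ehEnable or phEnableNV; prints "unknown" if absent.
hierarchy_enabled() {
    printf '%s\n' "$1" | awk -v flag="$2" '
        /^TPM2_PT_STARTUP_CLEAR:/    { in_block = 1; next }
        /^[^ ]/                      { in_block = 0 }
        in_block && $1 == (flag ":") { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# changeauth_possible <getcap-output> <p|o|e>
# Succeeds (exit 0) when the hierarchy named by the tpm2_changeauth -c
# letter is enabled; exits 2 for any other letter. Note that phEnable can
# only be cleared from the OS (tpm2_hierarchycontrol), never set again
# until the TPM is reset, so a 0 here means "wait for the next boot".
changeauth_possible() {
    case "$2" in
        p) flag=phEnable ;;
        o) flag=shEnable ;;
        e) flag=ehEnable ;;
        *) return 2 ;;
    esac
    [ "$(hierarchy_enabled "$1" "$flag")" = 1 ]
}

# Live use on a real TPM (NEW_PLATFORM_AUTH is a placeholder variable):
#   changeauth_possible "$(tpm2 getcap properties-variable)" p &&
#       tpm2_changeauth -c p "$NEW_PLATFORM_AUTH"
```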

Just an FYI, the GitHub manual for tpm2_clear states it is run under the lockout or platform hierarchy and takes those authvalues as an argument.

stickybits123 avatar Jan 03 '23 13:01 stickybits123

Just an FYI, the GitHub manual for tpm2_clear states it is run under the lockout or platform hierarchy and takes those authvalues as an argument.

That is correct, the TPM2_Clear command takes Platform or Lockout Authorization. My comment "It works on Owner hierarchy" is just one of many things that command changes in the TPM. The list as of 1.59 is:

This command removes all TPM context associated with a specific Owner.
The clear operation will:
• flush resident objects (persistent and volatile) in the Storage and Endorsement hierarchies;
• delete any NV Index with TPMA_NV_PLATFORMCREATE == CLEAR;
• change the storage primary seed (SPS) to a new value from the TPM’s random number generator (RNG),
• change shProof and ehProof,
NOTE 1 The proof values may be set from the RNG or derived from the associated new Primary Seed. If derived from the Primary Seeds, the derivation of ehProof shall use both the SPS and EPS. The computation shall use the SPS as an HMAC key and the derived value may then be a parameter in a second HMAC in which the EPS is the HMAC key. The reference design uses values from the RNG.
• SET shEnable and ehEnable;
• set ownerAuth, endorsementAuth, and lockoutAuth to the Empty Buffer;
• set ownerPolicy, endorsementPolicy, and lockoutPolicy to the Empty Buffer;
• set Clock to zero;
• set resetCount to zero;
• set restartCount to zero; and
• set Safe to YES.
• increment pcrUpdateCounter
NOTE 2 This permits an application to create a policy session that is invalidated on TPM2_Clear. The policy needs, ideally as the first term, TPM2_PolicyPCR(). The session is invalidated even if the PCR selection is empty.
This command requires Platform Authorization or Lockout Authorization. If TPM2_ClearControl() has disabled this command, the TPM shall return TPM_RC_DISABLED.
If this command is authorized using lockoutAuth, the HMAC in the response shall use the new lockoutAuth value (that is, the Empty Buffer) when computing the response HMAC.

See 24.6 of: https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part3_Commands_pub.pdf

williamcroberts avatar Jan 03 '23 14:01 williamcroberts

Typically, the platform hierarchy is closed in the PEI phase of the BIOS. The hierarchy is enabled and a random value is chosen as a password. An option to issue a TPM clear using platform hierarchy authorization is available in one of two forms:

  1. A bios option in the platform settings
  2. A jumper on the platform that needs to be connected per the platform manual.

The other option to clear the TPM, as stated, is to use the lockout authorization.

idesai avatar Jan 05 '23 15:01 idesai