
Not able to clear tpm or unset lockout password after once setting it

Open vamseekrishna25 opened this issue 1 year ago • 2 comments

I have tried to set the lockout auth using the command below:

```
tpm2_changeauth -c l passwd
```

After I set lockoutAuth, I am not able to use the tpm2_clear command:

```
tpm2_clear -c l passwd
WARNING:esys:src/tss2-esys/api/Esys_Clear.c:291:Esys_Clear_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:97:Esys_Clear() Esys Finish ErrorCode (0x00000921) 
ERROR: Esys_Clear(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode
ERROR: Unable to run tpm2_clear
```

When I tried to unset the lockout password, it did not work and gave the error below:

```
tpm2_changeauth -c l -p passwd
WARNING:esys:src/tss2-esys/api/Esys_HierarchyChangeAuth.c:309:Esys_HierarchyChangeAuth_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_HierarchyChangeAuth.c:114:Esys_HierarchyChangeAuth() Esys Finish ErrorCode (0x00000921) 
ERROR: Esys_HierarchyChangeAuth(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode
ERROR: Unable to run tpm2_changeauth
```

But I don't see the TPM being in lockout mode, or tpm2_clear being disabled, using the command below:

```
tpm2_getcap properties-variable
TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            1
  reserved1:                 0
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           1
  reserved2:                 0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1
  ehEnable:                  1
  phEnableNV:                1
  reserved1:                 0
  orderly:                   1
TPM2_PT_HR_NV_INDEX: 0x4
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x3
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0x14
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0x10
TPM2_PT_ALGORITHM_SET: 0x1
TPM2_PT_LOADED_CURVES: 0x2
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0xA
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
```

vamseekrishna25, Feb 06 '24 08:02

An error must have occurred during authorization of the lockout hierarchy before the tpm2_clear -c l passwd. In this case, one error is enough to activate the lockout mode. Spec Part1 Architecture 19.8.5:

"An authorization failure associated with lockoutAuth causes the TPM to enter this special lockout state regardless of the setting of failedTries and maxTries."

You could reset the TPM in the BIOS, or try https://github.com/tpm2-software/tpm2-tools/issues/1956#issuecomment-601617026, or wait until the lockout mode is deactivated.

JuergenReppSIT, Feb 07 '24 16:02
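The answer above explains why the poster's `inLockout: 0` is not a contradiction: the DA counter lockout and the lockoutAuth-specific lockout are separate states. The script below is an added example, not code from the thread or from tpm2-tools; it parses `tpm2_getcap properties-variable` output (a sample constructed from the values in the issue, so it runs without a TPM) and reports the lockout-related fields in readable form, reading `lockoutRecovery` as the Part 1 spec defines it (seconds before lockoutAuth may be tried again, 0 meaning until the next TPM Reset).

```shell
#!/bin/sh
# Added example (not from the thread or tpm2-tools): summarise DA / lockoutAuth
# state from `tpm2_getcap properties-variable`. SAMPLE is constructed from the
# issue's values so this runs without a TPM; pipe the live command instead.

# Print the value of one "name: value" field from a getcap dump read on stdin.
getcap_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# 0x-prefixed hex (or decimal) string to decimal; empty -> 0.
to_dec() {
    printf '%d\n' "${1:-0}"
}

# TPM_RC_LOCKOUT is RC_WARN (0x900) + 0x021, the 0x921 returned in the thread.
rc_is_lockout() {
    [ "$(to_dec "$1")" -eq 2337 ]
}

# Read the properties dump on stdin and print three summary lines.
lockout_summary() {
    dump=$(cat)
    field() { printf '%s\n' "$dump" | getcap_field "$1"; }
    auth_set=$(field lockoutAuthSet); in_lockout=$(field inLockout)
    counter=$(to_dec "$(field TPM2_PT_LOCKOUT_COUNTER)")
    max_fail=$(to_dec "$(field TPM2_PT_MAX_AUTH_FAIL)")
    interval=$(to_dec "$(field TPM2_PT_LOCKOUT_INTERVAL)")
    recovery=$(to_dec "$(field TPM2_PT_LOCKOUT_RECOVERY)")
    echo "lockoutAuthSet=$auth_set inLockout=$in_lockout failedTries=$counter/$max_fail"
    # inLockout is SET only when failedTries reaches maxTries. One failed
    # lockoutAuth attempt instead blocks lockoutAuth for lockoutRecovery seconds
    # (0 = until TPM Reset) without touching that flag: hence inLockout=0 above.
    if [ "$recovery" -eq 0 ]; then
        echo "lockoutAuth recovery: until TPM Reset"
    else
        echo "lockoutAuth recovery: ${recovery}s ($((recovery / 3600))h)"
    fi
    echo "failedTries decrements every ${interval}s ($((interval / 3600))h)"
}

SAMPLE='TPM2_PT_PERMANENT:
  lockoutAuthSet:            1
  inLockout:                 0
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0xA
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180'
printf '%s\n' "$SAMPLE" | lockout_summary
```

On the poster's TPM the recovery value of 0x15180 is 24 hours, which is the "wait until the lockout mode is deactivated" option from the answer above.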

Thank you @JuergenReppSIT. This was very helpful. I am able to try the above method of resetting the TPM and clearing the lockout. But I have tried a similar thing on another TPM and I was getting the error below when trying to reset the TPM using https://github.com/tpm2-software/tpm2-tools/issues/1956#issuecomment-601617026.

```
cat /sys/class/tpm/tpm0/ppi/response
5 241: Corresponding TPM error
```

What does this error 241 mean?

vamseekrishna25, Feb 12 '24 06:02