How to execute tpm2_changeeps
I have more of a question, and that is: how can I run tpm2_changeeps? It always tells me that I have no authorization, or that it is wrong, and I can also run tpm2_changeauth on the platform hierarchy. My question now is: is there any way to run it? (And does it work with other programs, e.g. with a UEFI application that uses the TCG2 protocol in the UEFI shell?)
@botellum what is the error message you are receiving when you execute tpm2_changeeps with the auth value you defined with tpm2_changeauth?
tpm2_changeauth doesn't work for me; it says that the auth value is wrong. I know that the auth value is being set at boot by the firmware, but is there any way to still execute a ChangeEPS command? (UEFI applications or something like that)
Anyway, here's the error message I receive when I try to do anything with platform auth. It always says the following if I either try to do something with platform auth or set its auth (phEnable is 1):
WARNING:esys:src/tss2-esys/api/Esys_HierarchyChangeAuth.c:309:Esys_HierarchyChangeAuth_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_HierarchyChangeAuth.c:114:Esys_HierarchyChangeAuth() Esys Finish ErrorCode (0x000009a2)
ERROR: Esys_HierarchyChangeAuth(0x9A2) - tpm:session(1):authorization failure without DA implications
ERROR: Unable to run tpm2_changeauth
@botellum sorry, I thought that you could change the auth value of the platform hierarchy because you wrote:
I can also run tpm2_changeauth on the platform hierarchy
The remaining possibilities are described in: https://github.com/tpm2-software/tpm2-tools/issues/3183#issuecomment-1372380251
I can clear my TPM module using platform auth, but what is that going to do?
Endorsement seeds can only be changed through a firmware update on a real TPM. This is not a normal event and the manufacturer will need to re-certify all the resulting endorsement keys. In a normal scenario, you can only change the authorization for the endorsement hierarchy. That said, the command may work on the sims.
You might want to try the ACPI command defined in the TCG Physical Presence Interface Specification, if it is implemented by your firmware. But as idesai said, you will lose the manufacturer-certified EK and probably never get it back.
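The two answers above turn on two TPM properties: whether the platform hierarchy is still enabled for this boot (phEnable, which the reporter says is 1) and whether the endorsement primary seed has ever been regenerated since manufacture (tpmGeneratedEPS, which TPM2_ChangeEPS sets, after which the factory EK certificates in NV no longer match the EK). The script below is an added example, not code from the thread or from tpm2-tools; it parses the output format of `tpm2_getcap properties-variable` as printed by tpm2-tools 5.x (assumed), works on a constructed sample offline, and only talks to a real TPM if `tpm2_changeeps` is installed. The helper names `tpm_flag`, `changeeps_feasible`, `eps_was_regenerated` and `try_changeeps` are made up for this example.

```shell
#!/bin/sh
# Added example (not from the issue thread or tpm2-tools): check the two
# properties that decide whether tpm2_changeeps is even reachable, and what it
# costs you if it succeeds. Output format assumed: tpm2-tools 5.x.

# Constructed sample of `tpm2_getcap properties-variable` output, modelled on a
# machine whose firmware left phEnable set and whose EPS is still the
# manufacturer's (tpmGeneratedEPS = 0).
SAMPLE_PROPS='TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
  reserved1:                 0
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           0
  reserved2:                 0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1
  ehEnable:                  1
  phEnableNV:                1
  reserved1:                 0
  orderly:                   1'

# tpm_flag PROPS NAME -> prints the 0/1 value of the property NAME found in
# PROPS (the getcap text); prints nothing if the property is absent.
tpm_flag() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# changeeps_feasible PROPS -> succeeds if phEnable is set, i.e. the platform
# hierarchy is enabled for this boot and the command can at least be attempted.
# It says nothing about knowing the platform auth, which firmware normally
# randomizes at boot (the 0x9A2 authorization failure in the thread).
changeeps_feasible() {
    [ "$(tpm_flag "$1" phEnable)" = "1" ]
}

# eps_was_regenerated PROPS -> succeeds if tpmGeneratedEPS is set, meaning the
# endorsement primary seed was regenerated after manufacture, so the EK derived
# from it no longer matches the manufacturer-issued EK certificates.
eps_was_regenerated() {
    [ "$(tpm_flag "$1" tpmGeneratedEPS)" = "1" ]
}

# try_changeeps [PLATFORM_AUTH] -> runs tpm2_changeeps against the live TPM,
# but only after checking phEnable, so the failure mode is reported clearly.
# Return 2 when there is no usable TPM stack, 1 when the hierarchy is disabled.
try_changeeps() {
    command -v tpm2_changeeps >/dev/null 2>&1 || { echo "tpm2-tools not installed"; return 2; }
    props=$(tpm2_getcap properties-variable 2>/dev/null) || { echo "cannot read TPM properties"; return 2; }
    changeeps_feasible "$props" || { echo "phEnable is 0: platform hierarchy disabled until the next TPM reset"; return 1; }
    if [ -n "$1" ]; then
        tpm2_changeeps -p "$1"   # -p/--auth: platform hierarchy authorization
    else
        tpm2_changeeps           # empty platform auth (simulator / pre-firmware state only)
    fi
}

# Stand-alone demonstration on the constructed sample.
if changeeps_feasible "$SAMPLE_PROPS"; then
    echo "phEnable=1: tpm2_changeeps can be attempted, platform auth still required"
fi
if ! eps_was_regenerated "$SAMPLE_PROPS"; then
    echo "tpmGeneratedEPS=0: EK certificates in NV still match the EK; changeeps would break that"
fi
```

Run `try_changeeps` (optionally with the platform auth you believe is set) against a simulator such as swtpm to see the command succeed; on a real platform it will normally stop at the 0x9A2 authorization failure, and if it ever gets through, `tpmGeneratedEPS` flips to 1 and the manufacturer EK certificates are permanently orphaned, which is the point of the warnings above.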