tpm2-tss
Feature Request: Unprovision Fapi
It would be great if we could support unprovisioning the Fapi. That's especially helpful for development using the Fapi.
I suggest:
- removing all objects from the keystore (incl. keys)
- retain the (empty) keystore and log files
- clear all objects from the TPM (incl. SRK, nv indices, and persistent objects)
- clear hierarchy auth values
Of course, deleting any object requires the usual authorization. Keep in mind that the Fapi is targeted at developers, not end users. Therefore it should be made easy to start from scratch.
Just for my understanding, is this any different from doing a tpm2_clear and manually removing the keystore, barring the exception of anything done with the platform hierarchy? I'm still getting familiar with the FAPI, and this is normally what I do to reset my test setup.
> Just for my understanding, is this any different from doing a tpm2_clear and manually removing the keystore, barring the exception of anything done with the platform hierarchy?

Yes, that's true. During development I also often use the following script for unprovisioning instead of `tss2_delete -p /`:

```bash
#!/bin/bash
# Clear the TPM owner hierarchy (SRK, persistent objects, owner auth)
tpm2_clear
# Remove the system and user FAPI keystores (the directories themselves are kept)
rm -r -f /usr/local/var/lib/tpm2-tss/system/keystore/*
rm -r -f ~/.local/share/tpm2-tss/user/keystore/*
# Remove the FAPI event log
rm -r -f /usr/local/var/run/tpm2-tss/eventlog/*
```
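The unprovisioning steps proposed in the issue and the manual script above, combined into one guarded version. This is an added example, not code from the tpm2-tss project or from anyone in the thread. It assumes the default install prefix `/usr/local` (overridable via `PREFIX`), that `tpm2_clear` and `tss2_delete` are on `PATH`, and that the `TPM2TOOLS_TCTI` environment variable names the TCTI in use; `DRY_RUN`, `FORCE_CLEAR`, and the function names are conventions chosen for this example. It runs `tss2_delete -p /` first so the FAPI removes its own objects with the usual authorization, and it refuses to `tpm2_clear` unless the TCTI points at a simulator, since on a real device that wipes the owner hierarchy and every persistent object under it.

```bash
#!/bin/bash
# Added example: guarded FAPI unprovisioning for development setups.
# Assumptions (not from the page): PREFIX defaults to /usr/local,
# TPM2TOOLS_TCTI selects the TCTI, DRY_RUN/FORCE_CLEAR are this script's own knobs.

PREFIX="${PREFIX:-/usr/local}"
DRY_RUN="${DRY_RUN:-0}"

# Directories holding FAPI state in the default profile layout
# (paths taken from the thread; the directories themselves are retained).
fapi_state_dirs() {
    printf '%s\n' \
        "$PREFIX/var/lib/tpm2-tss/system/keystore" \
        "$HOME/.local/share/tpm2-tss/user/keystore" \
        "$PREFIX/var/run/tpm2-tss/eventlog"
}

# Succeeds only when the configured TCTI clearly targets a simulator.
# Anything else (device, tabrmd, unset) is treated as a real TPM.
tcti_is_simulator() {
    case "${TPM2TOOLS_TCTI:-}" in
        mssim*|swtpm*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "DRY-RUN: $*"
    else
        "$@"
    fi
}

fapi_unprovision() {
    # 1. Let the FAPI delete its own objects (keystore entries and the
    #    persistent objects it created), using the stored authorizations.
    run tss2_delete -p /

    # 2. Clear the owner hierarchy, but only on a simulator unless forced.
    if tcti_is_simulator || [ "${FORCE_CLEAR:-0}" = 1 ]; then
        run tpm2_clear
    else
        echo "refusing tpm2_clear: TPM2TOOLS_TCTI='${TPM2TOOLS_TCTI:-unset}' is not a simulator (set FORCE_CLEAR=1 to override)" >&2
    fi

    # 3. Empty the keystore and event log directories, keeping the directories.
    fapi_state_dirs | while read -r d; do
        if [ -d "$d" ]; then
            run rm -rf "$d"/*
        fi
    done
    return 0
}
```

Run `DRY_RUN=1 ./unprovision.sh` (after appending a call to `fapi_unprovision`) to see exactly which commands would execute before letting it touch a keystore.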