
Not able to clear tpm or unset lockout password after once setting it #3348

Open
vamseekrishna25 opened this issue Feb 6, 2024 · 2 comments

Comments

@vamseekrishna25

I have tried to set the lockout auth using the command below:
tpm2_changeauth -c l passwd

After I set lockoutAuth, I am not able to use the tpm2_clear command:

tpm2_clear -c l passwd
WARNING:esys:src/tss2-esys/api/Esys_Clear.c:291:Esys_Clear_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:97:Esys_Clear() Esys Finish ErrorCode (0x00000921) 
ERROR: Esys_Clear(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode
ERROR: Unable to run tpm2_clear

When I tried to unset the lockout password it did not work and gave the error below:

tpm2_changeauth -c l -p passwd
WARNING:esys:src/tss2-esys/api/Esys_HierarchyChangeAuth.c:309:Esys_HierarchyChangeAuth_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_HierarchyChangeAuth.c:114:Esys_HierarchyChangeAuth() Esys Finish ErrorCode (0x00000921) 
ERROR: Esys_HierarchyChangeAuth(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode
ERROR: Unable to run tpm2_changeauth

But I don't see the TPM in lockout mode or tpm2_clear being disabled, using the command below:

tpm2_getcap properties-variable
TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            1
  reserved1:                 0
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           1
  reserved2:                 0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1
  ehEnable:                  1
  phEnableNV:                1
  reserved1:                 0
  orderly:                   1
TPM2_PT_HR_NV_INDEX: 0x4
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x3
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0x14
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0x10
TPM2_PT_ALGORITHM_SET: 0x1
TPM2_PT_LOADED_CURVES: 0x2
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0xA
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0 
@JuergenReppSIT (Member)

An error must have occurred during authorization of the lockout hierarchy before the tpm2_clear -c l passwd. In this case, one error is enough to activate the lockout mode.
Spec Part1 Architecture 19.8.5:

"An authorization failure associated with lockoutAuth causes the TPM to enter this special lockout state regardless of the setting of failedTries and maxTries."

You could reset the TPM in the BIOS, or try #1956 (comment),
or wait until the lockout mode is deactivated.
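The point in the reply above is that the capability dump looks clean (inLockout 0, lockout counter 0) while the lockout hierarchy is nonetheless locked, because a single failed lockoutAuth does not go through failedTries/maxTries. The following added example (written for this thread, not code from tpm2-tools) parses the `tpm2_getcap properties-variable` output quoted in the issue, decodes the `0x921` return code from the error messages, and turns the DA parameters into something a defender can read at a glance; the capability text is copied from the issue and the warning-code table is a deliberately partial subset of the TPM 2.0 Part 2 TPM_RC values.

```python
"""Interpret a TPM's dictionary-attack (DA) state from `tpm2_getcap
properties-variable` output and decode the TPM_RC warning code behind the
`Esys_Clear(0x921)` failure quoted in this issue.  Added example, not code
from tpm2-tools or tpm2-tss."""
import re

# Constructed input: the relevant part of the capability dump quoted above.
PROPERTIES_VARIABLE = """\
TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            1
  reserved1:                 0
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           1
  reserved2:                 0
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0xA
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
"""

# TPM_RC layout for format-zero codes (TPM 2.0 Library, Part 2, TPM_RC):
# bit 8 (0x100) marks a TPM 2.0 code, bit 11 (0x800) marks a warning and
# the low seven bits carry the error number; bit 7 (0x080) selects the
# format-one (handle/session/parameter) encoding instead.
TPM2_RC_FMT1 = 0x080
TPM2_RC_WARN = 0x900
# Partial table: only the warnings relevant to this issue.
WARN_NAMES = {0x021: "TPM_RC_LOCKOUT", 0x022: "TPM_RC_RETRY"}


def parse_properties(text):
    """Flatten `tpm2_getcap properties-variable` output into a dict.
    Bitfield members are stored as 'SECTION.member' -> int."""
    props, section = {}, None
    for line in text.splitlines():
        m = re.match(r"^(TPM2_PT_\w+):\s*(0x[0-9A-Fa-f]+)?\s*$", line)
        if m:
            name, value = m.groups()
            if value is None:
                section = name          # bitfield header; members follow
            else:
                props[name] = int(value, 16)
            continue
        m = re.match(r"^\s+(\w+):\s*(\d+)\s*$", line)
        if m and section:
            props[f"{section}.{m.group(1)}"] = int(m.group(2))
    return props


def decode_rc(rc):
    """Name a format-zero TPM 2.0 warning code such as 0x921."""
    if rc & TPM2_RC_FMT1:
        return "format-1 code (handle/session/parameter), not decoded here"
    if (rc & TPM2_RC_WARN) != TPM2_RC_WARN:
        return f"not a TPM 2.0 warning: 0x{rc:03X}"
    number = rc & 0x07F
    return WARN_NAMES.get(number, f"TPM_RC_WARN+0x{number:03X}")


def assess_da_state(props):
    """Summarise the DA parameters and say whether the visible counters
    explain a TPM_RC_LOCKOUT on the lockout hierarchy."""
    state = {
        "lockout_auth_set": bool(props["TPM2_PT_PERMANENT.lockoutAuthSet"]),
        "in_lockout": bool(props["TPM2_PT_PERMANENT.inLockout"]),
        "failed_tries": props["TPM2_PT_LOCKOUT_COUNTER"],
        "max_tries": props["TPM2_PT_MAX_AUTH_FAIL"],
        "lockout_interval_h": props["TPM2_PT_LOCKOUT_INTERVAL"] / 3600,
        "lockout_recovery_h": props["TPM2_PT_LOCKOUT_RECOVERY"] / 3600,
    }
    # inLockout is SET only when failedTries reaches maxTries.  A failed
    # lockoutAuth locks the lockout hierarchy regardless of those counters
    # (Part 1, 19.8.5, as quoted in the thread), so TPM_RC_LOCKOUT together
    # with inLockout == 0 points at a lockoutAuth failure; lockoutRecovery
    # is the wait before that hierarchy becomes usable again.
    if state["in_lockout"]:
        state["explanation"] = "DA lockout: failedTries reached maxTries"
    elif state["lockout_auth_set"]:
        state["explanation"] = (
            "counters clear; a prior lockoutAuth failure is the likely cause, "
            f"recovery expected after {state['lockout_recovery_h']:g} h")
    else:
        state["explanation"] = "no lockoutAuth set; lockout hierarchy open"
    return state


if __name__ == "__main__":
    props = parse_properties(PROPERTIES_VARIABLE)
    print("0x921 ->", decode_rc(0x921))
    for key, value in assess_da_state(props).items():
        print(f"{key}: {value}")
```

On the dump from this issue the script reports `TPM_RC_LOCKOUT`, a lockout interval of 2 h, a lockout recovery of 24 h and the "counters clear; prior lockoutAuth failure" explanation, which is the maintainer's diagnosis in machine-checkable form; the same parser can be fed live output from `tpm2_getcap properties-variable` on a host where the lockout hierarchy has become unusable.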

@vamseekrishna25 (Author)

Thank you @JuergenReppSIT. This was very helpful.
I am able to try the above method of resetting the TPM and clearing the lockout.
But I have tried a similar thing on another TPM and I was getting the error below when trying to reset the TPM using #1956 (comment).

cat /sys/class/tpm/tpm0/ppi/response
5 241: Corresponding TPM error

What does this error 241 mean?
