How to execute tpm2_changeeps #3412

Open
botellum opened this issue Jul 2, 2024 · 5 comments

Comments


botellum commented Jul 2, 2024

I have more of a question, and that is how can I run tpm2_changeeps. It always tells me that I have no authorization, or that it is wrong, and I can also run tpm2_changeauth on the platform hierarchy. My question now is, is there any way to run it? (And if it works with other programs, e.g. with a UEFI application that uses the tcg2 protocol (in UEFI shell))

@JuergenReppSIT
Member

@botellum what is the error message you are receiving when you execute tpm2_changeeps with the auth value you did define with tpm2_changeauth?


botellum commented Jul 3, 2024

@botellum what is the error message you are receiving when you execute tpm2_changeeps with the auth value you did define with tpm2_changeauth?

tpm2_changeauth doesn't work for me, it says that the auth value is wrong. I know that the auth value is being set at boot by the firmware, but is there any way to still execute a ChangeEPS command? (UEFI applications or something like that)

Anyway, here's the error message I receive when I try to do anything with platform auth.
It always says the following if I either try to do something with platform auth or set its auth (phEnable is 1):

WARNING:esys:src/tss2-esys/api/Esys_HierarchyChangeAuth.c:309:Esys_HierarchyChangeAuth_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_HierarchyChangeAuth.c:114:Esys_HierarchyChangeAuth() Esys Finish ErrorCode (0x000009a2)
ERROR: Esys_HierarchyChangeAuth(0x9A2) - tpm:session(1):authorization failure without DA implications
ERROR: Unable to run tpm2_changeauth
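The 0x9A2 in the log above is a TPM_RC format-1 response code. As an added example (not code from the issue, tpm2-tools or tpm2-tss), here is a decoder that splits such a code into its fields the way the tpm2-tss message does, following the TPM_RC layout in the TPM 2.0 Library, Part 2; the error-name table is a hand-picked subset.

```python
# Decode a TPM 2.0 response code (TPM_RC) into layer, format and fields.
# Layout per TPM 2.0 Library Part 2, section 6.6. Names below are a subset.

FMT1_ERRORS = {  # format-1 error numbers (bits 0..5)
    0x004: "TPM_RC_VALUE: value is out of range or is not correct for the context",
    0x005: "TPM_RC_HIERARCHY: hierarchy is not enabled or is not correct for the use",
    0x00E: "TPM_RC_AUTH_FAIL: the authorization HMAC check failed and DA counter incremented",
    0x01D: "TPM_RC_POLICY_FAIL: a policy check failed",
    0x022: "TPM_RC_BAD_AUTH: authorization failure without DA implications",
}


def decode_tpm_rc(rc: int) -> dict:
    """Return the fields of a TPM_RC plus a tpm2-tss-style summary text."""
    layer = (rc >> 16) & 0xFF      # TSS2_RC layer; 0 means the code came from the TPM itself
    rc &= 0xFFFF
    if rc == 0:
        return {"layer": layer, "format": 0, "number": 0, "text": "TPM_RC_SUCCESS"}
    if rc & 0x080:                 # bit 7 set: format-1 code, carries an index
        number = rc & 0x03F
        index = (rc >> 8) & 0x00F
        if rc & 0x040:             # P bit: index names a command parameter (1-based)
            where, idx = "parameter", index
        elif rc & 0x800:           # bit 11: index names an authorization session
            where, idx = "session", index & 0x7
        else:                      # otherwise it names a handle
            where, idx = "handle", index & 0x7
        name = FMT1_ERRORS.get(number, f"format-1 error 0x{number:03X}")
        return {"layer": layer, "format": 1, "number": number, "where": where,
                "index": idx, "text": f"tpm:{where}({idx}):{name}"}
    # format-0 code: bits 0..6 are the error number, bits 8..10 are flags
    number = rc & 0x07F
    flags = [f for bit, f in ((0x100, "VER1"), (0x200, "vendor"), (0x400, "warning")) if rc & bit]
    return {"layer": layer, "format": 0, "number": number, "flags": flags,
            "text": f"format-0 error 0x{number:03X} [{', '.join(flags)}]"}


if __name__ == "__main__":
    # The code from the log above: session 1 presented the wrong platform auth value.
    print(hex(0x9A2), "->", decode_tpm_rc(0x9A2)["text"])
```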

@JuergenReppSIT
Member

@botellum sorry, I thought that you could change the auth value of the platform hierarchy because you wrote:

I can also run tpm2_changeauth on the platform hierarchy

The remaining possibilities are described in:
#3183 (comment)


botellum commented Jul 3, 2024

@botellum sorry, I thought that you could change the auth value of the platform hierarchy because you wrote:

I can also run tpm2_changeauth on the platform hierarchy

The remaining possibilities are described in: #3183 (comment)

I can clear my TPM module using platform auth, but what is that gonna do?


idesai commented Jul 15, 2024

Endorsement seeds can only be changed through a firmware update on a real TPM. This is not a normal event and the manufacturer will need to re-certify all the resulting endorsement keys. In a normal scenario, you can only change the authorization for the endorsement hierarchy.
That said, the command may work on the sims.
