Re: [Ibmtpm20tss-users] [openssl-tpm2-engine] ibmtss

Ken Goldman <kgold@...>
 

On 12/26/2018 10:29 PM, James Bottomley wrote:
On Wed, 2018-12-26 at 19:23 +0000, Doug Fraser wrote:
Does anyone know if tssclear supports hardware PresenceDetect clear?
This isn't a property of the command code (or the actual tssclear
command) but the platform and the TPM configuration.

(I want to wipe the device....)

I can use TPM FW update to move it back to 1.2 FW then back to 2.0
FW, and that will also wipe it, but just wiping with tssclear using
the presence detect would be easier.
I don't know if firmware upgrade is guaranteed - depends on your definition of 'wipe it'. E.g., some (maybe all) TPMs persist the
EKs and EK certificates through 1.2 <-> 2.0 cycles.

Also beware that some TPMs limit the number of 1.2 <> 2.0 cycles. Thus, it's not a good soltion if you're doing this often.

I added the tss users list for better information, but TPM2_Clear()
only requires physical presence (PP) if the TPM2_Clear command is in
the physical presence set list. If it is, tssclear will return
TPM_RC_PP. If it does return this, how you signal physical presence is
very platform dependent. The best way is to clear the TPM from the
BIOS/UEFI because it will be wired in correctly to the PP interface. I
know on most Dell systems, holding F12 while executing the command is
supposed to work, but I've never actually tried it.
Agreed. TPM 2.0 was designed so that platform authorization could
take the place of physical presence hardware. Even with 1.2, I suspect that the command physical presence was more often used.

Finally:

1 - Lockout authorization can be used for TPM2_Clear.

2 - Since both platform and lockout support policies, with enough indirection, you can get whatever you want.

Join openssl-tpm2-engine@groups.io to automatically receive all group messages.