There’s a mention in that book, in the Key management Chapter in the Key generation
section that a TPM_CLEAR command will reset the seeds. I’m not sure if it is mentioned
elsewhere. Of course it is also in the spec sheets if you can find it.
The man page for tpm2_clear alludes to it too, but could probably stand to be more
explicit (it says all objects under hierarchies will be lost).
So no, the seeds are not permanent forever. Just until cleared.
tpm2_clear can be authorized in one of two ways: the Platform Hierarchy authorization
value, or the Dictionary Attack lockout reset authorization value. The platform
authorization should be set by the BIOS/Firmware on each boot (as it is cleared on every
shutdown of the TPM) so you don’t have access to this normally, though most BIOS
interfaces should have a menu option to invoke a clear using this value. The dictionary
attack lockout defaults to an empty string authorization value, so functionally anyone can
clear until you set this. As such, it is a good idea to set this authorization value if
you want to rely on being able to re-generate primary keys. If you forget what you set it
to later, invoking clear (with the platform auth via BIOS menu) will reset it.
Also on the note of re-generating primary keys, you may find my previous thread about the
unique data option in tpm2_createprimary helpful if you want to use unique data in
addition to the seed.
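To make the behaviour described in the reply above concrete, here is an added toy model (not TPM code, not tpm2-tools, and not the spec's KDFa): primary key material is derived from a per-hierarchy seed plus the template and optional unique data, clearing requires the lockout or platform auth, and a clear replaces the owner seed and empties the lockout auth. Only the owner hierarchy is modelled; HMAC-SHA256 stands in for the real derivation function and all seeds and auth values are constructed at random.

```python
import hashlib
import hmac
import os


class ToyTpm:
    """Constructed model of the TPM state discussed in the thread; not a real TPM."""

    def __init__(self) -> None:
        # Constructed: one seed per hierarchy (o = owner, e = endorsement, p = platform).
        self.seeds = {"o": os.urandom(32), "e": os.urandom(32), "p": os.urandom(32)}
        # Lockout auth starts empty (anyone can clear); firmware sets platform auth at boot.
        self.lockout_auth = b""
        self.platform_auth = os.urandom(16)

    def change_lockout_auth(self, old: bytes, new: bytes) -> None:
        """Model of setting the dictionary-attack lockout auth value."""
        if not hmac.compare_digest(old, self.lockout_auth):
            raise PermissionError("lockout auth mismatch")
        self.lockout_auth = new

    def clear(self, auth: bytes, hierarchy: str = "l") -> None:
        """Model of tpm2_clear: authorized by lockout ('l') or platform ('p') auth."""
        expected = self.lockout_auth if hierarchy == "l" else self.platform_auth
        if not hmac.compare_digest(auth, expected):
            raise PermissionError("clear: authorization failure")
        self.seeds["o"] = os.urandom(32)  # owner seed replaced: old primaries unrecoverable
        self.lockout_auth = b""           # lockout auth reverts to empty after a clear

    def create_primary(self, hierarchy: str, template: bytes, unique: bytes = b"") -> bytes:
        """Model of tpm2_createprimary: key material = KDF(seed, template || unique)."""
        return hmac.new(self.seeds[hierarchy], template + unique, hashlib.sha256).digest()


def demo() -> dict:
    """Walk through the thread's scenario and return what each step observed."""
    tpm = ToyTpm()
    tmpl = b"rsa2048:null:aes128cfb"  # constructed stand-in for a createprimary template
    k1 = tpm.create_primary("o", tmpl)
    same_before_clear = k1 == tpm.create_primary("o", tmpl)
    unique_changes_key = k1 != tpm.create_primary("o", tmpl, unique=b"extra")
    tpm.clear(b"")  # default empty lockout auth: the clear succeeds without a password
    same_after_clear = k1 == tpm.create_primary("o", tmpl)
    tpm.change_lockout_auth(b"", b"s3cret")
    try:
        tpm.clear(b"")
        blocked = False
    except PermissionError:
        blocked = True
    tpm.clear(tpm.platform_auth, hierarchy="p")  # the BIOS-menu path still works
    return {"same_before_clear": same_before_clear, "unique_changes_key": unique_changes_key,
            "same_after_clear": same_after_clear, "blocked": blocked,
            "lockout_reset": tpm.lockout_auth == b""}
```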
On Mar 31, 2020, at 09:56, John S <sedigj(a)gmail.com> wrote:
Hi, have been playing around with tpm2 tools and tss engine for openssl for a while.
Also reading Practical Guide to TPM 2.0.
I have found all the resources in the tpm2-tools readme and wiki and beyond quite helpful
in getting started.
The book (chapter 10) talks about the primary seeds for the hierarchy, and how any amount
of key hierarchies can be extended from the primary keys. Primary keys are derived from
the primary seeds. My understanding is that the seeds are unique and permanent in the TPM.
I was anticipating that tpm2_createprimary could be used to get back to the primary key
(given the same inputs/template) no matter what data is cleared or erased.
Running tpm2_createprimary twice yields same result as evidenced by the rsa value, as
yields a totally different key, as can be seen from the resulting rsa value.
This is also consistent with the manpage of tpm2_clear:
"Clears lockout, endorsement and owner hierarchy authorization values." and
"NOTE: All objects created under the respective hierarchies are lost."
This makes tpm2_clear seem like an exceptionally dangerous command, if I run it once
(inadvertently perhaps), I've now destroyed all use of all keys ever created on the
system. Yet, based on what I thought I understood about the primary seeds, I'd always
be able to derive back to a key value.
So, what am I missing?
Feel free to link in references.
A side question:
I am unable to create a primary Platform key (owner, endorsement, and null work). Looks
like authorization is expected.
Is this an expected result based on how the TPM is configured from the chip vendor? In
this case Infineon.
Here is the output:
$ tpm2_createprimary -C p -c platform_primary.ctx
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:135:Esys_CreatePrimary() Esys Finish
ERROR: Esys_CreatePrimary(0x9A2) - tpm:session(1):authorization failure without DA
ERROR: Unable to run tpm2_createprimary
tpm2 mailing list -- tpm2(a)lists.01.org