From: John S [mailto:email@example.com]
Sent: Tuesday, March 31, 2020 10:58 AM
Subject: [tpm2] Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
Hi, have been playing around with tpm2 tools and tss engine for openssl for
Also reading Practical Guide to TPM 2.0.
I have found all the resources in the tpm2-tools readme and wiki and beyond
quite helpful in getting started.
The book (chapter 10) talks about the primary seeds for the hierarchy, and how
any amount of key hierarchies can be extended from the primary keys. Primary
keys are derived from the primary seeds. My understanding is that the seeds are
unique and permanent in the tpm hardware.
In practice yes, but be aware that the command set does allow for changeEPS and changePPS
to change the Endorsement and Platform seeds. tpm2_clear changes the owner or
Storage Primary Seed (SPS).
I was anticipating that tpm2_createprimary could be used to get back to the
primary key (given the same inputs/template) no matter what data is cleared or
Running tpm2_createprimary twice yields the same result, as evidenced by the rsa
value, as expected.
yields a totally different key, as can be seen from the resulting rsa value.
This is also consistent with the manpage of tpm2_clear:
"Clears lockout, endorsement and owner hierarchy authorization values." and
"NOTE: All objects created under the respective hierarchies are lost."
This makes tpm2_clear seem like an exceptionally dangerous command, if I run it
once (inadvertently perhaps), I've now destroyed all use of all keys ever created
on the system. Yet, based on what I thought I understood about the primary
seeds, I'd always be able to derive back to a key value.
So, what am I missing?
Feel free to link in references.
Clear rolls the primary seed (SPS), which is the Owner Hierarchy seed.
Generally you would have a password/auth on the Owner hierarchy, so you wouldn't just
issue that command. And you can disable that command altogether with TPM2_ClearControl
or the tools command tpm2_clearcontrol.
A side question:
I am unable to create a primary Platform key (owner, endorsement, and null
work). It looks like authorization is expected.
Is this an expected result based on how the TPM is configured by the chip
vendor? In this case Infineon. Here is the output:
$ tpm2_createprimary -C p -c platform_primary.ctx
esys/api/Esys_CreatePrimary.c:393:Esys_CreatePrimary_Finish() Received TPM
Esys Finish ErrorCode (0x000009a2)
ERROR: Esys_CreatePrimary(0x9A2) - tpm:session(1):authorization failure
without DA implications
ERROR: Unable to run tpm2_createprimary
IIRC/IIUC the platform hierarchy has a password enabled by the firmware/OS at
boot. So that auth failure would be expected.
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
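A simplified model of the seed/template relationship discussed in this thread, added here as an illustration; it is not code from the thread or from tpm2-tools. HMAC-SHA256 stands in for the TPM's KDF, the template bytes are constructed, and the hierarchy letters follow the tpm2_createprimary -C convention (o, e, p).

```python
import hashlib
import hmac
import secrets


class TpmSeedModel:
    """Toy model of TPM 2.0 hierarchy seeds (assumption: a real TPM derives
    primaries with KDFa over seed + template; HMAC-SHA256 stands in here)."""

    def __init__(self):
        # One secret seed per hierarchy: owner (SPS), endorsement (EPS), platform (PPS).
        self.seeds = {h: secrets.token_bytes(32) for h in ("o", "e", "p")}
        self.clear_disabled = False

    def create_primary(self, hierarchy: str, template: bytes) -> str:
        # Primary key material is a deterministic function of seed and template,
        # so the same inputs reproduce the same key for as long as the seed stands.
        tmpl_hash = hashlib.sha256(template).digest()
        return hmac.new(self.seeds[hierarchy], tmpl_hash, hashlib.sha256).hexdigest()

    def clear_control(self, disable: bool) -> None:
        # TPM2_ClearControl / tpm2_clearcontrol: refuse TPM2_Clear from now on.
        self.clear_disabled = disable

    def clear(self) -> None:
        # TPM2_Clear / tpm2_clear: rolls the SPS, so every owner-hierarchy
        # primary (and everything beneath it) becomes unrecoverable.
        if self.clear_disabled:
            raise PermissionError("TPM2_Clear is disabled by TPM2_ClearControl")
        self.seeds["o"] = secrets.token_bytes(32)

    def change_eps(self) -> None:  # TPM2_ChangeEPS: same effect on the endorsement hierarchy
        self.seeds["e"] = secrets.token_bytes(32)

    def change_pps(self) -> None:  # TPM2_ChangePPS: same effect on the platform hierarchy
        self.seeds["p"] = secrets.token_bytes(32)


def demo() -> dict:
    tpm = TpmSeedModel()
    template = b"rsa2048:null:aes128cfb"  # constructed stand-in for a createprimary template
    k1, k2 = tpm.create_primary("o", template), tpm.create_primary("o", template)
    e1 = tpm.create_primary("e", template)
    tpm.clear()
    k3, e2 = tpm.create_primary("o", template), tpm.create_primary("e", template)
    tpm.clear_control(True)
    try:
        tpm.clear()
        refused = False
    except PermissionError:
        refused = True
    return {"same_before_clear": k1 == k2, "owner_survives_clear": k1 == k3,
            "endorsement_survives_clear": e1 == e2, "clear_refused": refused}
```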