From: Rowan Moul [mailto:email@example.com]
Sent: Tuesday, March 31, 2020 12:40 PM
To: John S <sedigj(a)gmail.com>
Subject: [tpm2] Re: Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
There’s a mention in that book, in the Key management Chapter in the Key
generation section that a TPM_CLEAR command will reset the seeds. I’m not sure
if it is mentioned elsewhere. Of course it is also in the spec sheets
if you can find
Not seeds (plural), tpm2_clear only resets the Owner seed aka Storage Primary Seed
The man page for tpm2_clear alludes to it too, but could probably stand to be
more explicit (it says all objects under hierarchies will be lost).
That sounds like it should be upfront, bolded, and corrected that it rolls the SPS.
So only Owner Hierarchy objects are lost.
So no, the seeds are not permanent forever. Just until cleared.
Platform and Endorsement seeds generally are stable, but the command set
does allow for ChangeEPS and ChangeSPS commands. But I don't think I have
ever seen a production TPM support this, but be aware that it exists.
tpm2_clear can be authorized in one of two ways: the Platform
authorization value, or the Dictionary Attack lockout reset authorization value.
The platform authorization should be set by the BIOS/Firmware on each boot (as
it is cleared on every shutdown of the TPM) so you don’t have access to this
normally, though most BIOS interfaces should have a menu option to invoke a
clear using this value. The dictionary attack lockout defaults to an empty string
authorization value, so functionally anyone can clear until you set this. As such, it
is a good idea to set this authorization value if you want to rely on being able to
re-generate primary keys. If you forget what you set it to later, invoking clear
(with the platform auth via BIOS menu) will reset it.
You can even disable it with tpm2_clearcontrol.
Also on the note of re-generating primary keys, you may find my
about the unique data option in tpm2_createprimary helpful if you want to use
unique data in addition to the seed.
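As an added example (not code from this thread or from tpm2-tools), a shell script that reproduces the experiment discussed above and then sets the lockout authorization so an unauthenticated tpm2_clear no longer succeeds. It assumes tpm2-tools 4.x talking to a TPM or simulator, and LOCKOUT_AUTH is a placeholder value.

```bash
#!/bin/sh
# Added example, not from the thread. Shows that tpm2_createprimary with the same
# template returns the same key until tpm2_clear rolls the Storage Primary Seed,
# then sets the lockout auth so an unauthenticated clear is refused.
# Assumes tpm2-tools 4.x against a TPM or simulator; LOCKOUT_AUTH is a placeholder.
set -eu

# SHA-256 of a saved public area (the TPM2B_PUBLIC written by tpm2_createprimary -u).
pub_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeeds when two saved public areas describe the same primary key.
same_key() {
    [ "$(pub_fingerprint "$1")" = "$(pub_fingerprint "$2")" ]
}

# Create the owner-hierarchy (SPS-derived) primary from the default template.
# $1 = file for the public area; the object context is saved beside it.
create_owner_primary() {
    tpm2_createprimary -C o -c "${1%.pub}.ctx" -u "$1" >/dev/null
}

demo() {
    d=$(mktemp -d)
    create_owner_primary "$d/before1.pub"
    create_owner_primary "$d/before2.pub"
    same_key "$d/before1.pub" "$d/before2.pub" \
        && echo "same template, SPS unchanged: same primary"

    # tpm2_clear authorized with the lockout auth (empty by default) rolls the SPS.
    tpm2_clear -c l
    create_owner_primary "$d/after.pub"
    same_key "$d/before1.pub" "$d/after.pub" \
        || echo "after tpm2_clear: different primary, SPS was rolled"

    # Defender step: set the lockout auth so clear needs a secret from now on.
    tpm2_changeauth -c lockout "${LOCKOUT_AUTH:-replace-me-placeholder}"
    # An unauthenticated clear should now fail with an authorization error.
    tpm2_clear -c l && echo "unexpected: clear still succeeded" || echo "clear now refused"
}

# Only touch the TPM when explicitly asked: sh tpm_sps_demo.sh --run
if [ "${1:-}" = "--run" ]; then
    demo
fi
```

Keeping a fingerprint of the provisioned primary's public area lets a host later detect that its TPM was cleared, since the regenerated primary will no longer match.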
> On Mar 31, 2020, at 09:56, John S <sedigj(a)gmail.com> wrote:
> Hi, have been playing around with tpm2 tools and tss engine for openssl for
> Also reading Practical Guide to TPM 2.0.
> I have found all the resources in the tpm2-tools readme and wiki and beyond
> quite helpful in getting started.
> The book (chapter 10) talks about the primary seeds for the hierarchy, and how
> any amount of key hierarchies can be extended from the primary keys. Primary
> keys are derived from the primary seeds. My understanding is that the seeds are
> unique and permanent in the tpm hardware.
> I was anticipating that tpm2_createprimary could be used to get back to the
> primary key (given the same inputs/template) no matter what data is cleared or
> Running tpm2_createprimary twice yields same result as evidenced by the rsa
> value, as expected.
> But running:
> yields a totally different key, as can be seen from the resulting rsa value.
> This is also consistent with the manpage of tpm2_clear:
> "Clears lockout, endorsement and owner hierarchy authorization values."
> "NOTE: All objects created under the respective hierarchies are lost."
> This makes tpm2_clear seem like an exceptionally dangerous command, if I run
> it once (inadvertently perhaps), I've now destroyed all use of all keys ever
> created on the system. Yet, based on what I thought I understood about the
> primary seeds, I'd always be able to derive back to a key value.
> So, what I am I missing?
> Feel free to link in references.
> A side question:
> I am unable to create a primary Platform key (owner, endorsement, and null
> work). Looks like authorization is expected.
> Is this an expected result based on how the TPM is configured from the
> chip vendor? In this case Infineon. Here is the output:
> $ tpm2_createprimary -C p -c platform_primary.ctx
> mary_Finish() Received TPM Error
> ry() Esys Finish ErrorCode (0x000009a2)
> ERROR: Esys_CreatePrimary(0x9A2) - tpm:session(1):authorization
> failure without DA implications
> ERROR: Unable to run tpm2_createprimary
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org