Note: Without platform authorization (which is the case in the relevant deployment scenarios), NV indices cannot be given delete protection. This means the device credential stored in the index can only be given confidentiality, not integrity or availability guarantees: the NV index can always be undefined and then defined again.
The only protection available is owner authorization, i.e. the owner password for the entire TPM.
This is part of implementing the FDO TPM Spec.