tpm2-software / tpm2-tools

The source repository for the Trusted Platform Module (TPM2.0) tools
https://tpm2-software.github.io

How to execute tpm2_changeeps #3412

Open botellum opened 3 months ago

botellum commented 3 months ago

I have more of a question, and that is how can I run tpm2_changeeps. It always tells me that I have no authorization, or that it is wrong, and I can also run tpm2_changeauth on the platform hierarchy. My question now is, is there any way to run it? (And if it works with other programs, e.g. with a UEFI application that uses the tcg2 protocol (in UEFI shell))

JuergenReppSIT commented 3 months ago

@botellum what is the error message you are receiving when you execute tpm2_changeeps with the auth value you did define with tpm2_changeauth?

botellum commented 3 months ago

> @botellum what is the error message you are receiving when you execute tpm2_changeeps with the auth value you did define with tpm2_changeauth?

tpm2_changeauth doesn't work for me, it says that the auth value is wrong. I know that the auth value is being set at boot by the firmware, but is there any way to still execute a ChangeEPS command? (UEFI applications or something like that)

Anyway here's the error message I receive when I try to do anything with platform auth: It always says the following if I either try to do something with platform auth or set its auth (phEnable is 1):

```
WARNING:esys:src/tss2-esys/api/Esys_HierarchyChangeAuth.c:309:Esys_HierarchyChangeAuth_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_HierarchyChangeAuth.c:114:Esys_HierarchyChangeAuth() Esys Finish ErrorCode (0x000009a2)
ERROR: Esys_HierarchyChangeAuth(0x9A2) - tpm:session(1):authorization failure without DA implications
ERROR: Unable to run tpm2_changeauth
```
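The `0x9A2` in that output is a TPM 2.0 format-1 response code, and the `tpm:session(1):...` text is tpm2-tss decoding it. As an added example (not part of this thread or of tpm2-tools), the decoder below splits such a code into its TSS layer, format, handle/session/parameter index and error number, following the TPM_RC bit layout from TPM 2.0 Library Part 2. The name tables are a subset I selected; anything not listed decodes to an `UNKNOWN_*` name with the raw number preserved.

```python
# Added example: decode TPM 2.0 response codes the way tpm2-tss reports them.
# The tables are a SUBSET of TPM 2.0 Library Part 2 (Structures), Table "TPM_RC";
# codes not listed decode to UNKNOWN with the raw number preserved.

# Format-1 error numbers live in the low 6 bits of the code.
FMT1_ERRORS = {
    0x02: ("ATTRIBUTES", "inconsistent attributes"),
    0x03: ("HASH", "hash algorithm not supported or not appropriate"),
    0x04: ("VALUE", "value is out of range or is not correct for the context"),
    0x05: ("HIERARCHY", "hierarchy is not enabled or is not correct for the use"),
    0x0B: ("HANDLE", "the handle is not correct for the use"),
    0x0E: ("AUTH_FAIL", "the authorization HMAC check failed and DA counter incremented"),
    0x10: ("PP", "physical presence is required"),
    0x1D: ("POLICY_FAIL", "a policy check failed"),
    0x22: ("BAD_AUTH", "authorization failure without DA implications"),
    0x23: ("EXPIRED", "the policy has expired"),
}

# Format-0 codes use the whole 12-bit value (0x100 = error, 0x900 = warning base).
FMT0_CODES = {
    0x100: ("INITIALIZE", "TPM not initialized by TPM2_Startup or already initialized"),
    0x101: ("FAILURE", "commands not being accepted because of a TPM failure"),
    0x120: ("DISABLED", "the command is disabled"),
    0x124: ("AUTH_TYPE", "authorization handle is not correct for command"),
    0x125: ("AUTH_MISSING", "command requires an authorization session and it is not present"),
    0x920: ("NV_RATE", "the TPM is rate-limiting accesses to prevent wearout of NV"),
    0x921: ("LOCKOUT", "authorizations for objects subject to DA protection are not allowed at this time"),
    0x922: ("RETRY", "the TPM was not able to start the command"),
}


def decode_tpm_rc(rc: int) -> dict:
    """Split a TSS2_RC / TPM_RC into software layer, format and meaning."""
    layer = (rc >> 16) & 0xFF   # tpm2-tss keeps the originating layer in bits 16-23; 0 = the TPM itself
    code = rc & 0xFFF           # the TPM's own 12-bit response code
    out = {"rc": rc, "layer": layer, "code": code}
    if layer != 0:
        # Raised by ESYS/SYS/TCTI code, so the TPM bit layout does not apply.
        out["kind"] = "tss-layer"
        out["name"], out["description"] = "TSS_LAYER_%d" % layer, "error from a tpm2-tss software layer"
        return out
    if code & 0x80:             # bit 7 (F) set: format 1, carries a handle/session/parameter index
        err = code & 0x3F       # bits 0-5: error number
        n = (code >> 8) & 0xF   # bits 8-11: N field
        if code & 0x40:         # bit 6 (P) set: index refers to a command parameter
            out["kind"], out["number"] = "parameter", n
        elif n & 0x8:           # P clear and N bit 3 set: index refers to an authorization session
            out["kind"], out["number"] = "session", n & 0x7
        else:                   # P clear and N bit 3 clear: index refers to a handle
            out["kind"], out["number"] = "handle", n
        name, desc = FMT1_ERRORS.get(err, ("UNKNOWN_FMT1_0x%02X" % err, "error number not in table"))
    else:                       # format 0: the whole 12-bit value identifies the code
        out["kind"] = "warning" if code & 0x800 else "error"  # bit 11 (S): warning rather than error
        out["vendor"] = bool(code & 0x400)                    # bit 10 (T): vendor-defined code
        out["tpm20"] = bool(code & 0x100)                     # bit 8 (V): TPM 2.0 code (else TPM 1.2 style)
        name, desc = FMT0_CODES.get(code, ("UNKNOWN_FMT0_0x%03X" % code, "code not in table"))
    out["name"], out["description"] = name, desc
    return out


def format_tpm_rc(rc: int) -> str:
    """Render in the shape of the 'tpm:session(1):...' text that tpm2-tools prints."""
    d = decode_tpm_rc(rc)
    if d["layer"] != 0:
        return "tss:layer(%d):0x%X" % (d["layer"], d["code"])
    if "number" in d:
        return "tpm:%s(%d):%s" % (d["kind"], d["number"], d["description"])
    return "tpm:%s:%s (%s)" % (d["kind"], d["description"], d["name"])


if __name__ == "__main__":
    # 0x9A2 is the code from the tpm2_changeauth failure quoted in the thread;
    # the other two are constructed values to show the parameter and warning paths.
    for rc in (0x9A2, 0x1C4, 0x921):
        print("0x%03X -> %s" % (rc, format_tpm_rc(rc)))
```

For `0x9A2` this yields session index 1 and error number `0x22`, TPM_RC_BAD_AUTH, which is the TPM saying the authValue supplied in the first authorization session did not match. BAD_AUTH rather than AUTH_FAIL also tells you the failed attempt did not advance the dictionary-attack lockout counter: hierarchy authValues (other than lockoutAuth) are not DA-protected, so a wrong platformAuth is reported "without DA implications".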

JuergenReppSIT commented 3 months ago

@botellum sorry, I thought that you could change the auth value of the platform hierarchy because you wrote:

> I can also run tpm2_changeauth on the platform hierarchy

The remaining possibilities are described in: https://github.com/tpm2-software/tpm2-tools/issues/3183#issuecomment-1372380251

botellum commented 3 months ago

> @botellum sorry, I thought that you could change the auth value of the platform hierarchy because you wrote:
>
> > I can also run tpm2_changeauth on the platform hierarchy
>
> The remaining possibilities are described in: #3183 (comment)

I can clear my TPM module using platform auth, but what is that gonna do?

idesai commented 2 months ago

Endorsement seeds can only be changed through a firmware update on a real TPM. This is not a normal event and the manufacturer will need to re-certify all the resulting endorsement keys. In a normal scenario, you can only change the authorization for the endorsement hierarchy. That said, the command may work on the sims.