How to Set Platform Password -- phEnable May not Be SET using hierarchycontrol #3183

Open
dadiestfish2077 opened this issue Jan 2, 2023 · 4 comments

@dadiestfish2077

I understand the platform password is empty by default. I am assuming the hierarchy is enabled because we can run tpm2_clear and the TPM is wiped.

How can we set the platform password to a new value? We have tried tpm2_changeauth -c p password, but it states that the hierarchy may not be enabled.

We have subsequently tried to enable the platform hierarchy by running: tpm2_hierarchycontrol -C p phEnable set

This fails as well with the error: phEnable may not be SET using this command.

How do we enable the platform hierarchy, and how do we set the password?

@williamcroberts
Member

williamcroberts commented Jan 2, 2023

I understand the platform password is empty by default. I am assuming the hierarchy is enabled because we can run tpm2_clear and the TPM is wiped.

That actually works on the owner hierarchy.

How can we set the platform password to a new value? We have tried tpm2_changeauth -c p password, but it states that the hierarchy may not be enabled.

To view if the hierarchy is enabled run the below command and look at the phEnable value:

tpm2 getcap properties-variable
<snip>
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
<snip>

We have subsequently tried to enable the platform hierarchy by running: tpm2_hierarchycontrol -C p phEnable set

This fails as well with the error: phEnable may not be SET using this command.

How do we enable the platform hierarchy, and how do we set the password?

Per Command Spec v1.59:

This command may be used to CLEAR phEnable and phEnableNV if platformAuth/platformPolicy is
provided. phEnable may not be SET using this command.

My understanding is that this is always enabled and the OS disables it on boot once it's done using it. I'll have @idesai comment when they return to the office.

@stickybits123

stickybits123 commented Jan 3, 2023

Just an FYI, the GitHub manual for tpm2_clear states it is run under the lockout or platform hierarchy and takes those authvalues as an argument.

@williamcroberts
Member

Just an FYI, the GitHub manual for tpm2_clear states it is run under the lockout or platform hierarchy and takes those authvalues as an argument.

That is correct, the TPM2_Clear command takes Platform or Lockout Authorization. My comment, "It works on the Owner hierarchy", is just one of many things that command changes in the TPM. The list as of 1.59 is:

This command removes all TPM context associated with a specific Owner.
The clear operation will:
• flush resident objects (persistent and volatile) in the Storage and Endorsement hierarchies;
• delete any NV Index with TPMA_NV_PLATFORMCREATE == CLEAR;
• change the storage primary seed (SPS) to a new value from the TPM’s random number generator (RNG),
• change shProof and ehProof,
NOTE 1 The proof values may be set from the RNG or derived from the associated new Primary Seed. If derived from the Primary Seeds, the derivation of ehProof shall use both the SPS and EPS. The computation shall use the SPS as an HMAC key and the derived value may then be a parameter in a second HMAC in which the EPS is the HMAC key. The reference design uses values from the RNG.
• SET shEnable and ehEnable;
• set ownerAuth, endorsementAuth, and lockoutAuth to the Empty Buffer;
• set ownerPolicy, endorsementPolicy, and lockoutPolicy to the Empty Buffer;
• set Clock to zero;
• set resetCount to zero;
• set restartCount to zero; and
• set Safe to YES.
• increment pcrUpdateCounter
NOTE 2 This permits an application to create a policy session that is invalidated on TPM2_Clear. The policy needs, ideally as the first term, TPM2_PolicyPCR(). The session is invalidated even if the PCR selection is empty.
This command requires Platform Authorization or Lockout Authorization. If TPM2_ClearControl() has disabled this command, the TPM shall return TPM_RC_DISABLED.
If this command is authorized using lockoutAuth, the HMAC in the response shall use the new lockoutAuth value (that is, the Empty Buffer) when computing the response HMAC.

See 24.6 of: https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part3_Commands_pub.pdf

@idesai
Member

idesai commented Jan 5, 2023

Typically, the platform hierarchy is closed in the PEI phase of the BIOS. The hierarchy is enabled and a random value is chosen as a password. An option to issue a TPM clear using platform hierarchy authorization is available in one of two forms:

  1. A bios option in the platform settings
  2. A jumper on the platform that needs to be connected per the platform manual.

The other option to clear the TPM, as stated, is to use the lockout authorization.
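The checks the thread arrives at, pulled together as a preflight: williamcroberts' first reply (read phEnable under TPM2_PT_STARTUP_CLEAR from tpm2 getcap properties-variable before trying tpm2_changeauth -c p, since TPM2_HierarchyControl cannot SET it), the quoted TPM2_Clear spec text (platform or lockout authorization; TPM_RC_DISABLED once TPM2_ClearControl has disabled clear, which getcap reports as disableClear under TPM2_PT_PERMANENT), and idesai's reply (firmware closes the platform hierarchy, so from the OS only lockout auth or a firmware/jumper clear remain). This is an added example, not code from tpm2-tools or from anyone in the thread; the getcap output it parses is a constructed, abbreviated sample, and the function names are its own.

```shell
#!/bin/sh
# Added example (not tpm2-tools code): decide, from `tpm2 getcap properties-variable`
# output, whether tpm2_changeauth -c p can work and which authorization tpm2_clear
# can use. Based only on what the thread quotes: phEnable is reported under
# TPM2_PT_STARTUP_CLEAR, TPM2_HierarchyControl cannot SET it, and TPM2_Clear needs
# platform or lockout auth and returns TPM_RC_DISABLED after TPM2_ClearControl.

# Print the value of one flag from getcap output on stdin.
#   $1 = top-level property block, e.g. TPM2_PT_STARTUP_CLEAR
#   $2 = flag name inside that block, e.g. phEnable
getcap_flag() {
    awk -v blk="$1:" -v key="$2:" '
        $1 == blk                              { inblk = 1; next }  # entered wanted block
        inblk && substr($0, 1, 1) != " "       { inblk = 0 }        # next top-level key
        inblk && $1 == key                     { print $2; exit }
    '
}

# Exit 0 when the platform hierarchy is enabled, i.e. when tpm2_changeauth -c p
# (and tpm2_clear -c p) can succeed at all. Reads getcap output on stdin.
platform_hierarchy_enabled() {
    [ "$(getcap_flag TPM2_PT_STARTUP_CLEAR phEnable)" = 1 ]
}

# Classify the TPM for tpm2_clear. Reads getcap output on stdin and prints one of:
#   clear-disabled       TPM2_ClearControl disabled clear; TPM2_Clear gives TPM_RC_DISABLED
#   platform-or-lockout  phEnable=1: tpm2_clear -c p <platformAuth> or -c l <lockoutAuth>
#   lockout-only         phEnable=0: platform auth unusable from the OS; only -c l,
#                        or the firmware option / jumper clear idesai describes
#   unknown              the flags were not found in the input
clear_auth_mode() {
    out=$(cat)
    disable_clear=$(printf '%s\n' "$out" | getcap_flag TPM2_PT_PERMANENT disableClear)
    ph_enable=$(printf '%s\n' "$out" | getcap_flag TPM2_PT_STARTUP_CLEAR phEnable)
    case "$disable_clear:$ph_enable" in
        1:0|1:1) echo clear-disabled ;;
        0:1)     echo platform-or-lockout ;;
        0:0)     echo lockout-only ;;
        *)       echo unknown ;;
    esac
}

# Constructed sample (assumption: abbreviated to the two relevant blocks) for a host
# whose firmware closed the platform hierarchy before handing off to the OS.
SAMPLE_PH_CLOSED='TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           1
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  0
  shEnable:                  1
  ehEnable:                  1
  phEnableNV:                1
  orderly:                   1'

# Same host, but with clear disabled by the firmware through TPM2_ClearControl.
SAMPLE_CLEAR_DISABLED=$(printf '%s\n' "$SAMPLE_PH_CLOSED" \
    | sed 's/disableClear: *0/disableClear:              1/')

# Against a live TPM (needs tpm2-tools and a resource manager):
#   tpm2 getcap properties-variable | clear_auth_mode
printf '%s\n' "$SAMPLE_PH_CLOSED" | clear_auth_mode   # prints: lockout-only
```

On the poster's machine the expected result is lockout-only: phEnable reads 0, so tpm2_changeauth -c p fails with the hierarchy-not-enabled error, tpm2_hierarchycontrol cannot turn phEnable back on, and the remaining paths are tpm2_clear -c l with the lockout auth or the firmware-side clear.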
