I am trying to find a way to protect data stored in the TPM from being cleared without a valid password.
There is no access to the platform hierarchy (UEFI sets some random password, and there is no way to overcome this).
tpm2_clear can be restricted by setting a lockout password.
We can also protect a TPM NV index from being written by an unauthorized user by defining the NV index with a password set:
tpm2 nvdefine -C o -p myNVpassword -a "authread|ownerread|authwrite|write_stclear" $NVINDEX
tpm2_nvwrite $NVINDEX -i filetowrite -P myNVpassword # This would fail if someone who doesn't know the password tries to write
However, the password is not required to run tpm2_nvundefine for the same handle. Anyone without the handle password can run
tpm2_nvundefine $NVINDEX
Is there a way to restrict tpm2_nvundefine for the owner hierarchy?
I see a policydelete option, but all the examples seem to use the platform hierarchy when using policy delete, and it gives inconsistent attributes when using owner hierarchy + policydelete for nvdefine.
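As an added example (not code from the issue or from tpm2-tools), the checker below models the attribute-consistency rules that TPM2_NV_DefineSpace applies, using the TPMA_NV bit layout from Part 2 of the TPM 2.0 Library specification and the Part 3 rule that TPMA_NV_POLICY_DELETE is only accepted under the platform hierarchy (TPM2_NV_UndefineSpaceSpecial). It parses the `a|b|c` attribute syntax that tpm2_nvdefine -a takes above; the "o"/"p" hierarchy letters mirror the -C argument and the has_policy flag is an assumed stand-in for a non-empty authPolicy.

```python
# TPMA_NV bit positions (TPM 2.0 Library, Part 2, TPMA_NV table).
TPMA_NV = {
    "ppwrite": 1 << 0, "ownerwrite": 1 << 1, "authwrite": 1 << 2,
    "policywrite": 1 << 3, "policydelete": 1 << 10, "writelocked": 1 << 11,
    "writeall": 1 << 12, "writedefine": 1 << 13, "write_stclear": 1 << 14,
    "globallock": 1 << 15, "ppread": 1 << 16, "ownerread": 1 << 17,
    "authread": 1 << 18, "policyread": 1 << 19, "no_da": 1 << 25,
    "orderly": 1 << 26, "clear_stclear": 1 << 27, "readlocked": 1 << 28,
    "written": 1 << 29, "platformcreate": 1 << 30, "read_stclear": 1 << 31,
}
WRITE_ATTRS = sum(TPMA_NV[n] for n in ("ppwrite", "ownerwrite", "authwrite", "policywrite"))
READ_ATTRS = sum(TPMA_NV[n] for n in ("ppread", "ownerread", "authread", "policyread"))
# Bits the TPM manages itself; they must be clear when the index is defined.
STATE_ATTRS = TPMA_NV["writelocked"] | TPMA_NV["readlocked"] | TPMA_NV["written"]


def parse_attrs(spec: str) -> int:
    """Turn the tpm2_nvdefine -a string, e.g. 'authread|ownerread|authwrite',
    into a TPMA_NV bit mask. Unknown names are rejected rather than ignored."""
    mask = 0
    for name in spec.split("|"):
        name = name.strip().lower()
        if name not in TPMA_NV:
            raise ValueError(f"unknown TPMA_NV attribute: {name}")
        mask |= TPMA_NV[name]
    return mask


def define_space_errors(attrs: int, hierarchy: str, has_policy: bool) -> list:
    """Return the reasons TPM2_NV_DefineSpace would answer TPM_RC_ATTRIBUTES
    for this definition, or [] when it is consistent.
    hierarchy: 'o' (owner) or 'p' (platform), as passed to tpm2_nvdefine -C.
    has_policy: whether a non-empty authPolicy accompanies the definition."""
    errs = []
    if attrs & WRITE_ATTRS == 0:
        errs.append("no write authorization attribute set")
    if attrs & READ_ATTRS == 0:
        errs.append("no read authorization attribute set")
    if attrs & STATE_ATTRS:
        errs.append("WRITELOCKED, READLOCKED and WRITTEN must be clear at definition")
    platform = hierarchy == "p"
    if bool(attrs & TPMA_NV["platformcreate"]) != platform:
        errs.append("PLATFORMCREATE must be set exactly when defining under the platform hierarchy")
    if attrs & TPMA_NV["policydelete"]:
        # This is the check behind the 'inconsistent attributes' error with -C o.
        if not platform:
            errs.append("POLICY_DELETE requires the platform hierarchy (TPM2_NV_UndefineSpaceSpecial)")
        if not has_policy:
            errs.append("POLICY_DELETE requires a non-empty authPolicy")
    return errs
```

Running define_space_errors over the issue's own attribute string with "o" returns no errors, while the same string plus policydelete under "o" returns the platform-hierarchy error.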