Setting up DA lockout configuration / manually recovering from DA lockout mode #3371

Closed
jclsn opened this issue Mar 22, 2024 · 1 comment

jclsn commented Mar 22, 2024

I know this behavior is expected, but I still need a way to exit the lockout mode manually.

I have entered this mode by power cycling the machine and the chip too often. This is necessary for testing purposes. I haven't set an auth password and kept everything in the default state. The documentation states the following:

19.11.4 Recovering from Lockout Mode

The TPM can recover from Lockout mode in three ways.

1) TPM2_DictionaryAttackLockReset() sets failedTries to zero. This command requires Lockout Authorization. The TPM does not have to be in Lockout mode in order to use this command.
2) The TPM decrements failedTries by one if no TPM resets are recorded during recoveryTime.
   NOTE 1: If the TPM is in Lockout mode, then the TPM will always leave Lockout mode when failedTries decrements because failedTries will no longer be equal to maxTries.
   NOTE 2: The failure count is not decremented below zero.
3) failedTries is set to zero if the owner changes.

Configuration and programmatic recovery of the dictionary attack logic requires proof of knowledge of Lockout Authorization. When the TPM owner is changed by changing the SPS, lockoutAuth is set to the EmptyAuth and lockoutPolicy is set to the Empty Buffer

So there seems to be a way to do this. Trying a

tpm2_dictionarylockout --setup-parameters --max-tries=99 --clear-lockout

put me in lockout mode as well though, because

ERROR: Esys_DictionaryAttackLockReset(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented

So what is the default password? How can I change these settings or exit the lockout mode?

NOTE: "Authorizations default to the EMPTY PASSWORD when not specified".

What is the EMPTY PASSWORD? ^^

@AndreasFuchsTPM
Member

Empty password is a password of length zero.
If you do not provide a -p parameter, that is the password that tpm2 tools will use.
I guess you have a password set but do not remember it, or it was set by Windows or some other software?
I suggest going into the BIOS and clearing the TPM.
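
Added example, not part of the thread and not tpm2-tools code: one way to check the dictionary-attack state and whether lockoutAuth is non-empty before sending any authorization. It parses text in the layout `tpm2_getcap properties-variable` prints; the sample values are constructed, and the function names `da_field` and `da_status` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue thread). Classifies dictionary-attack (DA)
# state from `tpm2_getcap properties-variable` text. Parsing is read-only: no
# authorization is sent, so the DA counter cannot be incremented.

# Constructed sample output, not captured from the reporter's machine.
SAMPLE_GETCAP='TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            1
  disableClear:              0
  inLockout:                 1
TPM2_PT_LOCKOUT_COUNTER: 0x20
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180'

# da_field NAME TEXT: print the value that follows "NAME:" in TEXT.
da_field() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }'
}

# da_status TEXT: print one key=value summary line; return 1 if a field is missing.
da_status() {
    in_lock=$(da_field inLockout "$1")
    auth_set=$(da_field lockoutAuthSet "$1")
    failed=$(da_field TPM2_PT_LOCKOUT_COUNTER "$1")     # failedTries
    max=$(da_field TPM2_PT_MAX_AUTH_FAIL "$1")          # maxTries
    interval=$(da_field TPM2_PT_LOCKOUT_INTERVAL "$1")  # recoveryTime, seconds
    for v in "$in_lock" "$auth_set" "$failed" "$max" "$interval"; do
        [ -n "$v" ] || { echo "state=unknown"; return 1; }
    done
    state=ok; next=none
    [ "$in_lock" = 1 ] && state=locked
    [ "$auth_set" = 1 ] && auth=set || auth=empty
    if [ "$state" = locked ]; then
        # A non-empty lockoutAuth makes an empty-password reset fail its HMAC check.
        [ "$auth" = set ] && next=need-lockout-auth-or-tpm-clear || next=reset-with-empty-auth
    fi
    # printf %d converts the hex values the tool prints to decimal.
    printf 'state=%s failed=%d max=%d decrement_every_s=%d lockout_auth=%s next=%s\n' \
        "$state" "$failed" "$max" "$interval" "$auth" "$next"
}

# On a real system: da_status "$(tpm2_getcap properties-variable)"
da_status "$SAMPLE_GETCAP"
```

With `lockout_auth=set`, the reset needs the lockout password passed with `-p`, or a TPM clear as suggested above; with `lockout_auth=empty`, the reset works without `-p`.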
