3

I want to use BeagleBone Black with TPM enabled through CryptoCape.

I am following this tutorial in a way I can clear the TPM, because of its compliance mode.

When I run tpm_clear -l debug I get a prompt to enter the owner password, which I do not know. This way, I am getting an Authentication failed message and I am not succeeding.

tpm_clear -l debug
Tspi_Context_Create success
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Enter owner password: 
Tspi_GetPolicyObject success
Tspi_Policy_SetSecret success
Tspi_TPM_ClearOwner failed: 0x00000001 - layer=tpm, code=0001 (1), Authentication failed
Tspi_Context_FreeMemory success
Tspi_Context_Close success

Does anyone know how to do this without the owner password?

Dalton Cézane
  • 3,672
  • 2
  • 35
  • 60

1 Answers1

1

Not knowing the owner password will require physical presence to be asserted on the host platform:

An example of an implementation of the hardware method is a button on the front of the platform wired to a pin on the TPM. Pressing the button causes the pin to change the polarity and would cause the TPM to set its internal physical presence flag. Using this hardware method, commands requiring the indication of physical presence could be executed at any time (in the pre OS environment or from the OS environment) as long as the button were pressed.

Providing a wire along with a button or switch to the outside of the platform is not feasible in some cases due to cost, form factor, usage, or other issues. For this reason, a second method of asserting physical presence called the “command method” is defined. For the command method, firmware presents a user interface (UI) to explain the operation that has been requested. A physically present user confirms or rejects the operation by pressing a key on the keyboard. The command method then authorizes the TPM command to be sent to the TPM. No further check for physical presence is done in the TPM. The TPM performs the TPM operation if the user confirmed it through the UI.

Look for the hardware button on your board, hopefully it has it. If not, CryptoCape probably supports the command method, but I'm not familiar enough to say how.

mnistic
  • 10,866
  • 2
  • 19
  • 33