Hello Florian,

I am using the simulator (mssim config) and removing the persistent data (NVChip), but it seems of no help. I see the following error after the cleanup:

WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x00000921) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x00000921) Provision
Fapi_Provision(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode

Do you have any preliminary steps to run the tools based out of the FAPI implementation before running the tool as mentioned in the man pages?

Regards
Phani Srinivas S

From: Florian.Schreiner(a)infineon.com
Sent: Thursday, August 6, 2020 7:03 PM
To: Phani Srinivas; tpm2(a)lists.01.org
Subject: RE: Debugging tpm2 tools based of FAPI

Hi Phani,

I don't know the error code in particular, but the messages say that you triggered the DA Lockout security mechanism. This mechanism is implemented to block Dictionary Attacks (DA), which are used by attackers to try out as many passwords as possible in a short amount of time. Dictionaries with typical passwords improve the efficiency of those attacks. The TPM blocks this with a lockout, i.e. if you have tried too many false authorizations in a short period of time, the TPM blocks any further requests until a time runs out. The time increases as more false authorizations are being executed.
Therefore it seems you triggered the DA lockout with this timeout in the first runs, and later on the TPM reports that it is still in the DA Lockout. A recovery method is that you keep the TPM powered and wait for the timeout to be over. After that the TPM should work normally. There are commands available where you can read the amount of time the timeout still takes. There are also commands that allow you to reset the DA Lockout using the DA Lockout Auth, so that you don't need to wait for the timeout. The DA Lockout Auth is, for example, the password of the admin. As you are using the Simulator, there should also be a simple method to erase the persistent data stored in the simulator, as it provides no security.

Best,
Florian

Infineon Technologies AG
Security Architect

From: Phani Srinivas
Sent: Thursday, 6 August 2020 15:17
To: tpm2(a)lists.01.org
Subject: [tpm2] Debugging tpm2 tools based of FAPI

Hello All,

I was successful in making the FAPI integration tests work and tried out some of the scenarios in creating the keys and performing the key operations. But when I used the tools based out of FAPI, I see the following errors:

export TPM20TEST_TCTI=mssim:host=127.0.0.1,port=2321
root@edgesec101:/home/edgesec100/phaniWS/tpm2_tools/tpm2-tools/tools/fapi# ./tss2_provision
WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x0000098e) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x0000098e) Provision
Fapi_Provision(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented

Later I removed the NVChip created in the simulator dir and ran again. I see a different error:

./tss2_provision
WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x00000921) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x00000921) Provision
Fapi_Provision(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode

I couldn't get from the documentation any prerequisites to follow to make the tpm2 tools based out of FAPI work. I see some RM configuration to be done, but I was not successful in my trials. Any suggestions on how the environment shall be set up to make the tpm2 tools based out of FAPI work?

Regards
Phani Srinivas S
R&D Principal Engineer
ABB
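
The two response codes in the logs above (0x98e and 0x921), decoded by bit field. This is an added example, not part of the original thread or of tpm2-tss; the bit layout and the two names come from the TPM 2.0 Library specification, Part 2 (TPM_RC), and the function names `decode_tpm_rc` and `da_triage` are made up for illustration.

```python
# Added example: decode the TPM 2.0 response codes quoted in the thread.
# Bit layout and names follow the TPM 2.0 Library spec, Part 2 (TPM_RC).
FMT0_WARNINGS = {0x21: "TPM_RC_LOCKOUT"}      # RC_WARN (0x900) + 0x021
FMT1_ERRORS = {0x0E: "TPM_RC_AUTH_FAIL"}      # RC_FMT1 (0x080) + 0x00E


def decode_tpm_rc(rc: int) -> dict:
    """Split a TSS2 return code into its layer and TPM_RC bit fields."""
    layer = (rc >> 16) & 0xFF      # 0 means the code was produced by the TPM itself
    code = rc & 0xFFF              # TPM_RC occupies the low 12 bits
    if code & 0x080:               # bit 7 set: format-one, tied to one argument
        err = code & 0x03F
        n = (code >> 8) & 0xF
        if code & 0x040:           # bit 6 (P): N counts parameters
            subject, index = "parameter", n
        elif n & 0x8:              # bit 11: N counts authorization sessions
            subject, index = "session", n & 0x7
        else:
            subject, index = "handle", n & 0x7
        return {"layer": layer, "format": 1, "warning": False,
                "name": FMT1_ERRORS.get(err, hex(err)),
                "subject": subject, "index": index}
    err = code & 0x07F             # format-zero: not tied to a specific argument
    warning = bool(code & 0x800)   # bit 11 (S): warning severity
    names = FMT0_WARNINGS if warning else {}
    return {"layer": layer, "format": 0, "warning": warning,
            "name": names.get(err, hex(err)), "subject": None, "index": None}


def da_triage(rc: int) -> str:
    """Map a decoded code to what it says about dictionary-attack state."""
    name = decode_tpm_rc(rc)["name"]
    if name == "TPM_RC_AUTH_FAIL":
        return "authorization rejected; DA failure counter incremented"
    if name == "TPM_RC_LOCKOUT":
        return "TPM in DA lockout; DA-protected authorizations refused"
    return "not a DA-related code known to this example"


if __name__ == "__main__":
    for rc in (0x0000098E, 0x00000921):    # the two codes from the logs
        print(hex(rc), decode_tpm_rc(rc), "->", da_triage(rc))
```

The decoded fields match the text FAPI printed: 0x98e is a format-one error on session 1, and 0x921 is a format-zero warning.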