* [tpm2] Re: tpm2_clear
@ 2020-05-08 16:08 Roberts, William C
  0 siblings, 0 replies; 8+ messages in thread
From: Roberts, William C @ 2020-05-08 16:08 UTC (permalink / raw)
  To: tpm2


I don't know if we ever updated those examples fully for 4.0; it looks like we did,
but the man page for tpm2_create also has examples. So if you run into issues, consult that
as well:
https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_create.1.md

> -----Original Message-----
> From: Struk, Tadeusz
> Sent: Thursday, May 7, 2020 5:06 PM
> To: Lester Cordeiro <lester.corderio(a)ufomoviez.com>; Roberts, William C
> <william.c.roberts(a)intel.com>; Florian.Schreiner(a)infineon.com;
> andreas.fuchs(a)sit.fraunhofer.de; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: tpm2_clear
> 
> On 5/7/20 11:08 AM, Lester Cordeiro wrote:
> >>
> >
> > hi,
> >
> >     Is it possible to provide an example on how to create an RSA key
> > under the SRK? Like what tpm2 tools should I use and what arguments?
> >
> 
> See here: https://github.com/tpm2-software/tpm2-tools/wiki/Creating-Objects
> --
> Tadeusz


* [tpm2] Re: tpm2_clear
@ 2020-05-07 22:05 Tadeusz Struk
  0 siblings, 0 replies; 8+ messages in thread
From: Tadeusz Struk @ 2020-05-07 22:05 UTC (permalink / raw)
  To: tpm2


On 5/7/20 11:08 AM, Lester Cordeiro wrote:
>>
> 
> hi,
> 
>     Is it possible to provide an example on how to create an RSA key under
> the SRK? Like what tpm2 tools should I use and what arguments?
> 

See here: https://github.com/tpm2-software/tpm2-tools/wiki/Creating-Objects
-- 
Tadeusz

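A worked version of what the Creating-Objects wiki page and the tpm2_create man page describe, as an added example that is not part of the thread or of tpm2-tools: a POSIX shell script that creates an RSA key under the persistent SRK discussed in the thread, loads it, and signs and verifies a file with it. It assumes tpm2-tools 4.x command syntax, an SRK already persisted at 0x81000001 with an empty auth value, and a TPM or software TPM reachable through the default TCTI; the `tpm` wrapper, the `DRY_RUN` switch and the file names are mine, so the command sequence can be reviewed on a machine without a TPM. One caveat before relying on this: the key blobs written by tpm2_create are wrapped by the SRK, so if the TPM is ever cleared (TPM2_Clear rotates the storage primary seed) they stop loading for every user of that SRK, whoever created them.

```shell
#!/bin/sh
# Added example, not code from the thread or from tpm2-tools itself.
# Assumes tpm2-tools 4.x syntax and an SRK already persisted at 0x81000001
# with an empty auth value. Set DRY_RUN=1 to print the command sequence
# instead of executing it (this wrapper and the switch are the author's).

# Run a tpm2-tools command, or print it when DRY_RUN=1.
tpm() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create an RSA-2048 key under the persistent SRK and load it.
#   $1 = basename for the key files, $2 = the key's own auth (password),
#   $3 = SRK handle (defaults to the conventional 0x81000001)
# The SRK has no auth, so no -P is passed for the parent; the key's own
# password is what gates its use, so each user's key is independent.
create_rsa_under_srk() {
    name="$1"
    key_auth="$2"
    srk="${3:-0x81000001}"

    # name.pub/name.priv are wrapped by the SRK: safe to keep on disk,
    # loadable only on this TPM and usable only with key_auth.
    tpm tpm2_create -C "$srk" -G rsa2048 -g sha256 -p "$key_auth" \
        -u "$name.pub" -r "$name.priv"
    tpm tpm2_load -C "$srk" -u "$name.pub" -r "$name.priv" -c "$name.ctx"
    # Export the public half as PEM for verification outside the TPM.
    tpm tpm2_readpublic -c "$name.ctx" -f pem -o "$name.pem"
}

# Sign a file with the loaded key, then have the TPM verify the signature.
#   $1 = key basename, $2 = key auth, $3 = file to sign
sign_and_verify() {
    name="$1"
    key_auth="$2"
    msg="$3"
    tpm tpm2_sign -c "$name.ctx" -g sha256 -p "$key_auth" -o "$msg.sig" "$msg"
    tpm tpm2_verifysignature -c "$name.ctx" -g sha256 -m "$msg" -s "$msg.sig"
}

# Only act when invoked explicitly: sh userkey.sh run KEYPASSWORD
if [ "${1:-}" = "run" ]; then
    printf 'hello tpm\n' > msg.txt
    create_rsa_under_srk appkey "$2"
    sign_and_verify appkey "$2" msg.txt
    tpm tpm2_flushcontext -t   # drop the transient object when done
fi
```

`DRY_RUN=1 sh userkey.sh run secret` prints the five tpm2 commands and the flush without touching a TPM; without `DRY_RUN` it needs a real or software TPM and leaves `appkey.pub`, `appkey.priv`, `appkey.pem` and `msg.txt.sig` in the working directory. Passing the persistent handle as `-C` works because tpm2-tools 4.x accepts a raw handle wherever an object context is expected.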

* [tpm2] Re: tpm2_clear
@ 2020-05-07 18:08 Lester Cordeiro
  0 siblings, 0 replies; 8+ messages in thread
From: Lester Cordeiro @ 2020-05-07 18:08 UTC (permalink / raw)
  To: tpm2



On 07/05/20 9:02 pm, Roberts, William C wrote:
> Most enterprise situations that I have seen set the owner password or, as Andreas mentioned,
> disable it via clearcontrol. There also usually exists a key, known as the SRK, which is at the
> persistent address of 0x81000001, that has no auth value. Then folks can create keys under
> that as they see fit. So the disgruntled employee could nuke his keys, but no one else's.

hi,

     Is it possible to provide an example on how to create an RSA key under
the SRK? Like what tpm2 tools should I use and what arguments?

Regards,

Lester


* [tpm2] Re: tpm2_clear
@ 2020-05-07 15:51 Roberts, William C
  0 siblings, 0 replies; 8+ messages in thread
From: Roberts, William C @ 2020-05-07 15:51 UTC (permalink / raw)
  To: tpm2


> -----Original Message-----
> From: Roberts, William C [mailto:william.c.roberts(a)intel.com]
> Sent: Thursday, May 7, 2020 10:33 AM
> To: Florian.Schreiner(a)infineon.com; andreas.fuchs(a)sit.fraunhofer.de;
> lester.corderio(a)ufomoviez.com; tpm2(a)lists.01.org
> Subject: [tpm2] Re: tpm2_clear
> 
> Most enterprise situations that I have seen set the owner password or, as
> Andreas mentioned, disable it via clearcontrol. There also usually exists a key,

Let me make this more clear: the admin sets/does these things; the regular user just makes
keys under the SRK.

> known as the SRK, which is at the persistent address of 0x81000001, that has no
> auth value. Then folks can create keys under that as they see fit. So the
> disgruntled employee could nuke his keys, but no one else's.
> 
> 
> > -----Original Message-----
> > From: Florian.Schreiner(a)infineon.com
> > [mailto:Florian.Schreiner(a)infineon.com]
> > Sent: Thursday, May 7, 2020 6:01 AM
> > To: andreas.fuchs(a)sit.fraunhofer.de; lester.corderio(a)ufomoviez.com;
> > tpm2(a)lists.01.org
> > Subject: [tpm2] Re: tpm2_clear
> >
> > Hi,
> >
> > maybe it helps to mention that the tpm2_clear command only affects the
> > keys stored in the storage hierarchy, which should normally be in the
> > ownership of the user anyway. Then it is according to the design that a
> > user/employee would only be able to delete his own keys.
> > Keys from another party like the platform owner should for example be
> > stored in the TPM platform hierarchy, which is more protected as there
> > is no clear command (e.g. the TPM2_ChangePPS command is not available or
> > blocked in BIOS).
> >
> > Best,
> > Florian
> >
> > -----Original Message-----
> > From: Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de>
> > Sent: Donnerstag, 7. Mai 2020 12:11
> > To: lester.corderio(a)ufomoviez.com; tpm2(a)lists.01.org
> > Subject: [tpm2] Re: tpm2_clear
> >
> > Caution: This e-mail originated outside Infineon Technologies. Do not
> > click on links or open attachments unless you validate it is safe
> > <http://iweb.infineon.com/en-US/Support/security/CDC/pse/Pages/pce.aspx>.
> >
> >
> > The purpose of tpm2_clear is for decommissioning so there is no way to
> > recover.
> >
> > You can call tpm2_clearcontrol to disable "owner-authorized" clearing,
> > so that you cannot clear from the OS anymore.
> > Then, the only way to clear the TPM is via BIOS which you can secure
> > with a password.
> >
> > That's as secure as it gets.
> > ________________________________________
> > From: lester.corderio(a)ufomoviez.com [lester.corderio(a)ufomoviez.com]
> > Sent: Thursday, May 07, 2020 11:51
> > To: tpm2(a)lists.01.org
> > Subject: [tpm2] tpm2_clear
> >
> > Hi, I am a complete newbie to TPM, so please excuse me if my question is
> > silly. I wanted to know: if anyone uses the tpm2_clear command, is all the
> > data and keys lost? So what if a disgruntled employee takes access and
> > clears the TPM, how can we recover from this?
> > _______________________________________________
> > tpm2 mailing list -- tpm2(a)lists.01.org To unsubscribe send an email to
> > tpm2-leave(a)lists.01.org
> > %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s


* [tpm2] Re: tpm2_clear
@ 2020-05-07 15:32 Roberts, William C
  0 siblings, 0 replies; 8+ messages in thread
From: Roberts, William C @ 2020-05-07 15:32 UTC (permalink / raw)
  To: tpm2


Most enterprise situations that I have seen set the owner password or, as Andreas mentioned,
disable it via clearcontrol. There also usually exists a key, known as the SRK, which is at the
persistent address of 0x81000001, that has no auth value. Then folks can create keys under
that as they see fit. So the disgruntled employee could nuke his keys, but no one else's.


> -----Original Message-----
> From: Florian.Schreiner(a)infineon.com [mailto:Florian.Schreiner(a)infineon.com]
> Sent: Thursday, May 7, 2020 6:01 AM
> To: andreas.fuchs(a)sit.fraunhofer.de; lester.corderio(a)ufomoviez.com;
> tpm2(a)lists.01.org
> Subject: [tpm2] Re: tpm2_clear
> 
> Hi,
> 
> maybe it helps to mention that the tpm2_clear command only affects the keys
> stored in the storage hierarchy, which should normally be in the
> ownership of the user anyway. Then it is according to the design that a user/employee
> would only be able to delete his own keys.
> Keys from another party like the platform owner should for example be stored in
> the TPM platform hierarchy, which is more protected as there is no clear
> command (e.g. the TPM2_ChangePPS command is not available or blocked in BIOS).
> 
> Best,
> Florian
> 
> -----Original Message-----
> From: Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de>
> Sent: Donnerstag, 7. Mai 2020 12:11
> To: lester.corderio(a)ufomoviez.com; tpm2(a)lists.01.org
> Subject: [tpm2] Re: tpm2_clear
> 
> 
> 
> The purpose of tpm2_clear is for decommissioning so there is no way to recover.
> 
> You can call tpm2_clearcontrol to disable "owner-authorized" clearing, so that
> you cannot clear from the OS anymore.
> Then, the only way to clear the TPM is via BIOS which you can secure with a
> password.
> 
> That's as secure as it gets.
> ________________________________________
> From: lester.corderio(a)ufomoviez.com [lester.corderio(a)ufomoviez.com]
> Sent: Thursday, May 07, 2020 11:51
> To: tpm2(a)lists.01.org
> Subject: [tpm2] tpm2_clear
> 
> Hi, I am a complete newbie to TPM, so please excuse me if my question is silly. I
> wanted to know: if anyone uses the tpm2_clear command, is all the data and keys
> lost? So what if a disgruntled employee takes access and clears the TPM, how can
> we recover from this?


* [tpm2] Re: tpm2_clear
@ 2020-05-07 11:01 Florian.Schreiner
  0 siblings, 0 replies; 8+ messages in thread
From: Florian.Schreiner @ 2020-05-07 11:01 UTC (permalink / raw)
  To: tpm2


Hi, 

maybe it helps to mention that the tpm2_clear command only affects the keys stored in the storage hierarchy, which should normally be in the ownership of the user anyway. Then it is according to the design that a user/employee would only be able to delete his own keys.
Keys from another party like the platform owner should for example be stored in the TPM platform hierarchy, which is more protected as there is no clear command (e.g. the TPM2_ChangePPS command is not available or blocked in BIOS).

Best,
Florian 

-----Original Message-----
From: Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> 
Sent: Donnerstag, 7. Mai 2020 12:11
To: lester.corderio(a)ufomoviez.com; tpm2(a)lists.01.org
Subject: [tpm2] Re: tpm2_clear



The purpose of tpm2_clear is for decommissioning so there is no way to recover.

You can call tpm2_clearcontrol to disable "owner-authorized" clearing, so that you cannot clear from the OS anymore.
Then, the only way to clear the TPM is via BIOS which you can secure with a password.

That's as secure as it gets.
________________________________________
From: lester.corderio(a)ufomoviez.com [lester.corderio(a)ufomoviez.com]
Sent: Thursday, May 07, 2020 11:51
To: tpm2(a)lists.01.org
Subject: [tpm2] tpm2_clear

Hi, I am a complete newbie to TPM, so please excuse me if my question is silly. I wanted to know: if anyone uses the tpm2_clear command, is all the data and keys lost? So what if a disgruntled employee takes access and clears the TPM, how can we recover from this?


* [tpm2] Re: tpm2_clear
@ 2020-05-07 10:21 lester.corderio
  0 siblings, 0 replies; 8+ messages in thread
From: lester.corderio @ 2020-05-07 10:21 UTC (permalink / raw)
  To: tpm2


Thank you very much for the explanation, I have understood now.


* [tpm2] Re: tpm2_clear
@ 2020-05-07 10:11 Fuchs, Andreas
  0 siblings, 0 replies; 8+ messages in thread
From: Fuchs, Andreas @ 2020-05-07 10:11 UTC (permalink / raw)
  To: tpm2


The purpose of tpm2_clear is for decommissioning so there is no way to recover.

You can call tpm2_clearcontrol to disable "owner-authorized" clearing, so that you cannot clear from the OS anymore.
Then, the only way to clear the TPM is via BIOS which you can secure with a password.

That's as secure as it gets.
________________________________________
From: lester.corderio(a)ufomoviez.com [lester.corderio(a)ufomoviez.com]
Sent: Thursday, May 07, 2020 11:51
To: tpm2(a)lists.01.org
Subject: [tpm2] tpm2_clear

Hi, I am a complete newbie to TPM, so please excuse me if my question is silly. I wanted to know: if anyone uses the tpm2_clear command, is all the data and keys lost? So what if a disgruntled employee takes access and clears the TPM, how can we recover from this?

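The hardening that Andreas (lock down clearing with tpm2_clearcontrol) and William (set the owner password, provide a no-auth SRK at 0x81000001 for users to create keys under) describe in this thread, as an added example that is not part of the thread or of tpm2-tools. It is a POSIX shell script written against tpm2-tools 4.x syntax and assumes a TPM or software TPM reachable through the default TCTI; the `tpm` wrapper, the `DRY_RUN` switch and the file name `srk.ctx` are mine, and the bit names in the final check follow the YAML that `tpm2_getcap properties-variable` prints. Two details the script encodes that the thread glosses over: TPM2_Clear is authorized by the lockout hierarchy (or the platform hierarchy), not by ownerAuth, so it is the lockout password that must be set before disableClear is latched; and once disableClear is set, only platform authorization (i.e. firmware/BIOS) can reset it, which is exactly the "only via BIOS" property Andreas mentions.

```shell
#!/bin/sh
# Added example, not code from the thread or from tpm2-tools itself.
# Assumes tpm2-tools 4.x syntax and a TPM (or swtpm) reachable through the
# default TCTI. Set DRY_RUN=1 to print the command sequence instead of
# executing it (this wrapper and the switch are the author's).

# Run a tpm2-tools command, or print it when DRY_RUN=1.
tpm() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Admin-side one-time provisioning.
#   $1 = new lockout password, $2 = new owner password
# Order matters: TPM2_Clear is authorized by lockoutAuth (or platformAuth),
# so the lockout password is set before disableClear is latched.
harden_tpm() {
    lockout_auth="$1"
    owner_auth="$2"

    # 1. lockoutAuth gates tpm2_clear; ownerAuth gates the storage hierarchy
    #    (creating primaries, persisting objects, changing the SRK).
    tpm tpm2_changeauth -c l "$lockout_auth"
    tpm tpm2_changeauth -c o "$owner_auth"

    # 2. Set TPMA_PERMANENT.disableClear. From now on tpm2_clear with the
    #    lockout auth is refused; only platform auth (firmware/BIOS) can
    #    clear the bit again, so the OS-side path is closed.
    tpm tpm2_clearcontrol -C l -P "$lockout_auth" s

    # 3. Create the SRK in the owner hierarchy with an empty auth value and
    #    persist it at 0x81000001, so unprivileged users can create keys
    #    under it without ever knowing the owner password.
    tpm tpm2_createprimary -C o -P "$owner_auth" -G rsa -g sha256 -c srk.ctx
    tpm tpm2_evictcontrol -C o -P "$owner_auth" -c srk.ctx 0x81000001
    tpm tpm2_flushcontext -t   # persistent copy remains; drop the transient one
}

# Check: after harden_tpm, disableClear, lockoutAuthSet and ownerAuthSet
# should all read 1 in the TPM's permanent properties.
show_clear_state() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "tpm2_getcap properties-variable"
        return 0
    fi
    tpm2_getcap properties-variable | grep -E 'disableClear|lockoutAuthSet|ownerAuthSet'
}

# Only act when invoked explicitly: sh harden.sh apply LOCKOUTPW OWNERPW
if [ "${1:-}" = "apply" ]; then
    harden_tpm "$2" "$3"
    show_clear_state
fi
```

Run `sh harden.sh apply LOCKOUTPW OWNERPW` once as the administrator; `DRY_RUN=1 sh harden.sh apply ...` prints the six commands without touching the TPM. Note what this does and does not buy you: a user without the lockout password can no longer run tpm2_clear from the OS, but anyone who can run firmware setup (platform auth) still can, so the BIOS password Andreas mentions is part of the control, and a clear, whoever performs it, invalidates every key under the SRK, not only the keys of whoever ran it.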
