You're on the right track: tpm2_clear clears the owner hierarchy, that is the SRK and all its child keys. According to the command specification (sec. 24.6) there are multiple reasons why tpm2_clear could fail.
1. The platform hierarchy is disabled

This error is quite subtle because it is not mentioned explicitly in the command description for TPM2_Clear. By default, TPM2_Clear operates on the platform hierarchy. However, the platform hierarchy can be disabled (phEnable bit clear) via the command TPM2_HierarchyControl:

tpm2_hierarchycontrol -C p phEnable clear

Any future use of the platform hierarchy should result in the return code TPM2_RC_HANDLE = 0x0000010B. However, there is no TPM command to re-enable the platform hierarchy. Architecture specification (Sec 13.3):

When phEnable is CLEAR, a _TPM_Init is required to SET it.

It seems you need to reset your TPM (toggling the hardware reset signal or power off) to re-enable the platform hierarchy. If this does not solve your problem, see the next potential issue.
2. TPM2_Clear command is disabled

This is probably not your problem, because it would yield another error (return code TPM_RC_DISABLED = 0x00000120).

The TPM2_Clear command can be disabled (disableClear bit set). This is done via the command TPM2_ClearControl. To enable clearing, call tpm2_clearcontrol -Cp c. Like tpm2_clear, tpm2_clearcontrol requires platform authorization.
He who fights dragons too long becomes a dragon himself; gaze too long into the abyss, and the abyss gazes back into you...
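The two preconditions named in the answer (platform hierarchy enabled, TPM2_Clear not disabled) can both be read from the TPM's variable properties before attempting tpm2_clear. The script below is an added example, not part of the answer or of tpm2-tools; it assumes the YAML-like layout that `tpm2_getcap properties-variable` prints (TPM2_PT_STARTUP_CLEAR.phEnable and TPM2_PT_PERMANENT.disableClear) and uses a constructed sample of that output so it runs without a TPM. On a real system you would feed it `tpm2_getcap properties-variable` instead.

```shell
#!/bin/sh
# Added example (not from the original answer): check the two preconditions
# for tpm2_clear using the flags reported by `tpm2_getcap properties-variable`:
#   - TPM2_PT_STARTUP_CLEAR.phEnable must be 1  (platform hierarchy enabled)
#   - TPM2_PT_PERMANENT.disableClear must be 0  (TPM2_Clear not disabled)
# The sample texts below are constructed to mirror tpm2-tools' YAML-like
# output; they are not captured from a real TPM.

# Print the value (0/1) of one flag line such as "  phEnable: 1"; empty if absent.
# Usage: flag_value "<getcap text>" <flag name>
flag_value() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# Exit status: 0 = tpm2_clear can be attempted,
#              1 = platform hierarchy disabled (tpm2_clear would return
#                  TPM2_RC_HANDLE; only a TPM reset / _TPM_Init re-enables it),
#              2 = TPM2_Clear disabled (tpm2_clear would return TPM_RC_DISABLED;
#                  tpm2_clearcontrol -Cp c re-enables it).
# A one-line verdict is printed to stdout.
check_clear_preconditions() {
    ph=$(flag_value "$1" phEnable)
    dc=$(flag_value "$1" disableClear)
    if [ "$ph" != "1" ]; then
        echo "phEnable is clear: platform hierarchy disabled; reset the TPM (_TPM_Init) before tpm2_clear"
        return 1
    fi
    if [ "$dc" = "1" ]; then
        echo "disableClear is set: run 'tpm2_clearcontrol -Cp c' before tpm2_clear"
        return 2
    fi
    echo "preconditions met: tpm2_clear -C p can be attempted"
    return 0
}

# Constructed samples (shape of `tpm2_getcap properties-variable`, abbreviated).
SAMPLE_OK='TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  disableClear:              0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1'

SAMPLE_PH_DISABLED='TPM2_PT_PERMANENT:
  disableClear:              0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  0
  shEnable:                  1'

SAMPLE_CLEAR_DISABLED='TPM2_PT_PERMANENT:
  disableClear:              1
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1'

# Demonstration on the constructed samples (a real run would use
# `check_clear_preconditions "$(tpm2_getcap properties-variable)"`).
check_clear_preconditions "$SAMPLE_OK" || true
check_clear_preconditions "$SAMPLE_PH_DISABLED" || true
check_clear_preconditions "$SAMPLE_CLEAR_DISABLED" || true
```

The platform-hierarchy check comes first because, as the answer explains, there is no command-level fix for it; reporting it ahead of disableClear avoids sending the user to tpm2_clearcontrol when that command would itself fail under platform authorization.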