I'm trying to follow this tutorial but I'm using Ubuntu 21.04: https://run.tournament.org.il/ubuntu-20-04-and-tpm2-encrypted-system-disk/
When I run the second command:
sudo tpm2_nvdefine -s 64 0x1500016
I get the error:
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:337:Esys_NV_DefineSpace_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x000009a2)
ERROR: Failed to define NV area at index 0x1500016
ERROR: Esys_NV_DefineSpace(0x9A2) - tpm:session(1):authorization failure without DA implications
ERROR: Failed to create NV index 0x1500016.
ERROR: Unable to run tpm2_nvdefine
I have also tried:
sudo tpm2_clear
which resulted in:
WARNING:esys:src/tss2-esys/api/Esys_Clear.c:291:Esys_Clear_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:97:Esys_Clear() Esys Finish ErrorCode (0x0000098e)
ERROR: Esys_Clear(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented
ERROR: Unable to run tpm2_clear
which led me to look at the status:
$ sudo tpm2_getcap properties-variable | egrep 'TPM2_PT_(MAX|LOCKOUT).*'
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0xA
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x1C20
I have also tried:
sudo tpm2_dictionarylockout --setup-parameters --max-tries=4294967295 --clear-lockout
which also results in a similar error:
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackLockReset.c:288:Esys_DictionaryAttackLockReset_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_DictionaryAttackLockReset.c:98:Esys_DictionaryAttackLockReset() Esys Finish ErrorCode (0x00000921)
ERROR: Esys_DictionaryAttackLockReset(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode
ERROR: Unable to run tpm2_dictionarylockout
I have also tried the first command from the tpm2-tools tutorial on disk encryption here: https://tpm2-software.github.io/2020/04/13/Disk-Encryption.html
which says:
sudo tpm2_createprimary -Q -C o -c prim.ctx
and results in a similar error:
WARNING:esys:src/tss2-esys/api/Esys_CreatePrimary.c:393:Esys_CreatePrimary_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:135:Esys_CreatePrimary() Esys Finish ErrorCode (0x000009a2)
ERROR: Esys_CreatePrimary(0x9A2) - tpm:session(1):authorization failure without DA implications
ERROR: Unable to run tpm2_createprimary
I've googled all these errors but can't find an understandable explanation. There's a lot of information out there, but it is from tpm-tools and/or uses completely incorrect parameters. It seems that the tpm2_* commands change very quickly!
Does this mean my TPM has been disabled or locked out?
I notice that tpm2_takeownership is no longer in the Ubuntu package (and not in 20.04 either) so other solutions I've found around the internet won't work (unless I install it from source), but I figure this isn't expected if it isn't in the package.
Other things (like tpm2_pcrread) throw no errors. So is it possible that my TPM is readable but not writeable? How can I reset it, or is this a manufacturer's setting or something I need to do in the BIOS to make it writeable?
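The three response codes in the question (0x9a2, 0x98e, 0x921) and the four TPM2_PT_LOCKOUT_* properties can be interpreted without sending anything further to the TPM, which matters when every failed authorization risks extending the lockout. The script below is an added example and not part of the question, the answer, or the tpm2-tools project: it parses text in the format `tpm2_getcap properties-variable` prints and decodes TPM 2.0 response codes by their bit layout (TPM 2.0 Library Part 2, TPM_RC). The sample properties are constructed from the values in the question; the function names `prop`, `da_summary` and `decode_rc` are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from tpm2-tools: a read-only helper
# that interprets the dictionary-attack (DA) state and the response codes quoted
# in the question. It never talks to the TPM; it only parses text.

# Constructed sample in the format "tpm2_getcap properties-variable" prints,
# using the values from the question.
SAMPLE_PROPS='TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0xA
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x1C20'

# prop NAME TEXT: print the decimal value of property NAME from TEXT (nothing if absent)
prop() {
    v=$(printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }')
    if [ -n "$v" ]; then echo "$((v))"; fi
}

# da_summary TEXT: one line with the DA counters, the intervals in seconds, and
# whether the failure counter alone has reached the lockout threshold
da_summary() {
    counter=$(prop TPM2_PT_LOCKOUT_COUNTER "$1")
    max=$(prop TPM2_PT_MAX_AUTH_FAIL "$1")
    interval=$(prop TPM2_PT_LOCKOUT_INTERVAL "$1")
    recovery=$(prop TPM2_PT_LOCKOUT_RECOVERY "$1")
    if [ "$counter" -ge "$max" ]; then state=counter-exhausted; else state=counter-below-limit; fi
    printf 'failedTries=%s maxTries=%s decay=%ss lockoutRecovery=%ss %s\n' \
        "$counter" "$max" "$interval" "$recovery" "$state"
}

# decode_rc CODE: decode a TPM2 response code into "where: name (meaning)".
# Only the codes seen in the question are named; anything else is reported by
# its raw error number and format.
decode_rc() {
    rc=$(( $1 ))
    if [ $(( rc & 0x80 )) -ne 0 ]; then
        # format-one code: bits 5:0 error number, bit 6 set = parameter, bits 11:8 index
        # (1..7 = handle 1..7, 8..15 = session 1..7)
        e=$(( rc & 0x3f ))
        n=$(( (rc >> 8) & 0xf ))
        if [ $(( rc & 0x40 )) -ne 0 ]; then where="parameter $n"
        elif [ "$n" -ge 8 ]; then where="session $(( n - 8 ))"
        else where="handle $n"; fi
        case $e in
            14) name="TPM_RC_AUTH_FAIL (HMAC check failed, DA counter incremented)" ;;
            34) name="TPM_RC_BAD_AUTH (authorization failure without DA implications)" ;;
            *)  name="format-one error $e" ;;
        esac
    else
        # format-zero code: bits 6:0 error number, bit 11 set = warning rather than error
        e=$(( rc & 0x7f ))
        where=tpm
        if [ $(( rc & 0x800 )) -ne 0 ]; then kind=warn; else kind=error; fi
        case "$kind:$e" in
            warn:33) name="TPM_RC_LOCKOUT (TPM is in DA lockout mode)" ;;
            *)       name="format-zero $kind $e" ;;
        esac
    fi
    printf '%s: %s\n' "$where" "$name"
}

# Stand-alone run: summarise the constructed sample and decode the codes from the
# question. Against a real device you would pass the live output instead:
#   da_summary "$(sudo tpm2_getcap properties-variable)"
da_summary "$SAMPLE_PROPS"
for code in 0x9a2 0x98e 0x921; do
    printf '%s -> ' "$code"; decode_rc "$code"
done
```

Reading the sample this way shows that the failure counter (0) is nowhere near maxTries (10), so the 0x921 lockout warning is not the counter talking. That pattern is consistent with the earlier `tpm2_clear` attempt, which authorizes against the lockout hierarchy by default: a failed lockoutAuth disables further lockoutAuth use for TPM2_PT_LOCKOUT_RECOVERY seconds (0x1C20 = 7200 s, two hours) independently of the counter, and `tpm2_dictionarylockout` needs exactly that authorization. Waiting out the recovery interval before retrying, rather than repeating the command, is the safe move; the 0x9a2 codes from `tpm2_nvdefine` and `tpm2_createprimary` are owner-hierarchy authorization failures, which do not count against DA and point at an owner auth being set rather than at a lockout.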
I got the same errors when setting up the TPM on Ubuntu 20.04. My situation was that my previous OS was Windows 10 with the TPM set up for BitLocker on all drives.
For me, the solution was to reset the TPM using
Then, the TPM was reset and commands worked as expected.
EDIT: According to one of the comments in the link in the OP: https://run.tournament.org.il/ubuntu-20-04-and-tpm2-encrypted-system-disk/, the TPM is locked to a certain combination of bootloader and hardware by Windows 10 BitLocker (i.e. Windows 10 has ownership of the TPM). So, if one is using a new OS, the TPM needs to be reset to be used.