
When I try to take ownership of my TPM 2.0, I run the tpm2_takeownership command. The first time, I got this error:

./tpm2_takeownership -e 0123 -o 0123 -l 0123
......Change Hierarchy Owner Auth Succ......
......Change Hierarchy Endorsement Auth Succ......
......Change Hierarchy Lockout Auth Error. TPM Error:0x98e......

Now, when I want to change any authorizations, it fails:

./tpm2_takeownership -l 0123 -o 0123 -e 0123 -L 0123 -O 0123 -E 0123
......Change Hierarchy Owner Auth Error. TPM Error:0x9a2......

Or

./tpm2_takeownership -c

Start to clear the Hierarchy auth....

ClearControl Failed ! ErrorCode: 0x9a2

I didn't find any information about the error codes, so I checked the sources, and I found this code (line 127). All these defines are of the same type as the error code printed by the tpm2_takeownership command (line 91). It goes up to error 0x97F, but there is no sign of the error codes 0x9a2 and 0x98e.

The versions of my tpm2-tools commands:

./tpm2_verifysignature, version 1.0.0
./tpm2_getpubek, version 1.0.0
./tpm2_nvreadlock, version 1.0.0
./tpm2_evictcontrol, version 1.0.0
./tpm2_loadexternal, version 1.0.0
./tpm2_nvwrite, version 1.0.0
./tpm2_nvdefine, version 1.0.0
./tpm2_rsaencrypt, version 1.0.0
./tpm2_quote, version 1.0.0
./tpm2_listpersistent, version 1.0.0
./tpm2_activatecredential, version 1.0.0
./tpm2_unseal, version 1.0.0
./tpm2_getpubak, version 1.0.0
./tpm2_getrandom, version 1.0.0
./tpm2_load, version 1.0.0
./tpm2_createprimary, version 1.0.0
./tpm2_takeownership, version 1.0.0
./tpm2_hash, version 1.0.0
./tpm2_encryptdecrypt, version 1.0.0
./tpm2_makecredential, version 1.0.0
./tpm2_nvread, version 1.0.0
./tpm2_readpublic, version 1.0.0
./tpm2_listpcrs, version 1.0.0
./tpm2_akparse, version 1.0.0
./tpm2_nvrelease, version 1.0.0
./tpm2_hmac, version 1.0.0
./tpm2_sign, version 1.0.0
./tpm2_nvlist, version 1.0.0
./tpm2_create, version 1.0.0
./tpm2_rsadecrypt, version 1.0.0
./tpm2_certify, version 1.0.0
./tpm2_getmanufec, version 1.0.0

The tpm module is loaded:

lsmod| grep tpm
tpm_crb                16384  0

The resourcemgr daemon is running:

ps aux | grep resourcemgr
root     10720  0.0  0.0 170672  1024 ?        Sl   juin16   0:00 resourcemgr

And finally, I use the Intel Stack. I don't think the problem comes from there, as it passes all the tests (~/TPM2.0-TSS/test/tpmtest/tpmtest).

I am currently stuck at this point, so any ideas what these two errors (0x9a2 and 0x98e) mean?

Edit: So, I ran a few tests on the TPM2.0-TSS, especially the clock tests:

    CLOCK/TIME TEST:
Q - QUIT THIS TEST GROUP
D - PRINT DESCRIPTION ON ALL CASES IN THIS GROUP
0 - RUN ALL TEST CASES
Please select an action:0

RUN ALL TEST CASES:

CLOCK/TIME TEST:
        passing case:   PASSED!

Current Time:498603768, Current Clock Info:565355598
        passing case:   FAILED!  TPM Error: 0x9a2

And I get the same error code on this test as when I run tpm2_takeownership. Does this mean the internal clock may be causing damage?

EDIT 2: Actually, I also get this 0x9a2 error on these tests:

34 - ASYMMETRIC ENCRYPT/DECRYPT TESTS
35 - VERIFY SIGNATURE WITH EXTERNAL KEY TEST
36 - VERIFY SIGNATURE WITH CREATED KEY TEST
37 - NV EXTENSION TEST
38 - PCR EXTENDED TEST
Damien

  • Did you enable 'Reset of TPM from OS' and 'OS Management of TPM' from the 'TPM Embedded Security' page? – Overmind Jun 21 '16 at 12:17
  • Do I have to enable it in the BIOS? – Damien Jun 21 '16 at 12:20
  • Yes, both are options that need to be enabled in the BIOS TPM security menu. – Overmind Jun 21 '16 at 12:22
  • From what I remember, my BIOS didn't give that much information about the TPM. As soon as I have physical access to my computer, I will update the BIOS and try to enable these 2 options. – Damien Jun 21 '16 at 12:23
  • So, I finally had physical access. There are only two checkboxes about the TPM: TPM presence, and Intel TXT. I checked both. – Damien Jul 07 '16 at 08:02
  • Those should do. Check now if there's any difference. – Overmind Jul 07 '16 at 08:08
  • Actually, these two options were already checked. I tried to upgrade the BIOS [here](https://downloadcenter.intel.com/download/25992/BIOS-Update-MYBDWi5v-86A-?product=84862). It still doesn't work. – Damien Jul 07 '16 at 08:29

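The source grep in the question stops at 0x97F because tpm2-tools only lists the base constants; the codes the TPM actually returns carry extra qualifier bits. Below is an added example, not from the question, from tpm2-tools or from the TPM2.0-TSS, that splits a TPM 2.0 response code (TPM_RC) into its fields as laid out in Part 2 of the TPM 2.0 Library specification: bit 7 selects the format; for format-one codes bits 5:0 are the error number, bit 6 (P) says the fault is in a parameter, and bits 11:8 (N) give the index of the handle, parameter or session concerned, with bit 11 set and P clear meaning a session; for format-zero codes bit 11 marks a warning and bit 10 a vendor-defined code. The struct, function names and the small name table are this example's own (the table is a subset of the spec's constants chosen for this page), and it ignores any TSS-layer bits above bit 11 as a simplification. Under that layout 0x9a2 is TPM_RC_BAD_AUTH qualified with session 1 (a wrong authorization value with no dictionary-attack consequence), and 0x98e is TPM_RC_AUTH_FAIL on session 1, the variant returned when the failure counts against dictionary-attack protection, so repeated failures of that kind eventually yield TPM_RC_LOCKOUT (0x921), which the table also names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: decode a TPM 2.0 response code (TPM_RC) into its fields.
 * Bit layout per TPM 2.0 Library Spec Part 2, "Response Code Details".
 * Assumption: only the 12-bit TPM code is decoded; bits above bit 11
 * (TSS layer indicators) are masked off. */

typedef struct {
    int      format_one;   /* 1 = format-one code (qualified by handle/parameter/session) */
    uint16_t base;         /* code with the N and P bits stripped, e.g. 0x0A2 */
    int      is_parameter; /* format-one P bit: the error refers to a parameter */
    int      is_session;   /* format-one: P == 0 and bit 11 set -> a session */
    int      number;       /* 1-based index of the handle/parameter/session, 0 = none */
    int      is_warning;   /* format-zero S bit: warning, not an error */
    int      is_vendor;    /* format-zero T bit: vendor-defined code */
    const char *name;      /* symbolic name from the table below, or "UNKNOWN" */
    const char *meaning;
} tpm_rc_info;

/* Subset of the spec's names, chosen for the codes discussed on this page. */
static const struct { uint16_t base; const char *name; const char *meaning; } kNames[] = {
    { 0x000, "TPM_RC_SUCCESS",      "success" },
    { 0x08E, "TPM_RC_AUTH_FAIL",    "authorization HMAC check failed; DA counter incremented" },
    { 0x0A2, "TPM_RC_BAD_AUTH",     "authorization failure without DA implications" },
    { 0x09D, "TPM_RC_POLICY_FAIL",  "policy check failed" },
    { 0x085, "TPM_RC_HIERARCHY",    "hierarchy is not enabled or not correct for the use" },
    { 0x084, "TPM_RC_VALUE",        "value is out of range or not correct for the context" },
    { 0x120, "TPM_RC_DISABLED",     "command is disabled" },
    { 0x125, "TPM_RC_AUTH_MISSING", "authorization handle is not correct for the command" },
    { 0x921, "TPM_RC_LOCKOUT",      "TPM is in DA lockout mode; DA-protected auths refused" },
    { 0x922, "TPM_RC_RETRY",        "TPM was not able to start the command; retry" },
};

/* Fill *out from rc. Returns 1 if the base code is in the table, else 0. */
int tpm_rc_decode(uint32_t rc, tpm_rc_info *out) {
    memset(out, 0, sizeof *out);
    uint16_t code = (uint16_t)(rc & 0x0FFF);        /* TPM_RC is 12 bits wide */
    if (code & 0x080) {                             /* bit 7: format-one */
        int n = (code >> 8) & 0xF;                  /* bits 11:8: N */
        out->format_one = 1;
        out->base = (uint16_t)(0x080 | (code & 0x03F));
        if (code & 0x040) {                         /* bit 6: P -> parameter 1..15 */
            out->is_parameter = 1;
            out->number = n;
        } else if (n & 0x8) {                       /* bit 11 with P clear -> session 1..7 */
            out->is_session = 1;
            out->number = n & 0x7;
        } else {                                    /* otherwise a handle 1..7 */
            out->number = n;
        }
    } else {                                        /* format-zero: keep E, V, T, S bits */
        out->base = (uint16_t)(code & 0x0D7F);
        out->is_warning = (code & 0x800) != 0;
        out->is_vendor  = (code & 0x400) != 0;
    }
    out->name = "UNKNOWN";
    out->meaning = "not in this example's table";
    for (size_t k = 0; k < sizeof kNames / sizeof kNames[0]; k++) {
        if (kNames[k].base == out->base) {
            out->name = kNames[k].name;
            out->meaning = kNames[k].meaning;
            return 1;
        }
    }
    return 0;
}

/* Render a one-line explanation into buf. Returns tpm_rc_decode's result. */
int tpm_rc_describe(uint32_t rc, char *buf, size_t len) {
    tpm_rc_info i;
    int known = tpm_rc_decode(rc, &i);
    unsigned code = (unsigned)(rc & 0x0FFF);
    if (i.format_one && i.number) {
        const char *what = i.is_parameter ? "parameter" : (i.is_session ? "session" : "handle");
        snprintf(buf, len, "0x%03x = %s (%s %d): %s", code, i.name, what, i.number, i.meaning);
    } else {
        snprintf(buf, len, "0x%03x = %s%s: %s", code, i.name,
                 i.is_warning ? " [warning]" : "", i.meaning);
    }
    return known;
}

int main(void) {
    /* The two codes quoted on this page; constructed input, no TPM needed. */
    static const uint32_t codes[] = { 0x9a2, 0x98e };
    char buf[160];
    for (size_t k = 0; k < sizeof codes / sizeof codes[0]; k++) {
        tpm_rc_describe(codes[k], buf, sizeof buf);
        puts(buf);
    }
    return 0;
}
```

The session index matters in practice: a takeownership-style command supplies one authorization session, so "session 1" points at the auth value passed for the hierarchy being changed, not at the new value being set. Extending the table with the remaining constants from Part 2 is a matter of adding rows.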
1 Answer

The 0x9a2 means the platform auth of the owner auth is not null. It may come from the BIOS itself, or from a previous takeownership.

The solution is to clear these authorizations. On a NUC NUC5i3MYHE, there is a jumper.

  • Pull out the jumper and power off.
  • Reboot. You will reach a ConfigMenu.
  • Press [4] Clear the TPM. Be careful: if you have already created keys, you won't be able to recover them.

Now, the 3 authorizations are null, and you can take ownership, and run the tests.

Damien