On 12/12/19 11:51 AM, James Bottomley wrote: > TPM2_Clear reprovisions the SPS ... that would make all currently > exported TPM keys go invalid. I know these tests should be connected > to a vTPM, so doing this should be safe, but if this accidentally got > executed on your laptop all TPM relying functions would be disrupted, > which doesn't seem to be the best thing to hard wire into a test. That is true, but it will need to be executed as root, and root should know what she/he is doing ;) > > What about doing a TPM2_DictionaryAttackLockReset instead, which is the > least invasive route to fixing the problem ... provided you know what > the lockout authorization is. I can change tpm2_clear to tpm2_dictionarylockout -c if we want to make it foolproof. In this case we can assume that the lockout auth is empty. -- Tadeusz
