On 12/12/19 12:54 PM, James Bottomley wrote: > Not in the modern kernel resource manager world: anyone who is in the > tpm group can access the tpmrm device and we haven't added a dangerous > command filter like we promised we would, so unless they have actually > set lockout or platform authorization, they'll find they can execute it The default for the tpm2_* tools with '-T device' switch is to talk to /dev/tpm0. If one would try to run it, by mistake, it would fail with: $ tpm2_clear -T device ERROR:tcti:src/tss2-tcti/tcti-device.c:439:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: Permission denied To point it to /dev/tpmrm0 it would need to be: $ tpm2_clear -T device:/dev/tpmrm0 -- Tadeusz
