I’m trying to get TrouSerS TSS working on my laptop.
Currently, I think I need to use this library, instead of libtpm-2.0 from IBM, to take ownership of the TPM. During this process, I *think* the storage root key (SRK) will be written to /usr/local/var/tpm/system.data. This is good, because so far it is quite beyond my comprehension how one might load the SRK.
I had already taken ownership of the TPM with IBM’s libtpm-2.0. This is a problem, since the TSS specification dictates that there can be only one TSS. Thus, I cleared the owner with the `clearown` utility from libtpm-2.0.
Now we want to clear all keys from the TPM, which requires demonstrating physical presence to the laptop. The process for doing this:
- Power down the laptop.
- Hold down the blue Fn key while powering on the laptop.
- Once the splash screen comes up with a message about hitting the “blue Access IBM key,” release Fn and press “Access IBM”!
- Press F1 to enter the BIOS setup.
- There will now be a new option under Security -> IBM Security Chip entitled something like “Clear Encryption Keys.” Clear away. You’re done.
I was then able to take ownership of the TPM with Tspi_TPM_TakeOwnership01.c, which is included in the testsuites of TrouSerS. I received a strange error message on my first attempt. It had to do with the inability to generate a nonce during the call to Tspi_TPM_GetPubEndorsementKey(). I did not save the exact error message. To fix this problem, I cleared the TPM using the IBM BIOS utility once more. I was then able to take ownership successfully. I wanted to try to recreate the problem, but I was unsuccessful. I suspected the problem was either: (1) failure to do a hard reboot after clearing the TPM’s owner, or (2) failure to have tcsd running. However, I retried both of these scenarios and got meaningful error messages: TCPA_DEACTIVATED and TSS_E_COMM_FAILURE, respectively.