Hi Luke, Hi Anthony,
The functionality differs a bit between tpm2_changeauth (TPM 2.0) and tpm2_takeownership.
TPM2_ChangeAuth helps to change the authorization of the hierarchies. You would be most
interested in changing the auth of the OWNER hierarchy, where typically user keys are
created. While the EK lives under the Endorsement Hierarchy that comes with more
About provisioning and EK, our developer's community has made a tutorial on Github
here - https://github.com/tpm2dev/tpm.dev.tutorials/tree/master/Enrollment
Endorsement key and hierarchy described here -
If you don't find some information in the tutorials, please feel free to open an issue
on Github, just make sure it is on the right repo :) It is completely driven by
Founder of TPM.dev
From: @rubynerd <x(a)rubynerd.net>
Sent: Wednesday, June 30, 2021 1:17 PM
To: Anthony Arrascue <AArrascue(a)neuroloop.de>
Cc: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] Re: Re-provision TPM
I'm also new to the tpm2-tools project, and whilst I cannot advise on most of the asks
in your email, I can confirm the tpm2_takeownership command was changed to
tpm2_changeauth, which offers similar functionality.
Further information is available in the changelog:
There's quite a bit of movement between what's currently in source control and the
snippets floating around on StackOverflow; the changelog is a really good resource for
reconciling these. One thing to note: if you're building this from source, the
commands have changed from "tpm2_commandname" to "tpm2 commandname",
which was another pitfall I fell into during my explorations.
Regarding the specifics of EKs and the differences/functionality of the APIs themselves,
I'm afraid I'm woefully out of my depth!
Hope this helps,
On Wed, Jun 30, 2021 at 11:07 AM Anthony Arrascue
A way of re-provisioning (on a different OS image) that worked for me is the following:
#This clears the persistent storage
#To change profile from ECC to RSA
sed -i 's/"profile_name":
#Delete existing keystores
rm -rf ~/.local/share/tpm2-tss/user/keystore
rm -rf /usr/local/var/lib/tpm2-tss/system/keystore
#Before we provision we need to generate an EK
tpm2_createprimary -C e -g sha256 -G rsa -c endorsementprimary.ctx
tpm2_create -C endorsementprimary.ctx -g sha256 -G rsa -u rsak.pub -r rsak.priv
tpm2_load -C endorsementprimary.ctx -u rsak.pub -r rsak.priv -n rsak.name -c rsak.ctx
tpm2_evictcontrol -c rsak.ctx 0x81010001
Without the tpm2_createprimary I would get an error when I use tss2_provision (something
like “key cannot be signed”). I cannot remember the error message, but it contained the
Some questions that came to my mind:
1. Can all of this be done using only Fapi (no tpm2 commands)
2. Why is generating an EK required for provisioning? (which documentation describes
3. Previous versions of the tpm2-tools had also a tpm2_takeownership. What happened
with it and how to provision with owner’s authorization?
Thank you very much for your comments.
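Added example, not code from the thread or from the tpm2-tss project: a small POSIX sh helper that switches "profile_name" in fapi-config.json (the sed step in the recipe above is truncated) and then checks the two things re-running tss2_provision depends on, that the named profile file exists under profile_dir and whether a FAPI keystore is already present. It assumes the flat one-key-per-line layout of the stock fapi-config.json, builds its own constructed files in a temporary directory, and takes P_ECCP256SHA256 as the default ECC profile name (assumed from a stock tpm2-tss install).

```shell
#!/bin/sh
# Added example, not code from the thread: read and switch "profile_name" in a FAPI
# fapi-config.json, then check the two facts the re-provisioning recipe above depends on.
# Assumption: the flat one-key-per-line layout of the stock fapi-config.json.
set -eu

# Value of a top-level string key in fapi-config.json, e.g. json_str cfg profile_name
json_str() {
    sed -n -E 's/^[[:space:]]*"'"$2"'"[[:space:]]*:[[:space:]]*"([^"]*)".*/\1/p' "$1"
}

# Point "profile_name" at another profile (e.g. P_RSA2048SHA256), leaving other keys alone.
set_fapi_profile() {
    sed -E 's/^([[:space:]]*"profile_name"[[:space:]]*:[[:space:]]*")[^"]*(")/\1'"$2"'\2/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The selected profile must exist as <profile_dir>/<profile_name>.json for tss2_provision.
profile_file_exists() {
    [ -f "$(json_str "$1" profile_dir)/$(json_str "$1" profile_name).json" ]
}

# A non-empty user or system keystore means FAPI already considers the TPM provisioned;
# tss2_provision reports that until the keystores are removed, as the recipe above does.
fapi_keystore_present() {
    for ks_key in user_dir system_dir; do
        ks_dir=$(json_str "$1" "$ks_key")
        [ -d "$ks_dir" ] && [ -n "$(ls -A "$ks_dir")" ] && return 0
    done
    return 1
}

# Constructed demo tree (not a real install): ECC default config plus both profile files,
# then the ECC -> RSA switch asked about in the thread. Prints the demo directory last.
demo_fapi_switch() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/profiles" "$tmp/user/keystore"
    : > "$tmp/profiles/P_ECCP256SHA256.json"
    : > "$tmp/profiles/P_RSA2048SHA256.json"
    printf '{\n  "profile_name": "P_ECCP256SHA256",\n  "profile_dir": "%s/profiles",\n' "$tmp" \
        > "$tmp/fapi-config.json"
    printf '  "user_dir": "%s/user/keystore",\n  "system_dir": "%s/system/keystore"\n}\n' \
        "$tmp" "$tmp" >> "$tmp/fapi-config.json"
    set_fapi_profile "$tmp/fapi-config.json" P_RSA2048SHA256
    json_str "$tmp/fapi-config.json" profile_name          # P_RSA2048SHA256
    profile_file_exists "$tmp/fapi-config.json" && echo "profile file found"
    fapi_keystore_present "$tmp/fapi-config.json" || echo "no keystore: tss2_provision can run"
    echo "$tmp"
}
```

Run demo_fapi_switch to see the checks against the constructed tree; against a real install, point the functions at /usr/local/etc/tpm2-tss/fapi-config.json and remove the keystore directories only after the keys in them are no longer needed.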
From: Anthony Arrascue
Sent: Tuesday, 1 June 2021 19:18
Subject: Re-provision TPM
I am learning about the TSS and TPM technologies.
I have provisioned the TPM with the default settings, which means I am now using the ECC
However, encryption was a requirement I needed to fulfill. I just didn't know that ECC
encryption is currently not supported and now I realize RSA would be a better fit for me.
So here is my question:
* I see there is another profile in /usr/local/etc/tpm2-tss/fapi-profiles, namely
P_RSA2048SHA256.json. Is there a way I can encrypt using the RSA profile instead of the
ECC one? I tried to re-run tss2_provision, after setting it in fapi-config.json, but it
seems this is not the way to proceed. I get the message that the TPM has been already
provisioned. What is the correct way of "changing" profile? Is it even possible
or do I need to reset the TPM?
Thank you for your help.