Hi Anthony, I'm also new to the tpm2-tools project, and whilst I cannot advise on most of the asks in your email, I can confirm the tpm2_takeownership command was changed to tpm2_changeauth, which offers similar functionality. Further information is available in the changelog: https://github.com/tpm2-software/tpm2-tools/blame/master/doc/CHANGELOG.md... There's quite a bit of movement between what's currently in source control and the snippets floating around on StackOverflow, the changelog is a really good resource for reconciling these. One thing to note: if you're building this from source, the commands have changed from "tpm2_commandname" to "tpm2 commandname", which was another pitfall I fell into during my explorations. Regarding the specifics of EKs and the differences/functionality of the APIs themselves, I'm afraid I'm woefully out of my depth! Hope this helps, Luke On Wed, Jun 30, 2021 at 11:07 AM Anthony Arrascue <AArrascue(a)neuroloop.de&gt; wrote:

Hi Luke, Hi Anthony, The functionality differs a bit between tpm2_changeauth(TPM 2.0) and tpm2_takeownership (TPM 1.2) TPM2_ChangeAuth helps to change the authorization of the hierarchies. You would be most interested in changing the auth of the OWNER hierarchy, where typically user keys are created. While the EK lives under the Endorsement Hierarchy that comes with more constrains. About provisioning and EK, our developer's community has made a tutorial on Github here - https://github.com/tpm2dev/tpm.dev.tutorials/tree/master/Enrollment Endorsement key and hierarchy described here - https://github.com/tpm2dev/tpm.dev.tutorials/tree/master/Intro#key-hierar... If you don't find some information in the tutorials, please feel free to open an issue on Github, just make sure it is on the right repo :) It is completely driven by developers. Dimi Tomov -- Founder of TPM.dev ________________________________ From: @rubynerd <x(a)rubynerd.net&gt; Sent: Wednesday, June 30, 2021 1:17 PM To: Anthony Arrascue <AArrascue(a)neuroloop.de&gt; Cc: tpm2(a)lists.01.org <tpm2(a)lists.01.org&gt; Subject: [tpm2] Re: Re-provision TPM Hi Anthony, I'm also new to the tpm2-tools project, and whilst I cannot advise on most of the asks in your email, I can confirm the tpm2_takeownership command was changed to tpm2_changeauth, which offers similar functionality. Further information is available in the changelog: https://github.com/tpm2-software/tpm2-tools/blame/master/doc/CHANGELOG.md... There's quite a bit of movement between what's currently in source control and the snippets floating around on StackOverflow, the changelog is a really good resource for reconciling these. One thing to note: if you're building this from source, the commands have changed from "tpm2_commandname" to "tpm2 commandname", which was another pitfall I fell into during my explorations. Regarding the specifics of EKs and the differences/functionality of the APIs themselves, I'm afraid I'm woefully out of my depth! Hope this helps, Luke On Wed, Jun 30, 2021 at 11:07 AM Anthony Arrascue <AArrascue@neuroloop.de<mailto:AArrascue@neuroloop.de>> wrote: A way of re-provisioning (on a different OS image) that worked for me is the following: tpm2_startup #This clears the persistent storage tpm2_clear #To change profile from ECC to RSA sed -i 's/"profile_name": "P_ECCP256SHA256"/"profile_name": "P_RSA2048SHA256"/g' /usr/local/etc/tpm2-tss/fapi-config.json #Delete existing keystores rm -rf ~/.local/share/tpm2-tss/user/keystore rm -rf /usr/local/var/lib/tpm2-tss/system/keystore #Before we provision we need to generate an EK tpm2_createprimary -C e -g sha256 -G rsa -c endorsementprimary.ctx tpm2_create -C endorsementprimary.ctx -g sha256 -G rsa -u rsak.pub -r rsak.priv tpm2_load -C endorsementprimary.ctx -u rsak.pub -r rsak.priv -n rsak.name<http://rsak.name> -c rsak.ctx tpm2_evictcontrol -c rsak.ctx 0x81010001 tss2_provision Without the tpm2_createprimary I would get an error when I use tss2_provision (something like “key cannot be signed”. I cannot remember the error message, but it contained the word EK). Some questions that came to my mind: 1. Can all of this be done using only Fapi (no tpm2 commands) 2. Why is generating an EK required for provisioning? (which documentation describes this step) 3. Previous versions of the tpm2-tools had also a tpm2_takeownership. What happened with it and how to provision with owner’s authorization? Thank you very much for your comments. Best, Anthony From: Anthony Arrascue Sent: Tuesday, 1 June 2021 19:18 To: 'tpm2@lists.01.org<mailto:tpm2@lists.01.org>' <tpm2@lists.01.org<mailto:tpm2@lists.01.org>> Subject: Re-provision TPM Hello, I am learning about the TSS and TPM techonologies. I have provisioned the TPM with the default settings, which means I am now using the ECC profile (P_ECCP256SHA256). However, encryption was a requirement I needed to fulfill. I just didn't know that ECC encryption is currently not supported and now I realize RSA would be a better fit for me. So here is my question: * I see there is another profile in /usr/local/etc/tpm2-tss/fapi-profiles, namely P_RSA2048SHA256.json. Is there a way I can encrypt using the RSA profile instead of the ECC one? I tried to re-run tss2_provision, after setting it in fapi-config.json, but it seems this is not the way to proceed. I get the message that the TPM has been already provisioned. What is the correct way of "changing" profile? Is it even possible or do I need to reset the TPM? Thank you for your help. Anthony Arrascue _______________________________________________ tpm2 mailing list -- tpm2@lists.01.org<mailto:tpm2@lists.01.org> To unsubscribe send an email to tpm2-leave@lists.01.org<mailto:tpm2-leave@lists.01.org> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s