plenordic.blogg.se - How to uninstall zorin os encrypted data

Owning the TPM means setting the password that ensures that only the authorized user can access and manage the TPM. We must also own the TPM to protect our data. This is a security limitation that prevents any user from clearing the TPM. This happens because we can’t clear the TPM from the Linux system, but from BIOS only. Tspi_TPM_ClearOwner failed: 0x0000002d – layer=tpm, code=002d (45), Bad physical presence value We can also receive an error like the following: But since the TPM owner has been cleared, there is no owner password and we can set a new one without entering the old one.

To enable the TPM afterwards, we need the owner password. When clearing the TPM we’ll return it to the default state, which is unowned, disabled and inactive, as already mentioned. This would require us to reboot the computer for changes to take effect. After reboot the TPM will be in the default state: unowned, disabled and inactive. You need to reboot to complete this operation. But if the TPM has been initialized before, we would receive the output that can be seen below: The first thing to do would be to actually enable the TPM in BIOS. This can happen if we forget to actually enable the TPM in BIOS. We can see that the TPM is disabled, which is why we can’t clear it.

Tspi_TPM_ClearOwner failed: 0x00000007 – layer=tpm, code=0007 (7), TPM is disabled

But the TPM is not checking the integrity of the kernel only, but also the integrity of all BIOS components, bootloader, and other OS components. The TPM is primarily used to check during boot if the kernel is unmodified, because otherwise an attacker could change our kernel with a malicious one, since the /boot partition is not encrypted when used with LUKS. We must remember that the TPM won’t actually be used to encrypt/decrypt our data on the hard drive it’s just a hardware that contains secret keys that are used by the software component to actually do the encryption and decryption on the fly. That command wipes all the ownership information from the TPM, invalidates all the keys and data tied to the TPM and even disables and deactivates the TPM.

First we must initialize the TPM physical chip with the tpm_clear command, which returns the TPM to the default state, which is unowned, disabled and inactive.