Tags: encryption, cng, tpm, bitlocker

TPM Owner password and lockout password with Windows 10 & linux


I've setup a dual boot so I have windows 10 and ubuntu.

Following the steps on this page I'm able to retrieve the lockout password and the owner password of my TPM in the Windows 10 registry. The result looks like this:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin
OwnerAuthStatus    REG_DWORD    0x1
LastAuthLevel    REG_DWORD    0x4
OwnerAuthFull    REG_SZ    iTcW8t1B+tIKmP/uxXPL94QF2Jw=
LockoutHash    REG_SZ    Ki1RiIu8d+eqeDoEFYcAqIoi1n4=
SRKPub    REG_BINARY    A3FEFDE6DBAA425D24717422C46C7E9C85C433CB
StorageOwnerAuth    REG_SZ
TPMCleared    REG_DWORD    0x0

OwnerAuthFull and LockoutHash are both base64 encoded, so I can decode them using this link, for instance (it gives 893716F2DD41FAD20A98FFEEC573CBF78405D89C in hex for the owner password).

After that, booting into Ubuntu, I'm trying to interact with the TPM using these passwords. I'm using tpm2-tools to interact with the TPM under Ubuntu. tpm2-tools works pretty well when Linux controls the TPM and sets up these passwords. But here I'm trying to let Windows have control of the TPM and still be able to communicate with it under Ubuntu. For instance, when I run these commands (which work when Ubuntu controls the TPM):

$ tpm2_createprimary --hierarchy e -g sha256 -G rsa -C primary.ctx
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
  raw: 0x30072
$ tpm2_create -g sha256 -G rsa -u key.pub -r key.priv  -c primary.ctx
algorithm:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
  raw: 0x60072
type:
  value: rsa
  raw: 0x1
  rsa: d14e5b7473972e4430b780dff0ec31a3a021fa0049ea1bafc17e2de4e232cba3afcdd8504c9f7dc2fa57df04ec1f64759f6bb0d8563c1ac53a7ce8d563ab7437f1f4b760960acfde7c414355c371ac8c94bba0e004bb08b499f115ba5e8efd655174c87309d64a23e198f6fce8e5451a851b7e96f7c172ba3d4be8e339176d136752e5d038ad9979585008e35bdedfdabe3236b92c60d5c4eabcafaabc8c65401aab5b479d8471d20ca18631c31404b38f3d373b5612ca906599914865cf281e550a748685fed4d60a7aa9c955d374c1d0852bb36ce9d39209e66fada20e4c473765160988470e93b63d81361613e3f5b918da167048ff8afe5e74768544fe03
$ tpm2_load -c primary.ctx  -u key.pub  -r key.priv -n key.name -C key.ctx

Load succ.
LoadedHandle: 0x80000100

$ tpm2_evictcontrol --auth o -c key.ctx --persistent 0x81010003 -P hex:893716F2DD41FAD20A98FFEEC573CBF78405D89C
persistentHandle: 0x81010003
ERROR: Tss2_Sys_EvictControl(0x9A2) - tpm:session(1):authorization failure without DA implications

I get:

ERROR: Tss2_Sys_EvictControl(0x9A2) - tpm:session(1):authorization failure without DA implications

Does anybody know why I get this error / why this password doesn't work? Where could I get the right password? Well, any pointer on how to solve this problem is appreciated! Thx!


Solution

  • I think I got my answer. In fact, Windows makes a SHA-1 hash of the password, then converts it to base64 and then stores it in the registry if gpedit is configured like so: https://msdn.microsoft.com/en-us/library/windows/desktop/aa376421(v=vs.85).aspx
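As an added example (not code from the question or the answer), here is the relationship the answer describes in Python: the registry value is base64(SHA-1(password)), and decoding it gives the 20-byte hex string that tpm2-tools takes after the `hex:` prefix. It assumes the password bytes hashed by Windows are the UTF-8 encoding of the string, which the thread does not state; the local check lets you confirm a candidate password against the stored value before sending it to the TPM, so a wrong guess does not count against the dictionary-attack lockout.

```python
"""Helpers for the Windows TPM registry values discussed above (added example)."""
import base64
import hashlib
import hmac

SHA1_DIGEST_LEN = 20  # OwnerAuthFull / LockoutHash each decode to one SHA-1 digest


def registry_value_from_password(password: str, encoding: str = "utf-8") -> str:
    """Return the form Windows stores in the registry: base64(SHA-1(password)).

    ASSUMPTION: the password is hashed as UTF-8 bytes; the thread does not say
    which encoding Windows uses, so it is left as a parameter.
    """
    digest = hashlib.sha1(password.encode(encoding)).digest()
    return base64.b64encode(digest).decode("ascii")


def registry_value_to_hex(value: str) -> str:
    """Decode a registry value into the hex string used after 'hex:' in tpm2-tools.

    Anything that is not exactly one SHA-1 digest (truncated copy, stray
    character) is rejected here instead of being sent to the TPM.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"not valid base64: {value!r}") from exc
    if len(raw) != SHA1_DIGEST_LEN:
        raise ValueError(f"expected {SHA1_DIGEST_LEN} bytes, got {len(raw)}")
    return raw.hex().upper()


def password_matches_registry(password: str, value: str, encoding: str = "utf-8") -> bool:
    """Check locally whether a candidate password produces the stored value.

    A failed authorization against the lockout hierarchy counts toward the
    TPM's dictionary-attack counter; this check costs nothing on the TPM.
    """
    expected = base64.b64decode(registry_value_from_password(password, encoding))
    stored = base64.b64decode(value)
    return hmac.compare_digest(expected, stored)


if __name__ == "__main__":
    # Values copied from the registry dump in the question.
    owner = "iTcW8t1B+tIKmP/uxXPL94QF2Jw="
    lockout = "Ki1RiIu8d+eqeDoEFYcAqIoi1n4="
    print("OwnerAuthFull as hex:", registry_value_to_hex(owner))
    print("LockoutHash   as hex:", registry_value_to_hex(lockout))
    print("tpm2-tools argument: -P hex:" + registry_value_to_hex(owner))
```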