Password protected "clear TPM"


During my master thesis I have to understand to some degree how one can use the TPM for security.
I have been testing on a Thinkpad x270. With Linux and tpm2-tools I have managed to take the ownership and set owner password etc.

But when booting the machine into BIOS settings I can just clear the TPM (delete all passwords and keys), without any form of authentication.
So my question is, is it possible to protect the “clear TPM” mechanism with a password, such that anybody cannot just boot into BIOS and clear all the stored crypto keys and owner password etc?


1 Like

I’m by no means a security expert but in my opinion the clean state is the secure state otherwise someone would have infinite tries in guessing your owner password and getting to your keys.
Not sure about TPMs but with Smart Cards normally you 3 tries for the Pin then I think 9 tries for the Admin Pin and then all the content of the SmartCard gets wiped.
That’s why Backups of the Keys are important, so you don’t lose access to what every you encrypted with them.
If you want to protect your TPM from being cleared just set a BIOS password something that should be done any way.

According to the PureBoot documentation:

Changing the TPM Admin password

The TPM Admin password is used less frequently but you might be prompted for this password if you were to flash a brand new PureBoot firmware and erase any existing settings, or when selecting a new default boot option. To change the TPM admin password you need to reset the TPM completely, which will erase any existing secrets, so you will end up configuring a new HOTP password for your Librem Key as well. To do this from the main PureBoot menu select Options → TPM/TOTP/HOTP Options → Reset the TPM and follow the prompts.