tpm_clear Command

Purpose

Returns the Trusted Platform Module (TPM) to the default state (unowned, disabled, and inactive).

Syntax

tpm_clear [ -f ] [ -h ] [ -l [ none | error | info | debug ] ] [ -u ] [ -v ] [ -z ]

Description

The tpm_clear command requests that the system TPM perform a clear operation (through the TPM_OwnerClear API), which removes all ownership information. Consequently, it invalidates all keys and data tied to the TPM, and disables and deactivates the TPM. This operation prompts for the owner password. The -f (or --force) option relies on physical presence to authorize the command (through the TPM_ForceClear API), skipping the owner password prompt.

Note: The TPM_OwnerClear API can be disabled (until the current owner is cleared) by using the -f (or --force) option of the tpm_setclearable command. The TPM_ForceClear API can be disabled for the current boot cycle with the tpm_setclearable command. The tpm_clear command requires a reboot of the system to complete the operation.

Flags

Item                                          Description
-f (or --force)                               Lets the TPM rely on physical presence for authorization, thus skipping the owner password prompt.
-h (or --help)                                Displays the command usage information.
-l (or --log) [ none | error | info | debug ] Sets the logging level to none, error, info, or debug, as specified.
-u (or --unicode)                             Uses the Trusted Computing Group Software Stack (TSS) UNICODE encoding for the passwords, for compatibility with applications that use the TSS popup boxes.
-v (or --version)                             Displays the command version information.
-z (or --well-known)                          Changes the password to a new one when the current owner password is the well-known secret of all zeros (20 bytes of zeros). You must specify which password (owner, storage root key, or both) is to be changed.
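Because a clear invalidates every key tied to the TPM and needs a reboot to complete, an operator usually wants a pre-flight check before running it. The wrapper below is an added example and not part of tpm-tools: it validates the log level, rejects the password-related -z option alongside -f (which skips the owner password prompt), and runs tpm_clear only after explicit confirmation. The TPM_CLEAR_BIN and TPM_CLEAR_CONFIRM variables are assumed names introduced here so the wrapper can be exercised on a host without a TPM.

```sh
#!/bin/sh
# Added example, not part of the tpm_clear man page: a pre-flight wrapper that
# validates options before the irreversible clear. TPM_CLEAR_BIN is an assumed
# override so the wrapper can be exercised on a host without a TPM.

TPM_CLEAR_BIN="${TPM_CLEAR_BIN:-tpm_clear}"

# Build the tpm_clear argument string from [-f] [-z] [-l LEVEL].
# Prints the arguments on success; returns 1 on an invalid option or combination.
build_tpm_clear_args() {
    force=0; wk=0; level=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -f|--force)      force=1 ;;
            -z|--well-known) wk=1 ;;
            -l|--log)        [ $# -ge 2 ] || { echo "-l needs a level" >&2; return 1; }; shift; level="$1" ;;
            *) echo "unknown option: $1" >&2; return 1 ;;
        esac
        shift
    done
    case "$level" in
        ""|none|error|info|debug) ;;
        *) echo "invalid log level: $level" >&2; return 1 ;;
    esac
    # -f authorizes through physical presence (TPM_ForceClear) and skips the
    # owner password prompt, so the password-related -z option is meaningless with it.
    if [ "$force" -eq 1 ] && [ "$wk" -eq 1 ]; then
        echo "-f skips the owner password prompt; -z has no effect with it" >&2
        return 1
    fi
    args=""
    [ "$force" -eq 1 ] && args="$args -f"
    [ "$wk" -eq 1 ] && args="$args -z"
    [ -n "$level" ] && args="$args -l $level"
    printf '%s\n' "${args# }"
}

# Run the clear only after explicit confirmation: it invalidates every key tied
# to the TPM, disables and deactivates it, and a reboot completes the operation.
tpm_clear_guarded() {
    args=$(build_tpm_clear_args "$@") || return 1
    if [ "${TPM_CLEAR_CONFIRM:-}" != "yes" ]; then
        echo "refusing to run: set TPM_CLEAR_CONFIRM=yes to clear the TPM" >&2
        return 2
    fi
    # shellcheck disable=SC2086  # word splitting of the validated args is intended
    "$TPM_CLEAR_BIN" $args && echo "TPM cleared; reboot the system to complete the operation"
}
```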