[SOLVED] TPM+Pin - Changing Lockout Parameter

Received my Framework 16 recently - I’ve deployed Arch with full disk encryption using secure boot and TPM+PIN.

I’m struggling to configure the number of TPM PIN attempts you get before it locks out though - the default appears to be 3:

$ sudo tpm2_getcap properties-variable | grep AUTH
TPM2_PT_MAX_AUTH_FAIL: 0x3

I’ve already triggered the lockout once, so am keen to increase this!

I can see that on Windows (BitLocker w/ TPM+PIN) the TPM lockout is configurable - so there must be a way to increase this from the OS - but my searching so far has not helped find a solution. I’ve not found a way to change this in the BIOS either.

If anyone knows how to do this, I’d be really grateful for any pointers!

Thanks

In standard fashion, as soon as I posted this I managed to work it out. Pasted below in case anyone else needs this in the future:

$ sudo tpm2_getcap properties-variable | grep AUTH
TPM2_PT_MAX_AUTH_FAIL: 0x3
$ sudo tpm2_dictionarylockout -s -l 600 -t 600 -n 10
$ sudo tpm2_getcap properties-variable | grep AUTH
TPM2_PT_MAX_AUTH_FAIL: 0xA

The command above sets the lockout period to 600 seconds (10 mins), and increases the number of permitted attempts to 10.

I think the ‘dictionary’ term was throwing me off (isn’t it a lockout to protect against all brute force attacks, not just dictionary?) but it definitely seems to be the right way to do it.
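A small added example (not code from the thread or from tpm2-tools) that turns the numbers above into a guess budget. It parses the `NAME: 0xVALUE` lines that `tpm2_getcap properties-variable` prints and applies the TPM 2.0 dictionary-attack model: each failed authorization increments a counter, the TPM refuses further attempts once the counter reaches MAX_AUTH_FAIL, and the counter is decremented by one every LOCKOUT_INTERVAL seconds (the `-t` value). The two sample outputs are constructed; only the MAX_AUTH_FAIL values match what the thread shows, and the 1000-second default interval is an assumption for illustration.

```python
"""Interpret TPM 2.0 dictionary-attack lockout settings from tpm2_getcap output.

Added example, not part of the forum thread. The samples below are constructed
to look like the lockout-related lines of `tpm2_getcap properties-variable`.
"""
import re
from dataclasses import dataclass

# Constructed sample: settings after `tpm2_dictionarylockout -s -l 600 -t 600 -n 10`
# (0xA = 10 tries, 0x258 = 600 seconds). Unrelated properties are omitted.
SAMPLE_AFTER = """\
TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  inLockout:                 0
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0xA
TPM2_PT_LOCKOUT_INTERVAL: 0x258
TPM2_PT_LOCKOUT_RECOVERY: 0x258
"""

# Constructed sample for the starting point: 3 tries, with an ASSUMED
# 1000-second (0x3E8) interval; the thread only shows the MAX_AUTH_FAIL line.
SAMPLE_DEFAULT = """\
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x3
TPM2_PT_LOCKOUT_INTERVAL: 0x3E8
TPM2_PT_LOCKOUT_RECOVERY: 0x3E8
"""


@dataclass
class LockoutParams:
    failed_tries: int      # TPM2_PT_LOCKOUT_COUNTER: current failure count
    max_tries: int         # TPM2_PT_MAX_AUTH_FAIL: failures before lockout
    recovery_time: int     # TPM2_PT_LOCKOUT_INTERVAL: seconds per counter decrement (-t)
    lockout_recovery: int  # TPM2_PT_LOCKOUT_RECOVERY: seconds before lockoutAuth retry (-l)


# Matches only top-level "TPM2_PT_NAME: 0xHEX" lines, not nested bit-field lines.
_LINE = re.compile(r"^(TPM2_PT_[A-Z_]+):\s*(0x[0-9A-Fa-f]+)\s*$", re.M)


def parse_lockout(text: str) -> LockoutParams:
    """Extract the four lockout properties from tpm2_getcap text."""
    props = {name: int(value, 16) for name, value in _LINE.findall(text)}
    return LockoutParams(
        failed_tries=props["TPM2_PT_LOCKOUT_COUNTER"],
        max_tries=props["TPM2_PT_MAX_AUTH_FAIL"],
        recovery_time=props["TPM2_PT_LOCKOUT_INTERVAL"],
        lockout_recovery=props["TPM2_PT_LOCKOUT_RECOVERY"],
    )


def attempts_allowed(p: LockoutParams, window_s: int) -> int:
    """Upper bound on failed PIN entries the TPM accepts within window_s seconds.

    An initial burst of (max_tries - failed_tries) attempts is available at once;
    after that the counter drains by one every recovery_time seconds, so the
    sustained rate is one attempt per recovery_time. A manual reset with the
    lockout authorization is not modelled.
    """
    if p.recovery_time <= 0:
        raise ValueError("recovery_time must be positive for the timed model")
    burst = max(p.max_tries - p.failed_tries, 0)
    return burst + window_s // p.recovery_time


def compare_per_day(before_text: str, after_text: str) -> dict:
    """Daily guess budget before and after a parameter change."""
    day = 24 * 3600
    return {
        "before": attempts_allowed(parse_lockout(before_text), day),
        "after": attempts_allowed(parse_lockout(after_text), day),
    }


if __name__ == "__main__":
    print(compare_per_day(SAMPLE_DEFAULT, SAMPLE_AFTER))
```

The takeaway for tuning: raising `-n` only widens the initial burst; the long-run number of guesses a lost laptop exposes is set by `-t`, so a larger `-n` can be paired with a longer interval without making day-to-day mistyping painful.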


Thanks for updating and providing the solution for your thread, marking as solved. :slight_smile: