% tpm2_clearcontrol(1) tpm2-tools | General Commands Manual


tpm2_clearcontrol(1) - Set/ Clear TPMA_PERMANENT.disableClear attribute to effectively block/ unblock lockout authorization handle for issuing TPM clear.


tpm2_clearcontrol [OPTIONS] [ARGUMENT]


tpm2_clearcontrol(1) - Allows user with knowledge of either lockout auth and or platform hierarchy auth to set disableClear which prevents the lockout authorization's capability to execute tpm2_clear. Only user with authorization knowledge of the platform hierarchy can clear the disableClear. By default it attempts to clear the disableClear bit.

Note: Platform hierarchy auth handle can always be used to clear the TPM with tpm2_clear command.


  • -C, --hierarchy=OBJECT:

    Specifies what auth handle, either platform hierarchy or lockout the tool should operate on. By default it operates on the platform hierarchy handle. Specify the handle as p|l|platform|lockout.

    NOTE : Operating on platform hierarchy require platform authentication.

  • -P, --auth=AUTH:

    The authorization value of the hierarchy specified with -C. This tool only respects the Password and HMAC options.

  • --cphash=FILE

    File path to record the hash of the command parameters. This is commonly termed as cpHash. NOTE: When this option is selected, The tool will not actually execute the command, it simply returns a cpHash.

  • ARGUMENT ** Specify an integer 0|1 or string c|s to clear or set the disableClear attribute.


context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.


Set the disableClear to block the lockout authorization's access to TPM clear

tpm2_clearcontrol -C l s

Clear the disableClear to unblock lockout authorization for TPM clear

tpm2_clearcontrol -C p c