From b20e4b7f46763afe8e35e4d2de37db9aa0152345 Mon Sep 17 00:00:00 2001
From: Thierry Laurion <insurgo@riseup.net>
Date: Fri, 15 May 2026 21:03:45 -0400
Subject: [PATCH 1/5] initrd: fix TPM1 counter auth regression and defend lock
 cascade failure

PR #2068 (tpm_reseal_ux-integrity_report-detect_disk_and_tpm_swap,
merged at d3d80530) changed increment_tpm_counter from hardcoded
-pwdc '' (empty counter auth) to -pwdc "${tpm_passphrase:-}" (owner
passphrase from cache/prompt), but left check_tpm_counter using empty
-pwdc when called from kexec-sign-config.sh without a $3 passphrase
argument.  This caused every counter increment to compute
SHA1(owner_pass) while the counter was created with SHA1("") -
persistent TPM_AUTH_FAIL.

Per TCG TPM Main Spec Part 3, TPM_CreateCounter uses owner auth
(-pwdo) but TPM_IncrementCounter uses the counter's own authData,
not the owner password.  The correct design for Heads' rollback
counter is empty auth: rollback security comes from the signed
/boot/kexec_rollback.txt and TPM sealing, not counter access control.

The repeated auth failures (3 per boot x ~5 boots via the
_tpm_auth_retry loop) triggered TPM 1.2 dictionary-attack lockout
(TPM_DEFEND_LOCK_RUNNING), which persisted through forceclear on
some implementations, causing tpm takeown to fail and TPM reset to
abort - a cascade failure from the counter auth mismatch.

Changes:
- initrd/bin/tpmr.sh (_tpm_auth_retry, tpm2_counter_inc, tpm2_seal,
  tpm1_seal): add 'defend' and '0x98e|0x149' to auth detection grep
  patterns so defend lock and TPM2 RC codes are treated as retryable
  auth failures rather than fatal errors
- initrd/bin/tpmr.sh (tpm1_reset): detect defend lock after takeown
  failure and cycle physical presence to clear the lock state before
  retrying; full AC power cycle remains the fallback if software
  presence is insufficient
- initrd/bin/tpmr.sh (tpm1_counter_increment): detect -pwdc '' and
  call tpm directly, bypassing _tpm_auth_retry which injected the
  owner passphrase.  Use || return to survive set -e on expected
  auth failure.
- initrd/etc/functions.sh (check_tpm_counter): pass -pwdc '' instead
  of -pwdc "${tpm_passphrase:-}" so counters use SHA1("") per TCG
  spec.  Document that $3 is intentionally ignored.
- initrd/etc/functions.sh (increment_tpm_counter): try -pwdc '' first
  for TPM1.  If that fails on a readable counter (created by PR #2068
  era code), prompt for owner passphrase and retry as migration
  fallback with clear WARN explaining the one-time migration and
  TPM reset option.
- initrd/etc/functions.sh (increment_tpm_counter): remove the
  TPM1-specific owner-passphrase prompt block added by PR #2068
- initrd/etc/functions.sh (increment_tpm_counter): DIE-path fallback
  counter_create: -pwdc '' for consistency
- initrd/bin/oem-factory-reset.sh: counter_create -pwdc '' for
  consistency with the empty-auth design
- doc/tpm.md: document TPM1 boot chain, tpmtotp tool selection,
  auth retry patterns, defend lock recovery, and physical presence

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
---
 doc/tpm.md                      | 96 ++++++++++++++++++++++++++++++++-
 initrd/bin/oem-factory-reset.sh |  2 +-
 initrd/bin/tpmr.sh              | 75 +++++++++++++++++++++-----
 initrd/etc/functions.sh         | 44 +++++++++------
 4 files changed, 185 insertions(+), 32 deletions(-)

diff --git a/doc/tpm.md b/doc/tpm.md
index 90f7ec064..f20bf0f8f 100644
--- a/doc/tpm.md
+++ b/doc/tpm.md
@@ -10,8 +10,35 @@ See also: [architecture.md](architecture.md), [boot-process.md](boot-process.md)
 ## tpmr — unified TPM abstraction
 
 `initrd/bin/tpmr.sh` is a shell script wrapper that presents a single interface
-over both TPM 1.2 (`tpm` / `trousers`) and TPM 2.0 (`tpm2-tools`). All Heads
-scripts call `tpmr.sh` rather than invoking `tpm` or `tpm2` directly.
+over both TPM 1.2 and TPM 2.0. All Heads scripts call `tpmr.sh` rather than
+invoking TPM tools directly.
+
+### Boot chain and TPM tool selection
+
+```text
+initrd/init  (PID 1)
+  └─ CONFIG_BOOTSCRIPT → /bin/gui-init.sh          [board config]
+       ├─ source /etc/functions.sh                   [shared TPM helpers]
+       ├─ source /etc/gui_functions.sh               [whiptail wrappers]
+       └─ calls initrd/bin/tpmr.sh                   [TPM abstraction]
+            ├─ TPM1: calls `tpm` (tpmtotp util/tpm)  [CONFIG_TPM2_TOOLS != y]
+            │          modules/tpmtotp → output: totp hotp qrenc util/tpm
+            │
+            └─ TPM2: calls tpm2_* (tpm2-tools)       [CONFIG_TPM2_TOOLS=y]
+                       modules/tpm2-tss + modules/tpm2-tools
+```
+
+TPM1 support comes exclusively from the `tpmtotp` module (`modules/tpmtotp`),
+which builds `util/tpm` as part of its outputs. This binary is installed to
+the initrd as `tpm` and supports subcommands such as `physicalpresence`,
+`forceclear`, `takeown -pwdo`, `counter_create`, `counter_increment`, etc.
+
+TPM2 support comes from `modules/tpm2-tss` (TSS software stack) and
+`modules/tpm2-tools` (command-line tools like `tpm2_nvdefine`,
+`tpm2_getcap`, `tpm2_nvincrement`).
+
+Both TPM1 and TPM2 boards may also enable `CONFIG_TPMTOTP=y` for the
+`totp` and `hotp` utilities, which are independent of the TPM version.
 
 ### PCR sizes
 
@@ -398,3 +425,68 @@ To verify that a new board's coreboot config matches the expected RoT:
 | Auth sessions | Not used | Required for policy-based unseal |
 | `kexec_finalize` | No-op | Extends PCRs, then `tpm2 shutdown` |
 | `startsession` | No-op | Creates encryption session |
+
+### TPM1 auth retry and error detection
+
+`_tpm_auth_retry()` in `initrd/bin/tpmr.sh` provides shared retry logic for
+both TPM1 and TPM2 operations that need authorization. On auth failure
+(wrong passphrase), the passphrase cache is shredded and the user is
+re-prompted up to 3 times before giving up.
+
+Auth failure is detected by grepping the command output for known error
+patterns.  TPM1 (tpmtotp) errors go to stdout via `printf()` with
+`TPM_GetErrMsg()` strings.  TPM2 (tpm2-tools) errors go to stderr via
+`LOG_ERR()` and may include raw TPM response codes.
+
+| Pattern | Type | TPM version | Example error |
+| --- | --- | --- | --- |
+| `authorization|auth|bad|permission` | English words | TPM1+TPM2 | `TPM_AUTHFAIL`, `bad passphrase` |
+| `defend` | English word | TPM1 | `Defend lock running` |
+| `0x98e|0x149` | Hex codes | TPM2 | `TPM2_RC_AUTH_FAIL`, `TPM2_RC_NV_AUTHORIZATION` |
+
+### TPM1 reset defend lock
+
+`TPM_DEFEND_LOCK_RUNNING` (`tpm_error.h`: `TPM_BASE + TPM_NON_FATAL + 3`)
+is a standard TPM 1.2 error raised when the TPM's dictionary-attack
+protection is active. After too many failed authorization attempts, the
+TPM enters a time-out period and refuses all authorization operations —
+including `tpm takeown` even after a successful `tpm forceclear`
+(forceclear clears the owner but not the dictionary attack counter on
+some implementations).
+
+tpmtotp's `tpm takeown` outputs:
+```
+Error Defend lock running from TPM_TakeOwnership
+```
+
+`tpm1_reset()` in `initrd/bin/tpmr.sh` detects "defend lock" in the
+`takeown` output and cycles physical presence (`physicaldisable` /
+`physicalenable` / `physicalpresence` / `physicalsetdeactivated`) to
+reset the TPM state machine and clear the lock on chips that honour
+software presence.  `TPM_ResetLockValue` (in tpmtotp's `util/resetlockvalue.c`)
+exists but requires owner auth — after forceclear there is no owner,
+so it cannot be used.
+
+If the cycling also fails, only a full AC power cycle (not just reboot)
+will clear the defend lock.  The timeout duration is chip-specific and
+not documented in the tpmtotp source.
+
+### TPM1 physical presence
+
+TPM1.2 forceclear requires physical presence to be asserted. The
+`tpm1_reset()` function does this with `tpm physicalpresence -s` (software
+presence). On some platforms (e.g., Dell OptiPlex, some Infineon TPMs),
+software physical presence may not work — the TPM firmware only accepts
+hardware-asserted presence (GPIO set by BIOS). In that case, `forceclear`
+returns success but may not fully reset the TPM, or `takeown` may fail
+with unexpected errors.
+
+When software physical presence fails, the LOG shows:
+```
+tpm1_reset: unable to set physical presence
+```
+
+This is logged but not fatal — `tpm forceclear` is still attempted.
+If the TPM firmware ignores software physical presence, the reset fails
+and the user must use the platform's hardware TPM reset mechanism
+(typically a BIOS option or jumper).
diff --git a/initrd/bin/oem-factory-reset.sh b/initrd/bin/oem-factory-reset.sh
index ece2f8f59..5dc315965 100755
--- a/initrd/bin/oem-factory-reset.sh
+++ b/initrd/bin/oem-factory-reset.sh
@@ -868,7 +868,7 @@ generate_checksums() {
 	if [ "$CONFIG_TPM" = "y" ]; then
 		if [ "$CONFIG_IGNORE_ROLLBACK" != "y" ]; then
 			tpmr.sh counter_create \
-				-pwdc "${TPM_PASS:-}" \
+				-pwdc '' \
 				-la -3135106223 |
 				tee /tmp/counter >/dev/null 2>&1 ||
 				whiptail_error_die "Unable to create TPM counter"
diff --git a/initrd/bin/tpmr.sh b/initrd/bin/tpmr.sh
index 46f4581d8..00e5bf379 100755
--- a/initrd/bin/tpmr.sh
+++ b/initrd/bin/tpmr.sh
@@ -354,7 +354,7 @@ tpm2_counter_inc() {
 		rm -f "$tmp_err_file"
 		shred -n 10 -z -u /tmp/secret/tpm_owner_passphrase 2>/dev/null || true
 		DEBUG "tpm2_counter_inc attempt $attempt failed. Stderr: $tmp_err_content"
-		if ! echo "$tmp_err_content" | grep -qiE 'authorization|auth|bad|permission|0x98e|0x149'; then
+		if ! echo "$tmp_err_content" | grep -qiE 'authorization|auth|bad|permission|defend|0x98e|0x149'; then
 			DIE "Can't increment TPM counter for $index, access denied."
 		fi
 		WARN "Authentication failed, retrying..."
@@ -370,16 +370,26 @@ tpm2_counter_inc() {
 # Caching: prompt_tpm_owner_password reuses cached passphrase if available.
 # On auth failure the cache is shredded; next prompt will ask the user.
 #
+# Error stream selection:
+#   TPM1 (tpmtotp):   errors go to stdout via printf() — capture stdout+stderr
+#   TPM2 (tpm2-tools): errors go to stderr via LOG_ERR() — capture stderr only
+#
+# Auth detection grep patterns:
+#   English words  — TPM1 (TPM_GetErrMsg returns "Authentication failed...")
+#                  — TPM2 (tpm2-tools LOG_ERR returns "TPM2_RC_AUTH_FAIL...")
+#   defend         — TPM1 "Defend lock running" (TPM_DEFEND_LOCK_RUNNING)
+#   0x98e, 0x149  — TPM2 raw hex codes (TPM2_RC_AUTH_FAIL, TPM2_RC_NV_AUTHORIZATION)
+#
 # Usage: _tpm_auth_retry <label> <error_stream> <tpm_type> <pw_flag> <cmd...>
 #   <label>:        short name for debug (e.g. "counter_create")
-#   <error_stream>: "stdout" (TPM1) or "stderr" (TPM2)
+#   <error_stream>: "stdout" (TPM1: tpmtotp printf) or "stderr" (TPM2: tpm2-tools LOG_ERR)
 #   <tpm_type>:    "tpm1" or "tpm2"
 #   <pw_flag>:     passphrase flag for TPM1 (-pwdo or -pwdc), ignored for TPM2
 #   <cmd...>:       the tpm command and its non-auth arguments
 #
 # Exit codes:
 #   0: success
-#   1: non-auth error (e.g., "out of resources" 0x15) — caller should check
+#   1: non-auth error (e.g., TPM1 "out of resources" 0x15) — caller should check
 _tpm_auth_retry() {
 	local label="$1" error_stream="$2" tpm_type="$3" pw_flag="$4"
 	shift 4
@@ -417,7 +427,7 @@ _tpm_auth_retry() {
 		DEBUG "_tpm_auth_retry $label attempt $attempt failed: $out_content"
 		rm -f "$tmp_file"
 		shred -n 10 -z -u /tmp/secret/tpm_owner_passphrase 2>/dev/null || true
-		if echo "$out_content" | grep -qiE 'authorization|auth|bad|permission'; then
+		if echo "$out_content" | grep -qiE 'authorization|auth|bad|permission|defend|0x98e|0x149'; then
 			WARN "$label failed (bad passphrase?). Retrying..."
 		else
 			# Non-auth error (e.g., out of resources 0x15)
@@ -443,17 +453,33 @@ tpm1_counter_read() {
 
 # tpm1_counter_increment - Increment a TPM1 rollback counter.
 # Args: -ix <index> [ -pwdc <passphrase> ]
+#
+# Auth behaviour:
+#   -pwdc ''       : empty counter auth (SHA1 of ""), correct per TCG spec.
+#                    Calls tpm directly without retry — caller handles fallback.
+#   -pwdc <pass>   : owner passphrase auth via _tpm_auth_retry (migration).
+#   (no -pwdc)     : owner passphrase auth via _tpm_auth_retry (backward compat).
 tpm1_counter_increment() {
 	TRACE_FUNC
 	local counter_id=""
+	local pwdc_provided="n"
+	local pwdc_value=""
 	while [ $# -gt 0 ]; do
 		case "$1" in
 			-ix) counter_id="$2"; shift 2 ;;
-			-pwdc) shift 2 ;;  # passphrase handled by _tpm_auth_retry
+			-pwdc) pwdc_provided="y"; pwdc_value="$2"; shift 2 ;;
 			*) shift ;;
 		esac
 	done
-	_tpm_auth_retry "counter_increment" "stdout" "tpm1" "-pwdc" tpm counter_increment -ix "$counter_id"
+	if [ "$pwdc_provided" = "y" ] && [ -z "$pwdc_value" ]; then
+		# Empty counter auth per TCG spec.
+		# Call tpm directly: no retry needed, caller handles fallback.
+		# Use || return so set -e doesn't kill the script on auth failure.
+		tpm counter_increment -ix "$counter_id" -pwdc '' || return $?
+	else
+		_tpm_auth_retry "counter_increment" "stdout" "tpm1" "-pwdc" \
+			tpm counter_increment -ix "$counter_id"
+	fi
 }
 
 tpm2_counter_create() {
@@ -641,7 +667,7 @@ tpm2_seal() {
 		rm -f "$tmp_err_file"
 		DEBUG "Failed attempt $attempt to write sealed secret to NVRAM from tpm2_seal. Stderr: $tmp_err_content"
 		shred -n 10 -z -u /tmp/secret/tpm_owner_passphrase 2>/dev/null || true
-		if echo "$tmp_err_content" | grep -qiE 'authorization|auth|bad|permission'; then
+		if echo "$tmp_err_content" | grep -qiE 'authorization|auth|bad|permission|defend|0x98e|0x149'; then
 			if [ "$attempt" -ge 3 ]; then
 				DIE "Unable to write sealed secret to TPM NVRAM after 3 attempts. Reset the TPM and try again."
 			fi
@@ -759,7 +785,7 @@ tpm1_seal() {
 			rm -f "$tmp_def_out"
 			DEBUG "tpm1_seal nv_definespace failed (attempt $attempt): $def_out_content"
 			# If auth failure, retry after re-prompt; otherwise bail out.
-			if echo "$def_out_content" | grep -qiE 'authorization|auth|bad|permission'; then
+			if echo "$def_out_content" | grep -qiE 'authorization|auth|bad|permission|defend'; then
 				shred -n 10 -z -u /tmp/secret/tpm_owner_passphrase 2>/dev/null || true
 				WARN "nv_definespace failed (bad passphrase?). Retrying..."
 				continue
@@ -788,7 +814,7 @@ tpm1_seal() {
 		fi
 		DEBUG "tpm1_seal nv_writevalue(post-define) output: $tmp_out_content"
 		shred -n 10 -z -u /tmp/secret/tpm_owner_passphrase 2>/dev/null || true
-		if echo "$tmp_out_content" | grep -qiE 'authorization|auth|bad|permission'; then
+		if echo "$tmp_out_content" | grep -qiE 'authorization|auth|bad|permission|defend'; then
 			if [ "$attempt" -ge 3 ]; then
 				DIE "Unable to write sealed secret to TPM NVRAM after 3 attempts"
 			fi
@@ -1075,9 +1101,34 @@ tpm1_reset() {
 	DO_WITH_DEBUG tpm physicalenable >/dev/null 2>&1 || LOG "tpm1_reset: unable to physicalenable after clear"
 
 	# 3. Take ownership with the new TPM owner passphrase.
-	if ! DO_WITH_DEBUG --mask-position 3 tpm takeown -pwdo "$tpm_owner_passphrase" >/dev/null 2>&1; then
-		LOG "tpm1_reset: tpm takeown failed after forceclear"
-		return 1
+	# TPM_DEFEND_LOCK_RUNNING is a standard TPM 1.2 error raised after
+	# too many failed authorization attempts (see tpm_error.h).  The TPM
+	# enters a time-out period and refuses all authorization operations —
+	# including takeown, even after a successful forceclear (forceclear
+	# clears the owner but not the dictionary attack counter on some
+	# implementations).  
+	# TPM_ResetLockValue requires owner auth, which does not exist after
+	# forceclear, so we cannot call it.  Cycle physical presence
+	# (physicaldisable + physicalenable) to reset the TPM state machine
+	# on chips that honour software presence.  If the lock persists,
+	# only a full AC power cycle (not just reboot) will clear it.
+	local takeown_rc takeown_out
+	takeown_out="$(DO_WITH_DEBUG --mask-position 3 tpm takeown -pwdo "$tpm_owner_passphrase" 2>&1)" && takeown_rc=0 || takeown_rc=$?
+	if [ $takeown_rc -ne 0 ]; then
+		if echo "$takeown_out" | grep -qi "defend lock"; then
+			LOG "tpm1_reset: defend lock detected after forceclear — cycling physical presence to clear"
+			DO_WITH_DEBUG tpm physicaldisable >/dev/null 2>&1 || true
+			DO_WITH_DEBUG tpm physicalenable >/dev/null 2>&1 || true
+			DO_WITH_DEBUG tpm physicalpresence -s >/dev/null 2>&1 || true
+			DO_WITH_DEBUG tpm physicalsetdeactivated -c >/dev/null 2>&1 || true
+			if ! DO_WITH_DEBUG --mask-position 3 tpm takeown -pwdo "$tpm_owner_passphrase" >/dev/null 2>&1; then
+				LOG "tpm1_reset: tpm takeown still failed after defend lock recovery"
+				return 1
+			fi
+		else
+			LOG "tpm1_reset: tpm takeown failed after forceclear"
+			return 1
+		fi
 	fi
 
 	# 4. Leave TPM enabled, present, and not deactivated.
diff --git a/initrd/etc/functions.sh b/initrd/etc/functions.sh
index f9b0694fd..acfe1bcf5 100644
--- a/initrd/etc/functions.sh
+++ b/initrd/etc/functions.sh
@@ -1848,7 +1848,8 @@ check_tpm_counter() {
 	TRACE_FUNC
 
 	LABEL=${2:-3135106223}
-	tpm_passphrase="$3"
+	# $3 (tpm_passphrase) was used by pre-PR #2068 code but is now intentionally
+	# ignored — counters are created with empty auth (-pwdc '') per TCG spec.
 	# if the /boot.hashes file already exists, read the TPM counter ID
 	# from it.
 	if [ -r "$1" ]; then
@@ -1872,7 +1873,7 @@ check_tpm_counter() {
 		(
 			set +e
 			tpmr.sh counter_create \
-				-pwdc "${tpm_passphrase:-}" \
+				-pwdc '' \
 				-la "$LABEL" \
 				>/tmp/counter 2> >(tee >(SINK_LOG "tpm counter_create stderr") >&2)
 			echo $? > /tmp/counter_create_rc
@@ -2051,23 +2052,13 @@ increment_tpm_counter() {
 	fi
 
 	# Prefer explicit passphrase, otherwise reuse cached TPM owner passphrase.
+	# TPM2 uses owner-auth fallback in tpm2_counter_inc; TPM1 uses empty counter
+	# auth (SHA1("")) per TCG spec — no owner passphrase needed for increment.
 	if [ -z "$tpm_passphrase" ] && [ -s /tmp/secret/tpm_owner_passphrase ]; then
 		tpm_passphrase="$(cat /tmp/secret/tpm_owner_passphrase)"
 		DEBUG "increment_tpm_counter: using cached TPM owner passphrase"
 	fi
 
-	# TPM1 counter_increment requires owner auth in practice on this path.
-	# origin/master typically reached this with cached owner passphrase already set,
-	# but the newer reseal/update flows can call this later in the session after
-	# that cache is absent. Prompt once and cache to avoid empty -pwdc failures.
-	if [ "$CONFIG_TPM2_TOOLS" != "y" ] && [ -z "$tpm_passphrase" ]; then
-		WARN "TPM Owner Passphrase is required to update rollback counter before signing updated boot hashes."
-		DEBUG "increment_tpm_counter: TPM1 path has no cached/provided owner passphrase; prompting now"
-		prompt_tpm_owner_password
-		tpm_passphrase="$tpm_owner_passphrase"
-		DEBUG "increment_tpm_counter: TPM1 owner passphrase obtained and cached"
-	fi
-
 	# Try to increment the counter.  We normally hide the verbose
 	# output of tpmr.sh commands to avoid overwhelming the console, but we
 	# must *not* swallow any interactive prompts.  The previous implementation
@@ -2094,7 +2085,11 @@ increment_tpm_counter() {
 			increment_ok="y"
 		fi
 	else
-		# TPM1 path uses owner auth in practice.
+		# TPM1 counter uses empty auth (SHA1 of "") per TCG spec.
+		# The counter's auth is separate from the owner passphrase.
+		# If empty auth fails on a readable counter, the counter was
+		# created by pre-fix code with owner-passphrase auth — prompt
+		# for owner passphrase and retry as migration fallback.
 		# NOTE: tpmtotp C code prints ALL output (success + errors) to stdout.
 		# We must capture stdout to detect failures properly.
 		# DO_WITH_DEBUG internally captures the command's stderr (tee /dev/stderr
@@ -2104,10 +2099,25 @@ increment_tpm_counter() {
 		if (
 			set -o pipefail
 			DO_WITH_DEBUG --mask-position 5 \
-				tpmr.sh counter_increment -ix "$counter_id" -pwdc "${tpm_passphrase:-}" \
+				tpmr.sh counter_increment -ix "$counter_id" -pwdc '' \
 					2>/dev/null | tee /tmp/counter-"$counter_id" >/dev/null
 		); then
 			increment_ok="y"
+		elif [ "$counter_present" = "y" ]; then
+			if [ -z "$tpm_passphrase" ]; then
+				WARN "TPM Owner Passphrase required to increment counter created by previous Heads version"
+				prompt_tpm_owner_password
+				tpm_passphrase="$tpm_owner_passphrase"
+			fi
+			if (
+				set -o pipefail
+				DO_WITH_DEBUG --mask-position 5 \
+					tpmr.sh counter_increment -ix "$counter_id" -pwdc "${tpm_passphrase}" \
+						2>/dev/null | tee /tmp/counter-"$counter_id" >/dev/null
+			); then
+				increment_ok="y"
+				WARN "TPM counter created by older firmware (uses owner passphrase). This is a one-time migration; operation continues with owner-passphrase auth. Reset TPM in menu (Options -> TPM/TOTP/HOTP Options -> Reset the TPM) to create a new empty-auth counter (recommended), or leave as-is."
+			fi
 		fi
 	fi
 
@@ -2126,7 +2136,7 @@ increment_tpm_counter() {
 		if (
 			set -o pipefail
 			DO_WITH_DEBUG --mask-position 3 \
-				tpmr.sh counter_create -pwdc "${tpm_passphrase:-}" -la 3135106223 \
+				tpmr.sh counter_create -pwdc '' -la 3135106223 \
 				2> >(tee >(SINK_LOG "tpm counter_create stderr") >&2) |
 				tee /tmp/new-counter >/dev/null
 		); then

From f7376c2c8b9065ccbc51f20c1169e559e94aceb8 Mon Sep 17 00:00:00 2001
From: Thierry Laurion <insurgo@riseup.net>
Date: Sun, 17 May 2026 11:58:01 -0400
Subject: [PATCH 2/5] initrd: add TPM DA lockout gating, bad_auth test helpers,
 doc and review fixes

Add preflight dictionary attack (DA) lockout guard to
increment_tpm_counter, querying da_state before every counter
increment. DIE on active lockout, WARN when count nears threshold.

Add tpm1_da_state and tpm2_da_state for unified DA state query:
  - TPM1: reads TPM_CAP_DA_LOGIC (0x19); actionDependValue>0 +
    state=1 = locked; DA: line timer=field maps to actionDependValue
  - TPM2: reads getcap properties-variable (no single DA query);
    count >= max_auth = locked; estimate = (counter - max_auth + 1)
    * interval; DA: line timer=present when locked, absent when clean
  - Both output machine-parsable DA: line for the preflight guard

Fix da_timer sed pattern: use sed -n with /p so da_timer stays
empty when DA: line has no timer= field (TPM2 count < threshold).
Without -n, non-matching lines echoed the full line as da_timer.

Add tpm1_bad_auth and tpm2_bad_auth for testing:
  - Uses NV index auth (-P) not owner auth (-C o -P) for TPM2
    because NV auth failure produces TPM2_RC_AUTH_FAIL (0x98e) and
    increments LOCKOUT_COUNTER; owner auth may not increment on
    some TPM2 implementations
  - Intentionally wrong password TPM_DEFEND_LOCK_TEST_WRONG_PASSWORD
  - Shows DA state before and after; uses || true to survive set -e

Add tpm-reset.sh as a TPM reset frontend via tpmr.sh wrapper.

Add DA documentation in doc/tpm.md covering diagnosis, testing,
escalation, TPM1 vs TPM2 DA parameter configurability.

Review fixes:
  - Fix TPM2 property names: TPM_PT_ -> TPM2_PT_ prefix in doc/tpm.md
  - Remove misplaced design decision comment from tpm2_da_state
    (belongs in tpm2_bad_auth where it already exists)
  - Add DEBUG logging at every decision point across preflight guard
    and all DA state functions for runtime traceability
  - Document design decisions inline: timer logic, estimate formula,
    empty auth retry bypass, NV vs owner auth

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
---
 doc/tpm.md              | 142 ++++++++++++++++++++---
 initrd/bin/tpm-reset.sh |   9 ++
 initrd/bin/tpmr.sh      | 244 +++++++++++++++++++++++++++++++++++++---
 initrd/etc/functions.sh |  51 ++++++++-
 4 files changed, 413 insertions(+), 33 deletions(-)

diff --git a/doc/tpm.md b/doc/tpm.md
index f20bf0f8f..7e6a37396 100644
--- a/doc/tpm.md
+++ b/doc/tpm.md
@@ -24,8 +24,8 @@ initrd/init  (PID 1)
             ├─ TPM1: calls `tpm` (tpmtotp util/tpm)  [CONFIG_TPM2_TOOLS != y]
             │          modules/tpmtotp → output: totp hotp qrenc util/tpm
             │
-            └─ TPM2: calls tpm2_* (tpm2-tools)       [CONFIG_TPM2_TOOLS=y]
-                       modules/tpm2-tss + modules/tpm2-tools
+             └─ TPM2: calls `tpm2` (single binary, subcommands)  [CONFIG_TPM2_TOOLS=y]
+                        modules/tpm2-tss + modules/tpm2-tools
 ```
 
 TPM1 support comes exclusively from the `tpmtotp` module (`modules/tpmtotp`),
@@ -34,8 +34,8 @@ the initrd as `tpm` and supports subcommands such as `physicalpresence`,
 `forceclear`, `takeown -pwdo`, `counter_create`, `counter_increment`, etc.
 
 TPM2 support comes from `modules/tpm2-tss` (TSS software stack) and
-`modules/tpm2-tools` (command-line tools like `tpm2_nvdefine`,
-`tpm2_getcap`, `tpm2_nvincrement`).
+`modules/tpm2-tools` (`tpm2` binary with subcommands like `getcap`,
+`nvdefine`, `nvincrement`).
 
 Both TPM1 and TPM2 boards may also enable `CONFIG_TPMTOTP=y` for the
 `totp` and `hotp` utilities, which are independent of the TPM version.
@@ -449,10 +449,10 @@ patterns.  TPM1 (tpmtotp) errors go to stdout via `printf()` with
 `TPM_DEFEND_LOCK_RUNNING` (`tpm_error.h`: `TPM_BASE + TPM_NON_FATAL + 3`)
 is a standard TPM 1.2 error raised when the TPM's dictionary-attack
 protection is active. After too many failed authorization attempts, the
-TPM enters a time-out period and refuses all authorization operations —
+TPM enters a time-out period and refuses all authorization operations --
 including `tpm takeown` even after a successful `tpm forceclear`
 (forceclear clears the owner but not the dictionary attack counter on
-some implementations).
+some implementations, particularly Infineon TPMs).
 
 tpmtotp's `tpm takeown` outputs:
 ```
@@ -460,16 +460,100 @@ Error Defend lock running from TPM_TakeOwnership
 ```
 
 `tpm1_reset()` in `initrd/bin/tpmr.sh` detects "defend lock" in the
-`takeown` output and cycles physical presence (`physicaldisable` /
-`physicalenable` / `physicalpresence` / `physicalsetdeactivated`) to
-reset the TPM state machine and clear the lock on chips that honour
-software presence.  `TPM_ResetLockValue` (in tpmtotp's `util/resetlockvalue.c`)
-exists but requires owner auth — after forceclear there is no owner,
-so it cannot be used.
-
-If the cycling also fails, only a full AC power cycle (not just reboot)
-will clear the defend lock.  The timeout duration is chip-specific and
-not documented in the tpmtotp source.
+`takeown` output and attempts one recovery: cycling physical presence
+(`physicaldisable` / `physicalenable` / `physicalpresence` /
+`physicalsetdeactivated`) to re-assert PP before retrying `takeown`.
+This works on some chipsets where software presence was not properly
+honoured by the first `forceclear`.
+
+If PP cycling also fails, no software-based recovery is available.
+Further attempts (second forceclear, `TPM_ResetLockValue` with empty
+auth, sleep+retry) will not help.  Use `tpmr.sh da_state` from the
+recovery shell to check the current DA state:
+
+- **TPM1**: `actionDependValue` reports remaining lockout seconds.
+- **TPM2**: the human-readable summary shows estimated unlock time
+  based on `recoveryTime` (seconds before one failure is forgotten).
+
+Alternatively, reset the TPM to clear the DA state entirely:
+`tpm-reset.sh` from the recovery shell, or GUI menu `Options ->
+TPM/TOTP/HOTP Options -> Reset the TPM` for full reprovision.
+
+#### DA lockout duration escalation
+
+TPM 1.2 dictionary attack timeouts escalate with the failure count
+(approximate; varies by vendor and TPM firmware version per Dell and
+Microsoft documentation):
+
+| Failures accumulated | Typical lockout time |
+|---------------------|---------------------|
+| 1-2 | None (counter only) |
+| 3-5 | 10 seconds |
+| 6-9 | 1 hour |
+| 10-12 | Several hours |
+| 13+ | Up to 24 hours |
+
+Each time the TPM fully locks out and the timer expires, the DA counter
+resets.  If failures continue to accumulate across boots without
+waiting for the timer to expire, the escalation can reach 24 hours.
+This is what happened with the counter auth regression (3 failures per
+boot x many boots): the DA counter reached the maximum threshold.
+
+#### Diagnosing DA state
+
+Use `tpmr.sh da_state` from the recovery shell to query the current DA
+state.  Available for both TPM1 and TPM2:
+
+| Information | TPM1 | TPM2 |
+|-------------|------|------|
+| Locked? | `state`: 0=inactive, 1=locked | `TPM2_PT_LOCKOUT_COUNTER` > `TPM2_PT_MAX_AUTH_FAIL` |
+| Current failures | `currentCount` | `TPM2_PT_LOCKOUT_COUNTER` |
+| Lockout threshold | `thresholdCount` | `TPM2_PT_MAX_AUTH_FAIL` |
+| Lockout interval | -- | `TPM2_PT_LOCKOUT_INTERVAL` |
+| Time remaining | `actionDependValue` (seconds) | `TPM2_PT_LOCKOUT_RECOVERY` |
+
+The recovery shell can run `tpmr.sh da_state` at any time to check
+whether the TPM is locked and how much lockout time remains.
+
+#### DA parameter configurability
+
+TPM2 DA parameters are configured during `tpm2_reset()` (called by
+`tpm-reset.sh` and the GUI `reset_tpm()`).  Heads sets:
+- `maxTries=10`: auth failures before lockout
+- `recoveryTime=3600`: seconds before one failure is forgotten (counter
+  decrements by 1 per interval)
+- `lockoutRecovery=0`: seconds lockout auth blocked after failure
+
+TPM1 has no software-accessible command to configure DA parameters
+(tpmtotp's `setcapability` does not expose DA threshold or timeout
+sub-capabilities).  The DA policy is determined by the TPM firmware
+and cannot be changed through software on TPM1.
+
+#### Testing DA lockout
+
+Use `tpmr.sh bad_auth` from the recovery shell to test dictionary attack
+lockout behavior by deliberately triggering an auth failure:
+
+- **TPM1**: increments the rollback counter with a wrong password via
+  `tpm counter_increment -pwdc <wrong>`.  Each call increments the DA
+  counter by 1 until lockout is triggered at `currentCount >= thresholdCount`.
+- **TPM2**: increments an existing NV counter with a wrong password via
+  `tpm2 nvincrement -P <wrong>`.  Requires a counter created by a prior
+  `reset_tpm()` GUI flow.  Each call increments `TPM2_PT_LOCKOUT_COUNTER`
+  by 1 until lockout is triggered.
+
+Both show DA state before and after the attempt, and the `DA:` machine
+line is logged by the preflight guard in `increment_tpm_counter`.
+
+#### Preventing future lockouts
+
+Heads' counter auth regression (PR #2068) caused 3 TPM auth failures
+per boot by passing the owner passphrase as the counter auth while the
+counter was created with empty auth.  This was fixed in PR #2117 by
+restoring empty counter auth for both creation and increment,
+preventing any auth failures from counter operations.  All TPM1 boards
+that ran the regression code are affected identically; this is not
+platform-specific.
 
 ### TPM1 physical presence
 
@@ -490,3 +574,29 @@ This is logged but not fatal — `tpm forceclear` is still attempted.
 If the TPM firmware ignores software physical presence, the reset fails
 and the user must use the platform's hardware TPM reset mechanism
 (typically a BIOS option or jumper).
+
+### TPM reset methods
+
+Heads has two TPM reset methods with different scope:
+
+**`tpm-reset.sh`** (CLI, recovery shell):
+- Prompts for new owner passphrase, calls `tpmr.sh reset`
+- TPM clear + re-ownership only
+- No counter creation, no /boot signing, no TOTP/HOTP generation
+- Intended for headless recovery or clearing a defend lock before running
+  the full GUI flow
+
+**`reset_tpm()`** (GUI, via Options -> TPM/TOTP/HOTP -> Reset the TPM in
+`initrd/bin/gui-init.sh`):
+- Prompts for new owner passphrase, calls `tpmr.sh reset`
+- Removes stale `/boot/kexec_rollback.txt` and `/boot/kexec_primhdl_hash.txt`
+- Creates new TPM rollback counter via `check_tpm_counter()`
+- Increments the new counter
+- Re-signs /boot with the GPG signing key
+- Generates new TOTP/HOTP secrets
+- Reseals TPM Disk Unlock Key (DUK) to LUKS
+- Regenerates TPM2 encrypted sessions
+
+After `tpm-reset.sh`, the TPM is cleared but the system is not fully
+provisioned — the user must complete the GUI `reset_tpm()` or OEM Factory
+Reset to restore counter, signing, and secrets.
diff --git a/initrd/bin/tpm-reset.sh b/initrd/bin/tpm-reset.sh
index 047d49ef0..426012863 100755
--- a/initrd/bin/tpm-reset.sh
+++ b/initrd/bin/tpm-reset.sh
@@ -6,3 +6,12 @@ NOTE "This will erase all keys and secrets from the TPM"
 prompt_new_owner_password
 
 tpmr.sh reset "$tpm_owner_passphrase"
+
+# TODO: move the TPM reset + full reprovision flow (counter creation, /boot
+# signing, TOTP/HOTP generation, DUK reseal) from gui-init.sh's reset_tpm()
+# into a reusable function in functions.sh.  Then tpm-reset.sh and the GUI
+# reset_tpm() can both call the same code, eliminating the inconsistency
+# between CLI and GUI reset paths.
+
+NOTE "TPM cleared. The TPM rollback counter was destroyed. /boot/kexec_rollback.txt still references the old counter."
+NOTE "Restore full functionality from the GUI: Options -> TPM/TOTP/HOTP Options -> Reset the TPM"
diff --git a/initrd/bin/tpmr.sh b/initrd/bin/tpmr.sh
index 00e5bf379..679af70ba 100755
--- a/initrd/bin/tpmr.sh
+++ b/initrd/bin/tpmr.sh
@@ -472,9 +472,11 @@ tpm1_counter_increment() {
 		esac
 	done
 	if [ "$pwdc_provided" = "y" ] && [ -z "$pwdc_value" ]; then
-		# Empty counter auth per TCG spec.
-		# Call tpm directly: no retry needed, caller handles fallback.
-		# Use || return so set -e doesn't kill the script on auth failure.
+		# Empty counter auth per TCG spec: this is the normal counter
+		# increment (no secret). Bypass _tpm_auth_retry because the
+		# empty string is intentional, not a user input error.
+		# Use || return so set -e doesn't kill the script on DA failure.
+		DEBUG "tpm1_counter_increment: empty auth, calling tpm directly"
 		tpm counter_increment -ix "$counter_id" -pwdc '' || return $?
 	else
 		_tpm_auth_retry "counter_increment" "stdout" "tpm1" "-pwdc" \
@@ -1077,6 +1079,63 @@ tpm2_reset() {
 		>/dev/null 2>&1 || LOG "tpm2_reset: unable to set lockout password"
 }
 
+# Query TPM1 dictionary attack state via TPM_CAP_DA_LOGIC capability.
+# Parses raw capability output into human-readable summary and machine
+# parsable DA: line.  The preflight guard in increment_tpm_counter
+# (functions.sh) reads the DA: field values to decide DIE (locked) vs
+# WARN (nearing threshold) vs proceed.
+#
+# Timer logic:
+#   actionDependValue > 0 AND state = 1 => actively locked
+#   actionDependValue = 0 AND state = 0 => not locked (count may still
+#     be >= threshold; counter resets on correct empty auth)
+#
+# BusyBox compatibility: uses sed -n with /p so timer field is absent
+# from DA: when actionDependValue is unavailable.
+tpm1_da_state() {
+	TRACE_FUNC
+	# TPM_CAP_DA_LOGIC = 0x19, subcap 0x0000 (owner auth DA info)
+	local da_out
+	da_out="$(tpm getcapability -cap 0x19 -scap 0x0000 2>/dev/null)" || true
+	if [ -z "$da_out" ]; then
+		DEBUG "tpm1_da_state: getcapability returned empty (not supported?)"
+		echo "TPM DA state: unavailable"
+		return 1
+	fi
+	echo "$da_out"
+	local state current threshold action_timer
+	state=$(echo "$da_out" | grep 'State' | awk '{print $NF}')
+	current=$(echo "$da_out" | grep 'currentCount' | awk '{print $NF}')
+	threshold=$(echo "$da_out" | grep 'thresholdCount' | awk '{print $NF}')
+	action_timer=$(echo "$da_out" | grep 'actionDependValue' | awk '{print $NF}')
+	DEBUG "tpm1_da_state: state=$state current=$current threshold=$threshold timer=$action_timer"
+	echo ""
+	echo "DA policy:"
+	echo "  thresholdCount (max failures before defend): $threshold"
+	echo "  currentCount (current failure count): $current"
+	echo "  actionDependValue (lockout seconds remaining): ${action_timer:-0}"
+	echo "  state (DA logic: 0=inactive, 1=active): $state"
+	if [ "$state" = "1" ]; then
+		if [ -n "$action_timer" ] && [ "$action_timer" -ge 3600 ] 2>/dev/null; then
+			echo "=> TPM DEFEND LOCK ACTIVE (~$((action_timer / 3600)) hour(s) remaining)"
+		elif [ -n "$action_timer" ] && [ "$action_timer" -ge 60 ] 2>/dev/null; then
+			echo "=> TPM DEFEND LOCK ACTIVE (~$((action_timer / 60)) min remaining)"
+		else
+			echo "=> TPM DEFEND LOCK ACTIVE (${action_timer:-?}s remaining)"
+		fi
+	elif [ -n "$current" ] && [ -n "$threshold" ] && [ "$current" -ge "$threshold" ] 2>/dev/null; then
+		DEBUG "tpm1_da_state: above threshold, not locked (timer=$action_timer)"
+		echo "=> Above threshold: $current/$threshold failures (auth failures will trigger lockout)"
+	elif [ -n "$current" ] && [ -n "$threshold" ]; then
+		echo "=> Within lockout threshold ($current/$threshold failures used)"
+	else
+		echo "=> DA state: limited info (state=$state)"
+	fi
+	# Machine-parsable line for callers (preflight guard, scripts)
+	# timer= field only present when actionDependValue is available
+	echo "DA: state=${state:-} current=${current:-} threshold=${threshold:-} timer=${action_timer:-}"
+}
+
 tpm1_reset() {
 	TRACE_FUNC
 	tpm_owner_passphrase="$1"
@@ -1103,28 +1162,32 @@ tpm1_reset() {
 	# 3. Take ownership with the new TPM owner passphrase.
 	# TPM_DEFEND_LOCK_RUNNING is a standard TPM 1.2 error raised after
 	# too many failed authorization attempts (see tpm_error.h).  The TPM
-	# enters a time-out period and refuses all authorization operations —
-	# including takeown, even after a successful forceclear (forceclear
-	# clears the owner but not the dictionary attack counter on some
-	# implementations).  
-	# TPM_ResetLockValue requires owner auth, which does not exist after
-	# forceclear, so we cannot call it.  Cycle physical presence
-	# (physicaldisable + physicalenable) to reset the TPM state machine
-	# on chips that honour software presence.  If the lock persists,
-	# only a full AC power cycle (not just reboot) will clear it.
+	# enters a time-out period (varies by chip: minutes to hours) and
+	# refuses all authorization operations.  forceclear clears the owner
+	# but not the dictionary attack counter on some implementations, so
+	# takeown may still fail after forceclear.
+	#
+	# Recovery: cycle physical presence once — this works on some chipsets
+	# where software presence was not properly asserted before forceclear.
+	# If that fails, the lockout must resolve naturally (wait with power on
+	# for the DA timer to expire, or hardware TPM reset via BIOS/jumper).
+	# AC power cycling behavior is implementation-specific.
 	local takeown_rc takeown_out
 	takeown_out="$(DO_WITH_DEBUG --mask-position 3 tpm takeown -pwdo "$tpm_owner_passphrase" 2>&1)" && takeown_rc=0 || takeown_rc=$?
 	if [ $takeown_rc -ne 0 ]; then
 		if echo "$takeown_out" | grep -qi "defend lock"; then
-			LOG "tpm1_reset: defend lock detected after forceclear — cycling physical presence to clear"
+			LOG "tpm1_reset: defend lock detected after forceclear"
+			LOG "tpm1_reset: cycling physical presence to assert PP before retry"
 			DO_WITH_DEBUG tpm physicaldisable >/dev/null 2>&1 || true
 			DO_WITH_DEBUG tpm physicalenable >/dev/null 2>&1 || true
 			DO_WITH_DEBUG tpm physicalpresence -s >/dev/null 2>&1 || true
 			DO_WITH_DEBUG tpm physicalsetdeactivated -c >/dev/null 2>&1 || true
-			if ! DO_WITH_DEBUG --mask-position 3 tpm takeown -pwdo "$tpm_owner_passphrase" >/dev/null 2>&1; then
-				LOG "tpm1_reset: tpm takeown still failed after defend lock recovery"
-				return 1
+			if DO_WITH_DEBUG --mask-position 3 tpm takeown -pwdo "$tpm_owner_passphrase" >/dev/null 2>&1; then
+				return 0
 			fi
+			LOG "tpm1_reset: physical presence cycling did not clear defend lock"
+			LOG "tpm1_reset: run 'tpmr.sh da_state' for expected delay, or try tpm-reset.sh to clear TPM"
+			return 1
 		else
 			LOG "tpm1_reset: tpm takeown failed after forceclear"
 			return 1
@@ -1167,6 +1230,141 @@ tpm2_shutdown() {
 	tpm2 shutdown -Q --clear
 }
 
+# Query TPM2 dictionary attack state via getcap properties-variable.
+# TPM2 has no single DA state query (unlike TPM1's TPM_CAP_DA_LOGIC).
+# We read four properties and derive lockout status.
+#
+# Lockout logic:
+#   count >= max_auth => locked (no auth will succeed)
+#   count < max_auth => within threshold (one bad auth may push over)
+#   estimate = (counter - max_auth + 1) * interval
+#   When locked, DA: line includes timer=<estimate> for the preflight guard.
+#   When not locked, DA: line has no timer= field (sed -n /p returns empty).
+tpm2_da_state() {
+	TRACE_FUNC
+	local cap_out da_out counter_hex max_auth_hex counter max_auth
+	cap_out="$(tpm2 getcap properties-variable 2>/dev/null)" || {
+		WARN "Unable to query TPM2 dictionary attack state"
+		DEBUG "tpm2_da_state: getcap properties-variable failed (no TPM access?)"
+		return 1
+	}
+	da_out="$(echo "$cap_out" | grep -E \
+		'TPM2_PT_LOCKOUT_COUNTER|TPM2_PT_MAX_AUTH_FAIL|TPM2_PT_LOCKOUT_INTERVAL|TPM2_PT_LOCKOUT_RECOVERY')" || true
+	if [ -z "$da_out" ]; then
+		DEBUG "tpm2_da_state: no matching properties found in getcap output"
+		echo "TPM2 DA state: unavailable"
+		return 1
+	fi
+	echo "$da_out"
+	counter_hex=$(echo "$da_out" | grep 'LOCKOUT_COUNTER' | sed 's/.*0x//')
+	max_auth_hex=$(echo "$da_out" | grep 'MAX_AUTH_FAIL' | sed 's/.*0x//')
+	interval_hex=$(echo "$da_out" | grep 'LOCKOUT_INTERVAL' | sed 's/.*0x//')
+	recovery_hex=$(echo "$da_out" | grep 'LOCKOUT_RECOVERY' | sed 's/.*0x//')
+	counter=$((0x${counter_hex:-0}))
+	max_auth=$((0x${max_auth_hex:-0}))
+	interval=$((0x${interval_hex:-0}))
+	recovery=$((0x${recovery_hex:-0}))
+	echo ""
+	echo "DA policy:"
+	echo "  maxTries (max auth fails before lockout): $max_auth"
+	if [ "$interval" -ge 60 ]; then
+		echo "  recoveryTime (seconds before one failure is forgotten): $interval ($((interval / 60)) min)"
+	else
+		echo "  recoveryTime (seconds before one failure is forgotten): $interval"
+	fi
+	echo "  lockoutRecovery (seconds lockout auth blocked after failure): $recovery"
+	echo "  failedTries (current auth failure count): $counter"
+	if [ -n "$counter_hex" ] && [ -n "$max_auth_hex" ] && [ "$counter" -ge "$max_auth" ] 2>/dev/null; then
+		DEBUG "tpm2_da_state: LOCKOUT ACTIVE (counter=$counter threshold=$max_auth)"
+		echo "=> TPM LOCKOUT ACTIVE ($counter/$max_auth failures)"
+		# counter drops by 1 every recoveryTime seconds.
+		# When counter < maxTries, TPM unlocks. So we need (counter - maxTries + 1) decrements.
+		local need=$((counter - max_auth + 1))
+		local estimate=$((need * interval))
+		if [ "$estimate" -ge 3600 ]; then
+			echo "=> Estimated unlock in ~$((estimate / 3600)) hour(s) (if no new failures)"
+		elif [ "$estimate" -ge 60 ]; then
+			echo "=> Estimated unlock in ~$((estimate / 60)) min (if no new failures)"
+		else
+			echo "=> Estimated unlock in ~${estimate}s (if no new failures)"
+		fi
+		echo "DA: current=${counter:-} threshold=${max_auth:-} timer=${estimate}"
+	else
+		DEBUG "tpm2_da_state: within threshold (counter=$counter threshold=$max_auth)"
+		echo "=> Within lockout threshold ($counter/$max_auth failures used)"
+		echo "DA: current=${counter:-} threshold=${max_auth:-}"
+	fi
+}
+
+
+# bad_auth - Deliberately attempt a counter increment with wrong auth.
+# For testing the DA state detection and preflight guard.
+#
+# Design decisions:
+#   - Wrong password is TPM_DEFEND_LOCK_TEST_WRONG_PASSWORD (self-documenting).
+#   - We use || true to prevent set -e from killing the script on auth failure.
+#   - Shows DA state before and after so user can see the counter increment.
+# Reads counter ID from /boot/kexec_rollback.txt or takes one as argument.
+tpm1_bad_auth() {
+	TRACE_FUNC
+	local counter_id="${1:-}"
+	if [ -z "$counter_id" ] && [ -r /boot/kexec_rollback.txt ]; then
+		counter_id=$(grep -Eo 'counter-[0-9a-fA-F]+' /boot/kexec_rollback.txt | \
+			sed 's/counter-//' | head -1)
+	fi
+	DEBUG "=== BAD AUTH TEST (TPM1) ==="
+	DEBUG "Counter: ${counter_id:-<none>}"
+	DEBUG "DA state BEFORE bad auth:"
+	tpm1_da_state
+	if [ -z "$counter_id" ]; then
+		DEBUG "No counter ID found. Use tpmr.sh bad_auth <counter_id>."
+		return 1
+	fi
+	# Verify the counter exists before attempting bad auth
+	if ! tpm counter_read -ix "$counter_id" >/dev/null 2>&1; then
+		DEBUG "Counter $counter_id does not exist on this TPM."
+		return 1
+	fi
+	DEBUG "Attempting increment with wrong passphrase..."
+	# Intentionally wrong auth: tpm will fail but we want the DA counter to increment.
+	# Use || true so set -e does not abort on expected failure.
+	tpm counter_increment -ix "$counter_id" -pwdc "TPM_DEFEND_LOCK_TEST_WRONG_PASSWORD" 2>&1 || true
+	DEBUG "DA state AFTER bad auth:"
+	tpm1_da_state
+}
+
+# TPM2 bad_auth: same purpose but uses NV index auth (-P) not owner auth.
+# Design decision: NV index auth failure produces TPM2_RC_AUTH_FAIL (0x98e)
+# and does increment LOCKOUT_COUNTER.  Owner auth failure (-C o -P) may not
+# increment the counter on some TPM2 implementations, so we use -P directly.
+tpm2_bad_auth() {
+	TRACE_FUNC
+	local counter_id="${1:-}"
+	if [ -z "$counter_id" ] && [ -r /boot/kexec_rollback.txt ]; then
+		counter_id=$(grep -Eo 'counter-[0-9a-fA-F]+' /boot/kexec_rollback.txt | \
+			sed 's/counter-//' | head -1)
+	fi
+	DEBUG "=== BAD AUTH TEST (TPM2) ==="
+	DEBUG "Counter: ${counter_id:-<none>}"
+	DEBUG "DA state BEFORE bad auth:"
+	tpm2_da_state
+	if [ -z "$counter_id" ]; then
+		DEBUG "No counter ID found. Use tpmr.sh bad_auth <counter_id>."
+		return 1
+	fi
+	# Verify the counter exists before attempting bad auth
+	if ! tpm2 nvread "0x$counter_id" >/dev/null 2>&1; then
+		DEBUG "Counter 0x$counter_id does not exist on this TPM."
+		return 1
+	fi
+	DEBUG "Attempting increment with wrong passphrase..."
+	# Intentionally wrong auth at NV index level (not owner auth).
+	# Use || true so set -e does not abort on expected TPM2_RC_AUTH_FAIL.
+	tpm2 nvincrement -P "TPM_DEFEND_LOCK_TEST_WRONG_PASSWORD" "0x$counter_id" 2>&1 || true
+	DEBUG "DA state AFTER bad auth:"
+	tpm2_da_state
+}
+
 if [ "$CONFIG_TPM" != "y" ]; then
 	DIE "No TPM!"
 fi
@@ -1235,12 +1433,20 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
 		shift
 		tpm1_unseal "$@"
 		;;
+	bad_auth)
+		shift
+		tpm1_bad_auth "$@"
+		;;
 	reset)
 		shift
 		INFO "TPM: Resetting TPM"
 		tpm1_reset "$@"
 		STATUS_OK "TPM reset completed"
 		;;
+	da_state)
+		shift
+		tpm1_da_state "$@"
+		;;
 	kexec_finalize) ;; # Nothing on TPM1.
 	shutdown) ;;       # Nothing on TPM1.
 	*)
@@ -1291,6 +1497,9 @@ counter_increment)
 counter_create)
 	tpm2_counter_create "$@"
 	;;
+da_state)
+	tpm2_da_state "$@"
+	;;
 destroy)
 	tpm2_destroy "$@"
 	;;
@@ -1303,6 +1512,9 @@ startsession)
 unseal)
 	tpm2_unseal "$@"
 	;;
+bad_auth)
+	tpm2_bad_auth "$@"
+	;;
 reset)
 	INFO "TPM: Resetting TPM"
 	tpm2_reset "$@"
diff --git a/initrd/etc/functions.sh b/initrd/etc/functions.sh
index acfe1bcf5..cebdb029e 100644
--- a/initrd/etc/functions.sh
+++ b/initrd/etc/functions.sh
@@ -2056,7 +2056,56 @@ increment_tpm_counter() {
 	# auth (SHA1("")) per TCG spec — no owner passphrase needed for increment.
 	if [ -z "$tpm_passphrase" ] && [ -s /tmp/secret/tpm_owner_passphrase ]; then
 		tpm_passphrase="$(cat /tmp/secret/tpm_owner_passphrase)"
-		DEBUG "increment_tpm_counter: using cached TPM owner passphrase"
+	fi
+
+	# Preflight DA state check: query da_state before every counter increment.
+	# TPM1: timer=0 means state inactive; timer>0 means locked.
+	# TPM2: timer absent when count<threshold; timer>0 when locked (estimate).
+	# TPM1 timer>0 or TPM2 timer>0: DIE with remaining time.
+	# TPM1 timer=0, count>=threshold: above threshold but not locked, WARN.
+	# TPM2 no timer, count>=threshold: locked (shouldn't happen, DIE).
+	# Both: count>=threshold-1 without lockout: WARN.
+	if [ "$CONFIG_TPM" = "y" ]; then
+		local da_line da_current da_threshold da_timer
+		da_line="$(tpmr.sh da_state 2>/dev/null | grep '^DA: ')"
+		da_current=$(echo "$da_line" | sed 's/.*current=\([^ ]*\).*/\1/')
+		da_threshold=$(echo "$da_line" | sed 's/.*threshold=\([^ ]*\).*/\1/')
+		# With sed -n /p, da_timer stays empty when timer= field absent (TPM2 clean)
+		da_timer=$(echo "$da_line" | sed -n 's/.*timer=\([^ ]*\).*/\1/p')
+		if [ -n "$da_current" ] && [ -n "$da_threshold" ]; then
+			if [ -n "$da_timer" ] && [ "$da_timer" -gt 0 ] 2>/dev/null; then
+				# TPM1 state=1 or TPM2 count>=threshold -- actively locked
+				local timer_display="${da_timer}s"
+				if [ "$da_timer" -ge 3600 ] 2>/dev/null; then
+					timer_display="~$((da_timer / 3600)) hour(s)"
+				elif [ "$da_timer" -ge 60 ] 2>/dev/null; then
+					timer_display="~$((da_timer / 60)) min"
+				fi
+				DEBUG "increment_tpm_counter: DA $da_current/$da_threshold (locked, ${timer_display})"
+				DIE "TPM dictionary attack lockout active (DA $da_current/$da_threshold, ${timer_display} remaining). Reset TPM from GUI: Options -> TPM/TOTP/HOTP Options -> Reset the TPM."
+			fi
+			if [ "$da_current" -ge "$da_threshold" ] 2>/dev/null; then
+				if [ -z "$da_timer" ]; then
+					# TPM2 with count>=threshold but no timer estimate.
+					# This can't happen on Heads-provisioned TPMs but guard defensively.
+					DEBUG "increment_tpm_counter: DA $da_current/$da_threshold (TPM2 locked, no timer)"
+					DIE "TPM dictionary attack lockout active (DA $da_current/$da_threshold). Reset TPM from GUI: Options -> TPM/TOTP/HOTP Options -> Reset the TPM."
+				else
+					# TPM1: timer=0, state=0, count above threshold but not locked.
+					# The increment will succeed with correct empty auth, but warn user
+					# that the next BAD auth will trigger lockout.
+					DEBUG "increment_tpm_counter: DA $da_current/$da_threshold (above threshold)"
+					WARN "DA counter above threshold ($da_current/$da_threshold). Auth failures will trigger lockout."
+				fi
+			elif [ "$da_current" -ge $((da_threshold - 1)) ] 2>/dev/null; then
+				DEBUG "increment_tpm_counter: DA $da_current/$da_threshold (nearing threshold)"
+				WARN "DA counter nearing threshold ($da_current/$da_threshold). One more auth failure may trigger lockout."
+			else
+				DEBUG "increment_tpm_counter: DA $da_current/$da_threshold"
+			fi
+		else
+			DEBUG "increment_tpm_counter: TPM DA state unavailable or limited"
+		fi
 	fi
 
 	# Try to increment the counter.  We normally hide the verbose

From 30a42016a09c7bc331ff8b19e466ecf8e64e6ef4 Mon Sep 17 00:00:00 2001
From: Thierry Laurion <insurgo@riseup.net>
Date: Sun, 17 May 2026 13:18:24 -0400
Subject: [PATCH 3/5] address review comments on PR #2117

- Fix TPM2 time remaining table entry: estimate is derived from
  LOCKOUT_COUNTER vs MAX_AUTH_FAIL times LOCKOUT_INTERVAL, not
  LOCKOUT_RECOVERY (which is the lockout-auth-blocked-after-failure
  timer, not the remaining-until-unlock)
- Reword migration WARN: 'older Heads version' not 'older firmware'
  (the migration case is caused by previous Heads code, not platform
  firmware)
- Remove fragile PR #2117 reference from preventing-future-lockouts
  section: describe the fix generically (restoring empty counter auth)
  so the doc is correct regardless of branch context

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
---
 doc/tpm.md              | 15 +++++++--------
 initrd/etc/functions.sh |  2 +-
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/doc/tpm.md b/doc/tpm.md
index 7e6a37396..7ff8cc0a4 100644
--- a/doc/tpm.md
+++ b/doc/tpm.md
@@ -510,7 +510,7 @@ state.  Available for both TPM1 and TPM2:
 | Current failures | `currentCount` | `TPM2_PT_LOCKOUT_COUNTER` |
 | Lockout threshold | `thresholdCount` | `TPM2_PT_MAX_AUTH_FAIL` |
 | Lockout interval | -- | `TPM2_PT_LOCKOUT_INTERVAL` |
-| Time remaining | `actionDependValue` (seconds) | `TPM2_PT_LOCKOUT_RECOVERY` |
+| Time remaining | `actionDependValue` (seconds) | Estimate from `LOCKOUT_COUNTER` vs `MAX_AUTH_FAIL` times `LOCKOUT_INTERVAL` |
 
 The recovery shell can run `tpmr.sh da_state` at any time to check
 whether the TPM is locked and how much lockout time remains.
@@ -547,13 +547,12 @@ line is logged by the preflight guard in `increment_tpm_counter`.
 
 #### Preventing future lockouts
 
-Heads' counter auth regression (PR #2068) caused 3 TPM auth failures
-per boot by passing the owner passphrase as the counter auth while the
-counter was created with empty auth.  This was fixed in PR #2117 by
-restoring empty counter auth for both creation and increment,
-preventing any auth failures from counter operations.  All TPM1 boards
-that ran the regression code are affected identically; this is not
-platform-specific.
+Heads' counter auth regression caused 3 TPM auth failures per boot by
+passing the owner passphrase as the counter auth while the counter was
+created with empty auth.  Restoring empty counter auth for both creation
+and increment (as per TCG spec) prevents auth failures from counter
+operations.  All TPM1 boards that ran the regression code are affected
+identically; this is not platform-specific.
 
 ### TPM1 physical presence
 
diff --git a/initrd/etc/functions.sh b/initrd/etc/functions.sh
index cebdb029e..46a650330 100644
--- a/initrd/etc/functions.sh
+++ b/initrd/etc/functions.sh
@@ -2165,7 +2165,7 @@ increment_tpm_counter() {
 						2>/dev/null | tee /tmp/counter-"$counter_id" >/dev/null
 			); then
 				increment_ok="y"
-				WARN "TPM counter created by older firmware (uses owner passphrase). This is a one-time migration; operation continues with owner-passphrase auth. Reset TPM in menu (Options -> TPM/TOTP/HOTP Options -> Reset the TPM) to create a new empty-auth counter (recommended), or leave as-is."
+				WARN "TPM counter created by older Heads version (uses owner passphrase). This is a one-time migration; operation continues with owner-passphrase auth. Reset TPM in menu (Options -> TPM/TOTP/HOTP Options -> Reset the TPM) to create a new empty-auth counter (recommended), or leave as-is."
 			fi
 		fi
 	fi

From 214950875902f4f00cbf0ad7daf498f197df5bf4 Mon Sep 17 00:00:00 2001
From: Thierry Laurion <insurgo@riseup.net>
Date: Sun, 17 May 2026 14:00:57 -0400
Subject: [PATCH 4/5] initrd/bin/tpmr.sh: validate tpm1_da_state output before
 printing

When TPM1 does not support TPM_CAP_DA_LOGIC (0x19), tpm getcapability
may print raw TSS error text to stdout instead of returning empty.
The empty-string check missed this because error text is non-empty.

Fix: check that the output contains the 'State' field (expected for
valid DA capability data) before echoing. If missing, return
'unavailable' and suppress the raw TSS garbage.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
---
 initrd/bin/tpmr.sh | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/initrd/bin/tpmr.sh b/initrd/bin/tpmr.sh
index 679af70ba..b5e9510eb 100755
--- a/initrd/bin/tpmr.sh
+++ b/initrd/bin/tpmr.sh
@@ -1095,10 +1095,13 @@ tpm2_reset() {
 tpm1_da_state() {
 	TRACE_FUNC
 	# TPM_CAP_DA_LOGIC = 0x19, subcap 0x0000 (owner auth DA info)
-	local da_out
-	da_out="$(tpm getcapability -cap 0x19 -scap 0x0000 2>/dev/null)" || true
-	if [ -z "$da_out" ]; then
-		DEBUG "tpm1_da_state: getcapability returned empty (not supported?)"
+	# Not all TPM1 implementations support this capability.
+	# TrouSerS may print raw TSS errors on failure; validate output.
+	local da_out rc
+	da_out="$(tpm getcapability -cap 0x19 -scap 0x0000 2>/dev/null)" || rc=$?
+	if [ -z "$da_out" ] || ! echo "$da_out" | grep -q 'State'; then
+		[ -n "${rc-}" ] && DEBUG "tpm1_da_state: getcapability exit=$rc"
+		DEBUG "tpm1_da_state: DA state not available (unsupported or locked down)"
 		echo "TPM DA state: unavailable"
 		return 1
 	fi

From fc3ec6371dccba92b512254249d123f8ff8af643 Mon Sep 17 00:00:00 2001
From: Thierry Laurion <insurgo@riseup.net>
Date: Sun, 17 May 2026 14:36:59 -0400
Subject: [PATCH 5/5] doc: document TPM1 DA state query hardware limitations

TPM_CAP_DA_LOGIC (0x19) was added late in TPM 1.2 spec rev 103.
Older Infineon TPMs (X230-era SLB9635/9645) and some Atmel chips
do not implement it and return TPM_BAD_MODE (exit 44).

Document this limitation in:
- tpm1_da_state function comment: specific TPM models affected
- increment_tpm_counter preflight guard: note that da_state may
  return unavailable on older TPM1
- doc/tpm.md: explain why some TPM1 hardware shows 'unavailable'

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
---
 doc/tpm.md              | 6 ++++++
 initrd/bin/tpmr.sh      | 4 +++-
 initrd/etc/functions.sh | 2 ++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/doc/tpm.md b/doc/tpm.md
index 7ff8cc0a4..c9b3fc308 100644
--- a/doc/tpm.md
+++ b/doc/tpm.md
@@ -515,6 +515,12 @@ state.  Available for both TPM1 and TPM2:
 The recovery shell can run `tpmr.sh da_state` at any time to check
 whether the TPM is locked and how much lockout time remains.
 
+Note: TPM1 DA state query relies on `TPM_CAP_DA_LOGIC` (0x19), a late
+TPM 1.2 spec addition (rev 103).  Older Infineon TPMs (e.g. X230-era
+SLB9635/9645) and some Atmel chips do not support this capability.
+On such hardware `da_state` returns `unavailable` and the preflight
+guard silently skips; TPM2 is unaffected.
+
 #### DA parameter configurability
 
 TPM2 DA parameters are configured during `tpm2_reset()` (called by
diff --git a/initrd/bin/tpmr.sh b/initrd/bin/tpmr.sh
index b5e9510eb..c4aa98805 100755
--- a/initrd/bin/tpmr.sh
+++ b/initrd/bin/tpmr.sh
@@ -1095,7 +1095,9 @@ tpm2_reset() {
 tpm1_da_state() {
 	TRACE_FUNC
 	# TPM_CAP_DA_LOGIC = 0x19, subcap 0x0000 (owner auth DA info)
-	# Not all TPM1 implementations support this capability.
+	# This capability was added late in TPM 1.2 spec rev 103.
+	# Older Infineon (X230-era SLB9635/9645) and some Atmel TPMs
+	# do not implement it and return TPM_BAD_MODE (exit 44).
 	# TrouSerS may print raw TSS errors on failure; validate output.
 	local da_out rc
 	da_out="$(tpm getcapability -cap 0x19 -scap 0x0000 2>/dev/null)" || rc=$?
diff --git a/initrd/etc/functions.sh b/initrd/etc/functions.sh
index 46a650330..b9c730a5c 100644
--- a/initrd/etc/functions.sh
+++ b/initrd/etc/functions.sh
@@ -2060,6 +2060,8 @@ increment_tpm_counter() {
 
 	# Preflight DA state check: query da_state before every counter increment.
 	# TPM1: timer=0 means state inactive; timer>0 means locked.
+	#        NOTE: many older TPM1 chips (Infineon X230-era) don't support
+	#        TPM_CAP_DA_LOGIC; da_state returns unavailable -> guard skips.
 	# TPM2: timer absent when count<threshold; timer>0 when locked (estimate).
 	# TPM1 timer>0 or TPM2 timer>0: DIE with remaining time.
 	# TPM1 timer=0, count>=threshold: above threshold but not locked, WARN.