tpm2_gettime(1)

1tpm2_gettime(1)             General Commands Manual            tpm2_gettime(1)
2
3
4

6       tpm2_gettime(1)  -  Get  the  current  time and clock from the TPM in a
7       signed form.
8

10       tpm2_gettime [OPTIONS] [ARGUMENT]
11

13       tpm2_gettime(1) - Provides a signed copy of the current time and  clock
14       from  the  TPM.  It returns both a signature, and the data in the stan‐
15       dard TPM attestation form, a TPMS_ATTEST structure.
16
17       It outputs to stdout, in YAML format, the TPMS_TIME_INFO structure from
18       the  TPM.   The  structure contains the current setting of Time, Clock,
19       resetCount, and restartCount.  The structure is output as YAML  defined
20       as:
21
22              time: 13673142     # 64 bit value of time since last _TPM_Init or TPM2_Startup
23                                 # in ms.
24              clock_info:
25                clock: 13673142  # 64 bit value of time TPM has been powered on in ms.
26                reset_count: 0   # 32 bit value of the number of TPM Resets since the last
27                                 # TPM2_Clear.
28                restart_count: 0 # 32 bit value of the number of times that TPM2_Shutdown or
29                                 # _TPM_Hash_Start have occurred since the last TPM Reset or
30                                 # TPM2_Clear.
31                safe: yes        # boolean yes|no value that no value of Clock greater than
32                                 # the current value of Clock has been previously reported by
33                                 # the TPM.
34

36       · -c, --key-context=OBJECT:
37
38         Context  object  pointing  to the the key used for signing.  Either a
39         file or a handle number.  See section "Context Object Format".
40
41       · -p, --authAUTH:
42
43         Optional authorization value to use the key specified by -c.   Autho‐
44         rization  values  should  follow  the "authorization formatting stan‐
45         dards", see section "Authorization Formatting".
46
47       · -P, --endorse-authAUTH:
48
49         Optional authorization value for the endorsement  hierarchy.   Autho‐
50         rization  values  should  follow  the "authorization formatting stan‐
51         dards", see section "Authorization Formatting".
52
53       · -g, --hash-algorithm=ALGORITHM:
54
55         The hash algorithm used to digest  the  message.   Algorithms  should
56         follow  the  "formatting  standards",  see  section "Algorithm Speci‐
57         fiers".  Also, see section "Supported Hash Algorithms" for a list  of
58         supported hash algorithms.
59
60       · -s, --scheme=ALGORITHM:
61
62         The  signing  scheme  used  to  sign the message.  Optional.  Signing
63         schemes should follow the "formatting standards", see section  "Algo‐
64         rithm Specifiers".  Also, see section "Supported Signing Schemes" for
65         a list of supported signature schemes.  If specified,  the  signature
66         scheme  must match the key type.  If left unspecified, a default sig‐
67         nature scheme for the key type will be used.
68
69       · -q, --qualification=FILE_OR_HEX_STR:
70
71         Optional, the policy qualifier data that the signer can choose to in‐
72         clude in the signature.  Can be either a hex string or path.
73
74       · -o, --signature=FILE:
75
76         The signature file, records the signature structure.
77
78       · -f, --format=FORMAT:
79
80         Format  selection for the signature output file.  See section "Signa‐
81         ture Format Specifiers".
82
83       · --attestation=FILE:
84
85         The attestation data of the type TPMS_ATTEST signed with signing key.
86
87       · ARGUMENT the command line argument specifies the file data for sign.
88
89   References

91       The type of a context object, whether it is a handle or file  name,  is
92       determined according to the following logic in-order:
93
94       · If the argument is a file path, then the file is loaded as a restored
95         TPM transient object.
96
97       · If the argument is a prefix match on one of:
98
99         · owner: the owner hierarchy
100
101         · platform: the platform hierarchy
102
103         · endorsement: the endorsement hierarchy
104
105         · lockout: the lockout control persistent object
106
107       · If the argument argument can be loaded as a number it will  be  treat
108         as a handle, e.g.  0x81010013 and used directly.OBJECT.
109

111       Authorization  for  use  of an object in TPM2.0 can come in 3 different
112       forms: 1.  Password 2.  HMAC 3.  Sessions
113
114       NOTE: "Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
115       fied".
116
117   Passwords
118       Passwords  are  interpreted  in  the following forms below using prefix
119       identifiers.
120
121       Note: By default passwords are assumed to be in the  string  form  when
122       they do not have a prefix.
123
124   String
125       A  string  password,  specified  by  prefix "str:" or it's absence (raw
126       string without prefix) is not interpreted, and is directly used for au‐
127       thorization.
128
129   Examples
130              foobar
131              str:foobar
132
133   Hex-string
134       A  hex-string  password, specified by prefix "hex:" is converted from a
135       hexidecimal form into a byte array form, thus allowing  passwords  with
136       non-printable and/or terminal un-friendly characters.
137
138   Example
139              hex:0x1122334455667788
140
141   File
142       A  file  based password, specified be prefix "file:" should be the path
143       of a file containing the password to be read by the tool or  a  "-"  to
144       use  stdin.   Storing  passwords in files prevents information leakage,
145       passwords passed as options can be read from the process list or common
146       shell history features.
147
148   Examples
149              # to use stdin and be prompted
150              file:-
151
152              # to use a file from a path
153              file:path/to/password/file
154
155              # to echo a password via stdin:
156              echo foobar | tpm2_tool -p file:-
157
158              # to use a bash here-string via stdin:
159
160              tpm2_tool -p file:- <<< foobar
161
162   Sessions
163       When  using  a policy session to authorize the use of an object, prefix
164       the option argument with the session keyword.  Then indicate a path  to
165       a session file that was created with tpm2_startauthsession(1).  Option‐
166       ally, if the session requires an auth value to be sent with the session
167       handle  (eg policy password), then append a + and a string as described
168       in the Passwords section.
169
170   Examples
171       To use a session context file called session.ctx.
172
173              session:session.ctx
174
175       To use a session context file called session.ctx AND send the authvalue
176       mypassword.
177
178              session:session.ctx+mypassword
179
180       To use a session context file called session.ctx AND send the HEX auth‐
181       value 0x11223344.
182
183              session:session.ctx+hex:11223344
184
185   PCR Authorizations
186       You can satisfy a PCR policy using the "pcr:" prefix and the PCR  mini‐
187       language.       The     PCR     minilanguage     is     as     follows:
188       <pcr-spec>=<raw-pcr-file>
189
190       The PCR spec is documented in in the section "PCR bank specifiers".
191
192       The raw-pcr-file is an optional the output of the raw PCR  contents  as
193       returned by tpm2_pcrread(1).
194
195       PCR bank specifiers (common/pcr.md)
196
197   Examples
198       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
199       er of:
200
201              pcr:sha256:0,1,2,3
202
203       specifying AUTH.
204

206       Options that take algorithms support "nice-names".
207
208       There are two major algorithm specification string classes, simple  and
209       complex.  Only certain algorithms will be accepted by the TPM, based on
210       usage and conditions.
211
212   Simple specifiers
213       These are strings with no additional specification data.  When creating
214       objects,  non-specified  portions of an object are assumed to defaults.
215       You can find the list of known "Simple Specifiers Below".
216
217   Asymmetric
218       · rsa
219
220       · ecc
221
222   Symmetric
223       · aes
224
225       · camellia
226
227   Hashing Algorithms
228       · sha1
229
230       · sha256
231
232       · sha384
233
234       · sha512
235
236       · sm3_256
237
238       · sha3_256
239
240       · sha3_384
241
242       · sha3_512
243
244   Keyed Hash
245       · hmac
246
247       · xor
248
249   Signing Schemes
250       · rsassa
251
252       · rsapss
253
254       · ecdsa
255
256       · ecdaa
257
258       · ecschnorr
259
260   Asymmetric Encryption Schemes
261       · oaep
262
263       · rsaes
264
265       · ecdh
266
267   Modes
268       · ctr
269
270       · ofb
271
272       · cbc
273
274       · cfb
275
276       · ecb
277
278   Misc
279       · null
280
281   Complex Specifiers
282       Objects, when specified for creation by the TPM,  have  numerous  algo‐
283       rithms  to  populate  in the public data.  Things like type, scheme and
284       asymmetric details, key size, etc.  Below is  the  general  format  for
285       specifying this data: <type>:<scheme>:<symmetric-details>
286
287   Type Specifiers
288       This  portion  of the complex algorithm specifier is required.  The re‐
289       maining scheme and symmetric details will default  based  on  the  type
290       specified and the type of the object being created.
291
292       · aes - Default AES: aes128
293
294       · aes128<mode>  - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
295         If mode is not specified, defaults to null.
296
297       · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
298
299       · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
300
301       · ecc - Elliptical Curve, defaults to ecc256.
302
303       · ecc192 - 192 bit ECC
304
305       · ecc224 - 224 bit ECC
306
307       · ecc256 - 256 bit ECC
308
309       · ecc384 - 384 bit ECC
310
311       · ecc521 - 521 bit ECC
312
313       · rsa - Default RSA: rsa2048
314
315       · rsa1024 - RSA with 1024 bit keysize.
316
317       · rsa2048 - RSA with 2048 bit keysize.
318
319       · rsa4096 - RSA with 4096 bit keysize.
320
321   Scheme Specifiers
322       Next, is an optional field, it can be skipped.
323
324       Schemes are usually Signing Schemes or Asymmetric  Encryption  Schemes.
325       Most signing schemes take a hash algorithm directly following the sign‐
326       ing scheme.  If the hash algorithm is missing, it defaults  to  sha256.
327       Some take no arguments, and some take multiple arguments.
328
329   Hash Optional Scheme Specifiers
330       These  scheme  specifiers are followed by a dash and a valid hash algo‐
331       rithm, For example: oaep-sha256.
332
333       · oaep
334
335       · ecdh
336
337       · rsassa
338
339       · rsapss
340
341       · ecdsa
342
343       · ecschnorr
344
345   Multiple Option Scheme Specifiers
346       This scheme specifier is followed by a count  (max  size  UINT16)  then
347       folloed  by a dash(-) and a valid hash algorithm.  * ecdaa For example,
348       ecdaa4-sha256.  If no count is specified, it defaults to 4.
349
350   No Option Scheme Specifiers
351       This scheme specifier takes NO arguments.  * rsaes
352
353   Symmetric Details Specifiers
354       This field is optional, and defaults based on the type of object  being
355       created  and it's attributes.  Generally, any valid Symmetric specifier
356       from the Type Specifiers list should work.  If not specified, an  asym‐
357       metric objects symmetric details defaults to aes128cfb.
358
359   Examples
360   Create an rsa2048 key with an rsaes asymmetric encryption scheme
361       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
362
363   Create an ecc256 key with an ecdaa signing scheme with a count of 4
364       and sha384 hash
365
366       /tpm2_create -C parent.ctx -G ecc256:ec‐
367       daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
368

370       This collection of options are common to many programs and provide  in‐
371       formation that many users may expect.
372
373       · -h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
374         attempts to invoke the manpager for the  tool,  however,  on  failure
375         will  output  a short tool summary.  This is the same behavior if the
376         "man" option argument is specified, however if explicit "man" is  re‐
377         quested,  the  tool  will  provide errors from man on stderr.  If the
378         "no-man" option if specified, or the manpager fails,  the  short  op‐
379         tions will be output to stdout.
380
381         To  successfully use the manpages feature requires the manpages to be
382         installed or on MANPATH, See man(1) for more details.
383
384       · -v, --version: Display version information for this  tool,  supported
385         tctis and exit.
386
387       · -V,  --verbose:  Increase the information that the tool prints to the
388         console during its execution.  When using this option  the  file  and
389         line number are printed.
390
391       · -Q, --quiet: Silence normal tool output to stdout.
392
393       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
394         if an errata fixup needs to be applied to commands sent to  the  TPM.
395         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
396         formation many users may expect.
397

399       The TCTI or "Transmission Interface"  is  the  communication  mechanism
400       with  the TPM.  TCTIs can be changed for communication with TPMs across
401       different mediums.
402
403       To control the TCTI, the tools respect:
404
405       1. The command line option -T or --tcti
406
407       2. The environment variable: TPM2TOOLS_TCTI.
408
409       Note: The command line option always overrides  the  environment  vari‐
410       able.
411
412       The current known TCTIs are:
413
414       · tabrmd      -     The     resource     manager,     called     tabrmd
415         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
416         abrmd as a tcti name are synonymous.
417
418       · mssim  - Typically used for communicating to the TPM software simula‐
419         tor.
420
421       · device - Used when talking directly to a TPM device file.
422
423       · none - Do not initalize a connection with the TPM.  Some tools  allow
424         for off-tpm options and thus support not using a TCTI.  Tools that do
425         not support it will error when attempted to be used  without  a  TCTI
426         connection.   Does  not  support ANY options and MUST BE presented as
427         the exact text of "none".
428
429       The arguments to either the command  line  option  or  the  environment
430       variable are in the form:
431
432       <tcti-name>:<tcti-option-config>
433
434       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
435       tion-config> results in the default being used for that portion respec‐
436       tively.
437
438   TCTI Defaults
439       When  a  TCTI  is not specified, the default TCTI is searched for using
440       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
441       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
442       what TCTI will be chosen as the default by using the -v option to print
443       the  version information.  The "default-tcti" key-value pair will indi‐
444       cate which of the aforementioned TCTIs is the default.
445
446   Custom TCTIs
447       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
448       tools internally use dlopen(3), and the raw tcti-name value is used for
449       the lookup.  Thus, this could be a path to the shared library, or a li‐
450       brary name as understood by dlopen(3) semantics.
451

453       This collection of options are used to configure the various known TCTI
454       modules available:
455
456       · device: For the device TCTI, the TPM character device file for use by
457         the device TCTI can be specified.  The default is /dev/tpm0.
458
459         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI="de‐
460         vice:/dev/tpm0"
461
462       · mssim: For the mssim TCTI, the domain name or  IP  address  and  port
463         number  used  by  the  simulator  can  be specified.  The default are
464         127.0.0.1 and 2321.
465
466         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
467         TI="mssim:host=localhost,port=2321"
468
469       · abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
470         ries of simple key value pairs separated by a  ','  character.   Each
471         key and value string are separated by a '=' character.
472
473         · TCTI abrmd supports two keys:
474
475           1. 'bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
476              string).
477
478           2. 'bus_type' : The type of the dbus instance (a string) limited to
479              'session' and 'system'.
480
481         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
482         ample.FooBar:
483
484         \--tcti=tabrmd:bus_name=com.example.FooBar
485
486         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
487         sion:
488
489         \--tcti:bus_type=session
490
491         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
492         ules.  # Signature Format Specifiers
493
494       Format selection for the signature output file.  tss (the default) will
495       output a binary blob according to the TPM 2.0 specification and any po‐
496       tential compiler padding.  The option plain will output the plain  sig‐
497       nature data as defined by the used cryptographic algorithm.
498

500   Create a key and get attested TPM time
501              tpm2_createprimary -C e -c primary.ctx
502
503              tpm2_create -G rsa -u rsa.pub -r rsa.priv -C primary.ctx
504
505              tpm2_load -C primary.ctx -u rsa.pub -r rsa.priv -c rsa.ctx
506
507              tpm2_gettime -c rsa.ctx -o attest.sig --attestation attest.data
508

510       Tools can return any of the following codes:
511
512       · 0 - Success.
513
514       · 1 - General non-specific error.
515
516       · 2 - Options handling error.
517
518       · 3 - Authentication error.
519
520       · 4 - TCTI related error.
521
522       · 5 - Non supported scheme.  Applicable to tpm2_testparams.
523

525       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
526

528       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
529
530
531
532tpm2-tools                                                     tpm2_gettime(1)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Context Object Format

Authorization Formatting

Algorithm Specifiers

COMMON OPTIONS

TCTI Configuration

TCTI OPTIONS

EXAMPLES

Returns

BUGS

HELP