tpm2_policycountertimer(1)       General Commands Manual      tpm2_policycountertimer(1)


NAME

       tpm2_policycountertimer(1) - Enables policy authorization by evaluating
       the comparison operation on the TPM parameters time, clock, reset
       count, restart count and TPM clock safe flag.


SYNOPSIS

       tpm2_policycountertimer [OPTIONS] [ARGUMENT]


DESCRIPTION

       tpm2_policycountertimer(1) - Enables policy authorization by evaluating
       a comparison operation on one of the TPM parameters time, clock, reset
       count, restart count and TPM clock safe flag.  Time and clock values
       are given in milliseconds.  The parameter and the value are given as a
       command line argument as below:

              tpm2_policycountertimer -S session.ctx safe
              tpm2_policycountertimer -S session.ctx clock=<N ms>
              tpm2_policycountertimer -S session.ctx time=<N ms>
              tpm2_policycountertimer -S session.ctx resets=<N>
              tpm2_policycountertimer -S session.ctx restarts=<N>

       By default the comparison tests for equality, and by default the
       parameter tested is time.


OPTIONS

       · -L, --policy=FILE:

         File to save the policy digest.

       · -S, --session=FILE:

         The policy session file generated via the -S option to
         tpm2_startauthsession or saved off of a previous tool run.

       · --eq

         if value of current time in the TPM = value of specified input time.

       · --neq

         if value of current time in the TPM != value of specified input time.

       · --sgt

         if signed value of current time in the TPM > signed value of specified
         input time.

       · --ugt

         if unsigned value of current time in the TPM > unsigned value of
         specified input time.

       · --slt

         if signed value of current time in the TPM < signed value of specified
         input time.

       · --ult

         if unsigned value of current time in the TPM < unsigned value of
         specified input time.

       · --sge

         if signed value of current time in the TPM >= signed value of
         specified input time.

       · --uge

         if unsigned value of current time in the TPM >= unsigned value of
         specified input time.

       · --sle

         if signed value of current time in the TPM <= signed value of
         specified input time.

       · --ule

         if unsigned value of current time in the TPM <= unsigned value of
         specified input time.

       · --bs

         if all bits set in value of current time in the TPM are set in value
         of specified input time.

       · --bc

         if all bits set in value of current time in the TPM are clear in
         value of specified input time.


COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       · -h, --help=[man|no-man]: Display the tool's manpage.  By default, it
         attempts to invoke the manpager for the tool; on failure it outputs a
         short tool summary.  This is the same behavior as when the "man"
         option argument is specified, except that when "man" is explicitly
         requested the tool will report errors from man on stderr.  If the
         "no-man" option is specified, or the manpager fails, the short
         options will be output to stdout.

         To use the manpages feature, the manpages must be installed or on
         MANPATH; see man(1) for more details.

       · -v, --version: Display version information for this tool, supported
         tctis and exit.

       · -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       · -Q, --quiet: Silence normal tool output to stdout.

       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.
         Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
         equivalent.


TCTI Configuration

       The TCTI or "Transmission Interface" is the communication mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       · tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd and
         abrmd as a tcti name are synonymous.

       · mssim - Typically used for communicating to the TPM software
         simulator.

       · device - Used when talking directly to a TPM device file.

       · none - Do not initialize a connection with the TPM.  Some tools allow
         for off-tpm options and thus support not using a TCTI.  Tools that do
         not support it will error when attempted to be used without a TCTI
         connection.  Does not support ANY options and MUST BE presented as
         the exact text of "none".

       The arguments to either the command line option or the environment
       variable are in the form:

       <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that
       portion respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics.  The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
       what TCTI will be chosen as the default by using the -v option to print
       the version information.  The "default-tcti" key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup.  Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.


TCTI OPTIONS

       This collection of options is used to configure the various known TCTI
       modules available:

       · device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified.  The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or export
         TPM2TOOLS_TCTI="device:/dev/tpm0"

       · mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified.  The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or export
         TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       · abrmd: For the abrmd TCTI, the configuration string format is a
         series of simple key value pairs separated by a ',' character.  Each
         key and value string are separated by a '=' character.

         · TCTI abrmd supports two keys:

           1. 'bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. 'bus_type' : The type of the dbus instance (a string) limited to
              'session' and 'system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

         --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti and a config string of
         bus_type=session:

         --tcti:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.


EXAMPLES

       Create a sealing object with an authorization policy that is satisfied
       only during the first minute after a TPM restart.

   Create the policy and the sealing object
              tpm2_startauthsession -S session.ctx

              tpm2_policycountertimer -S session.ctx -L policy.countertimer --ult 60000

              tpm2_flushcontext session.ctx

              tpm2_createprimary -C o -c prim.ctx -Q

              echo "SUPERSECRET" | \
              tpm2_create -Q -u key.pub -r key.priv -i- -C prim.ctx \
              -L policy.countertimer -a "fixedtpm|fixedparent" -c key.ctx

   Unsealing should work in the first minute after TPM restart
              tpm2_startauthsession -S session.ctx --policy-session

              tpm2_policycountertimer -S session.ctx --ult 60000

              tpm2_unseal -c key.ctx -p session:session.ctx

              tpm2_flushcontext session.ctx

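       As an added example (not code from tpm2-tools), the following Python
       computes the policy digest that tpm2_policycountertimer writes with -L
       for a given ARGUMENT and comparison option, so the digest sealed against
       above can be checked or pre-computed on a machine without a TPM.  It
       assumes a SHA-256 policy session (the tpm2_startauthsession default),
       the TPM 2.0 PolicyCounterTimer digest construction, and operand widths
       and offsets following the TPMS_TIME_INFO layout; encode_operand and
       policy_countertimer are names chosen here.

```python
# Added example, not part of tpm2-tools. Computes the expected policy digest of
# tpm2_policycountertimer offline. Assumptions: SHA-256 policy hash, and the
# TPM 2.0 Part 3 construction for TPM2_PolicyCounterTimer:
#   args = H(operandB || offset(UINT16) || operation(UINT16))
#   new  = H(old || TPM_CC_PolicyCounterTimer || args)
import hashlib
import struct

TPM_CC_POLICYCOUNTERTIMER = 0x0000016D  # command code (TPM 2.0 Part 2)

# Parameter -> (offset into marshaled TPMS_TIME_INFO, big-endian struct format)
# time UINT64 @0, clock UINT64 @8, resetCount UINT32 @16,
# restartCount UINT32 @20, safe TPMI_YES_NO (1 byte) @24.
PARAMS = {
    "time": (0, ">Q"), "clock": (8, ">Q"),
    "resets": (16, ">I"), "restarts": (20, ">I"), "safe": (24, ">B"),
}

# Tool option -> TPM_EO operation value (TPM 2.0 Part 2, TPM_EO constants)
OPERATIONS = {
    "eq": 0x0000, "neq": 0x0001, "sgt": 0x0002, "ugt": 0x0003,
    "slt": 0x0004, "ult": 0x0005, "sge": 0x0006, "uge": 0x0007,
    "sle": 0x0008, "ule": 0x0009, "bs": 0x000A, "bc": 0x000B,
}

def encode_operand(argument: str) -> tuple[bytes, int]:
    """Parse the tool's ARGUMENT ('safe', 'time=<N>', 'clock=<N>', 'resets=<N>',
    'restarts=<N>') into (operandB, offset). A bare number means time=<N>, the
    tool's default. 'safe' is encoded here as the single byte 1 (assumption)."""
    if argument == "safe":
        return struct.pack(">B", 1), PARAMS["safe"][0]
    name, sep, value = argument.partition("=")
    if not sep:
        name, value = "time", argument
    offset, fmt = PARAMS[name]
    return struct.pack(fmt, int(value, 0)), offset

def policy_countertimer(argument: str, op: str = "eq",
                        old_digest: bytes = bytes(32)) -> bytes:
    """Extend old_digest (a fresh session starts at 32 zero bytes) the way
    TPM2_PolicyCounterTimer does and return the new 32-byte policy digest."""
    operand_b, offset = encode_operand(argument)
    args = hashlib.sha256(
        operand_b + struct.pack(">HH", offset, OPERATIONS[op])).digest()
    cc = struct.pack(">I", TPM_CC_POLICYCOUNTERTIMER)
    return hashlib.sha256(old_digest + cc + args).digest()

if __name__ == "__main__":
    # Same policy as the man page example: --ult 60000 (time < 60 s after restart)
    print(policy_countertimer("60000", "ult").hex())
```

       Compare the printed hex with the contents of policy.countertimer
       (e.g. xxd -p policy.countertimer) to confirm the sealed policy is the
       one intended.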

Returns

       Tools can return any of the following codes:

       · 0 - Success.

       · 1 - General non-specific error.

       · 2 - Options handling error.

       · 3 - Authentication error.

       · 4 - TCTI related error.

       · 5 - Non supported scheme.  Applicable to tpm2_testparams.


Limitations

       It expects a session to be already established via
       tpm2_startauthsession(1) and requires one of the following:

       · direct device access

       · extended session support with tpm2-abrmd.

       Without it, most resource managers will not save session state between
       command invocations.


BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)


HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)

tpm2-tools                                          tpm2_policycountertimer(1)