tpm2_policynv(1)            General Commands Manual           tpm2_policynv(1)

NAME

       tpm2_policynv(1) - Evaluates policy authorization by comparing a
       specified value against the contents of the specified NV Index.


SYNOPSIS

       tpm2_policynv [OPTIONS] [ARGUMENT] [ARGUMENT]


DESCRIPTION

       tpm2_policynv(1) - This command evaluates policy authorization by
       comparing the contents of an NV index against the value specified in
       the tool options.  The tool takes two arguments: (1) the NV index,
       specified as a raw handle or as an offset into the NV handle range
       TPM2_HR_NV_INDEX, and (2) the comparison operator, which selects a
       magnitude comparison or a bit-test operation.  In the specification
       the data read from the NV index is called operandA and the data the
       user supplies for comparison is called operandB.  The TPM compares the
       same number of bytes as operandB contains, read from the index
       starting at --offset; both operands are treated as big-endian values,
       and the signed operators treat them as two's complement.  The
       comparison operator can be one of:

       · eq  - operandA = operandB
       · neq - operandA != operandB
       · sgt - signed operandA > signed operandB
       · ugt - unsigned operandA > unsigned operandB
       · slt - signed operandA < signed operandB
       · ult - unsigned operandA < unsigned operandB
       · sge - signed operandA >= signed operandB
       · uge - unsigned operandA >= unsigned operandB
       · sle - signed operandA <= signed operandB
       · ule - unsigned operandA <= unsigned operandB
       · bs  - all bits set in operandB are also set in operandA
       · bc  - all bits set in operandB are clear in operandA

       For bs and bc, operandB (the value given with -i) acts as the mask
       that is tested against the index contents.

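       The operator semantics above can be checked offline before a policy
       is committed to hardware.  The following script is an added example
       and is not part of the tpm2-tools man page: it predicts what
       TPM2_PolicyNV will decide for a given operator, index content, operand
       and offset, following the TPM_EO definitions of the TPM 2.0 Library
       specification (operandA is the slice of the index starting at the
       offset with the length of operandB; big-endian; two's complement for
       the signed operators; operandB is the mask for bs and bc).  The
       function names are our own and the inputs are hex strings.

```shell
#!/usr/bin/env bash
# Added example (not from the tpm2-tools man page): predict offline what
# TPM2_PolicyNV will decide for an operator, index content and operand.
# Semantics follow TPM_EO in the TPM 2.0 Library specification; the helper
# names are ours. All operands are hex strings, e.g. "aa" or "0102aabb".

# Unsigned compare of two equal-length hex strings; prints -1, 0 or 1.
ucmp() {
    local a=$1 b=$2 i x y
    for ((i = 0; i < ${#a}; i += 2)); do
        x=$((0x${a:i:2})); y=$((0x${b:i:2}))
        if ((x < y)); then printf '%s\n' -1; return; fi
        if ((x > y)); then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Toggle the sign bit of the most significant byte: for equal-width two's
# complement values this maps signed order onto unsigned order.
flip_sign() {
    printf '%02x%s' "$(( 0x${1:0:2} ^ 0x80 ))" "${1:2}"
}
scmp() { ucmp "$(flip_sign "$1")" "$(flip_sign "$2")"; }

# bs: every bit set in B is also set in A.  bc: every bit set in B is clear in A.
bittest() {  # bs|bc a_hex b_hex
    local i x y
    for ((i = 0; i < ${#2}; i += 2)); do
        x=$((0x${2:i:2})); y=$((0x${3:i:2}))
        case $1 in
            bs) (( (x & y) == y )) || return 1 ;;
            bc) (( (x & y) == 0 )) || return 1 ;;
        esac
    done
    return 0
}

# policynv_predict OP INDEX_HEX OPERAND_HEX OFFSET
#   0 -> the TPM would accept and extend the policy digest
#   1 -> the TPM would return TPM_RC_POLICY (comparison is false)
#   2 -> rejected before comparing: operand does not fit, or bad operator
policynv_predict() {
    local op=$1 idx=$2 b=$3 start=$(( $4 * 2 )) a
    [ $(( start + ${#b} )) -le ${#idx} ] \
        || { echo "operand exceeds index at offset $4 (TPM_RC_SIZE)" >&2; return 2; }
    a=${idx:start:${#b}}                 # operandA: same length as operandB
    case $op in
        eq)  [ "$(ucmp "$a" "$b")" -eq 0 ] ;;
        neq) [ "$(ucmp "$a" "$b")" -ne 0 ] ;;
        ugt) [ "$(ucmp "$a" "$b")" -gt 0 ] ;;
        ult) [ "$(ucmp "$a" "$b")" -lt 0 ] ;;
        uge) [ "$(ucmp "$a" "$b")" -ge 0 ] ;;
        ule) [ "$(ucmp "$a" "$b")" -le 0 ] ;;
        sgt) [ "$(scmp "$a" "$b")" -gt 0 ] ;;
        slt) [ "$(scmp "$a" "$b")" -lt 0 ] ;;
        sge) [ "$(scmp "$a" "$b")" -ge 0 ] ;;
        sle) [ "$(scmp "$a" "$b")" -le 0 ] ;;
        bs|bc) bittest "$op" "$a" "$b" ;;
        *) echo "unknown operator: $op" >&2; return 2 ;;
    esac
}

# Demo with the 1-byte index value 0xAA used in the EXAMPLES section.
# 0xAA is 170 unsigned but -86 as a signed byte, so ugt and sgt disagree.
policynv_predict eq  aa aa 0 && echo "eq  aa aa: accept"
policynv_predict ugt aa 7f 0 && echo "ugt aa 7f: accept (170 > 127)"
policynv_predict sgt aa 7f 0 || echo "sgt aa 7f: reject (-86 > 127 is false)"
policynv_predict bs  aa 88 0 && echo "bs  aa 88: accept (every bit of 0x88 is set in 0xAA)"
```

       A practical use is to choose between the signed and unsigned forms
       deliberately: a counter stored in the index that crosses 0x80 in its
       top byte flips sign for sgt/slt while ugt/ult keep ordering it as a
       magnitude.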

OPTIONS

       · -C, --hierarchy=OBJECT:
         Specifies the hierarchy used to authorize.  Supported options are:

         · o for TPM_RH_OWNER

         · p for TPM_RH_PLATFORM

         · <num> where a hierarchy handle or nv-index may be used.

         When -C isn't explicitly passed, the index handle itself is used to
         authorize against the index, and -P must then supply the index auth
         value (the one set via the -p option of tpm2_nvdefine(1)).

       · -P, --auth=AUTH:

         Specifies the authorization value for the hierarchy, or for the NV
         index when -C is not given.

       · -L, --policy=FILE:

         File to save the policy digest.

       · -S, --session=FILE:

         The policy session file generated via the -S option to
         tpm2_startauthsession(1) or saved off of a previous tool run.

       · --offset=NATURAL_NUMBER:

         The offset within the NV index at which the comparison starts.  The
         offset plus the size of the operand given with -i must not exceed
         the size of the NV index; the TPM rejects the command with
         TPM_RC_SIZE otherwise.

       · -i, --input=FILE:

         Specifies the input file with data to compare to the NV Index
         contents.  In the specification this is termed the operand, or
         operandB more specifically.  It can be specified as a file, or as
         stdin if the option value is "-".

   References

COMMON OPTIONS

       This collection of options are common to many programs and provide
       information that many users may expect.

       · -h, --help=[man|no-man]: Display the tool's manpage.  By default, it
         attempts to invoke the manpager for the tool, however, on failure
         will output a short tool summary.  This is the same behavior if the
         "man" option argument is specified, however if explicit "man" is
         requested, the tool will provide errors from man on stderr.  If the
         "no-man" option is specified, or the manpager fails, the short
         options will be output to stdout.

         To successfully use the manpages feature requires the manpages to be
         installed or on MANPATH, See man(1) for more details.

       · -v, --version: Display version information for this tool, supported
         tctis and exit.

       · -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       · -Q, --quiet: Silence normal tool output to stdout.

       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.
         Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
         equivalent.


TCTI Configuration

       The TCTI or "Transmission Interface" is the communication mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       · tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd and
         abrmd as a tcti name are synonymous.

       · mssim - Typically used for communicating to the TPM software
         simulator.

       · device - Used when talking directly to a TPM device file.

       · none - Do not initialize a connection with the TPM.  Some tools allow
         for off-tpm options and thus support not using a TCTI.  Tools that do
         not support it will error when attempted to be used without a TCTI
         connection.  Does not support ANY options and MUST BE presented as
         the exact text of "none".

       The arguments to either the command line option or the environment
       variable are in the form:

       <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that portion
       respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics.  The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
       what TCTI will be chosen as the default by using the -v option to print
       the version information.  The "default-tcti" key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup.  Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.


TCTI OPTIONS

       This collection of options are used to configure the various known TCTI
       modules available:

       · device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified.  The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="device:/dev/tpm0"

       · mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified.  The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or export
         TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       · abrmd: For the abrmd TCTI, the configuration string format is a
         series of simple key value pairs separated by a ',' character.  Each
         key and value string are separated by a '=' character.

         · TCTI abrmd supports two keys:

           1. 'bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. 'bus_type' : The type of the dbus instance (a string) limited to
              'session' and 'system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

         --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti and a config string of
         bus_type=session:

         --tcti:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.


EXAMPLES

       Test if the NV index content is equal to an input value.  To do this
       we first create an NV index of size 1 byte and write a value to it,
       e.g. 0xAA.  Next we attempt to create a policy that becomes valid only
       if the equality comparison of the NV index content against the value
       specified in the tool options succeeds.

   Define the test NV Index and write the value 0xAA to it
              nv_test_index=0x01500001
              tpm2_nvdefine -C o -p nvpass $nv_test_index -a "authread|authwrite" -s 1
              echo "aa" | xxd -r -p | tpm2_nvwrite -P nvpass -i- $nv_test_index

   Attempt defining policynv with the wrong comparison value specified in the
       options.

              tpm2_startauthsession -S session.ctx --policy-session
              ### This should fail
              echo 0xBB | tpm2_policynv -S session.ctx -L policy.nv -i- 0x1500001 eq -P nvpass
              tpm2_flushcontext session.ctx

   Attempt defining policynv with the right comparison value specified in the
       options.

              tpm2_startauthsession -S session.ctx --policy-session
              ### This should pass
              echo 0xAA | tpm2_policynv -S session.ctx -L policy.nv -i- 0x1500001 eq -P nvpass
              tpm2_flushcontext session.ctx

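       The steps above produce a policy digest in policy.nv but never bind
       it to anything, so they show the comparison without showing what it
       protects.  The following script is an added example and is not part
       of the tpm2-tools man page: it computes the PolicyNV digest in a trial
       session, creates a signing key whose authPolicy is that digest (with
       no userwithauth, so only a satisfied policy session can use it), and
       then shows that signing fails with a mismatching operand and succeeds
       with the matching one.  It assumes a TPM or simulator is reachable via
       the default TCTI, that NV handle 0x01500001 is free, and that the auth
       value "nvpass" and the files under $WORK are ours to use; all of these
       are hypothetical.  The operand file is written as raw bytes, in the
       same way the tpm2_nvwrite step above writes the index, because the TPM
       compares operandB byte for byte against the index contents and its
       length plus the offset must fit inside the index.

```shell
#!/usr/bin/env bash
# Added example: bind a signing key to the content of an NV index with
# tpm2_policynv, then prove that only the matching operand unlocks the key.
# Not part of the tpm2-tools man page. Assumptions (hypothetical): a TPM or
# simulator is reachable via the default TCTI, NV handle 0x01500001 is free,
# and the auth value "nvpass" and the paths under $WORK are ours to use.
set -eu

NV_INDEX=0x01500001          # assumed free NV handle
NV_AUTH=nvpass               # assumed index auth value
WORK=${WORK:-/tmp/policynv-demo}

# Write a hex string as raw bytes. operandB is compared byte for byte with
# the index, so the ASCII text "0xAA" would be a 4-byte operand, not 0xAA.
hex_to_file() {  # hexstring outfile
    local hex=$1 out=$2 byte
    [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "odd-length hex: $hex" >&2; return 1; }
    : >"$out"
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}          # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")" >>"$out"
    done
}

# TPM2_PolicyNV fails with TPM_RC_SIZE when offset + operandB.size exceeds
# the index data size; check it client-side before spending a session.
operand_fits() {  # index_size offset operand_file
    local len
    len=$(wc -c <"$3")
    [ $(( $2 + len )) -le "$1" ]
}

# Define the index, write the reference byte, and compute the policy digest
# in a trial session (no comparison is made there; only the digest is built).
setup_index_and_policy() {
    mkdir -p "$WORK"
    tpm2_nvdefine -C o -p "$NV_AUTH" "$NV_INDEX" -a "authread|authwrite" -s 1
    hex_to_file aa "$WORK/nv.bin"
    tpm2_nvwrite -P "$NV_AUTH" -i "$WORK/nv.bin" "$NV_INDEX"

    hex_to_file aa "$WORK/operand.bin"
    operand_fits 1 0 "$WORK/operand.bin"
    tpm2_startauthsession -S "$WORK/trial.ctx"
    tpm2_policynv -S "$WORK/trial.ctx" -L "$WORK/policy.nv" \
        -i "$WORK/operand.bin" "$NV_INDEX" eq -P "$NV_AUTH"
    tpm2_flushcontext "$WORK/trial.ctx"
}

# Create a key whose authPolicy is that digest. Leaving out userwithauth
# means the key's password can never be used; only a satisfied policy can.
create_policy_bound_key() {
    tpm2_createprimary -C o -c "$WORK/prim.ctx"
    tpm2_create -C "$WORK/prim.ctx" -L "$WORK/policy.nv" \
        -a "fixedtpm|fixedparent|sensitivedataorigin|sign" \
        -u "$WORK/key.pub" -r "$WORK/key.priv"
    tpm2_load -C "$WORK/prim.ctx" -u "$WORK/key.pub" -r "$WORK/key.priv" -c "$WORK/key.ctx"
}

# Try to sign with the given operand in a real policy session. Returns
# non-zero when the TPM rejects the comparison; always flushes the session.
sign_with_policy() {  # operand_hex
    local rc=0
    hex_to_file "$1" "$WORK/try.bin"
    printf 'message to sign' >"$WORK/msg.txt"
    tpm2_startauthsession -S "$WORK/sess.ctx" --policy-session
    tpm2_policynv -S "$WORK/sess.ctx" -i "$WORK/try.bin" "$NV_INDEX" eq -P "$NV_AUTH" \
        && tpm2_sign -c "$WORK/key.ctx" -p "session:$WORK/sess.ctx" \
               -o "$WORK/sig.bin" "$WORK/msg.txt" \
        || rc=$?
    tpm2_flushcontext "$WORK/sess.ctx"
    return "$rc"
}

main() {
    setup_index_and_policy
    create_policy_bound_key
    if sign_with_policy bb; then
        echo "BUG: a mismatching operand authorized the key" >&2; return 1
    fi
    sign_with_policy aa
    echo "signature written to $WORK/sig.bin"
    tpm2_nvundefine -C o "$NV_INDEX"
}

if [ "${1:-}" = run ]; then main; fi      # usage: bash policynv_demo.sh run
```

       Because the key's policy is tied to what the index holds rather than
       to a password, changing the index content (with the index auth) is
       what revokes or re-enables the key; the sign step then fails or
       succeeds at the tpm2_policynv line, before tpm2_sign is ever reached.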

Returns

       Tools can return any of the following codes:

       · 0 - Success.

       · 1 - General non-specific error.

       · 2 - Options handling error.

       · 3 - Authentication error.

       · 4 - TCTI related error.

       · 5 - Non supported scheme.  Applicable to tpm2_testparams.


Limitations

       It expects a session to be already established via
       tpm2_startauthsession(1) and requires one of the following:

       · direct device access

       · extended session support with tpm2-abrmd.

       Without it, most resource managers will not save session state between
       command invocations.


BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
253

HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)



tpm2-tools                                                    tpm2_policynv(1)