1tpm2_gettime(1) General Commands Manual tpm2_gettime(1)
2
3
4
6 tpm2_gettime(1) - Get the current time and clock from the TPM in a
7 signed form.
8
10 tpm2_gettime [OPTIONS] [ARGUMENT]
11
13 tpm2_gettime(1) - Provides a signed copy of the current time and clock
14 from the TPM. It returns both a signature, and the data in the stan‐
15 dard TPM attestation form, a TPMS_ATTEST structure.
16
17 It outputs to stdout, in YAML format, the TPMS_TIME_INFO structure from
18 the TPM. The structure contains the current setting of Time, Clock,
19 resetCount, and restartCount. The structure is output as YAML defined
20 as:
21
22 time: 13673142 # 64 bit value of time since last _TPM_Init or TPM2_Startup
23 # in ms.
24 clock_info:
25 clock: 13673142 # 64 bit value of time TPM has been powered on in ms.
26 reset_count: 0 # 32 bit value of the number of TPM Resets since the last
27 # TPM2_Clear.
28 restart_count: 0 # 32 bit value of the number of times that TPM2_Shutdown or
29 # _TPM_Hash_Start have occurred since the last TPM Reset or
30 # TPM2_Clear.
31 safe: yes # boolean yes|no value that no value of Clock greater than
32 # the current value of Clock has been previously reported by
33 # the TPM.
34
36 · -c, --key-context=OBJECT:
37
38 Context object pointing to the the key used for signing. Either a
39 file or a handle number. See section "Context Object Format".
40
41 · -p, --authAUTH:
42
43 Optional authorization value to use the key specified by -c. Autho‐
44 rization values should follow the "authorization formatting stan‐
45 dards", see section "Authorization Formatting".
46
47 · -P, --endorse-authAUTH:
48
49 Optional authorization value for the endorsement hierarchy. Autho‐
50 rization values should follow the "authorization formatting stan‐
51 dards", see section "Authorization Formatting".
52
53 · -g, --hash-algorithm=ALGORITHM:
54
55 The hash algorithm used to digest the message. Algorithms should
56 follow the "formatting standards", see section "Algorithm Speci‐
57 fiers". Also, see section "Supported Hash Algorithms" for a list of
58 supported hash algorithms.
59
60 · -s, --scheme=ALGORITHM:
61
62 The signing scheme used to sign the message. Optional. Signing
63 schemes should follow the "formatting standards", see section "Algo‐
64 rithm Specifiers". Also, see section "Supported Signing Schemes" for
65 a list of supported signature schemes. If specified, the signature
66 scheme must match the key type. If left unspecified, a default sig‐
67 nature scheme for the key type will be used.
68
69 · -q, --qualification=FILE_OR_HEX_STR:
70
71 Optional, the policy qualifier data that the signer can choose to in‐
72 clude in the signature. Can be either a hex string or path.
73
74 · -o, --signature=FILE:
75
76 The signature file, records the signature structure.
77
78 · -f, --format=FORMAT:
79
80 Format selection for the signature output file. See section "Signa‐
81 ture Format Specifiers".
82
83 · --attestation=FILE:
84
85 The attestation data of the type TPMS_ATTEST signed with signing key.
86
87 · ARGUMENT the command line argument specifies the file data for sign.
88
89 References
91 The type of a context object, whether it is a handle or file name, is
92 determined according to the following logic in-order:
93
94 · If the argument is a file path, then the file is loaded as a restored
95 TPM transient object.
96
97 · If the argument is a prefix match on one of:
98
99 · owner: the owner hierarchy
100
101 · platform: the platform hierarchy
102
103 · endorsement: the endorsement hierarchy
104
105 · lockout: the lockout control persistent object
106
107 · If the argument argument can be loaded as a number it will be treat
108 as a handle, e.g. 0x81010013 and used directly.OBJECT.
109
111 Authorization for use of an object in TPM2.0 can come in 3 different
112 forms: 1. Password 2. HMAC 3. Sessions
113
114 NOTE: "Authorizations default to the EMPTY PASSWORD when not speci‐
115 fied".
116
117 Passwords
118 Passwords are interpreted in the following forms below using prefix
119 identifiers.
120
121 Note: By default passwords are assumed to be in the string form when
122 they do not have a prefix.
123
124 String
125 A string password, specified by prefix "str:" or it's absence (raw
126 string without prefix) is not interpreted, and is directly used for au‐
127 thorization.
128
129 Examples
130 foobar
131 str:foobar
132
133 Hex-string
134 A hex-string password, specified by prefix "hex:" is converted from a
135 hexidecimal form into a byte array form, thus allowing passwords with
136 non-printable and/or terminal un-friendly characters.
137
138 Example
139 hex:0x1122334455667788
140
141 File
142 A file based password, specified be prefix "file:" should be the path
143 of a file containing the password to be read by the tool or a "-" to
144 use stdin. Storing passwords in files prevents information leakage,
145 passwords passed as options can be read from the process list or common
146 shell history features.
147
148 Examples
149 # to use stdin and be prompted
150 file:-
151
152 # to use a file from a path
153 file:path/to/password/file
154
155 # to echo a password via stdin:
156 echo foobar | tpm2_tool -p file:-
157
158 # to use a bash here-string via stdin:
159
160 tpm2_tool -p file:- <<< foobar
161
162 Sessions
163 When using a policy session to authorize the use of an object, prefix
164 the option argument with the session keyword. Then indicate a path to
165 a session file that was created with tpm2_startauthsession(1). Option‐
166 ally, if the session requires an auth value to be sent with the session
167 handle (eg policy password), then append a + and a string as described
168 in the Passwords section.
169
170 Examples
171 To use a session context file called session.ctx.
172
173 session:session.ctx
174
175 To use a session context file called session.ctx AND send the authvalue
176 mypassword.
177
178 session:session.ctx+mypassword
179
180 To use a session context file called session.ctx AND send the HEX auth‐
181 value 0x11223344.
182
183 session:session.ctx+hex:11223344
184
185 PCR Authorizations
186 You can satisfy a PCR policy using the "pcr:" prefix and the PCR mini‐
187 language. The PCR minilanguage is as follows:
188 <pcr-spec>=<raw-pcr-file>
189
190 The PCR spec is documented in in the section "PCR bank specifiers".
191
192 The raw-pcr-file is an optional the output of the raw PCR contents as
193 returned by tpm2_pcrread(1).
194
195 PCR bank specifiers (common/pcr.md)
196
197 Examples
198 To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
199 er of:
200
201 pcr:sha256:0,1,2,3
202
203 specifying AUTH.
204
206 Options that take algorithms support "nice-names".
207
208 There are two major algorithm specification string classes, simple and
209 complex. Only certain algorithms will be accepted by the TPM, based on
210 usage and conditions.
211
212 Simple specifiers
213 These are strings with no additional specification data. When creating
214 objects, non-specified portions of an object are assumed to defaults.
215 You can find the list of known "Simple Specifiers Below".
216
217 Asymmetric
218 · rsa
219
220 · ecc
221
222 Symmetric
223 · aes
224
225 · camellia
226
227 Hashing Algorithms
228 · sha1
229
230 · sha256
231
232 · sha384
233
234 · sha512
235
236 · sm3_256
237
238 · sha3_256
239
240 · sha3_384
241
242 · sha3_512
243
244 Keyed Hash
245 · hmac
246
247 · xor
248
249 Signing Schemes
250 · rsassa
251
252 · rsapss
253
254 · ecdsa
255
256 · ecdaa
257
258 · ecschnorr
259
260 Asymmetric Encryption Schemes
261 · oaep
262
263 · rsaes
264
265 · ecdh
266
267 Modes
268 · ctr
269
270 · ofb
271
272 · cbc
273
274 · cfb
275
276 · ecb
277
278 Misc
279 · null
280
281 Complex Specifiers
282 Objects, when specified for creation by the TPM, have numerous algo‐
283 rithms to populate in the public data. Things like type, scheme and
284 asymmetric details, key size, etc. Below is the general format for
285 specifying this data: <type>:<scheme>:<symmetric-details>
286
287 Type Specifiers
288 This portion of the complex algorithm specifier is required. The re‐
289 maining scheme and symmetric details will default based on the type
290 specified and the type of the object being created.
291
292 · aes - Default AES: aes128
293
294 · aes128<mode> - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
295 If mode is not specified, defaults to null.
296
297 · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
298
299 · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
300
301 · ecc - Elliptical Curve, defaults to ecc256.
302
303 · ecc192 - 192 bit ECC
304
305 · ecc224 - 224 bit ECC
306
307 · ecc256 - 256 bit ECC
308
309 · ecc384 - 384 bit ECC
310
311 · ecc521 - 521 bit ECC
312
313 · rsa - Default RSA: rsa2048
314
315 · rsa1024 - RSA with 1024 bit keysize.
316
317 · rsa2048 - RSA with 2048 bit keysize.
318
319 · rsa4096 - RSA with 4096 bit keysize.
320
321 Scheme Specifiers
322 Next, is an optional field, it can be skipped.
323
324 Schemes are usually Signing Schemes or Asymmetric Encryption Schemes.
325 Most signing schemes take a hash algorithm directly following the sign‐
326 ing scheme. If the hash algorithm is missing, it defaults to sha256.
327 Some take no arguments, and some take multiple arguments.
328
329 Hash Optional Scheme Specifiers
330 These scheme specifiers are followed by a dash and a valid hash algo‐
331 rithm, For example: oaep-sha256.
332
333 · oaep
334
335 · ecdh
336
337 · rsassa
338
339 · rsapss
340
341 · ecdsa
342
343 · ecschnorr
344
345 Multiple Option Scheme Specifiers
346 This scheme specifier is followed by a count (max size UINT16) then
347 folloed by a dash(-) and a valid hash algorithm. * ecdaa For example,
348 ecdaa4-sha256. If no count is specified, it defaults to 4.
349
350 No Option Scheme Specifiers
351 This scheme specifier takes NO arguments. * rsaes
352
353 Symmetric Details Specifiers
354 This field is optional, and defaults based on the type of object being
355 created and it's attributes. Generally, any valid Symmetric specifier
356 from the Type Specifiers list should work. If not specified, an asym‐
357 metric objects symmetric details defaults to aes128cfb.
358
359 Examples
360 Create an rsa2048 key with an rsaes asymmetric encryption scheme
361 tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
362
363 Create an ecc256 key with an ecdaa signing scheme with a count of 4
364 and sha384 hash
365
366 /tpm2_create -C parent.ctx -G ecc256:ec‐
367 daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
368
370 This collection of options are common to many programs and provide in‐
371 formation that many users may expect.
372
373 · -h, --help=[man|no-man]: Display the tools manpage. By default, it
374 attempts to invoke the manpager for the tool, however, on failure
375 will output a short tool summary. This is the same behavior if the
376 "man" option argument is specified, however if explicit "man" is re‐
377 quested, the tool will provide errors from man on stderr. If the
378 "no-man" option if specified, or the manpager fails, the short op‐
379 tions will be output to stdout.
380
381 To successfully use the manpages feature requires the manpages to be
382 installed or on MANPATH, See man(1) for more details.
383
384 · -v, --version: Display version information for this tool, supported
385 tctis and exit.
386
387 · -V, --verbose: Increase the information that the tool prints to the
388 console during its execution. When using this option the file and
389 line number are printed.
390
391 · -Q, --quiet: Silence normal tool output to stdout.
392
393 · -Z, --enable-errata: Enable the application of errata fixups. Useful
394 if an errata fixup needs to be applied to commands sent to the TPM.
395 Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent. in‐
396 formation many users may expect.
397
399 The TCTI or "Transmission Interface" is the communication mechanism
400 with the TPM. TCTIs can be changed for communication with TPMs across
401 different mediums.
402
403 To control the TCTI, the tools respect:
404
405 1. The command line option -T or --tcti
406
407 2. The environment variable: TPM2TOOLS_TCTI.
408
409 Note: The command line option always overrides the environment vari‐
410 able.
411
412 The current known TCTIs are:
413
414 · tabrmd - The resource manager, called tabrmd
415 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
416 abrmd as a tcti name are synonymous.
417
418 · mssim - Typically used for communicating to the TPM software simula‐
419 tor.
420
421 · device - Used when talking directly to a TPM device file.
422
423 · none - Do not initalize a connection with the TPM. Some tools allow
424 for off-tpm options and thus support not using a TCTI. Tools that do
425 not support it will error when attempted to be used without a TCTI
426 connection. Does not support ANY options and MUST BE presented as
427 the exact text of "none".
428
429 The arguments to either the command line option or the environment
430 variable are in the form:
431
432 <tcti-name>:<tcti-option-config>
433
434 Specifying an empty string for either the <tcti-name> or <tcti-op‐
435 tion-config> results in the default being used for that portion respec‐
436 tively.
437
438 TCTI Defaults
439 When a TCTI is not specified, the default TCTI is searched for using
440 dlopen(3) semantics. The tools will search for tabrmd, device and
441 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
442 what TCTI will be chosen as the default by using the -v option to print
443 the version information. The "default-tcti" key-value pair will indi‐
444 cate which of the aforementioned TCTIs is the default.
445
446 Custom TCTIs
447 Any TCTI that implements the dynamic TCTI interface can be loaded. The
448 tools internally use dlopen(3), and the raw tcti-name value is used for
449 the lookup. Thus, this could be a path to the shared library, or a li‐
450 brary name as understood by dlopen(3) semantics.
451
453 This collection of options are used to configure the various known TCTI
454 modules available:
455
456 · device: For the device TCTI, the TPM character device file for use by
457 the device TCTI can be specified. The default is /dev/tpm0.
458
459 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="de‐
460 vice:/dev/tpm0"
461
462 · mssim: For the mssim TCTI, the domain name or IP address and port
463 number used by the simulator can be specified. The default are
464 127.0.0.1 and 2321.
465
466 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
467 TI="mssim:host=localhost,port=2321"
468
469 · abrmd: For the abrmd TCTI, the configuration string format is a se‐
470 ries of simple key value pairs separated by a ',' character. Each
471 key and value string are separated by a '=' character.
472
473 · TCTI abrmd supports two keys:
474
475 1. 'bus_name' : The name of the tabrmd service on the bus (a
476 string).
477
478 2. 'bus_type' : The type of the dbus instance (a string) limited to
479 'session' and 'system'.
480
481 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
482 ample.FooBar:
483
484 \--tcti=tabrmd:bus_name=com.example.FooBar
485
486 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
487 sion:
488
489 \--tcti:bus_type=session
490
491 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
492 ules. # Signature Format Specifiers
493
494 Format selection for the signature output file. tss (the default) will
495 output a binary blob according to the TPM 2.0 specification and any po‐
496 tential compiler padding. The option plain will output the plain sig‐
497 nature data as defined by the used cryptographic algorithm.
498
500 Create a key and get attested TPM time
501 tpm2_createprimary -C e -c primary.ctx
502
503 tpm2_create -G rsa -u rsa.pub -r rsa.priv -C primary.ctx
504
505 tpm2_load -C primary.ctx -u rsa.pub -r rsa.priv -c rsa.ctx
506
507 tpm2_gettime -c rsa.ctx -o attest.sig --attestation attest.data
508
510 Tools can return any of the following codes:
511
512 · 0 - Success.
513
514 · 1 - General non-specific error.
515
516 · 2 - Options handling error.
517
518 · 3 - Authentication error.
519
520 · 4 - TCTI related error.
521
522 · 5 - Non supported scheme. Applicable to tpm2_testparams.
523
525 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
526
528 See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
529
530
531
532tpm2-tools tpm2_gettime(1)