tpm2_nvread(1)

1tpm2_nvread(1)              General Commands Manual             tpm2_nvread(1)
2
3
4

NAME

6       tpm2_nvread(1) - Read the data stored in a Non-Volatile (NV)s index.
7

SYNOPSIS

9       tpm2_nvread [OPTIONS] [ARGUMENT]
10

DESCRIPTION

12       tpm2_nvread(1)  -  Read  the data stored in a Non-Volatile (NV)s index.
13       The index can be specified as raw handle or an offset value to  the  nv
14       handle range “TPM2_HR_NV_INDEX”.
15

OPTIONS

17       • -C, --hierarchy=OBJECT:
18         Specifies the hierarchy used to authorize.  Supported options are:
19
20         • o for TPM_RH_OWNER
21
22         • p for TPM_RH_PLATFORM
23
24         • <num> where a hierarchy handle or nv-index may be used.
25
26         When  -C isn’t explicitly passed the index handle will be used to au‐
27         thorize against the index.  The index auth value is set  via  the  -p
28         option to tpm2_nvdefine(1).
29
30       • -o, --output=FILE:
31
32         File to write data
33
34       • -P, --auth=AUTH:
35
36         Specifies the authorization value for the hierarchy.
37
38       • -s, --size=NATURAL_NUMBER:
39
40         Specifies  the  size  of data to be read in bytes, starting from 0 if
41         offset is not specified.  If not specified, the size of the  data  as
42         reported by the public portion of the index will be used.
43
44       • --offset=NATURAL_NUMBER:
45
46         The offset within the NV index to start reading from.
47
48       • --cphash=FILE
49
50         File path to record the hash of the command parameters.  This is com‐
51         monly termed as cpHash.  NOTE: When this option is selected, The tool
52         will  not  actually  execute the command, it simply returns a cpHash,
53         unless rphash is also required.
54
55       • --rphash=FILE
56
57         File path to record the hash of the  response  parameters.   This  is
58         commonly termed as rpHash.
59
60       • -n, --name=FILE:
61
62         The  name of the NV index that must be provided when only calculating
63         the cpHash without actually dispatching the command to the TPM.
64
65       • -S, --session=FILE:
66
67         The session created using tpm2_startauthsession.  This can be used to
68         specify  an  auxiliary session for auditing and or encryption/decryp‐
69         tion of the parameters.
70
71       • --print-yaml:
72
73         Output the content of the NV index in a human readable format, useful
74         for  displaying  the  content of counter, bits and extend and pin in‐
75         dices.  When this argument is provided size and offset is ignored.
76
77       • ARGUMENT the command line argument specifies the NV index  or  offset
78         number.
79
80   References

Context Object Format

82       The  type  of a context object, whether it is a handle or file name, is
83       determined according to the following logic in-order:
84
85       • If the argument is a file path, then the file is loaded as a restored
86         TPM transient object.
87
88       • If the argument is a prefix match on one of:
89
90         • owner: the owner hierarchy
91
92         • platform: the platform hierarchy
93
94         • endorsement: the endorsement hierarchy
95
96         • lockout: the lockout control persistent object
97
98       • If  the  argument argument can be loaded as a number it will be treat
99         as a handle, e.g. 0x81010013 and used directly._OBJECT_.
100

Authorization Formatting

102       Authorization for use of an object in TPM2.0 can come  in  3  different
103       forms: 1.  Password 2.  HMAC 3.  Sessions
104
105       NOTE:  “Authorizations  default  to  the EMPTY PASSWORD when not speci‐
106       fied”.
107
108   Passwords
109       Passwords are interpreted in the following  forms  below  using  prefix
110       identifiers.
111
112       Note:  By  default  passwords are assumed to be in the string form when
113       they do not have a prefix.
114
115   String
116       A string password, specified by prefix  “str:”  or  it’s  absence  (raw
117       string without prefix) is not interpreted, and is directly used for au‐
118       thorization.
119
120   Examples
121              foobar
122              str:foobar
123
124   Hex-string
125       A hex-string password, specified by prefix “hex:” is converted  from  a
126       hexidecimal  form  into a byte array form, thus allowing passwords with
127       non-printable and/or terminal un-friendly characters.
128
129   Example
130              hex:1122334455667788
131
132   File
133       A file based password, specified be prefix “file:” should be  the  path
134       of  a  file  containing the password to be read by the tool or a “-” to
135       use stdin.  Storing passwords in files  prevents  information  leakage,
136       passwords passed as options can be read from the process list or common
137       shell history features.
138
139   Examples
140              # to use stdin and be prompted
141              file:-
142
143              # to use a file from a path
144              file:path/to/password/file
145
146              # to echo a password via stdin:
147              echo foobar | tpm2_tool -p file:-
148
149              # to use a bash here-string via stdin:
150
151              tpm2_tool -p file:- <<< foobar
152
153   Sessions
154       When using a policy session to authorize the use of an  object,  prefix
155       the  option argument with the session keyword.  Then indicate a path to
156       a session file that was created with tpm2_startauthsession(1).  Option‐
157       ally, if the session requires an auth value to be sent with the session
158       handle (eg policy password), then append a + and a string as  described
159       in the Passwords section.
160
161   Examples
162       To use a session context file called session.ctx.
163
164              session:session.ctx
165
166       To use a session context file called session.ctx AND send the authvalue
167       mypassword.
168
169              session:session.ctx+mypassword
170
171       To use a session context file called session.ctx AND send the HEX auth‐
172       value 0x11223344.
173
174              session:session.ctx+hex:11223344
175
176   PCR Authorizations
177       You  can satisfy a PCR policy using the “pcr:” prefix and the PCR mini‐
178       language.      The     PCR     minilanguage     is     as      follows:
179       <pcr-spec>=<raw-pcr-file>
180
181       The PCR spec is documented in in the section “PCR bank specifiers”.
182
183       The  raw-pcr-file  is  an optional argument that contains the output of
184       the raw PCR contents as returned by tpm2_pcrread(1).
185
186       PCR bank specifiers (pcr.md)
187
188   Examples
189       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
190       er of:
191
192              pcr:sha256:0,1,2,3
193
194       specifying AUTH.
195

COMMON OPTIONS

197       This  collection of options are common to many programs and provide in‐
198       formation that many users may expect.
199
200       • -h, --help=[man|no-man]: Display the tools manpage.  By  default,  it
201         attempts  to  invoke  the  manpager for the tool, however, on failure
202         will output a short tool summary.  This is the same behavior  if  the
203         “man”  option argument is specified, however if explicit “man” is re‐
204         quested, the tool will provide errors from man  on  stderr.   If  the
205         “no-man”  option  if  specified, or the manpager fails, the short op‐
206         tions will be output to stdout.
207
208         To successfully use the manpages feature requires the manpages to  be
209         installed or on MANPATH, See man(1) for more details.
210
211       • -v,  --version:  Display version information for this tool, supported
212         tctis and exit.
213
214       • -V, --verbose: Increase the information that the tool prints  to  the
215         console  during  its  execution.  When using this option the file and
216         line number are printed.
217
218       • -Q, --quiet: Silence normal tool output to stdout.
219
220       • -Z, --enable-errata: Enable the application of errata fixups.  Useful
221         if  an  errata fixup needs to be applied to commands sent to the TPM.
222         Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.   in‐
223         formation many users may expect.
224

TCTI Configuration

226       The  TCTI  or  “Transmission  Interface” is the communication mechanism
227       with the TPM.  TCTIs can be changed for communication with TPMs  across
228       different mediums.
229
230       To control the TCTI, the tools respect:
231
232       1. The command line option -T or --tcti
233
234       2. The environment variable: TPM2TOOLS_TCTI.
235
236       Note:  The  command  line option always overrides the environment vari‐
237       able.
238
239       The current known TCTIs are:
240
241       • tabrmd     -     The     resource     manager,     called      tabrmd
242         (https://github.com/tpm2-software/tpm2-abrmd).   Note that tabrmd and
243         abrmd as a tcti name are synonymous.
244
245       • mssim - Typically used for communicating to the TPM software  simula‐
246         tor.
247
248       • device - Used when talking directly to a TPM device file.
249
250       • none  - Do not initalize a connection with the TPM.  Some tools allow
251         for off-tpm options and thus support not using a TCTI.  Tools that do
252         not  support  it  will error when attempted to be used without a TCTI
253         connection.  Does not support ANY options and MUST  BE  presented  as
254         the exact text of “none”.
255
256       The  arguments  to  either  the  command line option or the environment
257       variable are in the form:
258
259       <tcti-name>:<tcti-option-config>
260
261       Specifying an empty string for  either  the  <tcti-name>  or  <tcti-op‐
262       tion-config> results in the default being used for that portion respec‐
263       tively.
264
265   TCTI Defaults
266       When a TCTI is not specified, the default TCTI is  searched  for  using
267       dlopen(3)  semantics.   The  tools  will  search for tabrmd, device and
268       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You  can  query
269       what TCTI will be chosen as the default by using the -v option to print
270       the version information.  The “default-tcti” key-value pair will  indi‐
271       cate which of the aforementioned TCTIs is the default.
272
273   Custom TCTIs
274       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
275       tools internally use dlopen(3), and the raw tcti-name value is used for
276       the lookup.  Thus, this could be a path to the shared library, or a li‐
277       brary name as understood by dlopen(3) semantics.
278

TCTI OPTIONS

280       This collection of options are used to configure the various known TCTI
281       modules available:
282
283       • device: For the device TCTI, the TPM character device file for use by
284         the device TCTI can be specified.  The default is /dev/tpm0.
285
286         Example:   -T   device:/dev/tpm0   or   export    TPM2TOOLS_TCTI=“de‐
287         vice:/dev/tpm0”
288
289       • mssim:  For  the  mssim  TCTI, the domain name or IP address and port
290         number used by the simulator  can  be  specified.   The  default  are
291         127.0.0.1 and 2321.
292
293         Example:  -T  mssim:host=localhost,port=2321  or export TPM2TOOLS_TC‐
294         TI=“mssim:host=localhost,port=2321”
295
296       • abrmd: For the abrmd TCTI, the configuration string format is  a  se‐
297         ries  of  simple  key value pairs separated by a `,' character.  Each
298         key and value string are separated by a `=' character.
299
300         • TCTI abrmd supports two keys:
301
302           1. `bus_name' : The name of  the  tabrmd  service  on  the  bus  (a
303              string).
304
305           2. `bus_type' : The type of the dbus instance (a string) limited to
306              `session' and `system'.
307
308         Specify the tabrmd tcti name and a config string of  bus_name=com.ex‐
309         ample.FooBar:
310
311                \--tcti=tabrmd:bus_name=com.example.FooBar
312
313         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
314         sion:
315
316                \--tcti:bus_type=session
317
318         NOTE: abrmd and tabrmd are synonymous.  the various known  TCTI  mod‐
319         ules.d)
320

EXAMPLES

322   Read 32 bytes from an index starting at offset 0
323              tpm2_nvdefine -C o -s 32 -a "ownerread|policywrite|ownerwrite" 1
324
325              echo "please123abc" > nv.dat
326
327              tpm2_nvwrite -C o -i nv.dat 1
328
329              tpm2_nvread -C o -s 32 1
330

Returns

332       Tools can return any of the following codes:
333
334       • 0 - Success.
335
336       • 1 - General non-specific error.
337
338       • 2 - Options handling error.
339
340       • 3 - Authentication error.
341
342       • 4 - TCTI related error.
343
344       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
345

BUGS

347       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
348

HELP

350       See the Mailing List (https://lists.linuxfoundation.org/mailman/listin‐
351       fo/tpm2)
352
353
354
355tpm2-tools                                                      tpm2_nvread(1)