tpm2_quote(1)               General Commands Manual              tpm2_quote(1)


NAME

       tpm2_quote(1) - Provide a quote and signature from the TPM.


SYNOPSIS

       tpm2_quote [OPTIONS]


DESCRIPTION

       tpm2_quote(1) - Provide a quote and signature for a given list of PCRs
       in the given hash algorithms/banks.


OPTIONS

       -c, --key-context=OBJECT:

         Context object for the quote signing key.

       -p, --auth=AUTH:

         Specifies the authorization value for the AK specified by option -c.

       -l, --pcr-list=PCR:

         The list of PCR banks and selected PCR ids for each bank.  Also see
         the NOTES section below.

       -m, --message=FILE:

         Message output file, records the quote message that makes up the data
         that is signed by the TPM.

       -s, --signature=FILE:

         Signature output file, records the signature in the format specified
         via the -f option.

       -f, --format=FORMAT:

         Format selection for the signature output file.

       -o, --pcr=FILE:

         PCR output file, optional, records the list of PCR values as defined
         by -l.

       -F, --pcrs_format=FORMAT:

         Format selection for the binary blob in the PCR output file.  `values'
         will output a binary blob of the PCR values.  `serialized' will output
         a binary blob of the PCR values in the form of a serialized data
         structure in little endian format.  Optional.  Default is
         `serialized'.

       -q, --qualification=HEX_STRING_OR_PATH:

         Data given as a hex string or binary file to qualify the quote,
         optional.  This is typically used to add a nonce against replay
         attacks.

       -g, --hash-algorithm=ALGORITHM:

         Hash algorithm for the signature.  Defaults to sha256.

       --scheme=ALGORITHM:

         The signing scheme used to sign the message.  Optional.  Signing
         schemes should follow the “formatting standards”, see section
         “Algorithm Specifiers”.  Also, see section “Supported Signing Schemes”
         for a list of supported signature schemes.  If specified, the
         signature scheme must match the key type.  If left unspecified, a
         default signature scheme for the key type will be used.

       --cphash=FILE:

         File path to record the hash of the command parameters.  This is
         commonly termed the cpHash.  NOTE: When this option is selected, the
         tool will not actually execute the command, it simply returns a
         cpHash.

   References

Context Object Format

       The type of a context object, whether it is a handle or file name, is
       determined according to the following logic, in order:

       • If the argument is a file path, then the file is loaded as a restored
         TPM transient object.

       • If the argument is a prefix match on one of:

         • owner: the owner hierarchy

         • platform: the platform hierarchy

         • endorsement: the endorsement hierarchy

         • lockout: the lockout control persistent object

       • If the argument can be loaded as a number it will be treated as a
         handle, e.g. 0x81010013, and used directly.


Authorization Formatting

       Authorization for use of an object in TPM2.0 can come in 3 different
       forms:

       1. Password

       2. HMAC

       3. Sessions

       NOTE: “Authorizations default to the EMPTY PASSWORD when not
       specified”.

   Passwords
       Passwords are interpreted in the following forms below using prefix
       identifiers.

       Note: By default passwords are assumed to be in the string form when
       they do not have a prefix.

   String
       A string password, specified by prefix “str:” or its absence (raw
       string without prefix) is not interpreted, and is directly used for
       authorization.

   Examples
              foobar
              str:foobar

   Hex-string
       A hex-string password, specified by prefix “hex:” is converted from a
       hexadecimal form into a byte array form, thus allowing passwords with
       non-printable and/or terminal-unfriendly characters.

   Example
              hex:1122334455667788

   File
       A file based password, specified by prefix “file:” should be the path
       of a file containing the password to be read by the tool or a “-” to
       use stdin.  Storing passwords in files prevents information leakage;
       passwords passed as options can be read from the process list or common
       shell history features.

   Examples
              # to use stdin and be prompted
              file:-

              # to use a file from a path
              file:path/to/password/file

              # to echo a password via stdin:
              echo foobar | tpm2_tool -p file:-

              # to use a bash here-string via stdin:
              tpm2_tool -p file:- <<< foobar

   Sessions
       When using a policy session to authorize the use of an object, prefix
       the option argument with the session keyword.  Then indicate a path to
       a session file that was created with tpm2_startauthsession(1).
       Optionally, if the session requires an auth value to be sent with the
       session handle (e.g. policy password), then append a + and a string as
       described in the Passwords section.

   Examples
       To use a session context file called session.ctx.

              session:session.ctx

       To use a session context file called session.ctx AND send the authvalue
       mypassword.

              session:session.ctx+mypassword

       To use a session context file called session.ctx AND send the HEX
       authvalue 0x11223344.

              session:session.ctx+hex:11223344

   PCR Authorizations
       You can satisfy a PCR policy using the “pcr:” prefix and the PCR
       minilanguage.  The PCR minilanguage is as follows:

              <pcr-spec>=<raw-pcr-file>

       The PCR spec is documented in the section “PCR Bank Specifiers”.

       The raw-pcr-file is an optional argument that contains the output of
       the raw PCR contents as returned by tpm2_pcrread(1).

   Examples
       To satisfy a PCR policy on PCRs 0, 1, 2 and 3 of the sha256 bank use a
       specifier of:

              pcr:sha256:0,1,2,3

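       The prefixes above form a small grammar that tools have to classify
       before they can talk to the TPM.  The following parser is an added
       example, not tpm2-tools code: it decodes str:/hex:/file: passwords,
       session:PATH[+AUTH] and pcr:SPEC[=FILE] arguments into their
       components.  Reading stdin and files is injected as callables so the
       parser can be exercised offline; the function names are this example's
       own, and stripping a single trailing newline from file/stdin input (so
       that the echo and here-string examples above work) is an assumption.

```python
# Added example (not tpm2-tools code): parse the authorization minilanguage
# (str:/hex:/file: passwords, session:PATH[+AUTH], pcr:SPEC[=FILE]).
import binascii


def _read_source(path, stdin, read_file):
    """Return the bytes behind "file:PATH" ("-" means stdin).  Stripping one
    trailing newline is this example's assumption so that shell pipes and
    here-strings do not smuggle a '\\n' into the password."""
    data = stdin if path == "-" else read_file(path)
    return data.rstrip(b"\n")


def parse_password(spec, stdin=b"", read_file=lambda p: b""):
    """Decode a password per the Passwords section; returns raw bytes."""
    if spec.startswith("str:"):
        return spec[4:].encode()
    if spec.startswith("hex:"):
        try:
            return binascii.unhexlify(spec[4:])
        except (binascii.Error, ValueError):
            raise ValueError(f"invalid hex password {spec!r}") from None
    if spec.startswith("file:"):
        return _read_source(spec[5:], stdin, read_file)
    return spec.encode()          # no prefix: taken literally as a string


def parse_auth(spec, stdin=b"", read_file=lambda p: b""):
    """Classify an AUTH argument as password, session or pcr authorization.
    Returns a dict with a "kind" key and the decoded components."""
    if spec.startswith("session:"):
        path, sep, auth = spec[len("session:"):].partition("+")
        if not path:
            raise ValueError("session: requires a session context file path")
        return {"kind": "session", "path": path,
                "auth": parse_password(auth, stdin, read_file) if sep else b""}
    if spec.startswith("pcr:"):
        pcr_spec, sep, raw_file = spec[4:].partition("=")
        if not pcr_spec:
            raise ValueError("pcr: requires a PCR bank specifier")
        return {"kind": "pcr", "pcr_spec": pcr_spec,
                "raw_pcr_file": raw_file if sep else None}
    return {"kind": "password", "auth": parse_password(spec, stdin, read_file)}


if __name__ == "__main__":
    # Constructed inputs mirroring the examples in this section.
    for arg in ("foobar", "hex:1122334455667788", "session:session.ctx+hex:11223344",
                "pcr:sha256:0,1,2,3"):
        print(arg, "->", parse_auth(arg))
```

       Because the password bytes are only ever produced by parse_password,
       a tool built on this keeps the secret out of argv whenever the file:
       form is used, which is the leakage point the File section warns about.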

Signature Format Specifiers

       Format selection for the signature output file.  tss (the default) will
       output a binary blob according to the TPM 2.0 specification and any
       potential compiler padding.  The option plain will output the plain
       signature data as defined by the used cryptographic algorithm.


PCR Bank Specifiers

       PCR Bank Selection lists follow the below specification:

              <BANK>:<PCR>[,<PCR>] or <BANK>:all

       Multiple banks may be separated by `+'.

       For example:

              sha1:3,4+sha256:all

       will select PCRs 3 and 4 from the SHA1 bank and PCRs 0 to 23 from the
       SHA256 bank.

   Note
       PCR selections allow for up to 5 hash-to-PCR selection mappings.  This
       is a limitation of the design: the PCR values are fetched in a single
       call to the TPM.

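       The selection string is ultimately turned into a TPML_PCR_SELECTION
       structure for the TPM.  The parser below is an added example, not
       tpm2-tools code: it accepts both bank names and numeric TPM_ALG_ID
       values (as the EXAMPLES section uses), expands `all', rejects PCR
       indexes outside 0..23 and more than the five mappings noted above, and
       encodes the result in the wire layout (a 32-bit count, then per bank a
       16-bit algorithm id, a select-array size and a bitmap with one bit per
       PCR).  The algorithm-id table and the three-byte select array for a
       24-PCR TPM are assumptions of this example.

```python
# Added example (not tpm2-tools code): parse "<BANK>:<PCR>[,<PCR>]" /
# "<BANK>:all" lists joined by '+' and encode them as TPML_PCR_SELECTION.
import struct

# TPM 2.0 TPM_ALG_ID values for common PCR banks (assumed table for this
# example; tpm2_quote also accepts the numeric id directly, e.g. 0x000b).
HASH_ALG_IDS = {
    "sha1": 0x0004,
    "sha256": 0x000B,
    "sha384": 0x000C,
    "sha512": 0x000D,
    "sm3_256": 0x0012,
}
PCR_COUNT = 24         # PCRs 0..23 on a typical TPM; "all" expands to these
MAX_SELECTIONS = 5     # hash-to-PCR mapping limit from the Note above
SELECT_BYTES = 3       # 24 PCR bits fit in a 3-byte select array


def parse_bank(bank):
    """Map a bank name or a numeric TPM_ALG_ID string to its integer id."""
    b = bank.strip().lower()
    if b in HASH_ALG_IDS:
        return HASH_ALG_IDS[b]
    try:
        return int(b, 0)          # e.g. "0x000b"
    except ValueError:
        raise ValueError(f"unknown PCR bank {bank!r}") from None


def parse_pcr_list(spec):
    """Parse a -l argument into a list of (alg_id, sorted PCR indexes)."""
    selections = []
    for part in spec.split("+"):
        if ":" not in part:
            raise ValueError(f"selection {part!r} lacks '<BANK>:'")
        bank, pcrs = part.split(":", 1)
        alg = parse_bank(bank)
        if pcrs.strip().lower() == "all":
            indexes = list(range(PCR_COUNT))
        else:
            # decimal or 0x-prefixed indexes; duplicates collapse
            indexes = sorted({int(p.strip(), 0) for p in pcrs.split(",") if p.strip()})
            bad = [i for i in indexes if not 0 <= i < PCR_COUNT]
            if bad or not indexes:
                raise ValueError(f"bad PCR index(es) {bad} in {part!r}")
        selections.append((alg, indexes))
    if len(selections) > MAX_SELECTIONS:
        raise ValueError(f"at most {MAX_SELECTIONS} bank selections allowed")
    return selections


def validate_pcr_list(spec):
    """Return an error message for a bad -l argument, or None if it is fine."""
    try:
        parse_pcr_list(spec)
    except ValueError as e:
        return str(e)
    return None


def encode_pcr_selection(selections):
    """Serialize to the big-endian TPML_PCR_SELECTION wire format."""
    out = struct.pack(">I", len(selections))
    for alg, indexes in selections:
        bitmap = bytearray(SELECT_BYTES)
        for i in indexes:
            bitmap[i // 8] |= 1 << (i % 8)   # bit i of the select array = PCR i
        out += struct.pack(">HB", alg, SELECT_BYTES) + bytes(bitmap)
    return out


if __name__ == "__main__":
    for spec in ("sha1:3,4+sha256:all", "0x0004:16,17,18+0x000b:16,17,18"):
        print(spec, "->", encode_pcr_selection(parse_pcr_list(spec)).hex())
```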

COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       -h, --help=[man|no-man]: Display the tool's manpage.  By default, it
         attempts to invoke the manpager for the tool, however, on failure
         will output a short tool summary.  This is the same behavior if the
         “man” option argument is specified, however if explicit “man” is
         requested, the tool will provide errors from man on stderr.  If the
         “no-man” option is specified, or the manpager fails, the short
         options will be output to stdout.

         To successfully use the manpages feature requires the manpages to be
         installed or on MANPATH, see man(1) for more details.

       -v, --version: Display version information for this tool, supported
         TCTIs and exit.

       -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       -Q, --quiet: Silence normal tool output to stdout.

       -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.
         Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
         equivalent.


TCTI Configuration

       The TCTI or “Transmission Interface” is the communication mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       • tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd and
         abrmd as a tcti name are synonymous.

       • mssim - Typically used for communicating to the TPM software
         simulator.

       • device - Used when talking directly to a TPM device file.

       • none - Do not initialize a connection with the TPM.  Some tools allow
         for off-TPM options and thus support not using a TCTI.  Tools that do
         not support it will error when used without a TCTI connection.  Does
         not support ANY options and MUST BE presented as the exact text of
         “none”.

       The arguments to either the command line option or the environment
       variable are in the form:

              <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that portion
       respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics.  The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
       what TCTI will be chosen as the default by using the -v option to print
       the version information.  The “default-tcti” key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup.  Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.


TCTI OPTIONS

       This collection of options is used to configure the various known TCTI
       modules available:

       device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified.  The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="device:/dev/tpm0"

       mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified.  The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or export
         TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       abrmd: For the abrmd TCTI, the configuration string format is a series
         of simple key value pairs separated by a `,' character.  Each key and
         value string are separated by a `=' character.

         TCTI abrmd supports two keys:

           1. `bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. `bus_type' : The type of the dbus instance (a string) limited to
              `session' and `system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

                --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti and a config string of
         bus_type=session:

                --tcti:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.


EXAMPLES

              tpm2_createprimary -C e -c primary.ctx

              tpm2_create -C primary.ctx -u key.pub -r key.priv

              tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx

              tpm2_quote -Q -c key.ctx -l 0x0004:16,17,18+0x000b:16,17,18

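       The quote produced above is only useful to a verifier that checks what
       is inside it.  The following is an added example, not tpm2-tools code,
       of the verifier side for the files tpm2_quote writes with -m (the
       TPMS_ATTEST message), -o with -F values (the raw PCR values) and -q
       (the nonce): it decodes the message, rejects a replayed quote whose
       extraData is not the nonce the verifier issued, and recomputes the
       pcrDigest over the concatenated PCR values with the -g hash.  Checking
       the -s signature against the AK public key is assumed to happen
       separately.  The sample message is constructed in the block so it runs
       without a TPM; the AK name, clock values and PCR contents in it are
       made up.

```python
# Added example (not tpm2-tools code): verify the quote message (-m), nonce
# (-q) and raw PCR values (-o FILE -F values) that tpm2_quote writes.
import hashlib
import struct

TPM_GENERATED_VALUE = 0xFF544347   # magic that starts every TPMS_ATTEST
TPM_ST_ATTEST_QUOTE = 0x8018       # attestation type produced by TPM2_Quote


def _tpm2b(buf, off):
    """Read a TPM2B field (UINT16 size + bytes); return (bytes, new offset)."""
    (size,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + size
    if end > len(buf):
        raise ValueError("TPM2B field runs past end of message")
    return buf[off + 2:end], end


def parse_quote(msg):
    """Decode a TPMS_ATTEST of type TPM_ST_ATTEST_QUOTE (all big endian)."""
    magic, atype = struct.unpack_from(">IH", msg, 0)
    if magic != TPM_GENERATED_VALUE or atype != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote structure")
    off = 6
    signer, off = _tpm2b(msg, off)    # qualifiedSigner: name of the AK
    extra, off = _tpm2b(msg, off)     # extraData: the -q qualification data
    clock, reset, restart, safe = struct.unpack_from(">QIIB", msg, off)
    off += 17                         # TPMS_CLOCK_INFO
    off += 8                          # firmwareVersion (UINT64), not checked
    (count,) = struct.unpack_from(">I", msg, off)
    off += 4
    selections = []                   # TPML_PCR_SELECTION
    for _ in range(count):
        alg, nbytes = struct.unpack_from(">HB", msg, off)
        off += 3
        bitmap = msg[off:off + nbytes]
        off += nbytes
        pcrs = [i for i in range(nbytes * 8) if bitmap[i // 8] >> (i % 8) & 1]
        selections.append((alg, pcrs))
    digest, off = _tpm2b(msg, off)    # pcrDigest
    if off != len(msg):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"signer": signer, "nonce": extra, "clock": clock,
            "reset_count": reset, "restart_count": restart, "safe": safe,
            "selections": selections, "pcr_digest": digest}


def verify_quote(msg, expected_nonce, pcr_values, hash_alg="sha256"):
    """Check the nonce and recompute pcrDigest over the concatenated PCR
    values (what -o FILE -F values writes, in selection order) with the -g
    hash.  Returns (True, parsed quote) or (False, reason)."""
    try:
        q = parse_quote(msg)
    except (ValueError, struct.error) as e:
        return False, f"malformed quote message: {e}"
    if q["nonce"] != expected_nonce:
        return False, "nonce mismatch: possible replay of an old quote"
    if hashlib.new(hash_alg, pcr_values).digest() != q["pcr_digest"]:
        return False, "pcrDigest does not match the supplied PCR values"
    return True, q


def build_sample_quote(nonce, pcr_values, hash_alg="sha256"):
    """Constructed TPMS_ATTEST (test data, not real TPM output) for the
    sha256 bank, PCRs 16, 17 and 18, matching the -l example above."""
    signer = b"\x00\x0b" + b"\x11" * 32          # constructed AK name
    selection = struct.pack(">IHB", 1, 0x000B, 3) + bytes([0x00, 0x00, 0x07])
    digest = hashlib.new(hash_alg, pcr_values).digest()
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
            + struct.pack(">H", len(signer)) + signer
            + struct.pack(">H", len(nonce)) + nonce
            + struct.pack(">QIIB", 123456, 3, 0, 1)  # clockInfo (constructed)
            + struct.pack(">Q", 0x20230101)          # firmwareVersion (constructed)
            + selection
            + struct.pack(">H", len(digest)) + digest)


# Constructed sample inputs: a 16-byte nonce and three 32-byte PCR values.
SAMPLE_NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_PCRS = b"\x00" * 32 + b"\xaa" * 32 + b"\x55" * 32
SAMPLE_MSG = build_sample_quote(SAMPLE_NONCE, SAMPLE_PCRS)

if __name__ == "__main__":
    print(verify_quote(SAMPLE_MSG, SAMPLE_NONCE, SAMPLE_PCRS)[0])   # True
    print(verify_quote(SAMPLE_MSG, bytes(16), SAMPLE_PCRS)[1])      # replay
```

       Only the `values' layout of the -o file can be hashed as-is; the
       `serialized' default carries structure headers and would have to be
       decoded first.  A verifier should also compare the qualifiedSigner
       name against the AK it trusts and may use resetCount and restartCount
       to notice that the platform rebooted between two quotes.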

NOTES

       The maximum number of PCRs that can be quoted at once is associated
       with the maximum length of a bank.

       On most TPMs, it means that this tool can quote up to 24 PCRs at once.

       Note that this tool performs a detached signature.


Returns

       Tools can return any of the following codes:

       • 0 - Success.

       • 1 - General non-specific error.

       • 2 - Options handling error.

       • 3 - Authentication error.

       • 4 - TCTI related error.

       • 5 - Non supported scheme.  Applicable to tpm2_testparams.


BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)


HELP

       See the Mailing List
       (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)



tpm2-tools                                                       tpm2_quote(1)