tpm2_quote(1)               General Commands Manual              tpm2_quote(1)


NAME

       tpm2_quote(1) - Provide a quote and signature from the TPM.


SYNOPSIS

       tpm2_quote [OPTIONS]


DESCRIPTION

       tpm2_quote(1) provides a quote and signature for the given list of
       PCRs in the given hash algorithm banks.


OPTIONS

       · -k, --ak-handle=AK_HANDLE:

         Handle of the existing AK.

       · -c, --ak-context=AK_CONTEXT_FILE:

         Filename for the existing AK's context.

       · -P, --ak-password=AK_PASSWORD:

         Specifies the password of AK_HANDLE.  Passwords should follow the
         password formatting standards, see section “Password Formatting”.

       · -l, --id-list=PCR_ID_LIST:

         The comma separated list of selected PCRs' ids, 0~23, e.g. “4,5,6”.

       · -L, --sel-list=PCR_SELECTION_LIST:

         The list of PCR banks and selected PCRs' ids for each bank.
         PCR_SELECTION_LIST values should follow the PCR bank specifier
         standards, see section “PCR Bank Specifiers”.

       · -m, --message:

         Message output file; records the quote message that makes up the
         data that is signed by the TPM.

       · -s, --signature:

         Signature output file; records the signature in the format
         specified via the -f option.

       · -f, --format:

         Format selection for the signature output file.  See section
         “Signature Format Specifiers”.

       · -q, --qualify-data:

         Data given as a hex string to qualify the quote, optional.  This is
         typically used to add a nonce against replay attacks.

       · -S, --input-session-handle=SESSION_HANDLE:

         Optional input session handle from a policy session for
         authorization.

       · -G, --sig-hash-algorithm:

         Hash algorithm for the signature.


COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       · -h, --help: Display the tool's manpage.  This requires the manpages
         to be installed or on MANPATH; see man(1) for more details.

       · -v, --version: Display version information for this tool and the
         supported TCTIs, then exit.

       · -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       · -Q, --quiet: Silence normal tool output to stdout.

       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.

TCTI ENVIRONMENT

       This is a collection of environment variables that may be used to
       configure the various TCTI modules available.

       The values passed through these variables can be overridden on a
       per-command basis using the available command line options, see the
       TCTI OPTIONS section.

       The variables respected depend on how the software was configured.

       · TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the
         next component down the TSS stack.  In most configurations this will
         be the TPM but it could be a simulator or proxy.  The current known
         TCTIs are:

         · tabrmd - The new resource manager, called tabrmd
           (https://github.com/01org/tpm2-abrmd).

         · socket - Typically used with the old resource manager, or talking
           directly to a simulator.

         · device - Used when talking directly to a TPM device file.

       · TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM
         device file.  The default is “/dev/tpm0”.

         Note: Using the TPM directly requires the user to ensure that
         concurrent access does not occur and to manage the TPM resources.
         These tasks are usually handled by a resource manager.  Linux 4.12
         and greater supports an in-kernel resource manager at “/dev/tpmrm”,
         typically “/dev/tpmrm0”.

       · TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the
         domain name or IP address used.  The default is 127.0.0.1.

       · TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port
         number used.  The default is 2321.


TCTI OPTIONS

       This collection of options is used to configure the various TCTI
       modules available.  They override any environment variables.

       · -T, --tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for
         communication with the next component down the TSS stack.  In most
         configurations this will be the resource manager: tabrmd
         (https://github.com/01org/tpm2-abrmd).  Optionally, TCTI specific
         options can be appended to TCTI_NAME by appending a : to TCTI_NAME.

         · For the device TCTI, the TPM device file for use by the device
           TCTI can be specified.  The default is /dev/tpm0.  Example: -T
           device:/dev/tpm0

         · For the socket TCTI, the domain name or IP address and port number
           used by the socket can be specified.  The defaults are 127.0.0.1
           and 2321.  Example: -T socket:127.0.0.1:2321

         · For the abrmd TCTI, it takes no options.  Example: -T abrmd


Password Formatting

       Passwords are interpreted in two forms, string and hex-string.  A
       string password is not interpreted, and is directly used for
       authorization.  A hex-string is converted from hexadecimal form into a
       byte array, thus allowing passwords with non-printable and/or
       terminal-unfriendly characters.

       By default passwords are assumed to be in the string form.  Password
       form is specified with special prefix values, which are:

       · str: - Used to indicate it is a raw string.  Useful for escaping a
         password that starts with the “hex:” prefix.

       · hex: - Used when specifying a password in hex string format.


PCR Bank Specifiers

       PCR Bank Selection lists follow the below specification:

              <BANK>:<PCR>[,<PCR>]

       Multiple banks may be separated by `+'.

       For example:

              sha:3,4+sha256:5,6

       will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the
       SHA256 bank.

   Note
       PCR Selections allow for up to 5 hash-to-PCR selection mappings.  This
       is a limitation of the design, in which a single call to the TPM gets
       the PCR values.

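       The following is an added example and not tpm2-tools code: small Python
       helpers that apply the rules of the Password Formatting and PCR Bank
       Specifiers sections, turning an -P value into the raw authorization
       bytes and parsing/validating -l and -L values against the documented
       limits (PCR ids 0~23, at most 5 bank mappings).  The function names, the
       silent collapsing of a repeated PCR id and the rejects() helper are my
       own choices, not behaviour the man page states.

```python
# Added example (not tpm2-tools code): argument rules for -P, -l and -L.
PCR_MIN, PCR_MAX = 0, 23        # PCR ids the tool accepts ("0~23")
MAX_BANK_MAPPINGS = 5           # documented limit on hash-to-PCR selection mappings


def parse_password(arg):
    """Raw authorization bytes for an -P/--ak-password value: no prefix or "str:"
    is the literal string, "hex:" is decoded, so "str:hex:..." keeps the text
    "hex:..." (the documented escape)."""
    if arg.startswith("str:"):
        return arg[4:].encode()
    if arg.startswith("hex:"):
        return bytes.fromhex(arg[4:])       # ValueError on odd length / non-hex input
    return arg.encode()


def parse_pcr_ids(ids):
    """Parse a comma separated PCR id list such as "4,5,6" (the -l form)."""
    pcrs = []
    for token in ids.split(","):
        if not token.isdigit():
            raise ValueError(f"PCR id {token!r} is not a number")
        pcr = int(token)
        if not PCR_MIN <= pcr <= PCR_MAX:
            raise ValueError(f"PCR id {pcr} is outside {PCR_MIN}~{PCR_MAX}")
        if pcr not in pcrs:                 # assumption: a repeated id selects the PCR once
            pcrs.append(pcr)
    return pcrs


def parse_pcr_selection(spec):
    """Parse an -L value like "sha1:16,17,18+sha256:16,17,18" into (bank, ids) pairs."""
    selections = []
    for mapping in spec.split("+"):
        bank, sep, ids = mapping.partition(":")
        if not sep or not bank or not ids:
            raise ValueError(f"bad selection {mapping!r}, expected <BANK>:<PCR>[,<PCR>]")
        selections.append((bank, parse_pcr_ids(ids)))
    if len(selections) > MAX_BANK_MAPPINGS:
        raise ValueError(f"{len(selections)} bank mappings, at most {MAX_BANK_MAPPINGS} allowed")
    return selections


def rejects(spec):
    """True when parse_pcr_selection refuses spec; used to check the limits."""
    try:
        parse_pcr_selection(spec)
    except ValueError:
        return True
    return False
```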

Signature Format Specifiers

       Format selection for the signature output file.  tss (the default)
       will output a binary blob according to the TPM 2.0 specification and
       any potential compiler padding.  The option plain will output the
       plain signature data as defined by the used cryptographic algorithm.

EXAMPLES

              tpm2_quote -k 0x81010002 -P abc123 -g sha1 -l 16,17,18
              tpm2_quote -c ak.context -P "str:abc123" -g sha1 -l 16,17,18
              tpm2_quote -k 0x81010002 -g sha1 -l 16,17,18
              tpm2_quote -c ak.context -g sha1 -l 16,17,18
              tpm2_quote -k 0x81010002 -P "hex:123abc" -L sha1:16,17,18+sha256:16,17,18 -q 11aa22bb


RETURNS

       0 on success or 1 on failure.


BUGS

       Github Issues (https://github.com/01org/tpm2-tools/issues)


HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)



tpm2-tools                      SEPTEMBER 2017                   tpm2_quote(1)