tpm2_quote(1) General Commands Manual tpm2_quote(1)

# NAME

tpm2_quote(1) - Provide a quote and signature from the TPM.

# SYNOPSIS

tpm2_quote [OPTIONS]

# DESCRIPTION

tpm2_quote(1) provides a quote and signature for the given list of PCRs
in the given algorithm banks.

# OPTIONS

· -k, --ak-handle=AK_HANDLE:

Handle of the existing AK (attestation key).

· -c, --ak-context=AK_CONTEXT_FILE:

Filename for the existing AK's context.

· -P, --ak-password=AK_PASSWORD:

Specifies the password of AK_HANDLE. Passwords should follow the
password formatting standards, see section "Password Formatting".

· -l, --id-list=PCR_ID_LIST:

The comma separated list of selected PCRs' ids, 0~23, e.g. "4,5,6".

· -L, --sel-list=PCR_SELECTION_LIST:

The list of PCR banks and selected PCRs' ids for each bank.
PCR_SELECTION_LIST values should follow the PCR bank specifier
standards, see section "PCR Bank Specifiers".

· -m, --message:

Message output file, records the quote message that makes up the data
that is signed by the TPM.

· -s, --signature:

Signature output file, records the signature in the format specified
via the -f option.

· -f, --format:

Format selection for the signature output file. See section
"Signature Format Specifiers".

· -q, --qualify-data:

Data given as a hex string to qualify the quote, optional. This is
typically used to add a nonce against replay attacks: the verifier
chooses fresh data, and a quote that does not carry it cannot be an
old one replayed.

· -S, --input-session-handle=SESSION_HANDLE:

Optional input session handle from a policy session for
authorization.

· -G, --sig-hash-algorithm:

Hash algorithm for the signature.

# COMMON OPTIONS

This collection of options is common to many programs and provides
information that many users may expect.

· -h, --help: Display the tool's manpage. This requires the manpages to
be installed or on MANPATH; see man(1) for more details.

· -v, --version: Display version information for this tool and its
supported TCTIs, then exit.

· -V, --verbose: Increase the information that the tool prints to the
console during its execution. When using this option the file and
line number are printed.

· -Q, --quiet: Silence normal tool output to stdout.

· -Z, --enable-errata: Enable the application of errata fixups. Useful
if an errata fixup needs to be applied to commands sent to the TPM.

# TCTI ENVIRONMENT
85
This is a collection of environment variables that may be used to
configure the various TCTI modules available.

The values passed through these variables can be overridden on a
per-command basis using the available command line options, see the
TCTI OPTIONS section.

The variables respected depend on how the software was configured.

· TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the
next component down the TSS stack. In most configurations this will
be the TPM but it could be a simulator or proxy. The currently known
TCTIs are:

· tabrmd - The new resource manager, called tabrmd
(https://github.com/01org/tpm2-abrmd).

· socket - Typically used with the old resource manager, or talking
directly to a simulator.

· device - Used when talking directly to a TPM device file.

· TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM
device file. The default is "/dev/tpm0".

Note: Using the TPM directly requires the user to ensure that
concurrent access does not occur and to manage the TPM resources
(transient object slots and sessions) themselves. These tasks are
usually handled by a resource manager. Linux 4.12 and greater supports
an in-kernel resource manager at "/dev/tpmrm", typically
"/dev/tpmrm0".

· TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the
domain name or IP address used. The default is 127.0.0.1.

· TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port
number used. The default is 2321.
122
# TCTI OPTIONS

This collection of options is used to configure the various TCTI
modules available. They override any environment variables.

· -T, --tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for
communication with the next component down the TSS stack. In most
configurations this will be the resource manager: tabrmd
(https://github.com/01org/tpm2-abrmd). Optionally, TCTI specific
options can be appended to TCTI_NAME by appending a : to TCTI_NAME.

· For the device TCTI, the TPM device file for use by the device TCTI
can be specified. The default is /dev/tpm0. Example: -T
device:/dev/tpm0

· For the socket TCTI, the domain name or IP address and port number
used by the socket can be specified. The defaults are 127.0.0.1 and
2321. Example: -T socket:127.0.0.1:2321

· For the abrmd TCTI, it takes no options. Example: -T abrmd

# Password Formatting

Passwords are interpreted in two forms, string and hex-string. A
string password is not interpreted, and is directly used for
authorization. A hex-string is converted from its hexadecimal form
into a byte array, thus allowing passwords with non-printable and/or
terminal-unfriendly characters.

By default passwords are assumed to be in the string form. The
password form is specified with special prefix values, which are:

· str: - Used to indicate it is a raw string. Useful for escaping a
password that starts with the "hex:" prefix.

· hex: - Used when specifying a password in hex string format.

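The prefix rules above, written out as a small Python parser. This is an added illustration, not code from tpm2-tools; it applies the same str:/hex: convention to produce the raw authorization bytes, and it rejects malformed hex up front instead of letting the mistake surface later as an authorization failure at the TPM.

```python
HEX_PREFIX = "hex:"
STR_PREFIX = "str:"
HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_password(value: str) -> bytes:
    """Turn a tpm2-tools style password argument into the raw auth bytes.

    Rules, as documented for the tools:
      * "hex:<digits>"  is decoded from hexadecimal into a byte array
      * "str:<text>"    is taken literally (escapes a password that starts with "hex:")
      * anything else   is a plain string used as-is
    """
    if value.startswith(HEX_PREFIX):
        digits = value[len(HEX_PREFIX):]
        # Check the digits ourselves: bytes.fromhex() would silently accept
        # embedded whitespace, and an odd digit count is always a typo.
        if len(digits) % 2 or any(c not in HEX_DIGITS for c in digits):
            raise ValueError(f"malformed hex password: {value!r}")
        return bytes.fromhex(digits)
    if value.startswith(STR_PREFIX):
        return value[len(STR_PREFIX):].encode("utf-8")
    return value.encode("utf-8")


def password_is_well_formed(value: str) -> bool:
    """True if parse_password() accepts the argument, False if it would reject it."""
    try:
        parse_password(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample arguments in each of the three forms.
    for arg in ("abc123", "str:abc123", "hex:123abc", "str:hex:123abc"):
        print(f"{arg!r:>18} -> {parse_password(arg)!r}")
```

Note that "hex:123abc" yields the three bytes 12 3a bc, while "str:hex:123abc" yields the ten-character literal string, which is exactly the escaping case the str: prefix exists for.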
# PCR Bank Specifiers

PCR bank selection lists follow the below specification:

<BANK>:<PCR>[,<PCR>]

Multiple banks may be separated by `+'.

For example:

sha:3,4+sha256:5,6

will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the
SHA256 bank.

Note
PCR selections allow for up to 5 hash-to-PCR selection mappings. This
is a limitation by design, since the PCR values are fetched in a single
call to the TPM.
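A parser for the selection-list grammar above, added here as an example (it is not tpm2-tools code). It enforces the limits the page states (PCR ids 0 to 23, at most 5 bank mappings) and also encodes each id list as the 3-byte pcrSelect bitmap that TPMS_PCR_SELECTION carries on the wire, so you can see how "sha1:16,17,18" ends up as the bytes the TPM actually receives. The bank names "sha", "sha1" and "sha256" come from this page; the other entries in KNOWN_BANKS are assumed from the TPM 2.0 algorithm registry.

```python
from typing import List, Tuple

# Limits stated in the tpm2_quote man page: PCR ids 0..23 and at most
# 5 bank-to-PCR mappings per selection (they must fit in one TPM call).
PCR_COUNT = 24
MAX_SELECTIONS = 5
# "sha", "sha1" and "sha256" appear on the page; the rest are assumed
# from the TPM 2.0 algorithm registry.
KNOWN_BANKS = {"sha", "sha1", "sha256", "sha384", "sha512", "sm3_256"}

Selection = Tuple[str, List[int]]


def parse_pcr_selection(spec: str) -> List[Selection]:
    """Parse "<BANK>:<PCR>[,<PCR>]" entries joined by '+' into (bank, pcr_ids) pairs."""
    if not spec:
        raise ValueError("empty PCR selection")
    selections: List[Selection] = []
    for entry in spec.split("+"):
        bank, sep, pcr_list = entry.partition(":")
        if not sep or not bank or not pcr_list:
            raise ValueError(f"expected <BANK>:<PCR>[,<PCR>] but got {entry!r}")
        bank = bank.lower()
        if bank not in KNOWN_BANKS:
            raise ValueError(f"unknown PCR bank {bank!r}")
        pcrs: List[int] = []
        for token in pcr_list.split(","):
            if not token.isdigit():
                raise ValueError(f"PCR id must be a decimal number, got {token!r}")
            pcr = int(token)
            if pcr >= PCR_COUNT:
                raise ValueError(f"PCR id {pcr} out of range 0..{PCR_COUNT - 1}")
            if pcr not in pcrs:          # selecting the same PCR twice is a no-op
                pcrs.append(pcr)
        selections.append((bank, pcrs))
    if len(selections) > MAX_SELECTIONS:
        raise ValueError(
            f"at most {MAX_SELECTIONS} bank selections allowed, got {len(selections)}"
        )
    return selections


def pcr_bitmap(pcrs: List[int]) -> bytes:
    """Encode a PCR id list as the 3-octet pcrSelect bitmap of TPMS_PCR_SELECTION.

    PCR n is bit (n % 8) of octet (n // 8), least significant bit first.
    """
    octets = bytearray(PCR_COUNT // 8)
    for pcr in pcrs:
        octets[pcr // 8] |= 1 << (pcr % 8)
    return bytes(octets)


def selection_is_valid(spec: str) -> bool:
    """True if parse_pcr_selection() accepts the list, False if it rejects it."""
    try:
        parse_pcr_selection(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the page's own example and the -L value from EXAMPLES.
    for spec in ("sha:3,4+sha256:5,6", "sha1:16,17,18+sha256:16,17,18"):
        for bank, pcrs in parse_pcr_selection(spec):
            print(f"{bank:8} pcrs={pcrs} pcrSelect={pcr_bitmap(pcrs).hex()}")
```

With the page's example, "sha:3,4" becomes pcrSelect 18 00 00 (bits 3 and 4 of the first octet) and "sha256:16,17,18" becomes 00 00 07 (bits 0 to 2 of the third octet). A sixth "+bank:..." entry or an id of 24 is rejected before anything is sent to the TPM.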
176
# Signature Format Specifiers

Format selection for the signature output file. tss (the default) will
output a binary blob according to the TPM 2.0 specification, including
any potential compiler padding. The option plain will output the plain
signature data as defined by the cryptographic algorithm used.

# EXAMPLES

tpm2_quote -k 0x81010002 -P abc123 -g sha1 -l 16,17,18
tpm2_quote -c ak.context -P "str:abc123" -g sha1 -l 16,17,18
tpm2_quote -k 0x81010002 -g sha1 -l 16,17,18
tpm2_quote -c ak.context -g sha1 -l 16,17,18
tpm2_quote -k 0x81010002 -P "hex:123abc" -L sha1:16,17,18+sha256:16,17,18 -q 11aa22bb

# RETURNS

0 on success or 1 on failure.

# BUGS

Github Issues (https://github.com/01org/tpm2-tools/issues)

# HELP

See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)

tpm2-tools SEPTEMBER 2017 tpm2_quote(1)