tpm2_verifysignature(1) General Commands Manual tpm2_verifysignature(1)

NAME

tpm2_verifysignature(1) - Validates a signature using the TPM.

SYNOPSIS

tpm2_verifysignature [OPTIONS]

DESCRIPTION

tpm2_verifysignature(1) uses a loaded key to validate a signature over a
message; the TPM is given the message digest, not the message itself. If
the signature check succeeds, the TPM produces a TPMT_TK_VERIFIED ticket.
Otherwise the TPM returns TPM_RC_SIGNATURE and the tool fails. If
KEY_HANDLE references an asymmetric key, only the public portion of the
key needs to be loaded. If KEY_HANDLE references a symmetric (HMAC) key,
both the public and private portions need to be loaded.

The ticket is an HMAC computed by the TPM under the proof value of the
key's hierarchy. It is meaningful only to the TPM that produced it (for
example as the checkTicket input to TPM2_PolicyAuthorize) and is not a
portable proof that the signature verified; anything else must rely on
the tool's exit status.

OPTIONS

· -k, --key-handle=KEY_HANDLE:

Handle of the key that will be used in the validation.

· -c, --key-context=KEY_CONTEXT_FILE:

Filename of the key context used for the operation.

· -g, --halg=HASH_ALGORITHM:

The hash algorithm used to digest the message. Algorithms should
follow the formatting standards, see section "Algorithm Specifiers".
Also see section "Supported Hash Algorithms" for a list of supported
hash algorithms.

· -m, --msg=MSG_FILE:

The message file, containing the content to be digested.

· -D, --digest=DIGEST_FILE:

The input hash file, containing the hash of the message. If this option
is selected, then the message (-m) and algorithm (-g) options do not
need to be specified. The digest must have been computed with the same
algorithm the signer used; the TPM only checks the signature against
the digest it is given.

· -s, --sig=SIG_FILE:

The input signature file of the signature to be validated.

· -r, --raw:

Set the input signature file to raw type. The default is TPMT_SIGNATURE.
A raw file contains only the signature bytes, whereas a TPMT_SIGNATURE
file is additionally prefixed with the signature and hash algorithm
identifiers.

· -t, --ticket=TICKET_FILE:

The ticket file to record the validation structure (TPMT_TK_VERIFIED).

· -S, --input-session-handle=SESSION_HANDLE:

Optional input session handle from a policy session for authorization.

COMMON OPTIONS

This collection of options is common to many programs and provides
information that many users may expect.

· -h, --help: Display the tool's manpage. This requires the manpages to
be installed or on MANPATH; see man(1) for more details.

· -v, --version: Display version information for this tool and the
supported TCTIs, then exit.

· -V, --verbose: Increase the information that the tool prints to the
console during its execution. When using this option the file and
line number are printed.

· -Q, --quiet: Silence normal tool output to stdout.

· -Z, --enable-errata: Enable the application of errata fixups. Useful
if an errata fixup needs to be applied to commands sent to the TPM.

TCTI ENVIRONMENT

This is a collection of environment variables that may be used to
configure the various TCTI modules available.

The values passed through these variables can be overridden on a
per-command basis using the available command line options; see the
TCTI OPTIONS section.

The variables respected depend on how the software was configured.

· TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the
next component down the TSS stack. In most configurations this will
be the TPM, but it could be a simulator or proxy. The currently known
TCTIs are:

· tabrmd - The new resource manager, called tabrmd
(https://github.com/01org/tpm2-abrmd).

· socket - Typically used with the old resource manager, or when talking
directly to a simulator.

· device - Used when talking directly to a TPM device file.

· TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM
device file. The default is "/dev/tpm0".

Note: Using the TPM directly requires the user to ensure that
concurrent access does not occur and to manage the TPM's resources
(loaded objects and sessions) themselves. These tasks are usually
handled by a resource manager. Linux 4.12 and greater supports an
in-kernel resource manager at "/dev/tpmrm", typically "/dev/tpmrm0".

· TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the
domain name or IP address used. The default is 127.0.0.1.

· TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port
number used. The default is 2321.

Note: The socket TCTI carries TPM commands and responses in the clear
with no authentication, so point it only at a simulator or resource
manager on a host you control.

TCTI OPTIONS

This collection of options is used to configure the various TCTI
modules available. They override any environment variables.

· -T, --tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for
communication with the next component down the TSS stack. In most
configurations this will be the resource manager: tabrmd
(https://github.com/01org/tpm2-abrmd). Optionally, TCTI-specific
options can be appended to TCTI_NAME by appending a : to TCTI_NAME.

· For the device TCTI, the TPM device file for use by the device TCTI
can be specified. The default is /dev/tpm0. Example: -T device:/dev/tpm0

· For the socket TCTI, the domain name or IP address and port number
used by the socket can be specified. The defaults are 127.0.0.1 and
2321. Example: -T socket:127.0.0.1:2321

· For the abrmd TCTI, it takes no options. Example: -T abrmd

Password Formatting

Passwords are interpreted in two forms, string and hex-string. A
string password is not interpreted, and is directly used for
authorization. A hex-string is converted from a hexadecimal form into
a byte array, thus allowing passwords with non-printable and/or
terminal-unfriendly characters.

By default passwords are assumed to be in the string form. Password
form is specified with special prefix values, they are:

· str: - Used to indicate it is a raw string. Useful for escaping a
password that starts with the "hex:" prefix.

· hex: - Used when specifying a password in hex string format.

Supported Hash Algorithms

Supported hash algorithms are:

· 0x4 or sha1 for TPM_ALG_SHA1 (default)

· 0xB or sha256 for TPM_ALG_SHA256

· 0xC or sha384 for TPM_ALG_SHA384

· 0xD or sha512 for TPM_ALG_SHA512

· 0x12 or sm3_256 for TPM_ALG_SM3_256

NOTE: Your TPM may not support all algorithms. SHA-1 is the default only
for compatibility; the algorithm given with -g must match the one the
signature was made with, and new signatures should use sha256 or stronger.

Algorithm Specifiers

Options that take algorithms support "nice-names". Nice names, like
sha1, can be used in place of the raw hex for sha1: 0x4. The nice names
are converted by stripping the leading TPM_ALG_ from the Algorithm Name
field and converting it to lower case. For instance TPM_ALG_SHA3_256
becomes sha3_256.

The algorithms can be found at:
<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>

EXAMPLES

tpm2_verifysignature -k 0x81010001 -g sha256 -m <filePath> -s <filePath> -t <filePath>
tpm2_verifysignature -k 0x81010001 -D <filePath> -s <filePath> -t <filePath>
tpm2_verifysignature -c key.context -g sha256 -m <filePath> -s <filePath> -t <filePath>

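The -s option reads a TPMT_SIGNATURE by default and a bare signature with -r, and -t writes a TPMT_TK_VERIFIED. The following Python is an added example, not code from tpm2-tools or from this man page, that decodes and builds these TPM-marshaled structures so that a signature produced outside the TPM (for instance by OpenSSL) can be wrapped for -s without -r, a TPM-made signature can be unwrapped to its raw bytes for other tooling, and a ticket file can be inspected. The field layouts are those of TPM 2.0 Library Part 2; the assumptions are that the ticket file holds the marshaled TPMT_TK_VERIFIED and that r||s is the raw form of an ECDSA signature (the page does not say whether this version of the tool accepts a raw ECDSA signature with -r). The sample blobs are constructed by hand, not produced by a TPM.

```python
"""Decode and build the TPM-marshaled blobs around tpm2_verifysignature:
the TPMT_SIGNATURE that -s reads by default (vs. the bare bytes -r takes)
and the TPMT_TK_VERIFIED ticket written with -t.

Layouts follow TPM 2.0 Library Part 2 (Structures); all integers are
big-endian as the TPM marshals them. Assumption: the -t file is the
marshaled TPMT_TK_VERIFIED. Sample blobs at the bottom are constructed
by hand for illustration, not produced by a real TPM."""
import struct

# TPM_ALG_ID values from the TCG Algorithm Registry
ALG_HMAC, ALG_RSASSA, ALG_RSAPSS, ALG_ECDSA = 0x0005, 0x0014, 0x0016, 0x0018
HASH_NAMES = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384",
              0x000D: "sha512", 0x0012: "sm3_256"}
DIGEST_LEN = {0x0004: 20, 0x000B: 32, 0x000C: 48, 0x000D: 64, 0x0012: 32}
TPM_ST_VERIFIED = 0x8022                 # tag of a TPMT_TK_VERIFIED
TPM_RH_OWNER, TPM_RH_NULL = 0x40000001, 0x40000007


def _u16(buf, off):
    if off + 2 > len(buf):
        raise ValueError("truncated at offset %d" % off)
    return struct.unpack_from(">H", buf, off)[0], off + 2


def _tpm2b(buf, off):
    """TPM2B_*: UINT16 size followed by exactly that many bytes."""
    size, off = _u16(buf, off)
    if off + size > len(buf):
        raise ValueError("TPM2B size %d runs past end of buffer" % size)
    return buf[off:off + size], off + size


def parse_tpmt_signature(blob):
    """Return (sig_alg, hash_alg, raw). raw is the bare signature:
    RSA -> the signature bytes; ECDSA -> r||s (assumed raw form);
    HMAC -> the MAC digest. Rejects truncated or over-long blobs."""
    sig_alg, off = _u16(blob, 0)
    if sig_alg not in (ALG_HMAC, ALG_RSASSA, ALG_RSAPSS, ALG_ECDSA):
        raise ValueError("unsupported sigAlg 0x%04x" % sig_alg)
    hash_alg, off = _u16(blob, off)      # TPMT_HA / TPMS_SIGNATURE_* start with the hash alg
    if hash_alg not in DIGEST_LEN:
        raise ValueError("unknown hash alg 0x%04x" % hash_alg)
    if sig_alg == ALG_HMAC:              # TPMT_HA: fixed-length digest, no size prefix
        n = DIGEST_LEN[hash_alg]
        raw, off = blob[off:off + n], off + n
        if len(raw) != n:
            raise ValueError("truncated HMAC digest")
    elif sig_alg == ALG_ECDSA:           # TPMS_SIGNATURE_ECC: TPM2B r, TPM2B s
        r, off = _tpm2b(blob, off)
        s, off = _tpm2b(blob, off)
        raw = r + s
    else:                                # TPMS_SIGNATURE_RSA: TPM2B_PUBLIC_KEY_RSA sig
        raw, off = _tpm2b(blob, off)
    if off != len(blob):
        raise ValueError("%d trailing bytes after signature" % (len(blob) - off))
    return sig_alg, hash_alg, raw


def build_rsa_tpmt_signature(sig_alg, hash_alg, raw_sig):
    """Wrap a raw RSA signature (e.g. from OpenSSL) as TPMT_SIGNATURE so
    tpm2_verifysignature can read it with -s and without -r."""
    if sig_alg not in (ALG_RSASSA, ALG_RSAPSS):
        raise ValueError("only RSA signatures are wrapped here")
    if hash_alg not in DIGEST_LEN:
        raise ValueError("unknown hash alg 0x%04x" % hash_alg)
    return struct.pack(">HHH", sig_alg, hash_alg, len(raw_sig)) + raw_sig


def parse_tpmt_tk_verified(blob):
    """TPMT_TK_VERIFIED: tag (TPM_ST), hierarchy (TPMI_RH_HIERARCHY),
    digest (TPM2B_DIGEST). The digest is an HMAC under the hierarchy's
    proof value, so only the issuing TPM can check it; here it is only
    decoded. Returns (hierarchy, digest)."""
    tag, off = _u16(blob, 0)
    if tag != TPM_ST_VERIFIED:
        raise ValueError("not a TPM_ST_VERIFIED ticket: tag 0x%04x" % tag)
    if off + 4 > len(blob):
        raise ValueError("truncated ticket")
    hierarchy = struct.unpack_from(">I", blob, off)[0]
    digest, off = _tpm2b(blob, off + 4)
    if off != len(blob):
        raise ValueError("trailing bytes after ticket")
    return hierarchy, digest


# Constructed samples (placeholder signature values, not real signatures)
SAMPLE_RSA = bytes.fromhex("0014" "000b" "0004" "deadbeef")        # RSASSA/sha256
SAMPLE_ECDSA = bytes.fromhex("0018" "000b" "0002" "0102" "0002" "0304")  # r=0102 s=0304
SAMPLE_HMAC = bytes.fromhex("0005" "000b") + bytes(range(32))        # HMAC/sha256
SAMPLE_TICKET = bytes.fromhex("8022" "40000001" "0002" "abcd")      # owner hierarchy

if __name__ == "__main__":
    for blob in (SAMPLE_RSA, SAMPLE_ECDSA, SAMPLE_HMAC):
        alg, h, raw = parse_tpmt_signature(blob)
        print("sigAlg 0x%04x hash %s raw %s" % (alg, HASH_NAMES[h], raw.hex()))
    print(build_rsa_tpmt_signature(ALG_RSASSA, 0x000B, b"\xde\xad\xbe\xef") == SAMPLE_RSA)
    print("ticket hierarchy 0x%08x digest %s" % parse_tpmt_tk_verified(SAMPLE_TICKET))
```

Write the output of build_rsa_tpmt_signature to a file and pass it with -s (no -r) to have the TPM verify a signature it did not create; run parse_tpmt_signature on a TPM-produced signature file to obtain the bytes that -r would consume or that OpenSSL expects. The length checks matter: a TPM2B whose size field overruns the buffer is the classic parsing defect in marshaling code, and the parser rejects it rather than silently reading short.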
RETURNS

0 on success or 1 on failure. A signature that does not verify
(TPM_RC_SIGNATURE) is a failure, so scripts must test the exit status
rather than the presence of a ticket file.

BUGS

Github Issues (https://github.com/01org/tpm2-tools/issues)

HELP

See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)

tpm2-tools SEPTEMBER 2017 tpm2_verifysignature(1)