tpm2_verifysignature(1)     General Commands Manual    tpm2_verifysignature(1)

NAME

       tpm2_verifysignature(1) - Validates a signature using the TPM.

SYNOPSIS

       tpm2_verifysignature [OPTIONS]

DESCRIPTION

       tpm2_verifysignature(1) uses loaded keys to validate a signature on a
       message with the message digest passed to the TPM.  If the signature
       check succeeds, then the TPM will produce a TPMT_TK_VERIFIED.
       Otherwise, the TPM shall return TPM_RC_SIGNATURE.  If KEY_HANDLE
       references an asymmetric key, only the public portion of the key needs
       to be loaded.  If KEY_HANDLE references a symmetric key, both the public
       and private portions need to be loaded.

OPTIONS

       · -k, --key-handle=KEY_HANDLE:

         Handle of the key that will be used in the validation.

       · -c, --key-context=KEY_CONTEXT_FILE:

         Filename of the key context used for the operation.

       · -g, --halg=HASH_ALGORITHM:

         The hash algorithm used to digest the message.  Algorithms should
         follow the formatting standards, see section "Algorithm Specifiers".
         Also, see section "Supported Hash Algorithms" for a list of supported
         hash algorithms.

       · -m, --msg=MSG_FILE:

         The message file, containing the content to be digested.

       · -D, --digest=DIGEST_FILE:

         The input hash file, containing the hash of the message.  If this
         option is selected, then the message (-m) and algorithm (-g) options
         do not need to be specified.

       · -s, --sig=SIG_FILE:

         The input signature file of the signature to be validated.

       · -r, --raw:

         Set the input signature file to raw type.  The default is
         TPMT_SIGNATURE.

       · -t, --ticket=TICKET_FILE:

         The ticket file to record the validation structure.

       · -S, --input-session-handle=SESSION_HANDLE:

         Optional input session handle from a policy session for
         authorization.

COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       · -h, --help: Display the tool's manpage.  This requires the manpages to
         be installed or on MANPATH; see man(1) for more details.

       · -v, --version: Display version information for this tool and the
         supported TCTIs, then exit.

       · -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       · -Q, --quiet: Silence normal tool output to stdout.

       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.

TCTI ENVIRONMENT

       This is a collection of environment variables that may be used to
       configure the various TCTI modules available.

       The values passed through these variables can be overridden on a
       per-command basis using the available command line options, see the
       TCTI OPTIONS section.

       The variables respected depend on how the software was configured.

       · TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the
         next component down the TSS stack.  In most configurations this will
         be the TPM but it could be a simulator or proxy.  The current known
         TCTIs are:

         · tabrmd - The new resource manager, called tabrmd
           (https://github.com/01org/tpm2-abrmd).

         · socket - Typically used with the old resource manager, or talking
           directly to a simulator.

         · device - Used when talking directly to a TPM device file.

       · TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM
         device file.  The default is “/dev/tpm0”.

         Note: Using the TPM directly requires the user to ensure that
         concurrent access does not occur and to manage the TPM resources.
         These tasks are usually managed by a resource manager.  Linux 4.12
         and greater supports an in-kernel resource manager at “/dev/tpmrm”,
         typically “/dev/tpmrm0”.

       · TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the
         domain name or IP address used.  The default is 127.0.0.1.

       · TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port
         number used.  The default is 2321.

TCTI OPTIONS

       This collection of options is used to configure the various TCTI
       modules available.  They override any environment variables.

       · -T, --tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for
         communication with the next component down the TSS stack.  In most
         configurations this will be the resource manager: tabrmd
         (https://github.com/01org/tpm2-abrmd).  Optionally, TCTI specific
         options can be appended to TCTI_NAME by appending a : to TCTI_NAME.

         · For the device TCTI, the TPM device file for use by the device TCTI
           can be specified.  The default is /dev/tpm0.  Example: -T
           device:/dev/tpm0

         · For the socket TCTI, the domain name or IP address and port number
           used by the socket can be specified.  The defaults are 127.0.0.1
           and 2321.  Example: -T socket:127.0.0.1:2321

         · For the abrmd TCTI, it takes no options.  Example: -T abrmd

Password Formatting

       Passwords are interpreted in two forms, string and hex-string.  A
       string password is not interpreted, and is directly used for
       authorization.  A hex-string is converted from a hexadecimal form into
       a byte array form, thus allowing passwords with non-printable and/or
       terminal-unfriendly characters.

       By default passwords are assumed to be in the string form.  Password
       form is specified with special prefix values, they are:

       · str: - Used to indicate it is a raw string.  Useful for escaping a
         password that starts with the “hex:” prefix.

       · hex: - Used when specifying a password in hex string format.
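
       The prefix rules above, worked through as an added Python example that
       is not part of tpm2-tools: parse_password() decodes an argument the way
       the section describes (including the str: escape for a secret that
       itself begins with "hex:"), and format_password() picks the prefix that
       makes a given byte string survive the round trip.  Both function names
       and the sample secrets are this example's own.

```python
# Added example, not tpm2-tools code: decode the "str:" / "hex:" password
# prefixes described in "Password Formatting", and choose the prefix needed to
# pass an arbitrary byte string unambiguously.  Function names are this
# example's own.
import binascii


def parse_password(arg: str) -> bytes:
    """Return the authorization value bytes for a password argument.

    - "str:..."  -> the rest is taken literally (escapes a leading "hex:")
    - "hex:..."  -> the rest is hex-decoded into a byte array
    - anything else is the default string form, used as-is
    """
    if arg.startswith("str:"):
        return arg[len("str:"):].encode("utf-8")
    if arg.startswith("hex:"):
        try:
            return binascii.unhexlify(arg[len("hex:"):])
        except (binascii.Error, ValueError) as exc:
            # odd length or non-hex characters: refuse rather than guess
            raise ValueError(f"malformed hex password: {exc}") from None
    return arg.encode("utf-8")


def format_password(secret: bytes) -> str:
    """Pick the prefix that makes parse_password(...) return `secret` exactly.

    Non-ASCII, non-printable or whitespace bytes need the hex: form; a
    printable secret that itself starts with "hex:" or "str:" needs an explicit
    "str:" so its first four characters are not consumed as a directive.
    """
    try:
        text = secret.decode("ascii")
    except UnicodeDecodeError:
        return "hex:" + secret.hex()
    if not text.isprintable() or any(ch.isspace() for ch in text):
        return "hex:" + secret.hex()
    if text.startswith(("hex:", "str:")):
        return "str:" + text
    return text


if __name__ == "__main__":
    # Constructed sample secrets covering each branch of format_password().
    for sample in [b"pa55word", b"hex:looks-like-hex", b"\x00\xff\x7f", b"tab\there"]:
        arg = format_password(sample)
        assert parse_password(arg) == sample
        print(f"{sample!r:28} -> {arg}")
```

       A malformed hex: value (odd length or a non-hex digit) raises instead
       of being silently truncated, so a typo cannot turn into a different
       authorization value than the one intended.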

Supported Hash Algorithms

       Supported hash algorithms are:

       · 0x4 or sha1 for TPM_ALG_SHA1 (default)

       · 0xB or sha256 for TPM_ALG_SHA256

       · 0xC or sha384 for TPM_ALG_SHA384

       · 0xD or sha512 for TPM_ALG_SHA512

       · 0x12 or sm3_256 for TPM_ALG_SM3_256

       NOTE: Your TPM may not support all algorithms.

Algorithm Specifiers

       Options that take algorithms support “nice-names”.  Nice names, like
       sha1, can be used in place of the raw hex for sha1: 0x4.  The nice
       names are converted by stripping the leading TPM_ALG_ from the
       Algorithm Name field and converting it to lower case.  For instance
       TPM_ALG_SHA3_256 becomes sha3_256.

       The algorithms can be found at:
       <https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
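
       The specifier rules in this section and the table under "Supported
       Hash Algorithms", together with the -m/-g versus -D choice in OPTIONS,
       as an added Python example that is not tpm2-tools code: resolve_alg()
       accepts a nice-name or a raw ID, digest_message() produces the digest
       the -m/-g path hands to the TPM, and digest_file_matches() checks that
       a DIGEST_FILE prepared for -D really covers the message.  The registry
       table holds only the entries listed on this page, the function names
       are this example's own, and the sample message is constructed.

```python
# Added example, not tpm2-tools code: resolve the algorithm specifiers this
# page accepts (nice-name or raw ID) and produce the message digest that
# "-m MSG_FILE -g HASH_ALGORITHM" hands to the TPM, so that a precomputed
# digest given via -D can be cross-checked.  Only the page's own registry
# entries are included; function names are this example's own.
import hashlib
import hmac

# TCG Algorithm Registry names and IDs as listed under "Supported Hash Algorithms".
TPM_ALG_REGISTRY = {
    "TPM_ALG_SHA1": 0x4,
    "TPM_ALG_SHA256": 0xB,
    "TPM_ALG_SHA384": 0xC,
    "TPM_ALG_SHA512": 0xD,
    "TPM_ALG_SM3_256": 0x12,
}

# hashlib constructors for the names Python's stdlib knows; SM3 is absent from
# hashlib, so it resolves to an ID but cannot be digested by this example.
_HASHLIB = {
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def nice_name(alg_name: str) -> str:
    """Derive the nice-name: strip the leading TPM_ALG_ and lower-case."""
    prefix = "TPM_ALG_"
    if not alg_name.startswith(prefix):
        raise ValueError(f"not a TPM algorithm name: {alg_name!r}")
    return alg_name[len(prefix):].lower()


def resolve_alg(spec: str) -> int:
    """Map a -g value such as 'sha256', '0xB' or '11' to its algorithm ID."""
    spec = spec.strip()
    by_nice_name = {nice_name(name): alg_id for name, alg_id in TPM_ALG_REGISTRY.items()}
    if spec.lower() in by_nice_name:
        return by_nice_name[spec.lower()]
    try:
        alg_id = int(spec, 0)  # base 0 accepts 0x-prefixed hex and plain decimal
    except ValueError:
        raise ValueError(f"unknown algorithm specifier {spec!r}") from None
    if alg_id not in TPM_ALG_REGISTRY.values():
        raise ValueError(f"algorithm ID {alg_id:#x} is not a supported hash algorithm")
    return alg_id


def digest_message(message: bytes, spec: str) -> bytes:
    """Digest `message` with the algorithm named by `spec` (the -m/-g path)."""
    alg_id = resolve_alg(spec)
    name = next(nice_name(n) for n, i in TPM_ALG_REGISTRY.items() if i == alg_id)
    if name not in _HASHLIB:
        raise NotImplementedError(f"{name} is not available in hashlib")
    return _HASHLIB[name](message).digest()


def digest_file_matches(message: bytes, spec: str, digest_file: bytes) -> bool:
    """Check that a DIGEST_FILE prepared for -D is really the digest of `message`.

    The TPM only ever sees the digest: a wrong or truncated DIGEST_FILE makes
    a good signature fail with TPM_RC_SIGNATURE, and a digest of the wrong
    data makes the ticket vouch for something other than the message you hold.
    """
    return hmac.compare_digest(digest_message(message, spec), digest_file)


if __name__ == "__main__":
    # Constructed sample input standing in for the contents of MSG_FILE.
    msg = b"firmware-manifest-v1\n"
    for spec in ("sha1", "0xB", "sha384", "0xD"):
        print(f"{spec:>6} ({resolve_alg(spec):#x}): {digest_message(msg, spec).hex()}")
```

       Writing digest_message(msg, spec) to a file and passing it with -D is
       equivalent to passing the message with -m and the same specifier with
       -g; the comparison uses hmac.compare_digest so that checking a digest
       against an untrusted file does not leak how many leading bytes matched.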

EXAMPLES

              tpm2_verifysignature -k 0x81010001 -g sha256 -m <filePath> -s <filePath> -t <filePath>
              tpm2_verifysignature -k 0x81010001 -D <filePath> -s <filePath> -t <filePath>
              tpm2_verifysignature -c key.context -g sha256 -m <filePath> -s <filePath> -t <filePath>

RETURNS

       0 on success or 1 on failure.

BUGS

       Github Issues (https://github.com/01org/tpm2-tools/issues)

HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)



tpm2-tools                      SEPTEMBER 2017         tpm2_verifysignature(1)