tpm2_activatecredential(1)  General Commands Manual tpm2_activatecredential(1)

NAME

       tpm2_activatecredential(1) - verify that an object is protected with a
       specific key.


SYNOPSIS

       tpm2_activatecredential [OPTIONS]


DESCRIPTION

       Verify that the credential blob produced by a CA with
       tpm2_makecredential(1) was made for the object given by HANDLE and
       encrypted to the key given by KEY_HANDLE, then decrypt and return the
       secret.  The TPM releases the secret only if the object whose Name is
       bound into the blob is the one loaded at HANDLE and the decrypting key
       is loaded at KEY_HANDLE on the same TPM, so a credential issued for one
       attestation key cannot be activated with another.  If a password option
       is omitted, the corresponding authorization value is assumed to be NULL
       (empty).  Currently only a TCG EK Credential Profile compliant EK is
       supported as the KEY_HANDLE.

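       The Name binding described above, shown as an added example in Python
       that is not part of tpm2-tools: it implements the KDFa derivation, the
       object Name and the integrity HMAC from the TPM 2.0 Library
       Specification Part 1 ("Credential Protection") with the standard library
       only.  The RSA-OAEP transport of the seed to the EK and the AES-CFB
       wrapping of the credential are omitted, and the seed, the wrapped
       credential bytes and the public areas are constructed inputs, so the
       result is not byte-compatible with a real tpm2_makecredential(1) blob.

```python
"""Name binding in TPM 2.0 credential protection (added example, not tpm2-tools
code).  Models the check TPM2_ActivateCredential performs before it releases
the secret: the integrity HMAC in the CA's credential blob is keyed from the
seed that only the EK can recover and is computed over the wrapped credential
concatenated with the Name of the object the credential was made for.  The TPM
recomputes it with the Name of the object actually loaded at HANDLE.

Stdlib only.  The RSA-OAEP transport of the seed and the AES-CFB wrapping of
the credential are omitted; seed, enc_identity and the public areas below are
constructed stand-ins, so nothing here is byte-compatible with a real
tpm2_makecredential(1) blob.
"""
import hashlib
import hmac
import struct

TPM_ALG_SHA256 = 0x000B  # TPM_ALG_ID for SHA-256, used here as nameAlg


def kdfa(hash_name, key, label, context_u, context_v, bits):
    """KDFa from TPM 2.0 Part 1: SP800-108 counter mode.

    Block i = HMAC(key, [i]32 || label || 0x00 || contextU || contextV || [bits]32),
    big-endian counter starting at 1, output truncated to `bits`.
    """
    out = b""
    counter = 1
    while len(out) < (bits + 7) // 8:
        msg = (struct.pack(">I", counter) + label + b"\x00"
               + context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, hash_name).digest()
        counter += 1
    return out[: (bits + 7) // 8]


def tpm_name(name_alg_id, hash_name, public_area):
    """Name of an object: nameAlg as a big-endian TPM_ALG_ID followed by the
    nameAlg hash of the marshalled public area."""
    return struct.pack(">H", name_alg_id) + hashlib.new(hash_name, public_area).digest()


def storage_key(hash_name, seed, name, key_bits=128):
    """symKey = KDFa(seed, "STORAGE", Name, NULL, bits): even the wrapping key
    for the credential is derived from the target object's Name."""
    return kdfa(hash_name, seed, b"STORAGE", name, b"", key_bits)


def integrity_hmac(hash_name, seed, enc_identity, name):
    """CA side (tpm2_makecredential): HMAC(KDFa(seed, "INTEGRITY"), encIdentity || Name)."""
    digest_bits = hashlib.new(hash_name).digest_size * 8
    hmac_key = kdfa(hash_name, seed, b"INTEGRITY", b"", b"", digest_bits)
    return hmac.new(hmac_key, enc_identity + name, hash_name).digest()


def tpm_accepts_credential(hash_name, seed, blob_hmac, enc_identity, loaded_name):
    """TPM side (TPM2_ActivateCredential): recompute the HMAC over the Name of
    the object actually loaded and compare in constant time.  A credential
    made for another object fails here before anything is decrypted."""
    expected = integrity_hmac(hash_name, seed, enc_identity, loaded_name)
    return hmac.compare_digest(expected, blob_hmac)


def demo():
    """Returns (accepted for the intended AK, accepted for another AK,
    storage keys for the two AKs differ)."""
    seed = bytes(range(32))                      # constructed: what the EK would unwrap
    enc_identity = b"\x00\x20" + bytes(32)       # constructed TPM2B-shaped wrapped credential
    ak_name = tpm_name(TPM_ALG_SHA256, "sha256", b"constructed AK public area")
    other_name = tpm_name(TPM_ALG_SHA256, "sha256", b"a different AK public area")

    blob_hmac = integrity_hmac("sha256", seed, enc_identity, ak_name)
    same = tpm_accepts_credential("sha256", seed, blob_hmac, enc_identity, ak_name)
    other = tpm_accepts_credential("sha256", seed, blob_hmac, enc_identity, other_name)
    keys_differ = storage_key("sha256", seed, ak_name) != storage_key("sha256", seed, other_name)
    return same, other, keys_differ


if __name__ == "__main__":
    same, other, keys_differ = demo()
    print("intended AK loaded:  ", "activated" if same else "rejected")
    print("different AK loaded: ", "activated" if other else "rejected")
    print("storage keys differ: ", keys_differ)
```

       Running the script activates the constructed credential for the object
       it was made for and rejects it for any other Name; this is why the
       object given with -H (or its context file) must be the one whose Name
       the CA used, and why the EK that recovers the seed must be the one the
       CA encrypted to.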

OPTIONS

       These options control the object verification:

       · -H, --handle=HANDLE: HANDLE of the object for which the CA created the
         credential, typically the attestation key (AK).  The TPM checks that
         the Name of this object matches the Name the CA bound the credential
         to when it ran tpm2_makecredential(1).  The EXAMPLES section shows
         this object being supplied as a saved context file with -c instead.

       · -k, --key-handle=KEY_HANDLE: The KEY_HANDLE of the loaded key used to
         decrypt the random seed, i.e. the EK the CA encrypted the credential
         to.

       · -C, --key-context=KEY_CONTEXT_FILE: KEY_CONTEXT_FILE is the path to a
         saved context file for that key, used instead of -k.

       · -P, --password=PASSWORD: Use PASSWORD as the authorization value for
         the object at HANDLE.  Passwords should follow the password
         formatting standards, see section "Password Formatting".

       · -e, --endorse-password=ENDORSE_PASSWORD: The endorsement hierarchy
         authorization value, optional.  It is needed because a TCG profile
         compliant EK is authorized by policy (PolicySecret on the endorsement
         hierarchy) rather than by a password of its own.  Follows the same
         formatting guidelines as the handle password option -P.

       · -f, --in-file=INPUT_FILE: Input file path, containing the two
         structures needed by TPM2_ActivateCredential (the credential blob and
         the encrypted seed).  This is created via the tpm2_makecredential(1)
         command.

       · -o, --out-file=OUTPUT_FILE: Output file path; the decrypted secret is
         written here.  Typically this is the key the CA used to protect the
         certificate it issued for the object, so possessing it proves the
         object was loaded on the TPM that holds the EK.


COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       · -h, --help: Display the tool's manpage.  This requires the manpages
         to be installed or on MANPATH, see man(1) for more details.

       · -v, --version: Display version information for this tool and the
         supported TCTIs, then exit.

       · -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       · -Q, --quiet: Silence normal tool output to stdout.

       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.

TCTI ENVIRONMENT

       This is a collection of environment variables that may be used to
       configure the various TCTI modules available.

       The values passed through these variables can be overridden on a
       per-command basis using the available command line options, see the
       TCTI OPTIONS section.

       The variables respected depend on how the software was configured.

       · TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the
         next component down the TSS stack.  In most configurations this will
         be the TPM but it could be a simulator or proxy.  The current known
         TCTIs are:

         · tabrmd - The new resource manager, called tabrmd
           (https://github.com/01org/tpm2-abrmd).

         · socket - Typically used with the old resource manager, or talking
           directly to a simulator.

         · device - Used when talking directly to a TPM device file.

       · TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM
         device file.  The default is "/dev/tpm0".

         Note: Using the TPM directly requires the user to ensure that
         concurrent access does not occur and to manage the TPM's resources
         (loaded objects and sessions) themselves.  These tasks are usually
         handled by a resource manager.  Linux 4.12 and greater supports an
         in-kernel resource manager at "/dev/tpmrm", typically "/dev/tpmrm0".

       · TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the
         domain name or IP address used.  The default is 127.0.0.1.

       · TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port
         number used.  The default is 2321.


TCTI OPTIONS

       This collection of options is used to configure the various TCTI
       modules available.  They override any environment variables.

       · -T, --tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for
         communication with the next component down the TSS stack.  In most
         configurations this will be the resource manager: tabrmd
         (https://github.com/01org/tpm2-abrmd).  Optionally, TCTI specific
         options can be appended to TCTI_NAME by appending a : to TCTI_NAME.

         · For the device TCTI, the TPM device file for use by the device TCTI
           can be specified.  The default is /dev/tpm0.  Example:
           -T device:/dev/tpm0

         · For the socket TCTI, the domain name or IP address and port number
           used by the socket can be specified.  The defaults are 127.0.0.1
           and 2321.  Example: -T socket:127.0.0.1:2321

         · For the abrmd TCTI, it takes no options.  Example: -T abrmd


Password Formatting

       Passwords are interpreted in two forms, string and hex-string.  A
       string password is not interpreted, and is directly used for
       authorization.  A hex-string is converted from hexadecimal form into a
       byte array, thus allowing passwords with non-printable and/or terminal
       unfriendly characters.

       By default passwords are assumed to be in the string form.  The
       password form is specified with special prefix values, they are:

       · str: - Used to indicate it is a raw string.  Useful for escaping a
         password that starts with the "hex:" prefix.

       · hex: - Used when specifying a password in hex string format.  For
         example, hex:1a1b1c is the three-byte authorization value 0x1a 0x1b
         0x1c, whereas 1a1b1c without the prefix is the six-character string.


EXAMPLES

              tpm2_activatecredential -H 0x81010002 -k 0x81010001 -P abc123 -e abc123 -f <filePath> -o <filePath>
              tpm2_activatecredential -c ak.context -C ek.context -P abc123 -e abc123 -f <filePath> -o <filePath>
              tpm2_activatecredential -H 0x81010002 -k 0x81010001 -P hex:123abc -e hex:1a1b1c -f <filePath> -o <filePath>


RETURNS

       0 on success or 1 on failure.


BUGS

       Github Issues (https://github.com/01org/tpm2-tools/issues)


HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)


tpm2-tools                        AUGUST 2017       tpm2_activatecredential(1)