tpm2_certify(1)             General Commands Manual            tpm2_certify(1)

NAME

       tpm2_certify(1) - prove that an object is loaded in the TPM.

SYNOPSIS

       tpm2_certify [OPTIONS]

DESCRIPTION

       tpm2_certify(1) proves that an object with a specific NAME is loaded in
       the TPM.  By certifying that the object is loaded, the TPM warrants
       that a public area with a given NAME is self-consistent and associated
       with a valid sensitive area.  If a relying party has a public area that
       has the same NAME as a NAME certified with this command, then the
       values in that public area are correct.  The object may be any object
       that is loaded with TPM2_Load() or TPM2_CreatePrimary().  An object
       that only has its public area loaded cannot be certified.

OPTIONS

       These options control the certification:

       · -H, --obj-handle=OBJECT_HANDLE: The handle of the object to be
         certified.

       · -C, --obj-context=FILE: Use FILE for providing the object context.

       · -k, --key-handle=KEY_HANDLE: Handle of the key used to sign the
         attestation structure.

       · -c, --key-context=KEY_CONTEXT: Filename of the key context used to
         sign the attestation structure.

       · -P, --pwdo=OBJECT_PASSWORD: Use OBJECT_PASSWORD for providing an
         authorization value for the object specified in OBJECT_HANDLE.
         Passwords should follow the password formatting standards, see
         section “Password Formatting”.

       · -K, --pwdk=KEY_PASSWORD: Use KEY_PASSWORD for providing an
         authorization value for the key specified in KEY_HANDLE.  Follows
         the same formatting guidelines as the object handle password or -P
         option.

       · -a, --attest-file=ATTEST_FILE: Output file name for the attestation
         data.

       · -s, --sig-file=SIG_FILE: Output file name for the signature data.

       · -f, --format

         Format selection for the signature output file.  See section
         “Signature Format Specifiers”.

COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       · -h, --help: Display the tool's manpage.  This requires the manpages
         to be installed or on MANPATH, see man(1) for more details.

       · -v, --version: Display version information for this tool, supported
         TCTIs, and exit.

       · -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       · -Q, --quiet: Silence normal tool output to stdout.

       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.

TCTI ENVIRONMENT
       This collection of environment variables may be used to configure
       the various TCTI modules available.

       The values passed through these variables can be overridden on a
       per-command basis using the available command line options, see the
       TCTI_OPTIONS section.

       The variables respected depend on how the software was configured.

       · TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the
         next component down the TSS stack.  In most configurations this will
         be the TPM but it could be a simulator or proxy.  The current known
         TCTIs are:

         · tabrmd - The new resource manager, called tabrmd
           (https://github.com/01org/tpm2-abrmd).

         · socket - Typically used with the old resource manager, or talking
           directly to a simulator.

         · device - Used when talking directly to a TPM device file.

       · TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM
         device file.  The default is “/dev/tpm0”.

         Note: Using the TPM directly requires the users to ensure that
         concurrent access does not occur and that they manage the TPM
         resources.  These tasks are usually managed by a resource manager.
         Linux 4.12 and greater supports an in-kernel resource manager at
         “/dev/tpmrm”, typically “/dev/tpmrm0”.

       · TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the
         domain name or IP address used.  The default is 127.0.0.1.

       · TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port
         number used.  The default is 2321.

TCTI OPTIONS

       This collection of options is used to configure the various TCTI
       modules available.  They override any environment variables.

       · -T, --tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for
         communication with the next component down the TSS stack.  In most
         configurations this will be the resource manager: tabrmd
         (https://github.com/01org/tpm2-abrmd).  Optionally, TCTI-specific
         options can be appended to TCTI_NAME by appending a : to TCTI_NAME.

         · For the device TCTI, the TPM device file for use by the device TCTI
           can be specified.  The default is /dev/tpm0.  Example: -T
           device:/dev/tpm0

         · For the socket TCTI, the domain name or IP address and port number
           used by the socket can be specified.  The defaults are 127.0.0.1
           and 2321.  Example: -T socket:127.0.0.1:2321

         · The abrmd TCTI takes no options.  Example: -T abrmd

Password Formatting

       Passwords are interpreted in two forms, string and hex-string.  A
       string password is not interpreted, and is directly used for
       authorization.  A hex-string is converted from a hexadecimal form into
       a byte array form, thus allowing passwords with non-printable and/or
       terminal un-friendly characters.

       By default passwords are assumed to be in the string form.  Password
       form is specified with special prefix values; they are:

       · str: - Used to indicate it is a raw string.  Useful for escaping a
         password that starts with the “hex:” prefix.

       · hex: - Used when specifying a password in hex string format.

Signature Format Specifiers

       Format selection for the signature output file.  tss (the default) will
       output a binary blob according to the TPM 2.0 specification and any
       potential compiler padding.  The option plain will output the plain
       signature data as defined by the used cryptographic algorithm.

EXAMPLES

              tpm2_certify -H 0x81010002 -k 0x81010001 -P 0x0011 -K 0x00FF -g 0x00B -a <fileName> -s <fileName>
              tpm2_certify -C obj.context -c key.context -P 0x0011 -K 0x00FF -g 0x00B -a <fileName> -s <fileName>
              tpm2_certify -H 0x81010002 -k 0x81010001 -P 0011 -K 00FF -X -g 0x00B -a <fileName> -s <fileName>
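
       The relying-party check described under DESCRIPTION, as an added
       example that is not part of the original manual or of tpm2-tools: it
       parses attestation data and compares the certified NAME with the NAME
       computed from a public area the relying party holds.  Assumptions:
       ATTEST_FILE holds a raw TPMS_ATTEST structure, the public area is an
       unframed TPMT_PUBLIC, and the signature in SIG_FILE has already been
       verified against the signing key.  All function names and sample bytes
       are constructed for illustration.

```python
import hashlib
import hmac
import struct

TPM_GENERATED_VALUE = 0xFF544347  # magic: structure was built inside a TPM
TPM_ST_ATTEST_CERTIFY = 0x8017    # attestation type produced by TPM2_Certify()
HASHES = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}

def read_tpm2b(buf, off):
    """Read a TPM2B field (big-endian uint16 size, then that many bytes)."""
    (size,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + size
    if end > len(buf):
        raise ValueError("truncated TPM2B field")
    return buf[off + 2:end], end

def certified_name(attest):
    """Return the NAME carried in a TPMS_ATTEST of type certify."""
    magic, kind = struct.unpack_from(">IH", attest, 0)
    if magic != TPM_GENERATED_VALUE or kind != TPM_ST_ATTEST_CERTIFY:
        raise ValueError("not a TPM-generated certify attestation")
    _signer, off = read_tpm2b(attest, 6)   # qualifiedSigner
    _extra, off = read_tpm2b(attest, off)  # extraData
    off += 17 + 8                          # TPMS_CLOCK_INFO, firmwareVersion
    name, off = read_tpm2b(attest, off)    # TPMS_CERTIFY_INFO.name
    _qname, off = read_tpm2b(attest, off)  # TPMS_CERTIFY_INFO.qualifiedName
    if off != len(attest):
        raise ValueError("unexpected trailing bytes")
    return name

def name_of(public_area):
    """NAME = nameAlg || H_nameAlg(public area); nameAlg is bytes 2..3."""
    (name_alg,) = struct.unpack_from(">H", public_area, 2)
    if name_alg not in HASHES:
        raise ValueError("unsupported nameAlg")
    digest = hashlib.new(HASHES[name_alg], public_area).digest()
    return struct.pack(">H", name_alg) + digest

def public_area_is_certified(attest, public_area):
    """True when the relying party's public area has the certified NAME."""
    return hmac.compare_digest(certified_name(attest), name_of(public_area))

def build_sample_attest(name):
    """Constructed test input, not output captured from a real TPM."""
    tpm2b = lambda b: struct.pack(">H", len(b)) + b
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_CERTIFY)
            + tpm2b(b"\x00\x0b" + bytes(32)) + tpm2b(b"")
            + bytes(17) + bytes(8) + tpm2b(name) + tpm2b(name))

SAMPLE_PUBLIC = bytes.fromhex("0001000b00030072") + b"constructed-public-area"
SAMPLE_ATTEST = build_sample_attest(name_of(SAMPLE_PUBLIC))
```

       A matching NAME only carries weight once the signature over the same
       attestation bytes has been checked with a signing key the relying
       party trusts.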

RETURNS

       0 on success or 1 on failure.

BUGS

       GitHub Issues (https://github.com/01org/tpm2-tools/issues)

HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)

tpm2-tools                      SEPTEMBER 2017                 tpm2_certify(1)