1tpm2_hmac(1)                General Commands Manual               tpm2_hmac(1)
2
3
4

NAME

6       tpm2_hmac(1) - Performs an HMAC operation with the TPM.
7

SYNOPSIS

9       tpm2_hmac [OPTIONS] FILE
10

DESCRIPTION

12       tpm2_hmac(1)  -  performs an HMAC operation on FILE and returns the re‐
13       sults.  If FILE is not specified, then data is read from stdin.
14

OPTIONS

16       · -k, –key-handle=KEY_CONTEXT_FILE: The key handle  for  the  symmetric
17         signing key providing the HMAC key.
18
19       · -c,  –key-context=KEY_CONTEXT_FILE:  The  filename of the key context
20         used for the operation.
21
22       · -P, –pwdk=KEY_PASSWORD: The password for  key,  optional.   Passwords
23         should  follow  the “password formatting standards, see section”Pass‐
24         word Formatting“.
25
26       · -g, –halg=HASH_ALGORITHM: The  hash  algorithm  to  use.   Algorithms
27         should follow the “formatting standards, see section”Algorithm Speci‐
28         fiers“. Also, see section”Supported Hash Algorithms" for  a  list  of
29         supported hash algorithms.
30
31       · -o,  –outfile=OUT_FILE  Optional file record of the HMAC result.  De‐
32         faults to stdout.
33
34       · -S, –input-session-handle=SESSION_HANDLE: Optional Input session han‐
35         dle from a policy session for authorization.
36

COMMON OPTIONS

38       This  collection of options are common to many programs and provide in‐
39       formation that many users may expect.
40
41       · -h, –help: Display the tools manpage.  This requires the manpages  to
42         be installed or on MANPATH, See man(1) for more details.
43
44       · -v,  –version:  Display  version information for this tool, supported
45         tctis and exit.
46
47       · -V, –verbose: Increase the information that the tool  prints  to  the
48         console  during  its  execution.  When using this option the file and
49         line number are printed.
50
51       · -Q, –quiet: Silence normal tool output to stdout.
52
53       · -Z, –enable-errata: Enable the application of errata fixups.   Useful
54         if  an  errata fixup needs to be applied to commands sent to the TPM.
55         # TCTI ENVIRONMENT
56
57       This collection of environment variables that may be used to  configure
58       the various TCTI modules available.
59
60       The  values  passed  through  these  variables  can  be overridden on a
61       per-command basis using the available command line options, see the TC‐
62       TI_OPTIONS section.
63
64       The variables respected depend on how the software was configured.
65
66       · TPM2TOOLS_TCTI_NAME:  Select the TCTI used for communication with the
67         next component down the TSS stack.  In most configurations this  will
68         be  the  TPM but it could be a simulator or proxy.  The current known
69         TCTIs are:
70
71         · tabrmd   -   The    new    resource    manager,    called    tabrmd
72           (https://github.com/01org/tpm2-abrmd).
73
74         · socket  -  Typically used with the old resource manager, or talking
75           directly to a simulator.
76
77         · device - Used when talking directly to a TPM device file.
78
79       · TPM2TOOLS_DEVICE_FILE: When using the device TCTI,  specify  the  TPM
80         device file.  The default is “/dev/tpm0”.
81
82         Note:  Using  the tpm directly requires the users to ensure that con‐
83         current access does not occur and that they manage the tpm resources.
84         These  tasks  are  usually managed by a resource manager.  Linux 4.12
85         and greater supports an in kernel resource manager  at  “/dev/tpmrm”,
86         typically “/dev/tpmrm0”.
87
88       · TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the do‐
89         main name or IP address used.  The default is 127.0.0.1.
90
91       · TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify  the  port
92         number used.  The default is 2321.
93

TCTI OPTIONS

95       This  collection  of options are used to configure the varous TCTI mod‐
96       ules available.  They override any environment variables.
97
98       · -T, –tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for communi‐
99         cation  with the next component down the TSS stack.  In most configu‐
100         rations   this    will    be    the    resource    manager:    tabrmd
101         (https://github.com/01org/tpm2-abrmd)  Optionally,  tcti specific op‐
102         tions can appended to TCTI_NAME by appending a : to TCTI_NAME.
103
104         · For the device TCTI, the TPM device file for use by the device TCTI
105           can  be  specified.   The  default  is  /dev/tpm0.  Example: -T de‐
106           vice:/dev/tpm0
107
108         · For the socket TCTI, the domain name or IP address and port  number
109           used by the socket can be specified.  The default are 127.0.0.1 and
110           2321.  Example: -T socket:127.0.0.1:2321
111
112         · For the abrmd TCTI, it takes no options.  Example: -T abrmd
113

Password Formatting

115       Passwords are interpreted in  two  forms,  string  and  hex-string.   A
116       string password is not interpreted, and is directly used for authoriza‐
117       tion.  A hex-string, is converted from a hexidecimal form into  a  byte
118       array  form, thus allowing passwords with non-printable and/or terminal
119       un-friendly characters.
120
121       By default passwords are assumed to be in the  string  form.   Password
122       form is specified with special prefix values, they are:
123
124       · str:  -  Used  to indicate it is a raw string.  Useful for escaping a
125         password that starts with the “hex:” prefix.
126
127       · hex: - Used when specifying a password in hex string format.
128

Supported Hash Algorithms

130       Supported hash algorithms are:
131
132       · 0x4 or sha1 for TPM_ALG_SHA1 (default)
133
134       · 0xB or sha256 for TPM_ALG_SHA256
135
136       · 0xC or sha384 for TPM_ALG_SHA384
137
138       · 0xD or sha512 for TPM_ALG_SHA512
139
140       · 0x12 or sm3_256 for TPM_ALG_SM3_256
141
142       NOTE: Your TPM may not support all algorithms.
143

Algorithm Specfiers

145       Options that take algorithms support “nice-names”.   Nice  names,  like
146       sha1 can be used in place of the raw hex for sha1: 0x4.  The nice names
147       are converted by stripping the leading TPM_ALG_ from the Algorithm Name
148       field  and  converting it to lower case.  For instance TPM_ALG_SHA3_256
149       becomes sha3_256.
150
151       The algorithms can be found at:  <https://trustedcomputinggroup.org/wp-
152       content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
153

EXAMPLES

155       Perform  a  SHA1 HMAC on data.in and send output and possibly ticket to
156       stdout:
157
158              tpm2_hmac -k 0x81010002 -P abc123 -g sha1 data.in
159
160       Perform a SHA1 HMAC on data.in read as a file to stdin and send  output
161       to a file:
162
163              tpm2_hmac -c key.context -P abc123 -g sha1 -o hash.out << data.in
164
165       Perform  a  SHA256 HMAC on stdin and send result and possibly ticket to
166       stdout:
167
168       cat data.in | tpm2_hmac -k 0x81010002 -g sha256 -o hash.out ```
169

RETURNS

171       0 on success or 1 on failure.
172

BUGS

174       Github Issues (https://github.com/01org/tpm2-tools/issues)
175

HELP

177       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
178
179
180
181tpm2-tools                      SEPTEMBER 2017                    tpm2_hmac(1)
Impressum