tpm2_hierarchycontrol(1)        General Commands Manual       tpm2_hierarchycontrol(1)

NAME
       tpm2_hierarchycontrol(1) - Enable and disable use of a hierarchy and
       its associated NV storage.

SYNOPSIS
       tpm2_hierarchycontrol [OPTIONS] VARIABLE OPERATION

DESCRIPTION
       tpm2_hierarchycontrol(1) - Allows the user to change phEnable,
       phEnableNV, shEnable and ehEnable when the proper authorization is
       provided. The authorization should be one of the owner hierarchy
       auth, the endorsement hierarchy auth or the platform hierarchy auth.
       As arguments the tool takes VARIABLE, the name of a TPMA_STARTUP_CLEAR
       bit, and OPERATION, the string clear or set, to clear or set that
       VARIABLE bit.

       Note: If the password option is missing, a NULL (empty) password is
       assumed.

OPTIONS
       · -C, --hierarchy=OBJECT:
         Specifies the handle used to authorize. Defaults to the "platform"
         hierarchy. Supported options are:

         · o for TPM_RH_OWNER

         · p for TPM_RH_PLATFORM

         · <num> where a raw number can be used.

       · -P, --hierarchy-auth=AUTH:
         Specifies the authorization value for the hierarchy.

   References
   Context Object Format
       The type of a context object, whether it is a handle or file name, is
       determined according to the following logic, in order:

       · If the argument is a file path, then the file is loaded as a restored
         TPM transient object.

       · If the argument is a prefix match on one of:

         · owner: the owner hierarchy

         · platform: the platform hierarchy

         · endorsement: the endorsement hierarchy

         · lockout: the lockout control persistent object

       · If the argument can be loaded as a number it will be treated as a
         handle, e.g. 0x81010013, and used directly.

   Authorization Formatting
       Authorization for use of an object in TPM2.0 can come in 3 different
       forms:

       1. Password

       2. HMAC

       3. Sessions

       NOTE: "Authorizations default to the EMPTY PASSWORD when not
       specified".

   Passwords
       Passwords are interpreted in the forms below, selected by prefix
       identifiers.

       Note: By default passwords are assumed to be in the string form when
       they do not have a prefix.

   String
       A string password, specified by the prefix "str:" or its absence (raw
       string without prefix), is not interpreted and is used directly for
       authorization.

       Examples
              foobar
              str:foobar

   Hex-string
       A hex-string password, specified by the prefix "hex:", is converted
       from hexadecimal form into a byte array, thus allowing passwords with
       non-printable and/or terminal-unfriendly characters.

       Example
              hex:0x1122334455667788

   File
       A file-based password, specified by the prefix "file:", should be the
       path of a file containing the password to be read by the tool, or a
       "-" to use stdin. Storing passwords in files prevents the information
       leakage that occurs when passwords are passed as options: such
       passwords can be read from the process list or recovered from common
       shell history features.

       Examples
              # to use stdin and be prompted
              file:-

              # to use a file from a path
              file:path/to/password/file

              # to echo a password via stdin:
              echo foobar | tpm2_tool -p file:-

              # to use a bash here-string via stdin:
              tpm2_tool -p file:- <<< foobar

   Sessions
       When using a policy session to authorize the use of an object, prefix
       the option argument with the session keyword. Then indicate a path to
       a session file that was created with tpm2_startauthsession(1).
       Optionally, if the session requires an auth value to be sent with the
       session handle (e.g. policy password), then append a + and a string as
       described in the Passwords section.

       Examples
              To use a session context file called session.ctx:

              session:session.ctx

              To use a session context file called session.ctx AND send the
              authvalue mypassword:

              session:session.ctx+mypassword

              To use a session context file called session.ctx AND send the
              HEX authvalue 0x11223344:

              session:session.ctx+hex:11223344

   PCR Authorizations
       You can satisfy a PCR policy using the "pcr:" prefix and the PCR
       minilanguage. The PCR minilanguage is as follows:

              <pcr-spec>=<raw-pcr-file>

       The PCR spec is documented in the section "PCR bank specifiers".

       The raw-pcr-file is optional; it is the output of the raw PCR
       contents as returned by tpm2_pcrread(1).

   PCR bank specifiers

       Examples
              To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a
              specifier of:

              pcr:sha256:0,1,2,3

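       The following POSIX shell script is an example added by the editor,
       not code from tpm2-tools, that parses the AUTH forms documented above
       (a bare string, str:, hex:, file:, session:<ctx>[+<auth>] and
       pcr:<spec>[=<file>]) the way the tool describes them. All function
       names are this script's own; the hex: validation (whole bytes, hex
       digits only, optional 0x) is a sensible reading of "converted from
       hexadecimal form into a byte array" rather than the tool's exact
       error behaviour.

```shell
#!/bin/sh
# Editor's example, not tpm2-tools code: a parser for the AUTH minilanguage
# (str:, hex:, file:, session:, pcr:).  Function names are assumptions of
# this script.

# auth_kind <auth>: print which form an AUTH argument takes.
auth_kind() {
    case "$1" in
        str:*)     echo string ;;
        hex:*)     echo hex ;;
        file:*)    echo file ;;
        session:*) echo session ;;
        pcr:*)     echo pcr ;;
        *)         echo string ;;   # no prefix: the raw string is the password
    esac
}

# auth_string_value <auth>: the literal password for the string form.
auth_string_value() {
    printf '%s\n' "${1#str:}"
}

# auth_hex_value <auth>: normalise a hex: password to lowercase hex digits
# without the optional 0x prefix; fail on odd length or non-hex characters.
auth_hex_value() {
    h=${1#hex:}
    h=${h#0x}
    case "$h" in
        *[!0-9A-Fa-f]*|"") echo "hex: value must be hex digits" >&2; return 1 ;;
    esac
    [ $(( ${#h} % 2 )) -eq 0 ] || { echo "hex: value must be whole bytes" >&2; return 1; }
    printf '%s\n' "$h" | tr 'A-F' 'a-f'
}

# auth_file_value <auth>: read the password from the named file, or from
# stdin when the path is "-".  Reading from a file or stdin keeps the secret
# out of the process list and shell history.
auth_file_value() {
    path=${1#file:}
    if [ "$path" = - ]; then cat; else cat -- "$path"; fi
}

# session_file <auth> / session_auth <auth>: split "session:<ctx>[+<auth>]"
# into the session context path and the optional auth sent with it; that
# auth is itself in password form (plain, str: or hex:).
session_file() {
    s=${1#session:}
    printf '%s\n' "${s%%+*}"
}
session_auth() {
    s=${1#session:}
    case "$s" in *+*) printf '%s\n' "${s#*+}" ;; *) printf '\n' ;; esac
}

# pcr_spec <auth> / pcr_file <auth>: split "pcr:<pcr-spec>[=<raw-pcr-file>]".
pcr_spec() {
    p=${1#pcr:}
    printf '%s\n' "${p%%=*}"
}
pcr_file() {
    p=${1#pcr:}
    case "$p" in *=*) printf '%s\n' "${p#*=}" ;; *) printf '\n' ;; esac
}

# Demonstration on constructed values (same shapes as the man page examples).
auth_kind 'session:session.ctx+hex:11223344'
session_file 'session:session.ctx+hex:11223344'
auth_hex_value "$(session_auth 'session:session.ctx+hex:11223344')"
pcr_spec 'pcr:sha256:0,1,2,3'
printf 'foobar\n' | auth_file_value file:-
```

       Because a session's appended auth is itself in password form, the
       same hex: and str: handling applies after the + as it does for a bare
       -P value.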

COMMON OPTIONS
       This collection of options is common to many programs and provides
       information that many users may expect.

       · -h, --help=[man|no-man]: Display the tool's manpage. By default, it
         attempts to invoke the manpager for the tool; on failure it will
         output a short tool summary. This is the same behavior as when the
         "man" option argument is specified, except that if "man" is
         explicitly requested, the tool will report errors from man on
         stderr. If the "no-man" option is specified, or the manpager fails,
         the short options will be output to stdout.

         Successfully using the manpages feature requires the manpages to be
         installed or on MANPATH; see man(1) for more details.

       · -v, --version: Display version information for this tool and the
         supported TCTIs, then exit.

       · -V, --verbose: Increase the information that the tool prints to the
         console during its execution. When using this option the file and
         line number are printed.

       · -Q, --quiet: Silence normal tool output to stdout.

       · -Z, --enable-errata: Enable the application of errata fixups. Useful
         if an errata fixup needs to be applied to commands sent to the TPM.
         Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
         equivalent.

TCTI CONFIGURATION
       The TCTI or "Transmission Interface" is the communication mechanism
       with the TPM. TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       · tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
         abrmd as a tcti name are synonymous.

       · mssim - Typically used for communicating with the TPM software
         simulator.

       · device - Used when talking directly to a TPM device file.

       · none - Do not initialize a connection with the TPM. Some tools allow
         for off-TPM options and thus support not using a TCTI. Tools that do
         not support it will error when used without a TCTI connection. Does
         not support ANY options and MUST BE presented as the exact text
         "none".

       The arguments to either the command line option or the environment
       variable are in the form:

              <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or the
       <tcti-option-config> results in the default being used for that
       portion respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics. The tools will search for the tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
       which TCTI will be chosen as the default by using the -v option to
       print the version information. The "default-tcti" key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded. The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup. Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.

TCTI OPTIONS
       This collection of options is used to configure the various known TCTI
       modules available:

       · device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified. The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or export
         TPM2TOOLS_TCTI="device:/dev/tpm0"

       · mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified. The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or export
         TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       · abrmd: For the abrmd TCTI, the configuration string format is a
         series of simple key value pairs separated by a ',' character. Each
         key and value string are separated by a '=' character.

         · TCTI abrmd supports two keys:

           1. 'bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. 'bus_type' : The type of the dbus instance (a string) limited
              to 'session' and 'system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

                --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti, by leaving the name portion
         empty, and a config string of bus_type=session:

                --tcti=:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.

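       The following POSIX shell script is an example added by the editor,
       not tpm2-tools code, that splits a <tcti-name>:<tcti-option-config>
       specification and checks it against the rules stated above: an empty
       name or config portion means "use the default", "none" must be the
       exact text with no options, and an abrmd config is a comma-separated
       list of bus_name and bus_type pairs with bus_type limited to session
       or system. The DEFAULT_TCTI value and the function names are this
       script's assumptions; the per-module defaults for device and mssim
       are the documented ones.

```shell
#!/bin/sh
# Editor's example, not tpm2-tools code: parse and validate a TCTI spec of
# the form <tcti-name>:<tcti-option-config>.

# Assumed default name; the tools actually pick the first of tabrmd, device
# and mssim that dlopen(3) finds, which `-v` reports as "default-tcti".
DEFAULT_TCTI=tabrmd

# tcti_name <spec>: the name portion, falling back to DEFAULT_TCTI when empty.
tcti_name() {
    case "$1" in
        *:*) name=${1%%:*} ;;
        *)   name=$1 ;;
    esac
    printf '%s\n' "${name:-$DEFAULT_TCTI}"
}

# tcti_config <spec>: the config portion; empty means the module default.
tcti_config() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# tcti_effective_config <spec>: substitute the documented module default
# (device: /dev/tpm0, mssim: 127.0.0.1 port 2321) when the config is empty.
tcti_effective_config() {
    cfg=$(tcti_config "$1")
    if [ -n "$cfg" ]; then printf '%s\n' "$cfg"; return; fi
    case "$(tcti_name "$1")" in
        device) printf '/dev/tpm0\n' ;;
        mssim)  printf 'host=127.0.0.1,port=2321\n' ;;
        *)      printf '\n' ;;   # no default documented on this page
    esac
}

# tcti_validate <spec>: exit 0 if the spec follows the documented rules,
# otherwise print a reason on stderr and exit 1.
tcti_validate() {
    name=$(tcti_name "$1")
    cfg=$(tcti_config "$1")
    case "$name" in
        none)
            # "none" takes no options and must be given as the exact text.
            [ "$1" = none ] || { echo "none must be given as the exact text \"none\"" >&2; return 1; } ;;
        tabrmd|abrmd)
            rest=$cfg
            while [ -n "$rest" ]; do
                case "$rest" in
                    *,*) pair=${rest%%,*}; rest=${rest#*,} ;;
                    *)   pair=$rest; rest= ;;
                esac
                key=${pair%%=*}; val=${pair#*=}
                case "$key" in
                    bus_name) [ -n "$val" ] || { echo "bus_name needs a value" >&2; return 1; } ;;
                    bus_type) case "$val" in
                                  session|system) ;;
                                  *) echo "bus_type must be session or system, got: $val" >&2; return 1 ;;
                              esac ;;
                    *) echo "unknown abrmd key: $key" >&2; return 1 ;;
                esac
            done ;;
        device|mssim) ;;   # free-form; the module itself interprets the config
        *) ;;              # custom TCTI: the raw name goes to dlopen(3)
    esac
}

# Demonstration on constructed values.
for spec in 'device:/dev/tpm0' 'mssim:' ':bus_type=session' 'none'; do
    printf '%-22s name=%s config=%s\n' "$spec" "$(tcti_name "$spec")" "$(tcti_effective_config "$spec")"
done
tcti_validate 'tabrmd:bus_name=com.example.FooBar,bus_type=session' && echo "abrmd spec ok"
```

       A custom TCTI name is deliberately left unchecked: as the "Custom
       TCTIs" section says, that string is handed to dlopen(3) as a library
       name or path, so the only meaningful check is whether the load
       succeeds.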

EXAMPLES
       Set phEnableNV with platform hierarchy and its authorization
              tpm2_hierarchycontrol -C p phEnableNV set -P pass

       Clear phEnableNV with platform hierarchy
              tpm2_hierarchycontrol -C p phEnableNV clear

       Set shEnable with platform hierarchy
              tpm2_hierarchycontrol -C p shEnable set

       Set shEnable with owner hierarchy
              tpm2_hierarchycontrol -C o shEnable set

       Check current TPMA_STARTUP_CLEAR Bits
              tpm2_getcap properties-variable
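       The tool does not report the resulting state, so a script that
       disables or enables a hierarchy should read the TPMA_STARTUP_CLEAR
       bits back with tpm2_getcap properties-variable, as the last example
       shows. The following POSIX shell script is an example added by the
       editor, not tpm2-tools code, that decodes those bits. It assumes the
       tpm2_getcap output contains a "raw:" line under the
       TPM2_PT_STARTUP_CLEAR (or TPM_PT_STARTUP_CLEAR) property, as in the
       constructed sample embedded below; the bit positions are those of
       TPMA_STARTUP_CLEAR in the TPM 2.0 Library specification, Part 2
       (bit 0 phEnable, bit 1 shEnable, bit 2 ehEnable, bit 3 phEnableNV,
       bit 31 orderly). Function names are this script's own.

```shell
#!/bin/sh
# Editor's example, not tpm2-tools code: decode TPMA_STARTUP_CLEAR from
# `tpm2_getcap properties-variable` output so a script can verify what
# tpm2_hierarchycontrol changed.

# Constructed sample of the getcap output (only the "raw:" line after the
# STARTUP_CLEAR header is parsed, so per-bit key names may differ).
SAMPLE_GETCAP='TPM2_PT_STARTUP_CLEAR:
  raw: 0x8000000F
  phEnable: 1
  shEnable: 1
  ehEnable: 1
  phEnableNV: 1
  orderly: 1
TPM2_PT_HR_NV_INDEX:
  raw: 0x0'

# startup_clear_raw <getcap-output>: print the raw TPMA_STARTUP_CLEAR value
# (hex) that follows the STARTUP_CLEAR property header.
startup_clear_raw() {
    printf '%s\n' "$1" | awk '
        /STARTUP_CLEAR:/ { want = 1; next }
        want && /raw:/   { print $2; exit }'
}

# startup_clear_bit <variable>: bit position of a VARIABLE name as used on
# the tpm2_hierarchycontrol command line (TPM 2.0 Part 2, TPMA_STARTUP_CLEAR).
startup_clear_bit() {
    case "$1" in
        phEnable)   echo 0 ;;
        shEnable)   echo 1 ;;
        ehEnable)   echo 2 ;;
        phEnableNV) echo 3 ;;
        orderly)    echo 31 ;;
        *) return 1 ;;
    esac
}

# hierarchy_enabled <variable> <raw-hex>: exit 0 if the bit is set, 1 if it
# is clear, 2 if the name is unknown or the raw value is missing.
hierarchy_enabled() {
    bit=$(startup_clear_bit "$1") || return 2
    [ -n "$2" ] || return 2
    [ $(( ($2 >> bit) & 1 )) -eq 1 ]
}

# decode_startup_clear <raw-hex>: print one "name=0|1" line per bit.
decode_startup_clear() {
    for name in phEnable shEnable ehEnable phEnableNV orderly; do
        if hierarchy_enabled "$name" "$1"; then v=1; else v=0; fi
        printf '%s=%s\n' "$name" "$v"
    done
}

# On a real system: raw=$(startup_clear_raw "$(tpm2_getcap properties-variable)")
raw=$(startup_clear_raw "$SAMPLE_GETCAP")
decode_startup_clear "$raw"
if hierarchy_enabled phEnable "$raw"; then
    echo "platform hierarchy is still enabled"
fi
```

       A typical use is a post-provisioning check: after running
       tpm2_hierarchycontrol -C p phEnable clear, hierarchy_enabled phEnable
       on the freshly read raw value must fail, otherwise the command did
       not take effect.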
293
295 Tools can return any of the following codes:
296
297 · 0 - Success.
298
299 · 1 - General non-specific error.
300
301 · 2 - Options handling error.
302
303 · 3 - Authentication error.
304
305 · 4 - TCTI related error.
306
307 · 5 - Non supported scheme. Applicable to tpm2_testparams.
308
310 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
311
313 See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
314
315
316
317tpm2-tools July 2019 tpm2_hierarchycontrol(1)