1tpm2_policynamehash(1) General Commands Manual tpm2_policynamehash(1)
2
3
4
6 tpm2_policynamehash(1) - Couples a policy with names of specific ob‐
7 jects.
8
10 tpm2_policynamehash [OPTIONS]
11
13 tpm2_policynamehash(1) - Couples a policy with names of specific ob‐
14 jects. This is a deferred assertion where the hash of the names of all
15 object handles in a TPM command is checked against the one specified in
16 the policy.
17
19 · -L, --policy=FILE:
20
21 File to save the compounded policy digest.
22
23 · -S, --session=FILE:
24
25 The policy session file generated via the -S option to tpm2_star‐
26 tauthsession(1).
27
28 · -n, --name=FILE:
29
30 The file containing the name hash of the referenced objects.
31
32 References
34 This collection of options are common to many programs and provide in‐
35 formation that many users may expect.
36
37 · -h, --help=[man|no-man]: Display the tools manpage. By default, it
38 attempts to invoke the manpager for the tool, however, on failure
39 will output a short tool summary. This is the same behavior if the
40 "man" option argument is specified, however if explicit "man" is re‐
41 quested, the tool will provide errors from man on stderr. If the
42 "no-man" option if specified, or the manpager fails, the short op‐
43 tions will be output to stdout.
44
45 To successfully use the manpages feature requires the manpages to be
46 installed or on MANPATH, See man(1) for more details.
47
48 · -v, --version: Display version information for this tool, supported
49 tctis and exit.
50
51 · -V, --verbose: Increase the information that the tool prints to the
52 console during its execution. When using this option the file and
53 line number are printed.
54
55 · -Q, --quiet: Silence normal tool output to stdout.
56
57 · -Z, --enable-errata: Enable the application of errata fixups. Useful
58 if an errata fixup needs to be applied to commands sent to the TPM.
59 Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent. in‐
60 formation many users may expect.
61
63 The TCTI or "Transmission Interface" is the communication mechanism
64 with the TPM. TCTIs can be changed for communication with TPMs across
65 different mediums.
66
67 To control the TCTI, the tools respect:
68
69 1. The command line option -T or --tcti
70
71 2. The environment variable: TPM2TOOLS_TCTI.
72
73 Note: The command line option always overrides the environment vari‐
74 able.
75
76 The current known TCTIs are:
77
78 · tabrmd - The resource manager, called tabrmd
79 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
80 abrmd as a tcti name are synonymous.
81
82 · mssim - Typically used for communicating to the TPM software simula‐
83 tor.
84
85 · device - Used when talking directly to a TPM device file.
86
87 · none - Do not initalize a connection with the TPM. Some tools allow
88 for off-tpm options and thus support not using a TCTI. Tools that do
89 not support it will error when attempted to be used without a TCTI
90 connection. Does not support ANY options and MUST BE presented as
91 the exact text of "none".
92
93 The arguments to either the command line option or the environment
94 variable are in the form:
95
96 <tcti-name>:<tcti-option-config>
97
98 Specifying an empty string for either the <tcti-name> or <tcti-op‐
99 tion-config> results in the default being used for that portion respec‐
100 tively.
101
102 TCTI Defaults
103 When a TCTI is not specified, the default TCTI is searched for using
104 dlopen(3) semantics. The tools will search for tabrmd, device and
105 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
106 what TCTI will be chosen as the default by using the -v option to print
107 the version information. The "default-tcti" key-value pair will indi‐
108 cate which of the aforementioned TCTIs is the default.
109
110 Custom TCTIs
111 Any TCTI that implements the dynamic TCTI interface can be loaded. The
112 tools internally use dlopen(3), and the raw tcti-name value is used for
113 the lookup. Thus, this could be a path to the shared library, or a li‐
114 brary name as understood by dlopen(3) semantics.
115
117 This collection of options are used to configure the various known TCTI
118 modules available:
119
120 · device: For the device TCTI, the TPM character device file for use by
121 the device TCTI can be specified. The default is /dev/tpm0.
122
123 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="de‐
124 vice:/dev/tpm0"
125
126 · mssim: For the mssim TCTI, the domain name or IP address and port
127 number used by the simulator can be specified. The default are
128 127.0.0.1 and 2321.
129
130 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
131 TI="mssim:host=localhost,port=2321"
132
133 · abrmd: For the abrmd TCTI, the configuration string format is a se‐
134 ries of simple key value pairs separated by a ',' character. Each
135 key and value string are separated by a '=' character.
136
137 · TCTI abrmd supports two keys:
138
139 1. 'bus_name' : The name of the tabrmd service on the bus (a
140 string).
141
142 2. 'bus_type' : The type of the dbus instance (a string) limited to
143 'session' and 'system'.
144
145 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
146 ample.FooBar:
147
148 \--tcti=tabrmd:bus_name=com.example.FooBar
149
150 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
151 sion:
152
153 \--tcti:bus_type=session
154
155 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
156 ules.
157
159 Restrict key duplication to specific new parent and specific duplicable
160 key.
161
163 openssl genrsa -out signing_key_private.pem 2048
164
165 openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
166
167 tpm2_loadexternal -G rsa -C o -u signing_key_public.pem -c signing_key.ctx \
168 -n signing_key.name
169
170 tpm2_startauthsession -S session.ctx -g sha256
171
172 tpm2_policyauthorize -S session.ctx -L authorized.policy -n signing_key.name
173
174 tpm2_policycommandcode -S session.ctx -L policy.dat TPM2_CC_Duplicate
175
176 tpm2_flushcontext session.ctx
177
178 tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx -Q
179
180 ## The duplicable key
181 tpm2_create -Q -C primary.ctx -g sha256 -G rsa -r key.prv -u key.pub \
182 -L policy.dat -a "sensitivedataorigin|sign|decrypt"
183
184 tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx
185
187 tpm2_create -Q -C primary.ctx -g sha256 -G rsa -r new_parent.prv \
188 -u new_parent.pub \
189 -a "decrypt|fixedparent|fixedtpm|restricted|sensitivedataorigin"
190
191 tpm2_loadexternal -Q -C o -u new_parent.pub -c new_parent.ctx
192
194 parent and key
195
196 tpm2_readpublic -Q -c new_parent.ctx -n new_parent.name
197
198 tpm2_readpublic -Q -c key.ctx -n key.name
199
200 cat key.name new_parent.name | openssl dgst -sha256 -binary > name.hash
201
202 tpm2_startauthsession -S session.ctx -g sha256
203
204 tpm2_policynamehash -L policy.namehash -S session.ctx -n name.hash
205
206 tpm2_flushcontext session.ctx
207
208 openssl dgst -sha256 -sign signing_key_private.pem \
209 -out policynamehash.signature policy.namehash
210
211 tpm2_startauthsession -S session.ctx -g sha256
212
213 tpm2_policyauthorize -S session.ctx -L authorized.policy -i policy.namehash \
214 -n signing_key.name
215
216 tpm2_policycommandcode -S session.ctx -L policy.dat TPM2_CC_Duplicate
217
218 tpm2_flushcontext session.ctx
219
221 tpm2_verifysignature -c signing_key.ctx -g sha256 -m policy.namehash \
222 -s policynamehash.signature -t verification.tkt -f rsassa
223
224 tpm2_startauthsession -S session.ctx --policy-session -g sha256
225
226 tpm2_policynamehash -S session.ctx -n name.hash
227
228 tpm2_policyauthorize -S session.ctx -i policy.namehash -n signing_key.name \
229 -t verification.tkt
230
231 tpm2_policycommandcode -S session.ctx TPM2_CC_Duplicate
232
233 tpm2_duplicate -C new_parent.ctx -c key.ctx -G null -p "session:session.ctx" \
234 -r dupprv.bin -s dupseed.dat
235
236 tpm2_flushcontext session.ctx
237
239 Tools can return any of the following codes:
240
241 · 0 - Success.
242
243 · 1 - General non-specific error.
244
245 · 2 - Options handling error.
246
247 · 3 - Authentication error.
248
249 · 4 - TCTI related error.
250
251 · 5 - Non supported scheme. Applicable to tpm2_testparams.
252
254 It expects a session to be already established via tpm2_startauthses‐
255 sion(1) and requires one of the following:
256
257 · direct device access
258
259 · extended session support with tpm2-abrmd.
260
261 Without it, most resource managers will not save session state between
262 command invocations.
263
265 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
266
268 See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
269
270
271
272tpm2-tools tpm2_policynamehash(1)