tpm2_setclock(1) General Commands Manual tpm2_setclock(1)

NAME
tpm2_setclock(1) - Sets the time on the TPM.

SYNOPSIS
tpm2_setclock [OPTIONS] TIME

DESCRIPTION
tpm2_setclock(1) - Sets the clock on the TPM to a time in the future.
The sole argument is the clock time as a number to set.

OPTIONS
· -c, --hierarchy=OBJECT:

The hierarchy to use for authorization, either platform or owner.
Defaults to the owner hierarchy if not specified.

· -p, --auth=AUTH:

Specifies the authorization value for the hierarchy specified by
option -c.

References
The type of a context object, whether it is a handle or file name, is
determined according to the following logic in-order:

· If the argument is a file path, then the file is loaded as a restored
TPM transient object.

· If the argument is a prefix match on one of:

· owner: the owner hierarchy

· platform: the platform hierarchy

· endorsement: the endorsement hierarchy

· lockout: the lockout control persistent object

· If the argument can be loaded as a number it will be treated
as a handle, e.g. 0x81010013, and used directly.

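The resolution order above (file path, then hierarchy prefix match, then numeric handle) implemented in Python, as an added example that is not tpm2-tools code. The TPM_RH_* handle values are the standard TPM 2.0 permanent handles; the ambiguity rule for prefixes (an empty or non-unique prefix is rejected) is this example's own choice.

```python
"""Resolve a tpm2-tools style OBJECT argument (added example, not tpm2-tools code).

Order, as documented: file path -> hierarchy name prefix -> numeric handle.
"""
import os
from dataclasses import dataclass
from typing import Optional

# Permanent handles from the TPM 2.0 specification, Part 2 (TPM_RH_*).
HIERARCHIES = {
    "owner": 0x40000001,
    "platform": 0x4000000C,
    "endorsement": 0x4000000B,
    "lockout": 0x4000000A,
}


@dataclass
class ObjectRef:
    kind: str                      # "file", "hierarchy" or "handle"
    path: Optional[str] = None     # set for kind == "file"
    name: Optional[str] = None     # canonical hierarchy name
    handle: Optional[int] = None   # numeric handle (also filled for hierarchies)


def match_hierarchy(arg: str) -> Optional[str]:
    """Return the unique hierarchy whose name starts with `arg`, else None.

    An empty prefix, or one shared by several names, is treated as no match
    (this example's rule; the manpage only says "prefix match")."""
    if not arg:
        return None
    hits = [name for name in HIERARCHIES if name.startswith(arg)]
    return hits[0] if len(hits) == 1 else None


def resolve_object(arg: str) -> ObjectRef:
    # 1. An existing file wins: it is a saved transient object context.
    if os.path.isfile(arg):
        return ObjectRef(kind="file", path=arg)
    # 2. Prefix match on a hierarchy name ("own" -> owner, "p" -> platform).
    name = match_hierarchy(arg)
    if name is not None:
        return ObjectRef(kind="hierarchy", name=name, handle=HIERARCHIES[name])
    # 3. Anything parseable as a number is a raw handle; base 0 accepts 0x....
    try:
        handle = int(arg, 0)
    except ValueError:
        raise ValueError(f"cannot resolve object reference {arg!r}") from None
    if not 0 <= handle <= 0xFFFFFFFF:
        raise ValueError(f"handle out of 32-bit range: {arg!r}")
    return ObjectRef(kind="handle", handle=handle)


if __name__ == "__main__":
    for spec in ("own", "platform", "0x81010013", "lock"):
        print(spec, "->", resolve_object(spec))
```

Because a file path is checked first, a file in the working directory named `owner` or `0x81010013` would shadow the hierarchy or handle of the same spelling; this is inherent to the documented order and worth remembering when a tool behaves unexpectedly.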
Authorization Formats
Authorization for use of an object in TPM2.0 can come in 3 different
forms: 1. Password 2. HMAC 3. Sessions

NOTE: "Authorizations default to the EMPTY PASSWORD when not specified".

Passwords
Passwords are interpreted in the following forms below using prefix
identifiers.

Note: By default passwords are assumed to be in the string form when
they do not have a prefix.

String
A string password, specified by prefix "str:" or its absence (raw
string without prefix) is not interpreted, and is directly used for
authorization.

Examples
foobar
str:foobar

Hex-string
A hex-string password, specified by prefix "hex:" is converted from a
hexadecimal form into a byte array form, thus allowing passwords with
non-printable and/or terminal un-friendly characters.

Example
hex:0x1122334455667788

File
A file based password, specified by prefix "file:" should be the path
of a file containing the password to be read by the tool or a "-" to
use stdin. Storing passwords in files prevents information leakage;
passwords passed as options can be read from the process list or common
shell history features.

Examples
# to use stdin and be prompted
file:-

# to use a file from a path
file:path/to/password/file

# to echo a password via stdin:
echo foobar | tpm2_tool -p file:-

# to use a bash here-string via stdin:

tpm2_tool -p file:- <<< foobar

Sessions
When using a policy session to authorize the use of an object, prefix
the option argument with the session keyword. Then indicate a path to
a session file that was created with tpm2_startauthsession(1). Optionally,
if the session requires an auth value to be sent with the session
handle (e.g. policy password), then append a + and a string as described
in the Passwords section.

Examples
To use a session context file called session.ctx.

session:session.ctx

To use a session context file called session.ctx AND send the authvalue
mypassword.

session:session.ctx+mypassword

To use a session context file called session.ctx AND send the HEX authvalue
0x11223344.

session:session.ctx+hex:11223344

PCR Authorizations
You can satisfy a PCR policy using the "pcr:" prefix and the PCR
minilanguage. The PCR minilanguage is as follows:
<pcr-spec>=<raw-pcr-file>

The PCR spec is documented in the section "PCR bank specifiers".

The raw-pcr-file is optional; it is the output of the raw PCR contents as
returned by tpm2_pcrread(1).

PCR bank specifiers (common/pcr.md)

Examples
To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifier
of:

pcr:sha256:0,1,2,3

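The AUTH minilanguage described in the Passwords, Sessions and PCR Authorizations sections, parsed in Python as an added example; this is not tpm2-tools code and its behaviour is derived only from the forms documented here. The `read_file` parameter is an injection point of this example so it can run without a real file or stdin; the `Auth` result type is also this example's own.

```python
"""Parser for the tpm2-tools AUTH minilanguage (added example, not tpm2-tools code).

Handles: <raw>, str:<s>, hex:<h>, file:<path>|file:-, session:<ctx>[+<auth>],
pcr:<pcr-spec>[=<raw-pcr-file>].
"""
import sys
from dataclasses import dataclass
from typing import Callable, Optional

ReadFile = Callable[[str], bytes]


@dataclass
class Auth:
    kind: str                          # "password", "session" or "pcr"
    value: bytes = b""                 # password bytes (or the +auth of a session)
    session_path: Optional[str] = None
    pcr_spec: Optional[str] = None
    pcr_file: Optional[str] = None


def read_password_file(path: str) -> bytes:
    """Default file reader: "-" means stdin, otherwise a path. Bytes are
    passed through unchanged (whether tpm2-tools trims a trailing newline is
    not stated on the manpage, so this example does not guess)."""
    if path == "-":
        return sys.stdin.buffer.read()
    with open(path, "rb") as f:
        return f.read()


def parse_password(spec: str, read_file: ReadFile = read_password_file) -> bytes:
    """Turn a password spec into the raw bytes that will be sent as the auth."""
    if spec.startswith("str:"):
        return spec[len("str:"):].encode()
    if spec.startswith("hex:"):
        hexstr = spec[len("hex:"):]
        if hexstr[:2].lower() == "0x":          # manpage example: hex:0x1122...
            hexstr = hexstr[2:]
        try:
            return bytes.fromhex(hexstr)
        except ValueError:
            raise ValueError(f"bad hex password: {spec!r}") from None
    if spec.startswith("file:"):
        return read_file(spec[len("file:"):])
    # No recognised prefix: the raw string is the password.
    return spec.encode()


def parse_auth(spec: str, read_file: ReadFile = read_password_file) -> Auth:
    if spec.startswith("session:"):
        rest = spec[len("session:"):]
        path, plus, auth = rest.partition("+")   # first '+' separates ctx and auth
        if not path:
            raise ValueError("session: requires a session context file")
        value = parse_password(auth, read_file) if plus else b""
        return Auth(kind="session", session_path=path, value=value)
    if spec.startswith("pcr:"):
        body = spec[len("pcr:"):]
        pcr_spec, _, pcr_file = body.partition("=")
        if not pcr_spec:
            raise ValueError("pcr: requires a PCR specification")
        return Auth(kind="pcr", pcr_spec=pcr_spec, pcr_file=pcr_file or None)
    return Auth(kind="password", value=parse_password(spec, read_file))


if __name__ == "__main__":
    for s in ("foobar", "hex:0x1122334455667788",
              "session:session.ctx+hex:11223344", "pcr:sha256:0,1,2,3"):
        print(s, "->", parse_auth(s))
```

Note that `echo foobar | ... -p file:-` feeds `foobar\n` to the tool; if a trailing newline matters for your auth value, `printf '%s' foobar |` avoids it regardless of how the consumer treats line endings.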
COMMON OPTIONS
This collection of options is common to many programs and provides
information that many users may expect.

· -h, --help=[man|no-man]: Display the tools manpage. By default, it
attempts to invoke the manpager for the tool, however, on failure
will output a short tool summary. This is the same behavior if the
"man" option argument is specified, however if explicit "man" is
requested, the tool will provide errors from man on stderr. If the
"no-man" option is specified, or the manpager fails, the short
options will be output to stdout.

To successfully use the manpages feature requires the manpages to be
installed or on MANPATH. See man(1) for more details.

· -v, --version: Display version information for this tool, supported
TCTIs and exit.

· -V, --verbose: Increase the information that the tool prints to the
console during its execution. When using this option the file and
line number are printed.

· -Q, --quiet: Silence normal tool output to stdout.

· -Z, --enable-errata: Enable the application of errata fixups. Useful
if an errata fixup needs to be applied to commands sent to the TPM.
Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is equivalent.

TCTI Configuration
The TCTI or "Transmission Interface" is the communication mechanism
with the TPM. TCTIs can be changed for communication with TPMs across
different mediums.

To control the TCTI, the tools respect:

1. The command line option -T or --tcti

2. The environment variable: TPM2TOOLS_TCTI.

Note: The command line option always overrides the environment variable.

The current known TCTIs are:

· tabrmd - The resource manager, called tabrmd
(https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
abrmd as a tcti name are synonymous.

· mssim - Typically used for communicating to the TPM software simulator.

· device - Used when talking directly to a TPM device file.

· none - Do not initialize a connection with the TPM. Some tools allow
for off-tpm options and thus support not using a TCTI. Tools that do
not support it will error when attempted to be used without a TCTI
connection. Does not support ANY options and MUST BE presented as
the exact text of "none".

The arguments to either the command line option or the environment
variable are in the form:

<tcti-name>:<tcti-option-config>

Specifying an empty string for either the <tcti-name> or <tcti-option-config>
results in the default being used for that portion respectively.

TCTI Defaults
When a TCTI is not specified, the default TCTI is searched for using
dlopen(3) semantics. The tools will search for tabrmd, device and
mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
what TCTI will be chosen as the default by using the -v option to print
the version information. The "default-tcti" key-value pair will indicate
which of the aforementioned TCTIs is the default.

Custom TCTIs
Any TCTI that implements the dynamic TCTI interface can be loaded. The
tools internally use dlopen(3), and the raw tcti-name value is used for
the lookup. Thus, this could be a path to the shared library, or a
library name as understood by dlopen(3) semantics.

TCTI OPTIONS
This collection of options is used to configure the various known TCTI
modules available:

· device: For the device TCTI, the TPM character device file for use by
the device TCTI can be specified. The default is /dev/tpm0.

Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="device:/dev/tpm0"

· mssim: For the mssim TCTI, the domain name or IP address and port
number used by the simulator can be specified. The defaults are
127.0.0.1 and 2321.

Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

· abrmd: For the abrmd TCTI, the configuration string format is a
series of simple key value pairs separated by a ',' character. Each
key and value string are separated by a '=' character.

· TCTI abrmd supports two keys:

1. 'bus_name' : The name of the tabrmd service on the bus (a string).

2. 'bus_type' : The type of the dbus instance (a string) limited to
'session' and 'system'.

Specify the tabrmd tcti name and a config string of bus_name=com.example.FooBar:

--tcti=tabrmd:bus_name=com.example.FooBar

Specify the default (abrmd) tcti and a config string of bus_type=session:

--tcti:bus_type=session

NOTE: abrmd and tabrmd are synonymous.

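The TCTI selection and configuration rules from the TCTI Configuration and TCTI OPTIONS sections (command line beats environment, empty halves fall back to defaults, "none" takes no options, abrmd accepts only bus_name and bus_type) implemented in Python as an added example that is not tpm2-tools code. `DEFAULT_TCTI` is an assumption standing in for whatever dlopen(3) would find first on a real system, and the abrmd/mssim option parsing is this example's reading of the documented key=value format.

```python
"""Parse a tpm2-tools TCTI spec "<tcti-name>:<tcti-option-config>".

Added example, not tpm2-tools code; every rule below comes from the manpage text.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumption: the first of tabrmd, device, mssim found via dlopen(3) on this host.
DEFAULT_TCTI = "tabrmd"
ALIASES = {"abrmd": "tabrmd"}          # the manpage says the names are synonymous

# Documented default option configs per known TCTI.
DEFAULT_CONF = {
    "device": "/dev/tpm0",
    "mssim": "host=127.0.0.1,port=2321",
    "tabrmd": "",
}
ABRMD_KEYS = {"bus_name", "bus_type"}


@dataclass
class Tcti:
    name: str
    conf: str
    options: Dict[str, str] = field(default_factory=dict)


def select_tcti_spec(cli_value: Optional[str], env_value: Optional[str]) -> Optional[str]:
    """-T/--tcti always overrides TPM2TOOLS_TCTI; None means neither was given."""
    return cli_value if cli_value is not None else env_value


def parse_kv(conf: str) -> Dict[str, str]:
    """Split 'k1=v1,k2=v2' into a dict, rejecting pairs without '='."""
    options: Dict[str, str] = {}
    for pair in filter(None, conf.split(",")):
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed TCTI option {pair!r}")
        options[key] = value
    return options


def parse_tcti(spec: Optional[str]) -> Tcti:
    if not spec:                                    # unset or "" -> full defaults
        return Tcti(DEFAULT_TCTI, DEFAULT_CONF.get(DEFAULT_TCTI, ""))
    name, _, conf = spec.partition(":")
    if name == "none":
        if spec != "none":                          # no options, exact text only
            raise ValueError('the "none" TCTI must be given as exactly "none"')
        return Tcti("none", "")
    name = ALIASES.get(name, name) or DEFAULT_TCTI  # empty name -> default TCTI
    if conf == "":                                  # empty config -> its default
        conf = DEFAULT_CONF.get(name, "")
    options: Dict[str, str] = {}
    if name in ("tabrmd", "mssim"):
        options = parse_kv(conf)
    if name == "tabrmd":
        unknown = set(options) - ABRMD_KEYS
        if unknown:
            raise ValueError(f"unsupported abrmd option(s): {sorted(unknown)}")
        bus_type = options.get("bus_type")
        if bus_type is not None and bus_type not in ("session", "system"):
            raise ValueError("bus_type must be 'session' or 'system'")
    return Tcti(name, conf, options)


if __name__ == "__main__":
    for s in ("device:/dev/tpm0", "mssim:host=localhost,port=2321",
              "abrmd:bus_name=com.example.FooBar", ":bus_type=session", "none"):
        print(s, "->", parse_tcti(s))
```

A custom TCTI given as a shared-library path (see Custom TCTIs) passes through untouched: the name is not in the alias or default tables, so the tool would hand it to dlopen(3) as written. The `partition(":")` split also makes plain why `--tcti:bus_type=session` reaches the default TCTI: the name half is empty.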
EXAMPLES
Set the clock
Set the clock using the owner password.

tpm2_setclock -p ownerpw 13673142

Returns
Tools can return any of the following codes:

· 0 - Success.

· 1 - General non-specific error.

· 2 - Options handling error.

· 3 - Authentication error.

· 4 - TCTI related error.

· 5 - Non supported scheme. Applicable to tpm2_testparams.

BUGS
Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

HELP
See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)

tpm2-tools tpm2_setclock(1)