tpm2_setclock(1)            General Commands Manual           tpm2_setclock(1)


NAME

       tpm2_setclock(1) - Sets the time on the TPM.


SYNOPSIS

       tpm2_setclock [OPTIONS] TIME


DESCRIPTION

       tpm2_setclock(1) - Sets the clock on the TPM to a time in the  future.
       The sole argument is the new clock value, a number in milliseconds  as
       the TPM counts it.  The TPM only lets its clock move forward: a  value
       that is not greater than the current clock (as reported by  tpm2_read‐
       clock(1)) is rejected by the TPM.  Setting the clock  requires  owner
       or platform hierarchy authorization, because policies that  reference
       the TPM's time (for example TPM2_PolicyCounterTimer)  are  evaluated
       against it.


OPTIONS

       · -c, --hierarchy=OBJECT:

         The hierarchy to use for authorization,  either  platform  or  owner.
         Defaults to the owner hierarchy if not specified.

       · -p, --auth=AUTH:

         Specifies the authorization value for the hierarchy specified by  op‐
         tion -c.

   References

Context Object Format

       The type of a context object, whether it is a handle or file  name,  is
       determined according to the following logic, in order:

       · If the argument is a file path, then the file is loaded as a restored
         TPM transient object.

       · If the argument is a prefix match on one of:

         · owner: the owner hierarchy

         · platform: the platform hierarchy

         · endorsement: the endorsement hierarchy

         · lockout: the lockout control persistent object

       · If the argument can be parsed as a number, it is treated as a handle,
         e.g.  0x81010013, and used directly.

       For tpm2_setclock only the owner and platform hierarchies are accepted
       by -c.

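       The following is an added illustration, not code from tpm2-tools,  that
       applies the three rules above in order to an OBJECT argument  and  then
       narrows the result to what tpm2_setclock's -c option accepts  (owner  or
       platform).  The function names are this example's own.

```shell
#!/bin/sh
# Added illustration of the "Context Object Format" rules; not tpm2-tools code.
# classify_object ARG prints one of
#   file:<path>          an existing file, loaded as a saved transient object
#   hierarchy:<name>     ARG is a prefix of owner|platform|endorsement|lockout
#   handle:<number>      ARG parses as a decimal or 0x-prefixed hex number
# and returns 1 when none of the rules match.

# True when $1 is a non-empty string made only of the characters in set $2.
only_chars() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | tr -d "$2")" ]
}

classify_object() {
    arg=$1
    [ -n "$arg" ] || return 1
    # Rule 1: a file path wins over everything else.
    if [ -f "$arg" ]; then
        printf 'file:%s\n' "$arg"
        return 0
    fi
    # Rule 2: prefix match against the hierarchy names, in the documented order.
    for name in owner platform endorsement lockout; do
        case "$name" in
            "$arg"*) printf 'hierarchy:%s\n' "$name"; return 0 ;;
        esac
    done
    # Rule 3: a number is used directly as a handle.
    case "$arg" in
        0x*|0X*) only_chars "${arg#0?}" '0-9a-fA-F' && { printf 'handle:%s\n' "$arg"; return 0; } ;;
        *)       only_chars "$arg" '0-9' && { printf 'handle:%s\n' "$arg"; return 0; } ;;
    esac
    printf 'unrecognized object argument: %s\n' "$arg" >&2
    return 1
}

# tpm2_setclock -c only accepts the owner or platform hierarchy; map any
# accepted spelling to its canonical name and reject everything else up front.
setclock_hierarchy() {
    case "$(classify_object "$1" 2>/dev/null)" in
        hierarchy:owner)    printf 'owner\n' ;;
        hierarchy:platform) printf 'platform\n' ;;
        *) printf 'tpm2_setclock needs -c owner or -c platform, got: %s\n' "$1" >&2; return 1 ;;
    esac
}

classify_object o
classify_object 0x81010013
setclock_hierarchy pl
```

       Note that the prefix rule means "o", "own" and "owner" all select  the
       owner hierarchy, while "e" would select endorsement, which  this  tool
       rejects.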

Authorization Formatting

       Authorization for use of an object in TPM 2.0 can come in  3  different
       forms:

       1. Password

       2. HMAC

       3. Sessions

       NOTE: Authorizations default to the EMPTY PASSWORD when not  specified.
       An empty owner (or platform) authorization therefore means  that  any
       local process able to reach the TPM can change its  clock  with  this
       tool.

53
   Passwords
       Passwords are interpreted in the following forms below  using  prefix
       identifiers.

       Note: By default passwords are assumed to be in the  string  form  when
       they do not have a prefix.

   String
       A string password, specified by prefix "str:" or  its  absence  (a  raw
       string without prefix), is not interpreted and is directly used for
       authorization.

   Examples
              foobar
              str:foobar

   Hex-string
       A hex-string password, specified by prefix "hex:", is converted from  a
       hexadecimal form into a byte array, thus allowing passwords  with  non-
       printable and/or terminal-unfriendly characters.

   Example
              hex:0x1122334455667788

   File
       A file based password, specified by prefix "file:", should be the  path
       of a file containing the password to be read by the tool, or a  "-"  to
       use stdin.  Storing passwords in files avoids the leakage that  occurs
       when a password is passed as an option: command-line arguments can  be
       read from the process list by other users and are  recorded  by  shell
       history.  Protect the file with restrictive permissions (e.g.  0600)  so
       that it does not become the new leak.

   Examples
              # to use stdin and be prompted
              file:-

              # to use a file from a path
              file:path/to/password/file

              # to echo a password via stdin:
              echo foobar | tpm2_tool -p file:-

              # to use a bash here-string via stdin:
              tpm2_tool -p file:- <<< foobar

99   Sessions
       When using a policy session to authorize the use of an object,  prefix
       the option argument with the session keyword.  Then indicate a path  to
       a session file that was created with tpm2_startauthsession(1).  Option‐
       ally, if the session requires an auth value to be sent with the session
       handle (e.g. a policy password), then append a + and a string as  de‐
       scribed in the Passwords section.

   Examples
       To use a session context file called session.ctx.

              session:session.ctx

       To use a session context file called session.ctx AND send the authvalue
       mypassword.

              session:session.ctx+mypassword

       To use a session context file called session.ctx AND send the HEX auth‐
       value 0x11223344.

              session:session.ctx+hex:11223344

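       The helpers below are an added example, not part of tpm2-tools,  show‐
       ing how to build the "hex:", "file:" and "session:" forms above so that
       a secret never appears on the command line.  The function names are the
       example's own; the sample values are constructed.

```shell
#!/bin/sh
# Added helpers for building -p/AUTH arguments in the prefix forms described
# in the Passwords and Sessions sections; illustration code, not tpm2-tools.

# hex: form.  Any byte sequence becomes a terminal-safe argument, so passwords
# containing spaces, newlines or non-printable bytes survive the command line.
auth_hex() {
    printf 'hex:%s' "$(printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n')"
}

# file: form.  The secret is written into a fresh private directory with mode
# 0600 (umask applied before the file is created), so it never shows up in
# the process list or shell history.  The caller removes the directory after
# the tool has run.
auth_file() {
    dir=$(mktemp -d) || return 1
    (umask 077 && printf '%s' "$1" > "$dir/auth") || return 1
    printf 'file:%s' "$dir/auth"
}

# session: form, optionally with an auth value appended after '+'.  The auth
# value can itself be any password form, e.g. the output of auth_hex.
auth_session() {
    if [ $# -ge 2 ]; then
        printf 'session:%s+%s' "$1" "$2"
    else
        printf 'session:%s' "$1"
    fi
}

# Demonstration with constructed values.  A real invocation would look like:
#   spec=$(auth_file "$OWNER_PW") && tpm2_setclock -p "$spec" 13673142
auth_hex 'pass word'; echo
auth_session session.ctx "$(auth_hex "$(printf '\021\042\063\104')")"; echo
```

       The hex form is the one to reach for when the auth value  is  binary
       (for example an authvalue generated from /dev/urandom);  the  file  form
       is the one to reach for in scripts and unit files.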
122   PCR Authorizations
       You can satisfy a PCR policy using the "pcr:" prefix and the PCR  mini‐
       language.  The PCR minilanguage is as follows:

              <pcr-spec>=<raw-pcr-file>

       The PCR spec is documented in the section "PCR bank specifiers".

       The raw-pcr-file is optional and is the output of the raw PCR  contents
       as returned by tpm2_pcrread(1).

       PCR bank specifiers (common/pcr.md)

   Examples
       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a  specifi‐
       er of:

              pcr:sha256:0,1,2,3


COMMON OPTIONS

       This collection of options is common to many programs and provides  in‐
       formation that many users may expect.

       · -h, --help=[man|no-man]: Display the tool's manpage.  By default,  it
         attempts to invoke the manpager for the tool; on failure it outputs a
         short tool summary.  The behavior is the same when the  "man"  option
         argument is given, except that with an explicit "man" the tool  also
         passes errors from man through to stderr.  If "no-man" is specified,
         or the manpager fails, the short options are written to stdout.

         To successfully use the manpages feature requires the manpages to  be
         installed or on MANPATH, see man(1) for more details.

       · -v, --version: Display version information for this tool  and  the
         supported TCTIs, then exit.

       · -V, --verbose: Increase the information that the tool prints to  the
         console during its execution.  When using this option  the  file  and
         line number are printed.

       · -Q, --quiet: Silence normal tool output to stdout.

       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to  the  TPM.
         Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is  equiva‐
         lent.


TCTI Configuration

       The TCTI or "Transmission Interface" is  the  communication  mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides  the  environment  vari‐
       able.

       The current known TCTIs are:

       · tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
         abrmd as a tcti name are synonymous.

       · mssim - Typically used for communicating with the TPM software  simu‐
         lator.

       · device - Used when talking directly to a TPM device file.

       · none - Do not initialize a connection with the TPM.  Some tools allow
         for off-TPM options and thus support not using a TCTI.  Tools that do
         not support it will fail when run without a TCTI  connection.   Does
         not support ANY options and MUST BE presented as the  exact  text  of
         "none".

       The arguments to either the command  line  option  or  the  environment
       variable are in the form:

       <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name>  or  <tcti-option-
       config> results in the default being used for that portion  respective‐
       ly.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is  searched  for  using
       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You  can  query
       what TCTI will be chosen as the default by using the -v option to print
       the version information.  The "default-tcti" key-value pair will  indi‐
       cate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup.  Thus, this could be a path to the shared library, or a li‐
       brary name as understood by dlopen(3) semantics.  Because the name goes
       straight to dlopen(3), the -T value and TPM2TOOLS_TCTI must  only  come
       from trusted sources: a path to an attacker-controlled shared object is
       loaded and executed inside the tool's process.


TCTI OPTIONS

       This collection of options is used to configure the various known  TCTI
       modules available:

       · device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified.  The default is /dev/tpm0, which is
         the raw, exclusive-access device; on Linux kernels with the in-kernel
         resource manager, /dev/tpmrm0 allows several clients to share the TPM.

         Example: -T device:/dev/tpm0 or
         export TPM2TOOLS_TCTI="device:/dev/tpm0"

       · mssim: For the mssim TCTI, the domain name or  IP  address  and  port
         number used by the simulator can be specified.   The  defaults  are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or
         export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       · abrmd: For the abrmd TCTI, the configuration string format is a  se‐
         ries of simple key value pairs separated by a  ','  character.   Each
         key and value string are separated by a '=' character.

         · TCTI abrmd supports two keys:

           1. 'bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. 'bus_type' : The type of the dbus instance (a string) limited to
              'session' and 'system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

         --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti, by leaving <tcti-name> empty, and a
         config string of bus_type=session:

         --tcti=:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.

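       The following added example, which is not tpm2-tools code,  mirrors  the
       selection rules above: the -T/--tcti value beats TPM2TOOLS_TCTI, and  an
       empty <tcti-name> or <tcti-option-config> falls back to a  default.   The
       real default TCTI name is found at run time with dlopen(3);  the  "de‐
       vice" default and the function names below are this example's  own  as‐
       sumptions.

```shell
#!/bin/sh
# Added illustration of the TCTI selection rules; not tpm2-tools code.
# The real default name is discovered via dlopen(3) (tabrmd, device, mssim,
# first one found).  "device" is an assumption standing in for whatever
# `tpm2_setclock -v` reports as default-tcti on a given host.
DEFAULT_TCTI_NAME=device

# Per-TCTI default configuration as documented for device and mssim; other
# TCTIs get no default config here.
default_tcti_config() {
    case "$1" in
        device) printf '/dev/tpm0' ;;
        mssim)  printf 'host=127.0.0.1,port=2321' ;;
        *)      : ;;
    esac
}

# resolve_tcti CLI_VALUE ENV_VALUE
# Prints the effective "<name>:<config>" string (or "none").  Returns 2 for a
# "none" spec carrying options, which the tools reject.
resolve_tcti() {
    spec=$1
    [ -n "$spec" ] || spec=$2            # command line overrides environment
    case "$spec" in
        none)   printf 'none\n'; return 0 ;;
        none:*) printf 'the none TCTI takes no options: %s\n' "$spec" >&2; return 2 ;;
    esac
    name=${spec%%:*}
    case "$spec" in
        *:*) config=${spec#*:} ;;
        *)   config='' ;;
    esac
    [ "$name" != abrmd ] || name=tabrmd  # the two names are synonymous
    [ -n "$name" ]   || name=$DEFAULT_TCTI_NAME
    [ -n "$config" ] || config=$(default_tcti_config "$name")
    if [ -n "$config" ]; then
        printf '%s:%s\n' "$name" "$config"
    else
        printf '%s\n' "$name"
    fi
}

# The option wins over the environment, exactly as the tools behave.
resolve_tcti "device:/dev/tpmrm0" "mssim:host=localhost,port=2321"
resolve_tcti "" "${TPM2TOOLS_TCTI:-}"
```

       Checking the resolved value this way before running a tool  is  useful
       in deployment scripts: it makes an accidental fallback to the simulator
       TCTI, or to an unexpected device node, visible in the logs.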

EXAMPLES

   Set the clock
       Set the clock using the owner password.

              tpm2_setclock -p ownerpw 13673142

       The value is in milliseconds and must be greater than the clock  value
       reported by tpm2_readclock(1); the TPM rejects a value that would  move
       the clock backwards.  A literal password as above is  visible  in  the
       process list; prefer the "file:" form described  under  Authorization
       Formatting.

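       The script below is an added example, not part of tpm2-tools: it  reads
       the current clock with tpm2_readclock(1), refuses a value that is  not
       ahead of it, and only then calls tpm2_setclock with the auth value  sup‐
       plied as a "file:" spec.  The tpm2_readclock output used for the  off‐
       line demonstration is a constructed sample, and the  function  names
       and the /run/secrets path are the example's own.

```shell
#!/bin/sh
# Added example, not part of tpm2-tools: advance the TPM clock only when the
# requested value is ahead of what the TPM currently reports.  The TPM rejects
# a new clock value that is not greater than the current one, so checking
# first gives a clear message instead of a TPM error after the fact.

# Extract the clock field (milliseconds) from tpm2_readclock(1) output on stdin.
clock_ms_from_readclock() {
    sed -n 's/^[[:space:]]*clock:[[:space:]]*\([0-9][0-9]*\).*$/\1/p' | sed -n '1p'
}

# clock_advances CURRENT_MS NEW_MS: true only if NEW is an integer strictly
# greater than CURRENT; returns 2 if either argument is not a number.
clock_advances() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    case "$2" in ''|*[!0-9]*) return 2 ;; esac
    [ "$2" -gt "$1" ]
}

# set_clock_forward NEW_MS AUTH_SPEC [HIERARCHY]
# AUTH_SPEC is any form accepted by -p (e.g. file:/run/secrets/owner.auth);
# HIERARCHY defaults to owner, as tpm2_setclock itself does.
set_clock_forward() {
    new=$1; auth=$2; hier=${3:-owner}
    cur=$(tpm2_readclock | clock_ms_from_readclock) || return 1
    if [ -z "$cur" ]; then
        printf 'could not parse clock from tpm2_readclock output\n' >&2
        return 1
    fi
    if ! clock_advances "$cur" "$new"; then
        printf 'refusing: TPM clock is %s ms, requested %s ms is not ahead of it\n' "$cur" "$new" >&2
        return 1
    fi
    tpm2_setclock -c "$hier" -p "$auth" "$new"
}

# Constructed sample of tpm2_readclock output (not captured from a real TPM).
SAMPLE_READCLOCK='time: 2193
clock_info:
  clock: 13673142
  reset_count: 0
  restart_count: 0
  safe: yes'

cur=$(printf '%s\n' "$SAMPLE_READCLOCK" | clock_ms_from_readclock)
if clock_advances "$cur" 13673143; then
    printf 'sample clock %s ms: 13673143 would be accepted\n' "$cur"
fi
if ! clock_advances "$cur" 13673142; then
    printf 'sample clock %s ms: 13673142 would be rejected (not ahead)\n' "$cur"
fi
# Real use (needs a TPM and an auth file, so not run here):
#   set_clock_forward 13673143 file:/run/secrets/owner.auth owner
```

       Because the clock can only ever be advanced, a wrong value  cannot  be
       undone with this tool; treat the pre-check as a guard against  typos  in
       automation, not as a substitute for reviewing the value.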

Returns

       Tools can return any of the following codes:

       · 0 - Success.

       · 1 - General non-specific error.

       · 2 - Options handling error.

       · 3 - Authentication error.

       · 4 - TCTI related error.

       · 5 - Unsupported scheme.  Applicable to tpm2_testparams.


BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)


HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)


tpm2-tools                                                    tpm2_setclock(1)