tpm2_activatecredential(1)

1tpm2_activatecredential(1)  General Commands Manual tpm2_activatecredential(1)
2
3
4

6       tpm2_activatecredential(1) - Enables access to the credential qualifier
7       to recover the credential secret.
8

10       tpm2_activatecredential [OPTIONS]
11

13       tpm2_activatecredential(1) - Enables the association  of  a  credential
14       with an object in a way that ensures that the TPM has validated the pa‐
15       rameters of the credentialed object.  In an attestation scheme  ,  this
16       guarantees  the  registrar  that the attestation key belongs to the TPM
17       with a qualified parent key in the TPM.
18

20       · -c, --credentialedkey-context=OBJECT:
21
22         Object associated with the created certificate by CA.
23
24       · -C, --credentialkey-context=OBJECT:
25
26         The loaded object used to decrypt the random seed.
27
28       · -p, --credentialedkey-auth=AUTH:
29
30         The auth value of the credentialed object specified with -c.
31
32       · -P, --credentialkey-auth=AUTH:
33
34         The auth value of the credential object specified with -C.
35
36       · -i, --credential-blob=FILE:
37
38         The input file path containing the credential blob and secret created
39         with the tpm2_makecredential(1) tool.
40
41       · -o, --certinfo-data=FILE:
42
43         The output file path to save the decrypted credential secret informa‐
44         tion.
45
46       · --cphash=FILE
47
48         File path to record the hash of the command parameters.  This is com‐
49         monly termed as cpHash.  NOTE: When this option is selected, The tool
50         will not actually execute the command, it simply returns a cpHash.
51
52   References

54       The type of a context object, whether it is a handle or file  name,  is
55       determined according to the following logic in-order:
56
57       · If the argument is a file path, then the file is loaded as a restored
58         TPM transient object.
59
60       · If the argument is a prefix match on one of:
61
62         · owner: the owner hierarchy
63
64         · platform: the platform hierarchy
65
66         · endorsement: the endorsement hierarchy
67
68         · lockout: the lockout control persistent object
69
70       · If the argument argument can be loaded as a number it will  be  treat
71         as a handle, e.g.  0x81010013 and used directly.OBJECT.
72

74       Authorization  for  use  of an object in TPM2.0 can come in 3 different
75       forms: 1.  Password 2.  HMAC 3.  Sessions
76
77       NOTE: "Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
78       fied".
79
80   Passwords
81       Passwords  are  interpreted  in  the following forms below using prefix
82       identifiers.
83
84       Note: By default passwords are assumed to be in the  string  form  when
85       they do not have a prefix.
86
87   String
88       A  string  password,  specified  by  prefix "str:" or it's absence (raw
89       string without prefix) is not interpreted, and is directly used for au‐
90       thorization.
91
92   Examples
93              foobar
94              str:foobar
95
96   Hex-string
97       A  hex-string  password, specified by prefix "hex:" is converted from a
98       hexidecimal form into a byte array form, thus allowing  passwords  with
99       non-printable and/or terminal un-friendly characters.
100
101   Example
102              hex:0x1122334455667788
103
104   File
105       A  file  based password, specified be prefix "file:" should be the path
106       of a file containing the password to be read by the tool or  a  "-"  to
107       use  stdin.   Storing  passwords in files prevents information leakage,
108       passwords passed as options can be read from the process list or common
109       shell history features.
110
111   Examples
112              # to use stdin and be prompted
113              file:-
114
115              # to use a file from a path
116              file:path/to/password/file
117
118              # to echo a password via stdin:
119              echo foobar | tpm2_tool -p file:-
120
121              # to use a bash here-string via stdin:
122
123              tpm2_tool -p file:- <<< foobar
124
125   Sessions
126       When  using  a policy session to authorize the use of an object, prefix
127       the option argument with the session keyword.  Then indicate a path  to
128       a session file that was created with tpm2_startauthsession(1).  Option‐
129       ally, if the session requires an auth value to be sent with the session
130       handle  (eg policy password), then append a + and a string as described
131       in the Passwords section.
132
133   Examples
134       To use a session context file called session.ctx.
135
136              session:session.ctx
137
138       To use a session context file called session.ctx AND send the authvalue
139       mypassword.
140
141              session:session.ctx+mypassword
142
143       To use a session context file called session.ctx AND send the HEX auth‐
144       value 0x11223344.
145
146              session:session.ctx+hex:11223344
147
148   PCR Authorizations
149       You can satisfy a PCR policy using the "pcr:" prefix and the PCR  mini‐
150       language.       The     PCR     minilanguage     is     as     follows:
151       <pcr-spec>=<raw-pcr-file>
152
153       The PCR spec is documented in in the section "PCR bank specifiers".
154
155       The raw-pcr-file is an optional the output of the raw PCR  contents  as
156       returned by tpm2_pcrread(1).
157
158       PCR bank specifiers (common/pcr.md)
159
160   Examples
161       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
162       er of:
163
164              pcr:sha256:0,1,2,3
165
166       specifying AUTH.
167

169       This collection of options are common to many programs and provide  in‐
170       formation that many users may expect.
171
172       · -h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
173         attempts to invoke the manpager for the  tool,  however,  on  failure
174         will  output  a short tool summary.  This is the same behavior if the
175         "man" option argument is specified, however if explicit "man" is  re‐
176         quested,  the  tool  will  provide errors from man on stderr.  If the
177         "no-man" option if specified, or the manpager fails,  the  short  op‐
178         tions will be output to stdout.
179
180         To  successfully use the manpages feature requires the manpages to be
181         installed or on MANPATH, See man(1) for more details.
182
183       · -v, --version: Display version information for this  tool,  supported
184         tctis and exit.
185
186       · -V,  --verbose:  Increase the information that the tool prints to the
187         console during its execution.  When using this option  the  file  and
188         line number are printed.
189
190       · -Q, --quiet: Silence normal tool output to stdout.
191
192       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
193         if an errata fixup needs to be applied to commands sent to  the  TPM.
194         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
195         formation many users may expect.
196

198       The TCTI or "Transmission Interface"  is  the  communication  mechanism
199       with  the TPM.  TCTIs can be changed for communication with TPMs across
200       different mediums.
201
202       To control the TCTI, the tools respect:
203
204       1. The command line option -T or --tcti
205
206       2. The environment variable: TPM2TOOLS_TCTI.
207
208       Note: The command line option always overrides  the  environment  vari‐
209       able.
210
211       The current known TCTIs are:
212
213       · tabrmd      -     The     resource     manager,     called     tabrmd
214         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
215         abrmd as a tcti name are synonymous.
216
217       · mssim  - Typically used for communicating to the TPM software simula‐
218         tor.
219
220       · device - Used when talking directly to a TPM device file.
221
222       · none - Do not initalize a connection with the TPM.  Some tools  allow
223         for off-tpm options and thus support not using a TCTI.  Tools that do
224         not support it will error when attempted to be used  without  a  TCTI
225         connection.   Does  not  support ANY options and MUST BE presented as
226         the exact text of "none".
227
228       The arguments to either the command  line  option  or  the  environment
229       variable are in the form:
230
231       <tcti-name>:<tcti-option-config>
232
233       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
234       tion-config> results in the default being used for that portion respec‐
235       tively.
236
237   TCTI Defaults
238       When  a  TCTI  is not specified, the default TCTI is searched for using
239       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
240       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
241       what TCTI will be chosen as the default by using the -v option to print
242       the  version information.  The "default-tcti" key-value pair will indi‐
243       cate which of the aforementioned TCTIs is the default.
244
245   Custom TCTIs
246       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
247       tools internally use dlopen(3), and the raw tcti-name value is used for
248       the lookup.  Thus, this could be a path to the shared library, or a li‐
249       brary name as understood by dlopen(3) semantics.
250

252       This collection of options are used to configure the various known TCTI
253       modules available:
254
255       · device: For the device TCTI, the TPM character device file for use by
256         the device TCTI can be specified.  The default is /dev/tpm0.
257
258         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI="de‐
259         vice:/dev/tpm0"
260
261       · mssim: For the mssim TCTI, the domain name or  IP  address  and  port
262         number  used  by  the  simulator  can  be specified.  The default are
263         127.0.0.1 and 2321.
264
265         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
266         TI="mssim:host=localhost,port=2321"
267
268       · abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
269         ries of simple key value pairs separated by a  ','  character.   Each
270         key and value string are separated by a '=' character.
271
272         · TCTI abrmd supports two keys:
273
274           1. 'bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
275              string).
276
277           2. 'bus_type' : The type of the dbus instance (a string) limited to
278              'session' and 'system'.
279
280         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
281         ample.FooBar:
282
283         \--tcti=tabrmd:bus_name=com.example.FooBar
284
285         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
286         sion:
287
288         \--tcti:bus_type=session
289
290         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
291         ules.
292

294              echo "12345678" > secret.data
295
296              tpm2_createek -Q -c 0x81010001 -G rsa -u ek.pub
297
298              tpm2_createak -C 0x81010001 -c ak.ctx -G rsa -g sha256 -s rsassa -u ak.pub \
299              -n ak.name -p akpass> ak.out
300
301              file_size=`stat --printf="%s" ak.name`
302              loaded_key_name=`cat ak.name | xxd -p -c $file_size`
303
304              tpm2_makecredential -Q -e ek.pub  -s secret.data -n $loaded_key_name \
305              -o mkcred.out
306
307              tpm2_startauthsession --policy-session -S session.ctx
308
309              TPM2_RH_ENDORSEMENT=0x4000000B
310              tpm2_policysecret -S session.ctx -c $TPM2_RH_ENDORSEMENT
311
312              tpm2_activatecredential -Q -c ak.ctx -C 0x81010001 -i mkcred.out \
313              -o actcred.out -p akpass -P"session:session.ctx"
314
315              tpm2_flushcontext session.ctx
316

318       Tools can return any of the following codes:
319
320       · 0 - Success.
321
322       · 1 - General non-specific error.
323
324       · 2 - Options handling error.
325
326       · 3 - Authentication error.
327
328       · 4 - TCTI related error.
329
330       · 5 - Non supported scheme.  Applicable to tpm2_testparams.
331

333       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
334

336       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
337
338
339
340tpm2-tools                                          tpm2_activatecredential(1)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Context Object Format

Authorization Formatting

COMMON OPTIONS

TCTI Configuration

TCTI OPTIONS

EXAMPLES

Returns

BUGS

HELP