1tpm2_changeeps(1) General Commands Manual tpm2_changeeps(1)
2
3
4
6 tpm2_changeeps(1) - Replaces the active endorsement primary seed with a
7 new one generated off the TPM2 RNG.
8
10 tpm2_changeeps [OPTIONS]
11
13 tpm2_changeeps(1) - Replaces the active endorsement primary seed with a
14 new one generated off the TPM2 RNG. The Transient and Persistent ob‐
15 jects under the endorsement hierarchy are lost. This command requires
16 platform auth.
17
19 · -p, --auth specifies the AUTH for the platform. hierarchy.
20
21 References
23 Authorization for use of an object in TPM2.0 can come in 3 different
24 forms: 1. Password 2. HMAC 3. Sessions
25
26 NOTE: "Authorizations default to the EMPTY PASSWORD when not speci‐
27 fied".
28
29 Passwords
30 Passwords are interpreted in the following forms below using prefix
31 identifiers.
32
33 Note: By default passwords are assumed to be in the string form when
34 they do not have a prefix.
35
36 String
37 A string password, specified by prefix "str:" or it's absence (raw
38 string without prefix) is not interpreted, and is directly used for au‐
39 thorization.
40
41 Examples
42 foobar
43 str:foobar
44
45 Hex-string
46 A hex-string password, specified by prefix "hex:" is converted from a
47 hexidecimal form into a byte array form, thus allowing passwords with
48 non-printable and/or terminal un-friendly characters.
49
50 Example
51 hex:0x1122334455667788
52
53 File
54 A file based password, specified be prefix "file:" should be the path
55 of a file containing the password to be read by the tool or a "-" to
56 use stdin. Storing passwords in files prevents information leakage,
57 passwords passed as options can be read from the process list or common
58 shell history features.
59
60 Examples
61 # to use stdin and be prompted
62 file:-
63
64 # to use a file from a path
65 file:path/to/password/file
66
67 # to echo a password via stdin:
68 echo foobar | tpm2_tool -p file:-
69
70 # to use a bash here-string via stdin:
71
72 tpm2_tool -p file:- <<< foobar
73
74 Sessions
75 When using a policy session to authorize the use of an object, prefix
76 the option argument with the session keyword. Then indicate a path to
77 a session file that was created with tpm2_startauthsession(1). Option‐
78 ally, if the session requires an auth value to be sent with the session
79 handle (eg policy password), then append a + and a string as described
80 in the Passwords section.
81
82 Examples
83 To use a session context file called session.ctx.
84
85 session:session.ctx
86
87 To use a session context file called session.ctx AND send the authvalue
88 mypassword.
89
90 session:session.ctx+mypassword
91
92 To use a session context file called session.ctx AND send the HEX auth‐
93 value 0x11223344.
94
95 session:session.ctx+hex:11223344
96
97 PCR Authorizations
98 You can satisfy a PCR policy using the "pcr:" prefix and the PCR mini‐
99 language. The PCR minilanguage is as follows:
100 <pcr-spec>=<raw-pcr-file>
101
102 The PCR spec is documented in in the section "PCR bank specifiers".
103
104 The raw-pcr-file is an optional the output of the raw PCR contents as
105 returned by tpm2_pcrread(1).
106
107 PCR bank specifiers (common/pcr.md)
108
109 Examples
110 To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
111 er of:
112
113 pcr:sha256:0,1,2,3
114
115 specifying AUTH.
116
118 The TCTI or "Transmission Interface" is the communication mechanism
119 with the TPM. TCTIs can be changed for communication with TPMs across
120 different mediums.
121
122 To control the TCTI, the tools respect:
123
124 1. The command line option -T or --tcti
125
126 2. The environment variable: TPM2TOOLS_TCTI.
127
128 Note: The command line option always overrides the environment vari‐
129 able.
130
131 The current known TCTIs are:
132
133 · tabrmd - The resource manager, called tabrmd
134 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
135 abrmd as a tcti name are synonymous.
136
137 · mssim - Typically used for communicating to the TPM software simula‐
138 tor.
139
140 · device - Used when talking directly to a TPM device file.
141
142 · none - Do not initalize a connection with the TPM. Some tools allow
143 for off-tpm options and thus support not using a TCTI. Tools that do
144 not support it will error when attempted to be used without a TCTI
145 connection. Does not support ANY options and MUST BE presented as
146 the exact text of "none".
147
148 The arguments to either the command line option or the environment
149 variable are in the form:
150
151 <tcti-name>:<tcti-option-config>
152
153 Specifying an empty string for either the <tcti-name> or <tcti-op‐
154 tion-config> results in the default being used for that portion respec‐
155 tively.
156
157 TCTI Defaults
158 When a TCTI is not specified, the default TCTI is searched for using
159 dlopen(3) semantics. The tools will search for tabrmd, device and
160 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
161 what TCTI will be chosen as the default by using the -v option to print
162 the version information. The "default-tcti" key-value pair will indi‐
163 cate which of the aforementioned TCTIs is the default.
164
165 Custom TCTIs
166 Any TCTI that implements the dynamic TCTI interface can be loaded. The
167 tools internally use dlopen(3), and the raw tcti-name value is used for
168 the lookup. Thus, this could be a path to the shared library, or a li‐
169 brary name as understood by dlopen(3) semantics.
170
172 This collection of options are used to configure the various known TCTI
173 modules available:
174
175 · device: For the device TCTI, the TPM character device file for use by
176 the device TCTI can be specified. The default is /dev/tpm0.
177
178 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="de‐
179 vice:/dev/tpm0"
180
181 · mssim: For the mssim TCTI, the domain name or IP address and port
182 number used by the simulator can be specified. The default are
183 127.0.0.1 and 2321.
184
185 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
186 TI="mssim:host=localhost,port=2321"
187
188 · abrmd: For the abrmd TCTI, the configuration string format is a se‐
189 ries of simple key value pairs separated by a ',' character. Each
190 key and value string are separated by a '=' character.
191
192 · TCTI abrmd supports two keys:
193
194 1. 'bus_name' : The name of the tabrmd service on the bus (a
195 string).
196
197 2. 'bus_type' : The type of the dbus instance (a string) limited to
198 'session' and 'system'.
199
200 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
201 ample.FooBar:
202
203 \--tcti=tabrmd:bus_name=com.example.FooBar
204
205 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
206 sion:
207
208 \--tcti:bus_type=session
209
210 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
211 ules.
212
214 Change the endorsement primary seed where the platform auth is NULL.
215 tpm2_changeeps
216
218 Tools can return any of the following codes:
219
220 · 0 - Success.
221
222 · 1 - General non-specific error.
223
224 · 2 - Options handling error.
225
226 · 3 - Authentication error.
227
228 · 4 - TCTI related error.
229
230 · 5 - Non supported scheme. Applicable to tpm2_testparams.
231
233 It expects a session to be already established via tpm2_startauthses‐
234 sion(1) and requires one of the following:
235
236 · direct device access
237
238 · extended session support with tpm2-abrmd.
239
240 Without it, most resource managers will not save session state between
241 command invocations.
242
244 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
245
247 See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
248
249
250
251tpm2-tools tpm2_changeeps(1)