tpm2_changeeps(1)           General Commands Manual          tpm2_changeeps(1)


NAME

       tpm2_changeeps(1) - Replaces the active endorsement primary seed with a
       new one generated off the TPM2 RNG.


SYNOPSIS

       tpm2_changeeps [OPTIONS]


DESCRIPTION

       tpm2_changeeps(1) - Replaces the active endorsement primary seed with a
       new one generated off the TPM2 RNG.  The Transient and Persistent
       objects under the endorsement hierarchy are lost.  This command
       requires platform auth.


OPTIONS

       · -p, --auth specifies the AUTH for the platform hierarchy.

   References

Authorization Formatting

       Authorization for use of an object in TPM2.0 can come in 3 different
       forms:

       1. Password

       2. HMAC

       3. Sessions

       NOTE: "Authorizations default to the EMPTY PASSWORD when not
       specified".

   Passwords
       Passwords are interpreted in the following forms using prefix
       identifiers.

       Note: By default passwords are assumed to be in the string form when
       they do not have a prefix.

   String
       A string password, specified by prefix "str:" or its absence (a raw
       string without prefix), is not interpreted and is used directly for
       authorization.

   Examples
              foobar
              str:foobar

   Hex-string
       A hex-string password, specified by prefix "hex:", is converted from a
       hexadecimal form into a byte array, thus allowing passwords with
       non-printable and/or terminal-unfriendly characters.

   Example
              hex:0x1122334455667788

   File
       A file based password, specified by prefix "file:", should be the path
       of a file containing the password to be read by the tool, or a "-" to
       use stdin.  Storing passwords in files prevents information leakage:
       passwords passed as options can be read from the process list or
       recovered from common shell history features.

   Examples
              # to use stdin and be prompted
              file:-

              # to use a file from a path
              file:path/to/password/file

              # to echo a password via stdin:
              echo foobar | tpm2_tool -p file:-

              # to use a bash here-string via stdin:
              tpm2_tool -p file:- <<< foobar

   Sessions
       When using a policy session to authorize the use of an object, prefix
       the option argument with the session keyword.  Then indicate a path to
       a session file that was created with tpm2_startauthsession(1).
       Optionally, if the session requires an auth value to be sent with the
       session handle (e.g. policy password), then append a + and a string as
       described in the Passwords section.

   Examples
       To use a session context file called session.ctx.

              session:session.ctx

       To use a session context file called session.ctx AND send the authvalue
       mypassword.

              session:session.ctx+mypassword

       To use a session context file called session.ctx AND send the HEX
       authvalue 0x11223344.

              session:session.ctx+hex:11223344

   PCR Authorizations
       You can satisfy a PCR policy using the "pcr:" prefix and the PCR
       minilanguage.  The PCR minilanguage is as follows:

              <pcr-spec>=<raw-pcr-file>

       The PCR spec is documented in the section "PCR bank specifiers".

       The raw-pcr-file is optional; it is the output of the raw PCR contents
       as returned by tpm2_pcrread(1).

       PCR bank specifiers (common/pcr.md)

   Examples
       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a
       specifier of:

              pcr:sha256:0,1,2,3

       specifying AUTH.

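       The following resolver is added here as an illustration and is not
       tpm2-tools code: it applies the prefix rules above (bare string, str:,
       hex:, file:, session:...+auth, pcr:<spec>=<file>) to an option value
       and yields the auth bytes that would be sent.  Tolerating a "0x"
       prefix after "hex:" and using file contents verbatim are assumptions
       of this example.

```python
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed for this page, not tpm2-tools code: resolves an auth option
# value into the bytes that would be sent to the TPM, following the prefix
# rules documented above.  Assumptions are marked inline.

@dataclass
class Auth:
    value: bytes                    # password / HMAC auth value to send
    session: Optional[str] = None   # tpm2_startauthsession(1) context path
    pcr_spec: Optional[str] = None  # e.g. "sha256:0,1,2,3"
    pcr_file: Optional[str] = None  # optional raw tpm2_pcrread(1) output

def parse_password(spec: str, stdin=None) -> bytes:
    """Password forms: str:, hex:, file: (path or '-' for stdin), or bare."""
    if spec.startswith("str:"):
        return spec[4:].encode()
    if spec.startswith("hex:"):
        hexstr = spec[4:]
        if hexstr[:2].lower() == "0x":  # assumption: tolerate a 0x prefix
            hexstr = hexstr[2:]
        return bytes.fromhex(hexstr)    # rejects odd length / non-hex input
    if spec.startswith("file:"):
        # Reading from a file or stdin keeps the secret out of the process
        # list and shell history, which is why the page recommends this form.
        path = spec[5:]
        if path == "-":
            return (stdin or sys.stdin.buffer).read()
        with open(path, "rb") as fh:
            return fh.read()  # assumption: contents used verbatim, so an
                              # `echo` would include its trailing newline
    return spec.encode()      # no prefix: the string is used as typed

def parse_auth(spec: str, stdin=None) -> Auth:
    """Full auth value: a password form, session[+password], or a pcr spec."""
    if spec.startswith("session:"):
        path, plus, extra = spec[8:].partition("+")
        value = parse_password(extra, stdin) if plus else b""
        return Auth(value=value, session=path)
    if spec.startswith("pcr:"):
        pcr_spec, eq, raw = spec[4:].partition("=")
        return Auth(value=b"", pcr_spec=pcr_spec, pcr_file=raw if eq else None)
    return Auth(value=parse_password(spec, stdin))
```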

TCTI Configuration

       The TCTI or "Transmission Interface" is the communication mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       · tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd and
         abrmd as a tcti name are synonymous.

       · mssim - Typically used for communicating to the TPM software
         simulator.

       · device - Used when talking directly to a TPM device file.

       · none - Do not initialize a connection with the TPM.  Some tools allow
         for off-tpm options and thus support not using a TCTI.  Tools that do
         not support it will error when attempted to be used without a TCTI
         connection.  Does not support ANY options and MUST BE presented as
         the exact text of "none".

       The arguments to either the command line option or the environment
       variable are in the form:

              <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or the
       <tcti-option-config> results in the default being used for that
       portion respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics.  The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
       what TCTI will be chosen as the default by using the -v option to print
       the version information.  The "default-tcti" key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup.  Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.


TCTI OPTIONS

       This collection of options is used to configure the various known TCTI
       modules available:

       · device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified.  The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or
         export TPM2TOOLS_TCTI="device:/dev/tpm0"

       · mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified.  The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or
         export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       · abrmd: For the abrmd TCTI, the configuration string format is a
         series of simple key value pairs separated by a ',' character.  Each
         key and value string are separated by a '=' character.

         · TCTI abrmd supports two keys:

           1. 'bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. 'bus_type' : The type of the dbus instance (a string) limited to
              'session' and 'system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

         --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti, via an empty <tcti-name>, and a
         config string of bus_type=session:

         --tcti=:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.

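       The following selection logic is added here as an illustration and is
       not tpm2-tools code: it applies the rules above (the command line
       option wins over TPM2TOOLS_TCTI, an empty portion means the default,
       abrmd and tabrmd are synonyms, "none" takes no options) to a
       configuration string.  The per-TCTI defaults are the ones listed under
       TCTI OPTIONS; passing an unknown name through as a dlopen(3) library
       name is an assumption of this example.

```python
from typing import Dict, Optional, Tuple

# Constructed for this page, not tpm2-tools code: chooses the TCTI and
# parses its option string by the rules in TCTI Configuration / TCTI OPTIONS.
KNOWN = {"tabrmd", "mssim", "device", "none"}
DEFAULTS: Dict[str, Dict[str, str]] = {
    "device": {"path": "/dev/tpm0"},
    "mssim": {"host": "127.0.0.1", "port": "2321"},
    "tabrmd": {},
}

def select_tcti(cli_opt: Optional[str], env: Dict[str, str],
                default_tcti: str = "tabrmd") -> Tuple[str, Dict[str, str]]:
    """Return (tcti_name, options); raise ValueError on a malformed spec."""
    # -T/--tcti always wins over TPM2TOOLS_TCTI; nothing at all means default
    spec = cli_opt if cli_opt is not None else env.get("TPM2TOOLS_TCTI", "")
    name, colon, conf = spec.partition(":")
    if name == "none":
        if colon:  # "none" MUST be the exact text and takes no options
            raise ValueError("tcti 'none' does not accept options")
        return "none", {}
    if name == "":
        name = default_tcti            # empty <tcti-name> -> default TCTI
    if name == "abrmd":
        name = "tabrmd"                # the two names are synonymous
    if name not in KNOWN:
        # assumption: treated as a custom TCTI looked up via dlopen(3);
        # its option string is passed through untouched
        return name, {"raw": conf}
    opts = dict(DEFAULTS[name])
    if conf == "":
        return name, opts              # empty <tcti-option-config> -> defaults
    if name == "device":
        opts["path"] = conf            # device takes a bare path, not key=value
        return name, opts
    for pair in conf.split(","):       # mssim/tabrmd: key=value,key=value
        key, eq, val = pair.partition("=")
        if not eq:
            raise ValueError(f"malformed key=value pair: {pair!r}")
        if name == "tabrmd" and key not in ("bus_name", "bus_type"):
            raise ValueError(f"abrmd does not support key {key!r}")
        if key == "bus_type" and val not in ("session", "system"):
            raise ValueError("bus_type must be 'session' or 'system'")
        opts[key] = val
    return name, opts
```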

EXAMPLES

   Change the endorsement primary seed where the platform auth is NULL.
              tpm2_changeeps


Returns

       Tools can return any of the following codes:

       · 0 - Success.

       · 1 - General non-specific error.

       · 2 - Options handling error.

       · 3 - Authentication error.

       · 4 - TCTI related error.

       · 5 - Non supported scheme.  Applicable to tpm2_testparams.


Limitations

       It expects a session to be already established via
       tpm2_startauthsession(1) and requires one of the following:

       · direct device access

       · extended session support with tpm2-abrmd.

       Without it, most resource managers will not save session state between
       command invocations.


BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)


HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)



tpm2-tools                                                   tpm2_changeeps(1)