1tpm2_policyauthorize(1)     General Commands Manual    tpm2_policyauthorize(1)
2
3
4

NAME

6       tpm2_policyauthorize(1) - Allows for mutable policies by tethering to a
7       signing authority.
8

SYNOPSIS

10       tpm2_policyauthorize [OPTIONS]
11

DESCRIPTION

13       tpm2_policyauthorize(1) - This command allows for policies to change by
14       associating  the  policy to a signing authority and allowing the policy
15       contents to change.
16
17       1. If the input session is a trial session this tool generates a policy
18          digest  that  associates  a signing authority's public key name with
19          the policy being authorized.
20
21       2. If the input session is real policy session  tpm2_policyauthorize(1)
22          looks  for a verification ticket from the TPM to attest that the TPM
23          has verified the signature on the policy digest  before  authorizing
24          the policy in the policy digest.
25

OPTIONS

27       · -L, --policy=FILE:
28
29         File to save the policy digest.
30
31       · -S, --session=FILE:
32
33         The  policy  session  file  generated via the -S option to tpm2_star‐
34         tauthsession(1).
35
36       · -i, --input=FILE:
37
38         The policy digest that has to be authorized.
39
40       · -q, --qualification=FILE_OR_HEX:
41
42         The policy qualifier data signed in conjunction with the input policy
43         digest.  This is unique data that the signer can choose to include in
44         the signature and can either be a path or hex string.
45
46       · -n, --name=FILE:
47
48         File containing the name of the verifying public key.  This ties  the
49         final  policy  digest  with  a  signer.   This  can be retrieved with
50         tpm2_readpublic(1)
51
52       · -t, --ticket=FILE:
53
54         The ticket file to record the validation structure.  This is generat‐
55         ed with tpm2_verifysignature(1).
56
57   References

COMMON OPTIONS

59       This  collection of options are common to many programs and provide in‐
60       formation that many users may expect.
61
62       · -h, --help=[man|no-man]: Display the tools manpage.  By  default,  it
63         attempts  to  invoke  the  manpager for the tool, however, on failure
64         will output a short tool summary.  This is the same behavior  if  the
65         "man"  option argument is specified, however if explicit "man" is re‐
66         quested, the tool will provide errors from man  on  stderr.   If  the
67         "no-man"  option  if  specified, or the manpager fails, the short op‐
68         tions will be output to stdout.
69
70         To successfully use the manpages feature requires the manpages to  be
71         installed or on MANPATH, See man(1) for more details.
72
73       · -v,  --version:  Display version information for this tool, supported
74         tctis and exit.
75
76       · -V, --verbose: Increase the information that the tool prints  to  the
77         console  during  its  execution.  When using this option the file and
78         line number are printed.
79
80       · -Q, --quiet: Silence normal tool output to stdout.
81
82       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
83         if  an  errata fixup needs to be applied to commands sent to the TPM.
84         Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.   in‐
85         formation many users may expect.
86

TCTI Configuration

88       The  TCTI  or  "Transmission  Interface" is the communication mechanism
89       with the TPM.  TCTIs can be changed for communication with TPMs  across
90       different mediums.
91
92       To control the TCTI, the tools respect:
93
94       1. The command line option -T or --tcti
95
96       2. The environment variable: TPM2TOOLS_TCTI.
97
98       Note:  The  command  line option always overrides the environment vari‐
99       able.
100
101       The current known TCTIs are:
102
103       · tabrmd     -     The     resource     manager,     called      tabrmd
104         (https://github.com/tpm2-software/tpm2-abrmd).   Note that tabrmd and
105         abrmd as a tcti name are synonymous.
106
107       · mssim - Typically used for communicating to the TPM software  simula‐
108         tor.
109
110       · device - Used when talking directly to a TPM device file.
111
112       · none  - Do not initalize a connection with the TPM.  Some tools allow
113         for off-tpm options and thus support not using a TCTI.  Tools that do
114         not  support  it  will error when attempted to be used without a TCTI
115         connection.  Does not support ANY options and MUST  BE  presented  as
116         the exact text of "none".
117
118       The  arguments  to  either  the  command line option or the environment
119       variable are in the form:
120
121       <tcti-name>:<tcti-option-config>
122
123       Specifying an empty string for  either  the  <tcti-name>  or  <tcti-op‐
124       tion-config> results in the default being used for that portion respec‐
125       tively.
126
127   TCTI Defaults
128       When a TCTI is not specified, the default TCTI is  searched  for  using
129       dlopen(3)  semantics.   The  tools  will  search for tabrmd, device and
130       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You  can  query
131       what TCTI will be chosen as the default by using the -v option to print
132       the version information.  The "default-tcti" key-value pair will  indi‐
133       cate which of the aforementioned TCTIs is the default.
134
135   Custom TCTIs
136       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
137       tools internally use dlopen(3), and the raw tcti-name value is used for
138       the lookup.  Thus, this could be a path to the shared library, or a li‐
139       brary name as understood by dlopen(3) semantics.
140

TCTI OPTIONS

142       This collection of options are used to configure the various known TCTI
143       modules available:
144
145       · device: For the device TCTI, the TPM character device file for use by
146         the device TCTI can be specified.  The default is /dev/tpm0.
147
148         Example:   -T   device:/dev/tpm0   or   export    TPM2TOOLS_TCTI="de‐
149         vice:/dev/tpm0"
150
151       · mssim:  For  the  mssim  TCTI, the domain name or IP address and port
152         number used by the simulator  can  be  specified.   The  default  are
153         127.0.0.1 and 2321.
154
155         Example:  -T  mssim:host=localhost,port=2321  or export TPM2TOOLS_TC‐
156         TI="mssim:host=localhost,port=2321"
157
158       · abrmd: For the abrmd TCTI, the configuration string format is  a  se‐
159         ries  of  simple  key value pairs separated by a ',' character.  Each
160         key and value string are separated by a '=' character.
161
162         · TCTI abrmd supports two keys:
163
164           1. 'bus_name' : The name of  the  tabrmd  service  on  the  bus  (a
165              string).
166
167           2. 'bus_type' : The type of the dbus instance (a string) limited to
168              'session' and 'system'.
169
170         Specify the tabrmd tcti name and a config string of  bus_name=com.ex‐
171         ample.FooBar:
172
173         \--tcti=tabrmd:bus_name=com.example.FooBar
174
175         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
176         sion:
177
178         \--tcti:bus_type=session
179
180         NOTE: abrmd and tabrmd are synonymous.  the various known  TCTI  mod‐
181         ules.
182

EXAMPLES

184       Starts a trial session, builds a PCR policy.  This PCR policy digest is
185       then an input to the tpm2_policyauthorize(1) along with policy qualifi‐
186       er  data and a signer public.  The resultant policy digest is then used
187       in creation of objects.
188
189       Subsequently when the PCR change and so does the PCR policy digest, the
190       actual  policy digest from the tpm2_policyauthorize(1) used in creation
191       of the object will not change.  At runtime the new PCR policy needs  to
192       be satisfied along with verification of the signature on the PCR policy
193       digest using tpm2_policyauthorize(1)
194
195   Create a signing authority
196              openssl genrsa -out signing_key_private.pem 2048
197
198              openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
199
200              tpm2_loadexternal -G rsa -C o -u signing_key_public.pem -c signing_key.ctx -n signing_key.name
201
202   Create a policy to be authorized like a PCR policy
203              tpm2_pcrread -opcr0.sha256 sha256:0
204
205              tpm2_startauthsession -S session.ctx
206
207              tpm2_policypcr -S session.ctx -l sha256:0 -f pcr0.sha256 -L pcr.policy
208
209              tpm2_flushcontext session.ctx
210
211   Sign the policy
212              openssl dgst -sha256 -sign signing_key_private.pem -out pcr.signature pcr.policy
213
214   Authorize the policy in the policy digest
215              tpm2_startauthsession -S session.ctx
216
217              tpm2_policyauthorize -S session.ctx -L authorized.policy -i pcr.policy -n signing_key.name
218
219              tpm2_flushcontext session.ctx
220
221   Create a TPM object like a sealing object with the authorized policy
222       based authentication
223
224              tpm2_createprimary -C o -g sha256 -G rsa -c prim.ctx
225
226              tpm2_create -g sha256 -u sealing_pubkey.pub -r sealing_prikey.pub -i- -C prim.ctx -L authorized.policy <<< "secret to seal"
227
228   Satisfy policy and unseal the secret
229              tpm2_verifysignature -c signing_key.ctx -g sha256 -m pcr.policy -s pcr.signature -t verification.tkt -f rsassa
230
231              tpm2_startauthsession \--policy-session -S session.ctx
232
233              tpm2_policypcr -S session.ctx -l sha256:0 -L pcr.policy
234
235              tpm2_policyauthorize -S session.ctx -L authorized.policy -i pcr.policy -n signing_key.name -t verification.tkt
236
237              tpm2_load -C prim.ctx -u sealing_pubkey.pub -r sealing_prikey.pub -c sealing_key.ctx
238
239              unsealed=$(tpm2_unseal -p"session:session.ctx" -c sealing_key.ctx)
240
241              echo $unsealed
242
243              tpm2_flushcontext session.ctx
244

Returns

246       Tools can return any of the following codes:
247
248       · 0 - Success.
249
250       · 1 - General non-specific error.
251
252       · 2 - Options handling error.
253
254       · 3 - Authentication error.
255
256       · 4 - TCTI related error.
257
258       · 5 - Non supported scheme.  Applicable to tpm2_testparams.
259

Limitations

261       It expects a session to be already established  via  tpm2_startauthses‐
262       sion(1) and requires one of the following:
263
264       · direct device access
265
266       · extended session support with tpm2-abrmd.
267
268       Without  it, most resource managers will not save session state between
269       command invocations.
270

BUGS

272       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
273

HELP

275       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
276
277
278
279tpm2-tools                                             tpm2_policyauthorize(1)
Impressum