1tpm2_policycphash(1) General Commands Manual tpm2_policycphash(1)
2
6 tpm2_policycphash(1) - Couples a policy with command parameters of the
7 command.
8
10 tpm2_policycphash [OPTIONS]
11
13 tpm2_policycphash(1) - Couples a policy with command parameters of the
14 command. This is a deferred assertion where the hash of the command
15 parameters in a TPM command is checked against the one specified in the
16 policy.
17
19 · -L, --policy=FILE:
20 File to save the compounded policy digest.
22 · -S, --session=FILE:
24 The policy session file generated via the -S option to tpm2_star‐
26 tauthsession(1).
27 · --cphash=FILE:
29 The file containing the command parameter hash of the command.
31 References
34 This collection of options are common to many programs and provide in‐
35 formation that many users may expect.
36 · -h, --help=[man|no-man]: Display the tools manpage. By default, it
38 attempts to invoke the manpager for the tool, however, on failure
39 will output a short tool summary. This is the same behavior if the
40 "man" option argument is specified, however if explicit "man" is re‐
41 quested, the tool will provide errors from man on stderr. If the
42 "no-man" option if specified, or the manpager fails, the short op‐
43 tions will be output to stdout.
44 To successfully use the manpages feature requires the manpages to be
46 installed or on MANPATH, See man(1) for more details.
47 · -v, --version: Display version information for this tool, supported
49 tctis and exit.
50 · -V, --verbose: Increase the information that the tool prints to the
52 console during its execution. When using this option the file and
53 line number are printed.
54 · -Q, --quiet: Silence normal tool output to stdout.
56 · -Z, --enable-errata: Enable the application of errata fixups. Useful
58 if an errata fixup needs to be applied to commands sent to the TPM.
59 Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent. in‐
60 formation many users may expect.
61
63 The TCTI or "Transmission Interface" is the communication mechanism
64 with the TPM. TCTIs can be changed for communication with TPMs across
65 different mediums.
66 To control the TCTI, the tools respect:
68 1. The command line option -T or --tcti
70 2. The environment variable: TPM2TOOLS_TCTI.
72 Note: The command line option always overrides the environment vari‐
74 able.
75 The current known TCTIs are:
77 · tabrmd - The resource manager, called tabrmd
79 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
80 abrmd as a tcti name are synonymous.
81 · mssim - Typically used for communicating to the TPM software simula‐
83 tor.
84 · device - Used when talking directly to a TPM device file.
86 · none - Do not initalize a connection with the TPM. Some tools allow
88 for off-tpm options and thus support not using a TCTI. Tools that do
89 not support it will error when attempted to be used without a TCTI
90 connection. Does not support ANY options and MUST BE presented as
91 the exact text of "none".
92 The arguments to either the command line option or the environment
94 variable are in the form:
95 <tcti-name>:<tcti-option-config>
97 Specifying an empty string for either the <tcti-name> or <tcti-op‐
99 tion-config> results in the default being used for that portion respec‐
100 tively.
101 TCTI Defaults
103 When a TCTI is not specified, the default TCTI is searched for using
104 dlopen(3) semantics. The tools will search for tabrmd, device and
105 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
106 what TCTI will be chosen as the default by using the -v option to print
107 the version information. The "default-tcti" key-value pair will indi‐
108 cate which of the aforementioned TCTIs is the default.
109 Custom TCTIs
111 Any TCTI that implements the dynamic TCTI interface can be loaded. The
112 tools internally use dlopen(3), and the raw tcti-name value is used for
113 the lookup. Thus, this could be a path to the shared library, or a li‐
114 brary name as understood by dlopen(3) semantics.
115
117 This collection of options are used to configure the various known TCTI
118 modules available:
119 · device: For the device TCTI, the TPM character device file for use by
121 the device TCTI can be specified. The default is /dev/tpm0.
122 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="de‐
124 vice:/dev/tpm0"
125 · mssim: For the mssim TCTI, the domain name or IP address and port
127 number used by the simulator can be specified. The default are
128 127.0.0.1 and 2321.
129 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
131 TI="mssim:host=localhost,port=2321"
132 · abrmd: For the abrmd TCTI, the configuration string format is a se‐
134 ries of simple key value pairs separated by a ',' character. Each
135 key and value string are separated by a '=' character.
136 · TCTI abrmd supports two keys:
138 1. 'bus_name' : The name of the tabrmd service on the bus (a
140 string).
141 2. 'bus_type' : The type of the dbus instance (a string) limited to
143 'session' and 'system'.
144 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
146 ample.FooBar:
147 \--tcti=tabrmd:bus_name=com.example.FooBar
149 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
151 sion:
152 \--tcti:bus_type=session
154 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
156 ules.
157
159 Restrict the value that can be set through tpm2_nvsetbits.
160 Define NV index object with authorized policy
162 openssl genrsa -out signing_key_private.pem 2048
163 openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
164 tpm2_loadexternal -G rsa -C o -u signing_key_public.pem -c signing_key.ctx \
165 -n signing_key.name
166 tpm2_startauthsession -S session.ctx -g sha256
167 tpm2_policyauthorize -S session.ctx -L authorized.policy -n signing_key.name
168 tpm2_flushcontext session.ctx
169 tpm2_nvdefine 1 -a "policywrite|authwrite|ownerread|nt=bits" -L authorized.policy
170 Create policycphash
172 tpm2_nvsetbits 1 -i 1 --cphash cp.hash
173 tpm2_startauthsession -S session.ctx -g sha256
174 tpm2_policycphash -S session.ctx -L policy.cphash --cphash cp.hash
175 tpm2_flushcontext session.ctx
176 Sign and verify policycphash
178 openssl dgst -sha256 -sign signing_key_private.pem \
179 -out policycphash.signature policy.cphash
180 tpm2_verifysignature -c signing_key.ctx -g sha256 -m policy.cphash \
181 -s policycphash.signature -t verification.tkt -f rsassa
182 Satisfy policycphash and execute nvsetbits
184 tpm2_startauthsession -S session.ctx --policy-session -g sha256
185 tpm2_policycphash -S session.ctx --cphash cp.hash
186 tpm2_policyauthorize -S session.ctx -i policy.cphash -n signing_key.name \
187 -t verification.tkt
188 tpm2_nvsetbits 1 -i 1 -P "session:session.ctx"
189 tpm2_flushcontext session.ctx
190
192 Tools can return any of the following codes:
193 · 0 - Success.
195 · 1 - General non-specific error.
197 · 2 - Options handling error.
199 · 3 - Authentication error.
201 · 4 - TCTI related error.
203 · 5 - Non supported scheme. Applicable to tpm2_testparams.
205
207 It expects a session to be already established via tpm2_startauthses‐
208 sion(1) and requires one of the following:
209 · direct device access
211 · extended session support with tpm2-abrmd.
213 Without it, most resource managers will not save session state between
215 command invocations.
216
218 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
219
221 See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
222tpm2-tools tpm2_policycphash(1)