tpm2_gettime(1)

1tpm2_gettime(1)             General Commands Manual            tpm2_gettime(1)
2
3
4

6       tpm2_gettime(1)  -  Get  the  current  time and clock from the TPM in a
7       signed form.
8

10       tpm2_gettime [OPTIONS] [ARGUMENT]
11

13       tpm2_gettime(1) - Provides a signed copy of the current time and  clock
14       from  the  TPM.  It returns both a signature, and the data in the stan‐
15       dard TPM attestation form, a TPMS_ATTEST structure.
16
17       It outputs to stdout, in YAML format, the TPMS_TIME_INFO structure from
18       the  TPM.   The  structure contains the current setting of Time, Clock,
19       resetCount, and restartCount.  The structure is output as YAML  defined
20       as:
21
22              time: 13673142     # 64 bit value of time since last _TPM_Init or TPM2_Startup
23                                 # in ms.
24              clock_info:
25                clock: 13673142  # 64 bit value of time TPM has been powered on in ms.
26                reset_count: 0   # 32 bit value of the number of TPM Resets since the last
27                                 # TPM2_Clear.
28                restart_count: 0 # 32 bit value of the number of times that TPM2_Shutdown or
29                                 # _TPM_Hash_Start have occurred since the last TPM Reset or
30                                 # TPM2_Clear.
31                safe: yes        # boolean yes|no value that no value of Clock greater than
32                                 # the current value of Clock has been previously reported by
33                                 # the TPM.
34

36       • -c, --key-context=OBJECT:
37
38         Context  object  pointing  to the the key used for signing.  Either a
39         file or a handle number.  See section "Context Object Format".
40
41       • -p, --authAUTH:
42
43         Optional authorization value to use the key specified by -c.   Autho‐
44         rization  values  should  follow  the "authorization formatting stan‐
45         dards", see section "Authorization Formatting".
46
47       • -P, --endorse-authAUTH:
48
49         Optional authorization value for the endorsement  hierarchy.   Autho‐
50         rization  values  should  follow  the "authorization formatting stan‐
51         dards", see section "Authorization Formatting".
52
53       • -g, --hash-algorithm=ALGORITHM:
54
55         The hash algorithm used to digest  the  message.   Algorithms  should
56         follow  the  "formatting  standards",  see  section "Algorithm Speci‐
57         fiers".  Also, see section "Supported Hash Algorithms" for a list  of
58         supported hash algorithms.
59
60       • -s, --scheme=ALGORITHM:
61
62         The  signing  scheme  used  to  sign the message.  Optional.  Signing
63         schemes should follow the "formatting standards", see section  "Algo‐
64         rithm Specifiers".  Also, see section "Supported Signing Schemes" for
65         a list of supported signature schemes.  If specified,  the  signature
66         scheme  must match the key type.  If left unspecified, a default sig‐
67         nature scheme for the key type will be used.
68
69       • -q, --qualification=FILE_OR_HEX_STR:
70
71         Optional, the policy qualifier data that the signer can choose to in‐
72         clude in the signature.  Can be either a hex string or path.
73
74       • -o, --signature=FILE:
75
76         The signature file, records the signature structure.
77
78       • -f, --format=FORMAT:
79
80         Format  selection for the signature output file.  See section "Signa‐
81         ture Format Specifiers".
82
83       • --attestation=FILE:
84
85         The attestation data of the type TPMS_ATTEST signed with signing key.
86
87       • --cphash=FILE
88
89         File path to record the hash of the command parameters.  This is com‐
90         monly termed as cpHash.  NOTE: When this option is selected, The tool
91         will not actually execute the command, it simply returns a cpHash.
92
93       • ARGUMENT the command line argument specifies the file data for sign.
94
95   References

97       The type of a context object, whether it is a handle or file  name,  is
98       determined according to the following logic in-order:
99
100       • If the argument is a file path, then the file is loaded as a restored
101         TPM transient object.
102
103       • If the argument is a prefix match on one of:
104
105         • owner: the owner hierarchy
106
107         • platform: the platform hierarchy
108
109         • endorsement: the endorsement hierarchy
110
111         • lockout: the lockout control persistent object
112
113       • If the argument argument can be loaded as a number it will  be  treat
114         as a handle, e.g.  0x81010013 and used directly.OBJECT.
115

117       Authorization  for  use  of an object in TPM2.0 can come in 3 different
118       forms: 1.  Password 2.  HMAC 3.  Sessions
119
120       NOTE: "Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
121       fied".
122
123   Passwords
124       Passwords  are  interpreted  in  the following forms below using prefix
125       identifiers.
126
127       Note: By default passwords are assumed to be in the  string  form  when
128       they do not have a prefix.
129
130   String
131       A  string  password,  specified  by  prefix "str:" or it's absence (raw
132       string without prefix) is not interpreted, and is directly used for au‐
133       thorization.
134
135   Examples
136              foobar
137              str:foobar
138
139   Hex-string
140       A  hex-string  password, specified by prefix "hex:" is converted from a
141       hexidecimal form into a byte array form, thus allowing  passwords  with
142       non-printable and/or terminal un-friendly characters.
143
144   Example
145              hex:0x1122334455667788
146
147   File
148       A  file  based password, specified be prefix "file:" should be the path
149       of a file containing the password to be read by the tool or  a  "-"  to
150       use  stdin.   Storing  passwords in files prevents information leakage,
151       passwords passed as options can be read from the process list or common
152       shell history features.
153
154   Examples
155              # to use stdin and be prompted
156              file:-
157
158              # to use a file from a path
159              file:path/to/password/file
160
161              # to echo a password via stdin:
162              echo foobar | tpm2_tool -p file:-
163
164              # to use a bash here-string via stdin:
165
166              tpm2_tool -p file:- <<< foobar
167
168   Sessions
169       When  using  a policy session to authorize the use of an object, prefix
170       the option argument with the session keyword.  Then indicate a path  to
171       a session file that was created with tpm2_startauthsession(1).  Option‐
172       ally, if the session requires an auth value to be sent with the session
173       handle  (eg policy password), then append a + and a string as described
174       in the Passwords section.
175
176   Examples
177       To use a session context file called session.ctx.
178
179              session:session.ctx
180
181       To use a session context file called session.ctx AND send the authvalue
182       mypassword.
183
184              session:session.ctx+mypassword
185
186       To use a session context file called session.ctx AND send the HEX auth‐
187       value 0x11223344.
188
189              session:session.ctx+hex:11223344
190
191   PCR Authorizations
192       You can satisfy a PCR policy using the "pcr:" prefix and the PCR  mini‐
193       language.       The     PCR     minilanguage     is     as     follows:
194       <pcr-spec>=<raw-pcr-file>
195
196       The PCR spec is documented in in the section "PCR bank specifiers".
197
198       The raw-pcr-file is an optional the output of the raw PCR  contents  as
199       returned by tpm2_pcrread(1).
200
201       PCR bank specifiers (common/pcr.md)
202
203   Examples
204       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
205       er of:
206
207              pcr:sha256:0,1,2,3
208
209       specifying AUTH.
210

212       Options that take algorithms support "nice-names".
213
214       There are two major algorithm specification string classes, simple  and
215       complex.  Only certain algorithms will be accepted by the TPM, based on
216       usage and conditions.
217
218   Simple specifiers
219       These are strings with no additional specification data.  When creating
220       objects,  non-specified  portions of an object are assumed to defaults.
221       You can find the list of known "Simple Specifiers Below".
222
223   Asymmetric
224       • rsa
225
226       • ecc
227
228   Symmetric
229       • aes
230
231       • camellia
232
233   Hashing Algorithms
234       • sha1
235
236       • sha256
237
238       • sha384
239
240       • sha512
241
242       • sm3_256
243
244       • sha3_256
245
246       • sha3_384
247
248       • sha3_512
249
250   Keyed Hash
251       • hmac
252
253       • xor
254
255   Signing Schemes
256       • rsassa
257
258       • rsapss
259
260       • ecdsa
261
262       • ecdaa
263
264       • ecschnorr
265
266   Asymmetric Encryption Schemes
267       • oaep
268
269       • rsaes
270
271       • ecdh
272
273   Modes
274       • ctr
275
276       • ofb
277
278       • cbc
279
280       • cfb
281
282       • ecb
283
284   Misc
285       • null
286
287   Complex Specifiers
288       Objects, when specified for creation by the TPM,  have  numerous  algo‐
289       rithms  to  populate  in the public data.  Things like type, scheme and
290       asymmetric details, key size, etc.  Below is  the  general  format  for
291       specifying this data: <type>:<scheme>:<symmetric-details>
292
293   Type Specifiers
294       This  portion  of the complex algorithm specifier is required.  The re‐
295       maining scheme and symmetric details will default  based  on  the  type
296       specified and the type of the object being created.
297
298       • aes - Default AES: aes128
299
300       • aes128<mode>  - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
301         If mode is not specified, defaults to null.
302
303       • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
304
305       • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
306
307       • ecc - Elliptical Curve, defaults to ecc256.
308
309       • ecc192 - 192 bit ECC
310
311       • ecc224 - 224 bit ECC
312
313       • ecc256 - 256 bit ECC
314
315       • ecc384 - 384 bit ECC
316
317       • ecc521 - 521 bit ECC
318
319       • rsa - Default RSA: rsa2048
320
321       • rsa1024 - RSA with 1024 bit keysize.
322
323       • rsa2048 - RSA with 2048 bit keysize.
324
325       • rsa4096 - RSA with 4096 bit keysize.
326
327   Scheme Specifiers
328       Next, is an optional field, it can be skipped.
329
330       Schemes are usually Signing Schemes or Asymmetric  Encryption  Schemes.
331       Most signing schemes take a hash algorithm directly following the sign‐
332       ing scheme.  If the hash algorithm is missing, it defaults  to  sha256.
333       Some take no arguments, and some take multiple arguments.
334
335   Hash Optional Scheme Specifiers
336       These  scheme  specifiers are followed by a dash and a valid hash algo‐
337       rithm, For example: oaep-sha256.
338
339       • oaep
340
341       • ecdh
342
343       • rsassa
344
345       • rsapss
346
347       • ecdsa
348
349       • ecschnorr
350
351   Multiple Option Scheme Specifiers
352       This scheme specifier is followed by a count  (max  size  UINT16)  then
353       followed by a dash(-) and a valid hash algorithm.  * ecdaa For example,
354       ecdaa4-sha256.  If no count is specified, it defaults to 4.
355
356   No Option Scheme Specifiers
357       This scheme specifier takes NO arguments.  * rsaes
358
359   Symmetric Details Specifiers
360       This field is optional, and defaults based on the type of object  being
361       created  and it's attributes.  Generally, any valid Symmetric specifier
362       from the Type Specifiers list should work.  If not specified, an  asym‐
363       metric objects symmetric details defaults to aes128cfb.
364
365   Examples
366   Create an rsa2048 key with an rsaes asymmetric encryption scheme
367       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
368
369   Create an ecc256 key with an ecdaa signing scheme with a count of 4
370       and sha384 hash
371
372       /tpm2_create -C parent.ctx -G ecc256:ec‐
373       daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
374

376       This collection of options are common to many programs and provide  in‐
377       formation that many users may expect.
378
379       • -h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
380         attempts to invoke the manpager for the  tool,  however,  on  failure
381         will  output  a short tool summary.  This is the same behavior if the
382         "man" option argument is specified, however if explicit "man" is  re‐
383         quested,  the  tool  will  provide errors from man on stderr.  If the
384         "no-man" option if specified, or the manpager fails,  the  short  op‐
385         tions will be output to stdout.
386
387         To  successfully use the manpages feature requires the manpages to be
388         installed or on MANPATH, See man(1) for more details.
389
390       • -v, --version: Display version information for this  tool,  supported
391         tctis and exit.
392
393       • -V,  --verbose:  Increase the information that the tool prints to the
394         console during its execution.  When using this option  the  file  and
395         line number are printed.
396
397       • -Q, --quiet: Silence normal tool output to stdout.
398
399       • -Z, --enable-errata: Enable the application of errata fixups.  Useful
400         if an errata fixup needs to be applied to commands sent to  the  TPM.
401         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
402         formation many users may expect.
403

405       The TCTI or "Transmission Interface"  is  the  communication  mechanism
406       with  the TPM.  TCTIs can be changed for communication with TPMs across
407       different mediums.
408
409       To control the TCTI, the tools respect:
410
411       1. The command line option -T or --tcti
412
413       2. The environment variable: TPM2TOOLS_TCTI.
414
415       Note: The command line option always overrides  the  environment  vari‐
416       able.
417
418       The current known TCTIs are:
419
420       • tabrmd      -     The     resource     manager,     called     tabrmd
421         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
422         abrmd as a tcti name are synonymous.
423
424       • mssim  - Typically used for communicating to the TPM software simula‐
425         tor.
426
427       • device - Used when talking directly to a TPM device file.
428
429       • none - Do not initalize a connection with the TPM.  Some tools  allow
430         for off-tpm options and thus support not using a TCTI.  Tools that do
431         not support it will error when attempted to be used  without  a  TCTI
432         connection.   Does  not  support ANY options and MUST BE presented as
433         the exact text of "none".
434
435       The arguments to either the command  line  option  or  the  environment
436       variable are in the form:
437
438       <tcti-name>:<tcti-option-config>
439
440       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
441       tion-config> results in the default being used for that portion respec‐
442       tively.
443
444   TCTI Defaults
445       When  a  TCTI  is not specified, the default TCTI is searched for using
446       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
447       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
448       what TCTI will be chosen as the default by using the -v option to print
449       the  version information.  The "default-tcti" key-value pair will indi‐
450       cate which of the aforementioned TCTIs is the default.
451
452   Custom TCTIs
453       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
454       tools internally use dlopen(3), and the raw tcti-name value is used for
455       the lookup.  Thus, this could be a path to the shared library, or a li‐
456       brary name as understood by dlopen(3) semantics.
457

459       This collection of options are used to configure the various known TCTI
460       modules available:
461
462       • device: For the device TCTI, the TPM character device file for use by
463         the device TCTI can be specified.  The default is /dev/tpm0.
464
465         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI="de‐
466         vice:/dev/tpm0"
467
468       • mssim: For the mssim TCTI, the domain name or  IP  address  and  port
469         number  used  by  the  simulator  can  be specified.  The default are
470         127.0.0.1 and 2321.
471
472         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
473         TI="mssim:host=localhost,port=2321"
474
475       • abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
476         ries of simple key value pairs separated by a  ','  character.   Each
477         key and value string are separated by a '=' character.
478
479         • TCTI abrmd supports two keys:
480
481           1. 'bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
482              string).
483
484           2. 'bus_type' : The type of the dbus instance (a string) limited to
485              'session' and 'system'.
486
487         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
488         ample.FooBar:
489
490         \--tcti=tabrmd:bus_name=com.example.FooBar
491
492         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
493         sion:
494
495         \--tcti:bus_type=session
496
497         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
498         ules.  # Signature Format Specifiers
499
500       Format selection for the signature output file.  tss (the default) will
501       output a binary blob according to the TPM 2.0 specification and any po‐
502       tential compiler padding.  The option plain will output the plain  sig‐
503       nature data as defined by the used cryptographic algorithm.
504

506   Create a key and get attested TPM time
507              tpm2_createprimary -C e -c primary.ctx
508
509              tpm2_create -G rsa -u rsa.pub -r rsa.priv -C primary.ctx
510
511              tpm2_load -C primary.ctx -u rsa.pub -r rsa.priv -c rsa.ctx
512
513              tpm2_gettime -c rsa.ctx -o attest.sig --attestation attest.data
514

516       Tools can return any of the following codes:
517
518       • 0 - Success.
519
520       • 1 - General non-specific error.
521
522       • 2 - Options handling error.
523
524       • 3 - Authentication error.
525
526       • 4 - TCTI related error.
527
528       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
529

531       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
532

534       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
535
536
537
538tpm2-tools                                                     tpm2_gettime(1)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Context Object Format

Authorization Formatting

Algorithm Specifiers

COMMON OPTIONS

TCTI Configuration

TCTI OPTIONS

EXAMPLES

Returns

BUGS

HELP