tpm2_nvextend(1)            General Commands Manual           tpm2_nvextend(1)


NAME

       tpm2_nvextend(1) - Extend a Non-Volatile (NV) index as if it were a PCR.


SYNOPSIS

       tpm2_nvextend [OPTIONS] [ARGUMENT]


DESCRIPTION

       tpm2_nvextend(1) - Extend a Non-Volatile (NV) index as if it were a PCR.
       The NV index must be of type "extend", which is specified via the "nt"
       field when creating the NV space with tpm2_nvdefine(1). The index can
       be given as a raw handle or as an offset into the NV handle range
       "TPM2_HR_NV_INDEX" as the argument.


OPTIONS

       -C, --hierarchy=OBJECT:
              Specifies the hierarchy used to authorize. Supported options are:

              • o for TPM_RH_OWNER

              • p for TPM_RH_PLATFORM

              • <num> where a hierarchy handle or nv-index may be used.

              When -C isn't explicitly passed, the index handle will be used to
              authorize against the index. The index auth value is set via the
              -p option to tpm2_nvdefine(1).

       -P, --auth=AUTH:
              Specifies the authorization value for the hierarchy.

       -i, --input=FILE:
              Specifies the input file with data to extend into the NV index.

       --cphash=FILE
              File path to record the hash of the command parameters. This is
              commonly termed the cpHash. NOTE: When this option is selected,
              the tool will not actually execute the command; it simply
              returns a cpHash, unless rphash is also required.

       --rphash=FILE
              File path to record the hash of the response parameters. This is
              commonly termed the rpHash.

       -S, --session=FILE:
              The session created using tpm2_startauthsession(1). Multiple of
              these can be specified. For example, you can have one session for
              auditing and another for encryption/decryption of the parameters.

       ARGUMENT
              The command line argument specifies the NV index or offset number.

   References

Context Object Format

       The type of a context object, whether it is a handle or file name, is
       determined according to the following logic, in order:

       • If the argument is a file path, then the file is loaded as a restored
         TPM transient object.

       • If the argument is a prefix match on one of:

         • owner: the owner hierarchy

         • platform: the platform hierarchy

         • endorsement: the endorsement hierarchy

         • lockout: the lockout control persistent object

       • If the argument can be parsed as a number, it is treated as a handle,
         e.g. 0x81010013, and used directly.

81

Authorization Formatting

       Authorization for use of an object in TPM2.0 can come in 3 different
       forms: 1. Password 2. HMAC 3. Sessions

       NOTE: "Authorizations default to the EMPTY PASSWORD when not
       specified".

   Passwords
       Passwords are interpreted in the following forms below using prefix
       identifiers.

       Note: By default passwords are assumed to be in the string form when
       they do not have a prefix.

   String
       A string password, specified by prefix "str:" or its absence (raw
       string without prefix), is not interpreted and is directly used for
       authorization.

   Examples
              foobar
              str:foobar

   Hex-string
       A hex-string password, specified by prefix "hex:", is converted from
       hexadecimal form into a byte array, thus allowing passwords with
       non-printable and/or terminal-unfriendly characters.

   Example
              hex:0x1122334455667788

   File
       A file based password, specified by prefix "file:", should be the path
       of a file containing the password to be read by the tool, or a "-" to
       use stdin. Storing passwords in files prevents information leakage;
       passwords passed as options can be read from the process list or common
       shell history features.

   Examples
              # to use stdin and be prompted
              file:-

              # to use a file from a path
              file:path/to/password/file

              # to echo a password via stdin:
              echo foobar | tpm2_tool -p file:-

              # to use a bash here-string via stdin:
              tpm2_tool -p file:- <<< foobar

   Sessions
       When using a policy session to authorize the use of an object, prefix
       the option argument with the session keyword. Then indicate a path to
       a session file that was created with tpm2_startauthsession(1).
       Optionally, if the session requires an auth value to be sent with the
       session handle (e.g. policy password), then append a + and a string as
       described in the Passwords section.

   Examples
       To use a session context file called session.ctx.

              session:session.ctx

       To use a session context file called session.ctx AND send the authvalue
       mypassword.

              session:session.ctx+mypassword

       To use a session context file called session.ctx AND send the HEX
       authvalue 0x11223344.

              session:session.ctx+hex:11223344

   PCR Authorizations
       You can satisfy a PCR policy using the "pcr:" prefix and the PCR
       minilanguage. The PCR minilanguage is as follows:
       <pcr-spec>=<raw-pcr-file>

       The PCR spec is documented in the section "PCR bank specifiers".

       The raw-pcr-file is optional; it is the output of the raw PCR contents
       as returned by tpm2_pcrread(1).

       PCR bank specifiers (common/pcr.md)

   Examples
       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a
       specifier of:

              pcr:sha256:0,1,2,3


COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       -h, --help=[man|no-man]: Display the tool's manpage. By default, it
              attempts to invoke the manpager for the tool; however, on failure
              it will output a short tool summary. This is the same behavior
              as when the "man" option argument is specified, except that when
              "man" is explicitly requested the tool will provide errors from
              man on stderr. If the "no-man" option is specified, or the
              manpager fails, the short options will be output to stdout.

              To successfully use the manpages feature requires the manpages to
              be installed or on MANPATH. See man(1) for more details.

       -v, --version: Display version information for this tool, supported
              tctis and exit.

       -V, --verbose: Increase the information that the tool prints to the
              console during its execution. When using this option the file and
              line number are printed.

       -Q, --quiet: Silence normal tool output to stdout.

       -Z, --enable-errata: Enable the application of errata fixups. Useful
              if an errata fixup needs to be applied to commands sent to the
              TPM. Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
              equivalent.

205

TCTI Configuration

       The TCTI or "Transmission Interface" is the communication mechanism
       with the TPM. TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       • tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
         abrmd as a tcti name are synonymous.

       • mssim - Typically used for communicating to the TPM software
         simulator.

       • device - Used when talking directly to a TPM device file.

       • none - Do not initialize a connection with the TPM. Some tools allow
         for off-tpm options and thus support not using a TCTI. Tools that do
         not support it will error when attempted to be used without a TCTI
         connection. Does not support ANY options and MUST BE presented as
         the exact text of "none".

       The arguments to either the command line option or the environment
       variable are in the form:

       <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that portion
       respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics. The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
       what TCTI will be chosen as the default by using the -v option to print
       the version information. The "default-tcti" key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded. The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup. Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.


TCTI OPTIONS

       This collection of options is used to configure the various known TCTI
       modules available:

       device: For the device TCTI, the TPM character device file for use by
              the device TCTI can be specified. The default is /dev/tpm0.

              Example: -T device:/dev/tpm0 or export
              TPM2TOOLS_TCTI="device:/dev/tpm0"

       mssim: For the mssim TCTI, the domain name or IP address and port
              number used by the simulator can be specified. The defaults are
              127.0.0.1 and 2321.

              Example: -T mssim:host=localhost,port=2321 or export
              TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       abrmd: For the abrmd TCTI, the configuration string format is a
              series of simple key value pairs separated by a ',' character.
              Each key and value string are separated by a '=' character.

              • TCTI abrmd supports two keys:

                1. 'bus_name' : The name of the tabrmd service on the bus (a
                   string).

                2. 'bus_type' : The type of the dbus instance (a string)
                   limited to 'session' and 'system'.

              Specify the tabrmd tcti name and a config string of
              bus_name=com.example.FooBar:

              --tcti=tabrmd:bus_name=com.example.FooBar

              Specify the default (abrmd) tcti and a config string of
              bus_type=session:

              --tcti:bus_type=session

              NOTE: abrmd and tabrmd are synonymous.

301

EXAMPLES

   OR 0xbadc0de into an index of 0's
              tpm2_nvdefine -C o -a "nt=extend|ownerread|policywrite|ownerwrite|writedefine" 1

              echo 'my data' | tpm2_nvextend -C o -i- 1

              tpm2_nvread -C o 1 | xxd -p -c32
              db7472e3fe3309b011ec11565bce4ea6668cc8ecdef7e6fdcda5206687af3f43

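       Added here as an example (it is not tpm2-tools code): a software replay
       of the extend chain, so that whoever reads the index back with
       tpm2_nvread can check that the TPM value equals what the recorded
       payloads should produce, exactly as a verifier replays a PCR event log.
       It assumes, per the TPM 2.0 Part 3 description of TPM2_NV_Extend, that
       an unwritten "nt=extend" index starts as all-zero bytes of the digest
       size of its nameAlg (sha256 by default) and that each extend computes
       H(old || data).

```python
import hashlib

# Assumption (TPM 2.0 Part 3, TPM2_NV_Extend): an extend-type index that has
# never been written starts as zeros of the nameAlg digest size, and every
# extend replaces the value with H(current || data).


def nv_extend(current: bytes, data: bytes, hash_alg: str = "sha256") -> bytes:
    """One TPM2_NV_Extend step in software: H(current || data)."""
    h = hashlib.new(hash_alg)
    h.update(current)
    h.update(data)
    return h.digest()


def replay_nv_extend(events, hash_alg: str = "sha256") -> bytes:
    """Replay a list of extend payloads, in order, from a fresh (zero) index."""
    value = bytes(hashlib.new(hash_alg).digest_size)  # unwritten index
    for data in events:
        value = nv_extend(value, data, hash_alg)
    return value


def nv_value_matches(nv_hex: str, events, hash_alg: str = "sha256") -> bool:
    """True if the hex read back (e.g. from `tpm2_nvread ... | xxd -p -c32`)
    equals the replay of `events`; any missing, reordered or altered payload
    makes the comparison fail, which is the property the index is used for."""
    return bytes.fromhex(nv_hex.strip()) == replay_nv_extend(events, hash_alg)


if __name__ == "__main__":
    # Constructed payload mirroring the EXAMPLES section: `echo 'my data'`
    # writes "my data" plus a trailing newline into tpm2_nvextend -i-.
    events = [b"my data\n"]
    expected = replay_nv_extend(events).hex()
    print("expected NV contents:", expected)
    # Compare against the value actually read back from the TPM.
    print("matches:", nv_value_matches(expected, events))
```

       Compare the printed digest with the xxd output of tpm2_nvread; a
       mismatch means the payload bytes (including any trailing newline) or the
       starting state of the index differ from what was replayed.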

Returns

       Tools can return any of the following codes:

       • 0 - Success.

       • 1 - General non-specific error.

       • 2 - Options handling error.

       • 3 - Authentication error.

       • 4 - TCTI related error.

       • 5 - Non supported scheme. Applicable to tpm2_testparams.


BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)


HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)



tpm2-tools                                                    tpm2_nvextend(1)