tpm2_readpublic(1)          General Commands Manual         tpm2_readpublic(1)

NAME
       tpm2_readpublic(1) - Read the public area of a loaded object.

SYNOPSIS
       tpm2_readpublic [OPTIONS]

DESCRIPTION
       tpm2_readpublic(1) - Reads the public area of a loaded object.


OPTIONS
       -c, --object-context=OBJECT:
              Context object for the object to read.

       -n, --name=FILE:
              An optional file to save the name structure of the object.

       -f, --format:
              Format selection for the public key output file.  'tss' (the
              default) will output a binary blob according to the TPM 2.0
              Specification.  'pem' will output an OpenSSL compatible PEM
              encoded public key.  'der' will output an OpenSSL compatible
              DER encoded public key.  'tpmt' will output a binary blob of
              the TPMT_PUBLIC struct referenced by the TPM 2.0 specs.

              Public key format.

       -o, --output=FILE:
              The output file path, recording the public portion of the
              object.

       -t, --serialized-handle=HANDLE:
              If the object to be read is a persistent object specified by a
              raw handle, optionally save the serialized handle for use
              later.  This routine does NOT verify the name of the object
              being read.  Callers should ensure that the contents of the
              name match the expected object's name.

       -q, --qualified-name=FILE:
              Saves the qualified name of the object to FILE.  The qualified
              name of the object is the name-algorithm hash of the parent's
              qualified name and the object's name.  Thus the qualified name
              of the object serves as proof of the object's parents.

   References

Context Object Format
       The type of a context object, whether it is a handle or file name, is
       determined according to the following logic, in order:

       • If the argument is a file path, then the file is loaded as a
         restored TPM transient object.

       • If the argument is a prefix match on one of:

         • owner: the owner hierarchy

         • platform: the platform hierarchy

         • endorsement: the endorsement hierarchy

         • lockout: the lockout control persistent object

       • If the argument can be loaded as a number, it will be treated as a
         handle, e.g.  0x81010013, and used directly.


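       The resolution order above, as an added Python example that is not
       part of tpm2-tools: a resolver that applies the three rules in
       sequence.  The hierarchy handle values are the TPM_RH_* constants
       from the TPM 2.0 specification (this page names the hierarchies but
       not their values); the function name, its is_file parameter and the
       assumption that the argument must be a prefix of the hierarchy name
       are mine, so the rules can be exercised against a constructed fake
       file system rather than a real TPM.

```python
import os

# Permanent handles of the hierarchies, as defined in the TPM 2.0 spec
# (Part 2, TPM_RH constants); the man page names them but not their values.
HIERARCHY_HANDLES = {
    "owner": 0x40000001,        # TPM_RH_OWNER
    "platform": 0x4000000C,     # TPM_RH_PLATFORM
    "endorsement": 0x4000000B,  # TPM_RH_ENDORSEMENT
    "lockout": 0x4000000A,      # TPM_RH_LOCKOUT
}


def resolve_object_context(arg, is_file=os.path.isfile):
    """Resolve a -c/--object-context argument with the man page's in-order rules.

    Returns ("file", path) for a context file or ("handle", int) otherwise.
    `is_file` is injectable so the rules can be exercised without touching
    disk (hypothetical helper; tpm2-tools does not expose such a function).
    """
    if not arg:
        raise ValueError("empty object context")

    # Rule 1: an existing file path wins and is loaded as a restored
    # transient object.  This is checked BEFORE the hierarchy names.
    if is_file(arg):
        return ("file", arg)

    # Rule 2: prefix match on a hierarchy name ("o" -> owner, "endo" ->
    # endorsement).  Assumption: the argument must be a prefix of the name.
    matches = [name for name in HIERARCHY_HANDLES if name.startswith(arg)]
    if len(matches) == 1:
        return ("handle", HIERARCHY_HANDLES[matches[0]])
    if len(matches) > 1:
        raise ValueError("ambiguous hierarchy prefix: %r" % arg)

    # Rule 3: anything parseable as a number (base prefix honoured, so
    # 0x81010013 is hex and a bare digit string is decimal) is used as a
    # raw handle.
    try:
        handle = int(arg, 0)
    except ValueError:
        raise ValueError("cannot resolve object context: %r" % arg)
    if not 0 <= handle <= 0xFFFFFFFF:
        raise ValueError("handle out of 32-bit range: %r" % arg)
    return ("handle", handle)


if __name__ == "__main__":
    # Constructed sample: pretend only "primary.ctx" exists on disk.
    fake_fs = lambda p: p == "primary.ctx"
    for a in ("primary.ctx", "o", "endorsement", "0x81010013"):
        print(a, "->", resolve_object_context(a, fake_fs))
```

       Because the file check runs first, a stray file named, say, "owner"
       in the working directory is loaded as a context file instead of
       selecting the owner hierarchy; scripts that build -c arguments from
       untrusted input should resolve and check the value before use.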
COMMON OPTIONS
       This collection of options is common to many programs and provides
       information that many users may expect.

       -h, --help=[man|no-man]: Display the tool's manpage.  By default, it
              attempts to invoke the manpager for the tool, however, on
              failure will output a short tool summary.  This is the same
              behavior if the "man" option argument is specified, however if
              explicit "man" is requested, the tool will provide errors from
              man on stderr.  If the "no-man" option is specified, or the
              manpager fails, the short options will be output to stdout.

              To successfully use the manpages feature requires the manpages
              to be installed or on MANPATH.  See man(1) for more details.

       -v, --version: Display version information for this tool, supported
              tctis and exit.

       -V, --verbose: Increase the information that the tool prints to the
              console during its execution.  When using this option the file
              and line number are printed.

       -Q, --quiet: Silence normal tool output to stdout.

       -Z, --enable-errata: Enable the application of errata fixups.  Useful
              if an errata fixup needs to be applied to commands sent to the
              TPM.  Defining the environment variable TPM2TOOLS_ENABLE_ERRATA
              is equivalent.


TCTI Configuration
       The TCTI or "Transmission Interface" is the communication mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       • tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd and
         abrmd as a tcti name are synonymous.

       • mssim - Typically used for communicating to the TPM software
         simulator.

       • device - Used when talking directly to a TPM device file.

       • none - Do not initialize a connection with the TPM.  Some tools
         allow for off-tpm options and thus support not using a TCTI.  Tools
         that do not support it will error when attempted to be used without
         a TCTI connection.  Does not support ANY options and MUST BE
         presented as the exact text of "none".

       The arguments to either the command line option or the environment
       variable are in the form:

       <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that
       portion respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics.  The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
       what TCTI will be chosen as the default by using the -v option to
       print the version information.  The "default-tcti" key-value pair
       will indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.
       The tools internally use dlopen(3), and the raw tcti-name value is
       used for the lookup.  Thus, this could be a path to the shared
       library, or a library name as understood by dlopen(3) semantics.


TCTI OPTIONS
       This collection of options is used to configure the various known
       TCTI modules available:

       device: For the device TCTI, the TPM character device file for use by
              the device TCTI can be specified.  The default is /dev/tpm0.

              Example: -T device:/dev/tpm0 or export
              TPM2TOOLS_TCTI="device:/dev/tpm0"

       mssim: For the mssim TCTI, the domain name or IP address and port
              number used by the simulator can be specified.  The defaults
              are 127.0.0.1 and 2321.

              Example: -T mssim:host=localhost,port=2321 or export
              TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       abrmd: For the abrmd TCTI, the configuration string format is a
              series of simple key value pairs separated by a ',' character.
              Each key and value string are separated by a '=' character.

              • TCTI abrmd supports two keys:

                1. 'bus_name' : The name of the tabrmd service on the bus (a
                   string).

                2. 'bus_type' : The type of the dbus instance (a string)
                   limited to 'session' and 'system'.

              Specify the tabrmd tcti name and a config string of
              bus_name=com.example.FooBar:

              --tcti=tabrmd:bus_name=com.example.FooBar

              Specify the default (abrmd) tcti and a config string of
              bus_type=session:

              --tcti:bus_type=session
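
       The TCTI selection rules (command line over TPM2TOOLS_TCTI, empty
       portions taking their default, "none" accepted only as the exact
       text) together with the device, mssim and abrmd option keys described
       above, as an added Python parser.  It is not tpm2-tools code: the
       function names, the fixed default TCTI name (the real default is
       whichever of tabrmd, device and mssim dlopen(3) finds first on the
       host) and the custom-library path used in the comments are
       assumptions.

```python
import os

# Defaults taken from the man page; DEFAULT_TCTI is an assumption, since the
# real default is whichever of tabrmd/device/mssim dlopen(3) finds first.
DEFAULT_TCTI = "tabrmd"
DEVICE_DEFAULT = "/dev/tpm0"
MSSIM_DEFAULTS = {"host": "127.0.0.1", "port": "2321"}
ABRMD_KEYS = ("bus_name", "bus_type")


def select_tcti_spec(cli_value, env=None):
    """-T/--tcti on the command line always wins over TPM2TOOLS_TCTI."""
    env = os.environ if env is None else env
    if cli_value is not None:
        return cli_value
    return env.get("TPM2TOOLS_TCTI")


def _parse_kv(conf, allowed):
    """Parse 'k=v,k=v' into a dict, rejecting unknown keys and bad syntax."""
    out = {}
    for item in conf.split(","):
        key, sep, value = item.partition("=")
        if not sep or key not in allowed:
            raise ValueError("bad TCTI option %r" % item)
        out[key] = value
    return out


def parse_tcti(spec, default_name=DEFAULT_TCTI):
    """Parse '<tcti-name>:<tcti-option-config>' into (name, config).

    An empty name or config portion falls back to its default; "none" is
    only valid as the exact text with no options; "abrmd" is a synonym for
    "tabrmd".  Unknown names are kept raw for the dlopen(3) lookup.
    """
    if not spec:
        return (default_name, None)
    if spec == "none":
        return ("none", None)
    name, _, conf = spec.partition(":")
    name = name or default_name
    if name == "abrmd":
        name = "tabrmd"
    if name == "none":
        raise ValueError('"none" takes no options and must be the exact text')
    if name == "device":
        return ("device", conf or DEVICE_DEFAULT)
    if name == "mssim":
        cfg = dict(MSSIM_DEFAULTS)
        if conf:
            cfg.update(_parse_kv(conf, MSSIM_DEFAULTS))
        return ("mssim", cfg)
    if name == "tabrmd":
        cfg = _parse_kv(conf, ABRMD_KEYS) if conf else {}
        if cfg.get("bus_type", "session") not in ("session", "system"):
            raise ValueError("bus_type must be 'session' or 'system'")
        return ("tabrmd", cfg)
    # Custom TCTI: e.g. a hypothetical "libtss2-tcti-custom.so"; the raw
    # name and config string are passed through untouched for dlopen(3).
    return (name, conf or None)


if __name__ == "__main__":
    spec = select_tcti_spec(None, {"TPM2TOOLS_TCTI": "mssim:host=localhost,port=2321"})
    print(spec, "->", parse_tcti(spec))
    print("device: ->", parse_tcti("device:"))
    print(":bus_type=session ->", parse_tcti(":bus_type=session"))
```

       The parser fails closed on a malformed option string rather than
       silently falling back to a default TCTI, which is the behaviour you
       want when the TCTI decides which TPM (real, simulator, or resource
       manager) a tool will actually talk to.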

              NOTE: abrmd and tabrmd are synonymous.

EXAMPLES

   Create a primary object and read the public structure in an openssl
       compliant format

              tpm2_createprimary -c primary.ctx
              tpm2_readpublic -c primary.ctx -o output.dat -f pem

   Serialize an existing persistent object handle to disk for later use
       This work-flow is primarily intended for existing persistent TPM
       objects.  This work-flow does not verify that the name of the
       serialized object matches the expected one, and thus the serialized
       handle could be pointing to an attacker controlled object if no
       verification is done.  If you are creating an object from scratch,
       save the serialized handle when making the object persistent.

       We assume that an object has already been persisted, for example via:

              # We assume that an object has already been persisted, for example
              tpm2_createprimary -c primary.ctx

              # context files have all the information for the TPM to verify the object
              tpm2_evictcontrol -c primary.ctx
              persistent-handle: 0x81000001
              action: persisted

       Next use the persistent handle to get a serialized handle:

              # The persistent handle output could be at an attacker controlled object,
              # best practice is to use the option "-o" for tpm2_evictcontrol to get a
              # serialized handle instead.

              tpm2_readpublic -c 0x81000001 -o output.dat -f pem -t primary.handle

              # use this verified handle in an encrypted session with the tpm
              tpm2_startauthsession --policy-session -S session.ctx -c primary.handle

       For new objects, it's best to use all serialized handles.


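       Added Python example (not tpm2-tools code) for the -t and -q options
       and the work-flow above: the name check that -t/--serialized-handle
       skips, and the qualified-name construction the -q option describes,
       computed over a TPMT_PUBLIC blob such as -f tpmt writes.  Only the
       position of nameAlg inside TPMT_PUBLIC and the TPM_ALG_ID values come
       from the TPM 2.0 specification; the byte layout used for Name and
       qualified name (a 2-byte algorithm ID followed by the digest), the
       hypothetical function names and the constructed sample public area
       are assumptions.

```python
import hashlib
import hmac
import struct

# TPM_ALG_ID values (TPM 2.0 spec, Part 2) for the hash algorithms an
# object's nameAlg may select; the man page calls this the "name algorithm".
HASH_ALGS = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}


def name_alg_of(tpmt_public):
    """A TPMT_PUBLIC begins with type (2 bytes) followed by nameAlg (2 bytes)."""
    if len(tpmt_public) < 4:
        raise ValueError("TPMT_PUBLIC blob too short")
    (alg,) = struct.unpack(">H", tpmt_public[2:4])
    if alg not in HASH_ALGS:
        raise ValueError("unsupported nameAlg 0x%04x" % alg)
    return alg


def object_name(tpmt_public):
    """Name = nameAlg (big-endian TPM_ALG_ID) || H_nameAlg(TPMT_PUBLIC).

    Assumption: this algId||digest layout is used for the returned Name.
    """
    alg = name_alg_of(tpmt_public)
    return struct.pack(">H", alg) + hashlib.new(HASH_ALGS[alg], tpmt_public).digest()


def qualified_name(parent_qn, tpmt_public):
    """QN = nameAlg || H_nameAlg(parent QN || Name), as the -q option describes.

    Assumption: parent_qn is passed in the same algId||digest form.  For a
    primary object the parent is the hierarchy itself, whose Name is taken
    here to be its 4-byte handle, e.g. struct.pack(">I", 0x40000001) for
    the owner hierarchy.
    """
    alg = name_alg_of(tpmt_public)
    digest = hashlib.new(HASH_ALGS[alg], parent_qn + object_name(tpmt_public)).digest()
    return struct.pack(">H", alg) + digest


def name_matches(tpmt_public, expected_name):
    """The check -t/--serialized-handle does NOT perform: does the public
    area read back from the handle hash to the Name we expect?  Uses a
    constant-time comparison so a partial match leaks nothing."""
    return hmac.compare_digest(object_name(tpmt_public), expected_name)


# Constructed sample, not a real key: type=TPM_ALG_RSA (0x0001),
# nameAlg=TPM_ALG_SHA256 (0x000B), then placeholder bytes standing in for
# the remainder of the structure.
SAMPLE_TPMT_PUBLIC = bytes.fromhex("0001000b") + b"\x00" * 12 + b"\x11" * 16

if __name__ == "__main__":
    name = object_name(SAMPLE_TPMT_PUBLIC)
    print("name:", name.hex())
    owner_qn = struct.pack(">I", 0x40000001)
    print("qualified name under owner:", qualified_name(owner_qn, SAMPLE_TPMT_PUBLIC).hex())
    tampered = SAMPLE_TPMT_PUBLIC[:-1] + b"\x12"
    print("tampered public area matches expected name:", name_matches(tampered, name))
```

       To close the gap the work-flow above warns about, read the public
       area back from the persistent handle with -f tpmt, compute its Name
       as here, and compare it with the Name you recorded when the object
       was created, before trusting the serialized handle; anything loaded
       at 0x81000001 since then produces a different Name.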
Returns
       Tools can return any of the following codes:

       • 0 - Success.

       • 1 - General non-specific error.

       • 2 - Options handling error.

       • 3 - Authentication error.

       • 4 - TCTI related error.

       • 5 - Non supported scheme.  Applicable to tpm2_testparams.

BUGS
       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

HELP
       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)

tpm2-tools                                                  tpm2_readpublic(1)