tpm2_startauthsession(1)

1tpm2_startauthsession(1)    General Commands Manual   tpm2_startauthsession(1)
2
3
4

6       tpm2_startauthsession(1) - Start a session with the TPM.
7

9       tpm2_startauthsession [OPTIONS]
10

12       tpm2_startauthsession(1)  - Starts a session with the TPM.  The default
13       is to start a trial session unless the -a option is  specified.   Saves
14       the  policy session data to a file.  This file can then be used in sub‐
15       sequent tools that can use a policy file for  authorization  or  policy
16       events.
17
18       This  will  not work with resource managers (RMs) outside of tpm2-abrmd
19       (https://%20github.com/tpm2-software/tpm2-abrmd),  as  most  RMs   will
20       flush session handles when a client disconnects from the IPC channel.
21
22       This  will  work  with direct TPM access, but note that internally this
23       calls a ContextSave and a ContextLoad on the session handle,  thus  the
24       session cannot be saved/loaded again.
25

27       • --policy-session:
28
29         Start  a  policy session of type TPM_SE_POLICY.  Default without this
30         option is TPM_SE_TRIAL.
31
32         NOTE: A trial session is used when building a  policy  and  a  policy
33         session is used when authenticating with a policy.
34
35       • --audit-session:
36
37         Start  an HMAC session to be used as an audit session.  Default with‐
38         out this option is TPM2_SE_TRIAL.
39
40       • --hmac-session:
41
42         Start an HMAC session of type TPM_SE_HMAC.  Default without this  op‐
43         tion is TPM2_SE_TRIAL.
44
45       • -g, --hash-algorithm=ALGORITHM:
46
47         The hash algorithm used in computation of the policy digest.
48
49       • -c, --key-context=OBJECT:
50
51         Set  the  tpmkey  and bind objects to be the same.  Session parameter
52         encryption is turned on.  Session parameter decryption is turned  on.
53         Parameter encryption/decryption symmetric-key set to AES-CFB.
54
55       • -S, --session=FILE:
56
57         The name of the policy session file, required.
58
59       • --bind-context=FILE:
60
61         Set  the  bind  object.   Session  parameter  encryption is off.  Use
62         tpm2_sessionconfig to turn on.  Session parameter decryption is  off.
63         Use  tpm2_sessionconfig  to turn on.  Parameter encryption/decryption
64         symmetric-key set to AES-CFB.
65
66       • --bind-auth=AUTH:
67
68         Set the authorization value for the bind object.
69
70       • --tpmkey-context=FILE:
71
72         Set the tpmkey object.  Session parameter  encryption  is  off.   Use
73         tpm2_sessionconfig  to turn on.  Session parameter decryption is off.
74         Use tpm2_sessionconfig to turn on.   Parameter  encryption/decryption
75         symmetric-key set to AES-CFB.
76
77   References

79       The  type  of a context object, whether it is a handle or file name, is
80       determined according to the following logic in-order:
81
82       • If the argument is a file path, then the file is loaded as a restored
83         TPM transient object.
84
85       • If the argument is a prefix match on one of:
86
87         • owner: the owner hierarchy
88
89         • platform: the platform hierarchy
90
91         • endorsement: the endorsement hierarchy
92
93         • lockout: the lockout control persistent object
94
95       • If  the  argument argument can be loaded as a number it will be treat
96         as a handle, e.g.  0x81010013 and used directly.OBJECT.
97

99       Authorization for use of an object in TPM2.0 can come  in  3  different
100       forms: 1.  Password 2.  HMAC 3.  Sessions
101
102       NOTE:  "Authorizations  default  to  the EMPTY PASSWORD when not speci‐
103       fied".
104
105   Passwords
106       Passwords are interpreted in the following  forms  below  using  prefix
107       identifiers.
108
109       Note:  By  default  passwords are assumed to be in the string form when
110       they do not have a prefix.
111
112   String
113       A string password, specified by prefix  "str:"  or  it's  absence  (raw
114       string without prefix) is not interpreted, and is directly used for au‐
115       thorization.
116
117   Examples
118              foobar
119              str:foobar
120
121   Hex-string
122       A hex-string password, specified by prefix "hex:" is converted  from  a
123       hexidecimal  form  into a byte array form, thus allowing passwords with
124       non-printable and/or terminal un-friendly characters.
125
126   Example
127              hex:0x1122334455667788
128
129   File
130       A file based password, specified be prefix "file:" should be  the  path
131       of  a  file  containing the password to be read by the tool or a "-" to
132       use stdin.  Storing passwords in files  prevents  information  leakage,
133       passwords passed as options can be read from the process list or common
134       shell history features.
135
136   Examples
137              # to use stdin and be prompted
138              file:-
139
140              # to use a file from a path
141              file:path/to/password/file
142
143              # to echo a password via stdin:
144              echo foobar | tpm2_tool -p file:-
145
146              # to use a bash here-string via stdin:
147
148              tpm2_tool -p file:- <<< foobar
149
150   Sessions
151       When using a policy session to authorize the use of an  object,  prefix
152       the  option argument with the session keyword.  Then indicate a path to
153       a session file that was created with tpm2_startauthsession(1).  Option‐
154       ally, if the session requires an auth value to be sent with the session
155       handle (eg policy password), then append a + and a string as  described
156       in the Passwords section.
157
158   Examples
159       To use a session context file called session.ctx.
160
161              session:session.ctx
162
163       To use a session context file called session.ctx AND send the authvalue
164       mypassword.
165
166              session:session.ctx+mypassword
167
168       To use a session context file called session.ctx AND send the HEX auth‐
169       value 0x11223344.
170
171              session:session.ctx+hex:11223344
172
173   PCR Authorizations
174       You  can satisfy a PCR policy using the "pcr:" prefix and the PCR mini‐
175       language.      The     PCR     minilanguage     is     as      follows:
176       <pcr-spec>=<raw-pcr-file>
177
178       The PCR spec is documented in in the section "PCR bank specifiers".
179
180       The  raw-pcr-file  is an optional the output of the raw PCR contents as
181       returned by tpm2_pcrread(1).
182
183       PCR bank specifiers (common/pcr.md)
184
185   Examples
186       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
187       er of:
188
189              pcr:sha256:0,1,2,3
190
191       specifying AUTH.
192

194       This  collection of options are common to many programs and provide in‐
195       formation that many users may expect.
196
197       • -h, --help=[man|no-man]: Display the tools manpage.  By  default,  it
198         attempts  to  invoke  the  manpager for the tool, however, on failure
199         will output a short tool summary.  This is the same behavior  if  the
200         "man"  option argument is specified, however if explicit "man" is re‐
201         quested, the tool will provide errors from man  on  stderr.   If  the
202         "no-man"  option  if  specified, or the manpager fails, the short op‐
203         tions will be output to stdout.
204
205         To successfully use the manpages feature requires the manpages to  be
206         installed or on MANPATH, See man(1) for more details.
207
208       • -v,  --version:  Display version information for this tool, supported
209         tctis and exit.
210
211       • -V, --verbose: Increase the information that the tool prints  to  the
212         console  during  its  execution.  When using this option the file and
213         line number are printed.
214
215       • -Q, --quiet: Silence normal tool output to stdout.
216
217       • -Z, --enable-errata: Enable the application of errata fixups.  Useful
218         if  an  errata fixup needs to be applied to commands sent to the TPM.
219         Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.   in‐
220         formation many users may expect.
221

223       The  TCTI  or  "Transmission  Interface" is the communication mechanism
224       with the TPM.  TCTIs can be changed for communication with TPMs  across
225       different mediums.
226
227       To control the TCTI, the tools respect:
228
229       1. The command line option -T or --tcti
230
231       2. The environment variable: TPM2TOOLS_TCTI.
232
233       Note:  The  command  line option always overrides the environment vari‐
234       able.
235
236       The current known TCTIs are:
237
238       • tabrmd     -     The     resource     manager,     called      tabrmd
239         (https://github.com/tpm2-software/tpm2-abrmd).   Note that tabrmd and
240         abrmd as a tcti name are synonymous.
241
242       • mssim - Typically used for communicating to the TPM software  simula‐
243         tor.
244
245       • device - Used when talking directly to a TPM device file.
246
247       • none  - Do not initalize a connection with the TPM.  Some tools allow
248         for off-tpm options and thus support not using a TCTI.  Tools that do
249         not  support  it  will error when attempted to be used without a TCTI
250         connection.  Does not support ANY options and MUST  BE  presented  as
251         the exact text of "none".
252
253       The  arguments  to  either  the  command line option or the environment
254       variable are in the form:
255
256       <tcti-name>:<tcti-option-config>
257
258       Specifying an empty string for  either  the  <tcti-name>  or  <tcti-op‐
259       tion-config> results in the default being used for that portion respec‐
260       tively.
261
262   TCTI Defaults
263       When a TCTI is not specified, the default TCTI is  searched  for  using
264       dlopen(3)  semantics.   The  tools  will  search for tabrmd, device and
265       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You  can  query
266       what TCTI will be chosen as the default by using the -v option to print
267       the version information.  The "default-tcti" key-value pair will  indi‐
268       cate which of the aforementioned TCTIs is the default.
269
270   Custom TCTIs
271       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
272       tools internally use dlopen(3), and the raw tcti-name value is used for
273       the lookup.  Thus, this could be a path to the shared library, or a li‐
274       brary name as understood by dlopen(3) semantics.
275

277       This collection of options are used to configure the various known TCTI
278       modules available:
279
280       • device: For the device TCTI, the TPM character device file for use by
281         the device TCTI can be specified.  The default is /dev/tpm0.
282
283         Example:   -T   device:/dev/tpm0   or   export    TPM2TOOLS_TCTI="de‐
284         vice:/dev/tpm0"
285
286       • mssim:  For  the  mssim  TCTI, the domain name or IP address and port
287         number used by the simulator  can  be  specified.   The  default  are
288         127.0.0.1 and 2321.
289
290         Example:  -T  mssim:host=localhost,port=2321  or export TPM2TOOLS_TC‐
291         TI="mssim:host=localhost,port=2321"
292
293       • abrmd: For the abrmd TCTI, the configuration string format is  a  se‐
294         ries  of  simple  key value pairs separated by a ',' character.  Each
295         key and value string are separated by a '=' character.
296
297         • TCTI abrmd supports two keys:
298
299           1. 'bus_name' : The name of  the  tabrmd  service  on  the  bus  (a
300              string).
301
302           2. 'bus_type' : The type of the dbus instance (a string) limited to
303              'session' and 'system'.
304
305         Specify the tabrmd tcti name and a config string of  bus_name=com.ex‐
306         ample.FooBar:
307
308         \--tcti=tabrmd:bus_name=com.example.FooBar
309
310         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
311         sion:
312
313         \--tcti:bus_type=session
314
315         NOTE: abrmd and tabrmd are synonymous.  the various known  TCTI  mod‐
316         ules.  # EXAMPLES
317
318   Start a trial session and save the session data to a file
319              tpm2_startauthsession -S mysession.ctx
320
321   Start a policy session and save the session data to a file
322              tpm2_startauthsession --policy-session -S mysession.ctx
323
324   Start an encrypted and bound policy session and save the
325       session data to a file
326
327              tpm2_createprimary -c primary.ctx
328              tpm2_startauthsession --policy-session -c primary.ctx -S mysession.ctx
329

331       Tools can return any of the following codes:
332
333       • 0 - Success.
334
335       • 1 - General non-specific error.
336
337       • 2 - Options handling error.
338
339       • 3 - Authentication error.
340
341       • 4 - TCTI related error.
342
343       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
344

346       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
347

349       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
350
351
352
353tpm2-tools                                            tpm2_startauthsession(1)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Context Object Format

Authorization Formatting

COMMON OPTIONS

TCTI Configuration

TCTI OPTIONS

Returns

BUGS

HELP