tpm2_pcrread(1)             General Commands Manual            tpm2_pcrread(1)

NAME

       tpm2_pcrread(1) - List PCR values.

SYNOPSIS

       tpm2_pcrread [OPTIONS] PCR_LIST_OR_ALG

DESCRIPTION

       tpm2_pcrread(1) - Displays PCR values. Without any arguments,
       tpm2_pcrread(1) outputs all PCRs and their hash banks. One can specify
       the hash algorithm or a PCR list as an argument to filter the output.

       To only output PCR banks with a given algorithm, specify the hashing
       algorithm as the argument. Algorithms should follow the “formatting
       standards”; see section “Algorithm Specifiers”. Also see section
       “Supported Hash Algorithms” for a list of supported hash algorithms.

       To output a list of PCR banks (sha1, sha256, etc.) and ids (0, 1, 2,
       etc.), specify a PCR selection list as the argument, as specified in
       section “PCR Bank Specifiers”.

       Also read the NOTES section below.

       Output is written in YAML format to stdout, with each algorithm
       followed by a PCR index and its value. As a simple example, assume
       just sha1 and sha256 support and only 1 PCR. The output would be:

              $ tpm2_pcrread sha1:0+sha256:0
              sha1 :
                0  : 0000000000000000000000000000000000000003
              sha256 :
                0  : 0000000000000000000000000000000000000000000000000000000000000003

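       A defender reading PCR values usually wants to check them, not just
       print them: that the output covers every PCR that was requested, that
       each digest has the length its bank implies (40 hex characters for
       sha1, 64 for sha256), and that the values match a previously recorded
       baseline. The following is an added example, not code from tpm2-tools;
       it parses the selection-list syntax used above (sha1:0+sha256:0) and
       the YAML the tool prints, then compares against a constructed baseline.
       The SAMPLE_OUTPUT is the man page's own example, and the BASELINE
       values are constructed for the demonstration.

```python
import re

# Digest length in hex characters for each bank the man page lists as supported.
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64, "sha384": 96, "sha512": 128, "sm3_256": 64}
MAX_PCR_INDEX = 23  # "most TPMs" expose 24 PCRs (see NOTES)

# Constructed sample: the man page's own two-bank, one-PCR output.
SAMPLE_OUTPUT = """\
sha1 :
  0  : 0000000000000000000000000000000000000003
sha256 :
  0  : 0000000000000000000000000000000000000000000000000000000000000003
"""

# Constructed golden values a verifier would have recorded earlier (hypothetical).
BASELINE = {
    ("sha1", 0): "0" * 39 + "3",
    ("sha256", 0): "0" * 63 + "3",
}


def parse_pcr_selection(spec):
    """Parse 'bank:idx,idx+bank:idx,...' (e.g. sha1:16,17+sha256:16) into {bank: [idx...]}.

    A bare algorithm name such as 'sha1' is the tool's *bank filter* form, not a
    selection list, so it is rejected here on purpose.
    """
    selection = {}
    for bank_spec in spec.split("+"):
        bank, sep, ids = bank_spec.partition(":")
        bank = bank.strip().lower()
        if bank not in DIGEST_HEX_LEN:
            raise ValueError(f"unsupported bank: {bank!r}")
        if not sep or not ids:
            raise ValueError(f"bank {bank!r} has no PCR list")
        for item in ids.split(","):
            idx = int(item, 0)  # accepts decimal (16) or hex (0x10)
            if not 0 <= idx <= MAX_PCR_INDEX:
                raise ValueError(f"PCR index {idx} out of range")
            selection.setdefault(bank, set()).add(idx)
    return {b: sorted(s) for b, s in selection.items()}


_BANK_LINE = re.compile(r"^(\S+)\s*:\s*$")                     # "sha1 :"
_PCR_LINE = re.compile(r"^\s+(\d+)\s*:\s*([0-9A-Fa-f]+)\s*$")  # "  0  : 00..03"


def parse_pcrread_output(text):
    """Parse tpm2_pcrread's YAML into {bank: {index: lowercase hex digest}}."""
    result, bank = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _BANK_LINE.match(raw)
        if m:
            bank = m.group(1).lower()
            result.setdefault(bank, {})
            continue
        m = _PCR_LINE.match(raw)
        if m and bank is not None:
            result[bank][int(m.group(1))] = m.group(2).lower()
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return result


def verify_pcrs(selection, output, baseline):
    """Return findings for requested PCRs that are missing, malformed or changed."""
    findings = []
    for bank, indexes in selection.items():
        for idx in indexes:
            digest = output.get(bank, {}).get(idx)
            if digest is None:
                findings.append(f"{bank}:{idx} missing from output")
            elif len(digest) != DIGEST_HEX_LEN[bank]:
                findings.append(f"{bank}:{idx} has {len(digest)} hex chars, expected {DIGEST_HEX_LEN[bank]}")
            elif (bank, idx) not in baseline:
                findings.append(f"{bank}:{idx} has no baseline value")
            elif digest != baseline[(bank, idx)].lower():
                findings.append(f"{bank}:{idx} differs from baseline")
    return findings


if __name__ == "__main__":
    requested = parse_pcr_selection("sha1:0+sha256:0")
    observed = parse_pcrread_output(SAMPLE_OUTPUT)
    for line in verify_pcrs(requested, observed, BASELINE) or ["all requested PCRs match the baseline"]:
        print(line)
```

       In practice SAMPLE_OUTPUT would be replaced by the captured stdout of
       `tpm2_pcrread <selection>`; keeping the selection string and the parsed
       output side by side is what lets the check notice a bank or index that
       the TPM silently did not return.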

OPTIONS

       -o, --output=FILE:

         Optional. The output file to which the PCR values are written in
         binary format.

       -F, --pcrs_format=FORMAT:

         Format selection for the binary blob in the PCR output file.
         `values' will output a binary blob of the PCR values. `serialized'
         will output a binary blob of the PCR values in the form of a
         serialized data structure in little-endian format. Optional.
         Default is `values'.


COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       -h, --help=[man|no-man]: Display the tool's manpage. By default, it
         attempts to invoke the manpager for the tool; however, on failure it
         will output a short tool summary. This is the same behavior if the
         “man” option argument is specified; however, if “man” is explicitly
         requested, the tool will provide errors from man on stderr. If the
         “no-man” option is specified, or the manpager fails, the short
         options will be output to stdout.

         To successfully use the manpages feature requires the manpages to be
         installed or on MANPATH. See man(1) for more details.

       -v, --version: Display version information for this tool and the
         supported TCTIs, then exit.

       -V, --verbose: Increase the information that the tool prints to the
         console during its execution. When using this option, the file and
         line number are printed.

       -Q, --quiet: Silence normal tool output to stdout.

       -Z, --enable-errata: Enable the application of errata fixups. Useful
         if an errata fixup needs to be applied to commands sent to the TPM.
         Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
         equivalent.


TCTI Configuration

       The TCTI or “Transmission Interface” is the communication mechanism
       with the TPM. TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       • tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
         abrmd as a tcti name are synonymous.

       • mssim - Typically used for communicating to the TPM software
         simulator.

       • device - Used when talking directly to a TPM device file.

       • none - Do not initialize a connection with the TPM. Some tools allow
         for off-TPM options and thus support not using a TCTI. Tools that do
         not support it will error when used without a TCTI connection. Does
         not support ANY options and MUST BE presented as the exact text of
         “none”.

       The arguments to either the command line option or the environment
       variable are in the form:

       <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that
       portion respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics. The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
       what TCTI will be chosen as the default by using the -v option to print
       the version information. The “default-tcti” key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded. The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup. Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.


TCTI OPTIONS

       This collection of options is used to configure the various known TCTI
       modules available:

       device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified. The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="device:/dev/tpm0"

       mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified. The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or
         export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       abrmd: For the abrmd TCTI, the configuration string format is a
         series of simple key value pairs separated by a `,' character. Each
         key and value string is separated by a `=' character.

         • TCTI abrmd supports two keys:

           1. `bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. `bus_type' : The type of the dbus instance (a string) limited to
              `session' and `system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

                --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti and a config string of
         bus_type=session (an empty tcti-name selects the default):

                --tcti=:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.

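       Because the TCTI string decides which process or device the tool talks
       to (a resource manager on D-Bus, a simulator socket, or a raw
       character device), it is worth validating before a script hands it to
       the tools. The following is an added example, not code from
       tpm2-tools; it applies the rules stated in the two TCTI sections above:
       -T/--tcti overrides TPM2TOOLS_TCTI, the value is
       <tcti-name>:<tcti-option-config>, an empty portion selects the default,
       abrmd and tabrmd are synonyms and take only bus_name and bus_type
       (session or system), mssim takes host and port with defaults 127.0.0.1
       and 2321, device takes a path with default /dev/tpm0, and “none” must
       be the exact text with no options. The name used when the tcti-name is
       empty (DEFAULT_TCTI = "tabrmd") is an assumption taken from the first
       entry of the documented search order; on a real system the -v output's
       “default-tcti” key is authoritative.

```python
# Assumption: "tabrmd" is the first entry in the documented search order (tabrmd, device, mssim).
DEFAULT_TCTI = "tabrmd"
DEFAULT_DEVICE = "/dev/tpm0"
DEFAULT_MSSIM = {"host": "127.0.0.1", "port": 2321}


def resolve_tcti(cli_value=None, env=None):
    """Return the TCTI string to use: -T/--tcti wins over TPM2TOOLS_TCTI; None if neither is set."""
    if cli_value is not None:
        return cli_value
    return (env or {}).get("TPM2TOOLS_TCTI")


def _parse_kv(conf):
    """Split 'k=v,k=v' into a dict; an empty config yields no options."""
    opts = {}
    for pair in filter(None, conf.split(",")):
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"bad key=value pair: {pair!r}")
        opts[key] = value
    return opts


def _parse_abrmd(conf):
    """abrmd/tabrmd accept only bus_name and bus_type; bus_type is session or system."""
    opts = _parse_kv(conf)
    unknown = set(opts) - {"bus_name", "bus_type"}
    if unknown:
        raise ValueError(f"abrmd supports only bus_name and bus_type, got {sorted(unknown)}")
    if "bus_type" in opts and opts["bus_type"] not in ("session", "system"):
        raise ValueError("bus_type must be 'session' or 'system'")
    return opts


def _parse_mssim(conf):
    """mssim accepts host and port; missing values fall back to 127.0.0.1 and 2321."""
    opts = _parse_kv(conf)
    unknown = set(opts) - {"host", "port"}
    if unknown:
        raise ValueError(f"mssim supports only host and port, got {sorted(unknown)}")
    port = int(opts.get("port", DEFAULT_MSSIM["port"]))
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return {"host": opts.get("host", DEFAULT_MSSIM["host"]), "port": port}


def parse_tcti(spec):
    """Validate '<tcti-name>:<tcti-option-config>' and return (name, options)."""
    if spec is None:
        return DEFAULT_TCTI, {}
    if spec == "none":
        return "none", {}
    name, _, conf = spec.partition(":")
    if name == "none":
        raise ValueError('"none" takes no options and must be the exact text "none"')
    name = name or DEFAULT_TCTI        # empty tcti-name -> default TCTI
    if name == "abrmd":                # abrmd and tabrmd are synonyms
        name = "tabrmd"
    if name == "tabrmd":
        return name, _parse_abrmd(conf)
    if name == "mssim":
        return name, _parse_mssim(conf)
    if name == "device":
        return name, {"device": conf or DEFAULT_DEVICE}
    # Anything else is handed to dlopen(3) as a library name or path; pass the config through.
    return name, {"config": conf}


def rejects(spec):
    """True if parse_tcti refuses the spec (helper for the checks below)."""
    try:
        parse_tcti(spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    import os
    chosen = resolve_tcti(None, os.environ)
    print(parse_tcti(chosen))
```

       Run without -T and without TPM2TOOLS_TCTI set, the script reports the
       assumed default; a script that wraps tpm2_pcrread can call
       parse_tcti() on the same string it is about to pass through so that a
       malformed or unexpected TCTI is caught before the tool runs.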
       PCR bank specifiers (common/pcr.md)


Supported Hash Algorithms

       Supported hash algorithms are:

       • 0x4 or sha1 for TPM_ALG_SHA1

       • 0xB or sha256 for TPM_ALG_SHA256 (default)

       • 0xC or sha384 for TPM_ALG_SHA384

       • 0xD or sha512 for TPM_ALG_SHA512

       • 0x12 or sm3_256 for TPM_ALG_SM3_256

       NOTE: Your TPM may not support all algorithms.


Algorithm Specifiers

       Options that take algorithms support “nice-names”.

       There are two major algorithm specification string classes, simple and
       complex. Only certain algorithms will be accepted by the TPM, based on
       usage and conditions.

   Simple specifiers
       These are strings with no additional specification data. When creating
       objects, non-specified portions of an object are assumed to defaults.
       You can find the list of known simple specifiers below.

   Asymmetric
       • rsa

       • ecc

   Symmetric
       • aes

       • camellia

   Hashing Algorithms
       • sha1

       • sha256

       • sha384

       • sha512

       • sm3_256

       • sha3_256

       • sha3_384

       • sha3_512

   Keyed Hash
       • hmac

       • xor

   Signing Schemes
       • rsassa

       • rsapss

       • ecdsa

       • ecdaa

       • ecschnorr

   Asymmetric Encryption Schemes
       • oaep

       • rsaes

       • ecdh

   Modes
       • ctr

       • ofb

       • cbc

       • cfb

       • ecb

   Misc
       • null

   Complex Specifiers
       Objects, when specified for creation by the TPM, have numerous
       algorithms to populate in the public data: things like type, scheme,
       asymmetric details, key size, etc. Below is the general format for
       specifying this data: <type>:<scheme>:<symmetric-details>

   Type Specifiers
       This portion of the complex algorithm specifier is required. The
       remaining scheme and symmetric details will default based on the type
       specified and the type of the object being created.

       • aes - Default AES: aes128

       • aes128<mode> - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
         If mode is not specified, defaults to null.

       • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.

       • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.

       • ecc - Elliptic Curve, defaults to ecc256.

       • ecc192 - 192 bit ECC

       • ecc224 - 224 bit ECC

       • ecc256 - 256 bit ECC

       • ecc384 - 384 bit ECC

       • ecc521 - 521 bit ECC

       • rsa - Default RSA: rsa2048

       • rsa1024 - RSA with 1024 bit keysize.

       • rsa2048 - RSA with 2048 bit keysize.

       • rsa4096 - RSA with 4096 bit keysize.

   Scheme Specifiers
       This is an optional field and can be skipped.

       Schemes are usually Signing Schemes or Asymmetric Encryption Schemes.
       Most signing schemes take a hash algorithm directly following the
       signing scheme. If the hash algorithm is missing, it defaults to
       sha256. Some take no arguments, and some take multiple arguments.

   Hash Optional Scheme Specifiers
       These scheme specifiers are followed by a dash and a valid hash
       algorithm, for example: oaep-sha256.

       • oaep

       • ecdh

       • rsassa

       • rsapss

       • ecdsa

       • ecschnorr

   Multiple Option Scheme Specifiers
       This scheme specifier is followed by a count (max size UINT16) then
       followed by a dash (-) and a valid hash algorithm. If no count is
       specified, it defaults to 4.

       • ecdaa - For example, ecdaa4-sha256.

   No Option Scheme Specifiers
       This scheme specifier takes NO arguments.

       • rsaes

   Symmetric Details Specifiers
       This field is optional, and defaults based on the type of object being
       created and its attributes. Generally, any valid Symmetric specifier
       from the Type Specifiers list should work. If not specified, an
       asymmetric object's symmetric details default to aes128cfb.

   Examples
   Create an rsa2048 key with an rsaes asymmetric encryption scheme
       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv

   Create an ecc256 key with an ecdaa signing scheme with a count of 4 and
   sha384 hash
       tpm2_create -C parent.ctx -G ecc256:ecdaa4-sha384 -u key.pub -r key.priv

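       The complex specifier grammar above is compact enough that its
       defaults are easy to get wrong when reading a key-creation command in
       a review (which hash did rsassa end up with, which symmetric cipher
       protects an asymmetric object). The following is an added example, not
       code from tpm2-tools; it parses <type>:<scheme>:<symmetric-details>
       using only the rules stated in this section, fills in the documented
       defaults (ecc → ecc256, rsa → rsa2048, aes → aes128 with null mode,
       missing hash → sha256, missing ecdaa count → 4, missing symmetric
       details on an asymmetric object → aes128cfb) and rejects what the text
       rules out (an argument after rsaes, an ecdaa count above UINT16, a key
       size not in the list). camellia is listed as a simple specifier but has
       no documented type rules, so it is not handled.

```python
import re

# Names taken from the "Hashing Algorithms", "Modes", scheme and type lists above.
HASHES = {"sha1", "sha256", "sha384", "sha512", "sm3_256", "sha3_256", "sha3_384", "sha3_512"}
AES_MODES = {"ctr", "ofb", "cbc", "cfb", "ecb"}
HASH_OPTIONAL_SCHEMES = {"oaep", "ecdh", "rsassa", "rsapss", "ecdsa", "ecschnorr"}
NO_OPTION_SCHEMES = {"rsaes"}
ECC_SIZES = {192, 224, 256, 384, 521}
RSA_SIZES = {1024, 2048, 4096}
UINT16_MAX = 0xFFFF

_AES_RE = re.compile(r"^aes(?:(128|192|256)([a-z]*))?$")
_ASYM_RE = re.compile(r"^(ecc|rsa)(\d*)$")


def parse_symmetric(token):
    """aes -> aes128 with null mode; aes<bits><mode> -> given size, mode defaults to null."""
    m = _AES_RE.match(token)
    if not m:
        raise ValueError(f"not a symmetric specifier: {token!r}")
    bits = int(m.group(1) or 128)
    mode = m.group(2) or "null"
    if mode != "null" and mode not in AES_MODES:
        raise ValueError(f"unknown AES mode: {mode!r}")
    return {"alg": "aes", "bits": bits, "mode": mode}


def parse_type(token):
    """Required <type> field: aes*, ecc[size] or rsa[size]."""
    if token.startswith("aes"):
        return parse_symmetric(token)
    m = _ASYM_RE.match(token)
    if not m:
        raise ValueError(f"unknown type specifier: {token!r}")
    alg, size = m.group(1), m.group(2)
    if alg == "ecc":
        bits, allowed = int(size or 256), ECC_SIZES      # ecc defaults to ecc256
    else:
        bits, allowed = int(size or 2048), RSA_SIZES     # rsa defaults to rsa2048
    if bits not in allowed:
        raise ValueError(f"unsupported {alg} key size: {bits}")
    return {"alg": alg, "bits": bits}


def parse_scheme(token):
    """Optional <scheme> field: hash-optional, ecdaa<count>-<hash>, or argument-less."""
    if token in NO_OPTION_SCHEMES:
        return {"scheme": token}
    name, _, hash_alg = token.partition("-")
    hash_alg = hash_alg or "sha256"      # a missing hash defaults to sha256
    if hash_alg not in HASHES:
        raise ValueError(f"unknown hash algorithm: {hash_alg!r}")
    m = re.match(r"^ecdaa(\d*)$", name)
    if m:
        count = int(m.group(1) or 4)     # ecdaa count defaults to 4
        if count > UINT16_MAX:
            raise ValueError(f"ecdaa count {count} exceeds UINT16")
        return {"scheme": "ecdaa", "count": count, "hash": hash_alg}
    if name in HASH_OPTIONAL_SCHEMES:
        return {"scheme": name, "hash": hash_alg}
    # Covers rsaes followed by an argument, and anything not listed above.
    raise ValueError(f"unknown scheme specifier: {token!r}")


def parse_alg_spec(spec):
    """Parse '<type>[:<scheme>[:<symmetric-details>]]' and fill in the documented defaults."""
    parts = spec.split(":")
    if len(parts) > 3 or not parts[0]:
        raise ValueError(f"malformed specifier: {spec!r}")
    result = {"type": parse_type(parts[0])}
    if len(parts) > 1 and parts[1]:
        result["scheme"] = parse_scheme(parts[1])
    if result["type"]["alg"] in ("rsa", "ecc"):
        # An asymmetric object's symmetric details default to aes128cfb.
        sym = parts[2] if len(parts) > 2 and parts[2] else "aes128cfb"
        result["symmetric"] = parse_symmetric(sym)
    elif len(parts) > 2 and parts[2]:
        result["symmetric"] = parse_symmetric(parts[2])
    return result


def rejects(spec):
    """True if parse_alg_spec refuses the specifier (helper for the checks below)."""
    try:
        parse_alg_spec(spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for example in ("rsa2048:rsaes", "ecc256:ecdaa4-sha384", "rsa:rsassa", "aes256cbc"):
        print(example, "->", parse_alg_spec(example))
```

       The two man-page examples expand to rsa2048 + rsaes + aes128cfb and
       ecc256 + ecdaa(count 4, sha384) + aes128cfb; the point of the
       expansion is that every defaulted field becomes visible when the
       command is reviewed.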

EXAMPLES

   Display all PCR values
              tpm2_pcrread

   Display the PCR values with a specified bank
              tpm2_pcrread sha1

   Display the PCR values with specified banks and store in a file
              tpm2_pcrread -o pcrs sha1:16,17,18+sha256:16,17,18

   Display the supported PCR bank algorithms and exit
              tpm2_pcrread


NOTES

       The maximum number of PCRs that can be dumped at once is associated
       with the maximum length of a bank.

       On most TPMs, it means that this tool can dump up to 24 PCRs at once.


Returns

       Tools can return any of the following codes:

       • 0 - Success.

       • 1 - General non-specific error.

       • 2 - Options handling error.

       • 3 - Authentication error.

       • 4 - TCTI related error.

       • 5 - Non supported scheme. Applicable to tpm2_testparams.


BUGS

       GitHub Issues (https://github.com/tpm2-software/tpm2-tools/issues)


HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)



tpm2-tools                                                     tpm2_pcrread(1)