tpm2_policycountertimer(1)   General Commands Manual   tpm2_policycountertimer(1)

NAME
tpm2_policycountertimer(1) - Enables policy authorization by evaluating
a comparison operation on the TPM parameters time, clock, reset count,
restart count and TPM clock safe flag.

SYNOPSIS
tpm2_policycountertimer [OPTIONS] [ARGUMENT]

DESCRIPTION
tpm2_policycountertimer(1) - Enables policy authorization by evaluating
a comparison operation on the TPM parameters time, clock, reset count,
restart count and TPM clock safe flag. The time and clock values are
given in milliseconds. The parameter and the value are given as a
command line argument as below:

tpm2_policycountertimer -S session.ctx safe
tpm2_policycountertimer -S session.ctx clock=<N ms>
tpm2_policycountertimer -S session.ctx time=<N ms>
tpm2_policycountertimer -S session.ctx resets=<N>
tpm2_policycountertimer -S session.ctx restarts=<N>

By default the comparison tests for equality, and by default the
parameter tested is time. Note that time counts milliseconds since the
TPM was last initialized and restarts from zero on every TPM reset,
whereas clock is persistent and keeps advancing across resets.

OPTIONS
• -L, --policy=FILE:

File to save the policy digest.

• -S, --session=FILE:

The policy session file generated via the -S option to tpm2_startauthsession
or saved off of a previous tool run.

The remaining options select the comparison operator; at most one is
given. Below, "current value" is the selected TPM parameter (time by
default) at the moment the policy is evaluated, and "input value" is the
value given on the command line. Signed operators compare both values
as two's complement integers, unsigned operators as plain magnitudes.

• --eq

if current value in the TPM = specified input value.

• --neq

if current value in the TPM != specified input value.

• --sgt

if signed current value in the TPM > signed specified input value.

• --ugt

if unsigned current value in the TPM > unsigned specified input value.

• --slt

if signed current value in the TPM < signed specified input value.

• --ult

if unsigned current value in the TPM < unsigned specified input value.

• --sge

if signed current value in the TPM >= signed specified input value.

• --uge

if unsigned current value in the TPM >= unsigned specified input value.

• --sle

if signed current value in the TPM <= signed specified input value.

• --ule

if unsigned current value in the TPM <= unsigned specified input value.

• --bs

if all bits set in the specified input value are also set in the current
value in the TPM, i.e. (current & input) = input.

• --bc

if all bits set in the specified input value are clear in the current
value in the TPM, i.e. (current & input) = 0.

References

COMMON OPTIONS
This collection of options is common to many programs and provides
information that many users may expect.

• -h, --help=[man|no-man]: Display the tool's manpage. By default, it
attempts to invoke the manpager for the tool, however, on failure
will output a short tool summary. This is the same behavior if the
“man” option argument is specified, however if explicit “man” is
requested, the tool will provide errors from man on stderr. If the
“no-man” option is specified, or the manpager fails, the short
options will be output to stdout.

To successfully use the manpages feature requires the manpages to be
installed or on MANPATH, See man(1) for more details.

• -v, --version: Display version information for this tool, supported
tctis and exit.

• -V, --verbose: Increase the information that the tool prints to the
console during its execution. When using this option the file and
line number are printed.

• -Q, --quiet: Silence normal tool output to stdout.

• -Z, --enable-errata: Enable the application of errata fixups. Useful
if an errata fixup needs to be applied to commands sent to the TPM.
Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is equivalent.

TCTI Configuration
The TCTI or “Transmission Interface” is the communication mechanism
with the TPM. TCTIs can be changed for communication with TPMs across
different mediums.

To control the TCTI, the tools respect:

1. The command line option -T or --tcti

2. The environment variable: TPM2TOOLS_TCTI.

Note: The command line option always overrides the environment variable.

The current known TCTIs are:

• tabrmd - The resource manager, called tabrmd
(https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
abrmd as a tcti name are synonymous.

• mssim - Typically used for communicating to the TPM software simulator.

• device - Used when talking directly to a TPM device file.

• none - Do not initialize a connection with the TPM. Some tools allow
for off-tpm options and thus support not using a TCTI. Tools that do
not support it will error when attempted to be used without a TCTI
connection. Does not support ANY options and MUST BE presented as
the exact text of “none”.

The arguments to either the command line option or the environment
variable are in the form:

<tcti-name>:<tcti-option-config>

Specifying an empty string for either the <tcti-name> or
<tcti-option-config> results in the default being used for that portion
respectively.

TCTI Defaults
When a TCTI is not specified, the default TCTI is searched for using
dlopen(3) semantics. The tools will search for tabrmd, device and
mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
what TCTI will be chosen as the default by using the -v option to print
the version information. The “default-tcti” key-value pair will indicate
which of the aforementioned TCTIs is the default.

Custom TCTIs
Any TCTI that implements the dynamic TCTI interface can be loaded. The
tools internally use dlopen(3), and the raw tcti-name value is used for
the lookup. Thus, this could be a path to the shared library, or a
library name as understood by dlopen(3) semantics.

TCTI OPTIONS
This collection of options is used to configure the various known TCTI
modules available:

• device: For the device TCTI, the TPM character device file for use by
the device TCTI can be specified. The default is /dev/tpm0.

Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="device:/dev/tpm0"

• mssim: For the mssim TCTI, the domain name or IP address and port
number used by the simulator can be specified. The defaults are
127.0.0.1 and 2321.

Example: -T mssim:host=localhost,port=2321 or
export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

• abrmd: For the abrmd TCTI, the configuration string format is a
series of simple key value pairs separated by a `,' character. Each
key and value string are separated by a `=' character.

• TCTI abrmd supports two keys:

1. `bus_name' : The name of the tabrmd service on the bus (a string).

2. `bus_type' : The type of the dbus instance (a string) limited to
`session' and `system'.

Specify the tabrmd tcti name and a config string of
bus_name=com.example.FooBar:

--tcti=tabrmd:bus_name=com.example.FooBar

Specify the default (abrmd) tcti, by leaving the tcti-name empty, and a
config string of bus_type=session:

--tcti=:bus_type=session

NOTE: abrmd and tabrmd are synonymous.

EXAMPLES
Create a sealing object with an authorization policy that evaluates only
during the first minute after the TPM was last initialized (powered on or
reset). The policy tests the default parameter, time, against 60000 ms
with the unsigned less-than operator.

Create the policy and the sealing object. A trial session (the default
for tpm2_startauthsession) is enough to compute the digest:
tpm2_startauthsession -S session.ctx

tpm2_policycountertimer -S session.ctx -L policy.countertimer --ult 60000

tpm2_flushcontext session.ctx

tpm2_createprimary -C o -c prim.ctx -Q

echo "SUPERSECRET" | \
tpm2_create -Q -u key.pub -r key.priv -i- -C prim.ctx \
-L policy.countertimer -a "fixedtpm|fixedparent" -c key.ctx

Unsealing should work in the first minute after TPM startup. The same
operator and operand must be replayed in a real policy session, because
both are part of the policy digest:
tpm2_startauthsession -S session.ctx --policy-session

tpm2_policycountertimer -S session.ctx --ult 60000

tpm2_unseal -c key.ctx -p session:session.ctx

tpm2_flushcontext session.ctx

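The following script is an added example and is not part of tpm2-tools or of this man page. It extends the example above to two further uses of the same command: sealing under a deadline on the TPM clock (which, unlike time, keeps advancing across TPM resets) and sealing bound to the current reset count, so the secret becomes unrecoverable after the next TPM reset. The helper names, file names and the numeric values in the sample tpm2_readclock output are assumptions made for this example; the field layout is the YAML that tpm2_readclock prints.

```shell
#!/usr/bin/env bash
# Added example, not from tpm2-tools: seal a secret under a TPM clock deadline
# and, separately, under the current TPM reset count. Needs tpm2-tools on PATH
# and a TPM (or simulator); nothing talks to the TPM until main runs.
set -eu

# Sample tpm2_readclock output in the YAML layout the tool prints; the values
# are constructed for this example.
SAMPLE_READCLOCK='time: 1276830
clock_info:
  clock: 1276830
  reset_count: 0
  restart_count: 0
  safe: yes'

# time= and clock= operands are milliseconds; convert 500ms / 90s / 15m / 2h /
# 1d (or a bare millisecond count) so deadline arithmetic is not done by hand.
ms_from_duration() {
    d=$1
    case "$d" in
        *ms) echo $(( ${d%ms} )) ;;
        *s)  echo $(( ${d%s} * 1000 )) ;;
        *m)  echo $(( ${d%m} * 60000 )) ;;
        *h)  echo $(( ${d%h} * 3600000 )) ;;
        *d)  echo $(( ${d%d} * 86400000 )) ;;
        *)   echo $(( d )) ;;
    esac
}

# Pick one field (time, clock, reset_count, restart_count, safe) out of
# tpm2_readclock output read from stdin.
readclock_field() {
    awk -v k="$1:" '$1 == k { print $2; exit }'
}

# Compute the policy digest in a trial session. <operand> is a tool operand
# such as clock=N or resets=N, <op> the comparison option, <out> the digest file.
make_countertimer_policy() {
    operand=$1; op=$2; out=$3
    tpm2_startauthsession -S trial.ctx
    tpm2_policycountertimer -S trial.ctx -L "$out" "$op" "$operand"
    tpm2_flushcontext trial.ctx
}

# Seal stdin under policy digest <digest>; objects go to <name>.pub/.priv/.ctx.
# userwithauth is deliberately absent, so only the policy can authorize use.
seal_under_policy() {
    digest=$1; name=$2
    tpm2_createprimary -C o -c prim.ctx -Q
    tpm2_create -Q -C prim.ctx -L "$digest" -a "fixedtpm|fixedparent" \
        -i- -u "$name.pub" -r "$name.priv" -c "$name.ctx"
}

# Satisfy the policy in a real session. Operator and operand are part of the
# digest, so exactly the values used at creation must be repeated here.
unseal_under_policy() {
    operand=$1; op=$2; name=$3
    tpm2_startauthsession -S pol.ctx --policy-session
    tpm2_policycountertimer -S pol.ctx "$op" "$operand"
    tpm2_unseal -c "$name.ctx" -p session:pol.ctx
    tpm2_flushcontext pol.ctx
}

main() {
    # 1. Deadline on clock: unsealable only while TPM clock < now + 1h.
    now=$(tpm2_readclock | readclock_field clock)
    deadline=$(( now + $(ms_from_duration 1h) ))
    make_countertimer_policy "clock=$deadline" --ult policy.clock
    printf 'SUPERSECRET' | seal_under_policy policy.clock deadline
    unseal_under_policy "clock=$deadline" --ult deadline
    echo "deadline (TPM clock, ms): $deadline   # store next to deadline.priv"

    # 2. Bound to the current reset epoch: once reset_count changes (a TPM
    #    reset, typically a platform power cycle) the policy can never pass.
    resets=$(tpm2_readclock | readclock_field reset_count)
    make_countertimer_policy "resets=$resets" --eq policy.resets
    printf 'BOOTSECRET' | seal_under_policy policy.resets epoch
    unseal_under_policy "resets=$resets" --eq epoch
}

# Only touch the TPM when explicitly asked: ./countertimer_demo.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Two practical points follow from the script. The deadline value is not stored in the sealed object, only its digest is, so whoever unseals later must know the exact clock operand and operator; keep them alongside the blob. And the TPM clock only advances while the TPM has power, so a clock deadline bounds accumulated TPM uptime rather than wall-clock time; tpm2_readclock's safe flag additionally reports whether the clock value can be trusted after an unorderly shutdown.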
Returns
Tools can return any of the following codes:

• 0 - Success.

• 1 - General non-specific error.

• 2 - Options handling error.

• 3 - Authentication error.

• 4 - TCTI related error.

• 5 - Unsupported scheme. Applicable to tpm2_testparams.

Limitations
It expects a session to be already established via tpm2_startauthsession(1)
and requires one of the following:

• direct device access

• extended session support with tpm2-abrmd.

Without it, most resource managers will not save session state between
command invocations.

Bugs
Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

Help
See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)


tpm2-tools                                        tpm2_policycountertimer(1)