tpm2_policynamehash(1)

1tpm2_policynamehash(1)      General Commands Manual     tpm2_policynamehash(1)
2
3
4

6       tpm2_policynamehash(1)  -  Couples  a policy with names of specific ob‐
7       jects.
8

10       tpm2_policynamehash [OPTIONS]
11

13       tpm2_policynamehash(1) - Couples a policy with names  of  specific  ob‐
14       jects.  This is a deferred assertion where the hash of the names of all
15       object handles in a TPM command is checked against the one specified in
16       the policy.
17

19       • -L, --policy=FILE:
20
21         File to save the compounded policy digest.
22
23       • -S, --session=FILE:
24
25         The  policy  session  file  generated via the -S option to tpm2_star‐
26         tauthsession(1).
27
28       • -n, --name=FILE:
29
30         The file containing the name hash of the referenced objects.
31
32   References

34       This collection of options are common to many programs and provide  in‐
35       formation that many users may expect.
36
37       • -h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
38         attempts to invoke the manpager for the  tool,  however,  on  failure
39         will  output  a short tool summary.  This is the same behavior if the
40         “man” option argument is specified, however if explicit “man” is  re‐
41         quested,  the  tool  will  provide errors from man on stderr.  If the
42         “no-man” option if specified, or the manpager fails,  the  short  op‐
43         tions will be output to stdout.
44
45         To  successfully use the manpages feature requires the manpages to be
46         installed or on MANPATH, See man(1) for more details.
47
48       • -v, --version: Display version information for this  tool,  supported
49         tctis and exit.
50
51       • -V,  --verbose:  Increase the information that the tool prints to the
52         console during its execution.  When using this option  the  file  and
53         line number are printed.
54
55       • -Q, --quiet: Silence normal tool output to stdout.
56
57       • -Z, --enable-errata: Enable the application of errata fixups.  Useful
58         if an errata fixup needs to be applied to commands sent to  the  TPM.
59         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
60         formation many users may expect.
61

63       The TCTI or “Transmission Interface”  is  the  communication  mechanism
64       with  the TPM.  TCTIs can be changed for communication with TPMs across
65       different mediums.
66
67       To control the TCTI, the tools respect:
68
69       1. The command line option -T or --tcti
70
71       2. The environment variable: TPM2TOOLS_TCTI.
72
73       Note: The command line option always overrides  the  environment  vari‐
74       able.
75
76       The current known TCTIs are:
77
78       • tabrmd      -     The     resource     manager,     called     tabrmd
79         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
80         abrmd as a tcti name are synonymous.
81
82       • mssim  - Typically used for communicating to the TPM software simula‐
83         tor.
84
85       • device - Used when talking directly to a TPM device file.
86
87       • none - Do not initalize a connection with the TPM.  Some tools  allow
88         for off-tpm options and thus support not using a TCTI.  Tools that do
89         not support it will error when attempted to be used  without  a  TCTI
90         connection.   Does  not  support ANY options and MUST BE presented as
91         the exact text of “none”.
92
93       The arguments to either the command  line  option  or  the  environment
94       variable are in the form:
95
96       <tcti-name>:<tcti-option-config>
97
98       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
99       tion-config> results in the default being used for that portion respec‐
100       tively.
101
102   TCTI Defaults
103       When  a  TCTI  is not specified, the default TCTI is searched for using
104       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
105       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
106       what TCTI will be chosen as the default by using the -v option to print
107       the  version information.  The “default-tcti” key-value pair will indi‐
108       cate which of the aforementioned TCTIs is the default.
109
110   Custom TCTIs
111       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
112       tools internally use dlopen(3), and the raw tcti-name value is used for
113       the lookup.  Thus, this could be a path to the shared library, or a li‐
114       brary name as understood by dlopen(3) semantics.
115

117       This collection of options are used to configure the various known TCTI
118       modules available:
119
120       • device: For the device TCTI, the TPM character device file for use by
121         the device TCTI can be specified.  The default is /dev/tpm0.
122
123         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI=“de‐
124         vice:/dev/tpm0”
125
126       • mssim: For the mssim TCTI, the domain name or  IP  address  and  port
127         number  used  by  the  simulator  can  be specified.  The default are
128         127.0.0.1 and 2321.
129
130         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
131         TI=“mssim:host=localhost,port=2321”
132
133       • abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
134         ries of simple key value pairs separated by a  `,'  character.   Each
135         key and value string are separated by a `=' character.
136
137         • TCTI abrmd supports two keys:
138
139           1. `bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
140              string).
141
142           2. `bus_type' : The type of the dbus instance (a string) limited to
143              `session' and `system'.
144
145         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
146         ample.FooBar:
147
148                \--tcti=tabrmd:bus_name=com.example.FooBar
149
150         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
151         sion:
152
153                \--tcti:bus_type=session
154
155         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
156         ules.
157

159       Restrict key duplication to specific new parent and specific duplicable
160       key.
161

163              openssl genrsa -out signing_key_private.pem 2048
164
165              openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
166
167              tpm2_loadexternal -G rsa -C o -u signing_key_public.pem -c signing_key.ctx \
168              -n signing_key.name
169
170              tpm2_startauthsession -S session.ctx -g sha256
171
172              tpm2_policyauthorize -S session.ctx -L authorized.policy -n signing_key.name
173
174              tpm2_policycommandcode -S session.ctx -L policy.dat TPM2_CC_Duplicate
175
176              tpm2_flushcontext session.ctx
177
178              tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx -Q
179
180              ## The duplicable key
181              tpm2_create -Q -C primary.ctx -g sha256 -G rsa -r key.prv -u key.pub \
182              -L policy.dat -a "sensitivedataorigin|sign|decrypt"
183
184              tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx
185

187              tpm2_create -Q -C primary.ctx -g sha256 -G rsa -r new_parent.prv \
188              -u new_parent.pub \
189              -a "decrypt|fixedparent|fixedtpm|restricted|sensitivedataorigin"
190
191              tpm2_loadexternal -Q -C o -u new_parent.pub -c new_parent.ctx
192

194
195              tpm2_readpublic -Q -c new_parent.ctx -n new_parent.name
196
197              tpm2_readpublic -Q -c key.ctx -n key.name
198
199              cat key.name new_parent.name | openssl dgst -sha256 -binary > name.hash
200
201              tpm2_startauthsession -S session.ctx -g sha256
202
203              tpm2_policynamehash -L policy.namehash -S session.ctx -n name.hash
204
205              tpm2_flushcontext session.ctx
206
207              openssl dgst -sha256 -sign signing_key_private.pem \
208              -out policynamehash.signature policy.namehash
209
210              tpm2_startauthsession -S session.ctx -g sha256
211
212              tpm2_policyauthorize -S session.ctx -L authorized.policy -i policy.namehash \
213              -n signing_key.name
214
215              tpm2_policycommandcode -S session.ctx -L policy.dat TPM2_CC_Duplicate
216
217              tpm2_flushcontext session.ctx
218

220              tpm2_verifysignature -c signing_key.ctx -g sha256 -m policy.namehash \
221              -s policynamehash.signature -t verification.tkt -f rsassa
222
223              tpm2_startauthsession -S session.ctx --policy-session -g sha256
224
225              tpm2_policynamehash -S session.ctx -n name.hash
226
227              tpm2_policyauthorize -S session.ctx -i policy.namehash -n signing_key.name \
228              -t verification.tkt
229
230              tpm2_policycommandcode -S session.ctx TPM2_CC_Duplicate
231
232              tpm2_duplicate -C new_parent.ctx -c key.ctx -G null -p "session:session.ctx" \
233              -r dupprv.bin -s dupseed.dat
234
235              tpm2_flushcontext session.ctx
236

238       Tools can return any of the following codes:
239
240       • 0 - Success.
241
242       • 1 - General non-specific error.
243
244       • 2 - Options handling error.
245
246       • 3 - Authentication error.
247
248       • 4 - TCTI related error.
249
250       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
251

253       It expects a session to be already established  via  tpm2_startauthses‐
254       sion(1) and requires one of the following:
255
256       • direct device access
257
258       • extended session support with tpm2-abrmd.
259
260       Without  it, most resource managers will not save session state between
261       command invocations.
262

264       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
265

267       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
268
269
270
271tpm2-tools                                              tpm2_policynamehash(1)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

COMMON OPTIONS

TCTI Configuration

TCTI OPTIONS

EXAMPLES

Generate a duplicable object

Create the new parent

Modify the duplicable key policy to namehash policy to restrict parent and key

Satisfy the policy and attempt key duplication

Returns

Limitations

BUGS

HELP