tpm2_print(1) General Commands Manual tpm2_print(1)

NAME
tpm2_print(1) - Prints TPM data structures

SYNOPSIS
tpm2_print [OPTIONS] [ARGUMENT or STDIN]

DESCRIPTION
tpm2_print(1) - Decodes a TPM data structure and prints the enclosed
elements to stdout as YAML. A file path containing a TPM object may be
specified as the path argument. Reads from stdin if unspecified.

OPTIONS
• -t, --type:
Required. Type of data structure. The option supports the following
arguments:

• TPMS_ATTEST

• TPMS_CONTEXT

• TPM2B_PUBLIC

• TPMT_PUBLIC

• ARGUMENT the command line argument specifies the path of the TPM
data.

• -f, --format:

Output format for a public key. `tss' (the default) prints the decoded
structure as YAML. `pem' will output an OpenSSL compatible PEM encoded
public key. `der' will output an OpenSSL compatible DER encoded public
key. `tpmt' will output a binary blob of the TPMT_PUBLIC struct as
defined by the TPM 2.0 specification. All output goes to stdout, so
redirect the binary `der' and `tpmt' forms to a file.

This only works if option --type/-t is set to TPM2B_PUBLIC or
TPMT_PUBLIC.

References
Context Object Format
The type of a context object, whether it is a handle or file name, is
determined according to the following logic in-order:

• If the argument is a file path, then the file is loaded as a restored
TPM transient object.

• If the argument is a prefix match on one of:

• owner: the owner hierarchy

• platform: the platform hierarchy

• endorsement: the endorsement hierarchy

• lockout: the lockout control persistent object

• If the argument can be loaded as a number it will be treated as a
handle, e.g. 0x81010013, and used directly.

Authorization Formatting
Authorization for use of an object in TPM2.0 can come in 3 different
forms:

1. Password

2. HMAC

3. Sessions

NOTE: Authorizations default to the EMPTY PASSWORD when not specified.

Passwords
Passwords are interpreted in the following forms below using prefix
identifiers.

Note: By default passwords are assumed to be in the string form when
they do not have a prefix.

String
A string password, specified by prefix “str:” or its absence (raw
string without prefix) is not interpreted, and is directly used for
authorization.

Examples
foobar
str:foobar

Hex-string
A hex-string password, specified by prefix “hex:” is converted from a
hexadecimal form into a byte array form, thus allowing passwords with
non-printable and/or terminal un-friendly characters.

Example
hex:0x1122334455667788

File
A file based password, specified by prefix “file:” should be the path
of a file containing the password to be read by the tool or a “-” to
use stdin. Storing passwords in files prevents information leakage:
passwords passed as options can be read from the process list or common
shell history features.

Examples
# to use stdin and be prompted
file:-

# to use a file from a path
file:path/to/password/file

# to echo a password via stdin:
echo foobar | tpm2_tool -p file:-

# to use a bash here-string via stdin:

tpm2_tool -p file:- <<< foobar

Note that a literal password in an echo or here-string still lands in
the shell history; prefer a file or the interactive prompt when that
matters.

Sessions
When using a policy session to authorize the use of an object, prefix
the option argument with the session keyword. Then indicate a path to
a session file that was created with tpm2_startauthsession(1).
Optionally, if the session requires an auth value to be sent with the
session handle (eg policy password), then append a + and a string as
described in the Passwords section.

Examples
To use a session context file called session.ctx.

session:session.ctx

To use a session context file called session.ctx AND send the authvalue
mypassword.

session:session.ctx+mypassword

To use a session context file called session.ctx AND send the HEX
authvalue 0x11223344.

session:session.ctx+hex:11223344

PCR Authorizations
You can satisfy a PCR policy using the “pcr:” prefix and the PCR
minilanguage. The PCR minilanguage is as follows:
<pcr-spec>=<raw-pcr-file>

The PCR spec is documented in the section “PCR bank specifiers”
(pcr.md).

The raw-pcr-file is an optional argument that contains the output of
the raw PCR contents as returned by tpm2_pcrread(1).

Examples
To satisfy a PCR policy over PCRs 0, 1, 2 and 3 of the sha256 bank use
a specifier of:

pcr:sha256:0,1,2,3

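An added example, not tpm2-tools code, that parses the authorization syntax above into a structured description: the three password prefixes, session:<file>[+auth] where the part after `+' is itself in password syntax, and pcr:<spec>[=<raw-pcr-file>], with several banks joined by `+' as in the tpm2_quote -l example later on this page. It returns a description instead of reading files or talking to a TPM; the even-digit check on hex: input and the kind/value names are this example's own.

```python
"""Parse the tpm2-tools authorization mini-language (str:, hex:, file:,
session:<ctx>[+auth], pcr:<spec>[=<raw-pcr-file>]) into a dict.
Added example, not tpm2-tools code; it describes the authorization and
performs no I/O."""
import binascii


def parse_password(spec):
    """Password forms: no prefix or 'str:' is used verbatim; 'hex:' (with
    or without a 0x) becomes raw bytes; 'file:' names a file or '-' for stdin."""
    if spec.startswith("str:"):
        return {"kind": "string", "value": spec[4:].encode()}
    if spec.startswith("hex:"):
        digits = spec[4:]
        if digits.lower().startswith("0x"):
            digits = digits[2:]
        if not digits or len(digits) % 2:
            # this example's own check: an odd digit count is never valid hex
            raise ValueError("hex: password needs an even number of hex digits")
        return {"kind": "bytes", "value": binascii.unhexlify(digits)}
    if spec.startswith("file:"):
        path = spec[5:]
        return {"kind": "stdin" if path == "-" else "file", "path": path}
    # no recognised prefix: the whole string, including any ':' it
    # contains, is the password itself
    return {"kind": "string", "value": spec.encode()}


def parse_auth(spec):
    """Top-level authorization value: a policy session, a PCR policy
    specifier, or a plain password."""
    if spec.startswith("session:"):
        rest = spec[len("session:"):]
        # the first '+' separates the session file from an optional auth
        # value that is itself in password syntax (e.g. '+hex:11223344')
        ctx, _, auth = rest.partition("+")
        if not ctx:
            raise ValueError("session: needs a session context file")
        return {"kind": "session", "context": ctx,
                "auth": parse_password(auth) if auth else None}
    if spec.startswith("pcr:"):
        # <pcr-spec>=<raw-pcr-file>, the file part being optional
        pcr_spec, _, raw_file = spec[len("pcr:"):].partition("=")
        banks = []
        for bank in pcr_spec.split("+"):           # bank1:ids+bank2:ids ...
            alg, _, ids = bank.partition(":")
            if not ids:
                raise ValueError("pcr bank %r has no PCR list" % alg)
            banks.append((alg, [int(i) for i in ids.split(",")]))
        return {"kind": "pcr", "banks": banks, "raw_pcr_file": raw_file or None}
    return parse_password(spec)
```

The one rule worth remembering from this is the fall-through at the end of parse_password: anything without a recognised prefix, colons included, is the literal password, so a password that happens to begin with "hex:" or "file:" must be written with an explicit "str:" prefix.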
COMMON OPTIONS
This collection of options is common to many programs and provides
information that many users may expect.

• -h, --help=[man|no-man]: Display the tool's manpage. By default, it
attempts to invoke the manpager for the tool, however, on failure
will output a short tool summary. This is the same behavior if the
“man” option argument is specified, however if explicit “man” is
requested, the tool will provide errors from man on stderr. If the
“no-man” option is specified, or the manpager fails, the short
options will be output to stdout.

To successfully use the manpages feature requires the manpages to be
installed or on MANPATH, See man(1) for more details.

• -v, --version: Display version information for this tool, supported
tctis and exit.

• -V, --verbose: Increase the information that the tool prints to the
console during its execution. When using this option the file and
line number are printed.

• -Q, --quiet: Silence normal tool output to stdout.

• -Z, --enable-errata: Enable the application of errata fixups. Useful
if an errata fixup needs to be applied to commands sent to the TPM.
Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
equivalent.

TCTI Configuration
The TCTI or “Transmission Interface” is the communication mechanism
with the TPM. TCTIs can be changed for communication with TPMs across
different mediums.

To control the TCTI, the tools respect:

1. The command line option -T or --tcti

2. The environment variable: TPM2TOOLS_TCTI.

Note: The command line option always overrides the environment
variable.

The current known TCTIs are:

• tabrmd - The resource manager, called tabrmd
(https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
abrmd as a tcti name are synonymous.

• mssim - Typically used for communicating to the TPM software
simulator.

• device - Used when talking directly to a TPM device file.

• none - Do not initialize a connection with the TPM. Some tools allow
for off-tpm options and thus support not using a TCTI. Tools that do
not support it will error when attempted to be used without a TCTI
connection. Does not support ANY options and MUST BE presented as
the exact text of “none”.

The arguments to either the command line option or the environment
variable are in the form:

<tcti-name>:<tcti-option-config>

Specifying an empty string for either the <tcti-name> or
<tcti-option-config> results in the default being used for that portion
respectively.

TCTI Defaults
When a TCTI is not specified, the default TCTI is searched for using
dlopen(3) semantics. The tools will search for tabrmd, device and
mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
what TCTI will be chosen as the default by using the -v option to print
the version information. The “default-tcti” key-value pair will
indicate which of the aforementioned TCTIs is the default.

Custom TCTIs
Any TCTI that implements the dynamic TCTI interface can be loaded. The
tools internally use dlopen(3), and the raw tcti-name value is used for
the lookup. Thus, this could be a path to the shared library, or a
library name as understood by dlopen(3) semantics. Because the name is
handed to dlopen(3) unchanged, whoever controls TPM2TOOLS_TCTI or the
-T argument of a privileged invocation can make the tool load an
arbitrary shared object; treat that setting as trusted configuration.

TCTI OPTIONS
This collection of options is used to configure the various known TCTI
modules available:

• device: For the device TCTI, the TPM character device file for use by
the device TCTI can be specified. The default is /dev/tpm0. On Linux
kernels that provide the in-kernel resource manager, /dev/tpmrm0 can
be given instead so that the kernel manages transient object slots
when no tabrmd is running.

Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="device:/dev/tpm0"

• mssim: For the mssim TCTI, the domain name or IP address and port
number used by the simulator can be specified. The defaults are
127.0.0.1 and 2321.

Example: -T mssim:host=localhost,port=2321 or export
TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

• abrmd: For the abrmd TCTI, the configuration string format is a
series of simple key value pairs separated by a `,' character. Each
key and value string are separated by a `=' character.

• TCTI abrmd supports two keys:

1. `bus_name' : The name of the tabrmd service on the bus (a
string).

2. `bus_type' : The type of the dbus instance (a string) limited to
`session' and `system'.

Specify the tabrmd tcti name and a config string of
bus_name=com.example.FooBar:

--tcti=tabrmd:bus_name=com.example.FooBar

Specify the default (abrmd) tcti and a config string of
bus_type=session, leaving the <tcti-name> before the `:' empty so that
the default is used:

--tcti=:bus_type=session

NOTE: abrmd and tabrmd are synonymous.

EXAMPLES
Print a TPM Quote
Set up a key to generate a quote from (0x0004 and 0x000b are the
TPM_ALG_ID values for sha1 and sha256; sha1:16,17,18+sha256:16,17,18
is the equivalent named form of the -l argument):
tpm2_createprimary -C e -c primary.ctx
tpm2_create -C primary.ctx -u key.pub -r key.priv
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
tpm2_quote -c key.ctx -l 0x0004:16,17,18+0x000b:16,17,18 -g sha256 -m msg.dat

Print a Quote
tpm2_print -t TPMS_ATTEST msg.dat

Print a public file
tpm2_print -t TPM2B_PUBLIC key.pub

Print a tpmt public file
tpm2_readpublic -c key.ctx -f tpmt -o key.tpmt
tpm2_print -t TPMT_PUBLIC key.tpmt

Print a TPM2B_PUBLIC file and convert to PEM format
tpm2_print -t TPM2B_PUBLIC -f pem key.pub

Returns
Tools can return any of the following codes:

• 0 - Success.

• 1 - General non-specific error.

• 2 - Options handling error.

• 3 - Authentication error.

• 4 - TCTI related error.

• 5 - Non-supported scheme. Applicable to tpm2_testparams.

BUGS
Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

HELP
See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)



tpm2-tools tpm2_print(1)