tpm2_getcommandauditdigest(1)

1tpm2_getcommandauditdigest(1)General Commands Manuatlpm2_getcommandauditdigest(1)
2
3
4

6       tpm2_getcommandauditdigest(1)  - Retrieve the command audit attestation
7       data from the TPM.
8

10       tpm2_getcommandauditdigest [OPTIONS]
11

13       tpm2_getcommandauditdigest(1) - Retrieve the command audit  attestation
14       data  from  the TPM.  The attestation data includes the audit digest of
15       the commands in the setlist setup using the command  tpm2_setcommandau‐
16       ditstatus.   Also  the attestation data includes the digest of the list
17       of commands setup for audit.  The audit digest algorith is setup in the
18       tpm2_setcommandauditstatus.
19

21       • -P, --hierarchy-auth=AUTH:
22
23         Specifies the authorization value for the endorsement hierarchy.
24
25       • -c, --key-context=OBJECT:
26
27         Context object for the signing key that signs the attestation data.
28
29       • -p, --auth=AUTH:
30
31         Specifies the authorization value for key specified by option -c.
32
33       • -q, --qualification=HEX_STRING_OR_PATH:
34
35         Data  given  as a Hex string or binary file to qualify the quote, op‐
36         tional.  This is typically used to add a  nonce  against  replay  at‐
37         tacks.
38
39       • -s, --signature=FILE:
40
41         Signature  output file, records the signature in the format specified
42         via the -f option.
43
44       • -m, --message=FILE:
45
46         Message output file, records the quote message that makes up the data
47         that is signed by the TPM.  This is the command audit digest attesta‐
48         tion data.
49
50       • -f, --format=FORMAT:
51
52         Format selection for the signature output file.
53
54       • -g, --hash-algorithm:
55
56         Hash algorithm for signature.  Defaults to sha256.
57
58   References

60       The type of a context object, whether it is a handle or file  name,  is
61       determined according to the following logic in-order:
62
63       • If the argument is a file path, then the file is loaded as a restored
64         TPM transient object.
65
66       • If the argument is a prefix match on one of:
67
68         • owner: the owner hierarchy
69
70         • platform: the platform hierarchy
71
72         • endorsement: the endorsement hierarchy
73
74         • lockout: the lockout control persistent object
75
76       • If the argument argument can be loaded as a number it will  be  treat
77         as a handle, e.g. 0x81010013 and used directly._OBJECT_.
78

80       Authorization  for  use  of an object in TPM2.0 can come in 3 different
81       forms: 1.  Password 2.  HMAC 3.  Sessions
82
83       NOTE: “Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
84       fied”.
85
86   Passwords
87       Passwords  are  interpreted  in  the following forms below using prefix
88       identifiers.
89
90       Note: By default passwords are assumed to be in the  string  form  when
91       they do not have a prefix.
92
93   String
94       A  string  password,  specified  by  prefix “str:” or it’s absence (raw
95       string without prefix) is not interpreted, and is directly used for au‐
96       thorization.
97
98   Examples
99              foobar
100              str:foobar
101
102   Hex-string
103       A  hex-string  password, specified by prefix “hex:” is converted from a
104       hexidecimal form into a byte array form, thus allowing  passwords  with
105       non-printable and/or terminal un-friendly characters.
106
107   Example
108              hex:0x1122334455667788
109
110   File
111       A  file  based password, specified be prefix “file:” should be the path
112       of a file containing the password to be read by the tool or  a  “-”  to
113       use  stdin.   Storing  passwords in files prevents information leakage,
114       passwords passed as options can be read from the process list or common
115       shell history features.
116
117   Examples
118              # to use stdin and be prompted
119              file:-
120
121              # to use a file from a path
122              file:path/to/password/file
123
124              # to echo a password via stdin:
125              echo foobar | tpm2_tool -p file:-
126
127              # to use a bash here-string via stdin:
128
129              tpm2_tool -p file:- <<< foobar
130
131   Sessions
132       When  using  a policy session to authorize the use of an object, prefix
133       the option argument with the session keyword.  Then indicate a path  to
134       a session file that was created with tpm2_startauthsession(1).  Option‐
135       ally, if the session requires an auth value to be sent with the session
136       handle  (eg policy password), then append a + and a string as described
137       in the Passwords section.
138
139   Examples
140       To use a session context file called session.ctx.
141
142              session:session.ctx
143
144       To use a session context file called session.ctx AND send the authvalue
145       mypassword.
146
147              session:session.ctx+mypassword
148
149       To use a session context file called session.ctx AND send the HEX auth‐
150       value 0x11223344.
151
152              session:session.ctx+hex:11223344
153
154   PCR Authorizations
155       You can satisfy a PCR policy using the “pcr:” prefix and the PCR  mini‐
156       language.       The     PCR     minilanguage     is     as     follows:
157       <pcr-spec>=<raw-pcr-file>
158
159       The PCR spec is documented in in the section “PCR bank specifiers”.
160
161       The raw-pcr-file is an optional argument that contains  the  output  of
162       the raw PCR contents as returned by tpm2_pcrread(1).
163
164       PCR bank specifiers (pcr.md)
165
166   Examples
167       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
168       er of:
169
170              pcr:sha256:0,1,2,3
171
172       specifying AUTH.
173

175       Format selection for the signature output file.  tss (the default) will
176       output a binary blob according to the TPM 2.0 specification and any po‐
177       tential compiler padding.  The option plain will output the plain  sig‐
178       nature  data as defined by the used cryptographic algorithm.  signature
179       FORMAT.
180

182       This collection of options are common to many programs and provide  in‐
183       formation that many users may expect.
184
185       • -h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
186         attempts to invoke the manpager for the  tool,  however,  on  failure
187         will  output  a short tool summary.  This is the same behavior if the
188         “man” option argument is specified, however if explicit “man” is  re‐
189         quested,  the  tool  will  provide errors from man on stderr.  If the
190         “no-man” option if specified, or the manpager fails,  the  short  op‐
191         tions will be output to stdout.
192
193         To  successfully use the manpages feature requires the manpages to be
194         installed or on MANPATH, See man(1) for more details.
195
196       • -v, --version: Display version information for this  tool,  supported
197         tctis and exit.
198
199       • -V,  --verbose:  Increase the information that the tool prints to the
200         console during its execution.  When using this option  the  file  and
201         line number are printed.
202
203       • -Q, --quiet: Silence normal tool output to stdout.
204
205       • -Z, --enable-errata: Enable the application of errata fixups.  Useful
206         if an errata fixup needs to be applied to commands sent to  the  TPM.
207         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
208         formation many users may expect.
209

211       The TCTI or “Transmission Interface”  is  the  communication  mechanism
212       with  the TPM.  TCTIs can be changed for communication with TPMs across
213       different mediums.
214
215       To control the TCTI, the tools respect:
216
217       1. The command line option -T or --tcti
218
219       2. The environment variable: TPM2TOOLS_TCTI.
220
221       Note: The command line option always overrides  the  environment  vari‐
222       able.
223
224       The current known TCTIs are:
225
226       • tabrmd      -     The     resource     manager,     called     tabrmd
227         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
228         abrmd as a tcti name are synonymous.
229
230       • mssim  - Typically used for communicating to the TPM software simula‐
231         tor.
232
233       • device - Used when talking directly to a TPM device file.
234
235       • none - Do not initalize a connection with the TPM.  Some tools  allow
236         for off-tpm options and thus support not using a TCTI.  Tools that do
237         not support it will error when attempted to be used  without  a  TCTI
238         connection.   Does  not  support ANY options and MUST BE presented as
239         the exact text of “none”.
240
241       The arguments to either the command  line  option  or  the  environment
242       variable are in the form:
243
244       <tcti-name>:<tcti-option-config>
245
246       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
247       tion-config> results in the default being used for that portion respec‐
248       tively.
249
250   TCTI Defaults
251       When  a  TCTI  is not specified, the default TCTI is searched for using
252       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
253       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
254       what TCTI will be chosen as the default by using the -v option to print
255       the  version information.  The “default-tcti” key-value pair will indi‐
256       cate which of the aforementioned TCTIs is the default.
257
258   Custom TCTIs
259       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
260       tools internally use dlopen(3), and the raw tcti-name value is used for
261       the lookup.  Thus, this could be a path to the shared library, or a li‐
262       brary name as understood by dlopen(3) semantics.
263

265       This collection of options are used to configure the various known TCTI
266       modules available:
267
268       • device: For the device TCTI, the TPM character device file for use by
269         the device TCTI can be specified.  The default is /dev/tpm0.
270
271         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI=“de‐
272         vice:/dev/tpm0”
273
274       • mssim: For the mssim TCTI, the domain name or  IP  address  and  port
275         number  used  by  the  simulator  can  be specified.  The default are
276         127.0.0.1 and 2321.
277
278         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
279         TI=“mssim:host=localhost,port=2321”
280
281       • abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
282         ries of simple key value pairs separated by a  `,'  character.   Each
283         key and value string are separated by a `=' character.
284
285         • TCTI abrmd supports two keys:
286
287           1. `bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
288              string).
289
290           2. `bus_type' : The type of the dbus instance (a string) limited to
291              `session' and `system'.
292
293         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
294         ample.FooBar:
295
296                \--tcti=tabrmd:bus_name=com.example.FooBar
297
298         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
299         sion:
300
301                \--tcti:bus_type=session
302
303         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
304         ules.
305

307              tpm2_getcommandauditdigest -P ekpass -c key.ctx -p keypass -m att.data -s att.sig
308

310       Tools can return any of the following codes:
311
312       • 0 - Success.
313
314       • 1 - General non-specific error.
315
316       • 2 - Options handling error.
317
318       • 3 - Authentication error.
319
320       • 4 - TCTI related error.
321
322       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
323

325       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
326

328       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
329
330
331
332tpm2-tools                                       tpm2_getcommandauditdigest(1)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Context Object Format

Authorization Formatting

Signature Format Specifiers

COMMON OPTIONS

TCTI Configuration

TCTI OPTIONS

EXAMPLES

Returns

BUGS

HELP