tpm2_gettime(1)

1tpm2_gettime(1)             General Commands Manual            tpm2_gettime(1)
2
3
4

6       tpm2_gettime(1)  -  Get  the  current  time and clock from the TPM in a
7       signed form.
8

10       tpm2_gettime [OPTIONS] [ARGUMENT]
11

13       tpm2_gettime(1) - Provides a signed copy of the current time and  clock
14       from  the  TPM.  It returns both a signature, and the data in the stan‐
15       dard TPM attestation form, a TPMS_ATTEST structure.
16
17       It outputs to stdout, in YAML format, the TPMS_TIME_INFO structure from
18       the  TPM.   The  structure contains the current setting of Time, Clock,
19       resetCount, and restartCount.  The structure is output as YAML  defined
20       as:
21
22              time: 13673142     # 64 bit value of time since last _TPM_Init or TPM2_Startup
23                                 # in ms.
24              clock_info:
25                clock: 13673142  # 64 bit value of time TPM has been powered on in ms.
26                reset_count: 0   # 32 bit value of the number of TPM Resets since the last
27                                 # TPM2_Clear.
28                restart_count: 0 # 32 bit value of the number of times that TPM2_Shutdown or
29                                 # _TPM_Hash_Start have occurred since the last TPM Reset or
30                                 # TPM2_Clear.
31                safe: yes        # boolean yes|no value that no value of Clock greater than
32                                 # the current value of Clock has been previously reported by
33                                 # the TPM.
34

36       • -c, --key-context=OBJECT:
37
38         Context  object  pointing  to the the key used for signing.  Either a
39         file or a handle number.  See section “Context Object Format”.
40
41       • -p, --auth_AUTH_:
42
43         Optional authorization value to use the key specified by -c.   Autho‐
44         rization  values  should  follow  the “authorization formatting stan‐
45         dards”, see section “Authorization Formatting”.
46
47       • -P, --endorse-auth_AUTH_:
48
49         Optional authorization value for the endorsement  hierarchy.   Autho‐
50         rization  values  should  follow  the “authorization formatting stan‐
51         dards”, see section “Authorization Formatting”.
52
53       • -g, --hash-algorithm=ALGORITHM:
54
55         The hash algorithm used to digest  the  message.   Algorithms  should
56         follow  the  “formatting  standards”,  see  section “Algorithm Speci‐
57         fiers”.  Also, see section “Supported Hash Algorithms” for a list  of
58         supported hash algorithms.
59
60       • -s, --scheme=ALGORITHM:
61
62         The  signing  scheme  used  to  sign the message.  Optional.  Signing
63         schemes should follow the “formatting standards”, see section  “Algo‐
64         rithm Specifiers”.  Also, see section “Supported Signing Schemes” for
65         a list of supported signature schemes.  If specified,  the  signature
66         scheme  must match the key type.  If left unspecified, a default sig‐
67         nature scheme for the key type will be used.
68
69       • -q, --qualification=FILE_OR_HEX_STR:
70
71         Optional, the policy qualifier data that the signer can choose to in‐
72         clude in the signature.  Can be either a hex string or path.
73
74       • -o, --signature=FILE:
75
76         The signature file, records the signature structure.
77
78       • -f, --format=FORMAT:
79
80         Format  selection for the signature output file.  See section “Signa‐
81         ture Format Specifiers”.
82
83       • –attestation=FILE:
84
85         The attestation data of the type TPMS_ATTEST signed with signing key.
86
87       • --cphash=FILE
88
89         File path to record the hash of the command parameters.  This is com‐
90         monly termed as cpHash.  NOTE: When this option is selected, The tool
91         will not actually execute the command, it simply returns a cpHash.
92
93       • ARGUMENT the command line argument specifies the file data for sign.
94
95   References

97       The type of a context object, whether it is a handle or file  name,  is
98       determined according to the following logic in-order:
99
100       • If the argument is a file path, then the file is loaded as a restored
101         TPM transient object.
102
103       • If the argument is a prefix match on one of:
104
105         • owner: the owner hierarchy
106
107         • platform: the platform hierarchy
108
109         • endorsement: the endorsement hierarchy
110
111         • lockout: the lockout control persistent object
112
113       • If the argument argument can be loaded as a number it will  be  treat
114         as a handle, e.g. 0x81010013 and used directly._OBJECT_.
115

117       Authorization  for  use  of an object in TPM2.0 can come in 3 different
118       forms: 1.  Password 2.  HMAC 3.  Sessions
119
120       NOTE: “Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
121       fied”.
122
123   Passwords
124       Passwords  are  interpreted  in  the following forms below using prefix
125       identifiers.
126
127       Note: By default passwords are assumed to be in the  string  form  when
128       they do not have a prefix.
129
130   String
131       A  string  password,  specified  by  prefix “str:” or it’s absence (raw
132       string without prefix) is not interpreted, and is directly used for au‐
133       thorization.
134
135   Examples
136              foobar
137              str:foobar
138
139   Hex-string
140       A  hex-string  password, specified by prefix “hex:” is converted from a
141       hexidecimal form into a byte array form, thus allowing  passwords  with
142       non-printable and/or terminal un-friendly characters.
143
144   Example
145              hex:0x1122334455667788
146
147   File
148       A  file  based password, specified be prefix “file:” should be the path
149       of a file containing the password to be read by the tool or  a  “-”  to
150       use  stdin.   Storing  passwords in files prevents information leakage,
151       passwords passed as options can be read from the process list or common
152       shell history features.
153
154   Examples
155              # to use stdin and be prompted
156              file:-
157
158              # to use a file from a path
159              file:path/to/password/file
160
161              # to echo a password via stdin:
162              echo foobar | tpm2_tool -p file:-
163
164              # to use a bash here-string via stdin:
165
166              tpm2_tool -p file:- <<< foobar
167
168   Sessions
169       When  using  a policy session to authorize the use of an object, prefix
170       the option argument with the session keyword.  Then indicate a path  to
171       a session file that was created with tpm2_startauthsession(1).  Option‐
172       ally, if the session requires an auth value to be sent with the session
173       handle  (eg policy password), then append a + and a string as described
174       in the Passwords section.
175
176   Examples
177       To use a session context file called session.ctx.
178
179              session:session.ctx
180
181       To use a session context file called session.ctx AND send the authvalue
182       mypassword.
183
184              session:session.ctx+mypassword
185
186       To use a session context file called session.ctx AND send the HEX auth‐
187       value 0x11223344.
188
189              session:session.ctx+hex:11223344
190
191   PCR Authorizations
192       You can satisfy a PCR policy using the “pcr:” prefix and the PCR  mini‐
193       language.       The     PCR     minilanguage     is     as     follows:
194       <pcr-spec>=<raw-pcr-file>
195
196       The PCR spec is documented in in the section “PCR bank specifiers”.
197
198       The raw-pcr-file is an optional argument that contains  the  output  of
199       the raw PCR contents as returned by tpm2_pcrread(1).
200
201       PCR bank specifiers (pcr.md)
202
203   Examples
204       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
205       er of:
206
207              pcr:sha256:0,1,2,3
208
209       specifying AUTH.
210

212       Options that take algorithms support “nice-names”.
213
214       There are two major algorithm specification string classes, simple  and
215       complex.  Only certain algorithms will be accepted by the TPM, based on
216       usage and conditions.
217
218   Simple specifiers
219       These are strings with no additional specification data.  When creating
220       objects,  non-specified  portions of an object are assumed to defaults.
221       You can find the list of known “Simple Specifiers Below”.
222
223   Asymmetric
224       • rsa
225
226       • ecc
227
228   Symmetric
229       • aes
230
231       • camellia
232
233   Hashing Algorithms
234       • sha1
235
236       • sha256
237
238       • sha384
239
240       • sha512
241
242       • sm3_256
243
244       • sha3_256
245
246       • sha3_384
247
248       • sha3_512
249
250   Keyed Hash
251       • hmac
252
253       • xor
254
255   Signing Schemes
256       • rsassa
257
258       • rsapss
259
260       • ecdsa
261
262       • ecdaa
263
264       • ecschnorr
265
266   Asymmetric Encryption Schemes
267       • oaep
268
269       • rsaes
270
271       • ecdh
272
273   Modes
274       • ctr
275
276       • ofb
277
278       • cbc
279
280       • cfb
281
282       • ecb
283
284   Misc
285       • null
286
287   Complex Specifiers
288       Objects, when specified for creation by the TPM,  have  numerous  algo‐
289       rithms  to  populate  in the public data.  Things like type, scheme and
290       asymmetric details, key size, etc.  Below is  the  general  format  for
291       specifying this data: <type>:<scheme>:<symmetric-details>
292
293   Type Specifiers
294       This  portion  of the complex algorithm specifier is required.  The re‐
295       maining scheme and symmetric details will default  based  on  the  type
296       specified and the type of the object being created.
297
298       • aes - Default AES: aes128
299
300       • aes128<mode>  - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
301         If mode is not specified, defaults to null.
302
303       • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
304
305       • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
306
307       • ecc - Elliptical Curve, defaults to ecc256.
308
309       • ecc192 - 192 bit ECC
310
311       • ecc224 - 224 bit ECC
312
313       • ecc256 - 256 bit ECC
314
315       • ecc384 - 384 bit ECC
316
317       • ecc521 - 521 bit ECC
318
319       • rsa - Default RSA: rsa2048
320
321       • rsa1024 - RSA with 1024 bit keysize.
322
323       • rsa2048 - RSA with 2048 bit keysize.
324
325       • rsa4096 - RSA with 4096 bit keysize.
326
327   Scheme Specifiers
328       Next, is an optional field, it can be skipped.
329
330       Schemes are usually Signing Schemes or Asymmetric  Encryption  Schemes.
331       Most signing schemes take a hash algorithm directly following the sign‐
332       ing scheme.  If the hash algorithm is missing, it defaults  to  sha256.
333       Some take no arguments, and some take multiple arguments.
334
335   Hash Optional Scheme Specifiers
336       These  scheme  specifiers are followed by a dash and a valid hash algo‐
337       rithm, For example: oaep-sha256.
338
339       • oaep
340
341       • ecdh
342
343       • rsassa
344
345       • rsapss
346
347       • ecdsa
348
349       • ecschnorr
350
351   Multiple Option Scheme Specifiers
352       This scheme specifier is followed by a count  (max  size  UINT16)  then
353       followed by a dash(-) and a valid hash algorithm.  * ecdaa For example,
354       ecdaa4-sha256.  If no count is specified, it defaults to 4.
355
356   No Option Scheme Specifiers
357       This scheme specifier takes NO arguments.  * rsaes
358
359   Symmetric Details Specifiers
360       This field is optional, and defaults based on the type of object  being
361       created  and it’s attributes.  Generally, any valid Symmetric specifier
362       from the Type Specifiers list should work.  If not specified, an  asym‐
363       metric objects symmetric details defaults to aes128cfb.
364
365   Examples
366   Create an rsa2048 key with an rsaes asymmetric encryption scheme
367       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
368
369   Create  an  ecc256  key  with an ecdaa signing scheme with a count of 4 and
370       sha384 hash
371       /tpm2_create  -C  parent.ctx  -G  ecc256:ecdaa4-sha384  -u  key.pub  -r
372       key.priv cryptographic algorithms ALGORITHM.
373

375       This  collection of options are common to many programs and provide in‐
376       formation that many users may expect.
377
378       • -h, --help=[man|no-man]: Display the tools manpage.  By  default,  it
379         attempts  to  invoke  the  manpager for the tool, however, on failure
380         will output a short tool summary.  This is the same behavior  if  the
381         “man”  option argument is specified, however if explicit “man” is re‐
382         quested, the tool will provide errors from man  on  stderr.   If  the
383         “no-man”  option  if  specified, or the manpager fails, the short op‐
384         tions will be output to stdout.
385
386         To successfully use the manpages feature requires the manpages to  be
387         installed or on MANPATH, See man(1) for more details.
388
389       • -v,  --version:  Display version information for this tool, supported
390         tctis and exit.
391
392       • -V, --verbose: Increase the information that the tool prints  to  the
393         console  during  its  execution.  When using this option the file and
394         line number are printed.
395
396       • -Q, --quiet: Silence normal tool output to stdout.
397
398       • -Z, --enable-errata: Enable the application of errata fixups.  Useful
399         if  an  errata fixup needs to be applied to commands sent to the TPM.
400         Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.   in‐
401         formation many users may expect.
402

404       The  TCTI  or  “Transmission  Interface” is the communication mechanism
405       with the TPM.  TCTIs can be changed for communication with TPMs  across
406       different mediums.
407
408       To control the TCTI, the tools respect:
409
410       1. The command line option -T or --tcti
411
412       2. The environment variable: TPM2TOOLS_TCTI.
413
414       Note:  The  command  line option always overrides the environment vari‐
415       able.
416
417       The current known TCTIs are:
418
419       • tabrmd     -     The     resource     manager,     called      tabrmd
420         (https://github.com/tpm2-software/tpm2-abrmd).   Note that tabrmd and
421         abrmd as a tcti name are synonymous.
422
423       • mssim - Typically used for communicating to the TPM software  simula‐
424         tor.
425
426       • device - Used when talking directly to a TPM device file.
427
428       • none  - Do not initalize a connection with the TPM.  Some tools allow
429         for off-tpm options and thus support not using a TCTI.  Tools that do
430         not  support  it  will error when attempted to be used without a TCTI
431         connection.  Does not support ANY options and MUST  BE  presented  as
432         the exact text of “none”.
433
434       The  arguments  to  either  the  command line option or the environment
435       variable are in the form:
436
437       <tcti-name>:<tcti-option-config>
438
439       Specifying an empty string for  either  the  <tcti-name>  or  <tcti-op‐
440       tion-config> results in the default being used for that portion respec‐
441       tively.
442
443   TCTI Defaults
444       When a TCTI is not specified, the default TCTI is  searched  for  using
445       dlopen(3)  semantics.   The  tools  will  search for tabrmd, device and
446       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You  can  query
447       what TCTI will be chosen as the default by using the -v option to print
448       the version information.  The “default-tcti” key-value pair will  indi‐
449       cate which of the aforementioned TCTIs is the default.
450
451   Custom TCTIs
452       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
453       tools internally use dlopen(3), and the raw tcti-name value is used for
454       the lookup.  Thus, this could be a path to the shared library, or a li‐
455       brary name as understood by dlopen(3) semantics.
456

458       This collection of options are used to configure the various known TCTI
459       modules available:
460
461       • device: For the device TCTI, the TPM character device file for use by
462         the device TCTI can be specified.  The default is /dev/tpm0.
463
464         Example:   -T   device:/dev/tpm0   or   export    TPM2TOOLS_TCTI=“de‐
465         vice:/dev/tpm0”
466
467       • mssim:  For  the  mssim  TCTI, the domain name or IP address and port
468         number used by the simulator  can  be  specified.   The  default  are
469         127.0.0.1 and 2321.
470
471         Example:  -T  mssim:host=localhost,port=2321  or export TPM2TOOLS_TC‐
472         TI=“mssim:host=localhost,port=2321”
473
474       • abrmd: For the abrmd TCTI, the configuration string format is  a  se‐
475         ries  of  simple  key value pairs separated by a `,' character.  Each
476         key and value string are separated by a `=' character.
477
478         • TCTI abrmd supports two keys:
479
480           1. `bus_name' : The name of  the  tabrmd  service  on  the  bus  (a
481              string).
482
483           2. `bus_type' : The type of the dbus instance (a string) limited to
484              `session' and `system'.
485
486         Specify the tabrmd tcti name and a config string of  bus_name=com.ex‐
487         ample.FooBar:
488
489                \--tcti=tabrmd:bus_name=com.example.FooBar
490
491         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
492         sion:
493
494                \--tcti:bus_type=session
495
496         NOTE: abrmd and tabrmd are synonymous.  the various known  TCTI  mod‐
497         ules.  # Signature Format Specifiers
498
499       Format selection for the signature output file.  tss (the default) will
500       output a binary blob according to the TPM 2.0 specification and any po‐
501       tential  compiler padding.  The option plain will output the plain sig‐
502       nature data as defined by the used cryptographic algorithm.
503

505   Create a key and get attested TPM time
506              tpm2_createprimary -C e -c primary.ctx
507
508              tpm2_create -G rsa -u rsa.pub -r rsa.priv -C primary.ctx
509
510              tpm2_load -C primary.ctx -u rsa.pub -r rsa.priv -c rsa.ctx
511
512              tpm2_gettime -c rsa.ctx -o attest.sig --attestation attest.data
513

515       Tools can return any of the following codes:
516
517       • 0 - Success.
518
519       • 1 - General non-specific error.
520
521       • 2 - Options handling error.
522
523       • 3 - Authentication error.
524
525       • 4 - TCTI related error.
526
527       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
528

530       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
531

533       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
534
535
536
537tpm2-tools                                                     tpm2_gettime(1)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Context Object Format

Authorization Formatting

Algorithm Specifiers

COMMON OPTIONS

TCTI Configuration

TCTI OPTIONS

EXAMPLES

Returns

BUGS

HELP