tpm2_quote(1) General Commands Manual tpm2_quote(1)

NAME
tpm2_quote(1) - Provide a quote and signature from the TPM.

SYNOPSIS
tpm2_quote [OPTIONS]

DESCRIPTION
tpm2_quote(1) - Provide quote and signature for given list of PCRs in given algorithm/banks.

OPTIONS
• -c, --key-context=OBJECT:

Context object for the quote signing key.

• -p, --auth=AUTH:

Specifies the authorization value for the AK specified by option -c.

• -l, --pcr-list=PCR:

The list of PCR banks and selected PCRs’ ids for each bank. Also see the NOTES section below.

• -m, --message=FILE:

Message output file, records the quote message that makes up the data that is signed by the TPM.

• -s, --signature=FILE:

Signature output file, records the signature in the format specified via the -f option.

• -f, --format=FORMAT:

Format selection for the signature output file.

• -o, --pcr=FILE:

PCR output file, optional, records the list of PCR values as defined by -l.

• -F, --pcrs_format=FORMAT:

Format selection for the binary blob in the PCR output file. `values' will output a binary blob of the PCR values. `serialized' will output a binary blob of the PCR values in the form of a serialized data structure in little endian format. Optional. Default is `serialized'.

• -q, --qualification=HEX_STRING_OR_PATH:

Data given as a hex string or binary file to qualify the quote, optional. This is typically used to add a nonce against replay attacks.

• -g, --hash-algorithm:

Hash algorithm for signature. Defaults to sha256.

• --cphash=FILE

File path to record the hash of the command parameters. This is commonly termed as cpHash. NOTE: When this option is selected, the tool will not actually execute the command, it simply returns a cpHash.

References
Context Object Format
The type of a context object, whether it is a handle or file name, is determined according to the following logic in-order:

• If the argument is a file path, then the file is loaded as a restored TPM transient object.

• If the argument is a prefix match on one of:

• owner: the owner hierarchy

• platform: the platform hierarchy

• endorsement: the endorsement hierarchy

• lockout: the lockout control persistent object

• If the argument can be loaded as a number it will be treated as a handle, e.g. 0x81010013, and used directly.

Authorization Formatting
Authorization for use of an object in TPM2.0 can come in 3 different forms:

1. Password

2. HMAC

3. Sessions

NOTE: “Authorizations default to the EMPTY PASSWORD when not specified”.

Passwords
Passwords are interpreted in the following forms below using prefix identifiers.

Note: By default passwords are assumed to be in the string form when they do not have a prefix.

String
A string password, specified by prefix “str:” or its absence (raw string without prefix), is not interpreted and is directly used for authorization.

Examples
foobar
str:foobar

Hex-string
A hex-string password, specified by prefix “hex:”, is converted from a hexadecimal form into a byte array form, thus allowing passwords with non-printable and/or terminal-unfriendly characters.

Example
hex:0x1122334455667788

File
A file based password, specified by prefix “file:”, should be the path of a file containing the password to be read by the tool, or a “-” to use stdin. Storing passwords in files prevents information leakage; passwords passed as options can be read from the process list or common shell history features.

Examples
# to use stdin and be prompted
file:-

# to use a file from a path
file:path/to/password/file

# to echo a password via stdin:
echo foobar | tpm2_tool -p file:-

# to use a bash here-string via stdin:
tpm2_tool -p file:- <<< foobar

Sessions
When using a policy session to authorize the use of an object, prefix the option argument with the session keyword. Then indicate a path to a session file that was created with tpm2_startauthsession(1). Optionally, if the session requires an auth value to be sent with the session handle (e.g. policy password), then append a + and a string as described in the Passwords section.

Examples
To use a session context file called session.ctx.

session:session.ctx

To use a session context file called session.ctx AND send the authvalue mypassword.

session:session.ctx+mypassword

To use a session context file called session.ctx AND send the HEX authvalue 0x11223344.

session:session.ctx+hex:11223344

PCR Authorizations
You can satisfy a PCR policy using the “pcr:” prefix and the PCR minilanguage. The PCR minilanguage is as follows:
<pcr-spec>=<raw-pcr-file>

The PCR spec is documented in the section “PCR bank specifiers” below.

The raw-pcr-file is an optional argument that contains the output of the raw PCR contents as returned by tpm2_pcrread(1).

Examples
To satisfy a PCR policy of sha256 on PCRs 0, 1, 2 and 3 use a specifier of:

pcr:sha256:0,1,2,3

Signature Format Specifiers
Format selection for the signature output file. tss (the default) will output a binary blob according to the TPM 2.0 specification and any potential compiler padding. The option plain will output the plain signature data as defined by the used cryptographic algorithm.

PCR Bank Specifiers
PCR Bank Selection lists follow the below specification:

<BANK>:<PCR>[,<PCR>] or <BANK>:all

Multiple banks may be separated by `+'.

For example:

sha1:3,4+sha256:all

will select PCRs 3 and 4 from the SHA1 bank and PCRs 0 to 23 from the SHA256 bank.

Note
PCR Selections allow for up to 5 hash-to-PCR selection mappings. This is a limitation in the design of the single call to the TPM that gets the PCR values.

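As an added example (not tpm2-tools code), the following Python parses this minilanguage into the TPMS_PCR_SELECTION bitmaps and the marshalled TPML_PCR_SELECTION that TPM2_Quote consumes. It handles the `all` keyword, numeric bank ids as used in the EXAMPLES section, and the five-mapping limit from the Note above. The 24-PCR bank size and the ALG_IDS entries other than sha1 (0x0004) and sha256 (0x000b) are assumptions (standard TPM 2.0 TPM_ALG_ID values).

```python
"""Parse the tpm2-tools PCR bank selection minilanguage
(<BANK>:<PCR>[,<PCR>] or <BANK>:all, banks joined by '+') into the
TPMS_PCR_SELECTION bitmaps that TPM2_Quote consumes.
Added example, not tpm2-tools code."""

# sha1/sha256 ids appear in the EXAMPLES section; the rest are standard
# TPM 2.0 TPM_ALG_ID values (assumption).
ALG_IDS = {"sha1": 0x0004, "sha256": 0x000B, "sha384": 0x000C,
           "sha512": 0x000D, "sm3_256": 0x0012}
PCR_COUNT = 24        # assumption: PCRs per bank on a typical TPM (see NOTES)
MAX_SELECTIONS = 5    # limit stated in the Note above


def parse_bank(token):
    """Return (alg_id, sorted PCR indices) for one '<BANK>:<PCR>[,<PCR>]' or '<BANK>:all' token."""
    bank, sep, sel = token.partition(":")
    if not sep or not bank or not sel:
        raise ValueError(f"malformed bank selection {token!r}")
    if bank.lower() in ALG_IDS:
        alg = ALG_IDS[bank.lower()]
    else:
        alg = int(bank, 0)   # numeric ids such as 0x000b are accepted as well
    if sel == "all":
        pcrs = list(range(PCR_COUNT))
    else:
        pcrs = sorted({int(p) for p in sel.split(",")})
        bad = [p for p in pcrs if not 0 <= p < PCR_COUNT]
        if bad:
            raise ValueError(f"PCR index out of range: {bad}")
    return alg, pcrs


def parse_pcr_list(spec):
    """Parse a full -l argument into an ordered list of (alg_id, pcrs), enforcing the 5-mapping limit."""
    selections = [parse_bank(t) for t in spec.split("+")]
    if len(selections) > MAX_SELECTIONS:
        raise ValueError(f"at most {MAX_SELECTIONS} bank selections per call")
    return selections


def selection_bitmap(pcrs, size=PCR_COUNT // 8):
    """Encode PCR indices as the TPMS_PCR_SELECTION pcrSelect bitmap (PCR 0 is bit 0 of byte 0)."""
    bits = bytearray(size)
    for p in pcrs:
        bits[p // 8] |= 1 << (p % 8)
    return bytes(bits)


def encode_tpml_pcr_selection(selections):
    """Marshal TPML_PCR_SELECTION: UINT32 count, then per bank UINT16 hash, UINT8 sizeofSelect, bitmap."""
    out = len(selections).to_bytes(4, "big")
    for alg, pcrs in selections:
        bitmap = selection_bitmap(pcrs)
        out += alg.to_bytes(2, "big") + bytes([len(bitmap)]) + bitmap
    return out


if __name__ == "__main__":
    for spec in ("sha1:3,4+sha256:all", "0x0004:16,17,18+0x000b:16,17,18"):
        sels = parse_pcr_list(spec)
        print(spec, "->", sels, encode_tpml_pcr_selection(sels).hex())
```

The marshalled form is what the TPM hashes into the attested PCR selection, so a verifier comparing a quote against the selection it requested can compare these bytes rather than the human-readable string.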
COMMON OPTIONS
This collection of options are common to many programs and provide information that many users may expect.

• -h, --help=[man|no-man]: Display the tool's manpage. By default, it attempts to invoke the manpager for the tool; however, on failure it will output a short tool summary. This is the same behavior if the “man” option argument is specified; however, if explicit “man” is requested, the tool will provide errors from man on stderr. If the “no-man” option is specified, or the manpager fails, the short options will be output to stdout.

To successfully use the manpages feature requires the manpages to be installed or on MANPATH. See man(1) for more details.

• -v, --version: Display version information for this tool, supported tctis and exit.

• -V, --verbose: Increase the information that the tool prints to the console during its execution. When using this option the file and line number are printed.

• -Q, --quiet: Silence normal tool output to stdout.

• -Z, --enable-errata: Enable the application of errata fixups. Useful if an errata fixup needs to be applied to commands sent to the TPM. Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is equivalent.

TCTI Configuration
The TCTI or “Transmission Interface” is the communication mechanism with the TPM. TCTIs can be changed for communication with TPMs across different mediums.

To control the TCTI, the tools respect:

1. The command line option -T or --tcti

2. The environment variable: TPM2TOOLS_TCTI.

Note: The command line option always overrides the environment variable.

The current known TCTIs are:

• tabrmd - The resource manager, called tabrmd (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and abrmd as a tcti name are synonymous.

• mssim - Typically used for communicating to the TPM software simulator.

• device - Used when talking directly to a TPM device file.

• none - Do not initialize a connection with the TPM. Some tools allow for off-TPM options and thus support not using a TCTI. Tools that do not support it will error when attempted to be used without a TCTI connection. Does not support ANY options and MUST BE presented as the exact text of “none”.

The arguments to either the command line option or the environment variable are in the form:

<tcti-name>:<tcti-option-config>

Specifying an empty string for either the <tcti-name> or <tcti-option-config> results in the default being used for that portion respectively.

TCTI Defaults
When a TCTI is not specified, the default TCTI is searched for using dlopen(3) semantics. The tools will search for tabrmd, device and mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query what TCTI will be chosen as the default by using the -v option to print the version information. The “default-tcti” key-value pair will indicate which of the aforementioned TCTIs is the default.

Custom TCTIs
Any TCTI that implements the dynamic TCTI interface can be loaded. The tools internally use dlopen(3), and the raw tcti-name value is used for the lookup. Thus, this could be a path to the shared library, or a library name as understood by dlopen(3) semantics.

TCTI OPTIONS
This collection of options are used to configure the various known TCTI modules available:

• device: For the device TCTI, the TPM character device file for use by the device TCTI can be specified. The default is /dev/tpm0.

Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="device:/dev/tpm0"

• mssim: For the mssim TCTI, the domain name or IP address and port number used by the simulator can be specified. The defaults are 127.0.0.1 and 2321.

Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

• abrmd: For the abrmd TCTI, the configuration string format is a series of simple key value pairs separated by a `,' character. Each key and value string are separated by a `=' character.

• TCTI abrmd supports two keys:

1. `bus_name' : The name of the tabrmd service on the bus (a string).

2. `bus_type' : The type of the dbus instance (a string) limited to `session' and `system'.

Specify the tabrmd tcti name and a config string of bus_name=com.example.FooBar:

--tcti=tabrmd:bus_name=com.example.FooBar

Specify the default (abrmd) tcti and a config string of bus_type=session:

--tcti:bus_type=session

NOTE: abrmd and tabrmd are synonymous.

EXAMPLES
# create a primary key under the endorsement hierarchy
tpm2_createprimary -C e -c primary.ctx

# create a signing key under it
tpm2_create -C primary.ctx -u key.pub -r key.priv

# load the signing key and save its context
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx

# quote PCRs 16, 17 and 18 from the sha1 (0x0004) and sha256 (0x000b) banks
tpm2_quote -Q -c key.ctx -l 0x0004:16,17,18+0x000b:16,17,18

NOTES
The maximum number of PCRs that can be quoted at once is associated with the maximum length of a bank.

On most TPMs, this means that this tool can quote up to 24 PCRs at once.

Note that this performs a detached signature.

Returns
Tools can return any of the following codes:

• 0 - Success.

• 1 - General non-specific error.

• 2 - Options handling error.

• 3 - Authentication error.

• 4 - TCTI related error.

• 5 - Non supported scheme. Applicable to tpm2_testparams.

BUGS
Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

HELP
See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)

tpm2-tools tpm2_quote(1)