1tpm2_getsessionauditdigest(1)General Commands Manuatlpm2_getsessionauditdigest(1)
2
3
4

NAME

6       tpm2_getsessionauditdigest(1)  - Retrieve the command audit attestation
7       data from the TPM.
8

SYNOPSIS

10       tpm2_getsessionauditdigest [OPTIONS]
11

DESCRIPTION

13       tpm2_getsessionauditdigest(1) - Retrieve the session audit  digest  at‐
14       testation data from the TPM.  The attestation data includes the session
15       audit digest and a signature over the session audit digest.   The  ses‐
16       sion itself is started with the tpm2_startauthsession command.
17

OPTIONS

19-P, --hierarchy-auth=AUTH:
20
21         Specifies the authorization value for the endorsement hierarchy.
22
23-c, --key-context=OBJECT:
24
25         Context object for the signing key that signs the attestation data.
26
27-p, --auth=AUTH:
28
29         Specifies the authorization value for key specified by option -c.
30
31-q, --qualification=HEX_STRING_OR_PATH:
32
33         Data  given  as a Hex string or binary file to qualify the quote, op‐
34         tional.  This is typically used to add a  nonce  against  replay  at‐
35         tacks.
36
37-s, --signature=FILE:
38
39         Signature  output file, records the signature in the format specified
40         via the -f option.
41
42-m, --message=FILE:
43
44         Message output file, records the quote message that makes up the data
45         that is signed by the TPM.  This is the command audit digest attesta‐
46         tion data.
47
48-f, --format=FORMAT:
49
50         Format selection for the signature output file.
51
52-g, --hash-algorithm:
53
54         Hash algorithm for signature.  Defaults to sha256.
55
56-S, --session=FILE:
57
58         The path of the session that enables and records the audit digests.
59
60   References

Context Object Format

62       The type of a context object, whether it is a handle or file  name,  is
63       determined according to the following logic in-order:
64
65       • If the argument is a file path, then the file is loaded as a restored
66         TPM transient object.
67
68       • If the argument is a prefix match on one of:
69
70         • owner: the owner hierarchy
71
72         • platform: the platform hierarchy
73
74         • endorsement: the endorsement hierarchy
75
76         • lockout: the lockout control persistent object
77
78       • If the argument argument can be loaded as a number it will  be  treat
79         as a handle, e.g. 0x81010013 and used directly._OBJECT_.
80

Authorization Formatting

82       Authorization  for  use  of an object in TPM2.0 can come in 3 different
83       forms: 1.  Password 2.  HMAC 3.  Sessions
84
85       NOTE: “Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
86       fied”.
87
88   Passwords
89       Passwords  are  interpreted  in  the following forms below using prefix
90       identifiers.
91
92       Note: By default passwords are assumed to be in the  string  form  when
93       they do not have a prefix.
94
95   String
96       A  string  password,  specified  by  prefix “str:” or it’s absence (raw
97       string without prefix) is not interpreted, and is directly used for au‐
98       thorization.
99
100   Examples
101              foobar
102              str:foobar
103
104   Hex-string
105       A  hex-string  password, specified by prefix “hex:” is converted from a
106       hexidecimal form into a byte array form, thus allowing  passwords  with
107       non-printable and/or terminal un-friendly characters.
108
109   Example
110              hex:0x1122334455667788
111
112   File
113       A  file  based password, specified be prefix “file:” should be the path
114       of a file containing the password to be read by the tool or  a  “-”  to
115       use  stdin.   Storing  passwords in files prevents information leakage,
116       passwords passed as options can be read from the process list or common
117       shell history features.
118
119   Examples
120              # to use stdin and be prompted
121              file:-
122
123              # to use a file from a path
124              file:path/to/password/file
125
126              # to echo a password via stdin:
127              echo foobar | tpm2_tool -p file:-
128
129              # to use a bash here-string via stdin:
130
131              tpm2_tool -p file:- <<< foobar
132
133   Sessions
134       When  using  a policy session to authorize the use of an object, prefix
135       the option argument with the session keyword.  Then indicate a path  to
136       a session file that was created with tpm2_startauthsession(1).  Option‐
137       ally, if the session requires an auth value to be sent with the session
138       handle  (eg policy password), then append a + and a string as described
139       in the Passwords section.
140
141   Examples
142       To use a session context file called session.ctx.
143
144              session:session.ctx
145
146       To use a session context file called session.ctx AND send the authvalue
147       mypassword.
148
149              session:session.ctx+mypassword
150
151       To use a session context file called session.ctx AND send the HEX auth‐
152       value 0x11223344.
153
154              session:session.ctx+hex:11223344
155
156   PCR Authorizations
157       You can satisfy a PCR policy using the “pcr:” prefix and the PCR  mini‐
158       language.       The     PCR     minilanguage     is     as     follows:
159       <pcr-spec>=<raw-pcr-file>
160
161       The PCR spec is documented in in the section “PCR bank specifiers”.
162
163       The raw-pcr-file is an optional argument that contains  the  output  of
164       the raw PCR contents as returned by tpm2_pcrread(1).
165
166       PCR bank specifiers (pcr.md)
167
168   Examples
169       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
170       er of:
171
172              pcr:sha256:0,1,2,3
173
174       specifying AUTH.
175

Signature Format Specifiers

177       Format selection for the signature output file.  tss (the default) will
178       output a binary blob according to the TPM 2.0 specification and any po‐
179       tential compiler padding.  The option plain will output the plain  sig‐
180       nature  data as defined by the used cryptographic algorithm.  signature
181       FORMAT.
182

COMMON OPTIONS

184       This collection of options are common to many programs and provide  in‐
185       formation that many users may expect.
186
187-h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
188         attempts to invoke the manpager for the  tool,  however,  on  failure
189         will  output  a short tool summary.  This is the same behavior if the
190         “man” option argument is specified, however if explicit “man” is  re‐
191         quested,  the  tool  will  provide errors from man on stderr.  If the
192         “no-man” option if specified, or the manpager fails,  the  short  op‐
193         tions will be output to stdout.
194
195         To  successfully use the manpages feature requires the manpages to be
196         installed or on MANPATH, See man(1) for more details.
197
198-v, --version: Display version information for this  tool,  supported
199         tctis and exit.
200
201-V,  --verbose:  Increase the information that the tool prints to the
202         console during its execution.  When using this option  the  file  and
203         line number are printed.
204
205-Q, --quiet: Silence normal tool output to stdout.
206
207-Z, --enable-errata: Enable the application of errata fixups.  Useful
208         if an errata fixup needs to be applied to commands sent to  the  TPM.
209         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
210         formation many users may expect.
211

TCTI Configuration

213       The TCTI or “Transmission Interface”  is  the  communication  mechanism
214       with  the TPM.  TCTIs can be changed for communication with TPMs across
215       different mediums.
216
217       To control the TCTI, the tools respect:
218
219       1. The command line option -T or --tcti
220
221       2. The environment variable: TPM2TOOLS_TCTI.
222
223       Note: The command line option always overrides  the  environment  vari‐
224       able.
225
226       The current known TCTIs are:
227
228       • tabrmd      -     The     resource     manager,     called     tabrmd
229         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
230         abrmd as a tcti name are synonymous.
231
232       • mssim  - Typically used for communicating to the TPM software simula‐
233         tor.
234
235       • device - Used when talking directly to a TPM device file.
236
237       • none - Do not initalize a connection with the TPM.  Some tools  allow
238         for off-tpm options and thus support not using a TCTI.  Tools that do
239         not support it will error when attempted to be used  without  a  TCTI
240         connection.   Does  not  support ANY options and MUST BE presented as
241         the exact text of “none”.
242
243       The arguments to either the command  line  option  or  the  environment
244       variable are in the form:
245
246       <tcti-name>:<tcti-option-config>
247
248       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
249       tion-config> results in the default being used for that portion respec‐
250       tively.
251
252   TCTI Defaults
253       When  a  TCTI  is not specified, the default TCTI is searched for using
254       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
255       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
256       what TCTI will be chosen as the default by using the -v option to print
257       the  version information.  The “default-tcti” key-value pair will indi‐
258       cate which of the aforementioned TCTIs is the default.
259
260   Custom TCTIs
261       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
262       tools internally use dlopen(3), and the raw tcti-name value is used for
263       the lookup.  Thus, this could be a path to the shared library, or a li‐
264       brary name as understood by dlopen(3) semantics.
265

TCTI OPTIONS

267       This collection of options are used to configure the various known TCTI
268       modules available:
269
270device: For the device TCTI, the TPM character device file for use by
271         the device TCTI can be specified.  The default is /dev/tpm0.
272
273         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI=“de‐
274         vice:/dev/tpm0”
275
276mssim: For the mssim TCTI, the domain name or  IP  address  and  port
277         number  used  by  the  simulator  can  be specified.  The default are
278         127.0.0.1 and 2321.
279
280         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
281         TI=“mssim:host=localhost,port=2321”
282
283abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
284         ries of simple key value pairs separated by a  `,'  character.   Each
285         key and value string are separated by a `=' character.
286
287         • TCTI abrmd supports two keys:
288
289           1. `bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
290              string).
291
292           2. `bus_type' : The type of the dbus instance (a string) limited to
293              `session' and `system'.
294
295         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
296         ample.FooBar:
297
298                \--tcti=tabrmd:bus_name=com.example.FooBar
299
300         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
301         sion:
302
303                \--tcti:bus_type=session
304
305         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
306         ules.
307

EXAMPLES

309              tpm2_createprimary -Q -C e -c prim.ctx
310
311              tpm2_create -Q -C prim.ctx -c signing_key.ctx -u signing_key.pub \
312              -r signing_key.priv
313
314              tpm2_startauthsession -S session.ctx --audit-session
315
316              tpm2_getrandom 8 -S session.ctx
317
318              tpm2_getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
319              -S session.ctx
320

Returns

322       Tools can return any of the following codes:
323
324       • 0 - Success.
325
326       • 1 - General non-specific error.
327
328       • 2 - Options handling error.
329
330       • 3 - Authentication error.
331
332       • 4 - TCTI related error.
333
334       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
335

BUGS

337       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
338

HELP

340       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
341
342
343
344tpm2-tools                                       tpm2_getsessionauditdigest(1)
Impressum