1tpm2_getcommandauditdigest(1)General Commands Manuatlpm2_getcommandauditdigest(1)
2
3
4

NAME

6       tpm2_getcommandauditdigest(1)  - Retrieve the command audit attestation
7       data from the TPM.
8

SYNOPSIS

10       tpm2_getcommandauditdigest [OPTIONS]
11

DESCRIPTION

13       tpm2_getcommandauditdigest(1) - Retrieve the command audit  attestation
14       data  from  the TPM.  The attestation data includes the audit digest of
15       the commands in the setlist setup using the command  tpm2_setcommandau‐
16       ditstatus.   Also  the attestation data includes the digest of the list
17       of commands setup for audit.  The audit digest algorith is setup in the
18       tpm2_setcommandauditstatus.
19

OPTIONS

21-P, --hierarchy-auth=AUTH:
22
23         Specifies the authorization value for the endorsement hierarchy.
24
25-c, --key-context=OBJECT:
26
27         Context object for the signing key that signs the attestation data.
28
29-p, --auth=AUTH:
30
31         Specifies the authorization value for key specified by option -c.
32
33-q, --qualification=HEX_STRING_OR_PATH:
34
35         Data  given  as a Hex string or binary file to qualify the quote, op‐
36         tional.  This is typically used to add a  nonce  against  replay  at‐
37         tacks.
38
39-s, --signature=FILE:
40
41         Signature  output file, records the signature in the format specified
42         via the -f option.
43
44-m, --message=FILE:
45
46         Message output file, records the quote message that makes up the data
47         that is signed by the TPM.  This is the command audit digest attesta‐
48         tion data.
49
50-f, --format=FORMAT:
51
52         Format selection for the signature output file.
53
54-g, --hash-algorithm:
55
56         Hash algorithm for signature.  Defaults to sha256.
57
58--scheme=ALGORITHM:
59
60         The signing scheme used to  sign  the  message.   Optional.   Signing
61         schemes  should follow the “formatting standards”, see section “Algo‐
62         rithm Specifiers”.  Also, see section “Supported Signing Schemes” for
63         a  list  of supported signature schemes.  If specified, the signature
64         scheme must match the key type.  If left unspecified, a default  sig‐
65         nature scheme for the key type will be used.
66
67   References

Context Object Format

69       The  type  of a context object, whether it is a handle or file name, is
70       determined according to the following logic in-order:
71
72       • If the argument is a file path, then the file is loaded as a restored
73         TPM transient object.
74
75       • If the argument is a prefix match on one of:
76
77         • owner: the owner hierarchy
78
79         • platform: the platform hierarchy
80
81         • endorsement: the endorsement hierarchy
82
83         • lockout: the lockout control persistent object
84
85       • If  the  argument argument can be loaded as a number it will be treat
86         as a handle, e.g. 0x81010013 and used directly._OBJECT_.
87

Authorization Formatting

89       Authorization for use of an object in TPM2.0 can come  in  3  different
90       forms: 1.  Password 2.  HMAC 3.  Sessions
91
92       NOTE:  “Authorizations  default  to  the EMPTY PASSWORD when not speci‐
93       fied”.
94
95   Passwords
96       Passwords are interpreted in the following  forms  below  using  prefix
97       identifiers.
98
99       Note:  By  default  passwords are assumed to be in the string form when
100       they do not have a prefix.
101
102   String
103       A string password, specified by prefix  “str:”  or  it’s  absence  (raw
104       string without prefix) is not interpreted, and is directly used for au‐
105       thorization.
106
107   Examples
108              foobar
109              str:foobar
110
111   Hex-string
112       A hex-string password, specified by prefix “hex:” is converted  from  a
113       hexidecimal  form  into a byte array form, thus allowing passwords with
114       non-printable and/or terminal un-friendly characters.
115
116   Example
117              hex:1122334455667788
118
119   File
120       A file based password, specified be prefix “file:” should be  the  path
121       of  a  file  containing the password to be read by the tool or a “-” to
122       use stdin.  Storing passwords in files  prevents  information  leakage,
123       passwords passed as options can be read from the process list or common
124       shell history features.
125
126   Examples
127              # to use stdin and be prompted
128              file:-
129
130              # to use a file from a path
131              file:path/to/password/file
132
133              # to echo a password via stdin:
134              echo foobar | tpm2_tool -p file:-
135
136              # to use a bash here-string via stdin:
137
138              tpm2_tool -p file:- <<< foobar
139
140   Sessions
141       When using a policy session to authorize the use of an  object,  prefix
142       the  option argument with the session keyword.  Then indicate a path to
143       a session file that was created with tpm2_startauthsession(1).  Option‐
144       ally, if the session requires an auth value to be sent with the session
145       handle (eg policy password), then append a + and a string as  described
146       in the Passwords section.
147
148   Examples
149       To use a session context file called session.ctx.
150
151              session:session.ctx
152
153       To use a session context file called session.ctx AND send the authvalue
154       mypassword.
155
156              session:session.ctx+mypassword
157
158       To use a session context file called session.ctx AND send the HEX auth‐
159       value 0x11223344.
160
161              session:session.ctx+hex:11223344
162
163   PCR Authorizations
164       You  can satisfy a PCR policy using the “pcr:” prefix and the PCR mini‐
165       language.      The     PCR     minilanguage     is     as      follows:
166       <pcr-spec>=<raw-pcr-file>
167
168       The PCR spec is documented in in the section “PCR bank specifiers”.
169
170       The  raw-pcr-file  is  an optional argument that contains the output of
171       the raw PCR contents as returned by tpm2_pcrread(1).
172
173       PCR bank specifiers (pcr.md)
174
175   Examples
176       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
177       er of:
178
179              pcr:sha256:0,1,2,3
180
181       specifying AUTH.
182

Signature Format Specifiers

184       Format selection for the signature output file.  tss (the default) will
185       output a binary blob according to the TPM 2.0 specification and any po‐
186       tential  compiler padding.  The option plain will output the plain sig‐
187       nature data as defined by the used cryptographic algorithm.   signature
188       FORMAT.
189

COMMON OPTIONS

191       This  collection of options are common to many programs and provide in‐
192       formation that many users may expect.
193
194-h, --help=[man|no-man]: Display the tools manpage.  By  default,  it
195         attempts  to  invoke  the  manpager for the tool, however, on failure
196         will output a short tool summary.  This is the same behavior  if  the
197         “man”  option argument is specified, however if explicit “man” is re‐
198         quested, the tool will provide errors from man  on  stderr.   If  the
199         “no-man”  option  if  specified, or the manpager fails, the short op‐
200         tions will be output to stdout.
201
202         To successfully use the manpages feature requires the manpages to  be
203         installed or on MANPATH, See man(1) for more details.
204
205-v,  --version:  Display version information for this tool, supported
206         tctis and exit.
207
208-V, --verbose: Increase the information that the tool prints  to  the
209         console  during  its  execution.  When using this option the file and
210         line number are printed.
211
212-Q, --quiet: Silence normal tool output to stdout.
213
214-Z, --enable-errata: Enable the application of errata fixups.  Useful
215         if  an  errata fixup needs to be applied to commands sent to the TPM.
216         Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.   in‐
217         formation many users may expect.
218

TCTI Configuration

220       The  TCTI  or  “Transmission  Interface” is the communication mechanism
221       with the TPM.  TCTIs can be changed for communication with TPMs  across
222       different mediums.
223
224       To control the TCTI, the tools respect:
225
226       1. The command line option -T or --tcti
227
228       2. The environment variable: TPM2TOOLS_TCTI.
229
230       Note:  The  command  line option always overrides the environment vari‐
231       able.
232
233       The current known TCTIs are:
234
235       • tabrmd     -     The     resource     manager,     called      tabrmd
236         (https://github.com/tpm2-software/tpm2-abrmd).   Note that tabrmd and
237         abrmd as a tcti name are synonymous.
238
239       • mssim - Typically used for communicating to the TPM software  simula‐
240         tor.
241
242       • device - Used when talking directly to a TPM device file.
243
244       • none  - Do not initalize a connection with the TPM.  Some tools allow
245         for off-tpm options and thus support not using a TCTI.  Tools that do
246         not  support  it  will error when attempted to be used without a TCTI
247         connection.  Does not support ANY options and MUST  BE  presented  as
248         the exact text of “none”.
249
250       The  arguments  to  either  the  command line option or the environment
251       variable are in the form:
252
253       <tcti-name>:<tcti-option-config>
254
255       Specifying an empty string for  either  the  <tcti-name>  or  <tcti-op‐
256       tion-config> results in the default being used for that portion respec‐
257       tively.
258
259   TCTI Defaults
260       When a TCTI is not specified, the default TCTI is  searched  for  using
261       dlopen(3)  semantics.   The  tools  will  search for tabrmd, device and
262       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You  can  query
263       what TCTI will be chosen as the default by using the -v option to print
264       the version information.  The “default-tcti” key-value pair will  indi‐
265       cate which of the aforementioned TCTIs is the default.
266
267   Custom TCTIs
268       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
269       tools internally use dlopen(3), and the raw tcti-name value is used for
270       the lookup.  Thus, this could be a path to the shared library, or a li‐
271       brary name as understood by dlopen(3) semantics.
272

TCTI OPTIONS

274       This collection of options are used to configure the various known TCTI
275       modules available:
276
277device: For the device TCTI, the TPM character device file for use by
278         the device TCTI can be specified.  The default is /dev/tpm0.
279
280         Example:   -T   device:/dev/tpm0   or   export    TPM2TOOLS_TCTI=“de‐
281         vice:/dev/tpm0”
282
283mssim:  For  the  mssim  TCTI, the domain name or IP address and port
284         number used by the simulator  can  be  specified.   The  default  are
285         127.0.0.1 and 2321.
286
287         Example:  -T  mssim:host=localhost,port=2321  or export TPM2TOOLS_TC‐
288         TI=“mssim:host=localhost,port=2321”
289
290abrmd: For the abrmd TCTI, the configuration string format is  a  se‐
291         ries  of  simple  key value pairs separated by a `,' character.  Each
292         key and value string are separated by a `=' character.
293
294         • TCTI abrmd supports two keys:
295
296           1. `bus_name' : The name of  the  tabrmd  service  on  the  bus  (a
297              string).
298
299           2. `bus_type' : The type of the dbus instance (a string) limited to
300              `session' and `system'.
301
302         Specify the tabrmd tcti name and a config string of  bus_name=com.ex‐
303         ample.FooBar:
304
305                \--tcti=tabrmd:bus_name=com.example.FooBar
306
307         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
308         sion:
309
310                \--tcti:bus_type=session
311
312         NOTE: abrmd and tabrmd are synonymous.  the various known  TCTI  mod‐
313         ules.
314

EXAMPLES

316              tpm2_getcommandauditdigest -P ekpass -c key.ctx -p keypass -m att.data -s att.sig
317

Returns

319       Tools can return any of the following codes:
320
321       • 0 - Success.
322
323       • 1 - General non-specific error.
324
325       • 2 - Options handling error.
326
327       • 3 - Authentication error.
328
329       • 4 - TCTI related error.
330
331       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
332

BUGS

334       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
335

HELP

337       See the Mailing List (https://lists.linuxfoundation.org/mailman/listin
338       fo/tpm2)
339
340
341
342tpm2-tools                                       tpm2_getcommandauditdigest(1)
Impressum