1tpm2_gettime(1) General Commands Manual tpm2_gettime(1)
2
6 tpm2_gettime(1) - Get the current time and clock from the TPM in a
7 signed form.
8
10 tpm2_gettime [OPTIONS] [ARGUMENT]
11
13 tpm2_gettime(1) - Provides a signed copy of the current time and clock
14 from the TPM. It returns both a signature, and the data in the stan‐
15 dard TPM attestation form, a TPMS_ATTEST structure.
16 It outputs to stdout, in YAML format, the TPMS_TIME_INFO structure from
18 the TPM. The structure contains the current setting of Time, Clock,
19 resetCount, and restartCount. The structure is output as YAML defined
20 as:
21 time: 13673142 # 64 bit value of time since last _TPM_Init or TPM2_Startup
23 # in ms.
24 clock_info:
25 clock: 13673142 # 64 bit value of time TPM has been powered on in ms.
26 reset_count: 0 # 32 bit value of the number of TPM Resets since the last
27 # TPM2_Clear.
28 restart_count: 0 # 32 bit value of the number of times that TPM2_Shutdown or
29 # _TPM_Hash_Start have occurred since the last TPM Reset or
30 # TPM2_Clear.
31 safe: yes # boolean yes|no value that no value of Clock greater than
32 # the current value of Clock has been previously reported by
33 # the TPM.
34
36 • -c, --key-context=OBJECT:
37 Context object pointing to the the key used for signing. Either a
39 file or a handle number. See section “Context Object Format”.
40 • -p, --auth_AUTH_:
42 Optional authorization value to use the key specified by -c. Autho‐
44 rization values should follow the “authorization formatting stan‐
45 dards”, see section “Authorization Formatting”.
46 • -P, --endorse-auth_AUTH_:
48 Optional authorization value for the endorsement hierarchy. Autho‐
50 rization values should follow the “authorization formatting stan‐
51 dards”, see section “Authorization Formatting”.
52 • -g, --hash-algorithm=ALGORITHM:
54 The hash algorithm used to digest the message. Algorithms should
56 follow the “formatting standards”, see section “Algorithm Speci‐
57 fiers”. Also, see section “Supported Hash Algorithms” for a list of
58 supported hash algorithms.
59 • -s, --scheme=ALGORITHM:
61 The signing scheme used to sign the message. Optional. Signing
63 schemes should follow the “formatting standards”, see section “Algo‐
64 rithm Specifiers”. Also, see section “Supported Signing Schemes” for
65 a list of supported signature schemes. If specified, the signature
66 scheme must match the key type. If left unspecified, a default sig‐
67 nature scheme for the key type will be used.
68 • -q, --qualification=FILE_OR_HEX_STR:
70 Optional, the policy qualifier data that the signer can choose to in‐
72 clude in the signature. Can be either a hex string or path.
73 • -o, --signature=FILE:
75 The signature file, records the signature structure.
77 • -f, --format=FORMAT:
79 Format selection for the signature output file. See section “Signa‐
81 ture Format Specifiers”.
82 • –attestation=FILE:
84 The attestation data of the type TPMS_ATTEST signed with signing key.
86 • --cphash=FILE
88 File path to record the hash of the command parameters. This is com‐
90 monly termed as cpHash. NOTE: When this option is selected, The tool
91 will not actually execute the command, it simply returns a cpHash.
92 • ARGUMENT the command line argument specifies the file data for sign.
94 References
97 The type of a context object, whether it is a handle or file name, is
98 determined according to the following logic in-order:
99 • If the argument is a file path, then the file is loaded as a restored
101 TPM transient object.
102 • If the argument is a prefix match on one of:
104 • owner: the owner hierarchy
106 • platform: the platform hierarchy
108 • endorsement: the endorsement hierarchy
110 • lockout: the lockout control persistent object
112 • If the argument argument can be loaded as a number it will be treat
114 as a handle, e.g. 0x81010013 and used directly._OBJECT_.
115
117 Authorization for use of an object in TPM2.0 can come in 3 different
118 forms: 1. Password 2. HMAC 3. Sessions
119 NOTE: “Authorizations default to the EMPTY PASSWORD when not speci‐
121 fied”.
122 Passwords
124 Passwords are interpreted in the following forms below using prefix
125 identifiers.
126 Note: By default passwords are assumed to be in the string form when
128 they do not have a prefix.
129 String
131 A string password, specified by prefix “str:” or it’s absence (raw
132 string without prefix) is not interpreted, and is directly used for au‐
133 thorization.
134 Examples
136 foobar
137 str:foobar
138 Hex-string
140 A hex-string password, specified by prefix “hex:” is converted from a
141 hexidecimal form into a byte array form, thus allowing passwords with
142 non-printable and/or terminal un-friendly characters.
143 Example
145 hex:1122334455667788
146 File
148 A file based password, specified be prefix “file:” should be the path
149 of a file containing the password to be read by the tool or a “-” to
150 use stdin. Storing passwords in files prevents information leakage,
151 passwords passed as options can be read from the process list or common
152 shell history features.
153 Examples
155 # to use stdin and be prompted
156 file:-
157 # to use a file from a path
159 file:path/to/password/file
160 # to echo a password via stdin:
162 echo foobar | tpm2_tool -p file:-
163 # to use a bash here-string via stdin:
165 tpm2_tool -p file:- <<< foobar
167 Sessions
169 When using a policy session to authorize the use of an object, prefix
170 the option argument with the session keyword. Then indicate a path to
171 a session file that was created with tpm2_startauthsession(1). Option‐
172 ally, if the session requires an auth value to be sent with the session
173 handle (eg policy password), then append a + and a string as described
174 in the Passwords section.
175 Examples
177 To use a session context file called session.ctx.
178 session:session.ctx
180 To use a session context file called session.ctx AND send the authvalue
182 mypassword.
183 session:session.ctx+mypassword
185 To use a session context file called session.ctx AND send the HEX auth‐
187 value 0x11223344.
188 session:session.ctx+hex:11223344
190 PCR Authorizations
192 You can satisfy a PCR policy using the “pcr:” prefix and the PCR mini‐
193 language. The PCR minilanguage is as follows:
194 <pcr-spec>=<raw-pcr-file>
195 The PCR spec is documented in in the section “PCR bank specifiers”.
197 The raw-pcr-file is an optional argument that contains the output of
199 the raw PCR contents as returned by tpm2_pcrread(1).
200 PCR bank specifiers (pcr.md)
202 Examples
204 To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
205 er of:
206 pcr:sha256:0,1,2,3
208 specifying AUTH.
210
212 Options that take algorithms support “nice-names”.
213 There are two major algorithm specification string classes, simple and
215 complex. Only certain algorithms will be accepted by the TPM, based on
216 usage and conditions.
217 Simple specifiers
219 These are strings with no additional specification data. When creating
220 objects, non-specified portions of an object are assumed to defaults.
221 You can find the list of known “Simple Specifiers” below.
222 Asymmetric
224 • rsa
225 • ecc
227 Symmetric
229 • aes
230 • camellia
232 • sm4
234 Hashing Algorithms
236 • sha1
237 • sha256
239 • sha384
241 • sha512
243 • sm3_256
245 • sha3_256
247 • sha3_384
249 • sha3_512
251 Keyed Hash
253 • hmac
254 • xor
256 Signing Schemes
258 • rsassa
259 • rsapss
261 • ecdsa
263 • ecdaa
265 • ecschnorr
267 • sm2
269 Asymmetric Encryption Schemes
271 • oaep
272 • rsaes
274 • ecdh
276 Modes
278 • ctr
279 • ofb
281 • cbc
283 • cfb
285 • ecb
287 Misc
289 • null
290 Complex Specifiers
292 Objects, when specified for creation by the TPM, have numerous algo‐
293 rithms to populate in the public data. Things like type, scheme and
294 asymmetric details, key size, etc. Below is the general format for
295 specifying this data: <type>:<scheme>:<symmetric-details>
296 Type Specifiers
298 This portion of the complex algorithm specifier is required. The re‐
299 maining scheme and symmetric details will default based on the type
300 specified and the type of the object being created.
301 • aes - Default AES: aes128
303 • aes128<mode> - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
305 If mode is not specified, defaults to null.
306 • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
308 • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
310 • sm4 - Default SM4: sm4128
312 • sm4128 or sm4_128 <mode> - 128 bit SM4 with optional mode
314 (ctr|ofb|cbc|cfb|ecb). If mode is not specified, defaults to null.
315 • ecc - Elliptical Curve, defaults to ecc256.
317 • ecc192 or ecc_nist_p192 - 192 bit ECC NIST curve
319 • ecc224 or ecc_nist_p224 - 224 bit ECC NIST curve
321 • ecc256 or ecc_nist_p256 - 256 bit ECC NIST curve
323 • ecc384 or ecc_nist_p384 - 384 bit ECC NIST curve
325 • ecc521 or ecc_nist_p521 - 521 bit ECC NIST curve
327 • ecc_sm2 or ecc_sm2_p256 - 256 bit SM2 curve
329 • rsa - Default RSA: rsa2048
331 • rsa1024 - RSA with 1024 bit keysize.
333 • rsa2048 - RSA with 2048 bit keysize.
335 • rsa3072 - RSA with 3072 bit keysize.
337 • rsa4096 - RSA with 4096 bit keysize.
339 Scheme Specifiers
341 Next, is an optional field, it can be skipped.
342 Schemes are usually Signing Schemes or Asymmetric Encryption Schemes.
344 Most signing schemes take a hash algorithm directly following the sign‐
345 ing scheme. If the hash algorithm is missing, it defaults to sha256.
346 Some take no arguments, and some take multiple arguments.
347 Hash Optional Scheme Specifiers
349 These scheme specifiers are followed by a dash and a valid hash algo‐
350 rithm, For example: oaep-sha256.
351 • oaep
353 • ecdh
355 • rsassa
357 • rsapss
359 • ecdsa
361 • ecschnorr
363 • sm2
365 Multiple Option Scheme Specifiers
367 This scheme specifier is followed by a count (max size UINT16) then
368 followed by a dash(-) and a valid hash algorithm. * ecdaa For example,
369 ecdaa4-sha256. If no count is specified, it defaults to 4.
370 No Option Scheme Specifiers
372 This scheme specifier takes NO arguments. * rsaes
373 Symmetric Details Specifiers
375 This field is optional, and defaults based on the type of object being
376 created and it’s attributes. Generally, any valid Symmetric specifier
377 from the Type Specifiers list should work. If not specified, an asym‐
378 metric objects symmetric details defaults to aes128cfb.
379 Examples
381 Create an rsa2048 key with an rsaes asymmetric encryption scheme
382 tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
383 Create an ecc256 key with an ecdaa signing scheme with a count of 4 and
385 sha384 hash
386 /tpm2_create -C parent.ctx -G ecc256:ecdaa4-sha384 -u key.pub -r
387 key.priv cryptographic algorithms ALGORITHM.
388
390 This collection of options are common to many programs and provide in‐
391 formation that many users may expect.
392 • -h, --help=[man|no-man]: Display the tools manpage. By default, it
394 attempts to invoke the manpager for the tool, however, on failure
395 will output a short tool summary. This is the same behavior if the
396 “man” option argument is specified, however if explicit “man” is re‐
397 quested, the tool will provide errors from man on stderr. If the
398 “no-man” option if specified, or the manpager fails, the short op‐
399 tions will be output to stdout.
400 To successfully use the manpages feature requires the manpages to be
402 installed or on MANPATH, See man(1) for more details.
403 • -v, --version: Display version information for this tool, supported
405 tctis and exit.
406 • -V, --verbose: Increase the information that the tool prints to the
408 console during its execution. When using this option the file and
409 line number are printed.
410 • -Q, --quiet: Silence normal tool output to stdout.
412 • -Z, --enable-errata: Enable the application of errata fixups. Useful
414 if an errata fixup needs to be applied to commands sent to the TPM.
415 Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent. in‐
416 formation many users may expect.
417
419 The TCTI or “Transmission Interface” is the communication mechanism
420 with the TPM. TCTIs can be changed for communication with TPMs across
421 different mediums.
422 To control the TCTI, the tools respect:
424 1. The command line option -T or --tcti
426 2. The environment variable: TPM2TOOLS_TCTI.
428 Note: The command line option always overrides the environment vari‐
430 able.
431 The current known TCTIs are:
433 • tabrmd - The resource manager, called tabrmd
435 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
436 abrmd as a tcti name are synonymous.
437 • mssim - Typically used for communicating to the TPM software simula‐
439 tor.
440 • device - Used when talking directly to a TPM device file.
442 • none - Do not initalize a connection with the TPM. Some tools allow
444 for off-tpm options and thus support not using a TCTI. Tools that do
445 not support it will error when attempted to be used without a TCTI
446 connection. Does not support ANY options and MUST BE presented as
447 the exact text of “none”.
448 The arguments to either the command line option or the environment
450 variable are in the form:
451 <tcti-name>:<tcti-option-config>
453 Specifying an empty string for either the <tcti-name> or <tcti-op‐
455 tion-config> results in the default being used for that portion respec‐
456 tively.
457 TCTI Defaults
459 When a TCTI is not specified, the default TCTI is searched for using
460 dlopen(3) semantics. The tools will search for tabrmd, device and
461 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
462 what TCTI will be chosen as the default by using the -v option to print
463 the version information. The “default-tcti” key-value pair will indi‐
464 cate which of the aforementioned TCTIs is the default.
465 Custom TCTIs
467 Any TCTI that implements the dynamic TCTI interface can be loaded. The
468 tools internally use dlopen(3), and the raw tcti-name value is used for
469 the lookup. Thus, this could be a path to the shared library, or a li‐
470 brary name as understood by dlopen(3) semantics.
471
473 This collection of options are used to configure the various known TCTI
474 modules available:
475 • device: For the device TCTI, the TPM character device file for use by
477 the device TCTI can be specified. The default is /dev/tpm0.
478 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI=“de‐
480 vice:/dev/tpm0”
481 • mssim: For the mssim TCTI, the domain name or IP address and port
483 number used by the simulator can be specified. The default are
484 127.0.0.1 and 2321.
485 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
487 TI=“mssim:host=localhost,port=2321”
488 • abrmd: For the abrmd TCTI, the configuration string format is a se‐
490 ries of simple key value pairs separated by a `,' character. Each
491 key and value string are separated by a `=' character.
492 • TCTI abrmd supports two keys:
494 1. `bus_name' : The name of the tabrmd service on the bus (a
496 string).
497 2. `bus_type' : The type of the dbus instance (a string) limited to
499 `session' and `system'.
500 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
502 ample.FooBar:
503 \--tcti=tabrmd:bus_name=com.example.FooBar
505 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
507 sion:
508 \--tcti:bus_type=session
510 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
512 ules. # Signature Format Specifiers
513 Format selection for the signature output file. tss (the default) will
515 output a binary blob according to the TPM 2.0 specification and any po‐
516 tential compiler padding. The option plain will output the plain sig‐
517 nature data as defined by the used cryptographic algorithm.
518
520 Create a key and get attested TPM time
521 tpm2_createprimary -C e -c primary.ctx
522 tpm2_create -G rsa -u rsa.pub -r rsa.priv -C primary.ctx
524 tpm2_load -C primary.ctx -u rsa.pub -r rsa.priv -c rsa.ctx
526 tpm2_gettime -c rsa.ctx -o attest.sig --attestation attest.data
528
530 Tools can return any of the following codes:
531 • 0 - Success.
533 • 1 - General non-specific error.
535 • 2 - Options handling error.
537 • 3 - Authentication error.
539 • 4 - TCTI related error.
541 • 5 - Non supported scheme. Applicable to tpm2_testparams.
543
545 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
546
548 See the Mailing List (https://lists.linuxfoundation.org/mailman/listin‐
549 fo/tpm2)
550tpm2-tools tpm2_gettime(1)