tpm2_nvsetbits(1)            General Commands Manual           tpm2_nvsetbits(1)

NAME
       tpm2_nvsetbits(1) - Bitwise OR bits into a Non-Volatile (NV) index.

SYNOPSIS
       tpm2_nvsetbits [OPTIONS] [ARGUMENT]

DESCRIPTION
       tpm2_nvsetbits(1) - Bitwise OR bits into a Non-Volatile (NV) index.
       The NV index must be of type “bits”, which is selected via the “nt”
       field when creating the NV space with tpm2_nvdefine(1).  A bits index
       holds a single 8-octet bit field: this command can only set bits in
       it, and a bit once set stays set until the index is undefined.  The
       index can be specified as a raw handle or as an offset into the NV
       handle range “TPM2_HR_NV_INDEX”.
OPTIONS
       • -C, --hierarchy=OBJECT:
         Specifies the hierarchy used to authorize.  Supported options are:

         • o for TPM_RH_OWNER

         • p for TPM_RH_PLATFORM

         • <num> where a hierarchy handle or nv-index may be used.

         When -C isn’t explicitly passed, the index handle itself is used
         to authorize against the index.  The index auth value is set via
         the -p option to tpm2_nvdefine(1).

       • -P, --auth=AUTH:

         Specifies the authorization value for the hierarchy.

       • -i, --bits=BITS:

         Specifies the bit value, as a number, to bitwise OR into the
         current value of the NV index.

       • --cphash=FILE

         File path to record the hash of the command parameters.  This is
         commonly termed the cpHash.  NOTE: When this option is selected,
         the tool will not actually execute the command; it simply returns
         a cpHash, unless rphash is also required.

       • --rphash=FILE

         File path to record the hash of the response parameters.  This is
         commonly termed the rpHash.

       • -S, --session=FILE:

         The session created using tpm2_startauthsession.  This can be used
         to specify an auxiliary session for auditing and/or encryption and
         decryption of the parameters.

       • -n, --name=FILE:

         The name of the NV index, which must be provided when only
         calculating the cpHash without actually dispatching the command to
         the TPM.

       • ARGUMENT the command line argument specifies the NV index or
         offset number.
References
   Context Object Format
       The type of a context object, whether it is a handle or file name, is
       determined according to the following logic, in order:

       • If the argument is a file path, then the file is loaded as a
         restored TPM transient object.

       • If the argument is a prefix match on one of:

         • owner: the owner hierarchy

         • platform: the platform hierarchy

         • endorsement: the endorsement hierarchy

         • lockout: the lockout control persistent object

       • If the argument can be parsed as a number, it is treated as a
         handle, e.g. 0x81010013, and used directly.
   Authorization Formatting
       Authorization for use of an object in TPM2.0 can come in 3 different
       forms: 1. Password 2. HMAC 3. Sessions

       NOTE: “Authorizations default to the EMPTY PASSWORD when not
       specified”.

   Passwords
       Passwords are interpreted in the forms below using prefix
       identifiers.

       Note: By default passwords are assumed to be in the string form when
       they do not have a prefix.

   String
       A string password, specified by the prefix “str:” or by its absence
       (raw string without prefix), is not interpreted and is used directly
       for authorization.

       Examples
              foobar
              str:foobar

   Hex-string
       A hex-string password, specified by the prefix “hex:”, is converted
       from hexadecimal form into a byte array, thus allowing passwords
       with non-printable and/or terminal-unfriendly characters.

       Example
              hex:1122334455667788

   File
       A file based password, specified by the prefix “file:”, should be
       the path of a file containing the password to be read by the tool,
       or a “-” to use stdin.  Storing passwords in files prevents
       information leakage: passwords passed as options can be read from
       the process list or from common shell history features.

       Examples
              # to use stdin and be prompted
              file:-

              # to use a file from a path
              file:path/to/password/file

              # to echo a password via stdin:
              echo foobar | tpm2_tool -p file:-

              # to use a bash here-string via stdin:

              tpm2_tool -p file:- <<< foobar

   Sessions
       When using a policy session to authorize the use of an object, prefix
       the option argument with the session keyword.  Then indicate a path
       to a session file that was created with tpm2_startauthsession(1).
       Optionally, if the session requires an auth value to be sent with
       the session handle (eg policy password), then append a + and a
       string as described in the Passwords section.

       Examples
              To use a session context file called session.ctx.

              session:session.ctx

              To use a session context file called session.ctx AND send the
              authvalue mypassword.

              session:session.ctx+mypassword

              To use a session context file called session.ctx AND send the
              HEX authvalue 0x11223344.

              session:session.ctx+hex:11223344

   PCR Authorizations
       You can satisfy a PCR policy using the “pcr:” prefix and the PCR
       minilanguage.  The PCR minilanguage is as follows:
              <pcr-spec>=<raw-pcr-file>

       The <pcr-spec> is a PCR bank specifier of the form
       <bank>:<index>[,<index>...], the same syntax accepted by
       tpm2_pcrread(1).

       The raw-pcr-file is an optional argument that contains the output of
       the raw PCR contents as returned by tpm2_pcrread(1).

       Examples
              To satisfy a PCR policy over PCRs 0, 1, 2 and 3 of the sha256
              bank use a specifier of:

              pcr:sha256:0,1,2,3
COMMON OPTIONS
       This collection of options is common to many programs and provides
       information that many users may expect.

       • -h, --help=[man|no-man]: Display the tool's manpage.  By default,
         it attempts to invoke the manpager for the tool; on failure it
         outputs a short tool summary.  This is the same behavior as when
         the “man” option argument is specified, except that when “man” is
         explicitly requested the tool will also forward errors from man on
         stderr.  If the “no-man” option is specified, or the manpager
         fails, the short options are output to stdout.

         To successfully use the manpages feature requires the manpages to
         be installed or on MANPATH.  See man(1) for more details.

       • -v, --version: Display version information for this tool and the
         supported TCTIs, then exit.

       • -V, --verbose: Increase the information that the tool prints to
         the console during its execution.  When using this option the file
         and line number are printed.

       • -Q, --quiet: Silence normal tool output to stdout.

       • -Z, --enable-errata: Enable the application of errata fixups.
         Useful if an errata fixup needs to be applied to commands sent to
         the TPM.  Defining the environment variable TPM2TOOLS_ENABLE_ERRATA
         is equivalent.

TCTI Configuration
       The TCTI or “Transmission Interface” is the communication mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs
       across different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       • tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd
         and abrmd as a tcti name are synonymous.

       • mssim - Typically used for communicating to the TPM software
         simulator.

       • device - Used when talking directly to a TPM device file.

       • none - Do not initialize a connection with the TPM.  Some tools
         allow for off-TPM options and thus support not using a TCTI.
         Tools that do not support it will error when attempted to be used
         without a TCTI connection.  Does not support ANY options and MUST
         BE presented as the exact text of “none”.

       The arguments to either the command line option or the environment
       variable are in the form:

       <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or the
       <tcti-option-config> results in the default being used for that
       portion respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics.  The tools will search for the tabrmd, device
       and mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You can
       query what TCTI will be chosen as the default by using the -v option
       to print the version information.  The “default-tcti” key-value pair
       will indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.
       The tools internally use dlopen(3), and the raw tcti-name value is
       used for the lookup.  Thus, this could be a path to the shared
       library, or a library name as understood by dlopen(3) semantics.
       Because the name is passed straight to dlopen(3), treat -T and
       TPM2TOOLS_TCTI as trusted input: whoever controls them chooses which
       shared object the tool loads and executes.
265
267 This collection of options are used to configure the various known TCTI
268 modules available:
269
270 • device: For the device TCTI, the TPM character device file for use by
271 the device TCTI can be specified. The default is /dev/tpm0.
272
273 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI=“de‐
274 vice:/dev/tpm0”
275
276 • mssim: For the mssim TCTI, the domain name or IP address and port
277 number used by the simulator can be specified. The default are
278 127.0.0.1 and 2321.
279
280 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
281 TI=“mssim:host=localhost,port=2321”
282
283 • abrmd: For the abrmd TCTI, the configuration string format is a se‐
284 ries of simple key value pairs separated by a `,' character. Each
285 key and value string are separated by a `=' character.
286
287 • TCTI abrmd supports two keys:
288
289 1. `bus_name' : The name of the tabrmd service on the bus (a
290 string).
291
292 2. `bus_type' : The type of the dbus instance (a string) limited to
293 `session' and `system'.
294
295 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
296 ample.FooBar:
297
298 \--tcti=tabrmd:bus_name=com.example.FooBar
299
300 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
301 sion:
302
303 \--tcti:bus_type=session
304
305 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
306 ules.
307
EXAMPLES
   OR 0xbadc0de into an index of 0’s
       tpm2_nvdefine -C o -a "nt=bits|ownerread|policywrite|ownerwrite|writedefine" 1

       tpm2_nvsetbits -C o -i 0xbadc0de 1

       tpm2_nvread -C o 1 | xxd -p | sed s/'^0*'/0x/
       0xbadc0de
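       The example above relies on sed s/'^0*'/0x/ to strip the leading zero
       octets of the 8-byte value, which turns an all-zero index into a bare
       “0x”.  The script below is an added example, not part of tpm2-tools:
       it wraps the same define/set/read flow with a decoder that handles
       the zero case and checks that successive tpm2_nvsetbits calls only
       ever accumulate bits.  The demo function assumes tpm2-tools on PATH,
       TPM2TOOLS_TCTI pointing at a TPM or simulator, and an empty owner
       authorization; the helper functions need no TPM.

```shell
#!/bin/sh
# Added example (not part of tpm2-tools): exercise a "bits" NV index end to
# end and show that tpm2_nvsetbits can only accumulate bits, never clear them.
# The demo function assumes tpm2-tools on PATH, TPM2TOOLS_TCTI pointing at a
# TPM or simulator, and an empty owner authorization. The helpers need no TPM.
set -eu

# Decode the raw bytes tpm2_nvread returns (8 big-endian octets for an
# nt=bits index, supplied as `xxd -p` output on stdin) into a hexadecimal
# literal. Unlike `sed s/'^0*'/0x/`, an all-zero index decodes to 0x0.
nv_bits_decode() {
    hex=$(tr -d ' \n')
    printf '0x%x\n' "0x$hex"
}

# Succeed when every bit of MASK ($2) is set in VALUE ($1).
bits_set() {
    [ $(( $1 & $2 )) -eq $(( $2 )) ]
}

# Value of a bits index after OR-ing each MASK into the starting value.
expected_or() {
    acc=$1; shift
    for m in "$@"; do acc=$(( acc | m )); done
    printf '0x%x\n' "$acc"
}

demo() {
    idx=${1:-1}                       # offset into TPM2_HR_NV_INDEX, as in EXAMPLES
    tpm2_nvdefine -C o -a "nt=bits|ownerread|ownerwrite|writedefine" "$idx"
    tpm2_nvsetbits -C o -i 0x0badc0de "$idx"
    tpm2_nvsetbits -C o -i 0x1000     "$idx"   # a second OR accumulates
    tpm2_nvsetbits -C o -i 0x0        "$idx"   # OR with 0 changes nothing: there is no clear
    got=$(tpm2_nvread -C o "$idx" | xxd -p | nv_bits_decode)
    want=$(expected_or 0 0x0badc0de 0x1000)
    [ "$got" = "$want" ] || { echo "index $idx holds $got, expected $want" >&2; exit 1; }
    bits_set "$got" 0x1000 && echo "index $idx = $got (bit 12 latched)"
    tpm2_nvundefine -C o "$idx"       # the only way to return the index to all zeros
}

# Usage: sh nv_bits_demo.sh --run [index]
if [ "${1:-}" = "--run" ]; then
    demo "${2:-1}"
fi
```

       Run it with --run against the simulator (for example with
       TPM2TOOLS_TCTI=mssim) to see the read-back value equal the OR of
       both masks; without --run only the TPM-free helpers are defined.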

Returns
       Tools can return any of the following codes:

       • 0 - Success.

       • 1 - General non-specific error.

       • 2 - Options handling error.

       • 3 - Authentication error.

       • 4 - TCTI related error.

       • 5 - Non supported scheme.  Applicable to tpm2_testparams.

BUGS
       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

HELP
       See the Mailing List
       (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)

tpm2-tools                                                  tpm2_nvsetbits(1)