tpm2_nvsetbits(1)

1tpm2_nvsetbits(1)           General Commands Manual          tpm2_nvsetbits(1)
2
3
4

NAME

6       tpm2_nvsetbits(1) - Bitwise OR bits into a Non-Volatile (NV).
7

SYNOPSIS

9       tpm2_nvsetbits [OPTIONS] [ARGUMENT]
10

DESCRIPTION

12       tpm2_nvsetbits(1)  -  Bitwise OR bits into a Non-Volatile (NV).  The NV
13       index must be of type “bits” which is specified via the “nt” field when
14       creating  the  NV space with tpm2_nvdefine(1).  The index can be speci‐
15       fied as  raw  handle  or  an  offset  value  to  the  NV  handle  range
16       “TPM2_HR_NV_INDEX”.
17

OPTIONS

19       • -C, --hierarchy=OBJECT:
20         Specifies the hierarchy used to authorize.  Supported options are:
21
22         • o for TPM_RH_OWNER
23
24         • p for TPM_RH_PLATFORM
25
26         • <num> where a hierarchy handle or nv-index may be used.
27
28         When  -C isn’t explicitly passed the index handle will be used to au‐
29         thorize against the index.  The index auth value is set  via  the  -p
30         option to tpm2_nvdefine(1).
31
32       • -P, --auth=AUTH:
33
34         Specifies the authorization value for the hierarchy.
35
36       • -i, --bits=BITS:
37
38         Specifies  the  bit  value as a number to bitwise OR into the current
39         value of the NV index.
40
41       • --cphash=FILE
42
43         File path to record the hash of the command parameters.  This is com‐
44         monly termed as cpHash.  NOTE: When this option is selected, The tool
45         will not actually execute the command, it simply  returns  a  cpHash,
46         unless rphash is also required.
47
48       • --rphash=FILE
49
50         File  path  to  record  the hash of the response parameters.  This is
51         commonly termed as rpHash.
52
53       • -S, --session=FILE:
54
55         The session created using tpm2_startauthsession.  This can be used to
56         specify  an  auxiliary session for auditing and or encryption/decryp‐
57         tion of the parameters.
58
59       • -n, --name=FILE:
60
61         The name of the NV index that must be provided when only  calculating
62         the cpHash without actually dispatching the command to the TPM.
63
64       • ARGUMENT  the  command line argument specifies the NV index or offset
65         number.
66
67   References

Context Object Format

69       The type of a context object, whether it is a handle or file  name,  is
70       determined according to the following logic in-order:
71
72       • If the argument is a file path, then the file is loaded as a restored
73         TPM transient object.
74
75       • If the argument is a prefix match on one of:
76
77         • owner: the owner hierarchy
78
79         • platform: the platform hierarchy
80
81         • endorsement: the endorsement hierarchy
82
83         • lockout: the lockout control persistent object
84
85       • If the argument argument can be loaded as a number it will  be  treat
86         as a handle, e.g. 0x81010013 and used directly._OBJECT_.
87

Authorization Formatting

89       Authorization  for  use  of an object in TPM2.0 can come in 3 different
90       forms: 1.  Password 2.  HMAC 3.  Sessions
91
92       NOTE: “Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
93       fied”.
94
95   Passwords
96       Passwords  are  interpreted  in  the following forms below using prefix
97       identifiers.
98
99       Note: By default passwords are assumed to be in the  string  form  when
100       they do not have a prefix.
101
102   String
103       A  string  password,  specified  by  prefix “str:” or it’s absence (raw
104       string without prefix) is not interpreted, and is directly used for au‐
105       thorization.
106
107   Examples
108              foobar
109              str:foobar
110
111   Hex-string
112       A  hex-string  password, specified by prefix “hex:” is converted from a
113       hexidecimal form into a byte array form, thus allowing  passwords  with
114       non-printable and/or terminal un-friendly characters.
115
116   Example
117              hex:1122334455667788
118
119   File
120       A  file  based password, specified be prefix “file:” should be the path
121       of a file containing the password to be read by the tool or  a  “-”  to
122       use  stdin.   Storing  passwords in files prevents information leakage,
123       passwords passed as options can be read from the process list or common
124       shell history features.
125
126   Examples
127              # to use stdin and be prompted
128              file:-
129
130              # to use a file from a path
131              file:path/to/password/file
132
133              # to echo a password via stdin:
134              echo foobar | tpm2_tool -p file:-
135
136              # to use a bash here-string via stdin:
137
138              tpm2_tool -p file:- <<< foobar
139
140   Sessions
141       When  using  a policy session to authorize the use of an object, prefix
142       the option argument with the session keyword.  Then indicate a path  to
143       a session file that was created with tpm2_startauthsession(1).  Option‐
144       ally, if the session requires an auth value to be sent with the session
145       handle  (eg policy password), then append a + and a string as described
146       in the Passwords section.
147
148   Examples
149       To use a session context file called session.ctx.
150
151              session:session.ctx
152
153       To use a session context file called session.ctx AND send the authvalue
154       mypassword.
155
156              session:session.ctx+mypassword
157
158       To use a session context file called session.ctx AND send the HEX auth‐
159       value 0x11223344.
160
161              session:session.ctx+hex:11223344
162
163   PCR Authorizations
164       You can satisfy a PCR policy using the “pcr:” prefix and the PCR  mini‐
165       language.       The     PCR     minilanguage     is     as     follows:
166       <pcr-spec>=<raw-pcr-file>
167
168       The PCR spec is documented in in the section “PCR bank specifiers”.
169
170       The raw-pcr-file is an optional argument that contains  the  output  of
171       the raw PCR contents as returned by tpm2_pcrread(1).
172
173       PCR bank specifiers (pcr.md)
174
175   Examples
176       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
177       er of:
178
179              pcr:sha256:0,1,2,3
180
181       specifying AUTH.
182

COMMON OPTIONS

184       This collection of options are common to many programs and provide  in‐
185       formation that many users may expect.
186
187       • -h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
188         attempts to invoke the manpager for the  tool,  however,  on  failure
189         will  output  a short tool summary.  This is the same behavior if the
190         “man” option argument is specified, however if explicit “man” is  re‐
191         quested,  the  tool  will  provide errors from man on stderr.  If the
192         “no-man” option if specified, or the manpager fails,  the  short  op‐
193         tions will be output to stdout.
194
195         To  successfully use the manpages feature requires the manpages to be
196         installed or on MANPATH, See man(1) for more details.
197
198       • -v, --version: Display version information for this  tool,  supported
199         tctis and exit.
200
201       • -V,  --verbose:  Increase the information that the tool prints to the
202         console during its execution.  When using this option  the  file  and
203         line number are printed.
204
205       • -Q, --quiet: Silence normal tool output to stdout.
206
207       • -Z, --enable-errata: Enable the application of errata fixups.  Useful
208         if an errata fixup needs to be applied to commands sent to  the  TPM.
209         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
210         formation many users may expect.
211

TCTI Configuration

213       The TCTI or “Transmission Interface”  is  the  communication  mechanism
214       with  the TPM.  TCTIs can be changed for communication with TPMs across
215       different mediums.
216
217       To control the TCTI, the tools respect:
218
219       1. The command line option -T or --tcti
220
221       2. The environment variable: TPM2TOOLS_TCTI.
222
223       Note: The command line option always overrides  the  environment  vari‐
224       able.
225
226       The current known TCTIs are:
227
228       • tabrmd      -     The     resource     manager,     called     tabrmd
229         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
230         abrmd as a tcti name are synonymous.
231
232       • mssim  - Typically used for communicating to the TPM software simula‐
233         tor.
234
235       • device - Used when talking directly to a TPM device file.
236
237       • none - Do not initalize a connection with the TPM.  Some tools  allow
238         for off-tpm options and thus support not using a TCTI.  Tools that do
239         not support it will error when attempted to be used  without  a  TCTI
240         connection.   Does  not  support ANY options and MUST BE presented as
241         the exact text of “none”.
242
243       The arguments to either the command  line  option  or  the  environment
244       variable are in the form:
245
246       <tcti-name>:<tcti-option-config>
247
248       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
249       tion-config> results in the default being used for that portion respec‐
250       tively.
251
252   TCTI Defaults
253       When  a  TCTI  is not specified, the default TCTI is searched for using
254       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
255       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
256       what TCTI will be chosen as the default by using the -v option to print
257       the  version information.  The “default-tcti” key-value pair will indi‐
258       cate which of the aforementioned TCTIs is the default.
259
260   Custom TCTIs
261       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
262       tools internally use dlopen(3), and the raw tcti-name value is used for
263       the lookup.  Thus, this could be a path to the shared library, or a li‐
264       brary name as understood by dlopen(3) semantics.
265

TCTI OPTIONS

267       This collection of options are used to configure the various known TCTI
268       modules available:
269
270       • device: For the device TCTI, the TPM character device file for use by
271         the device TCTI can be specified.  The default is /dev/tpm0.
272
273         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI=“de‐
274         vice:/dev/tpm0”
275
276       • mssim: For the mssim TCTI, the domain name or  IP  address  and  port
277         number  used  by  the  simulator  can  be specified.  The default are
278         127.0.0.1 and 2321.
279
280         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
281         TI=“mssim:host=localhost,port=2321”
282
283       • abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
284         ries of simple key value pairs separated by a  `,'  character.   Each
285         key and value string are separated by a `=' character.
286
287         • TCTI abrmd supports two keys:
288
289           1. `bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
290              string).
291
292           2. `bus_type' : The type of the dbus instance (a string) limited to
293              `session' and `system'.
294
295         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
296         ample.FooBar:
297
298                \--tcti=tabrmd:bus_name=com.example.FooBar
299
300         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
301         sion:
302
303                \--tcti:bus_type=session
304
305         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
306         ules.
307

EXAMPLES

309   OR 0xbadc0de into an index of 0’s
310              tpm2_nvdefine -C o -a "nt=bits|ownerread|policywrite|ownerwrite|writedefine" 1
311
312              tpm2_nvsetbits -C o -i 0xbadc0de 1
313
314              tpm2_nvread -C o 1 | xxd -p | sed s/'^0*'/0x/
315              0xbadc0de
316

Returns

318       Tools can return any of the following codes:
319
320       • 0 - Success.
321
322       • 1 - General non-specific error.
323
324       • 2 - Options handling error.
325
326       • 3 - Authentication error.
327
328       • 4 - TCTI related error.
329
330       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
331

BUGS

333       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
334

HELP

336       See the Mailing List (https://lists.linuxfoundation.org/mailman/listin‐
337       fo/tpm2)
338
339
340
341tpm2-tools                                                   tpm2_nvsetbits(1)