tpm2_nvwritelock(1) General Commands Manual tpm2_nvwritelock(1)

tpm2_nvwritelock(1) - Lock the Non-Volatile (NV) index for further
writes.

tpm2_nvwritelock [OPTIONS] [ARGUMENT]

tpm2_nvwritelock(1) - Lock the Non-Volatile (NV) index for further
writes. The lock on the NV index is unlocked when the TPM is restarted
and the NV index becomes writable again. The index can be specified as
a raw handle or an offset value to the NV handle range
“TPM2_HR_NV_INDEX”.

• -C, --hierarchy=OBJECT:

  Specifies the hierarchy used to authorize. Supported options are:

  • o for TPM_RH_OWNER

  • p for TPM_RH_PLATFORM

  • <num> where a hierarchy handle or nv-index may be used.

  When -C isn’t explicitly passed the index handle will be used to
  authorize against the index. The index auth value is set via the -p
  option to tpm2_nvdefine(1).

• -P, --auth=AUTH:

  Specifies the authorization value for the hierarchy.

• --global:

  Lock all NV indices with attribute TPMA_NV_GLOBALLOCK. This option
  does not require an NV index or offset as an argument.

• --cphash=FILE

  File path to record the hash of the command parameters. This is
  commonly termed as cpHash. NOTE: When this option is selected, the
  tool will not actually execute the command, it simply returns a
  cpHash unless rphash is also required.

• --rphash=FILE

  File path to record the hash of the response parameters. This is
  commonly termed as rpHash.

• -S, --session=FILE:

  The session created using tpm2_startauthsession. This can be used to
  specify an auxiliary session for auditing and/or
  encryption/decryption of the parameters.

• -n, --name=FILE:

  The name of the NV index that must be provided when only calculating
  the cpHash without actually dispatching the command to the TPM.

• ARGUMENT the command line argument specifies the NV index or offset
  number.

References
The type of a context object, whether it is a handle or file name, is
determined according to the following logic in-order:

• If the argument is a file path, then the file is loaded as a restored
  TPM transient object.

• If the argument is a prefix match on one of:

  • owner: the owner hierarchy

  • platform: the platform hierarchy

  • endorsement: the endorsement hierarchy

  • lockout: the lockout control persistent object

• If the argument can be loaded as a number it will be treated as a
  handle, e.g. 0x81010013, and used directly.

Authorization for use of an object in TPM2.0 can come in 3 different
forms:

1. Password

2. HMAC

3. Sessions

NOTE: “Authorizations default to the EMPTY PASSWORD when not
specified”.

Passwords
Passwords are interpreted in the following forms below using prefix
identifiers.

Note: By default passwords are assumed to be in the string form when
they do not have a prefix.

String
A string password, specified by prefix “str:” or its absence (raw
string without prefix), is not interpreted and is directly used for
authorization.

Examples

    foobar
    str:foobar

Hex-string
A hex-string password, specified by prefix “hex:”, is converted from a
hexadecimal form into a byte array form, thus allowing passwords with
non-printable and/or terminal un-friendly characters.

Example

    hex:1122334455667788

File
A file based password, specified by prefix “file:”, should be the path
of a file containing the password to be read by the tool or a “-” to
use stdin. Storing passwords in files prevents information leakage:
passwords passed as options can be read from the process list or common
shell history features.

Examples

    # to use stdin and be prompted
    file:-

    # to use a file from a path
    file:path/to/password/file

    # to echo a password via stdin:
    echo foobar | tpm2_tool -p file:-

    # to use a bash here-string via stdin:
    tpm2_tool -p file:- <<< foobar

Sessions
When using a policy session to authorize the use of an object, prefix
the option argument with the session keyword. Then indicate a path to
a session file that was created with tpm2_startauthsession(1).
Optionally, if the session requires an auth value to be sent with the
session handle (e.g. policy password), then append a + and a string as
described in the Passwords section.

Examples
To use a session context file called session.ctx.

    session:session.ctx

To use a session context file called session.ctx AND send the authvalue
mypassword.

    session:session.ctx+mypassword

To use a session context file called session.ctx AND send the HEX
authvalue 0x11223344.

    session:session.ctx+hex:11223344

PCR Authorizations
You can satisfy a PCR policy using the “pcr:” prefix and the PCR
minilanguage. The PCR minilanguage is as follows:

    <pcr-spec>=<raw-pcr-file>

The PCR spec is documented in the section “PCR bank specifiers”.

The raw-pcr-file is an optional argument that contains the output of
the raw PCR contents as returned by tpm2_pcrread(1).

PCR bank specifiers (pcr.md)

Examples
To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a
specifier of:

    pcr:sha256:0,1,2,3

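The password and session forms above, as an added example that is not part of tpm2-tools: a POSIX shell lint that classifies an AUTH value by its documented prefix and reports tpm2_* invocations in a script whose -P, -p or --auth= value puts the secret itself on the command line. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from tpm2-tools). Constructed helper names throughout.

# Print the documented form of an AUTH value: str, hex, file, session or pcr.
auth_form() {
    case "$1" in
        hex:*)     echo hex ;;
        file:*)    echo file ;;
        session:*) echo session ;;
        pcr:*)     echo pcr ;;
        *)         echo str ;;      # "str:" prefix or no prefix at all
    esac
}

# Return 0 when the AUTH value carries the secret itself on the command line,
# where the process list and shell history can expose it.
auth_is_inline_secret() {
    case "$(auth_form "$1")" in
        str|hex) [ -n "${1#str:}" ] ;;   # the empty password is not a secret
        session)                         # session:<ctx>+<auth> embeds an auth
            case "$1" in
                *+*) auth_is_inline_secret "${1#*+}" ;;
                *)   return 1 ;;
            esac ;;
        *) return 1 ;;                   # file: and pcr: carry no secret
    esac
}

# Read script text on stdin; print "<line>: <form>" for every tpm2_* call whose
# -P, -p or --auth= value is an inline secret. Splitting is on whitespace only,
# so a quoted value or "$VAR" is reported too: it still ends up in argv.
lint_tpm2_auth() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in *tpm2_*) ;; *) continue ;; esac
        set -f; set -- $line; set +f
        while [ $# -gt 0 ]; do
            val=
            case "$1" in
                -P|-p)    val=${2-} ;;
                --auth=*) val=${1#--auth=} ;;
            esac
            [ -n "$val" ] && auth_is_inline_secret "$val" &&
                echo "${n}: $(auth_form "$val")"
            shift
        done
    done
}
```

Run it as `lint_tpm2_auth < provision.sh`; any reported line is a candidate for the file:- or file:path form.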
This collection of options is common to many programs and provides
information that many users may expect.

• -h, --help=[man|no-man]: Display the tool's manpage. By default, it
  attempts to invoke the manpager for the tool, however, on failure
  will output a short tool summary. This is the same behavior if the
  “man” option argument is specified, however if explicit “man” is
  requested, the tool will provide errors from man on stderr. If the
  “no-man” option is specified, or the manpager fails, the short
  options will be output to stdout.

  To successfully use the manpages feature requires the manpages to be
  installed or on MANPATH. See man(1) for more details.

• -v, --version: Display version information for this tool, supported
  tctis and exit.

• -V, --verbose: Increase the information that the tool prints to the
  console during its execution. When using this option the file and
  line number are printed.

• -Q, --quiet: Silence normal tool output to stdout.

• -Z, --enable-errata: Enable the application of errata fixups. Useful
  if an errata fixup needs to be applied to commands sent to the TPM.
  Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.

The TCTI or “Transmission Interface” is the communication mechanism
with the TPM. TCTIs can be changed for communication with TPMs across
different mediums.

To control the TCTI, the tools respect:

1. The command line option -T or --tcti

2. The environment variable: TPM2TOOLS_TCTI.

Note: The command line option always overrides the environment
variable.

The current known TCTIs are:

• tabrmd - The resource manager, called tabrmd
  (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
  abrmd as a tcti name are synonymous.

• mssim - Typically used for communicating to the TPM software
  simulator.

• device - Used when talking directly to a TPM device file.

• none - Do not initialize a connection with the TPM. Some tools allow
  for off-tpm options and thus support not using a TCTI. Tools that do
  not support it will error when attempted to be used without a TCTI
  connection. Does not support ANY options and MUST BE presented as
  the exact text of “none”.

The arguments to either the command line option or the environment
variable are in the form:

    <tcti-name>:<tcti-option-config>

Specifying an empty string for either the <tcti-name> or
<tcti-option-config> results in the default being used for that portion
respectively.

TCTI Defaults
When a TCTI is not specified, the default TCTI is searched for using
dlopen(3) semantics. The tools will search for tabrmd, device and
mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
what TCTI will be chosen as the default by using the -v option to print
the version information. The “default-tcti” key-value pair will
indicate which of the aforementioned TCTIs is the default.

Custom TCTIs
Any TCTI that implements the dynamic TCTI interface can be loaded. The
tools internally use dlopen(3), and the raw tcti-name value is used for
the lookup. Thus, this could be a path to the shared library, or a
library name as understood by dlopen(3) semantics.

This collection of options is used to configure the various known TCTI
modules available:

• device: For the device TCTI, the TPM character device file for use by
  the device TCTI can be specified. The default is /dev/tpm0.

  Example: -T device:/dev/tpm0 or export
  TPM2TOOLS_TCTI="device:/dev/tpm0"

• mssim: For the mssim TCTI, the domain name or IP address and port
  number used by the simulator can be specified. The defaults are
  127.0.0.1 and 2321.

  Example: -T mssim:host=localhost,port=2321 or export
  TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

• abrmd: For the abrmd TCTI, the configuration string format is a
  series of simple key value pairs separated by a `,' character. Each
  key and value string are separated by a `=' character.

  • TCTI abrmd supports two keys:

    1. `bus_name' : The name of the tabrmd service on the bus (a
       string).

    2. `bus_type' : The type of the dbus instance (a string) limited to
       `session' and `system'.

  Specify the tabrmd tcti name and a config string of
  bus_name=com.example.FooBar:

      --tcti=tabrmd:bus_name=com.example.FooBar

  Specify the default (abrmd) tcti and a config string of
  bus_type=session:

      --tcti:bus_type=session

  NOTE: abrmd and tabrmd are synonymous.

Lock an index

    tpm2_nvdefine -C o -s 32 \
      -a "ownerread|policywrite|ownerwrite|writedefine" 1

    echo "foobar" > nv.writelock

    tpm2_nvwrite -C o -i nv.writelock 1

    tpm2_nvwritelock -C o 1

    # fails with "NV access locked"
    tpm2_nvwrite -C o -i nv.writelock 1

Global Lock

    tpm2_nvdefine -C o -s 32 \
      -a "ownerread|policywrite|ownerwrite|globallock" 1

    tpm2_nvwritelock -C o --global

    # this command fails with "NV access locked".
    echo foo | tpm2_nvwrite -C o -i- 1

Tools can return any of the following codes:

• 0 - Success.

• 1 - General non-specific error.

• 2 - Options handling error.

• 3 - Authentication error.

• 4 - TCTI related error.

• 5 - Non supported scheme. Applicable to tpm2_testparams.

Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

See the Mailing List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)

tpm2-tools tpm2_nvwritelock(1)