tpm2_pcrallocate(1)         General Commands Manual        tpm2_pcrallocate(1)

NAME

       tpm2_pcrallocate(1) - Configure PCRs and bank algorithms.

SYNOPSIS

       tpm2_pcrallocate [OPTIONS] [ARGUMENT]

DESCRIPTION

       tpm2_pcrallocate(1) - Allow the user to specify a PCR allocation for
       the TPM.  An allocation is the enabling or disabling of PCRs and their
       banks.  A PCR can have multiple banks, where each bank is associated
       with a specific hashing algorithm.  The allocation is specified in the
       argument.

       If no allocation is given, then SHA1 and SHA256 banks with PCRs 0 - 23
       are allocated.

       An allocation is a list of banks and selected PCRs.  The values should
       follow the PCR bank specifier standards, see section “PCR Bank
       Specifiers”.

       The new allocations become effective after the next reboot.

       Note: This command requires platform authorization.


OPTIONS

       -P, --auth=AUTH:

         Optional authorization value.  Authorization values should follow the
         “authorization formatting standards”, see section “Authorization
         Formatting”.

       ARGUMENT: the command line argument specifies the PCR allocation.

       --cphash=FILE

         File path to record the hash of the command parameters.  This is
         commonly termed the cpHash.  NOTE: When this option is selected, the
         tool will not actually execute the command, it simply returns a cpHash.

   References

Context Object Format

       The type of a context object, whether it is a handle or file name, is
       determined according to the following logic in-order:

       • If the argument is a file path, then the file is loaded as a restored
         TPM transient object.

       • If the argument is a prefix match on one of:

         • owner: the owner hierarchy

         • platform: the platform hierarchy

         • endorsement: the endorsement hierarchy

         • lockout: the lockout control persistent object

       • If the argument can be parsed as a number, it is treated as a handle,
         e.g. 0x81010013, and used directly.


Authorization Formatting

       Authorization for use of an object in TPM2.0 can come in 3 different
       forms:

       1. Password

       2. HMAC

       3. Sessions

       NOTE: “Authorizations default to the EMPTY PASSWORD when not
       specified”.

   Passwords
       Passwords are interpreted in the following forms below using prefix
       identifiers.

       Note: By default passwords are assumed to be in the string form when
       they do not have a prefix.

   String
       A string password, specified by prefix “str:” or its absence (raw
       string without prefix) is not interpreted, and is directly used for
       authorization.

   Examples
              foobar
              str:foobar

   Hex-string
       A hex-string password, specified by prefix “hex:”, is converted from a
       hexadecimal form into a byte array form, thus allowing passwords with
       non-printable and/or terminal-unfriendly characters.

   Example
              hex:1122334455667788

   File
       A file based password, specified by prefix “file:”, should be the path
       of a file containing the password to be read by the tool or a “-” to
       use stdin.  Storing passwords in files prevents information leakage:
       passwords passed as options can be read from the process list or common
       shell history features.

   Examples
              # to use stdin and be prompted
              file:-

              # to use a file from a path
              file:path/to/password/file

              # to echo a password via stdin:
              echo foobar | tpm2_tool -p file:-

              # to use a bash here-string via stdin:
              tpm2_tool -p file:- <<< foobar

   Sessions
       When using a policy session to authorize the use of an object, prefix
       the option argument with the session keyword.  Then indicate a path to
       a session file that was created with tpm2_startauthsession(1).
       Optionally, if the session requires an auth value to be sent with the
       session handle (e.g. a policy password), then append a + and a string
       as described in the Passwords section.

   Examples
       To use a session context file called session.ctx.

              session:session.ctx

       To use a session context file called session.ctx AND send the authvalue
       mypassword.

              session:session.ctx+mypassword

       To use a session context file called session.ctx AND send the HEX
       authvalue 0x11223344.

              session:session.ctx+hex:11223344

   PCR Authorizations
       You can satisfy a PCR policy using the “pcr:” prefix and the PCR
       minilanguage.  The PCR minilanguage is as follows:

              <pcr-spec>=<raw-pcr-file>

       The PCR spec is documented in the section “PCR Bank Specifiers”.

       The raw-pcr-file is an optional argument that contains the output of
       the raw PCR contents as returned by tpm2_pcrread(1).

   Examples
       To satisfy a PCR policy over PCRs 0, 1, 2 and 3 of the sha256 bank,
       use a specifier of:

              pcr:sha256:0,1,2,3

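       The authorization formats above, worked as an added example that is
       not part of this man page or of tpm2-tools: a Python resolver that maps
       an AUTH argument (raw string, str:, hex:, file:, file:-, session:<ctx>[+<auth>],
       pcr:<spec>[=<file>]) to the bytes that would be sent, so that file:
       and stdin keep the secret out of argv and shell history.  The Auth
       type, the function names and the choice to use file contents verbatim
       are assumptions of this example.

```python
# Added example (not tpm2-tools code): resolver for the authorization value
# formats described in "Authorization Formatting": an unprefixed string,
# "str:", "hex:", "file:" (or "file:-" for stdin), "session:<ctx>[+<auth>]"
# and "pcr:<spec>[=<file>]".
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class Auth:
    value: bytes                        # auth value sent with the command (may be empty)
    session_ctx: Optional[str] = None   # path to a tpm2_startauthsession(1) context file
    pcr_spec: Optional[str] = None      # "<bank>:<pcrs>" selection for a PCR policy
    pcr_file: Optional[str] = None      # optional raw PCR file from tpm2_pcrread(1)


def resolve_password(spec: str, stdin_data: Optional[bytes] = None) -> bytes:
    """Turn a password specifier into the raw bytes used for authorization."""
    if spec.startswith("str:"):
        return spec[4:].encode()
    if spec.startswith("hex:"):
        try:
            return bytes.fromhex(spec[4:])
        except ValueError as exc:
            raise ValueError(f"bad hex password {spec!r}") from exc
    if spec.startswith("file:"):
        # file:/stdin keep the secret out of the process list and shell history
        path = spec[5:]
        if path == "-":                 # "file:-" reads the password from stdin
            return stdin_data if stdin_data is not None else sys.stdin.buffer.read()
        with open(path, "rb") as fh:    # contents are used verbatim, including any
            return fh.read()            # trailing newline (assumption of this example)
    return spec.encode()                # no prefix: a raw string, used as-is


def resolve_auth(spec: str, stdin_data: Optional[bytes] = None) -> Auth:
    """Parse a full AUTH argument, including the session and PCR policy forms."""
    if spec.startswith("session:"):
        ctx, plus, auth = spec[len("session:"):].partition("+")
        # "+<auth>" is optional and itself follows the password forms above
        return Auth(value=resolve_password(auth, stdin_data) if plus else b"",
                    session_ctx=ctx)
    if spec.startswith("pcr:"):
        pcr_spec, eq, path = spec[len("pcr:"):].partition("=")
        return Auth(value=b"", pcr_spec=pcr_spec, pcr_file=path if eq else None)
    return Auth(value=resolve_password(spec, stdin_data))
```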

Algorithm Specifiers

       Options that take algorithms support “nice-names”.

       There are two major algorithm specification string classes, simple and
       complex.  Only certain algorithms will be accepted by the TPM, based on
       usage and conditions.

   Simple specifiers
       These are strings with no additional specification data.  When creating
       objects, non-specified portions of an object assume default values.
       You can find the list of known “Simple Specifiers” below.

   Asymmetric
       • rsa

       • ecc

   Symmetric
       • aes

       • camellia

       • sm4

   Hashing Algorithms
       • sha1

       • sha256

       • sha384

       • sha512

       • sm3_256

       • sha3_256

       • sha3_384

       • sha3_512

   Keyed Hash
       • hmac

       • xor

   Signing Schemes
       • rsassa

       • rsapss

       • ecdsa

       • ecdaa

       • ecschnorr

       • sm2

   Asymmetric Encryption Schemes
       • oaep

       • rsaes

       • ecdh

   Modes
       • ctr

       • ofb

       • cbc

       • cfb

       • ecb

   Misc
       • null

   Complex Specifiers
       Objects, when specified for creation by the TPM, have numerous
       algorithms to populate in the public data.  Things like type, scheme
       and asymmetric details, key size, etc.  Below is the general format for
       specifying this data:

              <type>:<scheme>:<symmetric-details>

   Type Specifiers
       This portion of the complex algorithm specifier is required.  The
       remaining scheme and symmetric details will default based on the type
       specified and the type of the object being created.

       • aes - Default AES: aes128

       • aes128<mode> - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
         If mode is not specified, defaults to null.

       • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.

       • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.

       • sm4 - Default SM4: sm4128

       • sm4128 or sm4_128 <mode> - 128 bit SM4 with optional mode
         (ctr|ofb|cbc|cfb|ecb).  If mode is not specified, defaults to null.

       • ecc - Elliptic Curve, defaults to ecc256.

       • ecc192 or ecc_nist_p192 - 192 bit ECC NIST curve

       • ecc224 or ecc_nist_p224 - 224 bit ECC NIST curve

       • ecc256 or ecc_nist_p256 - 256 bit ECC NIST curve

       • ecc384 or ecc_nist_p384 - 384 bit ECC NIST curve

       • ecc521 or ecc_nist_p521 - 521 bit ECC NIST curve

       • ecc_sm2 or ecc_sm2_p256 - 256 bit SM2 curve

       • rsa - Default RSA: rsa2048

       • rsa1024 - RSA with 1024 bit keysize.

       • rsa2048 - RSA with 2048 bit keysize.

       • rsa3072 - RSA with 3072 bit keysize.

       • rsa4096 - RSA with 4096 bit keysize.

   Scheme Specifiers
       Next is an optional field; it can be skipped.

       Schemes are usually Signing Schemes or Asymmetric Encryption Schemes.
       Most signing schemes take a hash algorithm directly following the
       signing scheme.  If the hash algorithm is missing, it defaults to
       sha256.  Some take no arguments, and some take multiple arguments.

   Hash Optional Scheme Specifiers
       These scheme specifiers are followed by a dash and a valid hash
       algorithm, for example: oaep-sha256.

       • oaep

       • ecdh

       • rsassa

       • rsapss

       • ecdsa

       • ecschnorr

       • sm2

   Multiple Option Scheme Specifiers
       This scheme specifier is followed by a count (max size UINT16) then
       followed by a dash (-) and a valid hash algorithm.

       • ecdaa

       For example, ecdaa4-sha256.  If no count is specified, it defaults to 4.

   No Option Scheme Specifiers
       This scheme specifier takes NO arguments.

       • rsaes

   Symmetric Details Specifiers
       This field is optional, and defaults based on the type of object being
       created and its attributes.  Generally, any valid Symmetric specifier
       from the Type Specifiers list should work.  If not specified, an
       asymmetric object's symmetric details default to aes128cfb.

   Examples
   Create an rsa2048 key with an rsaes asymmetric encryption scheme
       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv

   Create an ecc256 key with an ecdaa signing scheme with a count of 4 and
       sha384 hash
       tpm2_create -C parent.ctx -G ecc256:ecdaa4-sha384 -u key.pub -r key.priv


Object Attributes

       Object Attributes are used to control various properties of created
       objects.  When specified as an option, either the raw bitfield mask or
       “nice-names” may be used.  The values can be found in Table 31 Part 2
       of the TPM2.0 specification, which can be found here:

       <https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>

       Nice names are calculated by taking the name field of table 31 and
       removing the prefix TPMA_OBJECT_ and lowercasing the result.  Thus,
       TPMA_OBJECT_FIXEDTPM becomes fixedtpm.  Nice names can be joined using
       the bitwise or “|” symbol.

       For instance, to set the fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
       and TPMA_OBJECT_SIGN_ENCRYPT, the argument would be:

              fixedtpm|noda|sign


PCR Bank Specifiers

       PCR Bank Selection lists follow the below specification:

              <BANK>:<PCR>[,<PCR>] or <BANK>:all

       Multiple banks may be separated by `+'.

       For example:

              sha1:3,4+sha256:all

       will select PCRs 3 and 4 from the SHA1 bank and PCRs 0 to 23 from the
       SHA256 bank.

   Note
       PCR Selections allow for up to 5 hash-to-PCR selection mappings.  This
       is a design limitation of the single call to the TPM used to get the
       PCR values.


COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       -h, --help=[man|no-man]: Display the tool's manpage.  By default, it
         attempts to invoke the manpager for the tool; however, on failure it
         will output a short tool summary.  This is the same behavior if the
         “man” option argument is specified; however, if explicit “man” is
         requested, the tool will provide errors from man on stderr.  If the
         “no-man” option is specified, or the manpager fails, the short
         options will be output to stdout.

         To successfully use the manpages feature requires the manpages to be
         installed or on MANPATH.  See man(1) for more details.

       -v, --version: Display version information for this tool, supported
         tctis and exit.

       -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       -Q, --quiet: Silence normal tool output to stdout.

       -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.
         Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
         equivalent.


TCTI Configuration

       The TCTI or “Transmission Interface” is the communication mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       • tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd and
         abrmd as a tcti name are synonymous.

       • mssim - Typically used for communicating to the TPM software
         simulator.

       • device - Used when talking directly to a TPM device file.

       • none - Do not initialize a connection with the TPM.  Some tools allow
         for off-tpm options and thus support not using a TCTI.  Tools that do
         not support it will error when attempted to be used without a TCTI
         connection.  Does not support ANY options and MUST BE presented as
         the exact text of “none”.

       The arguments to either the command line option or the environment
       variable are in the form:

              <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that portion
       respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics.  The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
       what TCTI will be chosen as the default by using the -v option to print
       the version information.  The “default-tcti” key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup.  Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.


TCTI OPTIONS

       This collection of options is used to configure the various known TCTI
       modules available:

       device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified.  The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="device:/dev/tpm0"

       mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified.  The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or export
         TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       abrmd: For the abrmd TCTI, the configuration string format is a
         series of simple key value pairs separated by a `,' character.  Each
         key and value string are separated by a `=' character.

         • TCTI abrmd supports two keys:

           1. `bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. `bus_type' : The type of the dbus instance (a string) limited to
              `session' and `system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

                --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti, by leaving the tcti-name empty, and
         a config string of bus_type=session:

                --tcti=:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.


EXAMPLES

   To allocate the two default banks (SHA1 and SHA256)
              tpm2_pcrallocate

   To make a custom allocation with a platform authorization
              tpm2_pcrallocate -P abc sha1:7,8,9,10,16,17,18,19+sha256:all

   To completely switch from the SHA1 bank to SHA256 with a platform authorization
              tpm2_pcrallocate -P abc sha1:none+sha256:all


Returns

       Tools can return any of the following codes:

       • 0 - Success.

       • 1 - General non-specific error.

       • 2 - Options handling error.

       • 3 - Authentication error.

       • 4 - TCTI related error.

       • 5 - Non supported scheme.  Applicable to tpm2_testparams.


BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)


HELP

       See the Mailing List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)



tpm2-tools                                                 tpm2_pcrallocate(1)