tpm2_pcrevent(1)            General Commands Manual           tpm2_pcrevent(1)

NAME

       tpm2_pcrevent(1) - Hashes a file and optionally extends a PCR.

SYNOPSIS

       tpm2_pcrevent [OPTIONS] FILE PCR_INDEX

DESCRIPTION

       tpm2_pcrevent(1) - Hashes FILE if specified, otherwise stdin.  It uses
       all of the hashing algorithms that the TPM supports.

       Optionally, if a PCR index is specified, it extends that PCR for all
       supported algorithms with the hash digest.  The FILE and PCR_INDEX
       arguments don’t need to come in any particular order.

       In either case, it outputs to stdout the hash algorithm used and the
       digest value, one per line:

       alg:digest

       Where alg is the algorithm used (like sha1) and digest is the digest
       resulting from the hash computation of alg on the data.

       See sections 23.1 and 17 of the TPM2.0 Specification
       (https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf)


OPTIONS

       These options control extending the PCR:

       -P, --auth=AUTH:

         Specifies the authorization value for the PCR.

       --cphash=FILE

         File path to record the hash of the command parameters.  This is
         commonly termed the cpHash.  NOTE: When this option is selected, the
         tool will not actually execute the command; it simply returns a
         cpHash.


COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       -h, --help=[man|no-man]: Display the tool's manpage.  By default, it
         attempts to invoke the manpager for the tool; however, on failure it
         will output a short tool summary.  This is the same behavior if the
         “man” option argument is specified, however if “man” is explicitly
         requested, the tool will provide errors from man on stderr.  If the
         “no-man” option is specified, or the manpager fails, the short
         options will be output to stdout.

         To successfully use the manpages feature requires the manpages to be
         installed or on MANPATH.  See man(1) for more details.

       -v, --version: Display version information for this tool, supported
         tctis and exit.

       -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       -Q, --quiet: Silence normal tool output to stdout.

       -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.
         Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
         equivalent.


TCTI Configuration

       The TCTI or “Transmission Interface” is the communication mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       • tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd and
         abrmd as a tcti name are synonymous.

       • mssim - Typically used for communicating to the TPM software
         simulator.

       • device - Used when talking directly to a TPM device file.

       • none - Do not initialize a connection with the TPM.  Some tools allow
         for off-tpm options and thus support not using a TCTI.  Tools that do
         not support it will error when attempted to be used without a TCTI
         connection.  Does not support ANY options and MUST BE presented as
         the exact text of “none”.

       The arguments to either the command line option or the environment
       variable are in the form:

       <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that portion
       respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics.  The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
       what TCTI will be chosen as the default by using the -v option to print
       the version information.  The “default-tcti” key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup.  Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.


TCTI OPTIONS

       This collection of options is used to configure the various known TCTI
       modules available:

       device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified.  The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="device:/dev/tpm0"

       mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified.  The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or
         export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       abrmd: For the abrmd TCTI, the configuration string format is a
         series of simple key value pairs separated by a ‘,’ character.  Each
         key and value string are separated by a ‘=’ character.

         • TCTI abrmd supports two keys:

           1. ‘bus_name’ : The name of the tabrmd service on the bus (a
              string).

           2. ‘bus_type’ : The type of the dbus instance (a string) limited to
              ‘session’ and ‘system’.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

                --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti and a config string of
         bus_type=session:

                --tcti:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.


Authorization Formatting

       Authorization for use of an object in TPM2.0 can come in 3 different
       forms:

       1. Password

       2. HMAC

       3. Sessions

       NOTE: “Authorizations default to the EMPTY PASSWORD when not
       specified”.

   Passwords
       Passwords are interpreted in the following forms below using prefix
       identifiers.

       Note: By default passwords are assumed to be in the string form when
       they do not have a prefix.

   String
       A string password, specified by prefix “str:” or its absence (raw
       string without prefix) is not interpreted, and is directly used for
       authorization.

   Examples
              foobar
              str:foobar

   Hex-string
       A hex-string password, specified by prefix “hex:” is converted from a
       hexadecimal form into a byte array form, thus allowing passwords with
       non-printable and/or terminal un-friendly characters.

   Example
              hex:1122334455667788

   File
       A file based password, specified by prefix “file:” should be the path
       of a file containing the password to be read by the tool or a “-” to
       use stdin.  Storing passwords in files prevents information leakage,
       since passwords passed as options can be read from the process list or
       common shell history features.

   Examples
              # to use stdin and be prompted
              file:-

              # to use a file from a path
              file:path/to/password/file

              # to echo a password via stdin:
              echo foobar | tpm2_tool -p file:-

              # to use a bash here-string via stdin:
              tpm2_tool -p file:- <<< foobar

   Sessions
       When using a policy session to authorize the use of an object, prefix
       the option argument with the session keyword.  Then indicate a path to
       a session file that was created with tpm2_startauthsession(1).
       Optionally, if the session requires an auth value to be sent with the
       session handle (e.g. policy password), then append a + and a string as
       described in the Passwords section.

   Examples
       To use a session context file called session.ctx.

              session:session.ctx

       To use a session context file called session.ctx AND send the authvalue
       mypassword.

              session:session.ctx+mypassword

       To use a session context file called session.ctx AND send the HEX
       authvalue 0x11223344.

              session:session.ctx+hex:11223344

   PCR Authorizations
       You can satisfy a PCR policy using the “pcr:” prefix and the PCR
       minilanguage.  The PCR minilanguage is as follows:

              <pcr-spec>=<raw-pcr-file>

       The PCR spec is documented in the section “PCR bank specifiers”.

       The raw-pcr-file is an optional argument that contains the output of
       the raw PCR contents as returned by tpm2_pcrread(1).

       PCR bank specifiers (pcr.md)

   Examples
       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a
       specifier of:

              pcr:sha256:0,1,2,3

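       A hypothetical parser for the authorization syntax of this section, added
       here as an illustration and not the tpm2-tools implementation.  The names
       Auth, parse_password, parse_auth and the injected read_file reader are
       assumptions; so is splitting a session specifier at the first + and a pcr
       specifier at the first =, and stripping one trailing newline from stdin.

```python
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class Auth:
    kind: str                          # "password", "session" or "pcr"
    value: bytes = b""                 # password bytes (or the optional session auth)
    session_path: Optional[str] = None
    pcr_spec: Optional[str] = None
    pcr_file: Optional[str] = None


def default_read_file(path):
    """file: argument: a path, or "-" for stdin (one trailing newline stripped;
    whether the real tool strips it is an assumption here)."""
    if path == "-":
        return sys.stdin.buffer.read().rstrip(b"\n")
    with open(path, "rb") as fh:
        return fh.read()


def parse_password(spec, read_file=default_read_file):
    """str: (or no prefix) is used verbatim, hex: is decoded, file: is read."""
    if spec.startswith("str:"):
        return spec[4:].encode()
    if spec.startswith("hex:"):
        try:
            return bytes.fromhex(spec[4:])
        except ValueError as exc:
            raise ValueError(f"hex: password is not valid hex: {exc}") from None
    if spec.startswith("file:"):
        return read_file(spec[5:])
    return spec.encode()               # default: raw string form


def parse_auth(spec, read_file=default_read_file):
    """Dispatch on the session:/pcr: prefixes, falling back to a plain password."""
    if spec.startswith("session:"):
        path, plus, auth = spec[len("session:"):].partition("+")
        if not path:
            raise ValueError("session: requires a session context file path")
        value = parse_password(auth, read_file) if plus else b""
        return Auth("session", value, session_path=path)
    if spec.startswith("pcr:"):
        pcr_spec, _, pcr_file = spec[4:].partition("=")
        if not pcr_spec:
            raise ValueError("pcr: requires a <pcr-spec> such as sha256:0,1,2,3")
        return Auth("pcr", pcr_spec=pcr_spec, pcr_file=pcr_file or None)
    return Auth("password", parse_password(spec, read_file))
```
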

EXAMPLES

   Hash a file
              echo "foo" > data
              tpm2_pcrevent data

   Hash a file and extend PCR 8
              echo "foo" > data
              tpm2_pcrevent 8 data

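       To check what the second example does to the TPM, here is an added
       Python model (not part of tpm2-tools) of the alg:digest lines the tool
       prints and of the PCR extend it triggers, PCR_new = H(PCR_old || digest).
       It assumes the TPM has sha1 and sha256 banks and that PCR 8 starts at all
       zeros; the constructed input is the b"foo\n" written by the example.

```python
import hashlib

# Constructed sample input: `echo "foo" > data` writes exactly these bytes.
DATA = b"foo\n"

# Assumption: sha1 and sha256 banks are active and PCR 8 starts at all zeros
# (as PCRs 0-16 do after a reset).  Adjust to match your TPM's banks.
INITIAL_PCR8 = {alg: bytes(hashlib.new(alg).digest_size) for alg in ("sha1", "sha256")}


def event_digests(data, banks):
    """Hash DATA once per bank, mirroring the alg:digest lines the tool prints."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in banks}


def pcr_extend(alg, old_value, digest):
    """TPM2 extend rule for one bank: PCR_new = H(PCR_old || digest)."""
    size = hashlib.new(alg).digest_size
    if len(old_value) != size or len(digest) != size:
        raise ValueError(f"{alg}: PCR value and digest must both be {size} bytes")
    return hashlib.new(alg, old_value + digest).digest()


def simulate_pcrevent(data, pcr_state):
    """Return (digest lines, new PCR state) for `tpm2_pcrevent <idx> FILE`.

    pcr_state maps bank name -> current PCR bytes.  A new dict is returned and
    the input is left untouched so the caller can compare before and after."""
    digests = event_digests(data, pcr_state)
    new_state = {alg: pcr_extend(alg, pcr_state[alg], bytes.fromhex(digests[alg]))
                 for alg in pcr_state}
    return digests, new_state


def format_output(digests):
    """Reproduce the tool's stdout format, one `alg:digest` per line."""
    return "\n".join(f"{alg}:{d}" for alg, d in digests.items())


if __name__ == "__main__":
    lines, pcr8 = simulate_pcrevent(DATA, INITIAL_PCR8)
    print(format_output(lines))
    for alg, value in pcr8.items():
        print(f"PCR 8 ({alg}) after extend: {value.hex()}")
```

       The values printed for PCR 8 are what tpm2_pcrread(1) should report
       after the command, provided the PCR really started at zeros.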

Returns

       Tools can return any of the following codes:

       • 0 - Success.

       • 1 - General non-specific error.

       • 2 - Options handling error.

       • 3 - Authentication error.

       • 4 - TCTI related error.

       • 5 - Non supported scheme.  Applicable to tpm2_testparams.


BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

HELP

       See the Mailing List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)


tpm2-tools                                                    tpm2_pcrevent(1)