tpm2_policycountertimer(1) General Commands Manual tpm2_policycountertimer(1)

NAME
tpm2_policycountertimer(1) - Enables policy authorization by evaluating
a comparison operation on the TPM parameters time, clock, reset
count, restart count and TPM clock safe flag.

SYNOPSIS
tpm2_policycountertimer [OPTIONS] [ARGUMENT]

DESCRIPTION
tpm2_policycountertimer(1) - Enables policy authorization by evaluating
a comparison operation on the TPM parameters time, clock, reset
count, restart count and TPM clock safe flag. Time and clock values are
given in milliseconds. The parameter and its value are given as a
command line argument as below:

tpm2_policycountertimer -S session.ctx safe
tpm2_policycountertimer -S session.ctx clock=<N ms>
tpm2_policycountertimer -S session.ctx time=<N ms>
tpm2_policycountertimer -S session.ctx resets=<N>
tpm2_policycountertimer -S session.ctx restarts=<N>

By default the comparison tests for equality, and by default the
parameter tested is time.

OPTIONS
• -L, --policy=FILE:

File to save the policy digest.

• -S, --session=FILE:

The policy session file generated via the -S option to
tpm2_startauthsession or saved off of a previous tool run.

• --eq

if value of current time in the TPM = value of specified input time.

• --neq

if value of current time in the TPM != value of specified input time.

• --sgt

if signed value of current time in the TPM > signed value of specified
input time.

• --ugt

if unsigned value of current time in the TPM > unsigned value of
specified input time.

• --slt

if signed value of current time in the TPM < signed value of specified
input time.

• --ult

if unsigned value of current time in the TPM < unsigned value of
specified input time.

• --sge

if signed value of current time in the TPM >= signed value of specified
input time.

• --uge

if unsigned value of current time in the TPM >= unsigned value of
specified input time.

• --sle

if signed value of current time in the TPM <= signed value of specified
input time.

• --ule

if unsigned value of current time in the TPM <= unsigned value of
specified input time.

• --bs

if all bits set in value of current time in the TPM are set in value
of specified input time.

• --bc

if all bits set in value of current time in the TPM are clear in value
of specified input time.

• --cphash=FILE

File path to record the hash of the command parameters. This is
commonly termed cpHash. NOTE: When this option is selected, the tool
will not actually execute the command; it simply returns a cpHash.

References

COMMON OPTIONS
This collection of options is common to many programs and provides
information that many users may expect.

• -h, --help=[man|no-man]: Display the tool's manpage. By default, it
attempts to invoke the manpager for the tool; however, on failure it
will output a short tool summary. This is the same behavior if the
“man” option argument is specified; however, if “man” is explicitly
requested, the tool will provide errors from man on stderr. If the
“no-man” option is specified, or the manpager fails, the short options
will be output to stdout.

To successfully use the manpages feature requires the manpages to be
installed or on MANPATH. See man(1) for more details.

• -v, --version: Display version information for this tool, supported
tctis and exit.

• -V, --verbose: Increase the information that the tool prints to the
console during its execution. When using this option the file and
line number are printed.

• -Q, --quiet: Silence normal tool output to stdout.

• -Z, --enable-errata: Enable the application of errata fixups. Useful
if an errata fixup needs to be applied to commands sent to the TPM.
Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is equivalent.

TCTI Configuration
The TCTI or “Transmission Interface” is the communication mechanism
with the TPM. TCTIs can be changed for communication with TPMs across
different mediums.

To control the TCTI, the tools respect:

1. The command line option -T or --tcti

2. The environment variable: TPM2TOOLS_TCTI.

Note: The command line option always overrides the environment
variable.

The current known TCTIs are:

• tabrmd - The resource manager, called tabrmd
(https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
abrmd as a tcti name are synonymous.

• mssim - Typically used for communicating to the TPM software
simulator.

• device - Used when talking directly to a TPM device file.

• none - Do not initialize a connection with the TPM. Some tools allow
for off-tpm options and thus support not using a TCTI. Tools that do
not support it will error when attempted to be used without a TCTI
connection. Does not support ANY options and MUST BE presented as
the exact text of “none”.

The arguments to either the command line option or the environment
variable are in the form:

<tcti-name>:<tcti-option-config>

Specifying an empty string for either the <tcti-name> or
<tcti-option-config> results in the default being used for that portion
respectively.

TCTI Defaults
When a TCTI is not specified, the default TCTI is searched for using
dlopen(3) semantics. The tools will search for tabrmd, device and
mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
what TCTI will be chosen as the default by using the -v option to print
the version information. The “default-tcti” key-value pair will
indicate which of the aforementioned TCTIs is the default.

Custom TCTIs
Any TCTI that implements the dynamic TCTI interface can be loaded. The
tools internally use dlopen(3), and the raw tcti-name value is used for
the lookup. Thus, this could be a path to the shared library, or a
library name as understood by dlopen(3) semantics.

TCTI OPTIONS
This collection of options is used to configure the various known TCTI
modules available:

• device: For the device TCTI, the TPM character device file for use by
the device TCTI can be specified. The default is /dev/tpm0.

Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="device:/dev/tpm0"

• mssim: For the mssim TCTI, the domain name or IP address and port
number used by the simulator can be specified. The defaults are
127.0.0.1 and 2321.

Example: -T mssim:host=localhost,port=2321 or
export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

• abrmd: For the abrmd TCTI, the configuration string format is a
series of simple key value pairs separated by a `,' character. Each
key and value string are separated by a `=' character.

• TCTI abrmd supports two keys:

1. `bus_name' : The name of the tabrmd service on the bus (a
string).

2. `bus_type' : The type of the dbus instance (a string) limited to
`session' and `system'.

Specify the tabrmd tcti name and a config string of
bus_name=com.example.FooBar:

--tcti=tabrmd:bus_name=com.example.FooBar

Specify the default (abrmd) tcti and a config string of
bus_type=session:

--tcti:bus_type=session

NOTE: abrmd and tabrmd are synonymous.

EXAMPLES
Create a sealing object with an authorization policy that evaluates
only for the first minute after TPM restart.

Create the policy and the sealing object
tpm2_startauthsession -S session.ctx

tpm2_policycountertimer -S session.ctx -L policy.countertimer --ult 60000

tpm2_flushcontext session.ctx

tpm2_createprimary -C o -c prim.ctx -Q

echo "SUPERSECRET" | \
tpm2_create -Q -u key.pub -r key.priv -i- -C prim.ctx \
-L policy.countertimer -a "fixedtpm|fixedparent" -c key.ctx

Unsealing should work in the first minute after TPM restart
tpm2_startauthsession -S session.ctx --policy-session

tpm2_policycountertimer -S session.ctx --ult 60000

tpm2_unseal -c key.ctx -p session:session.ctx

tpm2_flushcontext session.ctx
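As an added example (not tpm2-tools code), the following Python recomputes offline the policy digest that TPM2_PolicyCounterTimer extends a session with (TPM 2.0 Library, Part 3) for the --ult 60000 policy above, and evaluates each comparison operation listed under OPTIONS the way the TPM does, so a digest saved with -L can be cross-checked and a policy's satisfiability predicted for a given TPM time value. Field offsets and operand widths are assumed from the TPMS_TIME_INFO layout rather than taken from the tool's source, and BITSET/BITCLEAR follow the spec's definition (all bits set in the operand are set, respectively clear, in the TPM value).

```python
import hashlib
import struct

TPM_CC_POLICYCOUNTERTIMER = 0x0000016D  # command code, TPM 2.0 Part 2

# TPM_EO operation codes, one per tool flag (--eq ... --bc), TPM 2.0 Part 2.
EO = {"eq": 0x0000, "neq": 0x0001, "sgt": 0x0002, "ugt": 0x0003, "slt": 0x0004,
      "ult": 0x0005, "sge": 0x0006, "uge": 0x0007, "sle": 0x0008, "ule": 0x0009,
      "bs": 0x000A, "bc": 0x000B}

# (byte offset, width) of each field in TPMS_TIME_INFO; assumed to match the
# offsets/widths the tool uses for time, clock, resets, restarts and safe.
FIELDS = {"time": (0, 8), "clock": (8, 8), "resets": (16, 4),
          "restarts": (20, 4), "safe": (24, 1)}

def encode_operand(field, value):
    """operandB (big-endian, field width) and the offset sent to the TPM."""
    offset, width = FIELDS[field]
    return value.to_bytes(width, "big"), offset

def policy_countertimer_digest(prev, field, value, op, alg="sha256"):
    """Extend a policy digest as TPM2_PolicyCounterTimer does (Part 3):
    args = H(operandB || offset || operation)
    new  = H(prev || TPM_CC_PolicyCounterTimer || args)"""
    operand_b, offset = encode_operand(field, value)
    args = hashlib.new(alg, operand_b + struct.pack(">HH", offset, EO[op])).digest()
    return hashlib.new(alg, prev + struct.pack(">I", TPM_CC_POLICYCOUNTERTIMER) + args).digest()

def compare(op, a, b, width):
    """Evaluate TPM_EO 'op' with A = the TPM's field value and B = the operand.
    BITSET/BITCLEAR follow Part 2: (A & B) == B, respectively (A & B) == 0."""
    bits = 8 * width
    def signed(x):
        return x - (1 << bits) if x >> (bits - 1) else x
    if op in ("sgt", "slt", "sge", "sle"):
        a, b = signed(a), signed(b)
    return {"eq": a == b, "neq": a != b,
            "sgt": a > b, "ugt": a > b, "slt": a < b, "ult": a < b,
            "sge": a >= b, "uge": a >= b, "sle": a <= b, "ule": a <= b,
            "bs": (a & b) == b, "bc": (a & b) == 0}[op]

if __name__ == "__main__":
    # The EXAMPLES policy: time < 60000 ms, unsigned, on a fresh SHA-256 session.
    digest = policy_countertimer_digest(bytes(32), "time", 60000, "ult")
    print("policy digest:", digest.hex())
    for tpm_time in (30_000, 90_000):  # constructed sample TPM time values (ms)
        print(f"time={tpm_time}: satisfiable={compare('ult', tpm_time, 60000, 8)}")
```

Compare the printed digest with the contents of policy.countertimer from the trial session; a mismatch means the operand encoding or hash algorithm assumed here differs from what the tool sent.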

Returns
Tools can return any of the following codes:

• 0 - Success.

• 1 - General non-specific error.

• 2 - Options handling error.

• 3 - Authentication error.

• 4 - TCTI related error.

• 5 - Non supported scheme. Applicable to tpm2_testparams.

Limitations
It expects a session to be already established via
tpm2_startauthsession(1) and requires one of the following:

• direct device access

• extended session support with tpm2-abrmd.

Without it, most resource managers will not save session state between
command invocations.

Bugs
Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

Help
See the Mailing List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)


tpm2-tools tpm2_policycountertimer(1)