tpm2_policyor(1)            General Commands Manual           tpm2_policyor(1)

NAME

       tpm2_policyor(1) - logically ORs two policies together.


SYNOPSIS

       tpm2_policyor [OPTIONS]


DESCRIPTION

       tpm2_policyor(1) - Generates a policy_or event with the TPM.  It expects
       a session to be already established via tpm2_startauthsession(1).  If
       the input session is a trial session, this tool generates a policy
       digest that compounds two or more input policy digests such that the
       resulting policy digest requires at least one of the policy events to
       be true.  If the input session is a real policy session,
       tpm2_policyor(1) authenticates the object successfully if at least one
       of the policy events is true.


OPTIONS

       -L, --policy=FILE:

         File to save the compounded policy digest.

       -S, --session=FILE:

         The policy session file generated via the -S option to
         tpm2_startauthsession(1).

       ARGUMENT the command line argument specifies the list of files for
         the policy digests that have to be compounded, resulting in the
         individual policies being added to the final policy digest that can
         authenticate the object.  The list begins with the policy digest
         hash alg.  Example: sha256:policy1,policy2

       -l, --policy-list=POLICY_FILE_LIST:

         This option is DEPRECATED yet is retained for backwards
         compatibility.  Use the argument method instead.  NOTE: When -l and
         an argument are both specified, it's the same as specifying it all
         at once.  For instance: tpm2_policyor -l sha256:file1 sha256:file2 is
         the same as tpm2_policyor sha256:file1,file2.

   References

COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       -h, --help=[man|no-man]: Display the tool's manpage.  By default, it
         attempts to invoke the manpager for the tool; however, on failure it
         will output a short tool summary.  This is the same behavior if the
         “man” option argument is specified; however, if explicit “man” is
         requested, the tool will provide errors from man on stderr.  If the
         “no-man” option is specified, or the manpager fails, the short
         options will be output to stdout.

         To successfully use the manpages feature requires the manpages to be
         installed or on MANPATH.  See man(1) for more details.

       -v, --version: Display version information for this tool, supported
         tctis and exit.

       -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       -Q, --quiet: Silence normal tool output to stdout.

       -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.
         Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
         equivalent.


TCTI Configuration

       The TCTI or “Transmission Interface” is the communication mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       • tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd and
         abrmd as a tcti name are synonymous.

       • mssim - Typically used for communicating to the TPM software
         simulator.

       • device - Used when talking directly to a TPM device file.

       • none - Do not initialize a connection with the TPM.  Some tools allow
         for off-tpm options and thus support not using a TCTI.  Tools that do
         not support it will error when attempted to be used without a TCTI
         connection.  Does not support ANY options and MUST BE presented as
         the exact text of “none”.

       The arguments to either the command line option or the environment
       variable are in the form:

       <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that
       portion respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics.  The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
       what TCTI will be chosen as the default by using the -v option to print
       the version information.  The “default-tcti” key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup.  Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.


TCTI OPTIONS

       This collection of options is used to configure the various known TCTI
       modules available:

       device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified.  The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or export
         TPM2TOOLS_TCTI="device:/dev/tpm0"

       mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified.  The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or export
         TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       abrmd: For the abrmd TCTI, the configuration string format is a
         series of simple key value pairs separated by a `,' character.  Each
         key and value string are separated by a `=' character.

         • TCTI abrmd supports two keys:

           1. `bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. `bus_type' : The type of the dbus instance (a string) limited to
              `session' and `system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

                --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti and a config string of
         bus_type=session:

                --tcti:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.


EXAMPLES

       Create an authorization policy for a sealing object that compounds a
       pcr policy and a policypassword in an OR fashion and show that
       satisfying either policy could unseal the secret.

   Create policypcr as first truth value for compounding the policies
              tpm2_startauthsession -S session.ctx
              tpm2_policypcr -S session.ctx -L policy.pcr -l sha256:0,1,2,3
              tpm2_flushcontext session.ctx

   Create policypassword as second truth value for compounding the policies
              tpm2_startauthsession -S session.ctx
              tpm2_policypassword -S session.ctx -L policy.pass
              tpm2_flushcontext session.ctx

   Compound the two policies in an OR fashion with tpm2_policyor command
              tpm2_startauthsession -S session.ctx
              tpm2_policyor -S session.ctx -L policy.or sha256:policy.pass,policy.pcr
              tpm2_flushcontext session.ctx

   Create a sealing object and attach the auth policy from tpm2_policyor
   command
              tpm2_createprimary -c prim.ctx -Q
              echo "secret" | tpm2_create -C prim.ctx -c key.ctx -u key.pub -r key.priv \
              -L policy.or -i-

   Satisfy auth policy using password and unseal the secret
              tpm2_startauthsession -S session.ctx --policy-session
              tpm2_policypassword -S session.ctx
              tpm2_policyor -S session.ctx sha256:policy.pass,policy.pcr
              tpm2_unseal -c key.ctx -p session:session.ctx
              tpm2_flushcontext session.ctx

   Satisfy auth policy using pcr and unseal the secret
              tpm2_startauthsession -S session.ctx --policy-session
              tpm2_policypcr -S session.ctx -l sha256:0,1,2,3
              tpm2_policyor -S session.ctx sha256:policy.pass,policy.pcr
              tpm2_unseal -c key.ctx -p session:session.ctx
              tpm2_flushcontext session.ctx

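       The following Python script is an added worked example; it is not part
       of the tpm2-tools man page or code base.  It reproduces the digest
       arithmetic behind the DESCRIPTION and EXAMPLES sections so the
       policy.or file written by -L can be checked offline: a trial session
       computes SHA-256 over an all-zero digest, the TPM_CC_PolicyOR command
       code and the branch digests in argument order, while a real policy
       session accepts TPM2_PolicyOR only if its current digest equals one of
       those branches.  The policy.pcr value below is a constructed stand-in
       (a real one depends on the PCR contents hashed by tpm2_policypcr);
       policy.pass is derived from the TPM_CC_PolicyAuthValue code that
       tpm2_policypassword extends the session digest with.

```python
import hashlib

# TPM 2.0 command codes (TPM_CC_*) that enter the policy digest computations.
TPM_CC_POLICY_AUTHVALUE = 0x0000016B   # TPM2_PolicyPassword extends with this code too
TPM_CC_POLICY_OR = 0x00000171

HASH = hashlib.sha256                  # the "sha256:" prefix of the argument list
DIGEST_LEN = HASH().digest_size        # 32 bytes


def _cc(code: int) -> bytes:
    """Marshal a TPM_CC value as a big-endian UINT32, the form the TPM hashes."""
    return code.to_bytes(4, "big")


def policy_password_digest() -> bytes:
    """Digest a fresh trial session holds after tpm2_policypassword -L policy.pass.

    A new session starts with an all-zero policy digest.  TPM2_PolicyPassword
    and TPM2_PolicyAuthValue both extend it with TPM_CC_PolicyAuthValue, so
    the two commands yield the same digest.
    """
    return HASH(bytes(DIGEST_LEN) + _cc(TPM_CC_POLICY_AUTHVALUE)).digest()


def policy_or_digest(branches: list[bytes]) -> bytes:
    """Digest tpm2_policyor writes to -L for the branch digests given, in order.

    TPM2_PolicyOR first zeroes the session digest, then extends it with
    TPM_CC_PolicyOR followed by every branch digest concatenated in list
    order.  The list is a TPML_DIGEST: at most 8 entries, at least 2 for
    PolicyOR.
    """
    if not 2 <= len(branches) <= 8:
        raise ValueError("PolicyOR needs between 2 and 8 branch digests")
    if any(len(b) != DIGEST_LEN for b in branches):
        raise ValueError("every branch digest must be %d bytes" % DIGEST_LEN)
    return HASH(bytes(DIGEST_LEN) + _cc(TPM_CC_POLICY_OR) + b"".join(branches)).digest()


def policy_or_accepts(session_digest: bytes, branches: list[bytes]) -> bool:
    """Check a real policy session makes before it applies PolicyOR.

    The TPM compares the session's current policy digest against each branch
    and only proceeds on an exact match; otherwise the command fails and the
    session digest is left untouched.
    """
    return any(session_digest == b for b in branches)


def apply_policy_or(session_digest: bytes, branches: list[bytes]) -> bytes:
    """Model a real session running tpm2_policyor: return the new session digest."""
    if not policy_or_accepts(session_digest, branches):
        raise PermissionError("session digest matches none of the OR branches")
    return policy_or_digest(branches)


def demo() -> dict:
    """Walk the man page's example with constructed branch digests."""
    policy_pass = policy_password_digest()                # stands in for policy.pass
    # policy.pcr depends on the PCR values of the machine that ran
    # tpm2_policypcr; a constructed 32-byte value stands in for it here.
    policy_pcr = HASH(b"constructed stand-in for policy.pcr").digest()
    branches = [policy_pass, policy_pcr]                  # sha256:policy.pass,policy.pcr

    policy_or = policy_or_digest(branches)                # contents of policy.or

    # Password path: after tpm2_policypassword the session holds policy_pass.
    via_password = apply_policy_or(policy_pass, branches)
    # A session that ran neither branch is rejected.
    try:
        apply_policy_or(bytes(DIGEST_LEN), branches)
        rejected = False
    except PermissionError:
        rejected = True
    return {
        "policy_or": policy_or.hex(),
        "password_path_matches_sealed_policy": via_password == policy_or,
        "fresh_session_rejected": rejected,
        # Branch order is part of the digest, so the unseal-time argument
        # list must name the files in the order used when policy.or was made.
        "order_sensitive": policy_or_digest(branches[::-1]) != policy_or,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

       Because the branch order enters the digest, the tpm2_policyor argument
       list used at unseal time must name the branch files in the same order
       as when policy.or was created, exactly as the EXAMPLES section does;
       swapping them yields a different digest and the unseal fails.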

Returns

       Tools can return any of the following codes:

       • 0 - Success.

       • 1 - General non-specific error.

       • 2 - Options handling error.

       • 3 - Authentication error.

       • 4 - TCTI related error.

       • 5 - Non supported scheme.  Applicable to tpm2_testparams.


Limitations

       It expects a session to be already established via
       tpm2_startauthsession(1) and requires one of the following:

       • direct device access

       • extended session support with tpm2-abrmd.

       Without it, most resource managers will not save session state between
       command invocations.


BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)


HELP

       See the Mailing List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)



tpm2-tools                                                    tpm2_policyor(1)