tpm2_print(1)                General Commands Manual               tpm2_print(1)

NAME
       tpm2_print(1) - Prints TPM data structures

SYNOPSIS
       tpm2_print [OPTIONS] [ARGUMENT or STDIN]

DESCRIPTION
       tpm2_print(1) - Decodes a TPM data structure and prints the enclosed
       elements to stdout as YAML.  A file path containing a TPM object or a
       TSS2 Private Key in PEM format may be specified as the path argument.
       Reads from stdin if unspecified.

OPTIONS
       • -t, --type:
         Required.  Type of data structure.  The option supports the
         following arguments:

         • TPMS_ATTEST

         • TPMS_CONTEXT

         • TPM2B_PUBLIC

         • TPMT_PUBLIC

         • TSSPRIVKEY_OBJ

         • ESYS_TR

       • ARGUMENT: the command line argument specifies the path of the TPM
         data.

       • -f, --format:

         Format selection for the public key output file.  `tss' (the
         default) will output a binary blob according to the TPM 2.0
         Specification.  `pem' will output an OpenSSL compatible PEM encoded
         public key.  `der' will output an OpenSSL compatible DER encoded
         public key.  `tpmt' will output a binary blob of the TPMT_PUBLIC
         struct referenced by the TPM 2.0 specs.

         Public key format.  This only works if option --type/-t is set to
         TPM2B_PUBLIC or TPMT_PUBLIC.

   References
   Context Object Format
       The type of a context object, whether it is a handle or file name, is
       determined according to the following logic in-order:

       • If the argument is a file path, then the file is loaded as a
         restored TPM transient object.

       • If the argument is a prefix match on one of:

         • owner: the owner hierarchy

         • platform: the platform hierarchy

         • endorsement: the endorsement hierarchy

         • lockout: the lockout control persistent object

       • If the argument can be loaded as a number it will be treated as a
         handle, e.g. 0x81010013, and used directly.

   Authorization Formatting
       Authorization for use of an object in TPM2.0 can come in 3 different
       forms: 1. Password 2. HMAC 3. Sessions

       NOTE: “Authorizations default to the EMPTY PASSWORD when not
       specified”.

   Passwords
       Passwords are interpreted in the following forms below using prefix
       identifiers.

       Note: By default passwords are assumed to be in the string form when
       they do not have a prefix.

   String
       A string password, specified by prefix “str:” or its absence (raw
       string without prefix), is not interpreted and is directly used for
       authorization.

   Examples
              foobar
              str:foobar

   Hex-string
       A hex-string password, specified by prefix “hex:”, is converted from a
       hexadecimal form into a byte array form, thus allowing passwords with
       non-printable and/or terminal-unfriendly characters.

   Example
              hex:1122334455667788

   File
       A file based password, specified by prefix “file:”, should be the path
       of a file containing the password to be read by the tool, or a “-” to
       use stdin.  Storing passwords in files prevents information leakage;
       passwords passed as options can be read from the process list or
       common shell history features.

   Examples
              # to use stdin and be prompted
              file:-

              # to use a file from a path
              file:path/to/password/file

              # to echo a password via stdin:
              echo foobar | tpm2_tool -p file:-

              # to use a bash here-string via stdin:
              tpm2_tool -p file:- <<< foobar

   Sessions
       When using a policy session to authorize the use of an object, prefix
       the option argument with the session keyword.  Then indicate a path to
       a session file that was created with tpm2_startauthsession(1).
       Optionally, if the session requires an auth value to be sent with the
       session handle (e.g. policy password), then append a + and a string
       as described in the Passwords section.

   Examples
       To use a session context file called session.ctx.

              session:session.ctx

       To use a session context file called session.ctx AND send the
       authvalue mypassword.

              session:session.ctx+mypassword

       To use a session context file called session.ctx AND send the HEX
       authvalue 0x11223344.

              session:session.ctx+hex:11223344

   PCR Authorizations
       You can satisfy a PCR policy using the “pcr:” prefix and the PCR
       minilanguage.  The PCR minilanguage is as follows:
       <pcr-spec>=<raw-pcr-file>

       The PCR spec is documented in the section “PCR bank specifiers”.

       The raw-pcr-file is an optional argument that contains the output of
       the raw PCR contents as returned by tpm2_pcrread(1).

   PCR bank specifiers (pcr.md)

   Examples
       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a
       specifier of:

              pcr:sha256:0,1,2,3

COMMON OPTIONS
       This collection of options is common to many programs and provides
       information that many users may expect.

       • -h, --help=[man|no-man]: Display the tool's manpage.  By default, it
         attempts to invoke the manpager for the tool; on failure it will
         output a short tool summary.  This is the same behavior if the
         “man” option argument is specified, however if explicit “man” is
         requested, the tool will provide errors from man on stderr.  If the
         “no-man” option is specified, or the manpager fails, the short
         options will be output to stdout.

         To successfully use the manpages feature requires the manpages to
         be installed or on MANPATH.  See man(1) for more details.

       • -v, --version: Display version information for this tool, supported
         tctis and exit.

       • -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       • -Q, --quiet: Silence normal tool output to stdout.

       • -Z, --enable-errata: Enable the application of errata fixups.
         Useful if an errata fixup needs to be applied to commands sent to
         the TPM.  Defining the environment variable TPM2TOOLS_ENABLE_ERRATA
         is equivalent.

TCTI Configuration
       The TCTI or “Transmission Interface” is the communication mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       • tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd and
         abrmd as a tcti name are synonymous.

       • mssim - Typically used for communicating to the TPM software
         simulator.

       • device - Used when talking directly to a TPM device file.

       • none - Do not initialize a connection with the TPM.  Some tools
         allow for off-tpm options and thus support not using a TCTI.  Tools
         that do not support it will error when attempted to be used without
         a TCTI connection.  Does not support ANY options and MUST BE
         presented as the exact text of “none”.

       The arguments to either the command line option or the environment
       variable are in the form:

       <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that
       portion respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics.  The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
       what TCTI will be chosen as the default by using the -v option to
       print the version information.  The “default-tcti” key-value pair
       will indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.
       The tools internally use dlopen(3), and the raw tcti-name value is
       used for the lookup.  Thus, this could be a path to the shared
       library, or a library name as understood by dlopen(3) semantics.

TCTI OPTIONS
       This collection of options is used to configure the various known TCTI
       modules available:

       • device: For the device TCTI, the TPM character device file for use
         by the device TCTI can be specified.  The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or export
         TPM2TOOLS_TCTI=“device:/dev/tpm0”

       • mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified.  The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or export
         TPM2TOOLS_TCTI=“mssim:host=localhost,port=2321”

       • abrmd: For the abrmd TCTI, the configuration string format is a
         series of simple key value pairs separated by a `,' character.
         Each key and value string are separated by a `=' character.

         • TCTI abrmd supports two keys:

           1. `bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. `bus_type' : The type of the dbus instance (a string) limited
              to `session' and `system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

                --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti and a config string of
         bus_type=session:

                --tcti:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.

EXAMPLES
   Print a TPM Quote
       Set up a key to generate a quote from:

              tpm2_createprimary -C e -c primary.ctx
              tpm2_create -C primary.ctx -u key.pub -r key.priv
              tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
              tpm2_quote -c key.ctx -l 0x0004:16,17,18+0x000b:16,17,18 -g sha256 -m msg.dat

   Print a Quote
              tpm2_print -t TPMS_ATTEST msg.dat

   Print a public file
              tpm2_print -t TPM2B_PUBLIC key.pub

   Print a tpmt public file
              tpm2_readpublic -c key.ctx -f tpmt -o key.tpmt
              tpm2_print -t TPMT_PUBLIC key.tpmt

   Print a TPM2B_PUBLIC file and convert to PEM format
              tpm2 print -t TPM2B_PUBLIC -f pem key.pub

   Print the public portion of a TSSPRIVKEY PEM file and convert to PEM format
              tpm2 print -t TSSPRIVKEY_OBJ tssprivkey.pem
              tpm2 print -t TSSPRIVKEY_OBJ tssprivkey.pem -f pem > publickey.pem

   Print the name of a serialized ESYS_TR handle
       Serialized ESYS_TR handles are returned from tools like
       tpm2_evictcontrol's -o and tpm2_readpublic's -t options.

              tpm2_createprimary -c primary.ctx
              tpm2_evictcontrol -c primary.ctx -o primary.tr
              tpm2 print -t ESYS_TR primary.tr

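       As an added illustration of what decoding a TPMS_ATTEST involves (example code written for this page, not part of tpm2-tools): a minimal Python decoder for the quote-type TPMS_ATTEST that tpm2_quote writes to msg.dat, which checks the TPM_GENERATED magic and attestation type before trusting any field and lists the PCRs each selection covers. The sample blob is constructed inline and mirrors the -l 0x0004:16,17,18+0x000b:16,17,18 selection from the quote example; its signer name, nonce and digest are placeholder bytes, not real TPM output.

```python
import struct

TPM_GENERATED_VALUE = 0xFF544347   # TPM 2.0 Part 2: magic every TPMS_ATTEST starts with
TPM_ST_ATTEST_QUOTE = 0x8018       # TPM 2.0 Part 2: attestation type produced by tpm2_quote
HASH_NAMES = {0x0004: "sha1", 0x000B: "sha256"}

def _tpm2b(buf, off):
    """Read a TPM2B (big-endian UINT16 size + bytes); return (bytes, offset)."""
    (size,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + size], off + 2 + size

def parse_tpms_attest(buf):
    """Decode a quote-type TPMS_ATTEST into a dict; reject anything else."""
    magic, typ = struct.unpack_from(">IH", buf, 0)
    if magic != TPM_GENERATED_VALUE:
        raise ValueError("bad magic 0x%08x: not a TPM-generated structure" % magic)
    if typ != TPM_ST_ATTEST_QUOTE:
        raise ValueError("unsupported attestation type 0x%04x" % typ)
    off = 6
    signer, off = _tpm2b(buf, off)   # qualifiedSigner: TPM2B_NAME of the key
    extra, off = _tpm2b(buf, off)    # extraData: the verifier's nonce (-q)
    clock, reset, restart, safe, fw, count = struct.unpack_from(">QIIBQI", buf, off)
    off += 29                        # TPMS_CLOCK_INFO, firmwareVersion, selection count
    selections = []                  # TPML_PCR_SELECTION entries
    for _ in range(count):
        alg, size = struct.unpack_from(">HB", buf, off)
        bits = buf[off + 3:off + 3 + size]
        off += 3 + size
        pcrs = [i for i in range(size * 8) if bits[i // 8] >> (i % 8) & 1]
        selections.append({"hash": HASH_NAMES.get(alg, hex(alg)), "pcrs": pcrs})
    digest, off = _tpm2b(buf, off)   # pcrDigest: hash over the selected PCRs
    if off != len(buf):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"qualifiedSigner": signer.hex(), "extraData": extra.hex(),
            "clockInfo": {"clock": clock, "resetCount": reset,
                          "restartCount": restart, "safe": safe},
            "firmwareVersion": fw, "pcrSelect": selections, "pcrDigest": digest.hex()}

def sample_quote():
    """Constructed quote (not from a real TPM) for the EXAMPLES' -l selection."""
    sel = struct.pack(">I", 2)
    for alg in (0x0004, 0x000B):
        sel += struct.pack(">HB", alg, 3) + bytes([0, 0, 0x07])  # PCRs 16-18
    name = b"\x00\x0b" + b"\x11" * 32   # placeholder sha256 name of the key
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
            + struct.pack(">H", len(name)) + name
            + struct.pack(">H", 4) + b"\xde\xad\xbe\xef"   # extraData nonce
            + struct.pack(">QIIBQ", 123456, 7, 0, 1, 0x20190000)
            + sel + struct.pack(">H", 32) + b"\xaa" * 32)  # pcrDigest
```

       When verifying a real quote, the fields this decoder exposes are what a verifier compares against its own nonce, expected PCR selection and recomputed PCR digest, after checking the signature over the raw blob with the key named by qualifiedSigner.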
Returns
       Tools can return any of the following codes:

       • 0 - Success.

       • 1 - General non-specific error.

       • 2 - Options handling error.

       • 3 - Authentication error.

       • 4 - TCTI related error.

       • 5 - Non-supported scheme.  Applicable to tpm2_testparams.

BUGS
       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

HELP
       See the Mailing List
       (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)

tpm2-tools                                                         tpm2_print(1)