tpm2_setcommandauditstatus(1)        General Commands Manual        tpm2_setcommandauditstatus(1)

NAME
tpm2_setcommandauditstatus(1) - Add or remove TPM2 commands to the audited commands list.

SYNOPSIS
tpm2_setcommandauditstatus [OPTIONS] [ARGUMENT]

DESCRIPTION
tpm2_setcommandauditstatus(1) - Add or remove TPM2 commands to the audited commands list.

As an argument it takes the command as an integer or friendly string value. The friendly string to COMMAND CODE mapping can be found in section COMMAND CODE MAPPINGS.

OPTIONS
• -C, --hierarchy=OBJECT: Specify either the owner or the platform hierarchy. Defaults to TPM_RH_OWNER when no value has been specified. Supported options are:

  • o for TPM_RH_OWNER

  • p for TPM_RH_PLATFORM

• -P, --hierarchy-auth=AUTH: Specifies the authorization value for the hierarchy. Authorization values should follow the “authorization formatting standards”, see section “Authorization Formatting”.

• -c, --clear-list: Specifies that the given TPM command is to be taken off the audit list. When not specified, the default behaviour is to add the TPM command to the audit list.

• -g, --hash-algorithm=ALGORITHM: Sets the hashing algorithm for the audit digest. When not specified, the default audit digest algorithm is SHA256.

• ARGUMENT: the positional command line argument specifies the TPM2 command code, either as an integer or as a friendly string from section COMMAND CODE MAPPINGS.

References
COMMON OPTIONS
This collection of options is common to many programs and provides information that many users may expect.

• -h, --help=[man|no-man]: Display the tool's manpage. By default, it attempts to invoke the manpager for the tool; on failure it will output a short tool summary. This is the same behavior as when the “man” option argument is specified, except that when “man” is explicitly requested the tool will also report errors from man on stderr. If the “no-man” option is specified, or the manpager fails, the short options will be output to stdout.

To successfully use the manpages feature requires the manpages to be installed or on MANPATH. See man(1) for more details.

• -v, --version: Display version information for this tool, supported TCTIs and exit.

• -V, --verbose: Increase the information that the tool prints to the console during its execution. When using this option the file and line number are printed.

• -Q, --quiet: Silence normal tool output to stdout.

• -Z, --enable-errata: Enable the application of errata fixups. Useful if an errata fixup needs to be applied to commands sent to the TPM. Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is equivalent.

TCTI Configuration
The TCTI or “Transmission Interface” is the communication mechanism with the TPM. TCTIs can be changed for communication with TPMs across different mediums.

To control the TCTI, the tools respect:

1. The command line option -T or --tcti

2. The environment variable: TPM2TOOLS_TCTI.

Note: The command line option always overrides the environment variable.

The current known TCTIs are:

• tabrmd - The resource manager, called tabrmd (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and abrmd as a TCTI name are synonymous.

• mssim - Typically used for communicating with the TPM software simulator.

• device - Used when talking directly to a TPM device file.

• none - Do not initialize a connection with the TPM. Some tools allow for off-TPM options and thus support not using a TCTI. Tools that do not support it will error when used without a TCTI connection. Does not support ANY options and MUST BE presented as the exact text of “none”.

The arguments to either the command line option or the environment variable are in the form:

<tcti-name>:<tcti-option-config>

Specifying an empty string for either the <tcti-name> or <tcti-option-config> results in the default being used for that portion respectively.

TCTI Defaults
When a TCTI is not specified, the default TCTI is searched for using dlopen(3) semantics. The tools will search for the tabrmd, device and mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query which TCTI will be chosen as the default by using the -v option to print the version information. The “default-tcti” key-value pair will indicate which of the aforementioned TCTIs is the default.

Custom TCTIs
Any TCTI that implements the dynamic TCTI interface can be loaded. The tools internally use dlopen(3), and the raw tcti-name value is used for the lookup. Thus, this could be a path to the shared library, or a library name as understood by dlopen(3) semantics.

TCTI OPTIONS
This collection of options is used to configure the various known TCTI modules available:

• device: For the device TCTI, the TPM character device file for use by the device TCTI can be specified. The default is /dev/tpm0.

  Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI=“device:/dev/tpm0”

• mssim: For the mssim TCTI, the domain name or IP address and port number used by the simulator can be specified. The defaults are 127.0.0.1 and 2321.

  Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TCTI=“mssim:host=localhost,port=2321”

• abrmd: For the abrmd TCTI, the configuration string format is a series of simple key value pairs separated by a `,' character. Each key and value string are separated by a `=' character.

  • TCTI abrmd supports two keys:

    1. `bus_name' : The name of the tabrmd service on the bus (a string).

    2. `bus_type' : The type of the dbus instance (a string) limited to `session' and `system'.

  Specify the tabrmd tcti name and a config string of bus_name=com.example.FooBar:

  --tcti=tabrmd:bus_name=com.example.FooBar

  Specify the default (abrmd) tcti, i.e. an empty tcti-name, and a config string of bus_type=session:

  --tcti=:bus_type=session

  NOTE: abrmd and tabrmd are synonymous.

Hash algorithm options (common/hash.md): the collection of options used to specify a hash algorithm.

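The TCTI rules above (the -T option overriding TPM2TOOLS_TCTI, the <tcti-name>:<tcti-option-config> split with a default for each empty portion, the options-free “none” TCTI, and the abrmd key=value config string) worked through in POSIX shell. This is an added example and not code from tpm2-tools; the function names (tcti_select, tcti_resolve, abrmd_check and the rest) are this example's own, and the only defaults it fills in are the ones this page documents (device: /dev/tpm0; mssim: 127.0.0.1 and 2321).

```shell
#!/bin/sh
# Added example (not part of tpm2-tools): apply the TCTI selection rules from
# this manual offline. Function names are this example's own.

# tcti_select CLI_VALUE ENV_VALUE: -T/--tcti always overrides TPM2TOOLS_TCTI.
# An empty result means "let the tools search for the default TCTI".
tcti_select() {
  if [ -n "$1" ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

# tcti_name STRING: the <tcti-name> part, i.e. everything before the first ':'.
tcti_name() { printf '%s\n' "${1%%:*}"; }

# tcti_conf STRING: the <tcti-option-config> part after the first ':'
# (empty when the string has no ':').
tcti_conf() { case "$1" in *:*) printf '%s\n' "${1#*:}" ;; *) echo ;; esac; }

# tcti_default_conf NAME: the default option-config documented on this page.
tcti_default_conf() {
  case "$1" in
    device) echo /dev/tpm0 ;;
    mssim)  echo host=127.0.0.1,port=2321 ;;
    *)      echo ;;   # tabrmd/abrmd and custom TCTIs: library-defined, left empty
  esac
}

# tcti_resolve STRING: print "NAME CONF" with an empty portion replaced by its
# default. "none" must be the exact text and accepts no options.
tcti_resolve() {
  case "$1" in
    none)   printf 'none\n'; return 0 ;;
    none:*) printf 'the none TCTI does not accept options\n' >&2; return 1 ;;
  esac
  name=$(tcti_name "$1")
  conf=$(tcti_conf "$1")
  [ -n "$name" ] || name=default   # the tools pick tabrmd, device or mssim via dlopen(3)
  [ -n "$conf" ] || conf=$(tcti_default_conf "$name")
  printf '%s %s\n' "$name" "$conf"
}

# abrmd_check CONF: validate an abrmd config string: comma-separated key=value
# pairs, keys limited to bus_name (any non-empty string) and bus_type
# (session or system). Returns 1 on the first bad pair.
abrmd_check() {
  rc=0
  old_ifs=$IFS
  IFS=','
  for kv in $1; do
    case "$kv" in *=*) ;; *) rc=1; break ;; esac
    key=${kv%%=*}
    val=${kv#*=}
    case "$key" in
      bus_name) [ -n "$val" ] || rc=1 ;;
      bus_type) case "$val" in session|system) ;; *) rc=1 ;; esac ;;
      *)        rc=1 ;;
    esac
    [ "$rc" -eq 0 ] || break
  done
  IFS=$old_ifs
  return "$rc"
}

# Demo: what the documented example strings resolve to.
tcti_resolve "$(tcti_select '' 'device:')"                  # device /dev/tpm0
tcti_resolve 'mssim'                                        # mssim host=127.0.0.1,port=2321
tcti_resolve 'tabrmd:bus_name=com.example.FooBar'           # tabrmd bus_name=com.example.FooBar
abrmd_check 'bus_name=com.example.FooBar,bus_type=session' && echo 'abrmd config ok'
```

tcti_resolve reports the name as “default” when the name portion is empty, because which of tabrmd, device or mssim the tools actually load is decided at run time by the dlopen(3) search described under TCTI Defaults; the -v option prints the “default-tcti” value for the host you are on.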
COMMAND CODE MAPPINGS
The friendly strings below can be used in lieu of the raw integer values.

• TPM2_CC_AC_GetCapability: 0x194
• TPM2_CC_AC_Send: 0x195
• TPM2_CC_ActivateCredential: 0x147
• TPM2_CC_Certify: 0x148
• TPM2_CC_CertifyCreation: 0x14a
• TPM2_CC_ChangeEPS: 0x124
• TPM2_CC_ChangePPS: 0x125
• TPM2_CC_Clear: 0x126
• TPM2_CC_ClearControl: 0x127
• TPM2_CC_ClockRateAdjust: 0x130
• TPM2_CC_ClockSet: 0x128
• TPM2_CC_Commit: 0x18b
• TPM2_CC_ContextLoad: 0x161
• TPM2_CC_ContextSave: 0x162
• TPM2_CC_Create: 0x153
• TPM2_CC_CreateLoaded: 0x191
• TPM2_CC_CreatePrimary: 0x131
• TPM2_CC_DictionaryAttackLockReset: 0x139
• TPM2_CC_DictionaryAttackParameters: 0x13a
• TPM2_CC_Duplicate: 0x14b
• TPM2_CC_ECC_Parameters: 0x178
• TPM2_CC_ECDH_KeyGen: 0x163
• TPM2_CC_ECDH_ZGen: 0x154
• TPM2_CC_EC_Ephemeral: 0x18e
• TPM2_CC_EncryptDecrypt: 0x164
• TPM2_CC_EncryptDecrypt2: 0x193
• TPM2_CC_EventSequenceComplete: 0x185
• TPM2_CC_EvictControl: 0x120
• TPM2_CC_FieldUpgradeData: 0x141
• TPM2_CC_FieldUpgradeStart: 0x12f
• TPM2_CC_FirmwareRead: 0x179
• TPM2_CC_FlushContext: 0x165
• TPM2_CC_GetCapability: 0x17a
• TPM2_CC_GetCommandAuditDigest: 0x133
• TPM2_CC_GetRandom: 0x17b
• TPM2_CC_GetSessionAuditDigest: 0x14d
• TPM2_CC_GetTestResult: 0x17c
• TPM2_CC_GetTime: 0x14c
• TPM2_CC_Hash: 0x17d
• TPM2_CC_HashSequenceStart: 0x186
• TPM2_CC_HierarchyChangeAuth: 0x129
• TPM2_CC_HierarchyControl: 0x121
• TPM2_CC_HMAC: 0x155
• TPM2_CC_HMAC_Start: 0x15b
• TPM2_CC_Import: 0x156
• TPM2_CC_IncrementalSelfTest: 0x142
• TPM2_CC_Load: 0x157
• TPM2_CC_LoadExternal: 0x167
• TPM2_CC_MakeCredential: 0x168
• TPM2_CC_NV_Certify: 0x184
• TPM2_CC_NV_ChangeAuth: 0x13b
• TPM2_CC_NV_DefineSpace: 0x12a
• TPM2_CC_NV_Extend: 0x136
• TPM2_CC_NV_GlobalWriteLock: 0x132
• TPM2_CC_NV_Increment: 0x134
• TPM2_CC_NV_Read: 0x14e
• TPM2_CC_NV_ReadLock: 0x14f
• TPM2_CC_NV_ReadPublic: 0x169
• TPM2_CC_NV_SetBits: 0x135
• TPM2_CC_NV_UndefineSpace: 0x122
• TPM2_CC_NV_UndefineSpaceSpecial: 0x11f
• TPM2_CC_NV_Write: 0x137
• TPM2_CC_NV_WriteLock: 0x138
• TPM2_CC_ObjectChangeAuth: 0x150
• TPM2_CC_PCR_Allocate: 0x12b
• TPM2_CC_PCR_Event: 0x13c
• TPM2_CC_PCR_Extend: 0x182
• TPM2_CC_PCR_Read: 0x17e
• TPM2_CC_PCR_Reset: 0x13d
• TPM2_CC_PCR_SetAuthPolicy: 0x12c
• TPM2_CC_PCR_SetAuthValue: 0x183
• TPM2_CC_Policy_AC_SendSelect: 0x196
• TPM2_CC_PolicyAuthorize: 0x16a
• TPM2_CC_PolicyAuthorizeNV: 0x192
• TPM2_CC_PolicyAuthValue: 0x16b
• TPM2_CC_PolicyCommandCode: 0x16c
• TPM2_CC_PolicyCounterTimer: 0x16d
• TPM2_CC_PolicyCpHash: 0x16e
• TPM2_CC_PolicyDuplicationSelect: 0x188
• TPM2_CC_PolicyGetDigest: 0x189
• TPM2_CC_PolicyLocality: 0x16f
• TPM2_CC_PolicyNameHash: 0x170
• TPM2_CC_PolicyNV: 0x149
• TPM2_CC_PolicyNvWritten: 0x18f
• TPM2_CC_PolicyOR: 0x171
• TPM2_CC_PolicyPassword: 0x18c
• TPM2_CC_PolicyPCR: 0x17f
• TPM2_CC_PolicyPhysicalPresence: 0x187
• TPM2_CC_PolicyRestart: 0x180
• TPM2_CC_PolicySecret: 0x151
• TPM2_CC_PolicySigned: 0x160
• TPM2_CC_PolicyTemplate: 0x190
• TPM2_CC_PolicyTicket: 0x172
• TPM2_CC_PP_Commands: 0x12d
• TPM2_CC_Quote: 0x158
• TPM2_CC_ReadClock: 0x181
• TPM2_CC_ReadPublic: 0x173
• TPM2_CC_Rewrap: 0x152
• TPM2_CC_RSA_Decrypt: 0x159
• TPM2_CC_RSA_Encrypt: 0x174
• TPM2_CC_SelfTest: 0x143
• TPM2_CC_SequenceComplete: 0x13e
• TPM2_CC_SequenceUpdate: 0x15c
• TPM2_CC_SetAlgorithmSet: 0x13f
• TPM2_CC_SetCommandCodeAuditStatus: 0x140
• TPM2_CC_SetPrimaryPolicy: 0x12e
• TPM2_CC_Shutdown: 0x145
• TPM2_CC_Sign: 0x15d
• TPM2_CC_StartAuthSession: 0x176
• TPM2_CC_Startup: 0x144
• TPM2_CC_StirRandom: 0x146
• TPM2_CC_TestParms: 0x18a
• TPM2_CC_Unseal: 0x15e
• TPM2_CC_Vendor_TCG_Test: 0x20000000
• TPM2_CC_VerifySignature: 0x177
• TPM2_CC_ZGen_2Phase: 0x18d

EXAMPLES
Add TPM2_CC_Unseal to the list of audited commands.

tpm2_setcommandauditstatus TPM2_CC_Unseal

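A shell wrapper that checks the ARGUMENT against the friendly-string table and the OPTIONS above before invoking the tool, as an added example that is not part of tpm2-tools. The table is a subset copied from COMMAND CODE MAPPINGS; the function names (cc_code, cc_name, audit_apply) and the DRY_RUN convention are this example's own.

```shell
#!/bin/sh
# Added example (not part of tpm2-tools): validate the COMMAND CODE argument
# and assemble the tpm2_setcommandauditstatus invocation before anything is
# sent to the TPM. The table rows are copied from COMMAND CODE MAPPINGS
# (a subset; extend it as needed). Function names are this example's own.

cc_table() {
cat <<'EOF'
TPM2_CC_Clear 0x126
TPM2_CC_GetCommandAuditDigest 0x133
TPM2_CC_GetRandom 0x17b
TPM2_CC_NV_Read 0x14e
TPM2_CC_Quote 0x158
TPM2_CC_SetCommandCodeAuditStatus 0x140
TPM2_CC_Sign 0x15d
TPM2_CC_Unseal 0x15e
EOF
}

# cc_code NAME_OR_HEX: print the 0x-prefixed code for a friendly string,
# pass a well-formed hex value through unchanged, fail on anything else.
cc_code() {
  case "$1" in
    0x*)
      hex=${1#0x}
      if [ -z "$hex" ] || [ -n "$(printf '%s' "$hex" | tr -d '0-9a-fA-F')" ]; then
        printf 'not a hex command code: %s\n' "$1" >&2
        return 1
      fi
      printf '%s\n' "$1"
      return 0 ;;
  esac
  code=$(cc_table | awk -v n="$1" '$1 == n { print $2; exit }')
  if [ -z "$code" ]; then
    printf 'unknown command code: %s\n' "$1" >&2
    return 1
  fi
  printf '%s\n' "$code"
}

# cc_name HEX: reverse lookup; prints the friendly string, or nothing.
cc_name() { cc_table | awk -v c="$1" '$2 == c { print $1; exit }'; }

# audit_apply HIERARCHY ALG add|clear COMMAND [AUTH]: build and run the tool
# invocation. -C is o (owner, the default) or p (platform); -g is the audit
# digest hash (sha256 by default); -c takes the command off the list; -P is
# the hierarchy authorization when one is set. With DRY_RUN=1 the invocation
# is printed instead of run, so this works without a TPM.
audit_apply() {
  hier=$1; alg=$2; action=$3; cmd=$4; auth=$5
  case "$hier" in o|p) ;; *) printf 'hierarchy must be o or p\n' >&2; return 1 ;; esac
  case "$action" in add|clear) ;; *) printf 'action must be add or clear\n' >&2; return 1 ;; esac
  code=$(cc_code "$cmd") || return 1
  set -- tpm2_setcommandauditstatus -C "$hier" -g "$alg"
  if [ "$action" = clear ]; then set -- "$@" -c; fi
  if [ -n "$auth" ]; then set -- "$@" -P "$auth"; fi
  set -- "$@" "$code"
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Demo (DRY_RUN defaults to 1 here; set DRY_RUN=0 to actually talk to the TPM).
DRY_RUN=${DRY_RUN:-1}
audit_apply o sha256 add TPM2_CC_Unseal   # tpm2_setcommandauditstatus -C o -g sha256 0x15e
audit_apply p sha256 clear 0x15d          # tpm2_setcommandauditstatus -C p -g sha256 -c 0x15d
```

Building the argument vector with set -- and executing "$@" directly (no eval) means an authorization value passed to -P reaches the tool unchanged even if it contains spaces or shell metacharacters; DRY_RUN=1 prints that same vector for review before a real run.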
Returns
Tools can return any of the following codes:

• 0 - Success.

• 1 - General non-specific error.

• 2 - Options handling error.

• 3 - Authentication error.

• 4 - TCTI related error.

• 5 - Non supported scheme. Applicable to tpm2_testparms.

LIMITATIONS
It expects a session to be already established via tpm2_startauthsession(1) and requires one of the following:

• direct device access

• extended session support with tpm2-abrmd.

Without it, most resource managers will not save session state between command invocations.

BUGS
Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

HELP
See the Mailing List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)


tpm2-tools                                                   tpm2_setcommandauditstatus(1)