tpm2_setprimarypolicy(1)

1tpm2_setprimarypolicy(1)    General Commands Manual   tpm2_setprimarypolicy(1)
2
3
4

NAME

6       tpm2_setprimarypolicy(1)  - Sets the authorization policy for the lock‐
7       out (lockoutPolicy), the platform hierarchy (platformPolicy), the stor‐
8       age  hierarchy  (ownerPolicy),  and the endorsement hierarchy (endorse‐
9       mentPolicy).
10

SYNOPSIS

12       tpm2_setprimarypolicy [OPTIONS]
13

DESCRIPTION

15       tpm2_setprimarypolicy(1) - Sets the authorization policy for the  lock‐
16       out (lockoutPolicy), the platform hierarchy (platformPolicy), the stor‐
17       age hierarchy (ownerPolicy), and the  endorsement  hierarchy  (endorse‐
18       mentPolicy).
19

OPTIONS

21       These options control creating the policy authorization session:
22
23       • -C, --hierarchy=OBJECT:
24
25         Specifies  the  hierarchy  whose authorization policy is to be setup.
26         It can be specified as o|p|e|l
27
28       • -P, --auth=AUTH:
29
30         Specifies the authorization value for the hierarchy.
31
32       • -L, --policy=FILE:
33
34         The file path of the authorization policy data.
35
36       • -g, --hash-algorithm=ALGORITHM:
37
38         The hash algorithm used in computation of the policy digest.
39
40       • --cphash=FILE
41
42         File path to record the hash of the command parameters.  This is com‐
43         monly termed as cpHash.  NOTE: When this option is selected, The tool
44         will not actually execute the command, it simply returns a cpHash.
45
46   References

Context Object Format

48       The type of a context object, whether it is a handle or file  name,  is
49       determined according to the following logic in-order:
50
51       • If the argument is a file path, then the file is loaded as a restored
52         TPM transient object.
53
54       • If the argument is a prefix match on one of:
55
56         • owner: the owner hierarchy
57
58         • platform: the platform hierarchy
59
60         • endorsement: the endorsement hierarchy
61
62         • lockout: the lockout control persistent object
63
64       • If the argument argument can be loaded as a number it will  be  treat
65         as a handle, e.g. 0x81010013 and used directly._OBJECT_.
66

Authorization Formatting

68       Authorization  for  use  of an object in TPM2.0 can come in 3 different
69       forms: 1.  Password 2.  HMAC 3.  Sessions
70
71       NOTE: “Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
72       fied”.
73
74   Passwords
75       Passwords  are  interpreted  in  the following forms below using prefix
76       identifiers.
77
78       Note: By default passwords are assumed to be in the  string  form  when
79       they do not have a prefix.
80
81   String
82       A  string  password,  specified  by  prefix “str:” or it’s absence (raw
83       string without prefix) is not interpreted, and is directly used for au‐
84       thorization.
85
86   Examples
87              foobar
88              str:foobar
89
90   Hex-string
91       A  hex-string  password, specified by prefix “hex:” is converted from a
92       hexidecimal form into a byte array form, thus allowing  passwords  with
93       non-printable and/or terminal un-friendly characters.
94
95   Example
96              hex:1122334455667788
97
98   File
99       A  file  based password, specified be prefix “file:” should be the path
100       of a file containing the password to be read by the tool or  a  “-”  to
101       use  stdin.   Storing  passwords in files prevents information leakage,
102       passwords passed as options can be read from the process list or common
103       shell history features.
104
105   Examples
106              # to use stdin and be prompted
107              file:-
108
109              # to use a file from a path
110              file:path/to/password/file
111
112              # to echo a password via stdin:
113              echo foobar | tpm2_tool -p file:-
114
115              # to use a bash here-string via stdin:
116
117              tpm2_tool -p file:- <<< foobar
118
119   Sessions
120       When  using  a policy session to authorize the use of an object, prefix
121       the option argument with the session keyword.  Then indicate a path  to
122       a session file that was created with tpm2_startauthsession(1).  Option‐
123       ally, if the session requires an auth value to be sent with the session
124       handle  (eg policy password), then append a + and a string as described
125       in the Passwords section.
126
127   Examples
128       To use a session context file called session.ctx.
129
130              session:session.ctx
131
132       To use a session context file called session.ctx AND send the authvalue
133       mypassword.
134
135              session:session.ctx+mypassword
136
137       To use a session context file called session.ctx AND send the HEX auth‐
138       value 0x11223344.
139
140              session:session.ctx+hex:11223344
141
142   PCR Authorizations
143       You can satisfy a PCR policy using the “pcr:” prefix and the PCR  mini‐
144       language.       The     PCR     minilanguage     is     as     follows:
145       <pcr-spec>=<raw-pcr-file>
146
147       The PCR spec is documented in in the section “PCR bank specifiers”.
148
149       The raw-pcr-file is an optional argument that contains  the  output  of
150       the raw PCR contents as returned by tpm2_pcrread(1).
151
152       PCR bank specifiers (pcr.md)
153
154   Examples
155       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
156       er of:
157
158              pcr:sha256:0,1,2,3
159
160       specifying AUTH.
161

Algorithm Specifiers

163       Options that take algorithms support “nice-names”.
164
165       There are two major algorithm specification string classes, simple  and
166       complex.  Only certain algorithms will be accepted by the TPM, based on
167       usage and conditions.
168
169   Simple specifiers
170       These are strings with no additional specification data.  When creating
171       objects,  non-specified  portions of an object are assumed to defaults.
172       You can find the list of known “Simple Specifiers” below.
173
174   Asymmetric
175       • rsa
176
177       • ecc
178
179   Symmetric
180       • aes
181
182       • camellia
183
184       • sm4
185
186   Hashing Algorithms
187       • sha1
188
189       • sha256
190
191       • sha384
192
193       • sha512
194
195       • sm3_256
196
197       • sha3_256
198
199       • sha3_384
200
201       • sha3_512
202
203   Keyed Hash
204       • hmac
205
206       • xor
207
208   Signing Schemes
209       • rsassa
210
211       • rsapss
212
213       • ecdsa
214
215       • ecdaa
216
217       • ecschnorr
218
219       • sm2
220
221   Asymmetric Encryption Schemes
222       • oaep
223
224       • rsaes
225
226       • ecdh
227
228   Modes
229       • ctr
230
231       • ofb
232
233       • cbc
234
235       • cfb
236
237       • ecb
238
239   Misc
240       • null
241
242   Complex Specifiers
243       Objects, when specified for creation by the TPM,  have  numerous  algo‐
244       rithms  to  populate  in the public data.  Things like type, scheme and
245       asymmetric details, key size, etc.  Below is  the  general  format  for
246       specifying this data: <type>:<scheme>:<symmetric-details>
247
248   Type Specifiers
249       This  portion  of the complex algorithm specifier is required.  The re‐
250       maining scheme and symmetric details will default  based  on  the  type
251       specified and the type of the object being created.
252
253       • aes - Default AES: aes128
254
255       • aes128<mode>  - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
256         If mode is not specified, defaults to null.
257
258       • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
259
260       • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
261
262       • sm4 - Default SM4: sm4128
263
264       • sm4128  or  sm4_128  <mode>  -  128  bit  SM4  with   optional   mode
265         (ctr|ofb|cbc|cfb|ecb).  If mode is not specified, defaults to null.
266
267       • ecc - Elliptical Curve, defaults to ecc256.
268
269       • ecc192 or ecc_nist_p192 - 192 bit ECC NIST curve
270
271       • ecc224 or ecc_nist_p224 - 224 bit ECC NIST curve
272
273       • ecc256 or ecc_nist_p256 - 256 bit ECC NIST curve
274
275       • ecc384 or ecc_nist_p384 - 384 bit ECC NIST curve
276
277       • ecc521 or ecc_nist_p521 - 521 bit ECC NIST curve
278
279       • ecc_sm2 or ecc_sm2_p256 - 256 bit SM2 curve
280
281       • rsa - Default RSA: rsa2048
282
283       • rsa1024 - RSA with 1024 bit keysize.
284
285       • rsa2048 - RSA with 2048 bit keysize.
286
287       • rsa3072 - RSA with 3072 bit keysize.
288
289       • rsa4096 - RSA with 4096 bit keysize.
290
291   Scheme Specifiers
292       Next, is an optional field, it can be skipped.
293
294       Schemes  are  usually Signing Schemes or Asymmetric Encryption Schemes.
295       Most signing schemes take a hash algorithm directly following the sign‐
296       ing  scheme.   If the hash algorithm is missing, it defaults to sha256.
297       Some take no arguments, and some take multiple arguments.
298
299   Hash Optional Scheme Specifiers
300       These scheme specifiers are followed by a dash and a valid  hash  algo‐
301       rithm, For example: oaep-sha256.
302
303       • oaep
304
305       • ecdh
306
307       • rsassa
308
309       • rsapss
310
311       • ecdsa
312
313       • ecschnorr
314
315       • sm2
316
317   Multiple Option Scheme Specifiers
318       This  scheme  specifier  is  followed by a count (max size UINT16) then
319       followed by a dash(-) and a valid hash algorithm.  * ecdaa For example,
320       ecdaa4-sha256.  If no count is specified, it defaults to 4.
321
322   No Option Scheme Specifiers
323       This scheme specifier takes NO arguments.  * rsaes
324
325   Symmetric Details Specifiers
326       This  field is optional, and defaults based on the type of object being
327       created and it’s attributes.  Generally, any valid Symmetric  specifier
328       from  the Type Specifiers list should work.  If not specified, an asym‐
329       metric objects symmetric details defaults to aes128cfb.
330
331   Examples
332   Create an rsa2048 key with an rsaes asymmetric encryption scheme
333       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
334
335   Create an ecc256 key with an ecdaa signing scheme with a  count  of  4  and
336       sha384 hash
337       /tpm2_create  -C  parent.ctx  -G  ecc256:ecdaa4-sha384  -u  key.pub  -r
338       key.priv cryptographic algorithms ALGORITHM.
339

COMMON OPTIONS

341       This collection of options are common to many programs and provide  in‐
342       formation that many users may expect.
343
344       • -h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
345         attempts to invoke the manpager for the  tool,  however,  on  failure
346         will  output  a short tool summary.  This is the same behavior if the
347         “man” option argument is specified, however if explicit “man” is  re‐
348         quested,  the  tool  will  provide errors from man on stderr.  If the
349         “no-man” option if specified, or the manpager fails,  the  short  op‐
350         tions will be output to stdout.
351
352         To  successfully use the manpages feature requires the manpages to be
353         installed or on MANPATH, See man(1) for more details.
354
355       • -v, --version: Display version information for this  tool,  supported
356         tctis and exit.
357
358       • -V,  --verbose:  Increase the information that the tool prints to the
359         console during its execution.  When using this option  the  file  and
360         line number are printed.
361
362       • -Q, --quiet: Silence normal tool output to stdout.
363
364       • -Z, --enable-errata: Enable the application of errata fixups.  Useful
365         if an errata fixup needs to be applied to commands sent to  the  TPM.
366         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
367         formation many users may expect.
368

TCTI Configuration

370       The TCTI or “Transmission Interface”  is  the  communication  mechanism
371       with  the TPM.  TCTIs can be changed for communication with TPMs across
372       different mediums.
373
374       To control the TCTI, the tools respect:
375
376       1. The command line option -T or --tcti
377
378       2. The environment variable: TPM2TOOLS_TCTI.
379
380       Note: The command line option always overrides  the  environment  vari‐
381       able.
382
383       The current known TCTIs are:
384
385       • tabrmd      -     The     resource     manager,     called     tabrmd
386         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
387         abrmd as a tcti name are synonymous.
388
389       • mssim  - Typically used for communicating to the TPM software simula‐
390         tor.
391
392       • device - Used when talking directly to a TPM device file.
393
394       • none - Do not initalize a connection with the TPM.  Some tools  allow
395         for off-tpm options and thus support not using a TCTI.  Tools that do
396         not support it will error when attempted to be used  without  a  TCTI
397         connection.   Does  not  support ANY options and MUST BE presented as
398         the exact text of “none”.
399
400       The arguments to either the command  line  option  or  the  environment
401       variable are in the form:
402
403       <tcti-name>:<tcti-option-config>
404
405       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
406       tion-config> results in the default being used for that portion respec‐
407       tively.
408
409   TCTI Defaults
410       When  a  TCTI  is not specified, the default TCTI is searched for using
411       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
412       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
413       what TCTI will be chosen as the default by using the -v option to print
414       the  version information.  The “default-tcti” key-value pair will indi‐
415       cate which of the aforementioned TCTIs is the default.
416
417   Custom TCTIs
418       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
419       tools internally use dlopen(3), and the raw tcti-name value is used for
420       the lookup.  Thus, this could be a path to the shared library, or a li‐
421       brary name as understood by dlopen(3) semantics.
422

TCTI OPTIONS

424       This collection of options are used to configure the various known TCTI
425       modules available:
426
427       • device: For the device TCTI, the TPM character device file for use by
428         the device TCTI can be specified.  The default is /dev/tpm0.
429
430         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI=“de‐
431         vice:/dev/tpm0”
432
433       • mssim: For the mssim TCTI, the domain name or  IP  address  and  port
434         number  used  by  the  simulator  can  be specified.  The default are
435         127.0.0.1 and 2321.
436
437         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
438         TI=“mssim:host=localhost,port=2321”
439
440       • abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
441         ries of simple key value pairs separated by a  `,'  character.   Each
442         key and value string are separated by a `=' character.
443
444         • TCTI abrmd supports two keys:
445
446           1. `bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
447              string).
448
449           2. `bus_type' : The type of the dbus instance (a string) limited to
450              `session' and `system'.
451
452         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
453         ample.FooBar:
454
455                \--tcti=tabrmd:bus_name=com.example.FooBar
456
457         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
458         sion:
459
460                \--tcti:bus_type=session
461
462         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
463         ules.
464

EXAMPLES

466   Set a blank authorization policy for endorsement hierarchy
467              tpm2_setprimarypolicy -C e
468

Returns

470       Tools can return any of the following codes:
471
472       • 0 - Success.
473
474       • 1 - General non-specific error.
475
476       • 2 - Options handling error.
477
478       • 3 - Authentication error.
479
480       • 4 - TCTI related error.
481
482       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
483

BUGS

485       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
486

HELP

488       See the Mailing List (https://lists.linuxfoundation.org/mailman/listin‐
489       fo/tpm2)
490
491
492
493tpm2-tools                                            tpm2_setprimarypolicy(1)