1tpm2_setprimarypolicy(1) General Commands Manual tpm2_setprimarypolicy(1)
2
3
4
6 tpm2_setprimarypolicy(1) - Sets the authorization policy for the lock‐
7 out (lockoutPolicy), the platform hierarchy (platformPolicy), the stor‐
8 age hierarchy (ownerPolicy), and the endorsement hierarchy (endorse‐
9 mentPolicy).
10
12 tpm2_setprimarypolicy [OPTIONS]
13
15 tpm2_setprimarypolicy(1) - Sets the authorization policy for the lock‐
16 out (lockoutPolicy), the platform hierarchy (platformPolicy), the stor‐
17 age hierarchy (ownerPolicy), and the endorsement hierarchy (endorse‐
18 mentPolicy).
19
21 These options control creating the policy authorization session:
22
23 • -C, --hierarchy=OBJECT:
24
25 Specifies the hierarchy whose authorization policy is to be setup.
26 It can be specified as o|p|e|l
27
28 • -P, --auth=AUTH:
29
30 Specifies the authorization value for the hierarchy.
31
32 • -L, --policy=FILE:
33
34 The file path of the authorization policy data.
35
36 • -g, --hash-algorithm=ALGORITHM:
37
38 The hash algorithm used in computation of the policy digest.
39
40 • --cphash=FILE
41
42 File path to record the hash of the command parameters. This is com‐
43 monly termed as cpHash. NOTE: When this option is selected, The tool
44 will not actually execute the command, it simply returns a cpHash.
45
46 References
48 The type of a context object, whether it is a handle or file name, is
49 determined according to the following logic in-order:
50
51 • If the argument is a file path, then the file is loaded as a restored
52 TPM transient object.
53
54 • If the argument is a prefix match on one of:
55
56 • owner: the owner hierarchy
57
58 • platform: the platform hierarchy
59
60 • endorsement: the endorsement hierarchy
61
62 • lockout: the lockout control persistent object
63
64 • If the argument argument can be loaded as a number it will be treat
65 as a handle, e.g. 0x81010013 and used directly._OBJECT_.
66
68 Authorization for use of an object in TPM2.0 can come in 3 different
69 forms: 1. Password 2. HMAC 3. Sessions
70
71 NOTE: “Authorizations default to the EMPTY PASSWORD when not speci‐
72 fied”.
73
74 Passwords
75 Passwords are interpreted in the following forms below using prefix
76 identifiers.
77
78 Note: By default passwords are assumed to be in the string form when
79 they do not have a prefix.
80
81 String
82 A string password, specified by prefix “str:” or it’s absence (raw
83 string without prefix) is not interpreted, and is directly used for au‐
84 thorization.
85
86 Examples
87 foobar
88 str:foobar
89
90 Hex-string
91 A hex-string password, specified by prefix “hex:” is converted from a
92 hexidecimal form into a byte array form, thus allowing passwords with
93 non-printable and/or terminal un-friendly characters.
94
95 Example
96 hex:1122334455667788
97
98 File
99 A file based password, specified be prefix “file:” should be the path
100 of a file containing the password to be read by the tool or a “-” to
101 use stdin. Storing passwords in files prevents information leakage,
102 passwords passed as options can be read from the process list or common
103 shell history features.
104
105 Examples
106 # to use stdin and be prompted
107 file:-
108
109 # to use a file from a path
110 file:path/to/password/file
111
112 # to echo a password via stdin:
113 echo foobar | tpm2_tool -p file:-
114
115 # to use a bash here-string via stdin:
116
117 tpm2_tool -p file:- <<< foobar
118
119 Sessions
120 When using a policy session to authorize the use of an object, prefix
121 the option argument with the session keyword. Then indicate a path to
122 a session file that was created with tpm2_startauthsession(1). Option‐
123 ally, if the session requires an auth value to be sent with the session
124 handle (eg policy password), then append a + and a string as described
125 in the Passwords section.
126
127 Examples
128 To use a session context file called session.ctx.
129
130 session:session.ctx
131
132 To use a session context file called session.ctx AND send the authvalue
133 mypassword.
134
135 session:session.ctx+mypassword
136
137 To use a session context file called session.ctx AND send the HEX auth‐
138 value 0x11223344.
139
140 session:session.ctx+hex:11223344
141
142 PCR Authorizations
143 You can satisfy a PCR policy using the “pcr:” prefix and the PCR mini‐
144 language. The PCR minilanguage is as follows:
145 <pcr-spec>=<raw-pcr-file>
146
147 The PCR spec is documented in in the section “PCR bank specifiers”.
148
149 The raw-pcr-file is an optional argument that contains the output of
150 the raw PCR contents as returned by tpm2_pcrread(1).
151
152 PCR bank specifiers (pcr.md)
153
154 Examples
155 To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
156 er of:
157
158 pcr:sha256:0,1,2,3
159
160 specifying AUTH.
161
163 Options that take algorithms support “nice-names”.
164
165 There are two major algorithm specification string classes, simple and
166 complex. Only certain algorithms will be accepted by the TPM, based on
167 usage and conditions.
168
169 Simple specifiers
170 These are strings with no additional specification data. When creating
171 objects, non-specified portions of an object are assumed to defaults.
172 You can find the list of known “Simple Specifiers” below.
173
174 Asymmetric
175 • rsa
176
177 • ecc
178
179 Symmetric
180 • aes
181
182 • camellia
183
184 • sm4
185
186 Hashing Algorithms
187 • sha1
188
189 • sha256
190
191 • sha384
192
193 • sha512
194
195 • sm3_256
196
197 • sha3_256
198
199 • sha3_384
200
201 • sha3_512
202
203 Keyed Hash
204 • hmac
205
206 • xor
207
208 Signing Schemes
209 • rsassa
210
211 • rsapss
212
213 • ecdsa
214
215 • ecdaa
216
217 • ecschnorr
218
219 • sm2
220
221 Asymmetric Encryption Schemes
222 • oaep
223
224 • rsaes
225
226 • ecdh
227
228 Modes
229 • ctr
230
231 • ofb
232
233 • cbc
234
235 • cfb
236
237 • ecb
238
239 Misc
240 • null
241
242 Complex Specifiers
243 Objects, when specified for creation by the TPM, have numerous algo‐
244 rithms to populate in the public data. Things like type, scheme and
245 asymmetric details, key size, etc. Below is the general format for
246 specifying this data: <type>:<scheme>:<symmetric-details>
247
248 Type Specifiers
249 This portion of the complex algorithm specifier is required. The re‐
250 maining scheme and symmetric details will default based on the type
251 specified and the type of the object being created.
252
253 • aes - Default AES: aes128
254
255 • aes128<mode> - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
256 If mode is not specified, defaults to null.
257
258 • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
259
260 • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
261
262 • sm4 - Default SM4: sm4128
263
264 • sm4128 or sm4_128 <mode> - 128 bit SM4 with optional mode
265 (ctr|ofb|cbc|cfb|ecb). If mode is not specified, defaults to null.
266
267 • ecc - Elliptical Curve, defaults to ecc256.
268
269 • ecc192 or ecc_nist_p192 - 192 bit ECC NIST curve
270
271 • ecc224 or ecc_nist_p224 - 224 bit ECC NIST curve
272
273 • ecc256 or ecc_nist_p256 - 256 bit ECC NIST curve
274
275 • ecc384 or ecc_nist_p384 - 384 bit ECC NIST curve
276
277 • ecc521 or ecc_nist_p521 - 521 bit ECC NIST curve
278
279 • ecc_sm2 or ecc_sm2_p256 - 256 bit SM2 curve
280
281 • rsa - Default RSA: rsa2048
282
283 • rsa1024 - RSA with 1024 bit keysize.
284
285 • rsa2048 - RSA with 2048 bit keysize.
286
287 • rsa3072 - RSA with 3072 bit keysize.
288
289 • rsa4096 - RSA with 4096 bit keysize.
290
291 Scheme Specifiers
292 Next, is an optional field, it can be skipped.
293
294 Schemes are usually Signing Schemes or Asymmetric Encryption Schemes.
295 Most signing schemes take a hash algorithm directly following the sign‐
296 ing scheme. If the hash algorithm is missing, it defaults to sha256.
297 Some take no arguments, and some take multiple arguments.
298
299 Hash Optional Scheme Specifiers
300 These scheme specifiers are followed by a dash and a valid hash algo‐
301 rithm, For example: oaep-sha256.
302
303 • oaep
304
305 • ecdh
306
307 • rsassa
308
309 • rsapss
310
311 • ecdsa
312
313 • ecschnorr
314
315 • sm2
316
317 Multiple Option Scheme Specifiers
318 This scheme specifier is followed by a count (max size UINT16) then
319 followed by a dash(-) and a valid hash algorithm. * ecdaa For example,
320 ecdaa4-sha256. If no count is specified, it defaults to 4.
321
322 No Option Scheme Specifiers
323 This scheme specifier takes NO arguments. * rsaes
324
325 Symmetric Details Specifiers
326 This field is optional, and defaults based on the type of object being
327 created and it’s attributes. Generally, any valid Symmetric specifier
328 from the Type Specifiers list should work. If not specified, an asym‐
329 metric objects symmetric details defaults to aes128cfb.
330
331 Examples
332 Create an rsa2048 key with an rsaes asymmetric encryption scheme
333 tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
334
335 Create an ecc256 key with an ecdaa signing scheme with a count of 4 and
336 sha384 hash
337 /tpm2_create -C parent.ctx -G ecc256:ecdaa4-sha384 -u key.pub -r
338 key.priv cryptographic algorithms ALGORITHM.
339
341 This collection of options are common to many programs and provide in‐
342 formation that many users may expect.
343
344 • -h, --help=[man|no-man]: Display the tools manpage. By default, it
345 attempts to invoke the manpager for the tool, however, on failure
346 will output a short tool summary. This is the same behavior if the
347 “man” option argument is specified, however if explicit “man” is re‐
348 quested, the tool will provide errors from man on stderr. If the
349 “no-man” option if specified, or the manpager fails, the short op‐
350 tions will be output to stdout.
351
352 To successfully use the manpages feature requires the manpages to be
353 installed or on MANPATH, See man(1) for more details.
354
355 • -v, --version: Display version information for this tool, supported
356 tctis and exit.
357
358 • -V, --verbose: Increase the information that the tool prints to the
359 console during its execution. When using this option the file and
360 line number are printed.
361
362 • -Q, --quiet: Silence normal tool output to stdout.
363
364 • -Z, --enable-errata: Enable the application of errata fixups. Useful
365 if an errata fixup needs to be applied to commands sent to the TPM.
366 Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent. in‐
367 formation many users may expect.
368
370 The TCTI or “Transmission Interface” is the communication mechanism
371 with the TPM. TCTIs can be changed for communication with TPMs across
372 different mediums.
373
374 To control the TCTI, the tools respect:
375
376 1. The command line option -T or --tcti
377
378 2. The environment variable: TPM2TOOLS_TCTI.
379
380 Note: The command line option always overrides the environment vari‐
381 able.
382
383 The current known TCTIs are:
384
385 • tabrmd - The resource manager, called tabrmd
386 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
387 abrmd as a tcti name are synonymous.
388
389 • mssim - Typically used for communicating to the TPM software simula‐
390 tor.
391
392 • device - Used when talking directly to a TPM device file.
393
394 • none - Do not initalize a connection with the TPM. Some tools allow
395 for off-tpm options and thus support not using a TCTI. Tools that do
396 not support it will error when attempted to be used without a TCTI
397 connection. Does not support ANY options and MUST BE presented as
398 the exact text of “none”.
399
400 The arguments to either the command line option or the environment
401 variable are in the form:
402
403 <tcti-name>:<tcti-option-config>
404
405 Specifying an empty string for either the <tcti-name> or <tcti-op‐
406 tion-config> results in the default being used for that portion respec‐
407 tively.
408
409 TCTI Defaults
410 When a TCTI is not specified, the default TCTI is searched for using
411 dlopen(3) semantics. The tools will search for tabrmd, device and
412 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
413 what TCTI will be chosen as the default by using the -v option to print
414 the version information. The “default-tcti” key-value pair will indi‐
415 cate which of the aforementioned TCTIs is the default.
416
417 Custom TCTIs
418 Any TCTI that implements the dynamic TCTI interface can be loaded. The
419 tools internally use dlopen(3), and the raw tcti-name value is used for
420 the lookup. Thus, this could be a path to the shared library, or a li‐
421 brary name as understood by dlopen(3) semantics.
422
424 This collection of options are used to configure the various known TCTI
425 modules available:
426
427 • device: For the device TCTI, the TPM character device file for use by
428 the device TCTI can be specified. The default is /dev/tpm0.
429
430 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI=“de‐
431 vice:/dev/tpm0”
432
433 • mssim: For the mssim TCTI, the domain name or IP address and port
434 number used by the simulator can be specified. The default are
435 127.0.0.1 and 2321.
436
437 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
438 TI=“mssim:host=localhost,port=2321”
439
440 • abrmd: For the abrmd TCTI, the configuration string format is a se‐
441 ries of simple key value pairs separated by a `,' character. Each
442 key and value string are separated by a `=' character.
443
444 • TCTI abrmd supports two keys:
445
446 1. `bus_name' : The name of the tabrmd service on the bus (a
447 string).
448
449 2. `bus_type' : The type of the dbus instance (a string) limited to
450 `session' and `system'.
451
452 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
453 ample.FooBar:
454
455 \--tcti=tabrmd:bus_name=com.example.FooBar
456
457 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
458 sion:
459
460 \--tcti:bus_type=session
461
462 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
463 ules.
464
466 Set a blank authorization policy for endorsement hierarchy
467 tpm2_setprimarypolicy -C e
468
470 Tools can return any of the following codes:
471
472 • 0 - Success.
473
474 • 1 - General non-specific error.
475
476 • 2 - Options handling error.
477
478 • 3 - Authentication error.
479
480 • 4 - TCTI related error.
481
482 • 5 - Non supported scheme. Applicable to tpm2_testparams.
483
485 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
486
488 See the Mailing List (https://lists.linuxfoundation.org/mailman/listin‐
489 fo/tpm2)
490
491
492
493tpm2-tools tpm2_setprimarypolicy(1)