tpm2_policycommandcode(1)   General Commands Manual  tpm2_policycommandcode(1)

NAME

       tpm2_policycommandcode(1) - Restrict TPM object authorization to specific
       TPM commands.


SYNOPSIS

       tpm2_policycommandcode [OPTIONS] [ARGUMENT]


DESCRIPTION

       tpm2_policycommandcode(1) - Restricts TPM object authorization to specific
       TPM commands.  Useful when you want to allow only specific commands to
       interact with the TPM object.

       As an argument it takes the command code as an integer or as a friendly
       string value.  The friendly string to COMMAND CODE mapping can be found
       in the section COMMAND CODE MAPPINGS.


OPTIONS

       -S, --session=FILE:

         A session file from tpm2_startauthsession(1)'s -S option.

       -L, --policy=FILE:

         File to save the policy digest.

       ARGUMENT: the command line argument specifies the TPM2 command code.

       --cphash=FILE:

         File path to record the hash of the command parameters.  This is
         commonly termed the cpHash.  NOTE: When this option is selected, the
         tool will not actually execute the command, it simply returns a cpHash.


COMMON OPTIONS

       This collection of options are common to many programs and provide
       information that many users may expect.

       -h, --help=[man|no-man]: Display the tools manpage.  By default, it
         attempts to invoke the manpager for the tool, however, on failure
         will output a short tool summary.  This is the same behavior if the
         “man” option argument is specified, however if explicit “man” is
         requested, the tool will provide errors from man on stderr.  If the
         “no-man” option is specified, or the manpager fails, the short
         options will be output to stdout.

         To successfully use the manpages feature requires the manpages to be
         installed or on MANPATH, See man(1) for more details.

       -v, --version: Display version information for this tool, supported
         tctis and exit.

       -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       -Q, --quiet: Silence normal tool output to stdout.

       -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.
         Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
         equivalent.


TCTI Configuration

       The TCTI or “Transmission Interface” is the communication mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       • tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd and
         abrmd as a tcti name are synonymous.

       • mssim - Typically used for communicating to the TPM software
         simulator.

       • device - Used when talking directly to a TPM device file.

       • none - Do not initialize a connection with the TPM.  Some tools allow
         for off-tpm options and thus support not using a TCTI.  Tools that do
         not support it will error when attempted to be used without a TCTI
         connection.  Does not support ANY options and MUST BE presented as
         the exact text of “none”.

       The arguments to either the command line option or the environment
       variable are in the form:

       <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that portion
       respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics.  The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
       what TCTI will be chosen as the default by using the -v option to print
       the version information.  The “default-tcti” key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup.  Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.


TCTI OPTIONS

       This collection of options are used to configure the various known TCTI
       modules available:

       device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified.  The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="device:/dev/tpm0"

       mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified.  The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or export
         TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       abrmd: For the abrmd TCTI, the configuration string format is a
         series of simple key value pairs separated by a `,' character.  Each
         key and value string are separated by a `=' character.

         • TCTI abrmd supports two keys:

           1. `bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. `bus_type' : The type of the dbus instance (a string) limited to
              `session' and `system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

                --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti and a config string of
         bus_type=session:

                --tcti:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.


COMMAND CODE MAPPINGS

       The friendly strings below can be used in lieu of the raw integer
       values.

       • TPM2_CC_AC_GetCapability: 0x194
       • TPM2_CC_AC_Send: 0x195
       • TPM2_CC_ActivateCredential: 0x147
       • TPM2_CC_Certify: 0x148
       • TPM2_CC_CertifyCreation: 0x14a
       • TPM2_CC_ChangeEPS: 0x124
       • TPM2_CC_ChangePPS: 0x125
       • TPM2_CC_Clear: 0x126
       • TPM2_CC_ClearControl: 0x127
       • TPM2_CC_ClockRateAdjust: 0x130
       • TPM2_CC_ClockSet: 0x128
       • TPM2_CC_Commit: 0x18b
       • TPM2_CC_ContextLoad: 0x161
       • TPM2_CC_ContextSave: 0x162
       • TPM2_CC_Create: 0x153
       • TPM2_CC_CreateLoaded: 0x191
       • TPM2_CC_CreatePrimary: 0x131
       • TPM2_CC_DictionaryAttackLockReset: 0x139
       • TPM2_CC_DictionaryAttackParameters: 0x13a
       • TPM2_CC_Duplicate: 0x14b
       • TPM2_CC_ECC_Parameters: 0x178
       • TPM2_CC_ECDH_KeyGen: 0x163
       • TPM2_CC_ECDH_ZGen: 0x154
       • TPM2_CC_EC_Ephemeral: 0x18e
       • TPM2_CC_EncryptDecrypt: 0x164
       • TPM2_CC_EncryptDecrypt2: 0x193
       • TPM2_CC_EventSequenceComplete: 0x185
       • TPM2_CC_EvictControl: 0x120
       • TPM2_CC_FieldUpgradeData: 0x141
       • TPM2_CC_FieldUpgradeStart: 0x12f
       • TPM2_CC_FirmwareRead: 0x179
       • TPM2_CC_FlushContext: 0x165
       • TPM2_CC_GetCapability: 0x17a
       • TPM2_CC_GetCommandAuditDigest: 0x133
       • TPM2_CC_GetRandom: 0x17b
       • TPM2_CC_GetSessionAuditDigest: 0x14d
       • TPM2_CC_GetTestResult: 0x17c
       • TPM2_CC_GetTime: 0x14c
       • TPM2_CC_Hash: 0x17d
       • TPM2_CC_HashSequenceStart: 0x186
       • TPM2_CC_HierarchyChangeAuth: 0x129
       • TPM2_CC_HierarchyControl: 0x121
       • TPM2_CC_HMAC: 0x155
       • TPM2_CC_HMAC_Start: 0x15b
       • TPM2_CC_Import: 0x156
       • TPM2_CC_IncrementalSelfTest: 0x142
       • TPM2_CC_Load: 0x157
       • TPM2_CC_LoadExternal: 0x167
       • TPM2_CC_MakeCredential: 0x168
       • TPM2_CC_NV_Certify: 0x184
       • TPM2_CC_NV_ChangeAuth: 0x13b
       • TPM2_CC_NV_DefineSpace: 0x12a
       • TPM2_CC_NV_Extend: 0x136
       • TPM2_CC_NV_GlobalWriteLock: 0x132
       • TPM2_CC_NV_Increment: 0x134
       • TPM2_CC_NV_Read: 0x14e
       • TPM2_CC_NV_ReadLock: 0x14f
       • TPM2_CC_NV_ReadPublic: 0x169
       • TPM2_CC_NV_SetBits: 0x135
       • TPM2_CC_NV_UndefineSpace: 0x122
       • TPM2_CC_NV_UndefineSpaceSpecial: 0x11f
       • TPM2_CC_NV_Write: 0x137
       • TPM2_CC_NV_WriteLock: 0x138
       • TPM2_CC_ObjectChangeAuth: 0x150
       • TPM2_CC_PCR_Allocate: 0x12b
       • TPM2_CC_PCR_Event: 0x13c
       • TPM2_CC_PCR_Extend: 0x182
       • TPM2_CC_PCR_Read: 0x17e
       • TPM2_CC_PCR_Reset: 0x13d
       • TPM2_CC_PCR_SetAuthPolicy: 0x12c
       • TPM2_CC_PCR_SetAuthValue: 0x183
       • TPM2_CC_Policy_AC_SendSelect: 0x196
       • TPM2_CC_PolicyAuthorize: 0x16a
       • TPM2_CC_PolicyAuthorizeNV: 0x192
       • TPM2_CC_PolicyAuthValue: 0x16b
       • TPM2_CC_PolicyCommandCode: 0x16c
       • TPM2_CC_PolicyCounterTimer: 0x16d
       • TPM2_CC_PolicyCpHash: 0x16e
       • TPM2_CC_PolicyDuplicationSelect: 0x188
       • TPM2_CC_PolicyGetDigest: 0x189
       • TPM2_CC_PolicyLocality: 0x16f
       • TPM2_CC_PolicyNameHash: 0x170
       • TPM2_CC_PolicyNV: 0x149
       • TPM2_CC_PolicyNvWritten: 0x18f
       • TPM2_CC_PolicyOR: 0x171
       • TPM2_CC_PolicyPassword: 0x18c
       • TPM2_CC_PolicyPCR: 0x17f
       • TPM2_CC_PolicyPhysicalPresence: 0x187
       • TPM2_CC_PolicyRestart: 0x180
       • TPM2_CC_PolicySecret: 0x151
       • TPM2_CC_PolicySigned: 0x160
       • TPM2_CC_PolicyTemplate: 0x190
       • TPM2_CC_PolicyTicket: 0x172
       • TPM2_CC_PP_Commands: 0x12d
       • TPM2_CC_Quote: 0x158
       • TPM2_CC_ReadClock: 0x181
       • TPM2_CC_ReadPublic: 0x173
       • TPM2_CC_Rewrap: 0x152
       • TPM2_CC_RSA_Decrypt: 0x159
       • TPM2_CC_RSA_Encrypt: 0x174
       • TPM2_CC_SelfTest: 0x143
       • TPM2_CC_SequenceComplete: 0x13e
       • TPM2_CC_SequenceUpdate: 0x15c
       • TPM2_CC_SetAlgorithmSet: 0x13f
       • TPM2_CC_SetCommandCodeAuditStatus: 0x140
       • TPM2_CC_SetPrimaryPolicy: 0x12e
       • TPM2_CC_Shutdown: 0x145
       • TPM2_CC_Sign: 0x15d
       • TPM2_CC_StartAuthSession: 0x176
       • TPM2_CC_Startup: 0x144
       • TPM2_CC_StirRandom: 0x146
       • TPM2_CC_TestParms: 0x18a
       • TPM2_CC_Unseal: 0x15e
       • TPM2_CC_Vendor_TCG_Test: 0x20000000
       • TPM2_CC_VerifySignature: 0x177
       • TPM2_CC_ZGen_2Phase: 0x18d


EXAMPLES

       Start a policy session and extend it with a specific command like
       unseal.  Attempts to perform other operations would fail.

   Create an unseal-only policy
              tpm2_startauthsession -S session.dat

              tpm2_policycommandcode -S session.dat -L policy.dat TPM2_CC_Unseal

              tpm2_flushcontext session.dat

   Create the object with unseal-only auth policy
              tpm2_createprimary -C o -c prim.ctx

              tpm2_create -C prim.ctx -u sealkey.pub -r sealkey.priv -L policy.dat \
                -i- <<< "SEALED-SECRET"

   Try unseal operation
              tpm2_load -C prim.ctx -u sealkey.pub -r sealkey.priv -n sealkey.name \
                -c sealkey.ctx

              tpm2_startauthsession --policy-session -S session.dat

              tpm2_policycommandcode -S session.dat -L policy.dat TPM2_CC_Unseal

              tpm2_unseal -p session:session.dat -c sealkey.ctx
              SEALED-SECRET

              tpm2_flushcontext session.dat

   Try any other operation
              echo "Encrypt Me" > plain.txt

              tpm2_encryptdecrypt -o enc.txt -c sealkey.ctx plain.txt
              ERROR: Esys_EncryptDecrypt2(0x12F) - tpm:error(2.0): authValue or authPolicy is
              not available for selected entity

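       A worked example, added here and not part of the tpm2-tools man page,
       that recomputes offline the unseal-only digest the first example's trial
       session writes to policy.dat, using the TPM 2.0 PolicyCommandCode update
       rule policyDigest_new = H(policyDigest_old || TPM_CC_PolicyCommandCode ||
       code); checking that value before sealing to it is how you confirm the
       object's authPolicy really commits to TPM2_CC_Unseal and nothing else.
       It assumes SHA-256 as the session hash, that -L writes the raw digest
       bytes, and a command-code subset copied from COMMAND CODE MAPPINGS above.

```python
import hashlib

# TPM_CC_PolicyCommandCode, from the COMMAND CODE MAPPINGS section of this page.
TPM2_CC_POLICY_COMMAND_CODE = 0x16C

# Subset of the page's friendly-string table; extend with further entries as needed.
COMMAND_CODES = {
    "TPM2_CC_Unseal": 0x15E,
    "TPM2_CC_Sign": 0x15D,
    "TPM2_CC_EncryptDecrypt2": 0x193,
    "TPM2_CC_Duplicate": 0x14B,
    "TPM2_CC_PolicyCommandCode": TPM2_CC_POLICY_COMMAND_CODE,
}

def parse_command_code(arg: str) -> int:
    """Resolve the tool's ARGUMENT: a friendly string or an integer (decimal or 0x...)."""
    if arg in COMMAND_CODES:
        return COMMAND_CODES[arg]
    code = int(arg, 0)  # raises ValueError on junk, like an options-handling error
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError(f"command code out of TPM_CC range: {arg}")
    return code

def extend_policy_command_code(policy_digest: bytes, code: int, hash_alg: str = "sha256") -> bytes:
    """TPM2_PolicyCommandCode update rule (TPM 2.0 Library, Part 3):
    policyDigest_new = H(policyDigest_old || TPM_CC_PolicyCommandCode || code),
    with both command codes serialised as 4-byte big-endian TPM_CC values."""
    h = hashlib.new(hash_alg)
    h.update(policy_digest)
    h.update(TPM2_CC_POLICY_COMMAND_CODE.to_bytes(4, "big"))
    h.update(code.to_bytes(4, "big"))
    return h.digest()

def unseal_only_policy(hash_alg: str = "sha256") -> bytes:
    """Digest a fresh session holds after the page's 'Create an unseal-only policy'
    example: start from the all-zero digest (hash size) and apply one PolicyCommandCode."""
    zero = bytes(hashlib.new(hash_alg).digest_size)
    return extend_policy_command_code(zero, parse_command_code("TPM2_CC_Unseal"), hash_alg)

def policy_file_matches(path: str, expected: bytes) -> bool:
    """Compare the file written by -L/--policy with an independently computed digest.
    Assumption: the file holds the raw digest bytes with no header."""
    with open(path, "rb") as f:
        return f.read() == expected

if __name__ == "__main__":
    print("expected unseal-only policy digest:", unseal_only_policy().hex())
```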

Returns

       Tools can return any of the following codes:

       • 0 - Success.

       • 1 - General non-specific error.

       • 2 - Options handling error.

       • 3 - Authentication error.

       • 4 - TCTI related error.

       • 5 - Non supported scheme.  Applicable to tpm2_testparams.


Limitations

       It expects a session to be already established via
       tpm2_startauthsession(1) and requires one of the following:

       • direct device access

       • extended session support with tpm2-abrmd.

       Without it, most resource managers will not save session state between
       command invocations.


BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)


HELP

       See the Mailing List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)



tpm2-tools                                           tpm2_policycommandcode(1)