fapi-config(5)                File Formats Manual               fapi-config(5)

SEE ALSO

       fapi-profile(5)

DESCRIPTION

       FAPI configuration file

       The FAPI parameters which can be adjusted via the configuration file
       are:

       • profile_name: Name of the default cryptographic profile chosen from
         the profile_dir directory.

       • profile_dir: Directory that contains all cryptographic profiles known
         to FAPI.

       • user_dir: The directory where user objects are stored.

       • system_dir: The directory where system objects, policies, and
         imported objects are stored.

       • tcti: The TCTI interface which will be used.

       • system_pcrs: The PCR registers which are used by the system.

       • log_dir: The directory for the event log.

       • ek_cert_less: A switch to disable certificate verification
         (optional).

       • ek_fingerprint: The fingerprint of the endorsement key (optional).

       If not otherwise specified during TSS installation, the default
       location for the exemplary profiles is /etc/tpm2-tss/profiles/ and
       /etc/tpm2-tss/ for the FAPI configuration file. The environment
       variable TSS2_FAPICONF can be used to set an alternative pathname for
       the FAPI configuration file. If the system measurement files (IMA and
       BIOS) do not exist, /dev/null will be used for firmware_log_file and
       ima_log_file.


EXAMPLES

       The FAPI configuration file is JSON encoded:

              {
                   "profile_name": "P_ECCP256SHA256",
                   "profile_dir": "/etc/tpm2-tss/fapi-profiles/",
                   "user_dir": "~/.local/share/tpm2-tss/user/keystore/",
                   "system_dir": "/home/myhome/keystore/system/keystore",
                   "tcti": "",
                   "system_pcrs" : [0, 1, 2, 3, 4, 5, 6, 7],
                   "log_dir" : "/home/myhome/eventlog/",
                   "firmware_log_file" : "/sys/kernel/security/tpm0/binary_bios_measurements",
                   "ima_log_file" : "/sys/kernel/security/ima/binary_runtime_measurements"
              }

       For this example the default TCTI of the system will be used. The
       certificates for the stored endorsement keys will be checked. If
       certificate checking is not needed, the option

              "ek_cert_less": "yes"

       can be added to the config file. As an alternative to the standard
       certificate checking, a fingerprint (hash of the public key) of the
       stored endorsement key can be defined in the config file:

              "ek_fingerprint": {
                   "hashAlg" : "sha256",
                   "digest" : "9e56...214d"
              }

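       A small validator for the settings described above, as an added example
       (not part of tpm2-tss): it parses the JSON, checks that the listed keys
       are present and that system_pcrs is in range, flags a config that sets
       ek_cert_less, and checks that an ek_fingerprint digest is a complete hex
       digest for its hashAlg. The PCR range 0..23 and the set of hash names
       are assumptions of this example, not taken from this page.

```python
import json

# Assumption (not stated on this page): PC-client TPMs expose PCRs 0..23.
MAX_PCR = 23
# Digest length in hex characters per hash algorithm; "sha256" is the one shown on this page.
HEX_LEN = {"sha1": 40, "sha256": 64, "sha384": 96, "sha512": 128}
REQUIRED = ("profile_name", "profile_dir", "user_dir", "system_dir",
            "tcti", "system_pcrs", "log_dir")


def check_fapi_config(text):
    """Return a list of findings for a FAPI config given as JSON text (empty list = clean)."""
    cfg = json.loads(text)
    findings = [f"missing key: {k}" for k in REQUIRED if k not in cfg]
    pcrs = cfg.get("system_pcrs", [])
    if not all(isinstance(p, int) and 0 <= p <= MAX_PCR for p in pcrs):
        findings.append(f"system_pcrs: entries must be integers in 0..{MAX_PCR}")
    # ek_cert_less switches EK certificate verification off; surface it for review.
    if str(cfg.get("ek_cert_less", "no")).lower() == "yes":
        findings.append("ek_cert_less=yes: EK certificate verification is disabled")
    fp = cfg.get("ek_fingerprint")
    if fp is not None:
        alg = str(fp.get("hashAlg", "")).lower()
        digest = str(fp.get("digest", ""))
        try:
            valid_hex = len(bytes.fromhex(digest)) * 2 == HEX_LEN.get(alg, -1)
        except ValueError:  # non-hex characters, e.g. an elided "9e56...214d" placeholder
            valid_hex = False
        if not valid_hex:
            findings.append(f"ek_fingerprint: digest is not a full {alg or '?'} hex digest")
    return findings


# Constructed samples based on the example above (digest and paths are placeholders).
BASE = {
    "profile_name": "P_ECCP256SHA256",
    "profile_dir": "/etc/tpm2-tss/fapi-profiles/",
    "user_dir": "~/.local/share/tpm2-tss/user/keystore/",
    "system_dir": "/home/myhome/keystore/system/keystore",
    "tcti": "",
    "system_pcrs": [0, 1, 2, 3, 4, 5, 6, 7],
    "log_dir": "/home/myhome/eventlog/",
}
SAMPLE_OK = json.dumps(dict(BASE, ek_fingerprint={"hashAlg": "sha256", "digest": "ab" * 32}))
SAMPLE_CERT_LESS = json.dumps(dict(BASE, ek_cert_less="yes"))
SAMPLE_BAD_FP = json.dumps(dict(BASE, system_pcrs=[0, 24],
                                ek_fingerprint={"hashAlg": "sha256", "digest": "9e56...214d"}))
```

       Run check_fapi_config on the text of a real config file; an empty list
       means none of the checks fired.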

COLOPHON

       This page is part of release 4.0.1 of the Open Source implementation of
       the TCG TPM2 Software Stack (TSS2). A description of the project,
       information about reporting bugs, and the latest version of this page
       can be found at https://github.com/tpm2-software/tpm2-tss/.



TPM2 Software Stack                JULY 2020                    fapi-config(5)