1tpm2_nvdefine(1) General Commands Manual tpm2_nvdefine(1)
2
3
4
6 tpm2_nvdefine(1) - Define a TPM Non-Volatile (NV) index.
7
9 tpm2_nvdefine [OPTIONS] [ARGUMENT]
10
12 tpm2_nvdefine(1) - Define an NV index with given auth value. The index
13 is specified as an argument. It can be specified as raw handle or an
14 offset value to the nv handle range “TPM2_HR_NV_INDEX”. If an index
15 isn’t specified, the tool uses the first free index. The tool outputs
16 the nv index defined on success.
17
19 • -C, --hierarchy=OBJECT:
20 Specifies the handle used to authorize. Defaults to o, TPM_RH_OWNER,
21 when no value has been specified. Supported options are:
22
23 • o for TPM_RH_OWNER
24
25 • p for TPM_RH_PLATFORM
26
27 • <num> where a hierarchy handle or nv-index may be used.
28
29 • -s, --size=NATURAL_NUMBER:
30
31 Specifies the size of data area in bytes. Defaults to MAX_NV_IN‐
32 DEX_SIZE which is typically 2048.
33
34 • -g, --hash-algorithm=ALGORITHM:
35
36 The hash algorithm used to compute the name of the Index and used for
37 the authorization policy. If the index is an extend index, the hash
38 algorithm is used for the extend.
39
40 • -a, --attributes=ATTRIBUTES
41
42 Specifies the attribute values for the nv region used when creating
43 the entity. Either the raw bitfield mask or “nice-names” may be
44 used. See section “NV Attributes” for more details. If not speci‐
45 fied, the attributes default to various selections based on the hier‐
46 archy the index is defined in. For the owner hiearchy the defaults
47 are:
48
49 • TPMA_NV_OWNERWRITE
50
51 • TPMA_NV_OWNERREAD For the platform hiearchy, the defaults are:
52
53 • TPMA_NV_PPWRITE
54
55 • TPMA_NV_PPREAD If a policy file is specified, the hiearchy chosen
56 default attributes are bitwise or’d with:
57
58 • TPMA_NV_POLICYWRITE
59
60 • TPMA_NV_POLICYREAD If a policy file is NOT specified, the hiearchy
61 chosen default attributes are bitwise or’d with:
62
63 • TPMA_NV_AUTHWRITE
64
65 • TPMA_NV_AUTHREAD
66
67 • -P, --hierarchy-auth=AUTH:
68
69 Specifies the authorization value for the hierarchy. Authorization
70 values should follow the “authorization formatting standards”, see
71 section “Authorization Formatting”.
72
73 • -p, --index-auth=AUTH:
74
75 Specifies the password of NV Index when created. HMAC and Password
76 authorization values should follow the “authorization formatting
77 standards”, see section “Authorization Formatting”.
78
79 • -L, --policy=FILE:
80
81 Specifies the policy digest file for policy based authorizations.
82
83 • --cphash=FILE
84
85 File path to record the hash of the command parameters. This is com‐
86 monly termed as cpHash. NOTE: When this option is selected, The tool
87 will not actually execute the command, it simply returns a cpHash,
88 unless rphash is also required.
89
90 • --rphash=FILE
91
92 File path to record the hash of the response parameters. This is
93 commonly termed as rpHash.
94
95 • -S, --session=FILE:
96
97 The session created using tpm2_startauthsession. Multiple of these
98 can be specified. For example, you can have one session for auditing
99 and another for encryption/decryption of the parameters.
100
101 • ARGUMENT the command line argument specifies the NV index or offset
102 number.
103
104 References
106 The type of a context object, whether it is a handle or file name, is
107 determined according to the following logic in-order:
108
109 • If the argument is a file path, then the file is loaded as a restored
110 TPM transient object.
111
112 • If the argument is a prefix match on one of:
113
114 • owner: the owner hierarchy
115
116 • platform: the platform hierarchy
117
118 • endorsement: the endorsement hierarchy
119
120 • lockout: the lockout control persistent object
121
122 • If the argument argument can be loaded as a number it will be treat
123 as a handle, e.g. 0x81010013 and used directly._OBJECT_.
124
126 Authorization for use of an object in TPM2.0 can come in 3 different
127 forms: 1. Password 2. HMAC 3. Sessions
128
129 NOTE: “Authorizations default to the EMPTY PASSWORD when not speci‐
130 fied”.
131
132 Passwords
133 Passwords are interpreted in the following forms below using prefix
134 identifiers.
135
136 Note: By default passwords are assumed to be in the string form when
137 they do not have a prefix.
138
139 String
140 A string password, specified by prefix “str:” or it’s absence (raw
141 string without prefix) is not interpreted, and is directly used for au‐
142 thorization.
143
144 Examples
145 foobar
146 str:foobar
147
148 Hex-string
149 A hex-string password, specified by prefix “hex:” is converted from a
150 hexidecimal form into a byte array form, thus allowing passwords with
151 non-printable and/or terminal un-friendly characters.
152
153 Example
154 hex:1122334455667788
155
156 File
157 A file based password, specified be prefix “file:” should be the path
158 of a file containing the password to be read by the tool or a “-” to
159 use stdin. Storing passwords in files prevents information leakage,
160 passwords passed as options can be read from the process list or common
161 shell history features.
162
163 Examples
164 # to use stdin and be prompted
165 file:-
166
167 # to use a file from a path
168 file:path/to/password/file
169
170 # to echo a password via stdin:
171 echo foobar | tpm2_tool -p file:-
172
173 # to use a bash here-string via stdin:
174
175 tpm2_tool -p file:- <<< foobar
176
177 Sessions
178 When using a policy session to authorize the use of an object, prefix
179 the option argument with the session keyword. Then indicate a path to
180 a session file that was created with tpm2_startauthsession(1). Option‐
181 ally, if the session requires an auth value to be sent with the session
182 handle (eg policy password), then append a + and a string as described
183 in the Passwords section.
184
185 Examples
186 To use a session context file called session.ctx.
187
188 session:session.ctx
189
190 To use a session context file called session.ctx AND send the authvalue
191 mypassword.
192
193 session:session.ctx+mypassword
194
195 To use a session context file called session.ctx AND send the HEX auth‐
196 value 0x11223344.
197
198 session:session.ctx+hex:11223344
199
200 PCR Authorizations
201 You can satisfy a PCR policy using the “pcr:” prefix and the PCR mini‐
202 language. The PCR minilanguage is as follows:
203 <pcr-spec>=<raw-pcr-file>
204
205 The PCR spec is documented in in the section “PCR bank specifiers”.
206
207 The raw-pcr-file is an optional argument that contains the output of
208 the raw PCR contents as returned by tpm2_pcrread(1).
209
210 PCR bank specifiers (pcr.md)
211
212 Examples
213 To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
214 er of:
215
216 pcr:sha256:0,1,2,3
217
218 specifying AUTH.
219
221 Object Attributes are used to control various properties of created ob‐
222 jects. When specified as an option, either the raw bitfield mask or
223 “nice-names” may be used. The values can be found in Table 31 Part 2
224 of the TPM2.0 specification, which can be found here:
225
226 <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
227 Rev-2.0-Part-2-Structures-01.38.pdf>
228
229 Nice names are calculated by taking the name field of table 31 and re‐
230 moving the prefix TPMA_OBJECT_ and lowercasing the result. Thus, TP‐
231 MA_OBJECT_FIXEDTPM becomes fixedtpm. Nice names can be joined using
232 the bitwise or “|” symbol.
233
234 For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
235 and TPMA_OBJECT_SIGN_ENCRYPT, the argument would be:
236
237 fixedtpm|noda|sign specifying the nv attributes ATTRIBUTES.
238
240 This collection of options are common to many programs and provide in‐
241 formation that many users may expect.
242
243 • -h, --help=[man|no-man]: Display the tools manpage. By default, it
244 attempts to invoke the manpager for the tool, however, on failure
245 will output a short tool summary. This is the same behavior if the
246 “man” option argument is specified, however if explicit “man” is re‐
247 quested, the tool will provide errors from man on stderr. If the
248 “no-man” option if specified, or the manpager fails, the short op‐
249 tions will be output to stdout.
250
251 To successfully use the manpages feature requires the manpages to be
252 installed or on MANPATH, See man(1) for more details.
253
254 • -v, --version: Display version information for this tool, supported
255 tctis and exit.
256
257 • -V, --verbose: Increase the information that the tool prints to the
258 console during its execution. When using this option the file and
259 line number are printed.
260
261 • -Q, --quiet: Silence normal tool output to stdout.
262
263 • -Z, --enable-errata: Enable the application of errata fixups. Useful
264 if an errata fixup needs to be applied to commands sent to the TPM.
265 Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent. in‐
266 formation many users may expect.
267
269 The TCTI or “Transmission Interface” is the communication mechanism
270 with the TPM. TCTIs can be changed for communication with TPMs across
271 different mediums.
272
273 To control the TCTI, the tools respect:
274
275 1. The command line option -T or --tcti
276
277 2. The environment variable: TPM2TOOLS_TCTI.
278
279 Note: The command line option always overrides the environment vari‐
280 able.
281
282 The current known TCTIs are:
283
284 • tabrmd - The resource manager, called tabrmd
285 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
286 abrmd as a tcti name are synonymous.
287
288 • mssim - Typically used for communicating to the TPM software simula‐
289 tor.
290
291 • device - Used when talking directly to a TPM device file.
292
293 • none - Do not initalize a connection with the TPM. Some tools allow
294 for off-tpm options and thus support not using a TCTI. Tools that do
295 not support it will error when attempted to be used without a TCTI
296 connection. Does not support ANY options and MUST BE presented as
297 the exact text of “none”.
298
299 The arguments to either the command line option or the environment
300 variable are in the form:
301
302 <tcti-name>:<tcti-option-config>
303
304 Specifying an empty string for either the <tcti-name> or <tcti-op‐
305 tion-config> results in the default being used for that portion respec‐
306 tively.
307
308 TCTI Defaults
309 When a TCTI is not specified, the default TCTI is searched for using
310 dlopen(3) semantics. The tools will search for tabrmd, device and
311 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
312 what TCTI will be chosen as the default by using the -v option to print
313 the version information. The “default-tcti” key-value pair will indi‐
314 cate which of the aforementioned TCTIs is the default.
315
316 Custom TCTIs
317 Any TCTI that implements the dynamic TCTI interface can be loaded. The
318 tools internally use dlopen(3), and the raw tcti-name value is used for
319 the lookup. Thus, this could be a path to the shared library, or a li‐
320 brary name as understood by dlopen(3) semantics.
321
323 This collection of options are used to configure the various known TCTI
324 modules available:
325
326 • device: For the device TCTI, the TPM character device file for use by
327 the device TCTI can be specified. The default is /dev/tpm0.
328
329 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI=“de‐
330 vice:/dev/tpm0”
331
332 • mssim: For the mssim TCTI, the domain name or IP address and port
333 number used by the simulator can be specified. The default are
334 127.0.0.1 and 2321.
335
336 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
337 TI=“mssim:host=localhost,port=2321”
338
339 • abrmd: For the abrmd TCTI, the configuration string format is a se‐
340 ries of simple key value pairs separated by a `,' character. Each
341 key and value string are separated by a `=' character.
342
343 • TCTI abrmd supports two keys:
344
345 1. `bus_name' : The name of the tabrmd service on the bus (a
346 string).
347
348 2. `bus_type' : The type of the dbus instance (a string) limited to
349 `session' and `system'.
350
351 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
352 ample.FooBar:
353
354 \--tcti=tabrmd:bus_name=com.example.FooBar
355
356 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
357 sion:
358
359 \--tcti:bus_type=session
360
361 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
362 ules.
363
365 tpm2_nvdefine 0x1500016 -C o -s 32 -a 0x2000A
366
367 tpm2_nvdefine 0x1500016 -C o -s 32 -a ownerread|ownerwrite|policywrite -p 1a1b
368
370 Tools can return any of the following codes:
371
372 • 0 - Success.
373
374 • 1 - General non-specific error.
375
376 • 2 - Options handling error.
377
378 • 3 - Authentication error.
379
380 • 4 - TCTI related error.
381
382 • 5 - Non supported scheme. Applicable to tpm2_testparams.
383
385 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
386
388 See the Mailing List (https://lists.linuxfoundation.org/mailman/listin‐
389 fo/tpm2)
390
391
392
393tpm2-tools tpm2_nvdefine(1)