tpm2_nvdefine(1)

1tpm2_nvdefine(1)            General Commands Manual           tpm2_nvdefine(1)
2
3
4

NAME

6       tpm2_nvdefine(1) - Define a TPM Non-Volatile (NV) index.
7

SYNOPSIS

9       tpm2_nvdefine [OPTIONS] [ARGUMENT]
10

DESCRIPTION

12       tpm2_nvdefine(1) - Define an NV index with given auth value.  The index
13       is specified as an argument.  It can be specified as raw handle  or  an
14       offset  value  to  the nv handle range “TPM2_HR_NV_INDEX”.  If an index
15       isn’t specified, the tool uses the first free index.  The tool  outputs
16       the nv index defined on success.
17

OPTIONS

19       • -C, --hierarchy=OBJECT:
20         Specifies the handle used to authorize.  Defaults to o, TPM_RH_OWNER,
21         when no value has been specified.  Supported options are:
22
23         • o for TPM_RH_OWNER
24
25         • p for TPM_RH_PLATFORM
26
27         • <num> where a hierarchy handle or nv-index may be used.
28
29       • -s, --size=NATURAL_NUMBER:
30
31         Specifies the size of data area in  bytes.   Defaults  to  MAX_NV_IN‐
32         DEX_SIZE which is typically 2048.
33
34       • -g, --hash-algorithm=ALGORITHM:
35
36         The hash algorithm used to compute the name of the Index and used for
37         the authorization policy.  If the index is an extend index, the  hash
38         algorithm is used for the extend.
39
40       • -a, --attributes=ATTRIBUTES
41
42         Specifies  the  attribute values for the nv region used when creating
43         the entity.  Either the raw bitfield  mask  or  “nice-names”  may  be
44         used.   See  section “NV Attributes” for more details.  If not speci‐
45         fied, the attributes default to various selections based on the hier‐
46         archy  the  index is defined in.  For the owner hiearchy the defaults
47         are:
48
49         • TPMA_NV_OWNERWRITE
50
51         • TPMA_NV_OWNERREAD For the platform hiearchy, the defaults are:
52
53         • TPMA_NV_PPWRITE
54
55         • TPMA_NV_PPREAD If a policy file is specified, the  hiearchy  chosen
56           default attributes are bitwise or’d with:
57
58         • TPMA_NV_POLICYWRITE
59
60         • TPMA_NV_POLICYREAD  If a policy file is NOT specified, the hiearchy
61           chosen default attributes are bitwise or’d with:
62
63         • TPMA_NV_AUTHWRITE
64
65         • TPMA_NV_AUTHREAD
66
67       • -P, --hierarchy-auth=AUTH:
68
69         Specifies the authorization value for the  hierarchy.   Authorization
70         values  should  follow  the “authorization formatting standards”, see
71         section “Authorization Formatting”.
72
73       • -p, --index-auth=AUTH:
74
75         Specifies the password of NV Index when created.  HMAC  and  Password
76         authorization  values  should  follow  the  “authorization formatting
77         standards”, see section “Authorization Formatting”.
78
79       • -L, --policy=FILE:
80
81         Specifies the policy digest file for policy based authorizations.
82
83       • --cphash=FILE
84
85         File path to record the hash of the command parameters.  This is com‐
86         monly termed as cpHash.  NOTE: When this option is selected, The tool
87         will not actually execute the command, it simply  returns  a  cpHash,
88         unless rphash is also required.
89
90       • --rphash=FILE
91
92         File  path  to  record  the hash of the response parameters.  This is
93         commonly termed as rpHash.
94
95       • -S, --session=FILE:
96
97         The session created using tpm2_startauthsession.  Multiple  of  these
98         can be specified.  For example, you can have one session for auditing
99         and another for encryption/decryption of the parameters.
100
101       • ARGUMENT the command line argument specifies the NV index  or  offset
102         number.
103
104   References

Context Object Format

106       The  type  of a context object, whether it is a handle or file name, is
107       determined according to the following logic in-order:
108
109       • If the argument is a file path, then the file is loaded as a restored
110         TPM transient object.
111
112       • If the argument is a prefix match on one of:
113
114         • owner: the owner hierarchy
115
116         • platform: the platform hierarchy
117
118         • endorsement: the endorsement hierarchy
119
120         • lockout: the lockout control persistent object
121
122       • If  the  argument argument can be loaded as a number it will be treat
123         as a handle, e.g. 0x81010013 and used directly._OBJECT_.
124

Authorization Formatting

126       Authorization for use of an object in TPM2.0 can come  in  3  different
127       forms: 1.  Password 2.  HMAC 3.  Sessions
128
129       NOTE:  “Authorizations  default  to  the EMPTY PASSWORD when not speci‐
130       fied”.
131
132   Passwords
133       Passwords are interpreted in the following  forms  below  using  prefix
134       identifiers.
135
136       Note:  By  default  passwords are assumed to be in the string form when
137       they do not have a prefix.
138
139   String
140       A string password, specified by prefix  “str:”  or  it’s  absence  (raw
141       string without prefix) is not interpreted, and is directly used for au‐
142       thorization.
143
144   Examples
145              foobar
146              str:foobar
147
148   Hex-string
149       A hex-string password, specified by prefix “hex:” is converted  from  a
150       hexidecimal  form  into a byte array form, thus allowing passwords with
151       non-printable and/or terminal un-friendly characters.
152
153   Example
154              hex:1122334455667788
155
156   File
157       A file based password, specified be prefix “file:” should be  the  path
158       of  a  file  containing the password to be read by the tool or a “-” to
159       use stdin.  Storing passwords in files  prevents  information  leakage,
160       passwords passed as options can be read from the process list or common
161       shell history features.
162
163   Examples
164              # to use stdin and be prompted
165              file:-
166
167              # to use a file from a path
168              file:path/to/password/file
169
170              # to echo a password via stdin:
171              echo foobar | tpm2_tool -p file:-
172
173              # to use a bash here-string via stdin:
174
175              tpm2_tool -p file:- <<< foobar
176
177   Sessions
178       When using a policy session to authorize the use of an  object,  prefix
179       the  option argument with the session keyword.  Then indicate a path to
180       a session file that was created with tpm2_startauthsession(1).  Option‐
181       ally, if the session requires an auth value to be sent with the session
182       handle (eg policy password), then append a + and a string as  described
183       in the Passwords section.
184
185   Examples
186       To use a session context file called session.ctx.
187
188              session:session.ctx
189
190       To use a session context file called session.ctx AND send the authvalue
191       mypassword.
192
193              session:session.ctx+mypassword
194
195       To use a session context file called session.ctx AND send the HEX auth‐
196       value 0x11223344.
197
198              session:session.ctx+hex:11223344
199
200   PCR Authorizations
201       You  can satisfy a PCR policy using the “pcr:” prefix and the PCR mini‐
202       language.      The     PCR     minilanguage     is     as      follows:
203       <pcr-spec>=<raw-pcr-file>
204
205       The PCR spec is documented in in the section “PCR bank specifiers”.
206
207       The  raw-pcr-file  is  an optional argument that contains the output of
208       the raw PCR contents as returned by tpm2_pcrread(1).
209
210       PCR bank specifiers (pcr.md)
211
212   Examples
213       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
214       er of:
215
216              pcr:sha256:0,1,2,3
217
218       specifying AUTH.
219

Object Attributes

221       Object Attributes are used to control various properties of created ob‐
222       jects.  When specified as an option, either the raw  bitfield  mask  or
223       “nice-names”  may  be used.  The values can be found in Table 31 Part 2
224       of the TPM2.0 specification, which can be found here:
225
226       <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
227       Rev-2.0-Part-2-Structures-01.38.pdf>
228
229       Nice  names are calculated by taking the name field of table 31 and re‐
230       moving the prefix TPMA_OBJECT_ and lowercasing the result.   Thus,  TP‐
231       MA_OBJECT_FIXEDTPM  becomes  fixedtpm.   Nice names can be joined using
232       the bitwise or “|” symbol.
233
234       For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
235       and TPMA_OBJECT_SIGN_ENCRYPT, the argument would be:
236
237       fixedtpm|noda|sign specifying the nv attributes ATTRIBUTES.
238

COMMON OPTIONS

240       This  collection of options are common to many programs and provide in‐
241       formation that many users may expect.
242
243       • -h, --help=[man|no-man]: Display the tools manpage.  By  default,  it
244         attempts  to  invoke  the  manpager for the tool, however, on failure
245         will output a short tool summary.  This is the same behavior  if  the
246         “man”  option argument is specified, however if explicit “man” is re‐
247         quested, the tool will provide errors from man  on  stderr.   If  the
248         “no-man”  option  if  specified, or the manpager fails, the short op‐
249         tions will be output to stdout.
250
251         To successfully use the manpages feature requires the manpages to  be
252         installed or on MANPATH, See man(1) for more details.
253
254       • -v,  --version:  Display version information for this tool, supported
255         tctis and exit.
256
257       • -V, --verbose: Increase the information that the tool prints  to  the
258         console  during  its  execution.  When using this option the file and
259         line number are printed.
260
261       • -Q, --quiet: Silence normal tool output to stdout.
262
263       • -Z, --enable-errata: Enable the application of errata fixups.  Useful
264         if  an  errata fixup needs to be applied to commands sent to the TPM.
265         Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.   in‐
266         formation many users may expect.
267

TCTI Configuration

269       The  TCTI  or  “Transmission  Interface” is the communication mechanism
270       with the TPM.  TCTIs can be changed for communication with TPMs  across
271       different mediums.
272
273       To control the TCTI, the tools respect:
274
275       1. The command line option -T or --tcti
276
277       2. The environment variable: TPM2TOOLS_TCTI.
278
279       Note:  The  command  line option always overrides the environment vari‐
280       able.
281
282       The current known TCTIs are:
283
284       • tabrmd     -     The     resource     manager,     called      tabrmd
285         (https://github.com/tpm2-software/tpm2-abrmd).   Note that tabrmd and
286         abrmd as a tcti name are synonymous.
287
288       • mssim - Typically used for communicating to the TPM software  simula‐
289         tor.
290
291       • device - Used when talking directly to a TPM device file.
292
293       • none  - Do not initalize a connection with the TPM.  Some tools allow
294         for off-tpm options and thus support not using a TCTI.  Tools that do
295         not  support  it  will error when attempted to be used without a TCTI
296         connection.  Does not support ANY options and MUST  BE  presented  as
297         the exact text of “none”.
298
299       The  arguments  to  either  the  command line option or the environment
300       variable are in the form:
301
302       <tcti-name>:<tcti-option-config>
303
304       Specifying an empty string for  either  the  <tcti-name>  or  <tcti-op‐
305       tion-config> results in the default being used for that portion respec‐
306       tively.
307
308   TCTI Defaults
309       When a TCTI is not specified, the default TCTI is  searched  for  using
310       dlopen(3)  semantics.   The  tools  will  search for tabrmd, device and
311       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You  can  query
312       what TCTI will be chosen as the default by using the -v option to print
313       the version information.  The “default-tcti” key-value pair will  indi‐
314       cate which of the aforementioned TCTIs is the default.
315
316   Custom TCTIs
317       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
318       tools internally use dlopen(3), and the raw tcti-name value is used for
319       the lookup.  Thus, this could be a path to the shared library, or a li‐
320       brary name as understood by dlopen(3) semantics.
321

TCTI OPTIONS

323       This collection of options are used to configure the various known TCTI
324       modules available:
325
326       • device: For the device TCTI, the TPM character device file for use by
327         the device TCTI can be specified.  The default is /dev/tpm0.
328
329         Example:   -T   device:/dev/tpm0   or   export    TPM2TOOLS_TCTI=“de‐
330         vice:/dev/tpm0”
331
332       • mssim:  For  the  mssim  TCTI, the domain name or IP address and port
333         number used by the simulator  can  be  specified.   The  default  are
334         127.0.0.1 and 2321.
335
336         Example:  -T  mssim:host=localhost,port=2321  or export TPM2TOOLS_TC‐
337         TI=“mssim:host=localhost,port=2321”
338
339       • abrmd: For the abrmd TCTI, the configuration string format is  a  se‐
340         ries  of  simple  key value pairs separated by a `,' character.  Each
341         key and value string are separated by a `=' character.
342
343         • TCTI abrmd supports two keys:
344
345           1. `bus_name' : The name of  the  tabrmd  service  on  the  bus  (a
346              string).
347
348           2. `bus_type' : The type of the dbus instance (a string) limited to
349              `session' and `system'.
350
351         Specify the tabrmd tcti name and a config string of  bus_name=com.ex‐
352         ample.FooBar:
353
354                \--tcti=tabrmd:bus_name=com.example.FooBar
355
356         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
357         sion:
358
359                \--tcti:bus_type=session
360
361         NOTE: abrmd and tabrmd are synonymous.  the various known  TCTI  mod‐
362         ules.
363

EXAMPLES

365              tpm2_nvdefine   0x1500016 -C o -s 32 -a 0x2000A
366
367              tpm2_nvdefine   0x1500016 -C o -s 32 -a ownerread|ownerwrite|policywrite -p 1a1b
368

Returns

370       Tools can return any of the following codes:
371
372       • 0 - Success.
373
374       • 1 - General non-specific error.
375
376       • 2 - Options handling error.
377
378       • 3 - Authentication error.
379
380       • 4 - TCTI related error.
381
382       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
383

BUGS

385       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
386

HELP

388       See the Mailing List (https://lists.linuxfoundation.org/mailman/listin‐
389       fo/tpm2)
390
391
392
393tpm2-tools                                                    tpm2_nvdefine(1)