swtpm_ioctl(8)                                                  swtpm_ioctl(8)

NAME

       swtpm_ioctl - Utility for sending control commands to swtpm

SYNOPSIS

       swtpm_ioctl [COMMAND] [<device>]

DESCRIPTION

       swtpm_ioctl is a client tool for controlling the swtpm_cuse and swtpm
       TPM software emulators, for example to initialize them and shut them
       down. Once an emulator has been initialized, TPM commands can be sent
       to it.

       Note: The environment variable SWTPM_IOCTL_BUFFERSIZE can be set to the
       size of the buffer to use for state blob transfers. If it is not set,
       the ioctl() interface is used for transferring the state. This
       environment variable is primarily used for testing purposes.

       The following commands are supported:

       --tpm-device <device>
           Use the given device. The full path to the character device must be
           provided, for example /dev/vtpm-200.

           This option can be used instead of providing the device as the last
           parameter.

       --tcp <server>:<port>
           Connect to the given server and port; if no server is given,
           127.0.0.1 is used; if port is not given, the default port 6545 is
           used.

       --unix <path>
           Connect to the given UnixIO path.

       -c  Get the capability flags indicating which commands are supported.

       -i  Send a hardware initialization signal to the swtpm_cuse/swtpm.
           Volatile state previously written by the TPM will be read and the
           file automatically deleted.

       -s  Initiate a graceful shut down.

       --stop
           Stop the swtpm_cuse/swtpm. This does not shut it down. The -i
           command can again be sent to it. After a stop it is also possible
           to load TPM state blobs into the TPM using the --load command.

       -e  Get the tpmEstablished bit.

       -r locality
           Reset the tpmEstablished bit using the given locality. Only
           localities 3 and 4 work. This operation will not permanently
           change the locality that was previously set using the -l option.

       -l locality
           Set the locality for the subsequent TPM commands.

       -v  Have the TPM write the volatile state to a file. Upon a TPM_Init
           (-i) the TPM state will be read and the TPM can then resume
           operation without further initialization.

       -C  Cancel an ongoing TPM command.

       -h data
           Reset and extend PCR 17 with the hash of the given data. If data is
           the single character '-', then all data are read from stdin.

       --save <TPM state blob name> <filename>
           Save the TPM state blob into the given file. Valid TPM state blob
           names are 'permanent', 'volatile', and 'savestate'.

           Note that this command can be executed at any time. However, to
           retrieve the latest volatile state, the -v command should have been
           run immediately before running this command. The savestate blob
           will only be returned if a TPM_SaveState command was executed in
           the TPM (TPM 1.2).

       --load <TPM state blob name> <filename>
           Load the given TPM state blob from the given file. Valid TPM state
           blob names are 'permanent', 'volatile', and 'savestate'.

           Note that this command can only be executed on a TPM that is shut
           down. To then start the TPM with the uploaded state, the -i
           command must be issued.

       -g  Get configuration flags that, for example, indicate which keys
           (file encryption or migration key) are in use by the TPM.

       --info <flag>
           Get information about the TPM implementation in JSON format. The
           flag TPMLIB_INFO_TPMSPECIFICATION, which has the value 1, returns
           information about the specification the TPM implementation
           followed. The flag TPMLIB_INFO_TPMATTRIBUTES, which has the value
           2, returns information about the manufacturer, model, and version
           of the TPM.

       --lock-storage <retries>
           Lock the storage, retrying the given number of times with a 10ms
           delay in between. Locking the storage may be necessary after the
           state of the TPM has been migrated out: the lock on the storage is
           released when the 'savestate' blob is received, and the storage
           should then be locked again.

EXAMPLE

       Start swtpm on port 10000 for the control port and emulate a TPM 1.2:

          #> swtpm socket --tpmstate dir=/tmp/myvtpm1 --log level=4 --ctrl type=tcp,port=10000 --server type=tcp,port=10001 --flags not-need-init

       Get information about the TPM implementation in JSON:

          #> swtpm_ioctl --tcp :10000 --info 1
          {"TPMSpecification":{"family":"1.2","level":2,"revision":116}}
          #> swtpm_ioctl --tcp :10000 --info 2
          {"TPMAttributes":{"manufacturer":"id:00001014","version":"id:00740001","model":"swtpm"}}

       Shut down the swtpm:

          #> swtpm_ioctl --tcp :10000 -s

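       The ordering rules given for -v, --save, --stop, --load and -i,
       combined into one save and restore sequence. This is an added example,
       not part of the swtpm distribution; the CTRL variable, the function
       names and the blob file names are assumptions:

```shell
#!/bin/sh
# Added example, not from the swtpm project. Assumptions: CTRL defaults to the
# control port used in the EXAMPLE section; the blob file names are arbitrary.
CTRL="${CTRL:---tcp :10000}"

# Run a single swtpm_ioctl command on the control channel.
ctl() {
    # $CTRL is deliberately unquoted so "--tcp :10000" splits into two words.
    swtpm_ioctl $CTRL "$@" || { echo "swtpm_ioctl $* failed" >&2; return 1; }
}

# Save permanent and volatile state into directory $1.
export_state() {
    dir=$1
    old_umask=$(umask)
    umask 077    # the blobs hold the TPM's persistent secrets: owner-only files
    mkdir -p "$dir" || { umask "$old_umask"; return 1; }
    # -v first, so that the volatile blob reflects the latest state.
    ctl -v &&
        ctl --save permanent "$dir/permanent.bin" &&
        ctl --save volatile "$dir/volatile.bin"
    rc=$?
    umask "$old_umask"
    return "$rc"
}

# Load the blobs from directory $1 into a stopped TPM, then restart it.
import_state() {
    dir=$1
    # Refuse to stop the TPM unless both blobs are present and non-empty.
    for blob in permanent volatile; do
        [ -s "$dir/$blob.bin" ] || { echo "missing $dir/$blob.bin" >&2; return 1; }
    done
    # --load only works after --stop; -i starts the TPM with the loaded state.
    ctl --stop &&
        ctl --load permanent "$dir/permanent.bin" &&
        ctl --load volatile "$dir/volatile.bin" &&
        ctl -i
}
```

       The 'savestate' blob is left out because, per --lock-storage above,
       receiving it releases the storage lock.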

SEE ALSO

       swtpm_cuse



swtpm                             2023-08-16                    swtpm_ioctl(8)