1tss2_verifyquote(1) General Commands Manual tss2_verifyquote(1)
2
3
4
6 tss2_verifyquote(1) -
7
9 tss2_verifyquote [OPTIONS]
10
12 fapi-config(5) to adjust Fapi parameters like the used cryptographic
13 profile and TCTI or directories for the Fapi metadata storages.
14
15 fapi-profile(5) to determine the cryptographic algorithms and parame‐
16 ters for all keys and operations of a specific TPM interaction like the
17 name hash algorithm, the asymmetric signature algorithm, scheme and pa‐
18 rameters and PCR bank selection.
19
21 tss2_verifyquote(1) - This command verifies that the data returned by a
22 quote is valid. This includes
23
24 • Reconstructing the quoteInfo’s PCR values from the eventLog (if an
25 eventLog was provided)
26
27 • Verifying the quoteInfo using the signature and the publicKeyPath
28
29 The used signature verification scheme is specified in the cryptograph‐
30 ic profile (cf., fapi-profile(5)).
31
32 An application using tss2_verifyquote() will further have to
33
34 • Assess the publicKey’s trustworthiness
35
36 • Assess the eventLog entries’ trustworthiness
37
39 These are the available options:
40
41 • -Q, --qualifyingData=FILENAME or - (for stdin):
42
43 A nonce provided by the caller to ensure freshness of the signature.
44 Optional parameter.
45
46 • -l, --pcrLog=FILENAME or - (for stdin):
47
48 Returns the PCR event log for the chosen PCR. Optional parameter.
49
50 PCR event logs are a list (arbitrary length JSON array) of log en‐
51 tries with the following content.
52
53 - recnum: Unique record number
54 - pcr: PCR index
55 - digest: The digests
56 - type: The type of event. At the moment the only possible value is: "LINUX_IMA" (legacy IMA)
57 - eventDigest: Digest of the event; e.g. the digest of the measured file
58 - eventName: Name of the event; e.g. the name of the measured file.
59
60 • -q, --quoteInfo=FILENAME or - (for stdin):
61
62 The JSON-encoded structure holding the inputs to the quote operation.
63 This includes the digest value and PCR values.
64
65 • -k, --publicKeyPath=STRING:
66
67 Identifies the signing key. MAY be a path to the public key hierar‐
68 chy /ext.
69
70 • -i, --signature=FILENAME or - (for stdin):
71
72 The signature over the quoted material.
73
75 This collection of options are common to all tss2 programs and provide
76 information that many users may expect.
77
78 • -h, --help [man|no-man]: Display the tools manpage. By default, it
79 attempts to invoke the manpager for the tool, however, on failure
80 will output a short tool summary. This is the same behavior if the
81 “man” option argument is specified, however if explicit “man” is re‐
82 quested, the tool will provide errors from man on stderr. If the
83 “no-man” option if specified, or the manpager fails, the short op‐
84 tions will be output to stdout.
85
86 To successfully use the manpages feature requires the manpages to be
87 installed or on MANPATH, See man(1) for more details.
88
89 • -v, --version: Display version information for this tool, supported
90 tctis and exit.
91
93 tss2_verifyquote --publicKeyPath="ext/myNewParent" --qualifyingData=qualifyingData.file --quoteInfo=quoteInfo.file --signature=signature.file --pcrLog=pcrLog.file
94
96 0 on success or 1 on failure.
97
99 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
100
102 See the Mailing List (https://lists.linuxfoundation.org/mailman/listin‐
103 fo/tpm2)
104
105
106
107tpm2-tools APRIL 2019 tss2_verifyquote(1)