tpmadm(1M)              System Administration Commands              tpmadm(1M)



NAME

       tpmadm - administer Trusted Platform Module


SYNOPSIS

       tpmadm status


       tpmadm init


       tpmadm clear [owner | lock]


       tpmadm auth


       tpmadm keyinfo [uuid]


       tpmadm deletekey uuid


DESCRIPTION

       A Trusted Platform Module (TPM) is a hardware component that provides
       for protected key storage and reliable measurements of software used to
       boot the operating system. The tpmadm utility is used to initialize and
       administer the TPM so that it can be used by the operating system and
       other programs.


       The TPM subsystem can store and manage an unlimited number of keys for
       use by the operating system and by users. Each key is identified by a
       Universally Unique Identifier, or UUID.


       Although the TPM can hold only a limited number of keys at any given
       time, the supporting software automatically loads and unloads keys as
       needed. When a key is stored outside the TPM, it is always encrypted or
       "wrapped" by its parent key so that the key is never exposed in readable
       form outside the TPM.


       Before the TPM can be used, it must be initialized by the platform
       owner. This process involves setting an owner password which is used to
       authorize privileged operations.


       Although the TPM owner is similar to a traditional superuser, there are
       two important differences. First, process privilege is irrelevant for
       access to TPM functions. All privileged operations require knowledge of
       the owner password, regardless of the privilege level of the calling
       process. Second, the TPM owner is not able to override access controls
       for data protected by TPM keys. The owner can effectively destroy data
       by re-initializing the TPM, but he cannot access data that has been
       encrypted using TPM keys owned by other users.


SUB-COMMANDS

       The following subcommands are used in the form:

         # tpmadm <subcommand> [operand]


       status

           Report status information about the TPM. Output includes basic
           information about whether ownership of the TPM has been
           established, current PCR contents, and the usage of TPM resources
           such as communication sessions and loaded keys.


       init

           Initialize the TPM for use. This involves taking ownership of the
           TPM by setting the owner authorization password. Taking ownership
           of the TPM creates a new storage root key, which is the ancestor of
           all keys created by this TPM. Once this command is issued, the TPM
           must be reset using BIOS operations before it can be
           re-initialized.


       auth

           Change the owner authorization password for the TPM.


       clear lock

           Clear the count of failed authentication attempts. After a number
           of failed authentication attempts, the TPM responds more slowly to
           subsequent attempts, in an effort to thwart attempts to find the
           owner password by exhaustive search. This command, which requires
           the correct owner password, resets the count of failed attempts.


       clear owner

           Deactivate the TPM and return it to an unowned state. This
           operation, which requires the current TPM owner password,
           invalidates all keys and data tied to the TPM. Before the TPM can
           be used again, the system must be restarted, the TPM must be
           reactivated from the BIOS or ILOM pre-boot environment, and the TPM
           must be re-initialized using the tpmadm init command.


       keyinfo [uuid]

           Report information about keys stored in the TPM subsystem. Without
           additional arguments, this subcommand produces a brief listing of
           all keys. If the UUID of an individual key is specified, detailed
           information about that key is displayed.


       deletekey uuid

           Delete the key with the specified UUID from the TPM subsystem's
           persistent storage.


EXIT STATUS

       After completing the requested operation, tpmadm exits with one of the
       following status values.

       0

           Successful termination.


       1

           Failure. The requested operation could not be completed.


       2

           Usage error. The tpmadm command was invoked with invalid arguments.

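       The following shell wrapper is an added example; it is not part of this
       manual page or of the tpmadm utility. It drives the subcommands listed
       under SUB-COMMANDS and interprets the exit status values listed above;
       the TPMADM variable, the TPMADM_CONFIRM flag and the wrapper's own exit
       status 3 are conventions of this example, not of tpmadm.

```sh
#!/bin/sh
# Added example, not from the tpmadm(1M) manual page: a guarded wrapper around
# tpmadm that refuses the two subcommands which invalidate keys ("clear owner"
# and "deletekey") unless TPMADM_CONFIRM=yes is set, and translates tpmadm's
# documented exit status (0 success, 1 failure, 2 usage error) into a message.
# TPMADM names the binary to run; making it overridable is an assumption of
# this example so the wrapper can be exercised with a stub instead of hardware.
TPMADM="${TPMADM:-tpmadm}"

# tpmadm_is_destructive SUBCOMMAND [OPERAND]
# Exit 0 when the call would invalidate keys or persistent key storage.
tpmadm_is_destructive() {
    case "$1" in
        deletekey) return 0 ;;
        clear) [ "${2:-}" = "owner" ] && return 0 ;;
    esac
    return 1
}

# tpmadm_run SUBCOMMAND [OPERAND]
# Runs tpmadm and returns its exit status unchanged; returns 3 without
# running anything when a destructive subcommand has not been confirmed.
tpmadm_run() {
    if tpmadm_is_destructive "$@" && [ "${TPMADM_CONFIRM:-}" != "yes" ]; then
        echo "tpmadm $*: refused; set TPMADM_CONFIRM=yes to run it" >&2
        return 3
    fi
    rc=0
    "$TPMADM" "$@" || rc=$?
    case $rc in
        0) echo "tpmadm $*: success" >&2 ;;
        1) echo "tpmadm $*: failure, operation could not be completed" >&2 ;;
        2) echo "tpmadm $*: usage error, invalid arguments" >&2 ;;
        *) echo "tpmadm $*: unexpected exit status $rc" >&2 ;;
    esac
    return $rc
}

# When executed with arguments, act as a front end: ./tpmadm-guard.sh status
if [ $# -gt 0 ]; then
    tpmadm_run "$@"
fi
```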

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:




       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       attributes(5)


       TCG Software Stack (TSS) Specifications:
       https://www.trustedcomputinggroup.org/specs/TSS (as of the date of
       publication)



SunOS 5.11                        7 Jul 2009                        tpmadm(1M)