tpm2_certify(1) proves that an object with a specific
NAME is loaded in the TPM. By certifying that the object is loaded,
the TPM warrants that a public area with a given NAME is
self-consistent and associated with a valid sensitive area. If a relying
party has a public area that has the same NAME as a NAME
certified with this command, then the values in that public area are
correct. The object may be any object that is loaded with TPM2_Load() or
TPM2_CreatePrimary(). An object that only has its public area loaded cannot
be certified.
These options control the ceritifcation:
- •
- -H, –obj-handle=OBJECT_HANDLE: The handle of
the object to be certified.
- •
- -C, –obj-context=FILE: Use FILE for
providing the object context.
- •
- -k, –key-handle=KEY_HANDLE: Handle of the key
used to sign the attestation structure.
- •
- -c, –key-context=KEY_CONTEXT: Filename of the
key context used to sign the attestation structure.
- •
- -P, –pwdo=OBJECT_PASSWORD: Use
OBJECT_PASSWORD for providing an authorization value for the object
specified in OBJECT_HANDLE. Passwords should follow the
“password formatting standards, see section”Password
Formatting“.
- •
- -K, –pwdk=KEY_PASSWORD: Use
KEY_PASSWORD for providing an authorization value for the key
specified in KEY_HANDLE. Follows the same formatting guidelines as
the object handle password or -P option.
- •
- -a, –attest-file=ATTEST_FILE: Output file name
for the attestation data.
- •
- -s, –sig-file=SIG_FILE: Output file name for
the signature data.
- •
- -f, –format
Format selection for the signature output file. See section
“Signature Format Specifiers”.
This collection of options are common to many programs and provide
information that many users may expect.
- •
- -h, –help: Display the tools manpage. This requires
the manpages to be installed or on MANPATH, See man(1) for more
details.
- •
- -v, –version: Display version information for this
tool, supported tctis and exit.
- •
- -V, –verbose: Increase the information that the tool
prints to the console during its execution. When using this option the
file and line number are printed.
- •
- -Q, –quiet: Silence normal tool output to
stdout.
- •
- -Z, –enable-errata: Enable the application of errata
fixups. Useful if an errata fixup needs to be applied to commands sent to
the TPM. # TCTI ENVIRONMENT
This collection of environment variables that may be used to
configure the various TCTI modules available.
The values passed through these variables can be overridden on a
per-command basis using the available command line options, see the
TCTI_OPTIONS section.
The variables respected depend on how the software was
configured.
- •
- TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with
the next component down the TSS stack. In most configurations this will be
the TPM but it could be a simulator or proxy. The current known TCTIs
are:
- •
- tabrmd - The new resource manager, called tabrmd
(https://github.com/01org/tpm2-abrmd).
- •
- socket - Typically used with the old resource manager, or talking directly
to a simulator.
- •
- device - Used when talking directly to a TPM device file.
- •
- TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM
device file. The default is “/dev/tpm0”.
Note: Using the tpm directly requires the users to ensure that
concurrent access does not occur and that they manage the tpm resources.
These tasks are usually managed by a resource manager. Linux 4.12 and
greater supports an in kernel resource manager at
“/dev/tpmrm”, typically
“/dev/tpmrm0”.
- •
- TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the
domain name or IP address used. The default is 127.0.0.1.
- •
- TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port
number used. The default is 2321.
This collection of options are used to configure the varous TCTI
modules available. They override any environment variables.
- •
- -T,
–tcti=TCTI_NAME[:TCTI_OPTIONS]:
Select the TCTI used for communication with the next component down the
TSS stack. In most configurations this will be the resource manager:
tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
options can appended to TCTI_NAME by appending a : to
TCTI_NAME.
- •
- For the device TCTI, the TPM device file for use by the device TCTI can be
specified. The default is /dev/tpm0. Example: -T
device:/dev/tpm0
- •
- For the socket TCTI, the domain name or IP address and port number used by
the socket can be specified. The default are 127.0.0.1 and 2321. Example:
-T socket:127.0.0.1:2321
- •
- For the abrmd TCTI, it takes no options. Example: -T abrmd
Passwords are interpreted in two forms, string and hex-string. A
string password is not interpreted, and is directly used for authorization.
A hex-string, is converted from a hexidecimal form into a byte array form,
thus allowing passwords with non-printable and/or terminal un-friendly
characters.
By default passwords are assumed to be in the string form.
Password form is specified with special prefix values, they are:
- •
- str: - Used to indicate it is a raw string. Useful for escaping a password
that starts with the “hex:” prefix.
- •
- hex: - Used when specifying a password in hex string format.
Format selection for the signature output file. tss (the
default) will output a binary blob according to the TPM 2.0 specification
and any potential compiler padding. The option plain will output the
plain signature data as defined by the used cryptographic algorithm. #
EXAMPLES
-
tpm2_certify -H 0x81010002 -k 0x81010001 -P 0x0011 -K 0x00FF -g 0x00B -a <fileName> -s <fileName>
tpm2_certify -C obj.context -c key.context -P 0x0011 -K 0x00FF -g 0x00B -a <fileName> -s <fileName>
tpm2_certify -H 0x81010002 -k 0x81010001 -P 0011 -K 00FF -X -g 0x00B -a <fileName> -s <fileName>
0 on success or 1 on failure.
Github Issues (https://github.com/01org/tpm2-tools/issues)
See the Mailing List
(https://lists.01.org/mailman/listinfo/tpm2)