DOKK / manpages / debian 10 / tpm2-tools / tpm2_unseal.1.en

General Commands Manual

NAME

tpm2_unseal(1) - Returns the data in a loaded Sealed Data Object.

SYNOPSIS

tpm2_unseal [OPTIONS]

DESCRIPTION

tpm2_unseal(1) - -returns the data in a loaded Sealed Data Object.

NOTE: The –set-list and –pcr-input-file options should only be used for simple PCR authentication policies. For more complex policies the tools should be ran in an execution environment that keeps the session context alive and pass that session using the –input-session-handle option.

OPTIONS

•: -H, –item=ITEM_HANDLE:

Item handle of loaded object.

•: -c, –item-context=ITEM_CONTEXT_FILE:

Filename of the item context.

•: -P, –pwdk=KEY_PASSWORD:

Specifies the password of ITEM_HANDLE. Passwords should follow the password formatting standards, see section “Password Formatting”.

•: -o, –outfile=OUT_FILE:

Output file name, containing the unsealed data. Defaults to stdout if not specified.

•: -S, –input-session-handle=SESSION_HANDLE:

Optional Input session handle from a policy session for authorization.

•: -L, –set-list==PCR_SELECTION_LIST:

The list of pcr banks and selected PCRs' ids. PCR_SELECTION_LIST values should follow the pcr bank specifiers standards, see section “PCR Bank Specfiers”.

•: -F,**–pcr-input-file=PCR_INPUT_FILE

Optional Path or Name of the file containing expected pcr values for the specified index. Default is to read the current PCRs per the set list.

COMMON OPTIONS

This collection of options are common to many programs and provide information that many users may expect.

•: -h, –help: Display the tools manpage. This requires the manpages to be installed or on MANPATH, See man(1) for more details.
•: -v, –version: Display version information for this tool, supported tctis and exit.
•: -V, –verbose: Increase the information that the tool prints to the console during its execution. When using this option the file and line number are printed.
•: -Q, –quiet: Silence normal tool output to stdout.
•: -Z, –enable-errata: Enable the application of errata fixups. Useful if an errata fixup needs to be applied to commands sent to the TPM. # TCTI ENVIRONMENT

This collection of environment variables that may be used to configure the various TCTI modules available.

The values passed through these variables can be overridden on a per-command basis using the available command line options, see the TCTI_OPTIONS section.

The variables respected depend on how the software was configured.

•: TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the next component down the TSS stack. In most configurations this will be the TPM but it could be a simulator or proxy. The current known TCTIs are:

•: tabrmd - The new resource manager, called tabrmd (https://github.com/01org/tpm2-abrmd).
•: socket - Typically used with the old resource manager, or talking directly to a simulator.
•: device - Used when talking directly to a TPM device file.

•: TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM device file. The default is “/dev/tpm0”.

Note: Using the tpm directly requires the users to ensure that concurrent access does not occur and that they manage the tpm resources. These tasks are usually managed by a resource manager. Linux 4.12 and greater supports an in kernel resource manager at “/dev/tpmrm”, typically “/dev/tpmrm0”.

•: TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the domain name or IP address used. The default is 127.0.0.1.
•: TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port number used. The default is 2321.

TCTI OPTIONS

This collection of options are used to configure the varous TCTI modules available. They override any environment variables.

•: -T, –tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for communication with the next component down the TSS stack. In most configurations this will be the resource manager: tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific options can appended to TCTI_NAME by appending a : to TCTI_NAME.

•: For the device TCTI, the TPM device file for use by the device TCTI can be specified. The default is /dev/tpm0. Example: -T device:/dev/tpm0
•: For the socket TCTI, the domain name or IP address and port number used by the socket can be specified. The default are 127.0.0.1 and 2321. Example: -T socket:127.0.0.1:2321
•: For the abrmd TCTI, it takes no options. Example: -T abrmd

Password Formatting

Passwords are interpreted in two forms, string and hex-string. A string password is not interpreted, and is directly used for authorization. A hex-string, is converted from a hexidecimal form into a byte array form, thus allowing passwords with non-printable and/or terminal un-friendly characters.

By default passwords are assumed to be in the string form. Password form is specified with special prefix values, they are:

•: str: - Used to indicate it is a raw string. Useful for escaping a password that starts with the “hex:” prefix.
•: hex: - Used when specifying a password in hex string format.

PCR Bank Specfiers

PCR Bank Selection lists follow the below specification:

<BANK>:<PCR>[,<PCR>]

multiple banks may be separated by `+'.

For example:

sha:3,4+sha256:5,6

will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the SHA256 bank.

Note

PCR Selections allow for up to 5 hash to pcr selection mappings. This is a limitaion in design in the single call to the tpm to get the pcr values.

EXAMPLES

tpm2_unseal -H 0x81010001 -P abc123 -o out.dat
tpm2_unseal -c item.context -P abc123 -o out.dat
tpm2_unseal -H 0x81010001 -P "hex:123abc" -o out.dat
tpm2_unseal -c item.context -L sha1:0,1,2 -F out.dat

RETURNS

0 on success or 1 on failure.

BUGS

Github Issues (https://github.com/01org/tpm2-tools/issues)

HELP

See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)

SEPTEMBER 2017

tpm2-tools