tpm2_activatecredential
Section: General Commands Manual (1)
Updated: AUGUST 2017
Page Index
NAME
tpm2_activatecredential(1) - verify that an object is
protected with a specific key.
SYNOPSIS
tpm2_activatecredential [OPTIONS]
DESCRIPTION
Verify that the given content is protected with given keyHandle for
given handle, and then decrypt and return the secret, if any passwd
option is missing, assume NULL.
Currently only support using TCG profile compliant EK as the keyHandle.
OPTIONS
These options control the object verification:
- •
-
-H, -handle=HANDLE: HANDLE of
the object associated with the created certificate by CA.
- •
-
-k, -key-handle=KEY_HANDLE: The
KEY_HANDLE of Loaded key used to decrypt the the random seed.
- •
-
-C, -key-context=KEY_CONTEXT_FILE:
KEY_CONTEXT_FILE is the path to a context file.
- •
-
-P, -password=PASSWORD: Use
PASSWORD for providing an authorization value for the
KEY_HANDLE.
Passwords should follow the "password formatting standards, see
section"Password Formatting“.
- •
-
-e, -endorse-password=ENDORSE_PASSWORD:
The endorsement password, optional.
Follows the same formating guidelines as the handle password option -P.
- •
-
-f, -in-file=INPUT_FILE: Input file
path, containing the two structures needed by tpm2_activatecredential
function.
This is created via the tpm2_makecredential(1) command.
- •
-
-o, -out-file=OUTPUT_FILE: Output file
path, record the secret to decrypt the certificate.
COMMON OPTIONS
This collection of options are common to many programs and provide
information that many users may expect.
- •
-
-h, -help: Display the tools manpage.
This requires the manpages to be installed or on MANPATH, See
man(1) for more details.
- •
-
-v, -version: Display version information for
this tool, supported tctis and exit.
- •
-
-V, -verbose: Increase the information that the
tool prints to the console during its execution.
When using this option the file and line number are printed.
- •
-
-Q, -quiet: Silence normal tool output to stdout.
- •
-
-Z, -enable-errata: Enable the application of
errata fixups.
Useful if an errata fixup needs to be applied to commands sent to the
TPM.
# TCTI ENVIRONMENT
This collection of environment variables that may be used to configure
the various TCTI modules available.
The values passed through these variables can be overridden on a
per-command basis using the available command line options, see the
TCTI_OPTIONS section.
The variables respected depend on how the software was configured.
- •
-
TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication
with the next component down the TSS stack.
In most configurations this will be the TPM but it could be a simulator
or proxy.
The current known TCTIs are:
-
- •
-
tabrmd - The new resource manager, called
tabrmd (https://github.com/01org/tpm2-abrmd).
- •
-
socket - Typically used with the old resource manager, or talking
directly to a simulator.
- •
-
device - Used when talking directly to a TPM device file.
- •
-
TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the
TPM device file.
The default is "/dev/tpm0".
-
Note: Using the tpm directly requires the users to ensure that
concurrent access does not occur and that they manage the tpm resources.
These tasks are usually managed by a resource manager.
Linux 4.12 and greater supports an in kernel resource manager at
"/dev/tpmrm", typically "/dev/tpmrm0".
- •
-
TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify
the domain name or IP address used.
The default is 127.0.0.1.
- •
-
TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the
port number used.
The default is 2321.
TCTI OPTIONS
This collection of options are used to configure the varous TCTI modules
available.
They override any environment variables.
- •
-
-T,
-tcti=TCTI_NAME[:TCTI_OPTIONS]:
Select the TCTI used for communication with the next component down the
TSS stack.
In most configurations this will be the resource manager:
tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
options can appended to TCTI_NAME by appending a : to
TCTI_NAME.
-
- •
-
For the device TCTI, the TPM device file for use by the device TCTI can
be specified.
The default is /dev/tpm0.
Example: -T device:/dev/tpm0
- •
-
For the socket TCTI, the domain name or IP address and port number used
by the socket can be specified.
The default are 127.0.0.1 and 2321.
Example: -T socket:127.0.0.1:2321
- •
-
For the abrmd TCTI, it takes no options.
Example: -T abrmd
Password Formatting
Passwords are interpreted in two forms, string and hex-string.
A string password is not interpreted, and is directly used for
authorization.
A hex-string, is converted from a hexidecimal form into a byte array
form, thus allowing passwords with non-printable and/or terminal
un-friendly characters.
By default passwords are assumed to be in the string form.
Password form is specified with special prefix values, they are:
- •
-
str: - Used to indicate it is a raw string.
Useful for escaping a password that starts with the "hex:"
prefix.
- •
-
hex: - Used when specifying a password in hex string format.
EXAMPLES
-
tpm2_activatecredential -H 0x81010002 -k 0x81010001 -P abc123 -e abc123 -f <filePath> -o <filePath>
tpm2_activatecredential -c ak.context -C ek.context -P abc123 -e abc123 -f <filePath> -o <filePath>
tpm2_activatecredential -H 0x81010002 -k 0x81010001 -P 123abc -e 1a1b1c -X -f <filePath> -o <filePath>
RETURNS
0 on success or 1 on failure.
BUGS
Github Issues (https://github.com/01org/tpm2-tools/issues)
HELP
See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)