Section: General Commands Manual (1)
Updated: SEPTEMBER 2017
tpm2_hmac(1) - Performs an HMAC operation with the TPM.
tpm2_hmac [OPTIONS] FILE
tpm2_hmac(1) - performs an HMAC operation on FILE and
returns the results.
If FILE is not specified, then data is read from stdin.
-k, -key-handle=KEY_CONTEXT_FILE: The
key handle for the symmetric signing key providing the HMAC key.
-c, -key-context=KEY_CONTEXT_FILE: The
filename of the key context used for the operation.
-P, -pwdk=KEY_PASSWORD: The password for
Passwords should follow the "password formatting standards, see
-g, -halg=HASH_ALGORITHM: The hash
algorithm to use.
Algorithms should follow the "formatting standards, see
section"Algorithm Specifiers". Also, see section"Supported
Hash Algorithms" for a list of supported hash algorithms.
-o, -outfile=OUT_FILE Optional file
record of the HMAC result.
Defaults to stdout.
Input session handle from a policy session for authorization.
This collection of options are common to many programs and provide
information that many users may expect.
-h, -help: Display the tools manpage.
This requires the manpages to be installed or on MANPATH, See
man(1) for more details.
-v, -version: Display version information for
this tool, supported tctis and exit.
-V, -verbose: Increase the information that the
tool prints to the console during its execution.
When using this option the file and line number are printed.
-Q, -quiet: Silence normal tool output to stdout.
-Z, -enable-errata: Enable the application of
Useful if an errata fixup needs to be applied to commands sent to the
# TCTI ENVIRONMENT
This collection of environment variables that may be used to configure
the various TCTI modules available.
The values passed through these variables can be overridden on a
per-command basis using the available command line options, see the
The variables respected depend on how the software was configured.
TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication
with the next component down the TSS stack.
In most configurations this will be the TPM but it could be a simulator
The current known TCTIs are:
tabrmd - The new resource manager, called
socket - Typically used with the old resource manager, or talking
directly to a simulator.
device - Used when talking directly to a TPM device file.
TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the
TPM device file.
The default is "/dev/tpm0".
Note: Using the tpm directly requires the users to ensure that
concurrent access does not occur and that they manage the tpm resources.
These tasks are usually managed by a resource manager.
Linux 4.12 and greater supports an in kernel resource manager at
"/dev/tpmrm", typically "/dev/tpmrm0".
TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify
the domain name or IP address used.
The default is 127.0.0.1.
TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the
port number used.
The default is 2321.
This collection of options are used to configure the varous TCTI modules
They override any environment variables.
Select the TCTI used for communication with the next component down the
In most configurations this will be the resource manager:
tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
options can appended to TCTI_NAME by appending a : to
For the device TCTI, the TPM device file for use by the device TCTI can
The default is /dev/tpm0.
Example: -T device:/dev/tpm0
For the socket TCTI, the domain name or IP address and port number used
by the socket can be specified.
The default are 127.0.0.1 and 2321.
Example: -T socket:127.0.0.1:2321
For the abrmd TCTI, it takes no options.
Example: -T abrmd
Passwords are interpreted in two forms, string and hex-string.
A string password is not interpreted, and is directly used for
A hex-string, is converted from a hexidecimal form into a byte array
form, thus allowing passwords with non-printable and/or terminal
By default passwords are assumed to be in the string form.
Password form is specified with special prefix values, they are:
str: - Used to indicate it is a raw string.
Useful for escaping a password that starts with the "hex:"
hex: - Used when specifying a password in hex string format.
Supported Hash Algorithms
Supported hash algorithms are:
0x4 or sha1 for TPM_ALG_SHA1
0xB or sha256 for TPM_ALG_SHA256
0xC or sha384 for TPM_ALG_SHA384
0xD or sha512 for TPM_ALG_SHA512
0x12 or sm3_256 for TPM_ALG_SM3_256
NOTE: Your TPM may not support all algorithms.
Options that take algorithms support "nice-names".
Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
The nice names are converted by stripping the leading TPM_ALG_
from the Algorithm Name field and converting it to lower case.
For instance TPM_ALG_SHA3_256 becomes sha3_256.
The algorithms can be found at:
Perform a SHA1 HMAC on data.in and send output and possibly ticket to
tpm2_hmac -k 0x81010002 -P abc123 -g sha1 data.in
Perform a SHA1 HMAC on data.in read as a file to stdin and send output
to a file:
tpm2_hmac -c key.context -P abc123 -g sha1 -o hash.out << data.in
Perform a SHA256 HMAC on stdin and send result and possibly
ticket to stdout:
cat data.in | tpm2_hmac -k 0x81010002 -g sha256 -o hash.out ```
0 on success or 1 on failure.
Github Issues (https://github.com/01org/tpm2-tools/issues)
See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)