tpm2_quote(1) - Provide a quote and signature from the TPM.
tpm2_quote(1) Provide quote and signature for given list of PCRs in given algorithm/banks.
Handle of existing AK.
Filename for the existing AK's context.
specifies the password of AK_HANDLE. Passwords should follow the password formatting standards, see section "Password Formatting".
The comma separated list of selected PCRs' ids, 0~23 e.g. "4,5,6".
The list of pcr banks and selected PCRs' ids for each bank. PCR_SELECTION_LIST values should follow the pcr bank specifiers standards, see section "PCR Bank Specfiers".
message output file, records the quote message that makes up the data that is signed by the TPM.
signature output file, records the signature in the format specified via the -f option.
Format selection for the signature output file. See section "Signature Format Specifiers".
Data given as a Hex string to qualify the quote, optional. This is typically used to add a nonce against replay attacks.
Hash algorithm for signature.
This collection of options are common to many programs and provide information that many users may expect.
This collection of environment variables that may be used to configure the various TCTI modules available.
The values passed through these variables can be overridden on a per-command basis using the available command line options, see the TCTI_OPTIONS section.
The variables respected depend on how the software was configured.
Note: Using the tpm directly requires the users to ensure that concurrent access does not occur and that they manage the tpm resources. These tasks are usually managed by a resource manager. Linux 4.12 and greater supports an in kernel resource manager at "/dev/tpmrm", typically "/dev/tpmrm0".
This collection of options are used to configure the varous TCTI modules available. They override any environment variables.
Passwords are interpreted in two forms, string and hex-string. A string password is not interpreted, and is directly used for authorization. A hex-string, is converted from a hexidecimal form into a byte array form, thus allowing passwords with non-printable and/or terminal un-friendly characters.
By default passwords are assumed to be in the string form. Password form is specified with special prefix values, they are:
PCR Bank Selection lists follow the below specification:
<BANK>:<PCR>[,<PCR>]
multiple banks may be separated by `+'.
For example:
sha:3,4+sha256:5,6
will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the SHA256 bank.
PCR Selections allow for up to 5 hash to pcr selection mappings. This is a limitaion in design in the single call to the tpm to get the pcr values.
Format selection for the signature output file. tss (the default) will output a binary blob according to the TPM 2.0 specification and any potential compiler padding. The option plain will output the plain signature data as defined by the used cryptographic algorithm. # EXAMPLES
tpm2_quote -k 0x81010002 -P abc123 -g sha1 -l 16,17,18 tpm2_quote -c ak.context -P "str:abc123" -g sha1 -l 16,17,18 tpm2_quote -k 0x81010002 -g sha1 -l 16,17,18 tpm2_quote -c ak.context -g sha1 -l 16,17,18 tpm2_quote -k 0x81010002 -P "hex:123abc" -L sha1:16,17,18+sha256:16,17,18 -q 11aa22bb
Github Issues (https://github.com/01org/tpm2-tools/issues)
See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)