tpm2_sign(1) - Sign a hash using the TPM.
tpm2_sign(1) signs an externally provided hash with the specified symmetric or asymmetric signing key. If keyHandle references a restricted signing key, then validation shall be provided, indicating that the TPM performed the hash of the data and validation shall indicate that hashed data did not start with TPM_GENERATED_VALUE. The scheme of keyHandle should not be TPM_ALG_NULL.
Handle of key that will perform signing.
Filename of the key context used for the operation.
Specifies the password of KEY_HANDLE. Passwords should follow the password formatting standards, see section "Password Formatting".
The hash algorithm used to digest the message. Algorithms should follow the "formatting standards, see section"Algorithm Specifiers". Also, see section"Supported Hash Algorithms" for a list of supported hash algorithms.
The message file, containing the content to be digested.
The ticket file, containning the validation structure, optional.
The signature file, records the signature structure.
Format selection for the signature output file. See section "Signature Format Specifiers".
Optional Input session handle from a policy session for authorization.
This collection of options are common to many programs and provide information that many users may expect.
This collection of environment variables that may be used to configure the various TCTI modules available.
The values passed through these variables can be overridden on a per-command basis using the available command line options, see the TCTI_OPTIONS section.
The variables respected depend on how the software was configured.
Note: Using the tpm directly requires the users to ensure that concurrent access does not occur and that they manage the tpm resources. These tasks are usually managed by a resource manager. Linux 4.12 and greater supports an in kernel resource manager at "/dev/tpmrm", typically "/dev/tpmrm0".
This collection of options are used to configure the varous TCTI modules available. They override any environment variables.
Passwords are interpreted in two forms, string and hex-string. A string password is not interpreted, and is directly used for authorization. A hex-string, is converted from a hexidecimal form into a byte array form, thus allowing passwords with non-printable and/or terminal un-friendly characters.
By default passwords are assumed to be in the string form. Password form is specified with special prefix values, they are:
Supported hash algorithms are:
NOTE: Your TPM may not support all algorithms.
Options that take algorithms support "nice-names". Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. The nice names are converted by stripping the leading TPM_ALG_ from the Algorithm Name field and converting it to lower case. For instance TPM_ALG_SHA3_256 becomes sha3_256.
The algorithms can be found at: <https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
Format selection for the signature output file. tss (the default) will output a binary blob according to the TPM 2.0 specification and any potential compiler padding. The option plain will output the plain signature data as defined by the used cryptographic algorithm. # EXAMPLES
tpm2_sign -k 0x81010001 -P abc123 -g sha256 -m <filePath> -s <filePath> -t <filePath> tpm2_sign -c key.context -P abc123 -g sha256 -m <filePath> -s <filePath> -t <filePath>
Github Issues (https://github.com/01org/tpm2-tools/issues)
See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)