tpm2_unseal(1) - Returns the data in a loaded Sealed Data Object.
tpm2_unseal(1) - -returns the data in a loaded Sealed Data Object.
NOTE: The -set-list and -pcr-input-file options should only be used for simple PCR authentication policies. For more complex policies the tools should be ran in an execution environment that keeps the session context alive and pass that session using the -input-session-handle option.
Item handle of loaded object.
Filename of the item context.
Specifies the password of ITEM_HANDLE. Passwords should follow the password formatting standards, see section "Password Formatting".
Output file name, containing the unsealed data. Defaults to stdout if not specified.
Optional Input session handle from a policy session for authorization.
The list of pcr banks and selected PCRs' ids. PCR_SELECTION_LIST values should follow the pcr bank specifiers standards, see section "PCR Bank Specfiers".
Optional Path or Name of the file containing expected pcr values for the specified index. Default is to read the current PCRs per the set list.
This collection of options are common to many programs and provide information that many users may expect.
This collection of environment variables that may be used to configure the various TCTI modules available.
The values passed through these variables can be overridden on a per-command basis using the available command line options, see the TCTI_OPTIONS section.
The variables respected depend on how the software was configured.
Note: Using the tpm directly requires the users to ensure that concurrent access does not occur and that they manage the tpm resources. These tasks are usually managed by a resource manager. Linux 4.12 and greater supports an in kernel resource manager at "/dev/tpmrm", typically "/dev/tpmrm0".
This collection of options are used to configure the varous TCTI modules available. They override any environment variables.
Passwords are interpreted in two forms, string and hex-string. A string password is not interpreted, and is directly used for authorization. A hex-string, is converted from a hexidecimal form into a byte array form, thus allowing passwords with non-printable and/or terminal un-friendly characters.
By default passwords are assumed to be in the string form. Password form is specified with special prefix values, they are:
PCR Bank Selection lists follow the below specification:
<BANK>:<PCR>[,<PCR>]
multiple banks may be separated by `+'.
For example:
sha:3,4+sha256:5,6
will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the SHA256 bank.
PCR Selections allow for up to 5 hash to pcr selection mappings. This is a limitaion in design in the single call to the tpm to get the pcr values.
tpm2_unseal -H 0x81010001 -P abc123 -o out.dat tpm2_unseal -c item.context -P abc123 -o out.dat tpm2_unseal -H 0x81010001 -P "hex:123abc" -o out.dat tpm2_unseal -c item.context -L sha1:0,1,2 -F out.dat
Github Issues (https://github.com/01org/tpm2-tools/issues)
See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)