tpm2_verifysignature(1) - Validates a signature using the TPM.
tpm2_verifysignature(1) uses loaded keys to validate a signature on a message with the message digest passed to the TPM. If the signature check succeeds, then the TPM will produce a TPMT_TK_VERIFIED. Otherwise, the TPM shall return TPM_RC_SIGNATURE. If KEY_HANDLE references an asymmetric key, only the public portion of the key needs to be loaded. If KEY_HANDLE references a symmetric key, both the public and private portions need to be loaded.
Handle of key that will used in the validation.
Filename of the key context used for the operation.
The hash algorithm used to digest the message. Algorithms should follow the "formatting standards, see section"Algorithm Specifiers". Also, see section"Supported Hash Algorithms" for a list of supported hash algorithms.
The message file, containing the content to be digested.
The input hash file, containing the hash of the message. If this option is selected, then the message (-m) and algorithm (-g) options do not need to be specified.
The input signature file of the signature to be validated.
Set the input signature file to raw type. The default is TPMT_SIGNATURE.
The ticket file to record the validation structure.
Optional Input session handle from a policy session for authorization.
This collection of options are common to many programs and provide information that many users may expect.
This collection of environment variables that may be used to configure the various TCTI modules available.
The values passed through these variables can be overridden on a per-command basis using the available command line options, see the TCTI_OPTIONS section.
The variables respected depend on how the software was configured.
Note: Using the tpm directly requires the users to ensure that concurrent access does not occur and that they manage the tpm resources. These tasks are usually managed by a resource manager. Linux 4.12 and greater supports an in kernel resource manager at "/dev/tpmrm", typically "/dev/tpmrm0".
This collection of options are used to configure the varous TCTI modules available. They override any environment variables.
Passwords are interpreted in two forms, string and hex-string. A string password is not interpreted, and is directly used for authorization. A hex-string, is converted from a hexidecimal form into a byte array form, thus allowing passwords with non-printable and/or terminal un-friendly characters.
By default passwords are assumed to be in the string form. Password form is specified with special prefix values, they are:
Supported hash algorithms are:
Options that take algorithms support "nice-names". Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. The nice names are converted by stripping the leading TPM_ALG_ from the Algorithm Name field and converting it to lower case. For instance TPM_ALG_SHA3_256 becomes sha3_256.
The algorithms can be found at: <https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
tpm2_verifysignature -k 0x81010001 -g sha256 -m <filePath> -s <filePath> -t <filePath> tpm2_verifysignature -k 0x81010001 -D <filePath> -s <filePath> -t <filePath> tpm2_verifysignature -c key.context -g sha256 -m <filePath> -s <filePath> -t <filePath>
0 on success or 1 on failure.
Github Issues (https://github.com/01org/tpm2-tools/issues)
See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)