File: tpm2_changeauth.1.md (tpm2-tools 5.0-2)

% tpm2_changeauth(1) tpm2-tools | General Commands Manual

# NAME

**tpm2_changeauth** - Changes authorization values for TPM objects.

# SYNOPSIS

**tpm2_changeauth** [*OPTIONS*] [*ARGUMENT*]

# DESCRIPTION

**tpm2_changeauth** - Configures authorization values for the various
hierarchies, NV indices, transient and persistent objects.

Note: For non-permanent objects (transient objects and persistent objects),
copies of the private information (private-blob files or persistent handles)
created prior to changing auth are not invalidated; they remain usable with
the old authorization value.

# OPTIONS

Passwords should follow the "password authorization formatting standards",
see section "Authorization Formatting".

  * **-c**, **\--object-context**=_OBJECT_:

    The key context object to be used for the operation.

  * **-p**, **\--object-auth**=_AUTH_:

    The old authorization value for the TPM object specified with **-c**.

  * **-C**, **\--parent-context**=_OBJECT_:

    The parent object. This is required if the object for the operation is a
    transient or persistent object.

  * **-r**, **\--private**=_FILE_:

    The output file which contains the new sensitive portion of the object whose
    auth was being changed.
    [protection details](common/protection-details.md)

  * **\--cphash**=_FILE_:

    File path to record the hash of the command parameters. This is commonly
    termed cpHash. NOTE: When this option is selected, the tool will not
    actually execute the command; it simply returns a cpHash.

  * **ARGUMENT**:

    The command line argument specifies the new _AUTH_ to be set for the
    object specified with **-c**. If omitted, the authorization is set to the
    empty password.
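
The **\--cphash** option returns the value the TPM 2.0 specification (Part 1,
"cpHash") defines as the hash of the command code, the Names of the handles the
command acts on, and the marshalled command parameters; it is what a policy can
be bound to so that a session authorizes one specific command with one specific
argument. The following is an added example, not code from tpm2-tools, that
computes that preimage and digest for the hierarchy form of this tool
(`tpm2_changeauth -c owner newpass`). It assumes SHA-256 as the hash algorithm,
handles only the bare, `str:` and `hex:` authorization spellings, and uses the
rule that the Name of a permanent handle is the handle itself; the exact file
encoding and hash algorithm the tool writes are not stated on this page, so use
this to understand what the digest covers rather than as a byte-for-byte
reference for the tool's output.

```python
import hashlib
import struct

# TPM 2.0 constants (Library Specification Part 2) used by this example.
TPM2_CC_HierarchyChangeAuth = 0x00000129
TPM2_RH_OWNER = 0x40000001
TPM2_RH_LOCKOUT = 0x4000000A
TPM2_RH_ENDORSEMENT = 0x4000000B

# The -c spellings for the hierarchies shown in this man page's examples.
HIERARCHY_HANDLES = {
    "o": TPM2_RH_OWNER, "owner": TPM2_RH_OWNER,
    "e": TPM2_RH_ENDORSEMENT, "endorsement": TPM2_RH_ENDORSEMENT,
    "l": TPM2_RH_LOCKOUT, "lockout": TPM2_RH_LOCKOUT,
}


def parse_auth(spec: str) -> bytes:
    """Turn an AUTH argument into raw authorization bytes.

    Assumption for this example: a 'hex:' prefix is hex-decoded, a 'str:'
    prefix is taken literally after the prefix, and anything else is a plain
    string. The 'file:', 'session:' and 'pcr:' forms are not handled here.
    """
    if spec.startswith("hex:"):
        return bytes.fromhex(spec[4:])
    if spec.startswith("str:"):
        return spec[4:].encode()
    prefix = spec.split(":", 1)[0]
    if prefix in ("file", "session", "pcr"):
        raise ValueError(f"auth form '{prefix}:' is not handled by this example")
    return spec.encode()


def tpm2b(data: bytes) -> bytes:
    """Marshal a TPM2B_* value: big-endian UINT16 size followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def cphash_preimage(hierarchy: str, new_auth: str) -> bytes:
    """Bytes hashed for TPM2_HierarchyChangeAuth(authHandle, newAuth).

    Layout: commandCode || Name(authHandle) || TPM2B_AUTH newAuth.
    For a permanent handle the Name is the 4-byte handle value itself.
    """
    handle = HIERARCHY_HANDLES[hierarchy]
    name = struct.pack(">I", handle)
    return (struct.pack(">I", TPM2_CC_HierarchyChangeAuth)
            + name
            + tpm2b(parse_auth(new_auth)))


def hierarchy_changeauth_cphash(hierarchy: str, new_auth: str) -> bytes:
    """cpHash (SHA-256 assumed) for `tpm2_changeauth -c <hierarchy> <new_auth>`."""
    return hashlib.sha256(cphash_preimage(hierarchy, new_auth)).digest()


if __name__ == "__main__":
    # The old auth (-p) is supplied through the authorization session and is
    # deliberately absent from the preimage: cpHash binds the command and its
    # parameters, not the credential used to authorize it.
    for hierarchy, auth in (("owner", "newpass"), ("o", "newerpass"), ("l", "")):
        print(f"-c {hierarchy:<12} auth={auth!r:<12}",
              "preimage", cphash_preimage(hierarchy, auth).hex(),
              "cpHash", hierarchy_changeauth_cphash(hierarchy, auth).hex())
```

Running it shows that `owner` and `o` produce the same digest while any change
to the hierarchy or to the new authorization value changes it, which is exactly
the property a policy bound to this cpHash relies on.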

## References

[context object format](common/ctxobj.md) details the methods for specifying
_OBJECT_.

[authorization formatting](common/authorizations.md) details the methods for
specifying _AUTH_.

[common options](common/options.md) collection of common options that provide
information many users may expect.

[common tcti options](common/tcti.md) collection of options used to configure
the various known TCTI modules.


# EXAMPLES

## Set owner, endorsement and lockout authorizations to newpass
```bash
tpm2_changeauth -c owner newpass
tpm2_changeauth -c endorsement newpass
tpm2_changeauth -c lockout newpass
```

## Change owner, endorsement and lockout authorizations
```bash
tpm2_changeauth -c o -p newpass newerpass
tpm2_changeauth -c e -p newpass newerpass
tpm2_changeauth -c l -p newpass newerpass
```

## Set owner authorization to empty password
```bash
tpm2_changeauth -c o -p oldpass
```

## Modify authorization for a loadable transient object
```bash
# Create a primary under the owner hierarchy and a child AES key beneath it.
tpm2_createprimary -Q -C o -c prim.ctx
tpm2_create -Q -g sha256 -G aes -u key.pub -r key.priv -C prim.ctx
tpm2_load -C prim.ctx -u key.pub -r key.priv -n key.name -c key.ctx

# Change the key's auth. The parent (-C) is required for a transient object,
# and the re-wrapped private portion is written to key.priv; any earlier copy
# of key.priv still carries the old auth and is not invalidated.
tpm2_changeauth -c key.ctx -C prim.ctx -r key.priv newkeyauth
```

## Modify authorization for a NV Index

Requires Extended Session Support.

```bash
# Build the policy digest in a trial session: the index may only have its
# auth changed by TPM2_CC_NV_ChangeAuth.
tpm2_startauthsession -S session.ctx
tpm2_policycommandcode -S session.ctx -L policy.nvchange TPM2_CC_NV_ChangeAuth
tpm2_flushcontext session.ctx

# Define the index under the owner hierarchy with that policy attached.
NVIndex=0x1500015
tpm2_nvdefine $NVIndex -C o -s 32 -a "authread|authwrite" -L policy.nvchange

# Satisfy the policy in a real policy session, then change the auth with it.
tpm2_startauthsession --policy-session -S session.ctx
tpm2_policycommandcode -S session.ctx -L policy.nvchange TPM2_CC_NV_ChangeAuth
tpm2_changeauth -p session:session.ctx -c $NVIndex newindexauth
```

[returns](common/returns.md)

[footer](common/footer.md)