1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
% tpm2_nvcertify(1) tpm2-tools | General Commands Manual
# NAME
**tpm2_nvcertify**(1) - Provides attestation of the contents of an NV index.
# SYNOPSIS
**tpm2_nvcertify** [*OPTIONS*] [*ARGUMENTS*]
# DESCRIPTION
**tpm2_nvcertify**(1) - Provides attestation of the contents of an NV index.
NOTE: As part of the attestation output, the NV index contents are revealed.
# OPTIONS
These options control the certification:
* **-C**, **\--signingkey-context**=_OBJECT_:
The key object that signs the attestation structure.
* **-P**, **\--signingkey-auth**=_AUTH_:
The authorization value provided for the object specified with -C.
* **-c**, **\--nvauthobj-context**=_OBJECT_:
The object that is the authorization handle for the NV object. It is either
the NV index handle itself or the platform/ owner hierarchy handle. If not
specified it defaults to the NV index handle.
* **-p**, **\--nvauthobj-auth**=_AUTH_:
The authorization value provided for the object specified with -c.
* **-g**, **\--hash-algorithm**=_ALGORITHM_:
The hash algorithm to use in signature generation.
* **-s**, **\--scheme**=_ALGORITHM_:
The signing scheme used to sign the attestation data.
* **-f**, **\--format**=_FORMAT_:
Format selection for the signature output file.
* **-o**, **\--signature**=_FILE_:
Output file name for the signature data.
* **-q**, **\--qualification**=_FILE\_OR\_HEX\_STR_:
Optional, the policy qualifier data that the signer can choose to include in the
signature. Can be either a hex string or path.
* **\--size**=_NATURAL_NUMBER_:
Specifies the size of data to be read in bytes, starting from 0 if
offset is not specified. If not specified, the size of the data
as reported by the public portion of the index will be used.
* **\--offset**=_NATURAL_NUMBER_:
The offset within the NV index to start reading from.
* **--attestation**=_FILE_:
The attestation data of the type TPM2_CREATION_INFO signed with signing key.
* **\--cphash**=_FILE_
File path to record the hash of the command parameters. This is commonly
termed as cpHash. NOTE: When this option is selected, The tool will not
actually execute the command, it simply returns a cpHash.
* **ARGUMENT** the command line argument specifies the NV index or offset
number.
## References
[context object format](common/ctxobj.md) details the methods for specifying
_OBJECT_.
[authorization formatting](common/authorizations.md) details the methods for
specifying _AUTH_.
[algorithm specifiers](common/alg.md) details the options for specifying
cryptographic algorithms _ALGORITHM_.
[signature format specifiers](common/signature.md) option used to configure
signature _FORMAT_.
[common options](common/options.md) collection of common options that provide
information many users may expect.
[common tcti options](common/tcti.md) collection of options used to configure
the various known TCTI modules.
# EXAMPLES
```bash
tpm2_nvdefine -s 32 -a "authread|authwrite" 1
dd if=/dev/urandom bs=1 count=32 status=none| \
tpm2_nvwrite 1 -i-
tpm2_createprimary -C o -c primary.ctx -Q
tpm2_create -G rsa -u rsa.pub -r rsa.priv -C primary.ctx -c signing_key.ctx -Q
tpm2_readpublic -c signing_key.ctx -f pem -o sslpub.pem -Q
tpm2_nvcertify -C signing_key.ctx -g sha256 -f plain -s rsassa \
-o signature.bin --attestation attestation.bin --size 32 1
```
[returns](common/returns.md)
[footer](common/footer.md)
|