[go: up one dir, main page]

File: tpm2_policynv.1.md

package info (click to toggle)
tpm2-tools 5.0-2
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 4,396 kB
  • sloc: ansic: 35,984; sh: 12,809; xml: 8,089; makefile: 569
file content (123 lines) | stat: -rw-r--r-- 4,462 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
 
% tpm2_policynv(1) tpm2-tools | General Commands Manual

# NAME

**tpm2_policynv**(1) - Evaluates policy authorization by comparing a specified
value against the contents in the specified NV Index.

# SYNOPSIS

**tpm2_policynv** [*OPTIONS*] [*ARGUMENT*] [*ARGUMENT*]

# DESCRIPTION

**tpm2_policynv**(1) - This command evaluates policy authorization by comparing
the contents written to an NV index against the one specified in the tool
options. The tool takes two arguments - (1) The NV index specified as raw handle
or an offset value to the nv handle range "TPM2_HR_NV_INDEX" and (2) Comparison
operator for magnitude comparison and or bit test operations. In the
specification the NV index holding the data is called operandA and the data that
the user specifies to compare is called operandB. The comparison operator can be
specified as follows:
* "eq"  if operandA           =   operandB
* "neq" if operandA           !=  operandB
* "sgt" if signed operandA    >   signed operandB
* "ugt" if unsigned operandA  >   unsigned operandB
* "slt" if signed operandA    <   signed operandB
* "ult" if unsigned operandA  <   unsigned operandB
* "sge" if signed operandA    >=  signed operandB
* "uge" if unsigned operandA  >=  unsigned operandB
* "sle" if signed operandA    <=  unsigned operandB
* "ule" if unsigned operandA  <=  unsigned operandB
* "bs"  if all bits set in operandA are set in operandB
* "bc"  if all bits set in operandA are clear in operandB

# OPTIONS

  * **-C**, **\--hierarchy**=_OBJECT_:

    Specifies the hierarchy used to authorize.
    Supported options are:
      * **o** for **TPM_RH_OWNER**
      * **p** for **TPM_RH_PLATFORM**
      * **`<num>`** where a hierarchy handle or nv-index may be used.

    When **-C** isn't explicitly passed the index handle will be used to
    authorize against the index. The index auth value is set via the
    **-p** option to **tpm2_nvdefine**(1).

  * **-P**, **\--auth**=_AUTH_:

    Specifies the authorization value for the hierarchy.

  * **-L**, **\--policy**=_FILE_:

    File to save the policy digest.

  * **-S**, **\--session**=_FILE_:

    The policy session file generated via the **-S** option to
    **tpm2_startauthsession** or saved off of a previous tool run.

  * **\--offset**=_NATURAL_NUMBER_:

    The offset within the NV index to start comparing at. The size of the data
    starting at offset and ending at size of NV index shall not exceed the size
    of the operand specified in the options.

  * **\--cphash**=_FILE_

    File path to record the hash of the command parameters. This is commonly
    termed as cpHash. NOTE: When this option is selected, The tool will not
    actually execute the command, it simply returns a cpHash.

  * **-i**, **\--input**=_FILE_:

    Specifies the input file with data to compare to NV Index contents. In the
    standard specification, this is termed as operand or operandB more
    specifically . It can be specified as a file input or stdin if option
    value is a "-".

## References

[common options](common/options.md) collection of common options that provide
information many users may expect.

[common tcti options](common/tcti.md) collection of options used to configure
the various known TCTI modules.

# EXAMPLES

Test if NV index content value is equal to an input number. To do this we first
create an NV index of size 1 byte and write a value. Eg. 0xAA. Next we attempt
to create a policy that becomes valid if the equality comparison operation of
the NV index content against the one specified in the tool options.

## Define the test NV Index and write the value 0xAA to it
```bash
nv_test_index=0x01500001
tpm2_nvdefine -C o -p nvpass $nv_test_index -a "authread|authwrite" -s 1
echo "aa" | xxd -r -p | tpm2_nvwrite -P nvpass -i- $nv_test_index
```

## Attempt defining policynv with wrong comparison value specified in options.
```bash
tpm2_startauthsession -S session.ctx --policy-session
### This should fail
echo 0xBB | tpm2_policynv -S session.ctx -L policy.nv -i- 0x1500001 eq -P nvpass
tpm2_flushcontext session.ctx
```

## Attempt defining policynv with right comparison value specified in options.
```bash
tpm2_startauthsession -S session.ctx --policy-session
### This should pass
echo 0xAA | tpm2_policynv -S session.ctx -L policy.nv -i- 0x1500001 eq -P nvpass
tpm2_flushcontext session.ctx
```

[returns](common/returns.md)

[limitations](common/policy-limitations.md)

[footer](common/footer.md)