Authorization for use of an object in TPM2.0 can come in 3 different forms: 1. Password 2. HMAC 3. Sessions
NOTE: "Authorizations default to the EMPTY PASSWORD when not specified".
Passwords are interpreted in the following forms below using prefix identifiers.
Note: By default passwords are assumed to be in the string form when they do not have a prefix.
A string password, specified by prefix "str:" or it's absence (raw string without prefix) is not interpreted, and is directly used for authorization.
A hex-string password, specified by prefix "hex:" is converted from a hexidecimal form into a byte array form, thus allowing passwords with non-printable and/or terminal un-friendly characters.
A file based password, specified be prefix "file:" should be the path of a file containing the password to be read by the tool or a "-" to use stdin. Storing passwords in files prevents information leakage, passwords passed as options can be read from the process list or common shell history features.
# to use stdin and be prompted file:- # to use a file from a path file:path/to/password/file # to echo a password via stdin: echo foobar | tpm2_tool -p file:- # to use a bash here-string via stdin: tpm2_tool -p file:- <<< foobar
When using a policy session to authorize the use of an object, prefix the option argument with the session keyword. Then indicate a path to a session file that was created with tpm2_startauthsession(1). Optionally, if the session requires an auth value to be sent with the session handle (eg policy password), then append a + and a string as described in the Passwords section.
To use a session context file called session.ctx.
To use a session context file called session.ctx AND send the authvalue mypassword.
To use a session context file called session.ctx AND send the HEX authvalue 0x11223344.
You can satisfy a PCR policy using the "pcr:" prefix and the PCR minilanguage. The PCR
minilanguage is as follows:
The PCR spec is documented in in the section "PCR bank specifiers".
raw-pcr-file is an optional argument that contains the output of the raw PCR contents as returned by tpm2_pcrread(1).
To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifier of: