% tpm2_checkquote(1) tpm2-tools | General Commands Manual


tpm2_checkquote(1) - Validates a quote provided by a TPM.


tpm2_checkquote [OPTIONS]


tpm2_checkquote(1) - Uses the public portion of the provided key to validate a quote generated by a TPM. This will validate the signature against the quote message and, if provided, verify that the qualifying data and PCR values match those in the quote. The PCR values can be provided with or without the TPML_PCR_SELECTION information. An example of PCR values without the PCR selection information is the output from tpm2_pcrread. If PCR value is specified without the PCR selection information, then the PCR selection string must be specified using the -l option to interpret the PCR data.


  • -u, --public=FILE:

    File input for the public portion of the signature verification key. Either the pem file or tss public format file.

  • -g, --hash-algorithm=ALGORITHM:

    The hash algorithm used to digest the message.

  • -m, --message=FILE:

    The quote message that makes up the data that is signed by the TPM.

  • -s, --signature=FILE:

    The input signature file of the signature to be validated.

  • -f, --pcr=FILE:

    Optional PCR input file to save the list of PCR values that were included in the quote.

  • -l, --pcr-list=PCR:

    The list of PCR banks and selected PCRs' ids for each bank.

  • -q, --qualification=HEX_STRING_OR_PATH:

    Qualification data for the quote. Can either be a hex string or path. This is typically used to add a nonce against replay attacks.

  • -F, --format=FORMAT:

    DEPRECATED and IGNORED as it's superfluous.


algorithm specifiers details the options for specifying cryptographic algorithms ALGORITHM.

signature format specifiers option used to configure signature FORMAT.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.


Generate a quote with a TPM, then verify it

tpm2_createek -c 0x81010001 -G rsa -u ekpub.pem -f pem

tpm2_createak -C 0x81010001 -c ak.ctx -G rsa -s rsassa -g sha256 \
-u akpub.pem -f pem -n ak.name

tpm2_quote -c ak.ctx -l sha256:15,16,22 -q abc123 -m quote.msg -s quote.sig \
  -o quote.pcrs -g sha256

tpm2_checkquote -u akpub.pem -m quote.msg -s quote.sig -f quote.pcrs -g sha256 \
  -q abc123