% tpm2_getsessionauditdigest(1) tpm2-tools | General Commands Manual


tpm2_getsessionauditdigest(1) - Retrieve the session audit digest attestation data from the TPM.


tpm2_getsessionauditdigest [OPTIONS]


tpm2_getsessionauditdigest(1) - Retrieve the session audit digest attestation data from the TPM. The attestation data is a TPMS_ATTEST structure carrying the session audit digest, signed by the key given with -c. The audit session itself is started with tpm2_startauthsession using the --audit-session option; every command subsequently executed with that session extends the session's audit digest, so the signed digest attests to the sequence of commands that were run through it.


  • -P, --hierarchy-auth=AUTH:

    Specifies the authorization value for the endorsement hierarchy, which acts as privacy administrator for this command (TPM2_GetSessionAuditDigest).

  • -c, --key-context=OBJECT:

    Context object for the signing key that signs the attestation data.

  • -p, --auth=AUTH:

    Specifies the authorization value for key specified by option -c.

  • -q, --qualification=HEX_STRING_OR_PATH:

    Data given as a hex string or binary file to qualify the attestation, optional. Typically a fresh nonce chosen by the verifier: it is copied into the extraData field of the signed attestation, which lets the verifier tie the signature to this request and reject replayed attestations.

  • -s, --signature=FILE:

    Signature output file, records the signature in the format specified via the -f option.

  • -m, --message=FILE:

    Message output file, records the attestation message that makes up the data signed by the TPM. This is the session audit digest attestation data, a TPMS_ATTEST structure of type TPM_ST_ATTEST_SESSION_AUDIT.

  • -f, --format=FORMAT:

    Format selection for the signature output file.

  • -g, --hash-algorithm=ALGORITHM:

    Hash algorithm used for the signature. Defaults to sha256.

  • --scheme=ALGORITHM:

    The signing scheme used to sign the message. Optional. Signing schemes should follow the "formatting standards", see section "Algorithm Specifiers". Also, see section "Supported Signing Schemes" for a list of supported signature schemes. If specified, the signature scheme must match the key type. If left unspecified, a default signature scheme for the key type will be used.

  • -S, --session=FILE:

    The path of the audit session file (created with tpm2_startauthsession --audit-session) whose accumulated audit digest is to be attested.


context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

signature format specifiers option used to configure signature FORMAT.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.


# Create a primary key in the endorsement hierarchy and a signing key under it
tpm2_createprimary -Q -C e -c prim.ctx

tpm2_create -Q -C prim.ctx -c signing_key.ctx -u signing_key.pub \
-r signing_key.priv

# Start an audit session; commands run with this session extend its audit digest
tpm2_startauthsession -S session.ctx --audit-session

# An audited command: its cpHash and rpHash are folded into the session audit digest
tpm2_getrandom 8 -S session.ctx

# Retrieve the signed audit digest: att.data holds the TPMS_ATTEST, att.sig the signature
tpm2_getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
-S session.ctx
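The verifier side of the flow above, as an added example that is not part of tpm2-tools: it unmarshals the TPMS_ATTEST written to att.data, checks that extraData carries the nonce the verifier passed with -q, and goes beyond the man page by replaying the TPM's audit chain (new digest = H(old digest || cpHash || rpHash), starting from a zero digest) for the commands the verifier expects to have been audited, so a substituted or truncated command transcript is detected. It assumes the session hash algorithm is SHA-256 (the tpm2_startauthsession default) and that the only audited command was `tpm2_getrandom 8 -S session.ctx`, whose 8 output bytes were saved with `-o random.out`. The function and file names are the example's own; the test data built by build_session_audit_attest is constructed, not TPM output.

```python
"""Check a session audit attestation from tpm2_getsessionauditdigest (added example)."""
import hashlib
import struct
import sys

TPM_GENERATED_VALUE = 0xFF544347          # TPMS_ATTEST.magic
TPM_ST_ATTEST_SESSION_AUDIT = 0x8004      # TPMS_ATTEST.type for this command
TPM_CC_GETRANDOM = 0x0000017B
TPM_RC_SUCCESS = 0x00000000


def _tpm2b(buf, off):
    """Read a TPM2B: big-endian UINT16 size followed by that many bytes."""
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + size > len(buf):
        raise ValueError("truncated TPM2B")
    return buf[off:off + size], off + size


def parse_session_audit_attest(data):
    """Unmarshal a TPMS_ATTEST whose attested union is TPMS_SESSION_AUDIT_INFO."""
    magic, atype = struct.unpack_from(">IH", data, 0)
    if magic != TPM_GENERATED_VALUE:
        raise ValueError("bad magic: not TPM-generated data")
    if atype != TPM_ST_ATTEST_SESSION_AUDIT:
        raise ValueError("attestation type 0x%04x is not a session audit" % atype)
    off = 6
    signer, off = _tpm2b(data, off)          # qualifiedSigner: TPM2B_NAME
    extra, off = _tpm2b(data, off)           # extraData: the -q nonce
    clock, reset, restart, safe = struct.unpack_from(">QIIB", data, off)
    off += 17                                # TPMS_CLOCK_INFO
    (firmware,) = struct.unpack_from(">Q", data, off)
    off += 8                                 # firmwareVersion
    exclusive = data[off]                    # exclusiveSession (TPMI_YES_NO)
    off += 1
    digest, off = _tpm2b(data, off)          # sessionDigest: TPM2B_DIGEST
    if off != len(data):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"signer_name": signer, "extra_data": extra, "clock": clock,
            "reset_count": reset, "restart_count": restart, "safe": safe,
            "firmware_version": firmware, "exclusive_session": bool(exclusive),
            "session_digest": digest}


def audit_digest(commands, alg="sha256"):
    """Replay the audit chain: new = H(old || cpHash || rpHash) from a zero digest.
    Each command is (commandCode, [handle names], parameters, responseCode,
    response parameters); cpHash = H(cc || names || params), rpHash = H(rc || cc || resp)."""
    digest = bytes(hashlib.new(alg).digest_size)
    for cc, names, params, rc, resp in commands:
        cp = hashlib.new(alg, struct.pack(">I", cc) + b"".join(names) + params).digest()
        rp = hashlib.new(alg, struct.pack(">II", rc, cc) + resp).digest()
        digest = hashlib.new(alg, digest + cp + rp).digest()
    return digest


def getrandom_record(requested, output):
    """Audit record for TPM2_GetRandom: no handles, parameter is UINT16
    bytesRequested, response parameter is a TPM2B_DIGEST holding the random bytes."""
    return (TPM_CC_GETRANDOM, [], struct.pack(">H", requested), TPM_RC_SUCCESS,
            struct.pack(">H", len(output)) + output)


def check_session_audit(att_bytes, nonce, commands):
    """Return a list of findings; an empty list means the attestation checks out."""
    try:
        att = parse_session_audit_attest(att_bytes)
    except (ValueError, struct.error) as exc:
        return ["malformed attestation: %s" % exc]
    findings = []
    if att["extra_data"] != nonce:
        findings.append("extraData does not carry our nonce: possible replay")
    if att["session_digest"] != audit_digest(commands):
        findings.append("sessionDigest does not match the replayed command log")
    return findings


def build_session_audit_attest(signer_name, nonce, session_digest):
    """Marshal a TPMS_ATTEST for offline testing. Constructed data: clockInfo and
    firmwareVersion are zeroed here, a real TPM fills them in."""
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_SESSION_AUDIT)
            + struct.pack(">H", len(signer_name)) + signer_name
            + struct.pack(">H", len(nonce)) + nonce
            + struct.pack(">QIIB", 0, 0, 0, 1) + struct.pack(">Q", 0)
            + bytes([0]) + struct.pack(">H", len(session_digest)) + session_digest)


if __name__ == "__main__":
    # usage: verify_audit.py att.data <hex given to -q, or ''> random.out
    att = open(sys.argv[1], "rb").read()
    nonce = bytes.fromhex(sys.argv[2])
    rnd = open(sys.argv[3], "rb").read()
    problems = check_session_audit(att, nonce, [getrandom_record(len(rnd), rnd)])
    print("OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

This checks the contents of att.data only; the signature in att.sig must be verified separately against the signing key, and both checks are needed (a matching digest with a bad signature is worthless). With the default RSA key from tpm2_create that can be done outside the TPM by exporting the public key with `tpm2_readpublic -c signing_key.ctx -f pem -o signing_key.pem`, requesting the signature as `-f plain`, and running `openssl dgst -sha256 -verify signing_key.pem -signature att.sig att.data`.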