% tpm2_hierarchycontrol(1) tpm2-tools | General Commands Manual % % July 2019


tpm2_hierarchycontrol(1) - Enable and disable use of a hierarchy and its associated NV storage.


tpm2_hierarchycontrol [OPTIONS] VARIABLE OPERATION


tpm2_hierarchycontrol(1) - Allows user change phEnable, phEnableNV, shEnable and ehEnable when the proper authorization is provided. Authorization should be one out of owner hierarchy auth, endorsement hierarchy auth and platform hierarchy auth. As an argument the tool takes the VARIABLE as TPMA_STARTUP_CLEAR bit and _OPERATION_ as string clear|set to clear or set the VARIABLE bit.

Note: If password option is missing, assume NULL.


  • -C, --hierarchy=OBJECT:

    Specifies the handle used to authorize. Defaults to the "platform" hierarchy. Supported options are: * o for TPM_RH_OWNER * p for TPM_RH_PLATFORM * <num> where a raw number can be used.

  • -P, --hierarchy-auth=AUTH:

    Specifies the authorization value for the hierarchy.

  • --cphash=FILE

    File path to record the hash of the command parameters. This is commonly termed as cpHash. NOTE: When this option is selected, The tool will not actually execute the command, it simply returns a cpHash.


context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.


Set phEnableNV with platform hierarchy and its authorization

tpm2_hierarchycontrol -C p phEnableNV set -P pass

clear phEnableNV with platform hierarchy

tpm2_hierarchycontrol -C p phEnableNV clear

Set shEnable with platform hierarchy

tpm2_hierarchycontrol -C p shEnable set

Set shEnable with owner hierarchy

tpm2_hierarchycontrol -C o shEnable set

Check current TPMA_STARTUP_CLEAR Bits

tpm2_getcap properties-variable
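As an added example (not part of tpm2-tools), a POSIX shell helper that reads the TPM2_PT_STARTUP_CLEAR block printed by tpm2_getcap properties-variable and reports a single bit, so a script can confirm before and after tpm2_hierarchycontrol that a set or clear actually took effect. The "name: value" output layout assumed here and the sample output embedded so it runs without a TPM are constructed, and the helper names startup_clear_bit and require_hierarchy_state are this example's own.

```shell
#!/bin/sh
# Constructed sample of `tpm2_getcap properties-variable` output (assumed layout)
# so the helpers below can be exercised without a TPM. Drop the second argument
# to read the live TPM instead.
SAMPLE='TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  disableClear:              0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1
  ehEnable:                  0
  phEnableNV:                1
  orderly:                   0'

# startup_clear_bit NAME [CAPOUT]
# Prints 1 or 0 for the named TPMA_STARTUP_CLEAR bit (phEnable, shEnable,
# ehEnable, phEnableNV). CAPOUT defaults to live tpm2_getcap output.
# Exit status 2 if the bit is not present in the TPM2_PT_STARTUP_CLEAR block.
startup_clear_bit() {
    name=$1
    out=${2:-$(tpm2_getcap properties-variable)}
    printf '%s\n' "$out" | awk -v want="$name" '
        /^TPM2_PT_STARTUP_CLEAR:/ { in_block = 1; next }   # enter the block
        /^[^ ]/                   { in_block = 0 }         # next top-level key
        in_block {
            key = $1; sub(/:$/, "", key)                   # "phEnable:" -> "phEnable"
            if (key == want) { print $2; found = 1; exit }
        }
        END { if (!found) exit 2 }'
}

# require_hierarchy_state NAME WANT [CAPOUT]
# Returns 0 when bit NAME currently equals WANT (0 or 1), 1 when it differs,
# 2 when the bit cannot be read. Call it after tpm2_hierarchycontrol to verify
# the change, e.g.: tpm2_hierarchycontrol -C p shEnable set &&
#                   require_hierarchy_state shEnable 1
require_hierarchy_state() {
    cur=$(startup_clear_bit "$1" "$3") || return 2
    [ "$cur" = "$2" ]
}
```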