% tpm2_nvcertify(1) tpm2-tools | General Commands Manual

NAME

tpm2_nvcertify(1) - Provides attestation of the contents of an NV index.

SYNOPSIS

tpm2_nvcertify [OPTIONS] [ARGUMENTS]

DESCRIPTION

tpm2_nvcertify(1) - Provides attestation of the contents of an NV index. NOTE: As part of the attestation output, the NV index contents are revealed.

OPTIONS

These options control the certification:

  • -C, --signingkey-context=OBJECT:

    The key object that signs the attestation structure.

  • -P, --signingkey-auth=AUTH:

    The authorization value provided for the object specified with -C.

  • -c, --nvauthobj-context=OBJECT:

    The object that is the authorization handle for the NV object. It is either the NV index handle itself or the platform or owner hierarchy handle. If not specified it defaults to the NV index handle.

  • -p, --nvauthobj-auth=AUTH:

    The authorization value provided for the object specified with -c.

  • -g, --hash-algorithm=ALGORITHM:

    The hash algorithm to use in signature generation.

  • -s, --scheme=ALGORITHM:

    The signing scheme used to sign the attestation data.

  • -f, --format=FORMAT:

    Format selection for the signature output file.

  • -o, --signature=FILE:

    Output file name for the signature data.

  • -q, --qualification=FILE_OR_HEX_STR:

    Optional, the policy qualifier data that the signer can choose to include in the signature. Can be either a hex string or a file path.

  • --size=NATURAL_NUMBER:

    Specifies the size of data to be read in bytes, starting from 0 if offset is not specified. If not specified, the size of the data as reported by the public portion of the index will be used.

  • --offset=NATURAL_NUMBER:

    The offset within the NV index to start reading from.

  • --attestation=FILE:

    The attestation data of the type TPM2_CREATION_INFO signed with the signing key.

  • --cphash=FILE:

    File path to record the hash of the command parameters. This is commonly termed cpHash. NOTE: When this option is selected, the tool will not actually execute the command; it simply returns a cpHash unless rphash is also required.

  • --rphash=FILE:

    File path to record the hash of the response parameters. This is commonly termed rpHash.

  • -S, --session=FILE:

    The session created using tpm2_startauthsession. This can be used to specify an auxiliary session for auditing and/or encryption/decryption of the parameters.

  • -n, --name=FILE:

    The name of the NV index that must be provided when only calculating the cpHash without actually dispatching the command to the TPM.

  • --signer-name=FILE:

    The name of the signing key that must be provided when only calculating the cpHash without actually dispatching the command to the TPM.

  • ARGUMENT: the command line argument specifies the NV index or offset number.

References

context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

algorithm specifiers details the options for specifying cryptographic algorithms ALGORITHM.

signature format specifiers option used to configure signature FORMAT.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.

EXAMPLES

tpm2_nvdefine -s 32 -a "authread|authwrite" 1

dd if=/dev/urandom bs=1 count=32 status=none | \
tpm2_nvwrite 1 -i-

tpm2_createprimary -C o -c primary.ctx -Q

tpm2_create -G rsa -u rsa.pub -r rsa.priv -C primary.ctx -c signing_key.ctx -Q

tpm2_readpublic -c signing_key.ctx -f pem -o sslpub.pem -Q

tpm2_nvcertify -C signing_key.ctx -g sha256 -f plain -s rsassa \
-o signature.bin --attestation attestation.bin --size 32 1
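The verifier side of the example above is not shown on this page. The following is an added example, not part of tpm2-tools, that unmarshals the attestation.bin written by --attestation and checks the fields a relying party must compare against what it requested (signer name, NV index name, qualification data, offset) before trusting the revealed NV contents. It assumes the file holds the marshalled TPMS_ATTEST structure (TPM 2.0 Part 2, big-endian) without a leading TPM2B size field; the function and constant names and the sample blob are constructed for this example.

```python
"""Parse and sanity-check the attestation blob written by `tpm2_nvcertify --attestation`.

Assumption (not stated on the man page): the file holds the marshalled TPMS_ATTEST
structure (TPM 2.0 Part 2, big-endian) without a leading TPM2B size field.
"""
import struct
from dataclasses import dataclass

TPM_GENERATED = 0xFF544347   # magic value that only the TPM itself places here
TPM_ST_ATTEST_NV = 0x8014    # attestation type produced by TPM2_NV_Certify


@dataclass
class NvAttestation:
    qualified_signer: bytes   # TPM2B_NAME of the signing key
    extra_data: bytes         # qualification data passed with -q (may be empty)
    clock: int
    reset_count: int
    restart_count: int
    safe: bool
    firmware_version: int
    index_name: bytes         # TPM2B_NAME of the certified NV index
    offset: int               # --offset used for the read
    nv_contents: bytes        # the revealed NV data (--size bytes)


def _unpack(fmt: str, buf: bytes, pos: int):
    """Unpack a fixed-size field group, raising ValueError instead of struct.error on truncation."""
    size = struct.calcsize(fmt)
    if pos + size > len(buf):
        raise ValueError(f"truncated structure at offset {pos}")
    return struct.unpack_from(fmt, buf, pos), pos + size


def _tpm2b(buf: bytes, pos: int):
    """Read one TPM2B (UINT16 size + payload) and return (payload, new position)."""
    (size,), pos = _unpack(">H", buf, pos)
    if pos + size > len(buf):
        raise ValueError("TPM2B payload runs past end of buffer")
    return buf[pos:pos + size], pos + size


def parse_nv_attestation(blob: bytes) -> NvAttestation:
    """Unmarshal a TPMS_ATTEST of type TPM_ST_ATTEST_NV, rejecting anything else."""
    (magic, st), pos = _unpack(">IH", blob, 0)
    if magic != TPM_GENERATED:
        raise ValueError(f"bad magic 0x{magic:08x}: not TPM-generated")
    if st != TPM_ST_ATTEST_NV:
        raise ValueError(f"unexpected attestation type 0x{st:04x}")
    qualified_signer, pos = _tpm2b(blob, pos)
    extra_data, pos = _tpm2b(blob, pos)
    # TPMS_CLOCK_INFO: UINT64 clock, UINT32 resetCount, UINT32 restartCount, BYTE safe
    (clock, reset_count, restart_count, safe), pos = _unpack(">QIIB", blob, pos)
    (firmware_version,), pos = _unpack(">Q", blob, pos)
    # TPMS_NV_CERTIFY_INFO: TPM2B_NAME indexName, UINT16 offset, TPM2B_MAX_NV_BUFFER nvContents
    index_name, pos = _tpm2b(blob, pos)
    (offset,), pos = _unpack(">H", blob, pos)
    nv_contents, pos = _tpm2b(blob, pos)
    if pos != len(blob):
        raise ValueError(f"{len(blob) - pos} trailing byte(s) after TPMS_ATTEST")
    return NvAttestation(qualified_signer, extra_data, clock, reset_count, restart_count,
                         safe == 1, firmware_version, index_name, offset, nv_contents)


def check_nv_attestation(att: NvAttestation, signer_name: bytes, index_name: bytes,
                         qualification: bytes = b"", offset: int = 0) -> list:
    """Return a list of mismatches against what the relying party requested (empty means OK)."""
    problems = []
    if att.qualified_signer != signer_name:
        problems.append("qualifiedSigner does not match the expected signing key name")
    if att.index_name != index_name:
        problems.append("indexName does not match the expected NV index name")
    if att.extra_data != qualification:
        problems.append("extraData does not match the qualification data (-q) sent with the request")
    if att.offset != offset:
        problems.append(f"offset {att.offset} != expected {offset}")
    if not att.safe:
        problems.append("clockInfo.safe is 0: the clock value may not be trustworthy")
    return problems


def build_sample_blob(signer_name: bytes, index_name: bytes, qualification: bytes,
                      offset: int, contents: bytes) -> bytes:
    """Marshal a constructed TPMS_ATTEST for offline testing; a real blob comes from the TPM."""
    def tpm2b(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b
    return (struct.pack(">IH", TPM_GENERATED, TPM_ST_ATTEST_NV)
            + tpm2b(signer_name) + tpm2b(qualification)
            + struct.pack(">QIIB", 123456789, 3, 1, 1)      # constructed clock info, safe=1
            + struct.pack(">Q", 0x0001000200030004)        # constructed firmware version
            + tpm2b(index_name) + struct.pack(">H", offset) + tpm2b(contents))


# Constructed sample values; SHA-256 names carry the 2-byte algorithm id 0x000B prefix.
SAMPLE_SIGNER_NAME = b"\x00\x0b" + bytes(range(32))
SAMPLE_INDEX_NAME = b"\x00\x0b" + bytes([0xAA] * 32)
SAMPLE_QUAL = bytes.fromhex("01020304")
SAMPLE_CONTENTS = bytes(range(0x10, 0x30))   # 32 bytes, matching the page's --size 32 example
SAMPLE_BLOB = build_sample_blob(SAMPLE_SIGNER_NAME, SAMPLE_INDEX_NAME, SAMPLE_QUAL, 0, SAMPLE_CONTENTS)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    att = parse_nv_attestation(blob)
    print("index name :", att.index_name.hex())
    print("contents   :", att.nv_contents.hex())
    print("problems   :", check_nv_attestation(att, SAMPLE_SIGNER_NAME, SAMPLE_INDEX_NAME, SAMPLE_QUAL))
```

Run it as `python3 nvattest.py attestation.bin` against the file from the example above; without an argument it parses the constructed sample. Parsing only tells you the blob is well formed: the signature must also be checked, which for the example's `-f plain` RSASSA signature and `-f pem` public key can be done with `openssl dgst -sha256 -verify sslpub.pem -signature signature.bin attestation.bin` (a standard OpenSSL invocation, not from this page). The expected signer name and index name should come from `tpm2_readpublic` and `tpm2_nvreadpublic` on the verifier's own record of those objects, never from the blob itself.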
