% tpm2_pcrallocate(1) tpm2-tools | General Commands Manual


tpm2_pcrallocate(1) - Configure PCRs and bank algorithms.


tpm2_pcrallocate [OPTIONS] [*ARGUMENT]


tpm2_pcrallocate(1) - Allow the user to specify a PCR allocation for the TPM. An allocation is the enabling or disabling of PCRs and it's banks. A PCR can have multiple banks, where each bank is associated with a specific hashing algorithm. Allocation is specified in the argument.

If no allocation is given, then SHA1 and SHA256 banks with PCRs 0 - 23 are allocated.

Allocation is a list of banks and selected pcrs. The values should follow the pcr bank specifiers standards, see section "PCR Bank Specifiers".

The new allocations become effective after the next reboot.

Note: This command requires platform authorization.


  • -P, --auth=AUTH:

    Optional authorization value. Authorization values should follow the "authorization formatting standards", see section "Authorization Formatting".

  • ARGUMENT the command line argument specifies the PCR allocation.

  • --cphash=FILE

    File path to record the hash of the command parameters. This is commonly termed as cpHash. NOTE: When this option is selected, The tool will not actually execute the command, it simply returns a cpHash.


context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

algorithm specifiers details the options for specifying cryptographic algorithms ALGORITHM.

object attribute specifiers details the options for specifying the object attributes ATTRIBUTES.

pcr bank specifiers details the syntax for specifying pcr list.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.


To allocate the two default banks (SHA1 and SHA256)


To make a custom allocation with a platform authorization

tpm2_pcrallocate -P abc sha1:7,8,9,10,16,17,18,19+sha256:all

To completly switch from SHA1 bank to SHA256 with a platform authorization

tpm2_pcrallocate -P abc sha1:none+sha256:all