% tpm2_policyauthvalue(1) tpm2-tools | General Commands Manual
NAME
tpm2_policyauthvalue(1) - Enables binding a policy to the authorization value of the authorized TPM object.
SYNOPSIS
tpm2_policyauthvalue [OPTIONS]
DESCRIPTION
tpm2_policyauthvalue(1) - Enables a policy that requires the object's authentication passphrase be provided. This is equivalent to authenticating using the object passphrase in plaintext or HMAC. It enforces it as a policy. It provides a mechanism to allow for password authentication when an object only allows policy based authorization, ie object attribute "userwithauth" is 0.
OPTIONS
-
-L, --policy=FILE:
File to save the compounded policy digest.
-
-S, --session=FILE:
The policy session file generated via the -S option to tpm2_startauthsession(1).
-
--cphash=FILE
File path to record the hash of the command parameters. This is commonly termed as cpHash. NOTE: When this option is selected, The tool will not actually execute the command, it simply returns a cpHash.
References
common options collection of common options that provide information many users may expect.
common tcti options collection of options used to configure the various known TCTI modules.
EXAMPLES
We want to authenticate using the TPM objects plaintext authentication value. While we could authenticate with an ephemeral password session, in this example we will authenticate with the plaintext passphrase in a policy session instead using the tpm2_policyauthvalue(1) tool.
Create the password policy
tpm2_startauthsession -S session.dat
tpm2_policyauthvalue -S session.dat -L policy.dat
tpm2_flushcontext session.dat
Create the object with a passphrase and the password policy
tpm2_createprimary -C o -c prim.ctx
tpm2_create -g sha256 -G aes -u key.pub -r key.priv -C prim.ctx -L policy.dat \
-p testpswd
Authenticate with plaintext passphrase input
tpm2_load -C prim.ctx -u key.pub -r key.priv -n key.name -c key.ctx
echo "plaintext" > plain.txt
tpm2_encryptdecrypt -c key.ctx -o encrypt.out plain.txt -p testpswd
Authenticate with password and the policy
tpm2_startauthsession --policy-session -S session.dat
tpm2_policyauthvalue -S session.dat
tpm2_encryptdecrypt -c key.ctx -o encrypt.out -p session:session.dat+testpswd \
plain.txt
tpm2_flushcontext session.dat