% tpm2_policycommandcode(1) tpm2-tools | General Commands Manual
NAME
tpm2_policycommandcode(1) - Restrict TPM object authorization to specific TPM commands.
SYNOPSIS
tpm2_policycommandcode [OPTIONS] [ARGUMENT]
DESCRIPTION
tpm2_policycommandcode(1) - Restricts TPM object authorization to specific TPM commands. Useful when you want to allow only specific commands to interact with the TPM object.
As an argument it takes the command as an integer or friendly string value. Friendly string to COMMAND CODE mapping can be found in section COMMAND CODE MAPPINGS.
OPTIONS
-
-S, --session=FILE:
A session file from tpm2_startauthsession(1)'s -S option.
-
-L, --policy=FILE:
File to save the policy digest.
-
ARGUMENT the command line argument specifies TPM2 command code.
-
--cphash=FILE
File path to record the hash of the command parameters. This is commonly termed as cpHash. NOTE: When this option is selected, The tool will not actually execute the command, it simply returns a cpHash.
References
common options collection of common options that provide information many users may expect.
common tcti options collection of options used to configure the various known TCTI modules.
COMMAND CODE MAPPINGS
The friendly strings below can be used en lieu of the raw integer values.
-TPM2_CC_AC_GetCapability: 0x194 -TPM2_CC_AC_Send: 0x195 -TPM2_CC_ActivateCredential: 0x147 -TPM2_CC_Certify: 0x148 -TPM2_CC_CertifyCreation: 0x14a -TPM2_CC_ChangeEPS: 0x124 -TPM2_CC_ChangePPS: 0x125 -TPM2_CC_Clear: 0x126 -TPM2_CC_ClearControl: 0x127 -TPM2_CC_ClockRateAdjust: 0x130 -TPM2_CC_ClockSet: 0x128 -TPM2_CC_Commit: 0x18b -TPM2_CC_ContextLoad: 0x161 -TPM2_CC_ContextSave: 0x162 -TPM2_CC_Create: 0x153 -TPM2_CC_CreateLoaded: 0x191 -TPM2_CC_CreatePrimary: 0x131 -TPM2_CC_DictionaryAttackLockReset: 0x139 -TPM2_CC_DictionaryAttackParameters: 0x13a -TPM2_CC_Duplicate: 0x14b -TPM2_CC_ECC_Parameters: 0x178 -TPM2_CC_ECDH_KeyGen: 0x163 -TPM2_CC_ECDH_ZGen: 0x154 -TPM2_CC_EC_Ephemeral: 0x18e -TPM2_CC_EncryptDecrypt: 0x164 -TPM2_CC_EncryptDecrypt2: 0x193 -TPM2_CC_EventSequenceComplete: 0x185 -TPM2_CC_EvictControl: 0x120 -TPM2_CC_FieldUpgradeData: 0x141 -TPM2_CC_FieldUpgradeStart: 0x12f -TPM2_CC_FirmwareRead: 0x179 -TPM2_CC_FlushContext: 0x165 -TPM2_CC_GetCapability: 0x17a -TPM2_CC_GetCommandAuditDigest: 0x133 -TPM2_CC_GetRandom: 0x17b -TPM2_CC_GetSessionAuditDigest: 0x14d -TPM2_CC_GetTestResult: 0x17c -TPM2_CC_GetTime: 0x14c -TPM2_CC_Hash: 0x17d -TPM2_CC_HashSequenceStart: 0x186 -TPM2_CC_HierarchyChangeAuth: 0x129 -TPM2_CC_HierarchyControl: 0x121 -TPM2_CC_HMAC: 0x155 -TPM2_CC_HMAC_Start: 0x15b -TPM2_CC_Import: 0x156 -TPM2_CC_IncrementalSelfTest: 0x142 -TPM2_CC_Load: 0x157 -TPM2_CC_LoadExternal: 0x167 -TPM2_CC_MakeCredential: 0x168 -TPM2_CC_NV_Certify: 0x184 -TPM2_CC_NV_ChangeAuth: 0x13b -TPM2_CC_NV_DefineSpace: 0x12a -TPM2_CC_NV_Extend: 0x136 -TPM2_CC_NV_GlobalWriteLock: 0x132 -TPM2_CC_NV_Increment: 0x134 -TPM2_CC_NV_Read: 0x14e -TPM2_CC_NV_ReadLock: 0x14f -TPM2_CC_NV_ReadPublic: 0x169 -TPM2_CC_NV_SetBits: 0x135 -TPM2_CC_NV_UndefineSpace: 0x122 -TPM2_CC_NV_UndefineSpaceSpecial: 0x11f -TPM2_CC_NV_Write: 0x137 -TPM2_CC_NV_WriteLock: 0x138 -TPM2_CC_ObjectChangeAuth: 0x150 -TPM2_CC_PCR_Allocate: 0x12b -TPM2_CC_PCR_Event: 0x13c -TPM2_CC_PCR_Extend: 0x182 -TPM2_CC_PCR_Read: 0x17e -TPM2_CC_PCR_Reset: 0x13d -TPM2_CC_PCR_SetAuthPolicy: 0x12c -TPM2_CC_PCR_SetAuthValue: 0x183 -TPM2_CC_Policy_AC_SendSelect: 0x196 -TPM2_CC_PolicyAuthorize: 0x16a -TPM2_CC_PolicyAuthorizeNV: 0x192 -TPM2_CC_PolicyAuthValue: 0x16b -TPM2_CC_PolicyCommandCode: 0x16c -TPM2_CC_PolicyCounterTimer: 0x16d -TPM2_CC_PolicyCpHash: 0x16e -TPM2_CC_PolicyDuplicationSelect: 0x188 -TPM2_CC_PolicyGetDigest: 0x189 -TPM2_CC_PolicyLocality: 0x16f -TPM2_CC_PolicyNameHash: 0x170 -TPM2_CC_PolicyNV: 0x149 -TPM2_CC_PolicyNvWritten: 0x18f -TPM2_CC_PolicyOR: 0x171 -TPM2_CC_PolicyPassword: 0x18c -TPM2_CC_PolicyPCR: 0x17f -TPM2_CC_PolicyPhysicalPresence: 0x187 -TPM2_CC_PolicyRestart: 0x180 -TPM2_CC_PolicySecret: 0x151 -TPM2_CC_PolicySigned: 0x160 -TPM2_CC_PolicyTemplate: 0x190 -TPM2_CC_PolicyTicket: 0x172 -TPM2_CC_PP_Commands: 0x12d -TPM2_CC_Quote: 0x158 -TPM2_CC_ReadClock: 0x181 -TPM2_CC_ReadPublic: 0x173 -TPM2_CC_Rewrap: 0x152 -TPM2_CC_RSA_Decrypt: 0x159 -TPM2_CC_RSA_Encrypt: 0x174 -TPM2_CC_SelfTest: 0x143 -TPM2_CC_SequenceComplete: 0x13e -TPM2_CC_SequenceUpdate: 0x15c -TPM2_CC_SetAlgorithmSet: 0x13f -TPM2_CC_SetCommandCodeAuditStatus: 0x140 -TPM2_CC_SetPrimaryPolicy: 0x12e -TPM2_CC_Shutdown: 0x145 -TPM2_CC_Sign: 0x15d -TPM2_CC_StartAuthSession: 0x176 -TPM2_CC_Startup: 0x144 -TPM2_CC_StirRandom: 0x146 -TPM2_CC_TestParms: 0x18a -TPM2_CC_Unseal: 0x15e -TPM2_CC_Vendor_TCG_Test: 0x20000000 -TPM2_CC_VerifySignature: 0x177 -TPM2_CC_ZGen_2Phase: 0x18d
EXAMPLES
Start a policy session and extend it with a specific command like unseal. Attempts to perform other operations would fail.
Create an unseal-only policy
tpm2_startauthsession -S session.dat
tpm2_policycommandcode -S session.dat -L policy.dat TPM2_CC_Unseal
tpm2_flushcontext session.dat
Create the object with unseal-only auth policy
tpm2_createprimary -C o -c prim.ctx
tpm2_create -C prim.ctx -u sealkey.pub -r sealkey.priv -L policy.dat \
-i- <<< "SEALED-SECRET"
Try unseal operation
tpm2_load -C prim.ctx -u sealkey.pub -r sealkey.priv -n sealkey.name \
-c sealkey.ctx
tpm2_startauthsession --policy-session -S session.dat
tpm2_policycommandcode -S session.dat -L policy.dat TPM2_CC_Unseal
tpm2_unseal -p session:session.dat -c sealkey.ctx
SEALED-SECRET
tpm2_flushcontext session.dat
Try any other operation
echo "Encrypt Me" > plain.txt
tpm2_encryptdecrypt plain.txt -o enc.txt -c sealkey.ctx plain.txt
ERROR: Esys_EncryptDecrypt2(0x12F) - tpm:error(2.0): authValue or authPolicy is
not available for selected entity