% tpm2_policycountertimer(1) tpm2-tools | General Commands Manual
NAME
tpm2_policycountertimer(1) - Enables policy authorization by evaluating the comparison operation on the TPM parameters time, clock, reset count, restart count and TPM clock safe flag.
SYNOPSIS
tpm2_policycountertimer [OPTIONS] [ARGUMENT]
DESCRIPTION
tpm2_policycountertimer(1) - Enables policy authorization by evaluating the comparison operation on the TPM parameters time, clock, reset count, restart count and TPM clock safe flag. If time/clock, it is input as milliseconds value. The parameter and the value is given as a command line argument as below:
tpm2_policycountertimer -S session.ctx safe
tpm2_policycountertimer -S session.ctx clock=<N ms>
tpm2_policycountertimer -S session.ctx time=<N ms>
tpm2_policycountertimer -S session.ctx resets=<N>
tpm2_policycountertimer -S session.ctx restarts=<N>
By default comparison tests for equality and also by default it tests for time.
OPTIONS
-
-L, --policy=FILE:
File to save the policy digest.
-
-S, --session=FILE:
The policy session file generated via the -S option to tpm2_startauthsession or saved off of a previous tool run.
-
--eq
if value of current time in the TPM = value of specified input time.
-
--neq
if value of current time in the TPM != value of specified input time.
- --sgt
if signed value of current time in the TPM > signed value of specified input time.
- --ugt
if unsigned value of current time in the TPM > unsigned value of specified input time.
- --slt
if signed value of current time in the TPM < signed value of specified input time.
- --ult
if unsigned value of current time in the TPM < unsigned value of specified input time.
- --sge
if signed value of current time in the TPM >= signed value of specified input time.
- --uge
if unsigned value of current time in the TPM >= unsigned value of specified input time.
- --sle
if signed value of current time in the TPM <= unsigned value of specified input time.
- --ule
if unsigned value of current time in the TPM <= unsigned value of specified input time.
-
--bs
if all bits set in value of current time in the TPM are set in value of specified input time.
-
--bc
if all bits set in value of current time in the TPM are clear in value of specified input time.
-
--cphash=FILE
File path to record the hash of the command parameters. This is commonly termed as cpHash. NOTE: When this option is selected, The tool will not actually execute the command, it simply returns a cpHash.
References
common options collection of common options that provide information many users may expect.
common tcti options collection of options used to configure the various known TCTI modules.
EXAMPLES
Create a sealing object with an authorization policy that evaluates only for first minute of TPM restart.
Create the policy and the sealing object
tpm2_startauthsession -S session.ctx
tpm2_policycountertimer -S session.ctx -L policy.countertimer --ult 60000
tpm2_flushcontext session.ctx
tpm2_createprimary -C o -c prim.ctx -Q
echo "SUPERSECRET" | \
tpm2_create -Q -u key.pub -r key.priv -i- -C prim.ctx \
-L policy.countertimer -a "fixedtpm|fixedparent" -c key.ctx
Unsealing should work in the first minute after TPM restart
tpm2_startauthsession -S session.ctx --policy-session
tpm2_policycountertimer -S session.ctx --ult 60000
tpm2_unseal -c key.ctx -p session:session.ctx
tpm2_flushcontext session.ctx