% tpm2_policycphash(1) tpm2-tools | General Commands Manual

NAME

tpm2_policycphash(1) - Couples a policy with command parameters of the command.

SYNOPSIS

tpm2_policycphash [OPTIONS]

DESCRIPTION

tpm2_policycphash(1) - Couples a policy with command parameters of the command. This is a deferred assertion where the hash of the command parameters in a TPM command is checked against the one specified in the policy.

OPTIONS

  • -L, --policy=FILE:

    File to save the compounded policy digest.

  • -S, --session=FILE:

    The policy session file generated via the -S option to tpm2_startauthsession(1).

  • --cphash-input=FILE:

    The file containing the command parameter hash of the command.

  • --cphash=FILE:

    DEPRECATED, use --cphash-input instead.

References

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.

EXAMPLES

Restrict the value that can be set through tpm2_nvsetbits.

Define NV index object with authorized policy

openssl genrsa -out signing_key_private.pem 2048
openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
tpm2_loadexternal -G rsa -C o -u signing_key_public.pem -c signing_key.ctx \
-n signing_key.name
tpm2_startauthsession -S session.ctx -g sha256
tpm2_policyauthorize -S session.ctx -L authorized.policy -n signing_key.name
tpm2_flushcontext session.ctx
tpm2_nvdefine 1 -a "policywrite|authwrite|ownerread|nt=bits" -L authorized.policy

Create policycphash

tpm2_nvsetbits 1 -i 1 --cphash cp.hash
tpm2_startauthsession -S session.ctx -g sha256
tpm2_policycphash -S session.ctx -L policy.cphash --cphash cp.hash
tpm2_flushcontext session.ctx

Sign and verify policycphash

openssl dgst -sha256 -sign signing_key_private.pem \
-out policycphash.signature policy.cphash
tpm2_verifysignature -c signing_key.ctx -g sha256 -m policy.cphash \
-s policycphash.signature -t verification.tkt -f rsassa

Satisfy policycphash and execute nvsetbits

tpm2_startauthsession -S session.ctx --policy-session -g sha256
tpm2_policycphash -S session.ctx --cphash cp.hash
tpm2_policyauthorize -S session.ctx -i policy.cphash -n signing_key.name \
-t verification.tkt
tpm2_nvsetbits 1 -i 1 -P "session:session.ctx"
tpm2_flushcontext session.ctx

returns

limitations

footer