% tpm2_policylocality(1) tpm2-tools | General Commands Manual
tpm2_policylocality(1) - Restrict TPM object authorization to specific localities.
tpm2_policylocality [OPTIONS] [ARGUMENT]
tpm2_policylocality(1) - Restricts TPM object authorization to specific TPM locality. Useful when you want to allow only specific locality with the TPM object. A locality indicates the source of the command, for example it could be from the application layer or the driver layer, each would have it's own locality integer. Localities are hints to the TPM and are enforced by the software communicating to the TPM. Thus they are not trusted inputs on their own and are implemented in platform specific ways.
As an argument it takes the LOCALITY as an integer or friendly name.
Localities are fixed to a byte in size and have two representations, locality and extended locality.
Localities 0 through 4 are the normal locality representation and are represented
as set bit indexes. Thus locality 0 is indicated by
1<<0 and locality 4 is
1<<4. Rather then using raw numbers, these localities can also
be specified by the friendly names of:
- zero: locality 0 or
- one: locality 1 or
- two: locality 2 or
- three: locality 3 or
- four: locality 4 or
Anything from the range 32 - 255 are extended localities.
A session file from tpm2_startauthsession(1)'s -S option.
File to save the policy digest.
ARGUMENT the command line argument specifies the locality number.
File path to record the hash of the command parameters. This is commonly termed as cpHash. NOTE: When this option is selected, The tool will not actually execute the command, it simply returns a cpHash.
common options collection of common options that provide information many users may expect.
common tcti options collection of options used to configure the various known TCTI modules.
Start a policy session and extend it with a specific locality number (like 3). Attempts to perform other operations would fail.
Create an policy restricted by locality 3
tpm2_startauthsession -S session.dat tpm2_policylocality -S session.dat -L policy.dat three tpm2_flushcontext session.dat
Create the object with auth policy
tpm2_createprimary -C o -c prim.ctx tpm2_create -C prim.ctx -u sealkey.pub -r sealkey.priv -L policy.dat \ -i- <<< "SEALED-SECRET"
Try unseal operation
tpm2_load -C prim.ctx -u sealkey.pub -r sealkey.priv -n sealkey.name \ -c sealkey.ctx tpm2_startauthsession \--policy-session -S session.dat tpm2_policylocality -S session.dat -L policy.dat three # Change to locality 3, Note: this operation varies on different platforms tpm2_unseal -p session:session.dat -c sealkey.ctx tpm2_flushcontext session.dat