% tpm2_policynvwritten(1) tpm2-tools | General Commands Manual

NAME

tpm2_policynvwritten(1) - Restrict TPM object authorization to the written state of an NV index.

SYNOPSIS

tpm2_policynvwritten [OPTIONS] [ARGUMENT]

DESCRIPTION

tpm2_policynvwritten(1) - Restricts TPM object authorization to the written state of an NV index. Useful when creating write once NV indexes.

As an [ARGUMENT] it takes the expected written state of the NV index. It can be specified as s|c|0|1.

OPTIONS

  • -S, --session=FILE:

    A session file from tpm2_startauthsession(1)'s -S option.

  • -L, --policy=FILE:

    File to save the policy digest.

References

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.

EXAMPLES

Create a write once NV index. To do this the NV index is defined with a write policy that is valid only if the NV index attribute "TPMA_NV_WRITTEN" was never set.

Define the NV index write policy

tpm2_startauthsession -S session.dat
tpm2_policycommandcode -S session.dat TPM2_CC_NV_Write
tpm2_policynvwritten -S session.dat -L nvwrite.policy c
tpm2_flushcontext session.dat

Define the NV index with the policy

 tpm2_nvdefine -s 1 -a "authread|policywrite" -p nvrdpass -L nvwrite.policy

Write the NV index by satisfying the policy

tpm2_startauthsession -S session.dat --policy-session
tpm2_policycommandcode -S session.dat TPM2_CC_NV_Write
tpm2_policynvwritten -S session.dat c
echo 0xAA | xxd -r -p | tpm2_nvwrite 0x01000000 -i- -P session:session.dat
tpm2_flushcontext session.dat

returns

limitations

footer