% tpm2_policynvwritten(1) tpm2-tools | General Commands Manual
# NAME

**tpm2_policynvwritten**(1) - Restrict TPM object authorization to the written state of an NV index.

# SYNOPSIS

**tpm2_policynvwritten** [*OPTIONS*] [*ARGUMENT*]

# DESCRIPTION

**tpm2_policynvwritten**(1) - Restricts TPM object authorization to the written state of an NV index, i.e. to whether the index's **TPMA_NV_WRITTEN** attribute is set. Useful when creating write-once NV indexes.

As an [*ARGUMENT*] it takes the expected written state of the NV index, specified as s|c|0|1: **s** or **1** requires the index to have been written (attribute set), **c** or **0** requires that it has never been written (attribute clear).

# OPTIONS

  * **-S**, **\--session**=_FILE_:

    A session file from **tpm2_startauthsession**(1)'s **-S** option.

  * **-L**, **\--policy**=_FILE_:

    File to save the policy digest.

  * **\--cphash**=_FILE_:

    File path to record the hash of the command parameters. This is commonly termed the cpHash. NOTE: when this option is selected, the tool does not actually execute the command; it only returns the cpHash.

## References

common options: a collection of common options that provide information many users may expect.

common tcti options: a collection of options used to configure the various known TCTI modules.

# EXAMPLES

Create a write-once NV index. To do this the NV index is defined with a write policy that is valid only if the NV index attribute "TPMA_NV_WRITTEN" was never set. Once the first successful write sets that attribute, the policy can no longer be satisfied and any further write is rejected.

## Define the NV index write policy

```bash
tpm2_startauthsession -S session.dat

tpm2_policycommandcode -S session.dat TPM2_CC_NV_Write

tpm2_policynvwritten -S session.dat -L nvwrite.policy c

tpm2_flushcontext session.dat
```

## Define the NV index with the policy

```bash
tpm2_nvdefine -s 1 -a "authread|policywrite" -p nvrdpass -L nvwrite.policy
```

## Write the NV index by satisfying the policy

```bash
tpm2_startauthsession -S session.dat --policy-session

tpm2_policycommandcode -S session.dat TPM2_CC_NV_Write

tpm2_policynvwritten -S session.dat c

echo 0xAA | xxd -r -p | tpm2_nvwrite 0x01000000 -i- -P session:session.dat

tpm2_flushcontext session.dat
```
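The digest that the trial session above accumulates can also be derived offline, so the `nvwrite.policy` file saved with **-L** can be checked against an independent expectation before **tpm2_nvdefine** binds it to the index. This is an added example and not part of tpm2-tools; it assumes the session's default sha256 hash and implements the two digest-extension rules for TPM2_PolicyCommandCode and TPM2_PolicyNvWritten from the TPM 2.0 Library Specification, Part 3.

```python
"""Offline re-derivation of the write-once policy digest built in EXAMPLES.

Added example, not tpm2-tools code. Digest extension rules (TPM 2.0 Part 3):
  PolicyCommandCode: new = H(old || TPM_CC_PolicyCommandCode || code)
  PolicyNvWritten:   new = H(old || TPM_CC_PolicyNvWritten   || writtenSet)
where code is a 4-byte TPM_CC and writtenSet a 1-byte TPMI_YES_NO.
"""
import hashlib

# TPM_CC command codes from TPM 2.0 Library Specification, Part 2.
TPM_CC_NV_WRITE = 0x00000137
TPM_CC_POLICY_COMMAND_CODE = 0x0000016C
TPM_CC_POLICY_NV_WRITTEN = 0x0000018F


def parse_written_state(arg: str) -> int:
    """Map the tool's s|c|0|1 ARGUMENT to the one-byte writtenSet value."""
    table = {"s": 1, "1": 1, "c": 0, "0": 0}
    if arg not in table:
        raise ValueError("expected one of s|c|0|1, got %r" % arg)
    return table[arg]


def policy_command_code(old: bytes, code: int, alg: str = "sha256") -> bytes:
    """Extend the policy digest the way TPM2_PolicyCommandCode does."""
    data = old + TPM_CC_POLICY_COMMAND_CODE.to_bytes(4, "big") + code.to_bytes(4, "big")
    return hashlib.new(alg, data).digest()


def policy_nv_written(old: bytes, written_set: int, alg: str = "sha256") -> bytes:
    """Extend the policy digest the way TPM2_PolicyNvWritten does."""
    data = old + TPM_CC_POLICY_NV_WRITTEN.to_bytes(4, "big") + bytes([written_set])
    return hashlib.new(alg, data).digest()


def write_once_policy(state: str = "c", alg: str = "sha256") -> bytes:
    """Digest of PolicyCommandCode(TPM2_CC_NV_Write) followed by PolicyNvWritten(state).

    A fresh session starts from an all-zero digest sized to the session hash
    (sha256 is tpm2_startauthsession's default), exactly as the trial session does.
    """
    digest = bytes(hashlib.new(alg).digest_size)
    digest = policy_command_code(digest, TPM_CC_NV_WRITE, alg)
    return policy_nv_written(digest, parse_written_state(state), alg)


def matches_policy_file(policy_file_bytes: bytes, state: str = "c") -> bool:
    """True if the raw digest saved by -L equals the offline expectation."""
    return policy_file_bytes == write_once_policy(state)


if __name__ == "__main__":
    print(write_once_policy().hex())  # compare with: xxd -p nvwrite.policy
```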