% tpm2_ticket(1) tpm2-tools | General Commands Manual
NAME
tpm2_ticket(1) - Enables policy authorization by verifying a ticket that represents a validated authorization that had an expiration time associated with it.
SYNOPSIS
tpm2_ticket [OPTIONS]
DESCRIPTION
tpm2_ticket(1) - Enables policy authorization by verifying a ticket that represents a validated authorization that had an expiration time associated with it.
OPTIONS
- -L, --policy=FILE:
  File to save the compounded policy digest.
- -S, --session=FILE:
  The policy session file generated via the -S option to tpm2_startauthsession(1).
- -n, --name=FILE:
  Name of the object that validated the authorization.
- --ticket=FILE:
  The ticket file to record the authorization ticket structure.
- --timeout=FILE:
  The file path to record the timeout structure returned.
- -q, --qualification=FILE_OR_HEX_STR:
  Optional, the policy qualifier data that the signer can choose to include in the signature. Can be either a hex string or a file path.
References
- common options: a collection of common options that provide information many users may expect.
- common tcti options: a collection of options used to configure the various known TCTI modules.
EXAMPLES
Authorize a TPM operation on an object whose authorization is bound to a specific signing authority.

Create the signing authority and load the verification key

```bash
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
tpm2_loadexternal -C o -G rsa -u public.pem -c signing_key.ctx \
-n signing_key.name
```

Generate the signature with the expiry time

```bash
# FFFFFE0C is the big-endian INT32 encoding of -500; a negative expiration
# asks the TPM to return a ticket and timeout.
EXPIRYTIME="FFFFFE0C"
echo $EXPIRYTIME | xxd -r -p | \
openssl dgst -sha256 -sign private.pem -out signature.dat
```

Create the policy

```bash
tpm2_startauthsession -S session.ctx
tpm2_policysigned -S session.ctx -g sha256 -s signature.dat -f rsassa \
-c signing_key.ctx -L policy.signed
tpm2_flushcontext session.ctx
```

Create a sealing object

```bash
tpm2_createprimary -C o -c prim.ctx -Q
echo "plaintext" > secret.dat
tpm2_create -u sealing_key.pub -r sealing_key.priv -c sealing_key.ctx \
-C prim.ctx -i secret.dat -L policy.signed -Q
```

Create a ticket-able policy

```bash
tpm2_startauthsession -S session.ctx --nonce-tpm=nonce.test --policy-session
# The signed message is nonceTPM followed by the expiration, in that order,
# so the two commands must run sequentially (not with cat in the background).
{ cat nonce.test; echo $EXPIRYTIME | xxd -r -p; } | \
openssl dgst -sha256 -sign private.pem -out signature.dat
tpm2_policysigned -S session.ctx -g sha256 -s signature.dat -f rsassa \
-c signing_key.ctx -x nonce.test --ticket tic.ket --timeout time.out \
-t 0xFFFFFE0C
tpm2_flushcontext session.ctx
```

Test with policyticket instead of policysigned

```bash
tpm2_startauthsession -S session.ctx --policy-session
tpm2_policyticket -S session.ctx -n signing_key.name --ticket tic.ket \
--timeout time.out
tpm2_unseal -p session:session.ctx -c sealing_key.ctx
```
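As an added worked example (not tpm2-tools code), the Python below reproduces offline the two pieces of bookkeeping the procedure above depends on: the message the signer hashes (nonceTPM || expiration, where FFFFFE0C is the INT32 encoding of -500) and the policy-digest extension that PolicySigned and a signed-authorization ticket both perform, which is why an object sealed under policy.signed unseals through tpm2_policyticket. The signing-key name is a constructed value; the TPM_CC and TPM_ST constants are from the TPM 2.0 specification.

```python
"""Offline bookkeeping for the PolicySigned / PolicyTicket example (worked example)."""
import hashlib
import struct

# TPM 2.0 Part 2 constants
TPM_CC_POLICYSIGNED = 0x00000160
TPM_CC_POLICYSECRET = 0x00000151
TPM_ST_AUTH_SECRET = 0x8023   # ticket produced by PolicySecret
TPM_ST_AUTH_SIGNED = 0x8024   # ticket produced by PolicySigned
TPM_ALG_SHA256 = 0x000B


def expiration_bytes(seconds: int) -> bytes:
    """Big-endian INT32 expiration; -500 encodes as FFFFFE0C (the page's EXPIRYTIME)."""
    return struct.pack(">i", seconds)


def signed_message(nonce_tpm: bytes, expiration: int,
                   cp_hash: bytes = b"", policy_ref: bytes = b"") -> bytes:
    """Bytes the authority signs: nonceTPM || expiration || cpHashA || policyRef.
    The first example signs with an empty nonce, the ticket-able one with the
    nonce from --nonce-tpm; cpHashA and policyRef are empty on this page."""
    return nonce_tpm + expiration_bytes(expiration) + cp_hash + policy_ref


def extend_policy_signed(policy_digest: bytes, auth_name: bytes,
                         policy_ref: bytes = b"") -> bytes:
    """PolicySigned digest update: H(old || TPM_CC_PolicySigned || Name), then H(.. || policyRef)."""
    step = hashlib.sha256(policy_digest + struct.pack(">I", TPM_CC_POLICYSIGNED)
                          + auth_name).digest()
    return hashlib.sha256(step + policy_ref).digest()


def extend_policy_ticket(policy_digest: bytes, auth_name: bytes, ticket_tag: int,
                         policy_ref: bytes = b"") -> bytes:
    """PolicyTicket reuses the command code of the command that made the ticket,
    so a TPM_ST_AUTH_SIGNED ticket yields exactly the PolicySigned digest."""
    cc = {TPM_ST_AUTH_SIGNED: TPM_CC_POLICYSIGNED,
          TPM_ST_AUTH_SECRET: TPM_CC_POLICYSECRET}[ticket_tag]
    step = hashlib.sha256(policy_digest + struct.pack(">I", cc) + auth_name).digest()
    return hashlib.sha256(step + policy_ref).digest()


def demo() -> bool:
    """Constructed key name (alg id || digest); both paths must agree."""
    name = struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(b"constructed public area").digest()
    start = b"\x00" * 32  # fresh policy session digest
    return extend_policy_signed(start, name) == extend_policy_ticket(start, name, TPM_ST_AUTH_SIGNED)
```

The ticket itself is an HMAC under a TPM-internal proof value and cannot be recomputed outside the TPM; this only reproduces what the caller and the policy digest see.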