% tpm2_stirrandom(1) tpm2-tools | General Commands Manual
tpm2_stirrandom(1) - Add "additional information" into TPM RNG state.
tpm2_stirrandom [OPTIONS] [ARGUMENT]
tpm2_stirrandom(1) - Inject "additional information" as bytes into TPM entropy Protected Capability pool.
"Additional information" can be extracted from file specified as argument or being read from STDIN if argument is not specified.
Up to 128 bytes can be injected at once through standard input to tpm2_stirrandom(1).
If input file is larger than 128 bytes, tpm2_stirrandom(1) will fail.
Adding data through tpm2_stirrandom(1) will trigger a reseeding of TPM DRBG Protected Capability. It is used when performing any sensitive action on a shielded location such as loading a persistent key or acting on a Protected Capability like updating TPM firmware.
This command has no option
common options collection of common options that provide information many users may expect.
common tcti options collection of options used to configure the various known TCTI modules.)
Inject from stdin using echo
echo -n "myrandomdata" | tpm2_stirrandom
Inject 64 bytes from stdin using a file
dd if=/dev/urandom bs=1 count=64 > myrandom.bin tpm2_stirrandom < ./myrandom.bin
Inject bytes from a file and reading up to 128 bytes
dd if=/dev/urandom of=./myrandom.bin bs=1 count=42 tpm2_stirrandom ./myrandom.bin
Please be aware that even if the "additional information" added by tpm2_stirrandom(1) can be entropy gathered from other DRBG sources, the TPM has no way of determining if the value has any entropy or not. As a consequence, it will just be considered as "additional input".
The "additional input" is as defined in NIST SP800-90A