SIGNED_TPM2_POLICY(1) User Commands SIGNED_TPM2_POLICY(1)

NAME

signed_tpm2_policy - add, remove and list signed policies

SYNOPSIS

signed_tpm2_policy <cmd> [options] <tpmkey> [<arg>]

DESCRIPTION

<cmd> is one of add, rm or ls. For add, <arg> is the private key that signs the new policy; for rm, <arg> is the number of the policy to remove, as shown by ls. ls takes no <arg>.

OPTIONS

--auth: require a password for the key [default: NO].

--help: print this help message.

Specify a policy for the TPM key.

Create an importable key with the outer wrapper encrypted to <pubkey>.

--pcr-lock <pcrs>: lock the key to the current values of the specified PCRs. See PCR VALUES for the format of <pcrs>.

Restrict use of the key to the set of localities described by the <loc> bitmap.

Add a signed policy directive that allows policies signed by the specified public <key> to authorize use of the key.

--secret <handle>: tie authorization of the key to the authorization of a different object identified by <handle>. See SECRETS IN OTHER OBJECTS.

--name <name>: optional name to annotate the policy with.

PCR VALUES

The PCR values are specified as

<bank>:<list>

where <bank> is any PCR hash bank supported by the TPM and <list> specifies the PCRs to lock the key to, as comma separated individual PCR numbers, comma separated inclusive ranges, or a mixture of both. So

sha256:1,3 means PCRs 1 and 3 in the sha256 bank

sha512:1,3-5 means PCRs 1, 3, 4 and 5 in the sha512 bank
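The following parser is an added example, not code from openssl_tpm2_engine: it turns a <bank>:<list> specification into a bank name and a 32-bit PCR bitmask (the shape a TPM2 PCR selection takes), accepting single PCRs and inclusive ranges exactly as described above. It also rejects the inputs a practitioner should never let through silently: an unknown bank, a PCR index outside 0-23, a reversed range such as 5-3, an empty list, or a trailing comma. The bank names and the 24-PCR limit are this example's assumptions (the real tool accepts whatever banks the TPM reports).

```c
/* Added example, not part of openssl_tpm2_engine: parse a --pcr-lock
 * specification of the form <bank>:<list> into a hash bank name and a
 * 32-bit PCR bitmask (bit n set means PCR n is selected).
 * Malformed input is rejected rather than locking the key to the wrong PCRs. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PCR 24  /* assumption: PC-client TPMs implement PCRs 0-23 */

/* Banks this example recognises (assumption; the real tool asks the TPM). */
static const char *const known_banks[] = { "sha1", "sha256", "sha384", "sha512", NULL };

static int bank_ok(const char *bank)
{
    for (int i = 0; known_banks[i]; i++)
        if (strcmp(bank, known_banks[i]) == 0)
            return 1;
    return 0;
}

/* Parse one decimal PCR index at *p and advance *p past it; -1 on error. */
static int parse_pcr(const char **p)
{
    if (!isdigit((unsigned char)**p))   /* also rejects '+', '-' and empty */
        return -1;
    char *end;
    long v = strtol(*p, &end, 10);
    if (v < 0 || v >= MAX_PCR)
        return -1;
    *p = end;
    return (int)v;
}

/* Returns 0 on success, filling bank (up to banklen bytes) and *mask.
 * Returns -1 on a syntax error, unknown bank, out-of-range PCR,
 * reversed range, empty list or trailing comma. */
int parse_pcr_lock(const char *spec, char *bank, size_t banklen, uint32_t *mask)
{
    const char *colon = strchr(spec, ':');
    if (!colon || colon == spec)
        return -1;                       /* no bank given */
    size_t blen = (size_t)(colon - spec);
    if (blen >= banklen)
        return -1;
    memcpy(bank, spec, blen);
    bank[blen] = '\0';
    if (!bank_ok(bank))
        return -1;

    const char *p = colon + 1;
    if (*p == '\0')
        return -1;                       /* empty list would lock to nothing */
    uint32_t m = 0;
    for (;;) {
        int lo = parse_pcr(&p);
        if (lo < 0)
            return -1;
        int hi = lo;
        if (*p == '-') {                 /* inclusive range lo-hi */
            p++;
            hi = parse_pcr(&p);
            if (hi < 0 || hi < lo)
                return -1;               /* "5-3" is a reversed range */
        }
        for (int i = lo; i <= hi; i++)
            m |= 1u << i;
        if (*p == '\0')
            break;
        if (*p != ',')
            return -1;                   /* stray character after a PCR */
        p++;                             /* a trailing ',' fails on the next parse_pcr */
    }
    *mask = m;
    return 0;
}

/* Convenience wrapper: the mask as a long, or -1 if the spec is rejected. */
long pcr_mask_or_neg(const char *spec)
{
    char bank[16];
    uint32_t mask;
    return parse_pcr_lock(spec, bank, sizeof bank, &mask) == 0 ? (long)mask : -1;
}

int main(int argc, char **argv)
{
    const char *spec = argc > 1 ? argv[1] : "sha512:1,3-5";
    char bank[16];
    uint32_t mask;
    if (parse_pcr_lock(spec, bank, sizeof bank, &mask) != 0) {
        fprintf(stderr, "bad PCR specification: %s\n", spec);
        return 1;
    }
    printf("bank=%s mask=0x%06x PCRs:", bank, mask);
    for (int i = 0; i < MAX_PCR; i++)
        if (mask & (1u << i))
            printf(" %d", i);
    printf("\n");
    return 0;
}
```

Run it with a specification as the first argument, e.g. sha512:1,3-5 yields PCRs 1, 3, 4 and 5 in the sha512 bank; sha256:5-3 or sha256:24 exits with an error instead of producing a mask.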

SECRETS IN OTHER OBJECTS

When the option --secret <handle> is used, it creates a policy whose authorization is conditioned on the password of a different object identified by <handle>. Usually this is a permanent NV index, but it could be any object. The point of this policy is that the password can be changed without touching the key at all: changing the authorization of the other object is enough. Because OpenSSL can only request a single password for a key, a key with a --secret policy may not additionally use the --auth option to also require the password embedded in the key itself.

EXAMPLES

list all signed policies attached to key.tpm:

signed_tpm2_policy ls key.tpm

The output is a numbered list of policies (with optional names); the number is what rm takes as its argument.

remove the first policy:

signed_tpm2_policy rm key.tpm 1

add a new policy named 'thispolicy' locked to PCR 16 of the sha256 bank, signed with the private key policy.key:

signed_tpm2_policy add --name thispolicy --pcr-lock sha256:16 key.tpm policy.key

REPORTING BUGS

Report bugs to <openssl-tpm2-engine@groups.io>

SEE ALSO

create_tpm2_key(1)

April 2024 SIGNED_TPM2_POLICY(1)