Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

tpm_quote_tools(8) [centos man page]

TPM QUOTE 
TOOLS(8)														TPM QUOTE TOOLS(8)

NAME

       TPM Quote Tools

PROGRAMS

       tpm_mkuuid, tpm_mkaik, tpm_loadkey, tpm_unloadkey, tpm_getpcrhash, tpm_updatepcrhash, tpm_getquote, tpm_verifyquote

DESCRIPTION

       TPM Quote Tools is a collection of programs that provide support for TPM based attestation using the TPM quote operation.

       A  TPM  contains  a set of Platform Configuration Registers (PCRs).  In a well configured machine, some of these registers are set to known
       values during the boot up process or at other times.  For example, a PCR might contain the hash of a boot loader in  memory  before  it	is
       run.

       The  TPM  quote operation is used to authoritatively verify the contents of a TPM's Platform Configuration Registers (PCRs).  During provi-
       sioning, a composite hash of a selected set of PCRs is computed.  The TPM quote operation produces a composite hash that  can  be  compared
       with the one computed while provisioning.

       To  use the TPM quote operation, keys must be generated.  During provisioning, an Attestation Identity Key (AIK) is generated for each TPM,
       and the public part of the key is made available to entities that validate quotes.

       The TPM quote operation returns signed data and a signature.  The data that is signed contains the PCRs selected  for  the  operation,  the
       composite  hash	for  the selected PCRs, and a nonce provided as input, and used to prevent replay attacks.  At provisioning time, the data
       that is signed is stored, not just the composite hash.  The signature is discarded.

       An entity that wishes to evaluate a machine generates a nonce, and sends it along with the set of PCR used to generate  the  composite  PCR
       hash at provisioning time.  For this use of the TPM quote operation, the signed data is ignored, and the signature returned is used to val-
       idate the state of the TPM's PCRs.  Given the signature, the evaluating entity replaces the nonce in the signed data  generated	at  provi-
       sioning	time,  and  checks to see if the signature is valid for the data.  If so, this check ensures the selected PCRs contain values that
       match the ones measured during provisioning.

       A typical scenario for an enterprise using these tools follows.	The tools expect AIKs to be referenced via one enterprise-wide Universally
       Unique Identifier (UUID).  The program tpm_mkuuid creates one.

       For  each  machine  being  checked,  an	AIK  is  created using tpm_mkaik.  The key blob produced is bound to the UUID on its machine using
       tpm_loadkey.  The public key associated with the AIK is sent to the entities that verify quotes.  Finally, the expected PCR composite  hash
       is obtained using tpm_getpcrhash.  When the expected PCR values change, a new hash can be generated with tpm_updatepcrhash.

       The  program  to  obtain  a  quote,  and  thus  measure the current state of the PCRs is tpm_getquote.  The program that verifies the quote
       describes the same PCR composite hash as was measured initially is tpm_verifyquote.

SEE ALSO

       tpm_mkuuid(8), tpm_mkaik(8), tpm_loadkey(8), tpm_unloadkey(8), tpm_getpcrhash(8), tpm_updatepcrhash(8), tpm_getquote(8), tpm_verifyquote(8)

								     Oct 2010							TPM QUOTE TOOLS(8)

Check Out this Related Man Page

Tspi_TPM_GetCapability(3)				     Library Functions Manual					 Tspi_TPM_GetCapability(3)

						     TCG Software Stack Developer's Reference

NAME

       Tspi_TPM_GetCapability - get information on the capabilities of the TPM

SYNOPSIS

       #include <tss/platform.h>
       #include <tss/tcpa_defines.h>
       #include <tss/tcpa_typedef.h>
       #include <tss/tcpa_struct.h>
       #include <tss/tss_typedef.h>
       #include <tss/tss_structs.h>
       #include <tss/tspi.h>

       TSS_RESULT Tspi_TPM_GetCapability(TSS_HTPM hTPM, 	     TSS_FLAG capArea,
					 UINT32   ulSubCapLength,    BYTE*    rgbSubCap,
					 UINT32*  pulRespDataLength, BYTE**   prgbRespData);

DESCRIPTION

       Tspi_TPM_GetCapability  gets  information  on various capabilities of the TPM. This command can be used to learn how many PCRs the TPM sup-
       ports, etc.

PARAMETERS

   hTPM
       The hTPM parameter is used to specify the handle of the TPM object.

   capArea
       The capArea parameter is the flag indicating the attribute to query. Possible values are:

   ulSubCapLength
       The ulSubCapLength parameter is the length in bytes of the rgbSubCap parameter.

   rgbSubCap
       The rgbSubCap parameter is the data indicating the attribute to query. Possible values are:

   pulRespDataLength
       The pulRespDataLength parameter is the length in bytes of the prgbRespData parameter.

   prgbRespData
       The prgbRespData parameter receives a pointer to the actual data of the specified attribute.

NOTES

       The following Capability Areas and Sub-Capability Areas are supported by 1.1 TSS's:

       TSS_TPMCAP_ORD - query whether an ordinal is supported by the TPM.
	       subCaps: TPM_ORD_* (see tcpa_literals.h)

       TSS_TPMCAP_FLAG - query for the volatile and non-volatile flags inside the TPM. (Must be owner authorized). In this case, the 2 UINT32 val-
       ues will be returned concatenated together in prgbRespData.
	       subCaps: ignored.

       TSS_TPMCAP_ALG - query whether an algorithm is supported by the TPM.
	       subCaps: TSS_ALG_RSA
			TSS_ALG_DES
			TSS_ALG_3DES
			TSS_ALG_SHA
			TSS_ALG_HMAC
			TSS_ALG_AES

       TSS_TPMCAP_PROPERTY - query a property of the TPM.
	       subCaps: TSS_TPMCAP_PROP_PCR
			TSS_TPMCAP_PROP_DIR
			TSS_TPMCAP_PROP_MANUFACTURER
			TSS_TPMCAP_PROP_SLOTS

       TSS_TPMCAP_VERSION - get the TSS_VERSION structure tha identifies the TPM.
	       subCaps: ignored.

RETURN CODES

       Tspi_TPM_GetCapability returns TSS_SUCCESS on success, otherwise one of the following values is returned:

       TSS_E_INVALID_HANDLE
	      hTPM is not a valid handle.

       TSS_E_INTERNAL_ERROR
	      An internal SW error has been detected.

       TSS_E_BAD_PARAMETER
	      One or more parameters is bad.

CONFORMING TO

       Tspi_TPM_GetCapability conforms to the Trusted Computing Group Software Specification version 1.1 Golden

SEE ALSO

       Tspi_TPM_GetCapabilitySigned(3), Tspi_TPM_GetEvent(3).

TSS 1.1 							    2004-05-25						 Tspi_TPM_GetCapability(3)
Man Page