man pages section 1M: System Administration Commands, Oracle Solaris 11 Information Library
tpmadm - administer Trusted Platform Module

SYNOPSIS
    tpmadm status
    tpmadm init
    tpmadm clear [owner | lock]
    tpmadm auth
    tpmadm keyinfo [uuid]
    tpmadm deletekey uuid
    tpmadm pcrextend pcr [filename]
    tpmadm pcrreset pcr
DESCRIPTION
    A Trusted Platform Module (TPM) is a hardware component that provides protected key storage and reliable measurements of the software used to boot the operating system. The tpmadm utility is used to initialize and administer the TPM so that it can be used by the operating system and other programs.

    The TPM subsystem can store and manage an unlimited number of keys for use by the operating system and by users. Each key is identified by a Universally Unique Identifier, or UUID.

    Although the TPM can hold only a limited number of keys at any given time, the supporting software automatically loads and unloads keys as needed. When a key is stored outside the TPM, it is always encrypted or "wrapped" by its parent key, so that the key is never exposed in readable form outside the TPM.

    Before the TPM can be used, it must be initialized by the platform owner. This process involves setting an owner password, which is used to authorize privileged operations.

    Although the TPM owner is similar to a traditional superuser, there are two important differences. First, process privilege is irrelevant for access to TPM functions: all privileged operations require knowledge of the owner password, regardless of the privilege level of the calling process. Second, the TPM owner is not able to override access controls for data protected by TPM keys. The owner can effectively destroy data by re-initializing the TPM, but cannot access data that has been encrypted using TPM keys owned by other users.
SUBCOMMANDS
    The following subcommands are used in the form:

        # tpmadm <subcommand> [operand]
    status
        Report status information about the TPM. Output includes basic information about whether ownership of the TPM has been established, current PCR contents, and the usage of TPM resources such as communication sessions and loaded keys.

    init
        Initialize the TPM for use. This involves taking ownership of the TPM by setting the owner authorization password. Taking ownership of the TPM creates a new storage root key, which is the ancestor of all keys created by this TPM. Once this command is issued, the TPM must be reset using BIOS operations before it can be re-initialized.

    auth
        Change the owner authorization password for the TPM.

    clear lock
        Clear the count of failed authentication attempts. After a number of failed authentication attempts, the TPM responds more slowly to subsequent attempts, in an effort to thwart attempts to find the owner password by exhaustive search. This command, which requires the correct owner password, resets the count of failed attempts.

    clear owner
        Deactivate the TPM and return it to an unowned state. This operation, which requires the current TPM owner password, invalidates all keys and data tied to the TPM. Before the TPM can be used again, the system must be restarted, the TPM must be reactivated from the BIOS or ILOM pre-boot environment, and the TPM must be re-initialized using the tpmadm init command.

    keyinfo [uuid]
        Report information about keys stored in the TPM subsystem. Without additional arguments, this subcommand produces a brief listing of all keys. If the UUID of an individual key is specified, detailed information about that key is displayed.

    deletekey uuid
        Delete the key with the specified UUID from the TPM subsystem's persistent storage.

    pcrextend pcr [filename]
        Create an SHA-1 hash of the contents of filename and perform a PCR Extend operation on the indicated PCR using the hash value as the data to be extended. If a filename is not specified, the data is read from stdin.

    pcrreset pcr
        Reset the indicated PCR to its initial state (all zeros).
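The pcrextend and pcrreset subcommands above drive two TPM 1.2 register operations whose behaviour is easy to get wrong when reading back `tpmadm status` output. The following Python is an added illustration, not part of the Oracle man page and not tpmadm's own code: it models the TPM 1.2 extend rule, PCR_new = SHA-1(PCR_old || measurement), with the measurement being the SHA-1 of the file contents as pcrextend computes it, and models pcrreset as returning the all-zeros register. The function names and the sample "boot file" contents are constructed for the example. It also goes one step beyond the page by replaying a measurement log from the reset state, which is the check an attestation verifier performs to decide whether a reported PCR value is consistent with a claimed list of files.

```python
"""Illustrative model of the TPM 1.2 PCR Extend / PCR Reset operations that
tpmadm pcrextend and tpmadm pcrreset drive (example code, not the tpmadm
source).  TPM 1.2 rule:  PCR_new = SHA-1(PCR_old || measurement), where
tpmadm supplies measurement = SHA-1(file contents)."""
import hashlib

PCR_SIZE = 20  # every TPM 1.2 PCR is one SHA-1 digest, 20 bytes


def pcr_reset() -> bytes:
    """Initial state of a PCR, all zeros (what tpmadm pcrreset produces)."""
    return bytes(PCR_SIZE)


def measure(data: bytes) -> bytes:
    """SHA-1 of the file contents: the value tpmadm pcrextend hands to the TPM."""
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """One PCR Extend: hash the old register value concatenated with the measurement."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR and measurement must both be 20-byte SHA-1 values")
    return hashlib.sha1(pcr + measurement).digest()


def extend_files(pcr: bytes, contents: list) -> bytes:
    """Extend a PCR with each file's contents in order, as repeated pcrextend calls would."""
    for blob in contents:
        pcr = pcr_extend(pcr, measure(blob))
    return pcr


def verify_measurement_log(expected_pcr: bytes, log_entries: list) -> bool:
    """Attestation-style check: replay the claimed log from a reset PCR and
    compare with the register value the TPM reports.  Any missing, altered,
    or reordered entry makes the replay diverge."""
    return extend_files(pcr_reset(), log_entries) == expected_pcr


# Constructed sample "files" standing in for boot components (not real images).
BOOT_FILES = [
    b"unix kernel image (constructed sample)",
    b"boot archive (constructed sample)",
]

if __name__ == "__main__":
    final = extend_files(pcr_reset(), BOOT_FILES)
    print("PCR after extending both files:", final.hex())

    # Extend is order sensitive: the same files in a different order give a different PCR.
    swapped = extend_files(pcr_reset(), list(reversed(BOOT_FILES)))
    print("same files, reversed order:    ", swapped.hex())

    # A one-byte change in any measured file breaks the replay check.
    tampered = [BOOT_FILES[0], BOOT_FILES[1] + b"!"]
    print("genuine log verifies:", verify_measurement_log(final, BOOT_FILES))
    print("tampered log verifies:", verify_measurement_log(final, tampered))
```

Because a PCR can only be extended or reset, not written, the value shown by `tpmadm status` after pcrreset is the only state from which a log can be replayed; a verifier that sees a non-zero starting value, or a PCR that does not match the replay, should treat the measurement chain as untrustworthy.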
EXIT STATUS
    After completing the requested operation, tpmadm exits with one of the following status values.

    Successful termination.

    Failure. The requested operation could not be completed.

    Usage error. The tpmadm command was invoked with invalid arguments.
ATTRIBUTES
    See attributes(5) for descriptions of the following attributes:
SEE ALSO
    See also the tcsd(8) man page, available in the SUNWtss package.

    TCG Software Stack (TSS) Specifications: https://www.trustedcomputinggroup.org/specs/TSS (as of the date of publication)
NOTES
    tpmadm communicates with the TPM device through the tcsd service. tcsd must be running before using the tpmadm command. If tcsd is not running, tpmadm will generate the following error:

        Connect context: Communication failure (0x3011)

    See tcsd(8) for more details.
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.