Relative path: ./../../../../../../usr/man/man8/tpmadm.8
Real path: /usr/share/man/man8/tpmadm.8
tpmadm(8)                System Administration Commands                tpmadm(8)
Oracle Solaris 11.4, 21 Jun 2021
Copyright (c) 2009, 2021, Oracle and/or its affiliates.

NAME
    tpmadm - administer Trusted Platform Module

SYNOPSIS
    tpmadm status
    tpmadm init
    tpmadm clear [lock | owner]
    tpmadm auth
    tpmadm keyinfo [uuid]
    tpmadm deletekey uuid
    tpmadm migrate export UUID [MigDataFile MigKeyfile]
    tpmadm migrate import [MigDataFile MigKeyfile [ParentUUID] NewKeyUUID]
    tpmadm failover
    tpmadm pcrextend pcr [filename]
    tpmadm pcrreset pcr

DESCRIPTION
    A Trusted Platform Module (TPM) is a hardware component that provides
    for protected key storage and reliable measurements of software used to
    boot the operating system. The tpmadm utility is used to initialize and
    administer the TPM so that it can be used by the operating system and
    other programs.

    The TPM subsystem can store and manage an unlimited number of keys for
    use by the operating system and by users. Each key is identified by a
    Universally Unique Identifier, or UUID.

    Although the TPM can hold only a limited number of keys at any given
    time, the supporting software automatically loads and unloads keys as
    needed. When a key is stored outside the TPM, it is always encrypted or
    "wrapped" by its parent key so that the key is never exposed in readable
    form outside the TPM.

    Before the TPM can be used, it must be initialized by the platform
    owner. This process involves setting an owner password which is used to
    authorize privileged operations.

    Although the TPM owner is similar to a traditional superuser, there are
    two important differences. First, process privilege is irrelevant for
    access to TPM functions. All privileged operations require knowledge of
    the owner password, regardless of the privilege level of the calling
    process. Second, the TPM owner is not able to override access controls
    for data protected by TPM keys. The owner can effectively destroy data
    by re-initializing the TPM, but cannot access data that has been
    encrypted using TPM keys owned by other users.

SUB-COMMANDS
    The following subcommands are used in the form:

        # tpmadm <subcommand> [operand]

    status
        Report status information about the TPM. Output includes basic
        information about whether ownership of the TPM has been established,
        current PCR contents, and the usage of TPM resources such as
        communication sessions and loaded keys.

    init
        Initialize the TPM for use. This involves taking ownership of the
        TPM by setting the owner authorization password. Taking ownership of
        the TPM creates a new storage root key, which is the ancestor of all
        keys created by this TPM. After this command is issued, before
        re-initializing, reset the TPM by using BIOS operations on x86
        systems or ILOM operations on SPARC systems.

        The tpmadm init subcommand prompts you to create a TPM Owner PIN (or
        passphrase) twice.

        Here is an example. The PIN is not displayed on the screen, but is
        shown in this example:

            # tpmadm init
            Enter TPM Owner PIN: 87654321
            Confirm TPM Owner PIN: 87654321

        Some tpmadm subcommands require you to re-enter this PIN, so do not
        forget it.

    auth
        Change the owner authorization password for the TPM.

    clear lock
        Clear the count of failed authentication attempts. After a number of
        failed authentication attempts, the TPM responds more slowly to
        subsequent attempts, in an effort to thwart attempts to find the
        owner password by exhaustive search. This command, which requires
        the correct owner password, resets the count of failed attempts.

    clear owner
        Deactivate the TPM and return it to an unowned state. This
        operation, which requires the current TPM owner password,
        invalidates all keys and data tied to the TPM. Before the TPM can be
        used again, the system must be restarted, the TPM must be
        reactivated from the BIOS or ILOM pre-boot environment, and the TPM
        must be re-initialized using the tpmadm init command.

        This command should always be executed after running tpmadm clear
        lock.

    keyinfo [uuid]
        Report information about keys stored in the TPM subsystem. Without
        additional arguments, this subcommand produces a brief listing of
        all keys. If the UUID of an individual key is specified, detailed
        information about that key is displayed.

    deletekey uuid
        Delete the key with the specified UUID from the TPM subsystem's
        persistent storage.

    migrate export UUID [MigDataFile MigKeyfile]
        Create the initial migration blob and key for the persistent key
        UUID. If necessary, the user will be prompted for a password to
        access the key being migrated. Additionally, the user will be
        prompted to create an authorization password for the migration key.
        This operation creates two files: a migration blob (wrapped key) and
        a migration key to be used in future migrations. The output files
        will be named tpm-migration.dat and tpm-migration.key, unless they
        are specified on the command line. This operation will require TPM
        owner authorization as well as authorization passwords for any
        parent keys that must be loaded in order to load the key being
        exported. The user will be prompted for all authorization passwords
        as needed.

        If you are exporting the Storage Root Key (SRK), use
        00000000-0000-0000-0000-00000000000b for the SRK UUID.

        The tpmadm migrate export subcommand prompts for the TPM Owner PIN
        that was created with the tpmadm init subcommand. Additionally, it
        will prompt you to create a migration PIN to use with the tpmadm
        migrate import subcommand.

        Here is an example. The PIN is not displayed on the screen, but is
        shown in this example:

            # tpmadm migrate export 00000000-0000-0000-0000-00000000000b
            Enter TPM Owner PIN: 87654321
            Enter PIN for the migration key: BAKUP555
            Confirm PIN for the migration key: BAKUP555

    migrate import [MigDataFile MigKeyfile [ParentUUID] NewKeyUUID]
        Import a key into the user's persistent key DB. The key will be made
        a child of the given ParentUUID. If ParentUUID is not given, the
        imported key will be a child of the system MRK UUID. If NewKeyUUID
        is not given, the system will generate a new UUID and report it to
        the user upon completion of the command. The user will be prompted
        for the migration password used in the "export" step. When the
        migrate import command is given with no arguments, the import
        operation will attempt the migration of the SYSTEM MRK UUID to the
        current SRK in the system key db. When importing an MRK, answer "y"
        to the question "Migratable Root Key file(s) already exist;
        overwrite [y/N]?", otherwise, the existing MRK will not be
        overwritten with the imported MRK. The user must have the TPM
        Administration rights (see prof_attr(5)) or have root privilege
        (euid == 0). This operation will require TPM owner authorization as
        well as authorization passwords for any parent keys that must be
        loaded in order to load the key being imported. The user will be
        prompted for all authorization passwords as needed.

        Here is an example. The PIN is not displayed on the screen, but is
        shown in this example:

            # tpmadm migrate import
            Enter TPM Owner PIN: BAKUP555
            Enter PIN for the migration key: BAKUP555

    failover
        Enable TPM failover (for SPARC T7 and later platforms). This prompts
        for the TPM Owner PIN and a new PIN for the migration key. These
        will be used to back up and restore the TPM keystore in case the TPM
        chip fails over to a new TPM chip on another SPARC SP/SPP board.

    pcrextend pcr [filename]
        Create an SHA-1 hash of the contents of filename and perform a PCR
        Extend operation on the indicated PCR using the hash value as the
        data to be extended. If a filename is not specified, the data is
        read from stdin.

    pcrreset pcr
        Reset the indicated PCR to its initial state (all zeros).

EXIT STATUS
    After completing the requested operation, tpmadm exits with one of the
    following status values.

    0   Successful termination.

    1   Failure. The requested operation could not be completed.

    2   Usage error. The tpmadm command was invoked with invalid arguments.

ATTRIBUTES
    See attributes(7) for descriptions of the following attributes:

    ATTRIBUTE TYPE          ATTRIBUTE VALUE
    Availability            system/core-os
    Interface Stability     Committed

SEE ALSO
    prof_attr(5), attributes(7)

    See also the tcsd(8) man page, available in the
    pkg:/library/security/trousers package.

    TCG Software Stack (TSS) Specifications:
        https://www.trustedcomputinggroup.org/specs/TSS

NOTES
    tpmadm communicates with the TPM device through the tcsd service. tcsd
    must be running before using the tpmadm command. If tcsd is not running,
    tpmadm will generate the following error:

        Connect context: Communication failure (0x3011)

    See tcsd(8) for more details.
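The pcrextend and pcrreset subcommands above give the two facts needed to predict a PCR's contents: a reset PCR is all zeros, and each extend feeds SHA-1(file) into the register. The following Python, added here as an illustration and not part of the Oracle man page or of tpmadm itself, replays that computation so an administrator can check a PCR value copied from tpmadm status against the files that were supposed to be measured. It assumes the standard TPM 1.2 extend rule, PCR_new = SHA-1(PCR_old || measurement), and that the status output is read as a 40-digit hex string; neither is quoted from the page.

```python
import hashlib

PCR_LEN = 20  # TPM 1.2 PCRs hold a SHA-1 digest, matching the SHA-1 hash pcrextend computes


def pcr_reset() -> bytes:
    """State of a PCR after `tpmadm pcrreset <pcr>`: all zeros."""
    return bytes(PCR_LEN)


def measure_file(data: bytes) -> bytes:
    """The value `tpmadm pcrextend` extends with: SHA-1 of the file (or stdin) contents."""
    return hashlib.sha1(data).digest()


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend rule (assumed standard behaviour, not quoted from the man page):
    PCR_new = SHA-1(PCR_old || measurement). The result depends on every value and
    on their order, which is what makes the register a tamper-evident log."""
    if len(current) != PCR_LEN or len(measurement) != PCR_LEN:
        raise ValueError("PCR value and measurement must both be 20-byte SHA-1 digests")
    return hashlib.sha1(current + measurement).digest()


def expected_pcr(file_contents: list[bytes]) -> bytes:
    """Replay `tpmadm pcrreset` followed by one `tpmadm pcrextend` per file, in order."""
    pcr = pcr_reset()
    for data in file_contents:
        pcr = pcr_extend(pcr, measure_file(data))
    return pcr


def matches_status(reported_hex: str, file_contents: list[bytes]) -> bool:
    """Compare a PCR value copied from `tpmadm status` output (assumed to be 40 hex
    digits, optionally space-separated) with the replayed expectation."""
    reported = bytes.fromhex(reported_hex.replace(" ", ""))
    return reported == expected_pcr(file_contents)


if __name__ == "__main__":
    # Constructed sample inputs standing in for two configuration files measured at boot.
    files = [b"set kmem_flags=0\n", b"authorized_keys-constructed-sample\n"]
    print("expected PCR:", expected_pcr(files).hex())
    # Measuring the same files in a different order yields a different PCR value.
    print("reordered   :", expected_pcr(files[::-1]).hex())
```

A mismatch between the replayed value and the one tpmadm status reports means a measured file changed, a measurement was skipped, or the order differed; it does not say which, so keep the list of measured files as part of the system's configuration record.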