illumos: manual page: tpmadm.8

TPMADM(8) Maintenance Procedures TPMADM(8)

NAME

tpmadm - administer Trusted Platform Module

SYNOPSIS

tpmadm status

tpmadm init

tpmadm clear [owner | lock]

tpmadm auth

tpmadm keyinfo [uuid]

tpmadm deletekey uuid

DESCRIPTION

A Trusted Platform Module (TPM) is a hardware component that provides for
protected key storage and reliable measurements of software used to boot
the operating system. The tpmadm utility is used to initialize and
administer the TPM so that it can be used by the operating system and
other programs.

The TPM subsystem can store and manage an unlimited number of keys for
use by the operating system and by users. Each key is identified by a
Universally Unique Identifier, or UUID.

Although the TPM can hold only a limited number of keys at any given
time, the supporting software automatically loads and unloads keys as
needed. When a key is stored outside the TPM, it is always encrypted or
"wrapped" by its parent key so that the key is never exposed in readable
form outside the TPM.

Before the TPM can be used, it must be initialized by the platform owner.
This process involves setting an owner password which is used to
authorize privileged operations.

Although the TPM owner is similar to a traditional superuser, there are
two important differences. First, process privilege is irrelevant for
access to TPM functions. All privileged operations require knowledge of
the owner password, regardless of the privilege level of the calling
process. Second, the TPM owner is not able to override access controls
for data protected by TPM keys. The owner can effectively destroy data by
re-initializing the TPM, but he cannot access data that has been
encrypted using TPM keys owned by other users.

SUBCOMMANDS

The following subcommands are used in the form:

# tpmadm <subcommand> [operand]

status

Report status information about the TPM. Output includes basic
information about whether ownership of the TPM has been established,
current PCR contents, and the usage of TPM resources such as
communication sessions and loaded keys.

init

Initialize the TPM for use. This involves taking ownership of the TPM
by setting the owner authorization password. Taking ownership of the
TPM creates a new storage root key, which is the ancestor of all keys
created by this TPM. Once this command is issued, the TPM must be
reset using BIOS operations before it can be re-initialized.

auth

Change the owner authorization password for the TPM.

clear lock

Clear the count of failed authentication attempts. After a number of
failed authentication attempts, the TPM responds more slowly to
subsequent attempts, in an effort to thwart attempts to find the
owner password by exhaustive search. This command, which requires the
correct owner password, resets the count of failed attempts.

clear owner

Deactivate the TPM and return it to an unowned state. This operation,
which requires the current TPM owner password, invalidates all keys
and data tied to the TPM. Before the TPM can be used again, the
system must be restarted, the TPM must be reactivated from the BIOS
or ILOM pre-boot environment, and the TPM must be re-initialized
using the tpmadm init command.

keyinfo [uuid]

Report information about keys stored in the TPM subsystem. Without
additional arguments, this subcommand produces a brief listing of all
keys. If the UUID of an individual key is specified, detailed
information about that key is displayed.

deletekey uuid

Delete the key with the specified UUID from the TPM subsystem's
persistent storage.

EXIT STATUS

After completing the requested operation, tpmadm exits with one of the
following status values.

0

Successful termination.

1

Failure. The requested operation could not be completed.

2

Usage error. The tpmadm command was invoked with invalid arguments.