Tribblix: manual page: tpmadm.8

TPMADM(8) Maintenance Commands and Procedures TPMADM(8)

NAME

tpmadm - administer Trusted Platform Module

SYNOPSIS

tpmadm status

tpmadm init

tpmadm clear [owner | lock]

tpmadm auth

tpmadm keyinfo [uuid]

tpmadm deletekey uuid

DESCRIPTION

A Trusted Platform Module (TPM) is a hardware component that provides
for protected key storage and reliable measurements of software used
to boot the operating system. The tpmadm utility is used to
initialize and administer the TPM so that it can be used by the
operating system and other programs.

The TPM subsystem can store and manage an unlimited number of keys
for use by the operating system and by users. Each key is identified
by a Universally Unique Identifier, or UUID.

Although the TPM can hold only a limited number of keys at any given
time, the supporting software automatically loads and unloads keys as
needed. When a key is stored outside the TPM, it is always encrypted
or "wrapped" by its parent key so that the key is never exposed in
readable form outside the TPM.

Before the TPM can be used, it must be initialized by the platform
owner. This process involves setting an owner password which is used
to authorize privileged operations.

Although the TPM owner is similar to a traditional superuser, there
are two important differences. First, process privilege is irrelevant
for access to TPM functions. All privileged operations require
knowledge of the owner password, regardless of the privilege level of
the calling process. Second, the TPM owner is not able to override
access controls for data protected by TPM keys. The owner can
effectively destroy data by re-initializing the TPM, but he cannot
access data that has been encrypted using TPM keys owned by other
users.

SUBCOMMANDS

The following subcommands are used in the form:

# tpmadm <subcommand> [operand]

status

Report status information about the TPM. Output includes basic
information about whether ownership of the TPM has been
established, current PCR contents, and the usage of TPM resources
such as communication sessions and loaded keys.

init

Initialize the TPM for use. This involves taking ownership of the
TPM by setting the owner authorization password. Taking ownership
of the TPM creates a new storage root key, which is the ancestor
of all keys created by this TPM. Once this command is issued,
the TPM must be reset using BIOS operations before it can be re-
initialized.

auth

Change the owner authorization password for the TPM.

clear lock

Clear the count of failed authentication attempts. After a number
of failed authentication attempts, the TPM responds more slowly
to subsequent attempts, in an effort to thwart attempts to find
the owner password by exhaustive search. This command, which
requires the correct owner password, resets the count of failed
attempts.

clear owner

Deactivate the TPM and return it to an unowned state. This
operation, which requires the current TPM owner password,
invalidates all keys and data tied to the TPM. Before the TPM can
be used again, the system must be restarted, the TPM must be
reactivated from the BIOS or ILOM pre-boot environment, and the
TPM must be re-initialized using the tpmadm init command.

keyinfo [uuid]

Report information about keys stored in the TPM subsystem.
Without additional arguments, this subcommand produces a brief
listing of all keys. If the UUID of an individual key is
specified, detailed information about that key is displayed.

deletekey uuid

Delete the key with the specified UUID from the TPM subsystem's
persistent storage.

EXIT STATUS

After completing the requested operation, tpmadm exits with one of
the following status values.

0

Successful termination.

1

Failure. The requested operation could not be completed.

2

Usage error. The tpmadm command was invoked with invalid
arguments.