% tpm2_policycommandcode(1) tpm2-tools | General Commands Manual
tpm2_policycommandcode(1) - Restrict TPM object authorization to specific TPM commands.
tpm2_policycommandcode [OPTIONS] [ARGUMENT]
tpm2_policycommandcode(1) - Restricts TPM object authorization to specific TPM commands. Useful when you want to allow only specific commands to interact with the TPM object.
As an argument it takes the command as an integer or friendly string value. Friendly string to COMMAND CODE mapping can be found in section COMMAND CODE MAPPINGS.
-
-S, --session=FILE:
A session file from tpm2_startauthsession(1)'s -S option.
-
-L, --policy=FILE:
File to save the policy digest.
-
ARGUMENT the command line argument specifies TPM2 command code.
-
--cphash=FILE
File path to record the hash of the command parameters. This is commonly termed as cpHash. NOTE: When this option is selected, The tool will not actually execute the command, it simply returns a cpHash.
common options collection of common options that provide information many users may expect.
common tcti options collection of options used to configure the various known TCTI modules.
The friendly strings below can be used en lieu of the raw integer values.
-TPM2_CC_AC_GetCapability: 0x194 -TPM2_CC_AC_Send: 0x195 -TPM2_CC_ActivateCredential: 0x147 -TPM2_CC_Certify: 0x148 -TPM2_CC_CertifyCreation: 0x14a -TPM2_CC_ChangeEPS: 0x124 -TPM2_CC_ChangePPS: 0x125 -TPM2_CC_Clear: 0x126 -TPM2_CC_ClearControl: 0x127 -TPM2_CC_ClockRateAdjust: 0x130 -TPM2_CC_ClockSet: 0x128 -TPM2_CC_Commit: 0x18b -TPM2_CC_ContextLoad: 0x161 -TPM2_CC_ContextSave: 0x162 -TPM2_CC_Create: 0x153 -TPM2_CC_CreateLoaded: 0x191 -TPM2_CC_CreatePrimary: 0x131 -TPM2_CC_DictionaryAttackLockReset: 0x139 -TPM2_CC_DictionaryAttackParameters: 0x13a -TPM2_CC_Duplicate: 0x14b -TPM2_CC_ECC_Parameters: 0x178 -TPM2_CC_ECDH_KeyGen: 0x163 -TPM2_CC_ECDH_ZGen: 0x154 -TPM2_CC_EC_Ephemeral: 0x18e -TPM2_CC_EncryptDecrypt: 0x164 -TPM2_CC_EncryptDecrypt2: 0x193 -TPM2_CC_EventSequenceComplete: 0x185 -TPM2_CC_EvictControl: 0x120 -TPM2_CC_FieldUpgradeData: 0x141 -TPM2_CC_FieldUpgradeStart: 0x12f -TPM2_CC_FirmwareRead: 0x179 -TPM2_CC_FlushContext: 0x165 -TPM2_CC_GetCapability: 0x17a -TPM2_CC_GetCommandAuditDigest: 0x133 -TPM2_CC_GetRandom: 0x17b -TPM2_CC_GetSessionAuditDigest: 0x14d -TPM2_CC_GetTestResult: 0x17c -TPM2_CC_GetTime: 0x14c -TPM2_CC_Hash: 0x17d -TPM2_CC_HashSequenceStart: 0x186 -TPM2_CC_HierarchyChangeAuth: 0x129 -TPM2_CC_HierarchyControl: 0x121 -TPM2_CC_HMAC: 0x155 -TPM2_CC_HMAC_Start: 0x15b -TPM2_CC_Import: 0x156 -TPM2_CC_IncrementalSelfTest: 0x142 -TPM2_CC_Load: 0x157 -TPM2_CC_LoadExternal: 0x167 -TPM2_CC_MakeCredential: 0x168 -TPM2_CC_NV_Certify: 0x184 -TPM2_CC_NV_ChangeAuth: 0x13b -TPM2_CC_NV_DefineSpace: 0x12a -TPM2_CC_NV_Extend: 0x136 -TPM2_CC_NV_GlobalWriteLock: 0x132 -TPM2_CC_NV_Increment: 0x134 -TPM2_CC_NV_Read: 0x14e -TPM2_CC_NV_ReadLock: 0x14f -TPM2_CC_NV_ReadPublic: 0x169 -TPM2_CC_NV_SetBits: 0x135 -TPM2_CC_NV_UndefineSpace: 0x122 -TPM2_CC_NV_UndefineSpaceSpecial: 0x11f -TPM2_CC_NV_Write: 0x137 -TPM2_CC_NV_WriteLock: 0x138 -TPM2_CC_ObjectChangeAuth: 0x150 -TPM2_CC_PCR_Allocate: 0x12b -TPM2_CC_PCR_Event: 0x13c -TPM2_CC_PCR_Extend: 0x182 -TPM2_CC_PCR_Read: 0x17e -TPM2_CC_PCR_Reset: 0x13d -TPM2_CC_PCR_SetAuthPolicy: 0x12c -TPM2_CC_PCR_SetAuthValue: 0x183 -TPM2_CC_Policy_AC_SendSelect: 0x196 -TPM2_CC_PolicyAuthorize: 0x16a -TPM2_CC_PolicyAuthorizeNV: 0x192 -TPM2_CC_PolicyAuthValue: 0x16b -TPM2_CC_PolicyCommandCode: 0x16c -TPM2_CC_PolicyCounterTimer: 0x16d -TPM2_CC_PolicyCpHash: 0x16e -TPM2_CC_PolicyDuplicationSelect: 0x188 -TPM2_CC_PolicyGetDigest: 0x189 -TPM2_CC_PolicyLocality: 0x16f -TPM2_CC_PolicyNameHash: 0x170 -TPM2_CC_PolicyNV: 0x149 -TPM2_CC_PolicyNvWritten: 0x18f -TPM2_CC_PolicyOR: 0x171 -TPM2_CC_PolicyPassword: 0x18c -TPM2_CC_PolicyPCR: 0x17f -TPM2_CC_PolicyPhysicalPresence: 0x187 -TPM2_CC_PolicyRestart: 0x180 -TPM2_CC_PolicySecret: 0x151 -TPM2_CC_PolicySigned: 0x160 -TPM2_CC_PolicyTemplate: 0x190 -TPM2_CC_PolicyTicket: 0x172 -TPM2_CC_PP_Commands: 0x12d -TPM2_CC_Quote: 0x158 -TPM2_CC_ReadClock: 0x181 -TPM2_CC_ReadPublic: 0x173 -TPM2_CC_Rewrap: 0x152 -TPM2_CC_RSA_Decrypt: 0x159 -TPM2_CC_RSA_Encrypt: 0x174 -TPM2_CC_SelfTest: 0x143 -TPM2_CC_SequenceComplete: 0x13e -TPM2_CC_SequenceUpdate: 0x15c -TPM2_CC_SetAlgorithmSet: 0x13f -TPM2_CC_SetCommandCodeAuditStatus: 0x140 -TPM2_CC_SetPrimaryPolicy: 0x12e -TPM2_CC_Shutdown: 0x145 -TPM2_CC_Sign: 0x15d -TPM2_CC_StartAuthSession: 0x176 -TPM2_CC_Startup: 0x144 -TPM2_CC_StirRandom: 0x146 -TPM2_CC_TestParms: 0x18a -TPM2_CC_Unseal: 0x15e -TPM2_CC_Vendor_TCG_Test: 0x20000000 -TPM2_CC_VerifySignature: 0x177 -TPM2_CC_ZGen_2Phase: 0x18d
Start a policy session and extend it with a specific command like unseal. Attempts to perform other operations would fail.
tpm2_startauthsession -S session.dat
tpm2_policycommandcode -S session.dat -L policy.dat TPM2_CC_Unseal
tpm2_flushcontext session.dattpm2_createprimary -C o -c prim.ctx
tpm2_create -C prim.ctx -u sealkey.pub -r sealkey.priv -L policy.dat \
-i- <<< "SEALED-SECRET"tpm2_load -C prim.ctx -u sealkey.pub -r sealkey.priv -n sealkey.name \
-c sealkey.ctx
tpm2_startauthsession --policy-session -S session.dat
tpm2_policycommandcode -S session.dat -L policy.dat TPM2_CC_Unseal
tpm2_unseal -p session:session.dat -c sealkey.ctx
SEALED-SECRET
tpm2_flushcontext session.datecho "Encrypt Me" > plain.txt
tpm2_encryptdecrypt plain.txt -o enc.txt -c sealkey.ctx plain.txt
ERROR: Esys_EncryptDecrypt2(0x12F) - tpm:error(2.0): authValue or authPolicy is
not available for selected entity