% tpm2_policyrestart(1) tpm2-tools | General Commands Manual
# NAME

tpm2_policyrestart(1) - Restart an existing session with the TPM.

# SYNOPSIS

tpm2_policyrestart [OPTIONS]
# DESCRIPTION

tpm2_policyrestart(1) - Restarts a session with the TPM back to its initial state. This is useful when the TPM returns a TPM_RC_PCR_CHANGED (0x00000128) error code while a PCR policy session is in use. That error is returned if a PCR that the policy depends on is altered during the session. One can restart the session and try again; however, the PCR state would still need to satisfy the policy.
# OPTIONS

- -S, --session=FILE:

  Optional. A session file from tpm2_startauthsession(1)'s -S option. This session is used in lieu of starting a session and using the PCR policy options.

- --cphash=FILE:

  File path to record the hash of the command parameters. This is commonly termed the cpHash. NOTE: When this option is selected, the tool will not actually execute the command; it simply returns a cpHash.
## References

- common options: collection of common options that provide information many users may expect.
- common tcti options: collection of options used to configure the various known TCTI modules.
# EXAMPLES

```bash
# create a policy and bind it to an object
tpm2_startauthsession -S session.dat
tpm2_policypcr -S session.dat -l "sha1:0,1,2,3" -L policy.dat
tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -u key.pub -r key.priv -L policy.dat -i- <<< "secret"
tpm2_load -C primary.ctx -c key.ctx -u key.pub -r key.priv
tpm2_flushcontext session.dat

# satisfy the policy and use the object
tpm2_startauthsession --policy -S session.dat
tpm2_policypcr -S session.dat -l "sha1:0,1,2,3"

# PCR event occurs here causing unseal to fail
tpm2_pcrevent 0 <<< "event data"
tpm2_unseal -p session:session.dat -c key.ctx
ERROR: Esys_Unseal(0x128) - tpm:error(2.0): PCR have changed since checked

# Clear the policy digest back to its initial state. Note that access to the
# object is no longer allowed by this policy because PCR 0 has changed, so a
# tpm2_policyor(1) branch would be useful here.
tpm2_policyrestart -S session.dat
```
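The script below is an added illustration of the restart-and-retry flow the DESCRIPTION describes; it is not part of the tpm2-tools man page or the project's own code. It evaluates the PCR policy, attempts the unseal, and if the TPM answers TPM_RC_PCR_CHANGED it runs tpm2_policyrestart once and tries again. The file names (session.dat, key.ctx), the PCR selection, and the TPM2_* override variables (which let the tpm2 commands be swapped for stub functions when no TPM or simulator is available) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the tpm2-tools man page: unseal under a PCR policy
# and, on TPM_RC_PCR_CHANGED, restart the session once and retry.
# Assumed names: session.dat is a --policy session already started with
# tpm2_startauthsession, key.ctx is the loaded sealed object, and the
# PCR selection is sha1:0,1,2,3.

SESSION=${SESSION:-session.dat}
KEY_CTX=${KEY_CTX:-key.ctx}
PCR_LIST=${PCR_LIST:-sha1:0,1,2,3}

# The tpm2 commands are resolved through these variables so the flow can be
# exercised with stub functions when no TPM is present (assumed, not a
# tpm2-tools convention).
: "${TPM2_POLICYPCR:=tpm2_policypcr}"
: "${TPM2_UNSEAL:=tpm2_unseal}"
: "${TPM2_POLICYRESTART:=tpm2_policyrestart}"

# Return 0 when captured tpm2-tools error text is TPM_RC_PCR_CHANGED.
# tpm2_unseal reports it as "Esys_Unseal(0x128)"; the full code is 0x00000128.
is_pcr_changed() {
    case "$1" in
        *"(0x128)"* | *0x00000128* | *"PCR have changed"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Evaluate the PCR policy in $SESSION and unseal $KEY_CTX, printing the data.
# If the TPM answers TPM_RC_PCR_CHANGED, the session's policy digest is reset
# with tpm2_policyrestart and the policy evaluation and unseal are retried
# exactly once. Any other error, or a second PCR_CHANGED, is fatal.
unseal_with_restart() {
    attempt=1
    while [ "$attempt" -le 2 ]; do
        "$TPM2_POLICYPCR" -S "$SESSION" -l "$PCR_LIST" >/dev/null || return 1
        if out=$("$TPM2_UNSEAL" -p "session:$SESSION" -c "$KEY_CTX" 2>&1); then
            printf '%s\n' "$out"
            return 0
        fi
        if [ "$attempt" -eq 1 ] && is_pcr_changed "$out"; then
            # Clear the accumulated policy digest; without this, re-running
            # tpm2_policypcr would extend the stale digest instead of replacing it.
            "$TPM2_POLICYRESTART" -S "$SESSION" || return 1
            attempt=$((attempt + 1))
            continue
        fi
        printf '%s\n' "$out" >&2
        return 1
    done
    return 1
}

# Run the flow only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    unseal_with_restart
fi
```

Run it as `sh unseal_with_restart.sh --run` from the directory holding session.dat and key.ctx after starting a `--policy` session. The retry only succeeds if the PCRs are back in the state the sealed object's policy digest was computed over: tpm2_policyrestart clears the session, but if PCR 0 has been extended the fresh tpm2_policypcr produces a different digest and the unseal still fails, which is the situation where a tpm2_policyor(1) branch is needed.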