% tss2_verifyquote(1) tpm2-tools | General Commands Manual % % APRIL 2019
tss2_verifyquote(1) -
tss2_verifyquote [OPTIONS]
tss2_verifyquote(1) - This command verifies that the data returned by a quote is valid. This includes
- Reconstructing the quoteInfo's PCR values from the eventLog (if an eventLog was provided)
- Verifying the quoteInfo using the signature and the publicKeyPath
The used signature verification scheme is specified in the cryptographic profile (cf., fapi-profile(5)).
An application using tss2_verifyquote() will further have to
- Assess the publicKey's trustworthiness
- Assess the eventLog entries' trustworthiness
These are the available options:
-
-Q, --qualifyingData=FILENAME or - (for stdin):
A nonce provided by the caller to ensure freshness of the signature. Optional parameter.
-
-l, --pcrLog=FILENAME or - (for stdin):
Returns the PCR event log for the chosen PCR. Optional parameter.
PCR event logs are a list (arbitrary length JSON array) of log entries with the following content.
- recnum: Unique record number - pcr: PCR index - digest: The digests - type: The type of event. At the moment the only possible value is: "LINUX_IMA" (legacy IMA) - eventDigest: Digest of the event; e.g. the digest of the measured file - eventName: Name of the event; e.g. the name of the measured file.
-
-q, --quoteInfo=FILENAME or - (for stdin):
The JSON-encoded structure holding the inputs to the quote operation. This includes the digest value and PCR values.
-
-k, --publicKeyPath=STRING:
Identifies the signing key. MAY be a path to the public key hierarchy /ext.
-
-i, --signature=FILENAME or - (for stdin):
The signature over the quoted material.
tss2_verifyquote --publicKeyPath="ext/myNewParent" --qualifyingData=qualifyingData.file --quoteInfo=quoteInfo.file --signature=signature.file --pcrLog=pcrLog.file0 on success or 1 on failure.