tpmadm(1M) System Administration Commands tpmadm(1M)NAMEtpmadm - administer Trusted Platform Module
SYNOPSIStpmadm status
tpmadm init
tpmadm clear [owner | lock]
tpmadm auth
tpmadm keyinfo [uuid]
tpmadm deletekey uuid
DESCRIPTION
A Trusted Platform Module (TPM) is a hardware component that provides
for protected key storage and reliable measurements of software used to
boot the operating system. The tpmadm utility is used to initialize and
administer the TPM so that it can be used by the operating system and
other programs.
The TPM subsystem can store and manage an unlimited number of keys for
use by the operating system and by users. Each key is identified by a
Universally Unique Identifier, or UUID.
Although the TPM can hold only a limited number of keys at any given
time, the supporting software automatically loads and unloads keys as
needed. When a key is stored outside the TPM, it is always encrypted or
"wrapped" by its parent key so that the key is never exposed in read‐
able form outside the TPM.
Before the TPM can be used, it must be initialized by the platform
owner. This process involves setting an owner password which is used to
authorize privileged operations.
Although the TPM owner is similar to a traditional superuser, there are
two important differences. First, process privilege is irrelevant for
access to TPM functions. All privileged operations require knowledge of
the owner password, regardless of the privilege level of the calling
process. Second, the TPM owner is not able to override access controls
for data protected by TPM keys. The owner can effectively destroy data
by re-initializing the TPM, but he cannot access data that has been
encrypted using TPM keys owned by other users.
SUB-COMMANDS
The following subcommands are used in the form:
# tpamadm <subcommand> [operand]
status
Report status information about the TPM. Output includes basic
information about whether ownership of the TPM has been estab‐
lished, current PCR contents, and the usage of TPM resources such
as communication sessions and loaded keys.
init
Initialize the TPM for use. This involves taking ownership of the
TPM by setting the owner authorization password. Taking ownership
of the TPM creates a new storage root key, which is the ancestor of
all keys created by this TPM. Once this command is issued, the TPM
must be reset using BIOS operations before it can be re-initial‐
ized.
auth
Change the owner authorization password for the TPM.
clear lock
Clear the count of failed authentication attempts. After a number
of failed authentication attempts, the TPM responds more slowly to
subsequent attempts, in an effort to thwart attempts to find the
owner password by exhaustive search. This command, which requires
the correct owner password, resets the count of failed attempts.
clear owner
Deactivate the TPM and return it to an unowned state. This opera‐
tion, which requires the current TPM owner password, invalidates
all keys and data tied to the TPM. Before the TPM can be used
again, the system must be restarted, the TPM must be reactivated
from the BIOS or ILOM pre-boot environment, and the TPM must be re-
initialized using the tpmadm init command.
keyinfo [uuid]
Report information about keys stored in the TPM subsystem. Without
additional arguments, this subcommand produces a brief listing of
all keys. If the UUID of an individual key is specified, detailed
information about that key is displayed.
deletekey uuid
Delete the key with the specified UUID from the TPM subsystem's
persistent storage.
EXIT STATUS
After completing the requested operation, tpmadm exits with one of the
following status values.
0
Successful termination.
1
Failure. The requested operation could not be completed.
2
Usage error. The tpmadm command was invoked with invalid arguments.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWcs │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Committed │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOattributes(5)
See also the tcsd(8) man page, available in the SUNWtss package.
TCG Software Stack (TSS) Specifications: https://www.trustedcomputing‐
group.org/specs/TSS (as of the date of publication)
NOTEStpmadm communicates with the TPM device through the tcsd service.
tcsd must be running before using the tpmadm command. If tcsd is not
running, tpmadm will generate the following error:
Connect context: Communication failure (0x3011)
See tcsd(8) for more details.
SunOS 5.11 8 Oct 2009 tpmadm(1M)