
System Administration Commands tpmadm(1M)

NAME

tpmadm - administer Trusted Platform Module

SYNOPSIS

tpmadm status

tpmadm init

tpmadm clear [owner | lock]

tpmadm auth

tpmadm keyinfo [uuid]

tpmadm deletekey uuid

DESCRIPTION

A Trusted Platform Module (TPM) is a hardware component that provides for protected key storage and reliable measurements of software used to boot the operating system. The tpmadm utility is used to initialize and administer the TPM so that it can be used by the operating system and other programs.

The TPM subsystem can store and manage an unlimited number of keys for use by the operating system and by users. Each key is identified by a Universally Unique Identifier, or UUID. Although the TPM can hold only a limited number of keys at any given time, the supporting software automatically loads and unloads keys as needed. When a key is stored outside the TPM, it is always encrypted or "wrapped" by its parent key so that the key is never exposed in readable form outside the TPM.

Before the TPM can be used, it must be initialized by the platform owner. This process involves setting an owner password which is used to authorize privileged operations.

Although the TPM owner is similar to a traditional superuser, there are two important differences. First, process privilege is irrelevant for access to TPM functions.

SunOS 5.11 Last change: 8 Oct 2009 1


All privileged operations require knowledge of the owner password, regardless of the privilege level of the calling process. Second, the TPM owner is not able to override access controls for data protected by TPM keys. The owner can effectively destroy data by re-initializing the TPM, but he cannot access data that has been encrypted using TPM keys owned by other users.

SUB-COMMANDS

The following subcommands are used in the form:

# tpmadm [operand]

status

Report status information about the TPM. Output includes basic information about whether ownership of the TPM has been established, current PCR contents, and the usage of TPM resources such as communication sessions and loaded keys.

init

Initialize the TPM for use. This involves taking ownership of the TPM by setting the owner authorization password. Taking ownership of the TPM creates a new storage root key, which is the ancestor of all keys created by this TPM. Once this command is issued, the TPM must be reset using BIOS operations before it can be re-initialized.

auth

Change the owner authorization password for the TPM.

clear lock

Clear the count of failed authentication attempts. After a number of failed authentication attempts, the TPM responds more slowly to subsequent attempts, in an effort to thwart attempts to find the owner password by exhaustive search. This command, which requires the correct owner password, resets the count of failed attempts.


clear owner

Deactivate the TPM and return it to an unowned state. This operation, which requires the current TPM owner password, invalidates all keys and data tied to the TPM. Before the TPM can be used again, the system must be restarted, the TPM must be reactivated from the BIOS or ILOM pre-boot environment, and the TPM must be re-initialized using the tpmadm init command.

keyinfo [uuid]

Report information about keys stored in the TPM subsystem. Without additional arguments, this subcommand produces a brief listing of all keys. If the UUID of an individual key is specified, detailed information about that key is displayed.

deletekey uuid

Delete the key with the specified UUID from the TPM subsystem's persistent storage.

EXIT STATUS

After completing the requested operation, tpmadm exits with one of the following status values.

0    Successful termination.

1    Failure. The requested operation could not be completed.

2    Usage error. The tpmadm command was invoked with invalid arguments.

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:


 ___________________________________________________________
| ATTRIBUTE TYPE              | ATTRIBUTE VALUE             |
|_____________________________|_____________________________|
| Availability                | SUNWcs                      |
|_____________________________|_____________________________|
| Interface Stability         | Committed                   |
|_____________________________|_____________________________|

SEE ALSO

attributes(5)

See also the tcsd(8) man page, available in the SUNWtss package.

TCG Software Stack (TSS) Specifications: https://www.trustedcomputinggroup.org/specs/TSS (as of the date of publication)

NOTES

tpmadm communicates with the TPM device through the tcsd service. tcsd must be running before using the tpmadm command. If tcsd is not running, tpmadm will generate the following error:

Connect context: Communication failure (0x3011)

See tcsd(8) for more details.
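A monitoring wrapper built on the EXIT STATUS and NOTES sections above, as an added example that is not part of the original manual page: it runs a reporting subcommand and maps the exit status and the tcsd communication-failure message to a single word. The names TPMADM, classify_tpmadm and tpm_health are assumptions of this sketch, as is capturing stdout and stderr together.

```shell
#!/bin/sh
# Added example, not from the tpmadm manual page.
# TPMADM, classify_tpmadm and tpm_health are names chosen for this sketch.

# Command to run; overridable so the check can be exercised without a TPM.
TPMADM=${TPMADM:-tpmadm}

# classify_tpmadm STATUS OUTPUT
# Maps an exit status and the captured output to one word on stdout.
classify_tpmadm() {
    status=$1
    output=$2
    # NOTES: this message means tcsd is not running. It is checked first,
    # because the page does not say which exit status accompanies it.
    case $output in
        *"Communication failure (0x3011)"*)
            echo tcsd-down
            return 0
            ;;
    esac
    # EXIT STATUS: 0 success, 1 failure, 2 usage error.
    case $status in
        0) echo ok ;;
        1) echo failed ;;
        2) echo usage-error ;;
        *) echo unknown ;;
    esac
}

# tpm_health [SUBCOMMAND...]
# Runs a reporting subcommand (default: status; keyinfo also fits) and
# prints the classification. Returns 0 only for "ok", so it can gate a
# script or serve as a monitoring probe.
tpm_health() {
    [ $# -gt 0 ] || set -- status
    status=0
    # stdout and stderr are captured together: the page does not say which
    # stream carries the error message. "|| status=$?" keeps the function
    # working when the caller has "set -e" in effect.
    output=$("$TPMADM" "$@" 2>&1) || status=$?
    result=$(classify_tpmadm "$status" "$output")
    echo "$result"
    [ "$result" = ok ]
}
```

A result of tcsd-down points at the tcsd service rather than at the TPM itself, so an alert on it should be routed differently from failed.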
