[swtpm.git] / man / man8 / swtpm_ioctl.pod

=head1 NAME

swtpm_ioctl - Utility for sending control commands to swtpm

=head1 SYNOPSIS

B<swtpm_ioctl [COMMAND] [E<lt>deviceE<gt>>]

=head1 DESCRIPTION

B<swtpm_ioctl> implements a client tool for controlling the
I<swtpm_cuse> and I<swtpm> TPM software emulators, such as for example their
initialization and shutdown. Once it has been initialized, TPM commands can
be sent to it.

Note: The environment variable SWTPM_IOCTL_BUFFERSIZE can be set to the size
for the buffer for state blob transfer to use. If it is not set, the ioctl()
interface is used for transferring the state. This environment variable
is primarily used for testing purposes.

The following commands are supported:

=over 4

=item B<--tpm-device E<lt>deviceE<gt>>

Use the given device. The full path to the character device must be provided, such
as for example /dev/vtpm-200.

This option can be used instead of providing the device as the last parameter.

=item B<--tcp E<lt>serverE<gt>:E<lt>portE<gt>>

Connect to the given server and port; if no server is given, 127.0.0.1 is used;
if port is not given, the default port 6545 is used.

=item B<--unix E<lt>pathE<gt>>

Connect to the given UnixIO path.

=item B<-c>

Get the capability flags indicating which commands are supported.

=item B<-i>

Send a hardware initialization signal to the swtpm_cuse/swtpm. Volatile
state previously written by the TPM will be read and the file automatically
delete.

=item B<-s>

Initiate a graceful shut down.

=item B<--stop>

Stop the swtpm_cuse/swtpm. This does not shut it down. The I<-i> command can again
be sent to it. After a stop it is also possible to load TPM stateblobs into the
TPM using the I<--load> command.

=item B<-e>

Get the tpmEstablished bit.

=item B<-r locality>

Reset the tpmEstablished bit using the given locality. Only localities 3 and 4 work.
This operation will not permanently change the localty that was previously set
using the I<-l> option.

=item B<-l locality>

Set the locality for the subsequent TPM commands.

=item B<-v>

Have the TPM write the volatile state to a file. Upon a TPM_Init (-i) the
TPM state will be read and the TPM can then resume operation without further
intialization.

=item B<-C>

Cancel an ongoing TPM command.

=item B<-h data>

Reset and extend PCR 17 with the hash of the given data. If data is the single
character '-', then all data are read from stdin.

=item B<--save E<lt>TPM state blob nameE<gt> E<lt>filenameE<gt> >

Save the TPM state blob into the given file. Valid TPM state blob
names are 'permanent', 'volatile', and 'savestate'.

Note that this command can be executed at any time. However, to retrieve
the latest volatile state, the I<-v> command should have been run
immediately before running this command. The savestate blob will only be
returned if a TPM_SaveState command was executed in the TPM (TPM 1.2).

=item B<--load E<lt>TPM state blob nameE<gt> E<lt>filenameE<gt>>

Load the given TPM state blob from the given file. Valid TPM state blob
names are 'permanent', 'volatile', and 'savestate'.

Note that this command can only be executed on a TPM that is shut down.
To then start the TPM with the uploaded state, the I<-i> command must
be issued.

=item B<-g>

Get configuration flags that for example indicate which keys (file encryption
or migration key) are in use by the TPM.

=item B<--info E<lt>flagE<gt>>

Get information about the TPM implementation in JSON format. The flag
I<TPMLIB_INFO_TPMSPECIFICATION>, which has the value 1, returns information
about the specification the TPM implementation followed. The flag
I<TPMLIB_INFO_TPMATTRIBUTES>, which has the value 2, returns information
about the manufacturer, model, and version of the TPM.

=item B<--lock-storage E<lt>retriesE<gt>>

Lock the storage and retry a given number of times with 10ms delay in between.
Locking the storage may be necessary to do after the state of the TPM has been
migrated out and the lock on the storage has been released when the 'savestate'
blob was received and now the storage should be locked again.

=back

=head1 EXAMPLE

Start swtpm on port 10000 for the control port and emulate a TPM 1.2:

   #> swtpm socket --tpmstate dir=/tmp/myvtpm1 --log level=4 --ctrl type=tcp,port=10000 --server type=tcp,port=10001 --flags not-need-init

Get information about the TPM implementation in JSON:

   #> swtpm_ioctl --tcp :10000 --info 1
   {"TPMSpecification":{"family":"1.2","level":2,"revision":116}}
   #> swtpm_ioctl --tcp :10000 --info 2
   {"TPMAttributes":{"manufacturer":"id:00001014","version":"id:00740001","model":"swtpm"}}

Shut down the swtpm

   #> swtpm_ioctl --tcp :10000 -s

=head1 SEE ALSO

B<swtpm_cuse>
Commit	Line	Data
e46a2b66 SB	1	=head1 NAME
e46a2b66 SB	2
5311e60e	3	swtpm_ioctl - Utility for sending control commands to swtpm
e46a2b66 SB	4
	5	=head1 SYNOPSIS
	6
5e9e4733	7	B<swtpm_ioctl [COMMAND] [E<lt>deviceE<gt>>]
e46a2b66 SB	8
	9	=head1 DESCRIPTION
	10
	11	B<swtpm_ioctl> implements a client tool for controlling the
4f56102e SB	12	I<swtpm_cuse> and I<swtpm> TPM software emulators, such as for example their
	13	initialization and shutdown. Once it has been initialized, TPM commands can
	14	be sent to it.
e46a2b66	15
4f56102e	16	Note: The environment variable SWTPM_IOCTL_BUFFERSIZE can be set to the size
05cd79b8 SB	17	for the buffer for state blob transfer to use. If it is not set, the ioctl()
	18	interface is used for transferring the state. This environment variable
	19	is primarily used for testing purposes.
	20
e46a2b66 SB	21	The following commands are supported:
	22
	23	=over 4
	24
37dcf15b SB	25	=item B<--tpm-device E<lt>deviceE<gt>>
37dcf15b SB	26
4f56102e SB	27	Use the given device. The full path to the character device must be provided, such
4f56102e SB	28	as for example /dev/vtpm-200.
37dcf15b SB	29
	30	This option can be used instead of providing the device as the last parameter.
	31
01eb4d3a SB	32	=item B<--tcp E<lt>serverE<gt>:E<lt>portE<gt>>
	33
	34	Connect to the given server and port; if no server is given, 127.0.0.1 is used;
	35	if port is not given, the default port 6545 is used.
	36
b199d808	37	=item B<--unix E<lt>pathE<gt>>
01eb4d3a SB	38
	39	Connect to the given UnixIO path.
	40
e46a2b66 SB	41	=item B<-c>
e46a2b66 SB	42
4f56102e	43	Get the capability flags indicating which commands are supported.
e46a2b66 SB	44
	45	=item B<-i>
	46
4f56102e	47	Send a hardware initialization signal to the swtpm_cuse/swtpm. Volatile
e46a2b66 SB	48	state previously written by the TPM will be read and the file automatically
	49	delete.
	50
	51	=item B<-s>
	52
4f56102e	53	Initiate a graceful shut down.
e46a2b66	54
950040f0 SB	55	=item B<--stop>
950040f0 SB	56
4f56102e	57	Stop the swtpm_cuse/swtpm. This does not shut it down. The I<-i> command can again
950040f0 SB	58	be sent to it. After a stop it is also possible to load TPM stateblobs into the
	59	TPM using the I<--load> command.
	60
e46a2b66 SB	61	=item B<-e>
	62
	63	Get the tpmEstablished bit.
	64
0321a380 SB	65	=item B<-r locality>
	66
	67	Reset the tpmEstablished bit using the given locality. Only localities 3 and 4 work.
	68	This operation will not permanently change the localty that was previously set
3f7933fc	69	using the I<-l> option.
0321a380	70
e46a2b66 SB	71	=item B<-l locality>
	72
	73	Set the locality for the subsequent TPM commands.
	74
	75	=item B<-v>
	76
	77	Have the TPM write the volatile state to a file. Upon a TPM_Init (-i) the
	78	TPM state will be read and the TPM can then resume operation without further
	79	intialization.
	80
	81	=item B<-C>
	82
	83	Cancel an ongoing TPM command.
	84
	85	=item B<-h data>
	86
	87	Reset and extend PCR 17 with the hash of the given data. If data is the single
	88	character '-', then all data are read from stdin.
	89
0c0e5b20 SB	90	=item B<--save E<lt>TPM state blob nameE<gt> E<lt>filenameE<gt> >
	91
	92	Save the TPM state blob into the given file. Valid TPM state blob
4f56102e	93	names are 'permanent', 'volatile', and 'savestate'.
0c0e5b20 SB	94
	95	Note that this command can be executed at any time. However, to retrieve
	96	the latest volatile state, the I<-v> command should have been run
	97	immediately before running this command. The savestate blob will only be
4f56102e	98	returned if a TPM_SaveState command was executed in the TPM (TPM 1.2).
0c0e5b20 SB	99
	100	=item B<--load E<lt>TPM state blob nameE<gt> E<lt>filenameE<gt>>
	101
	102	Load the given TPM state blob from the given file. Valid TPM state blob
4f56102e	103	names are 'permanent', 'volatile', and 'savestate'.
0c0e5b20 SB	104
	105	Note that this command can only be executed on a TPM that is shut down.
	106	To then start the TPM with the uploaded state, the I<-i> command must
	107	be issued.
	108
bd98690a SB	109	=item B<-g>
	110
	111	Get configuration flags that for example indicate which keys (file encryption
01eb4d3a	112	or migration key) are in use by the TPM.
bd98690a	113
0dda8245 SB	114	=item B<--info E<lt>flagE<gt>>
	115
	116	Get information about the TPM implementation in JSON format. The flag
4f56102e SB	117	I<TPMLIB_INFO_TPMSPECIFICATION>, which has the value 1, returns information
	118	about the specification the TPM implementation followed. The flag
	119	I<TPMLIB_INFO_TPMATTRIBUTES>, which has the value 2, returns information
	120	about the manufacturer, model, and version of the TPM.
	121
6fbb219d SB	122	=item B<--lock-storage E<lt>retriesE<gt>>
	123
	124	Lock the storage and retry a given number of times with 10ms delay in between.
	125	Locking the storage may be necessary to do after the state of the TPM has been
	126	migrated out and the lock on the storage has been released when the 'savestate'
	127	blob was received and now the storage should be locked again.
0dda8245	128
e46a2b66 SB	129	=back
e46a2b66 SB	130
4f56102e SB	131	=head1 EXAMPLE
	132
	133	Start swtpm on port 10000 for the control port and emulate a TPM 1.2:
	134
	135	#> swtpm socket --tpmstate dir=/tmp/myvtpm1 --log level=4 --ctrl type=tcp,port=10000 --server type=tcp,port=10001 --flags not-need-init
	136
	137	Get information about the TPM implementation in JSON:
	138
	139	#> swtpm_ioctl --tcp :10000 --info 1
	140	{"TPMSpecification":{"family":"1.2","level":2,"revision":116}}
	141	#> swtpm_ioctl --tcp :10000 --info 2
	142	{"TPMAttributes":{"manufacturer":"id:00001014","version":"id:00740001","model":"swtpm"}}
	143
	144	Shut down the swtpm
	145
	146	#> swtpm_ioctl --tcp :10000 -s
	147
e46a2b66 SB	148	=head1 SEE ALSO
	149
	150	B<swtpm_cuse>