What:           /sys/class/tpm/tpmX/device/
Date:           April 2005
KernelVersion:  2.6.12
Contact:        linux-integrity@vger.kernel.org
Description:    The device/ directory under a specific TPM instance exposes
                the properties of that TPM chip

What:           /sys/class/tpm/tpmX/device/active
Date:           April 2006
KernelVersion:  2.6.17
Contact:        linux-integrity@vger.kernel.org
Description:    The "active" property prints a '1' if the TPM chip is accepting
                commands. An inactive TPM chip still contains all the state of
                an active chip (Storage Root Key, NVRAM, etc), and can be
                visible to the OS, but will only accept a restricted set of
                commands. See the TPM Main Specification part 2, Structures,
                section 17 for more information on which commands are
                available.

What:           /sys/class/tpm/tpmX/device/cancel
Date:           June 2005
KernelVersion:  2.6.13
Contact:        linux-integrity@vger.kernel.org
Description:    The "cancel" property allows you to cancel the currently
                pending TPM command. Writing any value to cancel will call the
                TPM vendor specific cancel operation.

What:           /sys/class/tpm/tpmX/device/caps
Date:           April 2005
KernelVersion:  2.6.12
Contact:        linux-integrity@vger.kernel.org
Description:    The "caps" property contains TPM manufacturer and version info.

                Example output::

                  Manufacturer: 0x53544d20
                  TCG version: 1.2
                  Firmware version: 8.16

                Manufacturer is a hex dump of the 4 byte manufacturer info
                space in a TPM. TCG version shows the TCG TPM spec level that
                the chip supports. Firmware version is that of the chip and
                is manufacturer specific.

What:           /sys/class/tpm/tpmX/device/durations
Date:           March 2011
KernelVersion:  3.1
Contact:        linux-integrity@vger.kernel.org
Description:    The "durations" property shows the 3 vendor-specific values
                used to wait for a short, medium and long TPM command. All
                TPM commands are categorized as short, medium or long in
                execution time, so that the driver doesn't have to wait
                any longer than necessary before starting to poll for a
                result.

                Example output::

                  3015000 4508000 180995000 [original]

                Here the short, medium and long durations are displayed in
                usecs. "[original]" indicates that the values are displayed
                unmodified from when they were queried from the chip.
                Durations can be modified in the case where a buggy chip
                reports them in msec instead of usec and they need to be
                scaled to be displayed in usecs. In this case "[adjusted]"
                will be displayed in place of "[original]".

What:           /sys/class/tpm/tpmX/device/enabled
Date:           April 2006
KernelVersion:  2.6.17
Contact:        linux-integrity@vger.kernel.org
Description:    The "enabled" property prints a '1' if the TPM chip is enabled,
                meaning that it should be visible to the OS. This property
                may be visible but produce a '0' after some operation that
                disables the TPM.

What:           /sys/class/tpm/tpmX/device/owned
Date:           April 2006
KernelVersion:  2.6.17
Contact:        linux-integrity@vger.kernel.org
Description:    The "owned" property produces a '1' if the TPM_TakeOwnership
                ordinal has been executed successfully in the chip. A '0'
                indicates that ownership hasn't been taken.

What:           /sys/class/tpm/tpmX/device/pcrs
Date:           April 2005
KernelVersion:  2.6.12
Contact:        linux-integrity@vger.kernel.org
Description:    The "pcrs" property will dump the current value of all Platform
                Configuration Registers in the TPM. Note that since these
                values may be constantly changing, the output is only valid
                for a snapshot in time.

                Example output::

                  PCR-00: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
                  PCR-01: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
                  PCR-02: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
                  PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
                  PCR-04: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
                  ...

                The number of PCRs and hex bytes needed to represent a PCR
                value will vary depending on TPM chip version. For TPM 1.1 and
                1.2 chips, PCRs represent SHA-1 hashes, which are 20 bytes
                long. Use the "caps" property to determine TPM version.

What:           /sys/class/tpm/tpmX/device/pubek
Date:           April 2005
KernelVersion:  2.6.12
Contact:        linux-integrity@vger.kernel.org
Description:    The "pubek" property will return the TPM's public endorsement
                key if possible. If the TPM has had ownership established and
                is version 1.2, the pubek will not be available without the
                owner's authorization. Since the TPM driver doesn't store any
                secrets, it can't authorize its own request for the pubek,
                making it inaccessible. The public endorsement key is
                generated at TPM manufacture time and exists for the life of
                the chip.

                Example output::

                  Algorithm: 00 00 00 01
                  Encscheme: 00 03
                  Sigscheme: 00 01
                  Parameters: 00 00 08 00 00 00 00 02 00 00 00 00
                  Modulus length: 256
                  Modulus:
                  B4 76 41 82 C9 20 2C 10 18 40 BC 8B E5 44 4C 6C
                  3A B2 92 0C A4 9B 2A 83 EB 5C 12 85 04 48 A0 B6
                  1E E4 81 84 CE B2 F2 45 1C F0 85 99 61 02 4D EB
                  86 C4 F7 F3 29 60 52 93 6B B2 E5 AB 8B A9 09 E3
                  D7 0E 7D CA 41 BF 43 07 65 86 3C 8C 13 7A D0 8B
                  82 5E 96 0B F8 1F 5F 34 06 DA A2 52 C1 A9 D5 26
                  0F F4 04 4B D9 3F 2D F2 AC 2F 74 64 1F 8B CD 3E
                  1E 30 38 6C 70 63 69 AB E2 50 DF 49 05 2E E1 8D
                  6F 78 44 DA 57 43 69 EE 76 6C 38 8A E9 8E A3 F0
                  A7 1F 3C A8 D0 12 15 3E CA 0E BD FA 24 CD 33 C6
                  47 AE A4 18 83 8E 22 39 75 93 86 E6 FD 66 48 B6
                  10 AD 94 14 65 F9 6A 17 78 BD 16 53 84 30 BF 70
                  E0 DC 65 FD 3C C6 B0 1E BF B9 C1 B5 6C EF B1 3A
                  F8 28 05 83 62 26 11 DC B4 6B 5A 97 FF 32 26 B6
                  F7 02 71 CF 15 AE 16 DD D1 C1 8E A8 CF 9B 50 7B
                  C3 91 FF 44 1E CF 7C 39 FE 17 77 21 20 BD CE 9B

                Possible values::

                  Algorithm:    TPM_ALG_RSA                     (1)
                  Encscheme:    TPM_ES_RSAESPKCSv15             (2)
                                TPM_ES_RSAESOAEP_SHA1_MGF1      (3)
                  Sigscheme:    TPM_SS_NONE                     (1)
                  Parameters, a byte string of 3 u32 values:
                        Key Length (bits):      00 00 08 00     (2048)
                        Num primes:             00 00 00 02     (2)
                        Exponent Size:          00 00 00 00     (0 means the default exp)
                  Modulus Length: 256 (bytes)
                  Modulus:      The 256 byte Endorsement Key modulus

What:           /sys/class/tpm/tpmX/device/temp_deactivated
Date:           April 2006
KernelVersion:  2.6.17
Contact:        linux-integrity@vger.kernel.org
Description:    The "temp_deactivated" property returns a '1' if the chip has
                been temporarily deactivated, usually until the next power
                cycle. Whether a warm boot (reboot) will clear a TPM chip
                from a temp_deactivated state is platform specific.

What:           /sys/class/tpm/tpmX/device/timeouts
Date:           March 2011
KernelVersion:  3.1
Contact:        linux-integrity@vger.kernel.org
Description:    The "timeouts" property shows the 4 vendor-specific values
                for the TPM's interface spec timeouts. The use of these
                timeouts is defined by the TPM interface spec that the chip
                conforms to.

                Example output::

                  750000 750000 750000 750000 [original]

                The four timeout values are shown in usecs, with a trailing
                "[original]" or "[adjusted]" depending on whether the values
                were scaled by the driver to be reported in usec from msecs.

What:           /sys/class/tpm/tpmX/tpm_version_major
Date:           October 2019
KernelVersion:  5.5
Contact:        linux-integrity@vger.kernel.org
Description:    The "tpm_version_major" property shows the TCG spec major version
                implemented by the TPM device.

                Example output::

                  2

What:           /sys/class/tpm/tpmX/pcr-<H>/<N>
Date:           March 2021
KernelVersion:  5.12
Contact:        linux-integrity@vger.kernel.org
Description:    Produces output in compact hex representation for PCR
                number N from hash bank H. N is the numeric value of
                the PCR number and H is the crypto string
                representation of the hash.

                Example output::

                  cat /sys/class/tpm/tpm0/pcr-sha256/7
                  2ED93F199692DC6788EFA6A1FE74514AB9760B2A6CEEAEF6C808C13E4ABB0D42
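
Added example (not part of the kernel documentation or the TPM driver): a POSIX shell check that reads PCR values from the pcr-<H>/<N> files, falls back to the legacy device/pcrs dump for SHA-1, and compares each value with a baseline. The baseline format ("<bank> <index> <hex>"), the function names and the temporary fixture directory are assumptions; the fixture is constructed from the example values shown in this file plus an all-zero PCR.

```sh
#!/bin/sh
# Added example, not kernel code; baseline format and function names are assumptions.
bank_hexlen() {  # hex digits in one digest of hash bank $1
    case "$1" in
        sha1) echo 40 ;; sha256) echo 64 ;;
        sha384) echo 96 ;; sha512) echo 128 ;;
        *) return 1 ;;
    esac
}

read_pcr() {  # read_pcr <tpm_dir> <bank> <index> -> compact uppercase hex
    if [ -r "$1/pcr-$2/$3" ]; then
        tr -d ' \n' < "$1/pcr-$2/$3" | tr 'a-f' 'A-F'
    elif [ "$2" = sha1 ] && [ -r "$1/device/pcrs" ]; then
        # Legacy TPM 1.x dump: "PCR-07: 3A 3F ..." becomes "3A3F..."
        sed -n "s/^PCR-$(printf '%02d' "$3"): *//p" "$1/device/pcrs" | tr -d ' \n'
    else return 1; fi
}

check_pcrs() {  # check_pcrs <tpm_dir> <baseline>; exit status = problem count
    bad=0
    while read -r bank idx want; do
        case "$bank" in ''|'#'*) continue ;; esac
        want=$(printf '%s' "$want" | tr 'a-f' 'A-F')
        if ! len=$(bank_hexlen "$bank"); then r=UNKNOWN-BANK
        elif ! got=$(read_pcr "$1" "$bank" "$idx"); then r=UNREADABLE
        elif [ "${#got}" -ne "$len" ]; then r=BAD-LENGTH
        elif [ "$got" != "$want" ]; then r=MISMATCH
        else r=OK; fi
        [ "$r" = OK ] || bad=$((bad + 1))
        echo "$r $bank:$idx"
    done < "$2"
    return "$bad"
}

demo() {  # constructed fixture standing in for /sys/class/tpm/tpm0
    d=$(mktemp -d) && mkdir -p "$d/pcr-sha256" "$d/device" || return 99
    printf '%064d\n' 0 > "$d/pcr-sha256/0"   # constructed all-zero PCR
    echo 2ED93F199692DC6788EFA6A1FE74514AB9760B2A6CEEAEF6C808C13E4ABB0D42 > "$d/pcr-sha256/7"
    echo 'PCR-00: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75' > "$d/device/pcrs"
    z=$(printf '%064d' 0)
    printf '%s\n' "sha256 0 $z" "sha256 7 $z" "sha256 9 $z" \
        "sha1 0 3a3f780f11a4b49969fcaa80cd6e3957c33b2275" > "$d/baseline"
    check_pcrs "$d" "$d/baseline" && rc=0 || rc=$?
    rm -rf "$d"; return "$rc"
}

demo || echo "problems found: $?"
```

On a real system the call would be check_pcrs /sys/class/tpm/tpm0 <baseline file>; as the "pcrs" entry notes, each read is only a snapshot in time.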