tpmadm - administer Trusted Platform Module
tpmadm clear [owner | lock]
tpmadm keyinfo [uuid]
tpmadm deletekey uuid
A Trusted Platform Module (TPM) is a hardware component that provides for
protected key storage and reliable measurements of software used to boot the
operating system. The tpmadm utility is used to initialize and
administer the TPM so that it can be used by the operating system and other
The TPM subsystem can store and manage an unlimited number of keys
for use by the operating system and by users. Each key is identified by a
Universally Unique Identifier, or UUID.
Although the TPM can hold only a limited number of keys at any
given time, the supporting software automatically loads and unloads keys as
needed. When a key is stored outside the TPM, it is always encrypted or
"wrapped" by its parent key so that the key is never exposed in
readable form outside the TPM.
Before the TPM can be used, it must be initialized by the platform
owner. This process involves setting an owner password which is used to
authorize privileged operations.
Although the TPM owner is similar to a traditional superuser,
there are two important differences. First, process privilege is irrelevant
for access to TPM functions. All privileged operations require knowledge of
the owner password, regardless of the privilege level of the calling
process. Second, the TPM owner is not able to override access controls for
data protected by TPM keys. The owner can effectively destroy data by
re-initializing the TPM, but he cannot access data that has been encrypted
using TPM keys owned by other users.
The following subcommands are used in the form:
# tpmadm <subcommand> [operand]
Report status information about the TPM. Output includes
basic information about whether ownership of the TPM has been established,
current PCR contents, and the usage of TPM resources such as communication
sessions and loaded keys.
Initialize the TPM for use. This involves taking
ownership of the TPM by setting the owner authorization password. Taking
ownership of the TPM creates a new storage root key, which is the ancestor of
all keys created by this TPM. Once this command is issued, the TPM must be
reset using BIOS operations before it can be re-initialized.
Change the owner authorization password for the
Clear the count of failed authentication attempts. After
a number of failed authentication attempts, the TPM responds more slowly to
subsequent attempts, in an effort to thwart attempts to find the owner
password by exhaustive search. This command, which requires the correct owner
password, resets the count of failed attempts.
Deactivate the TPM and return it to an unowned state.
This operation, which requires the current TPM owner password, invalidates all
keys and data tied to the TPM. Before the TPM can be used again, the system
must be restarted, the TPM must be reactivated from the BIOS or ILOM pre-boot
environment, and the TPM must be re-initialized using the tpmadm init
Report information about keys stored in the TPM
subsystem. Without additional arguments, this subcommand produces a brief
listing of all keys. If the UUID of an individual key is specified, detailed
information about that key is displayed.
Delete the key with the specified UUID from the TPM
subsystem's persistent storage.
After completing the requested operation, tpmadm exits with one of the
following status values.
Failure. The requested operation could not be
Usage error. The tpmadm command was invoked with
See attributes(5) for descriptions of the following attributes:
TCG Software Stack (TSS) Specifications:
https://www.trustedcomputinggroup.org/specs/TSS (as of the date of