Esys

class tpm2_pytss.ESAPI(tcti=None)[source]

Initialize an ESAPI object for further use.

Initialize an ESAPI object that holds all the state and metadata information during an interaction with the TPM. If tcti is None (the default), load a TCTI in this order:

  • Library libtss2-tcti-default.so (link to the preferred TCTI)

  • Library libtss2-tcti-tabrmd.so (tabrmd)

  • Device /dev/tpmrm0 (kernel resident resource manager)

  • Device /dev/tpm0 (hardware TPM)

  • TCP socket localhost:2321 (TPM simulator)

Parameters

tcti (Union[TCTI, str]) – The TCTI context used to connect to the TPM (may be None). This is established using TCTILdr or a tpm2-tools style --tcti string in the format <tcti-name>:<tcti-conf>, where :<tcti-conf> is optional. Defaults to None.

Returns

An instance of the ESAPI class.

Raises
  • TypeError – If the TCTI is an invalid type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

  • RuntimeError – If a TCTI config string is not in name:conf or name format.

This class implements the TCG-defined Enhanced System API (ESAPI) in Python; see the notes below.

Note that since this implementation is a binding, the behaviour you observe depends on the underlying tss2-esys version; your mileage may vary accordingly.

Note that since the TCG has no specification for an ESAPI Python interface, liberties were taken to make use of Python features not found in C. While the API is very similar to the C API, it is not an exact match and is, hopefully, simpler to use.

The specification for the C library can be found at:

C Function: Esys_Initialize
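Opening a context from a --tcti string, as an added example that is not tpm2-pytss code: parse_tcti_conf() applies the <tcti-name>[:<tcti-conf>] rule described above, and open_esapi() is a hypothetical wrapper around ESAPI(); both names are mine, and only the ESAPI constructor and close() are real library calls.

```python
"""Open an ESAPI context from a tpm2-tools style --tcti string.

Added example, not part of tpm2-pytss: parse_tcti_conf() applies the
"<tcti-name>[:<tcti-conf>]" rule the ESAPI constructor documents, and
open_esapi() is a hypothetical helper that hands the result to ESAPI().
"""
from typing import Optional, Tuple


def parse_tcti_conf(conf: str) -> Tuple[str, Optional[str]]:
    """Split a --tcti string into (name, conf).

    Only the first ':' separates name from conf: the conf part of e.g.
    "mssim:host=::1,port=2321" legitimately contains colons. An empty name
    is rejected up front with the same RuntimeError the constructor raises
    for a string that is not in name or name:conf format.
    """
    if not isinstance(conf, str):
        raise TypeError("tcti conf must be a str")
    name, sep, rest = conf.partition(":")
    if not name:
        raise RuntimeError(f"tcti string {conf!r} is not in name or name:conf format")
    return name, (rest if sep else None)


def open_esapi(tcti: Optional[str] = None):
    """Return an ESAPI instance (lazy import so the parser works without libtss2).

    With tcti=None the constructor runs its own search order
    (libtss2-tcti-default.so, tabrmd, /dev/tpmrm0, /dev/tpm0, localhost:2321).
    The caller must call .close() when done; the metadata ESAPI allocated is
    not freed automatically.
    """
    from tpm2_pytss import ESAPI  # real import; needs libtss2-esys and a TPM or simulator

    if tcti is not None:
        parse_tcti_conf(tcti)  # fail fast with a clear error before touching the TPM
    return ESAPI(tcti)


if __name__ == "__main__":
    # Pin the kernel resource manager explicitly rather than relying on the
    # default search order, which can silently fall through to a simulator.
    ectx = open_esapi("device:/dev/tpmrm0")
    try:
        print("ESAPI context opened")
    finally:
        ectx.close()
```

Pinning the TCTI matters in production: the default search order ends at a TCP simulator on localhost:2321, so a missing device node or a resource manager that failed to start does not produce an error, it produces keys created in a software TPM.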

activate_credential(activate_handle, key_handle, credential_blob, secret, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.PASSWORD, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_ActivateCredential command.

This function invokes the TPM2_ActivateCredential command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • activate_handle (ESYS_TR) – Handle of the object associated with certificate in credentialBlob.

  • key_handle (ESYS_TR) – Loaded key used to decrypt the TPMS_SENSITIVE in credentialBlob.

  • credential_blob (TPM2B_ID_OBJECT) – The credential.

  • secret (TPM2B_ENCRYPTED_SECRET) – KeyHandle algorithm-dependent encrypted seed that protects credentialBlob.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

The cert_info, a TPM2B_DIGEST holding the decrypted credential value. Proving possession of the key means handing this value back to the credential issuer, which compares it with the value it wrapped into credential_blob.

C Function: Esys_ActivateCredential

TPM Command: TPM2_ActivateCredential

certify(object_handle, sign_handle, qualifying_data, in_scheme, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.PASSWORD, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Certify command.

This function invokes the TPM2_Certify command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • object_handle (ESYS_TR) – Handle of the object to be certified.

  • sign_handle (ESYS_TR) – Handle of the key used to sign the attestation structure.

  • qualifying_data (Union[TPM2B_DATA, bytes, str]) – User provided qualifying data.

  • in_scheme (TPMT_SIG_SCHEME) – TPM2_Signing scheme to use if the scheme for signHandle is TPM2_ALG_NULL.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_ATTEST, TPMT_SIGNATURE] which is the structure that was signed, known as certify_info and the signature computed over certify_info.

C Function: Esys_Certify

TPM Command: TPM2_Certify

certify_creation(sign_handle, object_handle, qualifying_data, creation_hash, in_scheme, creation_ticket, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_CertifyCreation command.

This function invokes the TPM2_CertifyCreation command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • sign_handle (ESYS_TR) – Handle of the key that will sign the attestation block.

  • object_handle (ESYS_TR) – The object associated with the creation data.

  • qualifying_data (Union[TPM2B_DATA, bytes, str]) – User provided qualifying data.

  • creation_hash (Union[TPM2B_DIGEST, bytes, str]) – Hash of the creation data produced by TPM2_Create() or TPM2_CreatePrimary().

  • in_scheme (TPMT_SIG_SCHEME) – TPM2_Signing scheme to use if the scheme for signHandle is TPM2_ALG_NULL.

  • creation_ticket (TPMT_TK_CREATION) – Ticket produced by TPM2_Create() or TPM2_CreatePrimary().

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_ATTEST, TPMT_SIGNATURE] which is the structure that was signed, known as certify_info and the signature computed over certify_info.

C Function: Esys_CertifyCreation

TPM Command: TPM2_CertifyCreation
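The certify_info returned by certify() and certify_creation() is only evidence if the relying party actually checks it before, and in addition to, verifying the signature. The following is an added example, not tpm2-pytss code: parse_attest() unpacks the marshalled TPMS_ATTEST (TPM 2.0 Part 2 layout) with the standard library and enforces the magic, type and nonce checks for both the certify and the creation variants; build_attest() and the SAMPLE_* values are constructed test data; certify_with_tpm() is a hypothetical helper showing the real call, and its use of bytes() on the returned TPM2B_ATTEST is an assumption.

```python
"""Verifier-side checks on the certify_info from certify() / certify_creation().

Added example, not tpm2-pytss code. Parses a marshalled TPMS_ATTEST with the
standard library only, so it runs without a TPM; the sample blob below is
constructed by hand. Verifying the TPMT_SIGNATURE over the same bytes with
the signer's public key is a separate step that is not shown here.
"""
import struct

TPM_GENERATED_VALUE = 0xFF544347        # b"\xffTCG": prefix of TPM-generated structures
TPM_ST_ATTEST_CERTIFY = 0x8017
TPM_ST_ATTEST_CREATION = 0x801A


def _tpm2b(buf: bytes, off: int):
    """Read a TPM2B (UINT16 size + payload) at off; return (payload, new_off)."""
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + size > len(buf):
        raise ValueError("truncated TPM2B")
    return buf[off:off + size], off + size


def parse_attest(blob: bytes, expected_nonce: bytes) -> dict:
    """Parse a TPMS_ATTEST and enforce the checks every relying party needs.

    Rejects a magic other than TPM_GENERATED_VALUE, a type other than
    certify/creation, and an extraData that differs from the nonce the
    verifier chose (replay defence). The magic only carries weight when the
    signer is a restricted signing key: the TPM refuses to sign externally
    supplied data that begins with TPM_GENERATED_VALUE with such a key.
    """
    try:
        magic, st = struct.unpack_from(">IH", blob, 0)
        if magic != TPM_GENERATED_VALUE:
            raise ValueError("bad magic: not TPM-generated")
        off = 6
        qualified_signer, off = _tpm2b(blob, off)
        extra_data, off = _tpm2b(blob, off)
        if extra_data != expected_nonce:
            raise ValueError("extraData does not match the challenge nonce")
        clock, reset_count, restart_count, safe = struct.unpack_from(">QIIB", blob, off)
        off += 17                                   # TPMS_CLOCK_INFO
        (firmware_version,) = struct.unpack_from(">Q", blob, off)
        off += 8
        out = {
            "type": st, "qualified_signer": qualified_signer,
            "clock": clock, "reset_count": reset_count,
            "restart_count": restart_count, "safe": bool(safe),
            "firmware_version": firmware_version,
        }
        if st == TPM_ST_ATTEST_CERTIFY:          # TPMS_CERTIFY_INFO
            out["name"], off = _tpm2b(blob, off)
            out["qualified_name"], off = _tpm2b(blob, off)
        elif st == TPM_ST_ATTEST_CREATION:       # TPMS_CREATION_INFO
            out["object_name"], off = _tpm2b(blob, off)
            out["creation_hash"], off = _tpm2b(blob, off)
        else:
            raise ValueError(f"unexpected attestation type 0x{st:04x}")
    except struct.error as e:
        raise ValueError("truncated TPMS_ATTEST") from e
    if off != len(blob):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return out


def build_attest(st: int, signer: bytes, nonce: bytes, a: bytes, b: bytes) -> bytes:
    """Constructed test-vector builder, the mirror of parse_attest (offline use only)."""
    def t2b(x: bytes) -> bytes:
        return struct.pack(">H", len(x)) + x
    return (struct.pack(">IH", TPM_GENERATED_VALUE, st) + t2b(signer) + t2b(nonce)
            + struct.pack(">QIIB", 1000, 3, 0, 1) + struct.pack(">Q", 0x20230101)
            + t2b(a) + t2b(b))


# Constructed sample: a SHA-256 name is 0x000B followed by a 32-byte digest.
SAMPLE_NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_NAME = b"\x00\x0b" + bytes(range(32))
SAMPLE_CERTIFY = build_attest(TPM_ST_ATTEST_CERTIFY, SAMPLE_NAME, SAMPLE_NONCE,
                              SAMPLE_NAME, SAMPLE_NAME)


def certify_with_tpm(ectx, key_handle, nonce: bytes):
    """Obtain certify_info for a loaded key (needs tpm2-pytss and a TPM).

    Self-certification (object == signer) keeps the example short; in a real
    enrolment the signer is an attestation key the verifier already trusts.
    bytes(certify_info) yielding the raw TPMS_ATTEST is an assumption.
    """
    from tpm2_pytss import TPMT_SIG_SCHEME, TPM2_ALG
    certify_info, signature = ectx.certify(
        key_handle, key_handle, nonce, TPMT_SIG_SCHEME(scheme=TPM2_ALG.NULL))
    return bytes(certify_info), signature
```

For certify_creation the same parser yields object_name and creation_hash; the verifier then recomputes the hash of the TPM2B_CREATION_DATA it was given and compares, which is what ties the PCR values and outside_info at creation time to the certified object.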

change_eps(auth_handle=ESYS_TR.RH_PLATFORM, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_ChangeEPS command.

This function invokes the TPM2_ChangeEPS command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth_handle (ESYS_TR) – ESYS_TR.PLATFORM+{PP}. Defaults to ESYS_TR.PLATFORM.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_ChangeEPS

TPM Command: TPM2_ChangeEPS

change_pps(auth_handle=ESYS_TR.RH_PLATFORM, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_ChangePPS command.

This function invokes the TPM2_ChangePPS command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth_handle (ESYS_TR) – ESYS_TR.PLATFORM+{PP}. Defaults to ESYS_TR.PLATFORM.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_ChangePPS

TPM Command: TPM2_ChangePPS

clear(auth_handle, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Clear command.

This function invokes the TPM2_Clear command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth_handle (ESYS_TR) – ESYS_TR.LOCKOUT or ESYS_TR.PLATFORM+{PP}.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_Clear

TPM Command: TPM2_Clear

clear_control(auth, disable, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_ClearControl command.

This function invokes the TPM2_ClearControl command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth (ESYS_TR) – ESYS_TR.LOCKOUT or ESYS_TR.PLATFORM+{PP}.

  • disable (bool) – True if the disableOwnerClear flag is to be SET, False if the flag is to be CLEAR.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_ClearControl

TPM Command: TPM2_ClearControl

clock_rate_adjust(rate_adjust, auth=ESYS_TR.RH_OWNER, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_ClockRateAdjust command.

This function invokes the TPM2_ClockRateAdjust command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • rate_adjust (TPM2_CLOCK) – Adjustment to current Clock update rate.

  • auth (ESYS_TR) – ESYS_TR.OWNER or ESYS_TR.PLATFORM+{PP}. Defaults to ESYS_TR.OWNER.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_ClockRateAdjust

TPM Command: TPM2_ClockRateAdjust

clock_set(new_time, auth=ESYS_TR.RH_OWNER, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_ClockSet command.

This function invokes the TPM2_ClockSet command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • new_time (int) – New Clock setting in milliseconds.

  • auth (ESYS_TR) – ESYS_TR.OWNER or ESYS_TR.PLATFORM+{PP}. Defaults to ESYS_TR.OWNER.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_ClockSet

TPM Command: TPM2_ClockSet

close()[source]

Finalize an ESAPI Instance

After interactions with the TPM the context holding the metadata needs to be freed. Since additional internal memory allocations may have happened during use of the context, it needs to be finalized correctly.

C Function: Esys_Finalize

commit(sign_handle, p1, s2, y2, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Commit command.

This function invokes the TPM2_Commit command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • sign_handle (ESYS_TR) – Handle of the key that will be used in the signing operation

  • p1 (TPM2B_ECC_POINT) – A point (M) on the curve used by signHandle.

  • s2 (Union[TPM2B_SENSITIVE_DATA, bytes, str]) – Octet array used to derive x-coordinate of a base point.

  • y2 (Union[TPM2B_ECC_PARAMETER, bytes, str]) – Y coordinate of the point associated with s2.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_ECC_POINT, TPM2B_ECC_POINT, TPM2B_ECC_POINT, int] which is the K point as ECC point K := [ds](x2, y2), the L point as L := [r](x2, y2), the E point as E := [r]P1 and the counter value respectively.

C Function: Esys_Commit

TPM Command: TPM2_Commit

context_load(context)[source]

Invoke the TPM2_ContextLoad command.

This function invokes the TPM2_ContextLoad command in a one-call variant. This means the function will block until the TPM response is available. The blob must come from context_save on the same TPM: contexts are encrypted and integrity-protected with a TPM-internal key, a saved session context can be loaded only once, and saved contexts do not survive a TPM reset, so a blob on disk is a handle for the current boot rather than a durable copy of the object.

Parameters

context (TPMS_CONTEXT) – The context blob.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

An ESYS_TR which is the handle to the loaded data.

C Function: Esys_ContextLoad

TPM Command: TPM2_ContextLoad

context_save(save_handle)[source]

Invoke the TPM2_ContextSave command.

This function invokes the TPM2_ContextSave command in a one-call variant. This means the function will block until the TPM response is available.

Parameters

save_handle (ESYS_TR) – Handle of the resource to save.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPMS_CONTEXT which is the saved save_handle data.

C Function: Esys_ContextSave

TPM Command: TPM2_ContextSave

create(parent_handle, in_sensitive, in_public='rsa2048', outside_info=<tpm2_pytss.types.TPM2B_DATA object>, creation_pcr=<tpm2_pytss.types.TPML_PCR_SELECTION object>, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Create command.

This function invokes the TPM2_Create command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • parent_handle (ESYS_TR) – Handle of parent for new object.

  • in_sensitive (TPM2B_SENSITIVE_CREATE) – The sensitive data, can be None for an empty TPM2B_SENSITIVE_CREATE.

  • in_public (Union[TPM2B_PUBLIC, str]) – The public template. Defaults to an rsa2048 template.

  • outside_info (Union[TPM2B_DATA, bytes, str]) – Data that will be included in the creation data for this object to provide permanent, verifiable linkage between this object and some object owner data. Defaults to empty TPM2B_DATA.

  • creation_pcr (Union[TPML_PCR_SELECTION, str]) – PCR that will be used in creation data. Defaults to an empty PCR selection.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_PRIVATE, TPM2B_PUBLIC, TPM2B_CREATION_DATA, TPM2B_DIGEST, TPMT_TK_CREATION] which is the private portion of the created object, the public portion, the creation data, the digest of the creation data and the creation ticket, respectively.

C Function: Esys_Create

TPM Command: TPM2_Create

create_loaded(parent_handle, in_sensitive, in_public='rsa2048', session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_CreateLoaded command.

This function invokes the TPM2_CreateLoaded command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • parent_handle (ESYS_TR) – TPM2_Handle of a transient storage key, a persistent storage key, ESYS_TR.ENDORSEMENT, ESYS_TR.OWNER, ESYS_TR.PLATFORM+{PP}, or ESYS_TR.NULL.

  • in_sensitive (TPM2B_SENSITIVE_CREATE) – The sensitive data, see TPM 2.0 Part 1 Sensitive Values. Accepts None for an empty TPM2B_SENSITIVE_CREATE.

  • in_public (Union[TPM2B_TEMPLATE, str]) – The public template (optional). Defaults to an rsa2048 key.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[ESYS_TR, TPM2B_PRIVATE, TPM2B_PUBLIC] which is the handle of the loaded object (object_handle), the sensitive area of the object (out_private), and the public portion of the created object (out_public).

C Function: Esys_CreateLoaded

TPM Command: TPM2_CreateLoaded

create_primary(in_sensitive, in_public='rsa2048', primary_handle=ESYS_TR.RH_OWNER, outside_info=<tpm2_pytss.types.TPM2B_DATA object>, creation_pcr=<tpm2_pytss.types.TPML_PCR_SELECTION object>, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_CreatePrimary command.

This function invokes the TPM2_CreatePrimary command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • in_sensitive (TPM2B_SENSITIVE_CREATE) – The sensitive data, see TPM 2.0 Part 1 Sensitive Values. Accepts None for an empty TPM2B_SENSITIVE_CREATE.

  • in_public (Union[TPM2B_PUBLIC, str]) – The public template. Defaults to “rsa2048”.

  • primary_handle (ESYS_TR) – ESYS_TR.ENDORSEMENT, ESYS_TR.OWNER, ESYS_TR.PLATFORM or ESYS_TR.NULL. Defaults to ESYS_TR.OWNER.

  • outside_info (Union[TPM2B_DATA, bytes, str]) – Data that will be included in the creation data for this object to provide permanent, verifiable linkage between this object and some object owner data. Defaults to an empty TPM2B_DATA.

  • creation_pcr (Union[TPML_PCR_SELECTION, str]) – PCR that will be used in creation data. Defaults to an empty TPML_PCR_SELECTION().

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[ESYS_TR, TPM2B_PUBLIC, TPM2B_CREATION_DATA, TPM2B_DIGEST, TPMT_TK_CREATION] which is the ESYS_TR handle of the ESYS resource for the TPM2_HANDLE, the public portion of the created object, the creation data, the digest of the creation data using the nameAlg of the object, and the creation ticket, respectively.

C Function: Esys_CreatePrimary

TPM Command: TPM2_CreatePrimary

dictionary_attack_lock_reset(lock_handle=ESYS_TR.RH_LOCKOUT, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_DictionaryAttackLockReset command.

This function invokes the TPM2_DictionaryAttackLockReset command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • lock_handle (ESYS_TR) – ESYS_TR.LOCKOUT. Defaults to ESYS_TR.LOCKOUT.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_DictionaryAttackLockReset

TPM Command: TPM2_DictionaryAttackLockReset

dictionary_attack_parameters(new_max_tries, new_recovery_time, lockout_recovery, lock_handle=ESYS_TR.RH_LOCKOUT, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_DictionaryAttackParameters command.

This function invokes the TPM2_DictionaryAttackParameters command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • new_max_tries (int) – Count of authorization failures before the lockout is imposed.

  • new_recovery_time (int) – Time in seconds before the authorization failure count is automatically decremented.

  • lockout_recovery (int) – Time in seconds after a lockoutAuth failure before use of lockoutAuth is allowed.

  • lock_handle (ESYS_TR) – ESYS_TR.LOCKOUT. Defaults to ESYS_TR.LOCKOUT.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_DictionaryAttackParameters

TPM Command: TPM2_DictionaryAttackParameters

duplicate(object_handle, new_parent_handle, encryption_key_in, symmetric_alg, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Duplicate command.

This function invokes the TPM2_Duplicate command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • object_handle (ESYS_TR) – Loaded object to duplicate.

  • new_parent_handle (ESYS_TR) – The duplication parent; shall reference the public area of an asymmetric key.

  • encryption_key_in (TPM2B_DATA) – Symmetric encryption key. Can be None if no wrapping is to be performed.

  • symmetric_alg (TPMT_SYM_DEF_OBJECT) – Definition for the symmetric algorithm to be used for the inner wrapper

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_DATA, TPM2B_PRIVATE, TPM2B_ENCRYPTED_SECRET]: the first element is an empty buffer if the caller provided an encryption key or if symmetric_alg was TPM2_ALG.NULL, and otherwise contains the TPM-generated symmetric encryption key for the inner wrapper; the second is the duplicate private area, which may be encrypted by encryption_key_in and may be doubly encrypted; the third is the seed protected by the asymmetric algorithm of the new parent (NP).

C Function: Esys_Duplicate

TPM Command: TPM2_Duplicate

ec_ephemeral(curve_id, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_EC_Ephemeral command.

This function invokes the TPM2_EC_Ephemeral command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • curve_id (TPM2_ECC_CURVE) – The curve for the computed ephemeral point.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_ECC_POINT, int] which is the ephemeral public key Q := [r]G and the least-significant 16 bits of commitCount, respectively.

C Function: Esys_EC_Ephemeral

TPM Command: TPM2_EC_Ephemeral

ecc_parameters(curve_id, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_ECC_Parameters command.

This function invokes the TPM2_ECC_Parameters command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • curve_id (TPM2_ECC_CURVE) – Parameter set selector.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPMS_ALGORITHM_DETAIL_ECC ECC parameters for the selected curve.

C Function: Esys_ECC_Parameters

TPM Command: TPM2_ECC_Parameters

ecdh_key_gen(key_handle, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_ECDH_KeyGen command.

This function invokes the TPM2_ECDH_KeyGen command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • key_handle (ESYS_TR) – Handle of a loaded ECC key public area.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_ECC_POINT, TPM2B_ECC_POINT] which is zPoint, the result of P := h[de]Qs, and pubPoint, the generated ephemeral public point (Qe), respectively.

C Function: Esys_ECDH_KeyGen

TPM Command: TPM2_ECDH_KeyGen

ecdh_zgen(key_handle, in_point, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_ECDH_ZGen command.

This function invokes the TPM2_ECDH_ZGen command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • key_handle (ESYS_TR) – Handle of a loaded ECC key.

  • in_point (TPM2B_ECC_POINT) – A public key.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPM2B_ECC_POINT which is the X and Y coordinates of the product of the multiplication Z = (xZ, yZ) := [hdS]QB.

C Function: Esys_ECDH_ZGen

TPM Command: TPM2_ECDH_ZGen

encrypt_decrypt(key_handle, decrypt, mode, iv_in, in_data, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_EncryptDecrypt command.

This function invokes the TPM2_EncryptDecrypt command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • key_handle (ESYS_TR) – The symmetric key used for the operation.

  • decrypt (bool) – If True, then the operation is decryption; if False, the operation is encryption.

  • mode (TPM2_ALG) – Symmetric mode.

  • iv_in (Union[TPM2B_IV, bytes, str]) – An initial value as required by the algorithm.

  • in_data (Union[TPM2B_MAX_BUFFER, bytes, str]) – The data to be encrypted/decrypted.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_MAX_BUFFER, TPM2B_IV] which is the encrypted or decrypted output and the chaining value to use for IV in next round respectively.

C Function: Esys_EncryptDecrypt

TPM Command: TPM2_EncryptDecrypt

encrypt_decrypt_2(key_handle, decrypt, mode, iv_in, in_data, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_EncryptDecrypt2 command.

This function invokes the TPM2_EncryptDecrypt2 command in a one-call variant. This means the function will block until the TPM response is available. TPM2_EncryptDecrypt2 performs the same operation as TPM2_EncryptDecrypt but marshals in_data as the first command parameter, so a session with parameter encryption can protect the plaintext on the wire; prefer it where the TPM supports it.

Parameters
  • key_handle (ESYS_TR) – The symmetric key used for the operation.

  • decrypt (bool) – If True, then the operation is decryption; if False, the operation is encryption.

  • mode (TPM2_ALG) – Symmetric mode.

  • iv_in (Union[TPM2B_IV, bytes, str]) – An initial value as required by the algorithm.

  • in_data (Union[TPM2B_MAX_BUFFER, bytes, str]) – The data to be encrypted/decrypted.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_MAX_BUFFER, TPM2B_IV] which is the encrypted or decrypted output and the chaining value to use for IV in next round respectively.

C Function: Esys_EncryptDecrypt2

TPM Command: TPM2_EncryptDecrypt2
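One call processes at most one TPM2B_MAX_BUFFER, so a longer message has to be split and the returned IV fed into the next call. The following is an added example, not code from tpm2-pytss: it assumes a loaded symmetric key handle `key_handle` and a CBC or CFB `mode` (a TPM2_ALG value), and keeps the chaining logic separate from the TPM call so the chunking and IV threading can be checked on a host without a TPM.

```python
import secrets
from typing import Callable, Iterator, List, Tuple

# The largest in_data one TPM2_EncryptDecrypt2 call accepts is a TPM2B_MAX_BUFFER;
# 1024 bytes is the usual size (assumption: confirm with get_capability on
# TPM2_CAP.TPM_PROPERTIES / TPM2_PT.INPUT_BUFFER for the target TPM).
MAX_BUFFER = 1024
AES_BLOCK = 16

# One TPM round: (iv_in, chunk) -> (out, iv_out).  Abstracted so the chaining
# logic can be exercised with a stand-in when no TPM is present.
Round = Callable[[bytes, bytes], Tuple[bytes, bytes]]


def chunks(data: bytes, size: int = MAX_BUFFER) -> Iterator[bytes]:
    """Split data into TPM2B_MAX_BUFFER-sized pieces; no padding is added."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def chained(data: bytes, iv: bytes, one_round: Round) -> bytes:
    """Run every chunk through one_round, feeding each returned IV into the next.

    Discarding iv_out and reusing the message IV for every chunk is the classic
    mistake: under CBC/CFB it makes equal plaintext chunks encrypt identically.
    With CBC the total length must already be a multiple of AES_BLOCK (the TPM
    applies no padding); CFB has no such requirement.
    """
    if len(iv) != AES_BLOCK:
        raise ValueError("iv must be exactly one cipher block")
    out: List[bytes] = []
    for piece in chunks(data):
        block, iv = one_round(iv, piece)
        out.append(block)
    return b"".join(out)


def tpm_round(ectx, key_handle, decrypt: bool, mode) -> Round:
    """Bind ESAPI.encrypt_decrypt_2 to one key, mode and direction.

    bytes are accepted for iv_in and in_data, as documented above; the TPM2B
    results are converted back to bytes.  Nothing is imported from the TSS, so
    the pure chaining code stays usable on a host without it.
    """
    def one_round(iv: bytes, piece: bytes) -> Tuple[bytes, bytes]:
        out, iv_out = ectx.encrypt_decrypt_2(key_handle, decrypt, mode, iv, piece)
        return bytes(out), bytes(iv_out)

    return one_round


def encrypt_large(ectx, key_handle, mode, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt a message of any length; returns (iv, ciphertext).

    A fresh random IV per message is mandatory.  TPM2_EncryptDecrypt2 provides
    no integrity: authenticate the ciphertext separately (for example with
    hmac() under a second TPM key) before decrypting untrusted input.
    """
    iv = secrets.token_bytes(AES_BLOCK)
    return iv, chained(plaintext, iv, tpm_round(ectx, key_handle, False, mode))


def decrypt_large(ectx, key_handle, mode, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of encrypt_large with the same key, mode and IV."""
    return chained(ciphertext, iv, tpm_round(ectx, key_handle, True, mode))
```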

event_sequence_complete(pcr_handle, sequence_handle, buffer, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.PASSWORD, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_EventSequenceComplete command.

This function invokes the TPM2_EventSequenceComplete command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • pcr_handle (ESYS_TR) – PCR to be extended with the Event data.

  • sequence_handle (ESYS_TR) – Authorization for the sequence.

  • buffer (Union[TPM2B_MAX_BUFFER, bytes, str]) – Data to be added to the Event.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPML_DIGEST_VALUES which is the list of digests, one per bank, extended into the PCR.

C Function: Esys_EventSequenceComplete

TPM Command: TPM2_EventSequenceComplete

evict_control(auth, object_handle, persistent_handle, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_EvictControl command.

This function invokes the TPM2_EvictControl command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth (ESYS_TR) – ESYS_TR.OWNER or ESYS_TR.PLATFORM+{PP}.

  • object_handle (ESYS_TR) – The handle of a loaded object.

  • persistent_handle (int) – If objectHandle is a transient object handle, then this is the persistent handle for the object.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

An ESYS_TR handle of the ESYS resource for the resulting TPM2_HANDLE.

C Function: Esys_EvictControl

TPM Command: TPM2_EvictControl

field_upgrade_data(fu_data, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_FieldUpgradeData command.

This function invokes the TPM2_FieldUpgradeData command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • fu_data (Union[TPM2B_MAX_BUFFER, bytes, str]) – Field upgrade image data.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPMT_HA, TPMT_HA] which is the tagged digest of the next block and the tagged digest of the first block of the sequence respectively.

C Function: Esys_FieldUpgradeData

TPM Command: TPM2_FieldUpgradeData

field_upgrade_start(key_handle, fu_digest, manifest_signature, authorization=ESYS_TR.RH_PLATFORM, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_FieldUpgradeStart command.

This function invokes the TPM2_FieldUpgradeStart command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • key_handle (ESYS_TR) – Handle of a public area that contains the TPM Vendor Authorization Key that will be used to validate manifestSignature.

  • fu_digest (Union[TPM2B_DIGEST, bytes, str]) – Digest of the first block in the field upgrade sequence.

  • manifest_signature (TPMT_SIGNATURE) – Signature over fuDigest using the key associated with keyHandle (not optional).

  • authorization (ESYS_TR) – ESYS_TR.PLATFORM+{PP}. Defaults to ESYS_TR.PLATFORM.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_FieldUpgradeStart

TPM Command: TPM2_FieldUpgradeStart

firmware_read(sequence_number, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_FirmwareRead command.

This function invokes the TPM2_FirmwareRead command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • sequence_number (int) – The number of previous calls to this command in this sequence.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPM2B_MAX_BUFFER which is the field upgrade image data.

C Function: Esys_FirmwareRead

TPM Command: TPM2_FirmwareRead

flush_context(flush_handle)[source]

Invoke the TPM2_FlushContext command.

This function invokes the TPM2_FlushContext command in a one-call variant. This means the function will block until the TPM response is available.

Parameters

flush_handle (ESYS_TR) – The handle of the item to flush.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_FlushContext

TPM Command: TPM2_FlushContext

get_capability(capability, prop, property_count=1, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_GetCapability command.

This function invokes the TPM2_GetCapability command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • capability (TPM2_CAP) – Group selection; determines the format of the response.

  • prop (int) – Further definition of information.

  • property_count (int) – Number of properties of the indicated type to return. Defaults to 1.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[bool, TPMS_CAPABILITY_DATA] which is a flag indicating whether more values of this type are available and the capability data, respectively.

C Function: Esys_GetCapability

TPM Command: TPM2_GetCapability
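The more_data flag in the return tuple means a single call may not return everything, so an audit of what is resident in the TPM (for example the persistent handles) has to repeat the query from the last handle seen. The example below is added here and is not part of tpm2-pytss; the paging loop is written against a query callable so it can be checked without a TPM, and `handles_query` binds it to ESAPI.get_capability with TPM2_CAP.HANDLES.

```python
from typing import Callable, List, Tuple

# query(prop, count) -> (more_data, handles) with handles in ascending order.
Query = Callable[[int, int], Tuple[bool, List[int]]]

# First handle of each range (TPM 2.0 Part 2, TPM_HT); querying from the start of
# a range returns only handles of that type.
HR_TRANSIENT = 0x80000000
HR_PERSISTENT = 0x81000000
HR_NV_INDEX = 0x01000000


def collect(query: Query, first: int, count: int = 8, limit: int = 4096) -> List[int]:
    """Drain a capability that the TPM returns in pages.

    After each page the next request starts at last_handle + 1.  The loop also
    stops on an empty page and at `limit` entries, so a misbehaving TPM (or
    simulator) answering more_data=True forever cannot keep the caller spinning.
    """
    seen: List[int] = []
    prop = first
    while len(seen) < limit:
        more, page = query(prop, count)
        seen.extend(page)
        if not more or not page:
            break
        prop = page[-1] + 1
    return seen


def handles_query(ectx) -> Query:
    """Adapter over ESAPI.get_capability for TPM2_CAP.HANDLES.

    The TSS import is deferred so collect() remains usable on a host without it.
    """
    from tpm2_pytss import TPM2_CAP

    def query(prop: int, count: int) -> Tuple[bool, List[int]]:
        more, cap = ectx.get_capability(TPM2_CAP.HANDLES, prop, count)
        return bool(more), [int(h) for h in cap.data.handles]

    return query


def persistent_handles(ectx) -> List[int]:
    """Every persistent object currently stored in the TPM (0x81xxxxxx).

    Comparing this list against an expected inventory catches keys that were
    made persistent with evict_control outside the normal provisioning path.
    """
    return collect(handles_query(ectx), HR_PERSISTENT)
```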

get_command_audit_digest(sign_handle, qualifying_data, in_scheme=TPMT_SIG_SCHEME(scheme=TPM2_ALG.NULL), privacy_handle=ESYS_TR.RH_ENDORSEMENT, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.PASSWORD, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_GetCommandAuditDigest command.

This function invokes the TPM2_GetCommandAuditDigest command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • sign_handle (ESYS_TR) – Handle of the signing key.

  • qualifying_data (Union[TPM2B_DATA, bytes, str]) – Other data to associate with this audit digest.

  • in_scheme (TPMT_SIG_SCHEME) – TPM2_Signing scheme to use if the scheme for signHandle is TPM2_ALG_NULL (optional). Defaults to TPMT_SIG_SCHEME(scheme=TPM2_ALG.NULL).

  • privacy_handle (ESYS_TR) – Handle of the privacy administrator; must be ESYS_TR.ENDORSEMENT (optional). Defaults to ESYS_TR.ENDORSEMENT.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_ATTEST, TPMT_SIGNATURE] which is the audit information that was signed, known as audit_info, and the signature over audit_info.

C Function: Esys_GetCommandAuditDigest

TPM Command: TPM2_GetCommandAuditDigest

get_random(bytes_requested, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_GetRandom command.

This function invokes the TPM2_GetRandom command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • bytes_requested (int) – Number of octets to return.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPM2B_DIGEST of the random octets.

C Function: Esys_GetRandom

TPM Command: TPM2_GetRandom

get_session_audit_digest(sign_handle, session_handle, qualifying_data, in_scheme=TPMT_SIG_SCHEME(scheme=TPM2_ALG.NULL), privacy_admin_handle=ESYS_TR.RH_ENDORSEMENT, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.PASSWORD, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_GetSessionAuditDigest command.

This function invokes the TPM2_GetSessionAuditDigest command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • sign_handle (ESYS_TR) – Handle of the signing key.

  • session_handle (ESYS_TR) – Handle of the audit session.

  • qualifying_data (Union[TPM2B_DATA, bytes, str]) – User-provided qualifying data - may be zero-length.

  • in_scheme (TPMT_SIG_SCHEME) – TPM2_Signing scheme to use if the scheme for signHandle is TPM2_ALG_NULL (optional). Defaults to TPMT_SIG_SCHEME(scheme=TPM2_ALG.NULL).

  • privacy_admin_handle (ESYS_TR) – Handle of the privacy administrator; must be ESYS_TR.ENDORSEMENT (optional). Defaults to ESYS_TR.ENDORSEMENT.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_ATTEST, TPMT_SIGNATURE] which is the audit information that was signed, known as audit_info, and the signature over audit_info.

C Function: Esys_GetSessionAuditDigest

TPM Command: TPM2_GetSessionAuditDigest

get_tcti()[source]

Return the used TCTI context.

If a TCTI was passed into Esys_Initialize then that TCTI context is returned. If None was passed in, then None will be returned. This function is useful before Esys_Finalize to retrieve the TCTI context and perform a clean Tss2_Tcti_Finalize.

Returns

A TCTI or None if None was passed to the ESAPI constructor.

get_test_result(session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_GetTestResult command.

This function invokes the TPM2_GetTestResult command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_MAX_BUFFER, TPM2_RC] which is the test result data and the return code from the test execution, respectively.

C Function: Esys_GetTestResult

TPM Command: TPM2_GetTestResult

get_time(sign_handle, qualifying_data, in_scheme=TPMT_SIG_SCHEME(scheme=TPM2_ALG.NULL), privacy_admin_handle=ESYS_TR.RH_ENDORSEMENT, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.PASSWORD, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_GetTime command.

This function invokes the TPM2_GetTime command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • sign_handle (ESYS_TR) – Handle of the signing key.

  • qualifying_data (Union[TPM2B_DATA, bytes, str]) – Other data to associate with this audit digest.

  • in_scheme (TPMT_SIG_SCHEME) – TPM2_Signing scheme to use if the scheme for signHandle is TPM2_ALG_NULL (optional). Defaults to TPMT_SIG_SCHEME(scheme=TPM2_ALG.NULL).

  • privacy_admin_handle (ESYS_TR) – Handle of the privacy administrator; must be ESYS_TR.ENDORSEMENT (optional). Defaults to ESYS_TR.ENDORSEMENT.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_ATTEST, TPMT_SIGNATURE] Standard TPM-generated attestation block, known as time_info, and the signature over time_info respectively.

C Function: Esys_GetTime

TPM Command: TPM2_GetTime

hash(data, hash_alg, hierarchy=ESYS_TR.RH_OWNER, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Hash command.

This function invokes the TPM2_Hash command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • data (Union[TPM2B_MAX_BUFFER, bytes, str]) – Data to be hashed.

  • hash_alg (TPM2_ALG) – TPM2_Algorithm for the hash being computed - shall not be TPM2_ALG_NULL.

  • hierarchy (ESYS_TR) – Hierarchy to use for the ticket (ESYS_TR.NULL allowed). Defaults to ESYS_TR.OWNER.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_DIGEST, TPMT_TK_HASHCHECK] which is the digest and a validation ticket, respectively; the ticket attests that the sequence of octets hashed into outDigest did not start with TPM2_GENERATED_VALUE.

C Function: Esys_Hash

TPM Command: TPM2_Hash

hash_sequence_start(auth, hash_alg, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_HashSequenceStart command.

This function invokes the TPM2_HashSequenceStart command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth (Union[TPM2B_AUTH, bytes, str]) – Authorization value for subsequent use of the sequence.

  • hash_alg (TPM2_ALG) – The hash algorithm to use for the hash sequence.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

An ESYS_TR handle of ESYS resource for TPMI_DH_OBJECT.

C Function: Esys_HashSequenceStart

TPM Command: TPM2_HashSequenceStart

hierarchy_change_auth(auth_handle, new_auth, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_HierarchyChangeAuth command.

This function invokes the TPM2_HierarchyChangeAuth command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth_handle (ESYS_TR) – ESYS_TR.LOCKOUT, ESYS_TR.ENDORSEMENT, ESYS_TR.OWNER or ESYS_TR.PLATFORM+{PP}.

  • new_auth (Union[TPM2B_AUTH, bytes, str]) – New authorization value.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_HierarchyChangeAuth

TPM Command: TPM2_HierarchyChangeAuth

hierarchy_control(auth_handle, enable, state, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_HierarchyControl command.

This function invokes the TPM2_HierarchyControl command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth_handle (ESYS_TR) – ESYS_TR.ENDORSEMENT, ESYS_TR.OWNER or ESYS_TR.PLATFORM.

  • enable (ESYS_TR) – The enable being modified.

  • state (bool) – True if the enable should be SET, False if the enable should be CLEAR.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_HierarchyControl

TPM Command: TPM2_HierarchyControl

hmac(handle, buffer, hash_alg, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_HMAC command.

This function invokes the TPM2_HMAC command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • handle (ESYS_TR) – Handle for the symmetric signing key providing the HMAC key.

  • buffer (Union[TPM2B_MAX_BUFFER, bytes, str]) – HMAC data.

  • hash_alg (TPM2_ALG) – Algorithm to use for HMAC.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPM2B_DIGEST result of the HMAC.

C Function: Esys_HMAC

TPM Command: TPM2_HMAC

hmac_start(handle, auth, hash_alg, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_HMAC_Start command.

This function invokes the TPM2_HMAC_Start command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • handle (ESYS_TR) – Handle of an HMAC key.

  • auth (Union[TPM2B_AUTH, bytes, str]) – Authorization value for subsequent use of the sequence.

  • hash_alg (TPM2_ALG) – The hash algorithm to use for the HMAC.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

An ESYS_TR handle of ESYS resource for TPMI_DH_OBJECT.

C Function: Esys_HMAC_Start

TPM Command: TPM2_HMAC_Start

import_(parent_handle, encryption_key, object_public, duplicate, in_sym_seed, symmetric_alg, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Import command.

This function invokes the TPM2_Import command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • parent_handle (ESYS_TR) – The handle of the new parent for the object.

  • encryption_key (Union[TPM2B_DATA, bytes, str]) – The optional symmetric encryption key used as the inner wrapper for duplicate.

  • object_public (TPM2B_PUBLIC) – The public area of the object to be imported.

  • duplicate (TPM2B_PRIVATE) – The symmetrically encrypted duplicate object that may contain an inner symmetric wrapper.

  • in_sym_seed (TPM2B_ENCRYPTED_SECRET) – The seed for the symmetric key and HMAC key.

  • symmetric_alg (TPMT_SYM_DEF_OBJECT) – Definition for the symmetric algorithm to use for the inner wrapper.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPM2B_PRIVATE which is the sensitive area encrypted with the symmetric key of parentHandle.

C Function: Esys_Import

TPM Command: TPM2_Import

incremental_self_test(to_test, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_IncrementalSelfTest command.

This function invokes the TPM2_IncrementalSelfTest command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • to_test (TPML_ALG) – List of algorithms that should be tested.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPML_ALG list of algorithms that still need testing (the to-do list).

C Function: Esys_IncrementalSelfTest

TPM Command: TPM2_IncrementalSelfTest

load(parent_handle, in_private, in_public, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Load command.

This function invokes the TPM2_Load command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • parent_handle (ESYS_TR) – TPM handle of the parent key; shall not be a reserved handle.

  • in_private (TPM2B_PRIVATE) – The private portion of the object.

  • in_public (TPM2B_PUBLIC) – The public portion of the object.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

An ESYS_TR representing the handle of the loaded object.

C Function: Esys_Load

TPM Command: TPM2_Load

load_blob(data, type_=1)[source]

Load an ESAPI object from a binary blob. The supported blob types are FAPI_ESYSBLOB.CONTEXTLOAD and FAPI_ESYSBLOB.DESERIALIZE.

Parameters
  • data (bytes) – Binary blob of the ESAPI object to load.

  • type_ (int) – FAPI_ESYSBLOB.CONTEXTLOAD or FAPI_ESYSBLOB.DESERIALIZE. Defaults to FAPI_ESYSBLOB.CONTEXTLOAD if FAPI is installed, else FAPI_ESYSBLOB.DESERIALIZE.

Raises

ValueError – If type_ is not of an expected value.

Returns

The ESAPI handle to the loaded object.

Return type

ESYS_TR

load_external(in_public, in_private=None, hierarchy=ESYS_TR.RH_NULL, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_LoadExternal command.

This function invokes the TPM2_LoadExternal command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • in_public (TPM2B_PUBLIC) – The public portion of the object.

  • in_private (TPM2B_SENSITIVE) – The sensitive portion of the object. Defaults to None.

  • hierarchy (ESYS_TR) – Hierarchy with which the object area is associated.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

An ESYS_TR representing the handle of the loaded object.

C Function: Esys_LoadExternal

TPM Command: TPM2_LoadExternal

make_credential(handle, credential, object_name, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_MakeCredential command.

This function invokes the TPM2_MakeCredential command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • handle (ESYS_TR) – Loaded public area, used to encrypt the sensitive area containing the credential key.

  • credential (TPM2B_DIGEST) – The credential information.

  • object_name (TPM2B_NAME) – Name of the object to which the credential applies.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_ID_OBJECT, TPM2B_ENCRYPTED_SECRET] which is the credential_blob and the secret portion, respectively. The secret is handle-algorithm-dependent data that wraps the key used to encrypt credential_blob.

C Function: Esys_MakeCredential

TPM Command: TPM2_MakeCredential
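The credential_blob/secret pair is the basis of the usual attestation-key enrollment: a verifier wraps a fresh challenge to the device's endorsement key and to the name of the attestation key, and only a TPM that holds that EK with that exact AK loaded can recover the challenge with activate_credential. This is an added example, not tpm2-pytss code: it assumes the verifier already holds the EK public area (`ek_pub`, a TPM2B_PUBLIC) and the AK name (`ak_name`, a TPM2B_NAME) obtained out of band, that `ek_session` is a session satisfying the EK's authorization policy on the device, and it keeps the challenge bookkeeping pure so the acceptance rules can be checked without a TPM.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

CHALLENGE_LEN = 32  # fits a TPM2B_DIGEST for any supported name algorithm


@dataclass
class Challenge:
    """What the verifier keeps per enrollment; never sent to the device."""
    ak_name: bytes
    secret: bytes
    used: bool = False


@dataclass
class Verifier:
    """Issues challenges and checks the value the device recovers."""
    pending: Dict[bytes, Challenge] = field(default_factory=dict)

    def new_challenge(self, ak_name: bytes, rand: bytes) -> Tuple[bytes, bytes]:
        """Record (challenge_id, secret); rand must be CHALLENGE_LEN fresh bytes."""
        if len(rand) != CHALLENGE_LEN:
            raise ValueError("challenge must be %d bytes" % CHALLENGE_LEN)
        cid = secrets.token_bytes(16)
        self.pending[cid] = Challenge(ak_name, rand)
        return cid, rand

    def check(self, cid: bytes, ak_name: bytes, recovered: bytes) -> bool:
        """Accept at most once, in constant time, and only for the AK it was issued to."""
        ch = self.pending.get(cid)
        if ch is None or ch.used:
            return False
        ch.used = True  # one attempt per challenge, right or wrong
        return (hmac.compare_digest(ch.ak_name, ak_name)
                and hmac.compare_digest(ch.secret, recovered))


def make_challenge(ectx, verifier: Verifier, ek_pub, ak_name):
    """Verifier side: wrap a TPM-generated random secret to ek_pub for ak_name.

    load_external with in_private=None and the NULL hierarchy loads only the
    public EK, so the verifier never needs EK private material; the transient
    handle is flushed even if make_credential fails.  The TSS import is deferred
    so the Verifier class above is usable on a host without it.
    """
    from tpm2_pytss import ESYS_TR, TPM2B_DIGEST

    rand = bytes(ectx.get_random(CHALLENGE_LEN))
    cid, secret = verifier.new_challenge(bytes(ak_name), rand)
    ek_handle = ectx.load_external(ek_pub, None, ESYS_TR.RH_NULL)
    try:
        blob, wrapped = ectx.make_credential(ek_handle, TPM2B_DIGEST(buffer=secret), ak_name)
    finally:
        ectx.flush_context(ek_handle)
    return cid, blob, wrapped  # cid and the two TPM2B structures go to the device


def activate(ectx, ak_handle, ek_handle, blob, wrapped, ek_session) -> bytes:
    """Device side: recover the secret and return it for verifier.check().

    The AK is authorized with its password session and the EK with ek_session
    (typically a policy session, since EKs normally carry a policy, not a password).
    """
    from tpm2_pytss import ESYS_TR

    cert_info = ectx.activate_credential(ak_handle, ek_handle, blob, wrapped,
                                         session1=ESYS_TR.PASSWORD, session2=ek_session)
    return bytes(cert_info)
```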

nv_certify(sign_handle, nv_index, qualifying_data, in_scheme, size, offset=0, auth_handle=None, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.PASSWORD, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_Certify command.

This function invokes the TPM2_NV_Certify command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • sign_handle (ESYS_TR) – Handle of the key used to sign the attestation structure.

  • nv_index (ESYS_TR) – Index for the area to be certified.

  • qualifying_data (Union[TPM2B_DATA, bytes, str]) – User-provided qualifying data.

  • in_scheme (TPMT_SIG_SCHEME) – TPM2_Signing scheme to use if the scheme for signHandle is TPM2_ALG.NULL.

  • size (int) – Number of octets to certify.

  • offset (int) – Octet offset into the area (optional). Defaults to 0.

  • auth_handle (ESYS_TR) – Handle indicating the source of the authorization (optional). Defaults to the nv_index.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_ATTEST, TPMT_SIGNATURE] which is the structure that was signed and the signature over that structure respectively.

C Function: Esys_NV_Certify

TPM Command: TPM2_NV_Certify

nv_change_auth(nv_index, new_auth, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_ChangeAuth command.

This function invokes the TPM2_NV_ChangeAuth command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • nv_index (ESYS_TR) – Handle of the entity.

  • new_auth (Union[TPM2B_DIGEST, bytes, str]) – New authorization value.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_NV_ChangeAuth

TPM Command: TPM2_NV_ChangeAuth

nv_define_space(auth, public_info, auth_handle=ESYS_TR.RH_OWNER, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_DefineSpace command.

This function invokes the TPM2_NV_DefineSpace command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth (Union[TPM2B_AUTH, bytes, str, None]) – The authorization value.

  • public_info (TPM2B_NV_PUBLIC) – The public parameters of the NV area.

  • auth_handle (ESYS_TR) – ESYS_TR.OWNER or ESYS_TR.PLATFORM+{PP}. Defaults to ESYS_TR.OWNER.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

An ESYS_TR handle for the ESYS resource wrapping the TPM2_HANDLE of the newly defined NV index.

C Function: Esys_NV_DefineSpace

TPM Command: TPM2_NV_DefineSpace

nv_extend(nv_index, data, auth_handle=None, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_Extend command.

This function invokes the TPM2_NV_Extend command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • nv_index (ESYS_TR) – The NV Index to extend.

  • data (Union[TPM2B_MAX_NV_BUFFER, bytes, str]) – The data to extend.

  • auth_handle (ESYS_TR) – Handle indicating the source of the authorization. Defaults to the nv_index.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_NV_Extend

TPM Command: TPM2_NV_Extend

nv_global_write_lock(auth_handle=ESYS_TR.RH_OWNER, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_GlobalWriteLock command.

This function invokes the TPM2_NV_GlobalWriteLock command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth_handle (ESYS_TR) – ESYS_TR.OWNER or ESYS_TR.PLATFORM+{PP}. Defaults to ESYS_TR.OWNER.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_NV_GlobalWriteLock

TPM Command: TPM2_NV_GlobalWriteLock

nv_increment(nv_index, auth_handle=None, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_Increment command.

This function invokes the TPM2_NV_Increment command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • nv_index (ESYS_TR) – The NV Index to increment.

  • auth_handle (ESYS_TR) – Handle indicating the source of the authorization. Defaults to the nv_index.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_NV_Increment

TPM Command: TPM2_NV_Increment

nv_read(nv_index, size, offset=0, auth_handle=None, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_Read command.

This function invokes the TPM2_NV_Read command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • nv_index (ESYS_TR) – The NV Index to be read.

  • size (int) – Number of octets to read.

  • offset (int) – Octet offset into the area (optional). Defaults to 0.

  • auth_handle (ESYS_TR) – Handle indicating the source of the authorization. Defaults to the nv_index.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPM2B_MAX_NV_BUFFER which is the data read.

C Function: Esys_NV_Read

TPM Command: TPM2_NV_Read

nv_read_lock(nv_index, auth_handle=None, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_ReadLock command.

This function invokes the TPM2_NV_ReadLock command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • nv_index (ESYS_TR) – The NV Index to be locked.

  • auth_handle (ESYS_TR) – Handle indicating the source of the authorization (optional). Defaults to the nv_index.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_NV_ReadLock

TPM Command: TPM2_NV_ReadLock

nv_read_public(nv_index, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_ReadPublic command.

This function invokes the TPM2_NV_ReadPublic command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • nv_index (ESYS_TR) – The NV Index.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_NV_PUBLIC, TPM2B_NAME] which is the public area of the NV Index and the name of the NV Index respectively.

C Function: Esys_NV_ReadPublic

TPM Command: TPM2_NV_ReadPublic

nv_set_bits(nv_index, bits, auth_handle=None, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_SetBits command.

This function invokes the TPM2_NV_SetBits command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • nv_index (ESYS_TR) – The NV Index whose bits are to be set.

  • bits (int) – The data to OR with the current contents.

  • auth_handle (ESYS_TR) – Handle indicating the source of the authorization. Defaults to the nv_index.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_NV_SetBits

TPM Command: TPM2_NV_SetBits

nv_undefine_space(nv_index, auth_handle=ESYS_TR.RH_OWNER, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_UndefineSpace command.

This function invokes the TPM2_NV_UndefineSpace command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • nv_index (ESYS_TR) – The NV Index to remove from NV space.

  • auth_handle (ESYS_TR) – ESYS_TR.OWNER or ESYS_TR.PLATFORM+{PP}. Defaults to ESYS_TR.OWNER.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_NV_UndefineSpace

TPM Command: TPM2_NV_UndefineSpace

nv_undefine_space_special(nv_index, session1, platform=ESYS_TR.RH_PLATFORM, session2=ESYS_TR.PASSWORD, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_UndefineSpaceSpecial command.

This function invokes the TPM2_NV_UndefineSpaceSpecial command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • nv_index (ESYS_TR) – Index to be deleted.

  • session1 (ESYS_TR) – Session handle for authorization of nvIndex (required).

  • platform (ESYS_TR) – ESYS_TR.PLATFORM+{PP}. Defaults to ESYS_TR.PLATFORM.

  • session2 (ESYS_TR) – Session handle for authorization of platform (optional). Defaults to ESYS_TR.PASSWORD.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_NV_UndefineSpaceSpecial

TPM Command: TPM2_NV_UndefineSpaceSpecial

nv_write(nv_index, data, offset=0, auth_handle=None, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_Write command.

This function invokes the TPM2_NV_Write command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • nv_index (ESYS_TR) – The NV Index of the area to write.

  • data (Union[TPM2B_MAX_NV_BUFFER, bytes, str]) – The data to write.

  • offset (int) – The offset into the NV Area. Defaults to 0.

  • auth_handle (ESYS_TR) – Handle indicating the source of the authorization. Defaults to the nv_index.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_NV_Write

TPM Command: TPM2_NV_Write

nv_write_lock(nv_index, auth_handle=None, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_NV_WriteLock command.

This function invokes the TPM2_NV_WriteLock command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • nv_index (ESYS_TR) – The NV Index to write-lock.

  • auth_handle (ESYS_TR) – Handle indicating the source of the authorization. Defaults to the nv_index.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_NV_WriteLock

TPM Command: TPM2_NV_WriteLock

object_change_auth(object_handle, parent_handle, new_auth, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_ObjectChangeAuth command.

This function invokes the TPM2_ObjectChangeAuth command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • object_handle (ESYS_TR) – Handle of the object.

  • parent_handle (ESYS_TR) – Handle of the parent.

  • new_auth (Union[TPM2B_AUTH, str, bytes]) – New authorization value.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A new TPM2B_PRIVATE which includes the new_auth value.

C Function: Esys_ObjectChangeAuth

TPM Command: TPM2_ObjectChangeAuth

pcr_allocate(pcr_allocation, auth_handle=ESYS_TR.RH_PLATFORM, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PCR_Allocate command.

This function invokes the TPM2_PCR_Allocate command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • pcr_allocation (Union[TPML_PCR_SELECTION, str]) – The requested allocation.

  • auth_handle (ESYS_TR) – ESYS_TR.PLATFORM+{PP} (optional). Defaults to ESYS_TR.PLATFORM.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[bool, int, int, int] of: True if the allocation succeeded, the maximum number of PCRs that may be in a bank, the number of octets required to satisfy the request, and the number of octets available (computed before the allocation), respectively.

C Function: Esys_PCR_Allocate

TPM Command: TPM2_PCR_Allocate

pcr_event(pcr_handle, event_data, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PCR_Event command.

This function invokes the TPM2_PCR_Event command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • pcr_handle (ESYS_TR) – Handle of the PCR.

  • event_data (Union[TPM2B_EVENT, bytes, str]) – The event data.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPML_DIGEST_VALUES containing the digests computed over event_data, one per active PCR bank.

C Function: Esys_PCR_Event

TPM Command: TPM2_PCR_Event

pcr_extend(pcr_handle, digests, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PCR_Extend command.

This function invokes the TPM2_PCR_Extend command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • pcr_handle (ESYS_TR) – Handle of the PCR.

  • digests (TPML_DIGEST_VALUES) – List of tagged digest values to be extended.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PCR_Extend

TPM Command: TPM2_PCR_Extend

pcr_read(pcr_selection_in, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PCR_Read command.

This function invokes the TPM2_PCR_Read command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • pcr_selection_in (Union[TPML_PCR_SELECTION, str]) – The selection of PCR to read.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[int, TPML_PCR_SELECTION, TPML_DIGEST] of the current value of the PCR update counter, the PCR selection actually returned, and the contents of the PCRs indicated in that TPML_PCR_SELECTION, respectively.

C Function: Esys_PCR_Read

TPM Command: TPM2_PCR_Read

pcr_reset(pcr_handle, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PCR_Reset command.

This function invokes the TPM2_PCR_Reset command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • pcr_handle (ESYS_TR) – The PCR to reset.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PCR_Reset

TPM Command: TPM2_PCR_Reset

pcr_set_auth_policy(auth_policy, hash_alg, pcr_num, auth_handle=ESYS_TR.RH_PLATFORM, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PCR_SetAuthPolicy command.

This function invokes the TPM2_PCR_SetAuthPolicy command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth_policy (Union[TPM2B_DIGEST, bytes, str]) – The desired authPolicy.

  • hash_alg (TPM2_ALG) – The hash algorithm of the policy.

  • pcr_num (ESYS_TR) – The PCR for which the policy is to be set.

  • auth_handle (ESYS_TR) – ESYS_TR.PLATFORM+{PP}. Defaults to ESYS_TR.PLATFORM.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PCR_SetAuthPolicy

TPM Command: TPM2_PCR_SetAuthPolicy

pcr_set_auth_value(pcr_handle, auth, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PCR_SetAuthValue command.

This function invokes the TPM2_PCR_SetAuthValue command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • pcr_handle (ESYS_TR) – Handle for a PCR that may have an authorization value set.

  • auth (Union[TPM2B_DIGEST, bytes, str]) – The desired authorization value.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PCR_SetAuthValue

TPM Command: TPM2_PCR_SetAuthValue

policy_auth_value(policy_session, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyAuthValue command.

This function invokes the TPM2_PolicyAuthValue command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyAuthValue

TPM Command: TPM2_PolicyAuthValue

policy_authorize(policy_session, approved_policy, policy_ref, key_sign, check_ticket, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyAuthorize command.

This function invokes the TPM2_PolicyAuthorize command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • approved_policy (Union[TPM2B_DIGEST, bytes, str]) – Digest of the policy being approved.

  • policy_ref (Union[TPM2B_NONCE, bytes, str]) – A policy qualifier.

  • key_sign (Union[TPM2B_NAME, bytes, str]) – Name of a key that can sign a policy addition.

  • check_ticket (TPMT_TK_VERIFIED) – Ticket validating that approvedPolicy and policyRef were signed by keySign.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyAuthorize

TPM Command: TPM2_PolicyAuthorize

policy_authorize_nv(nv_index, policy_session, auth_handle=None, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyAuthorizeNV command.

This function invokes the TPM2_PolicyAuthorizeNV command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • nv_index (ESYS_TR) – The NV Index of the area to read.

  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • auth_handle (ESYS_TR) – Handle indicating the source of the authorization value. Defaults to the nv_index.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyAuthorizeNV

TPM Command: TPM2_PolicyAuthorizeNV

policy_command_code(policy_session, code, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyCommandCode command.

This function invokes the TPM2_PolicyCommandCode command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • code (TPM2_CC) – The allowed commandCode.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyCommandCode

TPM Command: TPM2_PolicyCommandCode

policy_counter_timer(policy_session, operand_b, operation, offset=0, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyCounterTimer command.

This function invokes the TPM2_PolicyCounterTimer command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • operand_b (TPM2B_OPERAND) – The second operand.

  • operation (TPM2_EO) – The comparison to make.

  • offset (int) – The offset into the TPMS_TIME_INFO structure at which operand A starts (optional). Defaults to 0.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyCounterTimer

TPM Command: TPM2_PolicyCounterTimer

policy_cp_hash(policy_session, cp_hash_a, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyCpHash command.

This function invokes the TPM2_PolicyCpHash command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • cp_hash_a (Union[TPM2B_DIGEST, bytes, str]) – The cpHash added to the policy.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyCpHash

TPM Command: TPM2_PolicyCpHash

policy_duplication_select(policy_session, object_name, new_parent_name, include_object=False, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyDuplicationSelect command.

This function invokes the TPM2_PolicyDuplicationSelect command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • object_name (Union[TPM2B_NAME, bytes, str]) – The Name of the object to be duplicated.

  • new_parent_name (Union[TPM2B_NAME, bytes, str]) – The Name of the new parent.

  • include_object (bool) – If True, the objectName is included in the value of policySession->policyDigest (optional). Defaults to False.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyDuplicationSelect

TPM Command: TPM2_PolicyDuplicationSelect

policy_get_digest(policy_session, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyGetDigest command.

This function invokes the TPM2_PolicyGetDigest command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

The current value of the policySession->policyDigest as a TPM2B_DIGEST.

C Function: Esys_PolicyGetDigest

TPM Command: TPM2_PolicyGetDigest

policy_locality(policy_session, locality, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyLocality command.

This function invokes the TPM2_PolicyLocality command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • locality (int) – The allowed localities for the policy, as a TPMA_LOCALITY bit field.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyLocality

TPM Command: TPM2_PolicyLocality

policy_name_hash(policy_session, name_hash, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyNameHash command.

This function invokes the TPM2_PolicyNameHash command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • name_hash (Union[TPM2B_DIGEST, bytes, str]) – The digest to be added to the policy.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyNameHash

TPM Command: TPM2_PolicyNameHash

policy_nv(auth_handle, nv_index, policy_session, operand_b, operation, offset=0, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyNV command.

This function invokes the TPM2_PolicyNV command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth_handle (ESYS_TR) – Handle indicating the source of the authorization value.

  • nv_index (ESYS_TR) – The NV Index of the area to read.

  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • operand_b (TPM2B_OPERAND) – The second operand.

  • operation (TPM2_EO) – The comparison to make.

  • offset (int) – The offset in the NV Index for the start of operand A. (optional). Defaults to 0.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyNV

TPM Command: TPM2_PolicyNV

policy_nv_written(policy_session, written_set=True, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyNvWritten command.

This function invokes the TPM2_PolicyNvWritten command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • written_set (bool) – True if NV Index is required to have been written, False otherwise. Defaults to True.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyNvWritten

TPM Command: TPM2_PolicyNvWritten

policy_or(policy_session, p_hash_list, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyOr command.

This function invokes the TPM2_PolicyOr command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • p_hash_list (TPML_DIGEST) – The list of two to eight digests to check for a match; the session's current policyDigest must equal one of them.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyOr

TPM Command: TPM2_PolicyOr

policy_password(policy_session, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyPassword command.

This function invokes the TPM2_PolicyPassword command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyPassword

TPM Command: TPM2_PolicyPassword

policy_pcr(policy_session, pcr_digest, pcrs, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyPCR command.

This function invokes the TPM2_PolicyPCR command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • pcr_digest (Union[TPM2B_DIGEST, bytes, str]) – Expected digest value of the selected PCR using the hash algorithm of the session; may be zero length.

  • pcrs (Union[TPML_PCR_SELECTION, str]) – The PCRs to include in the check digest.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyPCR

TPM Command: TPM2_PolicyPCR

policy_physical_presence(policy_session, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyPhysicalPresence command.

This function invokes the TPM2_PolicyPhysicalPresence command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyPhysicalPresence

TPM Command: TPM2_PolicyPhysicalPresence

policy_restart(session_handle, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyRestart command.

This function invokes the TPM2_PolicyRestart command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • session_handle (ESYS_TR) – The handle for the policy session.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyRestart

TPM Command: TPM2_PolicyRestart

policy_secret(auth_handle, policy_session, nonce_tpm, cp_hash_a, policy_ref, expiration, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicySecret command.

This function invokes the TPM2_PolicySecret command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth_handle (ESYS_TR) – Handle for an entity providing the authorization.

  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • nonce_tpm (Union[TPM2B_NONCE, bytes, str]) – The policy nonce for the session.

  • cp_hash_a (Union[TPM2B_DIGEST, bytes, str]) – Digest of the command parameters to which this authorization is limited.

  • policy_ref (Union[TPM2B_NONCE, bytes, str]) – A reference to a policy relating to the authorization; may be the Empty Buffer.

  • expiration (int) – Time when authorization will expire, measured in seconds from the time that nonceTPM was generated.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_TIMEOUT, TPMT_TK_AUTH]: the timeout, an implementation-specific time value used to indicate to the TPM when the ticket expires, and the policy ticket, which is produced only if the command succeeds and expiration in the command was non-zero; this ticket uses the TPM2_ST_AUTH_SECRET structure tag. See 23.2.5.

C Function: Esys_PolicySecret

TPM Command: TPM2_PolicySecret

policy_signed(auth_object, policy_session, nonce_tpm, cp_hash_a, policy_ref, expiration, auth, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicySigned command.

This function invokes the TPM2_PolicySigned command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth_object (ESYS_TR) – Handle for a key that will validate the signature.

  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • nonce_tpm (Union[TPM2B_NONCE, bytes, str]) – The policy nonce for the session.

  • cp_hash_a (Union[TPM2B_DIGEST, bytes, str]) – Digest of the command parameters to which this authorization is limited.

  • policy_ref (Union[TPM2B_NONCE, bytes, str]) – A reference to a policy relating to the authorization; may be the Empty Buffer.

  • expiration (int) – Time when authorization will expire, measured in seconds from the time that nonceTPM was generated.

  • auth (TPMT_SIGNATURE) – Signed authorization (not optional).

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_TIMEOUT, TPMT_TK_AUTH]: the timeout, an implementation-specific time value used to indicate to the TPM when the ticket expires, and the policy ticket, which is produced only if the command succeeds and expiration in the command was non-zero; this ticket uses the TPM2_ST_AUTH_SIGNED structure tag. See 23.2.5.

C Function: Esys_PolicySigned

TPM Command: TPM2_PolicySigned

policy_template(policy_session, template_hash, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyTemplate command.

This function invokes the TPM2_PolicyTemplate command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • template_hash (Union[TPM2B_DIGEST, bytes, str]) – The digest to be added to the policy.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyTemplate

TPM Command: TPM2_PolicyTemplate

policy_ticket(policy_session, timeout, cp_hash_a, policy_ref, auth_name, ticket, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PolicyTicket command.

This function invokes the TPM2_PolicyTicket command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • policy_session (ESYS_TR) – Handle for the policy session being extended.

  • timeout (TPM2B_TIMEOUT) – Time when authorization will expire; the timeout value returned by policy_signed or policy_secret.

  • cp_hash_a (Union[TPM2B_DIGEST, bytes, str]) – Digest of the command parameters to which this authorization is limited.

  • policy_ref (Union[TPM2B_NONCE, bytes, str]) – A reference to a policy relating to the authorization; may be the Empty Buffer.

  • auth_name (Union[TPM2B_NAME, bytes, str]) – Name of the object that provided the authorization.

  • ticket (TPMT_TK_AUTH) – An authorization ticket returned by the TPM in response to a TPM2_PolicySigned() or TPM2_PolicySecret().

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PolicyTicket

TPM Command: TPM2_PolicyTicket
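Every policy command above folds a fixed byte pattern into policySession->policyDigest, and that pattern can be computed offline. That is how a practitioner precomputes the authPolicy to put into a key or NV template, and then confirms it by comparing with the TPM2B_DIGEST that policy_get_digest returns on a trial session. The block below is an added example in plain Python, not tpm2-pytss code: it reproduces the digest update rules from TPM 2.0 Library Part 3 for policy_pcr, policy_or, policy_password, policy_nv_written, policy_locality, policy_physical_presence, policy_name_hash, policy_template, policy_secret, policy_signed, policy_nv and policy_duplication_select (policy_ticket extends the digest exactly as the policy_secret or policy_signed it stands in for). The command-code constants are the TPM2_CC values, and any Name passed in is the TPM2B_NAME.name bytes (algorithm ID followed by the hash).

```python
"""Offline TPM 2.0 policy-digest calculator (added example, not tpm2-pytss code)."""
import hashlib
import struct

# TPM2_CC command codes from TPM 2.0 Library Part 2 (only those needed here).
CC_POLICY_NV = 0x149
CC_POLICY_SECRET = 0x151
CC_POLICY_SIGNED = 0x160
CC_POLICY_AUTHVALUE = 0x16B          # TPM2_PolicyPassword extends with this code too
CC_POLICY_LOCALITY = 0x16F
CC_POLICY_NAMEHASH = 0x170
CC_POLICY_OR = 0x171
CC_POLICY_PHYSICAL_PRESENCE = 0x177
CC_POLICY_PCR = 0x17F
CC_POLICY_DUPLICATION_SELECT = 0x188
CC_POLICY_NV_WRITTEN = 0x18F
CC_POLICY_TEMPLATE = 0x190

TPM2_ALG_SHA1, TPM2_ALG_SHA256, TPM2_ALG_SHA384, TPM2_ALG_SHA512 = 0x4, 0xB, 0xC, 0xD
HASHES = {0x4: "sha1", 0xB: "sha256", 0xC: "sha384", 0xD: "sha512"}


def marshal_pcr_selection(selections):
    """Marshal a TPML_PCR_SELECTION: count || (hashAlg || sizeofSelect || pcrSelect)*.
    selections is a list of (hash_alg_id, [pcr indices]); a 3-byte bitmap covers PCR 0-23."""
    out = struct.pack(">I", len(selections))
    for alg, pcrs in selections:
        bitmap = bytearray(3)
        for i in pcrs:
            bitmap[i // 8] |= 1 << (i % 8)
        out += struct.pack(">HB", alg, len(bitmap)) + bytes(bitmap)
    return out


class PolicyDigest:
    """Tracks policySession->policyDigest the way the TPM does for one session."""

    def __init__(self, hash_alg=TPM2_ALG_SHA256):
        self.hash_name = HASHES[hash_alg]
        self.size = hashlib.new(self.hash_name).digest_size
        self.digest = bytes(self.size)          # a fresh session starts at all zeros

    def _h(self, data):
        return hashlib.new(self.hash_name, data).digest()

    def _extend(self, command_code, *args):
        """policyDigest_new = H(policyDigest_old || commandCode || args...)"""
        self.digest = self._h(self.digest + struct.pack(">I", command_code) + b"".join(args))
        return self.digest

    def policy_pcr(self, selections, pcr_values):
        # pcrDigest = H(selected PCR values concatenated in selection order)
        pcr_digest = self._h(b"".join(pcr_values))
        return self._extend(CC_POLICY_PCR, marshal_pcr_selection(selections), pcr_digest)

    def policy_or(self, branches, trial=True):
        if not 2 <= len(branches) <= 8:
            raise ValueError("TPM2_PolicyOR takes 2 to 8 branch digests")
        # A real (non-trial) session only accepts PolicyOR when its digest is one of the branches.
        if not trial and self.digest not in branches:
            raise ValueError("current policyDigest is not one of the OR branches")
        self.digest = bytes(self.size)          # PolicyOR zeroes the digest before extending
        return self._extend(CC_POLICY_OR, *branches)

    def policy_password(self):
        return self._extend(CC_POLICY_AUTHVALUE)

    def policy_nv_written(self, written_set=True):
        return self._extend(CC_POLICY_NV_WRITTEN, b"\x01" if written_set else b"\x00")

    def policy_locality(self, locality):
        return self._extend(CC_POLICY_LOCALITY, bytes([locality & 0xFF]))   # TPMA_LOCALITY

    def policy_physical_presence(self):
        return self._extend(CC_POLICY_PHYSICAL_PRESENCE)

    def policy_name_hash(self, name_hash):
        return self._extend(CC_POLICY_NAMEHASH, name_hash)

    def policy_template(self, template_hash):
        return self._extend(CC_POLICY_TEMPLATE, template_hash)

    def policy_secret(self, auth_name, policy_ref=b""):
        return self._extend(CC_POLICY_SECRET, auth_name, policy_ref)

    def policy_signed(self, auth_name, policy_ref=b""):
        return self._extend(CC_POLICY_SIGNED, auth_name, policy_ref)

    def policy_nv(self, nv_name, operand_b, offset, operation):
        # args = H(operandB.buffer || offset (UINT16) || operation (TPM2_EO, UINT16))
        args = self._h(operand_b + struct.pack(">HH", offset, operation))
        return self._extend(CC_POLICY_NV, args, nv_name)

    def policy_duplication_select(self, object_name, new_parent_name, include_object=False):
        if include_object:
            return self._extend(CC_POLICY_DUPLICATION_SELECT, object_name, new_parent_name, b"\x01")
        return self._extend(CC_POLICY_DUPLICATION_SELECT, new_parent_name, b"\x00")
```

Two rules in there are the ones most often got wrong. PolicyOR resets the digest to zero before extending with the branch list, so the result does not depend on which branch the session came through, but it does depend on branch order, and a real session rejects the command unless its current digest equals one of the listed branches. And policy_password extends with TPM_CC_PolicyAuthValue, so its digest is identical to a PolicyAuthValue digest; the two differ only in how the auth value is later proven (plaintext password versus HMAC session). Compare the final bytes with the buffer of the TPM2B_DIGEST that policy_get_digest returns on a trial session before sealing anything to them.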

pp_commands(set_list, clear_list, auth=ESYS_TR.RH_PLATFORM, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_PP_Commands command.

This function invokes the TPM2_PP_Commands command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • set_list (TPML_CC) – List of commands to be added to those that will require that Physical Presence be asserted.

  • clear_list (TPML_CC) – List of commands that will no longer require that Physical Presence be asserted.

  • auth (ESYS_TR) – ESYS_TR.RH_PLATFORM, with Physical Presence asserted (optional). Defaults to ESYS_TR.RH_PLATFORM.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE, as in the signature above; since the command requires platform authorization, pass ESYS_TR.PASSWORD or an HMAC/policy session for the platform hierarchy.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_PP_Commands

TPM Command: TPM2_PP_Commands

quote(sign_handle, pcr_select, qualifying_data, in_scheme=TPMT_SIG_SCHEME(scheme=TPM2_ALG.NULL), session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Quote command.

This function invokes the TPM2_Quote command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • sign_handle (ESYS_TR) – Handle of key that will perform signature.

  • pcr_select (Union[TPML_PCR_SELECTION, str]) – PCR set to quote.

  • qualifying_data (Union[TPM2B_DATA, bytes, str]) – Data supplied by the caller.

  • in_scheme (TPMT_SIG_SCHEME) – Signing scheme to use if the scheme for sign_handle is TPM2_ALG_NULL (optional). Defaults to TPMT_SIG_SCHEME(scheme=TPM2_ALG.NULL).

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_ATTEST, TPMT_SIGNATURE]: the quoted information (quoted) and the signature over quoted.

C Function: Esys_Quote

TPM Command: TPM2_Quote
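What a verifier has to do with the Tuple[TPM2B_ATTEST, TPMT_SIGNATURE] that quote returns, as an added example in plain Python rather than tpm2-pytss code: unmarshal the TPMS_ATTEST (the attestationData inside the TPM2B_ATTEST, which is also the data the signature covers, without the TPM2B size prefix), refuse anything whose magic is not TPM_GENERATED_VALUE or whose type is not TPM_ST_ATTEST_QUOTE, require that extraData equals the nonce the verifier supplied as qualifying_data, and recompute pcrDigest from the PCR values it expects, using the hash of the signing scheme rather than the session hash. Verifying the signature over the hash of those bytes with the signing key's public part is the remaining step and is not shown. The build_sample_quote helper constructs a blob with the same layout so the parser can be exercised offline; the clock values, firmware version and signer Name in it are made up.

```python
"""Verifier-side checks on a TPM2_Quote attestation blob (added example, not tpm2-pytss code)."""
import hashlib
import struct

TPM_GENERATED_VALUE = 0xFF544347    # magic at the start of every TPM-generated TPMS_ATTEST
TPM_ST_ATTEST_QUOTE = 0x8018
HASHES = {0x4: "sha1", 0xB: "sha256", 0xC: "sha384", 0xD: "sha512"}


class _Reader:
    """Big-endian cursor over marshaled TPM structures that refuses to read past the end."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("attestation structure truncated")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self.take(8))[0]

    def tpm2b(self):
        return self.take(self.u16())


def parse_quote_attest(data):
    """Unmarshal a TPMS_ATTEST with type TPM_ST_ATTEST_QUOTE into a dict."""
    r = _Reader(data)
    if r.u32() != TPM_GENERATED_VALUE:
        raise ValueError("not TPM generated (bad magic)")
    if r.u16() != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a quote (wrong TPMI_ST_ATTEST type)")
    att = {"qualified_signer": r.tpm2b(), "extra_data": r.tpm2b()}
    att["clock"], att["reset_count"], att["restart_count"], att["safe"] = r.u64(), r.u32(), r.u32(), r.u8()
    att["firmware_version"] = r.u64()
    selections = []
    for _ in range(r.u32()):                     # TPML_PCR_SELECTION
        alg, bitmap = r.u16(), r.take(r.u8())
        selections.append((alg, [i for i in range(len(bitmap) * 8) if bitmap[i // 8] >> (i % 8) & 1]))
    att["pcr_select"] = selections
    att["pcr_digest"] = r.tpm2b()
    if r.pos != len(data):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return att


def check_quote(attest_bytes, nonce, pcr_values, sig_hash_alg=0xB):
    """Accept a quote only if magic, type and nonce are right and pcrDigest matches
    the expected PCR values (pcr_values: {(hash_alg, index): value}).
    Signature verification over H(attest_bytes) is a separate step."""
    att = parse_quote_attest(attest_bytes)
    if att["extra_data"] != nonce:
        raise ValueError("extraData does not match our nonce: stale or replayed quote")
    expected = b"".join(pcr_values[(alg, i)] for alg, pcrs in att["pcr_select"] for i in pcrs)
    if hashlib.new(HASHES[sig_hash_alg], expected).digest() != att["pcr_digest"]:
        raise ValueError("pcrDigest does not match the expected PCR values")
    return att


def quote_is_valid(attest_bytes, nonce, pcr_values, sig_hash_alg=0xB):
    try:
        check_quote(attest_bytes, nonce, pcr_values, sig_hash_alg)
        return True
    except (ValueError, KeyError):
        return False


def build_sample_quote(nonce, selections, pcr_values, sig_hash_alg=0xB):
    """Constructed test data: a TPMS_ATTEST laid out as a TPM would emit it."""
    def tpm2b(b):
        return struct.pack(">H", len(b)) + b
    sel, digest_input = struct.pack(">I", len(selections)), b""
    for alg, pcrs in selections:
        bitmap = bytearray(3)
        for i in sorted(pcrs):
            bitmap[i // 8] |= 1 << (i % 8)
            digest_input += pcr_values[(alg, i)]
        sel += struct.pack(">HB", alg, 3) + bytes(bitmap)
    signer_name = b"\x00\x0b" + bytes(32)                 # placeholder Name, not a real key
    clock_info = struct.pack(">QIIB", 123456, 3, 0, 1)    # clock, resetCount, restartCount, safe
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
            + tpm2b(signer_name) + tpm2b(nonce) + clock_info + struct.pack(">Q", 0)
            + sel + tpm2b(hashlib.new(HASHES[sig_hash_alg], digest_input).digest()))
```

The magic check is the same TPM2_GENERATED_VALUE test the TPM applies internally when it decides whether sequence_complete may issue a hashcheck ticket: a signed blob that begins with that value is, by construction, something only the TPM could have produced, so a verifier must never accept an attestation structure that lacks it.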

read_clock(session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_ReadClock command.

This function invokes the TPM2_ReadClock command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

The current time as a TPMS_TIME_INFO.

C Function: Esys_ReadClock

TPM Command: TPM2_ReadClock

read_public(object_handle, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_ReadPublic command.

This function invokes the TPM2_ReadPublic command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • object_handle (ESYS_TR) – Handle of the object.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_PUBLIC, TPM2B_NAME, TPM2B_NAME] which is the public portion of the object, the name and the qualified name respectively.

C Function: Esys_ReadPublic

TPM Command: TPM2_ReadPublic
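A Name, whether returned by read_public or handed to policy_duplication_select, policy_secret or policy_ticket as new_parent_name or auth_name, is not something to take on trust: it is derived from the public area, and a verifier should recompute it before binding a policy to it. The following added example, plain Python rather than tpm2-pytss code, does that for a marshaled TPMT_PUBLIC (the publicArea of the TPM2B_PUBLIC that read_public returns). The build_rsa2048_public helper constructs a public area with a made-up modulus purely so the function can be exercised offline, and the attribute value it uses is arbitrary.

```python
"""Recompute an object's Name from its public area (added example, not tpm2-pytss code)."""
import hashlib
import hmac
import struct

HASHES = {0x4: "sha1", 0xB: "sha256", 0xC: "sha384", 0xD: "sha512"}
TPM2_ALG_RSA, TPM2_ALG_SHA256, TPM2_ALG_NULL = 0x0001, 0x000B, 0x0010


def compute_name(marshaled_tpmt_public):
    """Name = nameAlg (UINT16, big-endian) || H_nameAlg(marshaled TPMT_PUBLIC).
    nameAlg is the second UINT16 of TPMT_PUBLIC, right after 'type'."""
    if len(marshaled_tpmt_public) < 4:
        raise ValueError("public area too short")
    name_alg = struct.unpack(">H", marshaled_tpmt_public[2:4])[0]
    if name_alg not in HASHES:
        raise ValueError(f"unsupported nameAlg 0x{name_alg:04x}")
    return struct.pack(">H", name_alg) + hashlib.new(HASHES[name_alg], marshaled_tpmt_public).digest()


def name_matches(marshaled_tpmt_public, claimed_name):
    """Compare a Name someone handed us against the one the public area implies."""
    return hmac.compare_digest(compute_name(marshaled_tpmt_public), claimed_name)


def build_rsa2048_public(modulus, attrs=0x00030072, auth_policy=b""):
    """Constructed test data: marshaled TPMT_PUBLIC for an RSA-2048 key with
    nameAlg SHA-256, no symmetric algorithm and no signing/decrypt scheme."""
    if len(modulus) != 256:
        raise ValueError("modulus must be 256 bytes")
    return (struct.pack(">HHI", TPM2_ALG_RSA, TPM2_ALG_SHA256, attrs)   # type, nameAlg, objectAttributes
            + struct.pack(">H", len(auth_policy)) + auth_policy          # authPolicy (TPM2B_DIGEST)
            + struct.pack(">H", TPM2_ALG_NULL)                           # parameters.symmetric
            + struct.pack(">H", TPM2_ALG_NULL)                           # parameters.scheme
            + struct.pack(">HI", 2048, 0)                                # keyBits, exponent (0 = 2^16+1)
            + struct.pack(">H", len(modulus)) + modulus)                 # unique.rsa (TPM2B_PUBLIC_KEY_RSA)
```

Because authPolicy is part of the hashed public area, changing an object's policy changes its Name; a policy that references a Name therefore also pins the referenced object's own policy, which is what makes policy_secret and policy_duplication_select safe to build on.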

rewrap(old_parent, new_parent, in_duplicate, name, in_sym_seed, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Rewrap command.

This function invokes the TPM2_Rewrap command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • old_parent (ESYS_TR) – Parent of object.

  • new_parent (ESYS_TR) – New parent of the object.

  • in_duplicate (TPM2B_PRIVATE) – An object encrypted using a symmetric key derived from inSymSeed.

  • name (Union[TPM2B_NAME, bytes, str]) – The Name of the object being rewrapped.

  • in_sym_seed (TPM2B_ENCRYPTED_SECRET) – The seed for the symmetric key and HMAC key.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_PRIVATE, TPM2B_ENCRYPTED_SECRET]: the object encrypted using a symmetric key derived from out_sym_seed, and out_sym_seed, the seed for that symmetric key protected by the newParent asymmetric key, respectively.

C Function: Esys_Rewrap

TPM Command: TPM2_Rewrap

rsa_decrypt(key_handle, cipher_text, in_scheme, label=None, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_RSA_Decrypt command.

This function invokes the TPM2_RSA_Decrypt command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • key_handle (ESYS_TR) – RSA key to use for decryption.

  • cipher_text (Union[TPM2B_PUBLIC_KEY_RSA, bytes, str]) – Cipher text to be decrypted.

  • in_scheme (TPMT_RSA_DECRYPT) – The padding scheme to use if the scheme associated with key_handle is TPM2_ALG_NULL.

  • label (Union[TPM2B_DATA, bytes, str, None]) – Label whose association with the message is to be verified (optional). Defaults to None.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPM2B_PUBLIC_KEY_RSA which is the Decrypted output.

C Function: Esys_RSA_Decrypt

TPM Command: TPM2_RSA_Decrypt

rsa_encrypt(key_handle, message, in_scheme, label=None, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_RSA_Encrypt command.

This function invokes the TPM2_RSA_Encrypt command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • key_handle (ESYS_TR) – Reference to public portion of RSA key to use for encryption.

  • message (Union[TPM2B_PUBLIC_KEY_RSA, bytes, str]) – Message to be encrypted.

  • in_scheme (TPMT_RSA_DECRYPT) – The padding scheme to use if the scheme associated with key_handle is TPM2_ALG_NULL.

  • label (Union[TPM2B_DATA, bytes, str, None]) – label to be associated with the message (optional). Defaults to None.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPM2B_PUBLIC_KEY_RSA which is the encrypted output.

C Function: Esys_RSA_Encrypt

TPM Command: TPM2_RSA_Encrypt

self_test(full_test, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_SelfTest command.

This function invokes the TPM2_SelfTest command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • full_test (bool) – True to run a full test. False to run tests that have yet to be executed.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_SelfTest

TPM Command: TPM2_SelfTest

sequence_complete(sequence_handle, buffer, hierarchy=ESYS_TR.RH_OWNER, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_SequenceComplete command.

This function invokes the TPM2_SequenceComplete command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • sequence_handle (ESYS_TR) – Handle of the sequence object (authorization for the sequence).

  • buffer (Union[TPM2B_MAX_BUFFER, bytes, str]) – Data to be added to the hash/HMAC.

  • hierarchy (ESYS_TR) – Hierarchy of the ticket for a hash (optional). Defaults to ESYS_TR.RH_OWNER.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_DIGEST, TPMT_TK_HASHCHECK]: the returned HMAC or digest in a sized buffer, and a ticket indicating that the sequence of octets used to compute outDigest did not start with TPM2_GENERATED_VALUE, respectively.

C Function: Esys_SequenceComplete

TPM Command: TPM2_SequenceComplete

sequence_update(sequence_handle, buffer, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_SequenceUpdate command.

This function invokes the TPM2_SequenceUpdate command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • sequence_handle (ESYS_TR) – Handle for the sequence object.

  • buffer (Union[TPM2B_MAX_BUFFER, bytes, str]) – Data to be added to hash.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_SequenceUpdate

TPM Command: TPM2_SequenceUpdate

set_algorithm_set(algorithm_set, auth_handle=ESYS_TR.RH_PLATFORM, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_SetAlgorithmSet command.

This function invokes the TPM2_SetAlgorithmSet command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • algorithm_set (Union[List[int], int]) – A TPM vendor-dependent value indicating the algorithm set selection.

  • auth_handle (ESYS_TR) – ESYS_TR.RH_PLATFORM (optional). Defaults to ESYS_TR.RH_PLATFORM.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_SetAlgorithmSet

TPM Command: TPM2_SetAlgorithmSet

set_command_code_audit_status(audit_alg, set_list, clear_list, auth=ESYS_TR.RH_OWNER, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_SetCommandCodeAuditStatus command.

This function invokes the TPM2_SetCommandCodeAuditStatus command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • audit_alg (TPM2_ALG) – Hash algorithm for the audit digest; if TPM2_ALG_NULL, then the hash is not changed.

  • set_list (TPML_CC) – List of commands that will be added to those that will be audited.

  • clear_list (TPML_CC) – List of commands that will no longer be audited.

  • auth (ESYS_TR) – ESYS_TR.RH_OWNER, or ESYS_TR.RH_PLATFORM with Physical Presence asserted (optional). Defaults to ESYS_TR.RH_OWNER.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_SetCommandCodeAuditStatus

TPM Command: TPM2_SetCommandCodeAuditStatus

set_primary_policy(auth_handle, auth_policy, hash_alg, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_SetPrimaryPolicy command.

This function invokes the TPM2_SetPrimaryPolicy command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • auth_handle (ESYS_TR) – ESYS_TR.RH_ENDORSEMENT, ESYS_TR.RH_OWNER or ESYS_TR.RH_PLATFORM.

  • auth_policy (Union[TPM2B_DIGEST, bytes, str]) – An authorization policy digest; may be the empty buffer.

  • hash_alg (TPM2_ALG) – The hash algorithm to use for the policy.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_SetPrimaryPolicy

TPM Command: TPM2_SetPrimaryPolicy

shutdown(shutdown_type=TPM2_SU_STATE, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Shutdown command.

This function invokes the TPM2_Shutdown command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • shutdown_type (TPM2_SU) – TPM2_SU_CLEAR or TPM2_SU_STATE.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_Shutdown

TPM Command: TPM2_Shutdown

sign(key_handle, digest, in_scheme, validation, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Sign command.

This function invokes the TPM2_Sign command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • key_handle (ESYS_TR) – Handle of the key that will perform the signing.

  • digest (Union[TPM2B_DIGEST, bytes, str]) – Digest to be signed.

  • in_scheme (TPMT_SIG_SCHEME) – Signing scheme to use if the scheme for key_handle is TPM2_ALG_NULL.

  • validation (TPMT_TK_HASHCHECK) – Proof that digest was created by the TPM.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPMT_SIGNATURE containing the signature.

C Function: Esys_Sign

TPM Command: TPM2_Sign

start_auth_session(tpm_key, bind, session_type, symmetric, auth_hash, nonce_caller=None, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_StartAuthSession command.

This function invokes the TPM2_StartAuthSession command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • tpm_key (ESYS_TR) – Handle of a loaded decrypt key used to encrypt salt.

  • bind (ESYS_TR) – Entity providing the authValue.

  • session_type (TPM2_SE) – Indicates the type of the session; simple HMAC or policy (including a trial policy).

  • symmetric (TPMT_SYM_DEF) – The algorithm and key size for parameter encryption.

  • auth_hash (TPM2_ALG) – Hash algorithm to use for the session.

  • nonce_caller (Union[TPM2B_NONCE, bytes, str, None]) – Initial nonceCaller, sets nonceTPM size for the session. Can be None to have ESAPI generate it for the caller. Defaults to None.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

An ESYS_TR which is the handle of the started session.

C Function: Esys_StartAuthSession

TPM Command: TPM2_StartAuthSession

startup(startup_type)[source]

Invoke the TPM2_Startup command.

This function invokes the TPM2_Startup command in a one-call variant. This means the function will block until the TPM response is available.

Parameters

startup_type (TPM2_SU) – TPM2_SU_CLEAR or TPM2_SU_STATE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_Startup

TPM Command: TPM2_Startup

stir_random(in_data, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_StirRandom command.

This function invokes the TPM2_StirRandom command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • in_data (Union[TPM2B_SENSITIVE_DATA, bytes, str]) – Additional information.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_StirRandom

TPM Command: TPM2_StirRandom

property tcti

Same as get_tcti().

test_parms(parameters, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_TestParms command.

This function invokes the TPM2_TestParms command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • parameters (TPMT_PUBLIC_PARMS) – Algorithm parameters to be validated.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_TestParms

TPM Command: TPM2_TestParms

tr_close(esys_handle)[source]

Close an ESYS_TR without removing it from the TPM.

This function deletes an ESYS_TR object from an ESYS_CONTEXT without deleting it from the TPM. This is useful for NV-Indices or persistent keys, after ESAPI.tr_serialize has been called. Transient objects should be deleted using ESAPI.flush_context.

Parameters

esys_handle (ESYS_TR) – The ESYS_TR metadata object to be deleted from ESAPI.

Raises

TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_TR_Close

tr_deserialize(buffer)[source]

Deserialization of an ESYS_TR from a byte buffer.

Deserialize the metadata of an ESYS_TR object from a byte buffer that was stored on disk for later use by a different program or context. An object can be serialized using tr_serialize.

Parameters

buffer (bytes) – The ESYS_TR object to deserialize.

Returns

The ESAPI handle to the deserialized object.

Return type

ESYS_TR

Raises
  • TypeError – If a parameter is the incorrect type.

  • TSS2_Exception

    • TSS2_ESYS_RC_MEMORY if the object can not be allocated.

    • TSS2_RCs produced by lower layers of the software stack.

C Function: Esys_TR_Deserialize

tr_from_tpmpublic(handle, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Creation of an ESYS_TR object from TPM metadata.

This function can be used to create an ESYS_TR object for TPM resources that were not created or loaded by this context (e.g. using Esys_CreatePrimary or Esys_Load) but already exist inside the TPM, such as NV indices or persistent objects.

Since man-in-the-middle attacks should be prevented as much as possible, it is recommended to pass a session.

Note: For PCRs and hierarchies, please use the global ESYS_TR identifiers.

Note: If a session is provided, the TPM is queried for the metadata twice. First without a session, to retrieve the metadata; then with the session, where this metadata is used in the session HMAC calculation and is thereby verified.

Parameters
  • handle (TPM2_HANDLE) – The handle of the TPM object to represent as ESYS_TR.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Returns

The newly created ESYS_TR metadata object.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_TR_FromTPMPublic

tr_get_name(handle)[source]

Retrieve the TPM public name of an ESYS_TR object.

Some operations (e.g. Esys_PolicyNameHash) require the name of a TPM object to be passed. Esys_TR_GetName provides this name to the caller.

Parameters

handle (ESYS_TR) – The ESYS_TR for which to get the name value.

Returns

A TPM2B_NAME containing the name of the object referenced by handle.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_TR_GetName

tr_serialize(esys_handle)[source]

Serialization of an ESYS_TR into a byte buffer.

Serialize the metadata of an ESYS_TR object into a byte buffer such that it can be stored on disk for later use by a different program or context. The serialized object can be deserialized using tr_deserialize.

Parameters

esys_handle (ESYS_TR) – The ESYS_TR object to serialize.

Returns

The serialized object as bytes.

Raises
  • TypeError – If esys_handle is not an ESYS_TR.

  • TSS2_Exception

    • TSS2_ESYS_RC_BAD_TR if the ESYS_TR object is unknown to the ESYS_CONTEXT.

    • TSS2_ESYS_RC_MEMORY if the buffer for marshaling the object can’t be allocated.

    • TSS2_ESYS_RC_BAD_VALUE for invalid ESYS data to be marshaled.

    • TSS2_RCs produced by lower layers of the software stack.

C Function: Esys_TR_Serialize

tr_set_auth(esys_handle, auth_value)[source]

Set the authorization value of an ESYS_TR.

Authorization values are associated with an ESYS_TR TPM resource object. They are then picked up whenever an authorization is needed.

Note: The authorization value is not stored in the metadata during tr_serialize. Therefore tr_set_auth needs to be called again after every tr_deserialize.

Parameters
  • esys_handle (ESYS_TR) – The ESYS_TR for which to set the authorization value.

  • auth_value (Union[TPM2B_AUTH, bytes, str, None]) – The authorization value to set for the ESYS_TR, or None to zero it. Defaults to None.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_TR_SetAuth

trsess_get_nonce_tpm(session)[source]

Retrieve the TPM nonce of an ESYS_TR session object.

Some operations (e.g. Esys_PolicySigned) require the nonce returned by the TPM during Esys_StartAuthSession. This function provides this nonce to the caller.

Parameters

session (ESYS_TR) – The session handle.

Returns

The TPM2B_NONCE representing the current session nonce.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_TRSess_GetNonceTPM

trsess_set_attributes(session, attributes, mask=255)[source]

Set session attributes.

Set or unset a session’s attributes according to the provided flags and mask:

new_attributes = old_attributes & ~mask | flags & mask

where flags is the attributes parameter. Bits outside the mask keep their previous value.

Note: this function only applies to ESYS_TR objects that represent sessions.

Parameters
  • session (ESYS_TR) – The session handle.

  • attributes (int) – The attributes to be set or unset for the session.

  • mask (int) – The mask for the flags to be set or unset. Defaults to 0xFF.

Raises
  • TypeError – If a parameter is not of an expected type.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

C Function: Esys_TRSess_SetAttributes
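The update rule for trsess_set_attributes, worked through as an added example (this is not tpm2-pytss code and needs no TPM): a pure-Python model of the mask semantics using the TPMA_SESSION bit values from the TCG TPM 2.0 Library specification, Part 2. It shows that the default mask of 0xFF replaces every attribute, so turning on parameter encryption that way also clears continueSession, while a mask covering only the encrypt and decrypt bits leaves the other attributes unchanged.

```python
# TPMA_SESSION attribute bits (TCG TPM 2.0 Library, Part 2, TPMA_SESSION).
# Bits 3 and 4 are reserved and therefore absent here.
TPMA_SESSION_BITS = {
    "continueSession": 0x01,
    "auditExclusive": 0x02,
    "auditReset": 0x04,
    "decrypt": 0x20,
    "encrypt": 0x40,
    "audit": 0x80,
}


def apply_session_attributes(old_attributes: int, flags: int, mask: int = 0xFF) -> int:
    """Model of the documented rule: new = old & ~mask | flags & mask.

    Bits outside the mask are untouched; bits inside the mask take the
    value given by flags, so a 1 sets and a 0 clears the attribute.
    The default mask of 0xFF replaces the whole attribute byte.
    """
    for value in (old_attributes, flags, mask):
        if not 0 <= value <= 0xFF:
            raise ValueError("TPMA_SESSION is a single byte")
    return (old_attributes & ~mask & 0xFF) | (flags & mask)


def describe(attributes: int) -> list[str]:
    """Names of the attribute bits set in a TPMA_SESSION byte, in bit order."""
    return [name for name, bit in TPMA_SESSION_BITS.items() if attributes & bit]


if __name__ == "__main__":
    # A freshly started session typically carries continueSession only.
    old = TPMA_SESSION_BITS["continueSession"]
    want = TPMA_SESSION_BITS["encrypt"] | TPMA_SESSION_BITS["decrypt"]

    # Default mask 0xFF: every bit is rewritten, continueSession is lost.
    replaced = apply_session_attributes(old, want)
    print(f"mask=0xFF -> 0x{replaced:02x} {describe(replaced)}")

    # Narrow mask: only the encrypt/decrypt bits change, the rest survives.
    merged = apply_session_attributes(old, want, mask=want)
    print(f"mask=0x{want:02x} -> 0x{merged:02x} {describe(merged)}")

    # Clearing a single attribute: flags=0 with a mask naming just that bit.
    cleared = apply_session_attributes(merged, 0, mask=TPMA_SESSION_BITS["encrypt"])
    print(f"clear encrypt -> 0x{cleared:02x} {describe(cleared)}")
```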

unseal(item_handle, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Unseal command.

This function invokes the TPM2_Unseal command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • item_handle (ESYS_TR) – The handle of a loaded data object.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPM2B_SENSITIVE_DATA which is the unsealed data.

C Function: Esys_Unseal

TPM Command: TPM2_Unseal

vendor_tcg_test(input_data, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_Vendor_TCG_Test command.

This function invokes the TPM2_Vendor_TCG_Test command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • input_data (Union[TPM2B_DATA, bytes, str]) – Dummy data.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPM2B_DATA which is the output dummy data.

C Function: Esys_Vendor_TCG_Test

TPM Command: TPM2_Vendor_TCG_Test

verify_signature(key_handle, digest, signature, session1=ESYS_TR.NONE, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_VerifySignature command.

This function invokes the TPM2_VerifySignature command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • key_handle (ESYS_TR) – Handle of public key that will be used in the validation.

  • digest (Union[TPM2B_DIGEST, bytes, str]) – Digest of the signed message.

  • signature (TPMT_SIGNATURE) – Signature to be tested.

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A TPMT_TK_VERIFIED on successful verification of the signature.

C Function: Esys_VerifySignature

TPM Command: TPM2_VerifySignature

zgen_2_phase(key_a, in_qs_b, in_qe_b, in_scheme, counter, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)[source]

Invoke the TPM2_ZGen_2Phase command.

This function invokes the TPM2_ZGen_2Phase command in a one-call variant. This means the function will block until the TPM response is available.

Parameters
  • key_a (ESYS_TR) – Handle of an unrestricted ECC decryption key.

  • in_qs_b (TPM2B_ECC_POINT) – The other party’s static public key (Qs,B = (Xs,B, Ys,B)).

  • in_qe_b (TPM2B_ECC_POINT) – The other party’s ephemeral public key (Qe,B = (Xe,B, Ye,B)).

  • in_scheme (TPM2_ALG) – The key exchange scheme.

  • counter (int) – Value returned by TPM2_EC_Ephemeral().

  • session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

  • session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

  • session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

Raises
  • TypeError – If a parameter is not of an expected type.

  • ValueError – If a parameter is not of an expected value.

  • TSS2_Exception – Any of the various TSS2_RC’s the lower layers can return.

Returns

A Tuple[TPM2B_ECC_POINT, TPM2B_ECC_POINT] which are the X and Y coordinates of the first and second computed values (scheme dependent) respectively.

C Function: Esys_ZGen_2Phase

TPM Command: TPM2_ZGen_2Phase