NAME

       tss2_verifyquote(1) -

SYNOPSIS

       tss2_verifyquote [OPTIONS]

SEE ALSO

       fapi-config(5)  to  adjust Fapi parameters like the used cryptographic profile and TCTI or
       directories for the Fapi metadata storages.

       fapi-profile(5) to determine the cryptographic algorithms and parameters for all keys  and
       operations  of  a  specific  TPM  interaction like the name hash algorithm, the asymmetric
       signature algorithm, scheme and parameters and PCR bank selection.

DESCRIPTION

       tss2_verifyquote(1) - This command verifies that the data returned by a  quote  is  valid.
       This includes

       • Reconstructing  the  quoteInfo’s  PCR  values  from  the  eventLog  (if  an eventLog was
         provided)

       • Verifying the quoteInfo using the signature and the publicKeyPath

       The used signature verification scheme is specified in  the  cryptographic  profile  (cf.,
       fapi-profile(5)).

       An application using tss2_verifyquote() will further have to

       • Assess the publicKey’s trustworthiness

       • Assess the eventLog entries’ trustworthiness

OPTIONS

       These are the available options:

       • -Q, --qualifyingData=FILENAME or - (for stdin):

         A  nonce  provided  by  the  caller  to  ensure  freshness  of  the signature.  Optional
         parameter.

       • -l, --pcrLog=FILENAME or - (for stdin):

         Returns the PCR event log for the chosen PCR.  Optional parameter.

         PCR event logs are a list  (arbitrary  length  JSON  array)  of  log  entries  with  the
         following content.

                - recnum: Unique record number
                - pcr: PCR index
                - digest: The digests
                - type: The type of event. At the moment the only possible value is: "LINUX_IMA" (legacy IMA)
                - eventDigest: Digest of the event; e.g. the digest of the measured file
                - eventName: Name of the event; e.g. the name of the measured file.

       • -q, --quoteInfo=FILENAME or - (for stdin):

         The JSON-encoded structure holding the inputs to the quote operation.  This includes the
         digest value and PCR values.

       • -k, --publicKeyPath=STRING:

         Identifies the signing key.  MAY be a path to the public key hierarchy /ext.

       • -i, --signature=FILENAME or - (for stdin):

         The signature over the quoted material.

COMMON OPTIONS

       This collection of options are common to all tss2 programs and  provide  information  that
       many users may expect.

       • -h,  --help  [man|no-man]: Display the tools manpage.  By default, it attempts to invoke
         the manpager for the tool, however, on failure will output a short tool  summary.   This
         is  the  same  behavior  if  the “man” option argument is specified, however if explicit
         “man” is requested, the tool will provide errors from man on stderr.   If  the  “no-man”
         option if specified, or the manpager fails, the short options will be output to stdout.

         To  successfully  use  the  manpages feature requires the manpages to be installed or on
         MANPATH, See man(1) for more details.

       • -v, --version: Display version information for this tool, supported tctis and exit.

EXAMPLE

                  tss2_verifyquote --publicKeyPath="ext/myNewParent" --qualifyingData=qualifyingData.file --quoteInfo=quoteInfo.file --signature=signature.file --pcrLog=pcrLog.file

RETURNS

       0 on success or 1 on failure.

BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

HELP

       See the Mailing List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)