oracular (5) fapi-config.5.gz

Provided by: libtss2-doc_4.1.3-1ubuntu3_all bug

SEE ALSO
       fapi-profile(5)


DESCRIPTION
       FAPI configuration file

       The FAPI parameters which can be adjusted via the configuration file are;

       • profile_name: Name of the default cryptographic profile chosen from the profile_dir directory.

       • profile_dir: Directory that contains all cryptographic profiles known to FAPI.

       • user_dir: The directory where user objects are stored.

       • system_dir: The directory where system objects, policies, and imported objects are stored.

       • tcti: The TCTI interface which will be used.

       • system_pcrs: The PCR registers which are used by the system.

       • log_dir: The directory for the event log.

       • ek_cert_less: A switch to disable certificate verification (optional).

       • ek_fingerprint: The fingerprint of the endorsement key (optional).

       If  not  otherwise  specified during TSS installation, the default location for the exemplary profiles is
       /etc/tpm2-tss/profiles/ and /etc/tpm2-tss/ for the FAPI configuration  file.   The  environment  variable
       TSS2_FAPICONF  can be used to set an alternative pathname for the FAPI configuration file.  If the system
       measurement files (IMA and  bios)  do  not  exist  /dev/null  will  be  used  for  firmware_log_file  and
       ima_log_file.


EXAMPLES
       The FAPI configuration file is JSON encoded:

              {
                   "profile_name": "P_ECCP256SHA256",
                   "profile_dir": "/etc/tpm2-tss/fapi-profiles/",
                   "user_dir": "~/.local/share/tpm2-tss/user/keystore/",
                   "system_dir": "/home/myhome/keystore/system/keystore",
                   "tcti": "",
                   "system_pcrs" : [0, 1, 2, 3, 4, 5, 6, 7],
                   "log_dir" : "/home/myhome/eventlog/",
                   "firmware_log_file" : "/sys/kernel/security/tpm0/binary_bios_measurements",
                    "ima_log_file" : "/sys/kernel/security/ima/binary_runtime_measurements"
              }

       For  this  example  the  default  TCTI  of  the  system  will  be  used.  The certificates for the stored
       endorsement keys will be checked.  If the certificate checking is not needed the option:

       "ek_cert_less": "yes" can be added to the config file.  Alternative to the standard certificate  checking
       a fingerprint (hash of the public key) for the stored endorsement key can be defined in the config file:

       "ek_fingerprint":  {     "hashAlg" : "sha256",     "digest" : "9e56...214d"     }


COLOPHON
       This page is part of release 4.1.3 of Open Source implementation of the TCG TPM2 Software Stack (TSS2). A
       description of the project, information about reporting bugs, and the latest version of this page can  be
       found at https://github.com/tpm2-software/tpm2-tss/.