fapi-config(5)		      File Formats Manual		fapi-config(5)

SEE ALSO
       fapi-profile(5)

DESCRIPTION
       FAPI configuration file

       The FAPI parameters which can be adjusted via the configuration file
       are:

        profile_name: Name of the default cryptographic profile chosen from
         the profile_dir directory.

        profile_dir: Directory that contains all cryptographic profiles known
         to FAPI.

        user_dir: The directory where user objects are stored.

        system_dir: The directory where system objects, policies, and
         imported objects are stored.

        tcti: The TCTI interface which will be used.

        system_pcrs: The PCR registers which are used by the system.

        log_dir: The directory for the event log.

        ek_cert_less: A switch to disable certificate verification
         (optional).

        ek_fingerprint: The fingerprint of the endorsement key (optional).

       If not otherwise specified during TSS installation, the default
       location for the exemplary profiles is /etc/tpm2-tss/profiles/ and
       /etc/tpm2-tss/ for the FAPI configuration file. The environment
       variable TSS2_FAPICONF can be used to set an alternative pathname for
       the FAPI configuration file. If the system measurement files (IMA and
       bios) do not exist, /dev/null will be used for firmware_log_file and
       ima_log_file.

EXAMPLES
       The FAPI	configuration file is JSON encoded:

              {
                   "profile_name": "P_ECCP256SHA256",
                   "profile_dir": "/etc/tpm2-tss/fapi-profiles/",
                   "user_dir": "~/.local/share/tpm2-tss/user/keystore/",
                   "system_dir": "/home/myhome/keystore/system/keystore",
                   "tcti": "",
                   "system_pcrs" : [0, 1, 2, 3, 4, 5, 6, 7],
                   "log_dir" : "/home/myhome/eventlog/",
                   "firmware_log_file" : "/sys/kernel/security/tpm0/binary_bios_measurements",
                   "ima_log_file" : "/sys/kernel/security/ima/binary_runtime_measurements"
              }

       For this example the default TCTI of the system will be used. The
       certificates for the stored endorsement keys will be checked. If
       certificate checking is not needed, the option

              "ek_cert_less": "yes"

       can be added to the config file. As an alternative to the standard
       certificate checking, a fingerprint (hash of the public key) for the
       stored endorsement key can be defined in the config file:

              "ek_fingerprint": { "hashAlg" : "sha256", "digest" : "9e56...214d" }
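
       The following Python audit of a FAPI configuration file is an added
       example, not part of this manual page or of the tpm2-tss project. It
       flags a configuration in which the endorsement key is not checked at
       all, an incomplete ek_fingerprint digest, a TSS2_FAPICONF override and
       missing measurement logs. The function name, severity labels, the PCR
       range 0-23 and the case-insensitive match on "yes" are assumptions.

```python
import json
import os

# Parameters the man page lists without "(optional)".
REQUIRED = ("profile_name", "profile_dir", "user_dir", "system_dir",
            "tcti", "system_pcrs", "log_dir")
DIGEST_HEX_LEN = {"sha256": 64}  # only the algorithm shown on the page
# Constructed sample: the page's example values plus "ek_cert_less": "yes".
SAMPLE = json.dumps({
    "profile_name": "P_ECCP256SHA256", "profile_dir": "/etc/tpm2-tss/fapi-profiles/",
    "user_dir": "~/.local/share/tpm2-tss/user/keystore/", "tcti": "",
    "system_dir": "/home/myhome/keystore/system/keystore", "ek_cert_less": "yes",
    "system_pcrs": [0, 1, 2, 3, 4, 5, 6, 7], "log_dir": "/home/myhome/eventlog/",
    "firmware_log_file": "/sys/kernel/security/tpm0/binary_bios_measurements",
    "ima_log_file": "/sys/kernel/security/ima/binary_runtime_measurements"})


def audit_fapi_config(text, env=os.environ, exists=os.path.exists):
    """Return (severity, message) findings for a FAPI config passed as JSON text."""
    cfg, out = json.loads(text), []
    if env.get("TSS2_FAPICONF"):
        out.append(("info", "config path overridden by TSS2_FAPICONF"))
    for key in REQUIRED:
        if key not in cfg:
            out.append(("error", f"missing parameter: {key}"))
    pcrs = cfg.get("system_pcrs", [])
    # Range 0-23 is this example's assumption (PC Client TPMs have 24 PCRs).
    if not isinstance(pcrs, list) or any(
            type(p) is not int or not 0 <= p <= 23 for p in pcrs):
        out.append(("error", "system_pcrs must be a list of PCR indices 0-23"))
    fp = cfg.get("ek_fingerprint")
    # The page shows "yes"; matching it case-insensitively is an assumption.
    cert_less = str(cfg.get("ek_cert_less", "")).lower() == "yes"
    if fp is not None:
        fp = fp if isinstance(fp, dict) else {}
        alg, digest = fp.get("hashAlg"), str(fp.get("digest", ""))
        is_hex = bool(digest) and set(digest) <= set("0123456789abcdefABCDEF")
        if not is_hex or len(digest) != DIGEST_HEX_LEN.get(alg, len(digest)):
            out.append(("error", f"ek_fingerprint digest is not full hex for {alg!r}"))
    elif cert_less:
        out.append(("high", "ek_cert_less set, no ek_fingerprint: EK is not checked"))
    for key in ("firmware_log_file", "ima_log_file"):
        path = cfg.get(key)
        if path in (None, "/dev/null") or not exists(path):
            out.append(("warn", f"{key}: no measurement log at {path!r}"))
    return out


if __name__ == "__main__":
    for severity, message in audit_fapi_config(SAMPLE):
        print(severity, message)
```

       The abbreviated digest printed in the example above ("9e56...214d") is
       reported as an error by this check, since it is not a complete hash.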

COLOPHON
       This page is part of release 4.0.1 of Open Source implementation	of the
       TCG TPM2	Software Stack (TSS2). A description of	the project,  informa-
       tion  about  reporting bugs, and	the latest version of this page	can be
       found at	https://github.com/tpm2-software/tpm2-tss/.

TPM2 Software Stack		   JULI	2020			fapi-config(5)
