tpm2-abrmd man page

tpm2-abrmd — TPM2 access broker and resource management daemon


tpm2-abrmd [-m][-e][-i][-o][-l logger-name][-r][-s][-g /dev/urandom][-t conf]


tpm2-abrmd is a daemon that implements the TPM access broker and resource manager as described by the Trusted Computing Group (TGC) in the “TSS System Level API and TPM Command Transmission Interface Specification”. This daemon uses the DBus system bus and some pipes to communicate with clients.



Provide the daemon with a string that describes the TCTI and how to configure it for communication with the next component down the TSS2 stack. This string is formatted as "tcti-name:tcti-conf" where:


The name of the TCTI library shared object file. Libraries are found using the same algorithm as dlopen (3). If the TCTI library file name follows the naming convention: libtss2-tcti-<name>.so.0 where <name> is the name for the TCTI, the value of <name> may be supplied in place of the full library file name. See 'Examples' below.


The configuration string passed to the TCTI library upon initialization.

If this option is omitted (or a NULL string provided) then a default TCTI is used in it's default configuration. If the string does not contain a colon then it will be interpreted as only the 'tcti-name'. To provide only the configuration string (using the default TCTI) then the first character in the string passed to this option must be a colon followed by the configuration string. See examples below.


Allow daemon to run as root. If this option is not provided the daemon will refused to run as the root user. Use of this option is not recommended.


Set an upper bound on the number of concurrent client connections allowed. Once this number of client connections is reached new connections will be rejected with an error.


Flush all objects and sessions when daemon is started.


Direct logging output to named logging target. Supported targets are stdout and syslog. If the logger option is not specified the default is stdout.


Set and upper bound on the number of sessions that each client connection is allowed to create (loaded or active) at any one time.


Set an upper bound on the number of transient objects that each client connection allowed to load. Once this number of objects is reached attempts to load new transient objects will produce an error.


Claim the given name on dbus. This option overrides the default of


Read seed for pseudo-random number generator from the provided file.


Connect daemon to the session dbus. This option overrides the default behavior.


Display version string.


Execute daemon with default TCTI and options:


Execute daemon with default TCTI and provided config string:

tpm2-abrmd --tcti=":/dev/tpm0"

This is equivalent to:

tpm2-abrmd --tcti="device:/dev/tpm0"
tpm2-abrmd --tcti=""

Have daemon use Microsoft/IBM TPM2 Simulator tcti library

This connects to a TPM2 simulator via a TCP mssim.
tpm2-abrmd --tcti="mssim"
tpm2-abrmd --tcti=""

Have daemon use tcti library '' and config string

tpm2-abrmd --tcti=mssim:host=,port=5555"
tpm2-abrmd --tcti=",port=5555"


Philip Tricca <>

See Also



This page is part of the 2.0.1 release of Intel's TPM2 Access Broker & Resource Management Daemon. A description of the project, information about reporting bugs, and the latest version of this page can be found at

Referenced By

tss2-tcti-device(7), Tss2_Tcti_Device_Init(3), tss2-tcti-mssim(7), Tss2_Tcti_Mssim_Init(3), tss2-tcti-tabrmd(7), Tss2_Tcti_Tabrmd_Init(3).

March 2018 Intel TPM2 Software Stack