Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Thursday, June 13, 2019

tcsd (8)


tcsd - daemon that manages Trusted Computing resources


tcsd [-f] [-e] [-c <configfile> ] [-h]


tcsd(8)                     System Manager's Manual                    tcsd(8)

                              TCG Software Stack

       tcsd - daemon that manages Trusted Computing resources

       tcsd [-f] [-e] [-c <configfile> ] [-h]

       Trousers is an open-source TCG Software Stack (TSS), released under the
       BSD License. Trousers aims to be compliant with the current (1.1b) and
       upcoming (1.2) TSS specifications available from the Trusted Computing
       Group website: http://www.trustedcomputinggroup.org.

       tcsd is a user space daemon that should be (according to the TSS spec)
       the only portal to the TPM device driver. At boot time, tcsd should be
       started, it should open the TPM device driver and from that point on,
       all requests to the TPM should go through the TSS stack. The tcsd
       manages TPM resources and handles requests from TSP's both local and

       -f, --foreground
              run the daemon in the foreground

       -e     attempt to connect to software TPMs over TCP

       -c, --config <configfile>
              use the provided configuration file rather than the default
              configuration file

       -h, --help
              display help message

       There are two types of access control for the tcsd, access to the
       daemon's socket itself and access to specific commands internal to the
       tcsd. Access to the tcsd's port should be controlled by the system
       administrator using firewall rules.  If port = 0 in
       /etc/security/tcsd.conf, tcsduses a UNIX Domain socket.  Otherwise,
       tcsd uses a TCP port.  By default the TCP port, when enabled, is
       accessible only from localhost, unless "remote_ops" in tcsd.conf is not

       Access to individual commands internal to the tcsd is configured by the
       tcsd configuration file's "remote_ops" directive. Each function call in
       the TCS API is reachable by a unique ordinal.  Each labeled "remote op"
       actually defines a set of ordinals (usually more than one) necessary to
       accomplish the operation. So, for example, the "random" operation
       enables the ordinals for opening and closing a context, calling
       TCS_StirRandom and TCS_GetRandom, as well as TCS_FreeMemory. By
       default, connections from localhost will allow any ordinals.

       TSS applications have access to 2 different kinds of 'persistant'
       storage. 'User' persistant storage has the lifetime of that of the
       application using it and therefore is destroyed when an application
       exits.  User PS is controlled by the TSP of the application.  'System'
       persistent storage is controlled by the TCS and stays valid across
       application lifetimes, tcsd restarts and system resets. Data registered
       in system PS stays valid until an application requests that it be
       removed. User PS files are by default stored as
       /var/user/$USERNAME/tpm/userps/user.data and the system PS file by
       default is /var/tpm/system/system.data.  The system PS file is
       initially created when ownership of the TPM is first taken.

           Contains the system PS (persistent storage) data controlled by  the
           TCS.   By  default,  the  SRK  key  is installed in PS and does not
           require owner authorization to use.  If the TPM has previously been
           provisioned  and  owner-auth  is required to load the SRK, then the
           /var/tpm/system/system.data.auth   file   should   be   moved    to
           /var/tpm/system/system.data before starting the TCS (See NOTES).

           This  is  the  default  PS  data  file  to  use if the TPM has been
           previously configured to require  owner-auth  to  access  the  SRK.
           Copy this file to /var/tpm/system/system.data prior to starting the
           TCS if owner-auth is needed, otherwise this file can be ignored.

       tcsd configuration is stored by default in /etc/security/tcsd.conf

       If TrouSerS has been compiled with  debugging  enabled,  the  debugging
       output  can  be  supressed  by  setting  the  TSS_DEBUG_OFF environment

       tcsd is compatible with the IBM Research TPM  device  driver  available
       from   http://ibmswtpm.sourceforge.net/   and  the  TPM  device  driver
       available from http://sf.net/projects/tpmdd, which is also available in
       the  upstream  Linux  kernel  and  many  Linux  distros.   It  is  also
       compatible with the TPM device  driver  for  Oracle  Solaris  which  is
       available in package driver/crypto/tpm.

       tcsd  conforms  to  the  Trusted Computing Group Software Specification
       version 1.1 Golden

       See attributes(7) for descriptions of the following attributes:

       |Availability   | library/security/trousers |
       |Stability      | Uncommitted               |
       tcsd.conf(5), svcadm(8), smf(7)

       The tcsd service is managed by the service management facility, smf(7),
       under the service identifier:


       Administrative actions on this service, such as enabling, disabling, or
       requesting restart, can be performed  using  svcadm(8).  The  service's
       status can be queried using the svcs(1) command.

       Kent Yoder

       Report bugs to <trousers-tech@lists.sf.net>

       This     software     was    built    from    source    available    at
       https://github.com/oracle/solaris-userland.   The  original   community
       source                was                downloaded                from

       Further information about this software can be found on the open source
       community website at http://trousers.sourceforge.net/.

TSS 1.1                           2005-03-15                           tcsd(8)