Add tpm2_pcrreset and tpm2_checkquote tools

This change adds the backported tpm2_pcrreset and tpm2_checkquote tools
and also the support to allow tpm2_makecredential tool to run off-TPM.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>

Add-attestation-test-which-ensures-full-attestation-.patch

@@ -0,0 +1,146 @@
+From 70733e919aaa72aa03cccf6cd453bbe0da752de1 Mon Sep 17 00:00:00 2001
+From: jetwhiz <Charles.Munson@ll.mit.edu>
+Date: Tue, 9 Apr 2019 17:57:36 -0400
+Subject: [PATCH] Add attestation test, which ensures full attestation
+ process works
+
+Signed-off-by: jetwhiz <Charles.Munson@ll.mit.edu>
+---
+ test/system/test_attestation.sh | 125 ++++++++++++++++++++++++++++++++
+ 1 file changed, 125 insertions(+)
+ create mode 100755 test/system/test_attestation.sh
+
+diff --git a/test/system/test_attestation.sh b/test/system/test_attestation.sh
+new file mode 100755
+index 00000000000..ea9da13a419
+--- /dev/null
++++ b/test/system/test_attestation.sh
+@@ -0,0 +1,125 @@
++#!/bin/bash
++#;**********************************************************************;
++#
++# Copyright (c) 2019 Massachusetts Institute of Technology.
++# All rights reserved.
++#
++# Redistribution and use in source and binary forms, with or without
++# modification, are permitted provided that the following conditions are met:
++#
++# 1. Redistributions of source code must retain the above copyright notice,
++# this list of conditions and the following disclaimer.
++#
++# 2. Redistributions in binary form must reproduce the above copyright notice,
++# this list of conditions and the following disclaimer in the documentation
++# and/or other materials provided with the distribution.
++#
++# 3. Neither the name of Intel Corporation nor the names of its contributors
++# may be used to endorse or promote products derived from this software without
++# specific prior written permission.
++#
++# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
++# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
++# THE POSSIBILITY OF SUCH DAMAGE.
++#;**********************************************************************;
++
++source test_helpers.sh
++
++handle_ek=0x81010007
++handle_ak=0x81010008
++handle_nv=0x1500018
++handle_hier=0x40000001
++ek_alg=rsa
++ak_alg=rsa
++digestAlg=sha256
++signAlg=rsassa
++ownerpw=ownerpass
++endorsepw=endorsepass
++ekpw=ekpass
++akpw=akpass
++
++file_input_data=secret.data
++file_input_key=nv.data
++output_ek_pub_pem=ekpub.pem
++output_ek_pub=ek.pub
++output_ak_pub_pem=akpub.pem
++output_ak_pub=ak.pub
++output_ak_priv=ak.priv
++output_ak_pub_name=ak.name
++output_mkcredential=mkcred.out
++output_actcredential=actcred.out
++output_quote=quote.out
++output_quotesig=quotesig.out
++output_quotepcr=quotepcr.out
++
++cleanup() {
++  rm -f $output_ak_priv \
++        $file_input_data $file_input_key $output_ek_pub $output_ek_pub_pem $output_ak_pub \
++        $output_ak_pub_pem $output_ak_pub_name $output_mkcredential \
++        $output_actcredential $output_quote $output_quotesig $output_quotepcr rand.out 
++
++  tpm2_pcrreset 16
++  tpm2_evictcontrol -Q -Ao -c $handle_ek 2>/dev/null || true
++  tpm2_evictcontrol -Q -Ao -c $handle_ak 2>/dev/null || true
++
++  tpm2_nvrelease -Q -x $handle_nv -a $handle_hier -P "$ownerpw" 2>/dev/null || true
++
++  tpm2_takeownership -c 2>/dev/null || true
++}
++trap cleanup EXIT
++
++
++cleanup
++
++echo "12345678" > $file_input_data
++echo "1234567890123456789012345678901" > $file_input_key
++
++getrandom() {
++  tpm2_getrandom -Q -o rand.out $1
++  local file_size=`stat --printf="%s" rand.out`
++  loaded_randomness=`cat rand.out | xxd -p -c $file_size`
++}
++
++
++tpm2_takeownership -o "$ownerpw" -e "$endorsepw"
++
++# Key generation
++tpm2_getpubek -Q -H $handle_ek -g $ek_alg -f $output_ek_pub -P "$ekpw" -o "$ownerpw" -e "$endorsepw"
++tpm2_readpublic -Q -H $handle_ek -o $output_ek_pub_pem -f pem
++tpm2_getpubak -Q -E $handle_ek -k $handle_ak -g $ak_alg -D $digestAlg -s $signAlg -f $output_ak_pub -n $output_ak_pub_name -e "$endorsepw" -P "$akpw" -o "$ownerpw"
++tpm2_readpublic -Q -H $handle_ak -o $output_ak_pub_pem -f pem
++
++# Validate keys (registrar)
++file_size=`stat --printf="%s" $output_ak_pub_name`
++loaded_key_name=`cat $output_ak_pub_name | xxd -p -c $file_size`
++tpm2_makecredential -Q -T none -e $output_ek_pub  -s $file_input_data -n $loaded_key_name -o $output_mkcredential 
++tpm2_activatecredential -Q -H $handle_ak -k $handle_ek -f $output_mkcredential -o $output_actcredential -P "$akpw" -e "$endorsepw"
++diff $file_input_data $output_actcredential
++
++
++# Quoting
++tpm2_pcrreset -Q 16
++tpm2_pcrextend -Q 16:sha256=6ea40aa7267bb71251c1de1c3605a3df759b86b22fa9f62aa298d4197cd88a38
++tpm2_pcrlist -Q
++getrandom 20
++tpm2_quote -Q -k $handle_ak -L $digestAlg:15,16,22 -q $loaded_randomness -m $output_quote -s $output_quotesig -p $output_quotepcr -G $digestAlg -P "$akpw"
++
++
++# Verify quote
++tpm2_checkquote -Q -c $output_ak_pub_pem -m $output_quote -s $output_quotesig -p $output_quotepcr -G $digestAlg -q $loaded_randomness
++
++
++# Save U key from verifier
++tpm2_nvdefine -Q -x $handle_nv -a $handle_hier -s 32 -t "ownerread|policywrite|ownerwrite" -I "indexpass" -P "$ownerpw"
++tpm2_nvwrite -Q -x $handle_nv -a $handle_hier -P "$ownerpw" $file_input_key
++tpm2_nvread -Q -x $handle_nv -a $handle_hier -s 32 -P "$ownerpw"
++
++exit 0
+-- 
+2.21.0
+

Fix-ups-in-tpm2_quote.md.1.patch

@@ -0,0 +1,34 @@
+From 6c25de22d981d26d0ae80d99706f86c52f713b06 Mon Sep 17 00:00:00 2001
+From: jetwhiz <Charles.Munson@ll.mit.edu>
+Date: Fri, 3 May 2019 13:46:41 -0400
+Subject: [PATCH] Fix-ups in tpm2_quote.md.1
+
+Capitalization fixes to follow preferred format
+
+Signed-off-by: jetwhiz <Charles.Munson@ll.mit.edu>
+---
+ man/tpm2_quote.1.md | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/man/tpm2_quote.1.md b/man/tpm2_quote.1.md
+index 491848201d9..c926f4d045d 100644
+--- a/man/tpm2_quote.1.md
++++ b/man/tpm2_quote.1.md
+@@ -41,12 +41,12 @@
+ 
+   * **-m**, **--message**:
+ 
+-    message output file, records the quote message that makes up the data that
++    Message output file, records the quote message that makes up the data that
+     is signed by the TPM.
+ 
+   * **-s**, **--signature**:
+ 
+-    signature output file, records the signature in the format specified via the **-f**
++    Signature output file, records the signature in the format specified via the **-f**
+     option.
+ 
+   * **-f**, **--format**
+-- 
+2.21.0
+

Update-CHANGELOG.md.patch

@@ -0,0 +1,26 @@
+From edbbe53e225bcc68c6ee0a5a85bec82ae6cdc398 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Thu, 2 May 2019 08:44:48 -0700
+Subject: [PATCH] Update CHANGELOG.md
+
+---
+ CHANGELOG.md | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/CHANGELOG.md b/CHANGELOG.md
+index 19e831d7e7f..a8e4f39afde 100644
+--- a/CHANGELOG.md
++++ b/CHANGELOG.md
+@@ -1,4 +1,9 @@
+ ## Changelog
++### 3.2.0 - next
++* tpm2_makecredential: add support for executing tool off-TPM.
++* tpm2_pcrreset: introduce new tool for resetting PCRs.
++* tpm2_quote: Fix AK auth password not being used.
++
+ ### 3.1.4 - 2019-03-14
+   * Fix various man pages
+   * tpm2_getmanufec: fix OSSL build warnings
+-- 
+2.21.0
+

Wire-up-support-for-ak-auth-password-in-tpm2_quote-t.patch

@@ -0,0 +1,97 @@
+From 993da58a612238bf2dd53a015dfdb2a6c0eb00b9 Mon Sep 17 00:00:00 2001
+From: jetwhiz <Charles.Munson@ll.mit.edu>
+Date: Mon, 22 Apr 2019 09:48:56 -0400
+Subject: [PATCH 1/6] Wire up support for ak auth password in tpm2_quote tool
+
+Add regression test
+
+Signed-off-by: jetwhiz <Charles.Munson@ll.mit.edu>
+---
+ test/system/test_tpm2_quote.sh |  9 ++++++++-
+ tools/tpm2_quote.c             | 11 ++++++++---
+ 2 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/test/system/test_tpm2_quote.sh b/test/system/test_tpm2_quote.sh
+index d845ea1bdb1..231bed326ec 100755
+--- a/test/system/test_tpm2_quote.sh
++++ b/test/system/test_tpm2_quote.sh
+@@ -50,6 +50,7 @@ file_quote_key_ctx=ctx_load_out_"$alg_primary_obj"_"$alg_primary_key"-"$alg_crea
+ Handle_ak_quote=0x81010016
+ Handle_ek_quote=0x81010017
+ Handle_ak_quote2=0x81010018
++Handle_ak_quote3=0x81010019
+ 
+ maxdigest=$(tpm2_getcap -c properties-fixed | grep TPM_PT_MAX_DIGEST | sed -r -e 's/.*(0x[0-9a-f]+)/\1/g')
+ if ! [[ "$maxdigest" =~ ^(0x)*[0-9]+$ ]] ; then
+@@ -73,6 +74,7 @@ cleanup() {
+     tpm2_evictcontrol -Q -Ao -H $Handle_ek_quote 2>/dev/null || true
+     tpm2_evictcontrol -Q -Ao -H $Handle_ak_quote 2>/dev/null || true
+     tpm2_evictcontrol -Q -Ao -H $Handle_ak_quote2 2>/dev/null || true
++    tpm2_evictcontrol -Q -Ao -H $Handle_ak_quote3 2>/dev/null || true
+ }
+ trap cleanup EXIT
+ 
+@@ -104,4 +106,9 @@ tpm2_getpubak -Q -E  $Handle_ek_quote -k  $Handle_ak_quote2 -f ak.pub2 -n ak.nam
+ 
+ tpm2_quote -Q -k $Handle_ak_quote -g $alg_quote -l 16,17,18 -q $nonce
+ 
+-exit 0
++#####AK with password
++tpm2_getpubak -Q -E  $Handle_ek_quote -k  $Handle_ak_quote3 -f ak.pub2 -n ak.name_2 -P abc123
++
++tpm2_quote -Q -k $Handle_ak_quote3 -g $alg_quote -l 16,17,18 -q $nonce -P abc123
++
++exit 0
+\ No newline at end of file
+diff --git a/tools/tpm2_quote.c b/tools/tpm2_quote.c
+index 3538947db31..05b6d641656 100644
+--- a/tools/tpm2_quote.c
++++ b/tools/tpm2_quote.c
+@@ -50,7 +50,7 @@ typedef struct {
+     UINT32 id[24];
+ } PCR_LIST;
+ 
+-static TPMS_AUTH_COMMAND sessionData;
++static TPMS_AUTH_COMMAND sessionData = TPMS_AUTH_COMMAND_INIT(TPM2_RS_PW);
+ static char *outFilePath;
+ static char *signature_path;
+ static char *message_path;
+@@ -60,7 +60,7 @@ static TPM2B_DATA qualifyingData = TPM2B_EMPTY_INIT;
+ static TPML_PCR_SELECTION  pcrSelections;
+ static bool is_auth_session;
+ static TPMI_SH_AUTH_SESSION auth_session_handle;
+-static int k_flag, c_flag, l_flag, g_flag, L_flag, o_flag, G_flag;
++static int k_flag, c_flag, l_flag, g_flag, L_flag, o_flag, G_flag, P_flag;
+ static char *contextFilePath;
+ static TPM2_HANDLE akHandle;
+ 
+@@ -94,7 +94,7 @@ static int quote(TSS2_SYS_CONTEXT *sapi_context, TPM2_HANDLE akHandle, TPML_PCR_
+ {
+     UINT32 rval;
+     TPMT_SIG_SCHEME inScheme;
+-    TSS2L_SYS_AUTH_COMMAND sessionsData = { 1, {{.sessionHandle=TPM2_RS_PW}}};
++    TSS2L_SYS_AUTH_COMMAND sessionsData = { 1, { sessionData }};
+     TSS2L_SYS_AUTH_RESPONSE sessionsDataOut;
+     TPM2B_ATTEST quoted = TPM2B_TYPE_INIT(TPM2B_ATTEST, attestationData);
+     TPMT_SIGNATURE signature;
+@@ -152,6 +152,7 @@ static bool on_option(char key, char *value) {
+             LOG_ERR("Invalid AK password, got\"%s\"", value);
+             return false;
+         }
++        P_flag = 1;
+     } break;
+     case 'l':
+         if(!pcr_parse_list(value, strlen(value), &pcrSelections.pcrSelections[0]))
+@@ -265,5 +266,9 @@ int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sapi_context, tpm2_option_flags flags) {
+         }
+     }
+ 
++    if (P_flag == 0) {
++        sessionData.hmac.size = 0;
++    }
++
+     return quote(sapi_context, akHandle, &pcrSelections);
+ }
+-- 
+2.21.0
+

lib-tpm2_util.c-string_to_uint32-ensure-the-string-d.patch

@@ -0,0 +1,47 @@
+From 9685ea263f994537430323fb1681b210395eee7c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=D0=94=D0=B8=D0=BB=D1=8F=D0=BD=20=D0=9F=D0=B0=D0=BB=D0=B0?=
+ =?UTF-8?q?=D1=83=D0=B7=D0=BE=D0=B2?= <git-dpa@aegee.org>
+Date: Tue, 2 Apr 2019 16:18:32 +0000
+Subject: [PATCH] lib/tpm2_util.c:string_to_uint32: ensure the string does not
+ overflow in uint32
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before this change input of "4294967295" generated output of 4294967295, which
+is UINT32_MAX = 2**32 - 1.  But input "4294967296" created output of 0.  The
+function is supposed to fail if the number is too big, rather than silently
+convert unsigned long int to uint32_t, ignoring some bits.
+
+Signed-Off-By: Дилян Палаузов <git-dpa@aegee.org>
+---
+ lib/tpm2_util.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tpm2_util.c b/lib/tpm2_util.c
+index edfda4a8b0b..ca9d8b7f4d7 100644
+--- a/lib/tpm2_util.c
++++ b/lib/tpm2_util.c
+@@ -236,8 +236,8 @@ bool tpm2_util_string_to_uint32(const char *str, uint32_t *value) {
+ 
+     /* clear errno before the call, should be 0 afterwards */
+     errno = 0;
+-    uint32_t tmp = strtoul(str, &endptr, 0);
+-    if (errno) {
++    unsigned long int tmp = strtoul(str, &endptr, 0);
++    if (errno || tmp > UINT32_MAX) {
+         return false;
+     }
+ 
+@@ -250,7 +250,7 @@ bool tpm2_util_string_to_uint32(const char *str, uint32_t *value) {
+         return false;
+     }
+ 
+-    *value = tmp;
++    *value = (uint32_t) tmp;
+     return true;
+ }
+ 
+-- 
+2.21.0
+

tpm2-tools.spec

@@ -1,12 +1,21 @@
 Name: tpm2-tools
 Version: 3.1.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: A TPM2.0 testing tool build upon TPM2.0-TSS
 
 License: BSD
 URL:     https://github.com/tpm2-software/tpm2-tools
 Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
 
+Patch0: Wire-up-support-for-ak-auth-password-in-tpm2_quote-t.patch
+Patch1: tpm2_pcrreset-new-tools.patch
+Patch2: Add-ability-to-run-tpm2_makecredential-without-a-TPM.patch
+Patch3: Update-CHANGELOG.md.patch
+Patch4: Add-ability-to-check-quotes-and-output-PCR-values-fo.patch
+Patch5: Add-attestation-test-which-ensures-full-attestation-.patch
+Patch6: Fix-ups-in-tpm2_quote.md.1.patch
+Patch7: lib-tpm2_util.c-string_to_uint32-ensure-the-string-d.patch
+
 BuildRequires: gcc-c++
 BuildRequires: libtool
 BuildRequires: autoconf-archive
@@ -45,6 +54,10 @@ tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss.
 %{_mandir}/man1/tpm2_*.1.gz
 
 %changelog
+* Fri May 10 2019 Javier Martinez Canillas <javierm@redhat.com> - 3.1.4-2
+- Allow tpm2_makecredential to run without a TPM (jetwhiz)
+- Add tpm2_pcrreset and tpm2_checkquote tools (jetwhiz)
+
 * Fri Mar 15 2019 Yunying Sun <yunying.sun@intel.com> - 3.1.4-1
 - Update to 3.1.4 release
 - Removed the 4 patches since all have been included in 3.1.4 release

tpm2_pcrreset-new-tools.patch

@@ -0,0 +1,313 @@
+From 016ef077a2e81fab14cbcd5ba6fae10a6681688b Mon Sep 17 00:00:00 2001
+From: jetwhiz <charles.munson@ll.mit.edu>
+Date: Mon, 1 Oct 2018 17:55:13 -0400
+Subject: [PATCH 2/6] tpm2_pcrreset new tools
+
+New tool to allow resetting PCR registers, backport from 0ef0f31775
+
+Signed-off-by: jetwhiz <Charles.Munson@ll.mit.edu>
+---
+ Makefile.am                       |   3 +
+ man/tpm2_pcrreset.1.md            |  58 ++++++++++++++
+ test/system/test_tpm2_pcrreset.sh |  59 ++++++++++++++
+ tools/tpm2_pcrreset.c             | 129 ++++++++++++++++++++++++++++++
+ 4 files changed, 249 insertions(+)
+ create mode 100644 man/tpm2_pcrreset.1.md
+ create mode 100755 test/system/test_tpm2_pcrreset.sh
+ create mode 100644 tools/tpm2_pcrreset.c
+
+diff --git a/Makefile.am b/Makefile.am
+index 3856bcb400c..ffe22f383e3 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -87,6 +87,7 @@ bin_PROGRAMS = \
+     tools/tpm2_pcrevent \
+     tools/tpm2_pcrextend \
+     tools/tpm2_pcrlist \
++    tools/tpm2_pcrreset \
+     tools/tpm2_quote \
+     tools/tpm2_rc_decode \
+     tools/tpm2_readpublic \
+@@ -179,6 +180,7 @@ tools_tpm2_unseal_SOURCES = tools/tpm2_unseal.c $(TOOL_SRC)
+ tools_tpm2_dictionarylockout_SOURCES = tools/tpm2_dictionarylockout.c $(TOOL_SRC)
+ tools_tpm2_createpolicy_SOURCES = tools/tpm2_createpolicy.c $(TOOL_SRC)
+ tools_tpm2_pcrextend_SOURCES = tools/tpm2_pcrextend.c $(TOOL_SRC)
++tools_tpm2_pcrreset_SOURCES = tools/tpm2_pcrreset.c $(TOOL_SRC)
+ tools_tpm2_pcrevent_SOURCES = tools/tpm2_pcrevent.c $(TOOL_SRC)
+ tools_tpm2_rc_decode_SOURCES = tools/tpm2_rc_decode.c $(TOOL_SRC)
+ 
+@@ -279,6 +281,7 @@ if HAVE_MAN_PAGES
+     man/man1/tpm2_pcrevent.1 \
+     man/man1/tpm2_pcrextend.1 \
+     man/man1/tpm2_pcrlist.1 \
++    man/man1/tpm2_pcrreset.1 \
+     man/man1/tpm2_quote.1 \
+     man/man1/tpm2_rc_decode.1 \
+     man/man1/tpm2_readpublic.1 \
+diff --git a/man/tpm2_pcrreset.1.md b/man/tpm2_pcrreset.1.md
+new file mode 100644
+index 00000000000..d5637137796
+--- /dev/null
++++ b/man/tpm2_pcrreset.1.md
+@@ -0,0 +1,58 @@
++% tpm2_pcrreset(1) tpm2-tools | General Commands Manual
++%
++% JANUARY 2019
++
++# NAME
++
++**tpm2_pcrreset**(1) - Reset one or more PCR banks
++
++# SYNOPSIS
++
++**tpm2_pcrreset** [*OPTIONS*] _PCR\_INDEX_ ...
++
++# DESCRIPTION
++
++**tpm2_pcrreset**(1) - Reset PCR value in all banks for specified index.
++More than one PCR index can be specified.
++
++The reset value is manufacturer-dependent and is either sequence of 00 or FF
++on the length of the hash algorithm for each supported bank
++
++_PCR\_INDEX_ is a space separated list of PCR indexes to be reset when issuing
++the command. 
++
++# OPTIONS
++
++This tool accepts no tool specific options.
++
++[common options](common/options.md)
++
++[common tcti options](common/tcti.md)
++
++# EXAMPLES
++
++## Reset a single PCR
++```
++tpm2_pcrreset 23
++```
++
++## Reset multiple PCRs
++```
++tpm2_pcrreset 16 23
++```
++
++# NOTES
++
++On operating system's locality (generally locality 0), only PCR 23 can be reset.
++PCR-16 can also be reset on this locality, depending on TPM manufacturers
++which could define this PCR as resettable.
++
++PCR 0 to 15 are not resettable (being part of SRTM). PCR 16 to 22 are mostly
++reserved for DRTM or dedicated to specific localities and might not
++be resettable depending on current TPM locality.
++
++# RETURNS
++
++0 on success or 1 on failure.
++
++[footer](common/footer.md)
+diff --git a/test/system/test_tpm2_pcrreset.sh b/test/system/test_tpm2_pcrreset.sh
+new file mode 100755
+index 00000000000..962de780ab4
+--- /dev/null
++++ b/test/system/test_tpm2_pcrreset.sh
+@@ -0,0 +1,59 @@
++#!/bin/bash
++#;**********************************************************************;
++#
++# Copyright (c) 2019, Sebastien LE STUM
++# All rights reserved.
++#
++# Redistribution and use in source and binary forms, with or without
++# modification, are permitted provided that the following conditions are met:
++#
++# 1. Redistributions of source code must retain the above copyright notice,
++# this list of conditions and the following disclaimer.
++#
++# 2. Redistributions in binary form must reproduce the above copyright notice,
++# this list of conditions and the following disclaimer in the documentation
++# and/or other materials provided with the distribution.
++#
++# 3. Neither the name of Intel Corporation nor the names of its contributors
++# may be used to endorse or promote products derived from this software without
++# specific prior written permission.
++#
++# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
++# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
++# THE POSSIBILITY OF SUCH DAMAGE.
++#;**********************************************************************;
++
++source test_helpers.sh
++
++# Reset a resettable PCR
++tpm2_pcrreset 23
++
++# Reset more than one resettable PCR
++tpm2_pcrreset 16 23
++
++# Get PCR_Reset out of bound index error
++tpm2_pcrreset 999 2>&1 1>/dev/null | grep -q "out of bound PCR"
++
++# Get PCR_Reset wrong index error
++tpm2_pcrreset toto 2>&1 1>/dev/null | grep -q "invalid PCR"
++
++# Get PCR_Reset index out of range error
++if tpm2_pcrreset 29 2>&1 1>/dev/null ; then
++    echo "tpm2_pcrreset on out of range PCR index didn't fail"
++    exit 1
++else
++    true
++fi
++
++# Get PCR_Reset bad locality error
++tpm2_pcrreset 0 2>&1 1>/dev/null | grep -q "0x907"
++
++exit 0
+diff --git a/tools/tpm2_pcrreset.c b/tools/tpm2_pcrreset.c
+new file mode 100644
+index 00000000000..5fa1de121e7
+--- /dev/null
++++ b/tools/tpm2_pcrreset.c
+@@ -0,0 +1,129 @@
++//**********************************************************************;
++// Copyright (c) 2017, Intel Corporation
++// All rights reserved.
++//
++// Redistribution and use in source and binary forms, with or without
++// modification, are permitted provided that the following conditions are met:
++//
++// 1. Redistributions of source code must retain the above copyright notice,
++// this list of conditions and the following disclaimer.
++//
++// 2. Redistributions in binary form must reproduce the above copyright notice,
++// this list of conditions and the following disclaimer in the documentation
++// and/or other materials provided with the distribution.
++//
++// 3. Neither the name of Intel Corporation nor the names of its contributors
++// may be used to endorse or promote products derived from this software without
++// specific prior written permission.
++//
++// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
++// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
++// THE POSSIBILITY OF SUCH DAMAGE.
++//**********************************************************************;
++
++#include <ctype.h>
++#include <errno.h>
++#include <stdbool.h>
++#include <stdlib.h>
++#include <string.h>
++
++#include <tss2/tss2_sys.h>
++
++#include "log.h"
++#include "pcr.h"
++#include "tpm2_options.h"
++#include "tpm2_tool.h"
++#include "tpm2_util.h"
++
++typedef struct tpm_pcr_reset_ctx tpm_pcr_reset_ctx;
++struct tpm_pcr_reset_ctx {
++    bool            pcr_list[TPM2_MAX_PCRS];
++};
++
++static tpm_pcr_reset_ctx ctx;
++
++static bool pcr_reset_one(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_PCR pcr_index) {
++    TSS2L_SYS_AUTH_RESPONSE sessions_data_out;
++    TSS2L_SYS_AUTH_COMMAND sessions_data = { 1, {{ .sessionHandle=TPM2_RS_PW }}};
++
++    TSS2_RC rval = TSS2_RETRY_EXP(Tss2_Sys_PCR_Reset(sapi_context, pcr_index, &sessions_data,
++            &sessions_data_out));
++    if (rval != TSS2_RC_SUCCESS) {
++        LOG_ERR("Could not reset PCR index: %d", pcr_index);
++        return false;
++    }
++
++    return true;
++}
++
++static bool pcr_reset(TSS2_SYS_CONTEXT *sapi_context) {
++    size_t i;
++
++    for (i = 0; i < TPM2_MAX_PCRS; i++) {
++        if(!ctx.pcr_list[i])
++            continue;
++
++        bool result = pcr_reset_one(sapi_context, i);
++        if (!result) {
++            return false;
++        }
++    }
++
++    return true;
++}
++
++static bool on_arg(int argc, char** argv){
++    int i;
++    uint32_t pcr;
++
++    memset(ctx.pcr_list, 0, TPM2_MAX_PCRS);
++    
++    if (argc < 1) {
++        LOG_ERR("Expected at least one PCR index"
++                "ie: <pcr index>, got: 0");
++        return false;
++    }
++
++    for(i = 0; i < argc; i++){
++        if(!tpm2_util_string_to_uint32(argv[i], &pcr)){
++            LOG_ERR("Got invalid PCR Index: \"%s\"", argv[i]);
++            return false;
++        }
++
++        /*
++        * If any specified PCR index is greater than the last valid
++        * index supported in the spec, throw an error 
++        */
++        if(pcr > TPM2_MAX_PCRS - 1){
++            LOG_ERR("Got out of bound PCR Index: \"%s\"", argv[i]);
++            return false;
++        }
++
++        ctx.pcr_list[pcr] = 1;
++    }
++
++    return true;
++}
++
++bool tpm2_tool_onstart(tpm2_options **opts) {
++
++    *opts = tpm2_options_new(NULL, 0, NULL, NULL, on_arg, 0);
++
++    return *opts != NULL;
++}
++
++int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sapi_context, tpm2_option_flags flags) {
++
++    UNUSED(flags);
++
++    return pcr_reset(sapi_context) != true;
++}
++
+-- 
+2.21.0
+