tpm2_create(1) - create an object that can be loaded into a
TPM using tpm2_load. The object will need to be loaded before it may be
used.
tpm2_create(1) - create an object that can be loaded into a
TPM using tpm2_load. The object will need to be loaded before it may be
used.
These options for creating the tpm entity:
- •
- -H, –pparent=PARENT_HANDLE: The handle of the
parent object to create this object under.
- •
- -c, –context-parent=PARENT_CONTEXT_FILE: The
filename for parent context.
- •
- -P, –pwdp=PARENT_KEY_PASSWORD: The password
for parent key, optional. Passwords should follow the “password
formatting standards, see section”Password Formatting“.
- •
- -K, –pwdk=KEY_PASSWORD: The password for key,
optional. Follows the password formatting of the “password for
parent key” option: -P.
- •
- -g, –halg=ALGORITHM: The hash algorithm to
use. Algorithms should follow the " formatting standards, see section
“Algorithm Specifiers”. Also, see section “Supported
Hash Algorithms” for a list of supported hash algorithms.
- •
- -G, –kalg=KEY_ALGORITHM: The algorithm
associated with this object. It accepts friendly names just like -g
option. See section “Supported Public Object Algorithms” for
a list of supported object algorithms.
- •
- -A, –object-attributes=ATTRIBUTES: The object
attributes, optional. Object attribytes follow the specifications as
outlined in “object attribute specifiers”. The default for
created objects is:
TPMA_OBJECT_SIGN|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH
- •
- -I, –in-file=FILE: The data file to be sealed,
optional. If file is -, read from stdin. When sealing data only the
TPM_ALG_KEYEDHASH algorithm is allowed.
- •
- -L, –policy-file=POLICY_FILE: The input policy
file, optional.
- •
- -u, –pubfile=OUTPUT_PUBLIC_FILE: The output
file which contains the public portion of the created object,
optional.
- •
- -r, –privfile=OUTPUT_PRIVATE_FILE: The output
file which contains the sensitive portion of the object, optional.
- •
- -S, –input-session-handle=SESSION_HANDLE:
Optional Input session handle from a policy session for
authorization.
This collection of options are common to many programs and provide
information that many users may expect.
- •
- -h, –help: Display the tools manpage. This requires
the manpages to be installed or on MANPATH, See man(1) for more
details.
- •
- -v, –version: Display version information for this
tool, supported tctis and exit.
- •
- -V, –verbose: Increase the information that the tool
prints to the console during its execution. When using this option the
file and line number are printed.
- •
- -Q, –quiet: Silence normal tool output to
stdout.
- •
- -Z, –enable-errata: Enable the application of errata
fixups. Useful if an errata fixup needs to be applied to commands sent to
the TPM. # TCTI ENVIRONMENT
This collection of environment variables that may be used to
configure the various TCTI modules available.
The values passed through these variables can be overridden on a
per-command basis using the available command line options, see the
TCTI_OPTIONS section.
The variables respected depend on how the software was
configured.
- •
- TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with
the next component down the TSS stack. In most configurations this will be
the TPM but it could be a simulator or proxy. The current known TCTIs
are:
- •
- tabrmd - The new resource manager, called tabrmd
(https://github.com/01org/tpm2-abrmd).
- •
- socket - Typically used with the old resource manager, or talking directly
to a simulator.
- •
- device - Used when talking directly to a TPM device file.
- •
- TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM
device file. The default is “/dev/tpm0”.
Note: Using the tpm directly requires the users to ensure that
concurrent access does not occur and that they manage the tpm resources.
These tasks are usually managed by a resource manager. Linux 4.12 and
greater supports an in kernel resource manager at
“/dev/tpmrm”, typically
“/dev/tpmrm0”.
- •
- TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the
domain name or IP address used. The default is 127.0.0.1.
- •
- TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port
number used. The default is 2321.
This collection of options are used to configure the varous TCTI
modules available. They override any environment variables.
- •
- -T,
–tcti=TCTI_NAME[:TCTI_OPTIONS]:
Select the TCTI used for communication with the next component down the
TSS stack. In most configurations this will be the resource manager:
tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
options can appended to TCTI_NAME by appending a : to
TCTI_NAME.
- •
- For the device TCTI, the TPM device file for use by the device TCTI can be
specified. The default is /dev/tpm0. Example: -T
device:/dev/tpm0
- •
- For the socket TCTI, the domain name or IP address and port number used by
the socket can be specified. The default are 127.0.0.1 and 2321. Example:
-T socket:127.0.0.1:2321
- •
- For the abrmd TCTI, it takes no options. Example: -T abrmd
Passwords are interpreted in two forms, string and hex-string. A
string password is not interpreted, and is directly used for authorization.
A hex-string, is converted from a hexidecimal form into a byte array form,
thus allowing passwords with non-printable and/or terminal un-friendly
characters.
By default passwords are assumed to be in the string form.
Password form is specified with special prefix values, they are:
- •
- str: - Used to indicate it is a raw string. Useful for escaping a password
that starts with the “hex:” prefix.
- •
- hex: - Used when specifying a password in hex string format.
Supported hash algorithms are:
- •
- 0x4 or sha1 for TPM_ALG_SHA1 (default)
- •
- 0xB or sha256 for TPM_ALG_SHA256
- •
- 0xC or sha384 for TPM_ALG_SHA384
- •
- 0xD or sha512 for TPM_ALG_SHA512
- •
- 0x12 or sm3_256 for TPM_ALG_SM3_256
NOTE: Your TPM may not support all algorithms.
Supported public object algorithms are:
- •
- 0x1 or rsa for TPM_ALG_RSA (default).
- •
- 0x8 or keyedhash for TPM_ALG_KEYEDHASH.
- •
- 0x23 or ecc for TPM_ALG_ECC.
- •
- 0x25 or symcipher for TPM_ALG_SYMCIPHER.
NOTE: Your TPM may not support all algorithms.
Options that take algorithms support “nice-names”.
Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. The
nice names are converted by stripping the leading TPM_ALG_ from the
Algorithm Name field and converting it to lower case. For instance
TPM_ALG_SHA3_256 becomes sha3_256.
The algorithms can be found at:
<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
Object Attributes are used to control various properties of
created objects. When specified as an option, either the raw bitfield mask
or “nice-names” may be used. The values can be found in Table
31 Part 2 of the TPM2.0 specification, which can be found here:
<https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>
Nice names are calculated by taking the name field of table 31 and
removing the prefix TPMA_OBJECT_ and lowercasing the result. Thus,
TPMA_OBJECT_FIXEDTPM becomes fixedtpm. Nice names can be joined using
the bitwise or “|” symbol.
For instance, to set The fields TPMA_OBJECT_FIXEDTPM,
TPMA_OBJECT_NODA, and TPMA_OBJECT_SIGN, the argument would
be:
fixedtpm|noda|sign
-
tpm2_create -H 0x81010001 -P abc123 -K def456 -g sha256 -G keyedhash-I data.File -o opu.File
tpm2_create -c parent.context -P abc123 -K def456 -g sha256 -G keyedhash -I data.File -o opu.File
tpm2_create -H 0x81010001 -P 123abc -K 456def -X -g sha256 -G keyedhash -I data.File -o opu.File
0 on success or 1 on failure.
Github Issues (https://github.com/01org/tpm2-tools/issues)
See the Mailing List
(https://lists.01.org/mailman/listinfo/tpm2)