swtpm_setup.conf - Configuration file for swtpm_setup
The file /etc/swtpm_setup.conf contains configuration
information for swtpm_setup. It must only contain one configuration keyword
per line, followed by an equals sign (=) and then followed by appropriate
configuration information. A comment at the end of the line may be
introduced by a hash (#) sign.
Users may write their own configuration into
${XDG_CONFIG_HOME}/swtpm_setup.conf or, if XDG_CONFIG_HOME is not set,
into ${HOME}/.config/swtpm_setup.conf.
The following keywords are recognized:
- create_certs_tool
- This keyword is to be followed by the name of an executable or executable
script used for creating various TPM certificates. The tool will be called
with the following options:
- --type type
- This parameter indicates the type of certificate to create. The type
parameter may be one of the following: ek or platform.
- --dir dir
- This parameter indicates the directory into which the certificate is to be
stored. It is expected that the EK certificate is stored in this directory
under the name ek.cert and the platform certificate under the name
platform.cert.
- --ek ek
- This parameter indicates the modulus of the public key of the endorsement
key (EK). The public key is provided as a sequence of ASCII hex
digits.
- --vmid ID
- This parameter indicates the ID of the VM for which to create the
certificate.
- --logfile <logfile>
- The log file to log output to; by default logging goes to stdout and
stderr on the console.
- --configfile <configuration file>
- The configuration file to use. This file typically contains configuration
information for the invoked program. If omitted, the program must use its
default configuration file.
- --optsfile <options file>
- The options file to use. This file typically contains options that the
invoked program uses. If omitted, the program must use its default options
file.
- --tpm-spec-family <family>, --tpm-spec-level <level>, --tpm-spec-revision <revision>
- These three options describe the TPM specification that was followed for the
implementation of the TPM and will be part of the EK certificate.
- --tpm2
- This option is passed in case a TPM 2 compliant certificate needs to be
created.
- create_certs_tool_config
- This keyword is to be followed by the name of a configuration file that
will be passed to the invoked program using the --configfile option
described above. If omitted, the invoked program will use the default
configuration file.
- create_certs_tool_options
- This keyword is to be followed by the name of an options file that will be
passed to the invoked program using the --optsfile option described above.
If omitted, the invoked program will use the default options file.
- active_pcr_banks (since v0.7)
- This keyword is to be followed by a comma-separated list of names of PCR
banks. The list must not contain any spaces. Valid PCR bank names are
sha1, sha256, sha384, and sha512.
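The following is an added example, not part of the swtpm project or this manual page: it parses a swtpm_setup.conf in the format described above (one keyword per line, "=" separator, trailing "#" comments), rejects unknown keywords and malformed active_pcr_banks values, and assembles the command line that would be passed to create_certs_tool using the options listed above. The sample file contents, the tool path and the two file names are constructed assumptions.

```python
KNOWN_KEYWORDS = {"create_certs_tool", "create_certs_tool_config",
                  "create_certs_tool_options", "active_pcr_banks"}
VALID_PCR_BANKS = {"sha1", "sha256", "sha384", "sha512"}

SAMPLE_CONF = """\
# constructed sample; the tool path and the file names are assumptions
create_certs_tool = /usr/local/bin/create-certs.sh   # executable or script
create_certs_tool_config = /etc/create-certs.conf
create_certs_tool_options = /etc/create-certs.options
active_pcr_banks = sha256,sha384
"""


def parse_swtpm_setup_conf(text):
    """One 'keyword = value' per line; a '#' introduces a trailing comment."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comment and whitespace
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'keyword = value'")
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in KNOWN_KEYWORDS:
            raise ValueError(f"line {lineno}: unknown keyword {key!r}")
        conf[key] = value  # a later line for the same keyword overrides
    banks = conf.get("active_pcr_banks")
    if banks is not None:
        if not banks or " " in banks:
            raise ValueError("active_pcr_banks must be a non-empty list without spaces")
        if set(banks.split(",")) - VALID_PCR_BANKS:
            raise ValueError(f"invalid PCR bank name in {banks!r}")
    return conf


def build_certs_tool_argv(conf, cert_type, certdir, ek_hex, vmid,
                          family, level, revision, tpm2):
    # Assemble the command line swtpm_setup would pass to create_certs_tool.
    if cert_type not in ("ek", "platform"):
        raise ValueError("--type must be 'ek' or 'platform'")
    if not ek_hex or not set(ek_hex) <= set("0123456789abcdefABCDEF"):
        raise ValueError("--ek expects the EK modulus as ASCII hex digits")
    argv = [conf["create_certs_tool"], "--type", cert_type, "--dir", certdir,
            "--ek", ek_hex, "--vmid", vmid, "--tpm-spec-family", family,
            "--tpm-spec-level", level, "--tpm-spec-revision", revision]
    for keyword, option in (("create_certs_tool_config", "--configfile"),
                            ("create_certs_tool_options", "--optsfile")):
        if keyword in conf:  # if omitted, the tool falls back to its default file
            argv += [option, conf[keyword]]
    if tpm2:
        argv.append("--tpm2")
    return argv
```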
Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>