forked from tpm2-software/tpm2-tools
-
Notifications
You must be signed in to change notification settings - Fork 0
/
manual
866 lines (742 loc) · 40.6 KB
/
manual
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
tpm2.0-tools Manual
===================
1. Common steps before running any tools from tpm2.0-tools
First of all, clone TPM2.0-TSS and follow the build process to install it.
Then follow below steps for tpm2.0-tools.
Build:
$ ./bootstrap
$ ./configure
$ make
Install:
$ sudo make install
Launch resourcemgr daemon:
$ resourcemgr
or
$ resourcemgr -sim -tpmhost <ip>
The resourcemgr can connect to either physical tpm or remote MS/IBM simulator,
refer to the help of resourcemgr for details.
2. running tools
All tool executables are built under ./tools/. So once resourcemgr is up:
$ cd ./tools
$ ./tpm2_xxx -x...
Or if the tools are installed:
$ tpm2_xxx -x...
3. tool usages
common options
This collection of options are common to many programs and provide information that many users may expect.
-h, --help Display a manual describing the tool and its usage.
-v, --version Display version information for this tool.
-V, --verbose Increase the information that the tool prints to the console during its execution.
tcti options (depends on configure time options for tcti's.)
This collection of options are used to configure the varous TCTI modules available.
-T, --tcti Select the TCTI used for communication with the next component down the TSS stack.
In most configurations this will be the TPM but it could be a simulator or proxy.
Supported TCTIs are or “device” or “socket” .
-d, --device-file Specify the TPM device file for use by the device TCTI. The default is /dev/tpm0.
-R, --socket-address Specify the domain name or IP address used by the socket TCTI. The default is 127.0.0.1.
-p, --socket-port Specify the port number used by the socket TCTI. The default is 2321.
Subset 1: NV tools
------------------
* tpm2_nvdefine
Define NV index with given auth value, if passwd not given, assume NULL
Usage:
tpm2_nvdefine [-x/--index <nvIdx>] [-a/--authHandle <hexHandle>]
[-s/--size <size>] [-t/--attribute <attributeDWord>]
[-P/--handlePasswd <string>] [-I/--indexPasswd <string>]
[-X/--passwdInHex]
where:
-x/--index <nvIdx> specifies the index of the NV area.
-a/--authHandle <hexHandle> specifies the handle used to authorize:
0x40000001 (TPM_RH_OWNER)
0x4000000C (TPM_RH_PLATFORM)
-s/--size <size> specifies the size of data area.
-t/--attribute <attributeDWord> specifies the value of attribute in
publicInfo struct (need calculate outside).
-P/--handlePasswd <string> specifies the password of authHandle.
-I/--indexPasswd <string> specifies the password of NV Index when
created.
-X/--passwdInHex passwords given by any options are hex format
example:
tpm2_nvdefine -x 0x1500016 -a 0x40000001 -s 32 -t 0x2000A
tpm2_nvdefine -x 0x1500016 -a 0x40000001 -s 32 -t 0x2000A -I 1a1b1c -X
* tpm2_nvrelease
release NV index, if any passwd option is missing, assume NULL.
Usage:
tpm2_nvrelease [-x/--index <nvIdx>] [-a/--authHandle <hexHandle>]
[-P/--handlePasswd <string>]
[-X/--passwdInHex]
where:
-x/--index <nvIdx> specifies the index of the NV area.
-a/--authHandle <hexHandle> specifies the handle used to authorize:
0x40000001 (TPM_RH_OWNER)
0x4000000C (TPM_RH_PLATFORM)
-P/--handlePasswd <string> specifies the password of authHandle.
-X/--passwdInHex passwords given by any options are hex format
example:
tpm2_nvrelease -x 0x1500016 -a 0x40000001 -P passwd
tpm2_nvrelease -x 0x1500016 -a 0x40000001 -P 1a1b1c -X
* tpm2_nvread
read content from NV index, if any passwd option is missing, assume NULL.
Usage:
tpm2_nvread [-x/--index <nvIdx>] [-a/--authHandle <hexHandle>]
[-P/--handlePasswd <string>] [-s/--size <size>]
[-o/--offset <offset>]
[-X/--passwdInHex]
where:
-x/--index <nvIdx> specifies the index of the NV area.
-a/--authHandle <hexHandle> specifies the handle used to authorize:
0x40000001 (TPM_RH_OWNER)
0x4000000C (TPM_RH_PLATFORM)
{NV_INDEX_FIRST:NV_INDEX_LAST}
-P/--handlePasswd <string> specifies the password of authHandle.
-s/--size <size> specifies the number of octets to read.
-o/--offset <offset> specifies octet offset into the area
This value shall be less than or equal to the
size of the nvIndex data.
-X/--passwdInHex passwords given by any options are hex format
example:
tpm2_nvread -x 0x1500016 -a 0x40000001 -P passwd -s 32 -o 0
tpm2_nvread -x 0x1500016 -a 0x40000001 -P 1a1b1c -s 32 -o 0 -X
* tpm2_nvreadlock
lock the NV index for further reads until the machine is restarted
Usage:
tpm2_nvreadlock [-x/--index <nvIdx>] [-a/--authHandle <hexHandle>]
[-P/--handlePasswd <string>]
[-X/--passwdInHex]
where:
-x/--index <nvIdx> specifies the index of the NV area.
-a/--authHandle <hexHandle> specifies the handle used to authorize:
0x40000001 (TPM_RH_OWNER)
0x4000000C (TPM_RH_PLATFORM)
{NV_INDEX_FIRST:NV_INDEX_LAST}
-P/--handlePasswd <string> specifies the password of authHandle.
-X/--passwdInHex passwords given by any options are hex format
example:
tpm2_nvreadlock -x 0x1500016 -a 0x40000001 -P passwd
tpm2_nvreadlock -x 0x1500016 -a 0x40000001 -P 1a1b1c -X
* tpm2_nvwrite
write content from a file to a specified index, if any passwd option is
missing, assume NULL.
Usage:
tpm2_nvwrite [-x/--index <nvIdx>] [-a/--authHandle <hexHandle>]
[-P/--handlePasswd <string>] [-f/--file <filename>]
[-X/--passwdInHex]
where:
-x/--index <nvIdx> specifies the index of the NV area.
-a/--authHandle <hexHandle> specifies the handle used to authorize:
0x40000001 (TPM_RH_OWNER)
0x4000000C (TPM_RH_PLATFORM)
{NV_INDEX_FIRST:NV_INDEX_LAST}
-P/--handlePasswd <string> specifies the password of authHandle.
-f/--file <filename> specifies the nv data file.
-X/--passwdInHex passwords given by any options are hex format
example:
tpm2_nvwrite -x 0x1500016 -a 0x40000001 -P passwd -f nv.data
tpm2_nvwrite -x 0x1500016 -a 0x40000001 -P 1a1b1c -X -f nv.data
* tpm2_nvlist
display all defined NV indices.
Usage:
tpm2_nvlist
example:
tpm2_nvlist
Subset 2: Attestation tools
---------------------------
* tpm2_takeownership
Inserting authorization values for the ownerAuth, endorsementAuth, and
lockoutAuth, if any passwd option is missing, assume NULL.
Usage:
tpm2_takeownership [-e/--endorsePasswd <password>]
[-o/--ownerPasswd <password>]
[-l/--lockPasswd <password>]
[-E/--oldEndorsePasswd <password>]
[-O/--oldOwnerPasswd <password>]
[-L/--oldLockPasswd <password>]
[-X/--passwdInHex]
where:
-o/--ownerPasswd <password> new Owner authorization value (string,
optional, default:NULL).
-e/--endorsePasswd <password> new Endorsement authorization value (string,
optional, default:NULL).
-l/--lockPasswd <password> new Lockout authorization value (string,
optional, default:NULL).
-O/--oldOwnerPasswd <password> old Owner authorization (string, optional,
default:NULL).
-E/--oldEndorsePasswd <password> old Endorsement authorization (string,
optional, default:NULL).
-L/--oldLockPasswd <password> old Lockout authorization (string, optional,
default:NULL).
-X/--passwdInHex passwords given by any options are hex format
-c/--clear [-L <password> [-X]] clears the 3 authorizations values with
lockout auth.
example:
Set ownerAuth, endorsementAuth and lockoutAuth to emptyAuth:
tpm2_takeownership -c -L old
Set ownerAuth, endorsementAuth and lockoutAuth to a newAuth:
tpm2_takeownership -o new -e new -l new -O old -E old -L old
tpm2_takeownership -o 2a2b2c -e 2a2b2c -l 2a2b2c -O 1a1b1c -E 1a1b1c -L 1a1b1c -X
* tpm2_getpubek
Generate TCG profile compliant endorsement key(endorsement hierarchy primary
object), make it persistent with give ek handle, and return public EK, if any
passwd option is missing, assume NULL, default type/alg is 0x1(RSA)
Refer to:
http://www.trustedcomputinggroup.org/files/static_page_files/7CAA5687-1A4B-B294-D04080D058E86C5F/Credential_Profile_EK_V2.0_R14_published.pdf
Usage:
tpm2_getpubek [-e/--endorsePasswd <password>] [-o/--ownerPasswd <password>]
[-P/--ekPasswd <password>] [-H/--handle <hexHandle>]
[-g/--alg <hexAlg>] [-f/--file <outputFile>]
[-X/--passwdInHex]
where:
-e/--endorsePasswd <password> specifies current endorse password (string,
optional, default:NULL).
-o/--ownerPasswd <password> specifies current owner password (string,
optional, default:NULL).
-P/--ekPasswd <password> specifies the EK password when created
(string, optional, default:NULL).
-H/--handle <hexHandle> specifies the handle used to make EK
persistent (hex).
-g/--alg <hexAlg> specifies the algorithm type of EK
(default:0x01/TPM_ALG_RSA).
TPM_ALG_RSA 0x0001
TPM_ALG_KEYEDHASH 0x0008
TPM_ALG_ECC 0x0023
TPM_ALG_SYMCIPHER 0x0025
-f/--file <outputFile> specifies the file used to save the public
portion of EK.
-X/--passwdInHex passwords given by any options are hex format
example:
tpm2_getpubek -e abc123 -o abc123 -P passwd -H 0x81010001 -g 0x01 -f ek.pub
tpm2_getpubek -e 1a1b1c -o 1a1b1c -P 123abc -X -H 0x81010001 -g 0x01 -f ek.pub
* tpm2_getmanufec
Retrieve the Endorsement Credential Certificate for the TPM endorsement key from the TPM manufacturer's endorsement certificate hosting server
Usage:
tpm2_getmanufec [-e/--endorsePasswd <password>] [-o/--ownerPasswd <password>]
[-P/--ekPasswd <password>] [-H/--handle <hexHandle>]
[-g/--alg <hexAlg>] [-f/--file <outputFile>]
[-S/--EKserverAddr <EKserverAddr>]
[-E/--ECcertFile <ECcertFile>]
[-X/--passwdInHex]
where:
-e/--endorsePasswd <password> specifies current endorse password (string,
optional,default:NULL).
-o/--ownerPasswd <password> specifies current owner password (string,
optional,default:NULL).
-P/--ekPasswd <password> specifies the EK password when created
(string,optional,default:NULL).
-H/--handle <hexHandle> specifies the handle used to make EK
persistent (hex).
-g/--alg <hexAlg> specifies the algorithm type of EK
(default:0x01/TPM_ALG_RSA).
-f/--file <outputFile> specifies the file used to save the public
portion of EK.
-N/--NonPersistent specifies to readout the EK public without
making it persistent
-O/--OfflineProv specifies that the file specifier from '-f'
is an EK retrieved from offline platform
that needs to be provisioned
-E/--ECcertFile <ECcertFile> specifies the file used to save the
Endorsement Credentials retrieved from
the TPM manufacturer provisioning server
-S/--EKserverAddr <EKserverAddr> specifies to attempt retrieving the
Endorsement Credentials from the specified
TPM manufacturer provisioning server
-U/--SSL_NO_VERIFY specifies to attempt connecting with the
TPM manufacturer provisioning server with
SSL_NO_VERIFY option
-X/--passwdInHex passwords given by any options are hex
format
example:
tpm2_getmanufec -e abc123 -o abc123 -P passwd -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin -S https://tpm.manufacturer.com/ekcertserver/
tpm2_getmanufec -e 1a1b1c -o 1a1b1c -P 123abc -X -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin -S https://tpm.manufacturer.com/ekcertserver/
* tpm2_getpubak
Generate attestation key with given algorithm under endorsement hierarchy,
make it persistent with given ak handle, and return pub AK and AK name,
if any passwd option is missing, assume NULL, default type/alg is 0x1(RSA),
default digestAlg is 0xb(SHA256), default signAlg is 0x14(RSASSA) for RSA,
0x18(ECDSA) for ECC
Usage:
tpm2_getpubak [-e/--endorsePasswd <password>] [-P/--akPasswd <password>]
[-o/--ownerPasswd <password>] [-E/--ekHandle <hexHandle>]
[-k/--akHandle <hexHandle>] [-g/--alg <hexAlg>]
[-D/--digestAlg <hexAlg>] [-s/--signAlg <hexAlg>]
[-f/--file <outputFile>] [-n/--akName <aknameFile>]
[-X/--passwdInHex]
where:
-e/--endorsePasswd <password> specifies current endorsement password
(string,optional,default:NULL).
-P/--akPasswd <password> specifies the AK password when created
(string,optional,default:NULL).
-o/--ownerPasswd <password> specifies current owner password
(string,optional,default:NULL).
-E/--ekHandle <hexHandle> specifies the handle of EK (hex).
-k/--akHandle <hexHandle> specifies the handle used to make AK
persistent (hex).
-g/--alg <hexAlg> specifies the algorithm type of AK
(default:0x01/TPM_ALG_RSA):
TPM_ALG_RSA 0x0001
TPM_ALG_KEYEDHASH 0x0008
TPM_ALG_ECC 0x0023
-D/--digestAlg <hexAlg> specifies the algorithm of digest.
0x0004 TPM_ALG_SHA1
0x000B TPM_ALG_SHA256
0x000C TPM_ALG_SHA384
0x000D TPM_ALG_SHA512
0x0012 TPM_ALG_SM3_256
-s/--signAlg <hexAlg> specifies the algorithm of sign.
0x0005 TPM_ALG_HMAC
0x0014 TPM_ALG_RSASSA
0x0016 TPM_ALG_RSAPSS
0x0018 TPM_ALG_ECDSA
0x001A TPM_ALG_ECDAA
0x001B TPM_ALG_SM2
0x001C TPM_ALG_ECSCHNORR
-f/--file <outputFile> specifies the file used to save the public
portion of AK.
-n/--akName <aknameFile> specifies the file used to save the ak name.
-X/--passwdInHex passwords given by any options are hex format.
example:
tpm2_getpubak -e abc123 -P abc123 -o passwd -E 0x81010001 -k 0x81010002 -f ./ak.pub -n ./ak.name
tpm2_getpubak -e 1a1b1c -P 123abc -o 1a1b1c -X -E 0x81010001 -k 0x81010002 -f ./ak.pub -n ./ak.name
* tpm2_akparse
parse the algorithm and key values in TPM2B_PUBLIC struct which input via
file inputFile, and output the key into file akKeyFile.
Usage:
tpm2_akparse [-f inputFile][-k akKeyFile]
where:
-f Specifies the file used to be parsed.
-k Specifies the file used to save ak key.
example:
tpm2_akparse -f ./ak.data -k ./ak.key
* tpm2_makecredential
Use the given tpm public key to protect the given secret which are used to
encrypt the AK cert.
Usage:
-e, --encKey <keyFile> A tpm Public Key which was used to wrap the seed
-s, --sec <secFile> The secret which will be protected by the key
derived from the random seed
-n, --name <hexString> The name of the key for which certificate is to be
created
-o, --outFile<filePath> output file path, recording the two structures
output by tpm2_makecredential function
example:
tpm2_makecredential -e <keyFile> -s <secFile> -n <hexString> -o <outFile>
* tpm2_activatecredential
Verify that the given content is protected with given keyHandle for given
handle, and then decrypt and return the secret, if any passwd option is
missing, assume NULL. Currently only support using TCG profile compliant EK as
the keyHandle.
Usage:
-H, --handle <hexHandle> Handle of the object associated with the created
certificate by CA
-c, --context <filename> filename for handle context
-k, --keyHandle <hexHandle> Loaded key used to decrypt the the random seed
-C, --keyContext <filename> filename for keyHandle context
-P, --Password <string> the handle's password, optional
-e, --endorsePasswd <string> the endorsement password, optional
-f, --inFile <filePath> Input file path, containing the two structures
needed by tpm2_activatecredential function
-o, --outFile <filePath> Output file path, record the secret to decrypt
the certificate
-X, --passwdInHex passwords given by any options are hex format.
example:
tpm2_activatecredential -H 0x81010002 -k 0x81010001 -P abc123 -e abc123 -f <filePath> -o <filePath>
tpm2_activatecredential -c ak.context -C ek.context -P abc123 -e abc123 -f <filePath> -o <filePath>
tpm2_activatecredential -H 0x81010002 -k 0x81010001 -P 123abc -e 1a1b1c -X -f <filePath> -o <filePath>
* tpm2_listpcrs
display all PCR values in given algorithm with -g, display given PCR values
in given algorithms with -L, or if no algorithm is given, output all algs.
Output file just contains all returned PCR values in binary format and in
0~23 order and in the requested order if multiple algs were requested. Assume
the caller know the pcr value length corresponding to the given bank/algorithm.
Usage:
-g, --algorithim <hexAlg> The algorithm id, optional
0x0004 TPM_ALG_SHA1
0x000B TPM_ALG_SHA256
0x000C TPM_ALG_SHA384
0x000D TPM_ALG_SHA512
0x0012 TPM_ALG_SM3_256
-o, --output <filename> The file to hold the PCR values in binary
format, optional
-L, --selList <hexAlg1:num1,...,numN+hexAlg2:num2_1,...,num2_M+...>
The list of pcr banks and selected PCRs' ids
(0~23) for each bank
-s, --algs Show the supported algs in the PCR banks
example:
display all PCR values:
tpm2_listpcrs
display the PCR values with specified bank:
tpm2_listpcrs -g 0x04
display the PCR values with specified banks and store in a file:
tpm2_listpcrs -L 0x04:16,17,18+0x0b:16,17,18 -o pcrs
display the supported algs in the PCR banks:
tpm2_listpcrs -s
* tpm2_quote
Provide quote and signature for given list of PCRs in given algorithm/banks.
Usage:
-k, --akHandle <hexHandle> Handle of existing AK
-c, --akContext <filename> filename for the existing AK's context
-P, --akPassword <akPassword> AK handle's Password
-l, --idList <num1,...,numN> The list of selected PCRs' ids, 0~23
-g, --algorithm <hexAlg> The algorithm id
-L, --selList <hexAlg1:num1,...,numN+hexAlg2:num2_1,...,num2_M+...>
The list of pcr banks and selected PCRs' ids
(0~23) for each bank
-o, --outFile<filePath> output file path, recording the two structures
output by tpm2_quote function
-X, --passwdInHex passwords given by any options are hex format.
-q, --qualifyData <hexData> Data given as a Hex string to qualify the
quote, optional.
Note:
-L option & -g/-l options are mutually exclusive. -g/-l can be used to specify
PCRs in one bank, and -L can be used to specify PCRs in any number of existing
banks.
example:
tpm2_quote -k 0x81010002 -P abc123 -g 0x4 -l 16,17,18 -o outFile001
tpm2_quote -c ak.context -P abc123 -g 0x4 -l 16,17,18 -o outFile001
tpm2_quote -k 0x81010002 -g 0x4 -l 16,17,18 -o outFile001
tpm2_quote -c ak.context -g 0x4 -l 16,17,18 -o outFile001
tpm2_quote -k 0x81010002 -P 123abc -X -L 0x4:16,17,18+0xb:16,17,18 -o outFile001 -q 11aa22bb
* tpm2_listpersistent
display all defined persistent objects.
Usage:
tpm2_listpersistent
example:
tpm2_listpersistent
Subset 3: Key management tools
------------------------------
* tpm2_createprimary
create a Primary Object under one of the Primary Seeds or a Temporary Object
under TPM_RH_NULL.
Usage:
-A, --auth <o | p |...> the authorization used to authorize thecommands
o TPM_RH_OWNER
p TPM_RH_PLATFORM
e TPM_RH_ENDORSEMENT
n TPM_RH_NULL
-P, --pwdp <string> password for hierarchy, optional
-K, --pwdk <string> password for key, optional
-g, --halg <sha1,...> algorithm used for computing the Name of the object
0x0004 TPM_ALG_SHA1
0x000B TPM_ALG_SHA256
0x000C TPM_ALG_SHA384
0x000D TPM_ALG_SHA512
0x0012 TPM_ALG_SM3_256
-G, --kalg <rsa,...> algorithm associated with this object
0x0001 TPM_ALG_RSA
0x0008 TPM_ALG_KEYEDHASH
0x0023 TPM_ALG_ECC
0x0025 TPM_ALG_SYMCIPHER
-C, --context <filename> The file to save the object context, optional
-X, --passwdInHex passwords given by any options are hex format.
example:
tpm2_createprimary -A e -P abc123 -K def456 -g 0x000B -G 0x0008
tpm2_createprimary -A e -P abc123 -K def456 -g 0x000B -G 0x0008 -C ek.context
tpm2_createprimary -A e -P 1a2b3c -K 456def -X -g 0x000B -G 0x0008
* tpm2_create
create an object that can be loaded into a TPM using tpm2_load. The object
will need to be loaded before it may be used.
Usage:
-H, --parent <handle> parent handle
-c, --contextParent <filename> filename for parent context
-P, --pwdp <string> password for parent key, optional
-K, --pwdk <string> password for key, optional
-g, --halg <hexAlg> algorithm used for computing the Name of the
object
0x0004 TPM_ALG_SHA1
0x000B TPM_ALG_SHA256
0x000C TPM_ALG_SHA384
0x000D TPM_ALG_SHA512
0x0012 TPM_ALG_SM3_256
-G, --kalg <hexAlg> algorithm associated with this object
0x0001 TPM_ALG_RSA
0x0008 TPM_ALG_KEYEDHASH
0x0023 TPM_ALG_ECC
0x0025 TPM_ALG_SYMCIPHER
-A, --objectAttribute <hexDWord> object attributes, optional
-I, --inFile <dataFileToBeSealed> data file to be sealed, optional
-L, --pol <policyFile> the input policy file, optional
-o, --opu <publicKeyFileName> the output file which contains the public key,
optional
-O, --opr <privateKeyFileName> the output file which contains the private key,
optional
-X, --passwdInHex passwords given by any options are hex format.
example:
tpm2_create -H 0x81010001 -P abc123 -K def456 -g 0x000B -G 0x0008 -I data.File -o opu.File
tpm2_create -c parent.context -P abc123 -K def456 -g 0x000B -G 0x0008 -I data.File -o opu.File
tpm2_create -H 0x81010001 -P 123abc -K 456def -X -g 0x000B -G 0x0008 -I data.File -o opu.File
* tpm2_evictcontrol
allows a transient object to be made persistent or a persistent object to
be evicted.
Usage:
-A, --auth <o | p> the authorization used to authorize the
commands
o TPM_RH_OWNER
p TPM_RH_PLATFORM
-H, --handle <objectHandle> the handle of a loaded object
-c, --context <filename> filename for object context
-S, --persistent <persistentHandle> the persistent handle for objectHandle
-P, --pwda <authorizationPassword> authrization password, optional
-X, --passwdInHex passwords given by any options are hex
format.
example:
tpm2_evictcontrol -A o -c object.context -S 0x81010002 -P abc123
tpm2_evictcontrol -A o -H 0x81010002 -S 0x81010002 -P abc123
tpm2_evictcontrol -A o -H 0x81010002 -S 0x81010002 -P 123abc -X
* tpm2_load
load objects into the TPM, both pub/priv portion are needed.
Usage:
-H, --parent <parentHandle> parent handle
-c, --contextParent <filename> filename for parent context
-P, --pwdp <parentKeyPassword> parent key password, optional
-u, --pubfile <publicKeyFileName> The public portion of the object
-r, --privfile <privateKeyFileName> The sensitive portion of the object
-n, --name <outPutFilename> Output file name, containing the name
structure
-C, --context <filename> The file to save the object context,
optional
-X, --passwdInHex passwords given by any options are hex
format.
example:
tpm2_load -H 0x80000000 -P abc123 -u <pubKeyFileName> -r <privKeyFileName> -n <outPutFileName>
tpm2_load -c parent.context -P abc123 -u <pubKeyFileName> -r <privKeyFileName> -n <outPutFileName> -C object.context
tpm2_load -H 0x80000000 -P 123abc -X -u <pubKeyFileName> -r <privKeyFileName> -n <outPutFileName>
* tpm2_loadexternal
load an object that is not a Protected Object into the TPM. The command allows
loading of a public area or both a public and a sensitive area.
Usage:
-H, --hierarchy <e|o|p|n> Hierarchy with which the object area is
associated
e TPM_RH_ENDORSEMENT
o TPM_RH_OWNER
p TPM_RH_PLATFORM
n TPM_RH_NULL
-u, --pubfile <publicKeyFileName> The public portion of the object
-r, --privfile <privateKeyFileName> The sensitive portion of the object,
optional
-C, --context <filename> The file to save the object context,
optional
example:
Load a public area generated by tpm2_create, tpm2_readpublic or manually
tpm2_loadexternal -H <e|o|p|n> -u <pubKeyFileName> -C object.context
Load a key with sensitive area. Both the public & the senstive areas shall
be generated externally. *DON'T* use the areas generated by tpm2_create.
tpm2_loadexternal -H n -u <pubKeyFileName> -r <privKeyFileName> -C object.context
Subset 4: Encryption tools
--------------------------
* tpm2_encryptdecrypt
performs symmetric encryption or decryption. keyHandle shall reference a
symmetric cipher object.
Usage:
-k, --keyHandle<hexHandle> the symmetric key used for the operation
(encryption/decryption)
-c, --keyContext <filename> filename of the key context used for the
operation
-P, --pwdk <password> the password of key, optional
-D, --decrypt <YES | NO> the operation type, default NO, optional
YES the operation is decryption
NO the operation is encryption
-I, --inFile <filePath> Input file path, containing the data to be
operated
-o, --outFile <filePath> Output file path, record the operated data
-X, --passwdInHex passwords given by any options are hex format.
example:
tpm2_encryptdecrypt -k 0x81010001 -P abc123 -D NO -I <filePath> -o <filePath>
tpm2_encryptdecrypt -c key.context -P abc123 -D NO -I <filePath> -o <filePath>
tpm2_encryptdecrypt -k 0x81010001 -P 123abca -X -D NO -I <filePath> -o <filePath>
* tpm2_rsaencrypt
performs RSA encryption using the indicated padding scheme according to
IETF RFC 3447. The scheme of keyHandle should not be TPM_ALG_NULL. The key
referenced by keyHandle is required to be an RSA key (TPM_RC_KEY) with the
decrypt attribute SET (TPM_RC_ATTRIBUTES).
Usage:
-k, --keyHandle <hexHandle> the public portion of RSA key to use for
encryption
-c, --keyContext <filename> filename of the key context used for the operation
-I, --inFile <filePath> Input file path, containing the data to be
encrypted
-o, --outFile <filePath> Output file path, record the encrypted data
example:
tpm2_rsaencrypt -k 0x81010001 -I <filePath> -o <filePath>
tpm2_rsaencrypt -c key.context -I <filePath> -o <filePath>
* tpm2_rsadecrypt
performs RSA decryption using the indicated padding scheme according to
IETF RFC 3447 (PKCS#1). The scheme of keyHandle should not be TPM_ALG_NULL.
The key referenced by keyHandle is required to be an RSA key (TPM_RC_KEY)
with the decrypt attribute SET (TPM_RC_ATTRIBUTES).
Usage:
-k, --keyHandle<hexHandle> the public portion of RSA key to use for
decryption
-c, --keyContext <filename> filename of the key context used for the operation
-P, --pwdk <password> the password of key, optional
-I, --inFile <filePath> Input file path, containing the data to be
decrypted
-o, --outFile <filePath> Output file path, record the decrypted data
-X, --passwdInHex passwords given by any options are hex format.
example:
tpm2_rsadecrypt -k 0x81010001 -I <filePath> -o <filePath>
tpm2_rsadecrypt -k 0x81010001 -P 123abc -X -I <filePath> -o <filePath>
* tpm2_unseal
returns the data in a loaded Sealed Data Object.
Usage:
-H, --item <itemHandle> item handle, handle of a loaded data object
-c, --itemContext <filename> filename for item context
-P, --pwdi <itemPassword> item handle password, optional
-o, --outfile <outPutFilename> Output file name, containing the unsealed data
-X, --passwdInHex passwords given by any options are hex format.
example:
tpm2_unseal -H 0x81010001 -P abc123 -o <outPutFileName>
tpm2_unseal -c item.context -P abc123 -o <outPutFileName>
tpm2_unseal -H 0x81010001 -P 123abc -X -o <outPutFileName>
Subset 5: Signing tools
-----------------------
* tpm2_sign
sign an externally provided hash with the specified symmetric or asymmetric
signing key. If keyHandle references a restricted signing key, then validation
shall be provided, indicating that the TPM performed the hash of the data and
validation shall indicate that hashed data did not start with
TPM_GENERATED_VALUE. The scheme of keyHandle should not be TPM_ALG_NULL.
Usage:
-k, --keyHandle<hexHandle> Handle of key that will perform signing
-c, --keyContext <filename> filename of the key context used for the operation
-P, --pwdk <password> the password of key, optional
-g, --halg <hexAlg> the hash algorithm used to digest the message
0x0004 TPM_ALG_SHA1
0x000B TPM_ALG_SHA256
0x000C TPM_ALG_SHA384
0x000D TPM_ALG_SHA512
0x0012 TPM_ALG_SM3_256
-m, --msg <filePath> the message file, containning the content to be
digested
-t, --ticket <filePath> the ticket file, containning the validation
structure, optional
-s, --sig <filePath> the signature file, record the signature structure
-X, --passwdInHex passwords given by any options are hex format.
example:
tpm2_sign -k 0x81010001 -P abc123 -g 0x000B -m <filePath> -s <filePath> -t <filePath>
tpm2_sign -c key.context - abc123 -g 0x000B -m <filePath> -s <filePath> -t <filePath>
tpm2_sign -k 0x81010001 -P 123abc -X -g 0x000B -m <filePath> -s <filePath> -t <filePath>
* tpm2_verifysignature
uses loaded keys to validate a signature on a message with the message digest
passed to the TPM. If the signature check succeeds, then the TPM will produce
a TPMT_TK_VERIFIED. Otherwise, the TPM shall return TPM_RC_SIGNATURE. If
keyHandle references an asymmetric key, only the public portion of the key
needs to be loaded. If keyHandle references a symmetric key, both the public
and private portions need to be loaded.
Usage:
-k, --keyHandle<hexHandle> handle of public key that will be used in the
validation
-c, --keyContext <filename> filename of the key context used for the operation
-g, --halg <hexAlg> the hash algorithm used to digest the message
0x0004 TPM_ALG_SHA1
0x000B TPM_ALG_SHA256
0x000C TPM_ALG_SHA384
0x000D TPM_ALG_SHA512
0x0012 TPM_ALG_SM3_256
-m, --msg <filePath> the input message file, containning the content
to be digested
-D, --digest <filePath> the input hash file, containning the hash of the
message. If this argument been chosed, the
argument '-m(--msg)' and '-g(--halg)' is no need
-s, --sig <filePath> the input signature file, containning the
signature to be tested
-r, --raw set the input signature file to raw type, default
TPMT_SIGNATURE, optional
-t, --ticket <filePath> the ticket file, record the validation structure
example:
tpm2_verifysignature -k 0x81010001 -g 0x000B -m <filePath> -s <filePath> -t <filePath>
tpm2_verifysignature -k 0x81010001 -D <filePath> -s <filePath> -t <filePath>
tpm2_verifysignature -c key.context -g 0x000B -m <filePath> -s <filePath> -t <filePath>
* tpm2_certify
prove that an object with a specific Name is loaded in the TPM. By certifying
that the object is loaded, the TPM warrants that a public area with a given
Name is self-consistent and associated with a valid sensitive area. If a
relying party has a public area that has the same Name as a Name certified
with this command, then the values in that public area are correct. The object
may be any object that is loaded with TPM2_Load() or TPM2_CreatePrimary().
An object that only has its public area loaded cannot be certified.
Usage:
-H, --objHandle <hexHandle> handle of the object to be certified
-C, --objContext <filename> filename of the object context to be certified
-k, --keyHandle <hexHandle> handle of the key used to sign the attestation
structure
-c, --keyContext <filename> filename of the key context used to sign the
attestation structure
-P, --pwdo <string> the object handle's password, optional
-K, --pwdk <string> the keyHandle's password, optional
-g, --halg <hexAlg> the hash algorithm used to digest the message
0x0004 TPM_ALG_SHA1
0x000B TPM_ALG_SHA256
0x000C TPM_ALG_SHA384
0x000D TPM_ALG_SHA512
0x0012 TPM_ALG_SM3_256
-a, --attestFile <fileName> output file name, record the attestation structure
-s, --sigFile <fileName> output file name, record the signature structure
-X, --passwdInHex passwords given by any options are hex format.
example:
tpm2_certify -H 0x81010002 -k 0x81010001 -P 0x0011 -K 0x00FF -g 0x00B -a <fileName> -s <fileName>
tpm2_certify -C obj.context -c key.context -P 0x0011 -K 0x00FF -g 0x00B -a <fileName> -s <fileName>
tpm2_certify -H 0x81010002 -k 0x81010001 -P 0011 -K 00FF -X -g 0x00B -a <fileName> -s <fileName>
Subset 6: utilities
-------------------
* tpm2_getrandom
returns the next bytesRequested octets from the random number generator.
Usage:
tpm2_getrandom [-s/--size <bytesRequested>] [-o/--of <outfilename>]
where:
-s/--size <bytesRequested> specifies the size of the bytesRequested.
-o/--of <outfilename> specifies the filename of output.
example:
tpm2_getrandom -s 20 -o random.out
* tpm2_hash
performs a hash operation on a data buffer and returns the results. If the
results of the hash will be used in a signing operation that uses a restricted
signing key, then the ticket returned by this command can indicate that the
hash is safe to sign.
Usage:
-H, --hierarchy <e|o|p|n> hierarchy to use for the ticket
e TPM_RH_ENDORSEMENT
o TPM_RH_OWNER
p TPM_RH_PLATFORM
n TPM_RH_NULL
-g, --halg <hexAlg> algorithm for the hash being computed
0x0004 TPM_ALG_SHA1
0x000B TPM_ALG_SHA256
0x000C TPM_ALG_SHA384
0x000D TPM_ALG_SHA512
0x0012 TPM_ALG_SM3_256
-I, --infile <inputFilename> file containning the data to be hashed
-o, --outfile <hashFilename> file record the hash result
-t, --ticket <ticketFilename> file record the ticket
example:
tpm2_hash -H <e|o|p|n> -g 0x004 -I <inputFilename> -o <hashFilename> -t <ticketFilename>
* tpm2_hmac
performs an HMAC on the supplied data using the indicated hash algorithm. The
caller shall provide proper authorization for use of handle.
Usage:
-k, --keyHandle <hexHandle> handle for the symmetric signing key providing
the HMAC key
-c, --keyContext <filename> filename of the key context used for the
operation
-P, --pwdk <string> the keyHandle's password, optional
-g, --halg <hexAlg> algorithm for the hash being computed
0x0004 TPM_ALG_SHA1
0x000B TPM_ALG_SHA256
0x000C TPM_ALG_SHA384
0x000D TPM_ALG_SHA512
0x0012 TPM_ALG_SM3_256
-I, --infile <inputFilename> file containning the data to be HMACed
-o, --outfile <hmacFilename> file record the HMAC result
-X, --passwdInHex passwords given by any options are hex format.
example:
tpm2_hmac -k 0x81010002 -P abc123 -g 0x004 -I <inputFilename> -o <hmacFilename>
tpm2_hmac -c key.context -P abc123 -g 0x004 -I <inputFilename> -o <hmacFilename>
tpm2_hmac -k 0x81010002 -P 123abc -X -g 0x004 -I <inputFilename> -o <hmacFilename>
* tpm2_readpublic
Access to the public area of a loaded object.
Usage:
-H, --object <objectHandle> The loaded object handle
-c, --contextObject <filename> filename for object context
-o, --opu <publicKeyFileName> The output file path, recording the public
portion of the object
example:
tpm2_readpublic -H 0x81010002 --opu <pubKeyFileName>
tpm2_readpublic -c obj.context --opu <pubKeyFileName>