swtpm_setup(8)                                                  swtpm_setup(8)

NAME
    swtpm_setup - Swtpm utility to simulate the manufacturing of a TPM 1.2
    or 2.0

SYNOPSIS
    swtpm_setup [OPTIONS]

DESCRIPTION
    swtpm_setup is a tool that prepares the initial state for a
    libtpms-based TPM.

    For creating the initial state of a TPM 1.2, swtpm_setup must be run
    either as root or as the user that tcsd requires, which is typically
    tss.

    The following options are supported:

    --runas <userid>
        Use this userid to run swtpm_setup.sh; by default 'tss' is used.

    --config <file>
        Path to the configuration file naming the tool to use for creating
        certificates; see also swtpm_setup.conf.

        If this parameter is not provided, the default configuration file
        /etc/swtpm_setup.conf will be used. If the environment variable
        XDG_CONFIG_HOME is set, the configuration file is assumed to be
        $XDG_CONFIG_HOME/swtpm_setup.conf.

    --tpm-state <dir> or --tpmstate <dir>
        Path to a directory where the TPM's state will be written; this is
        a mandatory argument.

    --tpm <path to executable>
        Path to the TPM executable; this is an optional argument and by
        default the swtpm executable found in the PATH will be used.

    --tpm2
        Set up a TPM 2; by default a TPM 1.2 is set up.

    --createek
        Create the EK.

    --allow-signing
        Create an EK that can sign. This option requires --tpm2.

        Note that the TCG specification "EK Credential Profile For TPM
        Family 2.0; Level 0" suggests in its section on "EK Usage" that
        "the Endorsement Key can be created as a decryption or signing
        key." However, some platforms will not accept an EK as a signing
        key, or as a signing and encryption key, and therefore this option
        should be used very carefully.

    --decryption
        Create an EK that can be used for key encipherment. This is the
        default unless --allow-signing is passed. This option requires
        --tpm2.

    --ecc
        Create elliptic curve crypto (ECC) keys; by default RSA keys are
        generated.

    --take-ownership
        Take ownership; this option implies --createek.

    --ownerpass <password>
        Provide a custom owner password; the default is ooo.

    --owner-well-known
        Use a password of all zeros (20 bytes of zeros) as the owner
        password.

    --srkpass <password>
        Provide a custom SRK password; the default is sss.

    --srk-well-known
        Use a password of all zeros (20 bytes of zeros) as the SRK password.

    --create-ek-cert
        Create an EK certificate; this implies --createek (NOT SUPPORTED
        YET).

    --create-platform-cert
        Create a platform certificate; this implies --create-ek-cert.

    --lock-nvram
        Lock NVRAM access.

    --display
        At the end, display as much info as possible about the
        configuration of the TPM.

    --logfile <logfile>
        The logfile to log to. By default logging goes to stdout and
        stderr.

    --keyfile <keyfile>
        The key file contains an ASCII hex key consisting of 32 hex digits
        with an optional leading '0x'. This is the key to be used by the
        TPM emulator for encrypting the state of the TPM.

    --pwdfile <passphrase file>
        The passphrase file contains a passphrase from which the TPM
        emulator derives the encryption key it uses for encrypting the TPM
        state.

    --cipher <cipher>
        The cipher may be either aes-cbc or aes-128-cbc for 128 bit AES
        encryption, or aes-256-cbc for 256 bit AES encryption. The same
        cipher must be used on the swtpm command line later on.

    --overwrite
        Overwrite existing TPM state. All previous state will be erased.
        If this option is not given and an existing state file is found, an
        error code is returned.

    --not-overwrite
        Do not overwrite existing TPM state. If existing TPM state is
        found, the program ends without an error.

    --vmid <VM ID>
        Optional VM ID that can be used to keep track of certificates
        issued for VMs (or containers). This parameter will be passed
        through to the tool used for creating the certificates and may be
        required by that tool.

    --pcr-banks <PCR banks>
        Optional comma-separated list of PCR banks to activate. Providing
        '-' skips the selection and activates all PCR banks. By default
        the sha1 and sha256 banks are activated.

    --swtpm_ioctl <executable>
        Pass the path to the swtpm_ioctl executable. By default the
        swtpm_ioctl in the PATH is used.

    --tcsd-system-ps-file <file>
        A file to copy TCSD's system_ps_file to. The system_ps_file
        contains the TPM 1.2 SRK public key after taking ownership of the
        TPM. The file is needed by TCSD for key related functions.

        This option is only useful with TPM 1.2 and if ownership is taken.

    --help, -h
        Display the help screen.

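    The following shell script is an added example; it is not part of the
    swtpm man page or project. It shows how the --keyfile, --cipher and
    --tpmstate options above fit together on the defending side: it generates
    a key file in the documented format (optional '0x' plus 32 hex digits),
    checks a file against that format before use, verifies that no other
    local user can read it, and passes it to swtpm_setup together with the
    matching aes-128-cbc cipher. The function names and the temporary file
    locations are the example's own choices.

```shell
#!/bin/sh
# Added example, not part of the swtpm man page: create and check a
# --keyfile for swtpm_setup. The page specifies the format as 32 hex digits
# with an optional leading "0x"; the function names and the file locations
# used here are this example's own choices.

# gen_swtpm_keyfile FILE
# Writes 16 bytes (128 bits) from /dev/urandom as "0x" + 32 lowercase hex
# digits. The file is created under umask 077 so that it is readable only
# by its owner: anyone who can read it can decrypt the TPM state.
gen_swtpm_keyfile() {
    hex=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    [ ${#hex} -eq 32 ] || return 1
    rm -f "$1"
    ( umask 077; printf '0x%s\n' "$hex" > "$1" )
}

# check_swtpm_keyfile FILE
# Returns 0 when the first line of FILE is a key in the documented format:
# optional 0x/0X prefix followed by exactly 32 hex digits and nothing else.
check_swtpm_keyfile() {
    [ -f "$1" ] || return 1
    key=$(head -n 1 "$1" | tr -d '\r\n')
    case $key in
        0x*|0X*) key=${key#??} ;;
    esac
    [ ${#key} -eq 32 ] || return 1
    case $key in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# keyfile_is_private FILE
# Returns 0 when neither group nor others have read access to FILE.
keyfile_is_private() {
    [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print)" ]
}

# setup_encrypted_tpm2 STATEDIR KEYFILE
# Runs swtpm_setup with state encryption, using aes-128-cbc to match the
# 128-bit key; the same --cipher and key must later be given to swtpm.
# Returns 2 when swtpm_setup is not installed, so that a caller can tell
# "not run" from "failed".
setup_encrypted_tpm2() {
    check_swtpm_keyfile "$2" && keyfile_is_private "$2" || return 1
    command -v swtpm_setup >/dev/null 2>&1 || return 2
    mkdir -p "$1"
    swtpm_setup --tpm2 --tpmstate "$1" --createek \
        --keyfile "$2" --cipher aes-128-cbc
}

# Demonstration on a constructed temporary key file.
demo_key=$(mktemp)
gen_swtpm_keyfile "$demo_key" && check_swtpm_keyfile "$demo_key" \
    && keyfile_is_private "$demo_key" && echo "key file $demo_key is valid"
rm -f "$demo_key"
```

    Because swtpm must later be started with the same key and --cipher, keep
    the key file outside the TPM state directory and owner-readable only: a
    copy of the encrypted state directory is protected exactly as well as
    that file is.
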
EXAMPLES
    To simulate manufacturing of a TPM, one would typically run the
    following command:

        #> sudo swtpm_setup --tpmstate /tmp/mytpm1/ \
             --create-ek-cert --create-platform-cert --lock-nvram

    Note: since setting up a TPM 1.2 relies on the tcsd for some of its
    operations, swtpm_setup has to be run as root so that it can invoke the
    tcsd either as root or tss user.

    A normal user can also simulate the manufacturing of a TPM 2 using the
    swtpm-localca plugin. The following example assumes that the user has
    set the environment variable XDG_CONFIG_HOME as follows (using bash for
    example):

        export XDG_CONFIG_HOME=~/.config

    Note: The XDG_CONFIG_HOME variable is part of the XDG Base Directory
    Specification.

    The following configuration files need to be created:

    ~/.config/swtpm_setup.conf:

        # Program invoked for creating certificates
        create_certs_tool= /usr/share/swtpm/swtpm-localca
        create_certs_tool_config = ${XDG_CONFIG_HOME}/swtpm-localca.conf
        create_certs_tool_options = ${XDG_CONFIG_HOME}/swtpm-localca.options

    ~/.config/swtpm-localca.conf:

        statedir = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca
        signingkey = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/signkey.pem
        issuercert = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/issuercert.pem
        certserial = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/certserial

    ~/.config/swtpm-localca.options:

        --platform-manufacturer Fedora
        --platform-version 2.12
        --platform-model QEMU

    The following commands now create a TPM 2 with an EK and platform
    certificate. The state of the TPM 2 will be stored in the directory
    ${XDG_CONFIG_HOME}/mytpm1.

        #> mkdir -p ${XDG_CONFIG_HOME}/mytpm1
        #> swtpm_setup --tpm2 --tpmstate ${XDG_CONFIG_HOME}/mytpm1 \
             --create-ek-cert --create-platform-cert --lock-nvram
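
    As an added example (not from the swtpm project), the following script
    performs the per-user TPM 2 setup just described: it writes the three
    configuration files with the contents shown above, checks that they are
    in place and name the certificate tool, and runs the two commands with
    XDG_CONFIG_HOME pointing at the configuration directory. The function
    names, the --run gate and the $HOME/.config default are assumptions of
    the example; the file contents are the page's own.

```shell
#!/bin/sh
# Added example, not from the swtpm project: script the per-user TPM 2
# setup shown in the man page. It writes the three configuration files
# under $XDG_CONFIG_HOME with the page's contents and then runs
# swtpm_setup. The function names, the default for XDG_CONFIG_HOME and
# the --run gate are this example's own choices.

# write_swtpm_user_config CONFIGDIR
# Creates swtpm_setup.conf, swtpm-localca.conf and swtpm-localca.options in
# CONFIGDIR, plus the swtpm-localca state directory. The ${XDG_CONFIG_HOME}
# references are written literally, exactly as the page shows them.
write_swtpm_user_config() {
    cfg=$1
    mkdir -p "$cfg" "$cfg/var/lib/swtpm-localca"
    # The local CA's signing key is stored here; keep it owner-only.
    chmod 700 "$cfg/var/lib/swtpm-localca"
    cat > "$cfg/swtpm_setup.conf" <<'EOF'
# Program invoked for creating certificates
create_certs_tool = /usr/share/swtpm/swtpm-localca
create_certs_tool_config = ${XDG_CONFIG_HOME}/swtpm-localca.conf
create_certs_tool_options = ${XDG_CONFIG_HOME}/swtpm-localca.options
EOF
    cat > "$cfg/swtpm-localca.conf" <<'EOF'
statedir = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca
signingkey = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/signkey.pem
issuercert = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/issuercert.pem
certserial = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/certserial
EOF
    cat > "$cfg/swtpm-localca.options" <<'EOF'
--platform-manufacturer Fedora
--platform-version 2.12
--platform-model QEMU
EOF
}

# check_swtpm_user_config CONFIGDIR
# Returns 0 when all three files exist and swtpm_setup.conf names the
# certificate tool; without it swtpm_setup cannot create the EK certificate.
check_swtpm_user_config() {
    cfg=$1
    for f in swtpm_setup.conf swtpm-localca.conf swtpm-localca.options; do
        [ -f "$cfg/$f" ] || return 1
    done
    grep -q '^create_certs_tool *= */usr/share/swtpm/swtpm-localca$' \
        "$cfg/swtpm_setup.conf"
}

# create_user_tpm2 CONFIGDIR STATEDIR
# Runs the two commands from the page with XDG_CONFIG_HOME set to CONFIGDIR.
# Returns 2 when swtpm_setup is not installed.
create_user_tpm2() {
    check_swtpm_user_config "$1" || return 1
    command -v swtpm_setup >/dev/null 2>&1 || return 2
    XDG_CONFIG_HOME=$1
    export XDG_CONFIG_HOME
    mkdir -p "$2"
    swtpm_setup --tpm2 --tpmstate "$2" \
        --create-ek-cert --create-platform-cert --lock-nvram
}

# Invoke as "sh setup_user_tpm2.sh --run" to set up ~/.config/mytpm1;
# without --run the script only defines the functions above.
if [ "${1:-}" = "--run" ]; then
    cfgdir=${XDG_CONFIG_HOME:-$HOME/.config}
    write_swtpm_user_config "$cfgdir"
    create_user_tpm2 "$cfgdir" "$cfgdir/mytpm1"
fi
```

    The --run gate keeps the script from writing into the real ~/.config
    when it is merely sourced or inspected; the check function is what a
    practitioner would run first after editing the files by hand.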

SEE ALSO
    swtpm_setup.conf

REPORTING BUGS
    Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>

swtpm                             2017-11-13                    swtpm_setup(8)