tpm2_create(1)

1tpm2_create(1)              General Commands Manual             tpm2_create(1)
2
3
4

6       tpm2_create(1) - Create a child object.
7

9       tpm2_create [OPTIONS]
10

12       tpm2_create(1) - Create a child object.  The object can either be a key
13       or a sealing object.  A sealing object allows to seal user data to  the
14       TPM,  with  a maximum size of 256 bytes.  Additionally it will load the
15       created object if the -o is specified.
16

18       These options for creating the TPM entity:
19
20       · -C, --parent-context=OBJECT:
21
22         The parent of the object to be created.
23
24       · -P, --parent-auth=AUTH:
25
26         The authorization value of the parent object specified with -C.
27
28       · -p, --key-auth=AUTH:
29
30         The authorization value for the created object.
31
32       · -g, --hash-algorithm=ALGORITHM:
33
34         The hash algorithm for generating the objects name.  This is optional
35         and defaults to sha256 when not specified.
36
37       · -G, --key-algorithm=ALGORITHM:
38
39         The  key algorithm associated with this object.  It defaults to "rsa"
40         if not specified.
41
42       · -a, --attributes=ATTRIBUTES:
43
44         The object attributes, optional.  The default for created objects is:
45
46         TPMA_OBJECT_SIGN_ENCRYPT|TPMA_OBJECT_DECRYPT|TPMA_OB‐
47         JECT_FIXEDTPM|  TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORI‐
48         GIN|  TPMA_OBJECT_USERWITHAUTH
49
50         When -i is specified for sealing,  TPMA_OBJECT_SIGN_ENCRYPT  and  TP‐
51         MA_OBJECT_DECRYPT  are  removed  from the default attribute set.  The
52         algorithm is set in a way where the the object is only good for seal‐
53         ing  and  unsealing.   I.e.  one cannot use an object for sealing and
54         cryptography operations.
55
56       · -i, --sealing-input=FILE or STDIN:
57
58         The data file to be sealed, optional.  If file is -, read from stdin.
59         When  sealing  data  only the TPM_ALG_KEYEDHASH algorithm with a NULL
60         scheme is allowed.  Thus, -G cannot be specified.
61
62       · -L, --policy=FILE:
63
64         The input policy file, optional.
65
66       · -u, --public=FILE:
67
68         The output file which contains the public portion of the created  ob‐
69         ject, optional.
70
71       · -r, --private=FILE:
72
73         The  output  file which contains the sensitive portion of the object,
74         optional.
75
76       · -c, --key-context=FILE:
77
78         The output file which contains the key context,  optional.   The  key
79         context  is  analogous  to the context file produced by tpm2_load(1),
80         however is generated via a tpm2_createloaded(1) command.  This option
81         can  be used to avoid the normal tpm2_create(1) and tpm2_load(1) com‐
82         mand sequences and do it all in one command, atomically.
83
84   References

86       The type of a context object, whether it is a handle or file  name,  is
87       determined according to the following logic in-order:
88
89       · If the argument is a file path, then the file is loaded as a restored
90         TPM transient object.
91
92       · If the argument is a prefix match on one of:
93
94         · owner: the owner hierarchy
95
96         · platform: the platform hierarchy
97
98         · endorsement: the endorsement hierarchy
99
100         · lockout: the lockout control persistent object
101
102       · If the argument argument can be loaded as a number it will  be  treat
103         as a handle, e.g.  0x81010013 and used directly.OBJECT.
104

106       Authorization  for  use  of an object in TPM2.0 can come in 3 different
107       forms: 1.  Password 2.  HMAC 3.  Sessions
108
109       NOTE: "Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
110       fied".
111
112   Passwords
113       Passwords  are  interpreted  in  the following forms below using prefix
114       identifiers.
115
116       Note: By default passwords are assumed to be in the  string  form  when
117       they do not have a prefix.
118
119   String
120       A  string  password,  specified  by  prefix "str:" or it's absence (raw
121       string without prefix) is not interpreted, and is directly used for au‐
122       thorization.
123
124   Examples
125              foobar
126              str:foobar
127
128   Hex-string
129       A  hex-string  password, specified by prefix "hex:" is converted from a
130       hexidecimal form into a byte array form, thus allowing  passwords  with
131       non-printable and/or terminal un-friendly characters.
132
133   Example
134              hex:0x1122334455667788
135
136   File
137       A  file  based password, specified be prefix "file:" should be the path
138       of a file containing the password to be read by the tool or  a  "-"  to
139       use  stdin.   Storing  passwords in files prevents information leakage,
140       passwords passed as options can be read from the process list or common
141       shell history features.
142
143   Examples
144              # to use stdin and be prompted
145              file:-
146
147              # to use a file from a path
148              file:path/to/password/file
149
150              # to echo a password via stdin:
151              echo foobar | tpm2_tool -p file:-
152
153              # to use a bash here-string via stdin:
154
155              tpm2_tool -p file:- <<< foobar
156
157   Sessions
158       When  using  a policy session to authorize the use of an object, prefix
159       the option argument with the session keyword.  Then indicate a path  to
160       a session file that was created with tpm2_startauthsession(1).  Option‐
161       ally, if the session requires an auth value to be sent with the session
162       handle  (eg policy password), then append a + and a string as described
163       in the Passwords section.
164
165   Examples
166       To use a session context file called session.ctx.
167
168              session:session.ctx
169
170       To use a session context file called session.ctx AND send the authvalue
171       mypassword.
172
173              session:session.ctx+mypassword
174
175       To use a session context file called session.ctx AND send the HEX auth‐
176       value 0x11223344.
177
178              session:session.ctx+hex:11223344
179
180   PCR Authorizations
181       You can satisfy a PCR policy using the "pcr:" prefix and the PCR  mini‐
182       language.       The     PCR     minilanguage     is     as     follows:
183       <pcr-spec>=<raw-pcr-file>
184
185       The PCR spec is documented in in the section "PCR bank specifiers".
186
187       The raw-pcr-file is an optional the output of the raw PCR  contents  as
188       returned by tpm2_pcrread(1).
189
190       PCR bank specifiers (common/pcr.md)
191
192   Examples
193       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
194       er of:
195
196              pcr:sha256:0,1,2,3
197
198       specifying AUTH.
199

201       Options that take algorithms support "nice-names".
202
203       There are two major algorithm specification string classes, simple  and
204       complex.  Only certain algorithms will be accepted by the TPM, based on
205       usage and conditions.
206
207   Simple specifiers
208       These are strings with no additional specification data.  When creating
209       objects,  non-specified  portions of an object are assumed to defaults.
210       You can find the list of known "Simple Specifiers Below".
211
212   Asymmetric
213       · rsa
214
215       · ecc
216
217   Symmetric
218       · aes
219
220       · camellia
221
222   Hashing Algorithms
223       · sha1
224
225       · sha256
226
227       · sha384
228
229       · sha512
230
231       · sm3_256
232
233       · sha3_256
234
235       · sha3_384
236
237       · sha3_512
238
239   Keyed Hash
240       · hmac
241
242       · xor
243
244   Signing Schemes
245       · rsassa
246
247       · rsapss
248
249       · ecdsa
250
251       · ecdaa
252
253       · ecschnorr
254
255   Asymmetric Encryption Schemes
256       · oaep
257
258       · rsaes
259
260       · ecdh
261
262   Modes
263       · ctr
264
265       · ofb
266
267       · cbc
268
269       · cfb
270
271       · ecb
272
273   Misc
274       · null
275
276   Complex Specifiers
277       Objects, when specified for creation by the TPM,  have  numerous  algo‐
278       rithms  to  populate  in the public data.  Things like type, scheme and
279       asymmetric details, key size, etc.  Below is  the  general  format  for
280       specifying this data: <type>:<scheme>:<symmetric-details>
281
282   Type Specifiers
283       This  portion  of the complex algorithm specifier is required.  The re‐
284       maining scheme and symmetric details will default  based  on  the  type
285       specified and the type of the object being created.
286
287       · aes - Default AES: aes128
288
289       · aes128<mode>  - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
290         If mode is not specified, defaults to null.
291
292       · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
293
294       · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
295
296       · ecc - Elliptical Curve, defaults to ecc256.
297
298       · ecc192 - 192 bit ECC
299
300       · ecc224 - 224 bit ECC
301
302       · ecc256 - 256 bit ECC
303
304       · ecc384 - 384 bit ECC
305
306       · ecc521 - 521 bit ECC
307
308       · rsa - Default RSA: rsa2048
309
310       · rsa1024 - RSA with 1024 bit keysize.
311
312       · rsa2048 - RSA with 2048 bit keysize.
313
314       · rsa4096 - RSA with 4096 bit keysize.
315
316   Scheme Specifiers
317       Next, is an optional field, it can be skipped.
318
319       Schemes are usually Signing Schemes or Asymmetric  Encryption  Schemes.
320       Most signing schemes take a hash algorithm directly following the sign‐
321       ing scheme.  If the hash algorithm is missing, it defaults  to  sha256.
322       Some take no arguments, and some take multiple arguments.
323
324   Hash Optional Scheme Specifiers
325       These  scheme  specifiers are followed by a dash and a valid hash algo‐
326       rithm, For example: oaep-sha256.
327
328       · oaep
329
330       · ecdh
331
332       · rsassa
333
334       · rsapss
335
336       · ecdsa
337
338       · ecschnorr
339
340   Multiple Option Scheme Specifiers
341       This scheme specifier is followed by a count  (max  size  UINT16)  then
342       folloed  by a dash(-) and a valid hash algorithm.  * ecdaa For example,
343       ecdaa4-sha256.  If no count is specified, it defaults to 4.
344
345   No Option Scheme Specifiers
346       This scheme specifier takes NO arguments.  * rsaes
347
348   Symmetric Details Specifiers
349       This field is optional, and defaults based on the type of object  being
350       created  and it's attributes.  Generally, any valid Symmetric specifier
351       from the Type Specifiers list should work.  If not specified, an  asym‐
352       metric objects symmetric details defaults to aes128cfb.
353
354   Examples
355   Create an rsa2048 key with an rsaes asymmetric encryption scheme
356       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
357
358   Create an ecc256 key with an ecdaa signing scheme with a count of 4
359       and sha384 hash
360
361       /tpm2_create -C parent.ctx -G ecc256:ec‐
362       daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
363

365       Object Attributes are used to control various properties of created ob‐
366       jects.   When  specified  as an option, either the raw bitfield mask or
367       "nice-names" may be used.  The values can be found in Table 31  Part  2
368       of the TPM2.0 specification, which can be found here:
369
370       <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
371       Rev-2.0-Part-2-Structures-01.38.pdf>
372
373       Nice names are calculated by taking the name field of table 31 and  re‐
374       moving  the  prefix TPMA_OBJECT_ and lowercasing the result.  Thus, TP‐
375       MA_OBJECT_FIXEDTPM becomes fixedtpm.  Nice names can  be  joined  using
376       the bitwise or "|" symbol.
377
378       For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
379       and TPMA_OBJECT_SIGN_ENCRYPT, the argument would be:
380
381       fixedtpm|noda|sign specifying the object attributes ATTRIBUTES.
382

384       This collection of options are common to many programs and provide  in‐
385       formation that many users may expect.
386
387       · -h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
388         attempts to invoke the manpager for the  tool,  however,  on  failure
389         will  output  a short tool summary.  This is the same behavior if the
390         "man" option argument is specified, however if explicit "man" is  re‐
391         quested,  the  tool  will  provide errors from man on stderr.  If the
392         "no-man" option if specified, or the manpager fails,  the  short  op‐
393         tions will be output to stdout.
394
395         To  successfully use the manpages feature requires the manpages to be
396         installed or on MANPATH, See man(1) for more details.
397
398       · -v, --version: Display version information for this  tool,  supported
399         tctis and exit.
400
401       · -V,  --verbose:  Increase the information that the tool prints to the
402         console during its execution.  When using this option  the  file  and
403         line number are printed.
404
405       · -Q, --quiet: Silence normal tool output to stdout.
406
407       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
408         if an errata fixup needs to be applied to commands sent to  the  TPM.
409         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
410         formation many users may expect.
411

413       The TCTI or "Transmission Interface"  is  the  communication  mechanism
414       with  the TPM.  TCTIs can be changed for communication with TPMs across
415       different mediums.
416
417       To control the TCTI, the tools respect:
418
419       1. The command line option -T or --tcti
420
421       2. The environment variable: TPM2TOOLS_TCTI.
422
423       Note: The command line option always overrides  the  environment  vari‐
424       able.
425
426       The current known TCTIs are:
427
428       · tabrmd      -     The     resource     manager,     called     tabrmd
429         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
430         abrmd as a tcti name are synonymous.
431
432       · mssim  - Typically used for communicating to the TPM software simula‐
433         tor.
434
435       · device - Used when talking directly to a TPM device file.
436
437       · none - Do not initalize a connection with the TPM.  Some tools  allow
438         for off-tpm options and thus support not using a TCTI.  Tools that do
439         not support it will error when attempted to be used  without  a  TCTI
440         connection.   Does  not  support ANY options and MUST BE presented as
441         the exact text of "none".
442
443       The arguments to either the command  line  option  or  the  environment
444       variable are in the form:
445
446       <tcti-name>:<tcti-option-config>
447
448       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
449       tion-config> results in the default being used for that portion respec‐
450       tively.
451
452   TCTI Defaults
453       When  a  TCTI  is not specified, the default TCTI is searched for using
454       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
455       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
456       what TCTI will be chosen as the default by using the -v option to print
457       the  version information.  The "default-tcti" key-value pair will indi‐
458       cate which of the aforementioned TCTIs is the default.
459
460   Custom TCTIs
461       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
462       tools internally use dlopen(3), and the raw tcti-name value is used for
463       the lookup.  Thus, this could be a path to the shared library, or a li‐
464       brary name as understood by dlopen(3) semantics.
465

467       This collection of options are used to configure the various known TCTI
468       modules available:
469
470       · device: For the device TCTI, the TPM character device file for use by
471         the device TCTI can be specified.  The default is /dev/tpm0.
472
473         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI="de‐
474         vice:/dev/tpm0"
475
476       · mssim: For the mssim TCTI, the domain name or  IP  address  and  port
477         number  used  by  the  simulator  can  be specified.  The default are
478         127.0.0.1 and 2321.
479
480         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
481         TI="mssim:host=localhost,port=2321"
482
483       · abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
484         ries of simple key value pairs separated by a  ','  character.   Each
485         key and value string are separated by a '=' character.
486
487         · TCTI abrmd supports two keys:
488
489           1. 'bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
490              string).
491
492           2. 'bus_type' : The type of the dbus instance (a string) limited to
493              'session' and 'system'.
494
495         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
496         ample.FooBar:
497
498         \--tcti=tabrmd:bus_name=com.example.FooBar
499
500         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
501         sion:
502
503         \--tcti:bus_type=session
504
505         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
506         ules.
507

509   Setup
510       In order to create an object, we must first create  a  primary  key  as
511       it's parent.
512
513              tpm2_createprimary -c primary.ctx
514
515   Create an Object
516       This  will  create an object using all the default values and store the
517       TPM sealed private and public portions to the paths  specified  via  -u
518       and -r respectively.  The tool defaults to an RSA key.
519
520              tpm2_create -C primary.ctx -u obj.pub -r obj.priv
521
522   Seal Data to the TPM
523       Outside of key objects, the TPM allows for small amounts of user speci‐
524       fied data to be sealed to the TPM.
525
526              echo "my sealed data" > seal.dat
527              tpm2_create -C primary.ctx -i seal.dat -u obj.pub -r obj.priv
528
529   Create an EC Key Object and Load it to the TPM
530       Normally, when creating an object, only the public and private portions
531       of  the object are returned and the caller needs to use tpm2_load(1) to
532       load those public and private portions to the TPM before being able  to
533       use  the object.  However, this can be accomplished within this command
534       as well.
535
536              tpm2_create -C primary.ctx -G ecc -u obj.pub -r obj.priv -c ecc.ctx
537

539       Tools can return any of the following codes:
540
541       · 0 - Success.
542
543       · 1 - General non-specific error.
544
545       · 2 - Options handling error.
546
547       · 3 - Authentication error.
548
549       · 4 - TCTI related error.
550
551       · 5 - Non supported scheme.  Applicable to tpm2_testparams.
552

554       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
555

557       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
558
559
560
561tpm2-tools                                                      tpm2_create(1)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Context Object Format

Authorization Formatting

Algorithm Specifiers

Object Attributes

COMMON OPTIONS

TCTI Configuration

TCTI OPTIONS

EXAMPLES

Returns

BUGS

HELP