tpm2_createak(1)            General Commands Manual           tpm2_createak(1)



NAME

       tpm2_createak(1) - Generate an attestation key (AK) with the given
       algorithm under the endorsement hierarchy.


SYNOPSIS

       tpm2_createak [OPTIONS]


DESCRIPTION

       tpm2_createak(1) - Generate an attestation key (AK) with the given
       algorithm under the endorsement hierarchy.  The endorsement key (EK)
       that the AK is created under is given via -C; the context of the
       created attestation key is saved to the file given via -c.

       The tool outputs to stdout a YAML representation of the loaded key's
       name, for example:

              loaded-key:
                name: 000bac149518baa05540a0678bd9b624f8a98d042e46c60f4d098ba394d36fc49268

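       The following is an added example, not part of tpm2-tools, showing how
       a script that consumes the YAML above can extract the reported name and
       sanity-check it before trusting it.  A TPM 2.0 object name is the
       2-byte TPM_ALG_ID of the name hash followed by the digest, so a name
       that begins with 000b (TPM_ALG_SHA256) must be 4 + 64 = 68 hex
       characters.  The function names and the embedded sample YAML are this
       example's own.

```shell
#!/bin/sh
# Added example (not tpm2-tools code): parse the "loaded-key: name:" YAML
# printed by tpm2_createak and check that the name is well formed for the
# hash algorithm it announces in its first two bytes.

# Constructed sample: the output shown in the DESCRIPTION section.
SAMPLE_YAML='loaded-key:
  name: 000bac149518baa05540a0678bd9b624f8a98d042e46c60f4d098ba394d36fc49268'

# Print the hex value of the first "name:" key read from stdin.
ak_name_from_yaml() {
    sed -n 's/^[[:space:]]*name:[[:space:]]*\([0-9a-fA-F]*\).*$/\1/p' | head -n 1
}

# Expected total length (hex chars) of a name for a given leading TPM_ALG_ID.
# IDs from TPM 2.0 Library Part 2: 0x0004 SHA1, 0x000B SHA256,
# 0x000C SHA384, 0x000D SHA512. Unknown IDs yield 0.
expected_name_len() {
    case "$1" in
        0004)      echo 44 ;;   # 4 + 2*20
        000b|000B) echo 68 ;;   # 4 + 2*32
        000c|000C) echo 100 ;;  # 4 + 2*48
        000d|000D) echo 132 ;;  # 4 + 2*64
        *)         echo 0 ;;
    esac
}

# Return 0 if the name is all hex and has the length its algorithm ID implies.
check_ak_name() {
    ak_name=$1
    case "$ak_name" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    ak_alg=$(printf '%s' "$ak_name" | cut -c1-4)
    ak_want=$(expected_name_len "$ak_alg")
    [ "$ak_want" -ne 0 ] && [ "${#ak_name}" -eq "$ak_want" ]
}

# Stand-alone demo on the constructed sample. Against a real TPM the same
# functions consume the tool's stdout, e.g.:
#   tpm2_createak -C ek.handle -c ak.ctx -u ak.pub | ak_name_from_yaml
name=$(printf '%s\n' "$SAMPLE_YAML" | ak_name_from_yaml)
if check_ak_name "$name"; then
    echo "AK name OK: $name"
else
    echo "AK name malformed: $name" >&2
fi
```

       A name that fails this check usually means the YAML was not produced by
       the tool at all (wrong pipeline stage, an error message captured in
       place of the output), which is worth catching before the name is
       recorded or sent to a verifier.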

OPTIONS

       · -P, --eh-auth=AUTH:

         The authorization value for the endorsement hierarchy.

       · -p, --ak-auth=AUTH:

         The authorization value for the attestation key object created.

       · -C, --ek-context=OBJECT:

         The endorsement key object.

       · -c, --ak-context=FILE:

         The file path to save the object context of the attestation key.

       · -G, --key-algorithm=ALGORITHM:

         Specifies the attestation key algorithm.  Supports:

         · ecc - A P256 key.

         · rsa - An RSA2048 key.

         · keyedhash - An HMAC key.

       · -g, --hash-algorithm=ALGORITHM:

         Specifies the digest algorithm used for signing.

       · -s, --signing-algorithm=ALGORITHM:

         The signing algorithm.

       · -u, --public=FILE:

         The file to save the public portion of the attestation key.

       · -n, --ak-name=FILE:

         The file to save the attestation key name, optional.

       · -r, --private=FILE:

         The output file which contains the sensitive portion of the object,
         optional.

       · -f, --format=FORMAT:

         Format selection for the signature output file.

   References

Context Object Format

       The type of a context object, whether it is a handle or file name, is
       determined according to the following logic in-order:

       · If the argument is a file path, then the file is loaded as a restored
         TPM transient object.

       · If the argument is a prefix match on one of:

         · owner: the owner hierarchy

         · platform: the platform hierarchy

         · endorsement: the endorsement hierarchy

         · lockout: the lockout control persistent object

       · If the argument can be parsed as a number, it will be treated as a
         handle, e.g. 0x81010013, and used directly.


Authorization Formatting

       Authorization for use of an object in TPM2.0 can come in 3 different
       forms:

       1. Password

       2. HMAC

       3. Sessions

       NOTE: Authorizations default to the EMPTY PASSWORD when not specified.

   Passwords
       Passwords are interpreted in the following forms below using prefix
       identifiers.

       Note: By default passwords are assumed to be in the string form when
       they do not have a prefix.

   String
       A string password, specified by prefix "str:" or its absence (raw
       string without prefix), is not interpreted and is directly used for
       authorization.

   Examples
              foobar
              str:foobar

   Hex-string
       A hex-string password, specified by prefix "hex:", is converted from a
       hexadecimal form into a byte array form, thus allowing passwords with
       non-printable and/or terminal-unfriendly characters.

   Example
              hex:0x1122334455667788

   File
       A file based password, specified by prefix "file:", should be the path
       of a file containing the password to be read by the tool, or a "-" to
       use stdin.  Storing passwords in files prevents information leakage:
       passwords passed as options can be read from the process list or
       common shell history features.

   Examples
              # to use stdin and be prompted
              file:-

              # to use a file from a path
              file:path/to/password/file

              # to echo a password via stdin:
              echo foobar | tpm2_tool -p file:-

              # to use a bash here-string via stdin:
              tpm2_tool -p file:- <<< foobar

   Sessions
       When using a policy session to authorize the use of an object, prefix
       the option argument with the session keyword.  Then indicate a path to
       a session file that was created with tpm2_startauthsession(1).
       Optionally, if the session requires an auth value to be sent with the
       session handle (e.g. policy password), then append a + and a string as
       described in the Passwords section.

   Examples
       To use a session context file called session.ctx:

              session:session.ctx

       To use a session context file called session.ctx AND send the authvalue
       mypassword:

              session:session.ctx+mypassword

       To use a session context file called session.ctx AND send the HEX
       authvalue 0x11223344:

              session:session.ctx+hex:11223344

   PCR Authorizations
       You can satisfy a PCR policy using the "pcr:" prefix and the PCR
       minilanguage.  The PCR minilanguage is as follows:

              <pcr-spec>=<raw-pcr-file>

       The PCR spec is documented in the section "PCR bank specifiers".

       The raw-pcr-file is optional: it is the output of the raw PCR contents
       as returned by tpm2_pcrread(1).

       See "PCR bank specifiers" (common/pcr.md).

   Examples
       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a
       specifier of:

              pcr:sha256:0,1,2,3


Algorithm Specifiers

       Options that take algorithms support "nice-names".

       There are two major algorithm specification string classes, simple and
       complex.  Only certain algorithms will be accepted by the TPM, based on
       usage and conditions.

   Simple specifiers
       These are strings with no additional specification data.  When creating
       objects, non-specified portions of an object are assumed to defaults.
       You can find the list of known Simple Specifiers below.

   Asymmetric
       · rsa

       · ecc

   Symmetric
       · aes

       · camellia

   Hashing Algorithms
       · sha1

       · sha256

       · sha384

       · sha512

       · sm3_256

       · sha3_256

       · sha3_384

       · sha3_512

   Keyed Hash
       · hmac

       · xor

   Signing Schemes
       · rsassa

       · rsapss

       · ecdsa

       · ecdaa

       · ecschnorr

   Asymmetric Encryption Schemes
       · oaep

       · rsaes

       · ecdh

   Modes
       · ctr

       · ofb

       · cbc

       · cfb

       · ecb

   Misc
       · null

   Complex Specifiers
       Objects, when specified for creation by the TPM, have numerous
       algorithms to populate in the public data.  Things like type, scheme
       and asymmetric details, key size, etc.  Below is the general format for
       specifying this data:

              <type>:<scheme>:<symmetric-details>

   Type Specifiers
       This portion of the complex algorithm specifier is required.  The
       remaining scheme and symmetric details will default based on the type
       specified and the type of the object being created.

       · aes - Default AES: aes128

       · aes128<mode> - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
         If mode is not specified, defaults to null.

       · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.

       · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.

       · ecc - Elliptic Curve, defaults to ecc256.

       · ecc192 - 192 bit ECC

       · ecc224 - 224 bit ECC

       · ecc256 - 256 bit ECC

       · ecc384 - 384 bit ECC

       · ecc521 - 521 bit ECC

       · rsa - Default RSA: rsa2048

       · rsa1024 - RSA with 1024 bit keysize.

       · rsa2048 - RSA with 2048 bit keysize.

       · rsa4096 - RSA with 4096 bit keysize.

   Scheme Specifiers
       Next is an optional field; it can be skipped.

       Schemes are usually Signing Schemes or Asymmetric Encryption Schemes.
       Most signing schemes take a hash algorithm directly following the
       signing scheme.  If the hash algorithm is missing, it defaults to
       sha256.  Some take no arguments, and some take multiple arguments.

   Hash Optional Scheme Specifiers
       These scheme specifiers are followed by a dash and a valid hash
       algorithm, for example: oaep-sha256.

       · oaep

       · ecdh

       · rsassa

       · rsapss

       · ecdsa

       · ecschnorr

   Multiple Option Scheme Specifiers
       This scheme specifier is followed by a count (max size UINT16), then
       followed by a dash (-) and a valid hash algorithm.  If no count is
       specified, it defaults to 4.

       · ecdaa - For example, ecdaa4-sha256.

   No Option Scheme Specifiers
       This scheme specifier takes NO arguments.

       · rsaes

   Symmetric Details Specifiers
       This field is optional, and defaults based on the type of object being
       created and its attributes.  Generally, any valid Symmetric specifier
       from the Type Specifiers list should work.  If not specified, an
       asymmetric object's symmetric details default to aes128cfb.

   Examples
   Create an rsa2048 key with an rsaes asymmetric encryption scheme
       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv

   Create an ecc256 key with an ecdaa signing scheme with a count of 4
       and sha384 hash

       tpm2_create -C parent.ctx -G ecc256:ecdaa4-sha384 -u key.pub -r key.priv

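       The following is an added example, not part of tpm2-tools, that parses
       a complex specifier of the form <type>:<scheme>:<symmetric-details> and
       applies the defaults documented above (aes -> aes128, ecc -> ecc256,
       rsa -> rsa2048; hash-optional schemes -> sha256; ecdaa count -> 4;
       asymmetric objects' symmetric details -> aes128cfb), so a -G value can
       be checked for typos before it reaches the TPM.  The function names and
       the "<type> <scheme> <symmetric-details>" output format, with "-" for a
       field that is left to the tool, are this example's own.

```shell
#!/bin/sh
# Added example (not tpm2-tools code): expand a complex algorithm specifier
# according to the rules in this man page. The tool's own default for an
# omitted scheme depends on the object type and is not modelled; that field
# is printed as "-".

# Hash names from the "Hashing Algorithms" list.
valid_hash() {
    case "$1" in
        sha1|sha256|sha384|sha512|sm3_256|sha3_256|sha3_384|sha3_512) return 0 ;;
        *) return 1 ;;
    esac
}

# Expand shorthand type names and validate the optional AES mode suffix.
expand_type() {
    case "$1" in
        aes) echo aes128 ;;
        ecc) echo ecc256 ;;
        rsa) echo rsa2048 ;;
        ecc192|ecc224|ecc256|ecc384|ecc521|rsa1024|rsa2048|rsa4096) echo "$1" ;;
        aes128*|aes192*|aes256*)
            case "${1#aes???}" in            # strip "aes" and the key size
                ''|ctr|ofb|cbc|cfb|ecb) echo "$1" ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Expand a scheme: hash-optional schemes default to -sha256, ecdaa defaults
# its count to 4 and its hash to sha256, rsaes takes no arguments.
expand_scheme() {
    s=$1
    case "$s" in
        '') echo '' ;;
        oaep|ecdh|rsassa|rsapss|ecdsa|ecschnorr) echo "$s-sha256" ;;
        oaep-*|ecdh-*|rsassa-*|rsapss-*|ecdsa-*|ecschnorr-*)
            valid_hash "${s#*-}" && echo "$s" ;;
        ecdaa) echo ecdaa4-sha256 ;;
        ecdaa-*) valid_hash "${s#*-}" && echo "ecdaa4${s#ecdaa}" ;;
        ecdaa[0-9]*)
            cnt=${s%%-*}; cnt=${cnt#ecdaa}
            case "$cnt" in *[!0-9]*) return 1 ;; esac   # count must be numeric
            case "$s" in
                *-*) valid_hash "${s#*-}" && echo "$s" ;;
                *)   echo "$s-sha256" ;;
            esac ;;
        rsaes) echo rsaes ;;
        *) return 1 ;;
    esac
}

# Normalise a full -G value into "<type> <scheme> <symmetric-details>".
normalize_alg_spec() {
    spec=$1
    typ=${spec%%:*}
    rest=''
    case "$spec" in *:*) rest=${spec#*:} ;; esac
    sch=${rest%%:*}
    sym=''
    case "$rest" in *:*) sym=${rest#*:} ;; esac

    typ=$(expand_type "$typ") || { echo "unknown type in '$spec'" >&2; return 1; }
    sch=$(expand_scheme "$sch") || { echo "unknown scheme in '$spec'" >&2; return 1; }
    if [ -n "$sym" ]; then
        sym=$(expand_type "$sym") || { echo "unknown symmetric details in '$spec'" >&2; return 1; }
    fi
    # Asymmetric objects default their symmetric details to aes128cfb.
    case "$typ" in
        rsa*|ecc*) [ -n "$sym" ] || sym=aes128cfb ;;
    esac
    echo "$typ ${sch:--} ${sym:--}"
}

# Demo: the two -G values from the examples above plus some shorthand forms.
for spec_in in rsa2048:rsaes ecc256:ecdaa4-sha384 rsa ecc:ecdsa aes256cbc; do
    printf '%-22s -> %s\n' "$spec_in" "$(normalize_alg_spec "$spec_in")"
done
```

       Running the demo shows, for instance, that the bare "rsa" from the Type
       Specifiers list expands to an rsa2048 key whose symmetric details are
       aes128cfb, which is what the TPM will actually be asked to create.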

Signature Format Specifiers

       Format selection for the signature output file.  tss (the default) will
       output a binary blob according to the TPM 2.0 specification and any
       potential compiler padding.  The option plain will output the plain
       signature data as defined by the used cryptographic algorithm.


COMMON OPTIONS

       This collection of options are common to many programs and provide
       information that many users may expect.

       · -h, --help=[man|no-man]: Display the tool's manpage.  By default, it
         attempts to invoke the manpager for the tool; however, on failure it
         will output a short tool summary.  This is the same behavior if the
         "man" option argument is specified; however, if explicit "man" is
         requested, the tool will provide errors from man on stderr.  If the
         "no-man" option is specified, or the manpager fails, the short
         options will be output to stdout.

         To successfully use the manpages feature requires the manpages to be
         installed or on MANPATH; see man(1) for more details.

       · -v, --version: Display version information for this tool, supported
         tctis and exit.

       · -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       · -Q, --quiet: Silence normal tool output to stdout.

       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.
         Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
         equivalent.


TCTI Configuration

       The TCTI or "Transmission Interface" is the communication mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       · tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd and
         abrmd as a tcti name are synonymous.

       · mssim - Typically used for communicating to the TPM software
         simulator.

       · device - Used when talking directly to a TPM device file.

       · none - Do not initialize a connection with the TPM.  Some tools allow
         for off-tpm options and thus support not using a TCTI.  Tools that do
         not support it will error when attempted to be used without a TCTI
         connection.  Does not support ANY options and MUST BE presented as
         the exact text of "none".

       The arguments to either the command line option or the environment
       variable are in the form:

              <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that portion
       respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics.  The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
       what TCTI will be chosen as the default by using the -v option to print
       the version information.  The "default-tcti" key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup.  Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.


TCTI OPTIONS

       This collection of options are used to configure the various known TCTI
       modules available:

       · device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified.  The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or
         export TPM2TOOLS_TCTI="device:/dev/tpm0"

       · mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified.  The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or
         export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       · abrmd: For the abrmd TCTI, the configuration string format is a
         series of simple key value pairs separated by a ',' character.  Each
         key and value string are separated by a '=' character.

         · TCTI abrmd supports two keys:

           1. 'bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. 'bus_type' : The type of the dbus instance (a string) limited to
              'session' and 'system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

         --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti and a config string of
         bus_type=session (an empty tcti-name selects the default):

         --tcti=:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.

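       The following is an added example, not part of tpm2-tools, covering
       both the TCTI Configuration and TCTI OPTIONS sections above: it applies
       the documented precedence (-T always wins over TPM2TOOLS_TCTI), splits a
       value into <tcti-name>:<tcti-option-config> treating an empty portion
       as "use the default", rejects options given to "none", and validates an
       abrmd config string against the two keys it supports.  The function
       names and the "name|config" output format are this example's own.

```shell
#!/bin/sh
# Added example (not tpm2-tools code): reason about which TCTI string the
# tools would use and whether its abrmd config is well formed, without
# touching a TPM.

# Precedence: the command-line value always overrides the environment value.
# $1 = value given to -T/--tcti (empty if absent), $2 = $TPM2TOOLS_TCTI.
resolve_tcti() {
    if [ -n "$1" ]; then
        echo "$1"
    else
        echo "$2"
    fi
}

# Split "<name>:<config>" and print "name|config", substituting <default>
# for an empty portion. "none" must be the exact text with no config.
split_tcti() {
    spec=$1
    tname=${spec%%:*}
    tconf=''
    case "$spec" in *:*) tconf=${spec#*:} ;; esac
    if [ "$tname" = none ] && [ -n "$tconf" ]; then
        echo "tcti 'none' does not take options" >&2
        return 1
    fi
    echo "${tname:-<default>}|${tconf:-<default>}"
}

# Validate an abrmd/tabrmd config string: comma-separated key=value pairs,
# keys limited to bus_name and bus_type, bus_type limited to session|system.
# Runs in a subshell so the IFS change cannot leak to the caller.
check_abrmd_config() (
    set -f                      # no pathname expansion on the split words
    IFS=','
    for kv in $1; do
        case "$kv" in *=*) ;; *) return 1 ;; esac
        key=${kv%%=*}
        val=${kv#*=}
        case "$key" in
            bus_name) [ -n "$val" ] || return 1 ;;
            bus_type) case "$val" in session|system) ;; *) return 1 ;; esac ;;
            *) return 1 ;;
        esac
    done
    return 0
)

# Demo: a constructed environment value loses to an explicit -T value.
env_tcti=${TPM2TOOLS_TCTI:-mssim:host=localhost,port=2321}
chosen=$(resolve_tcti "tabrmd:bus_name=com.example.FooBar" "$env_tcti")
echo "effective TCTI: $(split_tcti "$chosen")"
if check_abrmd_config "${chosen#*:}"; then
    echo "abrmd config OK"
else
    echo "abrmd config rejected" >&2
fi
```

       The split mirrors the rule in the TCTI Configuration section: a leading
       colon with no name (":bus_type=session") keeps the default TCTI and
       only supplies a config, which is why the abrmd example above is written
       as --tcti=:bus_type=session.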

EXAMPLES

   Create an Attestation Key and make it persistent
              tpm2_createek -c ek.handle -G rsa -u ek.pub
              tpm2_createak -C ek.handle -c ak.ctx -u ak.pub -n ak.name
              tpm2_evictcontrol -c 0x81010002 -o ak.ctx


Returns

       Tools can return any of the following codes:

       · 0 - Success.

       · 1 - General non-specific error.

       · 2 - Options handling error.

       · 3 - Authentication error.

       · 4 - TCTI related error.

       · 5 - Non supported scheme.  Applicable to tpm2_testparams.


BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)


HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)



tpm2-tools                                                    tpm2_createak(1)