tpm2_create(1)

1tpm2_create(1)              General Commands Manual             tpm2_create(1)
2
3
4

6       tpm2_create(1) - Create a child object.
7

9       tpm2_create [OPTIONS]
10

12       tpm2_create(1) - Create a child object.  The object can either be a key
13       or a sealing object.  A sealing object allows to seal user data to  the
14       TPM,  with  a maximum size of 256 bytes.  Additionally it will load the
15       created object if the -o is specified.
16

18       These options for creating the TPM entity:
19
20       · -C, --parent-context=OBJECT:
21
22         The parent of the object to be created.
23
24       · -P, --parent-auth=AUTH:
25
26         The authorization value of the parent object specified with -C.
27
28       · -p, --key-auth=AUTH:
29
30         The authorization value for the created object.
31
32       · -g, --hash-algorithm=ALGORITHM:
33
34         The hash algorithm for generating the objects name.  This is optional
35         and defaults to sha256 when not specified.
36
37       · -G, --key-algorithm=ALGORITHM:
38
39         The  key algorithm associated with this object.  It defaults to "rsa"
40         if not specified.
41
42       · -a, --attributes=ATTRIBUTES:
43
44         The object attributes, optional.  The default for created objects is:
45
46         TPMA_OBJECT_SIGN_ENCRYPT|TPMA_OBJECT_DECRYPT|TPMA_OB‐
47         JECT_FIXEDTPM|  TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORI‐
48         GIN|  TPMA_OBJECT_USERWITHAUTH
49
50         When -i is specified for sealing,  TPMA_OBJECT_SIGN_ENCRYPT  and  TP‐
51         MA_OBJECT_DECRYPT  are  removed  from the default attribute set.  The
52         algorithm is set in a way where the the object is only good for seal‐
53         ing  and  unsealing.   I.e.  one cannot use an object for sealing and
54         cryptography operations.
55
56       · -i, --sealing-input=FILE or STDIN:
57
58         The data file to be sealed, optional.  If file is -, read from stdin.
59         When  sealing  data  only the TPM_ALG_KEYEDHASH algorithm with a NULL
60         scheme is allowed.  Thus, -G cannot be specified.
61
62       · -L, --policy=FILE:
63
64         The input policy file, optional.
65
66       · -u, --public=FILE:
67
68         The output file which contains the public portion of the created  ob‐
69         ject, optional.
70
71       · -r, --private=FILE:
72
73         The  output  file which contains the sensitive portion of the object,
74         optional.
75
76       · -c, --key-context=FILE:
77
78         The output file which contains the key context,  optional.   The  key
79         context  is  analogous  to the context file produced by tpm2_load(1),
80         however is generated via a tpm2_createloaded(1) command.  This option
81         can  be used to avoid the normal tpm2_create(1) and tpm2_load(1) com‐
82         mand sequences and do it all in one command, atomically.
83
84       · --creation-data=FILE:
85
86         An optional file output that saves the creation data  for  certifica‐
87         tion.
88
89         · --template-data=FILE:
90
91         An  optional file output that saves the key template data (TPM2B_PUB‐
92         LIC) to be used in tpm2_policytemplate.
93
94       · -t, --creation-ticket=FILE:
95
96         An optional file output that saves the creation ticket for certifica‐
97         tion.
98
99       · -d, --creation-hash=FILE:
100
101         An  optional  file output that saves the creation hash for certifica‐
102         tion.
103
104       · -q, --outside-info=HEX_STR_OR_FILE:
105
106         An optional hex string or path to add unique data to the creation da‐
107         ta.   Note  that  it  does  not  contribute in creating statistically
108         unique object.
109
110       · -l, --pcr-list=PCR:
111
112         The list of PCR banks and selected PCRs' ids for each bank to be  in‐
113         cluded in the creation data for certification.
114
115       · --cphash=FILE
116
117         File path to record the hash of the command parameters.  This is com‐
118         monly termed as cpHash.  NOTE: When this option is selected, The tool
119         will not actually execute the command, it simply returns a cpHash.
120
121   References

123       The  type  of a context object, whether it is a handle or file name, is
124       determined according to the following logic in-order:
125
126       · If the argument is a file path, then the file is loaded as a restored
127         TPM transient object.
128
129       · If the argument is a prefix match on one of:
130
131         · owner: the owner hierarchy
132
133         · platform: the platform hierarchy
134
135         · endorsement: the endorsement hierarchy
136
137         · lockout: the lockout control persistent object
138
139       · If  the  argument argument can be loaded as a number it will be treat
140         as a handle, e.g.  0x81010013 and used directly.OBJECT.
141

143       Authorization for use of an object in TPM2.0 can come  in  3  different
144       forms: 1.  Password 2.  HMAC 3.  Sessions
145
146       NOTE:  "Authorizations  default  to  the EMPTY PASSWORD when not speci‐
147       fied".
148
149   Passwords
150       Passwords are interpreted in the following  forms  below  using  prefix
151       identifiers.
152
153       Note:  By  default  passwords are assumed to be in the string form when
154       they do not have a prefix.
155
156   String
157       A string password, specified by prefix  "str:"  or  it's  absence  (raw
158       string without prefix) is not interpreted, and is directly used for au‐
159       thorization.
160
161   Examples
162              foobar
163              str:foobar
164
165   Hex-string
166       A hex-string password, specified by prefix "hex:" is converted  from  a
167       hexidecimal  form  into a byte array form, thus allowing passwords with
168       non-printable and/or terminal un-friendly characters.
169
170   Example
171              hex:0x1122334455667788
172
173   File
174       A file based password, specified be prefix "file:" should be  the  path
175       of  a  file  containing the password to be read by the tool or a "-" to
176       use stdin.  Storing passwords in files  prevents  information  leakage,
177       passwords passed as options can be read from the process list or common
178       shell history features.
179
180   Examples
181              # to use stdin and be prompted
182              file:-
183
184              # to use a file from a path
185              file:path/to/password/file
186
187              # to echo a password via stdin:
188              echo foobar | tpm2_tool -p file:-
189
190              # to use a bash here-string via stdin:
191
192              tpm2_tool -p file:- <<< foobar
193
194   Sessions
195       When using a policy session to authorize the use of an  object,  prefix
196       the  option argument with the session keyword.  Then indicate a path to
197       a session file that was created with tpm2_startauthsession(1).  Option‐
198       ally, if the session requires an auth value to be sent with the session
199       handle (eg policy password), then append a + and a string as  described
200       in the Passwords section.
201
202   Examples
203       To use a session context file called session.ctx.
204
205              session:session.ctx
206
207       To use a session context file called session.ctx AND send the authvalue
208       mypassword.
209
210              session:session.ctx+mypassword
211
212       To use a session context file called session.ctx AND send the HEX auth‐
213       value 0x11223344.
214
215              session:session.ctx+hex:11223344
216
217   PCR Authorizations
218       You  can satisfy a PCR policy using the "pcr:" prefix and the PCR mini‐
219       language.      The     PCR     minilanguage     is     as      follows:
220       <pcr-spec>=<raw-pcr-file>
221
222       The PCR spec is documented in in the section "PCR bank specifiers".
223
224       The  raw-pcr-file  is an optional the output of the raw PCR contents as
225       returned by tpm2_pcrread(1).
226
227       PCR bank specifiers (common/pcr.md)
228
229   Examples
230       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
231       er of:
232
233              pcr:sha256:0,1,2,3
234
235       specifying AUTH.
236

238       Options that take algorithms support "nice-names".
239
240       There  are two major algorithm specification string classes, simple and
241       complex.  Only certain algorithms will be accepted by the TPM, based on
242       usage and conditions.
243
244   Simple specifiers
245       These are strings with no additional specification data.  When creating
246       objects, non-specified portions of an object are assumed  to  defaults.
247       You can find the list of known "Simple Specifiers Below".
248
249   Asymmetric
250       · rsa
251
252       · ecc
253
254   Symmetric
255       · aes
256
257       · camellia
258
259   Hashing Algorithms
260       · sha1
261
262       · sha256
263
264       · sha384
265
266       · sha512
267
268       · sm3_256
269
270       · sha3_256
271
272       · sha3_384
273
274       · sha3_512
275
276   Keyed Hash
277       · hmac
278
279       · xor
280
281   Signing Schemes
282       · rsassa
283
284       · rsapss
285
286       · ecdsa
287
288       · ecdaa
289
290       · ecschnorr
291
292   Asymmetric Encryption Schemes
293       · oaep
294
295       · rsaes
296
297       · ecdh
298
299   Modes
300       · ctr
301
302       · ofb
303
304       · cbc
305
306       · cfb
307
308       · ecb
309
310   Misc
311       · null
312
313   Complex Specifiers
314       Objects,  when  specified  for creation by the TPM, have numerous algo‐
315       rithms to populate in the public data.  Things like  type,  scheme  and
316       asymmetric  details,  key  size,  etc.  Below is the general format for
317       specifying this data: <type>:<scheme>:<symmetric-details>
318
319   Type Specifiers
320       This portion of the complex algorithm specifier is required.   The  re‐
321       maining  scheme  and  symmetric  details will default based on the type
322       specified and the type of the object being created.
323
324       · aes - Default AES: aes128
325
326       · aes128<mode> - 128 bit AES with optional mode  (ctr|ofb|cbc|cfb|ecb).
327         If mode is not specified, defaults to null.
328
329       · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
330
331       · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
332
333       · ecc - Elliptical Curve, defaults to ecc256.
334
335       · ecc192 - 192 bit ECC
336
337       · ecc224 - 224 bit ECC
338
339       · ecc256 - 256 bit ECC
340
341       · ecc384 - 384 bit ECC
342
343       · ecc521 - 521 bit ECC
344
345       · rsa - Default RSA: rsa2048
346
347       · rsa1024 - RSA with 1024 bit keysize.
348
349       · rsa2048 - RSA with 2048 bit keysize.
350
351       · rsa4096 - RSA with 4096 bit keysize.
352
353   Scheme Specifiers
354       Next, is an optional field, it can be skipped.
355
356       Schemes  are  usually Signing Schemes or Asymmetric Encryption Schemes.
357       Most signing schemes take a hash algorithm directly following the sign‐
358       ing  scheme.   If the hash algorithm is missing, it defaults to sha256.
359       Some take no arguments, and some take multiple arguments.
360
361   Hash Optional Scheme Specifiers
362       These scheme specifiers are followed by a dash and a valid  hash  algo‐
363       rithm, For example: oaep-sha256.
364
365       · oaep
366
367       · ecdh
368
369       · rsassa
370
371       · rsapss
372
373       · ecdsa
374
375       · ecschnorr
376
377   Multiple Option Scheme Specifiers
378       This  scheme  specifier  is  followed by a count (max size UINT16) then
379       folloed by a dash(-) and a valid hash algorithm.  * ecdaa For  example,
380       ecdaa4-sha256.  If no count is specified, it defaults to 4.
381
382   No Option Scheme Specifiers
383       This scheme specifier takes NO arguments.  * rsaes
384
385   Symmetric Details Specifiers
386       This  field is optional, and defaults based on the type of object being
387       created and it's attributes.  Generally, any valid Symmetric  specifier
388       from  the Type Specifiers list should work.  If not specified, an asym‐
389       metric objects symmetric details defaults to aes128cfb.
390
391   Examples
392   Create an rsa2048 key with an rsaes asymmetric encryption scheme
393       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
394
395   Create an ecc256 key with an ecdaa signing scheme with a count of 4
396       and sha384 hash
397
398       /tpm2_create -C parent.ctx -G ecc256:ec‐
399       daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
400

402       Object Attributes are used to control various properties of created ob‐
403       jects.  When specified as an option, either the raw  bitfield  mask  or
404       "nice-names"  may  be used.  The values can be found in Table 31 Part 2
405       of the TPM2.0 specification, which can be found here:
406
407       <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
408       Rev-2.0-Part-2-Structures-01.38.pdf>
409
410       Nice  names are calculated by taking the name field of table 31 and re‐
411       moving the prefix TPMA_OBJECT_ and lowercasing the result.   Thus,  TP‐
412       MA_OBJECT_FIXEDTPM  becomes  fixedtpm.   Nice names can be joined using
413       the bitwise or "|" symbol.
414
415       For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
416       and TPMA_OBJECT_SIGN_ENCRYPT, the argument would be:
417
418       fixedtpm|noda|sign specifying the object attributes ATTRIBUTES.
419

421       This  collection of options are common to many programs and provide in‐
422       formation that many users may expect.
423
424       · -h, --help=[man|no-man]: Display the tools manpage.  By  default,  it
425         attempts  to  invoke  the  manpager for the tool, however, on failure
426         will output a short tool summary.  This is the same behavior  if  the
427         "man"  option argument is specified, however if explicit "man" is re‐
428         quested, the tool will provide errors from man  on  stderr.   If  the
429         "no-man"  option  if  specified, or the manpager fails, the short op‐
430         tions will be output to stdout.
431
432         To successfully use the manpages feature requires the manpages to  be
433         installed or on MANPATH, See man(1) for more details.
434
435       · -v,  --version:  Display version information for this tool, supported
436         tctis and exit.
437
438       · -V, --verbose: Increase the information that the tool prints  to  the
439         console  during  its  execution.  When using this option the file and
440         line number are printed.
441
442       · -Q, --quiet: Silence normal tool output to stdout.
443
444       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
445         if  an  errata fixup needs to be applied to commands sent to the TPM.
446         Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.   in‐
447         formation many users may expect.
448

450       The  TCTI  or  "Transmission  Interface" is the communication mechanism
451       with the TPM.  TCTIs can be changed for communication with TPMs  across
452       different mediums.
453
454       To control the TCTI, the tools respect:
455
456       1. The command line option -T or --tcti
457
458       2. The environment variable: TPM2TOOLS_TCTI.
459
460       Note:  The  command  line option always overrides the environment vari‐
461       able.
462
463       The current known TCTIs are:
464
465       · tabrmd     -     The     resource     manager,     called      tabrmd
466         (https://github.com/tpm2-software/tpm2-abrmd).   Note that tabrmd and
467         abrmd as a tcti name are synonymous.
468
469       · mssim - Typically used for communicating to the TPM software  simula‐
470         tor.
471
472       · device - Used when talking directly to a TPM device file.
473
474       · none  - Do not initalize a connection with the TPM.  Some tools allow
475         for off-tpm options and thus support not using a TCTI.  Tools that do
476         not  support  it  will error when attempted to be used without a TCTI
477         connection.  Does not support ANY options and MUST  BE  presented  as
478         the exact text of "none".
479
480       The  arguments  to  either  the  command line option or the environment
481       variable are in the form:
482
483       <tcti-name>:<tcti-option-config>
484
485       Specifying an empty string for  either  the  <tcti-name>  or  <tcti-op‐
486       tion-config> results in the default being used for that portion respec‐
487       tively.
488
489   TCTI Defaults
490       When a TCTI is not specified, the default TCTI is  searched  for  using
491       dlopen(3)  semantics.   The  tools  will  search for tabrmd, device and
492       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You  can  query
493       what TCTI will be chosen as the default by using the -v option to print
494       the version information.  The "default-tcti" key-value pair will  indi‐
495       cate which of the aforementioned TCTIs is the default.
496
497   Custom TCTIs
498       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
499       tools internally use dlopen(3), and the raw tcti-name value is used for
500       the lookup.  Thus, this could be a path to the shared library, or a li‐
501       brary name as understood by dlopen(3) semantics.
502

504       This collection of options are used to configure the various known TCTI
505       modules available:
506
507       · device: For the device TCTI, the TPM character device file for use by
508         the device TCTI can be specified.  The default is /dev/tpm0.
509
510         Example:   -T   device:/dev/tpm0   or   export    TPM2TOOLS_TCTI="de‐
511         vice:/dev/tpm0"
512
513       · mssim:  For  the  mssim  TCTI, the domain name or IP address and port
514         number used by the simulator  can  be  specified.   The  default  are
515         127.0.0.1 and 2321.
516
517         Example:  -T  mssim:host=localhost,port=2321  or export TPM2TOOLS_TC‐
518         TI="mssim:host=localhost,port=2321"
519
520       · abrmd: For the abrmd TCTI, the configuration string format is  a  se‐
521         ries  of  simple  key value pairs separated by a ',' character.  Each
522         key and value string are separated by a '=' character.
523
524         · TCTI abrmd supports two keys:
525
526           1. 'bus_name' : The name of  the  tabrmd  service  on  the  bus  (a
527              string).
528
529           2. 'bus_type' : The type of the dbus instance (a string) limited to
530              'session' and 'system'.
531
532         Specify the tabrmd tcti name and a config string of  bus_name=com.ex‐
533         ample.FooBar:
534
535         \--tcti=tabrmd:bus_name=com.example.FooBar
536
537         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
538         sion:
539
540         \--tcti:bus_type=session
541
542         NOTE: abrmd and tabrmd are synonymous.  the various known  TCTI  mod‐
543         ules.
544

546   Setup
547       In  order  to  create  an object, we must first create a primary key as
548       it's parent.
549
550              tpm2_createprimary -c primary.ctx
551
552   Create an Object
553       This will create an object using all the default values and  store  the
554       TPM  sealed  private  and public portions to the paths specified via -u
555       and -r respectively.  The tool defaults to an RSA key.
556
557              tpm2_create -C primary.ctx -u obj.pub -r obj.priv
558
559   Seal Data to the TPM
560       Outside of key objects, the TPM allows for small amounts of user speci‐
561       fied data to be sealed to the TPM.
562
563              echo "my sealed data" > seal.dat
564              tpm2_create -C primary.ctx -i seal.dat -u obj.pub -r obj.priv
565
566   Create an EC Key Object and Load it to the TPM
567       Normally, when creating an object, only the public and private portions
568       of the object are returned and the caller needs to use tpm2_load(1)  to
569       load  those public and private portions to the TPM before being able to
570       use the object.  However, this can be accomplished within this  command
571       as well.
572
573              tpm2_create -C primary.ctx -G ecc -u obj.pub -r obj.priv -c ecc.ctx
574

576       Tools can return any of the following codes:
577
578       · 0 - Success.
579
580       · 1 - General non-specific error.
581
582       · 2 - Options handling error.
583
584       · 3 - Authentication error.
585
586       · 4 - TCTI related error.
587
588       · 5 - Non supported scheme.  Applicable to tpm2_testparams.
589

591       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
592

594       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
595
596
597
598tpm2-tools                                                      tpm2_create(1)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Context Object Format

Authorization Formatting

Algorithm Specifiers

Object Attributes

COMMON OPTIONS

TCTI Configuration

TCTI OPTIONS

EXAMPLES

Returns

BUGS

HELP