tpm2_makecredential(1)      General Commands Manual     tpm2_makecredential(1)


NAME

       tpm2_makecredential(1) - Generate the encrypted-user-chosen-data and
       the wrapped-secret-data-encryption-key for the privacy-sensitive
       credentialing process of a TPM object.


SYNOPSIS

       tpm2_makecredential [OPTIONS]


DESCRIPTION

       tpm2_makecredential(1) - The TPM supports a privacy preserving protocol
       for distributing credentials for keys on a TPM. The process guarantees
       that the credentialed-TPM-object (AIK) is loaded on the same TPM as a
       well-known public-key-object (EK) without disclosing the specific
       public properties of the credentialed-TPM-object (AIK). Privacy is
       preserved because only the name of the credentialed-TPM-object (AIK)
       is shared, not the credentialed-TPM-object's public key itself.

       Make-credential is the first step in this process: after receiving the
       public-key-object (EK) public key of the TPM and the name of the
       credentialed-TPM-object (AIK), an encrypted-user-chosen-data is
       generated, and a secret-data-encryption-key is generated and wrapped
       using cryptographic processes specific to credential activation. These
       guarantee that the encrypted-user-chosen-data can only be recovered if
       the credentialed-TPM-object (AIK) is loaded on the TPM that holds the
       well-known public-key-object (EK).

       tpm2_makecredential can be used to generate the encrypted-user-chosen-
       data and the wrapped secret-data-encryption-key without a TPM by using
       the none TCTI option.

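       The following Go program is an added example, not code from tpm2-tools,
       that carries out the credential-protection computation described above
       for an RSA-2048 EK with nameAlg SHA-256 and AES-128-CFB (the TCG EK
       template), and then the TPM-side TPM2_ActivateCredential check, so the
       binding to the AIK name can be exercised without a TPM. The EK key pair,
       the AIK public area and the credential value "12345678" are constructed
       stand-ins. It produces the raw TPM2B_ID_OBJECT and TPM2B_ENCRYPTED_SECRET
       bodies; the file framing tpm2_makecredential writes to --credential-blob
       is not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// AKName builds a TPM 2.0 name: nameAlg (TPM_ALG_SHA256 = 0x000B) || SHA-256(public area).
func AKName(publicArea []byte) []byte {
	h := sha256.Sum256(publicArea)
	return append([]byte{0x00, 0x0B}, h[:]...)
}

// kdfa is TPM 2.0 KDFa: SP800-108 counter mode over HMAC-SHA256, NUL-terminated label.
func kdfa(seed []byte, label string, contextU, contextV []byte, bits int) []byte {
	var out []byte
	for i := uint32(1); len(out) < bits/8; i++ {
		mac := hmac.New(sha256.New, seed)
		binary.Write(mac, binary.BigEndian, i)
		mac.Write(append(append(append([]byte(label), 0), contextU...), contextV...))
		binary.Write(mac, binary.BigEndian, uint32(bits))
		out = mac.Sum(out)
	}
	return out[:bits/8]
}

// cfb is AES-128-CFB, zero IV, under symKey = KDFa(seed, "STORAGE", name, nil, 128); the name enters the key.
func cfb(seed, name, in []byte, encrypt bool) []byte {
	block, _ := aes.NewCipher(kdfa(seed, "STORAGE", name, nil, 128)) // 16-byte key: cannot fail
	out, iv := make([]byte, len(in)), make([]byte, aes.BlockSize)
	if encrypt {
		cipher.NewCFBEncrypter(block, iv).XORKeyStream(out, in)
	} else {
		cipher.NewCFBDecrypter(block, iv).XORKeyStream(out, in)
	}
	return out
}

// outerHMAC is HMAC(KDFa(seed, "INTEGRITY", nil, nil, 256), encIdentity || name).
func outerHMAC(seed, encIdentity, name []byte) []byte {
	mac := hmac.New(sha256.New, kdfa(seed, "INTEGRITY", nil, nil, 256))
	mac.Write(encIdentity)
	mac.Write(name)
	return mac.Sum(nil)
}

// MakeCredential is the issuer side: it needs only the EK public key and the AIK name. It returns
// the TPM2B_ID_OBJECT body (integrityHMAC as a TPM2B_DIGEST, then encIdentity) and the OAEP-wrapped seed.
func MakeCredential(ek *rsa.PublicKey, name, secret []byte) (idObject, encSeed []byte, err error) {
	seed := make([]byte, sha256.Size) // fresh random seed, sized to the EK nameAlg digest
	if _, err = rand.Read(seed); err != nil || len(secret) > sha256.Size {
		return nil, nil, errors.New("rng failure or secret too large for a TPM2B_DIGEST")
	}
	if encSeed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, ek, seed, []byte("IDENTITY\x00")); err != nil {
		return nil, nil, err
	}
	cred := append(binary.BigEndian.AppendUint16(nil, uint16(len(secret))), secret...) // TPM2B_DIGEST
	encIdentity := cfb(seed, name, cred, true)
	integrity := outerHMAC(seed, encIdentity, name)
	idObject = append(binary.BigEndian.AppendUint16(nil, uint16(len(integrity))), integrity...)
	return append(idObject, encIdentity...), encSeed, nil
}

// ActivateCredential is the TPM side: recover the seed with the EK private key,
// check the HMAC against the name of the loaded object, and only then decrypt.
func ActivateCredential(ek *rsa.PrivateKey, name, idObject, encSeed []byte) ([]byte, error) {
	seed, err := rsa.DecryptOAEP(sha256.New(), nil, ek, encSeed, []byte("IDENTITY\x00"))
	if err != nil {
		return nil, err
	}
	if len(idObject) < 2+sha256.Size || binary.BigEndian.Uint16(idObject) != sha256.Size {
		return nil, errors.New("malformed id object")
	}
	integrity, encIdentity := idObject[2:2+sha256.Size], idObject[2+sha256.Size:]
	if !hmac.Equal(outerHMAC(seed, encIdentity, name), integrity) {
		return nil, errors.New("integrity check failed: wrong object name or tampered blob")
	}
	if cred := cfb(seed, name, encIdentity, false); len(cred) >= 2 && int(binary.BigEndian.Uint16(cred)) == len(cred)-2 {
		return cred[2:], nil
	}
	return nil, errors.New("malformed credential")
}

func main() {
	ek, _ := rsa.GenerateKey(rand.Reader, 2048)          // constructed stand-in for the EK; rand.Reader does not fail
	name := AKName([]byte("constructed AK public area")) // constructed stand-in for ak.name
	idObject, encSeed, err := MakeCredential(&ek.PublicKey, name, []byte("12345678"))
	if err != nil {
		panic(err)
	}
	secret, err := ActivateCredential(ek, name, idObject, encSeed)
	fmt.Printf("recovered %q (err=%v) from a %d-byte id object\n", secret, err, len(idObject))
}
```

       Passing a different name to ActivateCredential fails the HMAC before any
       decryption takes place: that check is what stops a credential made for
       one AIK from being activated against another object, and it is the same
       check tpm2_activatecredential relies on, with the EK private key never
       leaving the TPM.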

OPTIONS

       -e, --encryption-key=FILE:

         DEPRECATED, use -u or --public instead.

       -u, --public=FILE:

         The TPM public key (typically the EK) used to wrap the seed. NOTE:
         This option is the same as -e and was added for consistency with
         other tools that take a public key. The old option is retained for
         backwards compatibility.

       -G, --key-algorithm=ALGORITHM:

         The key algorithm associated with the TPM public key. Specify either
         rsa or ecc. When this option is used, the input public key is
         expected to be in PEM format and the default TCG EK template is used
         for the key properties.

       -s, --secret=FILE or STDIN:

         The secret which will be protected by the key derived from the
         random seed. It can be specified as a file or passed from stdin
         (use - as the path).

       -n, --name=FILE:

         The name of the key (the AIK) for which the credential is to be
         created.

       -o, --credential-blob=FILE:

         The output file path, recording the encrypted-user-chosen-data and
         the wrapped secret-data-encryption-key.


COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       -h, --help=[man|no-man]: Display the tool's manpage. By default, it
         attempts to invoke the manpager for the tool; however, on failure it
         will output a short tool summary. This is the same behavior if the
         “man” option argument is specified; however, if “man” is explicitly
         requested, the tool will provide errors from man on stderr. If the
         “no-man” option is specified, or the manpager fails, the short
         options will be output to stdout.

         To successfully use the manpages feature requires the manpages to be
         installed or on MANPATH. See man(1) for more details.

       -v, --version: Display version information for this tool and the
         supported TCTIs, and exit.

       -V, --verbose: Increase the information that the tool prints to the
         console during its execution. When using this option the file and
         line number are printed.

       -Q, --quiet: Silence normal tool output to stdout.

       -Z, --enable-errata: Enable the application of errata fixups. Useful
         if an errata fixup needs to be applied to commands sent to the TPM.
         Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
         equivalent.


TCTI Configuration

       The TCTI or “Transmission Interface” is the communication mechanism
       with the TPM. TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       • tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
         abrmd as a tcti name are synonymous.

       • mssim - Typically used for communicating to the TPM software
         simulator.

       • device - Used when talking directly to a TPM device file.

       • none - Do not initialize a connection with the TPM. Some tools allow
         for off-TPM options and thus support not using a TCTI (this tool
         does, when given a PEM public key). Tools that do not support it
         will error when attempted to be used without a TCTI connection. Does
         not support ANY options and MUST BE presented as the exact text of
         “none”.

       The arguments to either the command line option or the environment
       variable are in the form:

       <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that
       portion respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics. The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
       what TCTI will be chosen as the default by using the -v option to
       print the version information. The “default-tcti” key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded. The
       tools internally use dlopen(3), and the raw tcti-name value is used
       for the lookup. Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.


TCTI OPTIONS

       This collection of options is used to configure the various known TCTI
       modules available:

       device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified. The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or
         export TPM2TOOLS_TCTI="device:/dev/tpm0"

       mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified. The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or
         export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       abrmd: For the abrmd TCTI, the configuration string format is a series
         of simple key value pairs separated by a `,' character. Each key and
         value string are separated by a `=' character.

         • TCTI abrmd supports two keys:

           1. `bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. `bus_type' : The type of the dbus instance (a string) limited to
              `session' and `system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

                --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti and a config string of
         bus_type=session:

                --tcti:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.


EXAMPLES

              # Create the EK (persisted at 0x81010009) and an AK under it; -n writes the
              # AK's name, which is the only AK material the credential issuer needs.
              tpm2 createek -Q -c 0x81010009 -G rsa -u ek.pub

              tpm2 createak -C 0x81010009 -c ak.ctx -G rsa -g sha256 -s rsassa -u ak.pub \
                -n ak.name -p akpass > ak.out

              # -n takes the name as a hex string: hex-encode the whole file on one line.
              loaded_key_name=$(xxd -p ak.name | tr -d '\n')

              # Export the EK public key as PEM; with -G rsa the tool applies the TCG EK
              # template to it, so this step needs no further TPM access.
              tpm2 readpublic -c 0x81010009 -o ek.pem -f pem -Q

              echo "12345678" | tpm2 makecredential -Q -u ek.pem -s - -n "$loaded_key_name" \
                -o mkcred.out -G rsa


Returns

       Tools can return any of the following codes:

       • 0 - Success.

       • 1 - General non-specific error.

       • 2 - Options handling error.

       • 3 - Authentication error.

       • 4 - TCTI related error.

       • 5 - Non supported scheme. Applicable to tpm2_testparams.


BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)


HELP

       See the Mailing List
       (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)



tpm2-tools                                              tpm2_makecredential(1)