tpm2_getpubak(1)            General Commands Manual           tpm2_getpubak(1)

NAME

       tpm2_getpubak(1) - Generate an attestation key with the given algorithm
       under the endorsement hierarchy.

SYNOPSIS

       tpm2_getpubak [OPTIONS]

DESCRIPTION

       tpm2_getpubak(1) - Generate an attestation key (AK) with the given
       algorithm under the endorsement hierarchy, make it persistent at the
       given AK handle, and return the public AK and the AK name.  If any
       password option is missing, NULL is assumed.

       The tool outputs to stdout a YAML representation of the loaded key
       handle as well as its name, for example:

              loaded-key:
                handle: 800000ff
                name: 000bac149518baa05540a0678bd9b624f8a98d042e46c60f4d098ba394d36fc49268
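
       The name printed above is not an arbitrary identifier: per the TPM 2.0
       Library specification it is the name algorithm id (here 000b, i.e.
       TPM_ALG_SHA256) followed by that hash of the marshalled TPMT_PUBLIC, so
       a verifier that receives ak.pub (the TPM2B_PUBLIC written by -f) can
       recompute it.  The following Python is an added example, not part of
       tpm2-tools; the RSA public area and its modulus are constructed sample
       data, and the routine handles every name hash in its table rather than
       only SHA-256.

```python
import hashlib
import struct

# Name hash algorithms by TPM_ALG_ID (TCG Algorithm Registry).
NAME_HASHES = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}


def tpm_name_from_tpm2b_public(blob: bytes) -> bytes:
    """Name = nameAlg (UINT16, big-endian) || H_nameAlg(TPMT_PUBLIC).

    `blob` is a marshalled TPM2B_PUBLIC as written by `-f`: a 2-byte size
    followed by the TPMT_PUBLIC public area.  Only the public area is hashed.
    """
    if len(blob) < 2:
        raise ValueError("blob too short for a TPM2B_PUBLIC")
    (size,) = struct.unpack(">H", blob[:2])
    public_area = blob[2:2 + size]
    if size < 4 or len(public_area) != size:
        raise ValueError("TPM2B_PUBLIC size field does not match blob length")
    # TPMT_PUBLIC begins with type (UINT16) and nameAlg (UINT16).
    _type, name_alg = struct.unpack(">HH", public_area[:4])
    if name_alg not in NAME_HASHES:
        raise ValueError(f"unsupported nameAlg 0x{name_alg:04x}")
    digest = hashlib.new(NAME_HASHES[name_alg], public_area).digest()
    return struct.pack(">H", name_alg) + digest


def verify_ak_name(blob: bytes, reported_name_hex: str) -> bool:
    """True when the `name:` value from the YAML output matches `blob`."""
    return tpm_name_from_tpm2b_public(blob) == bytes.fromhex(reported_name_hex)


def constructed_rsa_public(modulus: bytes) -> bytes:
    """Constructed TPM2B_PUBLIC for a restricted RSA signing key named with SHA-256.

    Sample data only: a real AK public area comes from the TPM via `-f ./ak.pub`.
    """
    area = struct.pack(">HH", 0x0001, 0x000B)          # type TPM_ALG_RSA, nameAlg TPM_ALG_SHA256
    area += struct.pack(">I", 0x00050072)             # objectAttributes: fixedTPM|fixedParent|
                                                      #   sensitiveDataOrigin|userWithAuth|restricted|sign
    area += struct.pack(">H", 0)                      # authPolicy: empty TPM2B_DIGEST
    area += struct.pack(">H", 0x0010)                 # parameters.symmetric: TPM_ALG_NULL
    area += struct.pack(">HH", 0x0014, 0x000B)        # parameters.scheme: TPM_ALG_RSASSA with SHA256
    area += struct.pack(">HI", 2048, 0)               # keyBits, exponent (0 selects the default)
    area += struct.pack(">H", len(modulus)) + modulus  # unique: TPM2B_PUBLIC_KEY_RSA
    return struct.pack(">H", len(area)) + area
```

       A mismatch means the public key presented does not belong to the name
       the TPM reported, so the verifier should reject it before trusting any
       quote signed with that key.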

OPTIONS

       · -e, --endorse-passwd=ENDORSE_PASSWORD: Specifies the current
         endorsement password, defaults to NULL.  Passwords should follow the
         password formatting standards, see section “Password Formatting”.

       · -P, --ak-passwd=AK_PASSWORD: Specifies the AK password when created,
         defaults to NULL.  Same formatting as the endorse password value or
         -e option.

       · -o, --owner-passwd=OWNER_PASSWORD: Specifies the current owner
         password, defaults to NULL.  Same formatting as the endorse password
         value or -e option.

       · -E, --ek-handle=EK_HANDLE: Specifies the handle used to make the EK
         persistent.

       · -k, --ak-handle=AK_HANDLE: Specifies the handle used to make the AK
         persistent.

       · -g, --alg=ALGORITHM: Specifies the algorithm type of the AK.
         Algorithms should follow the algorithm formatting standards, see
         section “Algorithm Specifiers”.  See section “Supported Public Object
         Algorithms” for a list of supported object algorithms.

       · -g, --alg=ALGORITHM: Like -g, but specifies the signing algorithm.
         See section “Supported Signing Algorithms” for details.

       · -f, --file=FILE: Specifies the file used to save the public portion of
         the AK.  This will be a binary data structure corresponding to the
         TPM2B_PUBLIC struct in the specification.

       · -n, --ak-name=NAME: Specifies the file used to save the AK name,
         optional.

COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       · -h, --help: Display the tool's manpage.  This requires the manpages to
         be installed or on MANPATH; see man(1) for more details.

       · -v, --version: Display version information for this tool and the
         supported TCTIs, then exit.

       · -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       · -Q, --quiet: Silence normal tool output to stdout.

       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.

TCTI ENVIRONMENT

       This is a collection of environment variables that may be used to
       configure the various TCTI modules available.

       The values passed through these variables can be overridden on a
       per-command basis using the available command line options, see the
       TCTI OPTIONS section.

       The variables respected depend on how the software was configured.

       · TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the
         next component down the TSS stack.  In most configurations this will
         be the TPM but it could be a simulator or proxy.  The current known
         TCTIs are:

         · tabrmd - The new resource manager, called tabrmd
           (https://github.com/01org/tpm2-abrmd).

         · socket - Typically used with the old resource manager, or talking
           directly to a simulator.

         · device - Used when talking directly to a TPM device file.

       · TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM
         device file.  The default is “/dev/tpm0”.

         Note: Using the TPM directly requires the users to ensure that
         concurrent access does not occur and that they manage the TPM
         resources.  These tasks are usually managed by a resource manager.
         Linux 4.12 and greater supports an in-kernel resource manager at
         “/dev/tpmrm”, typically “/dev/tpmrm0”.

       · TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the
         domain name or IP address used.  The default is 127.0.0.1.

       · TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port
         number used.  The default is 2321.

TCTI OPTIONS

       This collection of options is used to configure the various TCTI
       modules available.  They override any environment variables.

       · -T, --tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for
         communication with the next component down the TSS stack.  In most
         configurations this will be the resource manager: tabrmd
         (https://github.com/01org/tpm2-abrmd).  Optionally, TCTI specific
         options can be appended to TCTI_NAME by appending a : to TCTI_NAME.

         · For the device TCTI, the TPM device file for use by the device TCTI
           can be specified.  The default is /dev/tpm0.  Example:
           -T device:/dev/tpm0

         · For the socket TCTI, the domain name or IP address and port number
           used by the socket can be specified.  The defaults are 127.0.0.1
           and 2321.  Example: -T socket:127.0.0.1:2321

         · For the abrmd TCTI, it takes no options.  Example: -T abrmd

Password Formatting

       Passwords are interpreted in two forms, string and hex-string.  A
       string password is not interpreted, and is directly used for
       authorization.  A hex-string is converted from a hexadecimal form into
       a byte array form, thus allowing passwords with non-printable and/or
       terminal-unfriendly characters.

       By default passwords are assumed to be in the string form.  Password
       form is specified with special prefix values; they are:

       · str: - Used to indicate it is a raw string.  Useful for escaping a
         password that starts with the “hex:” prefix.

       · hex: - Used when specifying a password in hex string format.
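
       The prefix rules above, implemented in Python as an added example (not
       tpm2-tools code): the function returns the bytes that would be sent as
       the authorization value, treats “str:” as an escape so a password that
       itself begins with “hex:” survives, and rejects malformed hex instead
       of guessing.

```python
def parse_tpm_password(arg: str) -> bytes:
    """Return the authorization bytes for a password command-line argument.

    - no prefix     : used verbatim (the default, string form)
    - "str:" prefix : the remainder is used verbatim, even if it begins with "hex:"
    - "hex:" prefix : the remainder is decoded from hexadecimal into raw bytes
    """
    if arg.startswith("str:"):
        return arg[len("str:"):].encode("utf-8")
    if arg.startswith("hex:"):
        hexdigits = arg[len("hex:"):]
        try:
            return bytes.fromhex(hexdigits)
        except ValueError:
            # Odd length or a non-hex character: refuse rather than guess.
            raise ValueError(f"malformed hex: password {hexdigits!r}") from None
    return arg.encode("utf-8")


def password_is_well_formed(arg: str) -> bool:
    """True when `arg` parses under the rules above."""
    try:
        parse_tpm_password(arg)
    except ValueError:
        return False
    return True
```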

Supported Signing Algorithms

       Supported algorithms are:

       · 0x5 or hmac for TPM_ALG_HMAC (default)

       · 0x14 or rsassa for TPM_ALG_RSASSA

       · 0x16 or rsapss for TPM_ALG_RSAPSS

       · 0x18 or ecdsa for TPM_ALG_ECDSA

       · 0x1A or ecdaa for TPM_ALG_ECDAA

       · 0x1B or sm2 for TPM_ALG_SM2

       · 0x1C or ecschnorr for TPM_ALG_ECSCHNORR

       NOTE: Your TPM may not support all algorithms.

Supported Public Object Algorithms

       Supported public object algorithms are:

       · 0x1 or rsa for TPM_ALG_RSA (default).

       · 0x8 or keyedhash for TPM_ALG_KEYEDHASH.

       · 0x23 or ecc for TPM_ALG_ECC.

       · 0x25 or symcipher for TPM_ALG_SYMCIPHER.

       NOTE: Your TPM may not support all algorithms.

Algorithm Specifiers

       Options that take algorithms support “nice-names”.  Nice names, like
       sha1, can be used in place of the raw hex for sha1: 0x4.  The nice names
       are converted by stripping the leading TPM_ALG_ from the Algorithm Name
       field and converting it to lower case.  For instance TPM_ALG_SHA3_256
       becomes sha3_256.

       The algorithms can be found at:
       <https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
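
       The nice-name rule and the two algorithm tables from this page, as an
       added Python example (not tpm2-tools code): an argument is accepted
       either as raw hex or as a nice name, and is resolved only against the
       table appropriate to the option, so a public object algorithm such as
       rsa is not silently accepted where a signing algorithm is expected.

```python
# Tables from the "Supported Signing Algorithms" and "Supported Public Object
# Algorithms" sections of this page (TPM_ALG_ID -> registry name).
SIGNING_ALGS = {
    0x5: "TPM_ALG_HMAC", 0x14: "TPM_ALG_RSASSA", 0x16: "TPM_ALG_RSAPSS",
    0x18: "TPM_ALG_ECDSA", 0x1A: "TPM_ALG_ECDAA", 0x1B: "TPM_ALG_SM2",
    0x1C: "TPM_ALG_ECSCHNORR",
}
PUBLIC_OBJECT_ALGS = {
    0x1: "TPM_ALG_RSA", 0x8: "TPM_ALG_KEYEDHASH", 0x23: "TPM_ALG_ECC",
    0x25: "TPM_ALG_SYMCIPHER",
}


def nice_name(registry_name: str) -> str:
    """TPM_ALG_SHA3_256 -> sha3_256: strip the TPM_ALG_ prefix, lower-case the rest."""
    prefix = "TPM_ALG_"
    if not registry_name.startswith(prefix):
        raise ValueError(f"not a registry algorithm name: {registry_name!r}")
    return registry_name[len(prefix):].lower()


def resolve_alg(spec: str, table: dict) -> int:
    """Resolve an algorithm argument, either raw hex ("0x14") or a nice name
    ("rsassa"), to its TPM_ALG_ID, accepting only ids present in `table`."""
    spec = spec.strip()
    if spec.lower().startswith("0x"):
        try:
            value = int(spec, 16)
        except ValueError:
            raise ValueError(f"bad hex algorithm id {spec!r}") from None
    else:
        by_nice_name = {nice_name(name): alg_id for alg_id, name in table.items()}
        value = by_nice_name.get(spec.lower())
    if value not in table:
        raise ValueError(f"algorithm {spec!r} is not supported for this option")
    return value


def is_supported(spec: str, table: dict) -> bool:
    """True when `spec` resolves against `table` under the rules above."""
    try:
        resolve_alg(spec, table)
    except ValueError:
        return False
    return True
```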

EXAMPLES

              tpm2_getpubak -e abc123 -P abc123 -o passwd -E 0x81010001 -k 0x81010002 -f ./ak.pub -n ./ak.name
              tpm2_getpubak -e 1a1b1c -P 123abc -o 1a1b1c -X -E 0x81010001 -k 0x81010002 -f ./ak.pub -n ./ak.name

RETURNS

       0 on success or 1 on failure.

BUGS

       Github Issues (https://github.com/01org/tpm2-tools/issues)

HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)

tpm2-tools                      SEPTEMBER 2017                tpm2_getpubak(1)