1tpm2_create(1) General Commands Manual tpm2_create(1)
2
3
4
6 tpm2_create(1) - create an object that can be loaded into a TPM using
7 tpm2_load. The object will need to be loaded before it may be used.
8
10 tpm2_create [OPTIONS]
11
13 tpm2_create(1) - create an object that can be loaded into a TPM using
14 tpm2_load. The object will need to be loaded before it may be used.
15
17 These options for creating the tpm entity:
18
19 · -H, –pparent=PARENT_HANDLE: The handle of the parent object to create
20 this object under.
21
22 · -c, –context-parent=PARENT_CONTEXT_FILE: The filename for parent con‐
23 text.
24
25 · -P, –pwdp=PARENT_KEY_PASSWORD: The password for parent key, optional.
26 Passwords should follow the “password formatting standards, see sec‐
27 tion”Password Formatting“.
28
29 · -K, –pwdk=KEY_PASSWORD: The password for key, optional. Follows the
30 password formatting of the “password for parent key” option: -P.
31
32 · -g, –halg=ALGORITHM: The hash algorithm to use. Algorithms should
33 follow the " formatting standards, see section “Algorithm Speci‐
34 fiers”. Also, see section “Supported Hash Algorithms” for a list of
35 supported hash algorithms.
36
37 · -G, –kalg=KEY_ALGORITHM: The algorithm associated with this object.
38 It accepts friendly names just like -g option. See section “Support‐
39 ed Public Object Algorithms” for a list of supported object algo‐
40 rithms.
41
42 · -A, –object-attributes=ATTRIBUTES: The object attributes, optional.
43 Object attribytes follow the specifications as outlined in “object
44 attribute specifiers”. The default for created objects is:
45
46 TPMA_OBJECT_SIGN|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TP‐
47 MA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH
48
49 · -I, –in-file=FILE: The data file to be sealed, optional. If file is
50 -, read from stdin. When sealing data only the TPM_ALG_KEYEDHASH al‐
51 gorithm is allowed.
52
53 · -L, –policy-file=POLICY_FILE: The input policy file, optional.
54
55 · -u, –pubfile=OUTPUT_PUBLIC_FILE: The output file which contains the
56 public portion of the created object, optional.
57
58 · -r, –privfile=OUTPUT_PRIVATE_FILE: The output file which contains the
59 sensitive portion of the object, optional.
60
61 · -S, –input-session-handle=SESSION_HANDLE: Optional Input session han‐
62 dle from a policy session for authorization.
63
65 This collection of options are common to many programs and provide in‐
66 formation that many users may expect.
67
68 · -h, –help: Display the tools manpage. This requires the manpages to
69 be installed or on MANPATH, See man(1) for more details.
70
71 · -v, –version: Display version information for this tool, supported
72 tctis and exit.
73
74 · -V, –verbose: Increase the information that the tool prints to the
75 console during its execution. When using this option the file and
76 line number are printed.
77
78 · -Q, –quiet: Silence normal tool output to stdout.
79
80 · -Z, –enable-errata: Enable the application of errata fixups. Useful
81 if an errata fixup needs to be applied to commands sent to the TPM.
82 # TCTI ENVIRONMENT
83
84 This collection of environment variables that may be used to configure
85 the various TCTI modules available.
86
87 The values passed through these variables can be overridden on a
88 per-command basis using the available command line options, see the TC‐
89 TI_OPTIONS section.
90
91 The variables respected depend on how the software was configured.
92
93 · TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the
94 next component down the TSS stack. In most configurations this will
95 be the TPM but it could be a simulator or proxy. The current known
96 TCTIs are:
97
98 · tabrmd - The new resource manager, called tabrmd
99 (https://github.com/01org/tpm2-abrmd).
100
101 · socket - Typically used with the old resource manager, or talking
102 directly to a simulator.
103
104 · device - Used when talking directly to a TPM device file.
105
106 · TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM
107 device file. The default is “/dev/tpm0”.
108
109 Note: Using the tpm directly requires the users to ensure that con‐
110 current access does not occur and that they manage the tpm resources.
111 These tasks are usually managed by a resource manager. Linux 4.12
112 and greater supports an in kernel resource manager at “/dev/tpmrm”,
113 typically “/dev/tpmrm0”.
114
115 · TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the do‐
116 main name or IP address used. The default is 127.0.0.1.
117
118 · TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port
119 number used. The default is 2321.
120
122 This collection of options are used to configure the varous TCTI mod‐
123 ules available. They override any environment variables.
124
125 · -T, –tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for communi‐
126 cation with the next component down the TSS stack. In most configu‐
127 rations this will be the resource manager: tabrmd
128 (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific op‐
129 tions can appended to TCTI_NAME by appending a : to TCTI_NAME.
130
131 · For the device TCTI, the TPM device file for use by the device TCTI
132 can be specified. The default is /dev/tpm0. Example: -T de‐
133 vice:/dev/tpm0
134
135 · For the socket TCTI, the domain name or IP address and port number
136 used by the socket can be specified. The default are 127.0.0.1 and
137 2321. Example: -T socket:127.0.0.1:2321
138
139 · For the abrmd TCTI, it takes no options. Example: -T abrmd
140
142 Passwords are interpreted in two forms, string and hex-string. A
143 string password is not interpreted, and is directly used for authoriza‐
144 tion. A hex-string, is converted from a hexidecimal form into a byte
145 array form, thus allowing passwords with non-printable and/or terminal
146 un-friendly characters.
147
148 By default passwords are assumed to be in the string form. Password
149 form is specified with special prefix values, they are:
150
151 · str: - Used to indicate it is a raw string. Useful for escaping a
152 password that starts with the “hex:” prefix.
153
154 · hex: - Used when specifying a password in hex string format.
155
157 Supported hash algorithms are:
158
159 · 0x4 or sha1 for TPM_ALG_SHA1 (default)
160
161 · 0xB or sha256 for TPM_ALG_SHA256
162
163 · 0xC or sha384 for TPM_ALG_SHA384
164
165 · 0xD or sha512 for TPM_ALG_SHA512
166
167 · 0x12 or sm3_256 for TPM_ALG_SM3_256
168
169 NOTE: Your TPM may not support all algorithms.
170
172 Supported public object algorithms are:
173
174 · 0x1 or rsa for TPM_ALG_RSA (default).
175
176 · 0x8 or keyedhash for TPM_ALG_KEYEDHASH.
177
178 · 0x23 or ecc for TPM_ALG_ECC.
179
180 · 0x25 or symcipher for TPM_ALG_SYMCIPHER.
181
182 NOTE: Your TPM may not support all algorithms.
183
185 Options that take algorithms support “nice-names”. Nice names, like
186 sha1 can be used in place of the raw hex for sha1: 0x4. The nice names
187 are converted by stripping the leading TPM_ALG_ from the Algorithm Name
188 field and converting it to lower case. For instance TPM_ALG_SHA3_256
189 becomes sha3_256.
190
191 The algorithms can be found at: <https://trustedcomputinggroup.org/wp-
192 content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
193
195 Object Attributes are used to control various properties of created ob‐
196 jects. When specified as an option, either the raw bitfield mask or
197 “nice-names” may be used. The values can be found in Table 31 Part 2
198 of the TPM2.0 specification, which can be found here:
199
200 <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
201 Rev-2.0-Part-2-Structures-01.38.pdf>
202
203 Nice names are calculated by taking the name field of table 31 and re‐
204 moving the prefix TPMA_OBJECT_ and lowercasing the result. Thus, TP‐
205 MA_OBJECT_FIXEDTPM becomes fixedtpm. Nice names can be joined using
206 the bitwise or “|” symbol.
207
208 For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
209 and TPMA_OBJECT_SIGN, the argument would be:
210
211 fixedtpm|noda|sign
212
214 tpm2_create -H 0x81010001 -P abc123 -K def456 -g sha256 -G keyedhash-I data.File
215 tpm2_create -c parent.context -P abc123 -K def456 -g sha256 -G keyedhash -I data.File
216 tpm2_create -H 0x81010001 -P 123abc -K 456def -X -g sha256 -G keyedhash -I data.File
217
219 0 on success or 1 on failure.
220
222 Github Issues (https://github.com/01org/tpm2-tools/issues)
223
225 See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
226
227
228
229tpm2-tools AUGUST 2017 tpm2_create(1)