1tpm2_create(1)              General Commands Manual             tpm2_create(1)
2
3
4

NAME

6       tpm2_create(1)  -  create an object that can be loaded into a TPM using
7       tpm2_load.  The object will need to be loaded before it may be used.
8

SYNOPSIS

10       tpm2_create [OPTIONS]
11

DESCRIPTION

13       tpm2_create(1) - create an object that can be loaded into a  TPM  using
14       tpm2_load.  The object will need to be loaded before it may be used.
15

OPTIONS

17       These options for creating the tpm entity:
18
19       · -H, –pparent=PARENT_HANDLE: The handle of the parent object to create
20         this object under.
21
22       · -c, –context-parent=PARENT_CONTEXT_FILE: The filename for parent con‐
23         text.
24
25       · -P, –pwdp=PARENT_KEY_PASSWORD: The password for parent key, optional.
26         Passwords should follow the “password formatting standards, see  sec‐
27         tion”Password Formatting“.
28
29       · -K,  –pwdk=KEY_PASSWORD: The password for key, optional.  Follows the
30         password formatting of the “password for parent key” option: -P.
31
32       · -g, –halg=ALGORITHM: The hash algorithm to  use.   Algorithms  should
33         follow  the  "  formatting  standards,  see section “Algorithm Speci‐
34         fiers”.  Also, see section “Supported Hash Algorithms” for a list  of
35         supported hash algorithms.
36
37       · -G,  –kalg=KEY_ALGORITHM:  The algorithm associated with this object.
38         It accepts friendly names just like -g option.  See section “Support‐
39         ed  Public  Object  Algorithms”  for a list of supported object algo‐
40         rithms.
41
42       · -A, –object-attributes=ATTRIBUTES: The object  attributes,  optional.
43         Object  attribytes  follow  the specifications as outlined in “object
44         attribute specifiers”.  The default for created objects is:
45
46         TPMA_OBJECT_SIGN|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TP‐
47         MA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH
48
49       · -I,  –in-file=FILE: The data file to be sealed, optional.  If file is
50         -, read from stdin.  When sealing data only the TPM_ALG_KEYEDHASH al‐
51         gorithm is allowed.
52
53       · -L, –policy-file=POLICY_FILE: The input policy file, optional.
54
55       · -u,  –pubfile=OUTPUT_PUBLIC_FILE:  The output file which contains the
56         public portion of the created object, optional.
57
58       · -r, –privfile=OUTPUT_PRIVATE_FILE: The output file which contains the
59         sensitive portion of the object, optional.
60
61       · -S, –input-session-handle=SESSION_HANDLE: Optional Input session han‐
62         dle from a policy session for authorization.
63

COMMON OPTIONS

65       This collection of options are common to many programs and provide  in‐
66       formation that many users may expect.
67
68       · -h,  –help: Display the tools manpage.  This requires the manpages to
69         be installed or on MANPATH, See man(1) for more details.
70
71       · -v, –version: Display version information for  this  tool,  supported
72         tctis and exit.
73
74       · -V,  –verbose:  Increase  the information that the tool prints to the
75         console during its execution.  When using this option  the  file  and
76         line number are printed.
77
78       · -Q, –quiet: Silence normal tool output to stdout.
79
80       · -Z,  –enable-errata: Enable the application of errata fixups.  Useful
81         if an errata fixup needs to be applied to commands sent to  the  TPM.
82         # TCTI ENVIRONMENT
83
84       This  collection of environment variables that may be used to configure
85       the various TCTI modules available.
86
87       The values passed through  these  variables  can  be  overridden  on  a
88       per-command basis using the available command line options, see the TC‐
89       TI_OPTIONS section.
90
91       The variables respected depend on how the software was configured.
92
93       · TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with  the
94         next  component down the TSS stack.  In most configurations this will
95         be the TPM but it could be a simulator or proxy.  The  current  known
96         TCTIs are:
97
98         · tabrmd    -    The    new    resource    manager,   called   tabrmd
99           (https://github.com/01org/tpm2-abrmd).
100
101         · socket - Typically used with the old resource manager,  or  talking
102           directly to a simulator.
103
104         · device - Used when talking directly to a TPM device file.
105
106       · TPM2TOOLS_DEVICE_FILE:  When  using  the device TCTI, specify the TPM
107         device file.  The default is “/dev/tpm0”.
108
109         Note: Using the tpm directly requires the users to ensure  that  con‐
110         current access does not occur and that they manage the tpm resources.
111         These tasks are usually managed by a resource  manager.   Linux  4.12
112         and  greater  supports an in kernel resource manager at “/dev/tpmrm”,
113         typically “/dev/tpmrm0”.
114
115       · TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the do‐
116         main name or IP address used.  The default is 127.0.0.1.
117
118       · TPM2TOOLS_SOCKET_PORT:  When  using the socket TCTI, specify the port
119         number used.  The default is 2321.
120

TCTI OPTIONS

122       This collection of options are used to configure the varous  TCTI  mod‐
123       ules available.  They override any environment variables.
124
125       · -T, –tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for communi‐
126         cation with the next component down the TSS stack.  In most  configu‐
127         rations    this    will    be    the    resource    manager:   tabrmd
128         (https://github.com/01org/tpm2-abrmd) Optionally, tcti  specific  op‐
129         tions can appended to TCTI_NAME by appending a : to TCTI_NAME.
130
131         · For the device TCTI, the TPM device file for use by the device TCTI
132           can be specified.  The  default  is  /dev/tpm0.   Example:  -T  de‐
133           vice:/dev/tpm0
134
135         · For  the socket TCTI, the domain name or IP address and port number
136           used by the socket can be specified.  The default are 127.0.0.1 and
137           2321.  Example: -T socket:127.0.0.1:2321
138
139         · For the abrmd TCTI, it takes no options.  Example: -T abrmd
140

Password Formatting

142       Passwords  are  interpreted  in  two  forms,  string and hex-string.  A
143       string password is not interpreted, and is directly used for authoriza‐
144       tion.   A  hex-string, is converted from a hexidecimal form into a byte
145       array form, thus allowing passwords with non-printable and/or  terminal
146       un-friendly characters.
147
148       By  default  passwords  are assumed to be in the string form.  Password
149       form is specified with special prefix values, they are:
150
151       · str: - Used to indicate it is a raw string.  Useful  for  escaping  a
152         password that starts with the “hex:” prefix.
153
154       · hex: - Used when specifying a password in hex string format.
155

Supported Hash Algorithms

157       Supported hash algorithms are:
158
159       · 0x4 or sha1 for TPM_ALG_SHA1 (default)
160
161       · 0xB or sha256 for TPM_ALG_SHA256
162
163       · 0xC or sha384 for TPM_ALG_SHA384
164
165       · 0xD or sha512 for TPM_ALG_SHA512
166
167       · 0x12 or sm3_256 for TPM_ALG_SM3_256
168
169       NOTE: Your TPM may not support all algorithms.
170

Supported Public Object Algorithms

172       Supported public object algorithms are:
173
174       · 0x1 or rsa for TPM_ALG_RSA (default).
175
176       · 0x8 or keyedhash for TPM_ALG_KEYEDHASH.
177
178       · 0x23 or ecc for TPM_ALG_ECC.
179
180       · 0x25 or symcipher for TPM_ALG_SYMCIPHER.
181
182       NOTE: Your TPM may not support all algorithms.
183

Algorithm Specfiers

185       Options  that  take  algorithms support “nice-names”.  Nice names, like
186       sha1 can be used in place of the raw hex for sha1: 0x4.  The nice names
187       are converted by stripping the leading TPM_ALG_ from the Algorithm Name
188       field and converting it to lower case.  For  instance  TPM_ALG_SHA3_256
189       becomes sha3_256.
190
191       The  algorithms can be found at: <https://trustedcomputinggroup.org/wp-
192       content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
193

Object Attributes

195       Object Attributes are used to control various properties of created ob‐
196       jects.   When  specified  as an option, either the raw bitfield mask or
197       “nice-names” may be used.  The values can be found in Table 31  Part  2
198       of the TPM2.0 specification, which can be found here:
199
200       <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
201       Rev-2.0-Part-2-Structures-01.38.pdf>
202
203       Nice names are calculated by taking the name field of table 31 and  re‐
204       moving  the  prefix TPMA_OBJECT_ and lowercasing the result.  Thus, TP‐
205       MA_OBJECT_FIXEDTPM becomes fixedtpm.  Nice names can  be  joined  using
206       the bitwise or “|” symbol.
207
208       For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
209       and TPMA_OBJECT_SIGN, the argument would be:
210
211       fixedtpm|noda|sign
212

EXAMPLES

214              tpm2_create -H 0x81010001 -P abc123 -K def456 -g sha256 -G keyedhash-I data.File
215              tpm2_create -c parent.context -P abc123 -K def456 -g sha256 -G keyedhash -I data.File
216              tpm2_create -H 0x81010001 -P 123abc -K 456def -X -g sha256 -G keyedhash -I data.File
217

RETURNS

219       0 on success or 1 on failure.
220

BUGS

222       Github Issues (https://github.com/01org/tpm2-tools/issues)
223

HELP

225       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
226
227
228
229tpm2-tools                        AUGUST 2017                   tpm2_create(1)
Impressum