tpm2_createprimary(1) General Commands Manual tpm2_createprimary(1)

# NAME

tpm2_createprimary(1) - Create a primary key under a primary seed or a temporary primary key under the TPM_RH_NULL hierarchy.

# SYNOPSIS

tpm2_createprimary [OPTIONS]

# DESCRIPTION

tpm2_createprimary(1) - This command is used to create a Primary Object under one of the Primary Seeds or a Temporary Object under TPM_RH_NULL. The command uses a TPM2B_PUBLIC as a template for the object to be created. The command will create and load a Primary Object. The sensitive area is not returned.

# OPTIONS

· -H, --hierarchy=HIERARCHY: Specify the hierarchy under which the object is created. This will also dictate which authorization secret (if any) must be supplied. Supported options are:

· o for TPM_RH_OWNER

· p for TPM_RH_PLATFORM

· e for TPM_RH_ENDORSEMENT

· n for TPM_RH_NULL

· -P, --pwdp=PARENT_KEY_PASSWORD: Optional authorization string if authorization is required to create the object under the specified hierarchy. Passwords should follow the password formatting standards, see section "Password Formatting".

· -K, --pwdk=KEY_PASSWORD: Optional authorization string for the newly created object. Follows the same password formatting guidelines as the parent authorization string under the -P option.

· -g, --halg=ALGORITHM: The hash algorithm to use. Algorithms should follow the algorithm formatting standards, see section "Algorithm Specifiers". Also, see section "Supported Hash Algorithms" for a list of supported hash algorithms.

· -G, --kalg=KEY_ALGORITHM: Algorithm type for the generated key. It supports friendly names like the -g option. See section "Supported Public Object Algorithms" for a list of supported object algorithms.

· -C, --context=CONTEXT_FILE: An optional file used to store the object context returned.

· -L, --policy-file=POLICY_FILE: An optional file input that contains the policy digest for policy based authorization of the object.

· -A, --object-attributes=ATTRIBUTES: The object attributes, optional. Object attributes follow the specifications as outlined in section "Object Attributes". The default for created objects is:

TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH

· -S, --input-session-handle=SESSION_HANDLE: Optional input session handle from a policy session for authorization.

# COMMON OPTIONS

This collection of options is common to many programs and provides information that many users may expect.

· -h, --help: Display the tool's manpage. This requires the manpages to be installed or on MANPATH. See man(1) for more details.

· -v, --version: Display version information for this tool, supported TCTIs and exit.

· -V, --verbose: Increase the information that the tool prints to the console during its execution. When using this option the file and line number are printed.

· -Q, --quiet: Silence normal tool output to stdout.

· -Z, --enable-errata: Enable the application of errata fixups. Useful if an errata fixup needs to be applied to commands sent to the TPM.

# TCTI ENVIRONMENT

This collection of environment variables may be used to configure the various TCTI modules available.

The values passed through these variables can be overridden on a per-command basis using the available command line options, see the TCTI_OPTIONS section.

The variables respected depend on how the software was configured.

· TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the next component down the TSS stack. In most configurations this will be the TPM but it could be a simulator or proxy. The currently known TCTIs are:

· tabrmd - The new resource manager, called tabrmd (https://github.com/01org/tpm2-abrmd).

· socket - Typically used with the old resource manager, or talking directly to a simulator.

· device - Used when talking directly to a TPM device file.

· TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM device file. The default is "/dev/tpm0".

Note: Using the TPM directly requires the user to ensure that concurrent access does not occur and that they manage the TPM resources. These tasks are usually managed by a resource manager. Linux 4.12 and greater supports an in-kernel resource manager at "/dev/tpmrm", typically "/dev/tpmrm0".

· TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the domain name or IP address used. The default is 127.0.0.1.

· TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port number used. The default is 2321.

# TCTI OPTIONS

This collection of options is used to configure the various TCTI modules available. They override any environment variables.

· -T, --tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for communication with the next component down the TSS stack. In most configurations this will be the resource manager: tabrmd (https://github.com/01org/tpm2-abrmd). Optionally, TCTI specific options can be appended to TCTI_NAME by appending a : to TCTI_NAME.

· For the device TCTI, the TPM device file for use by the device TCTI can be specified. The default is /dev/tpm0. Example: -T device:/dev/tpm0

· For the socket TCTI, the domain name or IP address and port number used by the socket can be specified. The defaults are 127.0.0.1 and 2321. Example: -T socket:127.0.0.1:2321

· For the abrmd TCTI, it takes no options. Example: -T abrmd

# Password Formatting

Passwords are interpreted in two forms, string and hex-string. A string password is not interpreted, and is directly used for authorization. A hex-string is converted from a hexadecimal form into a byte array form, thus allowing passwords with non-printable and/or terminal-unfriendly characters.

By default passwords are assumed to be in the string form. Password form is specified with special prefix values, they are:

· str: - Used to indicate it is a raw string. Useful for escaping a password that starts with the "hex:" prefix.

· hex: - Used when specifying a password in hex string format.

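The prefix rules above are small but easy to get wrong when an authorization value is generated by a script (an odd number of hex digits, or a literal password that happens to start with "hex:"). The following is an added example, not tpm2-tools code, that applies the str:/hex: interpretation to a value as it would be passed to -P or -K and rejects malformed hex input instead of silently passing something else to the TPM. The function names and the sample values are constructed for this illustration.

```python
# Added example (not part of tpm2-tools): interpret an authorization string the
# way the -P / -K options describe it. An optional "str:" or "hex:" prefix
# selects the form; a value with neither prefix is used verbatim.
import binascii


def parse_auth(value: str) -> bytes:
    """Return the authorization value as the byte array the TPM would receive."""
    if value.startswith("hex:"):
        hex_part = value[len("hex:"):]
        # Every byte needs two digits; catching this here gives a clear error
        # instead of a confusing authorization failure later.
        if len(hex_part) % 2 != 0:
            raise ValueError("hex: password needs an even number of hex digits")
        try:
            return binascii.unhexlify(hex_part)
        except binascii.Error as exc:
            raise ValueError(f"hex: password is not valid hexadecimal: {exc}") from exc
    if value.startswith("str:"):
        # Explicit raw-string form; the prefix itself is not part of the password.
        # This is how a literal password beginning with "hex:" is escaped.
        return value[len("str:"):].encode("utf-8")
    # Default form: the string is used as-is.
    return value.encode("utf-8")


def describe_auth(value: str) -> str:
    """Summarise how a value was interpreted; handy when debugging a script."""
    raw = parse_auth(value)
    printable = all(32 <= b < 127 for b in raw)
    form = "hex" if value.startswith("hex:") else "string"
    kind = "printable" if printable else "contains non-printable bytes"
    return f"{form} form, {len(raw)} byte(s), {kind}"


if __name__ == "__main__":
    # Constructed sample values, not taken from the manpage.
    for sample in ("secret", "str:hex:notdecoded", "hex:deadbeef", "hex:0a0d00"):
        print(f"{sample!r:24} -> {parse_auth(sample)!r}  ({describe_auth(sample)})")
```

Note that the hex: form is the only way to supply an authorization value containing bytes such as 0x00 or 0x0a, which a shell cannot pass as a plain argument.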
# Supported Hash Algorithms

Supported hash algorithms are:

· 0x4 or sha1 for TPM_ALG_SHA1 (default)

· 0xB or sha256 for TPM_ALG_SHA256

· 0xC or sha384 for TPM_ALG_SHA384

· 0xD or sha512 for TPM_ALG_SHA512

· 0x12 or sm3_256 for TPM_ALG_SM3_256

NOTE: Your TPM may not support all algorithms.

# Supported Public Object Algorithms

Supported public object algorithms are:

· 0x1 or rsa for TPM_ALG_RSA (default).

· 0x8 or keyedhash for TPM_ALG_KEYEDHASH.

· 0x23 or ecc for TPM_ALG_ECC.

· 0x25 or symcipher for TPM_ALG_SYMCIPHER.

NOTE: Your TPM may not support all algorithms.

# Algorithm Specifiers

Options that take algorithms support "nice-names". Nice names, like sha1, can be used in place of the raw hex for sha1: 0x4. The nice names are converted by stripping the leading TPM_ALG_ from the Algorithm Name field and converting it to lower case. For instance TPM_ALG_SHA3_256 becomes sha3_256.

The algorithms can be found at: <https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>

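As an added example (not tpm2-tools code), the following resolves a -g or -G argument in either of the two accepted spellings, the raw hex id or the nice name, using only the algorithm tables printed in the two "Supported ... Algorithms" sections above, and derives the nice name with the TPM_ALG_ stripping rule just described. It assumes nice names are matched case-insensitively and, as a deliberate safety choice for a wrapper script, rejects raw ids that are not in the page's tables rather than forwarding them; the function names are constructed for this illustration.

```python
# Added example (not part of tpm2-tools): resolve the algorithm specifiers
# accepted by -g (hash) and -G (key type) into TPM_ALG_ID values.
import re

# Values exactly as listed in this manpage, keyed by the spec's Algorithm Name.
HASH_ALGS = {
    "TPM_ALG_SHA1": 0x4,
    "TPM_ALG_SHA256": 0xB,
    "TPM_ALG_SHA384": 0xC,
    "TPM_ALG_SHA512": 0xD,
    "TPM_ALG_SM3_256": 0x12,
}
OBJECT_ALGS = {
    "TPM_ALG_RSA": 0x1,
    "TPM_ALG_KEYEDHASH": 0x8,
    "TPM_ALG_ECC": 0x23,
    "TPM_ALG_SYMCIPHER": 0x25,
}

_HEX_ID = re.compile(r"0[xX][0-9a-fA-F]+")


def nice_name(spec_name: str) -> str:
    """Apply the page's rule: drop the TPM_ALG_ prefix and lowercase the rest."""
    if not spec_name.startswith("TPM_ALG_"):
        raise ValueError(f"not a TPM_ALG_ name: {spec_name}")
    return spec_name[len("TPM_ALG_"):].lower()


def resolve_alg(spec: str, table: dict) -> int:
    """Accept "0x4" or "sha1" (any case) and return the TPM_ALG_ID from `table`.

    Raw ids outside `table` are rejected (assumption: a wrapper script wants an
    early, readable error rather than a TPM_RC from the device).
    """
    by_name = {nice_name(name): alg_id for name, alg_id in table.items()}
    s = spec.strip()
    if _HEX_ID.fullmatch(s):
        alg_id = int(s, 16)
        if alg_id not in table.values():
            raise ValueError(f"algorithm id {alg_id:#x} is not in the supported list")
        return alg_id
    try:
        return by_name[s.lower()]
    except KeyError:
        raise ValueError(f"unknown algorithm specifier: {spec!r}") from None


def alg_to_nice(alg_id: int, table: dict) -> str:
    """Reverse lookup, e.g. for reporting what a tool was actually run with."""
    for name, value in table.items():
        if value == alg_id:
            return nice_name(name)
    raise ValueError(f"algorithm id {alg_id:#x} is not in the supported list")


if __name__ == "__main__":
    # Constructed sample arguments, mirroring "-g sha256 -G ecc" from EXAMPLES.
    halg = resolve_alg("sha256", HASH_ALGS)
    kalg = resolve_alg("0x23", OBJECT_ALGS)
    print(f"-g -> {halg:#x} ({alg_to_nice(halg, HASH_ALGS)}), "
          f"-G -> {kalg:#x} ({alg_to_nice(kalg, OBJECT_ALGS)})")
```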
# Object Attributes

Object Attributes are used to control various properties of created objects. When specified as an option, either the raw bitfield mask or "nice-names" may be used. The values can be found in Table 31, Part 2 of the TPM 2.0 specification, which can be found here:

<https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>

Nice names are calculated by taking the name field of Table 31 and removing the prefix TPMA_OBJECT_ and lowercasing the result. Thus, TPMA_OBJECT_FIXEDTPM becomes fixedtpm. Nice names can be joined using the bitwise or "|" symbol.

For instance, to set the fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA, and TPMA_OBJECT_SIGN, the argument would be:

fixedtpm|noda|sign

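The attribute bitfield is where most template mistakes hide, so it is worth being able to go from the -A nice-name syntax to the numeric mask and back. The following is an added example, not tpm2-tools code, that does both using the TPMA_OBJECT bit positions from Table 31 of Part 2 (the table this section cites), and adds a small consistency check for two combinations the specification rejects: fixedtpm without fixedparent, and a restricted key marked both decrypt and sign. The function names are constructed; the page itself only lists the names and the default combination.

```python
# Added example (not part of tpm2-tools): translate -A nice names to the
# TPMA_OBJECT bitfield and back, and sanity-check the result.
import re

# Bit positions from Table 31, TPM 2.0 Part 2 (Structures). Bit 18 is the
# sign/encrypt bit; this page refers to it as TPMA_OBJECT_SIGN / "sign".
TPMA_OBJECT = {
    "TPMA_OBJECT_FIXEDTPM": 1 << 1,
    "TPMA_OBJECT_STCLEAR": 1 << 2,
    "TPMA_OBJECT_FIXEDPARENT": 1 << 4,
    "TPMA_OBJECT_SENSITIVEDATAORIGIN": 1 << 5,
    "TPMA_OBJECT_USERWITHAUTH": 1 << 6,
    "TPMA_OBJECT_ADMINWITHPOLICY": 1 << 7,
    "TPMA_OBJECT_NODA": 1 << 10,
    "TPMA_OBJECT_ENCRYPTEDDUPLICATION": 1 << 11,
    "TPMA_OBJECT_RESTRICTED": 1 << 16,
    "TPMA_OBJECT_DECRYPT": 1 << 17,
    "TPMA_OBJECT_SIGN": 1 << 18,
}
# Nice name rule from the page: strip TPMA_OBJECT_ and lowercase.
NICE_TO_BIT = {name[len("TPMA_OBJECT_"):].lower(): bit for name, bit in TPMA_OBJECT.items()}
KNOWN_BITS = 0
for _bit in TPMA_OBJECT.values():
    KNOWN_BITS |= _bit


def attrs_from_spec(spec: str) -> int:
    """Parse either a raw mask ("0x30072") or "name|name|...". Unknown names or
    reserved bits raise rather than being passed through to the TPM."""
    s = spec.strip()
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", s):
        mask = int(s, 16)
        unknown = mask & ~KNOWN_BITS
        if unknown:
            raise ValueError(f"mask {mask:#x} sets reserved/unknown bits {unknown:#x}")
        return mask
    mask = 0
    for part in s.split("|"):
        name = part.strip().lower()
        if name not in NICE_TO_BIT:
            raise ValueError(f"unknown object attribute: {part!r}")
        mask |= NICE_TO_BIT[name]
    return mask


def attrs_to_names(mask: int) -> list:
    """Decode a mask into nice names, lowest bit first."""
    unknown = mask & ~KNOWN_BITS
    if unknown:
        raise ValueError(f"mask {mask:#x} sets reserved/unknown bits {unknown:#x}")
    return [name for name, bit in NICE_TO_BIT.items() if mask & bit]


def lint_attrs(mask: int) -> list:
    """Flag attribute combinations the TPM's public-area validation rejects."""
    problems = []
    if (mask & NICE_TO_BIT["fixedtpm"]) and not (mask & NICE_TO_BIT["fixedparent"]):
        problems.append("fixedtpm requires fixedparent")
    if (mask & NICE_TO_BIT["restricted"]) and (mask & NICE_TO_BIT["decrypt"]) \
            and (mask & NICE_TO_BIT["sign"]):
        problems.append("a restricted key may not be both decrypt and sign")
    return problems


# The default listed under -A in OPTIONS, expressed in nice names.
DEFAULT_ATTRS = attrs_from_spec(
    "restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth")

if __name__ == "__main__":
    for spec in ("fixedtpm|noda|sign", "0x30072"):
        mask = attrs_from_spec(spec)
        print(f"{spec:24} -> {mask:#x} = {'|'.join(attrs_to_names(mask))}"
              f"  problems: {lint_attrs(mask) or 'none'}")
```

Running it shows that the page's own "fixedtpm|noda|sign" illustration decodes cleanly but trips the fixedtpm/fixedparent rule, while the tool's default mask (0x30072) passes both checks; a wrapper that runs lint_attrs before calling tpm2_createprimary gets a readable message instead of a TPM_RC_ATTRIBUTES from the device.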
# EXAMPLES

tpm2_createprimary -H o -g sha256 -G ecc -C context.out

# RETURNS

0 on success or 1 on failure.

# BUGS

Github Issues (https://github.com/01org/tpm2-tools/issues)

# HELP

See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)

tpm2-tools SEPTEMBER 2017 tpm2_createprimary(1)