1tpm2_createprimary(1)       General Commands Manual      tpm2_createprimary(1)
2
3
4

NAME

6       tpm2_createprimary(1)  - Create a primary key under a primary seed or a
7       temporary primary key under the TPM_RH_NULL hierarchy.
8

SYNOPSIS

10       tpm2_createprimary [OPTIONS]
11

DESCRIPTION

13       tpm2_createprimary(1) - This command is used to create a Primary Object
14       under one of the Primary Seeds or a Temporary Object under TPM_RH_NULL.
15       The command uses a TPM2B_PUBLIC as a template for the object to be cre‐
16       ated.   The  command will create and load a Primary Object.  The sensi‐
17       tive area is not returned.
18

OPTIONS

20       · -H, –hierarchy=HIERARCHY: Specify the hierarchy under which  the  ob‐
21         ject  is  created.  This will also dictate which authorization secret
22         (if any) must be supplied.  Supported options are:
23
24         · o for TPM_RH_OWNER
25
26         · p for TPM_RH_PLATFORM
27
28         · e for TPM_RH_ENDORSEMENT
29
30         · n for TPM_RH_NULL
31
32       · -P, –pwdp=PARENT_KEY_PASSWORD: Optional authorization string  if  au‐
33         thorization  is required to create object under the specified hierar‐
34         chy.  Passwords should follow the “password formatting standards, see
35         section”Password Formatting“.
36
37       · -K,  –pwdk=KEY_PASSWORD:  Optional authorization string for the newly
38         created object.  Follows the same password  formating  guidelines  as
39         the parent authorization string under the -P option.
40
41       · -g,  –halg=ALGORITHM:  The  hash algorithm to use.  Algorithms should
42         follow the " formatting  standards,  see  section  “Algorithm  Speci‐
43         fiers”.   Also, see section “Supported Hash Algorithms” for a list of
44         supported hash algorithms.
45
46       · -G, –kalg=KEY_ALGORITHM: Algorithm type for generated key.   It  sup‐
47         ports friendly names like the -g option.  See section “Supported Pub‐
48         lic Object Algorithms” for a list of supported object algorithms.
49
50       · -C, –context=CONTEXT_FILE: An optional file used to store the  object
51         context returned.
52
53       · -L,  –policy-file=POLICY_FILE:  An  optional file input that contains
54         the policy digest for policy based authorization of the object.
55
56       · -A, –object-attributes=ATTRIBUTES: The object  attributes,  optional.
57         Object  attribytes  follow  the specifications as outlined in “object
58         attribute specifiers”.  The default for created objects is:
59
60         TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TP‐
61         MA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OB‐
62         JECT_USERWITHAUTH
63
64       · -S, –input-session-handle=SESSION_HANDLE: Optional Input session han‐
65         dle from a policy session for authorization.
66

COMMON OPTIONS

68       This  collection of options are common to many programs and provide in‐
69       formation that many users may expect.
70
71       · -h, –help: Display the tools manpage.  This requires the manpages  to
72         be installed or on MANPATH, See man(1) for more details.
73
74       · -v,  –version:  Display  version information for this tool, supported
75         tctis and exit.
76
77       · -V, –verbose: Increase the information that the tool  prints  to  the
78         console  during  its  execution.  When using this option the file and
79         line number are printed.
80
81       · -Q, –quiet: Silence normal tool output to stdout.
82
83       · -Z, –enable-errata: Enable the application of errata fixups.   Useful
84         if  an  errata fixup needs to be applied to commands sent to the TPM.
85         # TCTI ENVIRONMENT
86
87       This collection of environment variables that may be used to  configure
88       the various TCTI modules available.
89
90       The  values  passed  through  these  variables  can  be overridden on a
91       per-command basis using the available command line options, see the TC‐
92       TI_OPTIONS section.
93
94       The variables respected depend on how the software was configured.
95
96       · TPM2TOOLS_TCTI_NAME:  Select the TCTI used for communication with the
97         next component down the TSS stack.  In most configurations this  will
98         be  the  TPM but it could be a simulator or proxy.  The current known
99         TCTIs are:
100
101         · tabrmd   -   The    new    resource    manager,    called    tabrmd
102           (https://github.com/01org/tpm2-abrmd).
103
104         · socket  -  Typically used with the old resource manager, or talking
105           directly to a simulator.
106
107         · device - Used when talking directly to a TPM device file.
108
109       · TPM2TOOLS_DEVICE_FILE: When using the device TCTI,  specify  the  TPM
110         device file.  The default is “/dev/tpm0”.
111
112         Note:  Using  the tpm directly requires the users to ensure that con‐
113         current access does not occur and that they manage the tpm resources.
114         These  tasks  are  usually managed by a resource manager.  Linux 4.12
115         and greater supports an in kernel resource manager  at  “/dev/tpmrm”,
116         typically “/dev/tpmrm0”.
117
118       · TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the do‐
119         main name or IP address used.  The default is 127.0.0.1.
120
121       · TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify  the  port
122         number used.  The default is 2321.
123

TCTI OPTIONS

125       This  collection  of options are used to configure the varous TCTI mod‐
126       ules available.  They override any environment variables.
127
128       · -T, –tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for communi‐
129         cation  with the next component down the TSS stack.  In most configu‐
130         rations   this    will    be    the    resource    manager:    tabrmd
131         (https://github.com/01org/tpm2-abrmd)  Optionally,  tcti specific op‐
132         tions can appended to TCTI_NAME by appending a : to TCTI_NAME.
133
134         · For the device TCTI, the TPM device file for use by the device TCTI
135           can  be  specified.   The  default  is  /dev/tpm0.  Example: -T de‐
136           vice:/dev/tpm0
137
138         · For the socket TCTI, the domain name or IP address and port  number
139           used by the socket can be specified.  The default are 127.0.0.1 and
140           2321.  Example: -T socket:127.0.0.1:2321
141
142         · For the abrmd TCTI, it takes no options.  Example: -T abrmd
143

Password Formatting

145       Passwords are interpreted in  two  forms,  string  and  hex-string.   A
146       string password is not interpreted, and is directly used for authoriza‐
147       tion.  A hex-string, is converted from a hexidecimal form into  a  byte
148       array  form, thus allowing passwords with non-printable and/or terminal
149       un-friendly characters.
150
151       By default passwords are assumed to be in the  string  form.   Password
152       form is specified with special prefix values, they are:
153
154       · str:  -  Used  to indicate it is a raw string.  Useful for escaping a
155         password that starts with the “hex:” prefix.
156
157       · hex: - Used when specifying a password in hex string format.
158

Supported Hash Algorithms

160       Supported hash algorithms are:
161
162       · 0x4 or sha1 for TPM_ALG_SHA1 (default)
163
164       · 0xB or sha256 for TPM_ALG_SHA256
165
166       · 0xC or sha384 for TPM_ALG_SHA384
167
168       · 0xD or sha512 for TPM_ALG_SHA512
169
170       · 0x12 or sm3_256 for TPM_ALG_SM3_256
171
172       NOTE: Your TPM may not support all algorithms.
173

Supported Public Object Algorithms

175       Supported public object algorithms are:
176
177       · 0x1 or rsa for TPM_ALG_RSA (default).
178
179       · 0x8 or keyedhash for TPM_ALG_KEYEDHASH.
180
181       · 0x23 or ecc for TPM_ALG_ECC.
182
183       · 0x25 or symcipher for TPM_ALG_SYMCIPHER.
184
185       NOTE: Your TPM may not support all algorithms.
186

Algorithm Specfiers

188       Options that take algorithms support “nice-names”.   Nice  names,  like
189       sha1 can be used in place of the raw hex for sha1: 0x4.  The nice names
190       are converted by stripping the leading TPM_ALG_ from the Algorithm Name
191       field  and  converting it to lower case.  For instance TPM_ALG_SHA3_256
192       becomes sha3_256.
193
194       The algorithms can be found at:  <https://trustedcomputinggroup.org/wp-
195       content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
196

Object Attributes

198       Object Attributes are used to control various properties of created ob‐
199       jects.  When specified as an option, either the raw  bitfield  mask  or
200       “nice-names”  may  be used.  The values can be found in Table 31 Part 2
201       of the TPM2.0 specification, which can be found here:
202
203       <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
204       Rev-2.0-Part-2-Structures-01.38.pdf>
205
206       Nice  names are calculated by taking the name field of table 31 and re‐
207       moving the prefix TPMA_OBJECT_ and lowercasing the result.   Thus,  TP‐
208       MA_OBJECT_FIXEDTPM  becomes  fixedtpm.   Nice names can be joined using
209       the bitwise or “|” symbol.
210
211       For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
212       and TPMA_OBJECT_SIGN, the argument would be:
213
214       fixedtpm|noda|sign
215

EXAMPLES

217              tpm2_createprimary -H o -g sha256 -G ecc -C context.out
218

RETURNS

220       0 on success or 1 on failure.
221

BUGS

223       Github Issues (https://github.com/01org/tpm2-tools/issues)
224

HELP

226       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
227
228
229
230tpm2-tools                      SEPTEMBER 2017           tpm2_createprimary(1)
Impressum