swtpm(8)                                                            swtpm(8)


swtpm - TPM Emulator for TPM 1.2 and 2.0

swtpm socket [OPTIONS]

swtpm chardev [OPTIONS]

swtpm cuse [OPTIONS]

swtpm implements a TPM software emulator built on libtpms. It provides
access to TPM functionality over a TCP/IP socket interface, or it can
listen for commands on a character device, or create a CUSE (character
device in userspace) interface for receiving TPM commands.

Unless corresponding command line parameters are used, the swtpm socket
version requires that the environment variable TPM_PORT be set to the
TCP/IP port the process is supposed to listen on for TPM request
messages.

Similarly, the environment variable TPM_PATH can be set and contain the
name of a directory where the TPM stores its persistent state.

The swtpm process can be gracefully terminated by sending a SIGTERM
signal to it.

The swtpm cuse version requires root privileges to start the TPM.

The following options are supported if the socket interface is chosen:

-p|--port <port>
    Use the given port rather than the environment variable TPM_PORT.

-t|--terminate
    Terminate the TPM after the client has closed the connection.

--server [type=tcp][,port=<port>[,bindaddr=<address>[,ifname=<ifname>]]][,fd=<fd>][,disconnect]
    Expect TCP connections on the given port; if a port is not provided,
    a file descriptor must be passed with the fd parameter and the
    commands are then read from this file descriptor. If a port is
    provided, the bind address on which to listen for TCP connections
    can be provided as well; the default bind address is 127.0.0.1. If
    a link-local IPv6 address is provided, the name of the interface
    to bind to must be provided with ifname. Anyone who can connect to
    this port can issue TPM commands, so binding to anything other
    than a loopback address exposes the TPM to the network.

    This parameter enables a persistent connection by default unless
    the disconnect option is given. This parameter should be used
    rather than the -p and --fd options.

--server type=unixio[,path=<path>][,fd=<fd>][,mode=<0...>][,uid=<uid>][,gid=<gid>]
    Expect UnixIO connections on the given path. If no path is
    provided, a file descriptor must be passed instead. The mode
    parameter sets the file mode bits of the UnixIO path. The mode
    bits value must be given as an octal number starting with a '0'.
    The default value is 0770. uid and gid set the ownership of the
    UnixIO socket's path; changing the ownership requires root
    privileges.
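A client for the two --server variants above, written as an added example that is not part of swtpm or its man page. It assumes swtpm was started with --tpm2, with --flags not-need-init (so no INIT has to be sent over the control channel first), and with either --server type=tcp,port=2321 or --server type=unixio,path=/tmp/mytpm/swtpm.sock; the port and paths are assumptions. Command and response layout is the TPM 2.0 Library specification's big-endian header (tag, size, code). The point the option text leaves implicit is that, because the connection is persistent, the end of a response is not signalled by EOF: the client must read the 10-byte header and then exactly responseSize minus 10 further bytes.

```python
"""Minimal TPM 2.0 client for swtpm's socket interface (added example, not
part of swtpm). Assumed server start:

  swtpm socket --tpm2 --tpmstate dir=/tmp/mytpm --flags not-need-init \
        --server type=tcp,port=2321 \
        --ctrl type=unixio,path=/tmp/mytpm/ctrl.sock

Port 2321 and the paths are assumptions. Command/response structures follow
the TPM 2.0 Library specification; every integer is big-endian.
"""
import socket
import struct

TPM_ST_NO_SESSIONS = 0x8001
TPM_CC_Startup = 0x00000144
TPM_CC_GetRandom = 0x0000017B
TPM_SU_CLEAR = 0x0000
TPM_RC_SUCCESS = 0x000

# Command header: tag, commandSize, commandCode. The response header has the
# same shape: tag, responseSize, responseCode.
HEADER = struct.Struct(">HII")


def build_command(command_code, params=b"", tag=TPM_ST_NO_SESSIONS):
    """Assemble a TPM 2.0 command: 10-byte header followed by the parameters."""
    return HEADER.pack(tag, HEADER.size + len(params), command_code) + params


def tpm2_startup_clear():
    return build_command(TPM_CC_Startup, struct.pack(">H", TPM_SU_CLEAR))


def tpm2_get_random(nbytes):
    return build_command(TPM_CC_GetRandom, struct.pack(">H", nbytes))


def parse_response(buf):
    """Return (tag, responseCode, parameter bytes); reject inconsistent sizes."""
    if len(buf) < HEADER.size:
        raise ValueError("response shorter than a TPM 2.0 header")
    tag, size, rc = HEADER.unpack_from(buf)
    if size != len(buf):
        raise ValueError(f"responseSize {size} does not match {len(buf)} bytes received")
    return tag, rc, buf[HEADER.size:]


def parse_get_random(params):
    """TPM2_GetRandom returns a TPM2B_DIGEST: UINT16 size followed by the bytes."""
    (n,) = struct.unpack_from(">H", params)
    if len(params) != 2 + n:
        raise ValueError("TPM2B size field disagrees with parameter length")
    return params[2:2 + n]


def recv_exact(sock, n):
    """Read exactly n bytes; swtpm does not close the connection per response."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("swtpm closed the connection mid-response")
        buf += chunk
    return bytes(buf)


def transceive(sock, command):
    """Send one command and read exactly one response off a persistent connection."""
    sock.sendall(command)
    header = recv_exact(sock, HEADER.size)
    _, size, _ = HEADER.unpack(header)
    if size < HEADER.size:
        raise ValueError(f"implausible responseSize {size}")
    return header + recv_exact(sock, size - HEADER.size)


def connect(server):
    """server: ('host', port) for --server type=tcp, or a path for type=unixio."""
    if isinstance(server, str):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.connect(server)
        return sock
    return socket.create_connection(server)


if __name__ == "__main__":
    with connect(("127.0.0.1", 2321)) as tpm:
        _, rc, _ = parse_response(transceive(tpm, tpm2_startup_clear()))
        print(f"TPM2_Startup: rc=0x{rc:03x}")
        _, rc, params = parse_response(transceive(tpm, tpm2_get_random(16)))
        if rc == TPM_RC_SUCCESS:
            print("TPM2_GetRandom:", parse_get_random(params).hex())
        else:
            print(f"TPM2_GetRandom failed: rc=0x{rc:03x}")
```

The same code talks to a --server type=unixio instance by passing the socket path string to connect(); only the transport differs, the framing does not.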

The following options are supported if the chardev interface is chosen:

-c|--chardev <device path>
    Use the given device to listen for TPM commands and send responses
    on.

--vtpm-proxy
    Create a Linux vTPM proxy device instance and read TPM commands
    from its backend device.

The following options are supported if the cuse interface is chosen:

-n|--name <NAME>
    The TPM will use a device with the given name. A device with the
    given name will be created in /dev. This is a mandatory option.

-M|--maj <MAJOR>
    Create the device with the given major number.

-m|--min <MINOR>
    Create the device with the given minor number.

The following options are supported by the socket and character device
interfaces:

-f|--fd <fd>
    Use the given socket file descriptor or character device file
    descriptor for receiving TPM commands and sending responses. For
    the socket interface, this option automatically implies -t.

-d|--daemon
    Daemonize the process.

--ctrl type=[unixio|tcp][,path=<path>][,port=<port>[,bindaddr=<address>[,ifname=<ifname>]]][,fd=<filedescriptor>|clientfd=<filedescriptor>][,mode=<0...>][,uid=<uid>][,gid=<gid>]
    This option adds a control channel to the TPM. The control channel
    can either use a UnixIO socket with a given path or file descriptor,
    or a TCP socket on the given port or file descriptor. If a port is
    provided, the bind address on which to listen for TCP connections
    can be provided as well; the default bind address is 127.0.0.1. If
    a link-local IPv6 address is provided, the name of the interface to
    bind to must be provided with ifname.

    The mode parameter sets the file mode bits of the UnixIO path. The
    mode bits value must be given as an octal number starting with a
    '0'. The default value is 0770. uid and gid set the ownership of
    the UnixIO socket's path; changing the ownership requires root
    privileges.

    The control channel enables out-of-band control of the TPM, such as
    resetting the TPM. Whoever can connect to the control channel can
    therefore reset the TPM, so restrict access to it with the mode,
    uid and gid parameters or a loopback bind address.

--flags [not-need-init]
    The not-need-init flag enables the TPM to accept TPM commands right
    after start without requiring an INIT to be sent to it through the
    control channel (see the '-i' option of swtpm_ioctl).

The following options are supported by all interfaces:

--tpmstate dir=<dir>[,mode=<0...>]
    Use the given path rather than the environment variable TPM_PATH.

    The TPM state files will be written with the given file mode bits.
    This value must be given as an octal number starting with a '0'.
    The default value is 0640.
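The documented defaults (0770 for a UnixIO socket path given to --server or --ctrl, 0640 for the state files) are only as good as what actually ends up on disk after start-up, daemonization and --runas. The following audit is an added example and not swtpm code: it separates collecting lstat() results from the policy check, so the policy can be tested without a filesystem. The directory limit of 0750 is this example's choice (the man page gives no directory mode); the paths and the expected owner are placeholders the caller supplies.

```python
"""Audit the on-disk footprint of a swtpm instance (added example, not part
of swtpm). Policy follows the man page defaults: TPM state files at most
0640, UnixIO socket paths (--server type=unixio, --ctrl type=unixio) at most
0770, and a --key file passed with remove=true must be gone afterwards. The
directory limit 0750 is this example's choice (the man page gives none);
paths in __main__ are placeholders.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int   # full st_mode, file-type bits included
    uid: int
    gid: int


def collect(path):
    """lstat() one path into an Entry so the policy can be checked separately."""
    st = os.lstat(path)
    return Entry(path, st.st_mode, st.st_uid, st.st_gid)


def collect_dir(state_dir):
    """The --tpmstate directory first, then each entry inside it."""
    entries = [collect(state_dir)]
    for name in sorted(os.listdir(state_dir)):
        entries.append(collect(os.path.join(state_dir, name)))
    return entries


def excess_bits(mode, allowed):
    """Permission bits set in 'mode' that the 'allowed' mask does not grant."""
    return stat.S_IMODE(mode) & ~allowed


def audit_state(entries, owner_uid, max_dir_mode=0o750, max_file_mode=0o640):
    """entries[0] is the state directory itself; the rest are its contents."""
    findings = []
    for i, e in enumerate(entries):
        limit = max_dir_mode if i == 0 else max_file_mode
        extra = excess_bits(e.mode, limit)
        if extra:
            findings.append(f"{e.path}: mode {stat.S_IMODE(e.mode):04o} exceeds "
                            f"{limit:04o} (extra bits {extra:04o})")
        if e.uid != owner_uid:
            findings.append(f"{e.path}: owned by uid {e.uid}, expected {owner_uid}")
    return findings


def audit_socket(entry, owner_uid, max_mode=0o770):
    """A UnixIO command or control socket: must be a socket, owned by swtpm's
    user, and no more open than the documented default mode."""
    findings = []
    if not stat.S_ISSOCK(entry.mode):
        findings.append(f"{entry.path}: not a socket")
    if excess_bits(entry.mode, max_mode):
        findings.append(f"{entry.path}: mode {stat.S_IMODE(entry.mode):04o} "
                        f"exceeds {max_mode:04o}")
    if entry.uid != owner_uid:
        findings.append(f"{entry.path}: owned by uid {entry.uid}, expected {owner_uid}")
    return findings


def audit_key_removed(keyfile):
    """With --key file=...,remove=true the key must not linger beside the state."""
    return [f"{keyfile}: key file still present"] if os.path.lexists(keyfile) else []


if __name__ == "__main__":
    uid = os.getuid()   # or the uid of the --runas user
    problems = audit_state(collect_dir("/tmp/mytpm"), uid)
    problems += audit_socket(collect("/tmp/mytpm/ctrl.sock"), uid)
    problems += audit_key_removed("/tmp/mytpm/tpmkey.hex")
    print("\n".join(problems) or "no findings")
```

Run it as the user that started swtpm, or pass the uid of the --runas user, after the process has daemonized; a finding on the control socket is the one to fix first, since that path grants out-of-band control of the TPM.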

--tpm2
    Choose TPM 2 functionality; by default a TPM 1.2 is emulated.

--log [fd=<fd>|file=<path>][,level=<n>][,prefix=<prefix>][,truncate]
    Enable logging to a file given its file descriptor or its path. Use
    '-' as the path to suppress logging.

    The level parameter selects the level of logging. Starting at log
    level 5, libtpms debug logging is activated.

    All logged lines will be prefixed with prefix. By default no prefix
    is prepended.

    If truncate is passed, the log file will be truncated.

--locality reject-locality-4[,allow-set-locality]
    The reject-locality-4 parameter will cause TPM error messages to be
    returned for requests to set the TPM into locality 4.

    The allow-set-locality parameter allows the swtpm to receive
    TPM/TPM2_SetLocality commands. This parameter is useful if the
    Linux vTPM proxy driver is accessed by file descriptor passing. It
    is implied by the --vtpm-proxy option and therefore need not be
    explicitly set if that option is passed. In all other cases care
    should be taken as to who can send the TPM/TPM2_SetLocality
    command, since a client that can set the locality can claim a
    locality, and the access rights tied to it, that the platform
    would normally assert only for trusted components.

--key file=<keyfile>|fd=<fd>[,format=<hex|binary>][,mode=aes-cbc|aes-256-cbc][,remove[=true|false]]
    Enable encryption of the state files of the TPM. The keyfile must
    contain an AES key of supported size; 128 bit (16 bytes) and 256
    bit (32 bytes) keys are supported.

    The key may be in binary format, in which case the file size must
    be 16 or 32 bytes. If the key is in hex format (default), the key
    may consist of 32 or 64 hex digits starting with an optional '0x'.

    The mode parameter indicates which block chaining mode is to be
    used. Currently aes-cbc (aes-128-cbc) and aes-256-cbc are
    supported. The encrypted data is integrity protected using
    encrypt-then-mac.

    The remove parameter will attempt to remove the given keyfile once
    the key has been read.

--key pwdfile=<passphrase file>|pwdfd=<fd>[,mode=aes-cbc|aes-256-cbc][,remove[=true|false]][,kdf=sha512|pbkdf2]
    This variant of the key parameter allows a passphrase to be
    provided in a file. The file is read and a key is derived from it
    using either a SHA512 hash or PBKDF2. By default PBKDF2 is used;
    prefer it, since a plain SHA512 hash of the passphrase adds no work
    factor against guessing.

--migration-key file=<keyfile>|fd=<fd>[,format=<hex|binary>][,mode=aes-cbc|aes-256-cbc][,remove[=true|false]]
    The availability of a migration key ensures that the state of the
    TPM will not be revealed in unencrypted form when the TPM state
    blobs are retrieved through the ioctl interface. The migration key
    is not used for encrypting TPM state written to files; that is what
    the --key parameter is for.

    The migration key and the key used for encrypting the TPM state
    files may be the same.

    While the key for the TPM state files needs to stay with the files
    it encrypts, the migration key needs to stay with the TPM state
    blobs. If, for example, the state of the TPM is migrated between
    hosts in a data center, then the TPM migration key must be
    available at all the destinations, so in effect it may have to be a
    key shared across all machines in the data center. In contrast, the
    key used for encrypting the TPM state files can be different for
    each TPM and need only be available on the host where the TPM state
    resides.

    The migration key enables the encryption of the TPM state blobs.
    The keyfile must contain an AES key of supported size; 128 bit (16
    bytes) and 256 bit (32 bytes) keys are supported.

    The key may be in binary format, in which case the file size must
    be 16 or 32 bytes. If the key is in hex format (default), the key
    may consist of 32 or 64 hex digits starting with an optional '0x'.

    The mode parameter indicates which block chaining mode is to be
    used. Currently aes-cbc (aes-128-cbc) and aes-256-cbc are
    supported. The encrypted data is integrity protected using
    encrypt-then-mac.

    The remove parameter will attempt to remove the given keyfile once
    the key has been read.

--migration-key pwdfile=<passphrase file>|pwdfd=<fd>[,mode=aes-cbc|aes-256-cbc][,remove[=true|false]][,kdf=sha512|pbkdf2]
    This variant of the migration-key parameter allows a passphrase to
    be provided in a file. The file is read and a key is derived from
    it using either a SHA512 hash or PBKDF2. By default PBKDF2 is used.
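The file= variants of --key and --migration-key above share one key-file format. The following is an added example, not swtpm code, that generates a key file the way a practitioner should (fresh random bytes, created owner-only, never overwriting an existing file) and validates a key file against the rules the man page states: hex format is 32 or 64 hex digits with an optional '0x' prefix, binary format is exactly 16 or 32 bytes, anything else (an AES-192 key, a typo) is rejected before swtpm is started. The pairing of key length with the mode= name follows the man page's naming (aes-cbc is aes-128-cbc); the path in __main__ is a placeholder.

```python
"""Create and check key files for swtpm's --key and --migration-key
(added example, not part of swtpm). Rules are the man page's: hex format
(default) is 32 or 64 hex digits with an optional '0x' prefix; binary format
is exactly 16 or 32 bytes, i.e. AES-128 or AES-256.
"""
import os
import secrets

KEY_SIZES = (16, 32)


def parse_key(data, fmt="hex"):
    """Return the raw AES key held in a key file's contents, or raise ValueError."""
    if fmt == "binary":
        key = bytes(data)
    elif fmt == "hex":
        text = data.decode("ascii").strip()
        if text[:2].lower() == "0x":
            text = text[2:]
        if len(text) not in (32, 64):
            raise ValueError(f"hex key has {len(text)} digits, expected 32 or 64")
        key = bytes.fromhex(text)
    else:
        raise ValueError(f"unknown format {fmt!r}, expected 'hex' or 'binary'")
    if len(key) not in KEY_SIZES:
        raise ValueError(f"key is {len(key)} bytes, expected one of {KEY_SIZES}")
    return key


def is_valid_key_file(data, fmt="hex"):
    """True if swtpm would accept these contents as a key of supported size."""
    try:
        parse_key(data, fmt)
        return True
    except ValueError:          # UnicodeDecodeError is a ValueError too
        return False


def cipher_mode_for(key):
    """Pair key length with the documented mode names: aes-cbc is aes-128-cbc,
    so it goes with a 16-byte key; aes-256-cbc with a 32-byte key."""
    return {16: "aes-cbc", 32: "aes-256-cbc"}[len(key)]


def write_key_file(path, nbytes=32, fmt="hex"):
    """Generate a fresh random key and write it readable by the owner only.
    O_EXCL refuses to overwrite an existing file, so a key in use cannot be
    silently replaced."""
    if nbytes not in KEY_SIZES:
        raise ValueError(f"key size must be one of {KEY_SIZES}")
    key = secrets.token_bytes(nbytes)
    payload = key.hex().encode("ascii") if fmt == "hex" else key
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return key


def key_option(path, key, fmt="hex", remove=True):
    """Value for --key / --migration-key. remove=true makes swtpm delete the
    file after reading it, so the key does not stay beside the state it protects."""
    flag = "true" if remove else "false"
    return f"file={path},format={fmt},mode={cipher_mode_for(key)},remove={flag}"


if __name__ == "__main__":
    path = "/tmp/mytpm/tpmkey.hex"        # placeholder
    key = write_key_file(path)
    with open(path, "rb") as f:
        assert parse_key(f.read()) == key
    print("--key", key_option(path, key))
```

Because remove=true deletes the file, keep the generated key somewhere the state can be recovered from (a secrets store, not the state directory); for a migration key, that copy is what every destination host needs.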

--pid file=<pidfile>|fd=<filedescriptor>
    This option sets the name of the file into which the process ID
    (pid) of the TPM will be written. It is also possible to pass a
    file descriptor to a file that has been opened for writing.

-r|--runas <owner>
    Switch to the given user. This option can only be used when swtpm
    is started as root.

--seccomp action=none|log|kill (since v0.2)
    This option selects the action taken by the seccomp profile when a
    syscall is executed that is not allowed. The default is kill. To
    disable the seccomp profile, choose none. The log action logs
    offending syscalls; it is only available if libseccomp supports
    logging.

    This option is only available on Linux and only if swtpm was
    compiled with libseccomp support.

--print-capabilities (since v0.2)
    Print capabilities that were added to swtpm after version 0.1. The
    output may contain the following:

        {
          "type": "swtpm",
          "features": [
            "cmdarg-seccomp",
            "cmdarg-key-fd",
            "cmdarg-pwd-fd",
            "tpm-send-command-header"
          ]
        }

    The meaning of the feature verbs is as follows:

    cmdarg-seccomp
        The --seccomp option is supported.

    cmdarg-key-fd
        The --key option supports the fd= parameter.

    cmdarg-pwd-fd
        The --key option supports the pwdfd= parameter.

    tpm-send-command-header
        TPM 2 commands may be prefixed by a header that carries a
        4-byte command, 1 byte for the locality, and a 4-byte TPM 2
        command length indicator. The TPM 2 will respond by prepending
        a 4-byte response indicator and appending a 4-byte trailer. All
        data is sent in big endian format.
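Programs that start swtpm should pass --seccomp, --key fd= or --key pwdfd= only when the build advertises them, and should frame commands with the header only when tpm-send-command-header is present. The following is an added example, not swtpm code: SAMPLE_CAPABILITIES is a constructed copy of the output shown above, and the header layout is the one the feature description gives (4-byte command, 1-byte locality, 4-byte length; 4-byte indicator before and 4-byte trailer after the response; big-endian). The man page does not state the value of the 4-byte command; the constant 8 used here matches the TPM 2.0 reference simulator's TPM_SEND_COMMAND and is an assumption to verify against the swtpm source before relying on it.

```python
"""Gate swtpm command-line features on `swtpm socket --print-capabilities`
and frame TPM 2 commands with the optional command header (added example,
not part of swtpm). SAMPLE_CAPABILITIES is a constructed copy of the man
page's output. The header layout follows the man page; the command value 8
is an assumption (TPM 2.0 reference simulator's TPM_SEND_COMMAND).
"""
import json
import struct

SAMPLE_CAPABILITIES = """{
  "type": "swtpm",
  "features": [
    "cmdarg-seccomp",
    "cmdarg-key-fd",
    "cmdarg-pwd-fd",
    "tpm-send-command-header"
  ]
}"""

TPM_SEND_COMMAND = 8                    # assumed value, see module docstring
SEND_HEADER = struct.Struct(">IBI")     # command, locality, TPM 2 command length
RESP_PREFIX = struct.Struct(">I")       # 4-byte response indicator
RESP_TRAILER = struct.Struct(">I")      # 4-byte trailer


def features(capabilities_json):
    """Set of feature verbs advertised by this swtpm build."""
    doc = json.loads(capabilities_json)
    if doc.get("type") != "swtpm":
        raise ValueError(f"unexpected type {doc.get('type')!r}")
    return set(doc.get("features", []))


def extra_args(feats, seccomp="kill", key_fd=None, pwd_fd=None):
    """argv additions only for features this swtpm has; refuse silent downgrades."""
    if key_fd is not None and pwd_fd is not None:
        raise ValueError("pass either a key fd or a passphrase fd, not both")
    args = []
    if "cmdarg-seccomp" in feats:
        args += ["--seccomp", f"action={seccomp}"]
    if key_fd is not None:
        if "cmdarg-key-fd" not in feats:
            raise RuntimeError("this swtpm cannot read the key from fd=; use --key file=")
        args += ["--key", f"fd={key_fd}"]
    if pwd_fd is not None:
        if "cmdarg-pwd-fd" not in feats:
            raise RuntimeError("this swtpm cannot read a passphrase from pwdfd=")
        args += ["--key", f"pwdfd={pwd_fd}"]
    return args


def frame_command(tpm_command, locality=0, feats=frozenset({"tpm-send-command-header"})):
    """Prefix a TPM 2 command with the locality-carrying header (only if advertised)."""
    if "tpm-send-command-header" not in feats:
        raise RuntimeError("swtpm does not advertise tpm-send-command-header")
    if not 0 <= locality <= 4:
        raise ValueError("TPM localities are 0..4")
    return SEND_HEADER.pack(TPM_SEND_COMMAND, locality, len(tpm_command)) + tpm_command


def unframe_response(buf):
    """Strip indicator and trailer; cross-check the inner TPM 2 responseSize."""
    min_len = RESP_PREFIX.size + 10 + RESP_TRAILER.size
    if len(buf) < min_len:
        raise ValueError(f"framed response shorter than {min_len} bytes")
    (indicator,) = RESP_PREFIX.unpack_from(buf, 0)
    (trailer,) = RESP_TRAILER.unpack_from(buf, len(buf) - RESP_TRAILER.size)
    body = buf[RESP_PREFIX.size:len(buf) - RESP_TRAILER.size]
    (response_size,) = struct.unpack_from(">I", body, 2)   # TPM 2 header: tag(2) size(4) rc(4)
    if response_size != len(body):
        raise ValueError(f"inner responseSize {response_size} != {len(body)} bytes")
    return indicator, body, trailer


if __name__ == "__main__":
    feats = features(SAMPLE_CAPABILITIES)
    print("extra args:", extra_args(feats, seccomp="log"))
    startup = bytes.fromhex("80010000000c000001440000")    # TPM2_Startup(TPM_SU_CLEAR)
    print("framed:", frame_command(startup, locality=0, feats=feats).hex())
```

In production the capabilities JSON comes from running `swtpm socket --print-capabilities` once per swtpm binary; cache the result per binary, not per TPM instance.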

-h|--help
    Display usage info.

swtpm_bios, swtpm_cuse



swtpm                              2019-07-09                          swtpm(8)