swtpm_setup(8)                                                  swtpm_setup(8)

NAME
    swtpm_setup - Swtpm utility to simulate the manufacturing of a TPM 1.2
    or 2.0

SYNOPSIS
    swtpm_setup [OPTIONS]

DESCRIPTION
    swtpm_setup is a tool that prepares the initial state for a libtpms-
    based TPM.

    For creating the initial state of a TPM 1.2, swtpm_setup must be run
    either as root or as the user that tcsd requires, which is typically
    tss.

    The following options are supported:

    --runas <userid>
        Use this userid to run swtpm_setup.sh; by default 'tss' is used.

    --config <file>
        Path to the configuration file containing the tool to use for
        creating certificates; see also swtpm_setup.conf

        If this parameter is not provided, the default configuration file
        /etc/swtpm_setup.conf will be used. If the environment variable
        XDG_CONFIG_HOME is set, the configuration file is assumed to be
        $XDG_CONFIG_HOME/swtpm_setup.conf.

    --tpm-state <dir> or --tpmstate <dir>
        Path to a directory where the TPM's state will be written into;
        this is a mandatory argument.

    --tpm <path to executable>
        Path to the TPM executable; this is an optional argument and by
        default the swtpm executable found in the PATH will be used.

    --tpm2
        Do setup on a TPM 2; by default a TPM 1.2 is set up.

    --createek
        Create the EK.

    --allow-signing
        Create an EK that can sign. This option requires --tpm2.

        Note that the TCG specification "EK Credential Profile For TPM
        Family 2.0; Level 0" suggests in its section on "EK Usage" that
        "the Endorsement Key can be created as a decryption or signing
        key." However, some platforms will not accept an EK as a signing
        key, or as a signing and encryption key, and therefore this option
        should be used very carefully.

    --decryption
        Create an EK that can be used for key encipherment. This is the
        default unless --allow-signing is passed. This option requires
        --tpm2.

    --ecc
        Create elliptic curve cryptography (ECC) keys; by default RSA keys
        are generated.

    --take-ownership
        Take ownership; this option implies --createek.

    --ownerpass <password>
        Provide a custom owner password; the default is ooo.

    --owner-well-known
        Use a password of all zeros (20 bytes of zeros) as the owner
        password.

    --srkpass <password>
        Provide a custom SRK password; the default is sss.

    --srk-well-known
        Use a password of all zeros (20 bytes of zeros) as the SRK
        password.

    --create-ek-cert
        Create an EK certificate; this implies --createek (NOT SUPPORTED
        YET).

    --create-platform-cert
        Create a platform certificate; this implies --create-ek-cert.

    --lock-nvram
        Lock NVRAM access.

    --display
        At the end, display as much information as possible about the
        configuration of the TPM.

    --logfile <logfile>
        The logfile to log to. By default logging goes to stdout and
        stderr.

    --keyfile <keyfile>
        The key file contains an ASCII hex key consisting of 32 hex digits
        with an optional leading '0x'. This is the key to be used by the
        TPM emulator for encrypting the state of the TPM.

    --keyfile-fd <file descriptor>
        Like --keyfile, but the key will be read from the file descriptor.

    --pwdfile <passphrase file>
        The passphrase file contains a passphrase from which the TPM
        emulator will derive the encryption key and use that key for
        encrypting the TPM state.

    --pwdfile-fd <file descriptor>
        Like --pwdfile, but the passphrase will be read from the file
        descriptor.

    --cipher <cipher>
        The cipher may be either aes-cbc or aes-128-cbc for 128-bit AES
        encryption, or aes-256-cbc for 256-bit AES encryption. The same
        cipher must be used on the swtpm command line later on.

    --overwrite
        Overwrite existing TPM state. All previous state will be erased.
        If this option is not given and an existing state file is found,
        an error code is returned.

    --not-overwrite
        Do not overwrite existing TPM state. If existing TPM state is
        found, the program ends without an error.

    --vmid <VM ID>
        Optional VM ID that can be used to keep track of certificates
        issued for VMs (or containers). This parameter will be passed
        through to the tool used for creating the certificates and may be
        required by that tool.

    --pcr-banks <PCR banks>
        Optional comma-separated list of PCR banks to activate. Providing
        '-' skips the selection and activates all PCR banks. By default
        the sha1 and sha256 banks are activated.

    --swtpm_ioctl <executable>
        Pass the path to the swtpm_ioctl executable. By default the
        swtpm_ioctl found in the PATH is used.

    --tcsd-system-ps-file <file>
        A file to copy TCSD's system_ps_file to. The system_ps_file
        contains the TPM 1.2 SRK public key after taking ownership of the
        TPM. The file is needed by TCSD for key-related functions.

        This option is only useful with TPM 1.2 and only if ownership is
        taken.

    --print-capabilities (since v0.2)
        Print capabilities that were added to swtpm_setup after version
        0.1. The output contains the following:

            {
              "type": "swtpm_setup",
              "features": [
                "cmdarg-keyfile-fd",
                "cmdarg-pwdfile-fd"
              ]
            }

        The meaning of the feature verbs is as follows:

        cmdarg-keyfile-fd
            The --keyfile-fd option is supported.

        cmdarg-pwdfile-fd
            The --pwdfile-fd option is supported.

    --help, -h
        Display the help screen.

EXAMPLES
    To simulate manufacturing of a TPM, one would typically run the
    following command:

        #> sudo swtpm_setup --tpmstate /tmp/mytpm1/ \
             --create-ek-cert --create-platform-cert --lock-nvram

    Note: since setting up a TPM 1.2 relies on the tcsd for some of its
    operations, swtpm_setup has to be run as root so that it can invoke the
    tcsd either as root or as the tss user.

    A normal user can also simulate the manufacturing of a TPM 2 using the
    swtpm-localca plugin. The following example assumes that the user has
    set the environment variable XDG_CONFIG_HOME as follows (using bash as
    an example):

        export XDG_CONFIG_HOME=~/.config

    Note: The XDG_CONFIG_HOME variable is part of the XDG Base Directory
    Specification.

    The following configuration files need to be created:

    ~/.config/swtpm_setup.conf:

        # Program invoked for creating certificates
        create_certs_tool = /usr/share/swtpm/swtpm-localca
        create_certs_tool_config = ${XDG_CONFIG_HOME}/swtpm-localca.conf
        create_certs_tool_options = ${XDG_CONFIG_HOME}/swtpm-localca.options

    ~/.config/swtpm-localca.conf:

        statedir = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca
        signingkey = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/signkey.pem
        issuercert = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/issuercert.pem
        certserial = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/certserial

    ~/.config/swtpm-localca.options:

        --platform-manufacturer Fedora
        --platform-version 2.12
        --platform-model QEMU

    The following commands now create a TPM 2 with an EK and platform
    certificate. The state of the TPM 2 will be stored in the directory
    ${XDG_CONFIG_HOME}/mytpm1.

        #> mkdir -p ${XDG_CONFIG_HOME}/mytpm1
        #> swtpm_setup --tpm2 --tpmstate ${XDG_CONFIG_HOME}/mytpm1 \
             --create-ek-cert --create-platform-cert --lock-nvram

SEE ALSO
    swtpm_setup.conf

REPORTING BUGS
    Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>

swtpm                             2019-07-09                    swtpm_setup(8)