1tpm2_getekcertificate(1) General Commands Manual tpm2_getekcertificate(1)
2
6 tpm2_getekcertificate(1) - Retrieve the Endorsement key Certificate for
7 the TPM endorsement key from the TPM manufacturer's endorsement cer‐
8 tificate hosting server.
9
11 tpm2_getekcertificate [OPTIONS] [ARGUMENT]
12
14 tpm2_getekcertificate(1) - Retrieve the Endorsement key Certificate for
15 the TPM endorsement key from the TPM manufacturer's endorsement cer‐
16 tificate hosting server. The argument specifies the URL address for
17 the ek certificate portal.
18
20 · -o, --ek-certificate=FILE or STDOUT:
21 The fileto save the Endorsement key certificate retrieved from the
23 TPM manufacturer provisioning server. Defaults to stdout if not
24 specified.
25 · -X, --allow-unverified:
27 Specifies to attempt connecting with the TPM manufacturer provision‐
29 ing server without verifying server certificate.
30 WARNING: This option should be used only on platforms with older CA
32 certificates.
33 · -u, --ek-public=FILE:
35 Specifies the file path for the endorsement key public portion in tss
37 format.
38 · -x, --offline:
40 This flags the tool to operate in an offline mode. In that the cer‐
42 tificates can be retrieved for supplied ek public that do not belong
43 to the platform the tool is run on. Useful in factory provisioning
44 of multiple platforms that are not individually connected to the In‐
45 ternet. In such a scenario a single Internet facing provisioning
46 server can utilize this tool in this mode.
47 · ARGUMENT the command line argument specifies the URL address for the
49 ek certificate portal.
50 References
53 This collection of options are common to many programs and provide in‐
54 formation that many users may expect.
55 · -h, --help=[man|no-man]: Display the tools manpage. By default, it
57 attempts to invoke the manpager for the tool, however, on failure
58 will output a short tool summary. This is the same behavior if the
59 "man" option argument is specified, however if explicit "man" is re‐
60 quested, the tool will provide errors from man on stderr. If the
61 "no-man" option if specified, or the manpager fails, the short op‐
62 tions will be output to stdout.
63 To successfully use the manpages feature requires the manpages to be
65 installed or on MANPATH, See man(1) for more details.
66 · -v, --version: Display version information for this tool, supported
68 tctis and exit.
69 · -V, --verbose: Increase the information that the tool prints to the
71 console during its execution. When using this option the file and
72 line number are printed.
73 · -Q, --quiet: Silence normal tool output to stdout.
75 · -Z, --enable-errata: Enable the application of errata fixups. Useful
77 if an errata fixup needs to be applied to commands sent to the TPM.
78 Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent. in‐
79 formation many users may expect.
80
82 The TCTI or "Transmission Interface" is the communication mechanism
83 with the TPM. TCTIs can be changed for communication with TPMs across
84 different mediums.
85 To control the TCTI, the tools respect:
87 1. The command line option -T or --tcti
89 2. The environment variable: TPM2TOOLS_TCTI.
91 Note: The command line option always overrides the environment vari‐
93 able.
94 The current known TCTIs are:
96 · tabrmd - The resource manager, called tabrmd
98 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
99 abrmd as a tcti name are synonymous.
100 · mssim - Typically used for communicating to the TPM software simula‐
102 tor.
103 · device - Used when talking directly to a TPM device file.
105 · none - Do not initalize a connection with the TPM. Some tools allow
107 for off-tpm options and thus support not using a TCTI. Tools that do
108 not support it will error when attempted to be used without a TCTI
109 connection. Does not support ANY options and MUST BE presented as
110 the exact text of "none".
111 The arguments to either the command line option or the environment
113 variable are in the form:
114 <tcti-name>:<tcti-option-config>
116 Specifying an empty string for either the <tcti-name> or <tcti-op‐
118 tion-config> results in the default being used for that portion respec‐
119 tively.
120 TCTI Defaults
122 When a TCTI is not specified, the default TCTI is searched for using
123 dlopen(3) semantics. The tools will search for tabrmd, device and
124 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
125 what TCTI will be chosen as the default by using the -v option to print
126 the version information. The "default-tcti" key-value pair will indi‐
127 cate which of the aforementioned TCTIs is the default.
128 Custom TCTIs
130 Any TCTI that implements the dynamic TCTI interface can be loaded. The
131 tools internally use dlopen(3), and the raw tcti-name value is used for
132 the lookup. Thus, this could be a path to the shared library, or a li‐
133 brary name as understood by dlopen(3) semantics.
134
136 This collection of options are used to configure the various known TCTI
137 modules available:
138 · device: For the device TCTI, the TPM character device file for use by
140 the device TCTI can be specified. The default is /dev/tpm0.
141 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="de‐
143 vice:/dev/tpm0"
144 · mssim: For the mssim TCTI, the domain name or IP address and port
146 number used by the simulator can be specified. The default are
147 127.0.0.1 and 2321.
148 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
150 TI="mssim:host=localhost,port=2321"
151 · abrmd: For the abrmd TCTI, the configuration string format is a se‐
153 ries of simple key value pairs separated by a ',' character. Each
154 key and value string are separated by a '=' character.
155 · TCTI abrmd supports two keys:
157 1. 'bus_name' : The name of the tabrmd service on the bus (a
159 string).
160 2. 'bus_type' : The type of the dbus instance (a string) limited to
162 'session' and 'system'.
163 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
165 ample.FooBar:
166 \--tcti=tabrmd:bus_name=com.example.FooBar
168 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
170 sion:
171 \--tcti:bus_type=session
173 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
175 ules.
176
178 When the verbose option is specified, additional curl debugging infor‐
179 mation is provided by setting the curl mode verbose, see
180 <https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html> for more informa‐
181 tion.
182
184 tpm2_createek -G rsa -u ek.pub -c key.ctx
185 tpm2_getekcertificate -X -o ECcert.bin -u ek.pub \
187 https://tpm.manufacturer.com/ekcertserver/
188
190 Tools can return any of the following codes:
191 · 0 - Success.
193 · 1 - General non-specific error.
195 · 2 - Options handling error.
197 · 3 - Authentication error.
199 · 4 - TCTI related error.
201 · 5 - Non supported scheme. Applicable to tpm2_testparams.
203
205 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
206
208 See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
209tpm2-tools tpm2_getekcertificate(1)