1tpm2_createek(1)            General Commands Manual           tpm2_createek(1)
2
3
4

NAME

6       tpm2_createek(1) - Generate TCG profile compliant endorsement key.
7

SYNOPSIS

9       tpm2_createek [OPTIONS]
10

DESCRIPTION

12       tpm2_createek(1) - Generate TCG profile compliant endorsement key (EK),
13       which is the primary object of the endorsement hierarchy.
14
15       If a transient object is generated the  tool  outputs  a  context  file
16       specified with -c.
17
18       Refer       to:       <http://www.trustedcomputinggroup.org/files/stat
19       ic_page_files/7CAA5687-1A4B-B294-D04080D058E86C5F>
20

OPTIONS

22-P, --eh-auth=AUTH:
23
24         The authorization value for the endorsement hierarchy
25
26-w, --owner-auth=AUTH
27
28         The authorization value for the owner hierarchy.
29
30-c, --ek-context=OBJECT or FILE:
31
32         Either a file path or a persistent handle value to save the  endorse‐
33         ment key.
34
35         If a value of - is passed the tool will find a vacant persistent han‐
36         dle to use and print out the automatically selected handle.
37
38         If one saves the context file via this option and the public key  via
39         the  -u  option, the EK can be restored via a call to tpm2_loadexter‐
40         nal(1).
41
42-G, --key-algorithm=ALGORITHM:
43         The endorsement key algorithm.  Supports:
44
45ecc - An P256 key.
46
47rsa - An RSA2048 key.
48
49keyedhash - hmac key.
50
51-u, --public=FILE:
52
53         The optional input for a file to save the public portion of  endorse‐
54         ment key.
55
56-t, --template:
57
58         The  optional manufacturer defined endorsement key template and nonce
59         from fixed NV Indices to populate the TPM2B_PUBLIC public area.   See
60         the  TCG  EK  Credential  Profile specification for more information:
61         https://trustedcomputinggroup.org/wp-content/uploads/ TCG_IWG_Creden‐
62         tial_Profile_EK_V2.1_R13.pdf
63
64-f, --format:
65
66         Format selection for the public key output file.  'tss' (the default)
67         will output a binary blob according to  the  TPM  2.0  Specification.
68         'pem'  will  output  an  OpenSSL  compatible  PEM encoded public key.
69         'der' will output an  OpenSSL  compatible  DER  encoded  public  key.
70         'tpmt' will output a binary blob of the TPMT_PUBLIC struct referenced
71         by TPM 2.0 specs.
72
73         Public key format.
74
75   References

Context Object Format

77       The type of a context object, whether it is a handle or file  name,  is
78       determined according to the following logic in-order:
79
80       • If the argument is a file path, then the file is loaded as a restored
81         TPM transient object.
82
83       • If the argument is a prefix match on one of:
84
85         • owner: the owner hierarchy
86
87         • platform: the platform hierarchy
88
89         • endorsement: the endorsement hierarchy
90
91         • lockout: the lockout control persistent object
92
93       • If the argument argument can be loaded as a number it will  be  treat
94         as a handle, e.g.  0x81010013 and used directly.OBJECT.
95

Authorization Formatting

97       Authorization  for  use  of an object in TPM2.0 can come in 3 different
98       forms: 1.  Password 2.  HMAC 3.  Sessions
99
100       NOTE: "Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
101       fied".
102
103   Passwords
104       Passwords  are  interpreted  in  the following forms below using prefix
105       identifiers.
106
107       Note: By default passwords are assumed to be in the  string  form  when
108       they do not have a prefix.
109
110   String
111       A  string  password,  specified  by  prefix "str:" or it's absence (raw
112       string without prefix) is not interpreted, and is directly used for au‐
113       thorization.
114
115   Examples
116              foobar
117              str:foobar
118
119   Hex-string
120       A  hex-string  password, specified by prefix "hex:" is converted from a
121       hexidecimal form into a byte array form, thus allowing  passwords  with
122       non-printable and/or terminal un-friendly characters.
123
124   Example
125              hex:0x1122334455667788
126
127   File
128       A  file  based password, specified be prefix "file:" should be the path
129       of a file containing the password to be read by the tool or  a  "-"  to
130       use  stdin.   Storing  passwords in files prevents information leakage,
131       passwords passed as options can be read from the process list or common
132       shell history features.
133
134   Examples
135              # to use stdin and be prompted
136              file:-
137
138              # to use a file from a path
139              file:path/to/password/file
140
141              # to echo a password via stdin:
142              echo foobar | tpm2_tool -p file:-
143
144              # to use a bash here-string via stdin:
145
146              tpm2_tool -p file:- <<< foobar
147
148   Sessions
149       When  using  a policy session to authorize the use of an object, prefix
150       the option argument with the session keyword.  Then indicate a path  to
151       a session file that was created with tpm2_startauthsession(1).  Option‐
152       ally, if the session requires an auth value to be sent with the session
153       handle  (eg policy password), then append a + and a string as described
154       in the Passwords section.
155
156   Examples
157       To use a session context file called session.ctx.
158
159              session:session.ctx
160
161       To use a session context file called session.ctx AND send the authvalue
162       mypassword.
163
164              session:session.ctx+mypassword
165
166       To use a session context file called session.ctx AND send the HEX auth‐
167       value 0x11223344.
168
169              session:session.ctx+hex:11223344
170
171   PCR Authorizations
172       You can satisfy a PCR policy using the "pcr:" prefix and the PCR  mini‐
173       language.       The     PCR     minilanguage     is     as     follows:
174       <pcr-spec>=<raw-pcr-file>
175
176       The PCR spec is documented in in the section "PCR bank specifiers".
177
178       The raw-pcr-file is an optional the output of the raw PCR  contents  as
179       returned by tpm2_pcrread(1).
180
181       PCR bank specifiers (common/pcr.md)
182
183   Examples
184       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
185       er of:
186
187              pcr:sha256:0,1,2,3
188
189       specifying AUTH.
190

Algorithm Specifiers

192       Options that take algorithms support "nice-names".
193
194       There are two major algorithm specification string classes, simple  and
195       complex.  Only certain algorithms will be accepted by the TPM, based on
196       usage and conditions.
197
198   Simple specifiers
199       These are strings with no additional specification data.  When creating
200       objects,  non-specified  portions of an object are assumed to defaults.
201       You can find the list of known "Simple Specifiers Below".
202
203   Asymmetric
204       • rsa
205
206       • ecc
207
208   Symmetric
209       • aes
210
211       • camellia
212
213   Hashing Algorithms
214       • sha1
215
216       • sha256
217
218       • sha384
219
220       • sha512
221
222       • sm3_256
223
224       • sha3_256
225
226       • sha3_384
227
228       • sha3_512
229
230   Keyed Hash
231       • hmac
232
233       • xor
234
235   Signing Schemes
236       • rsassa
237
238       • rsapss
239
240       • ecdsa
241
242       • ecdaa
243
244       • ecschnorr
245
246   Asymmetric Encryption Schemes
247       • oaep
248
249       • rsaes
250
251       • ecdh
252
253   Modes
254       • ctr
255
256       • ofb
257
258       • cbc
259
260       • cfb
261
262       • ecb
263
264   Misc
265       • null
266
267   Complex Specifiers
268       Objects, when specified for creation by the TPM,  have  numerous  algo‐
269       rithms  to  populate  in the public data.  Things like type, scheme and
270       asymmetric details, key size, etc.  Below is  the  general  format  for
271       specifying this data: <type>:<scheme>:<symmetric-details>
272
273   Type Specifiers
274       This  portion  of the complex algorithm specifier is required.  The re‐
275       maining scheme and symmetric details will default  based  on  the  type
276       specified and the type of the object being created.
277
278       • aes - Default AES: aes128
279
280       • aes128<mode>  - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
281         If mode is not specified, defaults to null.
282
283       • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
284
285       • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
286
287       • ecc - Elliptical Curve, defaults to ecc256.
288
289       • ecc192 - 192 bit ECC
290
291       • ecc224 - 224 bit ECC
292
293       • ecc256 - 256 bit ECC
294
295       • ecc384 - 384 bit ECC
296
297       • ecc521 - 521 bit ECC
298
299       • rsa - Default RSA: rsa2048
300
301       • rsa1024 - RSA with 1024 bit keysize.
302
303       • rsa2048 - RSA with 2048 bit keysize.
304
305       • rsa4096 - RSA with 4096 bit keysize.
306
307   Scheme Specifiers
308       Next, is an optional field, it can be skipped.
309
310       Schemes are usually Signing Schemes or Asymmetric  Encryption  Schemes.
311       Most signing schemes take a hash algorithm directly following the sign‐
312       ing scheme.  If the hash algorithm is missing, it defaults  to  sha256.
313       Some take no arguments, and some take multiple arguments.
314
315   Hash Optional Scheme Specifiers
316       These  scheme  specifiers are followed by a dash and a valid hash algo‐
317       rithm, For example: oaep-sha256.
318
319       • oaep
320
321       • ecdh
322
323       • rsassa
324
325       • rsapss
326
327       • ecdsa
328
329       • ecschnorr
330
331   Multiple Option Scheme Specifiers
332       This scheme specifier is followed by a count  (max  size  UINT16)  then
333       followed by a dash(-) and a valid hash algorithm.  * ecdaa For example,
334       ecdaa4-sha256.  If no count is specified, it defaults to 4.
335
336   No Option Scheme Specifiers
337       This scheme specifier takes NO arguments.  * rsaes
338
339   Symmetric Details Specifiers
340       This field is optional, and defaults based on the type of object  being
341       created  and it's attributes.  Generally, any valid Symmetric specifier
342       from the Type Specifiers list should work.  If not specified, an  asym‐
343       metric objects symmetric details defaults to aes128cfb.
344
345   Examples
346   Create an rsa2048 key with an rsaes asymmetric encryption scheme
347       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
348
349   Create an ecc256 key with an ecdaa signing scheme with a count of 4
350       and sha384 hash
351
352       /tpm2_create -C parent.ctx -G ecc256:ec‐
353       daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
354

COMMON OPTIONS

356       This collection of options are common to many programs and provide  in‐
357       formation that many users may expect.
358
359-h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
360         attempts to invoke the manpager for the  tool,  however,  on  failure
361         will  output  a short tool summary.  This is the same behavior if the
362         "man" option argument is specified, however if explicit "man" is  re‐
363         quested,  the  tool  will  provide errors from man on stderr.  If the
364         "no-man" option if specified, or the manpager fails,  the  short  op‐
365         tions will be output to stdout.
366
367         To  successfully use the manpages feature requires the manpages to be
368         installed or on MANPATH, See man(1) for more details.
369
370-v, --version: Display version information for this  tool,  supported
371         tctis and exit.
372
373-V,  --verbose:  Increase the information that the tool prints to the
374         console during its execution.  When using this option  the  file  and
375         line number are printed.
376
377-Q, --quiet: Silence normal tool output to stdout.
378
379-Z, --enable-errata: Enable the application of errata fixups.  Useful
380         if an errata fixup needs to be applied to commands sent to  the  TPM.
381         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
382         formation many users may expect.
383

TCTI Configuration

385       The TCTI or "Transmission Interface"  is  the  communication  mechanism
386       with  the TPM.  TCTIs can be changed for communication with TPMs across
387       different mediums.
388
389       To control the TCTI, the tools respect:
390
391       1. The command line option -T or --tcti
392
393       2. The environment variable: TPM2TOOLS_TCTI.
394
395       Note: The command line option always overrides  the  environment  vari‐
396       able.
397
398       The current known TCTIs are:
399
400       • tabrmd      -     The     resource     manager,     called     tabrmd
401         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
402         abrmd as a tcti name are synonymous.
403
404       • mssim  - Typically used for communicating to the TPM software simula‐
405         tor.
406
407       • device - Used when talking directly to a TPM device file.
408
409       • none - Do not initalize a connection with the TPM.  Some tools  allow
410         for off-tpm options and thus support not using a TCTI.  Tools that do
411         not support it will error when attempted to be used  without  a  TCTI
412         connection.   Does  not  support ANY options and MUST BE presented as
413         the exact text of "none".
414
415       The arguments to either the command  line  option  or  the  environment
416       variable are in the form:
417
418       <tcti-name>:<tcti-option-config>
419
420       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
421       tion-config> results in the default being used for that portion respec‐
422       tively.
423
424   TCTI Defaults
425       When  a  TCTI  is not specified, the default TCTI is searched for using
426       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
427       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
428       what TCTI will be chosen as the default by using the -v option to print
429       the  version information.  The "default-tcti" key-value pair will indi‐
430       cate which of the aforementioned TCTIs is the default.
431
432   Custom TCTIs
433       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
434       tools internally use dlopen(3), and the raw tcti-name value is used for
435       the lookup.  Thus, this could be a path to the shared library, or a li‐
436       brary name as understood by dlopen(3) semantics.
437

TCTI OPTIONS

439       This collection of options are used to configure the various known TCTI
440       modules available:
441
442device: For the device TCTI, the TPM character device file for use by
443         the device TCTI can be specified.  The default is /dev/tpm0.
444
445         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI="de‐
446         vice:/dev/tpm0"
447
448        mssim: For the mssim TCTI, the domain name or  IP  address  and  port
449         number  used  by  the  simulator  can  be specified.  The default are
450         127.0.0.1 and 2321.
451
452         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
453         TI="mssim:host=localhost,port=2321"
454
455        abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
456         ries of simple key value pairs separated by a  ','  character.   Each
457         key and value string are separated by a '=' character.
458
459         • TCTI abrmd supports two keys:
460
461           1. 'bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
462              string).
463
464           2. 'bus_type' : The type of the dbus instance (a string) limited to
465              'session' and 'system'.
466
467         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
468         ample.FooBar:
469
470         \--tcti=tabrmd:bus_name=com.example.FooBar
471
472         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
473         sion:
474
475         \--tcti:bus_type=session
476
477         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
478         ules.
479

EXAMPLES

481   Create an Endorsement Key and make it persistent
482              tpm2_createek -P abc123 -w abc123 -c 0x81010001 -G rsa -u ek.pub
483
484   Create a transient Endorsement Key, flush it, and reload it.
485              tpm2_createek -G rsa -u ek.pub
486
487              # Check that it is loaded in transient memory
488              tpm2_getcap handles-transient
489              - 0x80000000
490
491              # Flush the handle
492              tpm2_flushcontext 0x80000000
493
494              # Note that it is flushed
495              tpm2_getcap handles-transient
496              <null output>
497
498              # Reload it via loadexternal
499              tpm2_loadexternal -C o -u ek.pub -c ek.ctx
500
501              # Check that it is re-loaded in transient memory
502              tpm2_getcap handles-transient
503              - 0x80000000
504

Returns

506       Tools can return any of the following codes:
507
508       • 0 - Success.
509
510       • 1 - General non-specific error.
511
512       • 2 - Options handling error.
513
514       • 3 - Authentication error.
515
516       • 4 - TCTI related error.
517
518       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
519

BUGS

521       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
522

HELP

524       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
525
526
527
528tpm2-tools                                                    tpm2_createek(1)
Impressum