1tpm2_createek(1) General Commands Manual tpm2_createek(1)
2
3
4
6 tpm2_createek(1) - Generate TCG profile compliant endorsement key.
7
9 tpm2_createek [OPTIONS]
10
12 tpm2_createek(1) - Generate TCG profile compliant endorsement key (EK),
13 which is the primary object of the endorsement hierarchy.
14
15 If a transient object is generated the tool outputs a context file
16 specified with -c.
17
18 Refer to: <http://www.trustedcomputinggroup.org/files/stat‐
19 ic_page_files/7CAA5687-1A4B-B294-D04080D058E86C5F>
20
22 • -P, --eh-auth=AUTH:
23
24 The authorization value for the endorsement hierarchy
25
26 • -w, --owner-auth=AUTH
27
28 The authorization value for the owner hierarchy.
29
30 • -c, --ek-context=OBJECT or FILE:
31
32 Either a file path or a persistent handle value to save the endorse‐
33 ment key.
34
35 If a value of - is passed the tool will find a vacant persistent han‐
36 dle to use and print out the automatically selected handle.
37
38 If one saves the context file via this option and the public key via
39 the -u option, the EK can be restored via a call to tpm2_loadexter‐
40 nal(1).
41
42 • -G, --key-algorithm=ALGORITHM:
43 The endorsement key algorithm. Supports:
44
45 • ecc - An P256 key.
46
47 • rsa - An RSA2048 key.
48
49 • keyedhash - hmac key.
50
51 • -u, --public=FILE:
52
53 The optional input for a file to save the public portion of endorse‐
54 ment key.
55
56 • -t, --template:
57
58 The optional manufacturer defined endorsement key template and nonce
59 from fixed NV Indices to populate the TPM2B_PUBLIC public area. See
60 the TCG EK Credential Profile specification for more information:
61 https://trustedcomputinggroup.org/wp-content/uploads/ TCG_IWG_Creden‐
62 tial_Profile_EK_V2.1_R13.pdf
63
64 • -f, --format:
65
66 Format selection for the public key output file. 'tss' (the default)
67 will output a binary blob according to the TPM 2.0 Specification.
68 'pem' will output an OpenSSL compatible PEM encoded public key.
69 'der' will output an OpenSSL compatible DER encoded public key.
70 'tpmt' will output a binary blob of the TPMT_PUBLIC struct referenced
71 by TPM 2.0 specs.
72
73 Public key format.
74
75 References
77 The type of a context object, whether it is a handle or file name, is
78 determined according to the following logic in-order:
79
80 • If the argument is a file path, then the file is loaded as a restored
81 TPM transient object.
82
83 • If the argument is a prefix match on one of:
84
85 • owner: the owner hierarchy
86
87 • platform: the platform hierarchy
88
89 • endorsement: the endorsement hierarchy
90
91 • lockout: the lockout control persistent object
92
93 • If the argument argument can be loaded as a number it will be treat
94 as a handle, e.g. 0x81010013 and used directly.OBJECT.
95
97 Authorization for use of an object in TPM2.0 can come in 3 different
98 forms: 1. Password 2. HMAC 3. Sessions
99
100 NOTE: "Authorizations default to the EMPTY PASSWORD when not speci‐
101 fied".
102
103 Passwords
104 Passwords are interpreted in the following forms below using prefix
105 identifiers.
106
107 Note: By default passwords are assumed to be in the string form when
108 they do not have a prefix.
109
110 String
111 A string password, specified by prefix "str:" or it's absence (raw
112 string without prefix) is not interpreted, and is directly used for au‐
113 thorization.
114
115 Examples
116 foobar
117 str:foobar
118
119 Hex-string
120 A hex-string password, specified by prefix "hex:" is converted from a
121 hexidecimal form into a byte array form, thus allowing passwords with
122 non-printable and/or terminal un-friendly characters.
123
124 Example
125 hex:0x1122334455667788
126
127 File
128 A file based password, specified be prefix "file:" should be the path
129 of a file containing the password to be read by the tool or a "-" to
130 use stdin. Storing passwords in files prevents information leakage,
131 passwords passed as options can be read from the process list or common
132 shell history features.
133
134 Examples
135 # to use stdin and be prompted
136 file:-
137
138 # to use a file from a path
139 file:path/to/password/file
140
141 # to echo a password via stdin:
142 echo foobar | tpm2_tool -p file:-
143
144 # to use a bash here-string via stdin:
145
146 tpm2_tool -p file:- <<< foobar
147
148 Sessions
149 When using a policy session to authorize the use of an object, prefix
150 the option argument with the session keyword. Then indicate a path to
151 a session file that was created with tpm2_startauthsession(1). Option‐
152 ally, if the session requires an auth value to be sent with the session
153 handle (eg policy password), then append a + and a string as described
154 in the Passwords section.
155
156 Examples
157 To use a session context file called session.ctx.
158
159 session:session.ctx
160
161 To use a session context file called session.ctx AND send the authvalue
162 mypassword.
163
164 session:session.ctx+mypassword
165
166 To use a session context file called session.ctx AND send the HEX auth‐
167 value 0x11223344.
168
169 session:session.ctx+hex:11223344
170
171 PCR Authorizations
172 You can satisfy a PCR policy using the "pcr:" prefix and the PCR mini‐
173 language. The PCR minilanguage is as follows:
174 <pcr-spec>=<raw-pcr-file>
175
176 The PCR spec is documented in in the section "PCR bank specifiers".
177
178 The raw-pcr-file is an optional the output of the raw PCR contents as
179 returned by tpm2_pcrread(1).
180
181 PCR bank specifiers (common/pcr.md)
182
183 Examples
184 To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
185 er of:
186
187 pcr:sha256:0,1,2,3
188
189 specifying AUTH.
190
192 Options that take algorithms support "nice-names".
193
194 There are two major algorithm specification string classes, simple and
195 complex. Only certain algorithms will be accepted by the TPM, based on
196 usage and conditions.
197
198 Simple specifiers
199 These are strings with no additional specification data. When creating
200 objects, non-specified portions of an object are assumed to defaults.
201 You can find the list of known "Simple Specifiers Below".
202
203 Asymmetric
204 • rsa
205
206 • ecc
207
208 Symmetric
209 • aes
210
211 • camellia
212
213 Hashing Algorithms
214 • sha1
215
216 • sha256
217
218 • sha384
219
220 • sha512
221
222 • sm3_256
223
224 • sha3_256
225
226 • sha3_384
227
228 • sha3_512
229
230 Keyed Hash
231 • hmac
232
233 • xor
234
235 Signing Schemes
236 • rsassa
237
238 • rsapss
239
240 • ecdsa
241
242 • ecdaa
243
244 • ecschnorr
245
246 Asymmetric Encryption Schemes
247 • oaep
248
249 • rsaes
250
251 • ecdh
252
253 Modes
254 • ctr
255
256 • ofb
257
258 • cbc
259
260 • cfb
261
262 • ecb
263
264 Misc
265 • null
266
267 Complex Specifiers
268 Objects, when specified for creation by the TPM, have numerous algo‐
269 rithms to populate in the public data. Things like type, scheme and
270 asymmetric details, key size, etc. Below is the general format for
271 specifying this data: <type>:<scheme>:<symmetric-details>
272
273 Type Specifiers
274 This portion of the complex algorithm specifier is required. The re‐
275 maining scheme and symmetric details will default based on the type
276 specified and the type of the object being created.
277
278 • aes - Default AES: aes128
279
280 • aes128<mode> - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
281 If mode is not specified, defaults to null.
282
283 • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
284
285 • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
286
287 • ecc - Elliptical Curve, defaults to ecc256.
288
289 • ecc192 - 192 bit ECC
290
291 • ecc224 - 224 bit ECC
292
293 • ecc256 - 256 bit ECC
294
295 • ecc384 - 384 bit ECC
296
297 • ecc521 - 521 bit ECC
298
299 • rsa - Default RSA: rsa2048
300
301 • rsa1024 - RSA with 1024 bit keysize.
302
303 • rsa2048 - RSA with 2048 bit keysize.
304
305 • rsa4096 - RSA with 4096 bit keysize.
306
307 Scheme Specifiers
308 Next, is an optional field, it can be skipped.
309
310 Schemes are usually Signing Schemes or Asymmetric Encryption Schemes.
311 Most signing schemes take a hash algorithm directly following the sign‐
312 ing scheme. If the hash algorithm is missing, it defaults to sha256.
313 Some take no arguments, and some take multiple arguments.
314
315 Hash Optional Scheme Specifiers
316 These scheme specifiers are followed by a dash and a valid hash algo‐
317 rithm, For example: oaep-sha256.
318
319 • oaep
320
321 • ecdh
322
323 • rsassa
324
325 • rsapss
326
327 • ecdsa
328
329 • ecschnorr
330
331 Multiple Option Scheme Specifiers
332 This scheme specifier is followed by a count (max size UINT16) then
333 followed by a dash(-) and a valid hash algorithm. * ecdaa For example,
334 ecdaa4-sha256. If no count is specified, it defaults to 4.
335
336 No Option Scheme Specifiers
337 This scheme specifier takes NO arguments. * rsaes
338
339 Symmetric Details Specifiers
340 This field is optional, and defaults based on the type of object being
341 created and it's attributes. Generally, any valid Symmetric specifier
342 from the Type Specifiers list should work. If not specified, an asym‐
343 metric objects symmetric details defaults to aes128cfb.
344
345 Examples
346 Create an rsa2048 key with an rsaes asymmetric encryption scheme
347 tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
348
349 Create an ecc256 key with an ecdaa signing scheme with a count of 4
350 and sha384 hash
351
352 /tpm2_create -C parent.ctx -G ecc256:ec‐
353 daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
354
356 This collection of options are common to many programs and provide in‐
357 formation that many users may expect.
358
359 • -h, --help=[man|no-man]: Display the tools manpage. By default, it
360 attempts to invoke the manpager for the tool, however, on failure
361 will output a short tool summary. This is the same behavior if the
362 "man" option argument is specified, however if explicit "man" is re‐
363 quested, the tool will provide errors from man on stderr. If the
364 "no-man" option if specified, or the manpager fails, the short op‐
365 tions will be output to stdout.
366
367 To successfully use the manpages feature requires the manpages to be
368 installed or on MANPATH, See man(1) for more details.
369
370 • -v, --version: Display version information for this tool, supported
371 tctis and exit.
372
373 • -V, --verbose: Increase the information that the tool prints to the
374 console during its execution. When using this option the file and
375 line number are printed.
376
377 • -Q, --quiet: Silence normal tool output to stdout.
378
379 • -Z, --enable-errata: Enable the application of errata fixups. Useful
380 if an errata fixup needs to be applied to commands sent to the TPM.
381 Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent. in‐
382 formation many users may expect.
383
385 The TCTI or "Transmission Interface" is the communication mechanism
386 with the TPM. TCTIs can be changed for communication with TPMs across
387 different mediums.
388
389 To control the TCTI, the tools respect:
390
391 1. The command line option -T or --tcti
392
393 2. The environment variable: TPM2TOOLS_TCTI.
394
395 Note: The command line option always overrides the environment vari‐
396 able.
397
398 The current known TCTIs are:
399
400 • tabrmd - The resource manager, called tabrmd
401 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
402 abrmd as a tcti name are synonymous.
403
404 • mssim - Typically used for communicating to the TPM software simula‐
405 tor.
406
407 • device - Used when talking directly to a TPM device file.
408
409 • none - Do not initalize a connection with the TPM. Some tools allow
410 for off-tpm options and thus support not using a TCTI. Tools that do
411 not support it will error when attempted to be used without a TCTI
412 connection. Does not support ANY options and MUST BE presented as
413 the exact text of "none".
414
415 The arguments to either the command line option or the environment
416 variable are in the form:
417
418 <tcti-name>:<tcti-option-config>
419
420 Specifying an empty string for either the <tcti-name> or <tcti-op‐
421 tion-config> results in the default being used for that portion respec‐
422 tively.
423
424 TCTI Defaults
425 When a TCTI is not specified, the default TCTI is searched for using
426 dlopen(3) semantics. The tools will search for tabrmd, device and
427 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
428 what TCTI will be chosen as the default by using the -v option to print
429 the version information. The "default-tcti" key-value pair will indi‐
430 cate which of the aforementioned TCTIs is the default.
431
432 Custom TCTIs
433 Any TCTI that implements the dynamic TCTI interface can be loaded. The
434 tools internally use dlopen(3), and the raw tcti-name value is used for
435 the lookup. Thus, this could be a path to the shared library, or a li‐
436 brary name as understood by dlopen(3) semantics.
437
439 This collection of options are used to configure the various known TCTI
440 modules available:
441
442 • device: For the device TCTI, the TPM character device file for use by
443 the device TCTI can be specified. The default is /dev/tpm0.
444
445 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="de‐
446 vice:/dev/tpm0"
447
448 • mssim: For the mssim TCTI, the domain name or IP address and port
449 number used by the simulator can be specified. The default are
450 127.0.0.1 and 2321.
451
452 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
453 TI="mssim:host=localhost,port=2321"
454
455 • abrmd: For the abrmd TCTI, the configuration string format is a se‐
456 ries of simple key value pairs separated by a ',' character. Each
457 key and value string are separated by a '=' character.
458
459 • TCTI abrmd supports two keys:
460
461 1. 'bus_name' : The name of the tabrmd service on the bus (a
462 string).
463
464 2. 'bus_type' : The type of the dbus instance (a string) limited to
465 'session' and 'system'.
466
467 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
468 ample.FooBar:
469
470 \--tcti=tabrmd:bus_name=com.example.FooBar
471
472 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
473 sion:
474
475 \--tcti:bus_type=session
476
477 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
478 ules.
479
481 Create an Endorsement Key and make it persistent
482 tpm2_createek -P abc123 -w abc123 -c 0x81010001 -G rsa -u ek.pub
483
484 Create a transient Endorsement Key, flush it, and reload it.
485 tpm2_createek -G rsa -u ek.pub
486
487 # Check that it is loaded in transient memory
488 tpm2_getcap handles-transient
489 - 0x80000000
490
491 # Flush the handle
492 tpm2_flushcontext 0x80000000
493
494 # Note that it is flushed
495 tpm2_getcap handles-transient
496 <null output>
497
498 # Reload it via loadexternal
499 tpm2_loadexternal -C o -u ek.pub -c ek.ctx
500
501 # Check that it is re-loaded in transient memory
502 tpm2_getcap handles-transient
503 - 0x80000000
504
506 Tools can return any of the following codes:
507
508 • 0 - Success.
509
510 • 1 - General non-specific error.
511
512 • 2 - Options handling error.
513
514 • 3 - Authentication error.
515
516 • 4 - TCTI related error.
517
518 • 5 - Non supported scheme. Applicable to tpm2_testparams.
519
521 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
522
524 See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
525
526
527
528tpm2-tools tpm2_createek(1)