1tpm2_createprimary(1)       General Commands Manual      tpm2_createprimary(1)
2
3
4

NAME

6       tpm2_createprimary(1) - Create a primary key.
7

SYNOPSIS

9       tpm2_createprimary [OPTIONS]
10

DESCRIPTION

12       tpm2_createprimary(1) - This command is used to create a primary object
13       under one of the hierarchies: Owner, Platform, Endorsement, NULL.   The
14       command  will create and load a Primary Object.  The sensitive and pub‐
15       lic portions are not returned.  A context file for the created object’s
16       handle is saved as a file for future interactions with the created pri‐
17       mary.
18

OPTIONS

20-C, --hierarchy=OBJECT:
21         The hierarchy under which the object is created.  This will also dic‐
22         tate  which authorization secret (if any) must be supplied.  Defaults
23         to TPM_RH_OWNER, when no value specified.  Supported options are:
24
25o for TPM_RH_OWNER
26
27p for TPM_RH_PLATFORM
28
29e for TPM_RH_ENDORSEMENT
30
31n for TPM_RH_NULL
32
33<num> where a raw number can be used.
34
35-P, --hierarchy-auth=AUTH:
36
37         The authorization value for the hierarchy specified with -C.
38
39-p, --key-auth=AUTH:
40
41         The authorization value for the primary object created.
42
43-g, --hash-algorithm=ALGORITHM:
44
45         The hash algorithm to use for generating the objects name.   Defaults
46         to sha256 if not specified.
47
48-G, --key-algorithm=ALGORITHM:
49
50         The  algorithm  type  for  the  generated  primary  key.  Defaults to
51         rsa2048:null:aes128cfb.
52
53-c, --key-context=FILE:
54
55         The file path to save the object context of the generated primary ob‐
56         ject.
57
58-L, --policy=FILE:
59
60         An  optional  file  input  that contains the policy digest for policy
61         based authorization of the object.
62
63-a, --attributes=ATTRIBUTES:
64
65         The object attributes, optional.  Defaults to:  TPMA_OBJECT_RESTRICT‐
66         ED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|    TPMA_OBJECT_FIXEDPAR‐
67         ENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|  TPMA_OBJECT_USERWITHAUTH
68
69-u, --unique-data=FILE OR STDIN:
70
71         An optional file input that contains the unique field of  TPMT_PUBLIC
72         in  little-endian  format.  Primary key creator may place information
73         that causes the primary key generation scheme internal to the TPM  to
74         generate  statistically  unique  values.   The TPM v2.0 specification
75         calls this field unique and overloads it so that it contains one val‐
76         ue  when the application provides this structure as input and another
77         value when the applications receives this structure as  output  (like
78         public portion of the rsa key).
79
80         If  the  data is specified as a file, the user is responsible for en‐
81         suring that this buffer is formatted per TPMU_PUBLIC_ID union.
82
83         The unique data can also be retrieved from stdin buffer by specifying
84         “-”  as the –unique-data option value and the tool will parse the key
85         type and associate the input data with the unique data buffer associ‐
86         ated with the key type.  NOTE:
87
88         1. The maximum allowed bytes is dependent on key type and the TPM im‐
89            plementation.   Eg.   While  TSS  allows  a  value  upto  512  for
90            MAX_RSA_KEY_BYTES,  however the ibmSwTPM implementation supports a
91            value upto 256 bytes.
92
93         2. The unique input data specified on stdin  for  ECC  is  split  for
94            specifying the X coordinate and Y coordinate buffers.
95
96--creation-data=FILE:
97
98         An  optional  file output that saves the creation data for certifica‐
99         tion.
100
101--template-data=FILE:
102
103         An optional file output that saves the key template data  (TPM2B_PUB‐
104         LIC) to be used in tpm2_policytemplate.
105
106-t, --creation-ticket=FILE:
107
108         An optional file output that saves the creation ticket for certifica‐
109         tion.
110
111-d, --creation-hash=FILE:
112
113         An optional file output that saves the creation hash  for  certifica‐
114         tion.
115
116-q, --outside-info=FILE_OR_HEX:
117
118         An optional file or hex string to add unique data to the creation da‐
119         ta.  Note that it  does  not  contribute  in  creating  statistically
120         unique object.
121
122-l, --pcr-list=PCR:
123
124         The  list of PCR banks and selected PCRs’ ids for each bank to be in‐
125         cluded in the creation data for certification.
126
127--cphash=FILE
128
129         File path to record the hash of the command parameters.  This is com‐
130         monly termed as cpHash.  NOTE: When this option is selected, The tool
131         will not actually execute the command, it simply returns a cpHash.
132
133-f, --format:
134
135         Format selection for the public key output file.  `tss' (the default)
136         will  output  a  binary  blob according to the TPM 2.0 Specification.
137         `pem' will output an  OpenSSL  compatible  PEM  encoded  public  key.
138         `der'  will  output  an  OpenSSL  compatible  DER encoded public key.
139         `tpmt' will output a binary blob of the TPMT_PUBLIC struct referenced
140         by TPM 2.0 specs.
141
142         Public key format.
143
144-o, --output=FILE:
145
146         The output file path, recording the public portion of the object.
147
148   References

Context Object Format

150       The  type  of a context object, whether it is a handle or file name, is
151       determined according to the following logic in-order:
152
153       • If the argument is a file path, then the file is loaded as a restored
154         TPM transient object.
155
156       • If the argument is a prefix match on one of:
157
158         • owner: the owner hierarchy
159
160         • platform: the platform hierarchy
161
162         • endorsement: the endorsement hierarchy
163
164         • lockout: the lockout control persistent object
165
166       • If  the  argument argument can be loaded as a number it will be treat
167         as a handle, e.g. 0x81010013 and used directly._OBJECT_.
168

Authorization Formatting

170       Authorization for use of an object in TPM2.0 can come  in  3  different
171       forms: 1.  Password 2.  HMAC 3.  Sessions
172
173       NOTE:  “Authorizations  default  to  the EMPTY PASSWORD when not speci‐
174       fied”.
175
176   Passwords
177       Passwords are interpreted in the following  forms  below  using  prefix
178       identifiers.
179
180       Note:  By  default  passwords are assumed to be in the string form when
181       they do not have a prefix.
182
183   String
184       A string password, specified by prefix  “str:”  or  it’s  absence  (raw
185       string without prefix) is not interpreted, and is directly used for au‐
186       thorization.
187
188   Examples
189              foobar
190              str:foobar
191
192   Hex-string
193       A hex-string password, specified by prefix “hex:” is converted  from  a
194       hexidecimal  form  into a byte array form, thus allowing passwords with
195       non-printable and/or terminal un-friendly characters.
196
197   Example
198              hex:0x1122334455667788
199
200   File
201       A file based password, specified be prefix “file:” should be  the  path
202       of  a  file  containing the password to be read by the tool or a “-” to
203       use stdin.  Storing passwords in files  prevents  information  leakage,
204       passwords passed as options can be read from the process list or common
205       shell history features.
206
207   Examples
208              # to use stdin and be prompted
209              file:-
210
211              # to use a file from a path
212              file:path/to/password/file
213
214              # to echo a password via stdin:
215              echo foobar | tpm2_tool -p file:-
216
217              # to use a bash here-string via stdin:
218
219              tpm2_tool -p file:- <<< foobar
220
221   Sessions
222       When using a policy session to authorize the use of an  object,  prefix
223       the  option argument with the session keyword.  Then indicate a path to
224       a session file that was created with tpm2_startauthsession(1).  Option‐
225       ally, if the session requires an auth value to be sent with the session
226       handle (eg policy password), then append a + and a string as  described
227       in the Passwords section.
228
229   Examples
230       To use a session context file called session.ctx.
231
232              session:session.ctx
233
234       To use a session context file called session.ctx AND send the authvalue
235       mypassword.
236
237              session:session.ctx+mypassword
238
239       To use a session context file called session.ctx AND send the HEX auth‐
240       value 0x11223344.
241
242              session:session.ctx+hex:11223344
243
244   PCR Authorizations
245       You  can satisfy a PCR policy using the “pcr:” prefix and the PCR mini‐
246       language.      The     PCR     minilanguage     is     as      follows:
247       <pcr-spec>=<raw-pcr-file>
248
249       The PCR spec is documented in in the section “PCR bank specifiers”.
250
251       The  raw-pcr-file  is  an optional argument that contains the output of
252       the raw PCR contents as returned by tpm2_pcrread(1).
253
254       PCR bank specifiers (pcr.md)
255
256   Examples
257       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
258       er of:
259
260              pcr:sha256:0,1,2,3
261
262       specifying AUTH.
263

Algorithm Specifiers

265       Options that take algorithms support “nice-names”.
266
267       There  are two major algorithm specification string classes, simple and
268       complex.  Only certain algorithms will be accepted by the TPM, based on
269       usage and conditions.
270
271   Simple specifiers
272       These are strings with no additional specification data.  When creating
273       objects, non-specified portions of an object are assumed  to  defaults.
274       You can find the list of known “Simple Specifiers Below”.
275
276   Asymmetric
277       • rsa
278
279       • ecc
280
281   Symmetric
282       • aes
283
284       • camellia
285
286   Hashing Algorithms
287       • sha1
288
289       • sha256
290
291       • sha384
292
293       • sha512
294
295       • sm3_256
296
297       • sha3_256
298
299       • sha3_384
300
301       • sha3_512
302
303   Keyed Hash
304       • hmac
305
306       • xor
307
308   Signing Schemes
309       • rsassa
310
311       • rsapss
312
313       • ecdsa
314
315       • ecdaa
316
317       • ecschnorr
318
319   Asymmetric Encryption Schemes
320       • oaep
321
322       • rsaes
323
324       • ecdh
325
326   Modes
327       • ctr
328
329       • ofb
330
331       • cbc
332
333       • cfb
334
335       • ecb
336
337   Misc
338       • null
339
340   Complex Specifiers
341       Objects,  when  specified  for creation by the TPM, have numerous algo‐
342       rithms to populate in the public data.  Things like  type,  scheme  and
343       asymmetric  details,  key  size,  etc.  Below is the general format for
344       specifying this data: <type>:<scheme>:<symmetric-details>
345
346   Type Specifiers
347       This portion of the complex algorithm specifier is required.   The  re‐
348       maining  scheme  and  symmetric  details will default based on the type
349       specified and the type of the object being created.
350
351       • aes - Default AES: aes128
352
353       • aes128<mode> - 128 bit AES with optional mode  (ctr|ofb|cbc|cfb|ecb).
354         If mode is not specified, defaults to null.
355
356       • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
357
358       • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
359
360       • ecc - Elliptical Curve, defaults to ecc256.
361
362       • ecc192 - 192 bit ECC
363
364       • ecc224 - 224 bit ECC
365
366       • ecc256 - 256 bit ECC
367
368       • ecc384 - 384 bit ECC
369
370       • ecc521 - 521 bit ECC
371
372       • rsa - Default RSA: rsa2048
373
374       • rsa1024 - RSA with 1024 bit keysize.
375
376       • rsa2048 - RSA with 2048 bit keysize.
377
378       • rsa4096 - RSA with 4096 bit keysize.
379
380   Scheme Specifiers
381       Next, is an optional field, it can be skipped.
382
383       Schemes  are  usually Signing Schemes or Asymmetric Encryption Schemes.
384       Most signing schemes take a hash algorithm directly following the sign‐
385       ing  scheme.   If the hash algorithm is missing, it defaults to sha256.
386       Some take no arguments, and some take multiple arguments.
387
388   Hash Optional Scheme Specifiers
389       These scheme specifiers are followed by a dash and a valid  hash  algo‐
390       rithm, For example: oaep-sha256.
391
392       • oaep
393
394       • ecdh
395
396       • rsassa
397
398       • rsapss
399
400       • ecdsa
401
402       • ecschnorr
403
404   Multiple Option Scheme Specifiers
405       This  scheme  specifier  is  followed by a count (max size UINT16) then
406       followed by a dash(-) and a valid hash algorithm.  * ecdaa For example,
407       ecdaa4-sha256.  If no count is specified, it defaults to 4.
408
409   No Option Scheme Specifiers
410       This scheme specifier takes NO arguments.  * rsaes
411
412   Symmetric Details Specifiers
413       This  field is optional, and defaults based on the type of object being
414       created and it’s attributes.  Generally, any valid Symmetric  specifier
415       from  the Type Specifiers list should work.  If not specified, an asym‐
416       metric objects symmetric details defaults to aes128cfb.
417
418   Examples
419   Create an rsa2048 key with an rsaes asymmetric encryption scheme
420       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
421
422   Create an ecc256 key with an ecdaa signing scheme with a  count  of  4  and
423       sha384 hash
424       /tpm2_create  -C  parent.ctx  -G  ecc256:ecdaa4-sha384  -u  key.pub  -r
425       key.priv cryptographic algorithms ALGORITHM.
426

Object Attributes

428       Object Attributes are used to control various properties of created ob‐
429       jects.   When  specified  as an option, either the raw bitfield mask or
430       “nice-names” may be used.  The values can be found in Table 31  Part  2
431       of the TPM2.0 specification, which can be found here:
432
433       <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
434       Rev-2.0-Part-2-Structures-01.38.pdf>
435
436       Nice names are calculated by taking the name field of table 31 and  re‐
437       moving  the  prefix TPMA_OBJECT_ and lowercasing the result.  Thus, TP‐
438       MA_OBJECT_FIXEDTPM becomes fixedtpm.  Nice names can  be  joined  using
439       the bitwise or “|” symbol.
440
441       For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
442       and TPMA_OBJECT_SIGN_ENCRYPT, the argument would be:
443
444       fixedtpm|noda|sign specifying the object attributes ATTRIBUTES.
445

COMMON OPTIONS

447       This collection of options are common to many programs and provide  in‐
448       formation that many users may expect.
449
450-h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
451         attempts to invoke the manpager for the  tool,  however,  on  failure
452         will  output  a short tool summary.  This is the same behavior if the
453         “man” option argument is specified, however if explicit “man” is  re‐
454         quested,  the  tool  will  provide errors from man on stderr.  If the
455         “no-man” option if specified, or the manpager fails,  the  short  op‐
456         tions will be output to stdout.
457
458         To  successfully use the manpages feature requires the manpages to be
459         installed or on MANPATH, See man(1) for more details.
460
461-v, --version: Display version information for this  tool,  supported
462         tctis and exit.
463
464-V,  --verbose:  Increase the information that the tool prints to the
465         console during its execution.  When using this option  the  file  and
466         line number are printed.
467
468-Q, --quiet: Silence normal tool output to stdout.
469
470-Z, --enable-errata: Enable the application of errata fixups.  Useful
471         if an errata fixup needs to be applied to commands sent to  the  TPM.
472         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
473         formation many users may expect.
474

TCTI Configuration

476       The TCTI or “Transmission Interface”  is  the  communication  mechanism
477       with  the TPM.  TCTIs can be changed for communication with TPMs across
478       different mediums.
479
480       To control the TCTI, the tools respect:
481
482       1. The command line option -T or --tcti
483
484       2. The environment variable: TPM2TOOLS_TCTI.
485
486       Note: The command line option always overrides  the  environment  vari‐
487       able.
488
489       The current known TCTIs are:
490
491       • tabrmd      -     The     resource     manager,     called     tabrmd
492         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
493         abrmd as a tcti name are synonymous.
494
495       • mssim  - Typically used for communicating to the TPM software simula‐
496         tor.
497
498       • device - Used when talking directly to a TPM device file.
499
500       • none - Do not initalize a connection with the TPM.  Some tools  allow
501         for off-tpm options and thus support not using a TCTI.  Tools that do
502         not support it will error when attempted to be used  without  a  TCTI
503         connection.   Does  not  support ANY options and MUST BE presented as
504         the exact text of “none”.
505
506       The arguments to either the command  line  option  or  the  environment
507       variable are in the form:
508
509       <tcti-name>:<tcti-option-config>
510
511       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
512       tion-config> results in the default being used for that portion respec‐
513       tively.
514
515   TCTI Defaults
516       When  a  TCTI  is not specified, the default TCTI is searched for using
517       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
518       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
519       what TCTI will be chosen as the default by using the -v option to print
520       the  version information.  The “default-tcti” key-value pair will indi‐
521       cate which of the aforementioned TCTIs is the default.
522
523   Custom TCTIs
524       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
525       tools internally use dlopen(3), and the raw tcti-name value is used for
526       the lookup.  Thus, this could be a path to the shared library, or a li‐
527       brary name as understood by dlopen(3) semantics.
528

TCTI OPTIONS

530       This collection of options are used to configure the various known TCTI
531       modules available:
532
533device: For the device TCTI, the TPM character device file for use by
534         the device TCTI can be specified.  The default is /dev/tpm0.
535
536         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI=“de‐
537         vice:/dev/tpm0”
538
539mssim: For the mssim TCTI, the domain name or  IP  address  and  port
540         number  used  by  the  simulator  can  be specified.  The default are
541         127.0.0.1 and 2321.
542
543         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
544         TI=“mssim:host=localhost,port=2321”
545
546abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
547         ries of simple key value pairs separated by a  `,'  character.   Each
548         key and value string are separated by a `=' character.
549
550         • TCTI abrmd supports two keys:
551
552           1. `bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
553              string).
554
555           2. `bus_type' : The type of the dbus instance (a string) limited to
556              `session' and `system'.
557
558         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
559         ample.FooBar:
560
561                \--tcti=tabrmd:bus_name=com.example.FooBar
562
563         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
564         sion:
565
566                \--tcti:bus_type=session
567
568         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
569         ules.
570

EXAMPLES

572   Create an ECC primary object
573              tpm2_createprimary -C o -g sha256 -G ecc -c context.out
574
575   Create a primary object that follows the guidance of TCG Provisioning guide
576       See         :          https://trustedcomputinggroup.org/wp-content/up
577       loads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
578
579       Where  unique.dat contains the binary-formatted data: 0x00 0x01 (0x00 *
580       256)
581
582       ```bash tpm2_createprimary -C  o  -G  rsa2048:aes128cfb  -g  sha256  -c
583       prim.ctx
584       -a   `restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|user‐
585       withauth|
586       noda' -u unique.dat
587
588   Create a primary object and output the public key in pem format
589              tpm2_createprimary -c primary.ctx --format=pem --output=public.pem
590

Returns

592       Tools can return any of the following codes:
593
594       • 0 - Success.
595
596       • 1 - General non-specific error.
597
598       • 2 - Options handling error.
599
600       • 3 - Authentication error.
601
602       • 4 - TCTI related error.
603
604       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
605

BUGS

607       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
608

HELP

610       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
611
612
613
614tpm2-tools                                               tpm2_createprimary(1)
Impressum