swtpm_setup(8)                                                  swtpm_setup(8)



NAME

       swtpm_setup - Swtpm tool to simulate the manufacturing of a TPM 1.2 or
       2.0


SYNOPSIS

       swtpm_setup [OPTIONS]


DESCRIPTION

       swtpm_setup is a tool that prepares the initial state for a libtpms-
       based TPM.

       The following options are supported:

       --runas <userid>
           Use this userid to run swtpm_setup as. Only 'root' can use this
           option.

       --config <file>
           Path to configuration file containing the tool to use for creating
           certificates; see also swtpm_setup.conf

           If this parameter is not provided, the default configuration file
           will be used. The search order for the default configuration file
           is as follows. If the environment variable XDG_CONFIG_HOME is set,
           ${XDG_CONFIG_HOME}/swtpm_setup.conf will be used if available,
           otherwise if the environment variable HOME is set,
           ${HOME}/.config/swtpm_setup.conf will be used if available. If
           none of the previous ones are available, /etc/swtpm_setup.conf
           will be used.

       --tpm-state <dir> or --tpmstate <dir>
           Path where the TPM's state will be written to; this is a mandatory
           argument.  Prefix with dir:// to use the directory backend, or
           file:// to use the linear file backend.

       --tpm <path to executable>
           Path to the TPM executable; this is an optional argument and by
           default the swtpm executable found in the PATH will be used.

       --tpm2
           Do setup on a TPM 2; by default a TPM 1.2 is set up.

       --createek
           Create an endorsement key (EK).

       --allow-signing
           Create an EK that can sign. This option requires --tpm2.

           This option will create a non-standard EK. When re-creating the EK,
           TPM 2 tools have to use the EK Template that is written at an NV
           index corresponding to the created EK (e.g., NV index 0x01c00004
           for the RSA 2048 EK). Otherwise the tool-created EK will not
           correspond to the actual key being used or the modulus shown in
           the EK certificate.

           Note that the TCG specification "EK Credential Profile For TPM
           Family 2.0; Level 0" suggests in its section on "EK Usage" that
           "the Endorsement Key can be created as a decryption or signing
           key." However, some platforms will not accept an EK as a signing
           key, or as a signing and encryption key, and therefore this option
           should be used very carefully.

       --decryption
           Create an EK that can be used for key encipherment. This is the
           default unless --allow-signing is passed. This option requires
           --tpm2.

       --ecc
           Create elliptic curve crypto (ECC) keys; by default RSA keys are
           generated.

       --take-ownership
           Take ownership; this option implies --createek. This option is only
           available for TPM 1.2.

       --ownerpass <password>
           Provide custom owner password; default is 'ooo'. This option is
           only available for TPM 1.2.

       --owner-well-known
           Use a password of all zeros (20 bytes of zeros) as the owner
           password.  This option is only available for TPM 1.2.

       --srkpass <password>
           Provide custom SRK password; default is 'sss'. This option is only
           available for TPM 1.2.

       --srk-well-known
           Use a password of all zeros (20 bytes of zeros) as the SRK
           password.  This option is only available for TPM 1.2.

       --create-ek-cert
           Create an EK certificate; this implies --createek.

       --create-platform-cert
           Create a platform certificate; this implies --create-ek-cert.

       --lock-nvram
           Lock NVRAM access to all NVRAM locations that were written to.

       --display
           At the end display as much info as possible about the configuration
           of the TPM.

       --logfile <logfile>
           The logfile to log to. By default logging goes to stdout and
           stderr.

       --keyfile <keyfile>
           The key file contains an ASCII hex key with an optional leading
           '0x': 32 hex digits for a 128-bit AES key (aes-cbc or
           aes-128-cbc), or 64 hex digits for a 256-bit AES key
           (aes-256-cbc). This is the key to be used by the TPM emulator for
           encrypting the state of the TPM.

       --keyfile-fd <file descriptor>
           Like --keyfile but the key will be read from the file descriptor.

       --pwdfile <passphrase file>
           The passphrase file contains a passphrase from which the TPM
           emulator will derive the encryption key and then use that key for
           encrypting the TPM state.

       --pwdfile-fd <file descriptor>
           Like --pwdfile but the passphrase will be read from the file
           descriptor.

       --cipher <cipher>
           The cipher may be either aes-cbc or aes-128-cbc for 128 bit AES
           encryption, or aes-256-cbc for 256 bit AES encryption. The same
           cipher must be used on the swtpm command line later on, and a key
           given with --keyfile must have the length that cipher requires.

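       The following is an added example (not part of swtpm or of this man
       page) that shows how to create a state-encryption key whose length
       matches the cipher passed to --cipher, keep it readable by its owner
       only, and then hand the same key and cipher first to swtpm_setup and
       afterwards to swtpm. The swtpm invocation uses the --key
       file=<keyfile>,mode=<mode> syntax of swtpm(8); mapping aes-128-cbc to
       the swtpm mode aes-cbc and the /tmp paths are assumptions.

```sh
#!/bin/sh
# Added example, not part of swtpm: create a state-encryption key whose length
# matches the cipher given to --cipher, keep it readable by the owner only, and
# hand the same key and cipher to swtpm_setup and afterwards to swtpm.
set -eu

# Hex digits a key file must contain for each value accepted by --cipher.
key_hex_digits() {
    case "$1" in
        aes-cbc|aes-128-cbc) echo 32 ;;   # 128-bit key
        aes-256-cbc)         echo 64 ;;   # 256-bit key
        *) echo "unsupported cipher: $1" >&2; return 1 ;;
    esac
}

# Mode name for swtpm's "--key file=<keyfile>,mode=<mode>". Assumption taken
# from swtpm(8), which documents the modes aes-cbc and aes-256-cbc: the
# 128-bit spelling aes-128-cbc accepted by swtpm_setup is mapped to aes-cbc.
swtpm_key_mode() {
    case "$1" in
        aes-cbc|aes-128-cbc) echo aes-cbc ;;
        aes-256-cbc)         echo aes-256-cbc ;;
        *) return 1 ;;
    esac
}

# Write a fresh random key (hex digits, no 0x prefix, no newline) for cipher
# $1 to file $2 with mode 0600.
gen_state_key() {
    cipher="$1" keyfile="$2"
    digits=$(key_hex_digits "$cipher")
    rm -f "$keyfile"            # do not inherit a wider mode from an old file
    ( umask 077
      od -An -N $((digits / 2)) -tx1 /dev/urandom | tr -d ' \n' > "$keyfile" )
}

# Check that $2 holds exactly the hex digits cipher $1 needs and is private to
# its owner. A key that is too short for aes-256-cbc is a typical reason why
# swtpm later refuses to open the state that swtpm_setup produced.
check_state_key() {
    cipher="$1" keyfile="$2"
    digits=$(key_hex_digits "$cipher")
    grep -Eq "^(0x)?[0-9a-fA-F]{${digits}}\$" "$keyfile" || {
        echo "$keyfile: expected $digits hex digits for $cipher" >&2; return 1; }
    [ "$(ls -l "$keyfile" | cut -c5-10)" = "------" ] || {
        echo "$keyfile: must not be group- or world-accessible" >&2; return 1; }
}

# Manufacture an encrypted TPM 2 in $1 and start the emulator with the same key.
setup_encrypted_tpm2() {
    statedir="$1" cipher="$2" keyfile="$3"
    mkdir -p "$statedir"
    swtpm_setup --tpm2 --tpmstate "dir://$statedir" \
        --create-ek-cert --create-platform-cert --lock-nvram \
        --cipher "$cipher" --keyfile "$keyfile" --overwrite
    # Same key and cipher as above, or swtpm cannot decrypt the stored state.
    swtpm socket --tpm2 --tpmstate "dir=$statedir" \
        --key "file=$keyfile,mode=$(swtpm_key_mode "$cipher")" \
        --ctrl "type=unixio,path=$statedir/ctrl.sock" --daemon
}

# Stand-alone run (paths are assumptions): always create and check a key;
# only run swtpm_setup and swtpm when both are installed.
KEYFILE=${KEYFILE:-/tmp/mytpm2.key}
STATEDIR=${STATEDIR:-/tmp/mytpm2}
gen_state_key aes-256-cbc "$KEYFILE"
check_state_key aes-256-cbc "$KEYFILE"
if command -v swtpm_setup >/dev/null 2>&1 && command -v swtpm >/dev/null 2>&1; then
    setup_encrypted_tpm2 "$STATEDIR" aes-256-cbc "$KEYFILE"
fi
```

       check_state_key fails on a 32-digit key used with aes-256-cbc and on a
       key file that is group- or world-accessible; both are caught before
       any TPM state is written rather than when swtpm is started later.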
       --overwrite
           Overwrite existing TPM state. All previous state will be erased.
           If this option is not given and an existing state file is found, an
           error code is returned.

       --not-overwrite
           Do not overwrite existing TPM state. If existing TPM state is
           found, the program ends without an error.

       --vmid <VM ID>
           Optional VM ID that can be used to keep track of certificates
           issued for VMs (or containers). This parameter will be passed
           through to the tool used for creating the certificates and may be
           required by that tool.

       --pcr-banks <PCR banks>
           Optional comma-separated list of PCR banks to activate. Providing
           '-' allows a user to skip the selection and activates all PCR
           banks.  If this option is not provided, the swtpm_setup.conf
           configuration file will be consulted for the active_pcr_banks
           entry. If no such entry is found then the default set of PCR banks
           will be activated.  The default set of PCR banks can be determined
           using the --help option.

       --swtpm_ioctl <executable>
           Pass the path to the swtpm_ioctl executable. By default the
           swtpm_ioctl in the PATH is used.

       --tcsd-system-ps-file <file>
           This option is deprecated and has no effect (since v0.4).

       --rsa-keysize <keysize> (since v0.4)
           This option sets the size of the TPM 2 RSA EK key, such as 2048 or
           3072. The supported key sizes for a TPM 2 can be queried using the
           --print-capabilities option. The default size is 2048 bits for
           both TPM 1.2 and TPM 2. If 'max' is passed, the largest supported
           key size is used.

       --reconfigure (since v0.7)
           This option allows the reconfiguration of the active PCR banks of a
           TPM 2 using the --pcr-banks option.

       --print-capabilities (since v0.2)
           Print capabilities that were added to swtpm_setup after version
           0.1.  The output may contain the following:

               {
                 "type": "swtpm_setup",
                 "features": [
                   "cmdarg-keyfile-fd",
                   "cmdarg-pwdfile-fd",
                   "cmdarg-write-ek-cert-files",
                   "cmdarg-create-config-files",
                   "cmdarg-reconfigure-pcr-banks",
                   "tpm2-rsa-keysize-2048",
                   "tpm2-rsa-keysize-3072",
                   "tpm12-not-need-root",
                   "tpm-1.2",
                   "tpm-2.0"
                 ],
                 "version": "0.7.0"
               }

           The version field is available since v0.7.

           The meaning of the feature verbs is as follows:

           cmdarg-keyfile-fd (since v0.2)
               The --keyfile-fd option is supported.

           cmdarg-pwdfile-fd (since v0.2)
               The --pwdfile-fd option is supported.

           cmdarg-write-ek-cert-files (since v0.7)
               The --write-ek-cert-files option is supported.

           cmdarg-create-config-files (since v0.7)
               The --create-config-files option is supported.

           cmdarg-reconfigure-pcr-banks (since v0.7)
               The --reconfigure option is supported and allows the
               reconfiguration of the active PCR banks.

           tpm2-rsa-keysize-2048, ... (since v0.4)
               The shown RSA key sizes are supported for a TPM 2's EK key. If
               none of the tpm2-rsa-keysize verbs is shown then only RSA 2048
               bit keys are supported.

           tpm12-not-need-root (since v0.4)
               This verb indicates that any user can set up a TPM 1.2.
               Previously only root or the 'tss' user, depending on
               configuration and availability of this account, could do that.

           tpm-1.2 (since v0.7)
               TPM 1.2 setup is supported (libtpms is compiled with TPM 1.2
               support).

           tpm-2.0 (since v0.7)
               TPM 2 setup is supported (libtpms is compiled with TPM 2
               support).

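       The following is an added example (not part of swtpm or of this man
       page) of consuming the --print-capabilities output: it reads the
       feature verbs and derives the swtpm_setup command line from them
       instead of assuming a particular version, refusing to continue when
       the build cannot manufacture a TPM 2, passing --rsa-keysize only when
       a keysize verb is advertised, and preferring --keyfile-fd over
       --keyfile when available. The JSON sample is the v0.7.0 output shown
       above; the key and state paths are assumptions, and the key file is
       assumed to already hold a 64-hex-digit key for aes-256-cbc.

```sh
#!/bin/sh
# Added example, not from the swtpm project: read the feature verbs from
# "swtpm_setup --print-capabilities" and build the command line from them.
set -eu

# Constructed sample: the v0.7.0 output reproduced from the man page, used when
# swtpm_setup is not installed so the functions can be exercised offline.
SAMPLE_CAPS='{
  "type": "swtpm_setup",
  "features": [
    "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", "cmdarg-write-ek-cert-files",
    "cmdarg-create-config-files", "cmdarg-reconfigure-pcr-banks",
    "tpm2-rsa-keysize-2048", "tpm2-rsa-keysize-3072", "tpm12-not-need-root",
    "tpm-1.2", "tpm-2.0"
  ],
  "version": "0.7.0"
}'

# Capabilities JSON: the installed tool's output if available, else the sample.
get_caps() {
    if command -v swtpm_setup >/dev/null 2>&1; then
        swtpm_setup --print-capabilities
    else
        printf '%s\n' "$SAMPLE_CAPS"
    fi
}

# True if feature verb $2 is listed in capabilities JSON $1. Verbs contain no
# JSON metacharacters, so matching the quoted string is enough; no jq needed.
has_feature() {
    case "$1" in
        *"\"$2\""*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Largest N among the tpm2-rsa-keysize-N verbs in $1; 2048 if none is listed
# (the behaviour the man page documents for builds without these verbs).
max_rsa_keysize() {
    best=2048
    for n in $(printf '%s\n' "$1" | grep -o 'tpm2-rsa-keysize-[0-9]*' | sed 's/.*-//' || true); do
        if [ "$n" -gt "$best" ]; then best=$n; fi
    done
    echo "$best"
}

# Print swtpm_setup arguments for an encrypted TPM 2 whose state goes to $3 and
# whose 256-bit key (64 hex digits) is in $2. Fails if TPM 2 is unsupported.
build_setup_args() {
    caps="$1" keyfile="$2" statedir="$3"
    if ! has_feature "$caps" tpm-2.0; then
        echo "this swtpm_setup cannot manufacture a TPM 2" >&2
        return 1
    fi
    args="--tpm2 --tpmstate dir://$statedir --create-ek-cert --create-platform-cert --lock-nvram"
    ks=$(max_rsa_keysize "$caps")
    # --rsa-keysize only exists where a keysize verb is advertised (since v0.4).
    if has_feature "$caps" "tpm2-rsa-keysize-$ks"; then
        args="$args --rsa-keysize $ks"
    fi
    args="$args --cipher aes-256-cbc"
    if has_feature "$caps" cmdarg-keyfile-fd; then
        # Key arrives on fd 3, so no key path shows up in ps output or logs.
        args="$args --keyfile-fd 3"
    else
        args="$args --keyfile $keyfile"
    fi
    echo "$args"
}

# Stand-alone run (KEYFILE and STATEDIR are assumed paths): print the derived
# command, and execute it only if swtpm_setup is installed and the key exists.
KEYFILE=${KEYFILE:-/tmp/mytpm2.key}
STATEDIR=${STATEDIR:-/tmp/mytpm2}
CAPS=$(get_caps)
ARGS=$(build_setup_args "$CAPS" "$KEYFILE" "$STATEDIR")
echo "swtpm_setup $ARGS"
if command -v swtpm_setup >/dev/null 2>&1 && [ -r "$KEYFILE" ]; then
    mkdir -p "$STATEDIR"
    # $ARGS is intentionally word-split; fd 3 is harmless when --keyfile was chosen.
    swtpm_setup $ARGS 3< "$KEYFILE"
fi
```

       With the sample capabilities the derived command uses --keyfile-fd 3
       and --rsa-keysize 3072; fed a JSON that lists only tpm-2.0 it falls
       back to --keyfile with no --rsa-keysize, and one that lists only
       tpm-1.2 makes build_setup_args fail.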
       --write-ek-cert-files <directory> (since v0.7)
           This option causes endorsement key (EK) certificate files to be
           written into the provided directory. The files contain the
           DER-formatted EK certificates that were written into the NVRAM
           locations of the TPM 1.2 or TPM 2. The EK certificate files have
           the filename pattern ek-<key type>.crt. Example filenames are
           ek-rsa2048.crt, ek-rsa3072.crt, and ek-secp384r1.crt.

           The keys that are written for a TPM 2 may change over time as the
           default strength of the EK keys changes. This means that one should
           look for all files with the above filename pattern when looking for
           the EKs.

       --create-config-files [[overwrite][,root][,skip-if-exist]] (since v0.7)
           This option allows a user to create configuration files for
           swtpm_setup and swtpm-localca under the $XDG_CONFIG_HOME or
           $HOME/.config directories.

           The configuration files will not be created if any one of them
           already exists and in this case the program will report the first
           file it finds and exit with an error code.

           The meaning of the options is as follows:

           overwrite
               Overwrite any existing configuration files.

           root
               Create the configuration files even under the root account.
               These configuration files may then shadow any other existing
               configuration files, such as /etc/swtpm-localca.conf for
               example.

           skip-if-exist
               Do nothing if any one of the configuration files that would be
               created already exists. The program will exit without error
               code.

           Note: The case when a user is part of the group that is allowed to
           access the default configuration files' paths is currently not
           handled. On many systems this may be the case when a user is part
           of the 'tss' group. In this case it is recommended that the user
           replace the swtpm-localca.conf created with this command with a
           symbolic link to /etc/swtpm-localca.conf.

       --help, -h
           Display the help screen.


EXAMPLE USAGE

       To simulate manufacturing of a TPM, one would typically run the
       following command:

         #> sudo swtpm_setup --tpmstate /tmp/mytpm1/ \
             --create-ek-cert --create-platform-cert --lock-nvram

       Note: since v0.4 TPM 1.2 setup does not require root rights anymore.

       Any user can also simulate the manufacturing of a TPM using the
       swtpm-localca utility. The following example assumes that the user has
       set the environment variable XDG_CONFIG_HOME as follows (using bash for
       example):

           export XDG_CONFIG_HOME=~/.config

       Note: The XDG_CONFIG_HOME variable is part of the XDG Base Directory
       Specification.

       The following configuration files need to be created:

       ~/.config/swtpm_setup.conf:

           # Program invoked for creating certificates
           create_certs_tool = /usr/share/swtpm/swtpm-localca
           create_certs_tool_config = ${XDG_CONFIG_HOME}/swtpm-localca.conf
           create_certs_tool_options = ${XDG_CONFIG_HOME}/swtpm-localca.options

       ~/.config/swtpm-localca.conf:

           statedir = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca
           signingkey = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/signkey.pem
           issuercert = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/issuercert.pem
           certserial = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/certserial

       ~/.config/swtpm-localca.options:

           --platform-manufacturer Fedora
           --platform-version 2.12
           --platform-model QEMU

       Note: The tool swtpm-create-user-config-files can be used to create
       such files (with different content):

         #> /usr/share/swtpm/swtpm-create-user-config-files
         Writing /home/stefanb/.config/swtpm_setup.conf.
         Writing /home/stefanb/.config/swtpm-localca.conf.
         Writing /home/stefanb/.config/swtpm-localca.options.

       The following commands now create a TPM 2 with an EK and platform
       certificate. The state of the TPM 2 will be stored in the directory
       ${XDG_CONFIG_HOME}/mytpm1.

         #> mkdir -p ${XDG_CONFIG_HOME}/mytpm1
         #> swtpm_setup --tpm2 --tpmstate ${XDG_CONFIG_HOME}/mytpm1 \
             --create-ek-cert --create-platform-cert --lock-nvram


SEE ALSO

       swtpm_setup.conf


REPORTING BUGS

       Report bugs to Stefan Berger <stefanb@linux.ibm.com>



swtpm                             2021-11-09                    swtpm_setup(8)