tpm2_certifycreation(1)

1tpm2_certifycreation(1)     General Commands Manual    tpm2_certifycreation(1)
2
3
4

6       tpm2_certifycreation(1)  - Attest the association between a loaded pub‐
7       lic area and the provided hash of the creation data.
8

10       tpm2_certifycreation [OPTIONS]
11

13       tpm2_certifycreation(1) - Attest the association between a loaded  pub‐
14       lic area and the provided hash of the creation data.  The creation data
15       and the creation ticket is produced when creating the object.  The  ob‐
16       ject  itself  is  created with either TPM2_CreatePrimary or TPM2_Create
17       commands.
18

20       • -C, --signingkey-context=OBJECT:
21
22         Context object pointing to the key used that signs the attestation.
23
24       • -P, --signingkey-auth_AUTH_:
25
26         Optional authorization value to use for the key specified by -C.
27
28       • -c, --certifiedkey-context=OBJECT:
29
30         Context object pointing to the key that has to be certified.
31
32       • -g, --hash-algorithm=ALGORITHM:
33
34         The hash algorithm used to digest the creation data.
35
36       • -s, --scheme=ALGORITHM:
37
38         The signing scheme used to sign the attestation data.
39
40       • -d, --creation-hash=FILE
41
42         File containing the digest of the creation data.
43
44       • -t, --ticket=FILE:
45
46         The ticket file to validate that the creation data  was  produced  by
47         the TPM.
48
49       • -o, --signature=FILE:
50
51         File  containing the signature of the attestation data for the certi‐
52         fied key.
53
54       • -f, --format=FORMAT:
55
56         Output signature format selection.
57
58       • –attestation=FILE:
59
60         The attestation data of the type TPM2_CREATION_INFO signed with sign‐
61         ing key.
62
63       • -q, --qualification=FILE_OR_HEX:
64
65         Optional, the policy qualifier data that the signer can choose to in‐
66         clude in the signature.  Can either be a path or hex string.
67
68       • --cphash=FILE
69
70         File path to record the hash of the command parameters.  This is com‐
71         monly termed as cpHash.  NOTE: When this option is selected, The tool
72         will not actually execute the command, it simply  returns  a  cpHash,
73         unless rphash is also required.
74
75       • --rphash=FILE
76
77         File  path  to  record  the hash of the response parameters.  This is
78         commonly termed as rpHash.
79
80       • -S, --session=FILE:
81
82         The session created using tpm2_startauthsession.  This can be used to
83         specify  an  auxiliary session for auditing and or encryption/decryp‐
84         tion of the parameters.
85
86   References

88       The type of a context object, whether it is a handle or file  name,  is
89       determined according to the following logic in-order:
90
91       • If the argument is a file path, then the file is loaded as a restored
92         TPM transient object.
93
94       • If the argument is a prefix match on one of:
95
96         • owner: the owner hierarchy
97
98         • platform: the platform hierarchy
99
100         • endorsement: the endorsement hierarchy
101
102         • lockout: the lockout control persistent object
103
104       • If the argument argument can be loaded as a number it will  be  treat
105         as a handle, e.g. 0x81010013 and used directly._OBJECT_.
106

108       Authorization  for  use  of an object in TPM2.0 can come in 3 different
109       forms: 1.  Password 2.  HMAC 3.  Sessions
110
111       NOTE: “Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
112       fied”.
113
114   Passwords
115       Passwords  are  interpreted  in  the following forms below using prefix
116       identifiers.
117
118       Note: By default passwords are assumed to be in the  string  form  when
119       they do not have a prefix.
120
121   String
122       A  string  password,  specified  by  prefix “str:” or it’s absence (raw
123       string without prefix) is not interpreted, and is directly used for au‐
124       thorization.
125
126   Examples
127              foobar
128              str:foobar
129
130   Hex-string
131       A  hex-string  password, specified by prefix “hex:” is converted from a
132       hexidecimal form into a byte array form, thus allowing  passwords  with
133       non-printable and/or terminal un-friendly characters.
134
135   Example
136              hex:0x1122334455667788
137
138   File
139       A  file  based password, specified be prefix “file:” should be the path
140       of a file containing the password to be read by the tool or  a  “-”  to
141       use  stdin.   Storing  passwords in files prevents information leakage,
142       passwords passed as options can be read from the process list or common
143       shell history features.
144
145   Examples
146              # to use stdin and be prompted
147              file:-
148
149              # to use a file from a path
150              file:path/to/password/file
151
152              # to echo a password via stdin:
153              echo foobar | tpm2_tool -p file:-
154
155              # to use a bash here-string via stdin:
156
157              tpm2_tool -p file:- <<< foobar
158
159   Sessions
160       When  using  a policy session to authorize the use of an object, prefix
161       the option argument with the session keyword.  Then indicate a path  to
162       a session file that was created with tpm2_startauthsession(1).  Option‐
163       ally, if the session requires an auth value to be sent with the session
164       handle  (eg policy password), then append a + and a string as described
165       in the Passwords section.
166
167   Examples
168       To use a session context file called session.ctx.
169
170              session:session.ctx
171
172       To use a session context file called session.ctx AND send the authvalue
173       mypassword.
174
175              session:session.ctx+mypassword
176
177       To use a session context file called session.ctx AND send the HEX auth‐
178       value 0x11223344.
179
180              session:session.ctx+hex:11223344
181
182   PCR Authorizations
183       You can satisfy a PCR policy using the “pcr:” prefix and the PCR  mini‐
184       language.       The     PCR     minilanguage     is     as     follows:
185       <pcr-spec>=<raw-pcr-file>
186
187       The PCR spec is documented in in the section “PCR bank specifiers”.
188
189       The raw-pcr-file is an optional argument that contains  the  output  of
190       the raw PCR contents as returned by tpm2_pcrread(1).
191
192       PCR bank specifiers (pcr.md)
193
194   Examples
195       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
196       er of:
197
198              pcr:sha256:0,1,2,3
199
200       specifying AUTH.
201

203       Options that take algorithms support “nice-names”.
204
205       There are two major algorithm specification string classes, simple  and
206       complex.  Only certain algorithms will be accepted by the TPM, based on
207       usage and conditions.
208
209   Simple specifiers
210       These are strings with no additional specification data.  When creating
211       objects,  non-specified  portions of an object are assumed to defaults.
212       You can find the list of known “Simple Specifiers Below”.
213
214   Asymmetric
215       • rsa
216
217       • ecc
218
219   Symmetric
220       • aes
221
222       • camellia
223
224   Hashing Algorithms
225       • sha1
226
227       • sha256
228
229       • sha384
230
231       • sha512
232
233       • sm3_256
234
235       • sha3_256
236
237       • sha3_384
238
239       • sha3_512
240
241   Keyed Hash
242       • hmac
243
244       • xor
245
246   Signing Schemes
247       • rsassa
248
249       • rsapss
250
251       • ecdsa
252
253       • ecdaa
254
255       • ecschnorr
256
257   Asymmetric Encryption Schemes
258       • oaep
259
260       • rsaes
261
262       • ecdh
263
264   Modes
265       • ctr
266
267       • ofb
268
269       • cbc
270
271       • cfb
272
273       • ecb
274
275   Misc
276       • null
277
278   Complex Specifiers
279       Objects, when specified for creation by the TPM,  have  numerous  algo‐
280       rithms  to  populate  in the public data.  Things like type, scheme and
281       asymmetric details, key size, etc.  Below is  the  general  format  for
282       specifying this data: <type>:<scheme>:<symmetric-details>
283
284   Type Specifiers
285       This  portion  of the complex algorithm specifier is required.  The re‐
286       maining scheme and symmetric details will default  based  on  the  type
287       specified and the type of the object being created.
288
289       • aes - Default AES: aes128
290
291       • aes128<mode>  - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
292         If mode is not specified, defaults to null.
293
294       • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
295
296       • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
297
298       • ecc - Elliptical Curve, defaults to ecc256.
299
300       • ecc192 - 192 bit ECC
301
302       • ecc224 - 224 bit ECC
303
304       • ecc256 - 256 bit ECC
305
306       • ecc384 - 384 bit ECC
307
308       • ecc521 - 521 bit ECC
309
310       • rsa - Default RSA: rsa2048
311
312       • rsa1024 - RSA with 1024 bit keysize.
313
314       • rsa2048 - RSA with 2048 bit keysize.
315
316       • rsa4096 - RSA with 4096 bit keysize.
317
318   Scheme Specifiers
319       Next, is an optional field, it can be skipped.
320
321       Schemes are usually Signing Schemes or Asymmetric  Encryption  Schemes.
322       Most signing schemes take a hash algorithm directly following the sign‐
323       ing scheme.  If the hash algorithm is missing, it defaults  to  sha256.
324       Some take no arguments, and some take multiple arguments.
325
326   Hash Optional Scheme Specifiers
327       These  scheme  specifiers are followed by a dash and a valid hash algo‐
328       rithm, For example: oaep-sha256.
329
330       • oaep
331
332       • ecdh
333
334       • rsassa
335
336       • rsapss
337
338       • ecdsa
339
340       • ecschnorr
341
342   Multiple Option Scheme Specifiers
343       This scheme specifier is followed by a count  (max  size  UINT16)  then
344       followed by a dash(-) and a valid hash algorithm.  * ecdaa For example,
345       ecdaa4-sha256.  If no count is specified, it defaults to 4.
346
347   No Option Scheme Specifiers
348       This scheme specifier takes NO arguments.  * rsaes
349
350   Symmetric Details Specifiers
351       This field is optional, and defaults based on the type of object  being
352       created  and it’s attributes.  Generally, any valid Symmetric specifier
353       from the Type Specifiers list should work.  If not specified, an  asym‐
354       metric objects symmetric details defaults to aes128cfb.
355
356   Examples
357   Create an rsa2048 key with an rsaes asymmetric encryption scheme
358       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
359
360   Create  an  ecc256  key  with an ecdaa signing scheme with a count of 4 and
361       sha384 hash
362       /tpm2_create  -C  parent.ctx  -G  ecc256:ecdaa4-sha384  -u  key.pub  -r
363       key.priv cryptographic algorithms ALGORITHM.
364

366       This  collection of options are common to many programs and provide in‐
367       formation that many users may expect.
368
369       • -h, --help=[man|no-man]: Display the tools manpage.  By  default,  it
370         attempts  to  invoke  the  manpager for the tool, however, on failure
371         will output a short tool summary.  This is the same behavior  if  the
372         “man”  option argument is specified, however if explicit “man” is re‐
373         quested, the tool will provide errors from man  on  stderr.   If  the
374         “no-man”  option  if  specified, or the manpager fails, the short op‐
375         tions will be output to stdout.
376
377         To successfully use the manpages feature requires the manpages to  be
378         installed or on MANPATH, See man(1) for more details.
379
380       • -v,  --version:  Display version information for this tool, supported
381         tctis and exit.
382
383       • -V, --verbose: Increase the information that the tool prints  to  the
384         console  during  its  execution.  When using this option the file and
385         line number are printed.
386
387       • -Q, --quiet: Silence normal tool output to stdout.
388
389       • -Z, --enable-errata: Enable the application of errata fixups.  Useful
390         if  an  errata fixup needs to be applied to commands sent to the TPM.
391         Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.   in‐
392         formation many users may expect.
393

395       The  TCTI  or  “Transmission  Interface” is the communication mechanism
396       with the TPM.  TCTIs can be changed for communication with TPMs  across
397       different mediums.
398
399       To control the TCTI, the tools respect:
400
401       1. The command line option -T or --tcti
402
403       2. The environment variable: TPM2TOOLS_TCTI.
404
405       Note:  The  command  line option always overrides the environment vari‐
406       able.
407
408       The current known TCTIs are:
409
410       • tabrmd     -     The     resource     manager,     called      tabrmd
411         (https://github.com/tpm2-software/tpm2-abrmd).   Note that tabrmd and
412         abrmd as a tcti name are synonymous.
413
414       • mssim - Typically used for communicating to the TPM software  simula‐
415         tor.
416
417       • device - Used when talking directly to a TPM device file.
418
419       • none  - Do not initalize a connection with the TPM.  Some tools allow
420         for off-tpm options and thus support not using a TCTI.  Tools that do
421         not  support  it  will error when attempted to be used without a TCTI
422         connection.  Does not support ANY options and MUST  BE  presented  as
423         the exact text of “none”.
424
425       The  arguments  to  either  the  command line option or the environment
426       variable are in the form:
427
428       <tcti-name>:<tcti-option-config>
429
430       Specifying an empty string for  either  the  <tcti-name>  or  <tcti-op‐
431       tion-config> results in the default being used for that portion respec‐
432       tively.
433
434   TCTI Defaults
435       When a TCTI is not specified, the default TCTI is  searched  for  using
436       dlopen(3)  semantics.   The  tools  will  search for tabrmd, device and
437       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You  can  query
438       what TCTI will be chosen as the default by using the -v option to print
439       the version information.  The “default-tcti” key-value pair will  indi‐
440       cate which of the aforementioned TCTIs is the default.
441
442   Custom TCTIs
443       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
444       tools internally use dlopen(3), and the raw tcti-name value is used for
445       the lookup.  Thus, this could be a path to the shared library, or a li‐
446       brary name as understood by dlopen(3) semantics.
447

449       This collection of options are used to configure the various known TCTI
450       modules available:
451
452       • device: For the device TCTI, the TPM character device file for use by
453         the device TCTI can be specified.  The default is /dev/tpm0.
454
455         Example:   -T   device:/dev/tpm0   or   export    TPM2TOOLS_TCTI=“de‐
456         vice:/dev/tpm0”
457
458       • mssim:  For  the  mssim  TCTI, the domain name or IP address and port
459         number used by the simulator  can  be  specified.   The  default  are
460         127.0.0.1 and 2321.
461
462         Example:  -T  mssim:host=localhost,port=2321  or export TPM2TOOLS_TC‐
463         TI=“mssim:host=localhost,port=2321”
464
465       • abrmd: For the abrmd TCTI, the configuration string format is  a  se‐
466         ries  of  simple  key value pairs separated by a `,' character.  Each
467         key and value string are separated by a `=' character.
468
469         • TCTI abrmd supports two keys:
470
471           1. `bus_name' : The name of  the  tabrmd  service  on  the  bus  (a
472              string).
473
474           2. `bus_type' : The type of the dbus instance (a string) limited to
475              `session' and `system'.
476
477         Specify the tabrmd tcti name and a config string of  bus_name=com.ex‐
478         ample.FooBar:
479
480                \--tcti=tabrmd:bus_name=com.example.FooBar
481
482         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
483         sion:
484
485                \--tcti:bus_type=session
486
487         NOTE: abrmd and tabrmd are synonymous.  the various known  TCTI  mod‐
488         ules.  # Signature Format Specifiers
489
490       Format selection for the signature output file.  tss (the default) will
491       output a binary blob according to the TPM 2.0 specification and any po‐
492       tential  compiler padding.  The option plain will output the plain sig‐
493       nature data as defined by the used cryptographic algorithm.
494

496   Certify creation data of a primary key.
497              tpm2_createprimary -C o -c prim.ctx --creation-data create.dat \
498              -d create.dig -t create.ticket
499
500              tpm2_create -G rsa -u rsa.pub -r rsa.priv -C prim.ctx -c signing_key.ctx
501
502              tpm2_certifycreation -C signing_key.ctx -c prim.ctx -d create.dig \
503              -t create.ticket -g sha256 -o sig.nature --attestation attestat.ion -f plain \
504              -s rsassa
505

507       Tools can return any of the following codes:
508
509       • 0 - Success.
510
511       • 1 - General non-specific error.
512
513       • 2 - Options handling error.
514
515       • 3 - Authentication error.
516
517       • 4 - TCTI related error.
518
519       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
520

522       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
523

525       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
526
527
528
529tpm2-tools                                             tpm2_certifycreation(1)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Context Object Format

Authorization Formatting

Algorithm Specifiers

COMMON OPTIONS

TCTI Configuration

TCTI OPTIONS

EXAMPLES

Returns

BUGS

HELP