tpm2_createek(1)            General Commands Manual           tpm2_createek(1)

NAME

       tpm2_createek(1) - Generate TCG profile compliant endorsement key.


SYNOPSIS

       tpm2_createek [OPTIONS]


DESCRIPTION

       tpm2_createek(1) - Generate a TCG profile compliant endorsement key (EK),
       which is the primary object of the endorsement hierarchy.

       If a transient object is generated, the tool outputs a context file
       specified with -c.

       Refer to:
       <http://www.trustedcomputinggroup.org/files/static_page_files/7CAA5687-1A4B-B294-D04080D058E86C5F>


OPTIONS

       -P, --eh-auth=AUTH:

         The authorization value for the endorsement hierarchy.

       -w, --owner-auth=AUTH:

         The authorization value for the owner hierarchy.

       -c, --ek-context=OBJECT or FILE:

         Either a file path or a persistent handle value to save the
         endorsement key.

         If a value of - is passed, the tool will find a vacant persistent
         handle to use and print out the automatically selected handle.

         If one saves the context file via this option and the public key via
         the -u option, the EK can be restored via a call to
         tpm2_loadexternal(1).

       -G, --key-algorithm=ALGORITHM:

         The endorsement key algorithm.  Supports:

         • ecc - A P256 key.

         • rsa - An RSA2048 key.

         • keyedhash - An HMAC key.

       -u, --public=FILE:

         The optional input for a file to save the public portion of the
         endorsement key.

       -t, --template:

         The optional manufacturer defined endorsement key template and nonce
         from fixed NV Indices to populate the TPM2B_PUBLIC public area.  See
         the TCG EK Credential Profile specification for more information:
         https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_Credential_Profile_EK_V2.1_R13.pdf

       -f, --format:

         Format selection for the public key output file.  `tss' (the default)
         will output a binary blob according to the TPM 2.0 Specification.
         `pem' will output an OpenSSL compatible PEM encoded public key.
         `der' will output an OpenSSL compatible DER encoded public key.
         `tpmt' will output a binary blob of the TPMT_PUBLIC struct referenced
         by TPM 2.0 specs.

   References

Context Object Format

       The type of a context object, whether it is a handle or file name, is
       determined according to the following logic in-order:

       • If the argument is a file path, then the file is loaded as a restored
         TPM transient object.

       • If the argument is a prefix match on one of:

         • owner: the owner hierarchy

         • platform: the platform hierarchy

         • endorsement: the endorsement hierarchy

         • lockout: the lockout control persistent object

       • If the argument can be loaded as a number, it will be treated as a
         handle, e.g. 0x81010013, and used directly.

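       The three in-order rules above, as an added example that is not part of
       tpm2-tools: a hypothetical Python helper written for this page that
       classifies a context-object argument the same way.  file_exists is
       injectable so the rules can be exercised without a real filesystem.

```python
import os
from typing import Callable, Tuple, Union

# Hypothetical helper written for this page, not tpm2-tools code. It applies
# the three rules from the Context Object Format section in the order the man
# page gives them: existing file path, hierarchy keyword prefix, numeric handle.
HIERARCHIES = ("owner", "platform", "endorsement", "lockout")


def resolve_context_object(arg: str, file_exists: Callable[[str], bool] = os.path.isfile
                           ) -> Tuple[str, Union[str, int]]:
    """Return ("file", path), ("hierarchy", name) or ("handle", number).

    file_exists is injectable so the rules can be exercised against
    constructed inputs without touching the real filesystem.
    """
    if not arg:
        raise ValueError("empty context object argument")
    # Rule 1: a file path is loaded as a restored TPM transient object. This
    # rule is checked first, so a file named e.g. "owner" in the working
    # directory shadows the hierarchy keyword of the same name.
    if file_exists(arg):
        return ("file", arg)
    # Rule 2: a prefix match on a hierarchy keyword ("o" selects owner, as in
    # the tpm2_loadexternal -C o example). The keywords start with distinct
    # letters, so a non-empty prefix never matches more than one of them.
    matches = [name for name in HIERARCHIES if name.startswith(arg)]
    if matches:
        return ("hierarchy", matches[0])
    # Rule 3: anything that parses as a number (e.g. 0x81010013) is used
    # directly as a handle; TPM handles are 32-bit values.
    try:
        handle = int(arg, 0)
    except ValueError:
        raise ValueError(f"{arg!r} is not a file, hierarchy or handle") from None
    if not 0 <= handle <= 0xFFFFFFFF:
        raise ValueError(f"{arg!r} does not fit in a 32-bit TPM handle")
    return ("handle", handle)
```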

Authorization Formatting

       Authorization for use of an object in TPM2.0 can come in 3 different
       forms:

       1. Password

       2. HMAC

       3. Sessions

       NOTE: “Authorizations default to the EMPTY PASSWORD when not
       specified”.

   Passwords
       Passwords are interpreted in the following forms below using prefix
       identifiers.

       Note: By default passwords are assumed to be in the string form when
       they do not have a prefix.

   String
       A string password, specified by prefix “str:” or its absence (raw
       string without prefix), is not interpreted, and is directly used for
       authorization.

   Examples
              foobar
              str:foobar

   Hex-string
       A hex-string password, specified by prefix “hex:”, is converted from a
       hexadecimal form into a byte array form, thus allowing passwords with
       non-printable and/or terminal un-friendly characters.

   Example
              hex:0x1122334455667788

   File
       A file based password, specified by prefix “file:”, should be the path
       of a file containing the password to be read by the tool or a “-” to
       use stdin.  Storing passwords in files prevents information leakage;
       passwords passed as options can be read from the process list or common
       shell history features.

   Examples
              # to use stdin and be prompted
              file:-

              # to use a file from a path
              file:path/to/password/file

              # to echo a password via stdin:
              echo foobar | tpm2_tool -p file:-

              # to use a bash here-string via stdin:
              tpm2_tool -p file:- <<< foobar

   Sessions
       When using a policy session to authorize the use of an object, prefix
       the option argument with the session keyword.  Then indicate a path to
       a session file that was created with tpm2_startauthsession(1).
       Optionally, if the session requires an auth value to be sent with the
       session handle (e.g. policy password), then append a + and a string as
       described in the Passwords section.

   Examples
       To use a session context file called session.ctx:

              session:session.ctx

       To use a session context file called session.ctx AND send the authvalue
       mypassword:

              session:session.ctx+mypassword

       To use a session context file called session.ctx AND send the HEX
       authvalue 0x11223344:

              session:session.ctx+hex:11223344

   PCR Authorizations
       You can satisfy a PCR policy using the “pcr:” prefix and the PCR
       minilanguage.  The PCR minilanguage is as follows:

              <pcr-spec>=<raw-pcr-file>

       The PCR spec is documented in the section “PCR bank specifiers”.

       The raw-pcr-file is an optional argument that contains the output of
       the raw PCR contents as returned by tpm2_pcrread(1).

       PCR bank specifiers (pcr.md)

   Examples
       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a
       specifier of:

              pcr:sha256:0,1,2,3

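       The AUTH prefixes described in this section (str:, hex:, file:,
       session:<file>[+<password>] and pcr:<spec>[=<file>]), as an added
       example that is not tpm2-tools code: a hypothetical Python parser
       written for this page.  read_file is injectable so file: arguments can
       be exercised with constructed input; trimming a trailing newline from a
       password file is an assumption of this example, not something the man
       page states.

```python
import sys
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical parser written for this page, not tpm2-tools code. It turns an
# AUTH option argument into a structured value using the prefixes the man page
# defines: str:, hex:, file:, session:<file>[+<password>] and pcr:<spec>[=<file>].
# An empty argument yields the empty password, matching the NOTE above.


@dataclass
class Auth:
    kind: str                       # "password", "session" or "pcr"
    value: bytes = b""              # password bytes (for a session, its +auth)
    path: Optional[str] = None      # session context file or raw PCR file
    pcr_spec: Optional[str] = None  # e.g. "sha256:0,1,2,3"


def _read_password_file(path: str) -> bytes:
    # "file:-" reads from stdin; anything else is a path. Trimming the trailing
    # newline is this example's assumption, not something the man page states.
    if path == "-":
        return sys.stdin.buffer.readline().rstrip(b"\r\n")
    with open(path, "rb") as f:
        return f.read().rstrip(b"\r\n")


def parse_password(spec: str, read_file: Callable[[str], bytes] = _read_password_file) -> bytes:
    """A password without a prefix is taken as a raw string."""
    if spec.startswith("str:"):
        return spec[4:].encode()
    if spec.startswith("hex:"):
        digits = spec[4:]
        if digits[:2].lower() == "0x":  # the page shows both hex:0x.. and hex:..
            digits = digits[2:]
        return bytes.fromhex(digits)
    if spec.startswith("file:"):
        return read_file(spec[5:])
    return spec.encode()


def parse_auth(spec: str, read_file: Callable[[str], bytes] = _read_password_file) -> Auth:
    if spec.startswith("session:"):
        # "+<password>" after the session file sends an auth value with the
        # session handle; the password part uses the same prefixes as above.
        path, plus, pw = spec[len("session:"):].partition("+")
        if not path:
            raise ValueError("session: needs a session context file")
        return Auth("session", parse_password(pw, read_file) if plus else b"", path)
    if spec.startswith("pcr:"):
        pcr_spec, _, raw_file = spec[4:].partition("=")
        if not pcr_spec:
            raise ValueError("pcr: needs a PCR specifier such as sha256:0,1,2,3")
        return Auth("pcr", path=raw_file or None, pcr_spec=pcr_spec)
    return Auth("password", parse_password(spec, read_file))
```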

Algorithm Specifiers

       Options that take algorithms support “nice-names”.

       There are two major algorithm specification string classes, simple and
       complex.  Only certain algorithms will be accepted by the TPM, based on
       usage and conditions.

   Simple specifiers
       These are strings with no additional specification data.  When creating
       objects, non-specified portions of an object are assumed to defaults.
       You can find the list of known “Simple Specifiers Below”.

   Asymmetric
       • rsa

       • ecc

   Symmetric
       • aes

       • camellia

   Hashing Algorithms
       • sha1

       • sha256

       • sha384

       • sha512

       • sm3_256

       • sha3_256

       • sha3_384

       • sha3_512

   Keyed Hash
       • hmac

       • xor

   Signing Schemes
       • rsassa

       • rsapss

       • ecdsa

       • ecdaa

       • ecschnorr

   Asymmetric Encryption Schemes
       • oaep

       • rsaes

       • ecdh

   Modes
       • ctr

       • ofb

       • cbc

       • cfb

       • ecb

   Misc
       • null

   Complex Specifiers
       Objects, when specified for creation by the TPM, have numerous
       algorithms to populate in the public data.  Things like type, scheme
       and asymmetric details, key size, etc.  Below is the general format for
       specifying this data:

              <type>:<scheme>:<symmetric-details>

   Type Specifiers
       This portion of the complex algorithm specifier is required.  The
       remaining scheme and symmetric details will default based on the type
       specified and the type of the object being created.

       • aes - Default AES: aes128

       • aes128<mode> - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
         If mode is not specified, defaults to null.

       • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.

       • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.

       • ecc - Elliptic Curve, defaults to ecc256.

       • ecc192 - 192 bit ECC

       • ecc224 - 224 bit ECC

       • ecc256 - 256 bit ECC

       • ecc384 - 384 bit ECC

       • ecc521 - 521 bit ECC

       • rsa - Default RSA: rsa2048

       • rsa1024 - RSA with 1024 bit keysize.

       • rsa2048 - RSA with 2048 bit keysize.

       • rsa4096 - RSA with 4096 bit keysize.

   Scheme Specifiers
       Next is an optional field; it can be skipped.

       Schemes are usually Signing Schemes or Asymmetric Encryption Schemes.
       Most signing schemes take a hash algorithm directly following the
       signing scheme.  If the hash algorithm is missing, it defaults to
       sha256.  Some take no arguments, and some take multiple arguments.

   Hash Optional Scheme Specifiers
       These scheme specifiers are followed by a dash and a valid hash
       algorithm, for example: oaep-sha256.

       • oaep

       • ecdh

       • rsassa

       • rsapss

       • ecdsa

       • ecschnorr

   Multiple Option Scheme Specifiers
       This scheme specifier is followed by a count (max size UINT16) then
       followed by a dash (-) and a valid hash algorithm.  For example,
       ecdaa4-sha256.  If no count is specified, it defaults to 4.

       • ecdaa

   No Option Scheme Specifiers
       This scheme specifier takes NO arguments.

       • rsaes

   Symmetric Details Specifiers
       This field is optional, and defaults based on the type of object being
       created and its attributes.  Generally, any valid Symmetric specifier
       from the Type Specifiers list should work.  If not specified, an
       asymmetric object's symmetric details default to aes128cfb.

   Examples
   Create an rsa2048 key with an rsaes asymmetric encryption scheme
              tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv

   Create an ecc256 key with an ecdaa signing scheme with a count of 4 and
   sha384 hash
              tpm2_create -C parent.ctx -G ecc256:ecdaa4-sha384 -u key.pub -r key.priv

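       The <type>:<scheme>:<symmetric-details> grammar and the defaults stated
       in this section, as an added example that is not tpm2-tools code: a
       hypothetical Python parser written for this page.  It handles the
       general form (any listed type, scheme and symmetric detail), not only
       the two tpm2_create examples above; whether the TPM accepts a parsed
       combination is a separate question the parser does not answer.

```python
import re
from typing import Dict

# Hypothetical parser written for this page, not tpm2-tools code. It applies the
# <type>:<scheme>:<symmetric-details> grammar and the defaults this section
# states: sha256 when a scheme omits its hash, ecdaa count 4, mode null for a
# bare aesNNN, and aes128cfb symmetric details for an asymmetric object.
HASHES = {"sha1", "sha256", "sha384", "sha512", "sm3_256", "sha3_256", "sha3_384", "sha3_512"}
HASH_SCHEMES = {"oaep", "ecdh", "rsassa", "rsapss", "ecdsa", "ecschnorr"}
DEFAULT_BITS = {"aes": 128, "ecc": 256, "rsa": 2048}
VALID_BITS = {"aes": {128, 192, 256}, "ecc": {192, 224, 256, 384, 521}, "rsa": {1024, 2048, 4096}}


def parse_type(text: str) -> Dict[str, object]:
    """Type field: aes[bits][mode], ecc[bits] or rsa[bits]; a mode only applies to aes."""
    m = re.fullmatch(r"(aes|ecc|rsa)(\d+)?(ctr|ofb|cbc|cfb|ecb)?", text)
    if not m or (m.group(3) and m.group(1) != "aes"):
        raise ValueError(f"bad type specifier {text!r}")
    kind, bits = m.group(1), int(m.group(2)) if m.group(2) else DEFAULT_BITS[m.group(1)]
    if bits not in VALID_BITS[kind]:
        raise ValueError(f"{bits}-bit {kind} is not a listed key size")
    return {"kind": kind, "bits": bits, "mode": (m.group(3) or "null") if kind == "aes" else None}


def parse_scheme(text: str) -> Dict[str, object]:
    """Scheme field: rsaes (no arguments), ecdaa[count][-hash], or <hash-scheme>[-hash]."""
    name, _, hash_ = text.partition("-")
    if name == "rsaes":
        if hash_:
            raise ValueError("rsaes takes no arguments")
        return {"scheme": "rsaes"}
    if hash_ and hash_ not in HASHES:
        raise ValueError(f"unknown hash {hash_!r}")
    hash_ = hash_ or "sha256"          # default when the hash is omitted
    m = re.fullmatch(r"ecdaa(\d*)", name)
    if m:
        count = int(m.group(1)) if m.group(1) else 4
        if not 0 < count <= 0xFFFF:    # the count is a UINT16
            raise ValueError("ecdaa count out of range")
        return {"scheme": "ecdaa", "hash": hash_, "count": count}
    if name in HASH_SCHEMES:
        return {"scheme": name, "hash": hash_}
    raise ValueError(f"unknown scheme {name!r}")


def parse_alg(spec: str) -> Dict[str, object]:
    """Full specifier; the scheme and symmetric-details fields may be empty or absent."""
    parts = spec.split(":")
    if len(parts) > 3:
        raise ValueError("at most three colon-separated fields are allowed")
    out = parse_type(parts[0])
    if len(parts) > 1 and parts[1]:
        out.update(parse_scheme(parts[1]))
    if out["kind"] != "aes":           # asymmetric objects carry symmetric details
        sym = parse_type(parts[2] if len(parts) > 2 and parts[2] else "aes128cfb")
        if sym["kind"] != "aes":
            raise ValueError("symmetric details must be an aes specifier")
        out["symmetric"] = f"aes{sym['bits']}{sym['mode']}"
    return out
```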

COMMON OPTIONS

       This collection of options are common to many programs and provide
       information that many users may expect.

       -h, --help=[man|no-man]: Display the tools manpage.  By default, it
         attempts to invoke the manpager for the tool, however, on failure
         will output a short tool summary.  This is the same behavior if the
         “man” option argument is specified, however if explicit “man” is
         requested, the tool will provide errors from man on stderr.  If the
         “no-man” option is specified, or the manpager fails, the short
         options will be output to stdout.

         To successfully use the manpages feature requires the manpages to be
         installed or on MANPATH.  See man(1) for more details.

       -v, --version: Display version information for this tool, supported
         tctis and exit.

       -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       -Q, --quiet: Silence normal tool output to stdout.

       -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.
         Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
         equivalent.


TCTI Configuration

       The TCTI or “Transmission Interface” is the communication mechanism
       with the TPM.  TCTIs can be changed for communication with TPMs across
       different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       • tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd and
         abrmd as a tcti name are synonymous.

       • mssim - Typically used for communicating to the TPM software
         simulator.

       • device - Used when talking directly to a TPM device file.

       • none - Do not initialize a connection with the TPM.  Some tools allow
         for off-tpm options and thus support not using a TCTI.  Tools that do
         not support it will error when attempted to be used without a TCTI
         connection.  Does not support ANY options and MUST BE presented as
         the exact text of “none”.

       The arguments to either the command line option or the environment
       variable are in the form:

              <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or
       <tcti-option-config> results in the default being used for that
       portion respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for using
       dlopen(3) semantics.  The tools will search for tabrmd, device and
       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
       what TCTI will be chosen as the default by using the -v option to print
       the version information.  The “default-tcti” key-value pair will
       indicate which of the aforementioned TCTIs is the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
       tools internally use dlopen(3), and the raw tcti-name value is used for
       the lookup.  Thus, this could be a path to the shared library, or a
       library name as understood by dlopen(3) semantics.


TCTI OPTIONS

       This collection of options are used to configure the various known TCTI
       modules available:

       device: For the device TCTI, the TPM character device file for use by
         the device TCTI can be specified.  The default is /dev/tpm0.

         Example: -T device:/dev/tpm0 or
         export TPM2TOOLS_TCTI="device:/dev/tpm0"

       mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified.  The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or
         export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       abrmd: For the abrmd TCTI, the configuration string format is a
         series of simple key value pairs separated by a `,' character.  Each
         key and value string are separated by a `=' character.

         • TCTI abrmd supports two keys:

           1. `bus_name' : The name of the tabrmd service on the bus (a
              string).

           2. `bus_type' : The type of the dbus instance (a string) limited to
              `session' and `system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

                --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti and a config string of
         bus_type=session:

                --tcti:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.


EXAMPLES

   Create an Endorsement Key and make it persistent
              tpm2_createek -P abc123 -w abc123 -c 0x81010001 -G rsa -u ek.pub

   Create a transient Endorsement Key, flush it, and reload it.
              tpm2_createek -G rsa -u ek.pub

              # Check that it is loaded in transient memory
              tpm2_getcap handles-transient
              - 0x80000000

              # Flush the handle
              tpm2_flushcontext 0x80000000

              # Note that it is flushed
              tpm2_getcap handles-transient
              <null output>

              # Reload it via loadexternal
              tpm2_loadexternal -C o -u ek.pub -c ek.ctx

              # Check that it is re-loaded in transient memory
              tpm2_getcap handles-transient
              - 0x80000000


Returns

       Tools can return any of the following codes:

       • 0 - Success.

       • 1 - General non-specific error.

       • 2 - Options handling error.

       • 3 - Authentication error.

       • 4 - TCTI related error.

       • 5 - Non supported scheme.  Applicable to tpm2_testparams.


BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)


HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)

tpm2-tools                                                    tpm2_createek(1)