1tpm2_makecredential(1) General Commands Manual tpm2_makecredential(1)
2
6 tpm2_makecredential(1) - Generate the encrypted-user-chosen-data and
7 the wrapped-secret-data-encryption-key for the privacy-sensitive cre‐
8 dentialing process of a TPM object.
9
11 tpm2_makecredential [OPTIONS]
12
14 tpm2_makecredential(1) - The TPM supports a privacy preserving protocol
15 for distributing credentials for keys on a TPM. The process guarantees
16 that the credentialed-TPM-object(AIK) is loaded on the same TPM as a
17 well-known public-key-object(EK) without knowledge of the specific pub‐
18 lic properties of the credentialed-TPM-object(AIK). The privacy is
19 guaranteed due to the fact that only the name of the creden‐
20 tialed-TPM-object(AIK) is shared and not the credentialed-TPM-object’s
21 public key itself.
22 Make-credential is the first step in this process where in after re‐
24 ceiving the public-key-object(EK) public key of the TPM and the name of
25 the credentialed-TPM-object(AIK), an encrypted-user-chosen-data is gen‐
26 erated and the secret-data-encryption-key is generated and wrapped us‐
27 ing cryptographic processes specific to credential activation that
28 guarantees that the credentialed-TPM-object(AIK) is loaded on the TPM
29 with the well-known public-key-object(EK).
30 tpm2_makecredential can be used to generate the encrypted-user-cho‐
32 sen-data and the wrapped secret-data-encryption-key without a TPM by
33 using the none TCTI option.
34
36 • -e, --encryption-key=FILE:
37 DEPRECATED, use -u or –public instead.
39 • -u, --public=FILE:
41 A TPM public key which was used to wrap the seed. NOTE: This option
43 is same as -e and is added to make it similar with other tools speci‐
44 fying the public key. The old option is retained for backwards com‐
45 patibility.
46 • -G, --key-algorithm=ALGORITHM:
48 The key algorithm associated with TPM public key. Specify either
50 RSA/ ECC. When this option is used, input public key is expected to
51 be in PEM format and the default TCG EK template is used for the key
52 properties.
53 • -s, --secret=FILE or STDIN:
55 The secret which will be protected by the key derived from the random
57 seed. It can be specified as a file or passed from stdin.
58 • -n, --name=FILE:
60 The name of the key for which certificate is to be created.
62 • -o, --credential-blob=FILE:
64 The output file path, recording the encrypted-user-chosen-data and
66 the wrapped secret-data-encryption-key.
67
69 This collection of options are common to many programs and provide in‐
70 formation that many users may expect.
71 • -h, --help=[man|no-man]: Display the tools manpage. By default, it
73 attempts to invoke the manpager for the tool, however, on failure
74 will output a short tool summary. This is the same behavior if the
75 “man” option argument is specified, however if explicit “man” is re‐
76 quested, the tool will provide errors from man on stderr. If the
77 “no-man” option if specified, or the manpager fails, the short op‐
78 tions will be output to stdout.
79 To successfully use the manpages feature requires the manpages to be
81 installed or on MANPATH, See man(1) for more details.
82 • -v, --version: Display version information for this tool, supported
84 tctis and exit.
85 • -V, --verbose: Increase the information that the tool prints to the
87 console during its execution. When using this option the file and
88 line number are printed.
89 • -Q, --quiet: Silence normal tool output to stdout.
91 • -Z, --enable-errata: Enable the application of errata fixups. Useful
93 if an errata fixup needs to be applied to commands sent to the TPM.
94 Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.
95
97 The TCTI or “Transmission Interface” is the communication mechanism
98 with the TPM. TCTIs can be changed for communication with TPMs across
99 different mediums.
100 To control the TCTI, the tools respect:
102 1. The command line option -T or --tcti
104 2. The environment variable: TPM2TOOLS_TCTI.
106 Note: The command line option always overrides the environment vari‐
108 able.
109 The current known TCTIs are:
111 • tabrmd - The resource manager, called tabrmd
113 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
114 abrmd as a tcti name are synonymous.
115 • mssim - Typically used for communicating to the TPM software simula‐
117 tor.
118 • device - Used when talking directly to a TPM device file.
120 • none - Do not initalize a connection with the TPM. Some tools allow
122 for off-tpm options and thus support not using a TCTI. Tools that do
123 not support it will error when attempted to be used without a TCTI
124 connection. Does not support ANY options and MUST BE presented as
125 the exact text of “none”.
126 The arguments to either the command line option or the environment
128 variable are in the form:
129 <tcti-name>:<tcti-option-config>
131 Specifying an empty string for either the <tcti-name> or <tcti-op‐
133 tion-config> results in the default being used for that portion respec‐
134 tively.
135 TCTI Defaults
137 When a TCTI is not specified, the default TCTI is searched for using
138 dlopen(3) semantics. The tools will search for tabrmd, device and
139 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
140 what TCTI will be chosen as the default by using the -v option to print
141 the version information. The “default-tcti” key-value pair will indi‐
142 cate which of the aforementioned TCTIs is the default.
143 Custom TCTIs
145 Any TCTI that implements the dynamic TCTI interface can be loaded. The
146 tools internally use dlopen(3), and the raw tcti-name value is used for
147 the lookup. Thus, this could be a path to the shared library, or a li‐
148 brary name as understood by dlopen(3) semantics.
149
151 This collection of options are used to configure the various known TCTI
152 modules available:
153 • device: For the device TCTI, the TPM character device file for use by
155 the device TCTI can be specified. The default is /dev/tpm0.
156 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI=“de‐
158 vice:/dev/tpm0”
159 • mssim: For the mssim TCTI, the domain name or IP address and port
161 number used by the simulator can be specified. The default are
162 127.0.0.1 and 2321.
163 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
165 TI=“mssim:host=localhost,port=2321”
166 • abrmd: For the abrmd TCTI, the configuration string format is a se‐
168 ries of simple key value pairs separated by a `,' character. Each
169 key and value string are separated by a `=' character.
170 • TCTI abrmd supports two keys:
172 1. `bus_name' : The name of the tabrmd service on the bus (a
174 string).
175 2. `bus_type' : The type of the dbus instance (a string) limited to
177 `session' and `system'.
178 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
180 ample.FooBar:
181 \--tcti=tabrmd:bus_name=com.example.FooBar
183 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
185 sion:
186 \--tcti:bus_type=session
188 NOTE: abrmd and tabrmd are synonymous.
190
192 tpm2 createek -Q -c 0x81010009 -G rsa -u ek.pub
193 tpm2 createak -C 0x81010009 -c ak.ctx -G rsa -g sha256 -s rsassa -u ak.pub \
195 -n ak.name -p akpass> ak.out
196 file_size=`ls -l ak.name | awk {'print $5'}`
198 loaded_key_name=`cat ak.name | xxd -p -c $file_size`
199 tpm2 readpublic -c 0x81010009 -o ek.pem -f pem -Q
201 echo "12345678" | tpm2 makecredential -Q -u ek.pem -s - -n $loaded_key_name \
203 -o mkcred.out -G rsa
204
206 Tools can return any of the following codes:
207 • 0 - Success.
209 • 1 - General non-specific error.
211 • 2 - Options handling error.
213 • 3 - Authentication error.
215 • 4 - TCTI related error.
217 • 5 - Non supported scheme. Applicable to tpm2_testparams.
219
221 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
222
224 See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
225tpm2-tools tpm2_makecredential(1)