tpm2_makecredential(1)         General Commands Manual        tpm2_makecredential(1)

NAME
       tpm2_makecredential(1) - Generate the encrypted-user-chosen-data and
       the wrapped-secret-data-encryption-key for the privacy-sensitive
       credentialing process of a TPM object.

SYNOPSIS
       tpm2_makecredential [OPTIONS]

DESCRIPTION
       tpm2_makecredential(1) - The TPM supports a privacy-preserving
       protocol for distributing credentials for keys on a TPM. The process
       guarantees that the credentialed TPM object (AIK) is loaded on the
       same TPM as a well-known public-key object (EK), without knowledge of
       the specific public properties of the credentialed TPM object (AIK).
       Privacy is preserved because only the name of the credentialed TPM
       object (AIK) is shared, never its public key.

       Make-credential is the first step in this process. After receiving
       the public key of the TPM's public-key object (EK) and the name of
       the credentialed TPM object (AIK), an encrypted-user-chosen-data is
       generated, and a secret-data-encryption-key is generated and wrapped
       using the cryptographic processes specific to credential activation.
       These guarantee that the credentialed TPM object (AIK) is loaded on
       the TPM holding the well-known public-key object (EK).

       tpm2_makecredential can be used to generate the
       encrypted-user-chosen-data and the wrapped secret-data-encryption-key
       without a TPM by using the none TCTI option.

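       The description above names the two outputs but not how they are
       derived. The following is an added worked example, not tpm2-tools'
       own code, of the credential-protection construction as specified in
       TPM 2.0 Library Part 1 (Credential Protection): the seed is wrapped
       with RSA-OAEP under the EK, a symmetric key and an HMAC key are
       derived from the seed with KDFa, and the symmetric key is bound to
       the AK name so that only the TPM holding both the EK private key and
       an object with that exact name can recover the secret. It assumes
       the default TCG RSA-2048/SHA-256/AES-128-CFB EK template and the
       third-party Python 'cryptography' package; the EK and the AK name
       are constructed sample data, and the file layout that -o writes is
       not reproduced.

```python
"""Added example: the credential-protection construction behind
tpm2_makecredential, following TPM 2.0 Library Part 1, section 24.
Illustration code, not tpm2-tools' own implementation. Assumes the default
TCG RSA-2048 / SHA-256 / AES-128-CFB EK template and the third-party
'cryptography' package. The EK and AK name below are constructed sample data."""
import hashlib
import hmac
import os
import struct

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

TPM_ALG_SHA256 = 0x000B   # nameAlg identifier that prefixes a TPM name
SYM_KEY_BITS = 128        # AES-128, the default EK template's symmetric key
HASH_BITS = 256           # digest size of the EK nameAlg (SHA-256)

# OAEP under the EK with the label "IDENTITY" plus its terminating NUL byte.
_OAEP_IDENTITY = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                              algorithm=hashes.SHA256(), label=b"IDENTITY\x00")


def kdfa(key: bytes, label: bytes, ctx_u: bytes, ctx_v: bytes, bits: int) -> bytes:
    """KDFa: SP800-108 counter-mode KDF with HMAC-SHA256 as the PRF.
    The label is followed by a zero byte, as the TPM spec requires."""
    out = b""
    counter = 1
    while len(out) * 8 < bits:
        msg = (struct.pack(">I", counter) + label + b"\x00"
               + ctx_u + ctx_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[: bits // 8]


def make_credential(ek_pub, ak_name: bytes, secret: bytes):
    """Return (credential_blob, encrypted_seed): the encrypted-user-chosen-data
    and the wrapped secret-data-encryption-key that -o records."""
    seed = os.urandom(HASH_BITS // 8)           # seed size = EK nameAlg digest size
    enc_seed = ek_pub.encrypt(seed, _OAEP_IDENTITY)
    # The symmetric key is bound to the AK *name* through KDFa's contextU.
    sym_key = kdfa(seed, b"STORAGE", ak_name, b"", SYM_KEY_BITS)
    cred = struct.pack(">H", len(secret)) + secret      # marshalled TPM2B_DIGEST
    enc = Cipher(algorithms.AES(sym_key), modes.CFB(b"\x00" * 16)).encryptor()
    enc_identity = enc.update(cred) + enc.finalize()
    hmac_key = kdfa(seed, b"INTEGRITY", b"", b"", HASH_BITS)
    mac = hmac.new(hmac_key, enc_identity + ak_name, hashlib.sha256).digest()
    blob = struct.pack(">H", len(mac)) + mac + enc_identity  # TPMS_ID_OBJECT layout
    return blob, enc_seed


def activate_credential(ek_priv, ak_name: bytes, blob: bytes, enc_seed: bytes):
    """The check TPM2_ActivateCredential performs on the TPM side: returns the
    secret, or None when the presented name does not match (integrity HMAC fails)."""
    seed = ek_priv.decrypt(enc_seed, _OAEP_IDENTITY)
    mac_len = struct.unpack(">H", blob[:2])[0]
    mac, enc_identity = blob[2:2 + mac_len], blob[2 + mac_len:]
    hmac_key = kdfa(seed, b"INTEGRITY", b"", b"", HASH_BITS)
    expect = hmac.new(hmac_key, enc_identity + ak_name, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect):
        return None
    sym_key = kdfa(seed, b"STORAGE", ak_name, b"", SYM_KEY_BITS)
    dec = Cipher(algorithms.AES(sym_key), modes.CFB(b"\x00" * 16)).decryptor()
    cred = dec.update(enc_identity) + dec.finalize()
    size = struct.unpack(">H", cred[:2])[0]
    return cred[2:2 + size]


def constructed_name(public_area: bytes) -> bytes:
    """A TPM name is nameAlg (2 bytes, big-endian) || hash(marshalled public area).
    The public area here is constructed sample bytes, not a real TPMT_PUBLIC."""
    return struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(public_area).digest()


def demo():
    """Round trip with the right name, and the failure with a different name."""
    ek = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # constructed EK
    ak_name = constructed_name(b"constructed AK public area")
    blob, enc_seed = make_credential(ek.public_key(), ak_name, b"12345678")
    recovered = activate_credential(ek, ak_name, blob, enc_seed)
    # A different name (another object, or another TPM) fails the integrity HMAC.
    other = activate_credential(ek, constructed_name(b"some other object"), blob, enc_seed)
    return recovered, other


if __name__ == "__main__":
    print(demo())
```

       The activation half is included only to show why the name binding
       matters: the HMAC key and the symmetric key both descend from a seed
       that only the EK private key can unwrap, and the symmetric key
       additionally mixes in the name, so a credential made for one AK name
       is useless for any other object.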
OPTIONS
       • -e, --encryption-key=FILE:

         DEPRECATED, use -u or --public instead.

       • -u, --public=FILE:

         The TPM public key which is used to wrap the seed. NOTE: This
         option is the same as -e and was added to match the way other
         tools specify the public key. The old option is retained for
         backwards compatibility.

       • -G, --key-algorithm=ALGORITHM:

         The key algorithm associated with the TPM public key. Specify
         either rsa or ecc. When this option is used, the input public key
         is expected to be in PEM format and the default TCG EK template is
         used for the key properties.

       • -s, --secret=FILE or STDIN:

         The secret which will be protected by the key derived from the
         random seed. It can be specified as a file or passed from stdin.

       • -n, --name=FILE:

         The name of the key for which the certificate is to be created.

       • -o, --credential-blob=FILE:

         The output file path, recording the encrypted-user-chosen-data and
         the wrapped secret-data-encryption-key.

COMMON OPTIONS
       This collection of options is common to many programs and provides
       information that many users may expect.

       • -h, --help=[man|no-man]: Display the tool's manpage. By default,
         it attempts to invoke the manpager for the tool; on failure it
         will output a short tool summary. This is the same behavior as
         when the "man" option argument is specified, except that if "man"
         is explicitly requested, the tool will report errors from man on
         stderr. If the "no-man" option is specified, or the manpager
         fails, the short options will be output to stdout.

         To successfully use the manpages feature requires the manpages to
         be installed or on MANPATH. See man(1) for more details.

       • -v, --version: Display version information for this tool,
         supported tctis and exit.

       • -V, --verbose: Increase the information that the tool prints to
         the console during its execution. When using this option the file
         and line number are printed.

       • -Q, --quiet: Silence normal tool output to stdout.

       • -Z, --enable-errata: Enable the application of errata fixups.
         Useful if an errata fixup needs to be applied to commands sent to
         the TPM. Defining the environment variable TPM2TOOLS_ENABLE_ERRATA
         is equivalent.

TCTI CONFIGURATION
       The TCTI or "Transmission Interface" is the communication mechanism
       with the TPM. TCTIs can be changed for communication with TPMs
       across different mediums.

       To control the TCTI, the tools respect:

       1. The command line option -T or --tcti

       2. The environment variable: TPM2TOOLS_TCTI.

       Note: The command line option always overrides the environment
       variable.

       The current known TCTIs are:

       • tabrmd - The resource manager, called tabrmd
         (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd
         and abrmd as a tcti name are synonymous.

       • mssim - Typically used for communicating with the TPM software
         simulator.

       • device - Used when talking directly to a TPM device file.

       • none - Do not initialize a connection with the TPM. Some tools
         allow for off-TPM options and thus support not using a TCTI.
         Tools that do not support it will error when used without a TCTI
         connection. Does not support ANY options and MUST BE presented as
         the exact text of "none".

       The arguments to either the command line option or the environment
       variable are in the form:

       <tcti-name>:<tcti-option-config>

       Specifying an empty string for either the <tcti-name> or the
       <tcti-option-config> results in the default being used for that
       portion respectively.

   TCTI Defaults
       When a TCTI is not specified, the default TCTI is searched for
       using dlopen(3) semantics. The tools will search for the tabrmd,
       device and mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.
       You can query which TCTI will be chosen as the default by using the
       -v option to print the version information. The "default-tcti"
       key-value pair will indicate which of the aforementioned TCTIs is
       the default.

   Custom TCTIs
       Any TCTI that implements the dynamic TCTI interface can be loaded.
       The tools internally use dlopen(3), and the raw tcti-name value is
       used for the lookup. Thus, this could be a path to the shared
       library, or a library name as understood by dlopen(3) semantics.

TCTI OPTIONS
       This collection of options is used to configure the various known
       TCTI modules available:

       • device: For the device TCTI, the TPM character device file for
         use by the device TCTI can be specified. The default is
         /dev/tpm0.

         Example: -T device:/dev/tpm0 or export
         TPM2TOOLS_TCTI="device:/dev/tpm0"

       • mssim: For the mssim TCTI, the domain name or IP address and port
         number used by the simulator can be specified. The defaults are
         127.0.0.1 and 2321.

         Example: -T mssim:host=localhost,port=2321 or export
         TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

       • abrmd: For the abrmd TCTI, the configuration string format is a
         series of simple key value pairs separated by a ',' character.
         Each key and value string are separated by a '=' character.

         TCTI abrmd supports two keys:

         1. 'bus_name' : The name of the tabrmd service on the bus (a
            string).

         2. 'bus_type' : The type of the dbus instance (a string) limited
            to 'session' and 'system'.

         Specify the tabrmd tcti name and a config string of
         bus_name=com.example.FooBar:

         --tcti=tabrmd:bus_name=com.example.FooBar

         Specify the default (abrmd) tcti, by leaving <tcti-name> empty,
         and a config string of bus_type=session:

         --tcti=:bus_type=session

         NOTE: abrmd and tabrmd are synonymous.

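       The two sections above define the TCTI selection rules (command line
       over environment, empty portions fall back to defaults, "none" takes
       no options, abrmd accepts only bus_name and bus_type) without showing
       them applied together. The following is an added illustration, not
       tpm2-tools' own option parser, that applies those rules to a
       configuration string. It assumes tabrmd is the default TCTI, as it
       is first in the search order; the real default is whatever -v
       reports under "default-tcti". Unknown TCTI names are passed through
       unchanged, since the tools hand them to dlopen(3) as-is.

```python
"""Added example: applying this page's TCTI selection rules to a
<tcti-name>:<tcti-option-config> string. Not tpm2-tools' own parser.
Assumes tabrmd is the default TCTI (first in the documented search order)."""
from typing import Dict, Optional, Tuple, Union

DEFAULT_TCTI = "tabrmd"                     # assumption: first in search order

# Defaults this page documents for an empty <tcti-option-config>.
TCTI_DEFAULTS = {
    "device": "/dev/tpm0",
    "mssim": "host=127.0.0.1,port=2321",
    "tabrmd": "",
}
ABRMD_KEYS = {"bus_name", "bus_type"}
BUS_TYPES = {"session", "system"}

Config = Union[None, str, Dict[str, str]]


def parse_tcti(spec: str) -> Tuple[str, Config]:
    """Return (tcti_name, config). config is a path for device, a dict of
    key=value pairs for mssim/abrmd, None for none, and the raw option string
    for a custom TCTI. Raises ValueError for usage the page rules out."""
    if spec == "none":
        return "none", None
    name, sep, conf = spec.partition(":")
    if name == "none":
        raise ValueError('the none TCTI takes no options: use the exact text "none"')
    if name == "abrmd":
        name = "tabrmd"                     # the two names are synonymous
    if name == "":
        name = DEFAULT_TCTI                 # empty <tcti-name> selects the default
    if name not in TCTI_DEFAULTS:
        return name, conf                   # custom TCTI: name goes to dlopen(3)
    if conf == "":
        conf = TCTI_DEFAULTS[name]          # empty <tcti-option-config> -> default
    if name == "device":
        return name, conf
    pairs: Dict[str, str] = {}
    for kv in filter(None, conf.split(",")):
        key, eq, value = kv.partition("=")
        if not eq:
            raise ValueError(f"expected key=value, got {kv!r}")
        pairs[key] = value
    if name == "tabrmd":
        unknown = set(pairs) - ABRMD_KEYS
        if unknown:
            raise ValueError(f"abrmd TCTI does not support keys {sorted(unknown)}")
        if "bus_type" in pairs and pairs["bus_type"] not in BUS_TYPES:
            raise ValueError(f"bus_type must be one of {sorted(BUS_TYPES)}")
    return name, pairs


def select_tcti(cli_value: Optional[str], env: Dict[str, str]) -> Tuple[str, Config]:
    """-T/--tcti always overrides TPM2TOOLS_TCTI; with neither, the default
    TCTI with its default configuration is used."""
    if cli_value is not None:
        spec = cli_value
    else:
        spec = env.get("TPM2TOOLS_TCTI", "")
    return parse_tcti(spec)


if __name__ == "__main__":
    # Constructed environment, as if TPM2TOOLS_TCTI were exported in the shell.
    constructed_env = {"TPM2TOOLS_TCTI": "mssim:host=localhost,port=2321"}
    print(select_tcti("device:/dev/tpm0", constructed_env))   # -T wins
    print(select_tcti(None, constructed_env))                 # env used
    print(select_tcti(None, {}))                              # default TCTI
```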
EXAMPLES
       # Create the RSA endorsement key (EK) and persist it at 0x81010009.
       tpm2 createek -Q -c 0x81010009 -G rsa -u ek.pub

       # Create an attestation key (AK) under that EK; its name is written to
       # ak.name in binary form.
       tpm2 createak -C 0x81010009 -c ak.ctx -G rsa -g sha256 -s rsassa -u ak.pub \
           -n ak.name -p akpass > ak.out

       # -n expects the AK name as a hex string, so convert the binary name
       # file; passing the file size to -c keeps the hex on a single line.
       file_size=`ls -l ak.name | awk '{print $5}'`
       loaded_key_name=`cat ak.name | xxd -p -c $file_size`

       # Export the EK public key in PEM form, which -G requires.
       tpm2 readpublic -c 0x81010009 -o ek.pem -f pem -Q

       # Wrap the secret "12345678" (read from stdin) for the AK named above.
       echo "12345678" | tpm2 makecredential -Q -u ek.pem -s - -n $loaded_key_name \
           -o mkcred.out -G rsa

RETURNS
       Tools can return any of the following codes:

       • 0 - Success.

       • 1 - General non-specific error.

       • 2 - Options handling error.

       • 3 - Authentication error.

       • 4 - TCTI related error.

       • 5 - Non supported scheme. Applicable to tpm2_testparams.

BUGS
       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

HELP
       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)

tpm2-tools                                                tpm2_makecredential(1)