1tpm2_createprimary(1)       General Commands Manual      tpm2_createprimary(1)
2
3
4

NAME

6       tpm2_createprimary(1) - Create a primary key.
7

SYNOPSIS

9       tpm2_createprimary [OPTIONS]
10

DESCRIPTION

12       tpm2_createprimary(1) - This command is used to create a primary object
13       under one of the hierarchies: Owner, Platform, Endorsement, NULL.   The
14       command  will create and load a Primary Object.  The sensitive and pub‐
15       lic portions are not returned.  A context file for the created object’s
16       handle is saved as a file for future interactions with the created pri‐
17       mary.
18

OPTIONS

20-C, --hierarchy=OBJECT:
21         The hierarchy under which the object is created.  This will also dic‐
22         tate  which authorization secret (if any) must be supplied.  Defaults
23         to TPM_RH_OWNER, when no value specified.  Supported options are:
24
25o for TPM_RH_OWNER
26
27p for TPM_RH_PLATFORM
28
29e for TPM_RH_ENDORSEMENT
30
31n for TPM_RH_NULL
32
33<num> where a raw number can be used.
34
35-P, --hierarchy-auth=AUTH:
36
37         The authorization value for the hierarchy specified with -C.
38
39-p, --key-auth=AUTH:
40
41         The authorization value for the primary object created.
42
43-g, --hash-algorithm=ALGORITHM:
44
45         The hash algorithm to use for generating the objects name.   Defaults
46         to sha256 if not specified.
47
48-G, --key-algorithm=ALGORITHM:
49
50         The  algorithm  type  for  the  generated  primary  key.  Defaults to
51         rsa2048:null:aes128cfb.
52
53-c, --key-context=FILE:
54
55         The file path to save the object context of the generated primary ob‐
56         ject.
57
58-L, --policy=FILE or HEX_STRING:
59
60         An  optional file input or hex string that contains the policy digest
61         for policy based authorization of the object.
62
63-a, --attributes=ATTRIBUTES:
64
65         The object attributes, optional.  Defaults to:  TPMA_OBJECT_RESTRICT‐
66         ED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|    TPMA_OBJECT_FIXEDPAR‐
67         ENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|  TPMA_OBJECT_USERWITHAUTH
68
69-u, --unique-data=FILE OR STDIN:
70
71         An optional file input that contains the unique field of  TPMT_PUBLIC
72         in  little-endian  format.  Primary key creator may place information
73         that causes the primary key generation scheme internal to the TPM  to
74         generate  statistically  unique  values.   The TPM v2.0 specification
75         calls this field unique and overloads it so that it contains one val‐
76         ue  when the application provides this structure as input and another
77         value when the applications receives this structure as  output  (like
78         public portion of the rsa key).
79
80         If  the  data is specified as a file, the user is responsible for en‐
81         suring that this buffer is formatted per TPMU_PUBLIC_ID union.
82
83         The unique data can also be retrieved from stdin buffer by specifying
84         “-”  as the –unique-data option value and the tool will parse the key
85         type and associate the input data with the unique data buffer associ‐
86         ated with the key type.  NOTE:
87
88         1. The maximum allowed bytes is dependent on key type and the TPM im‐
89            plementation.   Eg.   While  TSS  allows  a  value  upto  512  for
90            MAX_RSA_KEY_BYTES,  however the ibmSwTPM implementation supports a
91            value upto 256 bytes.
92
93         2. The unique input data specified on stdin  for  ECC  is  split  for
94            specifying the X coordinate and Y coordinate buffers.
95
96--creation-data=FILE:
97
98         An  optional  file output that saves the creation data for certifica‐
99         tion.
100
101--template-data=FILE:
102
103         An optional file output that saves the key template data  (TPM2B_PUB‐
104         LIC) to be used in tpm2_policytemplate.
105
106-t, --creation-ticket=FILE:
107
108         An optional file output that saves the creation ticket for certifica‐
109         tion.
110
111-d, --creation-hash=FILE:
112
113         An optional file output that saves the creation hash  for  certifica‐
114         tion.
115
116-q, --outside-info=FILE_OR_HEX:
117
118         An optional file or hex string to add unique data to the creation da‐
119         ta.  Note that it  does  not  contribute  in  creating  statistically
120         unique object.
121
122-l, --pcr-list=PCR:
123
124         The  list of PCR banks and selected PCRs’ ids for each bank to be in‐
125         cluded in the creation data for certification.
126
127--cphash=FILE
128
129         File path to record the hash of the command parameters.  This is com‐
130         monly termed as cpHash.  NOTE: When this option is selected, The tool
131         will not actually execute the command, it simply returns a cpHash.
132
133-f, --format:
134
135         Format selection for the public key output file.  `tss' (the default)
136         will  output  a  binary  blob according to the TPM 2.0 Specification.
137         `pem' will output an  OpenSSL  compatible  PEM  encoded  public  key.
138         `der'  will  output  an  OpenSSL  compatible  DER encoded public key.
139         `tpmt' will output a binary blob of the TPMT_PUBLIC struct referenced
140         by TPM 2.0 specs.
141
142         Public key format.
143
144-o, --output=FILE:
145
146         The output file path, recording the public portion of the object.
147
148   References

Context Object Format

150       The  type  of a context object, whether it is a handle or file name, is
151       determined according to the following logic in-order:
152
153       • If the argument is a file path, then the file is loaded as a restored
154         TPM transient object.
155
156       • If the argument is a prefix match on one of:
157
158         • owner: the owner hierarchy
159
160         • platform: the platform hierarchy
161
162         • endorsement: the endorsement hierarchy
163
164         • lockout: the lockout control persistent object
165
166       • If  the  argument argument can be loaded as a number it will be treat
167         as a handle, e.g. 0x81010013 and used directly._OBJECT_.
168

Authorization Formatting

170       Authorization for use of an object in TPM2.0 can come  in  3  different
171       forms: 1.  Password 2.  HMAC 3.  Sessions
172
173       NOTE:  “Authorizations  default  to  the EMPTY PASSWORD when not speci‐
174       fied”.
175
176   Passwords
177       Passwords are interpreted in the following  forms  below  using  prefix
178       identifiers.
179
180       Note:  By  default  passwords are assumed to be in the string form when
181       they do not have a prefix.
182
183   String
184       A string password, specified by prefix  “str:”  or  it’s  absence  (raw
185       string without prefix) is not interpreted, and is directly used for au‐
186       thorization.
187
188   Examples
189              foobar
190              str:foobar
191
192   Hex-string
193       A hex-string password, specified by prefix “hex:” is converted  from  a
194       hexidecimal  form  into a byte array form, thus allowing passwords with
195       non-printable and/or terminal un-friendly characters.
196
197   Example
198              hex:1122334455667788
199
200   File
201       A file based password, specified be prefix “file:” should be  the  path
202       of  a  file  containing the password to be read by the tool or a “-” to
203       use stdin.  Storing passwords in files  prevents  information  leakage,
204       passwords passed as options can be read from the process list or common
205       shell history features.
206
207   Examples
208              # to use stdin and be prompted
209              file:-
210
211              # to use a file from a path
212              file:path/to/password/file
213
214              # to echo a password via stdin:
215              echo foobar | tpm2_tool -p file:-
216
217              # to use a bash here-string via stdin:
218
219              tpm2_tool -p file:- <<< foobar
220
221   Sessions
222       When using a policy session to authorize the use of an  object,  prefix
223       the  option argument with the session keyword.  Then indicate a path to
224       a session file that was created with tpm2_startauthsession(1).  Option‐
225       ally, if the session requires an auth value to be sent with the session
226       handle (eg policy password), then append a + and a string as  described
227       in the Passwords section.
228
229   Examples
230       To use a session context file called session.ctx.
231
232              session:session.ctx
233
234       To use a session context file called session.ctx AND send the authvalue
235       mypassword.
236
237              session:session.ctx+mypassword
238
239       To use a session context file called session.ctx AND send the HEX auth‐
240       value 0x11223344.
241
242              session:session.ctx+hex:11223344
243
244   PCR Authorizations
245       You  can satisfy a PCR policy using the “pcr:” prefix and the PCR mini‐
246       language.      The     PCR     minilanguage     is     as      follows:
247       <pcr-spec>=<raw-pcr-file>
248
249       The PCR spec is documented in in the section “PCR bank specifiers”.
250
251       The  raw-pcr-file  is  an optional argument that contains the output of
252       the raw PCR contents as returned by tpm2_pcrread(1).
253
254       PCR bank specifiers (pcr.md)
255
256   Examples
257       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
258       er of:
259
260              pcr:sha256:0,1,2,3
261
262       specifying AUTH.
263

Algorithm Specifiers

265       Options that take algorithms support “nice-names”.
266
267       There  are two major algorithm specification string classes, simple and
268       complex.  Only certain algorithms will be accepted by the TPM, based on
269       usage and conditions.
270
271   Simple specifiers
272       These are strings with no additional specification data.  When creating
273       objects, non-specified portions of an object are assumed  to  defaults.
274       You can find the list of known “Simple Specifiers” below.
275
276   Asymmetric
277       • rsa
278
279       • ecc
280
281   Symmetric
282       • aes
283
284       • camellia
285
286       • sm4
287
288   Hashing Algorithms
289       • sha1
290
291       • sha256
292
293       • sha384
294
295       • sha512
296
297       • sm3_256
298
299       • sha3_256
300
301       • sha3_384
302
303       • sha3_512
304
305   Keyed Hash
306       • hmac
307
308       • xor
309
310   Signing Schemes
311       • rsassa
312
313       • rsapss
314
315       • ecdsa
316
317       • ecdaa
318
319       • ecschnorr
320
321       • sm2
322
323   Asymmetric Encryption Schemes
324       • oaep
325
326       • rsaes
327
328       • ecdh
329
330   Modes
331       • ctr
332
333       • ofb
334
335       • cbc
336
337       • cfb
338
339       • ecb
340
341   Misc
342       • null
343
344   Complex Specifiers
345       Objects,  when  specified  for creation by the TPM, have numerous algo‐
346       rithms to populate in the public data.  Things like  type,  scheme  and
347       asymmetric  details,  key  size,  etc.  Below is the general format for
348       specifying this data: <type>:<scheme>:<symmetric-details>
349
350   Type Specifiers
351       This portion of the complex algorithm specifier is required.   The  re‐
352       maining  scheme  and  symmetric  details will default based on the type
353       specified and the type of the object being created.
354
355       • aes - Default AES: aes128
356
357       • aes128<mode> - 128 bit AES with optional mode  (ctr|ofb|cbc|cfb|ecb).
358         If mode is not specified, defaults to null.
359
360       • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
361
362       • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
363
364       • sm4 - Default SM4: sm4128
365
366       • sm4128   or   sm4_128  <mode>  -  128  bit  SM4  with  optional  mode
367         (ctr|ofb|cbc|cfb|ecb).  If mode is not specified, defaults to null.
368
369       • ecc - Elliptical Curve, defaults to ecc256.
370
371       • ecc192 or ecc_nist_p192 - 192 bit ECC NIST curve
372
373       • ecc224 or ecc_nist_p224 - 224 bit ECC NIST curve
374
375       • ecc256 or ecc_nist_p256 - 256 bit ECC NIST curve
376
377       • ecc384 or ecc_nist_p384 - 384 bit ECC NIST curve
378
379       • ecc521 or ecc_nist_p521 - 521 bit ECC NIST curve
380
381       • ecc_sm2 or ecc_sm2_p256 - 256 bit SM2 curve
382
383       • rsa - Default RSA: rsa2048
384
385       • rsa1024 - RSA with 1024 bit keysize.
386
387       • rsa2048 - RSA with 2048 bit keysize.
388
389       • rsa3072 - RSA with 3072 bit keysize.
390
391       • rsa4096 - RSA with 4096 bit keysize.
392
393   Scheme Specifiers
394       Next, is an optional field, it can be skipped.
395
396       Schemes are usually Signing Schemes or Asymmetric  Encryption  Schemes.
397       Most signing schemes take a hash algorithm directly following the sign‐
398       ing scheme.  If the hash algorithm is missing, it defaults  to  sha256.
399       Some take no arguments, and some take multiple arguments.
400
401   Hash Optional Scheme Specifiers
402       These  scheme  specifiers are followed by a dash and a valid hash algo‐
403       rithm, For example: oaep-sha256.
404
405       • oaep
406
407       • ecdh
408
409       • rsassa
410
411       • rsapss
412
413       • ecdsa
414
415       • ecschnorr
416
417       • sm2
418
419   Multiple Option Scheme Specifiers
420       This scheme specifier is followed by a count  (max  size  UINT16)  then
421       followed by a dash(-) and a valid hash algorithm.  * ecdaa For example,
422       ecdaa4-sha256.  If no count is specified, it defaults to 4.
423
424   No Option Scheme Specifiers
425       This scheme specifier takes NO arguments.  * rsaes
426
427   Symmetric Details Specifiers
428       This field is optional, and defaults based on the type of object  being
429       created  and it’s attributes.  Generally, any valid Symmetric specifier
430       from the Type Specifiers list should work.  If not specified, an  asym‐
431       metric objects symmetric details defaults to aes128cfb.
432
433   Examples
434   Create an rsa2048 key with an rsaes asymmetric encryption scheme
435       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
436
437   Create  an  ecc256  key  with an ecdaa signing scheme with a count of 4 and
438       sha384 hash
439       /tpm2_create  -C  parent.ctx  -G  ecc256:ecdaa4-sha384  -u  key.pub  -r
440       key.priv cryptographic algorithms ALGORITHM.
441

Object Attributes

443       Object Attributes are used to control various properties of created ob‐
444       jects.  When specified as an option, either the raw  bitfield  mask  or
445       “nice-names”  may  be used.  The values can be found in Table 31 Part 2
446       of the TPM2.0 specification, which can be found here:
447
448       <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
449       Rev-2.0-Part-2-Structures-01.38.pdf>
450
451       Nice  names are calculated by taking the name field of table 31 and re‐
452       moving the prefix TPMA_OBJECT_ and lowercasing the result.   Thus,  TP‐
453       MA_OBJECT_FIXEDTPM  becomes  fixedtpm.   Nice names can be joined using
454       the bitwise or “|” symbol.
455
456       For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
457       and TPMA_OBJECT_SIGN_ENCRYPT, the argument would be:
458
459       fixedtpm|noda|sign specifying the object attributes ATTRIBUTES.
460

COMMON OPTIONS

462       This  collection of options are common to many programs and provide in‐
463       formation that many users may expect.
464
465-h, --help=[man|no-man]: Display the tools manpage.  By  default,  it
466         attempts  to  invoke  the  manpager for the tool, however, on failure
467         will output a short tool summary.  This is the same behavior  if  the
468         “man”  option argument is specified, however if explicit “man” is re‐
469         quested, the tool will provide errors from man  on  stderr.   If  the
470         “no-man”  option  if  specified, or the manpager fails, the short op‐
471         tions will be output to stdout.
472
473         To successfully use the manpages feature requires the manpages to  be
474         installed or on MANPATH, See man(1) for more details.
475
476-v,  --version:  Display version information for this tool, supported
477         tctis and exit.
478
479-V, --verbose: Increase the information that the tool prints  to  the
480         console  during  its  execution.  When using this option the file and
481         line number are printed.
482
483-Q, --quiet: Silence normal tool output to stdout.
484
485-Z, --enable-errata: Enable the application of errata fixups.  Useful
486         if  an  errata fixup needs to be applied to commands sent to the TPM.
487         Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.   in‐
488         formation many users may expect.
489

TCTI Configuration

491       The  TCTI  or  “Transmission  Interface” is the communication mechanism
492       with the TPM.  TCTIs can be changed for communication with TPMs  across
493       different mediums.
494
495       To control the TCTI, the tools respect:
496
497       1. The command line option -T or --tcti
498
499       2. The environment variable: TPM2TOOLS_TCTI.
500
501       Note:  The  command  line option always overrides the environment vari‐
502       able.
503
504       The current known TCTIs are:
505
506       • tabrmd     -     The     resource     manager,     called      tabrmd
507         (https://github.com/tpm2-software/tpm2-abrmd).   Note that tabrmd and
508         abrmd as a tcti name are synonymous.
509
510       • mssim - Typically used for communicating to the TPM software  simula‐
511         tor.
512
513       • device - Used when talking directly to a TPM device file.
514
515       • none  - Do not initalize a connection with the TPM.  Some tools allow
516         for off-tpm options and thus support not using a TCTI.  Tools that do
517         not  support  it  will error when attempted to be used without a TCTI
518         connection.  Does not support ANY options and MUST  BE  presented  as
519         the exact text of “none”.
520
521       The  arguments  to  either  the  command line option or the environment
522       variable are in the form:
523
524       <tcti-name>:<tcti-option-config>
525
526       Specifying an empty string for  either  the  <tcti-name>  or  <tcti-op‐
527       tion-config> results in the default being used for that portion respec‐
528       tively.
529
530   TCTI Defaults
531       When a TCTI is not specified, the default TCTI is  searched  for  using
532       dlopen(3)  semantics.   The  tools  will  search for tabrmd, device and
533       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You  can  query
534       what TCTI will be chosen as the default by using the -v option to print
535       the version information.  The “default-tcti” key-value pair will  indi‐
536       cate which of the aforementioned TCTIs is the default.
537
538   Custom TCTIs
539       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
540       tools internally use dlopen(3), and the raw tcti-name value is used for
541       the lookup.  Thus, this could be a path to the shared library, or a li‐
542       brary name as understood by dlopen(3) semantics.
543

TCTI OPTIONS

545       This collection of options are used to configure the various known TCTI
546       modules available:
547
548device: For the device TCTI, the TPM character device file for use by
549         the device TCTI can be specified.  The default is /dev/tpm0.
550
551         Example:   -T   device:/dev/tpm0   or   export    TPM2TOOLS_TCTI=“de‐
552         vice:/dev/tpm0”
553
554mssim:  For  the  mssim  TCTI, the domain name or IP address and port
555         number used by the simulator  can  be  specified.   The  default  are
556         127.0.0.1 and 2321.
557
558         Example:  -T  mssim:host=localhost,port=2321  or export TPM2TOOLS_TC‐
559         TI=“mssim:host=localhost,port=2321”
560
561abrmd: For the abrmd TCTI, the configuration string format is  a  se‐
562         ries  of  simple  key value pairs separated by a `,' character.  Each
563         key and value string are separated by a `=' character.
564
565         • TCTI abrmd supports two keys:
566
567           1. `bus_name' : The name of  the  tabrmd  service  on  the  bus  (a
568              string).
569
570           2. `bus_type' : The type of the dbus instance (a string) limited to
571              `session' and `system'.
572
573         Specify the tabrmd tcti name and a config string of  bus_name=com.ex‐
574         ample.FooBar:
575
576                \--tcti=tabrmd:bus_name=com.example.FooBar
577
578         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
579         sion:
580
581                \--tcti:bus_type=session
582
583         NOTE: abrmd and tabrmd are synonymous.  the various known  TCTI  mod‐
584         ules.
585

EXAMPLES

587   Create an ECC primary object
588              tpm2_createprimary -C o -g sha256 -G ecc -c context.out
589
590   Create a primary object that follows the guidance of TCG Provisioning guide
591       See          :         https://trustedcomputinggroup.org/wp-content/up
592       loads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
593
594       Where unique.dat contains the binary-formatted data: 0x00 0x01 (0x00  *
595       256)
596
597              tpm2_createprimary -C o -G rsa2048:aes128cfb -g sha256 -c prim.ctx \
598              -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|\
599              noda' -u unique.dat
600
601              ## Create a primary object and output the public key in pem format
602              tpm2_createprimary -c primary.ctx --format=pem --output=public.pem
603

Returns

605       Tools can return any of the following codes:
606
607       • 0 - Success.
608
609       • 1 - General non-specific error.
610
611       • 2 - Options handling error.
612
613       • 3 - Authentication error.
614
615       • 4 - TCTI related error.
616
617       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
618

BUGS

620       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
621

HELP

623       See the Mailing List (https://lists.linuxfoundation.org/mailman/listin
624       fo/tpm2)
625
626
627
628tpm2-tools                                               tpm2_createprimary(1)
Impressum