1tpm2_getekcertificate(1) General Commands Manual tpm2_getekcertificate(1)
2
6 tpm2_getekcertificate(1) - Retrieve the Endorsement key Certificate.
7
9 tpm2_getekcertificate [OPTIONS] [ARGUMENT]
10
12 tpm2_getekcertificate(1) - Retrieve the endorsement key certificate.
13 The certificate is present either on the TCG specified TPM NV indices
14 OR on the TPM manufacturer’s endorsement certificate hosting server.
15 Following are the conditions dictating the certificate location lookup.
16 1. NV-Index:
18 Default search location when ARGUMENT is not specified.
20 2. Intel-EK-certificate-server:
22 Search location when EK certificate could not be found in the NV
24 index AND tpmEPSgenerated bit is CLEAR AND manufacturer is INTC.
25 3. Intel-EK-Re-certification-server:
27 Search location when EK certificate could not be found in the NV
29 index AND tpmEPSgenerated bit is SET AND manufacturer is INTC.
30 Note:
32 In this operation information is provided regarding additional
34 software to be run as part of the re-provisioning/ re-certification
35 service.
36 After re-provisioning/ recertification process is complete, EK cer‐
38 tificates can be read from the NV indexes by running another in‐
39 stance of tpm2_getekcertificate.
40 4. Generic or other EK-certificate-server:
42 Search location when ARGUMENT specifies the EK certificate web
44 hosting address.
45
47 • -o, --ek-certificate=FILE or STDOUT:
48 The file to save the Endorsement key certificate. When EK certifi‐
50 cates are found in the TPM NV indices, this option can be specified
51 additional times to save the RSA and ECC EK certificates in order.
52 The tool will warn if additional EK certificates are found on the TPM
53 NV indices and only a single output file is specified. If the option
54 isn’t specified all the EK certificates retrieved either from the
55 manufacturer web hosting or from the TPM NV indices, are output to
56 stdout.
57 • -X, --allow-unverified:
59 Specifies to attempt connecting with the TPM manufacturer provision‐
61 ing server without verifying server certificate. This option is ir‐
62 relevant when EK certificates are found on the TPM NV indices.
63 WARNING: This option should be used only on platforms with older CA
65 certificates.
66 • -u, --ek-public=FILE:
68 Specifies the file path for the endorsement key public portion in tss
70 format.
71 • -x, --offline:
73 This flags the tool to operate in an offline mode. In that the cer‐
75 tificates can be retrieved for supplied EK public that do not belong
76 to the platform the tool is run on. Useful in factory provisioning
77 of multiple platforms that are not individually connected to the In‐
78 ternet. In such a scenario a single Internet facing provisioning
79 server can utilize this tool in this mode. This forces the tool to
80 not look for the EK certificates on the NV indices.
81 • –raw:
83 This flags the tool to output the EK certificate as is received from
85 the source: NV/ Web-Hosting.
86 • ARGUMENT the command line argument specifies the URL address for the
88 EK certificate portal. This forces the tool to not look for the EK
89 certificates on the NV indices.
90 References
93 This collection of options are common to many programs and provide in‐
94 formation that many users may expect.
95 • -h, --help=[man|no-man]: Display the tools manpage. By default, it
97 attempts to invoke the manpager for the tool, however, on failure
98 will output a short tool summary. This is the same behavior if the
99 “man” option argument is specified, however if explicit “man” is re‐
100 quested, the tool will provide errors from man on stderr. If the
101 “no-man” option if specified, or the manpager fails, the short op‐
102 tions will be output to stdout.
103 To successfully use the manpages feature requires the manpages to be
105 installed or on MANPATH, See man(1) for more details.
106 • -v, --version: Display version information for this tool, supported
108 tctis and exit.
109 • -V, --verbose: Increase the information that the tool prints to the
111 console during its execution. When using this option the file and
112 line number are printed.
113 • -Q, --quiet: Silence normal tool output to stdout.
115 • -Z, --enable-errata: Enable the application of errata fixups. Useful
117 if an errata fixup needs to be applied to commands sent to the TPM.
118 Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent. in‐
119 formation many users may expect.
120
122 The TCTI or “Transmission Interface” is the communication mechanism
123 with the TPM. TCTIs can be changed for communication with TPMs across
124 different mediums.
125 To control the TCTI, the tools respect:
127 1. The command line option -T or --tcti
129 2. The environment variable: TPM2TOOLS_TCTI.
131 Note: The command line option always overrides the environment vari‐
133 able.
134 The current known TCTIs are:
136 • tabrmd - The resource manager, called tabrmd
138 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
139 abrmd as a tcti name are synonymous.
140 • mssim - Typically used for communicating to the TPM software simula‐
142 tor.
143 • device - Used when talking directly to a TPM device file.
145 • none - Do not initalize a connection with the TPM. Some tools allow
147 for off-tpm options and thus support not using a TCTI. Tools that do
148 not support it will error when attempted to be used without a TCTI
149 connection. Does not support ANY options and MUST BE presented as
150 the exact text of “none”.
151 The arguments to either the command line option or the environment
153 variable are in the form:
154 <tcti-name>:<tcti-option-config>
156 Specifying an empty string for either the <tcti-name> or <tcti-op‐
158 tion-config> results in the default being used for that portion respec‐
159 tively.
160 TCTI Defaults
162 When a TCTI is not specified, the default TCTI is searched for using
163 dlopen(3) semantics. The tools will search for tabrmd, device and
164 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
165 what TCTI will be chosen as the default by using the -v option to print
166 the version information. The “default-tcti” key-value pair will indi‐
167 cate which of the aforementioned TCTIs is the default.
168 Custom TCTIs
170 Any TCTI that implements the dynamic TCTI interface can be loaded. The
171 tools internally use dlopen(3), and the raw tcti-name value is used for
172 the lookup. Thus, this could be a path to the shared library, or a li‐
173 brary name as understood by dlopen(3) semantics.
174
176 This collection of options are used to configure the various known TCTI
177 modules available:
178 • device: For the device TCTI, the TPM character device file for use by
180 the device TCTI can be specified. The default is /dev/tpm0.
181 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI=“de‐
183 vice:/dev/tpm0”
184 • mssim: For the mssim TCTI, the domain name or IP address and port
186 number used by the simulator can be specified. The default are
187 127.0.0.1 and 2321.
188 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
190 TI=“mssim:host=localhost,port=2321”
191 • abrmd: For the abrmd TCTI, the configuration string format is a se‐
193 ries of simple key value pairs separated by a `,' character. Each
194 key and value string are separated by a `=' character.
195 • TCTI abrmd supports two keys:
197 1. `bus_name' : The name of the tabrmd service on the bus (a
199 string).
200 2. `bus_type' : The type of the dbus instance (a string) limited to
202 `session' and `system'.
203 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
205 ample.FooBar:
206 \--tcti=tabrmd:bus_name=com.example.FooBar
208 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
210 sion:
211 \--tcti:bus_type=session
213 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
215 ules.
216
218 When the verbose option is specified, additional curl debugging infor‐
219 mation is provided by setting the curl mode verbose, see
220 <https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html> for more informa‐
221 tion.
222
224 Retrieve EK certificate from TPM manufacturer backend by supplying EK pub‐
225 lic.
226 tpm2_createek -G rsa -u ek.pub -c key.ctx
227 tpm2_getekcertificate -X -o ECcert.bin -u ek.pub \
229 https://tpm.manufacturer.com/ekcertserver/
230 Retrieve EK certificate from Intel backend if certificate not found on NV.
232 tpm2_createek -G rsa -u ek.pub -c key.ctx
233 tpm2_getekcertificate -X -o ECcert.bin -u ek.pub
235 Retrieve EK certificate from Intel backend for an offline platform.
237 tpm2_getekcertificate -X -x -o ECcert.bin -u ek.pub
238 Retrieve EK certificate from TPM NV indices only, fail otherwise.
240 tpm2_getekcertificate -o ECcert.bin
241 Retrieve multiple EK certificates from TPM NV indices only, fail otherwise.
243 tpm2_getekcertificate -o RSA_EK_cert.bin -o ECC_EK_cert.bin
244
246 Tools can return any of the following codes:
247 • 0 - Success.
249 • 1 - General non-specific error.
251 • 2 - Options handling error.
253 • 3 - Authentication error.
255 • 4 - TCTI related error.
257 • 5 - Non supported scheme. Applicable to tpm2_testparams.
259
261 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
262
264 See the Mailing List (https://lists.linuxfoundation.org/mailman/listin‐
265 fo/tpm2)
266tpm2-tools tpm2_getekcertificate(1)