Packit Service |
4684c1 |
@node tpmtool Invocation
@subsection Invoking tpmtool
@pindex tpmtool
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
#
# DO NOT EDIT THIS FILE (invoke-tpmtool.texi)
#
# It has been AutoGen-ed
# From the definitions ../src/tpmtool-args.def
# and the template file agtexi-cmd.tpl
@end ignore


Program that allows handling cryptographic data from the TPM chip.

This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{tpmtool} program.
This software is released under the GNU General Public License, version 3 or later.


@anchor{tpmtool usage}
@subheading tpmtool help/usage (@option{--help})
@cindex tpmtool help

This is the automatically generated usage text for tpmtool.

The text printed is the same whether selected with the @code{help} option
(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
the usage text by passing it through a pager program.
@code{more-help} is disabled on platforms without a working
@code{fork(2)} function. The @code{PAGER} environment variable is
used to select the program, defaulting to @file{more}. Both will exit
with a status code of 0.

@exampleindent 0
@example
tpmtool - GnuTLS TPM tool
Usage: tpmtool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...

   -d, --debug=num            Enable debugging
                                - it must be in the range:
                                  0 to 9999
       --infile=file          Input file
                                - file must pre-exist
       --outfile=str          Output file
       --generate-rsa         Generate an RSA private-public key pair
       --register             Any generated key will be registered in the TPM
                                - requires the option 'generate-rsa'
       --signing              Any generated key will be a signing key
                                - requires the option 'generate-rsa'
                                -- and prohibits the option 'legacy'
       --legacy               Any generated key will be a legacy key
                                - requires the option 'generate-rsa'
                                -- and prohibits the option 'signing'
       --user                 Any registered key will be a user key
                                - requires the option 'register'
                                -- and prohibits the option 'system'
       --system               Any registered key will be a system key
                                - requires the option 'register'
                                -- and prohibits the option 'user'
       --pubkey=str           Prints the public key of the provided key
       --list                 Lists all stored keys in the TPM
       --delete=str           Delete the key identified by the given URL (UUID).
       --test-sign=str        Tests the signature operation of the provided object
       --sec-param=str        Specify the security level [low, legacy, medium, high, ultra].
       --bits=num             Specify the number of bits for key generate
       --inder                Use the DER format for keys.
                                - disabled as '--no-inder'
       --outder               Use DER format for output keys
                                - disabled as '--no-outder'
       --srk-well-known       SRK has well known password (20 bytes of zeros)
   -v, --version[=arg]        output version information and exit
   -h, --help                 display extended usage information and exit
   -!, --more-help            extended usage information passed thru pager

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.

Program that allows handling cryptographic data from the TPM chip.

@end example
@exampleindent 4

@anchor{tpmtool debug}
@subheading debug option (-d)

This is the ``enable debugging'' option.
This option takes a number argument.
Specifies the debug level.
@anchor{tpmtool generate-rsa}
@subheading generate-rsa option

This is the ``generate an rsa private-public key pair'' option.
Generates an RSA private-public key pair in the TPM chip.
The key may be stored in the file system and protected by a PIN, or stored (registered)
in the TPM chip flash.
@anchor{tpmtool user}
@subheading user option

This is the ``any registered key will be a user key'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
must appear in combination with the following options:
register.
@item
must not appear in combination with any of the following options:
system.
@end itemize

The generated key will be stored in user-specific persistent storage.
@anchor{tpmtool system}
@subheading system option

This is the ``any registered key will be a system key'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
must appear in combination with the following options:
register.
@item
must not appear in combination with any of the following options:
user.
@end itemize

The generated key will be stored in system persistent storage.
@anchor{tpmtool test-sign}
@subheading test-sign option

This is the ``tests the signature operation of the provided object'' option.
This option takes a string argument @file{url}.
It can be used to test that the signature operation works correctly.
This operation will sign data with the key and then verify the resulting signature.
@anchor{tpmtool sec-param}
@subheading sec-param option

This is the ``specify the security level [low, legacy, medium, high, ultra].'' option.
This option takes a string argument @file{Security parameter}.
This is an alternative to the bits option. Note however that the
values allowed by the TPM chip are quantized and given values may be rounded up.
@anchor{tpmtool inder}
@subheading inder option

This is the ``use the der format for keys.'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-inder.
@end itemize

The input files will be assumed to be in the portable
DER format of TPM. The default format is a custom format used by various
TPM tools.
@anchor{tpmtool outder}
@subheading outder option

This is the ``use der format for output keys'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-outder.
@end itemize

The output will be in the TPM portable DER format.
@anchor{tpmtool srk-well-known}
@subheading srk-well-known option

This is the ``srk has well known password (20 bytes of zeros)'' option.
This option has no @samp{doc} documentation.
@anchor{tpmtool exit status}
@subheading tpmtool exit status

One of the following exit values will be returned:
@table @samp
@item 0 (EXIT_SUCCESS)
Successful program execution.
@item 1 (EXIT_FAILURE)
The operation failed or the command syntax was not valid.
@end table
@anchor{tpmtool See Also}
@subheading tpmtool See Also
p11tool (1), certtool (1)
@anchor{tpmtool Examples}
@subheading tpmtool Examples
To generate a key that is to be stored in the file system use:
@example
$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem
@end example

To generate a key that is to be stored in the TPM's flash use:
@example
$ tpmtool --generate-rsa --bits 2048 --register --user
@end example

To get the public key of a TPM key use (the URL is quoted because the
@samp{;} in it would otherwise be read by the shell as a command separator):
@example
$ tpmtool --pubkey "tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user" \
          --outfile pubkey.pem
@end example

or if the key is stored in the file system:
@example
$ tpmtool --pubkey tpmkey:file=tpmkey.pem --outfile pubkey.pem
@end example

To list all keys stored in the TPM use:
@example
$ tpmtool --list
@end example
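The following is an added shell example, not part of the GnuTLS manual or the tpmtool sources. It wraps the procedure above in dry-run form: it builds the tpmtool command line while enforcing the option constraints from the usage text (--user/--system require --register; --signing and --legacy prohibit each other) and validates a tpmkey: URL of either form shown in the examples before it is handed to --test-sign. The function names are this example's own; tpmtool itself is never executed.

```shell
# Added example (not from the GnuTLS manual or the tpmtool sources): a dry-run
# wrapper that prints tpmtool command lines; tpmtool itself is never executed.

# tpmkey_url_check URL -> 0 if URL has one of the two forms tpmtool accepts:
#   tpmkey:file=PATH  or  tpmkey:uuid=UUID;storage=user|system
tpmkey_url_check() {
  case "$1" in
    tpmkey:file=?*) return 0 ;;
    tpmkey:uuid=*) ;;
    *) return 1 ;;
  esac
  rest=${1#tpmkey:uuid=}
  uuid=${rest%%;*}
  storage=${rest#*;}
  [ "$storage" != "$rest" ] || return 1          # ';storage=' part missing
  case "$storage" in
    storage=user|storage=system) ;;
    *) return 1 ;;
  esac
  # A registered key is named by an 8-4-4-4-12 hex UUID.
  printf '%s\n' "$uuid" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# genkey_cmd BITS STORE TYPE -> prints the --generate-rsa command line, or
# fails on a combination the usage constraints forbid.
#   STORE: file:PATH (key kept in a file) | user | system (registered in the TPM)
#   TYPE:  signing | legacy | default
genkey_cmd() {
  bits=$1 store=$2 type=$3
  cmd="tpmtool --generate-rsa --bits $bits"
  case "$type" in                  # --signing and --legacy prohibit each other
    signing) cmd="$cmd --signing" ;;
    legacy)  cmd="$cmd --legacy" ;;
    default) ;;
    *) echo "type must be signing, legacy or default" >&2; return 1 ;;
  esac
  case "$store" in                 # --user/--system require --register
    file:?*)     cmd="$cmd --outfile ${store#file:}" ;;
    user|system) cmd="$cmd --register --$store" ;;
    *) echo "store must be file:PATH, user or system" >&2; return 1 ;;
  esac
  printf '%s\n' "$cmd"
}
# testsign_cmd URL -> prints the sign-and-verify self-check for a generated key.
testsign_cmd() {
  tpmkey_url_check "$1" || { echo "bad tpmkey URL: $1" >&2; return 1; }
  printf 'tpmtool --test-sign "%s"\n' "$1"
}
```

Pipe the printed lines into `sh` only after reviewing them; the URL is emitted quoted so the `;` survives the shell.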