|
Packit |
549fdc |
@node tpmtool Invocation
|
|
Packit |
549fdc |
@subsection Invoking tpmtool
|
|
Packit |
549fdc |
@pindex tpmtool
|
|
Packit |
549fdc |
@ignore
|
|
Packit |
549fdc |
# -*- buffer-read-only: t -*- vi: set ro:
|
|
Packit |
549fdc |
#
|
|
Packit |
549fdc |
# DO NOT EDIT THIS FILE (invoke-tpmtool.texi)
|
|
Packit |
549fdc |
#
|
|
Packit |
549fdc |
# It has been AutoGen-ed
|
|
Packit |
549fdc |
# From the definitions ../src/tpmtool-args.def
|
|
Packit |
549fdc |
# and the template file agtexi-cmd.tpl
|
|
Packit |
549fdc |
@end ignore
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
Program that allows handling cryptographic data from the TPM chip.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This section was generated by @strong{AutoGen},
|
|
Packit |
549fdc |
using the @code{agtexi-cmd} template and the option descriptions for the @code{tpmtool} program.
|
|
Packit |
549fdc |
This software is released under the GNU General Public License, version 3 or later.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@anchor{tpmtool usage}
|
|
Packit |
549fdc |
@subheading tpmtool help/usage (@option{--help})
|
|
Packit |
549fdc |
@cindex tpmtool help
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the automatically generated usage text for tpmtool.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
The text printed is the same whether selected with the @code{help} option
|
|
Packit |
549fdc |
(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
|
|
Packit |
549fdc |
the usage text by passing it through a pager program.
|
|
Packit |
549fdc |
@code{more-help} is disabled on platforms without a working
|
|
Packit |
549fdc |
@code{fork(2)} function. The @code{PAGER} environment variable is
|
|
Packit |
549fdc |
used to select the program, defaulting to @file{more}. Both will exit
|
|
Packit |
549fdc |
with a status code of 0.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@exampleindent 0
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
tpmtool is unavailable - no --help
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
@exampleindent 4
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@anchor{tpmtool debug}
|
|
Packit |
549fdc |
@subheading debug option (-d)
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``enable debugging'' option.
|
|
Packit |
549fdc |
This option takes a number argument.
|
|
Packit |
549fdc |
Specifies the debug level.
|
|
Packit |
549fdc |
@anchor{tpmtool generate-rsa}
|
|
Packit |
549fdc |
@subheading generate-rsa option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``generate an rsa private-public key pair'' option.
|
|
Packit |
549fdc |
Generates an RSA private-public key pair in the TPM chip.
|
|
Packit |
549fdc |
The key may be stored in file system and protected by a PIN, or stored (registered)
|
|
Packit |
549fdc |
in the TPM chip flash.
|
|
Packit |
549fdc |
@anchor{tpmtool user}
|
|
Packit |
549fdc |
@subheading user option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``any registered key will be a user key'' option.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@noindent
|
|
Packit |
549fdc |
This option has some usage constraints. It:
|
|
Packit |
549fdc |
@itemize @bullet
|
|
Packit |
549fdc |
@item
|
|
Packit |
549fdc |
must appear in combination with the following options:
|
|
Packit |
549fdc |
register.
|
|
Packit |
549fdc |
@item
|
|
Packit |
549fdc |
must not appear in combination with any of the following options:
|
|
Packit |
549fdc |
system.
|
|
Packit |
549fdc |
@end itemize
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
The generated key will be stored in a user specific persistent storage.
|
|
Packit |
549fdc |
@anchor{tpmtool system}
|
|
Packit |
549fdc |
@subheading system option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``any registered key will be a system key'' option.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@noindent
|
|
Packit |
549fdc |
This option has some usage constraints. It:
|
|
Packit |
549fdc |
@itemize @bullet
|
|
Packit |
549fdc |
@item
|
|
Packit |
549fdc |
must appear in combination with the following options:
|
|
Packit |
549fdc |
register.
|
|
Packit |
549fdc |
@item
|
|
Packit |
549fdc |
must not appear in combination with any of the following options:
|
|
Packit |
549fdc |
user.
|
|
Packit |
549fdc |
@end itemize
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
The generated key will be stored in system persistent storage.
|
|
Packit |
549fdc |
@anchor{tpmtool test-sign}
|
|
Packit |
549fdc |
@subheading test-sign option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``tests the signature operation of the provided object'' option.
|
|
Packit |
549fdc |
This option takes a string argument @file{url}.
|
|
Packit |
549fdc |
It can be used to test the correct operation of the signature operation.
|
|
Packit |
549fdc |
This operation will sign and verify the signed data.
|
|
Packit |
549fdc |
@anchor{tpmtool sec-param}
|
|
Packit |
549fdc |
@subheading sec-param option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``specify the security level [low, legacy, medium, high, ultra].'' option.
|
|
Packit |
549fdc |
This option takes a string argument @file{Security parameter}.
|
|
Packit |
549fdc |
This is alternative to the bits option. Note however that the
|
|
Packit |
549fdc |
values allowed by the TPM chip are quantized and given values may be rounded up.
|
|
Packit |
549fdc |
@anchor{tpmtool inder}
|
|
Packit |
549fdc |
@subheading inder option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``use the der format for keys.'' option.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@noindent
|
|
Packit |
549fdc |
This option has some usage constraints. It:
|
|
Packit |
549fdc |
@itemize @bullet
|
|
Packit |
549fdc |
@item
|
|
Packit |
549fdc |
can be disabled with --no-inder.
|
|
Packit |
549fdc |
@end itemize
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
The input files will be assumed to be in the portable
|
|
Packit |
549fdc |
DER format of TPM. The default format is a custom format used by various
|
|
Packit |
549fdc |
TPM tools
|
|
Packit |
549fdc |
@anchor{tpmtool outder}
|
|
Packit |
549fdc |
@subheading outder option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``use der format for output keys'' option.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@noindent
|
|
Packit |
549fdc |
This option has some usage constraints. It:
|
|
Packit |
549fdc |
@itemize @bullet
|
|
Packit |
549fdc |
@item
|
|
Packit |
549fdc |
can be disabled with --no-outder.
|
|
Packit |
549fdc |
@end itemize
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
The output will be in the TPM portable DER format.
|
|
Packit |
549fdc |
@anchor{tpmtool exit status}
|
|
Packit |
549fdc |
@subheading tpmtool exit status
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
One of the following exit values will be returned:
|
|
Packit |
549fdc |
@table @samp
|
|
Packit |
549fdc |
@item 0 (EXIT_SUCCESS)
|
|
Packit |
549fdc |
Successful program execution.
|
|
Packit |
549fdc |
@item 1 (EXIT_FAILURE)
|
|
Packit |
549fdc |
The operation failed or the command syntax was not valid.
|
|
Packit |
549fdc |
@end table
|
|
Packit |
549fdc |
@anchor{tpmtool See Also}
|
|
Packit |
549fdc |
@subheading tpmtool See Also
|
|
Packit |
549fdc |
p11tool (1), certtool (1)
|
|
Packit |
549fdc |
@anchor{tpmtool Examples}
|
|
Packit |
549fdc |
@subheading tpmtool Examples
|
|
Packit |
549fdc |
To generate a key that is to be stored in file system use:
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
To generate a key that is to be stored in TPM's flash use:
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ tpmtool --generate-rsa --bits 2048 --register --user
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
To get the public key of a TPM key use:
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \
|
|
Packit |
549fdc |
--outfile pubkey.pem
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
or if the key is stored in the file system:
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
To list all keys stored in TPM use:
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ tpmtool --list
|
|
Packit |
549fdc |
@end example
|