@node tpmtool Invocation

@subsection Invoking tpmtool

@pindex tpmtool

@ignore

#  -*- buffer-read-only: t -*- vi: set ro:

#

# DO NOT EDIT THIS FILE   (invoke-tpmtool.texi)

#

# It has been AutoGen-ed

# From the definitions    ../src/tpmtool-args.def

# and the template file   agtexi-cmd.tpl

@end ignore

Program that allows handling cryptographic data from the TPM chip.

This section was generated by @strong{AutoGen},

using the @code{agtexi-cmd} template and the option descriptions for the @code{tpmtool} program.

This software is released under the GNU General Public License, version 3 or later.

@anchor{tpmtool usage}

@subheading tpmtool help/usage (@option{--help})

@cindex tpmtool help

This is the automatically generated usage text for tpmtool.

The text printed is the same whether selected with the @code{help} option

(@option{--help}) or the @code{more-help} option (@option{--more-help}).  @code{more-help} will print

the usage text by passing it through a pager program.

@code{more-help} is disabled on platforms without a working

@code{fork(2)} function.  The @code{PAGER} environment variable is

used to select the program, defaulting to @file{more}.  Both will exit

with a status code of 0.

@exampleindent 0

@example

tpmtool is unavailable - no --help

@end example

@exampleindent 4

@anchor{tpmtool debug}

@subheading debug option (-d)

This is the ``enable debugging'' option.

This option takes a number argument.

Specifies the debug level.

@anchor{tpmtool generate-rsa}

@subheading generate-rsa option

This is the ``generate an rsa private-public key pair'' option.

Generates an RSA private-public key pair in the TPM chip. 

The key may be stored in file system and protected by a PIN, or stored (registered)

in the TPM chip flash.

@anchor{tpmtool user}

@subheading user option

This is the ``any registered key will be a user key'' option.

@noindent

This option has some usage constraints.  It:

@itemize @bullet

@item

must appear in combination with the following options:

register.

@item

must not appear in combination with any of the following options:

system.

@end itemize

The generated key will be stored in a user specific persistent storage.

@anchor{tpmtool system}

@subheading system option

This is the ``any registered key will be a system key'' option.

@noindent

This option has some usage constraints.  It:

@itemize @bullet

@item

must appear in combination with the following options:

register.

@item

must not appear in combination with any of the following options:

user.

@end itemize

The generated key will be stored in system persistent storage.

@anchor{tpmtool test-sign}

@subheading test-sign option

This is the ``tests the signature operation of the provided object'' option.

This option takes a string argument @file{url}.

It can be used to test the correct operation of the signature operation.

This operation will sign and verify the signed data.

@anchor{tpmtool sec-param}

@subheading sec-param option

This is the ``specify the security level [low, legacy, medium, high, ultra].'' option.

This option takes a string argument @file{Security parameter}.

This is alternative to the bits option. Note however that the

values allowed by the TPM chip are quantized and given values may be rounded up.

@anchor{tpmtool inder}

@subheading inder option

This is the ``use the der format for keys.'' option.

@noindent

This option has some usage constraints.  It:

@itemize @bullet

@item

can be disabled with --no-inder.

@end itemize

The input files will be assumed to be in the portable

DER format of TPM. The default format is a custom format used by various

TPM tools

@anchor{tpmtool outder}

@subheading outder option

This is the ``use der format for output keys'' option.

@noindent

This option has some usage constraints.  It:

@itemize @bullet

@item

can be disabled with --no-outder.

@end itemize

The output will be in the TPM portable DER format.

@anchor{tpmtool exit status}

@subheading tpmtool exit status

One of the following exit values will be returned:

@table @samp

@item 0 (EXIT_SUCCESS)

Successful program execution.

@item 1 (EXIT_FAILURE)

The operation failed or the command syntax was not valid.

@end table

@anchor{tpmtool See Also}

@subheading tpmtool See Also

    p11tool (1), certtool (1)

@anchor{tpmtool Examples}

@subheading tpmtool Examples

To generate a key that is to be stored in file system use:

@example

$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem

@end example

To generate a key that is to be stored in TPM's flash use:

@example

$ tpmtool --generate-rsa --bits 2048 --register --user

@end example

To get the public key of a TPM key use:

@example

$ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \

          --outfile pubkey.pem

@end example

or if the key is stored in the file system:

@example

$ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem

@end example

To list all keys stored in TPM use:

@example

$ tpmtool --list

@end example