|
Packit |
549fdc |
AutoGen Definitions options;
|
|
Packit |
549fdc |
prog-name = tpmtool;
|
|
Packit |
549fdc |
prog-title = "GnuTLS TPM tool";
|
|
Packit |
549fdc |
prog-desc = "Program to handle TPM as a cryptographic device.\n";
|
|
Packit |
549fdc |
detail = "Program that allows handling cryptographic data from the TPM chip.";
|
|
Packit |
549fdc |
short-usage = "tpmtool [options]\ntpmtool --help for usage instructions.\n";
|
|
Packit |
549fdc |
explain = "";
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#define OUTFILE_OPT 1
|
|
Packit |
549fdc |
#define INFILE_OPT 1
|
|
Packit |
549fdc |
#include args-std.def
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = generate-rsa;
|
|
Packit |
549fdc |
descrip = "Generate an RSA private-public key pair";
|
|
Packit |
549fdc |
doc = "Generates an RSA private-public key pair in the TPM chip.
|
|
Packit |
549fdc |
The key may be stored in file system and protected by a PIN, or stored (registered)
|
|
Packit |
549fdc |
in the TPM chip flash.";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = register;
|
|
Packit |
549fdc |
descrip = "Any generated key will be registered in the TPM";
|
|
Packit |
549fdc |
flags_must = generate-rsa;
|
|
Packit |
549fdc |
doc = "";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = signing;
|
|
Packit |
549fdc |
descrip = "Any generated key will be a signing key";
|
|
Packit |
549fdc |
flags_must = generate-rsa;
|
|
Packit |
549fdc |
flags_cant = legacy;
|
|
Packit |
549fdc |
doc = "";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = legacy;
|
|
Packit |
549fdc |
descrip = "Any generated key will be a legacy key";
|
|
Packit |
549fdc |
flags_must = generate-rsa;
|
|
Packit |
549fdc |
flags_cant = signing;
|
|
Packit |
549fdc |
doc = "";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = user;
|
|
Packit |
549fdc |
descrip = "Any registered key will be a user key";
|
|
Packit |
549fdc |
flags_must = register;
|
|
Packit |
549fdc |
flags_cant = system;
|
|
Packit |
549fdc |
doc = "The generated key will be stored in a user specific persistent storage.";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = system;
|
|
Packit |
549fdc |
descrip = "Any registered key will be a system key";
|
|
Packit |
549fdc |
flags_must = register;
|
|
Packit |
549fdc |
flags_cant = user;
|
|
Packit |
549fdc |
doc = "The generated key will be stored in system persistent storage.";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = pubkey;
|
|
Packit |
549fdc |
arg-type = string;
|
|
Packit |
549fdc |
arg-name = "url";
|
|
Packit |
549fdc |
descrip = "Prints the public key of the provided key";
|
|
Packit |
549fdc |
doc = "";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = list;
|
|
Packit |
549fdc |
descrip = "Lists all stored keys in the TPM";
|
|
Packit |
549fdc |
doc = "";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = delete;
|
|
Packit |
549fdc |
arg-type = string;
|
|
Packit |
549fdc |
arg-name = "url";
|
|
Packit |
549fdc |
descrip = "Delete the key identified by the given URL (UUID).";
|
|
Packit |
549fdc |
doc = "";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = test-sign;
|
|
Packit |
549fdc |
arg-type = string;
|
|
Packit |
549fdc |
arg-name = "url";
|
|
Packit |
549fdc |
descrip = "Tests the signature operation of the provided object";
|
|
Packit |
549fdc |
doc = "It can be used to test the correct operation of the signature operation.
|
|
Packit |
549fdc |
This operation will sign and verify the signed data.";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = sec-param;
|
|
Packit |
549fdc |
arg-type = string;
|
|
Packit |
549fdc |
arg-name = "Security parameter";
|
|
Packit |
549fdc |
descrip = "Specify the security level [low, legacy, medium, high, ultra].";
|
|
Packit |
549fdc |
doc = "This is alternative to the bits option. Note however that the
|
|
Packit |
549fdc |
values allowed by the TPM chip are quantized and given values may be rounded up.";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = bits;
|
|
Packit |
549fdc |
arg-type = number;
|
|
Packit |
549fdc |
descrip = "Specify the number of bits for key generate";
|
|
Packit |
549fdc |
doc = "";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = inder;
|
|
Packit |
549fdc |
descrip = "Use the DER format for keys.";
|
|
Packit |
549fdc |
disabled;
|
|
Packit |
549fdc |
disable = "no";
|
|
Packit |
549fdc |
doc = "The input files will be assumed to be in the portable
|
|
Packit |
549fdc |
DER format of TPM. The default format is a custom format used by various
|
|
Packit |
549fdc |
TPM tools";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
flag = {
|
|
Packit |
549fdc |
name = outder;
|
|
Packit |
549fdc |
descrip = "Use DER format for output keys";
|
|
Packit |
549fdc |
disabled;
|
|
Packit |
549fdc |
disable = "no";
|
|
Packit |
549fdc |
doc = "The output will be in the TPM portable DER format.";
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
doc-section = {
|
|
Packit |
549fdc |
ds-type = 'SEE ALSO';
|
|
Packit |
549fdc |
ds-format = 'texi';
|
|
Packit |
549fdc |
ds-text = <<-_EOT_
|
|
Packit |
549fdc |
p11tool (1), certtool (1)
|
|
Packit |
549fdc |
_EOT_;
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
doc-section = {
|
|
Packit |
549fdc |
ds-type = 'EXAMPLES';
|
|
Packit |
549fdc |
ds-format = 'texi';
|
|
Packit |
549fdc |
ds-text = <<-_EOT_
|
|
Packit |
549fdc |
To generate a key that is to be stored in file system use:
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
To generate a key that is to be stored in TPM's flash use:
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ tpmtool --generate-rsa --bits 2048 --register --user
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
To get the public key of a TPM key use:
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \
|
|
Packit |
549fdc |
--outfile pubkey.pem
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
or if the key is stored in the file system:
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
To list all keys stored in TPM use:
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ tpmtool --list
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
_EOT_;
|
|
Packit |
549fdc |
};
|
|
Packit |
549fdc |
|