chantra / rpms / tpm2-tools

Forked from rpms/tpm2-tools 2 years ago
Clone
Blob Blame History Raw
diff --git a/Makefile.am b/Makefile.am
index 2034c2500b3e..9dfe2ca1ea7c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -270,7 +270,6 @@ EXTRA_DIST = $(top_srcdir)/man \
 	     README.md \
 	     RELEASE.md
 
-if HAVE_PANDOC
     man1_MANS := \
     man/man1/tpm2_activatecredential.1 \
     man/man1/tpm2_certify.1 \
@@ -311,7 +310,6 @@ if HAVE_PANDOC
     man/man1/tpm2_takeownership.1 \
     man/man1/tpm2_unseal.1 \
     man/man1/tpm2_verifysignature.1
-endif
 
 MARKDOWN_COMMON_DEPS = \
 	man/common/alg.md \
diff --git a/man/man1/tpm2_activatecredential.1 b/man/man1/tpm2_activatecredential.1
new file mode 100644
index 000000000000..afe81e4d4b02
--- /dev/null
+++ b/man/man1/tpm2_activatecredential.1
@@ -0,0 +1,178 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_activatecredential" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_activatecredential\f[](1) \- verify that an object is
+protected with a specific key.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_activatecredential\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+Verify that the given content is protected with given keyHandle for
+given handle, and then decrypt and return the secret, if any passwd
+option is missing, assume NULL.
+Currently only support using TCG profile compliant EK as the keyHandle.
+.SH OPTIONS
+.PP
+These options control the object verification:
+.IP \[bu] 2
+\f[B]\-H\f[], \f[B]\-\-handle\f[]=\f[I]HANDLE\f[]: \f[I]HANDLE\f[] of
+the object associated with the created certificate by CA.
+.IP \[bu] 2
+\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]: The
+\f[I]KEY_HANDLE\f[] of Loaded key used to decrypt the the random seed.
+.IP \[bu] 2
+\f[B]\-C\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]:
+\f[I]KEY_CONTEXT_FILE\f[] is the path to a context file.
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-password\f[]=\f[I]PASSWORD\f[]: Use
+\f[I]PASSWORD\f[] for providing an authorization value for the
+\f[I]KEY_HANDLE\f[].
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-e\f[], \f[B]\-\-endorse\-password\f[]=\f[I]ENDORSE_PASSWORD\f[]:
+The endorsement password, optional.
+Follows the same formating guidelines as the handle password option \-P.
+.IP \[bu] 2
+\f[B]\-f\f[], \f[B]\-\-in\-file\f[]=\f[I]INPUT_FILE\f[]: Input file
+path, containing the two structures needed by tpm2_activatecredential
+function.
+This is created via the tpm2_makecredential(1) command.
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUTPUT_FILE\f[]: Output file
+path, record the secret to decrypt the certificate.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_activatecredential\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ abc123\ \-e\ abc123\ \-f\ <filePath>\ \-o\ <filePath>
+tpm2_activatecredential\ \-c\ ak.context\ \-C\ ek.context\ \-P\ abc123\ \-e\ abc123\ \-f\ <filePath>\ \-o\ <filePath>
+tpm2_activatecredential\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 123abc\ \-e\ 1a1b1c\ \-X\ \-f\ <filePath>\ \-o\ <filePath>
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_certify.1 b/man/man1/tpm2_certify.1
new file mode 100644
index 000000000000..f1a5af18d65b
--- /dev/null
+++ b/man/man1/tpm2_certify.1
@@ -0,0 +1,201 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_certify" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_certify\f[](1) \- prove that an object is loaded in the tpm.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_certify\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_certify\f[](1) proves that an object with a specific
+\f[I]NAME\f[] is loaded in the TPM.
+By certifying that the object is loaded, the TPM warrants that a public
+area with a given \f[I]NAME\f[] is self\-consistent and associated with
+a valid sensitive area.
+If a relying party has a public area that has the same \f[I]NAME\f[] as
+a \f[I]NAME\f[] certified with this command, then the values in that
+public area are correct.
+The object may be any object that is loaded with TPM2_Load() or
+TPM2_CreatePrimary().
+An object that only has its public area loaded cannot be certified.
+.SH OPTIONS
+.PP
+These options control the ceritifcation:
+.IP \[bu] 2
+\f[B]\-H\f[], \f[B]\-\-obj\-handle\f[]=\f[I]OBJECT_HANDLE\f[]: The
+handle of the object to be certified.
+.IP \[bu] 2
+\f[B]\-C\f[], \f[B]\-\-obj\-context\f[]=\f[I]FILE\f[]: Use \f[I]FILE\f[]
+for providing the object context.
+.IP \[bu] 2
+\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]: Handle of
+the key used to sign the attestation structure.
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT\f[]: Filename
+of the key context used to sign the attestation structure.
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-pwdo\f[]=\f[I]OBJECT_PASSWORD\f[]: Use
+\f[I]OBJECT_PASSWORD\f[] for providing an authorization value for the
+object specified in \f[I]OBJECT_HANDLE\f[].
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-K\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: Use
+\f[I]KEY_PASSWORD\f[] for providing an authorization value for the key
+specified in \f[I]KEY_HANDLE\f[].
+Follows the same formatting guidelines as the object handle password or
+\-P option.
+.IP \[bu] 2
+\f[B]\-a\f[], \f[B]\-\-attest\-file\f[]=\f[I]ATTEST_FILE\f[]: Output
+file name for the attestation data.
+.IP \[bu] 2
+\f[B]\-s\f[], \f[B]\-\-sig\-file\f[]=\f[I]SIG_FILE\f[]: Output file name
+for the signature data.
+.IP \[bu] 2
+\f[B]\-f\f[], \f[B]\-\-format\f[]
+.RS 2
+.PP
+Format selection for the signature output file.
+See section "Signature Format Specifiers".
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH Signature Format Specifiers
+.PP
+Format selection for the signature output file.
+\f[B]tss\f[] (the default) will output a binary blob according to the
+TPM 2.0 specification and any potential compiler padding.
+The option \f[B]plain\f[] will output the plain signature data as
+defined by the used cryptographic algorithm.
+# EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_certify\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 0x0011\ \-K\ 0x00FF\ \-g\ 0x00B\ \-a\ <fileName>\ \-s\ <fileName>
+tpm2_certify\ \-C\ obj.context\ \-c\ key.context\ \-P\ 0x0011\ \-K\ 0x00FF\ \-g\ 0x00B\ \-a\ <fileName>\ \-s\ <fileName>
+tpm2_certify\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 0011\ \-K\ 00FF\ \-X\ \-g\ 0x00B\ \-a\ <fileName>\ \-s\ <fileName>
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_create.1 b/man/man1/tpm2_create.1
new file mode 100644
index 000000000000..80e158428a26
--- /dev/null
+++ b/man/man1/tpm2_create.1
@@ -0,0 +1,271 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_create" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_create\f[](1) \- create an object that can be loaded into a
+TPM using tpm2_load.
+The object will need to be loaded before it may be used.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_create\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_create\f[](1) \- create an object that can be loaded into a
+TPM using tpm2_load.
+The object will need to be loaded before it may be used.
+.SH OPTIONS
+.PP
+These options for creating the tpm entity:
+.IP \[bu] 2
+\f[B]\-H\f[], \f[B]\-\-pparent\f[]=\f[I]PARENT_HANDLE\f[]: The handle of
+the parent object to create this object under.
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-context\-parent\f[]=\f[I]PARENT_CONTEXT_FILE\f[]:
+The filename for parent context.
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: The
+password for parent key, optional.
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-K\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: The password for
+key, optional.
+Follows the password formatting of the "password for parent key" option:
+\-P.
+.IP \[bu] 2
+\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]ALGORITHM\f[]: The hash algorithm
+to use.
+Algorithms should follow the " formatting standards, see section
+"Algorithm Specifiers".
+Also, see section "Supported Hash Algorithms" for a list of supported
+hash algorithms.
+.IP \[bu] 2
+\f[B]\-G\f[], \f[B]\-\-kalg\f[]=\f[I]KEY_ALGORITHM\f[]: The algorithm
+associated with this object.
+It accepts friendly names just like \-g option.
+See section "Supported Public Object Algorithms" for a list of supported
+object algorithms.
+.IP \[bu] 2
+\f[B]\-A\f[], \f[B]\-\-object\-attributes\f[]=\f[I]ATTRIBUTES\f[]: The
+object attributes, optional.
+Object attribytes follow the specifications as outlined in "object
+attribute specifiers".
+The default for created objects is:
+.RS 2
+.PP
+\f[C]TPMA_OBJECT_SIGN|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH\f[]
+.RE
+.IP \[bu] 2
+\f[B]\-I\f[], \f[B]\-\-in\-file\f[]=\f[I]FILE\f[]: The data file to be
+sealed, optional.
+If file is \-, read from stdin.
+When sealing data only the TPM_ALG_KEYEDHASH algorithm is allowed.
+.IP \[bu] 2
+\f[B]\-L\f[], \f[B]\-\-policy\-file\f[]=\f[I]POLICY_FILE\f[]: The input
+policy file, optional.
+.IP \[bu] 2
+\f[B]\-u\f[], \f[B]\-\-pubfile\f[]=\f[I]OUTPUT_PUBLIC_FILE\f[]: The
+output file which contains the public portion of the created object,
+optional.
+.IP \[bu] 2
+\f[B]\-r\f[], \f[B]\-\-privfile\f[]=\f[I]OUTPUT_PRIVATE_FILE\f[]: The
+output file which contains the sensitive portion of the object,
+optional.
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
+Input session handle from a policy session for authorization.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH Supported Hash Algorithms
+.PP
+Supported hash algorithms are:
+.IP \[bu] 2
+\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
+\f[B](default)\f[]
+.IP \[bu] 2
+\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
+.IP \[bu] 2
+\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
+.IP \[bu] 2
+\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
+.IP \[bu] 2
+\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Supported Public Object Algorithms
+.PP
+Supported public object algorithms are:
+.IP \[bu] 2
+\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
+(\f[B]default\f[]).
+.IP \[bu] 2
+\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
+.IP \[bu] 2
+\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
+.IP \[bu] 2
+\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Algorithm Specfiers
+.PP
+Options that take algorithms support "nice\-names".
+Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
+The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
+from the Algorithm Name field and converting it to lower case.
+For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
+.PP
+The algorithms can be found at:
+<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
+.SH Object Attributes
+.PP
+Object Attributes are used to control various properties of created
+objects.
+When specified as an option, either the raw bitfield mask or
+"nice\-names" may be used.
+The values can be found in Table 31 Part 2 of the TPM2.0 specification,
+which can be found here:
+.PP
+<https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>
+.PP
+Nice names are calculated by taking the name field of table 31 and
+removing the prefix \f[B]TPMA_OBJECT_\f[] and lowercasing the result.
+Thus, \f[B]TPMA_OBJECT_FIXEDTPM\f[] becomes fixedtpm.
+Nice names can be joined using the bitwise or "|" symbol.
+.PP
+For instance, to set The fields \f[B]TPMA_OBJECT_FIXEDTPM\f[],
+\f[B]TPMA_OBJECT_NODA\f[], and \f[B]TPMA_OBJECT_SIGN\f[], the argument
+would be:
+.PP
+\f[B]fixedtpm|noda|sign\f[]
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_create\ \-H\ 0x81010001\ \-P\ abc123\ \-K\ def456\ \-g\ sha256\ \-G\ keyedhash\-I\ data.File\ \-o\ opu.File
+tpm2_create\ \-c\ parent.context\ \-P\ abc123\ \-K\ def456\ \-g\ sha256\ \-G\ keyedhash\ \-I\ data.File\ \-o\ opu.File
+tpm2_create\ \-H\ 0x81010001\ \-P\ 123abc\ \-K\ 456def\ \-X\ \-g\ sha256\ \-G\ keyedhash\ \-I\ data.File\ \-o\ opu.File
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_createpolicy.1 b/man/man1/tpm2_createpolicy.1
new file mode 100644
index 000000000000..355137e38852
--- /dev/null
+++ b/man/man1/tpm2_createpolicy.1
@@ -0,0 +1,186 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_createpolicy" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_createpolicy\f[](1) \- Creates simple assertion authorization
+policies based on multiple pcr indices values across multiple enabled
+banks.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_createpolicy\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_createpolicy\f[](1) \- Creates simple assertion authorization
+policies based on multiple pcr indices values across multiple enabled
+banks.
+It can then be used with object creation and or tools using the object.
+.SH OPTIONS
+.PP
+These options control creating the policy authorization session:
+.IP \[bu] 2
+\f[B]\-f\f[], \f[B]\-\-policy\-file\f[]=\f[I]POLICY_FILE\f[]: File to
+save the policy digest.
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-policy\-pcr\f[]: Identifies the PCR policy type
+for policy creation.
+.IP \[bu] 2
+\f[B]\-g\f[], \f[B]\-\-policy\-digest\-alg\f[]=\f[I]HASH_ALGORITHM\f[]:
+The hash algorithm used in computation of the policy digest.
+Algorithms should follow the "formatting standards, see section
+"Algorithm Specifiers".
+Also, see section "Supported Hash Algorithms" for a list of supported
+hash algorithms.
+.IP \[bu] 2
+\f[B]\-L\f[], \f[B]\-\-set\-list\f[]=\f[I]PCR_LIST\f[]: The list of pcr
+banks and selected PCRs\[aq] ids (0~23) for each bank.
+.IP \[bu] 2
+\f[B]\-F\f[], \f[B]\-\-pcr\-input\-file\f[]=\f[I]PCR_FILE\f[]: Optional
+Path or Name of the file containing expected pcr values for the
+specified index.
+Default is to read the current PCRs per the set list.
+.IP \[bu] 2
+\f[B]\-e\f[], \f[B]\-\-extend\-policy\-session\f[]: Retains the policy
+session at the end of operation.
+.IP \[bu] 2
+\f[B]\-a\f[], \f[B]\-\-auth\-policy\-session\f[]: Start a policy session
+of type \f[B]TPM_SE_POLICY\f[].
+Default without this option is \f[B]TPM_SE_TRIAL\f[].
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Supported Hash Algorithms
+.PP
+Supported hash algorithms are:
+.IP \[bu] 2
+\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
+\f[B](default)\f[]
+.IP \[bu] 2
+\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
+.IP \[bu] 2
+\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
+.IP \[bu] 2
+\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
+.IP \[bu] 2
+\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Algorithm Specfiers
+.PP
+Options that take algorithms support "nice\-names".
+Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
+The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
+from the Algorithm Name field and converting it to lower case.
+For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
+.PP
+The algorithms can be found at:
+<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
+.SH EXAMPLES
+.PP
+Create a authorization policy tied to a specific PCR index:
+.PP
+\f[B]tpm2_createpolicy \-P \-L 0x4:0 \-f policy.file \-F pcr0.bin\f[]
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_createprimary.1 b/man/man1/tpm2_createprimary.1
new file mode 100644
index 000000000000..5a77fc162ef1
--- /dev/null
+++ b/man/man1/tpm2_createprimary.1
@@ -0,0 +1,273 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_createprimary" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_createprimary\f[](1) \- Create a primary key under a primary
+seed or a temporary primary key under the \f[B]TPM_RH_NULL\f[]
+hierarchy.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_createprimary\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_createprimary\f[](1) \- This command is used to create a
+Primary Object under one of the Primary Seeds or a Temporary Object
+under \f[B]TPM_RH_NULL\f[].
+The command uses a \f[B]TPM2B_PUBLIC\f[] as a template for the object to
+be created.
+The command will create and load a Primary Object.
+The sensitive area is not returned.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-H\f[], \f[B]\-\-hierarchy\f[]=\f[I]HIERARCHY\f[]: Specify the
+hierarchy under which the object is created.
+This will also dictate which authorization secret (if any) must be
+supplied.
+Supported options are:
+.RS 2
+.IP \[bu] 2
+\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[]
+.IP \[bu] 2
+\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[]
+.IP \[bu] 2
+\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[]
+.IP \[bu] 2
+\f[B]n\f[] for \f[B]TPM_RH_NULL\f[]
+.RE
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: Optional
+authorization string if authorization is required to create object under
+the specified hierarchy.
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-K\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: Optional
+authorization string for the newly created object.
+Follows the same password formating guidelines as the parent
+authorization string under the \-P option.
+.IP \[bu] 2
+\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]ALGORITHM\f[]: The hash algorithm
+to use.
+Algorithms should follow the " formatting standards, see section
+"Algorithm Specifiers".
+Also, see section "Supported Hash Algorithms" for a list of supported
+hash algorithms.
+.IP \[bu] 2
+\f[B]\-G\f[], \f[B]\-\-kalg\f[]=\f[I]KEY_ALGORITHM\f[]: Algorithm type
+for generated key.
+It supports friendly names like the \-g option.
+See section "Supported Public Object Algorithms" for a list of supported
+object algorithms.
+.IP \[bu] 2
+\f[B]\-C\f[], \f[B]\-\-context\f[]=\f[I]CONTEXT_FILE\f[]: An optional
+file used to store the object context returned.
+.IP \[bu] 2
+\f[B]\-L\f[], \f[B]\-\-policy\-file\f[]=\f[I]POLICY_FILE\f[]: An
+optional file input that contains the policy digest for policy based
+authorization of the object.
+.IP \[bu] 2
+\f[B]\-A\f[], \f[B]\-\-object\-attributes\f[]=\f[I]ATTRIBUTES\f[]: The
+object attributes, optional.
+Object attribytes follow the specifications as outlined in "object
+attribute specifiers".
+The default for created objects is:
+.RS 2
+.PP
+\f[C]TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH\f[]
+.RE
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
+Input session handle from a policy session for authorization.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH Supported Hash Algorithms
+.PP
+Supported hash algorithms are:
+.IP \[bu] 2
+\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
+\f[B](default)\f[]
+.IP \[bu] 2
+\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
+.IP \[bu] 2
+\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
+.IP \[bu] 2
+\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
+.IP \[bu] 2
+\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Supported Public Object Algorithms
+.PP
+Supported public object algorithms are:
+.IP \[bu] 2
+\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
+(\f[B]default\f[]).
+.IP \[bu] 2
+\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
+.IP \[bu] 2
+\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
+.IP \[bu] 2
+\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Algorithm Specfiers
+.PP
+Options that take algorithms support "nice\-names".
+Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
+The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
+from the Algorithm Name field and converting it to lower case.
+For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
+.PP
+The algorithms can be found at:
+<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
+.SH Object Attributes
+.PP
+Object Attributes are used to control various properties of created
+objects.
+When specified as an option, either the raw bitfield mask or
+"nice\-names" may be used.
+The values can be found in Table 31 Part 2 of the TPM2.0 specification,
+which can be found here:
+.PP
+<https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>
+.PP
+Nice names are calculated by taking the name field of table 31 and
+removing the prefix \f[B]TPMA_OBJECT_\f[] and lowercasing the result.
+Thus, \f[B]TPMA_OBJECT_FIXEDTPM\f[] becomes fixedtpm.
+Nice names can be joined using the bitwise or "|" symbol.
+.PP
+For instance, to set The fields \f[B]TPMA_OBJECT_FIXEDTPM\f[],
+\f[B]TPMA_OBJECT_NODA\f[], and \f[B]TPMA_OBJECT_SIGN\f[], the argument
+would be:
+.PP
+\f[B]fixedtpm|noda|sign\f[]
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_createprimary\ \-H\ o\ \-g\ sha256\ \-G\ ecc\ \-C\ context.out
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_dictionarylockout.1 b/man/man1/tpm2_dictionarylockout.1
new file mode 100644
index 000000000000..d8e5be903645
--- /dev/null
+++ b/man/man1/tpm2_dictionarylockout.1
@@ -0,0 +1,155 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_dictionarylockout" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_dictionarylockout\f[](1) \- setup or clear
+dictionary\-attack\-lockout parameters.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_dictionarylockout\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_dictionarylockout\f[](1) \- setup dictionary\-attack\-lockout
+parameters or clear dictionary\-attack\-lockout state, if any passwd
+option is missing, assume NULL.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-s\f[], \f[B]\-\-setup\-parameters\f[]=\f[I]SETUP_PARAMETERS\f[]:
+specifies the tool should operate to setup dictionary\-attack\-lockout
+parameters.
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-clear\-lockout\f[]: specifies the tool should
+operate to clear dictionary\-attack\-lockout state.
+.IP \[bu] 2
+\f[B]\-l\f[], \f[B]\-lockout\-recovery\-time\f[]=\f[I]LOCKOUT_TIME\f[]:
+specifies the wait time in seconds before another TPM_RH_LOCKOUT
+authentication attempt can be made after a failed authentication.
+.IP \[bu] 2
+\f[B]\-t\f[], \f[B]\-\-recovery\-time\f[]=\f[I]RECOVERY_TIME\f[]:
+specifies the wait time in seconds before another DA\-protected\-object
+authentication attempt can be made after max\-tries number of failed
+authentications.
+.IP \[bu] 2
+\f[B]\-n\f[], \f[B]\-\-max\-tries\f[]=\f[I]MAX_TRYS\f[]: specifies the
+maximum number of allowed authentication attempts on
+DA\-protected\-object; after which DA is activated.
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
+Input session handle from a policy session for authorization.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_dictionarylockout\ \-c\ \-p\ passwd
+tpm2_dictionarylockout\ \-s\ \-n\ 5\ \-t\ 6\ \-l\ 7\ \-p\ passwd
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_encryptdecrypt.1 b/man/man1/tpm2_encryptdecrypt.1
new file mode 100644
index 000000000000..39fa1ee57d12
--- /dev/null
+++ b/man/man1/tpm2_encryptdecrypt.1
@@ -0,0 +1,169 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_encryptdecrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_encryptdecrypt\f[](1) \- performs symmetric encryption or
+decryption.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_encryptdecrypt\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+tpm2_encryptdecrypt(1) \- performs symmetric encryption or decryption
+with a specified symmetric key.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]: the
+symmetric key used for the operation (encryption/decryption).
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]:
+filename of the key context used for the operation.
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: filename of the
+key context used for the operation.
+The password for parent key, optional.
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-D\f[], \f[B]\-\-decrypt\f[]: Perform a decrypt operation.
+Default is encryption.
+.IP \[bu] 2
+\f[B]\-I\f[], \f[B]\-\-in\-file\f[]=\f[I]INPUT_FILE\f[]: Input file path
+containing data for decrypt or encrypt operation.
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
+Input session handle from a policy session for authorization.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_encryptdecrypt\ \-k\ 0x81010001\ \-P\ abc123\ \-D\ NO\ \-I\ <filePath>\ \-o\ <filePath>
+tpm2_encryptdecrypt\ \-c\ key.context\ \-P\ abc123\ \-D\ NO\ \-I\ <filePath>\ \-o\ <filePath>
+tpm2_encryptdecrypt\ \-k\ 0x81010001\ \-P\ 123abca\ \-X\ \-D\ NO\ \-I\ <filePath>\ \-o\ <filePath>
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_evictcontrol.1 b/man/man1/tpm2_evictcontrol.1
new file mode 100644
index 000000000000..37102a6fb634
--- /dev/null
+++ b/man/man1/tpm2_evictcontrol.1
@@ -0,0 +1,180 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_evictcontrol" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_evictcontrol\f[](1) \- Make a transient object persistent or
+evict a persistent object.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_evictcontrol\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_evictcontrol\f[](1) \- allows a transient object to be made
+persistent or a persistent object to be evicted.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-A\f[], \f[B]\-\-auth\f[]=\f[I]AUTH\f[]: The authorization used to
+authorize the commands.
+Valid choices are:
+.RS 2
+.IP \[bu] 2
+\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[]
+.IP \[bu] 2
+\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[]
+.RE
+.IP \[bu] 2
+\f[B]\-H\f[], \f[B]\-\-handle\f[]=\f[I]HANDLE\f[]: The handle of a
+loaded transient or a persistent object.
+.RS 2
+.PP
+If the handle is for a transient object, then a handle that will be
+assigned to the persisted object must also be specified with the
+\f[B]\-S\f[] option.
+.PP
+If the handle is for a persistent object, then the \f[B]\-S\f[] does not
+need to be provided since the handle must be the same for both options.
+.RE
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-context\f[]=\f[I]OBJECT_CONTEXT_FILE\f[]:
+Filename for object context.
+.IP \[bu] 2
+\f[B]\-S\f[], \f[B]\-\-persistent\f[]=\f[I]PERSISTENT_HANDLE\f[]: The
+persistent handle for the object handle specified via \f[I]HANDLE\f[].
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-pwda\f[]=\f[I]AUTH_PASSWORD\f[]: authorization
+password, optional.
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_evictcontrol\ \-A\ o\ \-c\ object.context\ \-S\ 0x81010002\ \-P\ abc123
+tpm2_evictcontrol\ \-A\ o\ \-H\ 0x81010002\ \-S\ 0x81010002\ \-P\ abc123
+tpm2_evictcontrol\ \-A\ o\ \-H\ 0x81010002\ \-S\ 0x81010002\ \-P\ 123abc
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_getcap.1 b/man/man1/tpm2_getcap.1
new file mode 100644
index 000000000000..c7547a52ef35
--- /dev/null
+++ b/man/man1/tpm2_getcap.1
@@ -0,0 +1,161 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_getcap" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_getcap\f[](1) \- Display TPM capabilities in a human readable
+form.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_getcap\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_getcap\f[](1) \- Query the TPM for it\[aq]s capabilities /
+properties and dump them to the console.
+This is a thin wrapper around the GetCapability command.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-capability\f[]=\f[I]CAPABILITY_NAME\f[]: The name
+of the capability group to query.
+Currently supported capability groups are:
+.RS 2
+.IP \[bu] 2
+properties\-fixed: Display fixed TPM properties.
+.IP \[bu] 2
+properties\-variable: Display variable TPM properties.
+.IP \[bu] 2
+algorithms: Display data about supported algorithms.
+.IP \[bu] 2
+commands: Display data about supported commands.
+.IP \[bu] 2
+ecc\-curves: Display data about elliptic curves.
+.IP \[bu] 2
+handles\-transient: Display handles about transient objects.
+.IP \[bu] 2
+handles\-persistent: Display handles about persistent objects.
+.IP \[bu] 2
+handles\-permanent: Display handles about permanent objects.
+.IP \[bu] 2
+handles\-pcr: Display handles about PCRs.
+.IP \[bu] 2
+handles\-nv\-index: Display handles about NV Indices.
+.IP \[bu] 2
+handles\-loaded\-session: Display handles about both loaded HMAC and
+policy sessions.
+.IP \[bu] 2
+handles\-saved\-session: Display handles about saved sessions.
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_getcap\ \-\-capability="properties\-fixed"
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_getmanufec.1 b/man/man1/tpm2_getmanufec.1
new file mode 100644
index 000000000000..93b2a485c73e
--- /dev/null
+++ b/man/man1/tpm2_getmanufec.1
@@ -0,0 +1,225 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_getmanufec" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_getmanufec\f[](1) \- Retrieve the Endorsement Credential
+Certificate for the TPM endorsement key from the TPM manufacturer\[aq]s
+endorsement certificate hosting server.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_getmanufec\f[] [\f[I]OPTIONS\f[]] [\f[I]URL\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_getmanufec\f[](1) \- Retrieve the Endorsement Credential
+Certificate for the TPM endorsement key from the TPM manufacturer\[aq]s
+endorsement certificate hosting server.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-e\f[], \f[B]\-\-endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]:
+specifies current endorse password (string, optional,default:NULL).
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[]:
+specifies current owner password (string, optional,default:NULL).
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-ek\-passwd\f[]=\f[I]EK_PASSWORD\f[]: specifies
+the EK password when created (string,optional,default:NULL).
+.RS 2
+.PP
+Passwords should follow the password formatting standards, see section
+"Password Formatting".
+.RE
+.IP \[bu] 2
+\f[B]\-H\f[], \f[B]\-\-handle\f[]=\f[I]HANDLE\f[]: specifies the handle
+used to make EK persistent (hex).
+.IP \[bu] 2
+\f[B]\-g\f[], \f[B]\-\-alg\f[]=\f[I]ALGORITHM\f[]: specifies the
+algorithm type of EK.
+See section "Supported Public Object Algorithms" for a list of supported
+object algorithms.
+See section "Algorithm Specifiers" on how to specify an algorithm
+argument.
+.IP \[bu] 2
+\f[B]\-f\f[], \f[B]\-\-output\f[]=\f[I]FILE\f[]: Specifies the file used
+to save the public portion of EK.
+.IP \[bu] 2
+\f[B]\-N\f[], \f[B]\-\-non\-persistent\f[]: specifies to readout the EK
+public without making it persistent.
+.IP \[bu] 2
+\f[B]\-O\f[], \f[B]\-\-offline\f[]=\f[I]FILE\f[]: Specifies the file
+that contains an EK retrieved from offline platform that needs to be
+provisioned.
+.IP \[bu] 2
+\f[B]\-E\f[], \f[B]\-\-ec\-cert\f[]=\f[I]EC_CERT_FILE\f[]: Specifies the
+file used to save the Endorsement Credentials retrieved from the TPM
+manufacturer provisioning server.
+Defaults to stdout if not specified.
+.IP \[bu] 2
+\f[B]\-U\f[], \f[B]\-\-SSL_NO_VERIFY\f[]: specifies to attempt
+connecting with the TPM manufacturer provisioning server with
+SSL_NO_VERIFY option.
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
+Input session handle from a policy session for authorization.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH Supported Public Object Algorithms
+.PP
+Supported public object algorithms are:
+.IP \[bu] 2
+\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
+(\f[B]default\f[]).
+.IP \[bu] 2
+\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
+.IP \[bu] 2
+\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
+.IP \[bu] 2
+\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Algorithm Specfiers
+.PP
+Options that take algorithms support "nice\-names".
+Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
+The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
+from the Algorithm Name field and converting it to lower case.
+For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
+.PP
+The algorithms can be found at:
+<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
+.SH NOTES
+.PP
+When the verbose option is specified, additional curl debugging
+information is provided by setting the curl mode verbose, see:
+<https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html> for more
+information.
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_getmanufec\ \-e\ abc123\ \-o\ abc123\ \-P\ passwd\ \-H\ 0x81010001\-g\ 0x01\ \-O\ \-N\ \-U\ \-E\ ECcert.bin\ \-f\ ek.bin\ https://tpm.manufacturer.com/ekcertserver/
+tpm2_getmanufec\ \-e\ 1a1b1c\ \-o\ 1a1b1c\ \-P\ 123abc\ \-H\ 0x81010001\-g\ 0x01\ \-O\ \-N\ \-U\ \-E\ ECcert.bin\ \-f\ ek.bin\ https://tpm.manufacturer.com/ekcertserver/
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_getpubak.1 b/man/man1/tpm2_getpubak.1
new file mode 100644
index 000000000000..32f9ca0222e9
--- /dev/null
+++ b/man/man1/tpm2_getpubak.1
@@ -0,0 +1,241 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_getpubak" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_getpubak\f[](1) \- Generate attestation key with given
+algorithm under the endorsement hierarchy.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_getpubak\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_getpubak\f[](1) \- Generate attestation key with given
+algorithm under endorsement hierarchy, make it persistent with given ak
+handle, and return pub AK and AK name.
+If any passwd option is missing, assume NULL.
+.PP
+The tool outputs to stdout a YAML representation of the loaded key
+handle as well as it\[aq]s name, for example:
+.IP
+.nf
+\f[C]
+loaded\-key:
+\ \ handle:\ 800000ff
+\ \ name:\ 000bac149518baa05540a0678bd9b624f8a98d042e46c60f4d098ba394d36fc49268
+\f[]
+.fi
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-e\f[], \f[B]\-\-endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]:
+Specifies current endorsement password, defaults to NULL.
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-ak\-passwd\f[]=\f[I]AK_PASSWORD\f[] Specifies the
+AK password when created, defaults to NULL.
+Same formatting as the endorse password value or \-e option.
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[]
+Specifies the current owner password, defaults to NULL.
+Same formatting as the endorse password value or \-e option.
+.IP \[bu] 2
+\f[B]\-E\f[], \f[B]\-\-ek\-handle\f[]=\f[I]EK_HANDLE\f[]: Specifies the
+handle used to make EK persistent.
+.IP \[bu] 2
+\f[B]\-k\f[], \f[B]\-\-ak\-handle\f[]=\f[I]AK_HANDLE\f[]: Specifies the
+handle used to make AK persistent.
+.IP \[bu] 2
+\f[B]\-g\f[], \f[B]\-\-alg\f[]=\f[I]ALGORITHM\f[]: Specifies the
+algorithm type of AK.
+Algorithms should follow the " formatting standards, see section
+"Algorithm Specifiers".
+See section "Supported Public Object Algorithms" for a list of supported
+object algorithms.
+.IP \[bu] 2
+\f[B]\-g\f[], \f[B]\-\-alg\f[]=\f[I]ALGORITHM\f[]: Like \-g, but
+specifies the algorithm of sign.
+See section "Supported Signing Algorithms" for details.
+.IP \[bu] 2
+\f[B]\-f\f[], \f[B]\-\-file\f[]=\f[I]FILE\f[]: Specifies the file used
+to save the public portion of AK.
+This will be a binary data structure corresponding to the TPM2B_PUBLIC
+struct in the specification.
+.IP \[bu] 2
+\f[B]\-n\f[], \f[B]\-\-ak\-name\f[]=\f[I]NAME\f[]: Specifies the file
+used to save the ak name, optional.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH Supported Signing Algorithms
+.PP
+Supported algorithms are:
+.IP \[bu] 2
+\f[B]0x5\f[] or \f[B]hmac\f[] for \f[B]TPM_ALG_HMAC\f[]
+\f[B](default)\f[]
+.IP \[bu] 2
+\f[B]0x14\f[] or \f[B]rsassa\f[] for \f[B]TPM_ALG_RSASSA\f[]
+.IP \[bu] 2
+\f[B]0x16\f[] or \f[B]rsapss\f[] for \f[B]TPM_ALG_RSAPSS\f[]
+.IP \[bu] 2
+\f[B]0x18\f[] or \f[B]ecdsa\f[] for \f[B]TPM_ALG_ECDSA\f[]
+.IP \[bu] 2
+\f[B]0x1A\f[] or \f[B]ecdaa\f[] for \f[B]TPM_ALG_ECDAA\f[]
+.IP \[bu] 2
+\f[B]0x1B\f[] or \f[B]sm2\f[] for \f[B]TPM_ALG_SM2\f[]
+.IP \[bu] 2
+\f[B]0x1C\f[] or \f[B]ecschnorr\f[] for \f[B]TPM_ALG_ECSCHNORR\f[]
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Supported Public Object Algorithms
+.PP
+Supported public object algorithms are:
+.IP \[bu] 2
+\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
+(\f[B]default\f[]).
+.IP \[bu] 2
+\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
+.IP \[bu] 2
+\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
+.IP \[bu] 2
+\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Algorithm Specfiers
+.PP
+Options that take algorithms support "nice\-names".
+Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
+The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
+from the Algorithm Name field and converting it to lower case.
+For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
+.PP
+The algorithms can be found at:
+<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_getpubak\ \-e\ abc123\ \-P\ abc123\ \-o\ passwd\ \-E\ 0x81010001\ \-k\ 0x81010002\ \-f\ ./ak.pub\ \-n\ ./ak.name
+tpm2_getpubak\ \-e\ 1a1b1c\ \-P\ 123abc\ \-o\ 1a1b1c\ \-X\ \-E\ 0x81010001\ \-k\ 0x81010002\ \-f\ ./ak.pub\ \-n\ ./ak.name
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_getpubek.1 b/man/man1/tpm2_getpubek.1
new file mode 100644
index 000000000000..1115b1095c6c
--- /dev/null
+++ b/man/man1/tpm2_getpubek.1
@@ -0,0 +1,189 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_getpubek" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_getpubek\f[](1) \- Generate TCG profile compliant endorsement
+key.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_getpubek\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_getpubek\f[](1) \- Generate TCG profile compliant endorsement
+key(endorsement hierarchy primary object), make it persistent with give
+ek handle, and return public EK, if any passwd option is missing, assume
+NULL.
+.PP
+Refer to:
+<http://www.trustedcomputinggroup.org/files/static_page_files/7CAA5687-1A4B-B294-D04080D058E86C5F>
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-e\f[], \f[B]\-\-endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]:
+Specifies current endorsement password, defaults to NULL.
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[]
+Specifies the current owner password, defaults to NULL.
+Same formatting as the endorse password value or \-e option.
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-eKPasswd\f[]=\f[I]EK_PASSWORD\f[] Specifies the
+EK password when created, defaults to NULL.
+Same formatting as the endorse password value or \-e option.
+.IP \[bu] 2
+\f[B]\-H\f[], \f[B]\-\-handle\f[]=\f[I]HANDLE\f[]: specifies the handle
+used to make EK persistent (hex).
+.IP \[bu] 2
+\f[B]\-g\f[], \f[B]\-\-alg\f[]=\f[I]ALGORITHM\f[]: specifies the
+algorithm type of EK.
+See section "Supported Public Object Algorithms" for a list of supported
+object algorithms.
+See section "Algorithm Specifiers" on how to specify an algorithm
+argument.
+.IP \[bu] 2
+\f[B]\-f\f[], \f[B]\-\-file\f[]=\f[I]FILE\f[]: specifies the file used
+to save the public portion of EK.
+This will be a binary data structure corresponding to the TPM2B_PUBLIC
+struct in the specification.
+.IP \[bu] 2
+\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION\f[]:
+Optional Input session handle from a policy session for authorization.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Supported Public Object Algorithms
+.PP
+Supported public object algorithms are:
+.IP \[bu] 2
+\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
+(\f[B]default\f[]).
+.IP \[bu] 2
+\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
+.IP \[bu] 2
+\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
+.IP \[bu] 2
+\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Algorithm Specfiers
+.PP
+Options that take algorithms support "nice\-names".
+Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
+The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
+from the Algorithm Name field and converting it to lower case.
+For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
+.PP
+The algorithms can be found at:
+<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_getpubek\ \-e\ abc123\ \-o\ abc123\ \-P\ passwd\ \-H\ 0x81010001\ \-g\ rsa\ \-f\ ek.pub
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_getrandom.1 b/man/man1/tpm2_getrandom.1
new file mode 100644
index 000000000000..1b345f3d43df
--- /dev/null
+++ b/man/man1/tpm2_getrandom.1
@@ -0,0 +1,144 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_getrandom" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_getrandom\f[](1) \- Retrieves random bytes from the TPM.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_getrandom\f[] [\f[I]OPTIONS\f[]] \f[I]SIZE\f[]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_getrandom\f[](1) \- Returns the next \f[I]SIZE\f[] octets from
+the random number generator.
+The \f[I]SIZE\f[] parameter is expected as the only argument to the
+tool.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-output\f[]=\f[I]FILE\f[] specifies the filename
+to output the raw bytes to.
+Defaults to stdout as a hex string.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH EXAMPLES
+.PP
+Generate a random 20 bytes and output the binary data to a file:
+.IP
+.nf
+\f[C]
+tpm2_getrandom\ \-o\ random.out\ 20
+\f[]
+.fi
+.PP
+Generate a random 8 bytes and output the hex formated data to stdout:
+.IP
+.nf
+\f[C]
+tpm2_getrandom\ 8
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_hash.1 b/man/man1/tpm2_hash.1
new file mode 100644
index 000000000000..5c18718ce893
--- /dev/null
+++ b/man/man1/tpm2_hash.1
@@ -0,0 +1,190 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_hash" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_hash\f[](1) \- Performs a hash operation with the TPM.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_hash\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_hash\f[](1) \- performs a hash operation on \f[I]FILE\f[] and
+returns the results.
+If \f[I]FILE\f[] is not specified, then data is read from stdin.
+If the results of the hash will be used in a signing operation that uses
+a restricted signing key, then the ticket returned by this command can
+indicate that the hash is safe to sign.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-H\f[], \f[B]\-\-hierarchy\f[]=\f[I]HIERARCHY\f[]: hierarchy to
+use for the ticket.
+Supported options are:
+.RS 2
+.IP \[bu] 2
+\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[]
+.IP \[bu] 2
+\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[]
+.IP \[bu] 2
+\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[]
+.IP \[bu] 2
+\f[B]n\f[] for \f[B]TPM_RH_NULL\f[]
+.RE
+.IP \[bu] 2
+\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]HASH_ALGORITHM\f[]: The hash
+algorithm to use.
+Algorithms should follow the "formatting standards, see section
+"Algorithm Specifiers".
+Also, see section "Supported Hash Algorithms" for a list of supported
+hash algorithms.
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-outfile\f[]=\f[I]OUT_FILE\f[] Optional file
+record of the hash result.
+Defaults to stdout in hex form.
+.IP \[bu] 2
+\f[B]\-t\f[], \f[B]\-\-ticket\f[]=\f[I]TICKET_FILE\f[] Optional file
+record of the ticket result.
+Defaults to stdout in hex form.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Supported Hash Algorithms
+.PP
+Supported hash algorithms are:
+.IP \[bu] 2
+\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
+\f[B](default)\f[]
+.IP \[bu] 2
+\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
+.IP \[bu] 2
+\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
+.IP \[bu] 2
+\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
+.IP \[bu] 2
+\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Algorithm Specfiers
+.PP
+Options that take algorithms support "nice\-names".
+Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
+The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
+from the Algorithm Name field and converting it to lower case.
+For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
+.PP
+The algorithms can be found at:
+<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
+.SH EXAMPLES
+.PP
+Hash a file with sha1 hash algorithm and save the hash and ticket to a
+file:
+.IP
+.nf
+\f[C]
+tpm2_hash\ \-H\ e\ \-g\ sha1\ \-o\ hash.bin\ \-t\ ticket.bin\ data.txt
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_hmac.1 b/man/man1/tpm2_hmac.1
new file mode 100644
index 000000000000..fbb81f947f0d
--- /dev/null
+++ b/man/man1/tpm2_hmac.1
@@ -0,0 +1,214 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_hmac" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_hmac\f[](1) \- Performs an HMAC operation with the TPM.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_hmac\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_hmac\f[](1) \- performs an HMAC operation on \f[I]FILE\f[] and
+returns the results.
+If \f[I]FILE\f[] is not specified, then data is read from stdin.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_CONTEXT_FILE\f[]: The
+key handle for the symmetric signing key providing the HMAC key.
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: The
+filename of the key context used for the operation.
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: The password for
+key, optional.
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]HASH_ALGORITHM\f[]: The hash
+algorithm to use.
+Algorithms should follow the "formatting standards, see section
+"Algorithm Specifiers".
+Also, see section "Supported Hash Algorithms" for a list of supported
+hash algorithms.
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-outfile\f[]=\f[I]OUT_FILE\f[] Optional file
+record of the HMAC result.
+Defaults to stdout.
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
+Input session handle from a policy session for authorization.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH Supported Hash Algorithms
+.PP
+Supported hash algorithms are:
+.IP \[bu] 2
+\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
+\f[B](default)\f[]
+.IP \[bu] 2
+\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
+.IP \[bu] 2
+\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
+.IP \[bu] 2
+\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
+.IP \[bu] 2
+\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Algorithm Specfiers
+.PP
+Options that take algorithms support "nice\-names".
+Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
+The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
+from the Algorithm Name field and converting it to lower case.
+For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
+.PP
+The algorithms can be found at:
+<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
+.SH EXAMPLES
+.PP
+Perform a SHA1 HMAC on data.in and send output and possibly ticket to
+stdout:
+.IP
+.nf
+\f[C]
+tpm2_hmac\ \-k\ 0x81010002\ \-P\ abc123\ \-g\ sha1\ data.in
+\f[]
+.fi
+.PP
+Perform a SHA1 HMAC on data.in read as a file to stdin and send output
+to a file:
+.IP
+.nf
+\f[C]
+tpm2_hmac\ \-c\ key.context\ \-P\ abc123\ \-g\ sha1\ \-o\ hash.out\ <<\ data.in
+\f[]
+.fi
+.PP
+Perform a SHA256 HMAC on \f[I]stdin\f[] and send result and possibly
+ticket to stdout:
+.PP
+cat data.in | tpm2_hmac \-k 0x81010002 \-g sha256 \-o hash.out ```
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_listpersistent.1 b/man/man1/tpm2_listpersistent.1
new file mode 100644
index 000000000000..ba1e31e8c596
--- /dev/null
+++ b/man/man1/tpm2_listpersistent.1
@@ -0,0 +1,185 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_listpersistent" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_listpersistent\f[](1) \- Display all defined persistent
+objects.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_listpersistent\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_listpersistent\f[](1) \- display all defined persistent
+objects.
+.SH OPTIONS
+.PP
+These options for listing the persistent objects:
+.IP \[bu] 2
+\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]ALGORITHM\f[]: Only display
+persistent objects using this hash algorithm.
+Algorithms should follow the " formatting standards, see section
+"Algorithm Specifiers".
+Also, see section "Supported Hash Algorithms" for a list of supported
+hash algorithms.
+.IP \[bu] 2
+\f[B]\-G\f[], \f[B]\-\-kalg\f[]=\f[I]KEY_ALGORITHM\f[]: Only display
+persistent objects using this key algorithm.
+It accepts friendly names just like \f[B]\-g\f[] option.
+See section "Supported Public Object Algorithms" for a list of supported
+object algorithms.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Supported Hash Algorithms
+.PP
+Supported hash algorithms are:
+.IP \[bu] 2
+\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
+\f[B](default)\f[]
+.IP \[bu] 2
+\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
+.IP \[bu] 2
+\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
+.IP \[bu] 2
+\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
+.IP \[bu] 2
+\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Supported Public Object Algorithms
+.PP
+Supported public object algorithms are:
+.IP \[bu] 2
+\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
+(\f[B]default\f[]).
+.IP \[bu] 2
+\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
+.IP \[bu] 2
+\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
+.IP \[bu] 2
+\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Algorithm Specfiers
+.PP
+Options that take algorithms support "nice\-names".
+Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
+The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
+from the Algorithm Name field and converting it to lower case.
+For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
+.PP
+The algorithms can be found at:
+<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_listpersistent
+tpm2_listpersistent\ \-g\ sha256\ \-G\ ecc
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_load.1 b/man/man1/tpm2_load.1
new file mode 100644
index 000000000000..20358a3a9dac
--- /dev/null
+++ b/man/man1/tpm2_load.1
@@ -0,0 +1,174 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_load" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_load\f[](1) \- Load an object into the TPM.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_load\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_load\f[](1) \- Load both the private and public portions of an
+object into the TPM.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-H\f[], \f[B]\-\-parent\f[]=\f[I]PARENT_HANDLE\f[]: The handle of
+the parent object.
+Either this option or \f[B]\-c\f[] must be used.
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-context\-parent\f[]=\f[I]PARENT_CONTEXT_FILE\f[]:
+The filename for parent context.
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: The
+password for parent key, optional.
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-u\f[], \f[B]\-\-pubfile\f[]=\f[I]PUBLIC_OBJECT_DATA_FILE\f[]: A
+file containing the public portion of the object.
+.IP \[bu] 2
+\f[B]\-r\f[], \f[B]\-\-privfile\f[]=\f[I]PRIVATE_OBJECT_DATA_FILE\f[]: A
+file containing the sensitive portion of the object.
+.IP \[bu] 2
+\f[B]\-n\f[], \f[B]\-\-name\f[]=\f[I]NAME_DATA_FILE\f[]: An optional
+file to save the name structure of the object.
+.IP \[bu] 2
+\f[B]\-C\f[], \f[B]\-\-context\f[]=\f[I]CONTEXT_FILE\f[]: An optional
+file to save the object context to.
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
+Input session handle from a policy session for authorization.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_load\ \ \-H\ 0x80000000\ \-P\ abc123\ \-u\ <pubKeyFileName>\ \-r\ <privKeyFileName>\ \-n\ <outPutFileName>
+tpm2_load\ \ \-c\ parent.context\ \-P\ abc123\ \-u\ <pubKeyFileName>\ \-r\ <privKeyFileName>\ \-n\ <outPutFileName>\ \-C\ object.context
+tpm2_load\ \ \-H\ 0x80000000\ \-P\ "hex:123abc"\ \-u\ <pubKeyFileName>\ \-r\ <privKeyFileName>\ \-n\ <outPutFileName>
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_loadexternal.1 b/man/man1/tpm2_loadexternal.1
new file mode 100644
index 000000000000..b4be6d9a2892
--- /dev/null
+++ b/man/man1/tpm2_loadexternal.1
@@ -0,0 +1,166 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_loadexternal" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_loadexternal\f[](1) \- load an object that is not a Protected
+Object into the TPM.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_loadexternal\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_loadexternal\f[](1) \- load an object that is not a Protected
+Object into the TPM.
+The command allows loading of a public area or both a public and a
+sensitive area.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-H\f[], \f[B]\-\-hierarchy\f[]=\f[I]HIERARCHY\f[]: hierarchy to
+use for the ticket.
+Supported options are:
+.RS 2
+.IP \[bu] 2
+\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[]
+.IP \[bu] 2
+\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[]
+.IP \[bu] 2
+\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[]
+.IP \[bu] 2
+\f[B]n\f[] for \f[B]TPM_RH_NULL\f[]
+.RE
+.IP \[bu] 2
+\f[B]\-u\f[], \f[B]\-\-pubfile\f[]=\f[I]PUBLIC_FILE\f[]: The public
+portion of the object.
+.IP \[bu] 2
+\f[B]\-r\f[], \f[B]\-\-privfile\f[]=\f[I]PRIVATE_FILE\f[]: The sensitive
+portion of the object, optional.
+.IP \[bu] 2
+\f[B]\-C\f[], \f[B]\-\-context\f[]=\f[I]CONTEXT_FILE\f[] The file to
+save the object context, optional.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH EXAMPLES
+.PP
+Load a public area generated by tpm2_create, tpm2_readpublic or manually
+.IP
+.nf
+\f[C]
+tpm2_loadexternal\ \-H\ <e|o|p|n>\ \-u\ <pubKeyFileName>\ \-C\ object.context
+\f[]
+.fi
+.PP
+Load a key with sensitive area.
+Both the public & the senstive areas shall be generated externally.
+\f[I]DON\[aq]T\f[] use the areas generated by tpm2_create.
+.IP
+.nf
+\f[C]
+tpm2_loadexternal\ \-H\ n\ \-u\ <pubKeyFileName>\ \-r\ <privKeyFileName>\ \-C\ object.context
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_makecredential.1 b/man/man1/tpm2_makecredential.1
new file mode 100644
index 000000000000..90cae8c0ecb1
--- /dev/null
+++ b/man/man1/tpm2_makecredential.1
@@ -0,0 +1,142 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_makecredential" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_makecredential\f[](1) \- load an object that is not a
+Protected Object into the TPM.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_makecredential\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_makecredential\f[](1) \- Use a TPM public key to protect a
+secret that is used to encrypt the AK certififcate.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-e\f[], \f[B]\-\-enckey\f[]=\f[I]PUBLIC_FILE\f[]: A tpm Public Key
+which was used to wrap the seed.
+.IP \[bu] 2
+\f[B]\-s\f[], \f[B]\-\-sec\f[]=\f[I]SECRET_DATA_FILE\f[]: The secret
+which will be protected by the key derived from the random seed.
+.IP \[bu] 2
+\f[B]\-n\f[], \f[B]\-\-name\f[]=\f[I]NAME\f[] The name of the key for
+which certificate is to be created.
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUT_FILE\f[] The output file
+path, recording the two structures output by tpm2_makecredential
+function.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_makecredential\ \-e\ <keyFile>\ \-s\ <secFile>\ \-n\ <hexString>\ \-o\ <outFile>
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_nvdefine.1 b/man/man1/tpm2_nvdefine.1
new file mode 100644
index 000000000000..95c8c84be731
--- /dev/null
+++ b/man/man1/tpm2_nvdefine.1
@@ -0,0 +1,203 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_nvdefine" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_nvdefine\f[](1) \- define a TPM Non\-Volatile (NV) index.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_nvdefine\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_nvdefine\f[](1) \- Define NV index with given auth value.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index
+to define the space at.
+.IP \[bu] 2
+\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]:
+specifies the handle used to authorize:
+.RS 2
+.IP \[bu] 2
+\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[]
+.IP \[bu] 2
+\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[]
+.RE
+.IP \[bu] 2
+\f[B]\-s\f[], \f[B]\-\-size\f[]=\f[I]SIZE\f[]: specifies the size of
+data area in bytes.
+Defaults to MAX_NV_INDEX_SIZE which is typically 2048.
+.IP \[bu] 2
+\f[B]\-t\f[], \f[B]\-\-attributes\f[]=\f[I]ATTRIBUTES\f[] Specifies the
+attribute values for the nv region used when creating the entitiy.
+Either the raw bitfield mask or "nice\-names" may be used.
+See section "NV Attributes" for more details.
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]:
+specifies the password of authHandle.
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-I\f[], \f[B]\-\-index\-passwd\f[]=\f[I]INDEX_PASSWORD\f[]:
+specifies the password of NV Index when created.
+Follows the same formatting guidelines as the handle password or \-P
+option.
+.IP \[bu] 2
+\f[B]\-L\f[], \f[B]\-\-policy\-file\f[]=\f[I]POLICY_FILE\f[]: Specifies
+the policy digest file for policy based authorizations.
+.IP \[bu] 2
+\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]:
+Optional Input session handle from a policy session for authorization.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH NV Attributes
+.PP
+NV Attributes are used to control various properties of the NV defined
+space.
+When specified as an option, either the raw bitfield mask or
+"nice\-names" may be used.
+The values can be found in Table 204 Part 2 of the TPM2.0 specification,
+which can be found here:
+.PP
+<https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>
+.PP
+Nice names are calculated by taking the name field of table 204 and
+removing the prefix \f[B]TPMA_NV_\f[] and lowercasing the result.
+Thus, \f[B]TPMA_NV_PPWRITE\f[] becomes ppwrite.
+Nice names can be joined using the bitwise or "|" symbol.
+.PP
+Note that the \f[B]TPM_NT\f[] field is 4 bits wide, and thus can be set
+via \f[B]nt=\f[] format.
+For instance, to set The fields \f[B]TPMA_NV_OWNERREAD\f[],
+\f[B]TPMA_NV_OWNERWRITE\f[], \f[B]TPMA_NV_POLICYWRITE\f[], and
+\f[B]TPMA_NT = 0x3\f[], the argument would be:
+.PP
+\f[B]ownerread|ownerwrite|policywrite|nt=0x3\f[] # Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_nvdefine\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32\ \-t\ 0x2000A
+tpm2_nvdefine\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32\ \-t\ ownerread|ownerwrite|policywrite\ \-I\ 1a1b1c
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_nvlist.1 b/man/man1/tpm2_nvlist.1
new file mode 100644
index 000000000000..ac8c5dec8743
--- /dev/null
+++ b/man/man1/tpm2_nvlist.1
@@ -0,0 +1,192 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_nvlist" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_nvlist\f[](1) \- display all defined Non\-Volatile (NV)s
+indices.
+.SS SYNOPSIS
+.PP
+\f[B]tpm2_nvlist\f[] [\f[I]OPTIONS\f[]]
+.SS DESCRIPTION
+.PP
+\f[B]tpm2_nvlist\f[](1) \- display all defined Non\-Volatile (NV)s
+indices to stdout in a YAML format.
+.PP
+Display metadata for all defined NV indices.
+Metadata includes:
+.IP \[bu] 2
+The size of the defined region.
+.IP \[bu] 2
+The hash algorithm used to compute the name of the index.
+.IP \[bu] 2
+The auth policy.
+.IP \[bu] 2
+The NV attributes as defined in section "NV Attributes".
+.PP
+Example Output:
+.IP
+.nf
+\f[C]
+0x1500015:
+\ \ hash\ algorithm:
+\ \ \ \ friendly:\ sha256
+\ \ \ \ value:\ 0xB
+\ \ attributes:
+\ \ \ \ friendly:\ ownerwrite|ownerread
+\ \ \ \ value:\ 0x2000200
+\ \ size:\ 32
+\ \ authorization\ policy:
+
+0x1500017:
+\ \ hash\ algorithm:
+\ \ \ \ friendly:\ sha256
+\ \ \ \ value:\ 0xB
+\ \ attributes:
+\ \ \ \ friendly:\ ownerwrite|ownerread
+\ \ \ \ value:\ 0x2000200
+\ \ size:\ 32
+\ \ authorization\ policy:
+\f[]
+.fi
+.SH OPTIONS
+.PP
+This tool takes no tool specific options.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH NV Attributes
+.PP
+NV Attributes are used to control various properties of the NV defined
+space.
+When specified as an option, either the raw bitfield mask or
+"nice\-names" may be used.
+The values can be found in Table 204 Part 2 of the TPM2.0 specification,
+which can be found here:
+.PP
+<https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>
+.PP
+Nice names are calculated by taking the name field of table 204 and
+removing the prefix \f[B]TPMA_NV_\f[] and lowercasing the result.
+Thus, \f[B]TPMA_NV_PPWRITE\f[] becomes ppwrite.
+Nice names can be joined using the bitwise or "|" symbol.
+.PP
+Note that the \f[B]TPM_NT\f[] field is 4 bits wide, and thus can be set
+via \f[B]nt=\f[] format.
+For instance, to set The fields \f[B]TPMA_NV_OWNERREAD\f[],
+\f[B]TPMA_NV_OWNERWRITE\f[], \f[B]TPMA_NV_POLICYWRITE\f[], and
+\f[B]TPMA_NT = 0x3\f[], the argument would be:
+.PP
+\f[B]ownerread|ownerwrite|policywrite|nt=0x3\f[] # EXAMPLES
+.PP
+To list the defined NV indeces to stdout:
+.IP
+.nf
+\f[C]
+tpm2_nvlist
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_nvread.1 b/man/man1/tpm2_nvread.1
new file mode 100644
index 000000000000..59025e755dd0
--- /dev/null
+++ b/man/man1/tpm2_nvread.1
@@ -0,0 +1,193 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_nvread" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_nvread\f[](1) \- Read the data stored in a Non\-Volatile (NV)s
+index.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_nvread\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_nvread\f[](1) \- Read the data stored in a Non\-Volatile (NV)s
+index.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index
+to define the space at.
+.IP \[bu] 2
+\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]:
+specifies the handle used to authorize:
+.RS 2
+.IP \[bu] 2
+\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[]
+.IP \[bu] 2
+\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[]
+.RE
+.IP \[bu] 2
+\f[B]\-f\f[], \f[B]\-\-output\f[]=\f[I]FILE\f[]: file to write data
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]:
+specifies the password of authHandle.
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-s\f[], \f[B]\-\-size\f[]=\f[I]SIZE\f[]: Specifies the size of
+data to be read in bytes, starting from 0 if offset is not specified.
+If not specified, the size of the data as reported by the public portion
+of the index will be used.
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-offset\f[]=\f[I]OFFSET\f[]: The offset within the
+NV index to start reading from.
+.IP \[bu] 2
+\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]:
+Optional Input session handle from a policy session for authorization.
+.IP \[bu] 2
+\f[B]\-L\f[], \f[B]\-\-set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]:
+.RS 2
+.PP
+The list of pcr banks and selected PCRs\[aq] ids.
+\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers
+standards, see section "PCR Bank Specfiers".
+.RE
+.IP \[bu] 2
+\f[B]\-F\f[],**\-\-pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[]
+.RS 2
+.PP
+Optional Path or Name of the file containing expected pcr values for the
+specified index.
+Default is to read the current PCRs per the set list.
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH EXAMPLES
+.PP
+To read 32 bytes from an index starting at offset 0:
+.IP
+.nf
+\f[C]
+tpm2_nvread\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_nvreadlock.1 b/man/man1/tpm2_nvreadlock.1
new file mode 100644
index 000000000000..3dcb5c9e51fc
--- /dev/null
+++ b/man/man1/tpm2_nvreadlock.1
@@ -0,0 +1,168 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_nvreadlock" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_nvreadlock\f[](1) \- lock the Non\-Volatile (NV) index for
+further reads.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_nvreadlock\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_nvreadlock\f[](1) \- lock the Non\-Volatile (NV) index for
+further reads.
+The index is released on subsequent restart of the machine.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index
+to define the space at.
+.IP \[bu] 2
+\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]:
+specifies the handle used to authorize:
+.RS 2
+.IP \[bu] 2
+\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[]
+.IP \[bu] 2
+\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[]
+.RE
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]:
+specifies the password of authHandle.
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]:
+Optional Input session handle from a policy session for authorization.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH EXAMPLES
+.PP
+To lock an index protected by a password:
+.IP
+.nf
+\f[C]
+tpm2_nvreadlock\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-P\ passwd
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_nvrelease.1 b/man/man1/tpm2_nvrelease.1
new file mode 100644
index 000000000000..be984d747144
--- /dev/null
+++ b/man/man1/tpm2_nvrelease.1
@@ -0,0 +1,167 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_nvrelease" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_nvrelease\f[](1) \- Release a Non\-Volatile (NV) index.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_nvrelease\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_nvrelease\f[](1) \- Release a Non\-Volatile (NV) index that
+was previously defined with tpm2_nvdefine(1).
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index
+to release.
+.IP \[bu] 2
+\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]:
+specifies the handle used to authorize:
+.RS 2
+.IP \[bu] 2
+\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[]
+.IP \[bu] 2
+\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[]
+.RE
+.IP \[bu] 2
+\f[B]\-s\f[], \f[B]\-\-size\f[]=\f[I]SIZE\f[]: specifies the size of
+data area in bytes.
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]:
+specifies the password of authHandle.
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]:
+Optional Input session handle from a policy session for authorization.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_nvrelease\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-P\ passwd
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_nvwrite.1 b/man/man1/tpm2_nvwrite.1
new file mode 100644
index 000000000000..8f69e026d49f
--- /dev/null
+++ b/man/man1/tpm2_nvwrite.1
@@ -0,0 +1,186 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_nvwrite" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_nvwrite\f[](1) \- Write data to a Non\-Volatile (NV) index.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_nvwrite\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_nvwrite\f[](1) \- Write data specified via \f[I]FILE\f[] to a
+Non\-Volatile (NV) index.
+If \f[I]FILE\f[] is not specified, it defaults to stdout.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index
+to define the space at.
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-offset\f[]=\f[I]OFFSET\f[]: The offset within the
+NV index to start writing at.
+.IP \[bu] 2
+\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]:
+specifies the handle used to authorize:
+.RS 2
+.IP \[bu] 2
+\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[]
+.IP \[bu] 2
+\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[]
+.RE
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]:
+specifies the password of authHandle.
+Passwords should follow the "password formatting standards, see section
+"Password Formatting".
+.IP \[bu] 2
+\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]:
+Optional Input session handle from a policy session for authorization.
+.IP \[bu] 2
+\f[B]\-L\f[], \f[B]\-\-set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]:
+.RS 2
+.PP
+The list of pcr banks and selected PCRs\[aq] ids.
+\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers
+standards, see section "PCR Bank Specfiers".
+.RE
+.IP \[bu] 2
+\f[B]\-F\f[],**\-\-pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[]
+.RS 2
+.PP
+Optional Path or Name of the file containing expected pcr values for the
+specified index.
+Default is to read the current PCRs per the set list.
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH EXAMPLES
+.PP
+To write the file nv.data to index 0x150016:
+.IP
+.nf
+\f[C]
+tpm2_nvwrite\ \-x\ 0x1500016\ \-a\ 0x40000001\ nv.data
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_pcrevent.1 b/man/man1/tpm2_pcrevent.1
new file mode 100644
index 000000000000..1359d00dbc6d
--- /dev/null
+++ b/man/man1/tpm2_pcrevent.1
@@ -0,0 +1,162 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_pcrevent" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_pcrevent\f[](1) \- hashes a file and optionally extends a pcr.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_pcrevent\f[] [\f[I]OPTIONS\f[]] [\f[I]FILE\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_pcrevent\f[](1) hashes \f[I]FILE\f[] if specified or stdin.
+It uses all of the hashing algorithms that the tpm supports.
+Optionally, if a pcr index is specified, it extends that pcr for all
+supported algorithms with the hash digest.
+In either case, it outputs to stdout the hash algorithm used and the
+digest value, one per line:
+.PP
+\f[I]alg\f[]:\f[I]digest\f[]
+.PP
+Where \f[I]alg\f[] is the algorithm used (eg.
+sha1) and \f[I]digest\f[] is the digest resulting from the hash
+computation of \f[I]alg\f[] on the data.
+.PP
+See sections 23.1 and sections 17 of the TPM2.0
+Specification (https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf)
+.SH OPTIONS
+.PP
+These options control extending the pcr:
+.IP \[bu] 2
+\f[B]\-i\f[], \f[B]\-\-pcr\-index\f[]=\f[I]INDEX\f[]: Not only compute
+the hash digests on \f[I]FILE\f[], also extend the pcr given by
+\f[I]INDEX\f[] for all supported hash algorithms.
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Use
+\f[I]SESSION_HANDLE\f[] for providing an authorization session for the
+pcr specified by \f[I]INDEX\f[].
+It is an error to specify \f[B]\-S\f[] without specifying a pcr index
+with \f[B]\-i\f[].
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-password\f[]=\f[I]PASSWORD\f[]: Use
+\f[I]PASSWORD\f[] for providing an authorization value for the pcr
+specified in \f[I]INDEX\f[].
+It is an error to specify \f[B]\-P\f[] without specifying a pcr index
+with \f[B]\-i\f[].
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH EXAMPLES
+.PP
+Hash a file:
+.PP
+tpm2_pcrevent data
+.PP
+Hash a file and extend pcr 8:
+.PP
+tpm2_pcrevent \-i 8 data
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_pcrextend.1 b/man/man1/tpm2_pcrextend.1
new file mode 100644
index 000000000000..5a4a232907f6
--- /dev/null
+++ b/man/man1/tpm2_pcrextend.1
@@ -0,0 +1,178 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_pcrextend" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_pcrextend\f[](1) \- Extends a PCR.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_pcrextend\f[] [\f[I]OPTIONS\f[]] [\f[I]PCR_DIGEST_SPEC\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_pcrextend\f[](1) Extends the pcrs with values indicated by
+\f[I]PCR_DIGEST_SPEC\f[].
+.PP
+A \f[I]PCR_DIGEST_SPEC\f[] is defined as follows:
+.IP \[bu] 2
+A numerical pcr identifier.
+.IP \[bu] 2
+A colon followed by the algorithm hash specification.
+The algorithm hash specification is as follows:
+.RS 2
+.IP \[bu] 2
+The algorithm friendly name or raw numerical.
+.IP \[bu] 2
+An equals sign.
+.IP \[bu] 2
+The hex hash value.
+.RE
+.PP
+Example Digest Specification:
+.IP
+.nf
+\f[C]
+4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
+\f[]
+.fi
+.PP
+\f[B]Note\f[]: that multiple specifications of PCR and hash are allowed.
+Multiple hashes cause the pcr to be extended with both hashes.
+Multiple same PCR values cause the PCR to be extended multiple times.
+Extension is done in order from left to right as specified.
+At most 5 hash extensions per PCR entry are supported.
+This is to keep the parser simple.
+.SH OPTIONS
+.PP
+This tool accepts no tool specific options.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH EXAMPLES
+.PP
+Extend PCR 4\[aq]s SHA1 bank with a hash:
+.IP
+.nf
+\f[C]
+tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
+\f[]
+.fi
+.PP
+Extend PCR 4\[aq]s SHA1 and SHA256 banks with hashes:
+.IP
+.nf
+\f[C]
+tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15,sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
+\f[]
+.fi
+.PP
+Extend PCR 4\[aq]s SHA1 and PCR 7\[aq]s SHA256 bank with hashes:
+.IP
+.nf
+\f[C]
+tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15\ 7:sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_pcrlist.1 b/man/man1/tpm2_pcrlist.1
new file mode 100644
index 000000000000..fb9a329da20b
--- /dev/null
+++ b/man/man1/tpm2_pcrlist.1
@@ -0,0 +1,246 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_pcrlist" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_pcrlist\f[](1) \- List PCR values.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_pcrlist\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_pcrlist\f[](1) Displays PCR values.
+Without any options, \f[B]tpm2_pcrlist\f[] outputs all pcrs and their
+hash banks.
+One can use either the \f[B]\-g\f[] or \f[B]\-L\f[] mutually exclusive
+options to filter the output.
+.PP
+Output is writtien in a YAML format to stdout, with each algorithm
+followed by a PCR index and its value.
+As a simple example assume just sha1 and sha256 support and only 1 PCR.
+The output would be:
+.IP
+.nf
+\f[C]
+sha1\ :
+\ \ 0\ \ :\ 0000000000000000000000000000000000000003
+sha256\ :
+\ \ 0\ \ :\ 0000000000000000000000000000000000000000000000000000000000000003
+\f[]
+.fi
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-g\f[], \f[B]\-\-algorithm\f[]=\f[I]HASH_ALGORITHM\f[]: Only
+output PCR banks with the given algorithm.
+Algorithms should follow the "formatting standards, see section
+"Algorithm Specifiers".
+Also, see section "Supported Hash Algorithms" for a list of supported
+hash algorithms.
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-output\f[]=\f[I]FILE\f[]: The output file to
+write the PCR values in binary format, optional.
+.IP \[bu] 2
+\f[B]\-L\f[], \f[B]\-\-sel\-list\f[]=\f[I]PCR_SELECTION_LIST\f[]:
+.RS 2
+.PP
+The list of pcr banks and selected PCRs\[aq] ids for each bank to
+display.
+\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers
+standards, see section "PCR Bank Specfiers".
+.RE
+.IP \[bu] 2
+\f[B]\-s\f[], \f[B]\-\-algs\f[]: Output the list of supported
+algorithms.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH PCR Bank Specfiers
+.PP
+PCR Bank Selection lists follow the below specification:
+.IP
+.nf
+\f[C]
+<BANK>:<PCR>[,<PCR>]
+\f[]
+.fi
+.PP
+multiple banks may be separated by \[aq]+\[aq].
+.PP
+For example:
+.IP
+.nf
+\f[C]
+sha:3,4+sha256:5,6
+\f[]
+.fi
+.PP
+will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the
+SHA256 bank.
+.SS Note
+.PP
+PCR Selections allow for up to 5 hash to pcr selection mappings.
+This is a limitaion in design in the single call to the tpm to get the
+pcr values.
+.SH Supported Hash Algorithms
+.PP
+Supported hash algorithms are:
+.IP \[bu] 2
+\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
+\f[B](default)\f[]
+.IP \[bu] 2
+\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
+.IP \[bu] 2
+\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
+.IP \[bu] 2
+\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
+.IP \[bu] 2
+\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Algorithm Specfiers
+.PP
+Options that take algorithms support "nice\-names".
+Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
+The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
+from the Algorithm Name field and converting it to lower case.
+For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
+.PP
+The algorithms can be found at:
+<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
+.SH EXAMPLES
+.PP
+display all PCR values:
+.IP
+.nf
+\f[C]
+tpm2_pcrlist
+\f[]
+.fi
+.PP
+Display the PCR values with a specified bank:
+.IP
+.nf
+\f[C]
+tpm2_pcrlist\ \-g\ sha1
+\f[]
+.fi
+.PP
+Display the PCR values with specified banks and store in a file:
+.IP
+.nf
+\f[C]
+tpm2_pcrlist\ \-L\ sha1:16,17,18+sha256:16,17,18\ \-o\ pcrs
+\f[]
+.fi
+.PP
+Display the supported PCR bank algorithms and exit:
+.IP
+.nf
+\f[C]
+tpm2_pcrlist\ \-s
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_quote.1 b/man/man1/tpm2_quote.1
new file mode 100644
index 000000000000..3d49cb84dbce
--- /dev/null
+++ b/man/man1/tpm2_quote.1
@@ -0,0 +1,255 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_quote" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_quote\f[](1) \- Provide a quote and signature from the TPM.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_quote\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_quote\f[](1) Provide quote and signature for given list of
+PCRs in given algorithm/banks.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-k\f[], \f[B]\-\-ak\-handle\f[]=\f[I]AK_HANDLE\f[]:
+.RS 2
+.PP
+Handle of existing AK.
+.RE
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-ak\-context\f[]=\f[I]AK_CONTEXT_FILE\f[]:
+.RS 2
+.PP
+Filename for the existing AK\[aq]s context.
+.RE
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-ak\-password\f[]=\f[I]AK_PASSWORD\f[]:
+.RS 2
+.PP
+specifies the password of \f[I]AK_HANDLE\f[].
+Passwords should follow the password formatting standards, see section
+"Password Formatting".
+.RE
+.IP \[bu] 2
+\f[B]\-l\f[], \f[B]\-\-id\-list\f[]=\f[I]PCR_ID_LIST\f[]
+.RS 2
+.PP
+The comma separated list of selected PCRs\[aq] ids, 0~23 e.g.
+"4,5,6".
+.RE
+.IP \[bu] 2
+\f[B]\-L\f[], \f[B]\-\-sel\-list\f[]=\f[I]PCR_SELECTION_LIST\f[]:
+.RS 2
+.PP
+The list of pcr banks and selected PCRs\[aq] ids for each bank.
+\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers
+standards, see section "PCR Bank Specfiers".
+.RE
+.IP \[bu] 2
+\f[B]\-m\f[], \f[B]\-\-message\f[]:
+.RS 2
+.PP
+message output file, records the quote message that makes up the data
+that is signed by the TPM.
+.RE
+.IP \[bu] 2
+\f[B]\-s\f[], \f[B]\-\-signature\f[]:
+.RS 2
+.PP
+signature output file, records the signature in the format specified via
+the \f[B]\-f\f[] option.
+.RE
+.IP \[bu] 2
+\f[B]\-f\f[], \f[B]\-\-format\f[]
+.RS 2
+.PP
+Format selection for the signature output file.
+See section "Signature Format Specifiers".
+.RE
+.IP \[bu] 2
+\f[B]\-q\f[], \f[B]\-\-qualify\-data\f[]:
+.RS 2
+.PP
+Data given as a Hex string to qualify the quote, optional.
+This is typically used to add a nonce against replay attacks.
+.RE
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
+Input session handle from a policy session for authorization.
+.IP \[bu] 2
+\f[B]\-G\f[], \f[B]\-\-sig\-hash\-algorithm\f[]:
+.RS 2
+.PP
+Hash algorithm for signature.
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH PCR Bank Specfiers
+.PP
+PCR Bank Selection lists follow the below specification:
+.IP
+.nf
+\f[C]
+<BANK>:<PCR>[,<PCR>]
+\f[]
+.fi
+.PP
+multiple banks may be separated by \[aq]+\[aq].
+.PP
+For example:
+.IP
+.nf
+\f[C]
+sha:3,4+sha256:5,6
+\f[]
+.fi
+.PP
+will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the
+SHA256 bank.
+.SS Note
+.PP
+PCR Selections allow for up to 5 hash to pcr selection mappings.
+This is a limitaion in design in the single call to the tpm to get the
+pcr values.
+.SH Signature Format Specifiers
+.PP
+Format selection for the signature output file.
+\f[B]tss\f[] (the default) will output a binary blob according to the
+TPM 2.0 specification and any potential compiler padding.
+The option \f[B]plain\f[] will output the plain signature data as
+defined by the used cryptographic algorithm.
+# EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_quote\ \-k\ 0x81010002\ \-P\ abc123\ \-g\ sha1\ \-l\ 16,17,18
+tpm2_quote\ \-c\ ak.context\ \-P\ "str:abc123"\ \-g\ sha1\ \-l\ 16,17,18
+tpm2_quote\ \-k\ 0x81010002\ \-g\ sha1\ \-l\ 16,17,18
+tpm2_quote\ \-c\ ak.context\ \-g\ sha1\ \-l\ 16,17,18
+tpm2_quote\ \-k\ 0x81010002\ \-P\ "hex:123abc"\ \-L\ sha1:16,17,18+sha256:16,17,18\ \-q\ 11aa22bb
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_rc_decode.1 b/man/man1/tpm2_rc_decode.1
new file mode 100644
index 000000000000..492eea90607c
--- /dev/null
+++ b/man/man1/tpm2_rc_decode.1
@@ -0,0 +1,132 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_rc_decode" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_rc_decode\f[](1) \- Decode TPM2 error codes to human readable
+format.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_rc_decode\f[] [\f[I]OPTIONS\f[]] \f[I]RC_CODE\f[]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_rc_decode\f[](1) converts \f[I]RC_CODE\f[] originating from
+the SAPI and TCTI into human readable errors.
+Analogous to strerror(3), but for the tpm2 stack.
+.SH OPTIONS
+.PP
+This tool takes no tool specific options.
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_rc_decode\ 0x100
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_readpublic.1 b/man/man1/tpm2_readpublic.1
new file mode 100644
index 000000000000..ccc8c4010af1
--- /dev/null
+++ b/man/man1/tpm2_readpublic.1
@@ -0,0 +1,155 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_readpublic" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_readpublic\f[](1) \- Read the public area of a loaded object.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_readpublic\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_readpublic\f[](1) Reads the public area of a loaded object.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-H\f[], \f[B]\-\-object\f[]=\f[I]HANDLE\f[]:
+.RS 2
+.PP
+The loaded object handle to read the public data of.
+.RE
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-ak\-context\f[]=\f[I]OBJECT_CONTEXT_FILE\f[]:
+.RS 2
+.PP
+Filename for object context.
+.RE
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-opu\f[]:
+.RS 2
+.PP
+The output file path, recording the public portion of the object.
+.RE
+.IP \[bu] 2
+\f[B]\-f\f[], \f[B]\-\-format\f[]:
+.RS 2
+.PP
+Format selection for the public key output file.
+\[aq]tss\[aq] (the default) will output a binary blob according to the
+TPM 2.0 secification.
+\[aq]pem\[aq] will output an OpenSSL compatible PEM encoded public key.
+\[aq]der\[aq] will output an OpenSSL compatible DER encoded public key.
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_readpublic\ \-H\ 0x81010002\ \-\-opu\ output.dat
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_rsadecrypt.1 b/man/man1/tpm2_rsadecrypt.1
new file mode 100644
index 000000000000..dede7d971717
--- /dev/null
+++ b/man/man1/tpm2_rsadecrypt.1
@@ -0,0 +1,191 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_rsadecrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_rsadecrypt\f[](1) \- Performs an RSA Decryption operation
+using the TPM.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_tpm2_rsadecrypt\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_rsadecrypt\f[](1) performs RSA decryption using the indicated
+padding scheme according to IETF RFC 3447 (PKCS#1).
+The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[].
+.PP
+The key referenced by keyHandle is \f[B]required\f[] to be:
+.IP "1." 3
+an RSA key
+.IP "2." 3
+Have the attribute \f[I]decrypt\f[] \f[B]SET\f[] in it\[aq]s attributes.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]:
+.RS 2
+.PP
+the public portion of RSA key to use for decryption.
+.RE
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]:
+.RS 2
+.PP
+filename of the key context used for the operation.
+.RE
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]:
+.RS 2
+.PP
+specifies the password of \f[I]KEY_HANDLE\f[].
+Passwords should follow the password formatting standards, see section
+"Password Formatting".
+.RE
+.IP \[bu] 2
+\f[B]\-I\f[], \f[B]\-\-in\-file\f[]=\f[I]INPUT\f[]:
+.RS 2
+.PP
+Input file path, containing the data to be decrypted.
+.RE
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUTPUT_FILE\f[]:
+.RS 2
+.PP
+Output file path, record the decrypted data.
+.RE
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]:
+.RS 2
+.PP
+Optional Input session handle from a policy session for authorization.
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_rsadecrypt\ \-k\ 0x81010001\ \-I\ encrypted.in\ \-o\ plain.out
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_rsaencrypt.1 b/man/man1/tpm2_rsaencrypt.1
new file mode 100644
index 000000000000..29e2bcd7e9df
--- /dev/null
+++ b/man/man1/tpm2_rsaencrypt.1
@@ -0,0 +1,188 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_rsaencrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_rsaencrypt\f[](1) \- Performs an RSA Encryption operation
+using the TPM.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_rsaencrypt\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_rsaencrypt\f[](1) performs RSA encryption on the contents of
+\f[I]FILE\f[] (defaulting to stdin) using the indicated padding scheme
+according to IETF RFC 3447 (PKCS#1).
+The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[].
+.PP
+The key referenced by keyHandle is \f[B]required\f[] to be:
+.IP "1." 3
+an RSA key
+.IP "2." 3
+Have the attribute \f[I]decrypt\f[] \f[B]SET\f[] in it\[aq]s attributes.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]:
+.RS 2
+.PP
+the public portion of RSA key to use for encryption.
+.RE
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]:
+.RS 2
+.PP
+filename of the key context used for the operation.
+.RE
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]:
+.RS 2
+.PP
+specifies the password of \f[I]KEY_HANDLE\f[].
+Passwords should follow the password formatting standards, see section
+"Password Formatting".
+.RE
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUTPUT_FILE\f[]:
+.RS 2
+.PP
+Output file path, record the decrypted data.
+The default is to print an xxd compatible hexdump to stdout.
+If a file is specified, raw binary output is performed.
+.RE
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]:
+.RS 2
+.PP
+Optional Input session handle from a policy session for authorization.
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_rsaencrypt\ \-k\ 0x81010001\ \-I\ plain.in\ \-o\ encrypted.out
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_send.1 b/man/man1/tpm2_send.1
new file mode 100644
index 000000000000..193b66d101b7
--- /dev/null
+++ b/man/man1/tpm2_send.1
@@ -0,0 +1,154 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_send" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_send\f[](1) \- Send a raw command buffer to the TPM.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_send\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_send\f[](1) Sends a TPM command to the TPM.
+The command is read from a file as a binary stream and transmitted to
+the TPM using the TCTI specified by the caller.
+The response received from the TPM is written to the output file.
+.PP
+Likely the caller will want to redirect this to a file or into a program
+to decode and display the response in a human readable form.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-i\f[], \f[B]\-\-input\f[]=\f[I]INPUT\f[]:
+.RS 2
+.PP
+Input file to read a command buffer from.
+Defaults to stdin.
+.RE
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUTPUT_FILE\f[]:
+.RS 2
+.PP
+Output file to send response buffer to.
+Defaults to stdout.
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH EXAMPLES
+.PP
+Send the contents of tpm2\-command.bin to a device and collect the
+response as tpm2\-response.bin.
+All examples of below accomplish this task.
+.IP
+.nf
+\f[C]
+tpm2_send\ \-\-tcti=device\ <\ tpm2\-command.bin\ >\ tpm2\-response.bin
+tpm2_send\ \-\-tcti=device\ \-i\ tpm2\-command.bin\ >\ tpm2\-response.bin
+tpm2_send\ \-\-tcti=device\ <\ tpm2\-command.bin\ \-o\ tpm2\-response.bin
+tpm2_send\ \-\-tcti=device\ \-i\ tpm2\-command.bin\ \-o\ tpm2\-response.bin
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_sign.1 b/man/man1/tpm2_sign.1
new file mode 100644
index 000000000000..67e079619fba
--- /dev/null
+++ b/man/man1/tpm2_sign.1
@@ -0,0 +1,245 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_sign" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_sign\f[](1) \- Sign a hash using the TPM.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_sign\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_sign\f[](1) signs an externally provided hash with the
+specified symmetric or asymmetric signing key.
+If keyHandle references a restricted signing key, then validation shall
+be provided, indicating that the TPM performed the hash of the data and
+validation shall indicate that hashed data did not start with
+\f[B]TPM_GENERATED_VALUE\f[].
+The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[].
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]:
+.RS 2
+.PP
+Handle of key that will perform signing.
+.RE
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]:
+.RS 2
+.PP
+Filename of the key context used for the operation.
+.RE
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]:
+.RS 2
+.PP
+Specifies the password of \f[I]KEY_HANDLE\f[].
+Passwords should follow the password formatting standards, see section
+"Password Formatting".
+.RE
+.IP \[bu] 2
+\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]HASH_ALGORITHM\f[]:
+.RS 2
+.PP
+The hash algorithm used to digest the message.
+Algorithms should follow the "formatting standards, see section
+"Algorithm Specifiers".
+Also, see section "Supported Hash Algorithms" for a list of supported
+hash algorithms.
+.RE
+.IP \[bu] 2
+\f[B]\-m\f[], \f[B]\-\-msg\f[]=\f[I]MSG_FILE\f[]:
+.RS 2
+.PP
+The message file, containing the content to be digested.
+.RE
+.IP \[bu] 2
+\f[B]\-t\f[], \f[B]\-\-ticket\f[]=\f[I]TICKET_FILE\f[]:
+.RS 2
+.PP
+The ticket file, containning the validation structure, optional.
+.RE
+.IP \[bu] 2
+\f[B]\-s\f[], \f[B]\-\-sig\f[]=\f[I]TICKET_FILE\f[]:
+.RS 2
+.PP
+The signature file, records the signature structure.
+.RE
+.IP \[bu] 2
+\f[B]\-f\f[], \f[B]\-\-format\f[]
+.RS 2
+.PP
+Format selection for the signature output file.
+See section "Signature Format Specifiers".
+.RE
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]:
+.RS 2
+.PP
+Optional Input session handle from a policy session for authorization.
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH Supported Hash Algorithms
+.PP
+Supported hash algorithms are:
+.IP \[bu] 2
+\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
+\f[B](default)\f[]
+.IP \[bu] 2
+\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
+.IP \[bu] 2
+\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
+.IP \[bu] 2
+\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
+.IP \[bu] 2
+\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Algorithm Specfiers
+.PP
+Options that take algorithms support "nice\-names".
+Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
+The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
+from the Algorithm Name field and converting it to lower case.
+For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
+.PP
+The algorithms can be found at:
+<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
+.SH Signature Format Specifiers
+.PP
+Format selection for the signature output file.
+\f[B]tss\f[] (the default) will output a binary blob according to the
+TPM 2.0 specification and any potential compiler padding.
+The option \f[B]plain\f[] will output the plain signature data as
+defined by the used cryptographic algorithm.
+# EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_sign\ \-k\ 0x81010001\ \-P\ abc123\ \-g\ sha256\ \-m\ <filePath>\ \-s\ <filePath>\ \-t\ <filePath>
+tpm2_sign\ \-c\ key.context\ \-P\ abc123\ \-g\ sha256\ \-m\ <filePath>\ \-s\ <filePath>\ \-t\ <filePath>
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_startup.1 b/man/man1/tpm2_startup.1
new file mode 100644
index 000000000000..ca40b6bceb79
--- /dev/null
+++ b/man/man1/tpm2_startup.1
@@ -0,0 +1,139 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_startup" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_startup\f[](1) \- Send a startup command to the TPM.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_startup\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_startup\f[](1) Send a \f[B]TPM2_Startup\f[] command with
+either \f[B]TPM_SU_CLEAR\f[] or \f[B]TPM_SU_STATE\f[].
+.PP
+\f[B]NOTE\f[]: Typically a Resource Manager or low\-level/boot software
+will have already sent this command.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-clear\f[]:
+.RS 2
+.PP
+Startup type sent will be \f[B]TPM_SU_CLEAR\f[] instead of
+\f[B]TPM2_SU_STATE\f[].
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_startup
+tpm2_startup\ \-c
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_takeownership.1 b/man/man1/tpm2_takeownership.1
new file mode 100644
index 000000000000..aee0bc7d4ced
--- /dev/null
+++ b/man/man1/tpm2_takeownership.1
@@ -0,0 +1,220 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_takeownership" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_takeownership\f[](1) \- Insert authorization values for the
+owner, endorsement and lockout authorizations.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_takeownership\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_takeownership\f[](1) \- performs a hash operation on
+\f[I]FILE\f[] and returns the results.
+If \f[I]FILE\f[] is not specified, then data is read from stdin.
+If the results of the hash will be used in a signing operation that uses
+a restricted signing key, then the ticket returned by this command can
+indicate that the hash is safe to sign.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-owner\-password\f[]=\f[I]OWNER_PASSWORD\f[]: The
+new owner authorization value.
+.RS 2
+.PP
+Passwords should follow the password formatting standards, see section
+"Password Formatting".
+.RE
+.IP \[bu] 2
+\f[B]\-e\f[], \f[B]\-\-endorse\-password\f[]=\f[I]ENDORSE_PASSWORD\f[]:
+.RS 2
+.PP
+The new endorse authorization value.
+Passwords should follow the same formatting requirements as the \-o
+option.
+.RE
+.IP \[bu] 2
+\f[B]\-l\f[], \f[B]\-\-lockout\-password\f[]=\f[I]LOCKOUT_PASSWORD\f[]:
+.RS 2
+.PP
+The new lockout authorization value.
+.PP
+The new endorse authorization value.
+Passwords should follow the same formatting requirements as the \-o
+option.
+.RE
+.IP \[bu] 2
+\f[B]\-O\f[],
+\f[B]\-\-old\-ownerPassword\f[]=\f[I]OLD_OWNER_PASSWORD\f[]:
+.RS 2
+.PP
+The old owner authorization value.
+Passwords should follow the same formatting requirements as the \-o
+option.
+.RE
+.IP \[bu] 2
+\f[B]\-E\f[],
+\f[B]\-\-old\-endorsePassword\f[]=\f[I]OLD_ENDORSE_PASSWORD\f[]:
+.RS 2
+.PP
+The old endorse authorization value.
+Passwords should follow the same formatting requirements as the \-o
+option.
+.RE
+.IP \[bu] 2
+\f[B]\-L\f[],
+\f[B]\-\-old\-lockoutPassword\f[]=\f[I]OLD_LOCKOUT_PASSWORD\f[]:
+.RS 2
+.PP
+The old lockout authorization value.
+Passwords should follow the same formatting requirements as the \-o
+option.
+.RE
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-clear\f[]:
+.RS 2
+.PP
+Clears the 3 authorizations values with lockout auth, thus one must
+specify \-L.
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH EXAMPLES
+.PP
+Set owner, endorsement and lockout authorizations to an empty auth
+value:
+.IP
+.nf
+\f[C]
+tpm2_takeownership\ \-c\ \-L\ oldlockoutpasswd
+\f[]
+.fi
+.PP
+Set owner, endorsement and lockout authorizations to a new value:
+.IP
+.nf
+\f[C]
+tpm2_takeownership\ \-o\ newo\ \-e\ newe\ \-l\ newl\ \-O\ oldo\ \-E\ olde\ \-L\ oldl
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_unseal.1 b/man/man1/tpm2_unseal.1
new file mode 100644
index 000000000000..81a3b6696b7a
--- /dev/null
+++ b/man/man1/tpm2_unseal.1
@@ -0,0 +1,232 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_unseal" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_unseal\f[](1) \- Returns the data in a loaded Sealed Data
+Object.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_unseal\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_unseal\f[](1) \- \-returns the data in a loaded Sealed Data
+Object.
+.PP
+\f[B]NOTE\f[]: The \f[B]\-\-set\-list\f[] and
+\f[B]\-\-pcr\-input\-file\f[] options should only be used for simple PCR
+authentication policies.
+For more complex policies the tools should be ran in an execution
+environment that keeps the session context alive and pass that session
+using the \f[B]\-\-input\-session\-handle\f[] option.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-H\f[], \f[B]\-\-item\f[]=\f[I]ITEM_HANDLE\f[]:
+.RS 2
+.PP
+Item handle of loaded object.
+.RE
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-item\-context\f[]=\f[I]ITEM_CONTEXT_FILE\f[]:
+.RS 2
+.PP
+Filename of the item context.
+.RE
+.IP \[bu] 2
+\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]:
+.RS 2
+.PP
+Specifies the password of \f[I]ITEM_HANDLE\f[].
+Passwords should follow the password formatting standards, see section
+"Password Formatting".
+.RE
+.IP \[bu] 2
+\f[B]\-o\f[], \f[B]\-\-outfile\f[]=\f[I]OUT_FILE\f[]:
+.RS 2
+.PP
+Output file name, containing the unsealed data.
+Defaults to stdout if not specified.
+.RE
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]:
+.RS 2
+.PP
+Optional Input session handle from a policy session for authorization.
+.RE
+.IP \[bu] 2
+\f[B]\-L\f[], \f[B]\-\-set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]:
+.RS 2
+.PP
+The list of pcr banks and selected PCRs\[aq] ids.
+\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers
+standards, see section "PCR Bank Specfiers".
+.RE
+.IP \[bu] 2
+\f[B]\-F\f[],**\-\-pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[]
+.RS 2
+.PP
+Optional Path or Name of the file containing expected pcr values for the
+specified index.
+Default is to read the current PCRs per the set list.
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH PCR Bank Specfiers
+.PP
+PCR Bank Selection lists follow the below specification:
+.IP
+.nf
+\f[C]
+<BANK>:<PCR>[,<PCR>]
+\f[]
+.fi
+.PP
+multiple banks may be separated by \[aq]+\[aq].
+.PP
+For example:
+.IP
+.nf
+\f[C]
+sha:3,4+sha256:5,6
+\f[]
+.fi
+.PP
+will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the
+SHA256 bank.
+.SS Note
+.PP
+PCR Selections allow for up to 5 hash to pcr selection mappings.
+This is a limitaion in design in the single call to the tpm to get the
+pcr values.
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_unseal\ \-H\ 0x81010001\ \-P\ abc123\ \-o\ out.dat
+tpm2_unseal\ \-c\ item.context\ \-P\ abc123\ \-o\ out.dat
+tpm2_unseal\ \-H\ 0x81010001\ \-P\ "hex:123abc"\ \-o\ out.dat
+tpm2_unseal\ \-c\ item.context\ \-L\ sha1:0,1,2\ \-F\ out.dat
+\f[]
+.fi
+.SH RETURNS
+.PP
+0 on success or 1 on failure.
+.SH BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
diff --git a/man/man1/tpm2_verifysignature.1 b/man/man1/tpm2_verifysignature.1
new file mode 100644
index 000000000000..ed047386d4f8
--- /dev/null
+++ b/man/man1/tpm2_verifysignature.1
@@ -0,0 +1,244 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "tpm2_verifysignature" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_verifysignature\f[](1) \- Validates a signature using the TPM.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_verifysignature\f[] [\f[I]OPTIONS\f[]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_verifysignature\f[](1) uses loaded keys to validate a
+signature on a message with the message digest passed to the TPM.
+If the signature check succeeds, then the TPM will produce a
+\f[B]TPMT_TK_VERIFIED\f[].
+Otherwise, the TPM shall return \f[B]TPM_RC_SIGNATURE\f[].
+If \f[I]KEY_HANDLE\f[] references an asymmetric key, only the public
+portion of the key needs to be loaded.
+If \f[I]KEY_HANDLE\f[] references a symmetric key, both the public and
+private portions need to be loaded.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]:
+.RS 2
+.PP
+Handle of key that will used in the validation.
+.RE
+.IP \[bu] 2
+\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]:
+.RS 2
+.PP
+Filename of the key context used for the operation.
+.RE
+.IP \[bu] 2
+\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]HASH_ALGORITHM\f[]:
+.RS 2
+.PP
+The hash algorithm used to digest the message.
+Algorithms should follow the "formatting standards, see section
+"Algorithm Specifiers".
+Also, see section "Supported Hash Algorithms" for a list of supported
+hash algorithms.
+.RE
+.IP \[bu] 2
+\f[B]\-m\f[], \f[B]\-\-msg\f[]=\f[I]MSG_FILE\f[]:
+.RS 2
+.PP
+The message file, containing the content to be digested.
+.RE
+.IP \[bu] 2
+\f[B]\-D\f[], \f[B]\-\-digest\f[]=\f[I]DIGEST_FILE\f[]:
+.RS 2
+.PP
+The input hash file, containing the hash of the message.
+If this option is selected, then the message (\f[B]\-m\f[]) and
+algorithm (\f[B]\-g\f[]) options do not need to be specified.
+.RE
+.IP \[bu] 2
+\f[B]\-s\f[], \f[B]\-\-sig\f[]=\f[I]SIG_FILE\f[]:
+.RS 2
+.PP
+The input signature file of the signature to be validated.
+.RE
+.IP \[bu] 2
+\f[B]\-r\f[], \f[B]\-\-raw\f[]:
+.RS 2
+.PP
+Set the input signature file to raw type.
+The default is TPMT_SIGNATURE.
+.RE
+.IP \[bu] 2
+\f[B]\-t\f[], \f[B]\-\-ticket\f[]=\f[I]TICKET_FILE\f[]:
+.RS 2
+.PP
+The ticket file to record the validation structure.
+.RE
+.IP \[bu] 2
+\f[B]\-S\f[],
+\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]:
+.RS 2
+.PP
+Optional Input session handle from a policy session for authorization.
+.RE
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
+This requires the manpages to be installed or on \f[I]MANPATH\f[], See
+man(1) for more details.
+.IP \[bu] 2
+\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
+tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+# TCTI ENVIRONMENT
+.PP
+This collection of environment variables that may be used to configure
+the various TCTI modules available.
+.PP
+The values passed through these variables can be overridden on a
+per\-command basis using the available command line options, see the
+\f[I]TCTI_OPTIONS\f[] section.
+.PP
+The variables respected depend on how the software was configured.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
+with the next component down the TSS stack.
+In most configurations this will be the TPM but it could be a simulator
+or proxy.
+The current known TCTIs are:
+.RS 2
+.IP \[bu] 2
+tabrmd \- The new resource manager, called
+tabrmd (https://github.com/01org/tpm2-abrmd).
+.IP \[bu] 2
+socket \- Typically used with the old resource manager, or talking
+directly to a simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
+TPM device file.
+The default is "/dev/tpm0".
+.RS 2
+.PP
+Note: Using the tpm directly requires the users to ensure that
+concurrent access does not occur and that they manage the tpm resources.
+These tasks are usually managed by a resource manager.
+Linux 4.12 and greater supports an in kernel resource manager at
+"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
+.RE
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
+the domain name or IP address used.
+The default is 127.0.0.1.
+.IP \[bu] 2
+\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
+port number used.
+The default is 2321.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the varous TCTI modules
+available.
+They override any environment variables.
+.IP \[bu] 2
+\f[B]\-T\f[],
+\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
+Select the TCTI used for communication with the next component down the
+TSS stack.
+In most configurations this will be the resource manager:
+tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
+options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
+\f[I]TCTI_NAME\f[].
+.RS 2
+.IP \[bu] 2
+For the device TCTI, the TPM device file for use by the device TCTI can
+be specified.
+The default is /dev/tpm0.
+Example: \f[B]\-T device:/dev/tpm0\f[]
+.IP \[bu] 2
+For the socket TCTI, the domain name or IP address and port number used
+by the socket can be specified.
+The default are 127.0.0.1 and 2321.
+Example: \f[B]\-T socket:127.0.0.1:2321\f[]
+.IP \[bu] 2
+For the abrmd TCTI, it takes no options.
+Example: \f[B]\-T abrmd\f[]
+.RE
+.SH Password Formatting
+.PP
+Passwords are interpreted in two forms, string and hex\-string.
+A string password is not interpreted, and is directly used for
+authorization.
+A hex\-string, is converted from a hexidecimal form into a byte array
+form, thus allowing passwords with non\-printable and/or terminal
+un\-friendly characters.
+.PP
+By default passwords are assumed to be in the string form.
+Password form is specified with special prefix values, they are:
+.IP \[bu] 2
+str: \- Used to indicate it is a raw string.
+Useful for escaping a password that starts with the "hex:" prefix.
+.IP \[bu] 2
+hex: \- Used when specifying a password in hex string format.
+.SH Supported Hash Algorithms
+.PP
+Supported hash algorithms are:
+.IP \[bu] 2
+\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
+\f[B](default)\f[]
+.IP \[bu] 2
+\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
+.IP \[bu] 2
+\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
+.IP \[bu] 2
+\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
+.IP \[bu] 2
+\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
+.PP
+\f[B]NOTE\f[]: Your TPM may not support all algorithms.
+.SH Algorithm Specfiers
+.PP
+Options that take algorithms support "nice\-names".
+Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
+The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
+from the Algorithm Name field and converting it to lower case.
+For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
+.PP
+The algorithms can be found at:
+<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
+.SH EXAMPLES
+.IP
+.nf
+\f[C]
+tpm2_verifysignature\ \-k\ 0x81010001\ \-g\ sha256\ \-m\ <filePath>\ \-s\ <filePath>\ \-t\ <filePath>
+tpm2_verifysignature\ \-k\ 0x81010001\ \-D\ <filePath>\ \-s\ <filePath>\ \-t\ <filePath>
+tpm2_verifysignature\ \-c\ key.context\ \-g\ sha256\ \-m\ <filePath>\ \-s\ <filePath>\ \-t\ <filePath>
+\f[]
+.fi
+.PP
+RETURNS
+.PP
+0 on success or 1 on failure.
+.PP
+BUGS
+.PP
+Github Issues (https://github.com/01org/tpm2-tools/issues)
+.PP
+HELP
+.PP
+See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
-- 
2.14.3