--- tpm2-tools-3.0.4/Makefile.am 2018-04-30 02:52:17.000000000 -0700 +++ tpm2-tools-3.0.4-new/Makefile.am 2018-09-10 07:53:19.911780215 -0700 @@ -273,8 +273,7 @@ RELEASE.md \ test/system -if HAVE_PANDOC - man1_MANS := \ +man1_MANS := \ man/man1/tpm2_activatecredential.1 \ man/man1/tpm2_certify.1 \ man/man1/tpm2_create.1 \ @@ -315,16 +314,6 @@ man/man1/tpm2_unseal.1 \ man/man1/tpm2_verifysignature.1 -# If pandoc is enabled, we want to generate the manpages for the dist tarball -EXTRA_DIST += $(man1_MANS) -else -# If pandoc is not enabled, we want to complain that you need pandoc for make dist, -# so hook the target and complain. -dist-hook: - @(>&2 echo "You do not have pandoc, a requirement for the distribution of manpages") - @exit 1 -endif - MARKDOWN_COMMON_DEPS = \ man/common/alg.md \ man/common/hash.md \ diff -urN tpm2-tools-3.0.4/man/man1/tpm2_activatecredential.1 tpm2-tools-3.0.4-new/man/man1/tpm2_activatecredential.1 --- tpm2-tools-3.0.4/man/man1/tpm2_activatecredential.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_activatecredential.1 2018-09-10 07:57:12.390603034 -0700 @@ -0,0 +1,179 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_activatecredential" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_activatecredential\f[](1) \- verify that an object is +protected with a specific key. +.SH SYNOPSIS +.PP +\f[B]tpm2_activatecredential\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +Verify that the given content is protected with given keyHandle for +given handle, and then decrypt and return the secret, if any passwd +option is missing, assume NULL. +Currently only support using TCG profile compliant EK as the keyHandle. +.SH OPTIONS +.PP +These options control the object verification: +.IP \[bu] 2 +\f[B]\-H\f[], \f[B]\[en]handle\f[]=\f[I]HANDLE\f[]: \f[I]HANDLE\f[] of +the object associated with the created certificate by CA. +.IP \[bu] 2 +\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: The +\f[I]KEY_HANDLE\f[] of Loaded key used to decrypt the the random seed. +.IP \[bu] 2 +\f[B]\-C\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: +\f[I]KEY_CONTEXT_FILE\f[] is the path to a context file. +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]password\f[]=\f[I]PASSWORD\f[]: Use +\f[I]PASSWORD\f[] for providing an authorization value for the +\f[I]KEY_HANDLE\f[]. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-e\f[], \f[B]\[en]endorse\-password\f[]=\f[I]ENDORSE_PASSWORD\f[]: +The endorsement password, optional. +Follows the same formating guidelines as the handle password option \-P. +.IP \[bu] 2 +\f[B]\-f\f[], \f[B]\[en]in\-file\f[]=\f[I]INPUT_FILE\f[]: Input file +path, containing the two structures needed by tpm2_activatecredential +function. +This is created via the tpm2_makecredential(1) command. +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]out\-file\f[]=\f[I]OUTPUT_FILE\f[]: Output file +path, record the secret to decrypt the certificate. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_activatecredential\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ abc123\ \-e\ abc123\ \-f\ \ \-o\ +tpm2_activatecredential\ \-c\ ak.context\ \-C\ ek.context\ \-P\ abc123\ \-e\ abc123\ \-f\ \ \-o\ +tpm2_activatecredential\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 123abc\ \-e\ 1a1b1c\ \-X\ \-f\ \ \-o\ +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_certify.1 tpm2-tools-3.0.4-new/man/man1/tpm2_certify.1 --- tpm2-tools-3.0.4/man/man1/tpm2_certify.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_certify.1 2018-09-10 07:57:12.572600547 -0700 @@ -0,0 +1,202 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_certify" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_certify\f[](1) \- prove that an object is loaded in the tpm. +.SH SYNOPSIS +.PP +\f[B]tpm2_certify\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_certify\f[](1) proves that an object with a specific +\f[I]NAME\f[] is loaded in the TPM. +By certifying that the object is loaded, the TPM warrants that a public +area with a given \f[I]NAME\f[] is self\-consistent and associated with +a valid sensitive area. +If a relying party has a public area that has the same \f[I]NAME\f[] as +a \f[I]NAME\f[] certified with this command, then the values in that +public area are correct. +The object may be any object that is loaded with TPM2_Load() or +TPM2_CreatePrimary(). +An object that only has its public area loaded cannot be certified. +.SH OPTIONS +.PP +These options control the ceritifcation: +.IP \[bu] 2 +\f[B]\-H\f[], \f[B]\[en]obj\-handle\f[]=\f[I]OBJECT_HANDLE\f[]: The +handle of the object to be certified. +.IP \[bu] 2 +\f[B]\-C\f[], \f[B]\[en]obj\-context\f[]=\f[I]FILE\f[]: Use +\f[I]FILE\f[] for providing the object context. +.IP \[bu] 2 +\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: Handle of +the key used to sign the attestation structure. +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT\f[]: Filename +of the key context used to sign the attestation structure. +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]pwdo\f[]=\f[I]OBJECT_PASSWORD\f[]: Use +\f[I]OBJECT_PASSWORD\f[] for providing an authorization value for the +object specified in \f[I]OBJECT_HANDLE\f[]. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-K\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: Use +\f[I]KEY_PASSWORD\f[] for providing an authorization value for the key +specified in \f[I]KEY_HANDLE\f[]. +Follows the same formatting guidelines as the object handle password or +\-P option. +.IP \[bu] 2 +\f[B]\-a\f[], \f[B]\[en]attest\-file\f[]=\f[I]ATTEST_FILE\f[]: Output +file name for the attestation data. +.IP \[bu] 2 +\f[B]\-s\f[], \f[B]\[en]sig\-file\f[]=\f[I]SIG_FILE\f[]: Output file +name for the signature data. +.IP \[bu] 2 +\f[B]\-f\f[], \f[B]\[en]format\f[] +.RS 2 +.PP +Format selection for the signature output file. +See section \[lq]Signature Format Specifiers\[rq]. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH Signature Format Specifiers +.PP +Format selection for the signature output file. +\f[B]tss\f[] (the default) will output a binary blob according to the +TPM 2.0 specification and any potential compiler padding. +The option \f[B]plain\f[] will output the plain signature data as +defined by the used cryptographic algorithm. +# EXAMPLES +.IP +.nf +\f[C] +tpm2_certify\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 0x0011\ \-K\ 0x00FF\ \-g\ 0x00B\ \-a\ \ \-s\ +tpm2_certify\ \-C\ obj.context\ \-c\ key.context\ \-P\ 0x0011\ \-K\ 0x00FF\ \-g\ 0x00B\ \-a\ \ \-s\ +tpm2_certify\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 0011\ \-K\ 00FF\ \-X\ \-g\ 0x00B\ \-a\ \ \-s\ +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_create.1 tpm2-tools-3.0.4-new/man/man1/tpm2_create.1 --- tpm2-tools-3.0.4/man/man1/tpm2_create.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_create.1 2018-09-10 07:57:12.772597813 -0700 @@ -0,0 +1,273 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_create" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_create\f[](1) \- create an object that can be loaded into a +TPM using tpm2_load. +The object will need to be loaded before it may be used. +.SH SYNOPSIS +.PP +\f[B]tpm2_create\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_create\f[](1) \- create an object that can be loaded into a +TPM using tpm2_load. +The object will need to be loaded before it may be used. +.SH OPTIONS +.PP +These options for creating the tpm entity: +.IP \[bu] 2 +\f[B]\-H\f[], \f[B]\[en]pparent\f[]=\f[I]PARENT_HANDLE\f[]: The handle +of the parent object to create this object under. +.IP \[bu] 2 +\f[B]\-c\f[], +\f[B]\[en]context\-parent\f[]=\f[I]PARENT_CONTEXT_FILE\f[]: The filename +for parent context. +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: The +password for parent key, optional. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-K\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: The password for +key, optional. +Follows the password formatting of the \[lq]password for parent key\[rq] +option: \-P. +.IP \[bu] 2 +\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]ALGORITHM\f[]: The hash algorithm +to use. +Algorithms should follow the " formatting standards, see section +\[lq]Algorithm Specifiers\[rq]. +Also, see section \[lq]Supported Hash Algorithms\[rq] for a list of +supported hash algorithms. +.IP \[bu] 2 +\f[B]\-G\f[], \f[B]\[en]kalg\f[]=\f[I]KEY_ALGORITHM\f[]: The algorithm +associated with this object. +It accepts friendly names just like \-g option. +See section \[lq]Supported Public Object Algorithms\[rq] for a list of +supported object algorithms. +.IP \[bu] 2 +\f[B]\-A\f[], \f[B]\[en]object\-attributes\f[]=\f[I]ATTRIBUTES\f[]: The +object attributes, optional. +Object attribytes follow the specifications as outlined in \[lq]object +attribute specifiers\[rq]. +The default for created objects is: +.RS 2 +.PP +\f[C]TPMA_OBJECT_SIGN|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH\f[] +.RE +.IP \[bu] 2 +\f[B]\-I\f[], \f[B]\[en]in\-file\f[]=\f[I]FILE\f[]: The data file to be +sealed, optional. +If file is \-, read from stdin. +When sealing data only the TPM_ALG_KEYEDHASH algorithm is allowed. +.IP \[bu] 2 +\f[B]\-L\f[], \f[B]\[en]policy\-file\f[]=\f[I]POLICY_FILE\f[]: The input +policy file, optional. +.IP \[bu] 2 +\f[B]\-u\f[], \f[B]\[en]pubfile\f[]=\f[I]OUTPUT_PUBLIC_FILE\f[]: The +output file which contains the public portion of the created object, +optional. +.IP \[bu] 2 +\f[B]\-r\f[], \f[B]\[en]privfile\f[]=\f[I]OUTPUT_PRIVATE_FILE\f[]: The +output file which contains the sensitive portion of the object, +optional. +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional +Input session handle from a policy session for authorization. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH Supported Hash Algorithms +.PP +Supported hash algorithms are: +.IP \[bu] 2 +\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] +\f[B](default)\f[] +.IP \[bu] 2 +\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] +.IP \[bu] 2 +\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] +.IP \[bu] 2 +\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] +.IP \[bu] 2 +\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Supported Public Object Algorithms +.PP +Supported public object algorithms are: +.IP \[bu] 2 +\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] +(\f[B]default\f[]). +.IP \[bu] 2 +\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. +.IP \[bu] 2 +\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. +.IP \[bu] 2 +\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Algorithm Specfiers +.PP +Options that take algorithms support \[lq]nice\-names\[rq]. +Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. +The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] +from the Algorithm Name field and converting it to lower case. +For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. +.PP +The algorithms can be found at: + +.SH Object Attributes +.PP +Object Attributes are used to control various properties of created +objects. +When specified as an option, either the raw bitfield mask or +\[lq]nice\-names\[rq] may be used. +The values can be found in Table 31 Part 2 of the TPM2.0 specification, +which can be found here: +.PP + +.PP +Nice names are calculated by taking the name field of table 31 and +removing the prefix \f[B]TPMA_OBJECT_\f[] and lowercasing the result. +Thus, \f[B]TPMA_OBJECT_FIXEDTPM\f[] becomes fixedtpm. +Nice names can be joined using the bitwise or \[lq]|\[rq] symbol. +.PP +For instance, to set The fields \f[B]TPMA_OBJECT_FIXEDTPM\f[], +\f[B]TPMA_OBJECT_NODA\f[], and \f[B]TPMA_OBJECT_SIGN\f[], the argument +would be: +.PP +\f[B]fixedtpm|noda|sign\f[] +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_create\ \-H\ 0x81010001\ \-P\ abc123\ \-K\ def456\ \-g\ sha256\ \-G\ keyedhash\-I\ data.File +tpm2_create\ \-c\ parent.context\ \-P\ abc123\ \-K\ def456\ \-g\ sha256\ \-G\ keyedhash\ \-I\ data.File +tpm2_create\ \-H\ 0x81010001\ \-P\ 123abc\ \-K\ 456def\ \-X\ \-g\ sha256\ \-G\ keyedhash\ \-I\ data.File +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_createpolicy.1 tpm2-tools-3.0.4-new/man/man1/tpm2_createpolicy.1 --- tpm2-tools-3.0.4/man/man1/tpm2_createpolicy.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_createpolicy.1 2018-09-10 07:57:12.945595449 -0700 @@ -0,0 +1,185 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_createpolicy" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_createpolicy\f[](1) \- Creates simple assertion authorization +policies based on multiple pcr indices values across multiple enabled +banks. +.SH SYNOPSIS +.PP +\f[B]tpm2_createpolicy\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_createpolicy\f[](1) \- Creates simple assertion authorization +policies based on multiple pcr indices values across multiple enabled +banks. +It can then be used with object creation and or tools using the object. +.SH OPTIONS +.PP +These options control creating the policy authorization session: +.IP \[bu] 2 +\f[B]\-f\f[], \f[B]\[en]policy\-file\f[]=\f[I]POLICY_FILE\f[]: File to +save the policy digest. +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]policy\-pcr\f[]: Identifies the PCR policy type +for policy creation. +.IP \[bu] 2 +\f[B]\-g\f[], \f[B]\[en]policy\-digest\-alg\f[]=\f[I]HASH_ALGORITHM\f[]: +The hash algorithm used in computation of the policy digest. +Algorithms should follow the \[lq]formatting standards, see +section\[rq]Algorithm Specifiers\[lq]. Also, see section\[rq]Supported +Hash Algorithms" for a list of supported hash algorithms. +.IP \[bu] 2 +\f[B]\-L\f[], \f[B]\[en]set\-list\f[]=\f[I]PCR_LIST\f[]: The list of pcr +banks and selected PCRs' ids (0~23) for each bank. +.IP \[bu] 2 +\f[B]\-F\f[], \f[B]\[en]pcr\-input\-file\f[]=\f[I]PCR_FILE\f[]: Optional +Path or Name of the file containing expected pcr values for the +specified index. +Default is to read the current PCRs per the set list. +.IP \[bu] 2 +\f[B]\-e\f[], \f[B]\[en]extend\-policy\-session\f[]: Retains the policy +session at the end of operation. +.IP \[bu] 2 +\f[B]\-a\f[], \f[B]\[en]auth\-policy\-session\f[]: Start a policy +session of type \f[B]TPM_SE_POLICY\f[]. +Default without this option is \f[B]TPM_SE_TRIAL\f[]. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Supported Hash Algorithms +.PP +Supported hash algorithms are: +.IP \[bu] 2 +\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] +\f[B](default)\f[] +.IP \[bu] 2 +\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] +.IP \[bu] 2 +\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] +.IP \[bu] 2 +\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] +.IP \[bu] 2 +\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Algorithm Specfiers +.PP +Options that take algorithms support \[lq]nice\-names\[rq]. +Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. +The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] +from the Algorithm Name field and converting it to lower case. +For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. +.PP +The algorithms can be found at: + +.SH EXAMPLES +.PP +Create a authorization policy tied to a specific PCR index: +.PP +\f[B]tpm2_createpolicy \-P \-L 0x4:0 \-f policy.file \-F pcr0.bin\f[] +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_createprimary.1 tpm2-tools-3.0.4-new/man/man1/tpm2_createprimary.1 --- tpm2-tools-3.0.4/man/man1/tpm2_createprimary.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_createprimary.1 2018-09-10 07:57:13.139592798 -0700 @@ -0,0 +1,274 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_createprimary" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_createprimary\f[](1) \- Create a primary key under a primary +seed or a temporary primary key under the \f[B]TPM_RH_NULL\f[] +hierarchy. +.SH SYNOPSIS +.PP +\f[B]tpm2_createprimary\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_createprimary\f[](1) \- This command is used to create a +Primary Object under one of the Primary Seeds or a Temporary Object +under \f[B]TPM_RH_NULL\f[]. +The command uses a \f[B]TPM2B_PUBLIC\f[] as a template for the object to +be created. +The command will create and load a Primary Object. +The sensitive area is not returned. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-H\f[], \f[B]\[en]hierarchy\f[]=\f[I]HIERARCHY\f[]: Specify the +hierarchy under which the object is created. +This will also dictate which authorization secret (if any) must be +supplied. +Supported options are: +.RS 2 +.IP \[bu] 2 +\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[] +.IP \[bu] 2 +\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[] +.IP \[bu] 2 +\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[] +.IP \[bu] 2 +\f[B]n\f[] for \f[B]TPM_RH_NULL\f[] +.RE +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: Optional +authorization string if authorization is required to create object under +the specified hierarchy. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-K\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: Optional +authorization string for the newly created object. +Follows the same password formating guidelines as the parent +authorization string under the \-P option. +.IP \[bu] 2 +\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]ALGORITHM\f[]: The hash algorithm +to use. +Algorithms should follow the " formatting standards, see section +\[lq]Algorithm Specifiers\[rq]. +Also, see section \[lq]Supported Hash Algorithms\[rq] for a list of +supported hash algorithms. +.IP \[bu] 2 +\f[B]\-G\f[], \f[B]\[en]kalg\f[]=\f[I]KEY_ALGORITHM\f[]: Algorithm type +for generated key. +It supports friendly names like the \-g option. +See section \[lq]Supported Public Object Algorithms\[rq] for a list of +supported object algorithms. +.IP \[bu] 2 +\f[B]\-C\f[], \f[B]\[en]context\f[]=\f[I]CONTEXT_FILE\f[]: An optional +file used to store the object context returned. +.IP \[bu] 2 +\f[B]\-L\f[], \f[B]\[en]policy\-file\f[]=\f[I]POLICY_FILE\f[]: An +optional file input that contains the policy digest for policy based +authorization of the object. +.IP \[bu] 2 +\f[B]\-A\f[], \f[B]\[en]object\-attributes\f[]=\f[I]ATTRIBUTES\f[]: The +object attributes, optional. +Object attribytes follow the specifications as outlined in \[lq]object +attribute specifiers\[rq]. +The default for created objects is: +.RS 2 +.PP +\f[C]TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH\f[] +.RE +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional +Input session handle from a policy session for authorization. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH Supported Hash Algorithms +.PP +Supported hash algorithms are: +.IP \[bu] 2 +\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] +\f[B](default)\f[] +.IP \[bu] 2 +\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] +.IP \[bu] 2 +\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] +.IP \[bu] 2 +\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] +.IP \[bu] 2 +\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Supported Public Object Algorithms +.PP +Supported public object algorithms are: +.IP \[bu] 2 +\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] +(\f[B]default\f[]). +.IP \[bu] 2 +\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. +.IP \[bu] 2 +\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. +.IP \[bu] 2 +\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Algorithm Specfiers +.PP +Options that take algorithms support \[lq]nice\-names\[rq]. +Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. +The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] +from the Algorithm Name field and converting it to lower case. +For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. +.PP +The algorithms can be found at: + +.SH Object Attributes +.PP +Object Attributes are used to control various properties of created +objects. +When specified as an option, either the raw bitfield mask or +\[lq]nice\-names\[rq] may be used. +The values can be found in Table 31 Part 2 of the TPM2.0 specification, +which can be found here: +.PP + +.PP +Nice names are calculated by taking the name field of table 31 and +removing the prefix \f[B]TPMA_OBJECT_\f[] and lowercasing the result. +Thus, \f[B]TPMA_OBJECT_FIXEDTPM\f[] becomes fixedtpm. +Nice names can be joined using the bitwise or \[lq]|\[rq] symbol. +.PP +For instance, to set The fields \f[B]TPMA_OBJECT_FIXEDTPM\f[], +\f[B]TPMA_OBJECT_NODA\f[], and \f[B]TPMA_OBJECT_SIGN\f[], the argument +would be: +.PP +\f[B]fixedtpm|noda|sign\f[] +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_createprimary\ \-H\ o\ \-g\ sha256\ \-G\ ecc\ \-C\ context.out +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_dictionarylockout.1 tpm2-tools-3.0.4-new/man/man1/tpm2_dictionarylockout.1 --- tpm2-tools-3.0.4/man/man1/tpm2_dictionarylockout.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_dictionarylockout.1 2018-09-10 07:57:13.320590324 -0700 @@ -0,0 +1,155 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_dictionarylockout" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_dictionarylockout\f[](1) \- setup or clear +dictionary\-attack\-lockout parameters. +.SH SYNOPSIS +.PP +\f[B]tpm2_dictionarylockout\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_dictionarylockout\f[](1) \- setup dictionary\-attack\-lockout +parameters or clear dictionary\-attack\-lockout state, if any passwd +option is missing, assume NULL. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-s\f[], \f[B]\[en]setup\-parameters\f[]=\f[I]SETUP_PARAMETERS\f[]: +specifies the tool should operate to setup dictionary\-attack\-lockout +parameters. +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]clear\-lockout\f[]: specifies the tool should +operate to clear dictionary\-attack\-lockout state. +.IP \[bu] 2 +\f[B]\-l\f[], \f[B]\-lockout\-recovery\-time\f[]=\f[I]LOCKOUT_TIME\f[]: +specifies the wait time in seconds before another TPM_RH_LOCKOUT +authentication attempt can be made after a failed authentication. +.IP \[bu] 2 +\f[B]\-t\f[], \f[B]\[en]recovery\-time\f[]=\f[I]RECOVERY_TIME\f[]: +specifies the wait time in seconds before another DA\-protected\-object +authentication attempt can be made after max\-tries number of failed +authentications. +.IP \[bu] 2 +\f[B]\-n\f[], \f[B]\[en]max\-tries\f[]=\f[I]MAX_TRYS\f[]: specifies the +maximum number of allowed authentication attempts on +DA\-protected\-object; after which DA is activated. +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional +Input session handle from a policy session for authorization. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_dictionarylockout\ \-c\ \-p\ passwd +tpm2_dictionarylockout\ \-s\ \-n\ 5\ \-t\ 6\ \-l\ 7\ \-p\ passwd +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_encryptdecrypt.1 tpm2-tools-3.0.4-new/man/man1/tpm2_encryptdecrypt.1 --- tpm2-tools-3.0.4/man/man1/tpm2_encryptdecrypt.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_encryptdecrypt.1 2018-09-10 07:57:13.685585336 -0700 @@ -0,0 +1,170 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_encryptdecrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_encryptdecrypt\f[](1) \- performs symmetric encryption or +decryption. +.SH SYNOPSIS +.PP +\f[B]tpm2_encryptdecrypt\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +tpm2_encryptdecrypt(1) \- performs symmetric encryption or decryption +with a specified symmetric key. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: the +symmetric key used for the operation (encryption/decryption). +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: +filename of the key context used for the operation. +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: filename of the +key context used for the operation. +The password for parent key, optional. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-D\f[], \f[B]\[en]decrypt\f[]: Perform a decrypt operation. +Default is encryption. +.IP \[bu] 2 +\f[B]\-I\f[], \f[B]\[en]in\-file\f[]=\f[I]INPUT_FILE\f[]: Input file +path containing data for decrypt or encrypt operation. +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional +Input session handle from a policy session for authorization. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_encryptdecrypt\ \-k\ 0x81010001\ \-P\ abc123\ \-D\ NO\ \-I\ \ \-o\ +tpm2_encryptdecrypt\ \-c\ key.context\ \-P\ abc123\ \-D\ NO\ \-I\ \ \-o\ +tpm2_encryptdecrypt\ \-k\ 0x81010001\ \-P\ 123abca\ \-X\ \-D\ NO\ \-I\ \ \-o\ +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_evictcontrol.1 tpm2-tools-3.0.4-new/man/man1/tpm2_evictcontrol.1 --- tpm2-tools-3.0.4/man/man1/tpm2_evictcontrol.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_evictcontrol.1 2018-09-10 07:57:13.874582753 -0700 @@ -0,0 +1,181 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_evictcontrol" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_evictcontrol\f[](1) \- Make a transient object persistent or +evict a persistent object. +.SH SYNOPSIS +.PP +\f[B]tpm2_evictcontrol\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_evictcontrol\f[](1) \- allows a transient object to be made +persistent or a persistent object to be evicted. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-A\f[], \f[B]\[en]auth\f[]=\f[I]AUTH\f[]: The authorization used +to authorize the commands. +Valid choices are: +.RS 2 +.IP \[bu] 2 +\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[] +.IP \[bu] 2 +\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[] +.RE +.IP \[bu] 2 +\f[B]\-H\f[], \f[B]\[en]handle\f[]=\f[I]HANDLE\f[]: The handle of a +loaded transient or a persistent object. +.RS 2 +.PP +If the handle is for a transient object, then a handle that will be +assigned to the persisted object must also be specified with the +\f[B]\-S\f[] option. +.PP +If the handle is for a persistent object, then the \f[B]\-S\f[] does not +need to be provided since the handle must be the same for both options. +.RE +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]context\f[]=\f[I]OBJECT_CONTEXT_FILE\f[]: +Filename for object context. +.IP \[bu] 2 +\f[B]\-S\f[], \f[B]\[en]persistent\f[]=\f[I]PERSISTENT_HANDLE\f[]: The +persistent handle for the object handle specified via \f[I]HANDLE\f[]. +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]pwda\f[]=\f[I]AUTH_PASSWORD\f[]: authorization +password, optional. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_evictcontrol\ \-A\ o\ \-c\ object.context\ \-S\ 0x81010002\ \-P\ abc123 +tpm2_evictcontrol\ \-A\ o\ \-H\ 0x81010002\ \-S\ 0x81010002\ \-P\ abc123 +tpm2_evictcontrol\ \-A\ o\ \-H\ 0x81010002\ \-S\ 0x81010002\ \-P\ 123abc +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_getcap.1 tpm2-tools-3.0.4-new/man/man1/tpm2_getcap.1 --- tpm2-tools-3.0.4/man/man1/tpm2_getcap.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_getcap.1 2018-09-10 07:57:13.499587878 -0700 @@ -0,0 +1,161 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_getcap" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_getcap\f[](1) \- Display TPM capabilities in a human readable +form. +.SH SYNOPSIS +.PP +\f[B]tpm2_getcap\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_getcap\f[](1) \- Query the TPM for it's capabilities / +properties and dump them to the console. +This is a thin wrapper around the GetCapability command. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]capability\f[]=\f[I]CAPABILITY_NAME\f[]: The +name of the capability group to query. +Currently supported capability groups are: +.RS 2 +.IP \[bu] 2 +properties\-fixed: Display fixed TPM properties. +.IP \[bu] 2 +properties\-variable: Display variable TPM properties. +.IP \[bu] 2 +algorithms: Display data about supported algorithms. +.IP \[bu] 2 +commands: Display data about supported commands. +.IP \[bu] 2 +ecc\-curves: Display data about elliptic curves. +.IP \[bu] 2 +handles\-transient: Display handles about transient objects. +.IP \[bu] 2 +handles\-persistent: Display handles about persistent objects. +.IP \[bu] 2 +handles\-permanent: Display handles about permanent objects. +.IP \[bu] 2 +handles\-pcr: Display handles about PCRs. +.IP \[bu] 2 +handles\-nv\-index: Display handles about NV Indices. +.IP \[bu] 2 +handles\-loaded\-session: Display handles about both loaded HMAC and +policy sessions. +.IP \[bu] 2 +handles\-saved\-session: Display handles about saved sessions. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_getcap\ \-\-capability="properties\-fixed" +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_getmanufec.1 tpm2-tools-3.0.4-new/man/man1/tpm2_getmanufec.1 --- tpm2-tools-3.0.4/man/man1/tpm2_getmanufec.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_getmanufec.1 2018-09-10 07:57:14.067580116 -0700 @@ -0,0 +1,226 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_getmanufec" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_getmanufec\f[](1) \- Retrieve the Endorsement Credential +Certificate for the TPM endorsement key from the TPM manufacturer's +endorsement certificate hosting server. +.SH SYNOPSIS +.PP +\f[B]tpm2_getmanufec\f[] [\f[I]OPTIONS\f[]] [\f[I]URL\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_getmanufec\f[](1) \- Retrieve the Endorsement Credential +Certificate for the TPM endorsement key from the TPM manufacturer's +endorsement certificate hosting server. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-e\f[], \f[B]\[en]endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]: +specifies current endorse password (string, optional,default:NULL). +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[]: +specifies current owner password (string, optional,default:NULL). +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]ek\-passwd\f[]=\f[I]EK_PASSWORD\f[]: specifies +the EK password when created (string,optional,default:NULL). +.RS 2 +.PP +Passwords should follow the password formatting standards, see section +\[lq]Password Formatting\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-H\f[], \f[B]\[en]handle\f[]=\f[I]HANDLE\f[]: specifies the handle +used to make EK persistent (hex). +.IP \[bu] 2 +\f[B]\-g\f[], \f[B]\[en]alg\f[]=\f[I]ALGORITHM\f[]: specifies the +algorithm type of EK. +See section \[lq]Supported Public Object Algorithms\[rq] for a list of +supported object algorithms. +See section \[lq]Algorithm Specifiers\[rq] on how to specify an +algorithm argument. +.IP \[bu] 2 +\f[B]\-f\f[], \f[B]\[en]output\f[]=\f[I]FILE\f[]: Specifies the file +used to save the public portion of EK. +.IP \[bu] 2 +\f[B]\-N\f[], \f[B]\[en]non\-persistent\f[]: specifies to readout the EK +public without making it persistent. +.IP \[bu] 2 +\f[B]\-O\f[], \f[B]\[en]offline\f[]=\f[I]FILE\f[]: Specifies the file +that contains an EK retrieved from offline platform that needs to be +provisioned. +.IP \[bu] 2 +\f[B]\-E\f[], \f[B]\[en]ec\-cert\f[]=\f[I]EC_CERT_FILE\f[]: Specifies +the file used to save the Endorsement Credentials retrieved from the TPM +manufacturer provisioning server. +Defaults to stdout if not specified. +.IP \[bu] 2 +\f[B]\-U\f[], \f[B]\[en]SSL_NO_VERIFY\f[]: specifies to attempt +connecting with the TPM manufacturer provisioning server with +SSL_NO_VERIFY option. +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional +Input session handle from a policy session for authorization. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH Supported Public Object Algorithms +.PP +Supported public object algorithms are: +.IP \[bu] 2 +\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] +(\f[B]default\f[]). +.IP \[bu] 2 +\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. +.IP \[bu] 2 +\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. +.IP \[bu] 2 +\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Algorithm Specfiers +.PP +Options that take algorithms support \[lq]nice\-names\[rq]. +Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. +The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] +from the Algorithm Name field and converting it to lower case. +For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. +.PP +The algorithms can be found at: + +.SH NOTES +.PP +When the verbose option is specified, additional curl debugging +information is provided by setting the curl mode verbose, see: + for more +information. +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_getmanufec\ \-e\ abc123\ \-o\ abc123\ \-P\ passwd\ \-H\ 0x81010001\-g\ 0x01\ \-O\ \-N\ \-U\ \-E\ ECcert.bin\ \-f\ ek.bin\ https://tpm.manufacturer.com/ekcertserver/ +tpm2_getmanufec\ \-e\ 1a1b1c\ \-o\ 1a1b1c\ \-P\ 123abc\ \-H\ 0x81010001\-g\ 0x01\ \-O\ \-N\ \-U\ \-E\ ECcert.bin\ \-f\ ek.bin\ https://tpm.manufacturer.com/ekcertserver/ +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_getpubak.1 tpm2-tools-3.0.4-new/man/man1/tpm2_getpubak.1 --- tpm2-tools-3.0.4/man/man1/tpm2_getpubak.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_getpubak.1 2018-09-10 07:57:14.258577505 -0700 @@ -0,0 +1,242 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_getpubak" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_getpubak\f[](1) \- Generate attestation key with given +algorithm under the endorsement hierarchy. +.SH SYNOPSIS +.PP +\f[B]tpm2_getpubak\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_getpubak\f[](1) \- Generate attestation key with given +algorithm under endorsement hierarchy, make it persistent with given ak +handle, and return pub AK and AK name. +If any passwd option is missing, assume NULL. +.PP +The tool outputs to stdout a YAML representation of the loaded key +handle as well as it's name, for example: +.IP +.nf +\f[C] +loaded\-key: +\ \ handle:\ 800000ff +\ \ name:\ 000bac149518baa05540a0678bd9b624f8a98d042e46c60f4d098ba394d36fc49268 +\f[] +.fi +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-e\f[], \f[B]\[en]endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]: +Specifies current endorsement password, defaults to NULL. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]ak\-passwd\f[]=\f[I]AK_PASSWORD\f[] Specifies +the AK password when created, defaults to NULL. +Same formatting as the endorse password value or \-e option. +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[] +Specifies the current owner password, defaults to NULL. +Same formatting as the endorse password value or \-e option. +.IP \[bu] 2 +\f[B]\-E\f[], \f[B]\[en]ek\-handle\f[]=\f[I]EK_HANDLE\f[]: Specifies the +handle used to make EK persistent. +.IP \[bu] 2 +\f[B]\-k\f[], \f[B]\[en]ak\-handle\f[]=\f[I]AK_HANDLE\f[]: Specifies the +handle used to make AK persistent. +.IP \[bu] 2 +\f[B]\-g\f[], \f[B]\[en]alg\f[]=\f[I]ALGORITHM\f[]: Specifies the +algorithm type of AK. +Algorithms should follow the " formatting standards, see section +\[lq]Algorithm Specifiers\[rq]. +See section \[lq]Supported Public Object Algorithms\[rq] for a list of +supported object algorithms. +.IP \[bu] 2 +\f[B]\-g\f[], \f[B]\[en]alg\f[]=\f[I]ALGORITHM\f[]: Like \-g, but +specifies the algorithm of sign. +See section \[lq]Supported Signing Algorithms\[rq] for details. +.IP \[bu] 2 +\f[B]\-f\f[], \f[B]\[en]file\f[]=\f[I]FILE\f[]: Specifies the file used +to save the public portion of AK. +This will be a binary data structure corresponding to the TPM2B_PUBLIC +struct in the specification. +.IP \[bu] 2 +\f[B]\-n\f[], \f[B]\[en]ak\-name\f[]=\f[I]NAME\f[]: Specifies the file +used to save the ak name, optional. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH Supported Signing Algorithms +.PP +Supported algorithms are: +.IP \[bu] 2 +\f[B]0x5\f[] or \f[B]hmac\f[] for \f[B]TPM_ALG_HMAC\f[] +\f[B](default)\f[] +.IP \[bu] 2 +\f[B]0x14\f[] or \f[B]rsassa\f[] for \f[B]TPM_ALG_RSASSA\f[] +.IP \[bu] 2 +\f[B]0x16\f[] or \f[B]rsapss\f[] for \f[B]TPM_ALG_RSAPSS\f[] +.IP \[bu] 2 +\f[B]0x18\f[] or \f[B]ecdsa\f[] for \f[B]TPM_ALG_ECDSA\f[] +.IP \[bu] 2 +\f[B]0x1A\f[] or \f[B]ecdaa\f[] for \f[B]TPM_ALG_ECDAA\f[] +.IP \[bu] 2 +\f[B]0x1B\f[] or \f[B]sm2\f[] for \f[B]TPM_ALG_SM2\f[] +.IP \[bu] 2 +\f[B]0x1C\f[] or \f[B]ecschnorr\f[] for \f[B]TPM_ALG_ECSCHNORR\f[] +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Supported Public Object Algorithms +.PP +Supported public object algorithms are: +.IP \[bu] 2 +\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] +(\f[B]default\f[]). +.IP \[bu] 2 +\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. +.IP \[bu] 2 +\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. +.IP \[bu] 2 +\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Algorithm Specfiers +.PP +Options that take algorithms support \[lq]nice\-names\[rq]. +Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. +The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] +from the Algorithm Name field and converting it to lower case. +For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. +.PP +The algorithms can be found at: + +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_getpubak\ \-e\ abc123\ \-P\ abc123\ \-o\ passwd\ \-E\ 0x81010001\ \-k\ 0x81010002\ \-f\ ./ak.pub\ \-n\ ./ak.name +tpm2_getpubak\ \-e\ 1a1b1c\ \-P\ 123abc\ \-o\ 1a1b1c\ \-X\ \-E\ 0x81010001\ \-k\ 0x81010002\ \-f\ ./ak.pub\ \-n\ ./ak.name +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_getpubek.1 tpm2-tools-3.0.4-new/man/man1/tpm2_getpubek.1 --- tpm2-tools-3.0.4/man/man1/tpm2_getpubek.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_getpubek.1 2018-09-10 07:57:14.443574977 -0700 @@ -0,0 +1,189 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_getpubek" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_getpubek\f[](1) \- Generate TCG profile compliant endorsement +key. +.SH SYNOPSIS +.PP +\f[B]tpm2_getpubek\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_getpubek\f[](1) \- Generate TCG profile compliant endorsement +key(endorsement hierarchy primary object), make it persistent with give +ek handle, and return public EK, if any passwd option is missing, assume +NULL. +.PP +Refer to: + +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-e\f[], \f[B]\[en]endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]: +Specifies current endorsement password, defaults to NULL. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[] +Specifies the current owner password, defaults to NULL. +Same formatting as the endorse password value or \-e option. +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]eKPasswd\f[]=\f[I]EK_PASSWORD\f[] Specifies the +EK password when created, defaults to NULL. +Same formatting as the endorse password value or \-e option. +.IP \[bu] 2 +\f[B]\-H\f[], \f[B]\[en]handle\f[]=\f[I]HANDLE\f[]: specifies the handle +used to make EK persistent (hex). +.IP \[bu] 2 +\f[B]\-g\f[], \f[B]\[en]alg\f[]=\f[I]ALGORITHM\f[]: specifies the +algorithm type of EK. +See section \[lq]Supported Public Object Algorithms\[rq] for a list of +supported object algorithms. +See section \[lq]Algorithm Specifiers\[rq] on how to specify an +algorithm argument. +.IP \[bu] 2 +\f[B]\-f\f[], \f[B]\[en]file\f[]=\f[I]FILE\f[]: specifies the file used +to save the public portion of EK. +This will be a binary data structure corresponding to the TPM2B_PUBLIC +struct in the specification. +.IP \[bu] 2 +\f[B]\-S\f[], \f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION\f[]: +Optional Input session handle from a policy session for authorization. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Supported Public Object Algorithms +.PP +Supported public object algorithms are: +.IP \[bu] 2 +\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] +(\f[B]default\f[]). +.IP \[bu] 2 +\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. +.IP \[bu] 2 +\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. +.IP \[bu] 2 +\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Algorithm Specfiers +.PP +Options that take algorithms support \[lq]nice\-names\[rq]. +Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. +The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] +from the Algorithm Name field and converting it to lower case. +For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. +.PP +The algorithms can be found at: + +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_getpubek\ \-e\ abc123\ \-o\ abc123\ \-P\ passwd\ \-H\ 0x81010001\ \-g\ rsa\ \-f\ ek.pub +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_getrandom.1 tpm2-tools-3.0.4-new/man/man1/tpm2_getrandom.1 --- tpm2-tools-3.0.4/man/man1/tpm2_getrandom.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_getrandom.1 2018-09-10 07:57:14.625572490 -0700 @@ -0,0 +1,144 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_getrandom" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_getrandom\f[](1) \- Retrieves random bytes from the TPM. +.SH SYNOPSIS +.PP +\f[B]tpm2_getrandom\f[] [\f[I]OPTIONS\f[]] \f[I]SIZE\f[] +.SH DESCRIPTION +.PP +\f[B]tpm2_getrandom\f[](1) \- Returns the next \f[I]SIZE\f[] octets from +the random number generator. +The \f[I]SIZE\f[] parameter is expected as the only argument to the +tool. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]output\f[]=\f[I]FILE\f[] specifies the filename +to output the raw bytes to. +Defaults to stdout as a hex string. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH EXAMPLES +.PP +Generate a random 20 bytes and output the binary data to a file: +.IP +.nf +\f[C] +tpm2_getrandom\ \-o\ random.out\ 20 +\f[] +.fi +.PP +Generate a random 8 bytes and output the hex formated data to stdout: +.IP +.nf +\f[C] +tpm2_getrandom\ 8 +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_hash.1 tpm2-tools-3.0.4-new/man/man1/tpm2_hash.1 --- tpm2-tools-3.0.4/man/man1/tpm2_hash.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_hash.1 2018-09-10 07:57:14.800570098 -0700 @@ -0,0 +1,189 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_hash" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_hash\f[](1) \- Performs a hash operation with the TPM. +.SH SYNOPSIS +.PP +\f[B]tpm2_hash\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] +.SH DESCRIPTION +.PP +\f[B]tpm2_hash\f[](1) \- performs a hash operation on \f[I]FILE\f[] and +returns the results. +If \f[I]FILE\f[] is not specified, then data is read from stdin. +If the results of the hash will be used in a signing operation that uses +a restricted signing key, then the ticket returned by this command can +indicate that the hash is safe to sign. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-H\f[], \f[B]\[en]hierarchy\f[]=\f[I]HIERARCHY\f[]: hierarchy to +use for the ticket. +Supported options are: +.RS 2 +.IP \[bu] 2 +\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[] +.IP \[bu] 2 +\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[] +.IP \[bu] 2 +\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[] +.IP \[bu] 2 +\f[B]n\f[] for \f[B]TPM_RH_NULL\f[] +.RE +.IP \[bu] 2 +\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]HASH_ALGORITHM\f[]: The hash +algorithm to use. +Algorithms should follow the \[lq]formatting standards, see +section\[rq]Algorithm Specifiers\[lq]. Also, see section\[rq]Supported +Hash Algorithms" for a list of supported hash algorithms. +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]outfile\f[]=\f[I]OUT_FILE\f[] Optional file +record of the hash result. +Defaults to stdout in hex form. +.IP \[bu] 2 +\f[B]\-t\f[], \f[B]\[en]ticket\f[]=\f[I]TICKET_FILE\f[] Optional file +record of the ticket result. +Defaults to stdout in hex form. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Supported Hash Algorithms +.PP +Supported hash algorithms are: +.IP \[bu] 2 +\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] +\f[B](default)\f[] +.IP \[bu] 2 +\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] +.IP \[bu] 2 +\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] +.IP \[bu] 2 +\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] +.IP \[bu] 2 +\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Algorithm Specfiers +.PP +Options that take algorithms support \[lq]nice\-names\[rq]. +Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. +The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] +from the Algorithm Name field and converting it to lower case. +For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. +.PP +The algorithms can be found at: + +.SH EXAMPLES +.PP +Hash a file with sha1 hash algorithm and save the hash and ticket to a +file: +.IP +.nf +\f[C] +tpm2_hash\ \-H\ e\ \-g\ sha1\ \-o\ hash.bin\ \-t\ ticket.bin\ data.txt +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_hmac.1 tpm2-tools-3.0.4-new/man/man1/tpm2_hmac.1 --- tpm2-tools-3.0.4/man/man1/tpm2_hmac.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_hmac.1 2018-09-10 07:57:14.979567652 -0700 @@ -0,0 +1,214 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_hmac" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_hmac\f[](1) \- Performs an HMAC operation with the TPM. +.SH SYNOPSIS +.PP +\f[B]tpm2_hmac\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] +.SH DESCRIPTION +.PP +\f[B]tpm2_hmac\f[](1) \- performs an HMAC operation on \f[I]FILE\f[] and +returns the results. +If \f[I]FILE\f[] is not specified, then data is read from stdin. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_CONTEXT_FILE\f[]: The +key handle for the symmetric signing key providing the HMAC key. +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: The +filename of the key context used for the operation. +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: The password for +key, optional. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]HASH_ALGORITHM\f[]: The hash +algorithm to use. +Algorithms should follow the \[lq]formatting standards, see +section\[rq]Algorithm Specifiers\[lq]. Also, see section\[rq]Supported +Hash Algorithms" for a list of supported hash algorithms. +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]outfile\f[]=\f[I]OUT_FILE\f[] Optional file +record of the HMAC result. +Defaults to stdout. +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional +Input session handle from a policy session for authorization. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH Supported Hash Algorithms +.PP +Supported hash algorithms are: +.IP \[bu] 2 +\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] +\f[B](default)\f[] +.IP \[bu] 2 +\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] +.IP \[bu] 2 +\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] +.IP \[bu] 2 +\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] +.IP \[bu] 2 +\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Algorithm Specfiers +.PP +Options that take algorithms support \[lq]nice\-names\[rq]. +Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. +The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] +from the Algorithm Name field and converting it to lower case. +For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. +.PP +The algorithms can be found at: + +.SH EXAMPLES +.PP +Perform a SHA1 HMAC on data.in and send output and possibly ticket to +stdout: +.IP +.nf +\f[C] +tpm2_hmac\ \-k\ 0x81010002\ \-P\ abc123\ \-g\ sha1\ data.in +\f[] +.fi +.PP +Perform a SHA1 HMAC on data.in read as a file to stdin and send output +to a file: +.IP +.nf +\f[C] +tpm2_hmac\ \-c\ key.context\ \-P\ abc123\ \-g\ sha1\ \-o\ hash.out\ <<\ data.in +\f[] +.fi +.PP +Perform a SHA256 HMAC on \f[I]stdin\f[] and send result and possibly +ticket to stdout: +.PP +cat data.in | tpm2_hmac \-k 0x81010002 \-g sha256 \-o hash.out ``` +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_listpersistent.1 tpm2-tools-3.0.4-new/man/man1/tpm2_listpersistent.1 --- tpm2-tools-3.0.4/man/man1/tpm2_listpersistent.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_listpersistent.1 2018-09-10 07:57:15.157565219 -0700 @@ -0,0 +1,185 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_listpersistent" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_listpersistent\f[](1) \- Display all defined persistent +objects. +.SH SYNOPSIS +.PP +\f[B]tpm2_listpersistent\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] +.SH DESCRIPTION +.PP +\f[B]tpm2_listpersistent\f[](1) \- display all defined persistent +objects. +.SH OPTIONS +.PP +These options for listing the persistent objects: +.IP \[bu] 2 +\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]ALGORITHM\f[]: Only display +persistent objects using this hash algorithm. +Algorithms should follow the " formatting standards, see section +\[lq]Algorithm Specifiers\[rq]. +Also, see section \[lq]Supported Hash Algorithms\[rq] for a list of +supported hash algorithms. +.IP \[bu] 2 +\f[B]\-G\f[], \f[B]\[en]kalg\f[]=\f[I]KEY_ALGORITHM\f[]: Only display +persistent objects using this key algorithm. +It accepts friendly names just like \f[B]\-g\f[] option. +See section \[lq]Supported Public Object Algorithms\[rq] for a list of +supported object algorithms. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Supported Hash Algorithms +.PP +Supported hash algorithms are: +.IP \[bu] 2 +\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] +\f[B](default)\f[] +.IP \[bu] 2 +\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] +.IP \[bu] 2 +\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] +.IP \[bu] 2 +\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] +.IP \[bu] 2 +\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Supported Public Object Algorithms +.PP +Supported public object algorithms are: +.IP \[bu] 2 +\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] +(\f[B]default\f[]). +.IP \[bu] 2 +\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. +.IP \[bu] 2 +\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. +.IP \[bu] 2 +\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Algorithm Specfiers +.PP +Options that take algorithms support \[lq]nice\-names\[rq]. +Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. +The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] +from the Algorithm Name field and converting it to lower case. +For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. +.PP +The algorithms can be found at: + +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_listpersistent +tpm2_listpersistent\ \-g\ sha256\ \-G\ ecc +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_load.1 tpm2-tools-3.0.4-new/man/man1/tpm2_load.1 --- tpm2-tools-3.0.4/man/man1/tpm2_load.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_load.1 2018-09-10 07:57:15.346562636 -0700 @@ -0,0 +1,176 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_load" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_load\f[](1) \- Load an object into the TPM. +.SH SYNOPSIS +.PP +\f[B]tpm2_load\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_load\f[](1) \- Load both the private and public portions of an +object into the TPM. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-H\f[], \f[B]\[en]parent\f[]=\f[I]PARENT_HANDLE\f[]: The handle of +the parent object. +Either this option or \f[B]\-c\f[] must be used. +.IP \[bu] 2 +\f[B]\-c\f[], +\f[B]\[en]context\-parent\f[]=\f[I]PARENT_CONTEXT_FILE\f[]: The filename +for parent context. +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: The +password for parent key, optional. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-u\f[], \f[B]\[en]pubfile\f[]=\f[I]PUBLIC_OBJECT_DATA_FILE\f[]: A +file containing the public portion of the object. +.IP \[bu] 2 +\f[B]\-r\f[], \f[B]\[en]privfile\f[]=\f[I]PRIVATE_OBJECT_DATA_FILE\f[]: +A file containing the sensitive portion of the object. +.IP \[bu] 2 +\f[B]\-n\f[], \f[B]\[en]name\f[]=\f[I]NAME_DATA_FILE\f[]: An optional +file to save the name structure of the object. +.IP \[bu] 2 +\f[B]\-C\f[], \f[B]\[en]context\f[]=\f[I]CONTEXT_FILE\f[]: An optional +file to save the object context to. +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional +Input session handle from a policy session for authorization. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_load\ \ \-H\ 0x80000000\ \-P\ abc123\ \-u\ \ \-r\ \ \-n\ +tpm2_load\ \ \-c\ parent.context\ \-P\ abc123\ \-u\ \ \-r\ \ \-n\ \ \-C\ object.context +tpm2_load\ \ \-H\ 0x80000000\ \-P\ "hex:123abc"\ \-u\ \ \-r\ \ \-n\ +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_loadexternal.1 tpm2-tools-3.0.4-new/man/man1/tpm2_loadexternal.1 --- tpm2-tools-3.0.4/man/man1/tpm2_loadexternal.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_loadexternal.1 2018-09-10 07:57:15.520560258 -0700 @@ -0,0 +1,166 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_loadexternal" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_loadexternal\f[](1) \- load an object that is not a Protected +Object into the TPM. +.SH SYNOPSIS +.PP +\f[B]tpm2_loadexternal\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_loadexternal\f[](1) \- load an object that is not a Protected +Object into the TPM. +The command allows loading of a public area or both a public and a +sensitive area. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-H\f[], \f[B]\[en]hierarchy\f[]=\f[I]HIERARCHY\f[]: hierarchy to +use for the ticket. +Supported options are: +.RS 2 +.IP \[bu] 2 +\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[] +.IP \[bu] 2 +\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[] +.IP \[bu] 2 +\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[] +.IP \[bu] 2 +\f[B]n\f[] for \f[B]TPM_RH_NULL\f[] +.RE +.IP \[bu] 2 +\f[B]\-u\f[], \f[B]\[en]pubfile\f[]=\f[I]PUBLIC_FILE\f[]: The public +portion of the object. +.IP \[bu] 2 +\f[B]\-r\f[], \f[B]\[en]privfile\f[]=\f[I]PRIVATE_FILE\f[]: The +sensitive portion of the object, optional. +.IP \[bu] 2 +\f[B]\-C\f[], \f[B]\[en]context\f[]=\f[I]CONTEXT_FILE\f[] The file to +save the object context, optional. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH EXAMPLES +.PP +Load a public area generated by tpm2_create, tpm2_readpublic or manually +.IP +.nf +\f[C] +tpm2_loadexternal\ \-H\ \ \-u\ \ \-C\ object.context +\f[] +.fi +.PP +Load a key with sensitive area. +Both the public & the senstive areas shall be generated externally. +\f[I]DON'T\f[] use the areas generated by tpm2_create. +.IP +.nf +\f[C] +tpm2_loadexternal\ \-H\ n\ \-u\ \ \-r\ \ \-C\ object.context +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_makecredential.1 tpm2-tools-3.0.4-new/man/man1/tpm2_makecredential.1 --- tpm2-tools-3.0.4/man/man1/tpm2_makecredential.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_makecredential.1 2018-09-10 07:57:15.705557730 -0700 @@ -0,0 +1,142 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_makecredential" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_makecredential\f[](1) \- load an object that is not a +Protected Object into the TPM. +.SH SYNOPSIS +.PP +\f[B]tpm2_makecredential\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_makecredential\f[](1) \- Use a TPM public key to protect a +secret that is used to encrypt the AK certififcate. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-e\f[], \f[B]\[en]enckey\f[]=\f[I]PUBLIC_FILE\f[]: A tpm Public +Key which was used to wrap the seed. +.IP \[bu] 2 +\f[B]\-s\f[], \f[B]\[en]sec\f[]=\f[I]SECRET_DATA_FILE\f[]: The secret +which will be protected by the key derived from the random seed. +.IP \[bu] 2 +\f[B]\-n\f[], \f[B]\[en]name\f[]=\f[I]NAME\f[] The name of the key for +which certificate is to be created. +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]out\-file\f[]=\f[I]OUT_FILE\f[] The output file +path, recording the two structures output by tpm2_makecredential +function. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_makecredential\ \-e\ \ \-s\ \ \-n\ \ \-o\ +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_nvdefine.1 tpm2-tools-3.0.4-new/man/man1/tpm2_nvdefine.1 --- tpm2-tools-3.0.4/man/man1/tpm2_nvdefine.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_nvdefine.1 2018-09-10 07:57:15.879555352 -0700 @@ -0,0 +1,204 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_nvdefine" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_nvdefine\f[](1) \- define a TPM Non\-Volatile (NV) index. +.SH SYNOPSIS +.PP +\f[B]tpm2_nvdefine\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_nvdefine\f[](1) \- Define NV index with given auth value. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-x\f[], \f[B]\[en]index\f[]=\f[I]NV_INDEX\f[]: Specifies the index +to define the space at. +.IP \[bu] 2 +\f[B]\-a\f[], \f[B]\[en]auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: +specifies the handle used to authorize: +.RS 2 +.IP \[bu] 2 +\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] +.IP \[bu] 2 +\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] +.RE +.IP \[bu] 2 +\f[B]\-s\f[], \f[B]\[en]size\f[]=\f[I]SIZE\f[]: specifies the size of +data area in bytes. +Defaults to MAX_NV_INDEX_SIZE which is typically 2048. +.IP \[bu] 2 +\f[B]\-t\f[], \f[B]\[en]attributes\f[]=\f[I]ATTRIBUTES\f[] Specifies the +attribute values for the nv region used when creating the entitiy. +Either the raw bitfield mask or \[lq]nice\-names\[rq] may be used. +See section \[lq]NV Attributes\[rq] for more details. +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: +specifies the password of authHandle. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-I\f[], \f[B]\[en]index\-passwd\f[]=\f[I]INDEX_PASSWORD\f[]: +specifies the password of NV Index when created. +Follows the same formatting guidelines as the handle password or \-P +option. +.IP \[bu] 2 +\f[B]\-L\f[], \f[B]\[en]policy\-file\f[]=\f[I]POLICY_FILE\f[]: Specifies +the policy digest file for policy based authorizations. +.IP \[bu] 2 +\f[B]\-S\f[], \f[B]\[en]input\-session\-handle\f[]=\f[I]SIZE\f[]: +Optional Input session handle from a policy session for authorization. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH NV Attributes +.PP +NV Attributes are used to control various properties of the NV defined +space. +When specified as an option, either the raw bitfield mask or +\[lq]nice\-names\[rq] may be used. +The values can be found in Table 204 Part 2 of the TPM2.0 specification, +which can be found here: +.PP + +.PP +Nice names are calculated by taking the name field of table 204 and +removing the prefix \f[B]TPMA_NV_\f[] and lowercasing the result. +Thus, \f[B]TPMA_NV_PPWRITE\f[] becomes ppwrite. +Nice names can be joined using the bitwise or \[lq]|\[rq] symbol. +.PP +Note that the \f[B]TPM_NT\f[] field is 4 bits wide, and thus can be set +via \f[B]nt=\f[] format. +For instance, to set The fields \f[B]TPMA_NV_OWNERREAD\f[], +\f[B]TPMA_NV_OWNERWRITE\f[], \f[B]TPMA_NV_POLICYWRITE\f[], and +\f[B]TPMA_NT = 0x3\f[], the argument would be: +.PP +\f[B]ownerread|ownerwrite|policywrite|nt=0x3\f[] # Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_nvdefine\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32\ \-t\ 0x2000A +tpm2_nvdefine\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32\ \-t\ ownerread|ownerwrite|policywrite\ \-I\ 1a1b1c +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_nvlist.1 tpm2-tools-3.0.4-new/man/man1/tpm2_nvlist.1 --- tpm2-tools-3.0.4/man/man1/tpm2_nvlist.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_nvlist.1 2018-09-10 07:57:16.056552933 -0700 @@ -0,0 +1,192 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_nvlist" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_nvlist\f[](1) \- display all defined Non\-Volatile (NV)s +indices. +.SS SYNOPSIS +.PP +\f[B]tpm2_nvlist\f[] [\f[I]OPTIONS\f[]] +.SS DESCRIPTION +.PP +\f[B]tpm2_nvlist\f[](1) \- display all defined Non\-Volatile (NV)s +indices to stdout in a YAML format. +.PP +Display metadata for all defined NV indices. +Metadata includes: +.IP \[bu] 2 +The size of the defined region. +.IP \[bu] 2 +The hash algorithm used to compute the name of the index. +.IP \[bu] 2 +The auth policy. +.IP \[bu] 2 +The NV attributes as defined in section \[lq]NV Attributes\[rq]. +.PP +Example Output: +.IP +.nf +\f[C] +0x1500015: +\ \ hash\ algorithm: +\ \ \ \ friendly:\ sha256 +\ \ \ \ value:\ 0xB +\ \ attributes: +\ \ \ \ friendly:\ ownerwrite|ownerread +\ \ \ \ value:\ 0x2000200 +\ \ size:\ 32 +\ \ authorization\ policy: + +0x1500017: +\ \ hash\ algorithm: +\ \ \ \ friendly:\ sha256 +\ \ \ \ value:\ 0xB +\ \ attributes: +\ \ \ \ friendly:\ ownerwrite|ownerread +\ \ \ \ value:\ 0x2000200 +\ \ size:\ 32 +\ \ authorization\ policy: +\f[] +.fi +.SH OPTIONS +.PP +This tool takes no tool specific options. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH NV Attributes +.PP +NV Attributes are used to control various properties of the NV defined +space. +When specified as an option, either the raw bitfield mask or +\[lq]nice\-names\[rq] may be used. +The values can be found in Table 204 Part 2 of the TPM2.0 specification, +which can be found here: +.PP + +.PP +Nice names are calculated by taking the name field of table 204 and +removing the prefix \f[B]TPMA_NV_\f[] and lowercasing the result. +Thus, \f[B]TPMA_NV_PPWRITE\f[] becomes ppwrite. +Nice names can be joined using the bitwise or \[lq]|\[rq] symbol. +.PP +Note that the \f[B]TPM_NT\f[] field is 4 bits wide, and thus can be set +via \f[B]nt=\f[] format. +For instance, to set The fields \f[B]TPMA_NV_OWNERREAD\f[], +\f[B]TPMA_NV_OWNERWRITE\f[], \f[B]TPMA_NV_POLICYWRITE\f[], and +\f[B]TPMA_NT = 0x3\f[], the argument would be: +.PP +\f[B]ownerread|ownerwrite|policywrite|nt=0x3\f[] # EXAMPLES +.PP +To list the defined NV indeces to stdout: +.IP +.nf +\f[C] +tpm2_nvlist +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_nvread.1 tpm2-tools-3.0.4-new/man/man1/tpm2_nvread.1 --- tpm2-tools-3.0.4/man/man1/tpm2_nvread.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_nvread.1 2018-09-10 07:57:16.235550487 -0700 @@ -0,0 +1,194 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_nvread" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_nvread\f[](1) \- Read the data stored in a Non\-Volatile (NV)s +index. +.SH SYNOPSIS +.PP +\f[B]tpm2_nvread\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_nvread\f[](1) \- Read the data stored in a Non\-Volatile (NV)s +index. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-x\f[], \f[B]\[en]index\f[]=\f[I]NV_INDEX\f[]: Specifies the index +to define the space at. +.IP \[bu] 2 +\f[B]\-a\f[], \f[B]\[en]auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: +specifies the handle used to authorize: +.RS 2 +.IP \[bu] 2 +\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] +.IP \[bu] 2 +\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] +.RE +.IP \[bu] 2 +\f[B]\-f\f[], \f[B]\[en]output\f[]=\f[I]FILE\f[]: file to write data +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: +specifies the password of authHandle. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-s\f[], \f[B]\[en]size\f[]=\f[I]SIZE\f[]: Specifies the size of +data to be read in bytes, starting from 0 if offset is not specified. +If not specified, the size of the data as reported by the public portion +of the index will be used. +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]offset\f[]=\f[I]OFFSET\f[]: The offset within +the NV index to start reading from. +.IP \[bu] 2 +\f[B]\-S\f[], \f[B]\[en]input\-session\-handle\f[]=\f[I]SIZE\f[]: +Optional Input session handle from a policy session for authorization. +.IP \[bu] 2 +\f[B]\-L\f[], \f[B]\[en]set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]: +.RS 2 +.PP +The list of pcr banks and selected PCRs' ids. +\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers +standards, see section \[lq]PCR Bank Specfiers\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-F\f[],**\[en]pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[] +.RS 2 +.PP +Optional Path or Name of the file containing expected pcr values for the +specified index. +Default is to read the current PCRs per the set list. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH EXAMPLES +.PP +To read 32 bytes from an index starting at offset 0: +.IP +.nf +\f[C] +tpm2_nvread\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32 +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_nvreadlock.1 tpm2-tools-3.0.4-new/man/man1/tpm2_nvreadlock.1 --- tpm2-tools-3.0.4/man/man1/tpm2_nvreadlock.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_nvreadlock.1 2018-09-10 07:57:16.415548027 -0700 @@ -0,0 +1,169 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_nvreadlock" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_nvreadlock\f[](1) \- lock the Non\-Volatile (NV) index for +further reads. +.SH SYNOPSIS +.PP +\f[B]tpm2_nvreadlock\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_nvreadlock\f[](1) \- lock the Non\-Volatile (NV) index for +further reads. +The index is released on subsequent restart of the machine. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-x\f[], \f[B]\[en]index\f[]=\f[I]NV_INDEX\f[]: Specifies the index +to define the space at. +.IP \[bu] 2 +\f[B]\-a\f[], \f[B]\[en]auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: +specifies the handle used to authorize: +.RS 2 +.IP \[bu] 2 +\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] +.IP \[bu] 2 +\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] +.RE +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: +specifies the password of authHandle. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-S\f[], \f[B]\[en]input\-session\-handle\f[]=\f[I]SIZE\f[]: +Optional Input session handle from a policy session for authorization. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH EXAMPLES +.PP +To lock an index protected by a password: +.IP +.nf +\f[C] +tpm2_nvreadlock\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-P\ passwd +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_nvrelease.1 tpm2-tools-3.0.4-new/man/man1/tpm2_nvrelease.1 --- tpm2-tools-3.0.4/man/man1/tpm2_nvrelease.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_nvrelease.1 2018-09-10 07:57:16.603545458 -0700 @@ -0,0 +1,168 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_nvrelease" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_nvrelease\f[](1) \- Release a Non\-Volatile (NV) index. +.SH SYNOPSIS +.PP +\f[B]tpm2_nvrelease\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_nvrelease\f[](1) \- Release a Non\-Volatile (NV) index that +was previously defined with tpm2_nvdefine(1). +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-x\f[], \f[B]\[en]index\f[]=\f[I]NV_INDEX\f[]: Specifies the index +to release. +.IP \[bu] 2 +\f[B]\-a\f[], \f[B]\[en]auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: +specifies the handle used to authorize: +.RS 2 +.IP \[bu] 2 +\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] +.IP \[bu] 2 +\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] +.RE +.IP \[bu] 2 +\f[B]\-s\f[], \f[B]\[en]size\f[]=\f[I]SIZE\f[]: specifies the size of +data area in bytes. +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: +specifies the password of authHandle. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-S\f[], \f[B]\[en]input\-session\-handle\f[]=\f[I]SIZE\f[]: +Optional Input session handle from a policy session for authorization. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_nvrelease\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-P\ passwd +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_nvwrite.1 tpm2-tools-3.0.4-new/man/man1/tpm2_nvwrite.1 --- tpm2-tools-3.0.4/man/man1/tpm2_nvwrite.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_nvwrite.1 2018-09-10 07:57:16.788542929 -0700 @@ -0,0 +1,187 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_nvwrite" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_nvwrite\f[](1) \- Write data to a Non\-Volatile (NV) index. +.SH SYNOPSIS +.PP +\f[B]tpm2_nvwrite\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] +.SH DESCRIPTION +.PP +\f[B]tpm2_nvwrite\f[](1) \- Write data specified via \f[I]FILE\f[] to a +Non\-Volatile (NV) index. +If \f[I]FILE\f[] is not specified, it defaults to stdout. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-x\f[], \f[B]\[en]index\f[]=\f[I]NV_INDEX\f[]: Specifies the index +to define the space at. +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]offset\f[]=\f[I]OFFSET\f[]: The offset within +the NV index to start writing at. +.IP \[bu] 2 +\f[B]\-a\f[], \f[B]\[en]auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: +specifies the handle used to authorize: +.RS 2 +.IP \[bu] 2 +\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] +.IP \[bu] 2 +\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] +.RE +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: +specifies the password of authHandle. +Passwords should follow the \[lq]password formatting standards, see +section\[rq]Password Formatting“. +.IP \[bu] 2 +\f[B]\-S\f[], \f[B]\[en]input\-session\-handle\f[]=\f[I]SIZE\f[]: +Optional Input session handle from a policy session for authorization. +.IP \[bu] 2 +\f[B]\-L\f[], \f[B]\[en]set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]: +.RS 2 +.PP +The list of pcr banks and selected PCRs' ids. +\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers +standards, see section \[lq]PCR Bank Specfiers\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-F\f[],**\[en]pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[] +.RS 2 +.PP +Optional Path or Name of the file containing expected pcr values for the +specified index. +Default is to read the current PCRs per the set list. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH EXAMPLES +.PP +To write the file nv.data to index 0x150016: +.IP +.nf +\f[C] +tpm2_nvwrite\ \-x\ 0x1500016\ \-a\ 0x40000001\ nv.data +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_pcrevent.1 tpm2-tools-3.0.4-new/man/man1/tpm2_pcrevent.1 --- tpm2-tools-3.0.4/man/man1/tpm2_pcrevent.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_pcrevent.1 2018-09-10 07:57:16.965540510 -0700 @@ -0,0 +1,162 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_pcrevent" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_pcrevent\f[](1) \- hashes a file and optionally extends a pcr. +.SH SYNOPSIS +.PP +\f[B]tpm2_pcrevent\f[] [\f[I]OPTIONS\f[]] [\f[I]FILE\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_pcrevent\f[](1) hashes \f[I]FILE\f[] if specified or stdin. +It uses all of the hashing algorithms that the tpm supports. +Optionally, if a pcr index is specified, it extends that pcr for all +supported algorithms with the hash digest. +In either case, it outputs to stdout the hash algorithm used and the +digest value, one per line: +.PP +\f[I]alg\f[]:\f[I]digest\f[] +.PP +Where \f[I]alg\f[] is the algorithm used (eg. +sha1) and \f[I]digest\f[] is the digest resulting from the hash +computation of \f[I]alg\f[] on the data. +.PP +See sections 23.1 and sections 17 of the TPM2.0 +Specification (https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf) +.SH OPTIONS +.PP +These options control extending the pcr: +.IP \[bu] 2 +\f[B]\-i\f[], \f[B]\[en]pcr\-index\f[]=\f[I]INDEX\f[]: Not only compute +the hash digests on \f[I]FILE\f[], also extend the pcr given by +\f[I]INDEX\f[] for all supported hash algorithms. +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Use +\f[I]SESSION_HANDLE\f[] for providing an authorization session for the +pcr specified by \f[I]INDEX\f[]. +It is an error to specify \f[B]\-S\f[] without specifying a pcr index +with \f[B]\-i\f[]. +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]password\f[]=\f[I]PASSWORD\f[]: Use +\f[I]PASSWORD\f[] for providing an authorization value for the pcr +specified in \f[I]INDEX\f[]. +It is an error to specify \f[B]\-P\f[] without specifying a pcr index +with \f[B]\-i\f[]. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH EXAMPLES +.PP +Hash a file: +.PP +tpm2_pcrevent data +.PP +Hash a file and extend pcr 8: +.PP +tpm2_pcrevent \-i 8 data +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_pcrextend.1 tpm2-tools-3.0.4-new/man/man1/tpm2_pcrextend.1 --- tpm2-tools-3.0.4/man/man1/tpm2_pcrextend.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_pcrextend.1 2018-09-10 07:57:17.146538037 -0700 @@ -0,0 +1,178 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_pcrextend" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_pcrextend\f[](1) \- Extends a PCR. +.SH SYNOPSIS +.PP +\f[B]tpm2_pcrextend\f[] [\f[I]OPTIONS\f[]] [\f[I]PCR_DIGEST_SPEC\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_pcrextend\f[](1) Extends the pcrs with values indicated by +\f[I]PCR_DIGEST_SPEC\f[]. +.PP +A \f[I]PCR_DIGEST_SPEC\f[] is defined as follows: +.IP \[bu] 2 +A numerical pcr identifier. +.IP \[bu] 2 +A colon followed by the algorithm hash specification. +The algorithm hash specification is as follows: +.RS 2 +.IP \[bu] 2 +The algorithm friendly name or raw numerical. +.IP \[bu] 2 +An equals sign. +.IP \[bu] 2 +The hex hash value. +.RE +.PP +Example Digest Specification: +.IP +.nf +\f[C] +4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 +\f[] +.fi +.PP +\f[B]Note\f[]: that multiple specifications of PCR and hash are allowed. +Multiple hashes cause the pcr to be extended with both hashes. +Multiple same PCR values cause the PCR to be extended multiple times. +Extension is done in order from left to right as specified. +At most 5 hash extensions per PCR entry are supported. +This is to keep the parser simple. +.SH OPTIONS +.PP +This tool accepts no tool specific options. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH EXAMPLES +.PP +Extend PCR 4's SHA1 bank with a hash: +.IP +.nf +\f[C] +tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 +\f[] +.fi +.PP +Extend PCR 4's SHA1 and SHA256 banks with hashes: +.IP +.nf +\f[C] +tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15,sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c +\f[] +.fi +.PP +Extend PCR 4's SHA1 and PCR 7's SHA256 bank with hashes: +.IP +.nf +\f[C] +tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15\ 7:sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_pcrlist.1 tpm2-tools-3.0.4-new/man/man1/tpm2_pcrlist.1 --- tpm2-tools-3.0.4/man/man1/tpm2_pcrlist.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_pcrlist.1 2018-09-10 07:57:17.326535577 -0700 @@ -0,0 +1,244 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_pcrlist" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_pcrlist\f[](1) \- List PCR values. +.SH SYNOPSIS +.PP +\f[B]tpm2_pcrlist\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_pcrlist\f[](1) Displays PCR values. +Without any options, \f[B]tpm2_pcrlist\f[] outputs all pcrs and their +hash banks. +One can use either the \f[B]\-g\f[] or \f[B]\-L\f[] mutually exclusive +options to filter the output. +.PP +Output is writtien in a YAML format to stdout, with each algorithm +followed by a PCR index and its value. +As a simple example assume just sha1 and sha256 support and only 1 PCR. +The output would be: +.IP +.nf +\f[C] +sha1\ : +\ \ 0\ \ :\ 0000000000000000000000000000000000000003 +sha256\ : +\ \ 0\ \ :\ 0000000000000000000000000000000000000000000000000000000000000003 +\f[] +.fi +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-g\f[], \f[B]\[en]algorithm\f[]=\f[I]HASH_ALGORITHM\f[]: Only +output PCR banks with the given algorithm. +Algorithms should follow the \[lq]formatting standards, see +section\[rq]Algorithm Specifiers\[lq]. Also, see section\[rq]Supported +Hash Algorithms" for a list of supported hash algorithms. +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]output\f[]=\f[I]FILE\f[]: The output file to +write the PCR values in binary format, optional. +.IP \[bu] 2 +\f[B]\-L\f[], \f[B]\[en]sel\-list\f[]=\f[I]PCR_SELECTION_LIST\f[]: +.RS 2 +.PP +The list of pcr banks and selected PCRs' ids for each bank to display. +\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers +standards, see section \[lq]PCR Bank Specfiers\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-s\f[], \f[B]\[en]algs\f[]: Output the list of supported +algorithms. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH PCR Bank Specfiers +.PP +PCR Bank Selection lists follow the below specification: +.IP +.nf +\f[C] +:[,] +\f[] +.fi +.PP +multiple banks may be separated by `+'. +.PP +For example: +.IP +.nf +\f[C] +sha:3,4+sha256:5,6 +\f[] +.fi +.PP +will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the +SHA256 bank. +.SS Note +.PP +PCR Selections allow for up to 5 hash to pcr selection mappings. +This is a limitaion in design in the single call to the tpm to get the +pcr values. +.SH Supported Hash Algorithms +.PP +Supported hash algorithms are: +.IP \[bu] 2 +\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] +\f[B](default)\f[] +.IP \[bu] 2 +\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] +.IP \[bu] 2 +\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] +.IP \[bu] 2 +\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] +.IP \[bu] 2 +\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Algorithm Specfiers +.PP +Options that take algorithms support \[lq]nice\-names\[rq]. +Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. +The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] +from the Algorithm Name field and converting it to lower case. +For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. +.PP +The algorithms can be found at: + +.SH EXAMPLES +.PP +display all PCR values: +.IP +.nf +\f[C] +tpm2_pcrlist +\f[] +.fi +.PP +Display the PCR values with a specified bank: +.IP +.nf +\f[C] +tpm2_pcrlist\ \-g\ sha1 +\f[] +.fi +.PP +Display the PCR values with specified banks and store in a file: +.IP +.nf +\f[C] +tpm2_pcrlist\ \-L\ sha1:16,17,18+sha256:16,17,18\ \-o\ pcrs +\f[] +.fi +.PP +Display the supported PCR bank algorithms and exit: +.IP +.nf +\f[C] +tpm2_pcrlist\ \-s +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_quote.1 tpm2-tools-3.0.4-new/man/man1/tpm2_quote.1 --- tpm2-tools-3.0.4/man/man1/tpm2_quote.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_quote.1 2018-09-10 07:57:17.506533117 -0700 @@ -0,0 +1,256 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_quote" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_quote\f[](1) \- Provide a quote and signature from the TPM. +.SH SYNOPSIS +.PP +\f[B]tpm2_quote\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_quote\f[](1) Provide quote and signature for given list of +PCRs in given algorithm/banks. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-k\f[], \f[B]\[en]ak\-handle\f[]=\f[I]AK_HANDLE\f[]: +.RS 2 +.PP +Handle of existing AK. +.RE +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]ak\-context\f[]=\f[I]AK_CONTEXT_FILE\f[]: +.RS 2 +.PP +Filename for the existing AK's context. +.RE +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]ak\-password\f[]=\f[I]AK_PASSWORD\f[]: +.RS 2 +.PP +specifies the password of \f[I]AK_HANDLE\f[]. +Passwords should follow the password formatting standards, see section +\[lq]Password Formatting\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-l\f[], \f[B]\[en]id\-list\f[]=\f[I]PCR_ID_LIST\f[] +.RS 2 +.PP +The comma separated list of selected PCRs' ids, 0~23 e.g. +\[lq]4,5,6\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-L\f[], \f[B]\[en]sel\-list\f[]=\f[I]PCR_SELECTION_LIST\f[]: +.RS 2 +.PP +The list of pcr banks and selected PCRs' ids for each bank. +\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers +standards, see section \[lq]PCR Bank Specfiers\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-m\f[], \f[B]\[en]message\f[]: +.RS 2 +.PP +message output file, records the quote message that makes up the data +that is signed by the TPM. +.RE +.IP \[bu] 2 +\f[B]\-s\f[], \f[B]\[en]signature\f[]: +.RS 2 +.PP +signature output file, records the signature in the format specified via +the \f[B]\-f\f[] option. +.RE +.IP \[bu] 2 +\f[B]\-f\f[], \f[B]\[en]format\f[] +.RS 2 +.PP +Format selection for the signature output file. +See section \[lq]Signature Format Specifiers\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-q\f[], \f[B]\[en]qualify\-data\f[]: +.RS 2 +.PP +Data given as a Hex string to qualify the quote, optional. +This is typically used to add a nonce against replay attacks. +.RE +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional +Input session handle from a policy session for authorization. +.IP \[bu] 2 +\f[B]\-G\f[], \f[B]\[en]sig\-hash\-algorithm\f[]: +.RS 2 +.PP +Hash algorithm for signature. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH PCR Bank Specfiers +.PP +PCR Bank Selection lists follow the below specification: +.IP +.nf +\f[C] +:[,] +\f[] +.fi +.PP +multiple banks may be separated by `+'. +.PP +For example: +.IP +.nf +\f[C] +sha:3,4+sha256:5,6 +\f[] +.fi +.PP +will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the +SHA256 bank. +.SS Note +.PP +PCR Selections allow for up to 5 hash to pcr selection mappings. +This is a limitaion in design in the single call to the tpm to get the +pcr values. +.SH Signature Format Specifiers +.PP +Format selection for the signature output file. +\f[B]tss\f[] (the default) will output a binary blob according to the +TPM 2.0 specification and any potential compiler padding. +The option \f[B]plain\f[] will output the plain signature data as +defined by the used cryptographic algorithm. +# EXAMPLES +.IP +.nf +\f[C] +tpm2_quote\ \-k\ 0x81010002\ \-P\ abc123\ \-g\ sha1\ \-l\ 16,17,18 +tpm2_quote\ \-c\ ak.context\ \-P\ "str:abc123"\ \-g\ sha1\ \-l\ 16,17,18 +tpm2_quote\ \-k\ 0x81010002\ \-g\ sha1\ \-l\ 16,17,18 +tpm2_quote\ \-c\ ak.context\ \-g\ sha1\ \-l\ 16,17,18 +tpm2_quote\ \-k\ 0x81010002\ \-P\ "hex:123abc"\ \-L\ sha1:16,17,18+sha256:16,17,18\ \-q\ 11aa22bb +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_rc_decode.1 tpm2-tools-3.0.4-new/man/man1/tpm2_rc_decode.1 --- tpm2-tools-3.0.4/man/man1/tpm2_rc_decode.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_rc_decode.1 2018-09-10 07:57:17.680530739 -0700 @@ -0,0 +1,132 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_rc_decode" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_rc_decode\f[](1) \- Decode TPM2 error codes to human readable +format. +.SH SYNOPSIS +.PP +\f[B]tpm2_rc_decode\f[] [\f[I]OPTIONS\f[]] \f[I]RC_CODE\f[] +.SH DESCRIPTION +.PP +\f[B]tpm2_rc_decode\f[](1) converts \f[I]RC_CODE\f[] originating from +the SAPI and TCTI into human readable errors. +Analogous to strerror(3), but for the tpm2 stack. +.SH OPTIONS +.PP +This tool takes no tool specific options. +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_rc_decode\ 0x100 +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_readpublic.1 tpm2-tools-3.0.4-new/man/man1/tpm2_readpublic.1 --- tpm2-tools-3.0.4/man/man1/tpm2_readpublic.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_readpublic.1 2018-09-10 07:57:17.852528388 -0700 @@ -0,0 +1,155 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_readpublic" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_readpublic\f[](1) \- Read the public area of a loaded object. +.SH SYNOPSIS +.PP +\f[B]tpm2_readpublic\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_readpublic\f[](1) Reads the public area of a loaded object. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-H\f[], \f[B]\[en]object\f[]=\f[I]HANDLE\f[]: +.RS 2 +.PP +The loaded object handle to read the public data of. +.RE +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]ak\-context\f[]=\f[I]OBJECT_CONTEXT_FILE\f[]: +.RS 2 +.PP +Filename for object context. +.RE +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]opu\f[]: +.RS 2 +.PP +The output file path, recording the public portion of the object. +.RE +.IP \[bu] 2 +\f[B]\-f\f[], \f[B]\[en]format\f[]: +.RS 2 +.PP +Format selection for the public key output file. +`tss' (the default) will output a binary blob according to the TPM 2.0 +secification. +`pem' will output an OpenSSL compatible PEM encoded public key. +`der' will output an OpenSSL compatible DER encoded public key. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_readpublic\ \-H\ 0x81010002\ \-\-opu\ output.dat +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_rsadecrypt.1 tpm2-tools-3.0.4-new/man/man1/tpm2_rsadecrypt.1 --- tpm2-tools-3.0.4/man/man1/tpm2_rsadecrypt.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_rsadecrypt.1 2018-09-10 07:57:18.040525819 -0700 @@ -0,0 +1,192 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_rsadecrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_rsadecrypt\f[](1) \- Performs an RSA Decryption operation +using the TPM. +.SH SYNOPSIS +.PP +\f[B]tpm2_tpm2_rsadecrypt\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_rsadecrypt\f[](1) performs RSA decryption using the indicated +padding scheme according to IETF RFC 3447 (PKCS#1). +The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[]. +.PP +The key referenced by keyHandle is \f[B]required\f[] to be: +.IP "1." 3 +an RSA key +.IP "2." 3 +Have the attribute \f[I]decrypt\f[] \f[B]SET\f[] in it's attributes. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: +.RS 2 +.PP +the public portion of RSA key to use for decryption. +.RE +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: +.RS 2 +.PP +filename of the key context used for the operation. +.RE +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: +.RS 2 +.PP +specifies the password of \f[I]KEY_HANDLE\f[]. +Passwords should follow the password formatting standards, see section +\[lq]Password Formatting\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-I\f[], \f[B]\[en]in\-file\f[]=\f[I]INPUT\f[]: +.RS 2 +.PP +Input file path, containing the data to be decrypted. +.RE +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]out\-file\f[]=\f[I]OUTPUT_FILE\f[]: +.RS 2 +.PP +Output file path, record the decrypted data. +.RE +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: +.RS 2 +.PP +Optional Input session handle from a policy session for authorization. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_rsadecrypt\ \-k\ 0x81010001\ \-I\ encrypted.in\ \-o\ plain.out +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_rsaencrypt.1 tpm2-tools-3.0.4-new/man/man1/tpm2_rsaencrypt.1 --- tpm2-tools-3.0.4/man/man1/tpm2_rsaencrypt.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_rsaencrypt.1 2018-09-10 07:57:18.219523373 -0700 @@ -0,0 +1,189 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_rsaencrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_rsaencrypt\f[](1) \- Performs an RSA Encryption operation +using the TPM. +.SH SYNOPSIS +.PP +\f[B]tpm2_rsaencrypt\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] +.SH DESCRIPTION +.PP +\f[B]tpm2_rsaencrypt\f[](1) performs RSA encryption on the contents of +\f[I]FILE\f[] (defaulting to stdin) using the indicated padding scheme +according to IETF RFC 3447 (PKCS#1). +The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[]. +.PP +The key referenced by keyHandle is \f[B]required\f[] to be: +.IP "1." 3 +an RSA key +.IP "2." 3 +Have the attribute \f[I]decrypt\f[] \f[B]SET\f[] in it's attributes. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: +.RS 2 +.PP +the public portion of RSA key to use for encryption. +.RE +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: +.RS 2 +.PP +filename of the key context used for the operation. +.RE +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: +.RS 2 +.PP +specifies the password of \f[I]KEY_HANDLE\f[]. +Passwords should follow the password formatting standards, see section +\[lq]Password Formatting\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]out\-file\f[]=\f[I]OUTPUT_FILE\f[]: +.RS 2 +.PP +Output file path, record the decrypted data. +The default is to print an xxd compatible hexdump to stdout. +If a file is specified, raw binary output is performed. +.RE +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: +.RS 2 +.PP +Optional Input session handle from a policy session for authorization. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_rsaencrypt\ \-k\ 0x81010001\ \-I\ plain.in\ \-o\ encrypted.out +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_send.1 tpm2-tools-3.0.4-new/man/man1/tpm2_send.1 --- tpm2-tools-3.0.4/man/man1/tpm2_send.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_send.1 2018-09-10 07:57:18.394520981 -0700 @@ -0,0 +1,147 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_send" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_send\f[](1) \- Send a raw command buffer to the TPM. +.SH SYNOPSIS +.PP +\f[B]tpm2_send\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_send\f[](1) Sends a TPM command to the TPM. +The command is read from a file as a binary stream and transmitted to +the TPM using the TCTI specified by the caller. +The response received from the TPM is written to the output file. +.PP +Likely the caller will want to redirect this to a file or into a program +to decode and display the response in a human readable form. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]out\-file\f[]=\f[I]OUTPUT_FILE\f[]: +.RS 2 +.PP +Output file to send response buffer to. +Defaults to stdout. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH EXAMPLES +.PP +Send the contents of tpm2\-command.bin to a device and collect the +response as tpm2\-response.bin. +All examples of below accomplish this task. +.IP +.nf +\f[C] +tpm2_send\ \-\-tcti=device\ <\ tpm2\-command.bin\ >\ tpm2\-response.bin +tpm2_send\ \-\-tcti=device\ \-i\ tpm2\-command.bin\ >\ tpm2\-response.bin +tpm2_send\ \-\-tcti=device\ <\ tpm2\-command.bin\ \-o\ tpm2\-response.bin +tpm2_send\ \-\-tcti=device\ \-i\ tpm2\-command.bin\ \-o\ tpm2\-response.bin +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_sign.1 tpm2-tools-3.0.4-new/man/man1/tpm2_sign.1 --- tpm2-tools-3.0.4/man/man1/tpm2_sign.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_sign.1 2018-09-10 07:57:18.572518548 -0700 @@ -0,0 +1,245 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_sign" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_sign\f[](1) \- Sign a hash using the TPM. +.SH SYNOPSIS +.PP +\f[B]tpm2_sign\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_sign\f[](1) signs an externally provided hash with the +specified symmetric or asymmetric signing key. +If keyHandle references a restricted signing key, then validation shall +be provided, indicating that the TPM performed the hash of the data and +validation shall indicate that hashed data did not start with +\f[B]TPM_GENERATED_VALUE\f[]. +The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[]. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: +.RS 2 +.PP +Handle of key that will perform signing. +.RE +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: +.RS 2 +.PP +Filename of the key context used for the operation. +.RE +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: +.RS 2 +.PP +Specifies the password of \f[I]KEY_HANDLE\f[]. +Passwords should follow the password formatting standards, see section +\[lq]Password Formatting\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]HASH_ALGORITHM\f[]: +.RS 2 +.PP +The hash algorithm used to digest the message. +Algorithms should follow the \[lq]formatting standards, see +section\[rq]Algorithm Specifiers\[lq]. Also, see section\[rq]Supported +Hash Algorithms" for a list of supported hash algorithms. +.RE +.IP \[bu] 2 +\f[B]\-m\f[], \f[B]\[en]msg\f[]=\f[I]MSG_FILE\f[]: +.RS 2 +.PP +The message file, containing the content to be digested. +.RE +.IP \[bu] 2 +\f[B]\-t\f[], \f[B]\[en]ticket\f[]=\f[I]TICKET_FILE\f[]: +.RS 2 +.PP +The ticket file, containning the validation structure, optional. +.RE +.IP \[bu] 2 +\f[B]\-s\f[], \f[B]\[en]sig\f[]=\f[I]TICKET_FILE\f[]: +.RS 2 +.PP +The signature file, records the signature structure. +.RE +.IP \[bu] 2 +\f[B]\-f\f[], \f[B]\[en]format\f[] +.RS 2 +.PP +Format selection for the signature output file. +See section \[lq]Signature Format Specifiers\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: +.RS 2 +.PP +Optional Input session handle from a policy session for authorization. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH Supported Hash Algorithms +.PP +Supported hash algorithms are: +.IP \[bu] 2 +\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] +\f[B](default)\f[] +.IP \[bu] 2 +\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] +.IP \[bu] 2 +\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] +.IP \[bu] 2 +\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] +.IP \[bu] 2 +\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Algorithm Specfiers +.PP +Options that take algorithms support \[lq]nice\-names\[rq]. +Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. +The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] +from the Algorithm Name field and converting it to lower case. +For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. +.PP +The algorithms can be found at: + +.SH Signature Format Specifiers +.PP +Format selection for the signature output file. +\f[B]tss\f[] (the default) will output a binary blob according to the +TPM 2.0 specification and any potential compiler padding. +The option \f[B]plain\f[] will output the plain signature data as +defined by the used cryptographic algorithm. +# EXAMPLES +.IP +.nf +\f[C] +tpm2_sign\ \-k\ 0x81010001\ \-P\ abc123\ \-g\ sha256\ \-m\ \ \-s\ \ \-t\ +tpm2_sign\ \-c\ key.context\ \-P\ abc123\ \-g\ sha256\ \-m\ \ \-s\ \ \-t\ +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_startup.1 tpm2-tools-3.0.4-new/man/man1/tpm2_startup.1 --- tpm2-tools-3.0.4/man/man1/tpm2_startup.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_startup.1 2018-09-10 07:57:18.742516225 -0700 @@ -0,0 +1,139 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_startup" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_startup\f[](1) \- Send a startup command to the TPM. +.SH SYNOPSIS +.PP +\f[B]tpm2_startup\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_startup\f[](1) Send a \f[B]TPM2_Startup\f[] command with +either \f[B]TPM_SU_CLEAR\f[] or \f[B]TPM_SU_STATE\f[]. +.PP +\f[B]NOTE\f[]: Typically a Resource Manager or low\-level/boot software +will have already sent this command. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]clear\f[]: +.RS 2 +.PP +Startup type sent will be \f[B]TPM_SU_CLEAR\f[] instead of +\f[B]TPM2_SU_STATE\f[]. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_startup +tpm2_startup\ \-c +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_takeownership.1 tpm2-tools-3.0.4-new/man/man1/tpm2_takeownership.1 --- tpm2-tools-3.0.4/man/man1/tpm2_takeownership.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_takeownership.1 2018-09-10 07:57:18.932513629 -0700 @@ -0,0 +1,221 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_takeownership" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_takeownership\f[](1) \- Insert authorization values for the +owner, endorsement and lockout authorizations. +.SH SYNOPSIS +.PP +\f[B]tpm2_takeownership\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_takeownership\f[](1) \- performs a hash operation on +\f[I]FILE\f[] and returns the results. +If \f[I]FILE\f[] is not specified, then data is read from stdin. +If the results of the hash will be used in a signing operation that uses +a restricted signing key, then the ticket returned by this command can +indicate that the hash is safe to sign. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]owner\-password\f[]=\f[I]OWNER_PASSWORD\f[]: The +new owner authorization value. +.RS 2 +.PP +Passwords should follow the password formatting standards, see section +\[lq]Password Formatting\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-e\f[], \f[B]\[en]endorse\-password\f[]=\f[I]ENDORSE_PASSWORD\f[]: +.RS 2 +.PP +The new endorse authorization value. +Passwords should follow the same formatting requirements as the \-o +option. +.RE +.IP \[bu] 2 +\f[B]\-l\f[], \f[B]\[en]lockout\-password\f[]=\f[I]LOCKOUT_PASSWORD\f[]: +.RS 2 +.PP +The new lockout authorization value. +.PP +The new endorse authorization value. +Passwords should follow the same formatting requirements as the \-o +option. +.RE +.IP \[bu] 2 +\f[B]\-O\f[], +\f[B]\[en]old\-ownerPassword\f[]=\f[I]OLD_OWNER_PASSWORD\f[]: +.RS 2 +.PP +The old owner authorization value. +Passwords should follow the same formatting requirements as the \-o +option. +.RE +.IP \[bu] 2 +\f[B]\-E\f[], +\f[B]\[en]old\-endorsePassword\f[]=\f[I]OLD_ENDORSE_PASSWORD\f[]: +.RS 2 +.PP +The old endorse authorization value. +Passwords should follow the same formatting requirements as the \-o +option. +.RE +.IP \[bu] 2 +\f[B]\-L\f[], +\f[B]\[en]old\-lockoutPassword\f[]=\f[I]OLD_LOCKOUT_PASSWORD\f[]: +.RS 2 +.PP +The old lockout authorization value. +Passwords should follow the same formatting requirements as the \-o +option. +.RE +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]clear\f[]: +.RS 2 +.PP +Clears the 3 authorizations values with lockout auth, thus one must +specify \-L. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH EXAMPLES +.PP +Set owner, endorsement and lockout authorizations to an empty auth +value: +.IP +.nf +\f[C] +tpm2_takeownership\ \-c\ \-L\ oldlockoutpasswd +\f[] +.fi +.PP +Set owner, endorsement and lockout authorizations to a new value: +.IP +.nf +\f[C] +tpm2_takeownership\ \-o\ newo\ \-e\ newe\ \-l\ newl\ \-O\ oldo\ \-E\ olde\ \-L\ oldl +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_unseal.1 tpm2-tools-3.0.4-new/man/man1/tpm2_unseal.1 --- tpm2-tools-3.0.4/man/man1/tpm2_unseal.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_unseal.1 2018-09-10 07:57:19.123511018 -0700 @@ -0,0 +1,233 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_unseal" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_unseal\f[](1) \- Returns the data in a loaded Sealed Data +Object. +.SH SYNOPSIS +.PP +\f[B]tpm2_unseal\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_unseal\f[](1) \- \-returns the data in a loaded Sealed Data +Object. +.PP +\f[B]NOTE\f[]: The \f[B]\[en]set\-list\f[] and +\f[B]\[en]pcr\-input\-file\f[] options should only be used for simple +PCR authentication policies. +For more complex policies the tools should be ran in an execution +environment that keeps the session context alive and pass that session +using the \f[B]\[en]input\-session\-handle\f[] option. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-H\f[], \f[B]\[en]item\f[]=\f[I]ITEM_HANDLE\f[]: +.RS 2 +.PP +Item handle of loaded object. +.RE +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]item\-context\f[]=\f[I]ITEM_CONTEXT_FILE\f[]: +.RS 2 +.PP +Filename of the item context. +.RE +.IP \[bu] 2 +\f[B]\-P\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: +.RS 2 +.PP +Specifies the password of \f[I]ITEM_HANDLE\f[]. +Passwords should follow the password formatting standards, see section +\[lq]Password Formatting\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]outfile\f[]=\f[I]OUT_FILE\f[]: +.RS 2 +.PP +Output file name, containing the unsealed data. +Defaults to stdout if not specified. +.RE +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: +.RS 2 +.PP +Optional Input session handle from a policy session for authorization. +.RE +.IP \[bu] 2 +\f[B]\-L\f[], \f[B]\[en]set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]: +.RS 2 +.PP +The list of pcr banks and selected PCRs' ids. +\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers +standards, see section \[lq]PCR Bank Specfiers\[rq]. +.RE +.IP \[bu] 2 +\f[B]\-F\f[],**\[en]pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[] +.RS 2 +.PP +Optional Path or Name of the file containing expected pcr values for the +specified index. +Default is to read the current PCRs per the set list. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH PCR Bank Specfiers +.PP +PCR Bank Selection lists follow the below specification: +.IP +.nf +\f[C] +:[,] +\f[] +.fi +.PP +multiple banks may be separated by `+'. +.PP +For example: +.IP +.nf +\f[C] +sha:3,4+sha256:5,6 +\f[] +.fi +.PP +will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the +SHA256 bank. +.SS Note +.PP +PCR Selections allow for up to 5 hash to pcr selection mappings. +This is a limitaion in design in the single call to the tpm to get the +pcr values. +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_unseal\ \-H\ 0x81010001\ \-P\ abc123\ \-o\ out.dat +tpm2_unseal\ \-c\ item.context\ \-P\ abc123\ \-o\ out.dat +tpm2_unseal\ \-H\ 0x81010001\ \-P\ "hex:123abc"\ \-o\ out.dat +tpm2_unseal\ \-c\ item.context\ \-L\ sha1:0,1,2\ \-F\ out.dat +\f[] +.fi +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN tpm2-tools-3.0.4/man/man1/tpm2_verifysignature.1 tpm2-tools-3.0.4-new/man/man1/tpm2_verifysignature.1 --- tpm2-tools-3.0.4/man/man1/tpm2_verifysignature.1 1969-12-31 17:00:00.000000000 -0700 +++ tpm2-tools-3.0.4-new/man/man1/tpm2_verifysignature.1 2018-09-10 07:57:19.305508531 -0700 @@ -0,0 +1,244 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_verifysignature" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_verifysignature\f[](1) \- Validates a signature using the TPM. +.SH SYNOPSIS +.PP +\f[B]tpm2_verifysignature\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_verifysignature\f[](1) uses loaded keys to validate a +signature on a message with the message digest passed to the TPM. +If the signature check succeeds, then the TPM will produce a +\f[B]TPMT_TK_VERIFIED\f[]. +Otherwise, the TPM shall return \f[B]TPM_RC_SIGNATURE\f[]. +If \f[I]KEY_HANDLE\f[] references an asymmetric key, only the public +portion of the key needs to be loaded. +If \f[I]KEY_HANDLE\f[] references a symmetric key, both the public and +private portions need to be loaded. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: +.RS 2 +.PP +Handle of key that will used in the validation. +.RE +.IP \[bu] 2 +\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: +.RS 2 +.PP +Filename of the key context used for the operation. +.RE +.IP \[bu] 2 +\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]HASH_ALGORITHM\f[]: +.RS 2 +.PP +The hash algorithm used to digest the message. +Algorithms should follow the \[lq]formatting standards, see +section\[rq]Algorithm Specifiers\[lq]. Also, see section\[rq]Supported +Hash Algorithms" for a list of supported hash algorithms. +.RE +.IP \[bu] 2 +\f[B]\-m\f[], \f[B]\[en]msg\f[]=\f[I]MSG_FILE\f[]: +.RS 2 +.PP +The message file, containing the content to be digested. +.RE +.IP \[bu] 2 +\f[B]\-D\f[], \f[B]\[en]digest\f[]=\f[I]DIGEST_FILE\f[]: +.RS 2 +.PP +The input hash file, containing the hash of the message. +If this option is selected, then the message (\f[B]\-m\f[]) and +algorithm (\f[B]\-g\f[]) options do not need to be specified. +.RE +.IP \[bu] 2 +\f[B]\-s\f[], \f[B]\[en]sig\f[]=\f[I]SIG_FILE\f[]: +.RS 2 +.PP +The input signature file of the signature to be validated. +.RE +.IP \[bu] 2 +\f[B]\-r\f[], \f[B]\[en]raw\f[]: +.RS 2 +.PP +Set the input signature file to raw type. +The default is TPMT_SIGNATURE. +.RE +.IP \[bu] 2 +\f[B]\-t\f[], \f[B]\[en]ticket\f[]=\f[I]TICKET_FILE\f[]: +.RS 2 +.PP +The ticket file to record the validation structure. +.RE +.IP \[bu] 2 +\f[B]\-S\f[], +\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: +.RS 2 +.PP +Optional Input session handle from a policy session for authorization. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. +This requires the manpages to be installed or on \f[I]MANPATH\f[], See +man(1) for more details. +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +# TCTI ENVIRONMENT +.PP +This collection of environment variables that may be used to configure +the various TCTI modules available. +.PP +The values passed through these variables can be overridden on a +per\-command basis using the available command line options, see the +\f[I]TCTI_OPTIONS\f[] section. +.PP +The variables respected depend on how the software was configured. +.IP \[bu] 2 +\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication +with the next component down the TSS stack. +In most configurations this will be the TPM but it could be a simulator +or proxy. +The current known TCTIs are: +.RS 2 +.IP \[bu] 2 +tabrmd \- The new resource manager, called +tabrmd (https://github.com/01org/tpm2-abrmd). +.IP \[bu] 2 +socket \- Typically used with the old resource manager, or talking +directly to a simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the +TPM device file. +The default is \[lq]/dev/tpm0\[rq]. +.RS 2 +.PP +Note: Using the tpm directly requires the users to ensure that +concurrent access does not occur and that they manage the tpm resources. +These tasks are usually managed by a resource manager. +Linux 4.12 and greater supports an in kernel resource manager at +\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. +.RE +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify +the domain name or IP address used. +The default is 127.0.0.1. +.IP \[bu] 2 +\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the +port number used. +The default is 2321. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the varous TCTI modules +available. +They override any environment variables. +.IP \[bu] 2 +\f[B]\-T\f[], +\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: +Select the TCTI used for communication with the next component down the +TSS stack. +In most configurations this will be the resource manager: +tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific +options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to +\f[I]TCTI_NAME\f[]. +.RS 2 +.IP \[bu] 2 +For the device TCTI, the TPM device file for use by the device TCTI can +be specified. +The default is /dev/tpm0. +Example: \f[B]\-T device:/dev/tpm0\f[] +.IP \[bu] 2 +For the socket TCTI, the domain name or IP address and port number used +by the socket can be specified. +The default are 127.0.0.1 and 2321. +Example: \f[B]\-T socket:127.0.0.1:2321\f[] +.IP \[bu] 2 +For the abrmd TCTI, it takes no options. +Example: \f[B]\-T abrmd\f[] +.RE +.SH Password Formatting +.PP +Passwords are interpreted in two forms, string and hex\-string. +A string password is not interpreted, and is directly used for +authorization. +A hex\-string, is converted from a hexidecimal form into a byte array +form, thus allowing passwords with non\-printable and/or terminal +un\-friendly characters. +.PP +By default passwords are assumed to be in the string form. +Password form is specified with special prefix values, they are: +.IP \[bu] 2 +str: \- Used to indicate it is a raw string. +Useful for escaping a password that starts with the \[lq]hex:\[rq] +prefix. +.IP \[bu] 2 +hex: \- Used when specifying a password in hex string format. +.SH Supported Hash Algorithms +.PP +Supported hash algorithms are: +.IP \[bu] 2 +\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] +\f[B](default)\f[] +.IP \[bu] 2 +\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] +.IP \[bu] 2 +\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] +.IP \[bu] 2 +\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] +.IP \[bu] 2 +\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Algorithm Specfiers +.PP +Options that take algorithms support \[lq]nice\-names\[rq]. +Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. +The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] +from the Algorithm Name field and converting it to lower case. +For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. +.PP +The algorithms can be found at: + +.SH EXAMPLES +.IP +.nf +\f[C] +tpm2_verifysignature\ \-k\ 0x81010001\ \-g\ sha256\ \-m\ \ \-s\ \ \-t\ +tpm2_verifysignature\ \-k\ 0x81010001\ \-D\ \ \-s\ \ \-t\ +tpm2_verifysignature\ \-c\ key.context\ \-g\ sha256\ \-m\ \ \-s\ \ \-t\ +\f[] +.fi +.PP +RETURNS +.PP +0 on success or 1 on failure. +.PP +BUGS +.PP +Github Issues (https://github.com/01org/tpm2-tools/issues) +.PP +HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)